### Summary
_**Multifactor Authentication (MFA): A Cybersecurity Essential**_
* MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.
* Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.
* Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
This advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of this advisory, including the following:
* Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
* Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
* Patch all systems. Prioritize patching for [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
For more general information on Russian state-sponsored malicious cyber activity, see CISA's [Russia Cyber Threat Overview and Advisories](<https://www.cisa.gov/uscert/russia>) webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA [Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure](<https://www.cisa.gov/uscert/ncas/alerts/aa22-011a>) and CISA's [Shields Up Technical Guidance](<https://www.cisa.gov/uscert/shields-technical-guidance>) webpage.
For a downloadable copy of IOCs, see AA22-074A.stix.
### Technical Details
#### **Threat Actor Activity**
_**Note:** This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques._
As early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment.
Russian state-sponsored cyber actors gained initial access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] to the victim organization via compromised credentials [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] and by enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)] via a brute-force password guessing attack [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001/>)], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.
Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004/>)] via exploitation of the “PrintNightmare” vulnerability ([CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)) [[T1068](<https://attack.mitre.org/versions/v10/techniques/T1068/>)] to obtain administrator privileges. The actors also modified a domain controller file, `c:\windows\system32\drivers\etc\hosts`, redirecting Duo MFA calls to `localhost` instead of the Duo server [[T1556](<https://attack.mitre.org/versions/v10/techniques/T1556/>)]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. _**Note:** “fail open” can happen to any MFA implementation and is not exclusive to Duo._
After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133/>)]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.
Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008/>)] to the victim’s cloud storage and email accounts and access desired content.
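The initial-access gap described above is an account that is still enabled in Active Directory but has been un-enrolled from MFA for inactivity. The following is an added example, not code from the advisory or from Duo, of how a defender can reconcile the two systems to find such accounts before an adversary does. The AD export and MFA directory records are constructed sample data with hypothetical field names (`sam`, `enabled`, `last_logon`, `status`, `devices`); a real check would be fed from the directory and MFA admin exports.

```python
"""Reconcile Active Directory account state against MFA enrollment state.

Added example (not from the advisory or Duo): flags accounts that are still
enabled in AD but have no active MFA enrollment, so a guessed password plus
a fresh device enrollment would grant access. All sample data is constructed.
"""
from datetime import date, timedelta

# Constructed sample: a simplified AD export (hypothetical field names).
AD_ACCOUNTS = [
    {"sam": "jdoe",     "enabled": True,  "last_logon": date(2022, 3, 1)},
    {"sam": "dormant1", "enabled": True,  "last_logon": date(2021, 1, 10)},
    {"sam": "old_svc",  "enabled": False, "last_logon": date(2020, 6, 5)},
    {"sam": "nomfa",    "enabled": True,  "last_logon": date(2022, 2, 20)},
]

# Constructed sample: MFA directory state keyed by username (hypothetical).
MFA_USERS = {
    "jdoe":     {"status": "active",   "devices": 1},
    "dormant1": {"status": "inactive", "devices": 0},  # un-enrolled for inactivity
    "old_svc":  {"status": "inactive", "devices": 0},
}


def find_reenrollment_gaps(ad_accounts, mfa_users, today, dormant_days=90):
    """Return (username, reason) for every AD-enabled account lacking active MFA.

    Accounts disabled in AD are skipped: with no valid password login, the MFA
    re-enrollment path cannot be reached. Dormancy is reported so that the
    highest-risk combination (enabled, dormant, un-enrolled) stands out.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in ad_accounts:
        if not acct["enabled"]:
            continue
        mfa = mfa_users.get(acct["sam"])
        dormant = acct["last_logon"] < cutoff
        if mfa is None:
            findings.append((acct["sam"], "enabled in AD, no MFA record"))
        elif mfa["devices"] == 0 or mfa["status"] != "active":
            reason = "enabled in AD, MFA un-enrolled"
            if dormant:
                reason += " and dormant (new-device enrollment would succeed)"
            findings.append((acct["sam"], reason))
    return findings


if __name__ == "__main__":
    for user, reason in find_reenrollment_gaps(AD_ACCOUNTS, MFA_USERS, date(2022, 3, 15)):
        print(f"{user}: {reason}")
```

The fix for each finding is the one the advisory gives: disable the account in AD and the MFA system together, rather than letting one side lapse while the other still accepts a password.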
#### **Indicators of Compromise**
Russian state-sponsored cyber actors executed the following processes:
* `ping.exe` - A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [[T1018](<https://attack.mitre.org/versions/v10/techniques/T1018/>)] and is frequently used by actors for network discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007/>)].
* `regedit.exe` - A standard Windows executable file that opens the built-in registry editor [[T1112](<https://attack.mitre.org/versions/v10/techniques/T1112/>)].
* `rar.exe` - A data compression, encryption, and archiving tool [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001/>)]. Malicious cyber actors have traditionally sought to compromise MFA security protocols as doing so would provide access to accounts or information of interest.
* `ntdsutil.exe` - A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)].
Actors modified the `c:\windows\system32\drivers\etc\hosts` file to prevent communication with the Duo MFA server:
* `127.0.0.1 api-<redacted>.duosecurity.com`
The following access device IP addresses used by the actors have been identified to date:
* `45.32.137[.]94`
* `191.96.121[.]162`
* `173.239.198[.]46`
* `157.230.81[.]39`
### Mitigations
The FBI and CISA recommend organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information. Organizations should:
* Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
* Implement time-out and lock-out features in response to repeated failed login attempts.
* Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems, etc.
* Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
* Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
* Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
* Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (`ntdsutil`, `rar`, `regedit`, etc.).
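The last two mitigations above call for alerting on specific process creation events and on unusual logins. The following is an added example, not code from the advisory, that runs both detections over constructed sample log lines: Windows Security event 4688 process-creation records for the utilities the advisory names, and VPN authentication records whose source IP appears in the advisory's IOC list. The log line formats are simplified assumptions, not any vendor's export format, and the user names and the 203.0.113.7 address are constructed.

```python
"""Alert on the process-creation events and access IPs named in the advisory.

Added example (not from the advisory). Two small detections over constructed
sample lines: (1) event 4688 process creation for ntdsutil/rar/regedit,
(2) VPN logins from the advisory's published IOC addresses.
"""
import re

# Process names the advisory recommends alerting on (compared case-insensitively).
WATCHED_PROCESSES = {"ntdsutil.exe", "rar.exe", "regedit.exe"}

# IOC IPs from the advisory, refanged from the bracketed form for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in (
    "45.32.137[.]94", "191.96.121[.]162", "173.239.198[.]46", "157.230.81[.]39")}

# Constructed sample lines (simplified key=value rendering, not a real export).
SAMPLE_4688 = [
    "EventID=4688 SubjectUserName=jdoe NewProcessName=C:\\Windows\\System32\\ping.exe",
    "EventID=4688 SubjectUserName=dormant1 NewProcessName=C:\\Windows\\System32\\ntdsutil.exe",
    "EventID=4688 SubjectUserName=dormant1 NewProcessName=C:\\Tools\\rar.exe",
    "EventID=4624 SubjectUserName=svc NewProcessName=-",
]
SAMPLE_VPN = [
    "2022-03-01T10:00:00Z user=jdoe src=203.0.113.7 result=success",
    "2022-03-01T10:05:00Z user=dormant1 src=45.32.137.94 result=success",
]

_PROC_RE = re.compile(r"EventID=4688 .*SubjectUserName=(\S+) .*NewProcessName=(\S+)")
_VPN_RE = re.compile(r"user=(\S+) src=(\S+) result=(\S+)")


def suspicious_process_events(lines):
    """Return (user, executable) for each 4688 event launching a watched binary.

    Only the file name is compared, so a copy of rar.exe dropped in an
    unusual directory is still caught.
    """
    hits = []
    for line in lines:
        m = _PROC_RE.search(line)
        if not m:
            continue
        user, path = m.groups()
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_PROCESSES:
            hits.append((user, exe))
    return hits


def ioc_ip_logins(lines):
    """Return (user, src_ip, result) for VPN records sourced from an IOC address."""
    hits = []
    for line in lines:
        m = _VPN_RE.search(line)
        if m and m.group(2) in IOC_IPS:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    print(suspicious_process_events(SAMPLE_4688))
    print(ioc_ip_logins(SAMPLE_VPN))
```

Successful logins from an IOC address matter more than failed ones: in the intrusion described here the actors authenticated to the VPN as ordinary users once MFA had been neutralised, so a match on `result=success` is the signal to act on.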
_**Note:** If a domain controller compromise is suspected, a domain-wide password reset—including service accounts, Microsoft 365 (M365) synchronization accounts, and `krbtgt`—will be necessary to remove the actors’ access. (For more information, see <https://docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html>). Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation._
FBI and CISA also recommend organizations implement the recommendations listed below to further reduce the risk of malicious cyber activity.
#### **Security Best Practices**
* Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) Signing, restrict Administrative privileges (local admin users, groups, etc.), and review sensitive materials on domain controller’s `SYSVOL` share.
* Enable increased logging policies, enforce PowerShell logging, and ensure antivirus/endpoint detection and response (EDR) are deployed to all endpoints and enabled.
* Routinely verify no unauthorized system modifications, such as additional accounts and Secure Shell (SSH) keys, have occurred to help detect a compromise. To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.
#### **Network Best Practices**
* Monitor remote access/RDP logs and disable unused remote access/RDP ports.
* Deny atypical inbound activity from known anonymization services, to include commercial VPN services and The Onion Router (TOR).
* Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
* Regularly audit administrative user accounts and configure access control under the concept of least privilege.
* Regularly audit logs to ensure new accounts are legitimate users.
* Scan networks for open and listening ports and remediate those that are unnecessary.
* Maintain historical network activity logs for at least 180 days, in case of a suspected compromise.
* Identify and create offline backups for critical assets.
* Implement network segmentation.
* Automatically update anti-virus and anti-malware solutions and conduct regular virus and malware scans.
#### **Remote Work Environment Best Practices**
With an increase in remote work environments and the use of VPN services, the FBI and CISA encourage organizations to implement the following best practices to improve network security:
* Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
* When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require employees engaging in remote work to use strong passwords.
* Monitor network traffic for unapproved and unexpected protocols.
* Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry for attackers.
#### **User Awareness Best Practices**
Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI and CISA recommend the following best practices to improve employee operations security when conducting business:
* Provide end-user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and delivery methods. Also, provide users with training on information security principles and techniques.
* Inform employees of the risks associated with posting detailed career information to social or professional networking sites.
* Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyberattack, to help quickly and efficiently identify threats and employ mitigation strategies.
### Information Requested
All organizations should report incidents and anomalous activity to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>) and/or CISA’s 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870.
### APPENDIX A: Threat Actor Tactics and Techniques
See table 1 for the threat actors’ tactics and techniques identified in this CSA. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques.
_Table 1: Threat Actor MITRE ATT&CK Tactics and Techniques_
**Tactic** | **Technique**
---|---
Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]
Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)] | External Remote Services [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133/>)]
 | Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v10/techniques/T1556/>)]
Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004/>)] | Exploitation for Privilege Escalation [[T1068](<https://attack.mitre.org/versions/v10/techniques/T1068/>)]
Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005/>)] | Modify Registry [[T1112](<https://attack.mitre.org/versions/v10/techniques/T1112/>)]
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)] | Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001/>)]
 | OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]
Discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007/>)] | Remote System Discovery [[T1018](<https://attack.mitre.org/versions/v10/techniques/T1018/>)]
Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008/>)] |
Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)] | Archive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001/>)]
### Revisions
March 15, 2022: Initial Version
"https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2021-34527", "CVE-2023-26360"], "immutableFields": [], "lastseen": "2023-12-06T15:49:20", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "adobe", "idList": ["APSB23-25"]}, {"type": "attackerkb", "idList": ["AKB:5DB640DC-B30F-464A-BC81-ED3C15946D65", "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:CC339C3D-417D-4477-92A7-746AEA51530C", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "AKB:FB9BE99D-7DDE-493D-8C9D-12F3DD901458"]}, {"type": "avleonov", "idList": ["AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473"]}, {"type": "cert", "idList": ["VU:383432"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0465"]}, {"type": "cisa", "idList": ["CISA:367C27124C09604830E0725F5F3123F7", "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "CISA:6C836D217FB0329B2D68AD71789D1BB0", "CISA:91DA945EA20AF1A221FDE02A2D9CE315"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-34527", "CISA-KEV-CVE-2023-26360"]}, {"type": "cve", "idList": ["CVE-2021-34527", "CVE-2023-26360"]}, {"type": "githubexploit", "idList": ["0263BC36-BEB1-519B-965B-52D9E6AB116F", "0BB19334-D311-5464-B40B-7B27A0AD8825", "1E42289A-77F8-55A2-B85E-83CAA00CE951", "21F83D93-118D-50C7-A5C0-B2069237666E", "26B4C125-95CE-54A5-82FB-2D1C219A09CB", "3399B834-8492-5C0C-AA14-7F120BA37AF6", "3DC96731-93EE-5FF0-9AC3-C472059DC1AF", "436B5B97-EF58-5F05-B611-815DDEF67B8A", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "64AAF745-D50D-575C-B3FF-A09072475502", "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "8542D571-7253-5609-BC52-CBCB5F40929A", "86F04665-0984-596F-945A-3CA176A53057", 
"8EDE916A-F04B-59F0-A88D-13DEF969DC00", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "B8D9E2C0-202B-5806-88D2-B0E797582618", "BDFBDA81-0DEB-5523-B538-F23C3B524986", "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "D089579B-4420-5AD5-999F-45063D972E66", "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "E235B3DF-990F-5508-9496-90462B45125D", "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "F1347375-6380-5145-9881-486B76875649", "F1B229EB-2178-53B9-839E-BA0B916376A2", "F796D11D-F85B-5218-BBFA-9BDBAE5B6A59", "F92F972D-7309-5D0B-BCC2-054883AE83E9", "FBC9D472-5E25-508D-AB6E-B3197FCFED2D"]}, {"type": "hivepro", "idList": ["HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "ics", "idList": ["AA18-284A", "AA18-337A", "AA19-024A", "AA19-122A", "AA19-168A", "AA19-290A", "AA19-339A", "AA20-006A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-049A", "AA20-073A", "AA20-099A", "AA20-106A", "AA20-107A", "AA20-120A", "AA20-126A", "AA20-133A", "AA20-182A", "AA20-183A", "AA20-195A", "AA20-198A", "AA20-205A", "AA20-206A", "AA20-209A", "AA20-225A", "AA20-227A", "AA20-239A", "AA20-245A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-280A", "AA20-283A", "AA20-296A", "AA20-296B", "AA20-301A", "AA20-302A", "AA20-304A", "AA20-336A", "AA20-345A", "AA20-352A", "AA21-0000A", "AA21-008A", "AA21-042A", "AA21-048A", "AA21-055A", "AA21-062A", "AA21-076A", "AA21-077A", "AA21-110A", "AA21-116A", "AA21-131A", "AA21-148A", "AA21-200A", "AA21-200B", "AA21-201A", "AA21-209A", "AA21-229A", "AA21-243A", "AA21-259A", "AA21-287A", "AA21-291A", "AA21-321A", "AA21-336A", "AA21-356A", "AA22-011A", "AA22-040A", "AA22-047A", "AA22-054A", "AA22-055A", "AA22-057A", "AA22-076A", "AA22-083A", "AA22-103A", "AA22-108A", "AA22-110A", "AA22-117A", "AA22-131A", "AA22-137A", "AA22-138A", "AA22-138B", "AA22-152A", 
"AA22-158A", "AA22-174A", "AA22-181A", "AA22-187A", "AA22-216A", "AA22-223A", "AA22-228A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-279A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-040A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A", "AA23-158A", "AA23-165A", "AA23-187A", "AA23-193A", "AA23-201A", "AA23-208A", "AA23-213A", "AA23-215A", "AA23-242A", "AA23-250A", "AA23-263A", "AA23-270A", "AA23-278A", "AA23-284A", "AA23-289A", "AA23-319A", "AA23-320A", "AA23-325A", "AA23-335A", "AA23-339A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:6CF60AA98AC32EEEED1A25871823E90D"]}, {"type": "kaspersky", "idList": ["KLA12213", "KLA12214"]}, {"type": "kitploit", "idList": ["KITPLOIT:232707789076746523", "KITPLOIT:6049290411707454748"]}, {"type": "krebs", "idList": ["KREBS:3CC49021549439F95A2EDEB2029CF54E", "KREBS:831FD0B726B800B2995A68BA50BD8BE3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:335640D886EC822FE646F8A943770825", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:44699410831936C9D0A5C048B00776EE", "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "MALWAREBYTES:9F3181D8BD5EF0E44A305AF69898B9E0", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "MALWAREBYTES:DB34937B6474073D9444648D34438225", "MALWAREBYTES:F629837C88B5435ECA8E80D0F01621BA"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-GATHER-ADOBE_COLDFUSION_FILEREAD_CVE_2023_26360-", "MSF:EXPLOIT-MULTI-HTTP-ADOBE_COLDFUSION_RCE_CVE_2023_26360-", "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1675", "MS:CVE-2021-34527"]}, {"type": "mskb", "idList": ["KB5004945", "KB5004946", "KB5004947", "KB5004948", "KB5004950", "KB5004951", "KB5004953", "KB5004954", "KB5004955", "KB5004956", "KB5004958", "KB5004959", "KB5004960", "KB5005575", "KB5007215", "KB5008212", "KB5018427", "KB5019959"]}, 
{"type": "msrc", "idList": ["MSRC:138C696A39E258DD773C8941F8F90E86", "MSRC:236F052536DCDE6A90F408B759E221BC", "MSRC:239E65C8BEB88185329D9990C80B10DF", "MSRC:7A4C48432D99E285A3DCFB40C66B7041", "MSRC:8DDE6C6C2CBC080233B7C0F929E83062", "MSRC:90189138D61770FDBFA4D6BFCF043C7F", "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "MSRC:D3EB0B723121A9028F60C06787605F29"]}, {"type": "nessus", "idList": ["COLDFUSION_WIN_APSB23-25.NASL", "SMB_NT_MS21_DEC_5008212.NASL", "SMB_NT_MS21_JUL_5004945.NASL", "SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004958.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004960.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SMB_NT_MS21_NOV_5007215.NASL"]}, {"type": "nuclei", "idList": ["NUCLEI:CVE-2023-26360"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167261", "PACKETSTORM:172079"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:6636EE51C46282492E9A91509CBA5C4B"]}, {"type": "prion", "idList": ["PRION:CVE-2021-34527", "PRION:CVE-2023-26360"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:7B5CCC9A0ADE13140C03A708CCBB4C4A", "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", 
"RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:907F758757E4F4DFA2ED45E5B6AAC01E", "RAPID7BLOG:9D5A16A43EFEA30A49E1E70FD568C548", "RAPID7BLOG:AF89E3740FB97329034E56BA6E181ABB", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "securelist", "idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991", "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "talosblog", "idList": ["TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D"]}, {"type": "thn", "idList": ["THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:6428957E9DED493169A2E63839F98667", "THN:849B821D3503018DA38FAFFBC34DAEBB", "THN:878B3321978CDB69F46C7A415B46701B", "THN:934BF6B94312FDB8317CCD9F5E46677C", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:A52CF43B8B04C0A2F8413E17698F9308", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:CF5E93184467C7B8F56A517CE724ABCF", "THN:D10C2C7FC285D13E18415150A4507AB6", "THN:F35E41E26872B23A7F620C6D8F7E2334"]}, {"type": "threatpost", "idList": ["THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:ADA9E95C8FD42722E783C74443148525"]}, {"type": "trellix", "idList": ["TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}, {"type": "zdt", "idList": ["1337DAY-ID-38634"]}]}, "score": {"value": 10.8, "vector": "NONE"}, "epss": [{"cve": "CVE-2021-34527", "epss": 0.9685, "percentile": 0.99482, "modified": "2023-05-01"}], "vulnersScore": 10.8}, "_state": {"dependencies": 1701891669, "score": 1701892172, "epss": 0}, "_internal": {"score_hash": "b29af1d0bd3af582b80a4b9719d9c8c2"}}
{"ics": [{"lastseen": "2023-12-07T19:02:32", "description": "_**Note:** This joint Cybersecurity Advisory (CSA) is part of an ongoing [#StopRansomware](<https://www.cisa.gov/stopransomware/stopransomware>) effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\n**Actions to take today to mitigate cyber threats from ransomware:**\n\n\u2022 Prioritize and remediate known exploited vulnerabilities. \n\u2022 Train users to recognize and report phishing attempts. \n\u2022 Enable and enforce multifactor authentication.\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.\n\nOver the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. Impacts from these attacks have included restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. 
School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of [sensitive student data](<https://www.ic3.gov/Media/News/2022/220526.pdf>) accessible through school systems or their managed service providers.\n\nThe FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.\n\nDownload the PDF version of this report: pdf, 521 KB\n\nDownload the IOCs: [.stix 31 kb](<https://www.cisa.gov/uscert/sites/default/files/publications/AA22-249A.stix.xml>)\n\n### Technical Details\n\n**Note:** _This advisory uses the MITRE ATT&CK_\u00ae_ for Enterprise framework, version 11. See _[_MITRE ATT&CK for Enterprise_](<https://attack.mitre.org/versions/v11/matrices/enterprise/>)_ for all referenced tactics and techniques_.\n\nVice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.\n\nVice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)] for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. 
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used \u201cliving off the land\u201d techniques targeting the legitimate Windows Management Instrumentation (WMI) service [[T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>)] and tainting shared content [[T1080](<https://attack.mitre.org/versions/v11/techniques/T1080/>)].\n\nVice Society actors have been observed exploiting the PrintNightmare vulnerability ([CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) and [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)) to escalate privileges [[T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>)]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [[T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>)], creating undocumented autostart Registry keys [[T1547.001](<https://attack.mitre.org/versions/v11/techniques/T1547/001/>)], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a technique known as DLL side-loading [[T1574.002](<https://attack.mitre.org/versions/v11/techniques/T1574/002/>)]. Vice Society actors attempt to evade detection by masquerading their malware and tools as legitimate files [[T1036](<https://attack.mitre.org/versions/v11/techniques/T1036/>)], using process injection [[T1055](<https://attack.mitre.org/versions/v11/techniques/T1055/>)], and likely using evasion techniques to defeat automated dynamic analysis [[T1497](<https://attack.mitre.org/versions/v11/techniques/T1497/>)]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims\u2019 network accounts to prevent the victim from remediating. 
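The persistence and impact behaviours in the paragraph above (scheduled tasks, autostart Run keys, and scripted mass password changes) all leave footprints in Windows event telemetry that a defender can hunt for. The Python below is an added example written for this page, not code from the advisory or from CISA. It runs three detections over a constructed set of event records modelled on Security log events 4698 (a scheduled task was created) and 4724 (an attempt was made to reset an account's password) and on Sysmon event 13 (registry value set). The dict field names (`ts`, `id`, `user`, `task`, `command`, `key`, `value`, `target`), the list of user-writable directories and the burst threshold are assumptions of the example, not a real log schema.

```python
"""Hunt for the persistence and impact behaviours described above in Windows
event telemetry. Added example for this page, not code from the advisory.

Input records are a constructed, simplified view of three event sources:
  - Security event 4698: a scheduled task was created
  - Security event 4724: an attempt was made to reset an account's password
  - Sysmon event 13:     a registry value was set
The dict field names used here are assumptions for the example, not the real
XML schema of those events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Autostart key family used for Run-key persistence (T1547.001). The prefix
# also matches RunOnce, which sits under the same CurrentVersion path.
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run"

# Directories a scheduled task action should rarely launch from (assumption).
USER_WRITABLE_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T02:10:05", "id": 4698, "user": "CORP\\svc-backup",
     "task": "\\Microsoft\\Windows\\UpdateCheck",
     "command": "C:\\Users\\Public\\update.exe"},
    {"ts": "2022-09-01T02:10:09", "id": 13, "user": "CORP\\svc-backup",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Users\\Public\\update.exe"},
    {"ts": "2022-09-01T02:11:00", "id": 13, "user": "CORP\\jdoe",
     "key": "HKCU\\Software\\Adobe\\Acrobat\\Settings", "value": "1"},
    {"ts": "2022-09-01T08:00:00", "id": 4698, "user": "CORP\\it-admin",
     "task": "\\Corp\\InventoryScan",
     "command": "C:\\Program Files\\Inventory\\scan.exe"},
    # Twelve resets by one account inside twelve seconds (T1531 pattern).
    *[{"ts": f"2022-09-01T03:00:{i:02d}", "id": 4724,
       "user": "CORP\\admin-tmp", "target": f"CORP\\user{i}"} for i in range(12)],
    # A single, ordinary helpdesk reset for contrast.
    {"ts": "2022-09-01T09:30:00", "id": 4724, "user": "CORP\\helpdesk",
     "target": "CORP\\user99"},
]


def find_scheduled_tasks(events, suspicious_dirs=USER_WRITABLE_DIRS):
    """Return 4698 events whose action runs from a user-writable directory (T1053)."""
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        command = e["command"].lower()
        if any(d in command for d in suspicious_dirs):
            hits.append((e["ts"], e["user"], e["task"], e["command"]))
    return hits


def find_run_key_writes(events):
    """Return Sysmon 13 events that set a value under a Run/RunOnce key (T1547.001)."""
    return [(e["ts"], e["user"], e["key"], e["value"])
            for e in events
            if e["id"] == 13 and RUN_KEY_MARKER in e["key"].lower()]


def find_password_reset_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {actor: max resets in any window} for actors at or above threshold (T1531).

    Sliding window over each actor's time-sorted 4724 events: a mass password
    change script produces a burst that normal helpdesk activity does not.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            per_actor[e["user"]].append((datetime.fromisoformat(e["ts"]), e["target"]))

    bursts = {}
    for actor, resets in per_actor.items():
        resets.sort()
        start = 0
        for end in range(len(resets)):
            while resets[end][0] - resets[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), count)
    return bursts


def run_detections(events):
    """Run all three detections and return their findings keyed by name."""
    return {
        "scheduled_tasks": find_scheduled_tasks(events),
        "run_key_writes": find_run_key_writes(events),
        "password_reset_bursts": find_password_reset_bursts(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

In a real deployment the fields would come from the event XML or a SIEM query rather than literal dicts, and the thresholds (five resets in five minutes, the directory list) are starting points to tune against baseline helpdesk and software-deployment activity before alerting on them.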
\n\n### Indicators of Compromise (IOCs)\n\n**Email Addresses** \n--- \nv-society.official@onionmail[.]org \nViceSociety@onionmail[.]org \nOnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org \n \n**TOR Address** \n--- \nhttp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion \n \n**IP Addresses for C2** | **Confidence Level** \n---|--- \n5.255.99[.]59 | High Confidence \n5.161.136[.]176 | Medium Confidence \n198.252.98[.]184 | Medium Confidence \n194.34.246[.]90 | Low Confidence \n \n_See Table 1 for file hashes obtained from FBI incident response investigations in September 2022._\n\n_Table 1: File Hashes as of September 2022_\n\n**MD5** | **SHA1** \n---|--- \nfb91e471cfa246beb9618e1689f1ae1d | a0ee0761602470e24bcea5f403e8d1e8bfa29832 \n| 3122ea585623531df2e860e7d0df0f25cce39b21 \n| 41dc0ba220f30c70aea019de214eccd650bc6f37 \n| c9c2b6a5b930392b98f132f5395d54947391cb79 \n \n### MITRE ATT&CK TECHNIQUES\n\nVice Society actors have used ATT&CK techniques, similar to Zeppelin techniques, listed in Table 2.\n\n_Table 2: Vice Society Actors ATT&CK Techniques for Enterprise_\n\n**_Initial Access_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nExploit Public-Facing Application | [T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>) | Vice Society actors exploit vulnerabilities in internet-facing systems to gain access to victims\u2019 networks. \nValid Accounts | [T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>) | Vice Society actors obtain initial network access through compromised valid accounts. \n\n**_Execution_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nWindows Management Instrumentation (WMI) | [T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>) | Vice Society actors leverage WMI, a native Windows administration feature, as a means of \u201cliving off the land\u201d to execute malicious commands. \nScheduled Task/Job | [T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>) | Vice Society actors have used malicious files that create scheduled task objects, typically registering a task to autostart at system boot. This facilitates recurring execution of their code. \n\n**_Persistence_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v11/techniques/T1543/003/>) | Vice Society actors modify Windows services to maintain persistence on compromised systems. \nRegistry Run Keys/Startup Folder | [T1547.001](<https://attack.mitre.org/versions/v11/techniques/T1547/001/>) | Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot. \nDLL Side-Loading | [T1574.002](<https://attack.mitre.org/versions/v11/techniques/T1574/002/>) | Vice Society actors may directly side-load their payloads by planting their own DLL and then invoking a legitimate application that executes the payload within that DLL. This serves both as a persistence mechanism and as a means to masquerade actions under legitimate programs. \n\n**_Privilege Escalation_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nExploitation for Privilege Escalation | [T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>) | Vice Society actors have been observed exploiting the PrintNightmare vulnerability ([CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) and [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)) to escalate privileges. \n\n**_Defense Evasion_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nMasquerading | [T1036](<https://attack.mitre.org/versions/v11/techniques/T1036/>) | Vice Society actors may attempt to manipulate features of the files they drop in a victim\u2019s environment to mask the files or make them appear legitimate. \nProcess Injection | [T1055](<https://attack.mitre.org/versions/v11/techniques/T1055/>) | Analysis of Vice Society artifacts revealed the ability to inject code into legitimate processes to evade process-based defenses. This technique has other potential impacts, including privilege escalation and additional access. \nSandbox Evasion | [T1497](<https://attack.mitre.org/versions/v11/techniques/T1497/>) | Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis. \n\n**_Lateral Movement_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nTaint Shared Content | [T1080](<https://attack.mitre.org/versions/v11/techniques/T1080/>) | Vice Society actors may deliver payloads to remote systems by adding content to shared storage locations such as network drives. \n\n**_Exfiltration_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nExfiltration | [TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>) | Vice Society actors are known for double extortion, a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom. \n\n**_Impact_**\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nData Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v11/techniques/T1486/>) | Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability of system and network resources. \nAccount Access Removal | [T1531](<https://attack.mitre.org/versions/v11/techniques/T1531/>) | Vice Society actors run a script to change passwords of victims\u2019 email accounts. \n\n### Mitigations\n\nThe FBI and CISA recommend organizations, particularly the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be located at [www.fbi.gov/contact-us/field-offices](<http://www.fbi.gov/contact-us/field-offices>) and www.cisa.gov/cisa-regions, respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.\n\nThe FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:\n\n**Preparing for Cyber Incidents**\n\n * **Maintain offline backups of data,** and regularly test backup and restoration. This practice ensures the organization will not be severely interrupted or left with irretrievable data.\n * **Ensure all backup data is encrypted, immutable** (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure. 
Ensure your backup data is not already infected.\n * **Review the security posture of third-party vendors and those interconnected with your organization.** Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * **Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs** under an established security policy.\n * **Document and monitor external remote connections.** Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\n * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\n\n**Identity and Access Management**\n\n * **Require all accounts** with password logins (e.g., service accounts, admin accounts, and domain admin accounts) **to comply** with [National Institute of Standards and Technology (NIST) standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies: \n   * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;\n   * Store passwords in hashed format using industry-recognized password managers;\n   * Add password user \u201csalts\u201d to shared login credentials;\n   * Avoid reusing passwords;\n   * Implement multiple failed login attempt account lockouts;\n   * Disable password \u201chints\u201d;\n   * Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. \n**Note:** NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. 
Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher.\n * Require administrator credentials to install software.\n * **Require phishing-resistant multifactor authentication** for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.\n * **Review domain controllers, servers, workstations, and Active Directory** for new and/or unrecognized accounts.\n * **Audit user accounts** with administrative privileges and configure access controls according to the principle of least privilege. \n * **Implement time-based access for accounts set at the admin level and higher.** For example, the Just-in-Time (JIT) access method provisions privileged access only when needed and supports enforcement of the principle of least privilege (as well as the Zero Trust model). Under this approach, a network-wide policy automatically disables admin accounts at the Active Directory level when they are not in active use; individual users submit requests through an automated process that grants them access to a specified system for a set timeframe when they need it to complete a specific task.\n\n**Protective Controls and Architecture**\n\n * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement.\n * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.** To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. 
Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * **Install, regularly update, and enable real-time detection for antivirus software** on all hosts.\n * **Secure and closely monitor** remote desktop protocol (RDP) use. \n   * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n\n**Vulnerability and Configuration Management**\n\n * **Keep all operating systems, software, and firmware up to date.** Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should prioritize patching of vulnerabilities on CISA\u2019s Known Exploited Vulnerabilities catalog.\n * **Disable unused ports.**\n * **Consider adding an email banner to emails** received from outside your organization.\n * **Disable hyperlinks** in received emails.\n * **Disable command-line and scripting activities and permissions.** Privilege escalation and lateral movement often depend on software utilities running from the command line. 
If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.\n * **Ensure devices are properly configured and that security features are enabled.**\n * **Disable ports and protocols that are not being used** for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).\n * **Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB** (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.\n\n### REFERENCES\n\n * [Stopransomware.gov](<https://www.cisa.gov/stopransomware>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.\n * No-cost cyber hygiene services: Cyber Hygiene Services and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/>).\n\n### REPORTING\n\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.\n\nThe FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), or to CISA at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870. 
SLTT government entities can also report to the MS-ISAC ([SOC@cisecurity.org](<mailto:SOC@cisecurity.org>) or 866-787-4722).\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.\n\n### Revisions\n\nSeptember 6, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-08T12:00:00", "type": "ics", "title": "#StopRansomware: Vice Society", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2023-26360"], "modified": "2022-09-08T12:00:00", "id": "AA22-249A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T19:02:35", 
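The RDP-monitoring, account-lockout, and unrecognized-account-review mitigations in the advisory above, worked as an added example that is not part of the advisory or any CISA tooling: a small detector over constructed Windows Security log records (event IDs 4625, 4624 and 4720; logon type 10 is RemoteInteractive, i.e. RDP) that flags a source reaching the lockout threshold within a window, a later successful RDP logon from that source, and creation of an account not on an allowlist. The pipe-separated record format, the threshold and window, the sample addresses and the account names are all assumptions.

```python
"""Added example (not from the advisory): flag RDP brute-force activity and
unrecognized account creation in Windows Security log records.

Assumptions: records are pre-parsed into a simple pipe-separated form
"timestamp|event_id|target_user|logon_type|source_ip"; the threshold and
window mirror an account-lockout policy and are arbitrary sample values."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs used below: 4625 = failed logon, 4624 = successful
# logon, 4720 = user account created. Logon type 10 = RemoteInteractive (RDP).
FAILED_LOGON, SUCCESS_LOGON, ACCOUNT_CREATED = 4625, 4624, 4720
RDP_LOGON_TYPE = "10"

# Constructed sample log (RFC 5737 documentation addresses, invented accounts).
SAMPLE_LOG = """\
2022-09-06T01:00:00|4625|administrator|10|203.0.113.7
2022-09-06T01:00:05|4625|administrator|10|203.0.113.7
2022-09-06T01:00:09|4625|admin|10|203.0.113.7
2022-09-06T01:00:14|4625|jsmith|10|203.0.113.7
2022-09-06T01:00:20|4625|jsmith|10|203.0.113.7
2022-09-06T01:01:02|4624|jsmith|10|203.0.113.7
2022-09-06T01:05:00|4625|mjones|2|192.0.2.44
2022-09-06T01:30:00|4720|svc_backup2|-|-
2022-09-06T09:00:00|4625|mjones|10|192.0.2.44
2022-09-06T09:30:00|4625|mjones|10|192.0.2.44
"""

# Accounts the organization recognizes (assumed allowlist for the sample).
KNOWN_ACCOUNTS = frozenset({"administrator", "jsmith", "mjones"})


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    user: str
    logon_type: str
    source_ip: str


def parse_events(text: str) -> list:
    """Parse the pipe-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), user, ltype, ip))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5),
           known_accounts=frozenset()) -> list:
    """Return alert strings for events given in chronological order.

    A source IP that produces `threshold` RDP logon failures inside `window`
    is flagged once (the point at which a lockout policy would trigger); a later
    successful RDP logon from a flagged source, and any account creation not in
    `known_accounts`, are reported as well."""
    alerts = []
    recent_failures = defaultdict(deque)  # source_ip -> failure timestamps in window
    flagged_sources = set()
    for ev in events:
        if ev.event_id == FAILED_LOGON and ev.logon_type == RDP_LOGON_TYPE:
            q = recent_failures[ev.source_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev.source_ip not in flagged_sources:
                flagged_sources.add(ev.source_ip)
                alerts.append(f"RDP brute force: {len(q)} failed logons from "
                              f"{ev.source_ip} within {window} (last at {ev.ts.isoformat()})")
        elif (ev.event_id == SUCCESS_LOGON and ev.logon_type == RDP_LOGON_TYPE
              and ev.source_ip in flagged_sources):
            alerts.append(f"RDP logon succeeded for {ev.user} from flagged source "
                          f"{ev.source_ip} at {ev.ts.isoformat()}: possible credential compromise")
        elif ev.event_id == ACCOUNT_CREATED and ev.user not in known_accounts:
            alerts.append(f"Unrecognized account created: {ev.user} at {ev.ts.isoformat()}")
    return alerts


def run_sample() -> list:
    """Run the detector over the constructed sample with the allowlist above."""
    return detect(parse_events(SAMPLE_LOG), known_accounts=KNOWN_ACCOUNTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Failures with logon type 2 (interactive, console) are deliberately ignored so that the threshold reflects only remote attempts; the two spaced-out failures from 192.0.2.44 fall outside the window and produce no alert.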
### Summary

_**Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity**_
• Do not click on [suspicious links](<https://us-cert.cisa.gov/ncas/tips/ST04-014>).
• If you use [RDP](<https://www.ic3.gov/Media/Y2018/PSA180927>), secure and monitor it.
\n\u2022 __Use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>)._ \n\u2022 _Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._\n\n__**Note:** This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 9. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.__\n\nThis joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity\u2014by both known and unknown actors\u2014targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of [U.S. Water and Wastewater Systems (WWS) Sector facilities](<https://www.cisa.gov/water-and-wastewater-systems-sector>). This activity\u2014which includes attempts to compromise system integrity via unauthorized access\u2014threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. 
**Note:** although cyber threats across [critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.\n\nTo secure WWS facilities\u2014including Department of Defense (DoD) water treatment facilities in the United States and abroad\u2014against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Threat Overview\n\n#### Tactics, Techniques, and Procedures\n\nWWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.\n\n * Spearphishing personnel to deliver malicious payloads, including ransomware [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566/>)]. \n * Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls.\n * When organizations integrate IT with OT systems, attackers can gain access\u2014either purposefully or inadvertently\u2014to OT assets after the IT network has been compromised through spearphishing and other techniques.\n * Exploitation of internet-connected services and applications that enable remote access to WWS networks [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210/>)]. \n * For example, threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the internet to infect a network with ransomware. 
If the RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.\n * Exploitation of unsupported or outdated operating systems and software. \n * Threat actors likely seek to take advantage of perceived weaknesses among organizations that either do not have\u2014or choose not to prioritize\u2014resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure.\n * The fact that WWS facilities are inconsistently resourced municipal systems\u2014not all of which have the resources to employ consistently high cybersecurity standards\u2014may contribute to the use of unsupported or outdated operating systems and software.\n * Exploitation of control system devices with vulnerable firmware versions. \n * WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data [[T0827](<https://collaborate.mitre.org/attackics/index.php/Technique/T0827>)].\n\n#### WWS Sector Cyber Intrusions\n\nCyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:\n\n * Insider threats, from current or former employees who maintain improperly active credentials\n * Ransomware attacks\n\nWWS Sector cyber intrusions from 2019 to early 2021 include:\n\n * In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. 
The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.\n * In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility\u2019s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.\n * In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim\u2019s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).\n * In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.\n * In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.\n\n### Mitigations\n\nThe FBI, CISA, EPA, and NSA recommend WWS facilities\u2014including DoD water treatment facilities in the United States and abroad\u2014use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.\n\n#### WWS Monitoring\n\nPersonnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:\n\n * Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part;\n * Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack;\n * Detection by SCADA system controls, or by water treatment personnel, of 
abnormal operating parameters\u2014such as unusually high chemical addition rates\u2014used in the safe and proper treatment of drinking water;\n * Access of SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls;\n * Access of SCADA systems at unusual times, which may indicate that a legitimate user\u2019s credentials have been compromised;\n * Unexplained SCADA system restarts;\n * Unchanging parameter values that normally fluctuate.\n\n#### Remote Access Mitigations\n\n**Note:** The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels. \n\n * Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.\n * Utilize [blocklisting and allowlisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>) to limit remote access to users with a verified business and/or operational need.\n * Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.\n * Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.\n * Audit networks for systems using remote access services. 
\n * Close unneeded network ports associated with remote access services (e.g., RDP \u2013 Transmission Control Protocol [TCP] Port 3389).\n * When configuring [access control for a host](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>), utilize custom settings to limit the access a remote party can attempt to acquire.\n\n#### Network Mitigations\n\n * Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network. \n * Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.\n * Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. \n * Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. \n\n#### Planning and Operational Mitigations\n\n * Ensure the organization\u2019s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety. \n * The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.\n * Review, test, and update the emergency response plan on an annual basis to ensure accuracy.\n * Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.\n * Allow employees to gain decision-making experience via [tabletop exercises](<https://www.cisa.gov/publication/cybersecurity-scenarios>) that incorporate loss of visibility and control scenarios. 
Utilize resources such as the Environmental Protection Agency\u2019s (EPA) [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>) as well as the Ransomware Response Checklist on p. 11 of the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).\n\n#### Safety System Mitigations\n\n * Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. \n * Examples of cyber-physical safety system controls include: \n * Size of the chemical feed pump\n * Gearing on valves\n * Pressure switches, etc.\n * These types of controls benefit WWS Sector facilities\u2014especially smaller facilities with limited cybersecurity capability\u2014because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions. Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.\n\n#### Additional Mitigations\n\n * Foster an organizational culture of cyber readiness. See the [CISA Cyber Essentials](<https://www.cisa.gov/publication/cyber-essentials-toolkits>) along with the items listed in the Resources section below for guidance. \n * Update software, including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.\n * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. 
Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. \n * Implement regular data backup procedures on both the IT and OT networks. \n * Regularly test backups.\n * Ensure backups are not connected to the network to prevent the potential spread of ransomware to the backups.\n * When possible, enable OT device authentication, utilize the encrypted version of OT protocols, and encrypt all wireless communications to ensure the confidentiality and authenticity of process control data in transit.\n * Employ user account management to: \n * Remove, disable, or rename any default system accounts wherever possible.\n * Implement account lockout policies to reduce risk from brute-force attacks.\n * Monitor the creation of administrator-level accounts by third-party vendors with robust and privileged account management policies and procedures.\n * Implement a user account policy that includes set durations for deactivation and removal of accounts after employees leave the organization or after accounts reach a defined period of inactivity.\n * Implement data execution prevention controls, such as application allowlisting and software restriction policies that prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers.\n * Train users through awareness and simulations to recognize and report phishing and social engineering attempts. 
Identify and suspend access of users exhibiting unusual activity.\n\nFBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.\n\n### Resources\n\n#### Cyber Hygiene Services\n\nCISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)\u2014including vulnerability scanning and ransomware readiness assessments\u2014to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. \n\n#### Rewards for Justice Reporting\n\nThe U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ website](<https://rewardsforjustice.net/english/malicious_cyber_activity.html>) for more information and how to report information securely.\n\n#### StopRansomware.gov \n\nThe [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:\n\n * CISA and MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf>)\n * CISA Insights: [Ransomware Outbreak](<https://www.cisa.gov/blog/2019/08/21/cisa-insights-ransomware-outbreak-0>)\n * CISA Webinar: [Combating Ransomware](<https://www.youtube.com/watch?v=D8kC07tu27A>)\n\n### Additional Resources\n\nFor additional resources that can assist in preventing and mitigating this activity, see:\n\n * FBI-CISA-EPA-MS-ISAC Joint CSA: [Compromise of U.S. 
Water Treatment Facility](<https://us-cert.cisa.gov/ncas/alerts/aa21-042a>)\n * WaterISAC: [15 Cybersecurity Fundamentals for Water and Wastewater Utilities](<https://www.waterisac.org/fundamentals>)\n * American Water Works Association: [Cybersecurity Guidance and Assessment Tool](<https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance>)\n * EPA: [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: [Cybersecurity Best Practices for the Water Sector](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: Supporting Cybersecurity Measures with the [Clean Water](<https://www.epa.gov/cwsrf>) and [Drinking Water](<https://www.epa.gov/dwsrf>) State Revolving Funds\n * CISA: [Cyber Risks & Resources for the Water and Wastewater Systems Sector](<https://www.cisa.gov/ncf-water>) infographic\n * CISA: [Critical ICS Cybersecurity Performance Goals and Objectives](<https://www.cisa.gov/control-systems-goals-and-objectives>)\n * CISA Fact Sheet: [Rising Ransomware Threat to Operational Technology Assets](<https://www.cisa.gov/publication/ransomware-threat-to-ot>)\n * CISA-MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>)\n * NSA CSA: [Stop Malicious Cyber Activity Against Connected OT](<https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF>)\n * CISA: [Insider Threat Mitigation Resources](<https://www.cisa.gov/publication/insider-threat-mitigation-resources>)\n * NIST: [Special Publication (SP) 800-167, Guide to Application Whitelisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>)\n * NIST: [SP 800-82 Rev. 
2, Guide to Industrial Control Systems (ICS) Security (Section 6.2.1)](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>)\n\n### Disclaimer of Endorsement \n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. \n\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ).\n\n### Revisions\n\nInitial Version: October 14, 2021|October 25, 2021: Corrected typo in Additional Resources\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-10-25T12:00:00", "type": "ics", "title": "Ongoing Cyber Threats to U.S. Water and Wastewater Systems", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-10-25T12:00:00", "id": "AA21-287A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:02:22", "description": "### Summary\n\n_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). 
Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_\n\nThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:\n\n * AA20-352A: [Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>), which primarily focuses on an advanced persistent threat (APT) actor\u2019s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.\n * AA21-008A: [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>), which addresses APT activity within Microsoft 365/Azure environments and offers an overview of\u2014and guidance on\u2014available open-source tools. 
The Alert includes the [CISA-developed Sparrow tool](<https://github.com/cisagov/Sparrow>) that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.\n\nSimilar to [Sparrow](<https://github.com/cisagov/Sparrow>)\u2014which scans for signs of APT compromise within an M365 or Azure environment\u2014CHIRP scans for signs of APT compromise within an on-premises environment.\n\nIn this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.\n\nCHIRP is freely available on the [CISA GitHub Repository](<https://github.com/cisagov>). For additional guidance, watch CISA's [CHIRP Overview video](<https://www.youtube.com/watch?v=UGYSNiNOpds>). **Note:** CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.\n\nCISA advises organizations to use CHIRP to:\n\n * Examine Windows event logs for artifacts associated with this activity;\n * Examine Windows Registry for evidence of intrusion;\n * Query Windows network artifacts; and\n * Apply YARA rules to detect malware, backdoors, or implants.\n\nNetwork defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. 
**Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n### Technical Details\n\n#### How CHIRP Works\n\nCHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts [AA20-352A](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>) and [AA21-008A](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n\nCurrently, the tool looks for:\n\n * The presence of malware identified by security researchers as [TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>) and RAINDROP;\n * Credential dumping certificate pulls;\n * Certain persistence mechanisms identified as associated with this campaign;\n * System, network, and M365 enumeration; and\n * Known observable indicators of lateral movement.\n\nNetwork defenders can follow step-by-step instructions on the [CISA CHIRP GitHub repository](<https://github.com/cisagov/CHIRP>) to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.\n\n#### **Compatibility**\n\nCHIRP currently only scans Windows operating systems.\n\n#### **Instructions**\n\nCHIRP is available on CISA\u2019s GitHub repository in two forms:\n\n 1. A compiled executable\n\n 2. A Python script\n\nCISA recommends using the compiled version to easily scan a system for APT activity. 
For instructions to run, read the README.md in the CHIRP GitHub repository.\n\nIf you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.\n\n### Mitigations\n\n#### Interpreting the Results\n\nCHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. **Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n#### **Frequently Asked Questions**\n\n 1. **What systems should CHIRP run on?**\n\nSystems running SolarWinds Orion or believed to be involved in any resulting lateral movement.\n\n 2. **What should I do with results?**\n\nIngest the JSON results into a SIEM system, web browser, or text editor.\n\n 3. **Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?** \n\n 1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.\n\n 2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. 
CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.\n\n 4. **How often should I run CHIRP?**\n\nCHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.\n\n 5. **Do I need to configure the tool before I run it?**\n\nNo.\n\n 6. **Will CHIRP change or affect anything on the system(s) it runs on?**\n\nNo, CHIRP only scans the system(s) it runs on and makes no active changes.\n\n 7. **How long will it take to run CHIRP?**\n\nCHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.\n\n 8. **If I have questions, who do I contact?**\n\nFor general questions regarding CHIRP, please contact CISA via email at [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov>) or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at <https://us-cert.cisa.gov/report>. For all technical issues or support for CHIRP, please submit issues at the [CISA CHIRP GitHub Repository](<https://github.com/cisagov/CHIRP>). 
\n\n### Revisions\n\nMarch 18, 2021: Initial Publication |April 9, 2021: Fixed PDF (not related to content)|April 15, 2021: Updated with Attribution Statement\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-04-15T12:00:00", "type": "ics", "title": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-04-15T12:00:00", "id": "AA21-077A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-077a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:02:27", "description": "### Summary\n\n_This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 8. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.\n\nTrickBot\u2014first identified in 2016\u2014is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.\n\nTo secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.\n\n### Technical Details\n\nTrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which\u2014if enabled\u2014execute malware (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>)], _Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>)]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. 
(_User Execution: Malicious Link_ [[T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>)], _User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>)]). In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s command and control (C2) server to download TrickBot to the victim\u2019s system (_Command and Scripting Interpreter: JavaScript_ [[T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>)]).\n\nAttackers can use TrickBot to:\n\n * Drop other malware, such as Ryuk and Conti ransomware, or\n * Serve as an Emotet downloader (_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v8/techniques/T1105/>)]).[[1](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)]\n\nTrickBot uses person-in-the-browser attacks to steal information, such as login credentials (_Man in the Browser_ [[T1185](<https://attack.mitre.org/versions/v8/techniques/T1185/>)]). Additionally, some of TrickBot\u2019s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. 
TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (_Reconnaissance_ [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]), to trying to manipulate, interrupt, or destroy systems and data (_Impact_ [[TA0040](<https://attack.mitre.org/tactics/TA0040/>)]).\n\nTrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041/>)], _Resource Hijacking_ [[T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>)], _System Information Discovery_).[[2](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.\n\nFigure 1 lays out TrickBot\u2019s use of enterprise techniques.\n\n_Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot_\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, _TrickBot_ [[S0266](<https://attack.mitre.org/software/S0266/>)] uses the ATT&CK techniques listed in Table 1.\n\n_Table 1: TrickBot ATT&CK techniques for enterprise_\n\n_Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v8/tactics/TA0001/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nPhishing: Spearphishing Attachment | [T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>) | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. \nPhishing: Spearphishing Link | [T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>) | TrickBot has been delivered via malicious links in phishing emails. 
\n \n_Execution_ [[TA0002](<https://attack.mitre.org/versions/v8/tactics/TA0002/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nCommand and Scripting Interpreter: Windows Command Shell | [T1059.003](<https://attack.mitre.org/versions/v8/techniques/T1059/003/>) | TrickBot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine. \nCommand and Scripting Interpreter: JavaScript/JScript | [T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>) | TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s C2 server to download TrickBot to the victim\u2019s system. \nNative API | [T1106](<https://attack.mitre.org/versions/v8/techniques/T1106>) | TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow. \nUser Execution: Malicious Link | [T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>) | TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link. \nUser Execution: Malicious File | [T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>) | TrickBot has attempted to get users to launch malicious documents to deliver its payload. \n \n_Persistence_ [[TA0003](<https://attack.mitre.org/versions/v8/tactics/TA0003/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. 
\nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Privilege Escalation _[[TA0004](<https://attack.mitre.org/versions/v8/tactics/TA0004/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. \nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v8/tactics/TA0005/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nObfuscated Files or Information | [T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>) | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. \nObfuscated Files or Information: Software Packing | [T1027.002](<https://attack.mitre.org/versions/v8/techniques/T1027/002/>) | TrickBot leverages a custom packer to obfuscate its functionality. \nMasquerading | [T1036](<https://attack.mitre.org/versions/v8/techniques/T1036>) | The TrickBot downloader has used an icon to appear as a Microsoft Word document. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. 
\nModify Registry | [T1112](<https://attack.mitre.org/versions/v8/techniques/T1112/>) | TrickBot can modify registry entries. \nDeobfuscate/Decode Files or Information | [T1140](<https://attack.mitre.org/versions/v8/techniques/T1140>) | TrickBot decodes the configuration data and modules. \nSubvert Trust Controls: Code Signing | [T1553.002](<https://attack.mitre.org/versions/v8/techniques/T1553/002/>) | TrickBot has come with a signed downloader component. \nImpair Defenses: Disable or Modify Tools | [T1562.001](<https://attack.mitre.org/versions/v8/techniques/T1562/001/>) | TrickBot can disable Windows Defender. \n \n_Credential Access _[[TA0006](<https://attack.mitre.org/versions/v8/tactics/TA0006/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nInput Capture: Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nUnsecured Credentials: Credentials in Files | [T1552.001](<https://attack.mitre.org/versions/v8/techniques/T1552/001/>) | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials. \nUnsecured Credentials: Credentials in Registry | [T1552.002](<https://attack.mitre.org/versions/v8/techniques/T1552/002/>) | TrickBot has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key. \nCredentials from Password Stores | [T1555](<https://attack.mitre.org/versions/v8/techniques/T1555>) | TrickBot can steal passwords from the KeePass open-source password manager. 
\nCredentials from Password Stores: Credentials from Web Browsers | [T1555.003](<https://attack.mitre.org/versions/v8/techniques/T1555/003/>) | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl. \n \n_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v8/tactics/TA0007/>)]\n\n**Technique Tactic** | **ID** | **Use** \n---|---|--- \nSystem Service Discovery | [T1007](<https://attack.mitre.org/versions/v8/techniques/T1007/>) | TrickBot collects a list of install programs and services on the system\u2019s machine. \nSystem Network Configuration Discovery | [T1016](<https://attack.mitre.org/versions/v8/techniques/T1016>) | TrickBot obtains the IP address, location, and other relevant network information from the victim\u2019s machine. \nRemote System Discovery | [T1018](<https://attack.mitre.org/versions/v8/techniques/T1018>) | TrickBot can enumerate computers and network devices. \nSystem Owner/User Discovery | [T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>) | TrickBot can identify the user and groups the user belongs to on a compromised host. \nPermission Groups Discovery | [T1069](<https://attack.mitre.org/versions/v8/techniques/T1069>) | TrickBot can identify the groups the user on a compromised host belongs to. \nSystem Information Discovery | [T1082](<https://attack.mitre.org/versions/v8/techniques/T1082>) | TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim\u2019s machine. \nFile and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v8/techniques/T1083>) | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. 
\nAccount Discovery: Local Account | [T1087.001](<https://attack.mitre.org/versions/v8/techniques/T1087/001>) | TrickBot collects the users of the system. \nAccount Discovery: Email Account | [T1087.003](<https://attack.mitre.org/versions/v8/techniques/T1087/003>) | TrickBot collects email addresses from Outlook. \nDomain Trust Discovery | [T1482](<https://attack.mitre.org/versions/v8/techniques/T1482>) | TrickBot can gather information about domain trusts by utilizing Nltest. \n \n_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]\n\n**Technique Tactic** | **ID** | **Use** \n---|---|--- \nLateral Tool Transfer | [T1570](<https://attack.mitre.org/versions/v8/techniques/T1570>) | Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol. \n \n_Collection_ [[TA0009](<https://attack.mitre.org/versions/v8/tactics/TA0009/>)]\n\n**Technique Tactic ** | **ID** | **Use** \n---|---|--- \nData from Local System | [T1005](<https://attack.mitre.org/versions/v8/techniques/T1005>) | TrickBot collects local files and information from the victim\u2019s local machine. \nInput Capture:Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nPerson in the Browser | [T1185](<https://attack.mitre.org/versions/v8/techniques/T1185>) | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage. 
\n \n_Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v8/tactics/TA0011/>)]\n\n**Technique Tactic ** | **ID** | **Use** \n---|---|--- \nFallback Channels | [T1008](<https://attack.mitre.org/versions/v8/techniques/T1008>) | TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers. \nApplication Layer Protocol: Web Protocols | [T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>) | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files. \nIngress Tool Transfer | [T1105](<https://attack.mitre.org/versions/v8/techniques/T1105>) | TrickBot downloads several additional files and saves them to the victim's machine. \nData Encoding: Standard Encoding | [T1132.001](<https://attack.mitre.org/versions/v8/techniques/T1132/001>) | TrickBot can Base64-encode C2 commands. \nNon-Standard Port | [T1571](<https://attack.mitre.org/versions/v8/techniques/T1571>) | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. \nEncrypted Channel: Symmetric Cryptography | [T1573.001](<https://attack.mitre.org/versions/v8/techniques/T1573/001>) | TrickBot uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic. \n \n_Exfiltration_ [[TA0010](<https://attack.mitre.org/versions/v8/tactics/TA0010/>)]\n\n**Technique Tactic** | **ID** | **Use** \n---|---|--- \nExfiltration Over C2 Channel | [T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>) | TrickBot can send information about the compromised host to a hardcoded C2 server. 
_Impact_ [[TA0040](<https://attack.mitre.org/versions/v8/tactics/TA0040/>)]

**Technique Title** | **ID** | **Use**
---|---|---
Resource Hijacking | [T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>) | TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency.

### Detection

#### Signatures

CISA developed the following Snort signatures for use in detecting network activity associated with TrickBot. All of them ship with the placeholder `sid:1; rev:1;`, so assign each a unique SID from your local range before loading them into a sensor, and tune the `$HTTP_PORTS`/`$SSL_PORTS` variables to match your environment.

```
alert tcp any [443,447] -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content:"Global Security"; content:"IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)

alert tcp any $SSL_PORTS -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content:"boundary=Arasfjasu7|0d 0a|"; http_header; content:"name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content:"POST"; http_method; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any $HTTP_PORTS -> any any (msg:"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content:"Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content:"content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert icmp any any -> any any (msg:"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'"; sid:1; rev:1; itype:8; content:"hanc"; offset:4; fast_pattern; classtype:bad-unknown;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)"; sid:1; rev:1; flow:established,to_server; content:"POST"; nocase; http_method; content:"host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:"data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
```

### Mitigations

CISA and FBI recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems.
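The Snort rules in the Detection section encode a handful of request-level indicators: two URI shapes (the Anchor `/anchor…` GET and the 32-hex-character exfiltration POST), header combinations (a `WinHTTP loader/1.` User-Agent with an IP-literal Host and no Accept/Referer, the `Arasfjasu7` multipart boundary, `.onion.link` and `tpsci.com` hosts), an ICMP echo-request payload marker, and a default-valued X.509 subject. The following Python is an added example written for this page, not CISA's code or part of the advisory: it re-expresses those checks so they can be run offline over proxy logs, `ssl.getpeercert()`-style subject tuples, or ICMP payloads pulled from a capture. The request objects, IP addresses, and rule labels are constructed for the demonstration, and the certificate rule's extra negative match on one specific commonName encoding is deliberately not reproduced.

```python
"""Added example (not CISA code): TrickBot/Anchor Snort indicators as Python checks."""
import re
from dataclasses import dataclass, field

# GET URI:  pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"
ANCHOR_URI = re.compile(r"^/anchor_?.{3}/[\w_-]+\.[A-F0-9]+/?$")
# POST URI: pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"
EXFIL_URI = re.compile(r"^/[a-z]{3}\d{3}/.+?\.[A-F0-9]{32}/\d{1,3}/")
# Host header as a bare IPv4 literal (exfil rule) or IPv4 with optional port (loader rule)
IP_HOST = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
IP_HOST_PORT = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?$")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        """Case-insensitive header lookup; None when the header is absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def classify_http(req):
    """Return the label of the first Snort rule the request matches, else None."""
    host = req.header("Host") or ""
    has_referer = req.header("Referer") is not None
    has_accept = req.header("Accept") is not None
    user_agent = req.header("User-Agent") or ""
    content_type = req.header("Content-Type") or ""

    if req.method == "GET" and ANCHOR_URI.match(req.uri):
        return "TRICKBOT_ANCHOR"
    if (req.method == "GET" and user_agent.startswith("WinHTTP loader/1.")
            and req.uri.endswith(".png") and IP_HOST_PORT.match(host)
            and not has_accept and not has_referer):
        return "TRICKBOT_WINHTTP_LOADER"
    if (req.method == "POST"
            and content_type.startswith("multipart/form-data; boundary=------Boundary")
            and IP_HOST.match(host) and not has_referer and EXFIL_URI.match(req.uri)):
        return "TRICKBOT_C2_EXFIL"
    if (req.method == "POST" and "boundary=Arasfjasu7" in content_type
            and b'name="proclist"' in req.body and not has_accept and not has_referer):
        return "TRICKBOT_ARASFJASU7"  # Snort rule looks for proclist in its header buffer
    if (req.method == "POST" and ".onion.link" in host.lower()
            and req.body.startswith(b"data=")):
        return "TRICKBOT_ONION_LINK"
    if req.uri.startswith("/56evcxv"):
        return "TRICKBOT_56EVCXV"
    if "tpsci.com" in host.lower():
        return "TRICKBOT_TPSCI"
    return None


def icmp_anchor(icmp_type, payload):
    """itype:8 (echo request) with "hanc" found at or after payload byte 4;
    Snort's offset:4 starts the search there rather than pinning the match."""
    return icmp_type == 8 and payload.find(b"hanc", 4) != -1


def tls_subject_matches(subject):
    """subject in the ssl.getpeercert()['subject'] layout: a tuple of RDNs, each a
    tuple of (attribute, value) pairs. Mirrors the nocase C/L/O checks of the rule."""
    attrs = {name.lower(): value.lower() for rdn in subject for name, value in rdn}
    return (attrs.get("countryname") == "xx"
            and attrs.get("localityname") == "default city"
            and attrs.get("organizationname") == "default company ltd")


# Constructed sample traffic (not observed data): two TrickBot-shaped requests and one benign.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "/anchor_dns/DESKTOP-1.A1B2C3/", {"Host": "198.51.100.20"}),
    HttpRequest("POST", "/lib123/DESKTOP-1_W10.0123456789ABCDEF0123456789ABCDEF/5/",
                {"Host": "203.0.113.7", "User-Agent": "Mozilla/5.0",
                 "Content-Type": "multipart/form-data; boundary=------Boundary",
                 "Content-Length": "512"}),
    HttpRequest("GET", "/index.html", {"Host": "www.example.org", "Accept": "*/*",
                                       "Referer": "https://www.example.org/"}),
]


def scan(requests):
    """Return [(index, rule_label)] for every request that matches a rule."""
    hits = []
    for i, req in enumerate(requests):
        rule = classify_http(req)
        if rule:
            hits.append((i, rule))
    return hits


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {rule}")
```

Note that these checks are deliberately as narrow as the Snort rules: the exfiltration rule, for instance, requires a bare IPv4 Host with no port and no Referer, so a proxy that rewrites either header will hide the match, which is worth remembering when the logs come from a forward proxy rather than a sensor.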
System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.

 * Provide social engineering and phishing training to employees.
 * Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.
 * Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
 * Implement Group Policy Object and firewall rules.
 * Implement an antivirus program and a formalized patch management process.
 * Implement filters at the email gateway and block suspicious IP addresses at the firewall.
 * Adhere to the principle of least privilege.
 * Implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) validation system.
 * Segment and segregate networks and functions.
 * Limit unnecessary lateral communications between network hosts, segments, and devices.
 * Consider using application allowlisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.
 * Enforce multi-factor authentication.
 * Enable a firewall on agency workstations configured to deny unsolicited connection requests.
 * Disable unnecessary services on agency workstations and servers.
 * Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity.
 * Monitor web traffic. Restrict user access to suspicious or risky sites.
 * Maintain situational awareness of the latest threats and implement appropriate access control lists.
 * Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against the network propagation modules used by TrickBot.
 * Visit the MITRE ATT&CK technique pages (linked in table 1 above) for additional mitigation and detection strategies.
 * See CISA's Alert on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more information on addressing potential incidents and applying best practice incident response procedures.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).

### Resources

 * CISA Fact Sheet: TrickBot Malware
 * [MS-ISAC White Paper: Security Primer – TrickBot](<https://www.cisecurity.org/white-papers/security-primer-trickbot/>)
 * [United Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>)
 * [CISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-280a>)
 * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>)

### References

[1] [FireEye Blog - A Nasty Trick: From Credential Theft Malware to Business Disruption](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)

[2] [Eclypsium Blog - TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)

### Revisions

 * March 17, 2021: Initial version
 * March 24, 2021: Added MITRE ATT&CK Technique T1592.003 used for reconnaissance
 * May 20, 2021: Added new MITRE ATT&CK techniques and updated Table 1

Source: CISA Alert AA21-076A, TrickBot Malware, last updated May 20, 2021: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a

---

### Summary

_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework.
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People's Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts. As highlighted in [FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks](<https://us-cert.cisa.gov/ncas/alerts/aa20-239a>) and [Guidance on the North Korean Cyber Threat](<https://us-cert.cisa.gov/ncas/alerts/aa20-106a>), North Korea's state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.[[1](<https://us-cert.cisa.gov/ncas/alerts/aa20-239a>)][[2](<https://home.treasury.gov/news/press-releases/sm924>)][[3](<https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack>)] The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit [https://www.us-cert.cisa.gov/northkorea](<https://us-cert.cisa.gov/northkorea>).

The U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as “AppleJeus.” This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.

Refer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and associated IOCs.

 * [MAR-10322463-1.v1: AppleJeus – Celas Trade Pro](<https://us-cert.gov/ncas/analysis-reports/ar21-048a>)
 * [MAR-10322463-2.v1: AppleJeus – JMT Trading](<https://us-cert.gov/ncas/analysis-reports/ar21-048b>)
 * [MAR-10322463-3.v1: AppleJeus – Union Crypto](<https://us-cert.gov/ncas/analysis-reports/ar21-048c>)
 * [MAR-10322463-4.v1: AppleJeus – Kupay Wallet](<https://us-cert.gov/ncas/analysis-reports/ar21-048d>)
 * [MAR-10322463-5.v1: AppleJeus – CoinGoTrade](<https://us-cert.gov/ncas/analysis-reports/ar21-048e>)
 * [MAR-10322463-6.v1: AppleJeus – Dorusio](<https://us-cert.gov/ncas/analysis-reports/ar21-048f>)
 * [MAR-10322463-7.v1: AppleJeus – Ants2Whale](<https://us-cert.gov/ncas/analysis-reports/ar21-048g>)

### Technical Details

The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of those versions; the MARs listed above provide further technical details of each. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.

### Targeted Nations

HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).

_Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020_

### AppleJeus Versions Note

The version numbers used for headings in this document correspond to the order in which the AppleJeus campaigns were identified in open source or through other investigative means. These versions may or may not be in the order in which the AppleJeus campaigns were developed or deployed.

### AppleJeus Version 1: Celas Trade Pro

#### **Introduction and Infrastructure**

In August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim's computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government. FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]). Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[[4](<https://us-cert.cisa.gov/ncas/alerts/TA17-318A>)]

Further research revealed that a phishing email from a Celas LLC company (_Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002/>)]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to Celas' website, `celasllc[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]), where the victim could download a Windows or macOS version of the trojanized application.

The `celasllc[.]com` domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.

 * `45.199.63[.]220`
 * `107.187.66[.]103`
 * `145.249.106[.]19`
 * `175.29.32[.]160`
 * `185.142.236[.]213`
 * `185.181.104[.]82`
 * `198.251.83[.]27`
 * `208.91.197[.]46`
 * `209.99.64[.]18`

The `celasllc[.]com` domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner's identity or the actual business's existence.

#### **Celas Trade Pro Application Analysis**

#### _**Windows Program**_

The Windows version of the malicious Celas Trade Pro application is an MSI Installer (`.msi`). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software.
The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com (_Obtain Capabilities: Code Signing Certificates_ [[T1588.003](<https://attack.mitre.org/versions/v8/techniques/T1588/003/>)]). The MSI Installer asks the victim for administrative privileges to run (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]).\n\nOnce permission is granted, the threat actor is able to run the program with elevated privileges (_Abuse Elevation Control Mechanism_ [[T1548](<https://attack.mitre.org/versions/v8/techniques/T1548/>)]) and MSI executes the following actions.\n\n * Installs `CelasTradePro.exe` in folder `C:\\Program Files (x86)\\CelasTradePro`\n * Installs `Updater.exe` in folder `C:\\Program Files (x86)\\CelasTradePro`\n * Runs `Updater.exe` with the `CheckUpdate` parameters\n\nThe `CelasTradePro.exe` program asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\nThe `Updater.exe` program has the same program icon as `CelasTradePro.exe`. When run, it checks for the `CheckUpdate` parameter, collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (_Exfiltration Over C2 Channe_l [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. 
The installer looks legitimate and has a valid digital signature from Sectigo (_Obtain Capabilities: Digital Certificates _[[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). It has very similar functionality to the Windows version. The installer executes the following actions.\n\n * Installs `CelasTradePro` in folder `/Applications/CelasTradePro.app/Contents/MacOS/`\n * Installs `Updater` in folder `/Applications/CelasTradePro.app/Contents/MacOS`\n * Executes a `postinstall` script \n * Moves `.com.celastradepro.plist` to folder `LaunchDaemons`\n * Runs `Updater` with the `CheckUpdate` parameter\n\n`CelasTradePro` asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\n`Updater` checks for the `CheckUpdate` parameter and, when found, it collects the victim\u2019s host information (_System Owner/User Discovery _[[T1033]](<https://attack.mitre.org/versions/v8/techniques/T1033>)), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]). This process helps the adversary obtain persistence on a victim\u2019s network.\n\nThe `postinstall` script is a sequence of instructions that runs after successfully installing an application (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). This script moves property list (`plist`) file `.com.celastradepro.plist` from the installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). 
The leading \u201c.\u201d makes it unlisted in the Finder app or default Terminal directory listing (_Hide Artifacts: Hidden Files and Directories_ [[T1564.001](<https://attack.mitre.org/versions/v8/techniques/T1564/001/>)]). Once in the folder, this property list (`plist`) file will launch the `Updater` program with the `CheckUpdate` parameter on system load as Root for every user. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches the `Updater` program with the `CheckUpdate` parameter and runs it in the background (Create or _Modify System Process: Launch Daemon _[[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).\n\n#### **_Payload_**\n\nAfter a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>)]), which eventually drops FALLCHILL onto the machine and installs it as a service (_Create or Modify System Process: Windows Service _[[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (_Encrypted Channel: Symmetric Cryptography_ [[T1573.001](<https://attack.mitre.org/versions/v8/techniques/T1573/001>)]). 
The key employed in these versions has also been used in a previous version of FALLCHILL.[[5](<https://us-cert.cisa.gov/ncas/alerts/TA17-318A>)][[6](<https://attack.mitre.org/versions/v8/software/S0181/>)]

For more details on AppleJeus Version 1: Celas Trade Pro, see [MAR-10322463-1.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048a>).

### AppleJeus Version 2: JMT Trading

#### **Introduction and Infrastructure**

In October 2019, a cybersecurity company identified a new version of the AppleJeus malware—JMT Trading—thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, `jmttrading[.]org` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). This website contained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page (_Acquire Infrastructure: Web Services_ [[T1583.006](<https://attack.mitre.org/versions/v8/techniques/T1583/006>)]), where Windows and macOS X versions of the JMT Trader application were available for download (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]).
The GitHub page also included .zip and tar.gz files containing the source code.

The `jmttrading[.]org` domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.

The `jmttrading[.]org` domain had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence. The current SSL certificate was issued by Let’s Encrypt.

#### **JMT Trading Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for `jmttrading[.]org` (_Obtain Capabilities: Code Signing Certificates_ [[T1588.003](<https://attack.mitre.org/versions/v8/techniques/T1588/003/>)]).
The MSI Installer asks the victim for administrative privileges to run (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]).

Once permission is granted, the MSI executes the following actions.

 * Installs `JMTTrader.exe` in folder `C:\Program Files (x86)\JMTTrader`
 * Installs `CrashReporter.exe` in folder `C:\Users\<username>\AppData\Roaming\JMTTrader`
 * Runs `CrashReporter.exe` with the `Maintain` parameter

The `JMTTrader.exe` program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to `CelasTradePro.exe` and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

The program `CrashReporter.exe` is heavily obfuscated with the ADVObfuscation library, renamed “snowman” (_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>)]). When run, it checks for the `Maintain` parameter and collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]). The program also creates a scheduled SYSTEM task, named `JMTCrashReporter`, which runs `CrashReporter.exe` with the `Maintain` parameter at any user’s login (_Scheduled Task/Job: Scheduled Task_ [[T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005>)]).

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

 * Installs `JMTTrader` in folder `/Applications/JMTTrader.app/Contents/MacOS/`
 * Installs `.CrashReporter` in folder `/Applications/JMTTrader.app/Contents/Resources/`
 * Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing.
 * Executes a `postinstall` script
 * Moves `.com.jmttrading.plist` to folder `LaunchDaemons`
 * Changes the file permissions on the `plist`
 * Runs `CrashReporter` with the `Maintain` parameter
 * Moves `.CrashReporter` to folder `/Library/JMTTrader/CrashReporter`
 * Makes `.CrashReporter` executable

The `JMTTrader` program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to `CelasTradePro` and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

The `CrashReporter` program checks for the `Maintain` parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program’s functionality in detail. When it finds the `Maintain` parameter, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

The `postinstall` script has similar functionality to the one used by `CelasTradePro`, but it has a few additional features (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]).
It moves the property list (`plist`) file `.com.jmttrading.plist` from the Installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]), but also changes the file permissions on the `plist` file. Once in the folder, this property list (`plist`) file will launch the `CrashReporter` program with the `Maintain` parameter on system load as Root for every user. Also, the `postinstall` script moves the `.CrashReporter` program to a new location `/Library/JMTTrader/CrashReporter` and makes it executable. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `CrashReporter` with the `Maintain` parameter and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

Soon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 `beastgoc[.]com` website went offline. There is not a confirmed sample of the payload to analyze at this point.

For more details on AppleJeus Version 2: JMT Trading, see [MAR-10322463-2.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048b>).

### AppleJeus Version 3: Union Crypto

#### **Introduction and Infrastructure**

In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware.
Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, `unioncrypto[.]vip` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). Although this website is no longer available, a cybersecurity researcher discovered a download link, `https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN`, recorded on VirusTotal for the macOS X version of `UnionCryptoTrader`. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim.[[7](<https://securelist.com/operation-applejeus-sequel/95596/>)]

The `unioncrypto[.]vip` domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.

 * `104.168.167[.]16`
 * `198.54.117[.]197`
 * `198.54.117[.]198`
 * `198.54.117[.]199`
 * `198.54.117[.]200`

The domain `unioncrypto[.]vip` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]).
The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Union Crypto Trader Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious cryptocurrency application is a Windows executable (`.exe`) (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]), which acts as an installer that extracts a temporary MSI Installer.

The Windows program executes the following actions.

 * Extracts `UnionCryptoTrader.msi` to folder `C:\Users\<username>\AppData\Local\Temp\{82E4B719-90F74BD1-9CF1-56CD777E0C42}`
 * Runs `UnionCryptoUpdater.msi`
 * Installs `UnionCryptoTrader.exe` in folder `C:\Program Files\UnionCryptoTrader`
 * Installs `UnionCryptoUpdater.exe` in folder `C:\Users\<username>\AppData\Local\UnionCryptoTrader`
 * Deletes `UnionCryptoUpdater.msi`
 * Runs `UnionCryptoUpdater.exe`

The program `UnionCryptoTrader.exe` loads a legitimate-looking cryptocurrency arbitrage application—defined as “the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset”—which exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[[8](<https://github.com/butor/blackbird>)]

The program `UnionCryptoUpdater.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]).
The service is installed with a description stating it “Automatically installs updates for Union Crypto Trader.” When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in a string that is MD5 hashed and stored in the `auth_signature` variable before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

 * Installs `UnionCryptoTrader` in folder `/Applications/UnionCryptoTrader.app/Contents/MacOS/`
 * Installs `.unioncryptoupdater` in folder `/Applications/UnionCryptoTrader.app/Contents/Resources/`
 * Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing
 * Executes a `postinstall` script
 * Moves `.vip.unioncrypto.plist` to folder `LaunchDaemons`
 * Changes the file permissions on the `plist` to Root
 * Runs `unioncryptoupdater`
 * Moves `.unioncryptoupdater` to folder `/Library/UnionCrypto/unioncryptoupdater`
 * Makes `.unioncryptoupdater` executable

The `UnionCryptoTrader` program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.

The `.unioncryptoupdater` program is signed ad-hoc, meaning it is not signed with a valid code-signing identity.
When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in a string that is MD5 hashed and stored in the `auth_signature` variable before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

The `postinstall` script has similar functionality to the one used by JMT Trading (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It moves the property list (`plist`) file `.vip.unioncrypto.plist` from the Installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]), but also changes the file permissions on the `plist` file to Root. Once in the folder, this property list (`plist`) file will launch the `.unioncryptoupdater` on system load as Root for every user. The `postinstall` script moves the `.unioncryptoupdater` program to a new location `/Library/UnionCrypto/unioncryptoupdater` and makes it executable. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `.unioncryptoupdater` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

The payload for the Windows malware is a Windows Dynamic-Link-Library. `UnionCryptoUpdater.exe` does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware.

The macOS X malware’s payload could not be downloaded, as the C2 server is no longer accessible.
Additionally, none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 detailed above.

For more details on AppleJeus Version 3: Union Crypto, see [MAR-10322463-3.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048c>).

### Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto

#### **Hardcoded Values**

In each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined with the time (table 1).

_Table 1: AppleJeus hardcoded values and uses_

**AppleJeus Version** | **Value** | **Use**
---|---|---
1: Celas Trade Pro | Moz&Wie;#t/6T!2y | XOR encryption to send data
1: Celas Trade Pro | W29ab@ad%Df324V$Yd | RC4 decryption
2: JMT Trader Windows | X,%`PMk--Jj8s+6=15:20:11 | XOR encryption to send data
2: JMT Trader OSX | X,%`PMk--Jj8s+6=\x02 | XOR encryption to send data
3: Union Crypto Trader | 12GWAPCT1F0I1S14 | Combined with time for signature

The Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows sample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the `auth_signature`.

As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.

#### **Open-Source Cryptocurrency Applications**

All three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same cryptocurrency application, Q.T.
Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.

#### **Postinstall Scripts, Property List Files, and LaunchDaemons**

The macOS X samples of all three AppleJeus versions contain `postinstall` scripts with similar logic. The Celas LLC `postinstall` script only moves the `plist` file to a new location and launches `Updater` with the `CheckUpdate` parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions and have identical functionality. The additional actions performed by both `postinstall` scripts are to change the file permissions on the `plist`, make a new directory in the `/Library` folder, move `CrashReporter` or `UnionCryptoUpdater` to the newly created folder, and make them executable.

The `plist` files for all three AppleJeus files have identical functionality. They only differ in the files’ names and one default comment that was not removed from the Celas LLC `plist`. As the logic and functionality of the `postinstall` scripts and `plist` files are almost identical, the `LaunchDaemons` created also function the same.

They will all launch the secondary executable as Root on system load for every user.

### AppleJeus Version 4: Kupay Wallet

#### **Introduction and Infrastructure**

On March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company, called Kupay Wallet, on their website `kupaywallet[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).

The domain `www.kupaywallet[.]com` resolved to IP address `104.200.67[.]96` from March 20, 2020, to January 16, 2021.
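The hardcoded XOR keys in table 1 above can be turned into a decoder for captured check-in bodies, and they also show why a fixed key gives no real confidentiality: one captured sample plus a few bytes of known plaintext recovers the whole key. The following is an added example in Python, not code from the advisory or from the malware; it assumes the key is applied as a repeating byte pattern (the advisory does not state the mode) and uses a constructed host-information string, since the real field layout is not published.

```python
"""Decode AppleJeus-style XOR check-in data and recover the key from a sample.

Added example; not code from the advisory or from the malware. Assumption,
not stated in the advisory: the hardcoded key is XORed over the collected
host information as a repeating byte pattern.
"""
import itertools
from typing import Dict

# Hardcoded XOR values exactly as listed in Table 1 of the advisory.
XOR_KEYS: Dict[str, bytes] = {
    "1: Celas Trade Pro": b"Moz&Wie;#t/6T!2y",
    "2: JMT Trader Windows": b"X,%`PMk--Jj8s+6=15:20:11",
    "2: JMT Trader OSX": b"X,%`PMk--Jj8s+6=\x02",
}

# Constructed stand-in for the collected host information (the advisory does
# not publish the real layout); used only to exercise the functions below.
SAMPLE_HOST_INFO = b"host=analyst-mac;user=jdoe;os=macOS 10.15.7;exchange=binance"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated to length; applying it twice restores data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def candidate_decodings(blob: bytes) -> Dict[str, bytes]:
    """Decode a captured check-in body with every Table 1 key.

    An analyst compares the results: the key that produced the capture yields
    readable host information, the others yield garbage.
    """
    return {name: xor_repeating(blob, key) for name, key in XOR_KEYS.items()}


def recover_key(blob: bytes, known_plaintext: bytes, offset: int = 0,
                key_len: int = 16) -> bytes:
    """Recover a repeating XOR key from a capture and a known plaintext fragment.

    Because c[i] = p[i] ^ k[i mod key_len], any key_len consecutive bytes of
    known plaintext (starting at `offset` in the body, e.g. a hostname the
    analyst already knows) give back the entire key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    if offset + key_len > len(blob):
        raise ValueError("fragment runs past the end of the capture")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = blob[offset + i] ^ known_plaintext[i]
    return bytes(key)


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Common leading bytes of two keys (Table 1: the JMT keys share 16)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    captured = xor_repeating(SAMPLE_HOST_INFO, XOR_KEYS["1: Celas Trade Pro"])
    for name, decoded in candidate_decodings(captured).items():
        print(f"{name:>22}: {decoded[:40]!r}")
    # Pretend only the hostname field is known: it sits at offset 5.
    print("recovered key:", recover_key(captured, SAMPLE_HOST_INFO[5:], offset=5))
```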
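The LaunchDaemon pattern shared by the three versions above (a plist dropped into `LaunchDaemons`, a helper moved to a new folder under `/Library`, dot-prefixed names, the `CheckUpdate` or `Maintain` parameter, and execution as Root at system load) can be turned into a triage check over `/Library/LaunchDaemons`. This is an added example in Python, not code from the advisory; both plists it ships are constructed to match the advisory's description, and the Label values are assumed.

```python
"""Triage /Library/LaunchDaemons for the AppleJeus persistence pattern.

Added example; not code from the advisory or from the malware. Each check
corresponds to a trait the advisory reports for the macOS samples.
"""
from __future__ import annotations

import os
import plistlib
import re
from dataclasses import dataclass, field

# Launch parameters the advisory reports for the Celas and JMT updaters.
SUSPECT_ARGS = {"CheckUpdate", "Maintain"}
# Helper layout the advisory reports (/Library/JMTTrader/CrashReporter,
# /Library/Application Support/KupayDaemon/...). A hint only: legitimate
# daemons use this layout as well.
VENDOR_DIR_RE = re.compile(r"^/Library/(?:Application Support/)?[^/]+/[^/]+$")
# Where the advisory reports stage 2 is written before it is launched.
STAGE2_DIR = "/private/tmp/"

# Constructed plist modelled on the advisory's description of the JMT Trader
# daemon; the Label is assumed, the real file was not available.
SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.jmttrading</string>
  <key>ProgramArguments</key>
  <array><string>/Library/JMTTrader/CrashReporter</string><string>Maintain</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
# Constructed benign daemon: runs at load but as a dedicated user, from a
# normal location, with no suspicious parameter.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>Program</key><string>/usr/local/libexec/backupagent</string>
  <key>RunAtLoad</key><true/>
  <key>UserName</key><string>_backup</string>
</dict></plist>
"""


@dataclass
class Finding:
    path: str
    label: str
    program: str
    reasons: list[str] = field(default_factory=list)


def _program_and_args(plist: dict) -> tuple[str, list[str]]:
    """launchd takes the executable from Program, else ProgramArguments[0]."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    return program, args[1:]


def triage_plist(path: str, data: bytes) -> Finding:
    """Score one LaunchDaemon plist; an empty reasons list means nothing matched."""
    plist = plistlib.loads(data)
    program, args = _program_and_args(plist)
    finding = Finding(path, str(plist.get("Label", "")), program)
    if os.path.basename(path).startswith("."):
        finding.reasons.append("dot-prefixed (hidden) plist name")
    if os.path.basename(program).startswith("."):
        finding.reasons.append("dot-prefixed (hidden) executable")
    # LaunchDaemons run as root unless UserName says otherwise.
    if plist.get("RunAtLoad") and not plist.get("UserName"):
        finding.reasons.append("runs at system load as root (no UserName key)")
    if VENDOR_DIR_RE.match(program) or program.startswith(STAGE2_DIR):
        finding.reasons.append(f"executable in a vendor folder or /private/tmp: {program}")
    hits = SUSPECT_ARGS.intersection(args)
    if hits:
        finding.reasons.append(f"launch parameter {sorted(hits)}")
    return finding


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> list[Finding]:
    """Return every plist in the folder that has at least one reason."""
    findings = []
    for name in sorted(os.listdir(directory)):  # listdir does include dotfiles
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                finding = triage_plist(path, fh.read())
        except Exception as exc:  # a plist that will not parse is worth a look too
            finding = Finding(path, "", "", [f"could not parse: {exc}"])
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_launch_daemons():
        print(f.path, f.label, f.program, *f.reasons, sep="\n  ")
```

Run on a Mac it reports live daemons; the two constructed samples can be written to any folder and passed as `directory` to check the logic offline.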
CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is located in New York, NY.

The domain `www.kupaywallet[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Kupay Wallet Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions.

 * Installs `Kupay.exe` in folder `C:\Program Files (x86)\Kupay`
 * Installs `KupayUpgrade.exe` in folder `C:\Users\<username>\AppData\Roaming\KupaySupport`
 * Runs `KupayUpgrade.exe`

The program `Kupay.exe` loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of malicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based company BitPay.

The program `KupayUpgrade.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]).
The service is installed with a description stating it is an “Automatic Kupay Upgrade.” When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

 * Installs `Kupay` in folder `/Applications/Kupay.app/Contents/MacOS/`
 * Installs `kupay_upgrade` in folder `/Applications/Kupay.app/Contents/MacOS/`
 * Executes a `postinstall` script
 * Creates `KupayDaemon` folder in `/Library/Application Support` folder
 * Moves `kupay_upgrade` to the new folder
 * Moves `com.kupay.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`
 * Runs the command `launchctl load` to load the `plist` without a restart
 * Runs `kupay_upgrade` in the background

`Kupay` is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet program (fully functional), and its functionality is identical to the Windows `Kupay.exe` program.

The `kupay_upgrade` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named “Kupay Wallet 9.0.1 (Check Update Osx)” (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).
If the C2 server returns a file, it is decoded and written to the victim’s folder `/private/tmp/kupay_update` with permissions set by the command `chmod 700` (only the user can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). Stage 2 is then launched, and the malware, `kupay_upgrade`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).

The `postinstall` script has similar functionality to other AppleJeus scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It creates the `KupayDaemon` folder in the `/Library/Application Support` folder and then moves `kupay_upgrade` to the new folder. It moves the property list (`plist`) file `com.kupay.pkg.wallet.plist` from the Installer package to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). The script runs the command `launchctl load` to load the `plist` without a restart (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). But, since the LaunchDaemon will not run automatically after the `plist` file is moved, the `postinstall` script launches `kupay_upgrade` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

The Windows malware’s payload could not be downloaded since the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload.
The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc.

For more details on AppleJeus Version 4: Kupay Wallet, see [MAR-10322463-4.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048d>).

### AppleJeus Version 5: CoinGoTrade

#### **Introduction and Infrastructure**

In early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on their website `coingotrade[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).

The domain `CoinGoTrade[.]com` resolved to IP address `198.54.114[.]175` from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as `Dorusio[.]com` and `Ants2Whale[.]com`.

The domain `CoinGoTrade[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **CoinGoTrade Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious application is an MSI Installer.
The installer appears to be legitimate and will execute the following actions.

 * Installs `CoinGoTrade.exe` in folder `C:\Program Files (x86)\CoinGoTrade`
 * Installs `CoinGoTradeUpdate.exe` in folder `C:\Users\<username>\AppData\Roaming\CoinGoTradeSupport`
 * Runs `CoinGoTradeUpdate.exe`

`CoinGoTrade.exe` loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

`CoinGoTradeUpdate.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). The service is installed with a description stating it is an “Automatic CoinGoTrade Upgrade.” When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

 * Installs `CoinGoTrade` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`
 * Installs `CoinGoTradeUpgradeDaemon` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`
 * Executes a `postinstall` script
 * Creates `CoinGoTradeService` folder in `/Library/Application Support` folder
 * Moves `CoinGoTradeUpgradeDaemon` to the new folder
 * Moves `com.coingotrade.pkg.product.plist` to folder `/Library/LaunchDaemons/`
 * Runs `CoinGoTradeUpgradeDaemon` in the background

The `CoinGoTrade` program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program.

The `CoinGoTradeUpgradeDaemon` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named “CoinGoTrade 1.0 (Check Update Osx)” (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]). If the C2 server returns a file, it is decoded and written to the victim’s folder `/private/tmp/updatecoingotrade` with permissions set by the command `chmod 700` (only the user can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). Stage 2 is then launched, and the malware, `CoinGoTradeUpgradeDaemon`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).

The `postinstall` script has similar functionality to the other scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]) and installs `CoinGoTrade` and `CoinGoTradeUpgradeDaemon` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`.
It moves the property list (`plist`) file `com.coingotrade.pkg.product.plist` to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `CoinGoTradeUpgradeDaemon` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

The Windows malware’s payload could not be downloaded because the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a file was submitted to VirusTotal by the same user on the same date as the macOS X `CoinGoTradeUpgradeDaemon`. These clues suggest that the submitted file may be related to the macOS X version of the malware and the downloaded payload.

The file `prtspool` is a 64-bit Mach-O executable with a large variety of features that have all been confirmed as functionality. The file has three C2 URLs hardcoded into the file and communicates to these with HTTP POST multipart-form data boundary string. Like other HIDDEN COBRA malware, `prtspool` uses format strings to store data collected about the system and sends it to the C2s.

For more details on AppleJeus Version 5: CoinGoTrade, see [MAR-10322463-5.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048e>).

### AppleJeus Version 6: Dorusio

#### **Introduction and Infrastructure**

In March 2020, an additional version of the AppleJeus malware was identified.
This time the malware was marketed and distributed by a legitimate-looking company called Dorusio on their website, `dorusio[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). Researchers collected samples for Windows and macOS X versions of the Dorusio Wallet (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]). As of at least early 2020, the actual download links result in `404` errors. The download page has release notes with version revisions claiming to start with version 1.0.0, released on April 15, 2019.

The domain `dorusio[.]com` resolved to IP address `198.54.115[.]51` from March 30, 2020 to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as `CoinGoTrade[.]com` and `Ants2Whale[.]com`.

The domain `dorusio[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Dorusio Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious application is an MSI Installer.
The installer appears to be legitimate and will install the following two programs.

* Installs `Dorusio.exe` in folder `C:\Program Files (x86)\Dorusio`
* Installs `DorusioUpgrade.exe` in folder `C:\Users\<username>\AppData\Roaming\DorusioSupport`
* Runs `DorusioUpgrade.exe`

The program `Dorusio.exe` loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

The program `DorusioUpgrade.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). The service is installed with the description “Automatic Dorusio Upgrade.” When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information into strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

#### _**macOS X Program**_

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

* Installs `Dorusio` in folder `/Applications/Dorusio.app/Contents/MacOS/`
* Installs `Dorusio_upgrade` in folder `/Applications/Dorusio.app/Contents/MacOS/`
* Executes a `postinstall` script
* Creates `DorusioDaemon` folder in `/Library/Application Support` folder
* Moves `Dorusio_upgrade` to the new folder
* Moves `com.dorusio.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`
* Runs `Dorusio_upgrade` in the background

The `Dorusio` program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program. Aside from the Dorusio logo and two new services, the wallet appears to be the same as the Kupay Wallet. This application seems to be a modification of the open-source cryptocurrency wallet Copay distributed by Atlanta-based company BitPay.

The `Dorusio_upgrade` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named “_Dorusio Wallet 2.1.0 (Check Update Osx)_” (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]). If the C2 server returns a file, it is decoded and written to the victim’s folder `/private/tmp/Dorusio_update` with permissions set by the command `chmod 700` (only the user can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]).
Stage 2 is then launched, and the malware, `Dorusio_upgrade`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).

The `postinstall` script has similar functionality to other AppleJeus scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It creates the `DorusioDaemon` folder in the `/Library/Application Support` folder and then moves `Dorusio_upgrade` to the new folder. It moves the property list (`plist`) file `com.dorusio.pkg.wallet.plist` from the Installer package to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `Dorusio_upgrade` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### _**Payload**_

Neither the Windows nor the macOS X malware payload could be downloaded; the C2 server is no longer accessible.
The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or the Windows stage 2 from Union Crypto.

For more details on AppleJeus Version 6: Dorusio, see [MAR-10322463-6.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048f>).

### AppleJeus 4, 5, and 6 Installation Conflicts

If a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they will encounter installation conflicts.

If Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:

* Pop-up windows appear, stating a more recent version of the program is already installed.

If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:

* `Kupay.exe` will be installed in the `C:\Program Files (x86)\CoinGoTrade\` folder.
* All `CoinGoTrade` files will be deleted.
* The folders and files contained in `C:\Users\<username>\AppData\Roaming\CoinGoTradeSupport` will remain installed.
* `KupayUpgrade.exe` is installed in the new folder `C:\Users\<username>\AppData\Roaming\KupaySupport`.

If Dorusio is already installed on a system and the user attempts to install Kupay Wallet:

* `Kupay.exe` will be installed in the `C:\Program Files (x86)\Dorusio\` folder.
* All `Dorusio.exe` files will be deleted.
* The folders and files contained in `C:\Users\<username>\AppData\Roaming\DorusioSupport` will remain installed.
* `KupayUpgrade.exe` is installed in the new folder `C:\Users\<username>\AppData\Roaming\KupaySupport`.

### AppleJeus Version 7: Ants2Whale

#### **Introduction and Infrastructure**

In late 2020, a new version of AppleJeus was identified called “Ants2Whale.” The site for this version of AppleJeus is `ants2whale[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).
The website shows a legitimate-looking cryptocurrency company and application. The website contains multiple spelling and grammar mistakes, indicating the creator may not have English as a first language. The website states that to download Ants2Whale, a user must contact the administrator, as their product is a “premium package” (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]).

The domain `ants2whale[.]com` resolved to IP address `198.54.114[.]237` from September 23, 2020, to January 22, 2021. The IP address is controlled by NameCheap, Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as `CoinGoTrade[.]com` and `Dorusio[.]com`.

The domain `ants2whale[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Ants2Whale Application Analysis**

#### **_Windows Program_**

As of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X version detailed below.

#### _**macOS X Program**_

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

* Installs `Ants2Whale` in folder `/Applications/Ants2whale.app/Contents/MacOS/Ants2whale`
* Installs `Ants2WhaleHelper` in folder `/Library/Application Support/Ants2WhaleSupport/`
* Executes a `postinstall` script
* Moves `com.Ants2whale.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`
* Runs `Ants2WhaleHelper` in the background

The `Ants2Whale` and `Ants2WhaleHelper` programs and the `postinstall` script function almost identically to previous versions of AppleJeus and will not be discussed in depth in this advisory.

For more details on AppleJeus Version 7: Ants2Whale, see [MAR-10322463-7.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048g>).

### ATT&CK Profile

Figure 2 and table 2 provide summaries of the MITRE ATT&CK techniques observed.

_Figure 2: MITRE ATT&CK enterprise techniques used by AppleJeus_

_Table 2: MITRE ATT&CK techniques observed_

**Tactic Title** | **Technique ID** | **Technique Title**
---|---|---
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1583.001 | Acquire Infrastructure: Domain
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1583.006 | Acquire Infrastructure: Web Services
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1587.001 | Develop Capabilities: Malware
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1588.003 | Obtain Capabilities: Code Signing Certificates
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1588.004 | Obtain Capabilities: Digital Certificates
[Initial Access [TA0001]](<https://attack.mitre.org/versions/v8/tactics/TA0001>) | T1566.002 | Phishing: Spearphishing Link
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1059 | Command and Scripting Interpreter
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1059.004 | Command and Scripting Interpreter: Unix Shell
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1204.002 | User Execution: Malicious File
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1053.004 | Scheduled Task/Job: Launchd
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1543.004 | Create or Modify System Process: Launch Daemon
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1547 | Boot or Logon Autostart Execution
[Privilege Escalation [TA0004]](<https://attack.mitre.org/versions/v8/tactics/TA0004>) | T1053.005 | Scheduled Task/Job: Scheduled Task
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1027 | Obfuscated Files or Information
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1548 | Abuse Elevation Control Mechanism
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1564.001 | Hide Artifacts: Hidden Files and Directories
[Discovery [TA0007]](<https://attack.mitre.org/versions/v8/tactics/TA0007>) | T1033 | System Owner/User Discovery
[Exfiltration [TA0010]](<https://attack.mitre.org/versions/v8/tactics/TA0010>) | T1041 | Exfiltration Over C2 Channel
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1071.001 | Application Layer Protocol: Web Protocols
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1573 | Encrypted Channel
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1573.001 | Encrypted Channel: Symmetric Cryptography

### Mitigations

### Compromise Mitigations

Organizations that identify AppleJeus malware within their networks should take immediate action.
Initial actions should include the following steps.

* Contact the FBI, CISA, or Treasury immediately regarding any identified activity related to AppleJeus. (Refer to the Contact Information section below.)
* Initiate your organization’s incident response plan.
* Generate new keys for wallets, and/or move to new wallets.
* Introduce a two-factor authentication solution as an extra layer of verification.
* Use hardware wallets, which keep the private keys in a separate, secured storage area.
* To move funds out of a compromised wallet:
  * Do not use the malware listed in this advisory to transfer funds, and
  * Form all transactions offline and then broadcast them to the network all at once in a short online session, ideally prior to the attacker accessing them.
* Remove impacted hosts from the network.
* Assume the threat actors have moved laterally within the network and downloaded additional malware.
* Change all passwords to any accounts associated with impacted hosts.
* Reimage impacted host(s).
* Install anti-virus software to run daily deep scans of the host.
* Ensure your anti-virus software is set up to download the latest signatures daily.
* Install host-based intrusion detection system (HIDS) software and keep it up to date.
* Ensure all software and hardware are up to date, and all patches have been installed.
* Ensure a network-based firewall is installed and/or up to date.
* Ensure the firewall’s firmware is up to date.

### Pro-Active Mitigations

Consider the following recommendations for defense against AppleJeus malware and related activity.

#### _Cryptocurrency Users_

* Verify the source of cryptocurrency-related applications.
* Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
* Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.
* Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
* Consider having a dedicated device for cryptocurrency management.

#### _Financial Service Companies_

* Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at [https://ithandbook.ffiec.gov](<https://ithandbook.ffiec.gov/>), especially those related to information security.
* Report suspicious cyber and financial activities.
For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime at <https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf> and FinCEN’s Section 314(b) Fact Sheet at <https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf>.

#### _Cryptocurrency Businesses_

* Verify compliance with the Cryptocurrency Security Standard at <http://cryptoconsortium.github.io/CCSS/>.

#### _All Organizations_

* Incorporate IOCs identified in CISA’s Malware Analysis Reports on <https://us-cert.cisa.gov/northkorea> into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
* See table 3 below, which provides a summary of preventative ATT&CK mitigations based on observed techniques.

_Table 3: MITRE ATT&CK mitigations based on observed techniques_

**Mitigation** | **Description**
---|---
[User Training [M1017]](<https://attack.mitre.org/versions/v8/mitigations/M1017>) | Train users to identify social engineering techniques and spearphishing emails.
[User Training [M1017]](<https://attack.mitre.org/versions/v8/mitigations/M1017>) | Provide users with awareness of common phishing and spearphishing techniques and raise suspicion for potentially malicious events.
[User Account Management [M1018]](<https://attack.mitre.org/versions/v8/mitigations/M1018>) | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
[User Account Management [M1018]](<https://attack.mitre.org/versions/v8/mitigations/M1018>) | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
[SSL/TLS Inspection [M1020]](<https://attack.mitre.org/versions/v8/mitigations/M1020>) | Use SSL/TLS inspection to see encrypted sessions’ contents to look for network-based indicators of malware communication protocols.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if the activity cannot be monitored well or poses a significant risk.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Block script extensions to prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Employ an adblocker to prevent malicious code served up through ads from executing.
[Restrict File and Directory Permissions [M1022]](<https://attack.mitre.org/versions/v8/mitigations/M1022>) | Prevent all users from writing to the `/Library/StartupItems` directory to prevent any startup items from getting registered, since `StartupItems` are deprecated.
[Privileged Account Management [M1026]](<https://attack.mitre.org/versions/v8/mitigations/M1026>) | When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
[Privileged Account Management [M1026]](<https://attack.mitre.org/versions/v8/mitigations/M1026>) | Configure the Increase Scheduling Priority option only to allow the Administrators group the rights to schedule a priority process.
[Operating System Configuration [M1028]](<https://attack.mitre.org/versions/v8/mitigations/M1028>) | Configure settings for scheduled tasks to force tasks to run under the authenticated account’s context instead of allowing them to run as SYSTEM.
[Network Intrusion Prevention [M1031]](<https://attack.mitre.org/versions/v8/mitigations/M1031>) | Use network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and mitigate activity at the network level.
[Execution Prevention [M1038]](<https://attack.mitre.org/versions/v8/mitigations/M1038>) | Use application control tools where appropriate.
[Execution Prevention [M1038]](<https://attack.mitre.org/versions/v8/mitigations/M1038>) | Use application control tools to prevent the running of executables masquerading as other files.
[Behavior Prevention on Endpoint [M1040]](<https://attack.mitre.org/versions/v8/mitigations/M1040>) | Configure endpoint (if possible) to block some process injection types based on common sequences of behavior during the injection process.
[Disable or Remove Feature or Program [M1042]](<https://attack.mitre.org/versions/v8/mitigations/M1042>) | Disable or remove any unnecessary or unused shells or interpreters.
[Code Signing [M1045]](<https://attack.mitre.org/versions/v8/mitigations/M1045>) | Where possible, only permit the execution of signed scripts.
[Audit [M1047]](<https://attack.mitre.org/versions/v8/mitigations/M1047>) | Audit logging for `launchd` events in macOS can be reviewed or centrally collected using multiple options, such as Syslog, OpenBSM, or OSquery.
[Audit [M1047]](<https://attack.mitre.org/versions/v8/mitigations/M1047>) | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.
[Antivirus/Antimalware [M1049]](<https://attack.mitre.org/versions/v8/mitigations/M1049>) | Use an antivirus program to quarantine suspicious files automatically.

### Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

* The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>),
* CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or
* Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or [OCCIP-Coord@treasury.gov](<mailto:OCCIP-Coord@treasury.gov>)).

### Revisions

February 17, 2021: Initial Version

April 15, 2021: Updated MITRE ATT&CK technique from Command and Scripting Interpreter: AppleScript [T1059.002] to Command and Scripting Interpreter: Unix Shell [T1059.004].

_Advisory AA21-048A, “AppleJeus: Analysis of North Korea’s Cryptocurrency Malware” (updated April 15, 2021): <https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a>_

### Summary

_This Advisory uses the
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_

This Alert is a companion alert to [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>). AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.
These tactics, techniques, and procedures (TTPs) feature three key components:

* Compromising or bypassing federated identity solutions;
* Using forged authentication tokens to move laterally to Microsoft cloud environments; and
* Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

**Note**: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

### Technical Details

Frequently, CISA has observed the APT actor gaining _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v8/tactics/TA0001/>)] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[[1]](<https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/>) However, CISA is investigating instances in which the threat actor may have obtained initial access by _Password Guessing_ [[T1110.001](<https://attack.mitre.org/versions/v8/techniques/T1110/001/>)], _Password Spraying_ [[T1110.003](<https://attack.mitre.org/versions/v8/techniques/T1110/003>)], and/or exploiting inappropriately secured administrative or service credentials (_Unsecured Credentials_ [[T1552](<https://attack.mitre.org/versions/v8/techniques/T1552/>)]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for _Privilege Escalation_
[[TA0004](<https://attack.mitre.org/versions/v8/tactics/TA0004/>)] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]) through trust boundaries, evade defenses and detection (_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v8/tactics/TA0005/>)]), and steal sensitive data (_Collection_ [[TA0009](<https://attack.mitre.org/versions/v8/tactics/TA0009/>)]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

### Mitigations

#### Detection

Guidance on identifying affected SolarWinds software is well documented.[[2]](<https://www.cisa.gov/supply-chain-compromise>) However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors.
Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[[3]](<https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095>)

#### Detection Tools

_CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA._

There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[[4]](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/>) Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

* CISA's Sparrow,
* Open-source utility Hawk, and
* CrowdStrike's Azure Reporting Tool (CRT).

Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

**Note**: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open-source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

#### General Guidance on Using Detection Tools

1. Audit the creation and use of service principal credentials.
Look for unusual application usage, such as use of dormant applications.
2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.

#### Sparrow

CISA created [Sparrow](<https://github.com/cisagov/Sparrow>) to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

_(Updated April 8, 2021):_ CISA has also created "Aviary," which is a companion Splunk dashboard that can assist in visualizing and reviewing the output of Sparrow. Network defenders can find Aviary on [CISA's Sparrow GitHub page](<https://github.com/cisagov/Sparrow>). CISA advises network defenders to perform the following actions to use Sparrow:

1. Use Sparrow to detect any recent domain authentication or federation modifications.
   1. Domain and federation modification operations are uncommon and should be investigated.
2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
   1. Create a timeline for all credential changes, focusing on recent wholesale changes.
   2. Review the “top actors” for activity in the environment and the number of credential modifications performed.
   3. Monitor changes in application and service principal credentials.
   4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
4. Use Sparrow to detect `OAuth` consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens.
   1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
6. Review the PowerShell logs that Sparrow exports.
   1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
   2. Review PowerShell usage for users with PowerShell in the environment.
7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
   1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy <https://graph.windows.net/> or <https://graph.microsoft.com>). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
   1. The MailItemsAccessed event provides auditability for mailbox data accessed via mail protocols or clients.
   2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[[5]](<https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide>)
   3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
   4. Check for changes to applications with regard to the accessing of resources such as mail or file items.

_(Updated April 8, 2021):_ Aviary can be used to assist with performing the above tasks. To install Aviary, after running Sparrow:

1. Ingest comma-separated values (CSV) output from the Sparrow PowerShell script into Splunk.
   1. Sparrow output will have the following default filenames, which should not be modified: `AppUpdate_Operations_Export.csv`, `AppRoleAssignment_Operations_Export.csv`, `Consent_Operations_Export.csv`, `Domain_List.csv`, `Domain_Operations_Export.csv`, `FileItems_Operations_Export.csv`, `MailItems_Operations_Export.csv`, `PSLogin_Operations_Export.csv`, `PSMailbox_Operations_Export.csv`, `SAMLToken_Operations_Export.csv`, `ServicePrincipal_Operations_Export.csv`
2. Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.
3.
Use the data selection filters to point to the indexed Sparrow data (see figure 1)\n\n\n\nFigure 1: Data Selection Filters\n\n#### Hawk\n\nHawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.\n\nHawk users should review login details for administrator accounts and take the following steps.\n\n#### CrowdStrike Azure Reporting Tool\n\n[CrowdStrike's Azure Reporting Tool ](<https://github.com/CrowdStrike/CRT>)(CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their Azure AD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.\n\n#### Detection Tool Distinctions\n\n#### Detection Methods\n\nMicrosoft breaks the threat actor\u2019s recent activity into four primary stages, which are described below along with associated detection methods. 
Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[[6]](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 >)\n\nNote: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud(e.g., without leveraging the SolarWinds Orion vulnerability).\n\n**Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider**\n\nThese attacks (often referred to as \u201cGolden Security Assertion Markup Language\u201d attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[[7]](<https://www.sygnia.co/golden-saml-advisory>) For example, network defenders can use `OAuth` claims for specific principals made at the Azure AD level and compare them to the on-premises identity.\n\nExport sign-in logs from the Azure AD portal and look at the Authentication Method field.\n\n**Note**: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). 
Without Sentinel, this is the only way to get these logs, which are critical for this effort.\n\n**_Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers_**\n\nUsing SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.\n\n**_Detection Method 2: Identifying certificate export events in ADFS_**\n\nLook for:\n\n**_Detection Method 3: Customizing SAML response to identify irregular access_**\n\nThis method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[[8]](<https://www.sygnia.co/golden-saml-advisory>)\n\n**_Detection Method 4: Detecting malicious ADFS trust modification_**\n\nA threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[[9]](<https://www.sygnia.co/golden-saml-advisory>) \nNetwork defenders should look for:\n\n**Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as Azure AD (establishing a foothold)**\n\nAfter the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).\n\nThe threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. 
Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).\n\nNetwork defenders should take the following steps.\n\n**Stage 3: Acquiring an `OAuth` access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application**\n\nIn some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[[11]](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 >)\n\nNetwork defenders should use Sparrow to:\n\n**Stage 4: Once access has been established, the threat actor Uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).**\n\nNetwork defenders should:\n\n#### Microsoft Telemetry Nuances\n\nThe existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.\n\nService principal logging is available using the Azure Portal via the \"Service Principal Sign-ins\" feature. 
Enable settings in the Azure Portal (see \u201cDiagnostic Setting\u201d) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[[12]](<https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins >) These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.\n\nGlobal Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, \"There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.\"[[13]](<https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/>)\n\nDocumentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.\n\nThe use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. 
CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.\n\nA properly configured SIEM can provide:\n\nBuilt-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[[14]](<https://splunkbase.splunk.com/app/3786/>) However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.\n\n 1. Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk. \n 1. Sparrow output will have the following default filenames, which should not be modified: `AppUpdate_Operations_Export.csv`,`AppRoleAssignment_Operations_Export.csv`, `Consent_Operations_Export.csv`, `Domain_List.csv`, `Domain_Operations_Export.csv`, `FileItems_Operations_Export.csv`, `MailItems_Operations_Export.csv`, `PSLogin_Operations_Export.csv`, `PSMailbox_Operations_Export.csv`, `SAMLToken_Operations_Export.csv`, `ServicePrincipal_Operations_Export.csv`\n 2. Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.\n 3. Use the data selection filters to point to the indexed Sparrow data (see figure 1)\n 4. 1. Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).\n 2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes. \n\n 1. PowerShell logging does not reveal the exact `cmdlet` that was run on the tenant.\n 3. Look for users with unusual sign-in locations, dates, and times.\n 4. 
Check permissions of service principals and applications in M365/Azure AD.\n 5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.\n 6. Review mailbox rules and recent mailbox rule changes.\n * Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.\n * CRT focuses on the tenant\u2019s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.\n * CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.\n * As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.\n * CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.\n * Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.\n 1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.\n 2. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique.\n 3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \\microsoft##wid\\tsql\\query (exclude processes regularly making this pipe connection on the machine).\n 4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).\n 5. 
Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.) \n 1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.\n 6. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.\n 7. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials. \n\n 1. Look for unusual application usage, such as dormant or forgotten applications being used again.\n 2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.\n 8. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.).[[10]](<https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs >)\n 9. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.\n 10. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.\n 11. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor\u2019s attempts to gain persistence.\n 12. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.\n 13. Create a timeline for all credential changes.\n 14. 
Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).\n 15. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions). \n\n 1. Export and view this activity via the ServicePrincipal_Operations_Export.\n 16. Record `OAuth` consent and consent to applications \n\n 1. Export and view this record via the Consent_Operations_Export file.\n 17. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph. \n\n 1. Review Microsoft Graph API permissions granted to service principals.\n 2. Export and view this activity via the ApplicationGraphPermissions csv file. \n\n 1. **Note:** Hawk can also return the full list of service principal permissions for further investigation.\n 3. Review top actors and the amount of credential modifications performed.\n 4. Monitor changes in application credentials.\n 18. Identify manipulation of custom or third-party applications. \n\n 1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.\n 19. Review modifications to federation trust settings. \n\n 1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor. \n 1. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.\n 20. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail).\n 21. 
Query the specific application ID, using the Sparrow script\u2019s app ID investigation capability to interrogate mail and file items accessed for that applicationID (Use the application ID utility for any other suspicious apps that require additional analysis.).\n 22. Check the permissions of an application in M365/Azure AD using Sparrow. \n\n 1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.\n 2. Network defenders will see the IP address that Graph API uses.\n 3. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.\n 23. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.\n 24. Longer term storage of log data.\n 25. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.\n 26. Ability to query use of application connectors in Azure.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [central@cisa.dhs.gov ](<mailto:central@cisa.dhs.gov>)(UNCLASS)\n * us-cert@dhs.sgov.gov (SIPRNET)\n * us-cert@dhs.ic.gov (JWICS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA/US-CERT homepage at <http://www.us-cert.cisa.gov/>.

### Resources

Azure Active Directory Workbook to Assess Solorigate Risk: <https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718>

Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: <https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/>

How to Find Activity with Sentinel: <https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/>

Third-Party Walkthrough of the Attack: <https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/>

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: <https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF>

Microsoft 365 App for Splunk: <https://splunkbase.splunk.com/app/3786/>

CISA Remediation Guidance: <https://us-cert.cisa.gov/ncas/alerts/aa20-352a>

### References

[[1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems](<https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/>)

[[2] CISA: Supply Chain Compromise](<https://www.cisa.gov/supply-chain-compromise>)

[[3] Microsoft: SolarWinds Post-Compromise Hunting with Azure Sentinel](<https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095>)

[[4] Microsoft: Solorigate Resource Center](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/>)

[[5] Microsoft: Advanced Audit in Microsoft 365](<https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide>)

[[6] Microsoft: Understanding "Solorigate's" Identity IOCs](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)

[[7] Detection and Hunting of Golden SAML Attack](<https://www.sygnia.co/golden-saml-advisory>)

[[8] Ibid.](<https://www.sygnia.co/golden-saml-advisory>)

[[9] Ibid.](<https://www.sygnia.co/golden-saml-advisory>)

[[10] Microsoft: AADServicePrincipalSignInLogs](<https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs>)

[[11] Microsoft: Understanding "Solorigate's" Identity IOCs](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)

[[12] Microsoft: Azure Active Directory Sign-in Activity Reports](<https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins>)

[[13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory](<https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/>)

[[14] Microsoft 365 App for Splunk](<https://splunkbase.splunk.com/app/3786/>)

### Revisions

Initial version: January 8, 2021 | February 4, 2021: Removed link and section for outdated product feedback form | April 8, 2021: Added Aviary Dashboard information | April 15, 2021: Added Attribution Statement

Source: CISA Alert AA21-008A, "Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments", <https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a>

### Summary

_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

### Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with malicious VBA macro code (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)]).
The malicious code can change the font color from light grey to black (to fool the user into enabling content), check whether the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)]).

Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies `certutil.exe` into a temp directory and renames it to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.

### MITRE ATT&CK Techniques

According to MITRE, [KONNI](<https://attack.mitre.org/versions/v7/software/S0356/>) uses the ATT&CK techniques listed in table 1.

_Table 1: KONNI ATT&CK techniques_

**Technique** | **Use**
---|---
_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)] | KONNI can collect the Internet Protocol address from the victim's machine.
_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)] | KONNI can collect the username from the victim's machine.
_Masquerading: Match Legitimate Name or Location_ [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005>)] | KONNI creates a shortcut called `Anti virus service.lnk` in an apparent attempt to masquerade as a legitimate file.
_Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol_ [[T1048.003](<https://attack.mitre.org/versions/v7/techniques/T1048/003>)] | KONNI has used File Transfer Protocol to exfiltrate reconnaissance data.
_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)] | KONNI has the capability to perform keylogging.
_Process Discovery_ [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057>)] | KONNI has used `tasklist.exe` to get a snapshot of the current processes' state of the target machine.
_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001>)] | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.
_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003>)] | KONNI has used `cmd.exe` to execute arbitrary commands on the infected host across different stages of the infection chain.
_Indicator Removal on Host: File Deletion_ [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004>)] | KONNI can delete files.
_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)] | KONNI has used Hypertext Transfer Protocol for command and control.
_System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)] | KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim's machine and has used `systeminfo.exe` to get a snapshot of the current system state of the target machine.
_File and Directory Discovery_ [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083>)] | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.
_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105>)] | KONNI can download files and execute them on the victim's machine.
_Modify Registry_ [[T1112](<https://attack.mitre.org/versions/v7/techniques/T1112>)] | KONNI has modified registry keys of the ComSysApp service and Svchost on the machine to gain persistence.
_Screen Capture_ [[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113>)] | KONNI can take screenshots of the victim's machine.
_Clipboard Data_ [[T1115](<https://attack.mitre.org/versions/v7/techniques/T1115>)] | KONNI had a feature to steal data from the clipboard.
_Data Encoding: Standard Encoding_ [[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001>)] | KONNI has used a custom base64 key to encode stolen data before exfiltration.
_Access Token Manipulation: Create Process with Token_ [[T1134.002](<https://attack.mitre.org/versions/v7/techniques/T1134/002>)] | KONNI has duplicated the token of a high-integrity process to spawn an instance of `cmd.exe` under an impersonated user.
_Deobfuscate/Decode Files or Information_ [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140>)] | KONNI has used CertUtil to download and decode base64-encoded strings.
_Signed Binary Proxy Execution: Rundll32_ [[T1218.011](<https://attack.mitre.org/versions/v7/techniques/T1218/011>)] | KONNI has used Rundll32 to execute its loader for privilege escalation purposes.
_Event Triggered Execution: Component Object Model Hijacking_ [[T1546.015](<https://attack.mitre.org/versions/v7/techniques/T1546/015>)] | KONNI has modified the ComSysApp service to load the malicious DLL payload.
_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001>)] | A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.
_Boot or Logon Autostart Execution: Shortcut Modification_ [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)] | A version of KONNI drops a Windows shortcut on the victim's machine to establish persistence.
_Abuse Elevation Control Mechanism: Bypass User Access Control_ [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)] | KONNI bypassed User Account Control with the "AlwaysNotify" settings.
_Credentials from Password Stores: Credentials from Web Browsers_ [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)] | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.
### Detection

#### Signatures

CISA developed the following Snort signatures for use in detecting KONNI malware exploits.

`alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)`

`alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)`

`alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)`

### Mitigations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

 * Maintain up-to-date antivirus signatures and engines. See [Protecting Against Malicious Code](<https://us-cert.cisa.gov/ncas/tips/ST18-271>).
 * Keep operating system patches up to date. See [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>).
 * Disable file and printer sharing services. If these services are required, use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) or Active Directory authentication.
 * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
 * Enforce a strong password policy. See [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).
 * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://us-cert.cisa.gov/ncas/tips/ST04-010>).
 * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
 * Disable unnecessary services on agency workstations and servers.
 * Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
 * Monitor users' web browsing habits; restrict access to sites with unfavorable content.
 * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
 * Scan all software downloaded from the internet prior to executing.
 * Maintain situational awareness of the latest threats and implement appropriate access control lists.
 * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, "[Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>)."

### Resources

 * [d-hunter – A Look Into KONNI 2019 Campaign](<https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b%20>)
 * [MITRE ATT&CK – KONNI](<https://attack.mitre.org/versions/v7/software/S0356/>)
 * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>)

### Revisions

August 14, 2020: Initial Version

Source: CISA Advisory AA20-227A, "Phishing Emails Used to Deploy KONNI Malware" (published 2020-10-24), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-227a>

### Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components.
[[1](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\(SAP\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)]

### Technical Details

A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.

#### SAP Gateway ACL

The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., `gw/acl_mode = 0`), anonymous users can run operating system (OS) commands.[[2](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

#### SAP Router secinfo

The SAP router is a program that helps connect SAP systems with external networks. The default `secinfo` configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.

According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

#### SAP Message Server

SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication.
If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be protected by the customer in all releases.

#### Signature

CISA worked with security researchers from Onapsis Inc.[[3](<https://www.onapsis.com/>)] to develop the following Snort signature that can be used to detect the exploits:

`alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"10KBLAZE SAP Exploit execute attempt"; flow:established,to_server; content:"|06 cb 03|"; offset:4; depth:3; content:"SAPXPG_START_XPG"; nocase; distance:0; fast_pattern; content:"37D581E3889AF16DA00A000C290099D0001"; nocase; distance:0; content:"extprog"; nocase; distance:0; sid:1; rev:1;)`

### Mitigations

CISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:

 * Ensure a secure configuration of their SAP landscape.
 * Restrict access to SAP Message Server.
 * Review SAP Notes 1408081 and 821875. Restrict authorized hosts via ACL files on Gateways (`gw/acl_mode` and `secinfo`) and Message Servers (`ms/acl_info`).[[4](<https://launchpad.support.sap.com/#/notes/1408081>)], [[5](<https://launchpad.support.sap.com/#/notes/821875>)]
 * Review SAP Note 1421005. Split MS internal/public: `rdisp/msserv=0 rdisp/msserv_internal=39NN`. [[6](<https://launchpad.support.sap.com/#/notes/1421005>)]
 * Restrict access to the Message Server internal port (`tcp/39NN`) from clients or the internet.
 * Enable Secure Network Communications (SNC) for clients.
 * Scan for exposed SAP components.
 * Ensure that SAP components are not exposed to the internet.
 * Remove or secure any exposed SAP components.

### References

[[1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\(SAP\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)

[[2] SAP: Gateway Access Control Lists](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)

[[3] Onapsis Inc. website](<https://www.onapsis.com>)

[[4] SAP Note 1408081](<https://launchpad.support.sap.com/#/notes/1408081>)

[[5] SAP Note 821875](<https://launchpad.support.sap.com/#/notes/821875>)

[[6] SAP Note 1421005](<https://launchpad.support.sap.com/#/notes/1421005>)

### Revisions

May 2, 2019: Initial version

Source: CISA Advisory AA19-122A, "New Exploits for Unsecure SAP Systems" (published 2019-05-03), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-122a>

### Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

 * IOCs (.csv)
 * IOCs (.stix)

Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:

 * 107.161.23.204
 * 192.161.187.200
 * 209.141.38.71

### Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

 1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
 2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
 3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

### Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

 * Update the passwords for all accounts that can change organizations’ DNS records.
 * Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
 * Audit public DNS records to verify they are resolving to the intended location.
 * Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

### References

[Cisco Talos blog: DNSpionage Campaign Targets Middle East](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>)

[CERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions](<https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions>)

[FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale](<https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html>)

[Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors>)

### Revisions

January 24, 2019: Initial version | February 6, 2019: Updated IOCs, added Crowdstrike blog | February 13, 2019: Updated IOCs

Source: CISA Advisory AA19-024A, "DNS Infrastructure Hijacking Campaign" (published 2019-02-13), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-024a>

#### Actions to take today to mitigate cyber threats from ransomware:

 1. Prioritize remediating known exploited vulnerabilities.
 2. Train users to recognize and report phishing attempts.
 3. Enable and enforce multifactor authentication.

Source: CISA Advisory AA23-061A, "#StopRansomware: Royal Ransomware" (published 2023-11-13), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a>

#### Actions to take today to mitigate malicious cyber activity:

 1. Secure and closely monitor Remote Desktop Protocol (RDP).
 2. Maintain offline backups of data.
 3. Enable and enforce phishing-resistant multifactor authentication (MFA).

Source: CISA Advisory AA23-263A, "#StopRansomware: Snatch Ransomware" (published 2023-09-20), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a>

### Summary

_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks.
This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[[1](<https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/>)] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.

APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.

Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.

[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>) for a PDF version of this report.

### Technical Details

#### ATT&CK Profile

CISA created the following MITRE ATT&CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.

 * _**Initial Access**_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001>)]
   * Valid Accounts [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]
   * Valid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v7/techniques/T1078/004/>)]
   * External Remote Services [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]
   * Drive-by Compromise [[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]
   * Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)]
   * Supply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v7/techniques/T1195/002>)]
   * Trusted Relationship [[T1199](<https://attack.mitre.org/versions/v7/techniques/T1199>)]
   * Phishing: Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001>)]
   * Phishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)]
   * Phishing:
Spearphishing via Service [[T1566.003](<https://attack.mitre.org/versions/v7/techniques/T1566/003>)]
 * _**Execution**_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002>)]
   * Windows Management Instrumentation [[T1047](<https://attack.mitre.org/versions/v7/techniques/T1047>)]
   * Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v7/techniques/T1053/005>)]
   * Command and Scripting Interpreter: PowerShell [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001>)]
   * Command and Scripting Interpreter: Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003>)]
   * Command and Scripting Interpreter: Unix Shell [[T1059.004](<https://attack.mitre.org/versions/v7/techniques/T1059/004>)]
   * Command and Scripting Interpreter: Visual Basic [[T1059.005](<https://attack.mitre.org/versions/v7/techniques/T1059/005>)]
   * Command and Scripting Interpreter: Python [[T1059.006](<https://attack.mitre.org/versions/v7/techniques/T1059/006>)]
   * Native API [[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106>)]
   * Exploitation for Client Execution [[T1203](<https://attack.mitre.org/versions/v7/techniques/T1203>)]
   * User Execution: Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001>)]
   * User Execution: Malicious File [[T1204.002](<https://attack.mitre.org/versions/v7/techniques/T1204/002>)]
   * Inter-Process Communication: Dynamic Data Exchange [[T1559.002](<https://attack.mitre.org/versions/v7/techniques/T1559/002/>)]
   * System Services: Service Execution [[T1569.002](<https://attack.mitre.org/versions/v7/techniques/T1569/002>)]
 * _**Persistence**_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003>)]
   * Boot or Logon Initialization Scripts: Logon Script (Windows) [[T1037.001](<https://attack.mitre.org/versions/v7/techniques/T1037/001>)]
   * Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v7/techniques/T1053/005>)]
   * Account Manipulation: Exchange Email Delegate Permissions [[T1098.002](<https://attack.mitre.org/versions/v7/techniques/T1098/002>)]
   * Create Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v7/techniques/T1136/001>)]
   * Office Application Startup: Office Test [[T1137.002](<https://attack.mitre.org/versions/v7/techniques/T1137/002>)]
   * Office Application Startup: Outlook Home Page [[T1137.004](<https://attack.mitre.org/versions/v7/techniques/T1137/004>)]
   * Browser Extensions [[T1176](<https://attack.mitre.org/versions/v7/techniques/T1176>)]
   * BITS Jobs [[T1197](<https://attack.mitre.org/versions/v7/techniques/T1197/>)]
   * Server Software Component: Web Shell [[T1505.003](<https://attack.mitre.org/versions/v7/techniques/T1505/003>)]
   * Pre-OS Boot: Bootkit [[T1542.003](<https://attack.mitre.org/versions/v7/techniques/T1542/003/>)]
   * Create or Modify System Process: Windows Service [[T1543.003](<https://attack.mitre.org/versions/v7/techniques/T1543/003>)]
   * Event Triggered Execution: Change Default File Association [[T1546.001](<https://attack.mitre.org/versions/v7/techniques/T1546/001>)]
   * Event Triggered Execution: Windows Management Instrumentation Event Subscription [[T1546.003](<https://attack.mitre.org/versions/v7/techniques/T1546/003>)]
   * Event Triggered Execution: Accessibility Features [[T1546.008](<https://attack.mitre.org/versions/v7/techniques/T1546/008>)]
   * Event Triggered Execution: Component Object Model Hijacking [[T1546.015](<https://attack.mitre.org/versions/v7/techniques/T1546/015>)]
   * Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001>)]
   * Boot or Logon Autostart Execution: Shortcut Modification [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)]
 * _**Privilege Escalation**_
[[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004>)]
   * Process Injection [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055>)]
   * Process Injection: Process Hollowing [[T1055.012](<https://attack.mitre.org/versions/v7/techniques/T1055/012>)]
   * Exploitation for Privilege Escalation [[T1068](<https://attack.mitre.org/versions/v7/techniques/T1068>)]
   * Access Token Manipulation: Token Impersonation/Theft [[T1134.001](<https://attack.mitre.org/versions/v7/techniques/T1134/001>)]
   * Event Triggered Execution: Accessibility Features [[T1546.008](<https://attack.mitre.org/versions/v7/techniques/T1546/008>)]
   * Boot or Logon Autostart Execution: Shortcut Modification [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)]
   * Abuse Elevation Control Mechanism: Bypass User Access Control [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]
   * Hijack Execution Flow: DLL Side-Loading [[T1574.002](<https://attack.mitre.org/versions/v7/techniques/T1574/002>)]
 * _**Defense Evasion**_ [[TA0005](<https://attack.mitre.org/versions/v7/tactics/TA0005>)]
   * Rootkit [[T1014](<https://attack.mitre.org/versions/v7/techniques/T1014>)]
   * Obfuscated Files or Information: Binary Padding [[T1027.001](<https://attack.mitre.org/versions/v7/techniques/T1027/001>)]
   * Obfuscated Files or Information: Software Packing [[T1027.002](<https://attack.mitre.org/versions/v7/techniques/T1027/002>)]
   * Obfuscated Files or Information: Steganography [[T1027.003](<https://attack.mitre.org/versions/v7/techniques/T1027/003>)]
   * Obfuscated Files or Information: Indicator Removal from Tools [[T1027.005](<https://attack.mitre.org/versions/v7/techniques/T1027/005>)]
   * Masquerading: Match Legitimate Name or Location [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005>)]
   * Indicator Removal on Host: Clear Windows Event Logs [[T1070.001](<https://attack.mitre.org/versions/v7/techniques/T1070/001>)]
   * Indicator Removal on Host: Clear Command History [[T1070.003](<https://attack.mitre.org/versions/v7/techniques/T1070/003>)]
   * Indicator Removal on Host: File Deletion [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004>)]
   * Indicator Removal on Host: Timestomp [[T1070.006](<https://attack.mitre.org/versions/v7/techniques/T1070/006>)]
   * Modify Registry [[T1112](<https://attack.mitre.org/versions/v7/techniques/T1112>)]
   * Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140>)]
   * Exploitation for Defense Evasion [[T1211](<https://attack.mitre.org/versions/v7/techniques/T1211>)]
   * Signed Binary Proxy Execution: Compiled HTML File [[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001>)]
   * Signed Binary Proxy Execution: Mshta [[T1218.005](<https://attack.mitre.org/versions/v7/techniques/T1218/005>)]
   * Signed Binary Proxy Execution: Rundll32 [[T1218.011](<https://attack.mitre.org/versions/v7/techniques/T1218/011>)]
   * Template Injection [[T1221](<https://attack.mitre.org/versions/v7/techniques/T1221>)]
   * Execution Guardrails: Environmental Keying [[T1480.001](<https://attack.mitre.org/versions/v7/techniques/T1480/001>)]
   * Abuse Elevation Control Mechanism: Bypass User Access Control [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]
   * Use Alternate Authentication Material: Application Access Token [[T1550.001](<https://attack.mitre.org/versions/v7/techniques/T1550/001>)]
   * Subvert Trust Controls: Code Signing [[T1553.002](<https://attack.mitre.org/versions/v7/techniques/T1553/002>)]
   * Impair Defenses: Disable or Modify Tools [[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001>)]
   * Impair Defenses: Disable or Modify System Firewall [[T1562.004](<https://attack.mitre.org/versions/v7/techniques/T1562/004>)]
   * Hide Artifacts: Hidden Files and Directories
[[T1564.001](<https://attack.mitre.org/versions/v7/techniques/T1564/001>)]\n * Hide Artifacts: Hidden Window [[T1564.003](<https://attack.mitre.org/versions/v7/techniques/T1564/003>)]\n * _**Credential Access**_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006>)] \n * OS Credential Dumping: LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001>)]\n * OS Credential Dumping: Security Account Manager [[T1003.002](<https://attack.mitre.org/versions/v7/techniques/T1003/002>)]\n * OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v7/techniques/T1003/003>)]\n * OS Credential Dumping: LSA Secrets [[T1003.004](<https://attack.mitre.org/versions/v7/techniques/T1003/004>)]\n * OS Credential Dumping: Cached Domain Credentials [[T1003.005](<https://attack.mitre.org/versions/v7/techniques/T1003/005>)]\n * Network Sniffing [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040>)]\n * Input Capture: Keylogging [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)]\n * Brute Force: Password Cracking [[T1110.002](<https://attack.mitre.org/versions/v7/techniques/T1110/002>)]\n * Brute Force: Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v7/techniques/T1110/003>)]\n * Forced Authentication [[T1187](<https://attack.mitre.org/versions/v7/techniques/T1187>)]\n * Steal Application Access Token [[T1528](<https://attack.mitre.org/versions/v7/techniques/T1528>)]\n * Unsecured Credentials: Credentials in Files [[T1552.001](<https://attack.mitre.org/versions/v7/techniques/T1552/001>)]\n * Unsecured Credentials: Group Policy Preferences [[T1552.006](<https://attack.mitre.org/versions/v7/techniques/T1552/006>)]\n * Credentials from Password Stores: Credentials from Web Browsers [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)]\n * _**Discovery**_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007>)] \n * System Service Discovery 
[[T1007](<https://attack.mitre.org/versions/v7/techniques/T1007>)]\n * Query Registry [[T1012](<https://attack.mitre.org/versions/v7/techniques/T1012>)]\n * System Network Configuration Discovery [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)]\n * Remote System Discovery [[T1018](<https://attack.mitre.org/versions/v7/techniques/T1018>)]\n * System Owner/User Discovery [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)]\n * Network Sniffing [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040>)]\n * Network Service Scanning [[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046>)]\n * System Network Connections Discovery [[T1049](<https://attack.mitre.org/versions/v7/techniques/T1049>)]\n * Process Discovery [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057>)]\n * Permission Groups Discovery: Local Groups [[T1069.001](<https://attack.mitre.org/versions/v7/techniques/T1069/001>)]\n * Permission Groups Discovery: Domain Groups [[T1069.002](<https://attack.mitre.org/versions/v7/techniques/T1069/002>)]\n * System Information Discovery [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)]\n * File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083>)]\n * Account Discovery: Local Account [[T1087.001](<https://attack.mitre.org/versions/v7/techniques/T1087/001>)]\n * Account Discovery: Domain Account [[T1087.002](<https://attack.mitre.org/versions/v7/techniques/T1087/002>)]\n * Peripheral Device Discovery [[T1120](<https://attack.mitre.org/versions/v7/techniques/T1120>)]\n * Network Share Discovery [[T1135](<https://attack.mitre.org/versions/v7/techniques/T1135>)]\n * Password Policy Discovery [[T1201](<https://attack.mitre.org/versions/v7/techniques/T1201/>)]\n * Software Discovery: Security Software Discovery [[T1518.001](<https://attack.mitre.org/versions/v7/techniques/T1518/001>)]\n * _**Lateral Movement 
**_[[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008>)] \n * Remote Services: Remote Desktop Protocol [[T1021.001](<https://attack.mitre.org/versions/v7/techniques/T1021/001>)]\n * Remote Services: SSH [[T1021.004](<https://attack.mitre.org/versions/v7/techniques/T1021/004>)]\n * Taint Shared Content [[T1080](<https://attack.mitre.org/versions/v7/techniques/T1080/>)]\n * Replication Through Removable Media [[T1091](<https://attack.mitre.org/versions/v7/techniques/T1091>)]\n * Exploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v7/techniques/T1210>)]\n * Use Alternate Authentication Material: Pass the Hash [[T1550.002](<https://attack.mitre.org/versions/v7/techniques/T1550/002>)]\n * Use Alternate Authentication Material: Pass the Ticket [[T1550.003](<https://attack.mitre.org/versions/v7/techniques/T1550/003>)]\n * _**Collection**_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009>)] \n * Data from Local System [[T1005](<https://attack.mitre.org/versions/v7/techniques/T1005>)]\n * Data from Removable Media [[T1025](<https://attack.mitre.org/versions/v7/techniques/T1025>)]\n * Data Staged: Local Data Staging [[T1074.001](<https://attack.mitre.org/versions/v7/techniques/T1074/001>)]\n * Screen Capture [[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113>)]\n * Email Collection: Local Email Collection [[T1114.001](<https://attack.mitre.org/versions/v7/techniques/T1114/001>)]\n * Email Collection: Remote Email Collection [[T1114.002](<https://attack.mitre.org/versions/v7/techniques/T1114/002>)]\n * Automated Collection [[T1119](<https://attack.mitre.org/versions/v7/techniques/T1119>)]\n * Audio Capture [[T1123](<https://attack.mitre.org/versions/v7/techniques/T1123>)]\n * Data from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v7/techniques/T1213/002>)]\n * Archive Collected Data: Archive via Utility 
[[T1560.001](<https://attack.mitre.org/versions/v7/techniques/T1560/001>)]\n * Archive Collected Data: Archive via Custom Method [[T1560.003](<https://attack.mitre.org/versions/v7/techniques/T1560/003>)]\n * _**Command and Control**_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011>)] \n * Data Obfuscation: Junk Data [[T1001.001](<https://attack.mitre.org/versions/v7/techniques/T1001/001/>)]\n * Fallback Channels [[T1008](<https://attack.mitre.org/versions/v7/techniques/T1008>)]\n * Application Layer Protocol: Web Protocols [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)]\n * Application Layer Protocol: File Transfer Protocols [[T1071.002](<https://attack.mitre.org/versions/v7/techniques/T1071/002>)]\n * Application Layer Protocol: Mail Protocols [[T1071.003](<https://attack.mitre.org/versions/v7/techniques/T1071/003>)]\n * Application Layer Protocol: DNS [[T1071.004](<https://attack.mitre.org/versions/v7/techniques/T1071/004>)]\n * Proxy: External Proxy [[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)]\n * Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)]\n * Proxy: Domain Fronting [[T1090.004](<https://attack.mitre.org/versions/v7/techniques/T1090/004>)]\n * Communication Through Removable Media [[T1092](<https://attack.mitre.org/versions/v7/techniques/T1092>)]\n * Non-Application Layer Protocol [[T1095](<https://attack.mitre.org/versions/v7/techniques/T1095>)]\n * Web Service: Dead Drop Resolver [[T1102.001](<https://attack.mitre.org/versions/v7/techniques/T1102/001>)]\n * Web Service: Bidirectional Communication [[T1102.002](<https://attack.mitre.org/versions/v7/techniques/T1102/002>)]\n * Multi-Stage Channels [[T1104](<https://attack.mitre.org/versions/v7/techniques/T1104>)]\n * Ingress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105>)]\n * Data Encoding: Standard Encoding 
[[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001>)]\n * Remote Access Software [[T1219](<https://attack.mitre.org/versions/v7/techniques/T1219>)]\n * Dynamic Resolution: Domain Generation Algorithms [[T1568.002](<https://attack.mitre.org/versions/v7/techniques/T1568/002>)]\n * Non-Standard Port [[T1571](<https://attack.mitre.org/versions/v7/techniques/T1571>)]\n * Protocol Tunneling [[T1572](<https://attack.mitre.org/versions/v7/techniques/T1572>)]\n * Encrypted Channel: Symmetric Cryptography [[T1573.001](<https://attack.mitre.org/versions/v7/techniques/T1573/001>)]\n * Encrypted Channel: Asymmetric Cryptography [[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)]\n * _**Exfiltration**_ [[TA0010](<https://attack.mitre.org/versions/v7/tactics/TA0010>)] \n * Exfiltration Over C2 Channel [[T1041](<https://attack.mitre.org/versions/v7/techniques/T1041>)]\n * Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [[T1048.003](<https://attack.mitre.org/versions/v7/techniques/T1048/003>)]\n * _**Impact**_ [[TA0040](<https://attack.mitre.org/versions/v7/tactics/TA0040>)] \n * Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486>)]\n * Resource Hijacking [[T1496](<https://attack.mitre.org/versions/v7/techniques/T1496>)]\n * System Shutdown/Reboot [[T1529](<https://attack.mitre.org/versions/v7/techniques/T1529>)]\n * Disk Wipe: Disk Structure Wipe [[T1561.002](<https://attack.mitre.org/versions/v7/techniques/T1561/002>)]\n\n### Mitigations\n\nCISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.\n\n#### Leaders\n\n * Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.\n\n#### Users/Staff\n\n * Log off remote connections when not in use.\n * Be vigilant against tailored spearphishing attacks targeting corporate and 
personal accounts (including both email and social media accounts).\n * Use different passwords for corporate and personal accounts.\n * Install antivirus software on personal devices to automatically scan and quarantine suspicious files.\n * Employ strong multi-factor authentication for personal accounts, if available.\n * Exercise caution when: \n * Opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>).\n * Using removable media (e.g., USB thumb drives, external drives, CDs).\n\n#### IT Staff/Cybersecurity Personnel\n\n * Segment and segregate networks and functions.\n * Change the default username and password of applications and appliances.\n * Employ strong multi-factor authentication for corporate accounts.\n * Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.\n * Apply encryption to data at rest and data in transit.\n * Use email security appliances to scan and remove malicious email attachments or links.\n * Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.\n * Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on [Defending Against Malicious Cyber Activity Originating from Tor](<https://us-cert.cisa.gov/ncas/alerts/aa20-183a>) for mitigation options and additional information.\n * Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations. 
If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI\u2019s [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>) and other CISA alerts that identify vulnerabilities exploited by foreign attackers.\n * Implement an antivirus program and a formalized patch management process.\n * Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).\n * Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).\n * Implement Group Policy Object and firewall rules.\n * Implement filters at the email gateway and block suspicious IP addresses at the firewall.\n * Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.\n * Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.\n * Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.\n * Disable or block unnecessary remote services.\n * Limit access to remote services through centrally managed concentrators.\n * Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.\n * Limit unnecessary lateral communications.\n * Disable file and printer sharing services. 
If these services are required, use strong passwords or Active Directory authentication.\n * Ensure applications do not store sensitive data or credentials insecurely.\n * Enable a firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure any scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.\n * Visit the MITRE ATT&CK techniques and tactics pages linked in the ATT&CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### References\n\n * [CISA Alert: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>)\n * [CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * [CISA Webpage: Telework Guidance](<https://www.cisa.gov/telework>)\n * [CISA Webpage: VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * [FBI Private Industry Notification: PIN 20200409-001](<http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf>)\n\n### References\n\n[[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks](<https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/>)\n\n### Revisions\n\nInitial Version: December 1, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Advanced Persistent Threat Actors Targeting U.S. 
Think Tanks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-12-01T12:00:00", "id": "AA20-336A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-336a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:04:20", "description": "### Summary\n\n**_This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection._**\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) version 7 framework. See the [ATT&CK for Enterprise version 7](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.\n\nCISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. 
CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.\n\n#### Key Findings\n\n * CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.\n * These issues will be particularly challenging for organizations during the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.\n\n### Technical Details\n\n#### Threat Details\n\nThe cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders\u2014like TrickBot and BazarLoader (or BazarBackdoor)\u2014as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim\u2019s machine.\n\n#### TrickBot\n\nWhat began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. 
These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.\n\nIn early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims\u2014such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created `anchor_dns`, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.\n\n`anchor_dns` is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. `anchor_dns` uses a single-byte `XOR` cipher to encrypt its communications, which have been observed using key `0xB9`. Once decrypted, the string `anchor_dns` can be found in the DNS request traffic.\n\n#### TrickBot Indicators of Compromise\n\nAfter successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. `mfjdieks.exe`, which is 12 characters including the extension) and places this file in one of the following directories.\n\n * C:\\Windows\\\n * C:\\Windows\\SysWOW64\\\n * C:\\Users\\\\[Username]\\AppData\\Roaming\\\n\nOnce the executable is running and has established communication with its C2s, it places the modules downloaded from the C2s for the infected processor architecture (32- or 64-bit instruction set) in the infected host\u2019s `%APPDATA%` or `%PROGRAMDATA%` directory, such as `%APPDATA%\\winapp` (i.e., `AppData\\Roaming\\winapp`). 
Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g., `importDll32` or `importDll64`):\n\n * `Systeminfo`\n * `importDll`\n * `outlookDll`\n * `injectDll`, with a directory (e.g., `injectDLL64_configs`) containing the configuration files: \n   * `dinj`\n   * `sinj`\n   * `dpost`\n * `mailsearcher`, with a directory (e.g., `mailsearcher64_configs`) containing the configuration file: \n   * `mailconf`\n * `networkDll`, with a directory (e.g., `networkDll64_configs`) containing the configuration file: \n   * `dpost`\n * `wormDll`\n * `tabDll`\n * `shareDll`\n\nA file named `client_id`, `data`, or `FAQ` containing the assigned bot ID of the compromised system is created in the malware directory, as is a file named `group_tag` or `Readme.md` containing the TrickBot campaign IDs.\n\nThe malware may also drop a file named `anchorDiag.txt` in one of the directories listed above.\n\nPart of the initial network communications with the C2 server involves sending information about the victim machine, such as its computer name/hostname, operating system version, and build, via a base64-encoded `GUID`. The `GUID` is composed of `/GroupID/ClientID/` with the following naming convention:\n\n`/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/`\n\nThe malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. 
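The single-byte XOR layer and the beacon GUID described above lend themselves to a decoder that can be run over resolver or passive-DNS logs. The following Python is an added example written for this page, not code from the advisory or from the malware: the key `0xB9`, the `anchor_dns` marker, the four `anchor_dns` domains the advisory names, and the GUID layout come from the advisory; the transport encoding (hex-encoded subdomain labels, with the GUID optionally base64-encoded before XOR) is an assumption made only to construct the sample queries, which is why the decoder accepts the marker either directly after XOR or after one base64 layer.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Values taken from the advisory
ANCHOR_XOR_KEY = 0xB9
ANCHOR_MARKER = b"anchor_dns"
ANCHOR_C2_DOMAINS = ("kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com")

# Beacon GUID layout given in the advisory:
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(
    rb"/anchor_dns/(?P<host>[^_/]+)_(?P<build>[^/]+?)\.(?P<client>[0-9A-Za-z]{32})/")


def xor_bytes(data: bytes, key: int = ANCHOR_XOR_KEY) -> bytes:
    """Single-byte XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def payload_from_qname(qname: str) -> Optional[str]:
    """If the query targets a known anchor_dns C2 domain, return the concatenated
    subdomain labels (the carried payload); otherwise None."""
    q = qname.rstrip(".").lower()
    for domain in ANCHOR_C2_DOMAINS:
        if q.endswith("." + domain):
            return q[: -len(domain) - 1].replace(".", "")
    return None


def decode_payload(payload: str) -> Optional[bytes]:
    """Hex-decode (the label encoding assumed here), XOR with 0xB9, and accept the
    result if the anchor_dns marker is present directly or under one base64 layer."""
    try:
        plain = xor_bytes(binascii.unhexlify(payload))
    except (binascii.Error, ValueError):
        return None
    if ANCHOR_MARKER in plain:
        return plain
    try:
        inner = base64.b64decode(plain, validate=True)
    except (binascii.Error, ValueError):
        return None
    return inner if ANCHOR_MARKER in inner else None


def parse_guid(plain: bytes) -> Optional[Dict[str, str]]:
    """Split a decoded beacon into hostname, Windows build and 32-character client ID."""
    m = GUID_RE.search(plain)
    return {k: v.decode() for k, v in m.groupdict().items()} if m else None


def build_query(guid: str, c2_domain: str, base64_layer: bool = True) -> str:
    """Constructed beacon for the demo: base64 (optional) -> XOR 0xB9 -> hex -> labels.
    The layering is an assumption; only the key, marker and GUID layout come from the advisory."""
    payload = guid.encode()
    if base64_layer:
        payload = base64.b64encode(payload)
    hexed = xor_bytes(payload).hex()
    labels = [hexed[i:i + 60] for i in range(0, len(hexed), 60)]  # stay under the 63-byte label limit
    return ".".join(labels + [c2_domain])


def hunt(qnames: List[str]) -> List[Dict[str, object]]:
    """Run the decoder over query names (e.g. from resolver or passive-DNS logs)."""
    hits = []
    for q in qnames:
        payload = payload_from_qname(q)
        plain = decode_payload(payload) if payload is not None else None
        if plain is not None:
            hits.append({"qname": q, "plaintext": plain.decode(errors="replace"),
                         "guid": parse_guid(plain)})
    return hits


# Constructed sample traffic: two beacons with different layering, plus two benign/invalid names
SAMPLE_GUID = "/anchor_dns/WS-FIN-07_19041.0123456789abcdef0123456789abcdef/"
SAMPLE_QNAMES = [
    build_query(SAMPLE_GUID, "kostunivo.com"),
    build_query(SAMPLE_GUID, "chishir.com", base64_layer=False),
    "www.example.com",
    "abc.kostunivo.com",  # odd-length label: not a valid hex payload
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_QNAMES):
        print(hit["qname"][:40] + "...", "->", hit["guid"])
```

Matching on the decoded marker rather than on the C2 domain alone keeps the rule useful after the actors rotate infrastructure; swap `ANCHOR_C2_DOMAINS` for a suffix list of whatever is currently in the open-source tracker and the decoder logic stays the same.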
The scheduled task typically uses the following naming convention.\n\n`[random_folder_name_in_%APPDATA%_excluding_Microsoft]`\n\n`autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876)`.\n\nAfter successful execution, `anchor_dns` further deploys malicious batch scripts (`.bat`) using PowerShell commands.\n\nThe malware deploys self-deletion techniques by executing the following commands.\n\n * `cmd.exe /c timeout 3 && del C:\\Users\\[username]\\[malware_sample]`\n * `cmd.exe /C PowerShell \\\"Start-Sleep 3; Remove-Item C:\\Users\\[username]\\[malware_sample_location]\\\"`\n\nThe following domains found in outbound DNS records are associated with `anchor_dns`.\n\n * `kostunivo[.]com`\n * `chishir[.]com`\n * `mangoclone[.]com`\n * `onixcellent[.]com`\n\nThis malware used the following legitimate domains to test internet connectivity.\n\n * `ipecho[.]net`\n * `api[.]ipify[.]org`\n * `checkip[.]amazonaws[.]com`\n * `ip[.]anysrc[.]net`\n * `wtfismyip[.]com`\n * `ipinfo[.]io`\n * `icanhazip[.]com`\n * `myexternalip[.]com`\n * `ident[.]me`\n\nCurrently, there is an open-source tracker for TrickBot C2 servers located at <https://feodotracker.abuse.ch/browse/trickbot/>.\n\nThe `anchor_dns` malware historically used the following C2 servers.\n\n * `23[.]95[.]97[.]59`\n * `51[.]254[.]25[.]115`\n * `193[.]183[.]98[.]66`\n * `91[.]217[.]137[.]37`\n * `87[.]98[.]175[.]85`\n\n#### TrickBot YARA Rules\n\nrule anchor_dns_strings_filenames { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off strings or filenames used in malware\" \nauthor = \"NCSC\" \nhash1 = \"fc0efd612ad528795472e99cae5944b68b8e26dc\" \nhash2 = \"794eb3a9ce8b7e5092bb1b93341a54097f5b78a9\" \nhash3 = \"9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2\" \nhash4 = \"24d4bbc982a6a561f0426a683b9617de1a96a74a\" \nstrings: \n$ = \",Control_RunDLL \\x00\" \n$ = \":$GUID\" ascii wide \n$ = \":$DATA\" ascii wide \n$ = \"/1001/\" \n$ = /(\\x00|\\xCC)qwertyuiopasdfghjklzxcvbnm(\\x00|\\xCC)/ \n$ = 
/(\\x00|\\xCC)QWERTYUIOPASDFGHJKLZXCVBNM(\\x00|\\xCC)/ \n$ = \"start program with cmdline \\\"%s\\\"\" \n$ = \"Global\\\\\\fde345tyhoVGYHUJKIOuy\" \n$ = \"ChardWorker::thExecute: error registry me\" \n$ = \"get command: incode %s, cmdid \\\"%s\\\", cmd \\\"%s\\\"\" \n$ = \"anchorDNS\" \n$ = \"Anchor_x86\" \n$ = \"Anchor_x64\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_icmp_transport { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off ICMP transport strings\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$ = \"reset_connection <\\- %s\" \n$ = \"server_ok <\\- %s (packets on server %s)\" \n$ = \"erase successfully transmitted packet (count: %d)\" \n$ = \"Packet sended with crc %s -> %s\" \n$ = \"send data confimation to server(%s)\" \n$ = \"data recived from <\\- %s\" \n$ = \"Rearmost packed recived (id: %s)\" \n$ = \"send poll to server -> : %s\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_config_dexor { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off configuration deobfuscation (XOR 0x23 countup)\" \nauthor = \"NCSC\" \nhash1 = \"d0278ec015e10ada000915a1943ddbb3a0b6b3db\" \nhash2 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$x86 = {75 1F 56 6A 40 B2 23 33 C9 5E 8A 81 ?? ?? ?? ?? 32 C2 FE C2 88 81 ?? ?? ?? ?? 41 83 EE 01 75 EA 5E B8 ?? ?? ?? ?? C3} \n$x64 = {41 B0 23 41 B9 80 00 00 00 8A 84 3A ?? ?? ?? 
00 41 32 C0 41 FE C0 88 04 32 48 FF C2 49 83 E9 01 75 E7} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_installer { \nmeta: \ndescription = \"Rule to detect AnchorDNS installer samples based off MZ magic under one-time pad or deobfuscation loop code\" \nauthor = \"NCSC\" \nhash1 = \"fa98074dc18ad7e2d357b5d168c00a91256d87d1\" \nhash2 = \"78f0737d2b1e605aad62af252b246ef390521f02\" \nstrings: \n$pre = {43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00} //CONOUT$ \n$pst = {6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00} //kernel32.dll \n$deob_x86 = {8B C8 89 4D F8 83 F9 FF 74 52 46 89 5D F4 88 5D FF 85 F6 74 34 8A 83 ?? ?? ?? ?? 32 83 ?? ?? ?? ?? 6A 00 88 45 FF 8D 45 F4 50 6A 01 8D 45 FF 50 51 FF 15 34 80 41 00 8B 4D F8 43 8B F0 81 FB 00 ?? ?? ?? 72 CC 85 F6 75 08} \n$deob_x64 = {42 0F B6 84 3F ?? ?? ?? ?? 4C 8D 8C 24 80 00 00 00 42 32 84 3F ?? ?? ?? ?? 48 8D 54 24 78 41 B8 01 00 00 00 88 44 24 78 48 8B CE 48 89 6C 24 20 FF 15 ?? ?? ?? ?? 48 FF C7 8B D8 48 81 FF ?? ?? ?? ?? 
72 B8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand \n( uint16(@pre+16) ^ uint16(@pre+16+((@pst-(@pre+16))\\2)) == 0x5A4D \nor \n$deob_x86 or $deob_x64 \n) \n}\n\nimport \"pe\" \nrule anchor_dns_string_1001_with_pe_section_dll_export_resolve_ip_domains { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off /1001/ string in combination with DLL export name string, PE section .addr or IP resolution domains\" \nauthor = \"NCSC\" \nhash1 = \"ff8237252d53200c132dd742edc77a6c67565eee\" \nhash2 = \"c8299aadf886da55cb47e5cbafe8c5a482b47fc8\" \nstrings: \n$str1001 = {2F 31 30 30 31 2F 00} // /1001/ \n$strCtrl = {2C 43 6F 6E 74 72 6F 6C 5F 52 75 6E 44 4C 4C 20 00} // ,Control_RunDLL \n$ip1 = \"checkip.amazonaws.com\" ascii wide \n$ip2 = \"ipecho.net\" ascii wide \n$ip3 = \"ipinfo.io\" ascii wide \n$ip4 = \"api.ipify.org\" ascii wide \n$ip5 = \"icanhazip.com\" ascii wide \n$ip6 = \"myexternalip.com\" ascii wide \n$ip7 = \"wtfismyip.com\" ascii wide \n$ip8 = \"ip.anysrc.net\" ascii wide \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand $str1001 \nand ( \nfor any i in (0..pe.number_of_sections): ( \npe.sections[i].name == \".addr\" \n) \nor \n$strCtrl \nor \n6 of ($ip*) \n) \n}\n\nrule anchor_dns_check_random_string_in_dns_response { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off checking random string in DNS response\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {8A D8 83 C4 10 84 DB 75 08 8B 7D BC E9 84 00 00 00 8B 7D BC 32 DB 8B C7 33 F6 0F 1F 00 85 C0 74 71 40 6A 2F 50 E8 ?? ?? ?? ?? 
46 83 C4 08 83 FE 03 72 EA 85 C0 74 5B 83 7D D4 10 8D 4D C0 8B 75 D0 8D 50 01 0F 43 4D C0 83 EE 04 72 11 8B 02 3B 01 75 10 83 C2 04 83 C1 04 83 EE 04 73 EF 83 FE FC 74 2D 8A 02 3A 01 75 29 83 FE FD 74 22 8A 42 01 3A 41 01 75 1C 83 FE FE 74 15 8A 42 02 3A 41 02 75 0F 83 FE FF 74 08 8A 42 03 3A 41 03 75 02 B3 01 8B 75 B8} \n$x64 = {4C 39 75 EF 74 56 48 8D 45 DF 48 83 7D F7 10 48 0F 43 45 DF 49 8B FE 48 85 C0 74 40 48 8D 48 01 BA 2F 00 00 00 E8 ?? ?? ?? ?? 49 03 FF 48 83 FF 03 72 E4 48 85 C0 74 24 48 8D 55 1F 48 83 7D 37 10 48 0F 43 55 1F 48 8D 48 01 4C 8B 45 2F E8 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DF 49 03 F7 48 8B 55 F7 48 83 FE 05 0F 82 6A FF FF FF} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_default_result_execute_command { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off default result value and executing command\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00} \n$x64 = {48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 
48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_pdbs { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off partial PDB paths\" \nauthor = \"NCSC\" \nhash1 = \"f0e575475f33600aede6a1b9a5c14f671cb93b7b\" \nhash2 = \"1304372bd4cdd877778621aea715f45face93d68\" \nhash3 = \"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\" \nhash4 = \"f96613ac6687f5dbbed13c727fa5d427e94d6128\" \nhash5 = \"46750d34a3a11dd16727dc622d127717beda4fa2\" \nstrings: \n$ = \":\\\\\\MyProjects\\\\\\secondWork\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\simsim\\\\\\anchorDNS\" \n$ = \":\\\\\\\\[JOB]\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\Anchor\\\\\\Win32\\\\\\Release\\\\\\Anchor_\" \n$ = \":\\\\\\Users\\\\\\ProFi\\\\\\Desktop\\\\\\data\\\\\\Win32\\\\\\anchor\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\n#### BazarLoader/BazarBackdoor\n\nBeginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.\n\nDeployment of the BazarLoader malware typically comes from phishing email and contains the following:\n\n * Phishing emails are typically delivered by commercial mass email delivery services. 
Email received by a victim will contain a link to an actor-controlled Google Drive document or other free online file hosting solutions, typically purporting to be a PDF file.\n * This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple-extension file.\n * Emails can appear as routine, legitimate business correspondence about customer complaints, hiring decisions, or other important tasks that require the attention of the recipient. \n * Some email communications have included the recipient\u2019s name or employer name in the subject line and/or email body.\n\nThrough phishing emails linking users to Google Documents, actors used the file names identified below to install BazarLoader:\n\n * `Report-Review26-10.exe`\n * `Review_Report15-10.exe`\n * `Document_Print.exe`\n * `Report10-13.exe`\n * `Text_Report.exe`\n\nBazar activity can be identified by searching the system startup folders and Userinit values under the `HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon` registry key:\n\n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk`\n\nFor a comprehensive list of indicators of compromise regarding the BazarLocker and other malware, see <https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html>.\n\n#### Indicators\n\nIn addition to TrickBot and BazarLoader, threat actors are using malware such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign. 
The following C2 servers are known to be associated with this malicious activity.\n\n#### Ryuk Ransomware\n\nTypically Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the [United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>), on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the `HERMES` tag but, in some infections, the files have `.ryk` added to the filename, while others do not. 
In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.\n\nWhile negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products\u2014such as Cobalt Strike and PowerShell Empire\u2014in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump cleartext passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject a malicious dynamic-link library (DLL) into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.\n\nRyuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools\u2014such as `net view`, `net computers`, and `ping`\u2014to locate mapped network shares, domain controllers, and Active Directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as BloodHound.\n\nOnce dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a `.bat` file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.\n\nIn addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. 
Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The `RyukReadMe` file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.\n\nThe victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.\n\nInitial testing indicates that the `RyukReadMe` file does not need to be present for the decryption script to run successfully, but other reporting advises that some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the `RyukReadMe` file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.\n\nAccording to MITRE, [Ryuk](<https://attack.mitre.org/versions/v7/software/S0446/>) uses the ATT&CK techniques listed in table 1.\n\n_Table 1: Ryuk ATT&CK techniques_\n\n**Technique** | **Use** \n---|--- \nSystem Network Configuration Discovery [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016/>)] | Ryuk has called `GetIpNetTable` in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries. \nMasquerading: Match Legitimate Name or Location [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005/>)] | Ryuk has constructed legitimate-appearing installation folder paths by calling `GetWindowsDirectoryW` and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as `C:\\Users\\Public`. \nProcess Injection [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)] | Ryuk has injected itself into remote processes to encrypt files using a combination of `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread`. \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057/>)] | Ryuk has called `CreateToolhelp32Snapshot` to enumerate all running processes. \nCommand and Scripting Interpreter: Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)] | Ryuk has used `cmd.exe` to create a Registry entry to establish persistence. \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083/>)] | Ryuk has called `GetLogicalDrives` to enumerate all mounted drives, and `GetDriveTypeW` to determine the drive type. \nNative API [[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106/>)] | Ryuk has used multiple native APIs including `ShellExecuteW` to run executables; `GetWindowsDirectoryW` to create folders; and `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread` for process injection. \nAccess Token Manipulation [[T1134](<https://attack.mitre.org/versions/v7/techniques/T1134/>)] | Ryuk has attempted to adjust its token privileges to have the `SeDebugPrivilege`. \nData Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486/>)] | Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of `.RYK`. Encrypted directories have had a ransom note of `RyukReadMe.txt` written to the directory. \nService Stop [[T1489](<https://attack.mitre.org/versions/v7/techniques/T1489/>)] | Ryuk has called `kill.bat` for stopping services, disabling services, and killing processes. \nInhibit System Recovery [[T1490](<https://attack.mitre.org/versions/v7/techniques/T1490/>)] | Ryuk has used `vssadmin Delete Shadows /all /quiet` to delete volume shadow copies and `vssadmin resize shadowstorage` to force deletion of shadow copies created by third-party applications. \nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)] | Ryuk has used the Windows command line to create a Registry entry under `HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run` to establish persistence. \nImpair Defenses: Disable or Modify Tools [[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001/>)] | Ryuk has stopped services related to anti-virus. \n\n### Mitigations\n\nFor a downloadable copy of IOCs, see AA20-302A.stix. For additional IOCs detailing this activity, see <https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>.\n\n#### Plans and Policies\n\nCISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans\u2014the practice of executing essential functions through emergencies (e.g., cyberattacks)\u2014to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. 
CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.\n\n#### Network Best Practices\n\n * Patch operating systems, software, and firmware as soon as manufacturers release updates.\n * Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.\n * Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.\n * Use multi-factor authentication where possible.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Implement application and remote access allowlisting to only allow systems to execute programs known and permitted by the established security policy.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Audit logs to ensure new accounts are legitimate.\n * Scan for open or listening ports and mediate those that are not needed.\n * Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.\n * Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.\n * Set antivirus and anti-malware solutions to automatically update; conduct regular scans.\n\n#### Ransomware Best Practices\n\nCISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:\n\n * Regularly back up data, air gap, and password protect backup copies offline.\n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.\n\n#### User Awareness Best Practices\n\n * Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats\u2014such as ransomware and phishing scams\u2014and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.\n * Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.\n\n#### Recommended Mitigation Measures\n\nSystem administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. 
Upon evidence of a TrickBot infection, review DNS logs and use the `XOR` key of `0xB9` to decode `XOR` encoded DNS requests to reveal the presence of `Anchor_DNS`, and maintain and provide relevant logs.\n\n### GENERAL RANSOMWARE MITIGATIONS \u2014 HPH SECTOR\n\nThis section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at <https://www.cisa.gov/publication/ransomware-guide>.\n\nCISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.\n\n#### Ransomware Prevention\n\n#### _Join and Engage with Cybersecurity Organizations_\n\nCISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:\n\n * Join a healthcare information sharing organization, H-ISAC: \n * Health Information Sharing and Analysis Center (H-ISAC): <https://h-isac.org/membership-account/join-h-isac/>\n * Sector-based ISACs - National Council of ISACs: <https://www.nationalisacs.org/member-isacs>\n * Information Sharing and Analysis Organization (ISAO) Standards Organization: <https://www.isao.org/information-sharing-groups/>\n * Engage with CISA and FBI, as well as HHS\u2014through the HHS Health Sector Cybersecurity Coordination Center (HC3)\u2014to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises. 
\n * CISA: [cisa.gov](<cisa.gov>), <https://us-cert.cisa.gov/mailing-lists-and-feeds>, [central@cisa.gov](<central@cisa.gov>)\n * FBI: [ic3.gov](<ic3.gov>), [www.fbi.gov/contact-us/field](<www.fbi.gov/contact-us/field>), [CyWatch@fbi.gov](<CyWatch@fbi.gov>)\n * HHS/HC3: <http://www.hhs.gov/hc3>, [HC3@HHS.gov](<HC3@HHS.gov>)\n\nEngaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.\n\n#### _Follow Ransomware Best Practices_\n\nRefer to the best practices and references below to help manage the risk posed by ransomware and support your organization\u2019s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.\n\n * It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization. \n * Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.\n * Maintain regularly updated \u201cgold images\u201d of critical systems in the event they need to be rebuilt. 
This entails maintaining image \u201ctemplates\u201d that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.\n * Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. \n * Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.\n * Ensure all backup hardware is properly patched.\n * In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.\n * Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident. 
\n * Review available incident response guidance, such as CISA\u2019s Technical Approaches to Uncovering and Remediating Malicious Activity <https://us-cert.cisa.gov/ncas/alerts/aa20-245a>.\n * Help your organization better organize around cyber incident response.\n * Develop a cyber incident response plan.\n * The Ransomware Response Checklist, available in the [CISA and MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.\n * Review and implement as applicable MITRE\u2019s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (<https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf>).\n * Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.\n * Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following: \n * Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.\n * Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.\n * Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. 
This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.\n * Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.\n * Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.\n * Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.\n * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.\n * HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at <http://www.hhs.gov/hc3>.\n\n#### _Hardening Guidance_\n\n * The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices found here: <https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity>.\n * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for additional in-depth hardening guidance.\n\n#### _Contact CISA for These No-Cost Resources_\n\n * Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.\n * Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: 
<https://www.cisa.gov/cyber-resource-hub>. \n * Assessments include Vulnerability Scanning and Phishing Campaign Assessment.\n * Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.\n * CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.\n * Contacts: \n * SLTT organizations: [CyberLiaison_SLTT@cisa.dhs.gov](<CyberLiaison_SLTT@cisa.dhs.gov>)\n * Private sector organizations: [CyberLiaison_Industry@cisa.dhs.gov](<CyberLiaison_Industry@cisa.dhs.gov>)\n\n#### _Ransomware Quick References_\n\n * _Ransomware: What It Is and What to Do About It_ (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: <https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf>\n * Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: <https://www.us-cert.cisa.gov/Ransomware>\n * HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at [www.hhs.gov/hc3](<www.hhs.gov/hc3>)\n * _Security Primer \u2013 Ransomware_ (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: <https://www.cisecurity.org/white-papers/security-primer-ransomware/>\n * _Ransomware: Facts, Threats, and Countermeasures_ (MS-ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: <https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/>\n * HHS Ransomware 
Fact Sheet: <https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf>\n * NIST Securing Data Integrity White Paper: <https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft>\n\n#### Ransomware Response Checklist\n\n**Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.**\n\nShould your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), which contains steps for detection and analysis as well as containment and eradication.\n\n#### _Consider the Need For Extended Identification or Analysis_\n\nIf extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:\n\n * Recovered executable file\n * Copies of the readme file \u2013 DO NOT REMOVE the file or decryption may not be possible\n * Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)\n * Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)\n * Malware samples\n * Names of any other malware identified on your system\n * Encrypted file samples\n * Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)\n * Any PowerShell scripts found having executed on the systems\n * Any user accounts created in Active Directory or machines added to the network during the exploitation\n * Email addresses used by the attackers and any associated phishing emails\n * A copy of the ransom note\n * Ransom amount and whether or not the 
ransom was paid\n * Bitcoin wallets used by the attackers\n * Bitcoin wallets used to pay the ransom (if applicable)\n * Copies of any communications with attackers\n\nUpon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.\n\n * CISA \u2013 Advanced Malware Analysis Center: <https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf>\n * Remote Assistance \u2013 Request via [Central@cisa.gov](<Central@cisa.gov>)\n\n### Contact Information\n\nCISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.\n\n * State and Local Response Contacts\n * IT/IT Security Team \u2013 Centralized Cyber Incident Reporting\n * State and Local Law Enforcement\n * Fusion Center \n * Managed/Security Service Providers\n * Cyber Insurance \n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<Central@cisa.dhs.gov>).\n\nAdditionally, see [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for information on contacting\u2014and what to expect from contacting\u2014federal asset response and federal threat response contacts.\n\n### _Disclaimer_\n\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see <https://cisa.gov/tlp>.\n\n### References\n\n[CISA Emergency Services Sector Continuity Planning Suite ](<https://www.cisa.gov/emergency-services-sector-continuity-planning-suite>)\n\n[CISA MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>)\n\n[CISA Tip: Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)\n\n[FBI PSA: \u201cHigh-Impact Ransomware Attacks Threaten U.S. 
Businesses and Organizations\"](<https://www.ic3.gov/media/2019/191002.aspx>)\n\n[Health Industry Cybersecurity Tactical Crisis Response](<https://healthsectorcouncil.org/hic-tcr/>)\n\n[Health Industry Cybersecurity Practices (HICP) ](<http://www.phe.gov/405d>)\n\n[HHS - Ransomware Spotlight Webinar ](<https://protect2.fireeye.com/url?k=661c55bd-3a495cae-661c6482-0cc47adb5650-bb09b09e1017f10b&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=99373fd9c7&e=7882426b51>)\n\n[HHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients](<https://protect2.fireeye.com/url?k=b43c8fe1-e86986f2-b43cbede-0cc47adb5650-84218742b50e2b7e&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=3d453bb6fe&e=7882426b51>)\n\n[HHS - Ransomware Briefing ](<https://protect2.fireeye.com/url?k=6a477b44-36127257-6a474a7b-0cc47adb5650-f6c92a4c247070ec&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=071616ff3e&e=7882426b51>)\n\n[HHS - Aggressive Ransomware Impacts](<https://protect2.fireeye.com/url?k=fe80c15e-a2d5c84d-fe80f061-0cc47adb5650-2206dbc55c13f1de&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=ebb762e019&e=7882426b51>)\n\n[HHS - Ransomware Fact Sheet](<https://protect2.fireeye.com/url?k=2923cea5-7576c7b6-2923ff9a-0cc47adb5650-26d7a0932fe07e31&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=107ba38369&e=7882426b51>)\n\n[HHS - Cyber Attack Checklist](<https://protect2.fireeye.com/url?k=08e10c16-54b40505-08e13d29-0cc47adb5650-70b9e6fd13ea4f2d&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=bcc423d21d&e=7882426b51>)\n\n[HHS - Cyber-Attack Response Infographic](<https://protect2.fireeye.com/url?k=8497e505-d8c2ec16-8497d43a-0cc47adb5650-ba5cee20bcf28bab&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=dc2b43974c&e=7882426b51>)\n\n[NIST - Data Integrity 
Publication](<https://protect2.fireeye.com/url?k=0be33d8b-57b63498-0be30cb4-0cc47adb5650-be7b920b52ab7927&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=c89bf12fa8&e=7882426b51>)\n\n[NIST - Guide for Cybersecurity Event Recovery](<https://protect2.fireeye.com/url?k=5335b9d4-0f60b0c7-533588eb-0cc47adb5650-bbc2d82317c6bc45&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=eeb05487cf&e=7882426b51>)\n\n[NIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=348a7900-68df7013-348a483f-0cc47adb5650-5210c734b99339b1&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=9f0f789411&e=7882426b51>)\n\n[NIST - Detecting and Responding to Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=daf6be91-86a3b782-daf68fae-0cc47adb5650-1f4f5f947a590fa0&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=958743a29c&e=7882426b51>)\n\n[NIST - Recovering from Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=90b40d5e-cce1044d-90b43c61-0cc47adb5650-bab63aa79a2b0b2a&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=4947ff3a54&e=7882426b51>)\n\n[Github List of IOCs](<https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>)\n\n### Revisions\n\n * October 28, 2020: Initial version\n * October 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection\n * November 2, 2020: Updated FBI link\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 4.0}, "published": "2020-11-02T12:00:00", "type": "ics", "title": "Ransomware Activity Targeting the Healthcare and Public Health Sector", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-11-02T12:00:00", "id": "AA20-302A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:05:05", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme\u2014referred to by the U.S. 
Government as \u201cFASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.\u201d\n\nCISA, Treasury, FBI, and USCYBERCOM highlight the cyber threat posed by North Korea\u2014formally known as the Democratic People\u2019s Republic of Korea (DPRK)\u2014and provide recommended steps to mitigate the threat.\n\nRefer to the following Malware Analysis Reports for associated IOCs: [CROWDEDFLOUNDER](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-045c>), [ECCENTRICBANDWAGON](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a>), [ELECTRICFISH](<https://us-cert.cisa.gov/ncas/analysis-reports/ar19-252b>), [FASTCash for Windows](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239c>), [HOPLIGHT](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-045g>), and [VIVACIOUSGIFT](<https://us-cert.gov/ncas/analysis-reports/ar20-239b>).\n\n!!!WARNING!!!\n\nSince February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019. This advisory provides an overview of North Korea\u2019s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.\n\n!!!WARNING!!!\n\n### Technical Details\n\nNorth Korea's intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. 
The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.\n\n**The BeagleBoyz\u2019s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs.** The BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, according to public estimates. Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions. \n\n * In 2018, a bank in Africa could not resume normal ATM or point of sale services for its customers for almost two months following an attempted FASTCash incident.\n * The BeagleBoyz often put destructive anti-forensic tools onto computer networks of victim institutions. Additionally, in 2018, they deployed wiper malware against a bank in Chile that crashed thousands of computers and servers to distract from efforts to send fraudulent messages from the bank\u2019s compromised SWIFT terminal.\n\n**North Korea\u2019s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world. 
**Any BeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the flow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the international financial system for profit.\n\n * Fraudulent ATM cash outs have affected upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the United States.\n * The BeagleBoyz also use unwitting banks, including banks in the United States, for their SWIFT fraud scheme. These banks are custodians of accounts belonging to victim banks or unknowingly serve as a pass-through for the fraud. Most infamously, the BeagleBoyz stole $81 million from the Bank of Bangladesh in 2016. The Federal Reserve Bank of New York stopped the remainder of this attempted $1 billion theft after detecting anomalies in the transfer instructions they had received.\n\n**FASTCash Update**\n\nNorth Korea\u2019s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as \u201cFASTCash\u201d in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks\u2019 retail payment system infrastructure (i.e., switch application servers processing International Standards Organization [ISO] 8583 messages, which is the standard for financial transaction messaging).\n\nSince the publication of the in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.\n\n * In October 2018, the U.S. 
Government identified malware used in the FASTCash scheme that has the capability to manipulate AIX servers running a bank's switch application to intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs. The U.S. Government has since identified functionally equivalent malware for the Windows operating system. Please see the Technical Analysis section below for more information about the ISO 8583 malware for Windows.\n * The BeagleBoyz initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors. This suggests the BeagleBoyz are exploring upstream opportunities in the payments ecosystem.\n\nFor more information about FASTCash, please see [https://www.us-cert.gov/ncas/alerts/TA18-275A](<https://www.us-cert.gov/ncas/alerts/ta18-275a>). \n \n--- \n \n## BEAGLEBOYZ Profile\n\nThe BeagleBoyz, an element of the North Korean government\u2019s Reconnaissance General Bureau, have likely been active since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. 
The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.\n\n### Community Identifiers\n\nThe BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).\n\n### Targeted Nations\n\nThe BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia (figure 1).\n\n\n\n_Figure 1: Nations probably targeted by BeagleBoyz since 2015_\n\n### Anatomy of a BeagleBoyz Bank Heist\n\nFigure 2 provides a graphical depiction of a BeagleBoyz bank heist. The next section describes in detail the end-to-end actions the BeagleBoyz take to rob financial institutions with a malicious cyber operation.\n\n\n\n_Figure 2: BeagleBoyz Bank Heist overview_\n\n## Technical Analysis\n\nThe BeagleBoyz use a variety of tools and techniques to gain access to a financial institution\u2019s network, learn the topology to discover key systems, and monetize their access. The technical analysis below represents an amalgamation of multiple known incidents, rather than details of a single operation. These findings are presented to highlight the group\u2019s ability to tailor their techniques to different targets and to adapt their methods over time. 
Consequently, there is a need for layered mitigations to effectively defend against this activity, as relying solely on network signature detection will not sufficiently protect against North Korea\u2019s BeagleBoyz.\n\n### Initial Access\n\nThe BeagleBoyz have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions. Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application themed phishing attacks using the following publicly available malicious files.\n\nMD5: b484b0dff093f358897486b58266d069\n\nMD5: f34b72471a205c4eee5221ab9a349c55\n\nMD5: 4c26b2d0e5cd3bfe0a3d07c4b85909a4\n\nMD5: 52ec074d8cb8243976963674dd40ffe7\n\nMD5: d1d779314250fab284fd348888c2f955\n\nMD5: cf733e719e9677ebfbc84a3ab08dd0dc\n\nMD5: 01d397df2a1cf1d4c8e3615b7064856c\n\nThe BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development. 
The third party typically uses commodity malware to establish initial access on a victim\u2019s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.\n\nThe BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network (_Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)]).\n\n * Email an attachment with malware to a specific individual, company, or industry (_Phishing:_ _Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)])\n * Compromise a website visited by users in specific communities, industries, or regions (_Drive-by Compromise _[[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189/>)])\n * Exploit a weakness (a bug, glitch, or design vulnerability) in an internet-facing computer system (such as a database or web server) (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)])\n * Steal the credentials of a specific user or service account to bypass access controls and gain increased privileges (_Valid Accounts _[[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)])\n * Breach organizations that have access to the intended victim\u2019s organization and exploit their trusted relationship (_Trusted Relationship_ [[T1199](<https://attack.mitre.org/versions/v7/techniques/T1199/>)])\n * Use remote services to initially access and persist within a victim\u2019s network (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)])\n\n### Execution\n\nThe BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution\u2019s corporate network. After gaining initial access to a financial institution\u2019s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. 
The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems [_Execution_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)]).\n\n * Use command-line interfaces to interact with systems and execute other software (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v7/techniques/T1059/>)])\n * Use scripts (e.g., VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001/>)], _Command and Scripting Interpreter: Visual Basic _[[T1059.005](<https://attack.mitre.org/versions/v7/techniques/T1059/005/>)])\n * Rely upon specific user actions, such as opening a malicious email attachment (_User Execution_ [[T1204](<https://attack.mitre.org/versions/v7/techniques/T1204/>)])\n * Exploit software vulnerabilities to execute code on a system (_Exploitation for Client Execution_ [[T1203](<https://attack.mitre.org/versions/v7/techniques/T1203/>)])\n * Create new services or modify existing services to execute executables, commands, or scripts (_System Services: Service Execution _[[T1569.002](<https://attack.mitre.org/versions/v7/techniques/T1569/002/>)])\n * Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [[T1129](<https://attack.mitre.org/versions/v7/techniques/T1129/>)])\n * Use the Windows API to execute arbitrary code on the victim's system (_Native API _[[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106/>)])\n * Use a system's graphical user interface (GUI) to 
search for information and execute files (_Remote Services_ [[T1021](<https://attack.mitre.org/versions/v7/techniques/T1021/>)])\n * Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (_Scheduled Task/Job_ [[T1053](<https://attack.mitre.org/versions/v7/techniques/T1053/>)])\n * Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (_Signed Binary Proxy Execution: Compiled HTML File_ [[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001/>)])\n * Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (_Signed Binary Proxy Execution: Rundll32_ [[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001/>)])\n * Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (_Scheduled Task/Job: Cron _[[T1053.003](<https://attack.mitre.org/versions/v7/techniques/T1053/003/>)], _Scheduled Task/Job: Launchd _[[T1053.004](<https://attack.mitre.org/versions/v7/techniques/T1053/004/>)])\n\n### Persistence\n\nThe BeagleBoyz use many techniques to maintain access on compromised networks through system restarts, changed credentials, and other interruptions that could affect their access (_Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\n * Add an entry to the \u201crun keys\u201d in the Registry or an executable to the startup folder to execute malware as the user logs in under the context of the user\u2019s associated permissions levels (_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ 
[[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)])\n * Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (_Create or Modify System Process: Windows Service _[[T1543.003](<https://attack.mitre.org/versions/v7/techniques/T1543/003/>)])\n * Compromise an openly accessible web server with a web script (known as a web shell) to use the web server as a gateway into a network and to serve as a redundant access or persistence mechanism (_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/versions/v7/techniques/T1505/003/>)])\n * Manipulate accounts (e.g., modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (_Account Manipulation_ [[T1098](<https://attack.mitre.org/versions/v7/techniques/T1098/>)])\n * Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)])\n * Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (_Scheduled Task/Job_ [[T1053](<https://attack.mitre.org/versions/v7/techniques/T1053/>)])\n * Abuse the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (_Hijack Execution Flow: DLL Search Order Hijacking_ [[T1056.004](<https://attack.mitre.org/versions/v7/techniques/T1056/004/>)])\n * Exploit hooking to load and execute malicious code within the context of another process to mask the 
execution, allow access to the process\u2019s memory, and, possibly, gain elevated privileges (_Input Capture: Credential API Hooking _[[T1574.001](<https://attack.mitre.org/versions/v7/techniques/T1574/001/>)])\n * Use remote services to persist within a victim\u2019s network (External Remote Services [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)])\n\n### Privilege Escalation\n\nThe BeagleBoyz often seek access to financial institutions\u2019 systems that have tiered user and system accounts with customized privileges. The BeagleBoyz must overcome these restrictions to access necessary systems, monitor normal user behavior, and install and execute additional malicious tools. To do so, the BeagleBoyz have used the following techniques to gain higher-level permissions on a system or network (_Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)]).\n\n * Inject code into processes to evade process-based defenses and elevate privileges (_Process Injection_ [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)])\n * Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v7/techniques/T1543/003/>)])\n * Compromise an openly accessible web server with web shell to use the web server as a gateway into a network (_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/versions/v7/techniques/T1505/003/>)])\n * Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution as part of lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (_Scheduled Task/Job _[[T1053](<https://attack.mitre.org/versions/v7/techniques/T1053/>)])\n * Steal the credentials of a specific 
user or service account to bypass access controls and grant increased privileges (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)])\n * Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process\u2019s memory, and, possibly, gain elevated privileges (_Input Capture: Credential API Hooking_ [[T1574.001](<https://attack.mitre.org/versions/v7/techniques/T1574/001/>)])\n * Perform Sudo (sometimes referred to as \u201csuper user do\u201d) caching or use the sudoers file to elevate privileges in Linux and macOS systems (_Abuse Elevation Control Mechanism: Sudo and Sudo Caching_ [[T1548.003](<https://attack.mitre.org/versions/v7/techniques/T1548/003/>)])\n * Execute malicious payloads by hijacking the search order used to load DLLs (_Hijack Execution Flow: DLL Search Order Hijacking _[[T1574.001](<https://attack.mitre.org/versions/v7/techniques/T1574/001/>)])\n\n### Defense Evasion\n\nThroughout their exploitation of a financial institution\u2019s computer network, the BeagleBoyz have used different techniques to avoid detection by OS security features, system and network security software, and system audits (_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v7/tactics/TA0005/>)]).\n\n * Exploit code signing certificates to masquerade malware and tools as legitimate binaries and bypass security policies that allow only signed binaries to execute on a system (_Subvert Trust Controls Signing_ [[T1553.002](<https://attack.mitre.org/versions/v7/techniques/T1553/002/>)])\n * Remove malware, tools, or other non-native files dropped or created throughout an intrusion to reduce their footprint or as part of the post-intrusion cleanup process (_Indicator Removal on Host: File Deletion _[[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004/>)])\n * Inject code into processes to evade process-based defenses (_Process Injection_ 
[[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)])\n * Use scripts (such as VBScript and PowerShell) to bypass process monitoring mechanisms by directly interacting with the OS at an API level instead of calling other programs (_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001/>)], _Command and Scripting Interpreter: Visual Basic_ [[T1059.005](<https://attack.mitre.org/versions/v7/techniques/T1059/005/>)])\n * Attempt to make an executable or file challenging to discover or analyze by encrypting, encoding, or obfuscating its contents on the system or in transit (_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/versions/v7/techniques/T1027/>)])\n * Use external previously compromised web services to relay commands to a victim system (_Web Service_ [[T1102](<https://attack.mitre.org/versions/v7/techniques/T1102/>)])\n * Use software packing to change the file signature, bypass signature-based detection, and decompress the executable code in memory (_Unsecured Credentials: Private Keys_ [[T1552.004](<https://attack.mitre.org/versions/v7/techniques/T1552/004/>)])\n * Use obfuscated files or information to hide intrusion artifacts (_Deobfuscate/Decode Files or Information_ [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140/>)])\n * Modify the data timestamps (the modify, access, create, and change times fields) to mimic files that are in the same folder, making them appear inconspicuous to forensic analysts or file analysis tools (_Indicator Removal on Host: Remove Timestamp_ [[T1070.006](<https://attack.mitre.org/versions/v7/techniques/T1070/006/>)])\n * Abuse Windows utilities to implement arbitrary execution commands and subvert detection and mitigation controls (such as Group Policy) that limit or prevent the usage of cmd.exe or file extensions commonly associated with malicious payloads (_Indirect Command Execution_ 
[[T1202](<https://attack.mitre.org/versions/v7/techniques/T1202/>)])\n * Use various methods to prevent their commands from appearing in logs and clear command history to remove activity traces (_Indicator Removal on Host: Clear Command History_ [[T1070.003](<https://attack.mitre.org/versions/v7/techniques/T1070/003/>)])\n * Disable security tools to avoid possible detection of tools and events (_Impair Defenses: Disable or Modify Tools _[[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001/>)])\n * Steal the credentials of a specific user or service account to bypass access controls and grant increased privileges (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)])\n * Delete or alter generated artifacts on a host system, including logs and potentially captured files, to remove traces of activity (_Indicator Removal on Host: File Deletion_ [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004/>)])\n * Abuse compiled HTML files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (_Signed Binary Proxy Execution: Compiled HTML File _[[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001/>)])\n * Prepend a space to all their terminal commands to operate without leaving traces in the HISTCONTROL environment, which is configured to ignore commands that start with a space (_Impair Defenses: HISTCONTROL_ [[T1562.003](<https://attack.mitre.org/versions/v7/techniques/T1562/003/>)])\n * Modify malware so it has a different signature and re-use it in cases when the group determines it was quarantined (_Obfuscated Files or Information: Indicator Removal from Tools_ [[T1027.005](<https://attack.mitre.org/versions/v7/techniques/T1027/005/>)])\n * Attempt to block indicators or events typically captured by sensors from being gathered and analyzed (_Impair Defenses: Indicator Blocking_ 
[[T1562.006](<https://attack.mitre.org/versions/v7/techniques/T1562/006/>)])\n * Use the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (_Hijack Execution Flow: DLL Search Order Hijacking_ [[T1574.001](<https://attack.mitre.org/versions/v7/techniques/T1574/001/>)])\n * Manipulate or abuse the attributes or location of an executable (masquerading) to better blend in with the environment and increase the chances of deceiving a security analyst or product (_Masquerading_ [[T1036](<https://attack.mitre.org/versions/v7/techniques/T1036/>)])\n * Exploit rootkits to hide programs, files, network connections, services, drivers, and other system components (_Rootkit_ [[T1014](<https://attack.mitre.org/versions/v7/techniques/T1014/>)])\n * Abuse the Windows rundll32.exe to execute binaries, scripts, and .CPL files, and execute code via proxy to avoid triggering security tools (_Signed Binary Proxy Execution: Rundll32_ [[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001/>)])\n\n### Credential Access\n\nThe BeagleBoyz may use malware like ECCENTRICBANDWAGON to log keystrokes and take screen captures. The U.S. Government has identified some ECCENTRICBANDWAGON samples that have the ability to RC4 encrypt logged data, but the tool has no network functionality. The implant uses specific formatting for logged data and saves the file locally; another tool obtains the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at <https://us-cert.cisa.gov/northkorea>.\n\nThe BeagleBoyz may not always need to use custom keyloggers like ECCENTRICBANDWAGON or other tools to obtain credentials from a compromised system. 
Depending on the victim\u2019s environment, the BeagleBoyz have used the following techniques to steal credentials (_Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)]).\n\n * Capture user input, such as keylogging (the most prevalent type of input capture), to obtain credentials for valid accounts and information collection (_Input Capture_ [[T1056](<https://attack.mitre.org/versions/v7/techniques/T1056/>)])\n * Obtain account login and password information, generally in the form of a hash or a clear text password, from the operating system and software (_OS Credential Dumping _[[T1056](<https://attack.mitre.org/versions/v7/techniques/T1056/>)])\n * Gather private keys from compromised systems to authenticate to remote services or decrypt other collected files (_Unsecured Credentials: Private Keys_ [[T1552.004](<https://attack.mitre.org/versions/v7/techniques/T1552/004/>)])\n * Manipulate default, domain, local, and cloud accounts to maintain access to credentials and certain permission levels within an environment (_Account Manipulation_ [[T1098](<https://attack.mitre.org/versions/v7/techniques/T1098/>)])\n * Abuse hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process's memory, and, possibly, gain elevated privileges (_Input Capture: Credential API Hooking_ [[T1056.004](<https://attack.mitre.org/versions/v7/techniques/T1056/004/>)])\n * Use brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable (_Brute Force _[[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110/>)])\n\n### Discovery\n\nOnce inside a financial institution\u2019s network, the BeagleBoyz appear to seek two specific systems\u2014the SWIFT terminal and the server hosting the institution\u2019s payment switch application. 
As they progress through a network, they learn about the systems they have accessed in order to map the network and gain access to the two goal systems. To do so, the BeagleBoyz have used the following techniques to gain knowledge about the systems and internal network (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).

 * Attempt to get detailed information about the operating system and hardware, such as version, patches, hotfixes, service packs, and architecture (_System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082/>)])
 * Enumerate files and directories or search in specific locations of a host or network share for particular information within a file system (_File and Directory Discovery_ [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083/>)])
 * Get a list of security software, configurations, defensive tools, and sensors installed on the system (_Software Discovery: Security Software Discovery_ [[T1518.001](<https://attack.mitre.org/versions/v7/techniques/T1518/001/>)])
 * Procure information about running processes on a system to understand standard software running on network systems (_Process Discovery_ [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057/>)])
 * Identify primary users, currently logged in users, sets of users that commonly use a system, or active or inactive users (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033/>)])
 * Enumerate browser bookmarks to learn more about compromised hosts, reveal personal information about users, and expose details about internal network resources (_Browser Bookmark Discovery_ [[T1217](<https://attack.mitre.org/versions/v7/techniques/T1217/>)])
 * Look for information on network configuration and system settings on compromised systems, or perform remote system discovery (_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016/>)])
 * Interact with the Windows Registry to gather information about the system, configuration, and installed software (_Query Registry_ [[T1012](<https://attack.mitre.org/versions/v7/techniques/T1012/>)])
 * Get a list of open application windows to learn how the system is used or give context to data collected (_Application Window Discovery_ [[T1010](<https://attack.mitre.org/versions/v7/techniques/T1010/>)])
 * Attempt to get a listing of local system or domain accounts in the compromised system (_Account Discovery_ [[T1087](<https://attack.mitre.org/versions/v7/techniques/T1087/>)])
 * Obtain a list of network connections to and from the compromised system or remote system by querying for information over the network (_System Network Connections Discovery_ [[T1049](<https://attack.mitre.org/versions/v7/techniques/T1049/>)])

### Lateral Movement

To access a compromised financial institution’s SWIFT terminal and the server hosting the institution’s payment switch application, the BeagleBoyz leverage harvested credentials and take advantage of the accessibility of these critical systems from other systems in the institution’s corporate network. Specifically, the BeagleBoyz have been known to create firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.
Depending on the configuration of compromised systems and the security environment of the victim’s computer network, the BeagleBoyz have used the following techniques to enter and control remote systems on a compromised network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).

 * Copy files from one system to another to stage adversary tools or other files throughout an operation (_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105/>)])
 * Use Remote Desktop Protocol (RDP) to log into an interactive session with a system desktop GUI on a remote system (_Remote Services: Remote Desktop Protocol_ [[T1021.001](<https://attack.mitre.org/versions/v7/techniques/T1021/001/>)])
 * Employ hidden network shares, in conjunction with administrator-level valid accounts, to remotely access a networked system over Server Message Block (SMB) in order to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote execution (_Remote Services: SMB/Windows Admin Shares_ [[T1021.002](<https://attack.mitre.org/versions/v7/techniques/T1021/002/>)])
 * Exploit valid accounts to log into a service specifically designed to accept remote connections and perform actions as the logged-on user (_Remote Services_ [[T1021](<https://attack.mitre.org/versions/v7/techniques/T1021/>)])

### Collection

Depending on various environmental attributes the BeagleBoyz encounter during their exploitation, they may deploy a variety of reconnaissance tools or use commonly available administrative tools for malicious purposes.

The BeagleBoyz, like other sophisticated cyber actors, also appear to use resident, legitimate administrative tools for reconnaissance purposes when they are available; this is commonly known as “living off the land.” PowerShell appears to be a popular otherwise-legitimate tool the BeagleBoyz favor for reconnaissance activities. For example, the BeagleBoyz often use publicly available code from PowerShell Empire for malicious purposes.

The BeagleBoyz have used the following techniques to gather information from exploited systems (_Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)]).

 * Use automated methods, such as scripts, for collecting data (_Automated Collection_ [[T1119](<https://attack.mitre.org/versions/v7/techniques/T1119/>)])
 * Capture user input to obtain credentials and collect information (_Input Capture_ [[T1056](<https://attack.mitre.org/versions/v7/techniques/T1056/>)])
 * Collect local systems data from a compromised system (_Data from Local System_ [[T1005](<https://attack.mitre.org/versions/v7/techniques/T1005/>)])
 * Take screen captures of the desktop (_Screen Capture_ [[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113/>)])
 * Collect data stored in the Windows clipboard from users (_Clipboard Data_ [[T1115](<https://attack.mitre.org/versions/v7/techniques/T1115/>)])

### Command and Control

The BeagleBoyz likely change tools—such as CROWDEDFLOUNDER and HOPLIGHT—over time to maintain remote access to financial institution networks and to interact with those systems.

Analysis of the following CROWDEDFLOUNDER samples was first released in October 2018 as part of the FASTCash campaign.

MD5 hash: 5cfa1c2cb430bec721063e3e2d144feb  
MD5 hash: 4f67f3e4a7509af1b2b1c6180a03b3e4

The BeagleBoyz have used CROWDEDFLOUNDER as a remote access trojan (RAT) since at least 2018. The implant is designed to operate on Microsoft Windows hosts and can upload and download files, launch a remote command shell, inject into victim processes, obtain user and host information, and securely delete files. The implant may be packed with Themida to degrade or prevent effective reverse engineering or evade detection on a Windows host. It can be set to act in beacon or listening modes, depending on command line arguments or configuration specifications. The implant obfuscates network communications using a simple encoding algorithm. The listening mode of CROWDEDFLOUNDER facilitates proxies like ELECTRICFISH (discussed below) with tunneling traffic in a victim’s network.

More recently, the U.S. Government has found HOPLIGHT malware on victim systems, suggesting the BeagleBoyz are using HOPLIGHT for similar purposes. HOPLIGHT has the same basic RAT functionality as the CROWDEDFLOUNDER implant. In addition, HOPLIGHT has the capability to create fraudulent Transport Layer Security (TLS) sessions to obfuscate command and control (C2) connections, making detection and tracking of the malware’s communications difficult.

Full technical reports for CROWDEDFLOUNDER and HOPLIGHT are available at <https://us-cert.cisa.gov/northkorea>.

The BeagleBoyz use network proxy tunneling tools—including VIVACIOUSGIFT and ELECTRICFISH—to tunnel communications from non-internet facing systems like an ATM switch application server or a SWIFT terminal to internet-facing systems. The BeagleBoyz use these network proxy tunneling tools, likely placed at or near a victim’s network boundary, to tunnel other protocols such as RDP and Secure Shell or other implant traffic out from the internal network.

It appears that as the BeagleBoyz change proxy tools, there is some overlap between their use of older and newer malware. For example, the BeagleBoyz appear to have begun using ELECTRICFISH as they wound down use of VIVACIOUSGIFT. There has been a noticeable decline in ELECTRICFISH use following the U.S. Government’s disclosure of it in May 2019.

Full technical reports for VIVACIOUSGIFT and ELECTRICFISH are available at <https://us-cert.cisa.gov/northkorea>.

In addition to these tools, the BeagleBoyz have used the following techniques to communicate with financial institution victim systems under their control (_Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)]).

 * Employ known encryption algorithms to conceal C2 traffic (_Encrypted Channel_ [[T1573](<https://attack.mitre.org/versions/v7/techniques/T1573/>)])
 * Communicate over commonly used standard application layer protocols and ports to avoid detection or detailed inspection and to blend with existing traffic (_Application Layer Protocol_ [[T1071](<https://attack.mitre.org/versions/v7/techniques/T1071/>)])
 * Encode C2 information using standard data encoding systems such as the American Standard Code for Information Interchange (ASCII), Unicode, Base64, Multipurpose Internet Mail Extensions, and 8-bit Unicode Transformation Format systems or other binary-to-text and character encoding systems (_Data Encoding: Standard Encoding_ [[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001/>)])
 * Copy files between systems to stage adversary tools or other files (_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105/>)])
 * Use external previously compromised web services to relay commands to victim systems (_Web Service_ [[T1102](<https://attack.mitre.org/versions/v7/techniques/T1102/>)])
 * Employ a custom C2 protocol that mimics well-known protocols, or develop custom protocols (including raw sockets) to supplement protocols provided by another standard network stack (_Non-Application Layer Protocol_ [[T1095](<https://attack.mitre.org/versions/v7/techniques/T1095/>)])
 * Obfuscate C2 communications (but not necessarily encrypt them) to hide commands and make the content less conspicuous and more challenging to discover or decipher (_Data Obfuscation_ [[T1001](<https://attack.mitre.org/versions/v7/techniques/T1001/>)])
 * Employ connection proxies to direct network traffic between systems, act as an intermediary for network communications to a C2 server, or avoid direct connections to their infrastructure (_Proxy_ [[T1090](<https://attack.mitre.org/versions/v7/techniques/T1090/>)])
 * Exploit legitimate desktop support and remote access software to establish an interactive C2 channel to target systems within networks (_Remote Access Software_ [[T1219](<https://attack.mitre.org/versions/v7/techniques/T1219/>)])

**Cryptocurrency Exchange Heists**

In addition to robbing traditional financial institutions, the BeagleBoyz target cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident. Cryptocurrency offers the BeagleBoyz an irreversible method of theft that can be converted into fiat currency, because the permanent nature of cryptocurrency transfers does not allow for claw-back mechanisms. Working with U.S. Government partners, CISA, Treasury, FBI, and USCYBERCOM identified COPPERHEDGE as the tool of choice for the BeagleBoyz to exploit cryptocurrency exchanges. COPPERHEDGE is a full-featured remote access tool capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Full technical analysis of COPPERHEDGE is available at <https://us-cert.cisa.gov/northkorea>.

---

### Exfiltration

During a cyber operation, the BeagleBoyz need to exfiltrate a variety of data from compromised systems.
In addition to the C2 tools noted above that have built-in exfiltration features, such as CROWDEDFLOUNDER and HOPLIGHT, the BeagleBoyz use the following techniques to steal data from a network (_Exfiltration_ [[TA0010](<https://attack.mitre.org/versions/v7/tactics/TA0010/>)]).

 * Compress and encrypt collected data before exfiltration to minimize the amount of data sent over the web and make it portable, less conspicuous, and less detectable (_Archive Collected Data_ [[T1560](<https://attack.mitre.org/versions/v7/techniques/T1560/>)])
 * Steal collected data via scripts (although this may require other exfiltration techniques) (_Automated Exfiltration_ [[T1020](<https://attack.mitre.org/versions/v7/techniques/T1020/>)])
 * Encode data using the same protocol as the C2 channel and exfiltrate it over the C2 channel (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v7/techniques/T1041/>)])

### Impact

The U.S. Government has observed the BeagleBoyz successfully monetize illicit access to financial institutions’ SWIFT terminals to enable wire fraud and gain access to the institutions’ payment switch application servers, which allowed fraudulent ATM cash outs. After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization.

The cybersecurity community and Financial Services sector have released substantial information on the BeagleBoyz manipulation of compromised SWIFT terminals, describing their ability to monitor these systems, send fraudulent messages, and attempt to hide the fraudulent activity from detection.
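The FASTCash behaviour described below (a hooked switch application answering an inbound request with a forged approval before the issuer ever sees it) is exactly what the recommendation later in this advisory to require and verify message authentication codes on issuer response messages is meant to defeat. The following is an added example, not code from this advisory, CISA, or any payment vendor: an acquirer-side validator that parses a simplified ISO 8583 message (ASCII or EBCDIC), correlates each 0210 response with the outstanding 0200 request, and rejects any response whose MAC does not verify under the key shared with the issuer. The field subset, the LLVAR/fixed layouts, the HMAC-SHA256 MAC convention, the key, and the sample PAN and amounts are all assumptions constructed for this example, not a real scheme profile.

```python
# Added example (not advisory, CISA, or vendor code): acquirer-side check of
# ISO 8583 responses. Field subset, layouts, and the HMAC-SHA256 MAC rule are
# simplifications constructed for this example, not a real scheme profile.
import hashlib
import hmac

# ("llvar", None) = 2-digit length prefix; ("fixed", n) = exactly n characters.
FIELD_LAYOUT = {
    2: ("llvar", None),  # primary account number (PAN)
    4: ("fixed", 12),    # amount in minor units, zero padded
    11: ("fixed", 6),    # system trace audit number (STAN)
    37: ("fixed", 12),   # retrieval reference number
    39: ("fixed", 2),    # response code, "00" = approved
    64: ("fixed", 16),   # MAC, hex encoded (example convention)
}
MAC_FIELDS = (2, 4, 11, 37, 39)  # data elements covered by the MAC


def parse_iso8583(raw: bytes, encoding: str = "ascii"):
    """Decode MTI, 16-hex-digit primary bitmap, then each present field.
    encoding is "ascii" or "cp500" (EBCDIC), the two the advisory mentions."""
    text = raw.decode(encoding)
    mti, bitmap, pos, fields = text[:4], int(text[4:20], 16), 20, {}
    for bit in range(2, 65):  # bit 1 (secondary bitmap) is not used here
        if not (bitmap >> (64 - bit)) & 1:
            continue
        if bit not in FIELD_LAYOUT:
            raise ValueError(f"unsupported field {bit}")
        kind, length = FIELD_LAYOUT[bit]
        if kind == "llvar":
            length, pos = int(text[pos:pos + 2]), pos + 2
        fields[bit] = text[pos:pos + length]
        pos += length
    if pos != len(text):
        raise ValueError("trailing data after last field")
    return mti, fields


def build_iso8583(mti: str, fields: dict, encoding: str = "ascii") -> bytes:
    """Inverse of parse_iso8583, used here to construct the sample messages."""
    bitmap, body = 0, ""
    for bit in sorted(fields):
        kind, value = FIELD_LAYOUT[bit][0], fields[bit]
        body += f"{len(value):02d}{value}" if kind == "llvar" else value
        bitmap |= 1 << (64 - bit)
    return (mti + f"{bitmap:016X}" + body).encode(encoding)


def compute_mac(key: bytes, mti: str, fields: dict) -> str:
    """HMAC-SHA256 over the MTI and MAC_FIELDS, truncated to 8 bytes, hex."""
    data = mti + "|".join(fields.get(f, "") for f in MAC_FIELDS)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()[:16].upper()


class ResponseValidator:
    """Accept a 0210 response only if it matches a pending 0200 request and
    its MAC verifies under the key shared with the issuer."""

    def __init__(self, issuer_mac_key: bytes):
        self.key = issuer_mac_key
        self.pending = {}  # STAN -> request fields

    def record_request(self, raw: bytes, encoding: str = "ascii") -> None:
        _, fields = parse_iso8583(raw, encoding)
        self.pending[fields[11]] = fields

    def validate_response(self, raw: bytes, encoding: str = "ascii") -> str:
        """Return a reason; only "approved" and "declined" mean accepted."""
        try:
            mti, fields = parse_iso8583(raw, encoding)
        except (ValueError, UnicodeDecodeError):
            return "unparseable"
        if mti != "0210":
            return "unexpected_mti"
        request = self.pending.get(fields.get(11))
        if request is None:
            return "no_matching_request"  # unsolicited or replayed response
        if fields.get(2) != request[2] or fields.get(4) != request[4]:
            return "pan_or_amount_mismatch"
        if not hmac.compare_digest(fields.get(64, ""), compute_mac(self.key, mti, fields)):
            return "bad_mac"  # missing, or built by a party without the issuer key
        del self.pending[fields[11]]
        return "approved" if fields.get(39) == "00" else "declined"


def demo() -> dict:
    """Run the scenario; returns the validator's verdict for each response."""
    key = b"example-issuer-mac-key"  # constructed; real keys live in an HSM
    request = {2: "4111111111111111", 4: "000000010000", 11: "000123", 37: "000000000123"}
    validator = ResponseValidator(key)
    validator.record_request(build_iso8583("0200", request))
    # FASTCash-style injected approval: mirrors the request but cannot carry a valid MAC.
    forged = {**request, 39: "00", 64: "0" * 16}
    genuine = {**request, 39: "00"}
    genuine[64] = compute_mac(key, "0210", genuine)
    out = {"forged": validator.validate_response(build_iso8583("0210", forged))}
    out["genuine"] = validator.validate_response(build_iso8583("0210", genuine))
    out["replay"] = validator.validate_response(build_iso8583("0210", genuine))
    # The same check over an EBCDIC (cp500) encoded exchange that the issuer declines.
    request2 = {**request, 11: "000124", 37: "000000000124"}
    validator.record_request(build_iso8583("0200", request2, "cp500"), "cp500")
    decline = {**request2, 39: "05"}
    decline[64] = compute_mac(key, "0210", decline)
    out["ebcdic"] = validator.validate_response(build_iso8583("0210", decline, "cp500"), "cp500")
    return out
```

An injected response copies the request's PAN, amount, and STAN, so request correlation alone lets it through; it is the MAC check that fails, because code injected into the switch application never holds the issuer's key. Replaying a genuine response also fails, since its request is no longer pending. In production the MAC key belongs in an HSM and the check belongs wherever the response first arrives, which is what the advisory's recommendation to verify message authentication codes on issuer responses asks for.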
The discussion below focuses on the custom tools used to manipulate payment switch applications for ATM cash outs.

The BeagleBoyz use FASTCash malware to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages in the ISO 8583 format. The BeagleBoyz have functionally equivalent FASTCash malware for both UNIX and Windows that they deploy depending on the operating system running on the server hosting the bank’s payment switch application.

FASTCash for UNIX is composed of AIX executable files designed to inject code and libraries into a currently running process. One AIX executable provides export functions, which allows an application to manipulate transactions on financial systems using the ISO 8583 international standard for financial transaction card-originated interchange messaging. The injected executables interpret financial request messages and construct fraudulent financial response messages. For more details on FASTCash for UNIX malware, please see the FASTCash report at <https://www.us-cert.gov/ncas/alerts/TA18-275A>.

The BeagleBoyz use FASTCash for Windows to manipulate transactions processed by a switch application running on a Windows box. FASTCash for Windows is also specific to the ISO 8583 message format. The BeagleBoyz appear to have modified publicly available source code to write parts of the tool, likely to speed development. The malware contains code probably taken from open-source repositories on the internet to create hashmaps and hook functions and to parse ISO 8583 messages.

FASTCash for Windows injects itself into software running on a Windows platform. The malware then takes control of the software’s network send and receive functions, allowing it to manipulate ISO 8583 messages. The U.S. Government has identified two variants of FASTCash for Windows. One variant supports ASCII encoding. The BeagleBoyz appear to have modified the second variant’s message parsing code to support Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding. Both ASCII and EBCDIC are character encoding formats.

FASTCash for Windows malware uses code from github.com/petewarden/c_hashmap for hashmaps, code from Microsoft's Detours Library at github.com/Microsoft/Detours for hooking, and code from to parse ISO 8583 messages.

The malware hooks onto the send and receive function of the switch application so that it can process inbound request messages as they are received. FASTCash for Windows inspects the inbound message, probably looking for specific account numbers. If the account number matches an expected number, the malware constructs a fraudulent response message. If the account number does not match an expected number, the malware allows the request to pass through normally. If the malware constructs a fraudulent response message, it then sends it back to the acquirer without any further processing by the switch application, leaving the issuer without any awareness of the fraudulent transaction.

Full technical reports for FASTCash and FASTCash for Windows malware are available at <https://us-cert.cisa.gov/northkorea>.

The BeagleBoyz have used the following techniques to manipulate business and operational processes for monetary or destructive purposes (_Impact_ [[TA0040](<https://attack.mitre.org/versions/v7/tactics/TA0040/>)]).

 * Corrupt or wipe data storage, data structures, and Master Boot Records (MBR) to interrupt network availability, services, and resources (_Disk Wipe: Disk Structure Wipe_ [[T1561.002](<https://attack.mitre.org/versions/v7/techniques/T1561/002/>)], _Data Destruction_ [[T1485](<https://attack.mitre.org/versions/v7/techniques/T1485/>)])
 * Encrypt data on target systems and withhold access to the decryption key until a ransom is paid, or render data permanently inaccessible if the ransom is not paid (_Data Encrypted
for Impact_ [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486/>)])
 * Stop, disable, or render services unavailable on a system to damage the environment or inhibit incident response (_Service Stop_ [[T1489](<https://attack.mitre.org/versions/v7/techniques/T1489/>)])
 * Insert, delete, or modify data at rest, in transit, or in use to manipulate outcomes, hide activity, and affect the business process, organizational understanding, and decision-making (_Data Manipulation: Stored Data Manipulation_ [[T1565.001](<https://attack.mitre.org/versions/v7/techniques/T1565/001/>)], _Data Manipulation: Transmitted Data Manipulation_ [[T1565.002](<https://attack.mitre.org/versions/v7/techniques/T1565/002/>)], _Data Manipulation: Runtime Data Manipulation_ [[T1565.003](<https://attack.mitre.org/versions/v7/techniques/T1565/003/>)])

### Mitigations

 * Contact law enforcement, CISA, or Treasury immediately regarding any identified activity related to BeagleBoyz. (Refer to the Contact Information section.)
 * Incorporate IOCs identified in CISA’s Malware Analysis Reports on <https://us-cert.cisa.gov/northkorea> into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.

### Recommendations for all Financial Institutions

 * Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks, especially those related to Information Security and Payment Systems.
   * <https://ithandbook.ffiec.gov/>
 * Verify compliance with industry security standards for critical systems, such as those available at:
   * <https://www.pcisecuritystandards.org>
   * <https://www.swift.com/myswift/customer-security-programme-csp/swift-customer-security-controls-framework>

### Recommendations for Institutions with Retail Payment Systems

Require chip and personal identification number (PIN) cryptogram validation.

 * Implement chip and PIN requirements for debit cards.
 * Validate card-generated authorization request cryptograms.
 * Use issuer-generated authorization response cryptograms for response messages.
 * Require card-generated authorization response cryptogram validation to verify legitimate response messages.

Isolate payment system infrastructure.

 * Require multi-factor authentication for any user to access the switch application server.
 * Confirm perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
 * Confirm perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system, especially if your payment switch application server is internet accessible.

Logically segregate your operating environment.

 * Use firewalls to divide your operating environment into enclaves.
 * Use access control lists to permit/deny specific traffic from flowing between those enclaves.
 * Give special consideration to segregating enclaves holding sensitive information (e.g., card management systems) from enclaves requiring internet connectivity (e.g., email).

Encrypt data in transit.

 * Secure all links to payment system engines with a certificate-based mechanism, such as Mutual Transport Layer Security, for all external and internal traffic.
 * Limit the number of certificates that can be used on the production server and restrict access to those certificates.

Monitor for anomalous behavior as part of layered security.

 * Configure the switch application server to log transactions and routinely audit transaction and system logs.
 * Develop a baseline of expected software, users, and logons and monitor switch application servers for unusual software installations, updates, account changes, or other activities outside of expected behavior.
 * Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.

### Recommendations for Organizations with ATM or Point of Sale Devices

Validate issuer responses to financial request messages.

 * Implement chip and PIN requirements for debit cards.
 * Require and verify message authentication codes on issuer financial request response messages.
 * Perform authorization response cryptogram validation for chip and PIN transactions.

### Recommendations for All Organizations

Users and administrators should use the following best practices to strengthen the security posture of their organization’s systems:

 * Maintain up-to-date antivirus signatures and engines.
 * Keep operating system patches up to date.
 * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
 * Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
 * Enforce a strong password policy and require regular password changes.
 * Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
 * Enable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.
 * Disable unnecessary services on agency workstations and servers.
 * Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
 * Monitor users' web browsing habits; restrict access to sites with unfavorable content.
 * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
 * Scan all software downloaded from the internet before executing.
 * Maintain situational awareness of the latest threats.
 * Implement appropriate access control lists.

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://www.nist.gov/publications/guide-malware-incident-prevention-and-handling-desktops-and-laptops>).

### Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

 * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)),
 * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>), or
 * Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or [OCCIP-Coord@treasury.gov](<mailto:OCCIP-Coord@treasury.gov>)).

_DISCLAIMER_

_This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._

_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._

### Revisions

August 26, 2020: Initial Version  
September 3, 2020: Updated PDF template  
October 10, 2020: Updated Initial Access section
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-10-24T12:00:00", "id": "AA20-239A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:06:39", "description": "
### Summary

As organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services. Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

This Alert is an update to the Cybersecurity and Infrastructure Security Agency's May 2019 Analysis Report, [AR19-133A: Microsoft Office 365 Security Observations](<https://www.us-cert.gov/ncas/analysis-reports/AR19-133A>), and reiterates the recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would-be attackers of O365.

### Technical Details

Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have migrated to cloud-based collaboration solutions like O365. In recent weeks, organizations have been forced to change their collaboration methods to support a full “work from home” workforce.

O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams.
While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.

### Mitigations

The following list contains recommended configurations when deploying O365:

**Enable multi-factor authentication for administrator accounts:** Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,”[[1]](<https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults>) assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

**Assign Administrator roles using Role-based Access Control (RBAC):** Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account limits the assignment of overly permissive privileges to legitimate administrators.[[2]](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>) Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised.[[3]](<https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-create-protect-global-admins?view=o365-worldwide>) Always assign administrators only the minimum permissions they need to conduct their tasks.

**Enable Unified Audit Log (UAL):** O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[[4]](<https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide>) An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL gives administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

**Enable multi-factor authentication for all users:** Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

**Disable legacy protocol authentication when appropriate:** Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface.[[5]](<https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication>)

**Enable alerts for suspicious activity:** Enabling logging of activity within an Azure/O365 environment can greatly increase the owner’s effectiveness in identifying malicious activity occurring within their environment, and enabling alerts will serve to enhance that.
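The alert rules this section recommends are straightforward to express as detection logic over exported audit records once they reach a SIEM, which also covers the legacy-protocol exposure discussed above. Below is an added example, not CISA's or Microsoft's code, that applies three rules to constructed Unified Audit Log style events: a login from a country outside the organization's expected set, a login over one of the legacy protocols (POP3, IMAP, SMTP), and an account exceeding a sent-mail threshold within an hour. The flat record schema and its field names (`Country`, `ClientApp`), the expected-country set, the threshold, and the sample users and addresses are assumptions constructed for the example; real UAL records nest client details under ExtendedProperties and vary by workload.

```python
# Added example (not CISA's or Microsoft's code): SIEM-side alert rules over a
# flattened, constructed approximation of Unified Audit Log events. Field names,
# the expected-country set, and the threshold are assumptions for this example.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}                     # assumption: staff sign in from the US
LEGACY_CLIENT_APPS = {"POP3", "IMAP4", "SMTP"}  # legacy protocols the alert discusses
SEND_THRESHOLD = 20                             # constructed: more than 20 sends per hour alerts
SEND_WINDOW = timedelta(hours=1)


def _event(ts, op, user, ip, country, app):
    """Build one constructed, UAL-like record (simplified schema)."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "ClientIP": ip, "Country": country, "ClientApp": app})


# Constructed sample telemetry; addresses are documentation ranges and "ZZ" is a
# placeholder country code.
SAMPLE_LOG = [
    _event("2020-04-01T08:00:00", "UserLoggedIn", "alice@example.org", "203.0.113.5", "US", "Browser"),
    _event("2020-04-01T08:05:00", "UserLoggedIn", "bob@example.org", "198.51.100.7", "ZZ", "IMAP4"),
    _event("2020-04-01T08:10:00", "Send", "alice@example.org", "203.0.113.5", "US", "Browser"),
] + [_event(f"2020-04-01T09:{m:02d}:00", "Send", "carol@example.org", "203.0.113.9", "US", "Browser")
     for m in range(25)]


def evaluate(lines):
    """Apply the three alert rules to time-ordered JSON records.
    Returns (rule, user, detail) tuples, one per triggered condition."""
    alerts = []
    sends = defaultdict(deque)   # user -> timestamps of sends inside the window
    flagged = set()              # users already reported for the send threshold
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["CreationTime"])
        user = ev["UserId"]
        if ev["Operation"] == "UserLoggedIn":
            if ev["Country"] not in EXPECTED_COUNTRIES:
                alerts.append(("suspicious_location_login", user, ev["Country"]))
            if ev["ClientApp"] in LEGACY_CLIENT_APPS:
                alerts.append(("legacy_protocol_login", user, ev["ClientApp"]))
        elif ev["Operation"] == "Send":
            window = sends[user]
            window.append(ts)
            while ts - window[0] > SEND_WINDOW:  # drop sends older than one hour
                window.popleft()
            if len(window) > SEND_THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append(("send_threshold_exceeded", user, len(window)))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Events are assumed to arrive in time order, which is how an ingestion pipeline normally hands them to a SIEM; the sliding window is kept per user, and a sender is reported once when it crosses the threshold rather than on every later event, so a burst produces a single alert to triage.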
Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity.[[6]](<https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide>) At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.\n\n**Incorporate Microsoft Secure Score:** Microsoft provides a built-in tool that measures an organization\u2019s security posture with respect to its O365 services and offers enhancement recommendations.[[7]](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide>) The recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change. Microsoft Secure Score provides organizations with a centralized dashboard for tracking and prioritizing security and compliance changes within O365.\n\n**Integrate Logs with your existing SIEM tool:** Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions.
This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.[[8]](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti?view=o365-worldwide>)\n\n### Solution Summary\n\nCISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services.[[9]](<https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide>) Specifically, CISA recommends that administrators implement the following mitigations and best practices:\n\n * Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.\n * Protect Global Admins from compromise and use the principle of \u201cLeast Privilege.\u201d\n * Enable unified audit logging in the Security and Compliance Center.\n * Enable Alerting capabilities.\n * Integrate with organizational SIEM solutions.\n * Disable legacy email protocols, if not required, or limit their use to specific users.\n\n### References\n\n[[1] Azure AD Security Defaults](<https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults>)\n\n[[2] Azure AD Administrator roles](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>)\n\n[[3] Protect Global Admins](<https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-create-protect-global-admins?view=o365-worldwide>)\n\n[[4] Unified audit log](<https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide>)\n\n[[5] Block Office 365 Legacy Email Authentication 
Protocols](<https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication>)\n\n[[6] Alert policies in the security and compliance center](<https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide>)\n\n[[7] Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide>)\n\n[[8] SIEM integration with Office 365 Advanced Threat Protection](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti?view=o365-worldwide>)\n\n[[9] Microsoft 365 security best practices](<https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide>)\n\n### Revisions\n\nApril 29, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-04-29T12:00:00", "type": "ics", "title": "Microsoft Office 365 Security Recommendations", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-04-29T12:00:00", "id": "AA20-120A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:07:36", "description": "### Summary\n\n_**Note: **This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u2122) framework. See the MITRE [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) and [ATT&CK for Industrial Control Systems (ICS)](<https://collaborate.mitre.org/attackics/index.php/Main_Page>) frameworks for all referenced threat actor techniques and mitigations._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied.\n\nCISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a _Spearphishing Link_ [[T1192]](<https://attack.mitre.org/versions/v7/techniques/T1192/>) to obtain initial access to the organization\u2019s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to _Encrypt Data for Impact_ [[T1486]](<https://attack.mitre.org/versions/v7/techniques/T1486/>) on both networks. Specific assets experiencing a _Loss of Availability_ [[T826]](<https://collaborate.mitre.org/attackics/index.php/Technique/T826>) on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial _Loss of View_ [[T829]](<https://collaborate.mitre.org/attackics/index.php/Technique/T829>) for human operators. 
The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim\u2019s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown of operations. This lasted approximately two days, resulting in a _Loss of Productivity and Revenue_ [[T828]](<https://collaborate.mitre.org/attackics/index.php/Technique/T828>), after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.\n\n### Technical Details\n\n### Network and Assets\n\n * The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.\n * The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization\u2019s OT network included HMIs, data historians, and polling servers.\n * Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.\n * The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.\n * All OT assets directly impacted by the attack were limited to a single geographic facility.\n\n### Planning and Operations\n\n * At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.\n * The victim\u2019s existing emergency response plan focused on threats to physical safety and not cyber incidents.
Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.\n * Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.\n * Although they considered a range of physical emergency scenarios, the victim\u2019s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.\n * The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.\n\n### Mitigations\n\nAsset owner operators across all sectors are encouraged to consider the following mitigations using a risk-based assessment strategy.\n\n### Planning and Operational Mitigations\n\n * Ensure the organization\u2019s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.\n * Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications. 
Capture lessons learned in emergency response playbooks.\n * Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks.\n * Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised.\n * Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities.\n * Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization\u2019s safety training program.\n * Ensure the organization\u2019s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors.\n\n### Technical and Architectural Mitigations\n\n * Implement and ensure robust _Network Segmentation_ [[M1030]](<https://attack.mitre.org/versions/v7/mitigations/M1030/>) between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.\n * Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to _Filter Network Traffic_ [[M1037]](<https://attack.mitre.org/versions/v7/mitigations/M1037/>) and monitor communications between zones. 
Prohibit Industrial Control System (ICS) protocols from traversing the IT network.\n * Require _Multi-Factor Authentication_ [[M1032]](<https://attack.mitre.org/versions/v7/mitigations/M1032/>) to remotely access the OT and IT networks from external sources.\n * Implement regular _Data Backup_ [[M1053]](<https://attack.mitre.org/versions/v7/mitigations/M1053/>) procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.\n * Ensure user and process accounts are limited through _Account Use Policies_ [[M1036]](<https://attack.mitre.org/versions/v7/mitigations/M1036/>), _User Account Control_ [[M1052]](<https://attack.mitre.org/versions/v7/mitigations/M1052/>), and _Privileged Account Management_ [[M1026]](<https://attack.mitre.org/versions/v7/mitigations/M1026/>). Organize access rights based on the principles of least privilege and separation of duties.\n * Enable strong spam filters to prevent phishing emails from reaching end users. Implement a _User Training_ [[M1017]](<https://attack.mitre.org/versions/v7/mitigations/M1017/>) program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users.\n * _Filter Network Traffic_ [[M1037]](<https://attack.mitre.org/versions/v7/mitigations/M1037/>) to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses. Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blocklists and/or allowlists.\n * _Update Software_ [[M1051]](<https://attack.mitre.org/versions/v7/mitigations/M1051/>), including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
Consider using a centralized patch management system.\n * Set _Antivirus/Antimalware_ [[M1049]](<https://attack.mitre.org/versions/v7/mitigations/M1049/>) programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. \n * Implement _Execution Prevention_ [[M1038]](<https://attack.mitre.org/versions/v7/mitigations/M1038/>) by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.\n * Implement _Execution Prevention_ [[M1038]](<https://attack.mitre.org/versions/v7/mitigations/M1038/>) via application allow listing, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.\n * Limit _Access to Resources over Network_ [[M1035]](<https://attack.mitre.org/versions/v7/mitigations/M1035/>), especially by restricting Remote Desktop Protocol (RDP). 
If after assessing risks RDP is deemed operationally necessary, restrict the originating sources and require _Multi-Factor Authentication_ [[M1032]](<https://attack.mitre.org/versions/v7/mitigations/M1032/>).\n\n### Resources\n\n * [CISA Ransomware One-Pager and Technical Document](<https://www.us-cert.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf>) (CISA, 2019)\n * [CISA Insights: Ransomware Outbreak](<https://www.us-cert.gov/sites/default/files/2019-08/CISA_Insights-Ransomware_Outbreak_S508C.pdf>) (CISA, 2019)\n * [Pipeline Cybersecurity Initiative](<https://www.cisa.gov/pipeline-cybersecurity-initiative>) (CISA, 2018)\n * [CISA Webinar: Combating Ransomware](<https://www.youtube.com/watch?v=D8kC07tu27A>) (CISA, 2018)\n * [Framework for Improving Critical Infrastructure Cybersecurity](<https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf>) (NIST, 2018)\n * [Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events](<https://csrc.nist.gov/publications/detail/white-paper/2018/02/07/data-integrity-identifying-and-protecting-assets-vs-ransomware/final>) (NIST, 2018)\n * [Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events](<https://csrc.nist.gov/publications/detail/white-paper/2018/02/07/data-integrity-detecting-and-responding-to-ransomware/final>) (NIST, 2018)\n * [Pipeline Security Guidelines](<https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf>) (TSA, 2018)\n * [NIST SP 800-11: Data Integrity: Recovering from Ransomware and Other Destructive Events](<https://csrc.nist.gov/publications/detail/sp/1800-11/draft>) (NIST, 2017)\n * [Guide to Industrial Control Systems (ICS) Security](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>) (NIST, 2015)\n * [Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model](<https://www.energy.gov/sites/prod/files/2014/03/f13/ONG-C2M2-v1-1_cor.pdf>) (DOE, 
2014)\n\n### Revisions\n\nFebruary 18, 2020: Initial Version|October 23, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Ransomware Impacting Pipeline Operations", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-10-24T12:00:00", "id": "AA20-049A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-049a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:46:21", "description": "### **SUMMARY**\n\nThe Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.\n\nScattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. 
Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.\n\nThe FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.\n\nDownload the PDF version of this report:\n\nAA23-320A Scattered Spider (PDF, 510.78 KB )\n\n### **TECHNICAL DETAILS**\n\n**Note:** This advisory uses the [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v14/matrices/enterprise/> \"Enterprise Matrix\" ) framework, version 14. See the MITRE ATT&CK\u00ae Tactics and Techniques section for a table of the threat actors\u2019 activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK\u2019s [Best Practices for MITRE ATT&CK Mapping](<https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping> \"Best Practices for MITRE ATT&CK Mapping\" ) and CISA\u2019s [Decider Tool](<https://github.com/cisagov/Decider/> \"cisagov / decider\" ).\n\n#### **Overview**\n\nScattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[[1](<https://attack.mitre.org/versions/v14/groups/G1015/> \"Scattered Spider\" )] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). 
According to public reporting, Scattered Spider threat actors have [[2](<https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html> \"Scattered Spider: The Modus Operandi\" )],[[3](<https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/> \"Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies\" )],[[4](<https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/> \"SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security\" )]:\n\n * Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [[T1598](<https://attack.mitre.org/versions/v14/techniques/T1598/> \"Phishing for Information\" )],[[T1656](<https://attack.mitre.org/versions/v14/techniques/T1656/> \"Impersonation\" )].\n * Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [[T1204](<https://attack.mitre.org/versions/v14/techniques/T1204/> \"User Execution\" )],[[T1219](<https://attack.mitre.org/versions/v14/techniques/T1219/> \"Remote Access Software\" )],[[T1566](<https://attack.mitre.org/versions/v14/techniques/T1566/> \"Phishing\" )].\n * Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.\n * Sent repeated MFA notification prompts leading to employees pressing the \u201cAccept\u201d button (also known as MFA fatigue) [[T1621](<https://attack.mitre.org/versions/v14/techniques/T1621/> \"Multi-Factor Authentication Request Generation\" )].[[5](<https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise> \"Ransomware group steps up, issues statement over 
MGM Resorts compromise\" )]\n * Convinced cellular carriers to transfer control of a targeted user\u2019s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.\n * Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [[T1657](<https://attack.mitre.org/versions/v14/techniques/T1657/> \"Financial Theft\" )].\n\nAfter gaining access to networks, the FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunneling tools. Table 1 lists legitimate tools that Scattered Spider repurposed and used for their criminal activity. **Note:** The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.\n\n_Table 1: Legitimate Tools Used by Scattered Spider_\n\n| **Tool** | **Intended Use** |\n|---|---|\n| Fleetdeck.io | Enables remote monitoring and management of systems. |\n| Level.io | Enables remote monitoring and management of systems. |\n| Mimikatz [[S0002](<https://attack.mitre.org/versions/v14/software/S0002/> \"Mimikatz\" )] | Extracts credentials from a system. |\n| Ngrok [[S0508](<https://attack.mitre.org/versions/v14/software/S0508/> \"ngrok\" )] | Enables remote access to a local web server by tunneling over the internet. |\n| Pulseway | Enables remote monitoring and management of systems. |\n| Screenconnect | Enables remote connections to network devices for management. |\n| Splashtop | Enables remote connections to network devices for management. |\n| Tactical.RMM | Enables remote monitoring and management of systems. |\n| Tailscale | Provides virtual private networks (VPNs) to secure network communications. |\n| Teamviewer | Enables remote connections to network devices for management. |\n\nIn addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.\n\n_Table 2: Malware Used by Scattered Spider_\n\n| **Malware** | **Use** |\n|---|---|\n| AveMaria (also known as WarZone [[S0670](<https://attack.mitre.org/versions/v14/software/S0670/> \"WarzoneRAT\" )]) | Enables remote access to a victim\u2019s systems. |\n| Raccoon Stealer | Steals information including login credentials [[TA0006](<https://attack.mitre.org/versions/v14/tactics/TA0006/> \"Credential Access\" )], browser history [[T1217](<https://attack.mitre.org/versions/v14/techniques/T1217/> \"Browser Information Discovery\" )], cookies [[T1539](<https://attack.mitre.org/versions/v14/techniques/T1539/> \"Steal Web Session Cookie\" )], and other data. |\n| VIDAR Stealer | Steals information including login credentials, browser history, cookies, and other data. |
\n \nScattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.\n\nObservably, Scattered Spider threat actors have exfiltrated data [[TA0010](<https://attack.mitre.org/versions/v14/tactics/TA0010/> \"Exfiltration\" )] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [[T1567.002](<https://attack.mitre.org/versions/v14/techniques/T1567/002/> \"Exfiltration Over Web Service: Exfiltration to Cloud Storage\" )].\n\n#### **Recent Scattered Spider TTPs**\n\n##### _**New TTP - File Encryption**_\n\nMore recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [[T1486](<https://attack.mitre.org/versions/v14/techniques/T1486/> \"Data Encrypted for Impact\" )]. 
After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.\n\n##### _**Reconnaissance, Resource Development, and Initial Access**_\n\nScattered Spider intrusions often begin with broad phishing [[T1566](<https://attack.mitre.org/versions/v14/techniques/T1566/> \"Phishing\" )] and smishing [[T1660](<https://attack.mitre.org/versions/v14/techniques/T1660/> \"Phishing \\(Mobile\\)\" )] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [[T1583.001](<https://attack.mitre.org/versions/v14/techniques/T1583/001/> \"Acquire Infrastructure: Domains\" )].\n\n_Table 3: Domains Used by Scattered Spider Threat Actors_\n\n| **Domains** |\n|---|\n| victimname-sso[.]com |\n| victimname-servicedesk[.]com |\n| victimname-okta[.]com |\n\nIn most instances, Scattered Spider threat actors conduct SIM swapping attacks against users who respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users who succumbed to the phishing/smishing, obtaining answers for those users\u2019 security questions.
After identifying usernames, passwords, PII [[T1589](<https://attack.mitre.org/versions/v14/techniques/T1589/> \"Gather Victim Identity Information\" )], and conducting SIM swaps, the threat actors then use social engineering techniques [[T1656](<https://attack.mitre.org/versions/v14/techniques/T1656/> \"Impersonation\" )] to convince IT help desk personnel to reset passwords and/or MFA tokens [[T1078.002](<https://attack.mitre.org/versions/v14/techniques/T1078/002/> \"Valid Accounts: Domain Accounts\" )],[[T1199](<https://attack.mitre.org/versions/v14/techniques/T1199/> \"Trusted Relationship\" )],[[T1566.004](<https://attack.mitre.org/versions/v14/techniques/T1566/004/> \"Phishing: Spearphishing Voice\" )] to perform account takeovers against the users in single sign-on (SSO) environments.\n\n##### _**Execution, Persistence, and Privilege Escalation**_\n\nScattered Spider threat actors then register their own MFA tokens [[T1556.006](<https://attack.mitre.org/versions/v14/techniques/T1556/006/> \"Modify Authentication Process: Multi-Factor Authentication\" )],[[T1606](<https://attack.mitre.org/versions/v14/techniques/T1606/> \"Forge Web Credentials\" )] after compromising a user\u2019s account to establish persistence [[TA0003](<https://attack.mitre.org/versions/v14/tactics/TA0003/> \"Persistence\" )]. Further, the threat actors add a federated identity provider to the victim\u2019s SSO tenant and activate automatic account linking [[T1484.002](<https://attack.mitre.org/versions/v14/techniques/T1484/002/> \"Domain Policy Modification: Domain Trust Modification\" )]. The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. 
As a result, this activity allows the threat actors to perform privilege escalation [[TA0004](<https://attack.mitre.org/versions/v14/tactics/TA0004/> \"Privilege Escalation\" )] and continue logging in even when passwords are changed [[T1078](<https://attack.mitre.org/versions/v14/techniques/T1078/> \"Valid Accounts\" )]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools\u2019 remote-shell capabilities and execute commands, which elevates their access. They also deploy remote monitoring and management (RMM) tools [[T1219](<https://attack.mitre.org/versions/v14/techniques/T1219/> \"Remote Access Software\" )] to maintain persistence.\n\n##### _**Discovery, Lateral Movement, and Exfiltration**_\n\nOnce persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [[T1213.002](<https://attack.mitre.org/versions/v14/techniques/T1213/002/> \"Data from Information Repositories: Sharepoint\" )], credential storage documentation [[T1552.001](<https://attack.mitre.org/versions/v14/techniques/T1552/001/> \"Unsecured Credentials: Credentials In Files\" )], VMware vCenter infrastructure [[T1018](<https://attack.mitre.org/versions/v14/techniques/T1018/> \"Remote System Discovery\" )], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [[TA0007](<https://attack.mitre.org/versions/v14/tactics/TA0007/> \"Discovery\" )].
The threat actors enumerate the victim\u2019s Active Directory (AD), perform discovery and exfiltration of victim\u2019s code repositories [[T1213.003](<https://attack.mitre.org/versions/v14/techniques/T1213/003/> \"Data from Information Repositories: Code Repositories\" )], code-signing certificates [[T1552.004](<https://attack.mitre.org/versions/v14/techniques/T1552/004/> \"Unsecured Credentials: Private Keys\" )], and source code [[T1083](<https://attack.mitre.org/versions/v14/techniques/T1083/> \"File and Directory Discovery\" )],[[TA0010](<https://attack.mitre.org/versions/v14/tactics/TA0010/> \"Exfiltration\" )]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [[T1538](<https://attack.mitre.org/versions/v14/techniques/T1538/> \"Cloud Service Dashboard\" )] to discover targets for lateral movement [[TA0007](<https://attack.mitre.org/versions/v14/tactics/TA0007/> \"Discovery\" )],[[TA0008](<https://attack.mitre.org/versions/v14/tactics/TA0008/> \"Lateral Movement\" )], then move to both preexisting [[T1021.007](<https://attack.mitre.org/versions/v14/techniques/T1021/007/> \"Remote Services: Cloud Services\" )] and actor-created [[T1578.002](<https://attack.mitre.org/versions/v14/techniques/T1578/002/> \"Modify Cloud Compute Infrastructure: Create Cloud Instance\" )] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [[T1648](<https://attack.mitre.org/versions/v14/techniques/T1648/> \"Serverless Execution\" )] to bring data from multiple data sources into a centralized database [[T1074](<https://attack.mitre.org/versions/v14/techniques/T1074/> \"Data Staged\" )],[[T1530](<https://attack.mitre.org/versions/v14/techniques/T1530/> \"Data from Cloud Storage\" )]. 
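The federation abuse described in this section (T1484.002: a new identity provider added to the SSO tenant with automatic account linking switched on, followed by sign-ins routed through it) leaves a trail in the tenant’s admin audit log. Below is an added example, not code from the advisory or from any SSO vendor, of detection logic over such a log: it pairs identity-provider creation and account-linking changes with the accounts that subsequently signed in through the new provider. The event names, field names, sample log lines and the sanctioned-provider allowlist are all constructed for this example and must be mapped to your SSO provider’s real audit schema.

```python
import json
from datetime import datetime, timedelta

# Constructed allowlist: identity providers the tenant is expected to trust.
# Anything else that appears in the audit trail is treated as unsanctioned.
SANCTIONED_IDPS = {"idp-corp"}

# Constructed sample audit trail (JSON lines). Event and field names are
# invented for this example; map them to your SSO vendor's audit schema.
SAMPLE_AUDIT_LOG = """\
{"ts": "2023-09-11T02:14:05Z", "actor": "jdoe@corp.example", "event": "idp.create", "target": "idp-9f3a", "src_ip": "203.0.113.7"}
{"ts": "2023-09-11T02:15:40Z", "actor": "jdoe@corp.example", "event": "idp.update", "target": "idp-9f3a", "detail": {"account_link": "auto", "match_attribute": "email"}, "src_ip": "203.0.113.7"}
{"ts": "2023-09-11T02:31:02Z", "actor": "svc-backup@corp.example", "event": "user.session.start", "detail": {"idp": "idp-9f3a"}, "src_ip": "203.0.113.7"}
{"ts": "2023-09-11T02:33:19Z", "actor": "admin@corp.example", "event": "user.session.start", "detail": {"idp": "idp-9f3a"}, "src_ip": "203.0.113.7"}
{"ts": "2023-09-11T09:05:00Z", "actor": "alice@corp.example", "event": "user.session.start", "detail": {"idp": "idp-corp"}, "src_ip": "198.51.100.22"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_federation_changes(text, sanctioned=SANCTIONED_IDPS,
                            window=timedelta(hours=24)):
    """Return one finding per unsanctioned identity provider that was created
    or switched to automatic account linking, listing every account that
    signed in through it within `window` of the change."""
    idps = {}  # idp id -> finding under construction

    def state_for(idp, ev):
        return idps.setdefault(idp, {
            "idp": idp, "first_seen": ev["ts"], "changed_by": ev["actor"],
            "src_ip": ev.get("src_ip"), "auto_link": False,
            "match_attribute": None, "accounts": [],
        })

    for ev in parse_events(text):
        detail = ev.get("detail", {})
        if ev["event"] == "idp.create":
            state_for(ev["target"], ev)
        elif ev["event"] == "idp.update" and detail.get("account_link") == "auto":
            st = state_for(ev["target"], ev)
            st["auto_link"] = True
            st["match_attribute"] = detail.get("match_attribute")
        elif ev["event"] == "user.session.start":
            idp = detail.get("idp")
            if idp in idps and ev["ts"] - idps[idp]["first_seen"] <= window:
                idps[idp]["accounts"].append(ev["actor"])

    findings = []
    for idp, st in idps.items():
        if idp in sanctioned:
            continue  # assumption: sanctioned IdPs are covered by change management
        if st["auto_link"] and st["accounts"]:
            st["severity"] = "critical"  # new trust, auto-linking and live sign-ins
        elif st["auto_link"] or st["accounts"]:
            st["severity"] = "high"
        else:
            st["severity"] = "medium"    # unused so far, but still an unexpected trust
        findings.append(st)
    return findings


if __name__ == "__main__":
    for f in find_federation_changes(SAMPLE_AUDIT_LOG):
        print(f["severity"].upper(), f["idp"], "created by", f["changed_by"],
              "from", f["src_ip"], "auto_link=%s on %s" % (f["auto_link"], f["match_attribute"]),
              "sign-ins:", ", ".join(f["accounts"]) or "none")
```

The severity ladder follows the advisory’s own sequence: a new trust alone is worth a review, automatic linking on a matching attribute means any account can be impersonated, and sign-ins through the new provider (here a service account and an admin within minutes of creation) mean the takeover is already in use, which is why those findings should route straight to incident response rather than a ticket queue.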
According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [[T1486](<https://attack.mitre.org/versions/v14/techniques/T1486/> "Data Encrypted for Impact")].

To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails [[T1114](<https://attack.mitre.org/versions/v14/techniques/T1114/> "Email Collection")] or conversations regarding the threat actors’ intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and to proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [[T1136](<https://attack.mitre.org/versions/v14/techniques/T1136/> "Create Account")] and is often upheld with fake social media profiles [[T1585.001](<https://attack.mitre.org/versions/v14/techniques/T1585/001/> "Establish Accounts: Social Media Accounts")] to backstop newly created identities.

### **MITRE ATT&CK TACTICS AND TECHNIQUES**

See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory.

_Table 4: Reconnaissance_

| Technique Title | ID | Use |
|---|---|---|
| Gather Victim Identity Information | [T1589](<https://attack.mitre.org/versions/v14/techniques/T1589/> "Gather Victim Identity Information") | Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations. |
| Phishing for Information | [T1598](<https://attack.mitre.org/versions/v14/techniques/T1598/> "Phishing for Information") | Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network. |

_Table 5: Resource Development_

| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Domains | [T1583.001](<https://attack.mitre.org/versions/v14/techniques/T1583/001/> "Acquire Infrastructure: Domains") | Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations. |
| Establish Accounts: Social Media Accounts | [T1585.001](<https://attack.mitre.org/versions/v14/techniques/T1585/001/> "Establish Accounts: Social Media Accounts") | Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization. |

_Table 6: Initial Access_

| Technique Title | ID | Use |
|---|---|---|
| Phishing | [T1566](<https://attack.mitre.org/versions/v14/techniques/T1566/> "Phishing") | Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools. |
| Phishing (Mobile) | [T1660](<https://attack.mitre.org/versions/v14/techniques/T1660/> "Phishing (Mobile)") | Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim. |
| Phishing: Spearphishing Voice | [T1566.004](<https://attack.mitre.org/versions/v14/techniques/T1566/004/> "Phishing: Spearphishing Voice") | Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens. |
| Trusted Relationship | [T1199](<https://attack.mitre.org/versions/v14/techniques/T1199/> "Trusted Relationship") | Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations. |
| Valid Accounts: Domain Accounts | [T1078.002](<https://attack.mitre.org/versions/v14/techniques/T1078/002/> "Valid Accounts: Domain Accounts") | Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization. |

_Table 7: Execution_

| Technique Title | ID | Use |
|---|---|---|
| Serverless Execution | [T1648](<https://attack.mitre.org/versions/v14/techniques/T1648/> "Serverless Execution") | Scattered Spider threat actors use ETL tools to collect data in cloud environments. |
| User Execution | [T1204](<https://attack.mitre.org/versions/v14/techniques/T1204/> "User Execution") | Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools, thereby enabling access to the victim’s network. |

_Table 8: Persistence_

| Technique Title | ID | Use |
|---|---|---|
| Persistence | [TA0003](<https://attack.mitre.org/versions/v14/tactics/TA0003/> "Persistence") | Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network. |
| Create Account | [T1136](<https://attack.mitre.org/versions/v14/techniques/T1136/> "Create Account") | Scattered Spider threat actors create new user identities in the targeted organization. |
| Modify Authentication Process: Multi-Factor Authentication | [T1556.006](<https://attack.mitre.org/versions/v14/techniques/T1556/006/> "Modify Authentication Process: Multi-Factor Authentication") | Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network. |
| Valid Accounts | [T1078](<https://attack.mitre.org/versions/v14/techniques/T1078/> "Valid Accounts") | Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed. |

_Table 9: Privilege Escalation_

| Technique Title | ID | Use |
|---|---|---|
| Privilege Escalation | [TA0004](<https://attack.mitre.org/versions/v14/tactics/TA0004/> "Privilege Escalation") | Scattered Spider threat actors escalate account privileges when on a targeted organization’s network. |
| Domain Policy Modification: Domain Trust Modification | [T1484.002](<https://attack.mitre.org/versions/v14/techniques/T1484/002/> "Domain Policy Modification: Domain Trust Modification") | Scattered Spider threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking. |

_Table 10: Defense Evasion_

| Technique Title | ID | Use |
|---|---|---|
| Modify Cloud Compute Infrastructure: Create Cloud Instance | [T1578.002](<https://attack.mitre.org/versions/v14/techniques/T1578/002/> "Modify Cloud Compute Infrastructure: Create Cloud Instance") | Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection. |
| Impersonation | [T1656](<https://attack.mitre.org/versions/v14/techniques/T1656/> "Impersonation") | Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victims’ networks. Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens. |

_Table 11: Credential Access_

| Technique Title | ID | Use |
|---|---|---|
| Credential Access | [TA0006](<https://attack.mitre.org/versions/v14/tactics/TA0006/> "Credential Access") | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials. |
| Forge Web Credentials | [T1606](<https://attack.mitre.org/versions/v14/techniques/T1606/> "Forge Web Credentials") | Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network. |
| Multi-Factor Authentication Request Generation | [T1621](<https://attack.mitre.org/versions/v14/techniques/T1621/> "Multi-Factor Authentication Request Generation") | Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network. |
| Unsecured Credentials: Credentials in Files | [T1552.001](<https://attack.mitre.org/versions/v14/techniques/T1552/001/> "Unsecured Credentials: Credentials in Files") | Scattered Spider threat actors search for insecurely stored credentials on victims’ systems. |
| Unsecured Credentials: Private Keys | [T1552.004](<https://attack.mitre.org/versions/v14/techniques/T1552/004/> "Unsecured Credentials: Private Keys") | Scattered Spider threat actors search for insecurely stored private keys on victims’ systems. |
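The Multi-Factor Authentication Request Generation row above (T1621) describes push bombing: repeated MFA prompts sent until the user accepts one. Below is an added example, not code from the advisory, of the detection logic a defender can run over MFA authentication logs to surface that pattern: it counts push prompts per user inside a sliding time window and flags an approval that arrives after a burst of denials or timeouts. The log line format, field names, thresholds and sample lines are all constructed for this example; map them to the export format of your MFA provider.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format, one MFA prompt per line. Real providers export the
# same fields under different names; adjust LINE_RE to match your export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mfa user=(?P<user>\S+) factor=(?P<factor>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: bob receives six push prompts in five minutes and
# approves the last one; carol's two prompts are normal use; dave uses FIDO2.
SAMPLE_MFA_LOG = """\
2023-09-12T03:01:02Z mfa user=bob@corp.example factor=push result=denied src=203.0.113.9
2023-09-12T03:01:40Z mfa user=bob@corp.example factor=push result=timeout src=203.0.113.9
2023-09-12T03:02:15Z mfa user=bob@corp.example factor=push result=denied src=203.0.113.9
2023-09-12T03:03:05Z mfa user=bob@corp.example factor=push result=timeout src=203.0.113.9
2023-09-12T03:04:30Z mfa user=bob@corp.example factor=push result=denied src=203.0.113.9
2023-09-12T03:06:11Z mfa user=bob@corp.example factor=push result=approved src=203.0.113.9
2023-09-12T08:15:00Z mfa user=carol@corp.example factor=push result=approved src=198.51.100.5
2023-09-12T08:20:00Z mfa user=carol@corp.example factor=push result=denied src=198.51.100.5
2023-09-12T12:00:00Z mfa user=dave@corp.example factor=fido2 result=approved src=198.51.100.8
"""


def parse_mfa_log(text):
    """Parse log lines into events sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(text, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per user who received at least `threshold` push
    prompts within `window`.  An approval inside that same window is recorded
    as the strongest indicator that the user eventually gave in."""
    recent = defaultdict(deque)  # user -> push prompts still inside the window
    findings = {}
    for ev in parse_mfa_log(text):
        if ev["factor"] != "push":
            continue  # phishing-resistant factors (FIDO2, PKI) cannot be push-bombed
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop prompts that fell out of the sliding window
        burst = len(q) >= threshold
        fnd = findings.get(ev["user"])
        if fnd is None and burst:
            fnd = findings[ev["user"]] = {
                "user": ev["user"], "burst_start": q[0]["ts"], "prompts": 0,
                "approved_after_burst": False, "approved_at": None, "sources": set(),
            }
        if fnd is None:
            continue
        fnd["prompts"] = max(fnd["prompts"], len(q))
        fnd["sources"].add(ev["src"])
        if burst and ev["result"] == "approved":
            fnd["approved_after_burst"] = True
            fnd["approved_at"] = ev["ts"]

    for fnd in findings.values():
        fnd["sources"] = sorted(fnd["sources"])
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_push_bombing(SAMPLE_MFA_LOG):
        print(f["user"], "%d prompts from %s" % (f["prompts"], f["burst_start"]),
              "from", ", ".join(f["sources"]),
              "APPROVED at %s" % f["approved_at"] if f["approved_after_burst"] else "not approved")
```

Tune `threshold` and `window` to your own baseline of legitimate retries. A finding with `approved_after_burst` set should be treated as a probable account takeover (session revocation and credential reset), while a burst without approval still identifies whose password the actor already holds. Non-push factors are skipped because they cannot be push-bombed, which is the same reason the Mitigations section recommends FIDO/WebAuthn or PKI-based MFA.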
_Table 12: Discovery_

| Technique Title | ID | Use |
|---|---|---|
| Discovery | [TA0007](<https://attack.mitre.org/versions/v14/tactics/TA0007/> "Discovery") | Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter infrastructure, and backups, and enumerate AD to identify useful information to support further operations. |
| Browser Information Discovery | [T1217](<https://attack.mitre.org/versions/v14/techniques/T1217/> "Browser Information Discovery") | Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories. |
| Cloud Service Dashboard | [T1538](<https://attack.mitre.org/versions/v14/techniques/T1538/> "Cloud Service Dashboard") | Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement. |
| File and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v14/techniques/T1083/> "File and Directory Discovery") | Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation. |
| Remote System Discovery | [T1018](<https://attack.mitre.org/versions/v14/techniques/T1018/> "Remote System Discovery") | Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit. |
| Steal Web Session Cookie | [T1539](<https://attack.mitre.org/versions/v14/techniques/T1539/> "Steal Web Session Cookie") | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies. |

_Table 13: Lateral Movement_

| Technique Title | ID | Use |
|---|---|---|
| Lateral Movement | [TA0008](<https://attack.mitre.org/versions/v14/tactics/TA0008/> "Lateral Movement") | Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence. |
| Remote Services: Cloud Services | [T1021.007](<https://attack.mitre.org/versions/v14/techniques/T1021/007/> "Remote Services: Cloud Services") | Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection. |

_Table 14: Collection_

| Technique Title | ID | Use |
|---|---|---|
| Data from Information Repositories: Code Repositories | [T1213.003](<https://attack.mitre.org/versions/v14/techniques/T1213/003/> "Data from Information Repositories: Code Repositories") | Scattered Spider threat actors search code repositories for data collection and exfiltration. |
| Data from Information Repositories: Sharepoint | [T1213.002](<https://attack.mitre.org/versions/v14/techniques/T1213/002/> "Data from Information Repositories: Sharepoint") | Scattered Spider threat actors search SharePoint repositories for information. |
| Data Staged | [T1074](<https://attack.mitre.org/versions/v14/techniques/T1074/> "Data Staged") | Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration. |
| Email Collection | [T1114](<https://attack.mitre.org/versions/v14/techniques/T1114/> "Email Collection") | Scattered Spider threat actors search victims’ emails to determine if the victim has detected the intrusion and initiated any security response. |
| Data from Cloud Storage | [T1530](<https://attack.mitre.org/versions/v14/techniques/T1530/> "Data from Cloud Storage") | Scattered Spider threat actors search data in cloud storage for collection and exfiltration. |

_Table 15: Command and Control_

| Technique Title | ID | Use |
|---|---|---|
| Remote Access Software | [T1219](<https://attack.mitre.org/versions/v14/techniques/T1219/> "Remote Access Software") | Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools, thereby enabling access to and command and control of the victim’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network. |

_Table 16: Exfiltration_

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | [TA0010](<https://attack.mitre.org/versions/v14/tactics/TA0010/> "Exfiltration") | Scattered Spider threat actors exfiltrate data from a target network for data extortion. |

_Table 17: Impact_

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v14/techniques/T1486/> "Data Encrypted for Impact") | Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors have been observed encrypting VMware ESXi servers. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | [T1567.002](<https://attack.mitre.org/versions/v14/techniques/T1567/002/> "Exfiltration Over Web Service: Exfiltration to Cloud Storage") | Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and MEGA[.]NZ. |
| Financial Theft | [T1657](<https://attack.mitre.org/versions/v14/techniques/T1657/> "Financial Theft") | Scattered Spider threat actors monetized access to victim networks in numerous ways including extortion-enabled ransomware and data theft. |

### **MITIGATIONS**

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of ransomware techniques and thus strengthening the security posture of their customers.

For more information on secure by design, see CISA’s [Secure by Design and Default](<https://www.cisa.gov/securebydesign> "Secure by Design") webpage and [joint guide](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software").

The FBI and CISA recommend organizations implement the mitigations below to improve their cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.
Visit CISA’s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cpg> "Cross-Sector Cybersecurity Performance Goals") for more information on the CPGs, including additional recommended baseline protections.

 * **Implement application controls** to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
 * **Reduce the threat of malicious actors using remote access tools** by:
   * **Auditing remote access tools** on your network to identify currently used and/or authorized software.
   * **Reviewing logs for execution of remote access software** to detect abnormal use of programs running as a portable executable [CPG 2.T].
   * **Using security software** to detect instances of remote access software being loaded only in memory.
   * **Requiring authorized remote access solutions** to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
   * **Blocking both inbound and outbound connections** on common remote access software ports and protocols at the network perimeter.
   * **Applying recommendations** in the Guide to Securing Remote Access Software.
 * **Implement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA**. These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information.
 * **Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services**. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
   * Audit the network for systems using RDP.
   * Close unused RDP ports.
   * Enforce account lockouts after a specified number of attempts.
   * Apply phishing-resistant multifactor authentication (MFA).
   * Log RDP login attempts.

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

 * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
 * **Maintain offline backups of data** and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
 * **Require all accounts** with password logins (e.g., service accounts, admin accounts, and domain admin accounts) **to comply** with [NIST's standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies.
   * Implement password policies in compliance with NIST’s standards.
   * Use “strong” passwords that are unique and random, as well as contain at least sixteen characters and no more than 64 characters in length [[CPG 2.B](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].
   * Consider implementing industry-recognized password managers that align with organizational technology procurement policies.
   * Avoid reusing passwords [[CPG 2.C](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].
   * Implement multiple failed login attempt account lockouts [[CPG 2.G](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].
   * Disable password “hints.”
   * Refrain from requiring recurring password changes. **Note:** NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
 * **Require administrator credentials to install software.**
 * **Require phishing-resistant multifactor authentication (MFA)** for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
 * **Keep all operating systems, software, and firmware up to date.** Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> "Known Exploited Vulnerabilities Catalog") in internet-facing systems [CPG 1.E].
 * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
 * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.** To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
 * **Install, regularly update, and enable real-time detection for antivirus software** on all hosts.
 * **Disable unused ports and protocols** [CPG 2.V].
 * **Consider adding an email banner to emails** received from outside your organization [CPG 2.M].
 * **Disable hyperlinks** in received emails.
 * **Ensure all backup data is encrypted, immutable** (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [[CPG 2.K, 2.L, 2.R](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].

### **VALIDATE SECURITY CONTROLS**

In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

 1. Select an ATT&CK technique described in this advisory (see Tables 4-17).
 2. Align your security technologies against the technique.
 3. Test your technologies against the technique.
 4. Analyze your detection and prevention technologies’ performance.
 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
 6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

### **REPORTING**

The FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a [local FBI Field Office](<http://www.fbi.gov/contact-us/field-offices> "Field Offices"), report the incident to the FBI Internet Crime Complaint Center (IC3) at [IC3.gov](<https://www.ic3.gov/> "Internet Crime Complaint Center (IC3)"), or CISA via CISA’s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov> "Report to CISA") or 888-282-0870).

### **REFERENCES**

[1] [MITRE ATT&CK – Scattered Spider](<https://attack.mitre.org/versions/v14/groups/G1015/> "Scattered Spider")
[2] [Trellix – Scattered Spider: The Modus Operandi](<https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html> "Scattered Spider: The Modus Operandi")
[3] [CrowdStrike – Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](<https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/> "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies")
[4] [CrowdStrike – SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security](<https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/> "SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security")
[5] [Malwarebytes – Ransomware group steps up, issues statement over MGM Resorts compromise](<https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise> "Ransomware group steps up, issues statement over MGM Resorts compromise")

### **DISCLAIMER**

The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

### **VERSION HISTORY**

November 16, 2023: Initial version.
November 21, 2023: Updated password recommendation language on page 12.

Source: Joint Cybersecurity Advisory AA23-320A (Scattered Spider), published November 16, 2023, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a>

### Summary

**Actions to take today to mitigate cyber threats from ransomware:**

 * Install updates for operating systems, software, and firmware as soon as they are released.
 * Require phishing-resistant MFA for as many services as possible.
 * Train users to recognize and report phishing attempts.

_**Note:** This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These [#StopRansomware](<https://cisa.gov/stopransomware/stopransomware>) advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit [stopransomware.gov](<https://cisa.gov/stopransomware> "stopransomware.gov") to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

Download the PDF version of this report: StopRansomware Daixin Team (PDF, 560.58 KB)

Download the IOCs: AA22-294A STIX (XML, 23.22 KB)

### Technical Details

_Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11.
See [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) for all referenced tactics and techniques._\n\nCybercrime actors routinely target HPH Sector organizations with ransomware:\n\n * As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.\n * According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.\n\nThe Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:\n\n * Deployed ransomware to encrypt servers responsible for healthcare services\u2014including electronic health records services, diagnostics services, imaging services, and intranet services, and/or\n * Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.\n\nDaixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization\u2019s VPN server [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [[T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>)] that did not have multifactor authentication (MFA) enabled. 
The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [[T1598.002](<https://attack.mitre.org/versions/v11/techniques/T1598/002/>)].\n\nAfter obtaining access to the victim\u2019s VPN server, Daixin actors move laterally via Secure Shell (SSH) [[T1563.001](<https://attack.mitre.org/versions/v11/techniques/T1563/001>)] and Remote Desktop Protocol (RDP) [[T1563.002](<https://attack.mitre.org/versions/v11/techniques/T1563/002>)]. Daixin actors have sought to gain privileged account access through credential dumping [[T1003](<https://attack.mitre.org/versions/v11/techniques/T1003/>)] and pass the hash [[T1550.002](<https://attack.mitre.org/versions/v11/techniques/T1550/002/>)]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [[T1098](<https://attack.mitre.org/versions/v11/techniques/T1098/>)] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [[T1486](<https://attack.mitre.org/versions/v11/techniques/T1486/>)] on those servers. \n\nAccording to third-party reporting, the Daixin Team\u2019s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in `/vmfs/volumes/` with the following extensions: `.vmdk`, `.vmem`, `.vswp`, `.vmsd`, `.vmx`, and `.vmsn`. A ransom note is also written to `/vmfs/volumes/`. See Figure 1 for the targeted file system path and Figure 2 for the list of targeted file extensions. Figures 3 and 4 include examples of ransom notes. 
Note that in the Figure 3 ransom note, Daixin actors misspell \u201cDaixin\u201d as \u201cDaxin.\u201d\n\n_Figure 1: Daixin Team \u2013 Ransomware Targeted File Path_\n\n_Figure 2: Daixin Team \u2013 Ransomware Targeted File Extensions_\n\n_Figure 3: Example 1 of Daixin Team Ransomware Note_\n\n_Figure 4: Example 2 of Daixin Team Ransomware Note_\n\nIn addition to deploying ransomware, Daixin actors have exfiltrated data [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)] from victim systems. In one confirmed compromise, the actors used Rclone\u2014an open-source program to manage files on cloud storage\u2014to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used [Ngrok](<https://attack.mitre.org/versions/v11/software/S0508/>)\u2014a reverse proxy tool for proxying an internal service out onto an Ngrok domain\u2014for data exfiltration [[T1567](<https://attack.mitre.org/versions/v11/techniques/T1567/>)].\n\n### MITRE ATT&CK TACTICS AND TECHNIQUES\n\nSee Table 1 for all referenced threat actor tactics and techniques included in this advisory.\n\n_Table 1: Daixin Actors\u2019 ATT&CK Techniques for Enterprise_\n\n**Reconnaissance**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Phishing for Information: Spearphishing Attachment | [T1598.002](<https://attack.mitre.org/versions/v11/techniques/T1598/002/>) | Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment. |\n\n**Initial Access**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Exploit Public-Facing Application | [T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>) | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network. |\n| Valid Accounts | [T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>) | Daixin actors use previously compromised credentials to access servers on the target network. |\n\n**Persistence**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Account Manipulation | [T1098](<https://attack.mitre.org/versions/v11/techniques/T1098/>) | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment. |\n\n**Credential Access**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| OS Credential Dumping | [T1003](<https://attack.mitre.org/versions/v11/techniques/T1003/>) | Daixin actors have sought to gain privileged account access through credential dumping. |\n\n**Lateral Movement**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Remote Service Session Hijacking: SSH Hijacking | [T1563.001](<https://attack.mitre.org/versions/v11/techniques/T1563/001>) | Daixin actors use SSH and RDP to move laterally across a network. |\n| Remote Service Session Hijacking: RDP Hijacking | [T1563.002](<https://attack.mitre.org/versions/v11/techniques/T1563/002>) | Daixin actors use RDP to move laterally across a network. |\n| Use Alternate Authentication Material: Pass the Hash | [T1550.002](<https://attack.mitre.org/versions/v11/techniques/T1550/002/>) | Daixin actors have sought to gain privileged account access through pass the hash. |\n\n**Exfiltration**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Exfiltration Over Web Service | [T1567](<https://attack.mitre.org/versions/v11/techniques/T1567/>) | Daixin Team members have used [Ngrok](<https://attack.mitre.org/versions/v11/software/S0508/>) for data exfiltration over web servers. |\n\n**Impact**\n\n| Technique Title | ID | Use |\n|---|---|---|\n| Data Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v11/techniques/T1486/>) | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. |\n\n### INDICATORS OF COMPROMISE\n\nSee Table 2 for IOCs obtained from third-party reporting.\n\n_Table 2: Daixin Team IOCs \u2013 Rclone Associated SHA256 Hashes_\n\n| File | SHA256 |\n|---|---|\n| rclone-v1.59.2-windows-amd64\\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238 |\n| rclone-v1.59.2-windows-amd64\\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD |\n| rclone-v1.59.2-windows-amd64\\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939 |\n| rclone-v1.59.2-windows-amd64\\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF |\n| rclone-v1.59.2-windows-amd64\\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28 |\n\n### Mitigations\n\nFBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:\n\n * Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). Consider leveraging a centralized patch management system to automate and expedite the process.\n * Require phishing-resistant MFA for as many services as possible\u2014particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.\n * If you use Remote Desktop Protocol (RDP), secure and monitor it. 
\n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n * Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for business purposes (e.g., RDP Transmission Control Protocol Port 3389).\n * Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure them with strong passwords and encryption when enabled.\n * Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.\n * Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packets are not manipulated while in transit by man-in-the-middle attacks.\n * Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.\n * Secure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). 
Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.\n * Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored\u2014through cryptography, for example.\n * Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.\n * Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.\n * Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.\n * In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\n\n### Preparing for Ransomware\n\n * Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization\u2019s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses. \n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure.\n * Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident. \n * Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws. 
\n * Refer to applicable state data breach laws and consult legal counsel when necessary.\n * For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and\u2014in some cases\u2014the media. Refer to the FTC\u2019s [Health Breach Notification](<https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule>) Rule and U.S. Department of Health and Human Services\u2019 [Breach Notification Rule](<https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html>) for more information.\n * See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet, [Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches](<https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf>), for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.\n\n### Mitigating and Preventing Ransomware\n\n * Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.\n * Review the security posture of third-party vendors and those interconnected with your organization. 
Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs.\n * Open document readers in protected viewing modes to help prevent active content from running.\n * Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.\n * Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip [Choosing and Protecting Passwords](<https://www.cisa.gov/tips/st04-002>) and the National Institute of Standards and Technology\u2019s (NIST\u2019s) [Special Publication 800-63B: Digital Identity Guidelines](<https://csrc.nist.gov/publications/detail/sp/800-63b/final>) for more information.\n * Require administrator credentials to install software.\n * Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and antimalware software on all hosts.\n * Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.\n * Consider adding an email banner to messages coming from outside your organization.\n * Disable hyperlinks in received emails.\n\n### Responding to Ransomware Incidents\n\nIf a ransomware incident occurs at your organization:\n\n * Follow your organization\u2019s Ransomware Response Checklist (see Preparing for Ransomware section).\n * Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. 
This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.\n * Follow the notification requirements as outlined in your cyber incident response plan.\n * Report incidents to the FBI at a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), CISA at [cisa.gov/report](<https://www.cisa.gov/report>), or the U.S. Secret Service (USSS) at a [USSS Field Office](<http://www.secretservice.gov/contact/field-offices/>).\n * Apply incident response best practices found in the joint Cybersecurity Advisory, [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>), developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.\n\n**Note:** FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\n\n### REFERENCES\n\n * [Stopransomware.gov](<https://www.stopransomware.gov/>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>).\n * No-cost cyber hygiene services: [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/releases/tag/v10.3.0.0>).\n * Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at [hhs.gov/HC3](<https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html> \"hhs.gov/HC3\" ).\n * 
For additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care Industry Security Approaches at [405d.hhs.gov](<http://405d.hhs.gov/>)\n\n### REPORTING\n\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), or CISA at [cisa.gov/report](<https://www.cisa.gov/report>).\n\n### ACKNOWLEDGEMENTS\n\nFBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.\n\n### Revisions\n\nInitial Publication: October 21, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2022-10-26T12:00:00", "type": "ics", "title": "#StopRansomware: Daixin Team", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2022-10-26T12:00:00", "id": "AA22-294A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:55:15", "description": "### Summary\n\nTactical actions for MSPs and their customers to take today: \n\u2022 Identify and disable accounts that are no longer in use. \n\u2022 Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication. 
\n\u2022 Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.\n\nThe cybersecurity authorities of the United Kingdom ([NCSC-UK](<https://www.ncsc.gov.uk/>)), Australia ([ACSC](<https://www.cyber.gov.au/>)), Canada ([CCCS](<https://www.cyber.gc.ca/en/>)), New Zealand ([NCSC-NZ](<http://www.ncsc.govt.nz/>)), and the United States ([CISA](<https://www.cisa.gov/>)), ([NSA](<https://www.nsa.gov/Cybersecurity/>)), ([FBI](<https://www.fbi.gov/investigate/cyber>)) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[[1](<https://www.n-able.com/resources/state-of-the-market-the-new-threat-landscape>)] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. 
MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.\n\nThe guidance provided in this advisory is specifically tailored for both MSPs and their customers and is the result of a collaborative effort from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States' Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the [Joint Cyber Defense Collaborative (JCDC)](<https://www.cisa.gov/jcdc>). Organizations should read this advisory in conjunction with NCSC-UK guidance [on actions to take when the cyber threat is heightened](<https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened>), CCCS guidance on [Cyber Security Considerations for Consumers of Managed Services](<https://cyber.gc.ca/sites/default/files/publications/itsm50030-e.pdf>), and CISA guidance provided on the [Shields Up](<https://www.cisa.gov/shields-up>) and [Shields Up Technical Guidance](<https://www.cisa.gov/uscert/shields-technical-guidance>) webpages.\n\n#### **Managed Service Providers**\n\nThis advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. 
MSPs typically manage these services and functions in their customer's network environment\u2014either on the customer's premises or hosted in the MSP's data center. **Note:** this advisory does not address guidance on [cloud](<https://www.cisa.gov/5g-library>) service providers (CSPs)\u2014providers who handle the ICT needs of their customers via cloud services such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service; however, MSPs may offer these services as well. (See Appendix for additional definitions.)\n\nMSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations\u2014ranging from large critical infrastructure organizations to small- and mid-sized businesses\u2014use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. \n\n#### **Threat Actors Targeting MSP Access to Customer Networks**\n\nWhether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors\u2014including state-sponsored advanced persistent threat (APT) groups\u2014to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity\u2014such as ransomware and cyber espionage\u2014against the MSP as well as across the MSP's customer base.\n\nThe UK, Australian, Canadian, New Zealand, and U.S. 
cybersecurity authorities have previously issued general guidance for MSPs and their customers.[[2](<https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers>)],[[3](<https://cisa.gov/sites/default/files/publications/CISA Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)],[[4](<https://www.cisa.gov/uscert/kaseya-ransomware-attack>)],[[5](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>)],[[6](<https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/msp-investigation-report>)],[[7](<https://www.cyber.gov.au/acsc/view-all-content/publications/how-manage-your-security-when-engaging-managed-service-provider>)],[[8](<https://www.ncsc.govt.nz/guidance/in-safe-hands/>)] This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community. \n\nDownload the Joint Cybersecurity Advisory: Protecting Against Cyber Threats to Managed Service Providers and their Customers (pdf, 697kb).\n\n### Recommendations\n\n#### **MSPs and their Customers**\n\nThe UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend MSPs and their customers implement the baseline security measures and operational controls listed in this section. Additionally, customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.\n\n#### **_Prevent initial compromise._**\n\nIn their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. 
MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed below:\n\n * Improve security of vulnerable devices.\n   * [Selecting and Hardening Remote Access VPN Solutions](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/>) (CISA, NSA)\n   * [Vulnerability Scanning Tools and Services](<https://www.ncsc.gov.uk/guidance/vulnerability-scanning-tools-and-services>) (NCSC-UK)\n * Protect internet-facing services.\n   * [Protecting internet-facing services on public service Critical National Infrastructure (CNI)](<https://www.ncsc.gov.uk/blog-post/protecting-internet-facing-services-public-service-cni>) (NCSC-UK)\n   * [Strategies for protecting web application systems against credential stuffing attacks](<https://cyber.gc.ca/en/guidance/strategies-protecting-web-application-systems-against-credential-stuffing-attacks>) (CCCS)\n * Defend against brute force and password spraying.\n   * [Microsoft update on brute force and password spraying activity](<https://www.ncsc.gov.uk/news/microsoft-update-brute-force-password-spraying>) (NCSC-UK)\n   * [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2677750/nsa-partners-release-cybersecurity-advisory-on-brute-force-global-cyber-campaign/>) (NSA, CISA, FBI, NCSC-UK)\n * Defend against phishing.\n   * [Phishing attacks: defending your organisation](<https://www.ncsc.gov.uk/guidance/phishing>) (NCSC-UK)\n   * [Spotting malicious email messages](<https://cyber.gc.ca/en/guidance/spotting-malicious-email-messages-itsap00100>) (CCCS)\n\n#### **_Enable/improve monitoring and logging processes._**\n\nIt can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and U.S. 
cybersecurity authorities recommend all organizations store their most important logs for at least six months. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks. Organizations can refer to the following NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it: [What exactly should we be logging?](<https://www.ncsc.gov.uk/blog-post/what-exactly-should-we-be-logging>) Additionally, all organizations\u2014whether through contractual arrangements with an MSP or on their own\u2014should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting. \n\n * **MSPs** should log the delivery infrastructure activities used to provide services to the customer. MSPs should also log both internal and customer network activity, as appropriate and contractually agreed upon. \n * **Customers** should enable effective monitoring and logging of their systems. If customers choose to engage an MSP to perform monitoring and logging, they should ensure that their contractual arrangements require their MSP to:\n   * Implement comprehensive security event management that enables appropriate monitoring and logging of provider-managed customer systems;\n   * Provide visibility\u2014as specified in the contractual arrangement\u2014to customers of logging activities, including provider's presence, activities, and connections to the customer networks (**Note:** customers should ensure that MSP accounts are properly monitored and audited.); and\n   * Notify customers of confirmed or suspected security events and incidents occurring on the provider\u2019s infrastructure and administrative networks, and send these to a security operations center (SOC) for analysis and triage.\n\n#### **_Enforce multifactor authentication (MFA).
Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.[[9](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>)],[[10](<https://www.ncsc.gov.uk/collection/zero-trust-architecture/authenticate-and-authorise#section_2>)] **Note:** Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.[[11](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>)]

 * **MSPs** should recommend the adoption of MFA across all customer services and products. **Note:** MSPs should also implement MFA on all accounts that have access to customer environments and should treat those accounts as privileged.
 * **Customers** should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.

#### **_Manage internal architecture risks and segregate internal networks._**

Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.[[12](<https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns>)],[[13](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement>)]

 * **MSPs** should review and verify all connections between internal systems, customer systems, and other networks. Segregate customer data sets (and services, where applicable) from each other—as well as from internal company networks—to limit the impact of a single vector of attack. Do not reuse admin credentials across multiple customers.
 * **Customers** should review and verify all connections between internal systems, MSP systems, and other networks. Ensure management of identity providers and trusts between the different environments. Use a dedicated virtual private network (VPN) or alternative secure access method to connect to MSP infrastructure, and limit all network traffic to and from the MSP to that dedicated secure connection. Verify that the networks used for trust relationships with MSPs are suitably segregated from the rest of their networks. Ensure contractual agreements specify that MSPs will not reuse admin credentials across multiple customers.

#### **_Apply the principle of least privilege._**

Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges. Only use accounts with full privileges across an enterprise when strictly necessary, and consider the use of time-based privileges to further restrict their use. Identify high-risk devices, services, and users to minimize their access.[[14](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement#:~:text=The%20principle%20of%20'least%20privilege,rather%20than%20all%20of%20them>)]

 * **MSPs** should apply this principle to both internal and customer environments, avoiding default administrative privileges.
 * **Customers** should ensure that their MSP applies this principle to both provider and customer network environments. **Note:** customers with contractual arrangements that provide them with administration of MSP accounts within their environment should ensure that the MSP accounts only have access to the services/resources being managed by the MSP.

#### **_Deprecate obsolete accounts and infrastructure._**
Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.[[15](<https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/obsolete-products>)] (**Note:** although sharing accounts is not recommended, should an organization require this, passwords to shared accounts should be reset when personnel transition.) Organizations should also audit their network infrastructure—paying particular attention to systems on the MSP-customer boundary—to identify and disable unused systems and services. Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.

 * **Customers** should be sure to disable MSP accounts that are no longer managing infrastructure. **Note:** disabling MSP accounts can be overlooked when a contract terminates.

#### **_Apply updates._**

Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities.
**Note:** organizations should prioritize patching vulnerabilities included in [CISA’s catalogue of known exploited vulnerabilities (KEV)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.[[16](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)],[[17](<https://www.ncsc.gov.uk/blog-post/the-problems-with-patching>)],[[18](<https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/patching>)],[[19](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)]

 * **MSPs** should implement updates on internal networks as quickly as possible.
 * **Customers** should ensure that they understand their MSP's policy on software updates and request that comprehensive and timely updates are delivered as an ongoing service.

#### **_Back up systems and data._**

Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt (**Note:** organizations should base the frequency of backups on their recovery point objective.[[20](<https://csrc.nist.gov/publications/detail/white-paper/2020/04/24/protecting-data-from-ransomware-and-other-data-loss-events/final>)]) Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state should they be encrypted with ransomware.
**Note:** best practices include storing backups separately, such as on external media.[[21](<https://www.cisa.gov/stopransomware>)],[[22](<https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world>)],[[23](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)]

 * **MSPs** should regularly back up internal data as well as customer data (where contractually appropriate) and maintain offline backups encrypted with separate, offline encryption keys. Providers should encourage customers to create secure, offsite backups and exercise recovery capabilities.
 * **Customers** should ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements. Specifically, customers should require their MSP to implement a backup solution that automatically and continuously backs up critical data and system configurations and stores backups in an easily retrievable location, e.g., a cloud-based solution or a location that is air-gapped from the organizational network.

#### **_Develop and exercise incident response and recovery plans._**

Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).[[24](<https://www.ncsc.gov.uk/guidance/effective-steps-to-cyber-exercise-creation>)]

 * **MSPs** should develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
 * **Customers** should ensure that their contractual arrangements include incident response and recovery plans that meet their resilience and disaster recovery requirements.
Customers should ensure these plans are tested at regular intervals.

#### **_Understand and proactively manage supply chain risk._**

All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.[[25](<https://www.ncsc.gov.uk/collection/supply-chain-security>)],[[26](<https://www.cisa.gov/ict-supply-chain-library>)]

 * **MSPs** should understand their own supply chain risk and manage the cascading risks it poses to customers.
 * **Customers** should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors. Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses. Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.[[27](<https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf>)]

#### **_Promote transparency._**

Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities.

 * **MSPs**, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
 * **Customers** should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract.
**Note:** contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment.

#### **_Manage account authentication and authorization._**

All organizations should adhere to best practices for password and permission management.[[28](<https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy>)],[[29](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement#:~:text=The%20principle%20of%20'least%20privilege,rather%20than%20all%20of%20them>)],[[30](<https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf>)] Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised. **Note:** network defenders can proactively search for such "intrusion canaries" by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts. (See the ACSC publication [Windows Event Logging and Forwarding](<https://www.cyber.gov.au/acsc/view-all-content/publications/windows-event-logging-and-forwarding>) as well as Microsoft's documentation, [4625(F): An account failed to log on](<https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625>), for additional guidance.)

 * **MSPs** should verify that the customer restricts MSP account access to systems managed by the MSP.
 * **Customers** should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege.
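As an added example that is not part of the advisory, the following Python script applies the "intrusion canary" check described above to constructed Windows logon telemetry: it pairs each account's password reset with the failed logons (Event ID 4625) that follow it and reports the source addresses. The JSON-lines layout, the field names, the 24-hour window and the use of Event ID 4724 (an account password reset) as the change marker are assumptions of this example, not details from the advisory.

```python
"""Intrusion canary check: failed logons that follow a password reset.

Added example, not part of the advisory. After sensitive account passwords
are changed (and users told out of band), a burst of failed logons for those
accounts from an unexpected source suggests the old password was in someone
else's hands. Assumptions (not from the advisory): logs are one JSON object
per line with "time", "event_id", "account" and "source_ip"; Event ID 4724
(password reset) marks the change, Event ID 4625 marks a failed logon.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET = 4724   # "An attempt was made to reset an account's password"
FAILED_LOGON = 4625     # "An account failed to log on"

# Constructed sample log lines (not real telemetry). Note the out-of-order
# entry for jdoe dated the day before the reset: it must not be counted.
SAMPLE_LOG = """
{"time": "2022-05-11T08:00:00", "event_id": 4724, "account": "svc-backup", "source_ip": "10.0.0.5"}
{"time": "2022-05-11T08:05:12", "event_id": 4625, "account": "svc-backup", "source_ip": "203.0.113.7"}
{"time": "2022-05-11T08:05:40", "event_id": 4625, "account": "svc-backup", "source_ip": "203.0.113.7"}
{"time": "2022-05-11T09:30:00", "event_id": 4625, "account": "svc-backup", "source_ip": "203.0.113.7"}
{"time": "2022-05-11T08:10:00", "event_id": 4724, "account": "jdoe", "source_ip": "10.0.0.5"}
{"time": "2022-05-11T08:12:00", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.23"}
{"time": "2022-05-10T07:00:00", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.23"}
{"time": "2022-05-11T08:00:00", "event_id": 4625, "account": "msp-admin", "source_ip": "198.51.100.9"}
"""


def parse_log(text):
    """Parse JSON-lines log text into event dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_canaries(events, window=timedelta(hours=24), min_failures=2):
    """Return {account: report} for accounts whose password was reset and
    that then saw at least `min_failures` failed logons within `window`.

    Accounts with no reset event are ignored: their failures are ordinary
    brute-force or mistyping noise, not a canary."""
    resets = defaultdict(list)
    for ev in events:
        if ev["event_id"] == PASSWORD_RESET:
            resets[ev["account"]].append(ev["time"])

    hits = defaultdict(lambda: {"failures": 0, "sources": set(), "reset_at": None})
    for ev in events:
        if ev["event_id"] != FAILED_LOGON or ev["account"] not in resets:
            continue
        # Count the failure only if it falls after a reset and inside the window.
        for t0 in resets[ev["account"]]:
            if t0 <= ev["time"] <= t0 + window:
                rep = hits[ev["account"]]
                rep["failures"] += 1
                rep["sources"].add(ev["source_ip"])
                rep["reset_at"] = t0
                break

    return {
        acct: {"failures": r["failures"], "sources": sorted(r["sources"]),
               "reset_at": r["reset_at"].isoformat()}
        for acct, r in hits.items() if r["failures"] >= min_failures
    }


if __name__ == "__main__":
    for acct, rep in find_canaries(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: {rep['failures']} failed logons after reset at "
              f"{rep['reset_at']} from {', '.join(rep['sources'])}")
```

On the sample, only `svc-backup` is reported (three failures from 203.0.113.7 after its reset); `jdoe` has a single in-window failure and `msp-admin` was never reset.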
Verify, via audits, that MSP accounts are being used for appropriate purposes and activities, and that these accounts are disabled when not actively being used.

### Purpose

This advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

### Acknowledgements

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities would like to thank Secureworks for their contributions to this CSA.

### Disclaimer

The information in this report is being provided “as is” for informational purposes only. NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favouring.

### Contact Information

 * **United Kingdom organizations:** report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://www.ncsc.gov.uk/section/about-this-website/contact-us>) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
 * **Australian organizations:** visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
 * **Canadian organizations:** report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>).
 * **New Zealand organizations:** report cyber security incidents to [incidents@ncsc.govt.nz](<mailto:incidents@ncsc.govt.nz>) or call 04 498 7654.
 * **U.S.
organizations:** all organizations should report incidents and anomalous activity to the CISA 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>).

### Resources

In addition to the guidance referenced above, see the following resources:

 * Joint CSA: [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>)
 * Joint CSA: [2021 Trends Show Increased Globalized Threat of Ransomware](<https://www.cisa.gov/uscert/ncas/alerts/aa22-040a>)
 * [ACSC's Managed Service Providers: How to manage risk to customer networks](<https://www.cyber.gov.au/acsc/view-all-content/publications/managed-service-providers-how-manage-risk-customer-networks>)
 * CCCS:
   * [Cyber Security Considerations for Consumers of Managed Services](<https://cyber.gc.ca/sites/default/files/publications/itsm50030-e.pdf>)
   * [Baseline Cyber Security Controls for Small and Medium Organizations](<https://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations>)
   * [Top 10 IT Security Action Items to Protect Internet Connected Networks and
Information](<https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089>)
   * [CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers](<https://cyber.gc.ca/en/alerts/malicious-cyber-activity-targeting-managed-service-providers>)
 * CISA:
   * [CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018)](<https://www.cisa.gov/uscert/ncas/alerts/TA18-276B>)
   * [CISA Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) and [CISA Cyber Resource Hub](<https://www.cisa.gov/cyber-resource-hub>)
 * [FBI Internet Crime Complaint Center alerts on malicious and criminal cyber activity](<https://www.ic3.gov/>)
 * National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE): [Improving Cybersecurity of Managed Service Providers](<https://csrc.nist.gov/publications/detail/white-paper/2019/10/08/improving-cybersecurity-of-managed-service-providers/draft>)

### References

[1] [State of the Market: The New Threat Landscape, Pushing MSP security to the next level (N-able)](<https://www.n-able.com/resources/state-of-the-market-the-new-threat-landscape>)
[2] [Global targeting of enterprises via managed service providers (NCSC-UK)](<https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers>)
[3] [Guidance for MSPs and Small- and Mid-sized Businesses (CISA)](<https://cisa.gov/sites/default/files/publications/CISA Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)
[4] [Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers (CISA)](<https://www.cisa.gov/uscert/kaseya-ransomware-attack>)
[5] [APTs Targeting IT Service Provider Customers (CISA)](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>)
[6] [MSP Investigation Report (ACSC)](<https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/msp-investigation-report>)
[7] [How to Manage Your Security When Engaging a Managed Service Provider (ACSC)](<https://www.cyber.gov.au/acsc/view-all-content/publications/how-manage-your-security-when-engaging-managed-service-provider>)
[8] [Supply Chain Cyber Security: In Safe Hands (NCSC-NZ)](<https://www.ncsc.govt.nz/guidance/in-safe-hands/>)
[9] [Multi-factor authentication for online services (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>)
[10] [Zero trust architecture design principles: MFA (NCSC-UK)](<https://www.ncsc.gov.uk/collection/zero-trust-architecture/authenticate-and-authorise#section_2>)
[11] [Joint CISA-FBI CSA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols and “PrintNightmare” Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>)
[12] [Security architecture anti-patterns (NCSC-UK)](<https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns>)
[13] [Preventing Lateral Movement (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement>)
[14] [Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement#:~:text=The%20principle%20of%20'least%20privilege,rather%20than%20all%20of%20them>)
[15] [Device Security Guidance: Obsolete products (NCSC-UK)](<https://www.ncsc.gov.uk/collection/device-security-guidance/managing-deployed-devices/obsolete-products>)
[16] [Known Exploited Vulnerabilities Catalog (CISA)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)
[17] [The problems with patching (NCSC-UK)](<https://www.ncsc.gov.uk/blog-post/the-problems-with-patching>)
[18] [Security principles for cross domain solutions: Patching (NCSC-UK)](<https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/patching>)
[19] [Joint CSA: 2021 Top Routinely Exploited
Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)
[20] [Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files (NIST)](<https://csrc.nist.gov/publications/detail/white-paper/2020/04/24/protecting-data-from-ransomware-and-other-data-loss-events/final>)
[21] [Stop Ransomware website (CISA)](<https://www.cisa.gov/stopransomware>)
[22] [Offline backups in an online world (NCSC-UK)](<https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world>)
[23] [Mitigating malware and ransomware attacks (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)
[24] [Effective steps to cyber exercise creation (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/effective-steps-to-cyber-exercise-creation>)
[25] [Supply chain security guidance (NCSC-UK)](<https://www.ncsc.gov.uk/collection/supply-chain-security>)
[26] [ICT Supply Chain Resource Library (CISA)](<https://www.cisa.gov/ict-supply-chain-library>)
[27] [Risk Considerations for Managed Service Provider Customers (CISA)](<https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf>)
[28] [Device Security Guidance: Enterprise authentication policy (NCSC-UK)](<https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy>)
[29] [Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)](<https://www.ncsc.gov.uk/guidance/preventing-lateral-movement#:~:text=The%20principle%20of%20'least%20privilege,rather%20than%20all%20of%20them>)
[30] [Implementing Strong Authentication (CISA)](<https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf>)

### Appendix

This advisory's definition of MSPs aligns with the following definitions.

[The definition of MSP from Gartner's Information Technology
Glossary](<https://www.gartner.com/en/information-technology/glossary/msp-management-service-provider>)—which is also referenced by NIST in [Improving Cybersecurity of Managed Service Providers](<https://csrc.nist.gov/publications/detail/white-paper/2019/10/08/improving-cybersecurity-of-managed-service-providers/draft>)—is:

A managed service provider (MSP) delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded to include any continuous, regular management, maintenance and support.

The United Kingdom's Department of Digital, Culture, Media, and Sport (DCMS) [recently published](<https://www.gov.uk/government/publications/call-for-views-on-supply-chain-cyber-security/call-for-views-on-cyber-security-in-supply-chains-and-managed-service-providers>) the following definition of MSP, which includes examples:

Managed Service Provider - A supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, all of which are typically underpinned by a Service Level Agreement. A Managed Service Provider may provide their own Managed Services or offer their own services in conjunction with other IT providers’ services.
The Managed Services might include:

 * Cloud computing services (resale of cloud services, or an in-house public and private cloud services, built and provided by the Managed Service Providers)
 * Workplace services
 * Managed Network
 * Consulting
 * Security services
 * Outsourcing
 * Service Integration and Management
 * Software Resale
 * Software Engineering
 * Analytics and Artificial Intelligence (AI)
 * Business Continuity and Disaster Recovery services

The Managed Services might be delivered from customer premises, from customer data centres, from Managed Service Providers’ own data centres or from 3rd party facilities (co-location facilities, public cloud data centres or network Points of Presence (PoPs)).

### Revisions

May 11, 2022: Initial version

Advisory AA22-131A, "Protecting Against Cyber Threats to Managed Service Providers and their Customers," published May 11, 2022: <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a>

### Summary

Actions to take today to mitigate cyber threats to cryptocurrency:
• [Patch](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) all systems.
• Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
• Train users to recognize and report [phishing attempts](<https://us-cert.cisa.gov/ncas/tips/ST04-014>).
• Use [multifactor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit <https://www.us-cert.cisa.gov/northkorea>.

The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.

The U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus malware to steal cryptocurrency: [AppleJeus: Analysis of North Korea’s Cryptocurrency Malware](<https://www.cisa.gov/uscert/ncas/alerts/aa21-048a>). The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware:

 * [HIDDEN COBRA – FASTCash Campaign](<https://www.cisa.gov/uscert/ncas/alerts/TA18-275A>)
 * [FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks](<https://www.cisa.gov/uscert/ncas/alerts/aa20-239a>)

This advisory provides information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to stakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats against cryptocurrency.

### Technical Details

#### **Threat Update**

The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to the previously identified Lazarus Group (see [AppleJeus: Analysis of North Korea’s Cryptocurrency Malware](<https://www.cisa.gov/uscert/ncas/alerts/aa21-048a>)).
The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.

#### **Tactics, Techniques and Procedures**

Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor."

The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications (see figure 1).

**_Figure 1: Screenshot of CryptAIS website_**

The JavaScript code providing the core functions of the software is bundled with Webpack.
Within the code is a function that purports to be an “update,” with a name such as `UpdateCheckSync()`, that downloads and executes a malicious payload (see figure 2).

The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain at either the endpoint `/update/` or `/oath/checkupdate.php`. In recent variants, the server’s response is parsed as a JSON document with a key-value pair, where the key is used as an AES 256 encryption key in Cipher Block Chaining (CBC) or Counter (CTR) mode to decrypt the value. The decrypted data is written as a file to the system’s temporary directory, as provided by the `os.tmpdir()` method of Node.js, and executed using the `child_process.exec()` method of Node.js, which spawns a shell as a child process of the current Electron application. The text “Update Finished” is then logged to the shell for the user to see.

Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT) that collects system information and has the ability to execute arbitrary commands and download additional payloads (see [North Korean Remote Access Tool: COPPERHEDGE](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-133a>)). Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.

_**Figure 2: Screenshot depicting the UpdateCheckSync() and supporting functions bundled within 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18 associated with DAFOM**_

#### **Indicators of Compromise**

_**DAFOM**_

DAFOM purports to be a “cryptocurrency portfolio application.” A Mach-O binary packaged within the Electron application was signed by an Apple digital signature issued for the Apple Developer Team W58CYKFH67.
The certificate associated with Apple Developer Team W58CYKFH67 has been revoked. A metadata file packaged in the DAFOM application provided the URL `hxxps://github[.]com/dafomdev` for bug reports. As of April 2022, this page was unavailable.

_**dafom[.]dev**_

Information as of February 2022:  
**IP Address:** 45.14.227[.]58  
**Registrar:** NameCheap, Inc.  
**Created:** February 7, 2022  
**Expires:** February 7, 2023

_**60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18**_

**Tags:** dropper macos  
**Name:** DAFOM-1.0.0.dmg  
**Size:** 87.91 MB (92182575 bytes)  
**MD5:** c2ea5011a91cd59d0396eb4fa8da7d21  
**SHA-1:** b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8  
**SHA-256:** 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18  
**ssdeep:** 1572864:LGLBnolF9kPEiKOabR2QEs1B1/LuUQrbecE6Xwijkca/pzpfaLtIP:LGVnoT9kPZK9tVEwBxWbecR5Faxzpf0M

_**TokenAIS**_  
TokenAIS purports to help “build a portfolio of AI-based trading” for cryptocurrencies. Mach-O binaries packaged within the Electron application contained an Apple digital signature issued for the Apple Developer Team RN4BTXA4SA. The certificate associated with Apple Developer Team RN4BTXA4SA has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called `UpdateCheckSync()` located in a file named `update.js`, which is bundled in a file called `renderer.prod.js`, which is in an archive called `app.asar`.
This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CBC mode with the hardcoded initialization vector (IV) `!@34QWer%^78TYui` and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

_**tokenais[.]com**_

Information as of January 2022:  
**IP Address:** 199.188.103[.]115  
**Registrar:** NameCheap, Inc.  
**Created:** January 27, 2022  
**Expires:** January 27, 2023

_**5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03**_

**Tags:** dropper macos  
**Name:** TokenAIS.app.zip  
**Size:** 118.00 MB (123728267 bytes)  
**MD5:** 930f6f729e5c4d5fb52189338e549e5e  
**SHA-1:** 8e67006585e49f51db96604487138e688df732d3  
**SHA-256:** 5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03  
**ssdeep:** 3145728:aMFJlKVvw4+zLruAsHrmo5Vvw4+zLruAsHrmob0dC/E:aUlKtw4+/r2HNtw4+/r2HnMCM

_**CryptAIS**_  
CryptAIS uses the same language as TokenAIS to advertise that it “helps build a portfolio of AI-based trading.” It is distributed as an Apple Disk Image (DMG) file that is digitally signed by an Apple digital signature issued for the Apple Developer Team CMHD64V5R8. The certificate associated with Apple Developer Team CMHD64V5R8 has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called `UpdateCheckSync()` located in a file named `update.js`, which is bundled in a file called `renderer.prod.js`, which is in an archive called `app.asar`.
This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CTR mode and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

**_cryptais[.]com_**

Information as of August 2021:  
**IP Address:** 82.102.31.14  
**Registrar:** NameCheap, Inc.  
**Created:** August 2, 2021  
**Expires:** August 2, 2022

**_f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b_**

**Tags:** dropper macos  
**Name:** CryptAIS[.]dmg  
**Size:** 80.36 MB (84259810 bytes)  
**MD5:** 4e5ebbecd22c939f0edf1d16d68e8490  
**SHA-1:** f1606d4d374d7e2ba756bdd4df9b780748f6dc98  
**SHA-256:** f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b  
**ssdeep:** 1572864:jx9QOwiLDCUrJXsKMoGTwiCcKFI8jmrvGqjL2hX6QklBmrZgkZjMz+dPSpR0Xcpk:F9QOTPCUrdsKEw3coIg2Or6XBmrZgkZw

_**AlticGO**_  
AlticGO was observed packaged as Nullsoft Scriptable Install System (NSIS) Windows executables that extracted an Electron application packaged for Windows. These executables contain a simpler version of TraderTraitor code in a function exported as `UpdateCheckSync()` located in a file named `update.js`, which is bundled in `renderer.prod.js`, which is in the `app.asar` archive. The function calls an external function located in a file `node_modules/request/index.js` bundled in `renderer.prod.js` to make an HTTP request to `hxxps://www.alticgo[.]com/update/`. One AlticGO sample, `e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad`, instead contacts `hxxps://www.esilet[.]com/update/` (see below for more information about Esilet). Some image resources bundled with the application included the CreAI Deck logo (see below for more information about CreAI Deck). The response is written to disk and executed in a new shell using the `child_process.exec()` method in Node.js.
Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload.

_**alticgo[.]com**_

Information as of August 2020:  
**IP Address:** 108.170.55[.]202  
**Registrar:** NetEarth One Inc.  
**Created:** August 8, 2020  
**Expires:** August 8, 2021

_**765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819**_

**Tags:** dropper peexe nsis  
**Name:** AlticGO.exe  
**Size:** 43.54 MB (45656474 bytes)  
**MD5:** 1c7d0ae1c4d2c0b70f75eab856327956  
**SHA-1:** f3263451f8988a9b02268f0fb6893f7c41b906d9  
**SHA-256:** 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819  
**ssdeep:** 786432:optZmVDkD1mZ1FggTqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yVPUXi7:opzKDginspAU6JXnJ46X+eC6cySihWVX  
**Compilation timestamp:** 2018-12-15 22:26:14 UTC

**_e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad_**

**Tags:** dropper peexe nsis  
**Name:** AlticGO_R.exe  
**Size:** 44.58 MB (46745505 bytes)  
**MD5:** 855b2f4c910602f895ee3c94118e979a  
**SHA-1:** ff17bd5abe9f4939918f27afbe0072c18df6db37  
**SHA-256:** e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad  
**ssdeep:** 786432:LptZmVDkD1mQIiXUBkRbWGtqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yH:LpzKDgzRpWGwpAU6JXnJ46X+eC6cySiI  
**Compilation timestamp:** 2020-02-12 16:15:17 UTC

**_8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925_**

**Tags:** dropper peexe nsis  
**Name:** AlticGO.exe  
**Size:** 44.58 MB (46745644 bytes)  
**MD5:** 9a6307362e3331459d350a201ad66cd9  
**SHA-1:** 3f2c1e60b5fac4cf1013e3e1fc688be490d71a84  
**SHA-256:** 8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925  
**ssdeep:** 786432:AptZmVDkD1mjPNDeuxOTKQqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yV7:ApzKDgqPxeuLpAU6JXnJ46X+eC6cySiG  
**Compilation timestamp:** 2020-02-12 16:15:17 UTC

_**Esilet**_  
Esilet claims to offer live cryptocurrency prices and price predictions.
It contains a simpler version of TraderTraitor code in a function exported as `UpdateCheckSync()` located in a file named `update.js`, which is bundled in `renderer.prod.js`, which is in the `app.asar` archive. The function calls an external function located in a file `node_modules/request/index.js` bundled in `renderer.prod.js` to make an HTTP request to `hxxps://www.esilet[.]com/update/`. The response is written to disk and executed in a new shell using the `child_process.exec()` method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload. Esilet has been observed delivering payloads of at least two different macOS variants of Manuscrypt, `9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa` and `dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156`.

**_Figure 3: Screenshot of the UpdateCheckSync() function in Esilet_**

**_esilet[.]com_**

Information as of June 2020:  
**IP Address:** 104.168.98[.]156  
**Registrar:** NameSilo, LLC  
**Created:** June 12, 2020  
**Expires:** June 12, 2021

_**greenvideo[.]nl**_

_Likely legitimate but compromised_. Information as of April 2022:  
**IP Address:** 62.84.240[.]140  
**Registrar:** Flexwebhosting  
**Created:** February 26, 2018  
**Expires:** Unknown

_**dafnefonseca[.]com**_

_Likely legitimate but compromised_. Information as of June 2020:  
**IP Address:** 151.101.64[.]119  
**Registrar:** PublicDomainRegistry  
**Created:** August 27, 2019  
**Expires:** August 27, 2022

_**haciendadeclarevot[.]com**_

_Likely legitimate but compromised_. Information as of June 2020:  
**IP Address:** 185.66.41[.]17  
**Registrar:** cdmon, 10DENCEHISPAHARD, S.L.  
**Created:** March 2, 2005  
**Expires:** March 2, 2023

**_sche-eg[.]org_**

_Likely legitimate but compromised_.
Information as of June 2020:  
**IP Address:** 160.153.235[.]20  
**Registrar:** GoDaddy.com, LLC  
**Created:** June 1, 2019  
**Expires:** June 1, 2022

_**www.vinoymas[.]ch**_

_Likely legitimate but compromised_. Information as of June 2020:  
**IP Address:** 46.16.62[.]238  
**Registrar:** cdmon, 10DENCEHISPAHARD, S.L.  
**Created:** January 24, 2010  
**Expires:** Unknown

_**infodigitalnew[.]com**_

_Likely legitimate but compromised_. Information as of June 2020:  
**IP Address:** 107.154.160[.]132  
**Registrar:** PublicDomainRegistry  
**Created:** June 20, 2020  
**Expires:** June 20, 2022

_**9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598**_

**Tags:** dropper macos  
**Name:** Esilet.dmg  
**Size:** 77.90 MB (81688694 bytes)  
**MD5:** 53d9af8829a9c7f6f177178885901c01  
**SHA-1:** ae9f4e39c576555faadee136c6c3b2d358ad90b9  
**SHA-256:** 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598  
**ssdeep:** 1572864:lffyoUnp5xmHVUTd+GgNPjFvp4YEbRU7h8cvjmUAm4Du73X0unpXkU:lfqHBmHo+BPj9CYEshLqcuAX0I0

_**9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa**_

**Tags:** trojan macho  
**Name:** Esilet-tmpzpsb3  
**Size:** 510.37 KB (522620 bytes)  
**MD5:** 1ca31319721740ecb79f4b9ee74cd9b0  
**SHA-1:** 41f855b54bf3db621b340b7c59722fb493ba39a5  
**SHA-256:** 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa  
**ssdeep:** 6144:wAulcT94T94T97zDj1I/BkjhkbjZ8bZ87ZMSj71obV/7NobNo7NZTb7hMT5ETZ8I:wDskT1UBg2lirFbpR9mJGpmN

**C2 Endpoints:**

 * `hxxps://greenvideo[.]nl/wp-content/themes/top.php`
 * `hxxps://dafnefonseca[.]com/wp-content/themes/top.php`
 * `hxxps://haciendadeclarevot[.]com/wp-content/top.php`

_**dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156**_

**Tags:** trojan macho  
**Name:** Esilet-tmpg7lpp  
**Size:** 38.24 KB (39156 bytes)  
**MD5:** 9578c2be6437dcc8517e78a5de1fa975  
**SHA-1:** d2a77c31c3e169bec655068e96cf4e7fc52e77b8  
**SHA-256:** dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156  
**ssdeep:** 384:sdaWs0fDTmKnY4FPk6hTyQUitnI/kmCgr7lUryESll4yg9RpEwrUifJ8ttJOdy:sdayCkY4Fei9mhy/L9RBrny6y

**C2 Endpoints:**

 * `hxxps://sche-eg[.]org/plugins/top.php`
 * `hxxps://www.vinoymas[.]ch/wp-content/plugins/top.php`
 * `hxxps://infodigitalnew[.]com/wp-content/plugins/top.php`

_**CreAI Deck**_  
CreAI Deck claims to be a platform for “artificial intelligence and deep learning.” No droppers for it were identified, but the filenames of the samples below, `win32.bin` and `darwin64.bin`, match the naming conventions used by other versions of TraderTraitor when downloading a payload. Both are samples of Manuscrypt that contact `hxxps://aideck[.]net/board.php` for C2 using HTTP POST requests with `multipart/form-data` Content-Types.

_**creaideck[.]com**_

Information as of March 2020:  
**IP Address:** 38.132.124[.]161  
**Registrar:** NameCheap, Inc.  
**Created:** March 9, 2020  
**Expires:** March 9, 2021

_**aideck[.]net**_

Information as of June 2020:  
**IP Address:** 89.45.4[.]151  
**Registrar:** NameCheap, Inc.  
**Created:** June 22, 2020  
**Expires:** June 22, 2021

_**867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36**_

**Tags:** trojan peexe  
**Name:** win32.bin  
**Size:** 2.10 MB (2198684 bytes)  
**MD5:** 5d43baf1c9e9e3a939e5defd8f8fbd8d  
**SHA-1:** d5ff73c043f3bb75dd749636307500b60a436550  
**SHA-256:** 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36  
**ssdeep:** 24576:y3SY+/2M3BMr7cdgSLBjbr4nzzy95VV7cEXV:ESZ2ESrHSV3D95oA  
**Compilation timestamp:** 2020-06-23 06:06:35 UTC

_**89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957**_

**Tags:** trojan macho  
**Name:** darwin64.bin  
**Size:** 6.44 MB (6757832 bytes)  
**MD5:** 8397ea747d2ab50da4f876a36d673272  
**SHA-1:** 48a6d5141e25b6c63ad8da20b954b56afe589031  
**SHA-256:** 89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957  
**ssdeep:** 49152:KIH1kEh7zIXlDYwVhb26hRKtRwwfs62sRAdNhEJNDvOL3OXl5zpF+FqBNihzTvff:KIH1kEhI1LOJtm2spB

### Mitigations

North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency intellectual property, and gain financial assets. The U.S. government recommends implementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the blockchain technology and cryptocurrency industry.

 * Apply a defense-in-depth security strategy. Apply security principles—such as least access models and defense-in-depth—to user and application privileges to help prevent exploitation attempts from being successful. Use network segmentation to separate networks into zones based on roles and requirements. Separate network zones can help prevent lateral movement throughout the organization and limit the attack surface.
See NSA’s [Top Ten Cybersecurity Mitigation Strategies](<https://media.defense.gov/2019/Jul/16/2002158046/-1/-1/0/CSI-NSAS-TOP10-CYBERSECURITY-MITIGATION-STRATEGIES.PDF>) for strategies enterprise organizations should use to build a defense-in-depth security posture.
 * Implement patch management. Initial and follow-on exploitation involves leveraging common vulnerabilities and exposures (CVEs) to gain access to a networked environment. Organizations should have a timely vulnerability and patch management program in place to mitigate exposure to critical CVEs. Prioritize patching of internet-facing devices and monitor them accordingly for any malicious logic attacks.
 * Enforce credential requirements and multifactor authentication. North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. The U.S. government recommends organizations implement and enforce multifactor authentication (MFA) to reduce the risk of credential theft. Be aware of [MFA interception techniques for some MFA implementations](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>) and monitor for anomalous logins.
 * Educate users on social engineering on social media and spearphishing. North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. A cybersecurity-aware workforce is one of the best defenses against social engineering techniques like phishing. User training should include how to identify social engineering techniques and awareness to only open links and attachments from trusted senders.
 * Implement email and domain mitigations. Maintain awareness of themed emails surrounding current events.
Malicious cyber actors use current events as lures for potential victims, as observed during the COVID-19 pandemic. Organizations should have a robust domain security solution that includes leveraging reputation checks and closely monitoring or blocking newly registered domains (NRDs) in enterprise traffic. NRDs are commonly established by threat actors prior to malicious engagement.
 * HTML and email scanning. Organizations should disable HTML from being used in emails and scan email attachments. Embedded scripts may be hard for an antivirus product to detect if they are fragmented. An additional malware scanning interface product can be integrated to combine potentially malicious payloads and send the payload to the primary antivirus product. Hyperlinks in emails should also be scanned and opened with precautionary measures to reduce the likelihood of a user clicking on a malicious link.
 * Endpoint protection. Although network security is critical, device mobility often means traveling and connecting to multiple different networks that offer varying levels of security. To reduce the risk of introducing exposed hosts to critical networks, organizations should ensure mobile devices have security suites installed to detect and mitigate malware.
 * Enforce application security. Application allowlisting enables the organization to monitor programs and only allow those on the approved allowlist to execute. Allowlisting helps to stop the initial attack, even if the user clicks a malicious link or opens a malicious attachment. Implement baseline rule sets, such as NSA’s [Limiting Location Data Exposure](<https://media.defense.gov/2020/Aug/04/2002469874/-1/-/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF>) guidance, to block execution of unauthorized or malicious programs.
 * Disable macros in office products. Macros are a common method for executing code through an attached office document.
Some office products allow for the disabling of macros that originate from outside of the organization, providing a hybrid approach when the organization depends on the legitimate use of macros.
 * Windows-specific settings can be configured to block internet-originated macros from running. This can be done in the Group Policy Administrative Templates for each of the associated Office products (specifically Word, Excel, and PowerPoint). Other productivity software, such as LibreOffice and OpenOffice, can be configured to set the Macro Security Level.
 * Be aware of third-party downloads—especially cryptocurrency applications. North Korean actors have been increasingly active with currency generation operations. Users should always verify file downloads and ensure the source is from a reputable or primary (preferred) source and not from a third-party vendor. Malicious cyber actors have continuously demonstrated the ability to trojanize applications and gain a foothold on host devices.
 * Create an incident response plan to respond to possible cyber intrusions. The plan should include reporting incidents to both the FBI and CISA—quick reporting can reduce the severity of incidents and provide valuable information to investigators. Contact information can be found below.

### Contact

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI’s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).

### Disclaimer

The information in this advisory is provided "as is" for informational purposes only. The FBI, CISA, and Treasury do not provide any warranties of any kind regarding this information or endorse any commercial product or service, including any subjects of analysis.
### Revisions

Initial Version: April 18, 2022

Advisory AA22-108A, "TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies", published April 20, 2022: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a

### Summary

_The Sandworm actor, which the United Kingdom and the United States have previously attributed to the Russian GRU, has replaced the exposed VPNFilter malware with a new, more advanced framework._

The United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink.
The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST). The malicious cyber activity below has previously been attributed to Sandworm:

 * The BlackEnergy disruption of Ukrainian electricity in 2015
 * Industroyer in 2016
 * NotPetya in 2017
 * [Attacks against the Winter Olympics and Paralympics in 2018](<https://www.ncsc.gov.uk/news/uk-and-partners-condemn-gru-cyber-attacks-against-olympic-an-paralympic-games>)
 * [A series of disruptive attacks against Georgia in 2019](<https://www.gov.uk/government/news/uk-condemns-russias-gru-over-georgia-cyber-attacks>)

Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.

This advisory summarizes the VPNFilter malware it replaces and provides more detail on Cyclops Blink, as well as the associated tactics, techniques, and procedures (TTPs) used by Sandworm. An NCSC [malware analysis report on Cyclops Blink](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) is also available.

It also provides mitigation measures to help organizations defend against the malware.

### Technical Details

#### VPNFilter

##### _**The malware was first exposed in 2018**_

[A series of articles published by Cisco Talos in 2018](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) describes VPNFilter and its modules in detail. VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited.
They also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for Sandworm, as also seen in their previous attacks against ICS networks.

VPNFilter targeting was widespread and appeared indiscriminate, with some exceptions: Cisco Talos reported an increase of victims in Ukraine in May 2018. Sandworm also deployed VPNFilter against targets in the Republic of Korea before the 2018 Winter Olympics.

In May 2018, Cisco Talos published the blog that exposed VPNFilter, and the U.S. Department of Justice [linked the activity](<https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>) to Sandworm and announced efforts to disrupt the botnet.

##### _**Activity since its exposure**_

[A Trend Micro blog](<https://www.trendmicro.com/en_gb/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html>) in January 2021 detailed residual VPNFilter infections and provided data which showed that although there had been a reduction in requests to a known C2 domain, there was still more than a third of the original number of first-stage infections.

Sandworm has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

#### Cyclops Blink

##### _**Active since 2019**_

The NCSC, CISA, the FBI, and NSA, along with industry partners, have now identified a large-scale modular malware framework ([T1129](<https://attack.mitre.org/techniques/T1129/>)) which is targeting network devices. The new malware is referred to here as **Cyclops Blink** and has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted.
In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.

The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

_**Note:** Only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected._

##### _**Malware overview**_

The malware itself is sophisticated and modular, with basic core functionality to beacon ([T1132.002](<https://attack.mitre.org/techniques/T1132/002/>)) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.

The NCSC has published a [malware analysis report on Cyclops Blink](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) which provides more detail about the malware.

##### _**Post exploitation**_

Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ ([T1542.001](<https://attack.mitre.org/techniques/T1542/001/>)). This achieves persistence when the device is rebooted and makes remediation harder.

Victim devices are organized into clusters, and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses ([T1008](<https://attack.mitre.org/techniques/T1008/>)). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) ([T1071.001](<https://attack.mitre.org/techniques/T1071/001/>)), using individually generated keys and certificates.
Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.
XFJ4tw+MxEHKtIxp4z72DV/hCsKX4U+yq74HhTCHZdeBBLD9yK+dv+iuV7n8C2kpdw5EIMyuqm4FLzUlxu3oGahqOoqT3Hb1/G5Wod68mMmio77aQd/vglC2rkWk0D76vW0qm5hmmp4XFNzVfq6upqzZ93Tdq4DHcXgJU2Kr2u0ssqPawyNDgwLFgWYJJ2HuhdnT9/vrbgksxdHTRokLatk/xB54MPPlCwqqSkpPQVS8GqkpKSUgfTF4FVWel0/Ph0/kifh4ULlmHF8jXYsH4zduwQUN3bNjf1iDZvURvCeuEMLtVUora2RgOCS9WE1Np6AlcjGuoMaKy3oKnRjroaGzatPozRA6dhWLfJiAnKRULwNCSFz0BK1GykRM5CQmgRYjrnIaZTHuJDCpEcMQOJvJ4YVkQg/AIOnU7PYJzPMBRfHQ9c/yJx/3PTkRTGtBCKk8OymN5MpIRNRkroFDoXqQTaVIYSTybgJobnICZkIvp1SsWAsFSkv1+EPfOOw1zmQmsjYLlsQ0NlA2G1mmVyCfV1Vaitq0B9QxUamxrQ3CRlZkXDZSfqa9y0kwBLcGWZ1jdegM50AifOzcXm/fE4UZWEk7UDsO5wKOZtvQNbTj2Eow1B2FP5IDacvAMLdv8e87b9BeuPhOJo5UBU6PJQZ1yDBsNBNDafRUMjv1/P99Y1oq5Wh/paPW2irai/bKclDQ6GPK418D7eW1/NtNL1l+k6//NfU9fV1Wmura3FZQK5AKy0UeltlSHE0ssagFbpYZXFl+QPMjIvW1YIlrmrsqewLLIk2zlFRETgwQcf1OavKlhVUlJS+mqlYFVJSUmpg+nzYFWGOMoP8TfffBMTJ2Zg7pwFWLJ4BVavXI/Nm7Zj1669OHjwAI4eO8wf98dwuuwkQfWsNoT1cq1AT60GA7UEmsZGHRob9IQuE5oabDDovdA3e7F+xSEk9s7F8O45hMEiJIfOIuDNREr4LCQRDBOCpiG201TEdS7QjlMj5jCciRHBBNEvZMJqMEHz3+rpSAwuRFJwHj0FySFZSGGYEpRD59NTrzgpeCpGhOQiMYIgHjUZsd0mIuODWdg77ySs573w1AMmQntzDcHwch0aCHyNAoyNFWhougSdrgm6ZjOa6u2EVZcGqw11DpahAU26ajQZTqDBuBXFZ8dj/f43ceji2yiueg6ri+/Hgl1/wubT92Bf1SPYcOIuLD9wG5bs/RtBtgsOXeiFipYsNNnWosVajGbDeTQ116OpSY+mRsJxQwvrr5mhuIU2an9kaKyz005/KMdyvbGOrm0LG+jGr9RNTU2f6cA9DQ0NV+BVoFXa/NW9rNLDKiv8yvZLstiSLCYmWzTJ6sCyyFJMTAwiIyPx0EMPKVhVUlJS+hpIwaqSkpJSB9XVsJqVlYXQ0FA8/PDDePvtt7X9VefPW4RlS1dh7eqN2LplJ3/E79d6VY+XHMWpUyUoKz+FixXncKn6ImprpaetVuvBamhsQovOROiyELLEDlhMgNUMbF59GAnv5WAIQW54l3wkdCpEfKcCxHeWsM2Mj+gyjVA4E6lhswiK05HQeRoSeO6r8oguBUjsQgjtMgVJQVlI7kxo7ZRL59NTacIsndh5KuK7SO9qHmE1m7CagYnvz8SeeSdgKffAXuuF4bIFpiYz9LoW6Foa0NxSg8bmSi3U63U8b9XKrKHWRUh0obnJBr1BB6P1Apotu3G+vhD7zvTD5mPdsOH449h86l5sKP0rVh37M1YduQVrjt6JlcV3Y9HOe7D2UDiOVPTHxeYsNNvXwOQ8AoPlPJp19XyvCS3NNtaVFc3NhGHCXbOO6dE18linXW9uJFg3Ovxukvv0tNwn9zBsbv7K3dLSolmn033CgXvag6tA66cBqywOJr2rMsxd9mKVxcRk7urSpUtRVFSk7T0cHR2t/RtRsKqkpKT01UvBqpKSklIH1afBqszHe+SRR/DOO+8iMzMLC+YvwfJla7BuzSZs2yqLKsk+nIdx4s
RxnD5zEuUXzqCyqtw/17L2EurqpLetkZDaAn2LhbYTcugGF6yEVacd2LHhGBJ75xFWMxHbOZdwOhVxdEIXgl5wEZJCpyM5bAaSZfhtSJF2TsKkkOn/M4dOYyjPyTuvjst1icu5z4sHnmOaQqYhJWQqUkPykCYOzqcLkRZUhJFdptME66CZSJFe2NBCJITlY1hoJoZEpmNC7xnYvaAE1go3rHVuGOqtsFsI8DYCq5nAZ6ihL0FvrIPRZIRRL3DoQlO9Gy1NLhiNNphtDbC6Swmcq3G0Ig6bS7ph/bEHsOTA77Ds8A1Yf+p3WF/6Jyw98AfM3/Fngup9WLYrlFA7ENX6WWixb4PZWQKL/SK/U0uAI8w1W/ktJ8wmB79hhkGA2NTEeDOth9Fg5nWblh65z2iwa/cZjYZ2Znq/YhsMBs2fd02v12tAK+AqbVR6WK8eEiy9q7LgkgwFlkXEZCiw7Cm8bNkybZGluLg4dO3aVcGqkpKS0tdEClaVlJSUOqg+C1YfffRRvPdeLx5nY9HCpVi5Yi3Wr9uCHdv34MB+mat6FLK/5tky6VUtw6XqC6iVOZfaMOA6DQj0LUYNVg16OwwtLgKXV4NVlwPYvbkEyR9MxdCumRgeLHNWCzEihKAaVoSUyBn0TP881bBpWs+rAG1CSAGSwgmP4QTHL2SZByvPSCguvCoeuEcscTkXON8+HnhHEZJ5LjVsKtLokaHiQpqgGjIDo4Jn0rMJsbOREjpTuz+OsDooaCIGho/DuN7TsXfJCTgInw6dG+ZmG5xOFywuM5otDWg0VhNaa2C2NsFitcBsdEHf7EFLsxcmgwc2mxU21yVYvAdQb5uB/eVvYtn+v2Px/t9gSfGPsPTId7Hs6I+x6tiNWFF8CxbuuBOLtj+Jbcc+wPn6OTDYT8DquAyrvQlmSzMMhNEWPUNCnMVigc1qg5XftViM/L6JoVk7b7FYYTHb/LZIyGM5p137+thsNmv+vGsmk0mDV4FWAVYZFiyjAGTxJVlRWFYLlvmrMhRYFg+TocCy8vXatWu1ocAzZsxAfHy8glUlJSWlr5EUrCopKSl1ULWHVfnBPmXKFISHh+Oxxx5Dr169eZyDxYuWYdXK9diwfit27tiLgweKcfz4MZw+XYpz5R/1qvoX26lBU1ODBgYGgxm6ZsKBQYb/+mDSw9+zagN2bfLD6uDoSYgJycaIsAKMIBS2dwKBMC4kD8M6T8HQTll+qOV9cj7g+KtNgPRfy6fl/py28NPiee2OPy8eeM4fTwzNQbIsosS0JYdMpQuRElyE1KDpSAkipNIjQqYzLYUYHp6HIWGTMCBiLMb0moY9y0vgMrjhNHlg1NlgcxLknXo0WGrRaK6GwVpLmGwhmNphNbPMDOJWgqQXLrcJNk8Z9O4NuGSegF1l0Viw59eYt/fbWH78W1hx8ltYfPjbWHzweqw49FesPvgUth59A2dr8qC3nPDDLt9pNXsJcHYCq55g3AiL9NYSYG12A+8xacBqtfL7FiftYNxKm2lesxn91o7l/NfH7eH0s661B1b5g4oMC5bhwO17V2UosGxnI/NWZRsbmbcaWBVY9ltVsKqkpKT09ZKCVSUlJaUOqqt7VgVWIyLC8fjjfljNJqwuWbwcq1etx6YN27Br5z4UHzqMEyUl2n6q5efPourSea1XtbFJFgmqJQToYLfLUFFZ/degwarD5oPNAm3Oqt0M7Fh/HInv52FgdDqGhU4hnBIww/MJnPkYHpKrWbaLEQBN0K4RRHld7vE7F/ERvOdjzkOcvKPtuh8yA87muSm0hG1xno8P91tgNF7eqT13tXl/4D18bgSPkxhPIrAmheYjKaRAGx6cHFKE5OAZSKRlNeO4sELER0/FkMgM9A0fheS387Bz2VG4TG7YLS40NxthIPg12RvRaKtFM91iIehbjbDb3FfKy8Lycjo98PhaYPEcQaNzPs7pYrDx5INYdPBHWHrsW1h05BosJ6yuLv0BFh/4FeZuux
2bjz2PipYcGFz7CMXN/CZglT8YGKHBr8NhhcOp47U6WOx1Wo+uAKz0qGqQyjRegVWBWJuebqENPCdQKyBIqNV6ZNvDoRx/Ucu725ugKdaAWd51tT/tHZIGK9NuZllJ2tub7xFQ5Xmx2WSByUhg1YY7G7T5rDIcuP3cVdmDVVYFPnz4sDZvVfZcVbCqpKSk9PWVglUlJSWlDqovDKurN2DTJsLqrgMoPnwUJ04SVs9+ElabmmQIcLMGDzJs1KAnRBidsFt9Giw5aD+sliC5Tx4GdZ1AWJ1MSPSD5nDCamyIeCqGhxYQDqchMXI6kqKmIyGygIBKgNWcg7jIbAzXnNNmQi4t0JpAjwjLQ+IV5yCRkDoiop0FROVefld6dhOkNze8kPH2LqDlurwvh1CdzfdM0ZzEeBLfoQEr05oUWohEQqrMrU3gs3ERzEM08xg1EX2iRiK111TsWHYMthbCqtWDZr0JOrsejY4GNLkboPfoYGIB2R1OwqTvymJUFrMHFhKmw30JLt9B1JvzceD8S1hx6I9YdvR7WFH6X5hz8BosK/ku1p35ORbt/zOW7O6CwxdTYPDuhs1bA4vNrpU/2Rg2Uyth2EsAdsDpIhi7WF92GXqsI6gaCXdWfl/S4KIdsNlstJk20v7eV/+xnLdfZZ6TZ7TnP7LV9nFbbALBftA1E1L9JkzyGxa7gDFBkxZwtrEtOexMK8vF4XAx7ZIuf6+v9BD7hyf7AdfGArOz4GzMh42hnc/bec1uZp5MbJNsj6YWM0x6mXNr0npXG5s+PndVFlqSRZbaw6qsCLxy5Uptr9WEhAR069ZNwaqSkpLS10QKVpWUlJQ6mAKQevUw4OzsbG0PySuwmp2LJUtWYPWajdi0eTt27fbDaglh9XTZaZRfKENV23zVAKzKtisy1NJOKHHYPLCa3LAYCKuEL68DcFllGPAJjOw3FYO7p2NoWKY2XHZ4OOGOwDicgDo8bLrmuNAZiBeHTSPMyjXeR1AdHjEFsZFZbZa4OJuWa9IjS8AMnYokQq8fJgUqCaxh0jMqJniGyrDefCQQNEeETGNIIJbtcUJmtXkGXcT7CK18xwi+Q3s2fDKd6XdYFs/Lu/zfk3eJpUd4eEQuhjJ9/SPGo3+PsRg3YCZ2rzwJc4NHW2TKSFhrISw2eZqg8zXB4DPB4nbB4ZJhv4BZeqEZCjSazA0w20/D17oH9YaJ2Hi0MxbuuR5Lj3ybkHoN5h26BouPfI/w+hss2f8Q9pYPRo15LYyui3yOEEg4ttkIqVaxRwM+6f22a3BMoBOTZu12G+2gnW2WOO9jQj5uuU/Oi9vfT8u7bQRy1n3ANvtHttrdTJOLwCrQaoeJmTXx2ya7kTbA7CAwOwmsPJYeXAcB2ON0w+Pywu30am3KZpLFuvg8bTXLkGWbdp+T73HKM1YDbWRbM8NN2HWzrF0mBxwthNsmfk9HWDV8BKvtVwaWeaunTp3SVgQWEJUVgTds2KCtCDx79myMGDEC3bt31xYh69u3r7YQk4JVJSUlpa9OClaVlJSUOpi+KKxOaYPVVWs3YoPA6p7Ph1WdrgGygqz0iGmwaiWoGgkmAqtmP6x6CGB7NvphdUj3CYTVDIJoHuK0eaeFtADqbILqLMQTGhNCZvK4SLsmCxbFhecSBKVHNctvDVzFOYiNkOt+aEySobnBMkQ3n5Y5pjJ0d0qb/bDqh0zCqIBpMAE1eA49V3Ni8GwkBc9oWwm4AIly/7+CVW2+rN8fh9XxGD9w1hVYdbMcBNgMbjNavDroW2mPAXqbhRDrJtQBDposCPIrXG6CnO0ErN51qDGmYXPJE5i/+6dYXHwNVp38FhYxnLv3+1i07y/YVPIizukKYWk9A2crIc7tg81BACYkfhxAA24Pnl/G7WBVg9SAPwmrVlry7beTdtA2mAjLJgKq2WmE2W0gtBthc5k0iHaxINwOF0HUBZuFzxhpWb2Y7cpm8fC6QKybIfNqJ6gSeB3WFloPl80It4
3ASpB181m3gc8IsOqtfljVKVhVUlJS+qZLwaqSkpJSB9P/Fazq9U0wm/3zGbXhoGYnTAQLi8F7BVa9hNW9G09iVP8CDO02ATGhmQTRPAKmQKb0cM4koM7RLPCYQGhMIEz6r8kCSzIvNQdxBNY4gmqcxAmwAqlx4dMIttOQSFD9n8MqQUSD1flXYFXmn8q7EkOmfgSrBNTEgEOzeS3Pf51AO0J6aWnZtkaGNccyfYPC0zGQ+Rzfbxb2LCdw1nvgYznYCFlWUqvJY4LR1wKTVw+zywiDlQBrtBGmvFoPq8spwGqBw1UGa+talDcNw5pD92Pxvp9j+dEfYPmR72LB3h9iwe7fYcuJrrjQlAGTew/svmpCIN/NejATgP1A+Wmw+b+zjcBp47s1yxBdgUqCsU0gVbPAt99WXvP3qLaBqkNsJ6RamHeztjKyxc32I4tJMW53muEkhLocTpaD5IHvk15iQqq822H3EVR98Lg9cDqthFsj79Hzmk6zk3GXzQQXgdhlc8DJ9mg3yYJfVhgIqzrCapOCVSUlJaVvtBSsKikpKXUw/Z/BqkGGABu1VVdlLqHZaPfDqtEL8ghaXYDPDuzffBJj+hdiWLd0xIZMJoTKcNxCejrBdBYhcY5mPzwSEOScDMmV7W00cBTIFNiUobmMCyhqQ3Zl6K4A5vT/BazOo6V3Vb7L83Jdu88/DDhRez6bzkUK353Cb6QET9NWBE5us3xboHU4QXpw2EQMipqACX1m+beuqfUA0mMqQ6LdBFKXjXCph9VHuAJDtw5nz5/HurV7sHjhVuzYdhh1tdWsoctwYRNKKj7E8t33YmXx77Hq2A2Yv/tazN/xe6w7HIQz9UlwYBu8uACjoxoNhnq0mFgXhEN/D+jVvar/e38MVq84AK1iOZZ7/Lba7JotfNZCULXSsiqylIPNReB0871uiVuYbll92AwHodbl8oD/IxjKglMsQsK+gLCVMC7pcBBWHRrgsgztzXxvM+9p4bMmum2IM4FV/ogi2+8oWFVSUlLqGFKwqqSkpNTB9O+H1UuE1VroWhqh17do+1jKMEuTniCmJyCYfCCLAISNAKyO7V/gh9XgyYTCqTQBT0CTkJgUNOfjlnMagBa2AahsGeO3DNFNIiwmBc/036d5Zhs4fhlYDVjmrwoAyyJLAqqyKJMfVP3vy0Nq8FSkBhXS/q1rAk5meqSnNY5AOziEsBoxDhPfn4n9i07CVeMFBNytgNfZSpASaNPD4m6EvbWOwNqMw8eLMXRoKh55KAJvvtYXu3Zuh8l6Fs2W5ThwqjfW7HsCqw7diaX7fo95227Gqv1P4dD5fqg1zSasHoOjtRoGex10ZkIbyc5JmLLxO1eD5r/Dnw6rPCcQqpng6bBesdVu0ew/z3c4HYRM5xU7SaROl5vnWS7aokuy2BLvJfjanT5CaSu/2wqLxQOjyUFbYbYSRgmrTg+BVYYQE1htzpY2GwiuYr6HwGrhu2Tl4MBqwIHtaxSsKikpKX0zpWBVSUlJqYPp/wpWm3UN2gJLAgEGvRFmgxUWI2HESlglpLbyNz15Ans3EFb7TUVM13TEBWUR7KTHlIAnc0QJjckE1OQu7Rw0iwAoEEgw1HoyCYma23o1CYspQbOR2mUuw7n++wmNArftF1hqD6syrDeRICvf/ghWZchxwG1Dj2UOqmxvE57VBqs5bT2qU5EWVIC0LoV0ET2dxx/BqkB0PKF2SFA6hoSPQ0bvmTi44CTclwirJhY43WprhUuGS9sMBNZ62DzVcKNB66WeMXMB7r7rUTz0wFPImDQeK1bnYufBMdh68F0s3doZi7behwVb78Ly3U/hYNmHuGSYDqNzFyyucji9LRq4GcwtaGhuQItBr4Gl9FBeDZv/W2u9pQRUqyNgHhNCrU4bTTh1mgmMbXaYeD+tLeokw3alR1QA1eWHVKesUtwKp0NCjwaBDqeL5eMknIq9sFpbNZvNPkKnh+9wE8ZdcHiYN68Ndg/f7SGwul
v4bR0sBFazowUmAqvJbvYv6CSwaiSsthBWGxWsKikpKX2TpWBVSUlJqYPpy8PqfsLqkXaweo6wevETsCqrrErPqtVsg81MELH5aMBNYHUYgd3rjmP0h3lXYFXrHRWwJJBqPaQCm10IrZoFPGdoAChDbv2Q+hGspgZNIyjOQFrnOfQ8zaka4MriSJ8Nq0mE1SRCp9zzSViVebNFbXNkZXsb2aPVv6CSH1YD3xa3h1WBZunRFVidivjgbAzpPB5DCauT35+F4oWl8ARg1cDyN/ngNju0FWwtllroLeVweGt4sRVl58rxyitv4blnnsf06ayHFVnYumcMdhUPwZodz2P+2i6Yv64Ldh5/Hzr7Aj5zlr5MEGwg6Nng9XoJhhY0Cazq/Xvf/vth1d+rqs1FdYgJlPyGxWEjJFpoM4FRejrbTGC02Q0ETBnaa9V6lZ2EUbeAqUP+oEFQlTYiEM+4lwzochBOzW5YTG7YLD7YZVVjtiWZzxuY0+vxgHDO6zKEmJBu9xGMvdJbTVB1sS06dDDY9dDb/HOCDQpWlZSUlDqMFKwqKSkpdTB9eVjdR1g9TFg9QVg9Q1gtJ6xWXDUMmGBgMMBsssBulRWBPTQBw0KgEMAgpO3ZeBxjB+RiWLfxiA3JaBuSK0OBBRxlbqpAa8D+OaDJBFr/kF4ZfivO9wOrBqsz/72wGhpY0InAGZ6L+IgsOkMDVtn+RtLQfihyivT4Mh0pBFcZeqytHkzIHR6SicFdxmJY5Fhk952NI0tPwXOZsGpmgesJYwZCmtEBt5VgZ25As+EC7K56XnTiXPlpJCaOwPDhQ7Bz1xrUNR1BXfNmlFVOxeFTqVi/szfmLX8Jqzb1x5nyuWhqOsTyPweTsUmDSJnjKRDl8XoYb9uq5t9sDVQdBMkrJqzK8N02ULW4jLC6CKhOAVQBVb1mWbXX6bDQTCef89i98BBC3QKfLBtyrRZ6CK5Oth2b0QcnAV8WppKh5CAbeuUa25RshSTzfx3aisMOONw22L1se14TgdW/urDRIaBqgN5qpBWsKikpKXUkKVhVUlJS6mD6v4LVFsKqwdCiwarFbCGkuvywavHBavYy7geMQztKMTFmKob1HIWhoeMQRxjUVveVVX1le5orW8Dk+3s2280ZlVV4k0PpEIHGXP+Q4CDp2ZzdBqoyFHg2oVGGARMc28FqMkFVszZ/lbAq1zRYnU7791iVBZ4SQov4TdkvNQ9xkUxXVAadzng6gZVwraUlx2++W2Dbv1qwpNN/XgA3JmwCBoWkIabraOQMnI2jq0/D09A2Z1Xvg8fggstog4vw5HKY4HKb4PPZGZpxoeIUFiycjgED38a4CcPQ1Hwc3tYaGM07UFWzGKVnizBrXj+83+dJvP7aU3j91UikT0jGxXNn4fXy3S4vgVKg1f1/CqsCqeaAnU7av7qvhXTph1X//FG72EETVp2EVZfdAjefF1D1EUi9AqcEUreebUTHOIGVzI5WQim5E63SGy2wKlzI81KGHoP/GQ/bld3kgcXk0BZRcjhtcHpkSDDTQeo1smz1NhMMNkIqYdWoYFVJSUmpw0jBqpKSklIH0xeH1RzC6vKrYFWGAZ9sB6uVhNVqf8+qroHA2qwtsGQ2mbWeVbvFDbvZDauJ0ETw8LmAkgNnkBFfgIE9EtE/JBnDIicgJmoSnUkT8gJ7qGrOpDPoiYTFiYgnMI6ImEggFE9GMoEyJbQQKV1mIKXzHIaEVVlgKcQ/FNcPqwKmuQTVbL8Juf5zskBTIRIJtrKgUmLoLILnTILqNA2ah4dnYzjTMzx6ImKjxjNt45iOCW3pySRgiydrjm8LtfO8HhudjqGRo9E/PBGDuiYhc0AhDq85AU8LYZXQ1WpohdvggNNIaLNZ4XYyTnu8XtqBZn019h5YjxdfDkdk9IMoK9vKWrISxM6gpmYnLlVux/y5Y9Et6kHc/qdf4Sc/+C90iwzD2ZOlWn16nF5YjKwDG8GN7/002PzfOgCrJt
r4abAqixtpsKr3w6q9BU6bHh5Co9dmh8/mQStBVcBTM6FTsyzGRVg11ThRe0aHcweqcWJbOY5uPoPDm0/h8KbTKN54Fke3nEfp7kpUlDTA0uAG2RQOtjOn7KnKtLhczDcbncyfNdltMDLNJpaHyWIlrBr9CywpWFVSUlL6RkvBqpKSklIH07+E1cceR6/evQir2ViydBlhdQM2bNnmh9Xioyg5UYrTZ8+i/CJh9RJhtbambc5q4xVYNRGUbBYCDcHBZnHBRmCVeYitHuBS+WUsyluNhNfHon90IgZEpeLDsGT0CUuh09BXHCpOpVPwYWgy+oUSbMN4L8OBArihIxEbOhYxQemID5Ye0+lIDZ2LpKDZSAwsriSwGjDhVHpU/SasakOAZWixDDGWIcMzEc/nhgcVIF5WAI4qRHx0LkF6IgaHj8ag8DQMjEhlGiQ9TG9IGvoHp6EfQ3Eg/mEIrzG9fcNG4P3QWHwQFYsRzOf89OUoP3QRPosPXqsXrhYXPGYHQVX2EbXCbDGx3EyEUT/4uDxGlJ7Zi55Ph+Cee/6IffsW86wJNutFVF08hMpzh7F8wQy888pLePKBh/HzH1yL6JAoVF+45H9etquxWPhuvp8AKXApc1YdDmdb6AdYm6y02+b2IPpFLLBqtrs0WDW7PbC4JG6DWVbedbH+XTJX1cB7DXA6jFrvsdtKUDVZ0WphPu1MqPSWElC9ja0wnreirqQZ1UfqcWZ7FbbOPYJFkzejMGUpMgbPxOi+hUjrXYCRvacxPh0TB89GTvwCzMtYowFs4zkjrPVSrrKXLaGf6XIyjbJAk9XmhsXOdDJuMtvU1jVKSkpKHUQKVpWUlJQ6mP7nsLqesLqVsLr3U2C1wg+rjfUE1Sb/tjVGozYMWGDVLkOBCQoOK8HB5oXbTvP44vFqzJ20DGM/zMaINyZgwDOE1R5J6Pd0CuOpWvhhz2R8yHP9eyZh8NNJGPIM3TMRg7slIeHZ8YjvPh59n0jGwCfHIjV6BsZ2X4CE4OmI7dQ2/5XQKfuyfhJWxX5YTRHIDZ+FlLBZiOmUj0GPZxFWpyLt6ZlI6snjsLGE0GQM7TYScc+Ow9BnRmFAz1Q6DYN6EGAZigf1SGUo52mmtf8zCejTMwbxb43C/MkrcKG4Ek6TE63OVph1ZpibTfC5eOyT1W6N2iJIZosDLncrPF4fnIS9yupTeOnlp3HrX/4ba9fMYC01w2GpRs3Fk7hQWoKls+ah1yvvovODwbjuuzcgukt31F6QOa8Cq3b43HyfncBoNcBht2rDgd2EysCwYAthVmy1WjVYlVB8NZR+umXPVAcMrGOTg3Xsa4XN44HBZoHJZtKG4bo8BGS7mdBsYJ1bmHcnfIRFr9EJGHz+XlSZo3rZhwt76rGxaC+mJi7EmL75SHk7CyNezUDci5MQ81w6hvYcj0Gs70Fd0zG460TGGT49gW1iLGJeGsNnpmD9jB1oOmvw99byE16zF3YD02l0sAw8TLMPJosTBqNFg1VZCEzBqpKSktI3WwpWlZSUlDqY/vewerINVs9/1LOqwWqzNl/VZDK1g1UnYfUjYHURGlpdgNvkw6UztTi56ywOrinBjkXF2L74EHavOIS9K4uxe/kh7Fh6CDvpPcsOYR+P98s13rNtxn5smXoQc5PWIOGZSejfeRTiI3KR0nUGhgdPRUznPMhKvrJo06fDquyTKosjyQrEMlx4OpIJqzJ3dXgQn4mchhFd8zE4fAL6h6Uh7dVs7Vtb+c29C48yPYc1711KS6jFixkW8zzTzvTuXn6Q6d+HgxuOofpUHWyNDtgFmow22M12uAl4Pp/sSUqwt+phd9jgcHoJgLJQkIvA6oLeUI+3334Nt95yM9atmcdassBprcf50iPYt3kL8ibk4K3n3sNT94bjx9f8Gp0fjkLZkQpWrOzh6mY5m2HSVUPfXENYI0DKNjG0AGrgjwoCnh5CpqweLKAq9Sfg+kVWDrbRBqtNg1Wbx6v1rM
oCRmaCqdvj4julN53vMplZ33a0mj2AzQ+SAqnGCxaUbDmF1XlbkR+3AKN75SHmhQnoG5WKD4IT8WFwMgaEjsKgsHEYwroYEj4RQ8IyMTRsMgZHZGBQxAQMCB+NvqGJ6Bs5HEVJ81FdXI9WA99vA3wEYmeLGzY926DFC6ddtrxxEVYlnwpWlZSUlDqCFKwqKSkpdTD9z2B1KWF1HWF1C2F1j3/O6sdgtYqwepmwKvNV/SsBfwSrBDOrnaDqoP3Q6rLSZjc8Np9/sRwZBkpw0eYsCsTwNLw0gfbKMFG5T1aBFcuxjkFVK06vq0L+4IUYEjUeg0JkLmkuhstc05D8fwGredr2MwKriV0KkdBZ9nmdgZTI2UiJnoWkbtMxOHQSPuiSgvhnJ2LJ6C2o3N4EZyXLK7DQz+dZ8iHpF7el22lyw9BohKnFSGiSRZQIqg4jWgikslKuZNzrbYWuxUSYssHt8uHihQo82/Np3HHrX7Bn53rthTZzNSrOEI43r0fmqHS82uMtBN3XAzd87zbc8+cgLCxYB5tOJgcT1Mz1/F4FzMZ6OOwWDTAFSKV+xAKl/t5Wt2Y5NpvN2n1fCFYddphpE++V+aAGPm+Q3lnGZWEnr9sLD6HZbSG4GlmJbfVsb3Ti0tE6bJq+C+n9ctC/ewL6RiRg2NNjEf9cBmJ7TMSwyPGIjZiIeG1e8BRaFuDKQZwsehU2lXHWc0SONkd4SPgY9A8bgYJhc1Gxswa+OtaTke1b3wqP3geX3ss0+OAmKFtMLkK6fxiwglUlJSWlb74UrCopKSl1MP2PYHXZEsLqGsLqZsLqbhQfaVsN+OyZNli9RFitJazKfFX/SsB+WJU5q1bCqo2Q+hGwuqxiAqvFTWj1EOK82jYl2rYkAqmSJIZeHstWJq1yXoBPwE+YQNwGsk3H9Fg4ZoMGOAPDxyEmilATKSAjK/l+PqzKtjey5YzsiZoYVISEoGlIkKHD0qvarRCDwydhUNRYTO47B0cWlcNVxW8KbMniP4FFgASmP8WS5ivppr0ET1md10uAk8WOzGY9dHqWl6EBZqsODrcRXj7g8TnRrGtm+dlh1LuweMFq3H3n/fjHXffi2KG9fJkNFv05NF8+gcozxZgxZTL+2fWf6P74q7jrxlDc/NPH8HbPGJQeLOe95GZjLVyOWng9RsKvAKgfQgWufIRZsRxLnQV6VAVevwioigVWrQKrdiv0VguMfN4ie6+ynm2sZ7fdp/WiawDPspMeT2ulA8fWncaMtMUY/tIo9A4Zhl5dYjAoMg2x3dMxvOtEDAkdhyHB4wilmUgkoI4goGpbG2l/gGD9aKs3t+2Dy+sxoePxYacE5PabifObquC95AP0/CbdSmj1Gv2rDbuthFUjwdqghgErKSkpdRQpWFVSUlLqYPpqYNUPrC6x1QGnhUBkJtTQdguh1eHjj/5WwpKPIOThOxwwyZBZmwtup1cbPivzPG0tNriNJEBCoeGsGauzdyDt9VyCJQEnQoaI5iI2LJ+w6t/+JlFbDdi/IvAnYDWoAKmh0zEyfBYSuhRi2FPZiAnJRXxUHt81CXHPTMbspLWo2tlAMmYhEba8tNvUCgdB2y5m2jVfibvhsLi04c82K0HOKFAk+4sK3bbC1+qGyaKH3tgEm9NMQHXAajcQXOtgsjYQ/vgBVkt9tQlD+6fgxuv/iKjgaJw5dpTPu2AxlaGuci8aKooxO2cSng3pgVcj+iDk72/g59fci1t/2QmLp23W3tHqMRMYL8NqqoVV5o26XVqdi2Xor8Cp1JUMBw70tH4alH6WBVYtBFWDje+wWWAn6DplyxyWgUVPWLV4r/xxobUFaCg1YffCo8iLnYsB3ZLwTqfB6B+ejISekzCiRyaGEVIHdxmD4aGTkBSZo4GqbAmkbUEkw7Vlz93gGUgKmqWFicH+fXSHh0xC/07JyO83Bxc2VcNbTViVrW/EsrWNSXpWvXBavTAb7QpWlZSUlDqQFKwqKSkpdTD952
H1I7vEck7ms2qL9MhCPwwJd9pqrbK6LGHWYLJo+2FanXY4CVkCuzYjgUjH55sJB2ZAf9aEtbk7MerNPAyOHI/BYRkYQhiNJcB8HFZlmxqBVZmrmouUK7A6FWlh0zE6cg4SggRWcwg+srdqLgaEjMWwHhMwN3UtLh8irMqwUgFVQyucBFMb0yiWRYas0pNokRVnJW7jef/quhabf5Vfo0nmpZr9+3+6mHexU7ahETiUewwwmhvg8DRrdWE0tSA3azruuu1hPHJPJ8zMn4nGS5VwOZoJqydRX7WTsLoX0yePRI9OYXg9qg9e6jwEf/l5CH5BYH05fAD2rzsMOGU8stSBjmkyXekxlaHAMtxXqyeLf3jwFQBlutsff55tDulJ5XtszJ/sm+rxwsOqkX11bXovvDLUm6Aq+6E2lNqwZcZhjO9bhKFPj0Wf4CQMDB+FpKezMeq5AoyImIxBj4/C4MfHIDUqD+N6zERKWD6BNJ91VqD1gMveuclBM+nZfmi9AqsZGBychmmDFqBiy2V4L/O70guuuRUuk4sATdvYvsw2wrmZ7dSoYFVJSUmpA0jBqpKSklIH038MVs1tsEogC9hFgHPynJy3CcwR4oy816jBqeyHaSewOrShpWaHFTY373fb4PE64SUUeKwu+IyEEavAqhGrs7cj9dVsbREeWXgnLoKQGlH4GbAqc1UFVMX5SCGwpoYWYWQ4IYQwFC/DhaMYRufig6dS8GF4MopGLEFVce2V+aheq4/p96+m6wc2vwPwZmOaBUBtYqcFLo8DPsgKvA5Ckh5Gg16LezwugpMJBr1e6/GULkiHpwG1dWXIzc/CHbf/Db/6+e8wOnk8HCYbWp0m2AznYGw+BEPjPhjqD2Ju/hg8GxSGV8LfwQfPpqL7w/1wy0+DcP01d+L54DexZ80O2FmuAQWG/Eo9CaTKcWDYr1gWXwqsFPzFzLw6zbDaTYR0M5+XXvBWbfi27Hkq5eXRAzXHCaqzTmDCh7MxoOsYDJa9artmYUS3XCR1zcOIsGwM75yB4U9ORELnyayPqRgdOQ0pUnf/Alal53V4iCy8lIaioQtRsZWwWtMGq5ZWeC0e2Fh+VrYtm7QrtjmDlLuUg+yz2qT2WVVSUlL6JkvBqpKSklIH038EVk3Ss2qB3UYoItR8DFZpOW+VlWOtJpgsYllFllDhdMDmcsLqssNC2LM4+C67AWaLHlazEU4BN7NXW8RIf46wOmUbkl/OwoDgsYgJn4LkrjOQHDVdA9WrYfUjUPX3rKYGFyA1ZBo9EyOCphGaCpHcrQgJhChZXKlfhMDqIlQduuyfo0p7rR44CT0OWb2XtjsF2JjPT7HZaoDFatRW9pWVca1WCwwtepaN7H/qoj1w2z2sCMDu0GPP/jXo1edF/Pd//w7X/ewnePu1N1ByRIb/isyEwHK0NOxFQ/V22FuOY8uyaXj3uefwetRbGPzKaPTqkYrH/vQifnnN3bjh+39Bjyefx5oF6wi5dm3hqlafbIvj0YYAByyA2h5WxZ8OplebeSeYO0mmdhfrzsK8mlnXhEOZb6yBvRGoP23HltknMf7DeRjQPR2DIidqc4vjo3IRF0YH5SAhKBepoQTUiGkYFUow7ZyDxE5TCKO5SNbqTuYdyzBggVXWL4E1KaSIdTuVdSY96RMwODQFBUPmonxzFdyXWKb8to9pcVntMJvZJlkPFpcFJsK10WaEwaiHTmC1UcGqkpKS0jdZClaVlJSUOpj+d7Ba3AarZ1F+4SJhtZqwWkdYbSKs6tvBqgk2wuhHsCohIY3HLhkSa6PbAFbriZQeSoKq3UNYoq1uwqrDTIht0eZ3tujqYdI1w2WykuyEvABDhQnrc3dh5Ms5GBhEWA2ZgsSIIiTR2uI7nwOraUGE1aACpF2B1SKtZzUhairiumVjQNhoxD47DnNHrcSlg/Vo1ZGPm9z8vhMuwprDIT2TATBlPj/FNrtJAyUzIdtOEHfaZQsVgqHZiVavv+x95M
gLZyswrWAqIqKD8K3vXINrr/sOPuz3Bo4e3slnmuB2NTG/9XCaT6P6wmacLVmJylNbUH5kG+ZlZ+GlkOfwQuc30f+lNPwzeAiC73oNt1z/GH79X7fjqQeiMCZ5IvbvOqj9MSEgB8tajmU4sGxbI4stSVzOyTBhgddPh9SA/bDq9jCULXLMLTDqDcyb6wqoNpRZsXNJGTKHLcH7kWPwTqdRGBw+BTHh+YgPL0RSuOxxOxMjw2dglAzHZl2MDi7AqKB8pGk9qrmsN4KrDAcOlRWbZc6qeLp2PIJ1mxCejZiw8RgYmoi8wTNxZtN5OKpYqEYfvFa2JbYzg6UZLbYmGDwGGNwG6O20ibDaomBVSUlJ6ZsuBatKSkpKHUz/HlgtQ/n5CsJqDWG1nrBKIGgPq+ZPg1UzYZWWPT9tNM+7CKmyQq7Ak/SqWpw22uo377fYpFeVAGVqIayZ4LMR9OxMtwdoKTdhXfYujPlnPoaGpCM2JIfASUgNKfwfwWpa6EwkEoLiCEmxobmIiczCoIixSPxnBhZOWIfqQ43wNZORm11wmhxMO2GV+XHSdgK1nenUQofJ77ZjhwxjZv7NJgOsZgs8Tiaa/9PELOjqW7Bt/S4M7ReLO267A9/+7jW4+ebfITbhbZy/uJ83NaPVd5nPnoFZfxwNl/egomwTyk6sw8kDq2C+fBZVJUfQ54U3EHx3MN7p3h8fPp+M/s+PxotPDsLdv4rEz797B/500334J+/Jz52KUydLIQtdedweGIz+upJtZmT4r9Sd9DZ+HFYJoxK2DXX+uK2sOwtkCx7p+ZbedI+N4EZWtNQAh9ZdQHb8Mgx8dhLeCxqDPsGTMJjwGSP1EzYDqZFzMTpqHkaHz0Zal2lIfSofozpPxYSwIoyLLEJyWA6BNBsjwnL9KwGzrhKlh5WW4wTWbTzhd1j4WAwIH4HcIdNxenMZ7DU2wOqDz+liuzJBb21Ak60OOncTdC4dwbUFLQpWlZSUlDqEFKwqKSkpdTD9S1h9nLDaq5d2vGTpEqwmrG76N8Gq3wQ6wqrdynNtC/rYaIvsAWqR3lQZEmwmBPG6ywKX2wqv14FWjws+uwtek1db5bWxxIDlk7Zh5Mu5iA3PxIjwAiSGSY+bbHGST8uWJ9IrJ8NIZd5jm0NkCHCbeT6NcJSibYkyVVtgaWhYFvqHjUX8SxmYN24tqg/Xa3Nkfc5WeOxuOKwENebrSt5knmrbXNX2tjF/co/b6dS2rdH2kKV8Dh/KT5VjatZU9IzsiRt/8Rv84mc/RZfO9yMvbxQuXS4my9bC462Cz1cBs/kEIXMVzp5ag4bafWio2Y/q83tg112AqeYC5uXk49XIF9Ht0WfQq/tQxL6ajv49x+PFx2IRete7uOWXj+EXP/k97r/zIQzoNRgbV26Fod4EryyI5PLC0GJGU0OTNoxXelllKLA251Zgu20erlU79m99Iwtj2Qi8fmA1w8q6lCHdMpcXrlb4WDeXjhiwOHMHhj2fgXc7pxH+sxHfrYj1VIA4lveI0BkYETwdIwipSZ0LkcpwVFARRgdPwxjCbJrUXdgUJIRnaUN9Zfsh/7xVQqwMB2Zc/hCRoMHqOL4/CfkxM3FmeznsdQ7AwXSwvTjcZhhsjWiy1qHZ2YhmexNaLDptGLDsC6xgVUlJSembLQWrSkpKSh1M/yNYXbIEa9aswebNm7F7924cPnwYJ06cwJkzZ3H+/AX+wG8/DPijOasypFTmaMoiSv7eOQkJb5rbYE6buyrA44cfWUXXaiEYiQUG22DV6Sbwee2EVpr3y1YkAo9Np4xYnrkdaa/kYljYJMRrPagFBBsBVOmRowVatR656fQMba6jgGsK79F6WsW8JzVM9mKdinieHx6ej4GhExHzXAZmjlqFqiN12hxZn8tHAPLB5XBqK/zKli9OwpuPgCe9k7JVjd0uixQxznQK/MlCUk7mzU2wEwlw79iyCb3feQe3/fk2XPfjH+Ifd9+BxLgB2LV9Kc
tQ9kiVTUJrCcVn0UpYbdYdJjDl4OSJVSybUlRV7sC5s5vRXF8Cj6Me9RfPIXlALB7/61N4Nbg3+vVIxuCnJyHm2Xy8H5aObvf2xv2/D8EdN9yPW399N4IfjMLY4ZNQfrxCA2jZ87a+pgFmo38xJm+rV1vh12w3wuGxa3G9RQ+b0wavz8s8uph/qSP/Ak12loHZxLox+4dnm6ot2DjtAMa9NxMDI8ZjQOcJSIgq1OYTJ2h/TJCe0WlICC5EfNBUAitBNIiASgAdSVCVucTJwTmID5uM+IhMJIXnYGRYAUaFFhFoZ2JU51n0TKQFEXRDczGcdT84Ig1TY+fizM6LsNU74bGzTrSh5SamXwejXQeTQ09wJaiaaQNhVS2wpKSkpPSNl4JVJSUlpQ6mfw+sniGsntd+4H/aAkt+WBUgbRtGqlniAfshVeAuYIfNqYGdf5gtQVbmhDrMGnDYXCZYJSTguqyEVRegKzdhZc4OpLyWi8GhEzA8eIp/qxMCTFKo9MhNaYPV6UgImUUTNkJmtg0llTmROYTVbMJRNmEoDymyYA9BdkTENAwhKA17JgNFaStRcaxWg1W3TRZFkqGlTpgJ1BZZ6djpgtPp1rbfsZgJqk4vvB7A4XATLB1anrxunmj1oLH2EhbNm4nIiFD84Hvfwk9/8j1Ehj+GObOmoLlRIJUEDgNa3dXwOS8QuM7zuJEgtQ8F0+Kw/+B8eLzncf7iZuzZOxtlZVu0+2Vs8ao5C9DzyZ4Iv7sn3ug0EIO7T8Kw7nkY0jUXQ7pNRt+wFDx971v4688ewrXX3Ihbrvs7hrw5Agc3HIWlwQov4c5JCJU6s9jMMBFUTTK818G6tBP4NJthYd0JpJotdhjNrEOnBzbZF1fPcmhphdcMXNh/GbmDFyA2msAcmol4gmciyzVJm3cqvd4s54C1odq0XA+ZihQNVOUcYTU8EwmRGUiOyMFoQu6Y4OkY12kWxj0xB2OfmI3RT83Qth+KC8nEoPA05MXMw+mdVbA2uAnxsngUy98lPcIm1pOFZt4szJdRRgAoWFVSUlLqCFKwqqSkpNTB9NXBqt9yTnoebQRUcQBUA7AqvadXw6rVxfc5aZ532Pyw2lxuxIqc7e1gNYvQk6fNdUwKuxpWZ9Nz2oC1iOAkc1mzkRKShTRC7qgw/4q0icGFhNUiwmoWYp7JxPQArPJ7AtEmk+RLenm90olIWHOhWWdEc5ORcOrSQNXtaiW0+uAkMAmoul1OXKo4j6yMcbj7b3/BD3/wfdzyp5vwYZ9XsWP7Mr7vEt8kix81wee4BLe5HF7HRVZQLbzeepw+vR45uUOwZ/9s+HABldXbsXZ9FooPL+MzOtqBS2VlGD98LJ68JQQvPPQehvRIx/udxyKmax6Sni1kOBEfBI3Ai/f1xiM3huF3374dv/v+7Xg+5HUsmbESDZca4bA6CXAtaG5pho2QJ7DabGyC3WWD2+dCi9mAyw0NhFkee3wwmvzAama+bSYv3HrmosyO7TOPYswbhRgqdRI0GQldcjGiUx4SCZbSq/0RrOYjIcw/VFuOteHabcO0E2WeahTrMGoyksNzkMbnRncuIqTOwtjHCKuPz8aoJwirnQv4jQz0D0nBlKFzcIqwamvyyd8G4NVWP3bD6bKzLmi7Q5tXazIYYWQ7lbw2KlhVUlJS+kZLwaqSkpJSB5OC1S8Jq0y72WwhnNkIQP6VkhwOJ5qa9NA1y5BgwqmnFXYrAcnugc/bynzYcKLkCAZ82Ad/+P3v8O1vXYMnn7gfhQXpqKg4BpermW9phtt5ifmugNd1CT53NSvnMs834lLVAWxYn4e1a6fgUs1Owlc5ys5vwLKV6di7bx6huBKt7hZ4XC7sWbcbzz35T3S/+xX0CUvBh6HjMCRqCoZ3y9Z6OYdGjsfgqFF4r8tQhNz6DG761m342fd+g4f/9hRGEnRPHz1LuPYSxGWuJ0HUQqAz6mBn3OklrJqMqG/WsQ6cBEHAQrgVYLUyvz
4nk2wGzuyowNS4xYjpPgGDgsYhgWUs+6QmdmHZ0p8Oq+3mFms9q6ybcEJ2lABrNusyBylBBRj51HSMfmI2QXUuxjw5F6M6zUZqUBFhNRN9u6Rg8qA5KN1x6SNYlWbC/Mj+qjYL25vFAZPeDKPeRFg1tcFqo4JVJSUlpW+wFKwqKSkpdTApWP1ysCpzVQVOLVaCnEnSJvuSumAhvJpNBFjGPYQjt9Oj7Wmqb2nG2jUr8dZbr+MnP/ohfvjDbyM6shNWLJvO8qlkqZtoM4G1BlbjWbisF/hcHc81Ar5qmIynsXFjAWZMT8LZs+vh8ZTD5jqFi5e2YPf+Wdi5awbOn9sGp4VwS+mqGpExfDKi734eT9/7LmKezsCQ6Ax82Hk0hoVNQGJPgt9zWYh/ZgL6RY5Az/texe+vvQ3XXPN93PzrvyBhUBLKT8nQY1Er82VmXRphsspetzZYHbKdkAMW1pGNdWWzu2G2EmwdhDVpShZgx8KDiP8n3x+aiiHB6UiKzMfIyOksZ5Y5gfOjYcAStofVvHawypDnEyPzkBCZw/rKRVKXAqQ+NQOjn5qLcU8twNjO8zE6eB7SwmYgLnQK+gWPRNaQ+YRVliVhVfZ6ZVKZBzcMRitMBhssJidh1UpQJbAKrLK9KlhVUlJS+mZLwaqSkpJSB5OC1S8Pq9riSUxvi96oAavL5SGseJlXyZcDXo9/yV+nw4o1q1cgKioC37rmGtzwi2vxQe+XsW3LEuZNek2bme+L8PkuE0KrCaqERLcMB9aj1VODC2e3YsvGQsyZMwobN+RBpzvMa1Uw20twuXEXaup2EqSKsGpFFnSNp+WT8NpcOLKhGM8//goevDEEQ3qMRWzPyejXZQyGhaZj1LMFSHkmBzFRYzGs+2jEPjcKLz7yDv5y7d/x0+/cgFt/dycSh6bg4ulKbR9YD/MmPclSp1bCqkcWV3K7CKg2mMwy/9OhwarM04VUCSFxac5GfBCZgH4haYgNy0BSBGE1YjqhcjqStYWuBFID/jisyrHMW5XeV/9Kv7mIpxOC85EoW9t0mYnRXeZjXNBCjA1ZgFGhc5HCdw9nPfcLG4MpMYtQuvMyLI0+tiHAammF0eiCnoBqMrB+zB5YTUy/0cY8maBje21SsKqkpKT0jZaCVSUlJaUOJgWrX3YYsPQoSh78vavSoyqLKwmwSlwWjBJJ2g8e2I1XXn4R3//+9/CD716Dgf3fwunSPQSoKt4hQ38bCao1NI/FXnE1fATVynM7MX/WaIwd1Rtr1+TAZDyh9aoCF2E0H0Xl5a2wOU7yG/NRODUeZaXbCLqy0BJgrtKjz7P9cOfP7sebnQci4fnJWo9qfHgWUrsyz9FTMDRkLAaFpSGmx2gMezoNr3f5AA/9sROu+9av8bc/3YvxiZNQdaaa7wTshFEr4dTtIZR7Pdq2QlbZvsbpgsFoJrDbmN9WuC1A/VkTClIX4p3gYRgYNgpxEZks62wkETZTCKqy7Uxgj9T2w4AD/hisMozncZzcw+Ok4OlICZ6FkSHzMDpkPkaGzkNK6Axtr9UhIRnoEzYSmbELcHLXZZgJq267pF16Vn1sj8yD2Q2ntRUOHltMDj+sagssKVhVUlJS+iZLwaqSkpJSB5OC1S8Bq+QRB9NlNBiZdulBlf1I/UOABeZkCxefj9DmcWL/vl0sv9dx7bXX4oc/+BYG9nsTZWcPspTNtI4FLz2rMty3ls+dQ6tPht42w+e4iIVzJiA57i3MKEzGulU5qK7ay2tN9CW++yyadPtRWbsVLu9pVFZtxaIFY7B0wSRUlhfzHsrqw7iY8Xjk5ifR8x+vYGjPURj9EuEvMgexnTIQ22Ui85eJBFmpN2oMYrqPwpCeyfjnE+/hrl8/SGD9Fe679WHkT5gG3eUWrcdU9l51yaq/zL+ZsOr0uGgPwdkKk1kWLgJMjW6U7LiA9MEF6BUai5jo8UiIykJc0BQkdMpBcpcCpAQJsPp7V2XI7ydhNU+DVW2BpR
CCKi3AOiK0kHU1HcmhMwmos3h9FkYQfOMIwcNYf/0J3++FjED60Nk4tv0SjPVML9PkcsgfGAAby8ROUHUSXq1GtzYkWGBV2quCVSUlJaVvthSsKikpKXUwKVj9X8CqnrBqdWhl53a5YdAbtP1WWZo850NZ2UnEDO2H63/+A/qn+KDXy7h44QivWwh8NczrBYJuFQHnIhyOMng85/ie07yHULQqFwlDX8HolPdxrHgF7JZzfG0N76kiMF6Ex3sOLYZDqKzZjGb9PtgcJThcvAhj03ph7YpppEoWiqcV6+atxmuhryHkjmi81bk/kp7NQnJUHmKfzETsUxlIJrimdee3ugqwjsWwbiPRLyoOLz/2Dm6//h5895qfIujBSKxduAkui2y7Q8w22qHXm+Bwsc5IgSaZw0pYdzi9IJ+jqdqKjQv2IbVXJvpHJSG++0Qkdc1h+eciqXMeUjoXXoFV/zDfz4ZV8QgNVvP8sBpeiOTwIiTSCQTX4QKpwTkYFpqFIRGT+L3R6B2VgIzhhNWdVTDUEVYJpgKqAq0CqmKb2QeDzgZ9i1nBqpKSklIHkYJVJSUlpQ4mBav/i2HAVuZH0irzV2nZBsVsMqLV50Zzcx3y87Pwj3vuwLU//Q7ee+d5nDt7gKXbAo/7MlqaSwi3JwmelRqotugPEQAPorxsDWZMi0d8zMuEzhyYdKUsgwusoFr4fJdYPmX0WXh9F2AyH0f5hbU4c3Y5rLZjhKzdmJIxELML0tBSS7glTFadOo+0DxPx0B8fw9MPvILh3ccjJSofKaGExGBCIfM7gvlLjMpCSo8pSHx6EmJ7jMbAbomIuvd53PDd3+OXdL/XhuHM4fPwyHBag531S1glmJnsFujMetg9LrjcbEOsjsYKE+Znr8bw18ZicPeRGB6djuSuuUiLLEBaSCFSuxQhOYj+ArAq12R4rwarPJ8YOZWwzXphGMM6G9hlIvoHTcDAiAkY0nM8Bj83BoNfHolp45ei7EgtrDr/nFU2FQ1SrRYvbLSdNrZYCasmBatKSkpKHUQKVpWUlJQ6mBSsfglYdQJuwqnX49F6VvV6I9xOF5wOBy0Aa8LOXZvRo0cUrv/ZT/BMjzDs2b2SJevfP9Vhv8B7yuByEUIh81ar0dS8lxA0HlmZ72PWjATs2zMPBt1JXqsDfDJUuJZ1dJnfvAS3qxwG4zFU1+7E2XOrcPDQTFRe2gSz5QgO7Z+LuTNGYufG+XAbGuFxuFAwPgu3/PIWdLv/WSQ+N0nbCiYttEhzCvOeGJqDeOY9PiwDcZHpGN51HOKeHov3w2PQ+Tbm4Vu/wz/+8gSmTZoDXbVJWzjKanHCIisCyx6srBOzg3UkiytR9eV65I2cg4HPJmNwt5Esv7FIiszGmKjpGBU6HSmdpiG58zSkCLASXj8VVmk/rMo81TzW5xSmL5tQTWDtloe4qClaPX8YNBJ9QtIwoPsoDH1pLOLemoCRA7KwctZW1F8wwmuH1ttrM3thNblhMbON2Txw2X0854DJKD2rxrY5q2qfVSUlJaVvshSsKikpKXUwfdWwGvA3rWfVbSeYar2rdoKbDR63h+m0sSDdcDlMGDs6GTdcfx1u+8sfsGB+PpzOy4TMasJMNVxOGf5bwZKup2tRVbUdy5aNwpSsDzB7VhzLcx3PN2jXXJYy+FyytY3AKr8toa8S585twIGDc3CidCm2bsvBkWPz4PacYnpKMWdmGnImDodTJysKA7NyC/DrH/0CkfdGI/VFgVXmL3ga8zqd+SzU5oWOCM5GXHAm4sIJrFGTENeD0Pr0OPQKGYy7fvkwfvbd36J70AvYv/Wwtm+py9EKk9UCh5d15rNrvasWKwuGunxWh0nDp+KD6FgMjk7DsLBxSAxnubIsR4XOQEpnQiqdGtS2KvDnwWqIwGou4kIJ0xFZhOlMDItIx7DoCUh5KQf5gxdi6aSNWFO0Detn78SG+Xuwc9UhlB+tgq3ZxbJrhdvpg93iIZw6WVdsbz
b5w4KboeyVK7BqULCqpKSk1AGkYFVJSUmpg0nB6pebsyrpspjMBB6HBqoyDNhqMRNILTh35jgiQjvjxz/8PgYNeAuVlUdZqi28v5zQWqHBqs9byTKvROXFTZhWMBgjU1/G5k1ZLLNi7bz0uPrcF+FxnIeXz7TK6sA+mbNaCZPxJI4eWYJ9+2bj9OkVWLM2HXv3FfEZ6amtxrLF45E5bhCaLpXC63ZhyZw5uPvm2xD8tyAMiU5CSmSeBqvJXQiKXQqQFDQVKcxvijbENg+J0QTXrhmIf3oShvYYiag7X8S1/3UjfnvdnzFpZA6aa0zMZyvLn/XmssHmtsFgNbF+WTA+oOZUMyYMzUWv8CEYGj0S8ZGTkMh6kKHHI1n+AqkpXWiGsiJwYruta9rDqqwCLLCaSLhOjMxGbNhEDA4Zjdiu45H+XhFWZezA+R01cF/2wmv0wWNohccEv82yKrEPLquH7cjNduKiHbBbmV62RStBW/aONZtlGLDAqgwDVrCqpKSk9E2WglUlJSWlDqavGla/kcOA+T1P2zxV6V0VaLUwn7JSbu3lCqQkxeD6n/0Yjzx0Hw4d2Mjzsj1NC5yOShiNpwissuLvZZbzTowf9zbiYnti5/Z8GA2yf+oFtHrKCKhlBNRKwmYVnNZyuOzyTC0B6yxKjq9GSckKNDTs5zu2Ydmy0di+YyqvX6SrUHp8OVYszsC+7UvRWFWG/Vs34d0XX0GnO5/CKw+9RyDNYf4IildgtZAgOQ2pEXQkjyNzCZiTEd8tA8N7jsfbnQbh9l88gJ9/5ya83PVtHNp5jA0GcLrcaLGwjlknTq8bHgIsPMxZKWF1SB56hQ3DsKjRSIjIZPkSkEMKMSp4JtK6zERqlxmfC6ti2dImgc8lR+YjtVsuBnUZhQHBKZj8/gzsnnkczSdZ5jrSsRGwN7vhNPkXgNJWLbZ74ZZ9X62sJ60diW1sLxa2N7YhmxEWq4Ft08B2qlc9q0pKSkodQApWlZSUlDqYFKx+eVh1M60uGQrM/NnMsgowcKR4Lx78x1245ppr0Of9VwmoMtTXwrAKDscF5uEcj5tQd/kgigqHY9yYt7BxfSbMRtluRnpGy+ElrLZ6LsLnqSAAXoTHSWtDgRtRV3sYK1dksdxXwee7wHLfiKKiWGzeksPrvKf1AmyWUzh8aDkKspNx8uBWVJedQHpKCjrf9SSi73geidFTkBIxnfkjKBJUk6SXleWQGkaH8zg8H/HhU5AQNRkJPTMwtMdoBN/+DH75rZvx1xvvx4yceX4g9LaiyaiDwW6AT1ZAJitKr3PtyWZMHDwVvUNjCatjCauT22B12heA1dwr1s6F5mq9vandcjCocxoSn5mEdZk70Vxi1uYOCxw7DV7o6oww6U0sEw+Bke3IZmX7sWrtRyDVRUgVOwiqNpuBsKqHmTZZ9ApWlZSUlDqIFKwqKSkpdTApWP3yc1btZgtDG3xOB3xuO3xeD1YsmY/f/uYXuOk31yE3ZyTTLnNMm2G3lhNYpefzMpqbSrFmZSZGpb6JfbtnkPrOodVbxnec4b2y1+oFeDy064I2FFiekT1Zm5tPYsf2uVi7Jg9Vl/YSFi/g5MmVmDYtBqtWT2B5FxNwy7R7T53ahJSEXtizbTmaas4ha+wodLnnCUTe8TTiu05GcmQRy4egyDwKMAqspoQWITl0GstiKuJDcpAQmY3knjmIf3YSnn/gPdz8vbvws2t+i9i+SWipMxHMvLDYLVrPqoOA6HH6NFit+xisjiOsZvG9eSzbIsLqrH8Bq/xum2VFYNnuZkRYtrb4U0zoWEzttxBn1lbCU+uFz94Kt9UNh8XJ9sV2xLQ43GwnTI/NbmTZm65Aqstm1vwRrLYoWFVSUlLqYFKwqqSkpNTBpGD1y8OqQxYYshDaCElodcGob8CEsam48Ve/QI9uIdizawXPlRM6a+D1VLOMG7WFldaumoJJE/pg47psNNbt5bOy2JK/V1TA1es8A5vlJMHHP7
fV4zwPl+MCdu+Yj9mzxuDcue2E2UtwOc+homIrtm7JxcKFqdi5s5BlXcJ3mXH29GaMTevHb8zFuTMHMXF0Cp685zGE3NEDsV0zkCTbv4TKSryFBEmBVL81eAwuQHwwwTEiD0ndcxHTdQJef2wAHrgxCNddcxNeiHodB3YdhcVMQGe7sbmt0BlbCO9Oraez7qQOEwcV4P2Q4YiJHIsR4Vks23yMJJyODpqNtM6EVTolaAa/R2j+HFhN5Lm44MkY2nk8YsPHY3HyJjQVW1nhgLPFDaPO3w7cPhccXisMjmaY7M2wOQirDoFVM4HWQvMeBatKSkpKHVoKVpWUlJQ6mBSsfglYFSbTtq5xw2xogb65Hl6vE+fOluDdN/+JX/3i54iP6YfmhtOwWyvg80jPaCNafbWoq9mP/OyhyEjviwvnNvEdF7W5qa0ematKOHWW8d1nCbjlcLnOwaA/jrJTG7B+dR5WLJmMkmNrtbmvrb7LsJpOwdByFE0N+7BsyWhMzuirwasMM75UtQcL52Vg1vSJ2LB2PvIyJ+Dhvz2AB3/fBUO7TcSI6KkEQkJiGIE1THpT28NqIRKC/fNF4yOmYFDIWPTuEoeou17Cjd+7BY/e1QUz8uejudGgtReby4KGpnrYDHatZ7X+RDMmEVY/CInDsMhxhNUpflgN9sPqSIKqBqxdZiA5WHp4P4LV+PAczVd6VuUc62Vo5wkYEjIGi1M2w3iSRGzhpyxemIw2GAml9la2o1YzWpyNMDib2D4MbbDaBqpWmxY6Ca52q8xZNcBsJayqOatKSkpKHUYKVpWUlJQ6mBSsfllYdRBC3bAYCTx66TF1YMf29Qju9Ah++fMfIzM9mRDaTKhsYonKNjQ6Qu1xrF6RhbysIdiycSpBq5Tn61n41Wh1E1alJ9XlX9EXuNTWa1qAVcsysHjeeJQcXc131vBaM79Xo72vofYAvO5yFB+Yh8yJfbBlUz70+mOwmMtxqnQbxo2NweRJKZhdlIcH7voH/nrD/RjUdSziuuYiLoKAGE5QlHmqGqjSMo9V8k2AjA/OxbCgDAwNm0DAHYuXH30ff/jJHfjzDXcgedho1NY0Mi2A2W6E3tgCl1m6nP2wmjGokLCagJjI8dq2NZ8Gq2lfEFZHsD6GB2diQOdRmBO/DoZS1rmDxcbA6nShxWGEwUv4BMGTZW5wN8Hs0hNWZeivQKoDHouDoRMuQqv0iFttbJdWI2GVzypYVVJSUuoQUrCqpKSk1MGkYPVLwKo2DFigx0QbAZ+s9OPGooUzcc9df8YfbvoZphdM4DkTrWfh1jFsQtmpTUhNfAuzpydD13yUIHtJuyZhq7uC75F9UWuZ77MoO7MO69ZmYe7cVKxfk42q8zu1lYH94NvI+qqHXleCC2VbYTGdQovuKDatz0VebgwOHlykfddqqcCokYMxIv5DzJ01FQ/d+wBuveEe9JO9T7tOQWxELuIjpjKP0rtKaBRwDJJQ5pEWYnhQLoZ0nkSwzULKizl4q8sg3Hztnfj5d3+DPm8OQE0V087/WszNcLocaHWwDbFs6kt0yBg4DX2CEzA8YjzLfwpSg/Mxqm0Y8BeBVbF/zqoMBc5HPOtnYKdxmB23AS0nvWg1s8SdrTA5ndA5Ccs+A/j/tE4DVhNhVdqMSwNVN7xmN9wMXRa2LYtda49mq5mwqrauUVJSUuooUrCqpKSk1MGkYPVLwCp5xGWzwqRrhM3iHworkzUL8zPw19t+i3/c80csXyJbyZCo0AyfqxpuRwUO7V2E+JiXsW5VNs9fgtd5Hl5XpbaPqttWzkq4THCtxsG98zE67S0smJ/Gct2Eutr9BNLTbb2qjYTaerR6amA1nkFTXTHMxhN8roZwtR3pE/pi1cos3meAz1uHzIxEpKYMwuyZeRqs3kZY/SAyGYOjJmNoRDaGRxIQI5nP8CKtbEYET0cSLUOCE0LyERs8GQldszHypTxtwaQ/X3c3vnfNtXj16TdRXXEZXua7yd
ybPkPV56i1atUyHbWyeyK1EkNWGzVqhAYNGqBv377mI1d9D2OnGVljKOMvJ0DG0Pbcyhj6Sao1hOfPn3dwcHBwcEgzZPwsguP9RtFCNieUUVQPrj5X0eiqOlrVM6vVBzXdSAZRI5T6FkY9txq11M/IbwZZFTEVSdVWSG0asGytFoLSQhMy3JoapaX9NetJpFvvI0OvKcCaVqWOZDv9V/mgXu3g0VTlX3DeOjg4ODg4XCvCwsISw34bbe20tc12hFXTgkVYZdv8o6t2XQkNkuoz1J49e5oOWnXUyu4lklVNAw4mq+q5tdOM9N2PWLDIqgy6jKHtuZUxlCG0JNUawgsXLhjoZRwcHBwcHK4GazeE8PDwRPhtiTWOgmyOSJjskDWIdnRVI5N2MQeRVXW8yqbpu1X9fFzTau0UW5HVmzEN2E9Qr0ZWNUqqhaDsM3bv3t38tkYr9FuyKiNuFz3U+8oRsLZZTkLwaKryzOazzU8HBwcHB4e0wG+bra229kT2xXJAbWV77JRgO/tJncnikfqkVIOgGgwVWbVTgbVav9ZOElnVehLJyKqGWS1Z7devH55//nljDDVtSj9X11Ctem6VuAy6biaGrJvbUdVgY+h3NBwcHBwcHNKKiIiIK2CP+YmWDKJsj50ObBd18PfeiszJ2FmyqpFJTafVjKLbgazakVV9xyOyqt5n+29VO+tJ76n3VUeytc2hOpKDnQ0HBwcHB4e0IpRtFnTMb5vFBWV71GFqO5Nln9WZKltrpwJrMDQUWX300UfNehLJyKp2GjdubL5b7d+/v1ktUcbQ/rLGv9KgphnpZnaake25DTaG9gUiIyMdHBwcHByuCVFRUclg4/2GUQZRtsdON7JTgUXaRPbsd6u291YdsLcTWR05cmTiN6s9evQwix9qkSh9oqP3sbOe1JGs89WRbG2zCHzw1F9LVJ1tdnBwcHD4MQi2zdY+W95nSatsjzpMbWey7LM6U8Uj9ZmOXRVYM3i1BsOPIqv6tkfTjLQwhX9xJbt4g4ZzdXPbcxvKGOoFoqOjHRwcHBwcrgkxMTHJYOP9hlEGUbZHdsg/Fdg/1cj23tp/ut0JZFUjxCKrdtaTDL/e12+bReD9tll55Seq/rx2cHBwcHBIC4Jts7XPftssLijbow5T25ks+6zOVPFIu2K/BkOviaw2adLETAUeMGAAXnjhhUSyqgUc9M2PphnZb2LEjO03Mbbn1hlDBwcHB4frgZSMoRBsEGV77Lcxdiqwf6qR7b3VJy2aLaR/lE6ZMsX8eFxTbG9lsqr/wfrJqgy5Fj+060nYWU8iq3p+v20WgffbZuWVtc2uI9nBwcHB4VoRyjYLOmZtsyAuKNujDlPbmSz7rM5U8Ui7poQGQ2WbxTf1+emzzz5rfqGaJrI6f/78RLKqhSn0zY9dCdiuNGi/ibE9t8HGMPgFHRwcHBwc0oKUjKHgJ6t+g+ifCuyfamR7b/VJi3pvtUCR/uV2u5NVGXj/rCe9r982i8D7bbPyyhFVBwcHB4cfi1C2WdAxP1mVfZbtUYep7UyWffaTVQ2CyobJNmsNBn1+ql+n9u7dG3Xq1Ll2sqpvfjSdypFVBwcHB4cbjZSMofBTyKpsmiOrjqw6ODg4OFw7QtlmQcfSQlY180c80i6AaMmqPmvRWgyWrNatW/dKsqrVgP3frPqnATuy6uDg4OBwM5GSMRSuF1mV3RMR1Eq748aNuyXJqr5ZtasBO7Lq4ODg4PBzIpRtFnTsx5JVrY0UiqzWqFHD/LItkaz6/7OqX9dogSVdpClT+mbVPw1Yw7epGURLVq1BDPVSDg4ODg4OqSE2NjYZbLzfKMrmiKz6jeHVyKp+/TJt2rTbgqz6/7OqX9fYBZbUmaxvVoPJqt7b2mb/N6uhyKo/rx0cHBwcHNKCYNts7bPsiiA7I3sTiqwGf7OqNZHEMy1Zfe6559CnT5/QZFWrImpUtX79+ujbt6/5z2ooshpqgSUZxODeW//oqnkJ/w
slC8dx68GGtU0KJ53vD8fGKrNuV+j5k947NOz7JuVB8vCV8NK9/WDLO3XYd/TyJm0IlffXC9LrYHjHYtKAtKSThOD3SsoXfzgJyfXC4sp0bhckvZtX/j8BMYI/7eC8vl0QSm8s/MfTGrbw583Pj7i4uGSw8dYoWrIq+2ONYUoLLNneW30XczuR1eHDhyeSVRntYLLqX2DJktW0LLBkbfOPQ1JZpC0cCsnPTWqnrgzb864Mp36dP3w900iCv+6khFDX3en4sTrhx81Lw1+2V4bTphOph3WuB384JeicUPCOJ6V9e+Hq75c2BNKTLU+W9o8tl5TDKV/nD197Glci+buEDl8N13LuT0ewbbb22ZJZdYj6yWpqCyxZsip7JruWJrKa1pFVaxDTMtVIznl0XJKjHh3nFZyUNjo2gVsPXjieWyEQxwyw5yuNpHSimDF+RF5j+Gq4EWkIyg+9j/euHpLyIBGB91Y+RMcxP4TEsPJCx5PDSze0Yt2K8OvAVWHe0Z9v9noPV6YvJ0HOmL88/GVxtXBKCJRjXHhyxEaY+BgiOv7q0HleOrwuWVpeOkn388iEp/P2fZUnXj3xwhYBHVGeGh3xw0vjyny61ZH8HWN98HSB4Zi0Iy5aiGdYaaekI/78TykcCmm57qem4elODHUlhjpncEVYxxVWXGphnmvDJm1LXIPL4ObCGjtr/EIdk12xI6uyN6GmAadEVm+3kdXrRVZD2ebg/E0zVJ9YNw1SDetchRUXHFadVDhQxwN27sqw2jyFPduXPJzadTcuDc/hVl5EIy4mKlV4dSoYuvYOxo/WCX/4JqTBcGid8IfTphNXTSMAfzgUoq4Cz+7r2W8v+N/b5H8AMT7441MG6x7tt2y5LeufVC7Jrrs5aZjyuxY9TXZuSmF7HcM3CKnZZntcdsXa52slq3ZkVYOlIqt2gaWQ04CDF1gSWZWBV2IiqzKe/m9W1ZMtJyElYxgdQ9ARioyLQhRhwmyso6hsUczkSBZoFDNZUDhaYcUlhuMJOtu8xp9GtHHO5JjdbuCzs7Lp3VKDlzdxJk8imQcebDgOEVQWPxRn88kq1K2OaJ8ORMReTAbvXf3w3tvLH1Z8k4cWSZUoCVHMaznhocrgp+ACEcaKeS4RMXFE7HkTHx0Xhsj4MEQkhIaORRE6T+fHxPE6Xp+UnpeOdy/pOMF3iaZTFK3yDeiO6ofyJTrmIvOQ+SX48srTi5gAor26wzQM6b0ir25VqFxV1t572TYhGDE0Wkm4mIjYqCsRR8RHsVGPjmPamgZ5I3TkRuKC0Z1o6kw0dcdDcFjH7X5qYXudwkqbeWHyJFRZ3DxYY5faMUtUBY0Uyvb4DaL+5SbSJvJmyaqdBuxfDTiYrOr8Gy0ippcvXw5JVv2kVfH6b6qmAdtvVjUNOLVvVvXvOr13qE90ZJuVV9Y2h8rf1KH6qHpDqK6xbhqkGta5CisuOKz6qrCt47L1Xtiz+zaeto3nWJvoDwefm1L4eqahsNph1ZU4th/x0RGpIlaE1YdboY7dGKRVP4L1IKXwTUiD4VA64Q+nRSdCXecPe9d5sOEke53c/wmPvYQLsZdDQsd0vqd/ocrgVkUgD2L4/DGX2f6EwiWWi7XfLJ8AYq9APIlqnLHjcVEqS1sWP7Zckq778WWb9jSs/3pNeprs3JTC9rpQ/vD1QWq2WQi2zcFk1c58SomsyjbrP6saLBVZlc2rVq2asXs3mKyKmMnRpoEMwAvzhfhiXiFKgZMg59uDV6m9gmUm6JrA9RbJnLgYOfWBOLMN4IpwiHNTCl+3NHzxMlRGwVQRr6yY9r29vBEJ9ZTc21qIiMQmQySJTBSJyJ1IVj3d8PIjmKimXDHlFMj5Dsr/ZOVi4/zhEOcmC4fT4Qijk3IuAEsuBRGJCySkF0hMQ0PHogidZ4gvyUIsSYNNS0girDqH9zXPpgYiiaxakpqMrArKszg/WY0mAp1Ftx1ZFbwy9+uD1QlbV/z1J6lOpUZWGW
YdjI2OZVkGyKopY185J9MJfziUTvjC1y0NGxccls5YfUsJXofKtYXtc/z8jnRqBtEe+yWQVY2s3qpkVfUnrWF1DHmdQ8Fh1UEvrDrute9eOKmN9+JTQvC5KYVDXWtxrWkorLyIjRZRDUc8bUKCiCm3ieEgxPHcXxJZ/fE64Q/f+DRUtn5dCIW06MTV4F1nQfsVZM/8vs8FEtKw2B9CQsd0vu4fugxuVSgPZLdFVn9IRBQRHW1xrWSV2yjmA8O2LH5cuSRd5w+HOj8UrjUNe9zqol8fUwqnrN/+sL3OkdUfSVZFLOkIEdp6JFPxIivKWBWuBy9MB5wKaeO8guW5vEbOmpdGUjqJGaUCo/OZGDYFRlwR1nGFFZda+HqmEQibY9qqEvJ9zVYVU+EAAvkgpTNkzpBQCxL8ACJJPPwQERFRvd3IqspXvVD+hluwvVNRJOZeBfTy0rsmCbFMJ9YY/1Dw3S9kuQTKI1k4+Nwrw7GskPHGUfEQx309g3mOQFmYMkoki144kuHEDgWeo/PjWEe8dKKMkxMnMpxIJAIkgrruOTo2z1QvPN2xHTuJHT7KM3VemPt5JDUyjvWR8OoQ7613uY2g+i89SAZTPwLthr/+mDoVMHI+kuonq4K37xFWcx+zteEfqx/23OuRhuJChYN1/HqDz/AzIzWDaI85svpzkVUPcdRXM5X+KmGdazqFQoTNuYGwENy2W/iPpRS+Gq53Gl7brbY/3LTZCWrD6et4ZNXaBSImsCV+GWTVw4/VCX/4Rqehrc6xCFXO/nAopOW65Gl4divJv/GQ3P9J3nHvh47pfC/dUGVwq0LvznelvxKMaPkxASTZ7ySbLhLmIYmcqXzjoliGKmciOJ+vNRwKNzQNPXcgLiXdtGFzjuKuEk6u06HK4KcjNdssBNvm246seg63hXrvbYOtTJUT5oNV1MQ4naNzPbLqT8fMXY++RKdTuByAPxwKKZ17s9KgkyxH2lQ4VUAbDkawwgXyIFXcjkYwqQKHxFXIlUcSk6ZYJSKax0z+ipSkpVwsrl6ecQwnRF5EQlQCEW/CGq0zJMg0uMIlNsTqRdSIpxcWsVS8oPN0jUnHQGnFGdIaawirphpf8MKsQxoBNGTYvLfqhY+YKRyoL2aqsOm4YN1jHfHDG2m+3XTEvkswFB/AFXrjOQTB5FVI7J01ZFVlahGqzEMhpXOvdxopQecQ0uvrDE+PbpyhSytSM4j2mCOrN5+sem2qh3giLoDUwjrX7geH7bk2zVD3vDXhtzlql73ORkNME8P2+JW4Pe301WHL0V+2wrXohD98o9Ow5wih3ufGQO2r305Z+O3X1RE67Vsbod4jLUjiAcnTu7nldn1h9U5ISTdt2J4jpBb263Soe14PpGabhWDbfEuRVWsQUyKrMdFytOVwW6fbwnO+lbGhiJoXTxjDoHPtdTYtNvzG6fwBsZG4PRAFEprLZq59vIiJBd/zSthRNzvyFphSxHc38IdNfiTlaSglunXhjTCGxpWGPm3gtdIjQ0iur37EEQnEpXAigo5mxCUTvhjBeCJe57Gc+RgGLD4Du+/pgHeezhd07aWIy7hoCLDK3q/nycs2sV6YOnK1+pI8jduPrOpZNSJMsh0XnhyGgOuYECCtycCGU8TdGLoAkU+ESGxAN1QmKrPbBNI/6c71hzph1PHhyOqNltuRrKpt0QwSzx7dGKRG8G5JMD+UL54N87ZXhBPb5KTrvGNJeXsnQO8pnyVUud4O8JfPjYenG8n149oQqgxudYS209cCOyhjO6yT9kPn862NUHp4PWBm+pl26fojNdssBNvm24ysynH2psqYKTN0xD1oaoyXsV7vgDeM7SGpx8A7rnMD1yWmxWv1gXXkD8aBu10gp9COoiVExQYQE0C0D5oWGhlABKHpRUTMBYOLUeG4qG0AIqzq1b2dGjKv4ZUOJE2VuhYEV/4kqLLGmZHOUGXwUyDHPpGs+mDJqmDPNQQjQFBFjJKlETj3YuD6y9
oawhrLBsdPNi1R9cpWjVBS3QiuLynUlQCUxu3lKOlZA9+UminRhL71JZITV0tavenOWoQtSlOuE6ddk4AlTqUXRF5FVpPK6naBX3euJxxZdWQ1NXjtDu0S25frCa8jNgnBbfytCtmZGOaJnc53xYiQaXeUb5qa59k6S1BC5a/g2UMPoY7fyrBkNVQZ36r4+fTO2nTr/6bsA3lTywMDFQHo/NtLRwJ6T/vszY5MDr/9Tm7H/fZckP/C44Q9prDSVX6Gyr9bFnzeUDp5PSCdcmT1R5PVwCigFiNIrHRqJGxvgHrk7IhiMOz3gYHrlI5Ji9dphJJkNWl04FaHnjWYrFqiaskqSaqBFC8CFw1ITBMRRlzAJZLVSwxb6JgqQGrG8FaDGlxv2pTVibRDFT45QfUjiazeCP3wyCqdTIMryaot57jIwJRNwoyoM8479kPiuSKrIqqXmdZlQ1Y10i6HJcmgJb6T8ixkHbFQXfLlk60rAdxu+uE9q4yRyKpdDMiDFqhKPsrqbSPjBDaU5ltdItYjrN533hYkrGZ0VWV0O7UfHjzdSdKh0GFt0xLWVuk6surIaspITlbVeXp9kKy9uk3gkQ2N6IiY6vt5fYvnQbM2DGLjCNUlO4XRInT+Cv62PtTxWxk3Sj9uJEKV7c2C7Lvn+1iEPk8DFJ7fd8FA+9b3CVUOtyakz3xeQ059Hc8G1n4nR5Sx4357LjBex4jEY4HzDccIkX+3MkLp5E+HI6spktXUv1mloxmoWKZymkrpNchej5Jt5DwYR5wkTh9Oa18OeBwVXdODkq7zKraXpqZAaoTk9oEhUCLZdgqwEHhX0zNpiKodVY0gKRVITINwOZKICkuE4tTo3a5kNXHkmBCxspXPVuyUyGnK7yvdsN+sXj945ed9Z3ox4iIuEUnfnXrwytdbVt0jzfGJcRb+8zX9V+loK33wGprgd/Mcnyun/jJ9hr1OnSSy6uWfL0+Vh7ctWdVoqn7xk7Tysve7FT9hTYGsGmgRMo+o2t/52CXnQ5XxrQqrex6SdChU2K9nqYW1tWH9fzZxoaefEakZRHvMkdWfaxqwdazV1ijs2fSUwzrX7geHk5+r9smzB8nD1nfwbEDycGrX+cPXMw0v7JFVEVT/4jhJv9cSafV/emA/Rwidv0KSXbud2mgPxndLs34E60FK4ZuTRiid8Id17tV0Ivl1thxTg9JQ2snht9mCZtBdirrgG5S4YM5TGqHK4daFJasiqP6O56BZUsaWBxHSkDY9yvzlQIgKTAc2+Z9quVyPsv3paXj6p+v84avrqYfUwjqX92c99HzI64/UbLMQbJtvI7IaGF01jS8Lji+ijNS+52h7vY2e4+2FzQ/75YybsKbQeFDYu86mIeX30rptkEgutPS2H977CRptjRcCjf/FKCEyCVTKS8RlktjLbMQsFK8K4t0rtCLdaghFVjX6rimrtiLaiu81zsnzU9d7q0oHTcESTK+2vVfy634KdE/z3CqfwIh4PMtIsFO4vWk90neVBw2L3iMQZ2HPTbpO6STVgyQnx9dbT4iAJy1AxnMZtoTVg1c/Egy8aSGCyUve10xdS8yXWx3K8wBZTfY7Hz/Us+oZOE0fMkaNxksjqt5KzN5qzFf+6kmrClsdubKcb0Uk6Z6nY1bvgsN+HbxaOF4dYybspX1lGdx8pGYQ7TFHVn+eBZaM/qhN5vXqRDZINexr+64IJz/XOvLBYbUBsbxGCA6ndp0/fD3T8MLUQ7YhIqhJq7UmEVYPdrVXbwVzrz332veQ+Ru4161SD68V3qAD8yeQp8n1wB8O1oOUwjcnjVA64Q/rXL8e+MOhr/P0I3UoDaYdBD9RTaAflDSjzhtZFZJG9kOXw60H732TyGow7KKpsuOCN8XXjqhGGIiY+m16AGbmlM1T5n+q5XJl+NrL9qen8WP1NPR1/jDPJW4UURVSs81CsG2+jciqfTE1zoGeRTrWnpOtsJzugPOdGE76bU1iHBFrtiKxuk
7psfDloJrRFTvKEhwOhZTOvR5p+ONCnGMqpPJDeXCRSiVodVKPhAgahTNg/sTzPQ0SCREdSyrmRRKPSySuGnW9GEAClTVeeZKKIt1q8JxvVTb1OHm9Th7BY8UzlVXHvffxFq3wDL2flHr/rkqahpWIWFYckhbT+F21vPxI6dyksL6ZjKXumZ4yA49gx8XQkBDeSr6CRgPPcXuO5S6y5UHH7LlJ13oGyCPaegf/8u50fAJIXOadYa9uUH8UVl3RSC7zI85AxJeNV4CImKnFasRuO7KqRl5E1BJVa9jsNy/2Oxevh1WGy071TU5Q9d9Z/X/Wg0dW/fphy9df5qEQWidSDofCj73OM+6xAR0zukYYnQqEE+ON/qUhbP4ZrHA44XV2pWSQYpN1AN04pHR//zFHVq8PWfXnc3D5XlHeie0HrzE22MZfJZzsOhvWNq1p+K+TTUgKh7pOHZjJ4tkWescDCEovVBqhw/Y6hfXtO9uSRKJKsB0WYbWk1SIiGVkN+D82XR+sk3urk9UU2wGTn3oPITjvkoeTl2FQOOjcFMPB14UMJ90v5DOleJ0/HOI6X9hL28bZeA/WT0nsXE6EzmfaARhfiLZLPpw3Euf5Feq89xNY7ctHur06NLx39L4vpe2Os9OBLfg+sj2JtpztO4movlP1RlBFTK/scDY2nbrodTrbPCVM/qvcFLZxocI6J/g6f9hra5KXbfJwdBrSSLoupWe6WhraBpBqejzXv38DYO1vqGNCsG2+JciqbiaHwJJVaxDlNFiyah6eSuQ10nZ6TFogZ9zCi4siqYuiQ25AJ12LF3gfWYchMv4ccT4AhRVn94PDweemFL62NCIMvk8WHxHHOJKVxPTobEaxwnr/iLS/OBHRSA5LYA2h15Rovm88jV0C89LrvfSIqwisGUHjNpbkNZZxN7JX5cbAa6jjDIn34mQMo/kegvaTfqSsTgwZ/iv/y+o5BV4vt34VIzLiTRcJVV5J5akySjoWumz94SieI53zegAJOvqCN+rnkdHo2O8DOEuCcZaNM0HdiDUgcWU6/mkwttE2PYp8d+9d5Pzo1zeXCb1Tcpj/k5l64dUJhUVao6kzUdQZ07HDfBJxvf1Iqh8BQ86yjGV9NwZN5FWGzxBZEU6eR+MlePqhEQ8PlqRGGsfS70hKP9igqswT/DqRVG+9upukK1fXj9BpBOtYhI4nu84fDr5fUjiK6UQb/ZL+Ub9iAp0gjDd6x33FG71SnIlPLczrA+Fo6mE0HSHlZxzzTFA9tI7p1YzU9URq97LHHFn96WRVZWvLOTjP/fuJOiBbznpkO5O9Nvnmw+ugDOyb5/HtB8X5kXj8RyP5e2v0NLFNUZvMNtuOqvrtUhTbn2iB18Sw3YklbD4nx61HVm3Z+8NWN7TvPx5F/YiS/aHTbGDzTeURgCkLc47NU0F54+WPcM1lZdNPJd67r/VFfzr8z2jSDoRjgp7F2iLPjw1+RtUnD4n5Kh8u4A8ZWOJqofZZ9i6Q57cTYvncXoe87LfX0WzsebTaI9ly6r3JD+aFgUdEPVuuTma/Xbc+IHXK5O+Ngac3oY8ZmLIO6HXwsZ+CRD0K1hnfsVDHTVxS++Kvn3Y/OO5a4LcLoaBjtxRZ/fTTT40zcObMGfMAIqt6GBlFjbBGRMjpIamKI/kiIljYEVFUNjrVkSRiUbGX2HhfToT2FR/yGI2Arr0QGYewiFizjdC5LBRvagCNMJ28cDpdBiasOIUV54UjEuj4JVwwTqJ3Hp3GBMZzq/0Lcd8T3jHFm+vMeYFwsvSC7sf4C7HniO9NelEXw3mvMITReQyLYRzTi7wYgXA6hRfoEEaQOOgdPAKenJybfQPmVWQs8zIG8XEXcfnSD0iIv0TySoVkvMXF+IsksvEIO893C4/4SYr484CVhw1PwsVLZqvGPj7hEss5GucjNFIWj3CSr3AZP+aDaaC0jaPOBCEinsQu/geeRzBfwmOpHyqPS8wblv0FOufhRBTLIu
pSuClvlY+20o+QZRsUlr5FxF3gc0SQTKosGSaiYngfEoYo6kFkzFnGf2sQGfMd9fh7xF0MCyDcIIbPZUbLRBLi+DzxItbUCzY0F2jYLrAeRMT+wPuA8XyvAGwvfqTqDPVF9eF8uBr1BMQzD5VX58IiEMntRTrBFy+yHqn+RTIvo5TfKTlKtybUGx7PNuQSdeJigjp36BRFqDNMDSbrAPdl9OMTEsy7xpo6lETgI3mt9CaGMO0Mj0fyWLjqIPPc0wWWH7dqH6QjqrfnWYZhxAWVN+u3105cTT90XG2Jrv8e56O/89KgXkjvlIag42ovjD6prTFpJ08jqa1JCus5ouKpbwxfiPyW+I56dIH6RMPPbUQ025ros0YPtR/NNCMT9VKQzpHU8nohKZ5pxrAuhH3PfI00REoQWRJEaKzRUZlYghNcVtcLqRlEe+yXQFYVf6PIqhAfH2+eQ9vg8tW+rlM5SwfUdkTKMaINimZdEqJM3UoOP0nT+cmQ1mNXgdo4+RR6hhg+j+KMj0GorivenndBtiNwfpruFTiudOz7GAIaSDeadsWep7DsjHyRaLbJsbRBcXyeWMWznY005CiecaxDRCzTi49PQALbKuWxLQeFvX067ty/VWy4nknPap9TYdU9OyAhvZDumPrId1UemzyPjDFQWHmlMopNuGy2EcwPr1w8fUrMV0Ln2jSCyyuZfjHOHjdtO9MV7HEdU7y9p+KkB2F8JnvMnOtLPy2wz2Cf0V7vvY/eNR6xskG0VYnHAjB2x9htm1ZQ/SHhCg+PpP+szutY/KD2l/Vf5SBbJzunrfGVaAc9Hbl1OjVSg/RDz6v2TDO+wi+EI4r+iPnET3pDex5O31X2PJ71xPgozONY5pfstmD0g/kUzbyL5lY+oJl1FshPm9+CdMzmc/AxA/+xq8Dqja7TM6isbDpW99QOJOqE71qvbJPK2X9M1xsdZtiv//b5lK70V/HmvMD9BN3P6rz/Ot0jxug878d89fKT7U+grVE5aD+xzgbammtpb3SdEOqYYNO9pciqjGHwyGqSMfRGViNJOCJYgOHM7AsinEQ4iZgc7ShLRuWEcz+cjqWOmak0qtiByq14XRcWIbLqpWOcdUNOmDYd/fD4cG4DMOFAnC8cES9nlI4Nt/a8CHPcwwURSTptCkck6Jyk80KlZ69TOOoiC4Zpaz/qYhRifqCRuhSVeE70JVbWH6hwCWzoY3geGx5DzANIJKp6Z+UBnWlP+UUyaJTleBORJkxFZX6J0EaQvBsDSYSHk5hFeI1CKCW6VWF6Y1nRvAaelYoNfgKJuRqIs+H6JuEiSWsMvuf7hSk/DAFh2YeCyGoCCR4JayQrcnisCAl1UWXBcj9Ph1xlrDJS3AWSxfPRIhcis4EyDyrbK8MkqSQ50QksEwPmdzxJVQKN+0XmP9MRCY3ivaJIerTVaJjIaWxCuDnunSPQOYlj5aceRzGtSDYyMmxhLNtEshonsqqtECCrasBMHfIaq3DpBrcJrMhyni6Q4YZLV5iXEcyzMOafyL/XgN1mZJXPHMd6cZHvHh/D92UbIMSxgU6gzsQxP6L4vmY0mfmgmQnRbCOiCNPpw+OqL7GEqTeqZ2qHaPjVmRFO/VDZSk9UvmoHzkeH4Vy0SKtIpDqeVOZp0Y+k4xdMfKA9kQ5S59QOaKu2QvDiWG8DbUeyNFIIR6t9YToXqLcRfM44hukK00liuiKdseoMIRG5zPzTfbgfGUN9ZPpRDJttAN75IqrU/yi2f+EktzQwakOsQZJDKidD7bnad8XJ+N3IdiY1g2iP+Q2iI6s//ZtVm4/WmVF+yq6rrPVM6q2PZNsbxXZV7Y7gdRp6tjh5B6LaJ7ZhrI+y33b00YxAGtvtHVdbrrbLOPOJaSZtbdgPxV1gm6brotnex6i9Z3oXjI8RsA9qI7kNk6Np/A/vHv77m84+IRA2aQeuM+eZeG/fXCvbzDh1eJlzGGecR43ySBdp0zWTRWRUkKMochHFeH
Xax5FkaETVEkBtlecqC1uftK9yuVVsuH1W+1xqC7TVgITiLnFfzyqyIf2IVWciIRvkdagqzDaXZRRzkeBW+4nlxXLRebZsle+Kl53X1viEttwCZa/zFe+dE7heOhlI10vDs4fRcvapI4qTHpwXgWa6pmwJm7a9f1qgd5KeKT2rK2afNijCkFW9J+9pdMY7LsifNbZbYW69Z/DeR4ihLZO9DqOfoy05L+KUTqATQKTM8wup9zwuQhuqzG5FRJutSBHLhT5deJimOifgIstGtl2+64UwzZRiHHVENl2fyMXR3stuJ9pu5ZM/zOMx3CpvVK5ePVXd9PLZ5rUJM960A9INXeMv0wCCw4LK+Rz9J11v2z6bltI1cXweT5+pW0zblq3hNzxuB968tHks8EyJ+sd80HkKe3rPtkXXsfx1jZe2925J9cG7j86z6Xn7GvxjmM+tDg4/ORX8+6rDqr/X0t7YdEIdE3TMb5t/drL6ySefmG9WdUPdWAZRxs0aQW31kOfO0fG7QCcrkNkeWSVMxqqR8LbqkRLC2eCpx+08HeswNvTq1bjAymqMkK5lYfkVLZKNaYQISaz3ofXVoJGrSBIDuyKo4sJj+KzEhWhmLLdmpdDAsbQiOkENIBtCXq+t9qNEpJUej8dcTEDsJSmS3l2KL4JGp5uK54dIm0bWTH6p8WNexamxZfjs98xPVvIYvjezzJDasAtMK1INF40242OYr2oUQinRrQmvN1IVUJAx0fvH05GTLpwXCWFl1LEw6oVpDNiIaZqvaeSpD8EwjYUB9+kgqBxsWYRF0allOauMTBzLxpbZtZU5y46EmLcgPOMUR2Oj0b24eJJBEdAYGXiSAo26RhEagY3RtGE6i7ynmfrD51MvWTTLzjRmLMdwvp/qiufkScfVYHkNk+qKDKLZEtF0DOLp0CrP1KDqnLjLbOxp6GQcz4WT8FNnPEPK+nYb6oc3FZ71J4r5FMF3CKdDEHUJl+KBy5eAeJH4cDql5yNp8JivJOn6djea9UIw17KuJEFx6mlkfY1U3kQk6oWFdCJRL+I9Xbk2/Uhqa3St2gOvY8NrF6y+mfiLKs+0p62OjRimFR4tB5ntAfUtlvvm1zwyJHIw6UTGsc0x/5RlPkbGsE0206r4LhaB+AimEUGjEqHPCOI8w+W13edMm659OawycNapVtlci4G7VqRmEO0xv0G8U8mqyMGNIqvKS+WdiIf2VcaCGf1gOetcHbPlH6HOHTnOgfba7zAlOmHcWsfLEgpjswPHZfe9fe86teHWyVPYnmdmQATOsWFtjc1Xu896rLZe94kxM2k8G2FmX7GtM/4CzzF2hfXdho19CDiytjM8WZjHbdrGhjBe1xs/hGmb5wykJzJibDbzJYJ5FRlxgW1VFNsjETyvrnj66uW1Ddu8t/XnSl2/NufxRkLPIUhPtC991FY6pK3aBM8hjaDdo/7Q9sRTf2WDRFC9MvbKXHqjMjZlRkKnY0mk1NMnU4bKb25N2fE675jaSOmBZ/etblkkpeG/nwfvGsYF4hPTNel41/j1Lpm+hdA96YT0SzB6o3dkOtIPpWevs6N7djTM+CMB6DoRKu95PIisxl3ybL15RuUD38uQYl4TzTwT8Tb+M+PUyX/b2HLqUDTbjvALrCtEHN/3h4ts62i/RUjD6ccKhqAy79TZLNsdG8l8of2Ooe3XJ3Oe/SZ5JURy43lugs5XHjJPTP4Hysu0U8wrU2YmztZl1mGe7/EH71xtUwqba+Q/Ba4RjD6pHFg+pk3g85p2QeeobFXGvJ9NQ9vEtBUfOMf6eVa39fzygc/btobnSD8VtjoufRDsvuqTbXONrjM9MxJrRuI9Pua327atsdtrbWuubK+uPO63zbcEWdXN/AZRhs0aQwvvgeVUqbCpOAbqfaDTpu/LCLOlQxiTIKdQBlHOYzgLI5wKyJdlAx/JSqneJJFbM2RuCpyKwcKOpKJEquG4Gniu6Y1hgVooDcVbmAVseI79Fj
BkOiGg68JJFs6FRZJAskJKuYmwCyTBJAx29FSjpBF0kk2vGB3PWDqpiTBxzA85nXzfcCqt3vkSG36NiH1/jg4Zr4+7xEaLin+Olft8OBWWFTkqRmT1MuN1n9ukASPMNxssU1VgVVqPrNLQ05GzpF3vG28I2GUzxUY9aeb7D+kDz/HAdEx6gTTNVqSRDRwrscpU5atRRiGxnAOQLpgpo74yTRnSC5ZlhDoRSAqjwMrJxoIEKooNaxTLyIz0RahhZj1QJ456nunUREcSbGg0AqjeQrYhLHswL8B4pmXS8/TSPD8Palq00Rc5PyIqqiuGAPEdE5R/0dSDcHx99iyJ6Xk6AhdBO2AMm5wqNZDq0TbT924z/TCOG/MiVj2o0Sx75k1MpIe4aOoF9T6Ohis6gnU7gvmj+sEyiGcZxbGshHjmdQL1KIF1KAlevMpJ9TZcW9VZlS/jrU4YvZCO8BmupT0QvDbAC9t2SvvhEYF7qrfWHPfanuDrU4QcZRrysLAYknOmoTZAs07Cok2cdDMulm2GdJTHYpg/MWofiFjGx1hwP5rHjN7SKdBo8yU6S3JIZWwsbFuu9knH/L20ocvspyO19O0xv0HU8zmyeu1kVVvFqUz1PLZ8dcyWuz3ve9r3MLZj6mg1pFW2nG2TB+qPOgZln9XOaGTNtN+y73LENcIlx49Ol3RYbVoC6xXP1XnqoFbnpKB901b7wuG8pxwwA8apHTPT+pU221H5BGbVXZ6rGSSaghrJc3XcLILEe5pnDqRh0mOcCStex+XsMqzrjI8iR1DPwbhw07HF+satZorZb9jUuaNvCmNIVKMjwhBLvyWBdv1igggr2x/achFYfaen7w+1+qtIbWSkV5802qr8lQ5Lp0X4NFX4VmqjbX2zo6w2zjrAqncRfJ+ES+ogY1ti9EDlJ2KgKZT6nMf7pEezpaQDKhfT4co8VJ6bMlCeG79QuuTpkyF4KiseuzLeu1ZlYvRHZSf7xjyUrknHvDS960ynsBx6xnv39O6n5/R0L0g/fGGjj4F905breaTDsg26n56L6ehZda7n71nbnQTz/aquNenpOQS9h/cc3vt5JP77cOYZbYiZkch3iKTvo07oGG7lL5n0g8rq1gX9FL5jJO2UPtP5gT6dyOrFOPoltGXhtFuy4SKrUfrUL4xtO/3oWJ3P+Die4/3+j7actiqBNv4i8+4S7bKgxUjV+az81Qw9+XxGP1RXma8xLHvFKay6bMpSx23ZMmx0xRdOLHuGdZ10xbY7psylgwH9U5tgfCuWn2mvrD4rHLiHSduUf6Bd4XHVD08PvXJXnOqL6olJV2lQb8zzcKvzzIBeQH8VJ52WTsSo7gXeW4tLav0OYyPZZqsMVF9Vb9Wmq73x2p9r1yHbHoQ6JuiY3zbfEmT19OnT5pvVb775xhhETRmy04H1kGrYrFE2vbYX9U2Zh4RL+kZRIwDEpVgSslhc/oHbH2IYx4Y9gbjIBjFBw9aKi4BTFMoAAP/0SURBVKNB13VKh42iaeRpDEzvCp1WIiHGgw374802FrhEYnA5gQ4BK4q2TJbx3jGFNVoj0M6YuOA0kqXHrQ3rmvhYGmRWrBhWJsWpIsqRjqeTfVHpmvspPgGXebPLfL8fLgkxRCzBOOKS8oQXxMfHmby6zDzUcP6FcBo9EhDafVxghf7mrEbqWInV48Z0TW8wK8HtRUao3CxHQ/b5Lqpomocfz8ZMToMcBI0+xslIyjgSGr28REfnUkI885UNFvPJA3WIuiJcMoj3NYpeeXpQeQteWf/Acrmsc1TuIcr2yrB6A2k0SC5jolXuvFbpMu6ikKhHKmsSRzYol7n9gcTnMo3MJW7tfQXphdKIZXr0e0z4Mt/vBz0/H/KyAd+LiV++HAB15tJlOkWsL6oz8XyAyOhw6sV56gPz5Qd9N6NRV96DlZvtt3HiIojbafqQN8rgkS/6eibf46Ko7xFslMPYKBNxrG+aIsxXZsbpZVnmenEaFAPqCy
sTL2TBWJj4i9QV1k3WHVvfBZWf2gbBtAWMUz2OYz1OWSeSwvHaVziQlqcLTIf30bGk4x7MdYI/DRsfIqx0PX0RUVe8no/kk3miOKNbfH29k/LKvA/jBKPrFoHnUpto6gcRT9003xFRRy5d1vfOdJxoaNS+q023hEbHQ5fX9UFqBtEe8xtER1Z/3DRgm48iqCpTHVd+Kp+1L7ttyztcTg6Jlx2dN51nPsQqDUJttW2vNXskntcnaLSWcWY0X+XKY/EkN4rXzADFex2MHoxzGyJs9vVcTPOiWeNAekh9VXpM30y/5XGdpym3Jo52wrR5fGZ/Ot637nwXzToweeHt23MFpaG0Bd1H5+ocQ9z43CKmZoXWSLa7EeeI83SkL7COe79jiyN5FYH1SGwU6xmvZ9iu6ZHYMUCyp1VFEy6x3aatiFTHpvJJz/MzwuqHwnpW6/Ba3VC86p3OucwGON7M5uC1KhflmfKO+SS9SNIREnKfniQuMKTjLCvpi+DpkK7TMZaxuVbw0vHrmNEfbhUv0mz1zT6HwopLYJ3TOZ4eJj1nok6kAL8Oyvf09MrTN+mXwnFM1+qY8kf5ZXSE6Xvw8s/oE/XK6KmB3kHkiO9BXyFexEPTP0WuGdZI3vcRMfiO/p+Iih2d88gqn988360OPSffkyQzjn6y7ExUOH2WML5zOONJRhNowy/Tdl/ku8Wq05lEPYGkXbhIX/BSAD9w/zL93B+Y5g/MN+Eiw/G8j8pB3/mqfVD+ql4bXVV7wXiViS1HC3/Z+sMWKlela3SFaZnyF4eRjpoy9+KtToRKz3t/lTXDPFfPpLKXDkbqXOmE2q5AW2j1WbppYfXcgO+lTw+8zw9YRwPny/fXLCnd0+NJ1Bft8xxLTG0bbzgZYW3BlWUWGjo3tfN1TGla23zLkFUZQz2AhciqGi89tDJCyhFPDzMhLopOUSSdI4sINtxqwMN47DyJwnk67WF0yM8TYSYs6JjO0bn2mvhYNf5hiAm/QEWm4x5NQkf8EEUHn7Bhf7wJs6JcYqW4HE1mEkPngFvtX4yg8vPYD6wkilc4gZXlMp3gK9LwhbW1YcQyPRLnBFZApWm6wJicidf9uDVxsbyOBv+HmPO83/ckMN8z/hzj+d7xYXSymQexF/ieEXxv5g/zLIH5F0njFhEZbgy0RAZN06u1KNElOjeahvB9GB22CO+j9WAFupXhfddD5aeuXKSxvnyZDjh1RyORUVR29UxrBTwZ/JjIMOMEXIyJwKUY6gQdhcsxzDODCyw/5qUB85fH2CqwfNQbxy3L1ZQvy0vlFH+BusN8QwzvqR466UCIsr0yzDwnKYiP5HOSDJA3sjzp/JPMXOYxSI9IgvgyZAC8JxsJtkS8DxkG3+kyG6gfSMyNDvLeCUwrNoIG6gIRToLA56WXw+N8/uhzfI/v+XzUlYC+/BB/jrryPXXkLOsN9ecHvjfU2aHG4Sxvo6nHJK7hYcYwSuT/qmG93Toy1MCLrMaSqMUwr2NJykQaYyIvIvx8NI1dDHWB+XxRHUYsV55/ifl7mdf+IHarHoDYSOZlBPOS+cl2w0B5q2M0PCov1V1TxtQBU59JTlVvtX+RxjTuAh1J6kzKOpEU9tLw2hJT56ULNNDQPUw8wySuBjznEstb1yRLg9vQYQ+XmJbRV6WrIub2IvPkEs9BPNNlfvzANidB7RvjLvF9Lplrqf9G7zx46ekY9ZDhqPBoXAjznE8rMnJq02WEVC+Nob2KwfqpSC19e8xvEB1Z/fFkVXmqMtUxnac43df/HElCnba9bGYenwX3jcHzwZ5jepCYFsOmQ1Y9e+b8QLz/XH96IcOESV/Ca9W5Gx/NaFUCPptJj+kmnqs4HxLTYZq2B0c9N4n34PYSHWE+o0lTvTnmWj0rj5seHsbrGq0QYK7TPt/psjECPM7tJe6r51Jbs5IAr+c1l2jLNcJqFlJivhuyyrzX4ndyNjWLSiNwWmjHls3PCVvP1AYYR5/7qm+GAL
At0Dnme1XGX1aPr80nky96b8UF61GgfMy5gfK3PWkmrwNlqLCNF/zllZiuoHINHE92P90ncK1J10qSHmrrncPrUoU9x6YVeD7tm+cJxDGsjmVPb3SOrtM7CP60Atcpz9SzSKKv73/VJlixb6GtRtG+/v4CvguLNKNx3idkHgEKLrNbE96z2llSGmE9/30EIumDibheIkm9QkzRMm8MmE8kiGar3n0D5qkZBQpsTTko/8yFJl71OKksAvE6L7E8bXmECgdgriVMW0O/QmleoX/a59aEg9Pzw3eewGfTAJX3TDoWgM4120DYwhwPPA/DyfTYHLPPQNse6Gy2dVh1VmVh23/ZHNVh7atOX1lmoaH0hFDHBHs/a5t/drJqf12jm8og6gFkFPVgyhQ9pIzliRPHcWj/bhzdtx2vHtiOE4d2eDi8HccPbcWxg5uIjXj10EaceHkTXjuyCW+8sgWvH93C8GbGbcbxw1t47jZzzYnDulZp7MRrB3fjzUP78ebBAwZvHThoYMPJ4g8exBv79+G1vXvxOl/4jf37zfa1fXtN+J1Dh/He0SN4l++o+ON7mDbjdV2o9BLTtWGeZ65jPim9D145io9ePWbSe+PAfhP31gFev5/337+N2IjXD6zH6weFDcRGvHaI73+I73xwK9+X+XVwO/OGOMS8378LLx/ai3fefh1h589SyeJNPksh1ZtzPiwcZ78/b3q/rVLeLpDhjomONFOn4mOi8e2ZL/DuGydw/CgdsKOHcPzIQZw4cgCvH9mP1w7voR7txKv7qQsHtuE15uUbB7Ym4q0Dm/H2QWEL3jb7u1nGe3Bi7x68TUf1g1deMWXy2p69eHXXTpbZXp57iOWxz5RfyLK9InyI9zrMMjuK1w+/ijdePoE3Dh3D8X2H8CrT1f3ePLgP7xyWXjH9A7vwDp/jbeKN/bwny/LNg3vxFp/n9YN8x32HcWzvyzi+/xWmdQzv8L3fPbKb12/hvTbyGurIgQ14g3ryxiHiMHXl8AbqyHrqyDrWjw146zjrw9EdOLh3I46wfh1i/uzZuRmHWEdOHD+Cz05+TPLvLZ4SqgxuXXgGTlNZIyMSCD4/SZq+XdF3pwmxdABJNiOo+x+++TaOsN4e2b0Tr+zbhePM99cOEqat2G505fX9bFuIN1jH3mI+vX2Y5XPIq9dv7j9g6ql0wYRVbwkbfpP1N2Wd8IXVZvBcpaWtTdu2O2pr3mdb896RI+a4dPONffuph0lpmGtChE07w2uOq60h3mRa7x5lO8P25g3q02v72c4x7i3pOM8/xsbfO3e/wQk+xwk+w2tMQ1BYOM74Y8RRXnOA58soiOCpXZejKidKxk1GSKRQBi41g/VTkZpBtMf8BtGR1R9HVpWfsheCzVdbzrpOn/aoA9rY9gvnEXHuW0Sc/RKR33/h4awPgbiIs58H4MVHfa/zv0TEd58jPAAd967hMXPOF4j5/kyaEXf+a8ScO4Pwb07j/JmTCPvqFKKYTuz5rwyima72I7/9HNF83lieH3tO8Wc8ME6I0lZp8piOK03FKd0LX5/i9rPA9fbYFyZOx03avE/M+TM8ToTp3kqX9/3OQ7TSjfie7dUFRIWfR0x4GBLi1aZ5emwWXSLMwnckqSKrIiFhF7z6lfh/x58Zsht2lEaQvijO8zWkO1GIiryAGL5rTNjXpnzDvjmF88zDC98yr5hP0czDKOah9s99ddKUeyzPlc6EM076EaXzeI6OKe7Ct595esR46U0Y8/4CoeMxzO+4C98w/79KPN/Eq6zMvQI6p7QZr3SjWU66h55Pz2GeTddIB9IAozcq84AuXKDeSU+kP/EXvjXHzp/51Dyj0Rm9z9nTAUgXBep7QPeizupdv0L491/j/Ldn8P23X+Hc99/hm2++Ztv7jWnTzKAP2wEtyqnp1JpxpoWKQpXTrQ6zwBjttRZBjOS7aFXjOMad/ZZt1HdnESZ8+w3LinrEfIj6juXI/In+jnn/HfOSdSrmu9
OIY7kJscpnIob1UcdsnVbZRLB+ejht9pPqPMMqwxDlGwpeu+G1CbatiaReqXzjqL8qe6WpuCg9X+A6tSumfUm8r/RGbQRtatg3ZhuldAM6mlgHqLdGVwP1wOqwzouSTkV8h1gNSlD3VS+kw9Jv1btYHovhsejIc8bfuyjdYT1Ve27LwLb9aud1TDpm67S/rFKCtROhjgk65rfNPztZtSOrcggE3VxGTS8sA6vpwZs3b8awYYPRonFdNKxWFk1rlEbLOuXRql4FtK5fAa3ql8Xj9UoTpRguiTYNS6FtozJo16SsQdvGZbhfjvHliQoMV0aHJtXQuRkN9uP18OTjDdC1aW10qF8NnRpUR6f6NTzYsLa+cMd61dC+blV0qEfU9cIdeW3XxrXxVMuG6NO6MXq2aGDOb/toJZ6ndFNOz2wDYaXZpnYltKlVEZ0b1kSvx730nmha16TT9tHKaFenClEJbevy/eqVJEqgbX2hJNpyv039UsyXMsyfcmhZrzya162AZnUqoHHt8qhfoxzqM+1uHVth7cqX8OXnn1Ihw3CZBC+OBM9+A5NWhbt1IIOs6VH6Z2wYTn74NpbMn4snO7dB8wa10aRudTSsUQkNqpdH4xrl0ax2RTzOPGxVtyLaEG2ZP+2pTx2IjsyzzvXLoWsDobxB5/qV0Z75rjJ4snl99G/XDL1bNWK5V0dr5mcH6kCXRrWMHkgfQpVtcLgD0bHBo+jStDG6tmiGLs2boWOThmhdtyaa16yIlrWor+a5KjLN8mj3aBl0ZFl2ql/JPGu7etStBtS9RrXRruGjLPNHqd/1mE5T9G7fGn3aNkWPx6qhe+Ny6NKgNN+rJJ+foH50aFga7RuV5nWl0KZBSbSoVwxNahVCs7ol0KROKdSvWQLNG1VBM6Zft3pZ1KtVAU35vMMH98GBvTtx/lxSR0fo8rjVQKco7pKZOhR+IfAtS4SePZ46k4Af1HN4IQxvHnsFsydNRLtmjVC/egU0YHvzGHWlRb3KeJz53opl0Ypl0Jp1r029smhP3ejQsCI6NVSZs21g+UsnpCeqyx3rVWc9roFuTWqjZ/MGpj4/8VhdU/46N1gnkoXZZqit8eq76n1lU//VPijt7k3rmHZG+qh7tqpJnXi0Cjqn1tb40m7HtutxptWK13SgDvVoyXarVRN0faw+2tWvyferzvakBo9X5XmV0bpONb63hzasT23M1ttvVacqWus8onmd6nisfl3UqV3TEKMmTZoYMqf23pIpTV+U8ZGRsyMrNwKpGUR7zG8QHVn9aWTVlqeeQ/FKa/HixcYHeObZZzF37lwsXfwiVi2eh9WLnsHaRXM8LPTBxiXCO2/NwtlY8+JsrOP+xiXPYePS57D+pWdN/OoXZ5nt+sXPYMPiZ9OMjbzeCz+D9bz3Oqa/nvfyjs3FRm4Vv2bBTKzjdtMSL24Dn0HQsfXaap/xm/hcOmfLsnnYtmK+SWPN/JlYPX9G4vWbGKdrlaZ3bCaWPzcFy4iVL0zHKp67Yt50LJ07DS89OxUvzWV43iwseWEOXpr/LPbu2IyvPz9pRmcu0W6bb1mZ9/qljf2m8SJ1Qt/dmRVhSU5+7llS5vkCo6raV12zumOPmdGbqEic+uQD7Nu2HusCZbt83jQsmTsZS5k/Cq9kfq1kHimsOJX9BuardGcV81T70hfpicIrX5hh4nXOpmXPm63SXcV0pE8bWB6blnrxui5Rl3j/9SxTo4NMW/H22DrpGc83Osit7iVYvboaPJ2ZY3RpHdNb8fxUrGLZb10+D7vWLMIWPs8q6sAqPrunh9T5RbMMNiy0kK7yvgtZPxYyrxbNZZ16HstfnIuX5j2DBc/NxvNzZmLeXJ6zeiXefvMNM6tOn2WoY0P6kvTrmtDlditDU6cvXvSIUlx8LD75+EOsXbWC7/0sXnhmNhY8OwvLFzzHPGFbs/A5lhvLfZHySflF/Qjk40aW6cYXqR8C83SDdId6sXbBLFNGqq+bWc5qK7
SveB03bcA1tTdemZuyN/f3wkrXtBu8j/aV/lqlH7jOXKNzfZDe6PxNfC7p7pblLxhdTKwDesaAjkqPrV5L51VnVJ9WsA6tku5xu3TuFCyaM5HtzSQsf2Ea46bjJZ63df1ynPz4A/pOXkeztZlWZxRWW682X3ZTdTq4nFKCTSvUMUHHbjmyKmMoUiqnQGEZRdt46Zzx4yegSOFC+Nef78Ldf/wVHvzrr5Dp3/+HbHf/Fjnu+z1y3vc75Lif4ft/jVwP/gZ50v0WedP9DnnT/w75hEf+gPyP/JHhPyFfuj+jwCN/Q9HM/0LZXPejeuFMqFUsC8pk/y8KPvAHFHnoLuKPxJ+CtjbM4w//CUUf/jOKMa2igXCJR/6CCtn/g5oFHkSdIulQPd/9KJXhbyh4/+9Q+EGbZqj07NZLu+jD3rHi6f6ESjn+i7pF06N+sUdQNc+9Jj17ftF0f0Thh3+Pgg/9hvg1Cjz0f8j/4P8h3wO/Rl7lw32/QfZ7f4ss9/wOme7+PTL89w946N+/w73/+D/8/Xe/Qvp7/onBvbvh3dePIDbiLH7Q7yfCvkNk+PdmOsFFEpHUFOnWA4mq+UiTzlL0eTP63qP943jknn/jb7/9P/z3z7/GvX/9DR78x++Q+X9/Rq4H/s48+gty3ftH5CHyC/f9CYUe+BMKP/BHFHvwjyjBvC7J8hCKs5yLMK4ky7l6vvvQsGQmPFr4YZTK+HdTxiqXUhn/YXQiqby1tWXrL2/veEGmVyzD/0OVAo+gevHsqFI4M8rmeRBFMv0LeXks7wMs34epk4/w/PS/RSGWcZGHf4si1O1C3BZKp2N/QRE9Q/q/U7f/gcKZ/ovy+R5BvTJ5UYd6XSHbP1E2459QMv0fUJR1o7DAawuzXhQiCrKu5KP+5HzwV8h236+QhXjkf7/Cw//7P2RN9zdkeejvuPf//Rr/ZL37429+hcJ5smPuzEk488WnbLy8bxlCl8etBjnSWvSFZDUihmRVxMTTb32nrOk/3535DGuXLUTDWtVw9z/+in/e9Svc/Zdf4aF//hYZ774LWe+7C9kN/sC25vdsa36P/CyfAunuYjndFSj3QJmz/Lz6/Ce2DX9l2/Bv0zbUL/4IquS+x5R/YdPe6LxgXfHChU0afzTti0EgXbURZTL/A9Xy3mt0sGaBB1Au6z/N/QsxTXNeYno2/eThwkQhpllASP9XlGL7V71IetQumRlVCj2MEln/xfi/IH+6v5htAW7z8Rqjlw962zzCA3exHv0eOdjWZL/718j6v1+zvbkLGR74D/7333/hN7/9Hf5w112oUbOmaf+lLxKNtMnwyNFQO39leV0fpGYQ7TG/QXRk9drJqjoKlY/KP21VporX/caOHYty5cujcOEiyF+gIO14EVQoWxLVyhZBjdL5ULt0XoNHy+TDo2Xzow5Rt1wBoiDqlQ+gQiGzb84hGlcthlZ1yqFNvQpoVqOkOUdp1ClbAPXLF0J9Xp+EgqmjfAE0qVwEj9cqjdaPlkWLGiXQuFJhNGCaDZhWwwoK8/58rnqE4pWuwoqrW4bx2te9eKxRxUIGLWuUQqdGVZhmOXNNHT6frmlUsTDTL+LF8V0UL9QumcdA6dUhapXKh+ol8qJqcaJkflQpWQClC+ZGsfx50PuJLmaWUFxUuJn2FxvIf/NfSRJVfb+m1WDNr8e0YItG0G4BsmpIBeu/rW9+h1fOrvQ4/EIY9u7cim5tmqFSiYKoxXevUSI3qhfLgWpE9RK5UJP5VMvqDGH1pDbDRpdULtyXzui8miVzG516rHpJozeP1y6LJtQh6Zq9vgHLpD7LxugZ4+uoPFn2XjosX6ODBRL1tT73mzG9x1m+LWuXYdol0JDlnqh31CsDsx+kcwZefKOKvK/SLZmLOpQfbfh8XZpUo96UMfpSm8/eqEJBNOZzNCmfD03K5UOjsnnRUKCNr182n9GZR8sU4LsWRM0yhVCjTBFULlkYZYrkRclCRGHmR80qmDRhLN
5/9y1oWnqCvqOm3sTrG96fWTeuBbH6ljdai42GISpa30tKn8LZRp/C4sXzUb9uTRQpmB9FC+RGKb5/xZIFUaV0YVRn3tQow/xhG1GLefYo869OOda3snmY/3lZHwmzLYAGFdj+UC8E1dVW1Jd2bGta1Spj2gbVVx1rwHLx2gMftJ9Y7v7y99oMnd+cuqI0W9YsjaZVirGNUTujdqMIdaiwaUvUttjrvXbGex4POlbQXNOAaMI02tWriLZ8xsaVi/LdvHpg9JrpJeo1r61VKg/rUy4D7Vudrl48J6oWzW62NamLVYvmQLE82dC6cX1s27Se/tJ5M1FZdda28bYuq+4KqtOePQhddsFQOkKoY4KO2bZC+NnJqgy6bqbFlQTdXA+iTJGBfZNGc+DAQXjw/vvx5//7FXLd/xcUJWkrQye8Ut67Ub3QfahZmChyH2oVpfNW/D7UK30/GpR5EA3KPshK/RAalU+PxhUyoFG5DNzPwIqfFS2r5UGneiXQp1V1DOlQG13qsDEr/QBalrkfLcs9aPB4uQeIhwiFCaaluFblH0LrCumIh024VfmH0b5KBvSomxsDmxfH0Fal0K9pEXSomgmPlboXLcoonUAaNj0+m00v6RjDgbQ7VsuMPo0LYlT78hjdoQL6P1YUnWtkDdwzHdpUTMdzHzbPLDTlOzcqeR+d4XtJcO9FrUL3oFqBu1Ep3z2oQKe2bJ77UCLXfSic7W7c97df499/+j26tm2GN4/txcWo74H4CESe0zSSr5AQc8F8G3y7/CjaAytNfDSNN53huAt4de8mtGlYB/+66/f4O/UmB8lpsaz3oXzuh6gnmdGgVA7UKZoJtQulQ70i6dCAaFg0PZoUT4/HSqRHi5Lp8Xip9GhdWmBel3kYLVhm7atmYFkUwdhOlUw5d66RBc1L32vKr32VjKZ8kso7qGyDws14XptqWdH38fIY2LEm+rSpjO5NS6JNrVxoxvJtVp7nVk6HttXSo03VB9Gq8n14vNJ9aFnxPrSooK2Op0fLSo+gKXW8Ubn0aF41B7o1LY3hXepicJsq6FIjFzpWyoS2PN6y9INoXup+NOd9m1MPmxFNGW5IvaknlHoAdUo+QLJyN8rl+x/KF3oQZUmwCmb9LzLf/2f8nvmY8YH7MWXcMHzx2Ye3GVmVoYtDdFw89OsMLTyiRSz03VdCXDR+SIjBN198jCUvzEIpGve7fkXC/p+7kDcDSWCW/6I060+lgg+iWpGHSOoeQo1iD6J2iYdRv1Q6Og/p0ITtTbNSLJfSLJeyD1AHmM8MSxfaVEyPbrVzYECzoqYu92lMZ5a61PyKtia5fiid1mwP2rJ821V+BK2pE2obFO7+aC7T1oxoV456WBpP1s9r7qNrzLVKw7QvNk1CbY4JP4QWREue34JptaiaEZ14/QCmNbxrNfRvWw4d6ubBY7xvE+kz9bo50ZjP0pDpCw34bvXYttUpfjdqFfkP2+F/omqBf6Byvn+gPHWnRIEMyJsrK+7+3//w29/+FsWLF8PyZcuM8ZGcPx+GsEBPrByQUOV1PZCaQbTH/AbRkdUfQ1aZl6xP2lceynZ/++132LF9B+rWrYvf//53+P3vfou//e1v+O+//4WH7vk3Mt7zV2S9+w/IcffvkOue3yPXvXchz/1/Qr4H/oz8D/0FBR7+Kwqm+5tB4fR/RyFu8z34F+7/nW242qnsqF+GTlWB9Cia8Z88po6Xv6LII/9AYV3zcAAKpwQeL0SUoU2sLZtQmo5a4UwonfV/5nhBPkcR3q8o0yzCZ7DXFWJ8Qd5PxxUu9NBfTXyR9P9AMbYXQuW8bFsr0BkskQ2lMv+H5+sapsd01EFp0tczP/gngmmoo/GRf6IQUeDh/4e8D/4duR/4G3I98A/kJDLe/Rfasl+ZdqlS6eJYvWwxzn/3NQv5EuKNA++RVU0DvhAeCa00qsV19IuxW2EBHUtWFbZ6IgdX8TasBSC/+forLHz+GRTKnhF/5Lvez3
fO+P/+D9n++1vkpK7klK7c8wfkue8uFGC+F5JuMN+lM3nuVwfvn1CQemB1Ji/1STpVNOO/UJFlUrt4FiKrCRdhOUmnlI45n9C1BVSmLPcij/w/o1OCdEz7+Vlm+XgPpVcp38MmvZpFs6By/nQoyXIupHsrPat/Kekg44twW5zpFuXzF+Q1JTP9B3WKZTV6U6tIJvq5fD6+U9F0f0Xx9H9BiXR/QomH/4hi6sBUx+T9dyE/8yEv64463XPc8ydkE+77GzLd8zc89O8/4f5//hF///3/4b9/+yMakcjt2b4ZF2OZ3/rtXcR5xEZHEKHL7FaEbEVUVATOnT+LcC1GFh+J7899jROvHUW/fk/i3v/9Hb+m3vzzL7/BA//5Ex78zx+R/n9/RGbmSxbmUzZ1NN9HHbr/98jz4B+Q76E/sHyZl+nvYrn8kfWT/CI9y5zlrHpdNvs9eLRYFjRkW6MyUdug+qryUrn524WQ8JW/0ixKHapKXakv/1ODCfTJ1b7oXkWZltoGbe01ihfUduh6Qe2Ojtl2Sc+ktqtB2dwol+t+o7v+9lBQXH6mYdpXPT+vL6J2KFB3clOP8tzH+sM2ONc9dyHdX3+FPzMf82Z8BNOeHo+Tn35s6qfqqdfWxBuoLqtcbN1OydaGgrW/oY4JOnZLkNXXX3/dkNV33nnHfLeqm8sQirDaacAywu/T4I8aNRqZ0j+Ie//6W1QvkI7kLAMdt8zoXDMHnqiXGz0b5EbvRrnRt2keOoT5MbhlQQxrVRgj2hTBqHbF6CCWwJgOJTGyfQkMa1sSw9uXw5huNTGtfwu8OL4HVk7thWcGNMJ4njepYzFM7lyUKEIUxpRORQMojikdS3hb7k8NnPN0R6E4pnUrh+f7P4plY1ti1dNtsGhkE0zpUQGj2hTGOJ4zqYt3/pROxTCV95jWoajB1E6FCcab+xXBuPaFMaZtYUzqWhbzBtfDyqfbYfWkDlgwrBGmPFERY9vynDYFMaFdIYxvXwSj2xTFyNbFMLxVMQxpWZTvXxi9mxTEkw3zo3vdvOhcOzc61sqNNjVyo1nlnGhYMSdypfsX/vnHP5hp1S/v34q4qHM0evGGpMaEn0V8FBsBNWK3EVnVFGAtlnU5NgyIPYvj+zaibcNauOdPf0CG//cH1CqWAc0q5aGDnhOtq+REt0cLok/DYujXuDgGNC6KQU2KYWjTYhjRrDhGkQSMbVkCEx8vjqeJiczf8dSjMSyvyU+Ux0ujmmPzjCewemIbzH6qEsa1y4+JHQtiWveSmEzdeJplmKQrKnPudy4U0CmmQR0QJii9HpUxb3RrvPh0Nzw/pj1mDWqMiU9Uxuh2RakHBZku9aNbMUzpSp3oXACTuzCdroUYLshwYaIYJnYujtHt+fxt+ezdqmDW8JZYMas3lkzshBlP1qCulsNk6vYE6WKrghjfmrpDHZMujWxdGENbFsJA1hvVn95NcqN7vRxoWz0THq+aiSQlK5pUyYEaJTLjnr/dhYfvuRujh/THyU/ep85cvq3IalR0FA1cuEFsfKy32p/pIfQWsgj79gusXzYfFYoXwj9p4ItmJRkrkxWNymdH6+qsS3UL4YmGhfFUoyLo3bQo+lJXBrYshWGt2ba0LoqxbZiv7Vg3OxRgPc7P8svLPGYZdipJPamBl0Y0x8apXbBoWFPGlcZ4thtPd2abk9jeePB0xoLl3qkQnu7EcutQkLpWCBM6lsSsp2ph8fDHqYOdsGJsazzTpxYmdqCudpBOeHo2hel7eqj2y59mMd6zOCbwXqOY7ijGTe1dDYvHtcWa6U9g8fi2mNqrOoa3LYqhrQtgNNursZ3VfhZl+1mIyM/43Bj0eA70eyw7ejXKRrKchQQ6I7rUzoS2tbKjYZU8qFmhKArlzY5//o0GNl8evPDccwg7F0YSpd8qRZtFu7z/CIvwWKispFNENA2gYPYVr/bInpM2pGYQ7TFHVlMiqx/xvf2/lZONPkuH4RwdhzDmlTobNJ
9GeeAeVPjJoZHFrpsGZTh4CwXkVoJuG4ZoSId9aKb8VFisFWlo5VDnvwPlPvJ44a2CytBTaE7WRkuGESpitZDncQLxtxUQZboV0QbrEK65HL4Ujy5qq2B8bBk2zHkXf3rrl9i3fx/ScgrQJb63RQE5OjCMCYoMogTj4mz530D0JiEVfd8XYjkpQKUFUYBTdABBamIoQCqmTzUrUvB+XwyJECZ7hK5jdBjFuSm4uGcnvuHfKf/NH3D3yCJ4X1iBoEuLEXV1MZJ0liJNbykyjJbjgdVmVPnsQV/CRYxnaGAgUQ2NQYfx0k0Jpc47UOsuhx4e7yH/bZJbOAb9tjHPchQhCmjz2YvOYBaf0ANoDNmJBhqO+iAltEQcw2i2PjFjh8nCO+iPv4jGwG3M22IWMgqbEEXJmbI2713oING001h2UzCNBK3HoD9FDfHSH7gFPaEKqAtSRlX4UXRma2NcXKl9boXhHE30Rh8mZneQuLZIrvKOcP8GA8S+KtBgc9/85SnCKMR8tlKksX2Kr07iqdWN0zxZ8ELOoSNOB61J4tMOmsh1PIJESwXEGW5AjBbNhcZCRKgvhte5hTDaPQ1rP/o5lnz6Lm7pXkVN6VNMjAsT8eos+Q+FFAM/FCKXUixI2xbTBR6kmBAhxc1Ucvv+EPvRw2LXTbPKcZqfXvHMqvhOmzCrkhcsdSDcz4NmdR6+evvnOLrla5ifXgWHK6vgo7MKIQYrEWWyGgk31yHVagvyXXajIvw8yd8QQ6mmzOs1VLvvlVyNr/dZzeKzBq3eGyiOhfEjN/jupwg+iIEARfIOeShgFToDV1DYrkCT/zqaTi6TeIVC6S5Q5ERhTLEUep5mV4kFbjsm/FUwHnAMPRS5rTSUHSEb0Bm1hly0FHWBS8lFFDah2ynWKdgpktr9dmEw/BgmUnQplCiws20xIF7aFaokeU62iYa2O0AeQyEq6PVTYnFWQD+FUI+PMseVOI+iz2cemgJmopnt13pvRoMPRVuoPgZiHGkG7CiULpN3tyPafCHCjOYiUG8+PDUXw1l9FW6dXYkDaz/DlzQrmxbMQ6inF/o76EBZ9MR3VsXbgAfGyTHjPeilAOlnbsQVuaG+MdCTYogx0Dch+ei7OPPfP0jO4DL9/TS3/f+Ghe8LaaETOBKFVVxhFCEwJrAztRhKMfb/+yur32pWW2hWW77TrPZTSPZKru6NcFsib33ITI6D0ua1+PRff4Z9G7+kWV0Lu8ur4aGxGIG6sxFnNpvCcSnSb25C/l1V1PhqsG7bAJm26I64jhqKvToaScldTP6rGCvQQX7sJI92+G5n/RYnmHdTDCqjx4t8Kt7xQMHZGChueWP/iLyAyVxHoDgAk3mWGAg/JDGm7eTMjiBFciM5Mog8SBPbErIDLaFr0B6+HN1hrN3B29gu+4Yn664r+4frARpZdQxmk38fOQPiHRZJV1irXwlScVt+u+82NPuzhrNPNQTKoymQ+0Ih2kpu7iQPdLN2dLiuR4PTRlTfk0O112G0xGihN8OCZtUIzwLOI8NWFTFmOxCovQU+mlvgrSmDe9dkcOuCjOQ24K/f/SXN6tdwsb9LvSTEOgUka/eQOEEwLD4fJLiTOB/ux+iQ+NZqL0aG/+0E8Q+FlC9F3xAhnS79PTX+Z359sxDrSbcj+qd0mhhKzGpjPdzsb2PVrI+w/KN/hPbur+ByZg4CLs1m3Z6FZK15rNuLkGm+Htk2Csi9tw/lUVfRd98SgwWmaI4+jWpPBbR47UQv66Awqd3kwl7muYsaq0U8M0xD2sjprT6s476snTQHvcxNp/sWGgJljCVdlpwwnHhii55Ufcmzgm2hJ9EptKK3LEZZ/ycCt1KfbUSX53q0iRMj4azh4ayroVuoPzfTvDDPgevJ6SoYiaYOyPEnp4cBuQ7oi7hAkyOP3rAN5FJi2p/YIFf3+u+nTqSeIJa7vHfQgOxEX9AOtAfLoi54O16wvj/l9PKgg2ijhhxg3elk/S71Po
HMOzKIM1mOSONFCDKYB3etWbC7Nh+31ZZDacVf8eXbv8D+nRuQmRCK0cEOkgP5cKwHQyO9zMcrbvzPDsG5Uk4VIeVkqSaYioc3xtMQ9cBQN3pptPtHGjA60U6ct6H0SQ40zh3Cl+/8Ehu+eQs6hxfA5spiuGjMg7f2bESYLELKHdbt21uQcXsHnrofQ3eyISYK76Kbpr8y5Bie+e1GKTWTeH9Era8s2omffuJlkPkYcpXFiNs2jNMsDnuuQ6/XWsmJqRb28WquVx9+CsO5FjSr3hh/4ozuuBvEGPs3OaY3aCvr/SrW/rUYJa8Msj73Ujt2++xm3pXRSS5qC6bhDZKhp9hOvbcDbRGHMJqqAxRaSa7UTnAfe0KPv3p0gXzSTsx2k28ETrp8yX0BKqz7u6k3ZCVX7cXjYF3uq9Dqshr1zuLqrwIaI0+jk0a1M9MYFRFXkeewB2lm25CitwZx15cgkscr+MJieJ9dCst987Dho99gwQfvwFDjEl7+7TZgUV9E7RQhraXS3L2e/x+K13Mufk8NMU3gRWBH1OcfjVn95ssPsfiz38LgAMXQtRUI0V+NKBrUOJvtSHJSRLrbAeR7ncGzIIrvZBuM5ntgLOceeuJN0Bqqhs6IEzSJx9CfcJTG4Qh64/k7/gKnXachFW/aZNHguBCL/SkXSFLiHvTz6E3XwmgRxWOZD8Mfww+d0JVmhNbEaxT5F9GVepWgV0d7NAtX1HUMxepgOPY6esJPYCDqMMaTjmM48QhF4gn0xauhN1GcAbTD+NMgTL6MwrD4zmv2XdQl3UBDgrgl6AL6k85iOOEMhqPPYijsAobD1DAcpYFBFrae2Gtoi7mEljgaqpgrqI/WQHOiETpzbNGRfw81NOlFgTeQ7nQaSTYHkHR7N2KMZSi0ZRBgvAt3rspSjH+C9977Z+zavxdx2XloZqWjRUUPiaCvuw2DPe0Y7ieRveHZNqmhkJKQlIheDwFAMU9qVsW4mCZMx7cZj9d/f19I3hDHDtA/MYnBiXFk56fh4N6d+PjtX2LrvD/i5vn18NSWQbDeNsSZyiH1ljxSLXcg864CHrsfRm3UNfRn38T4fVsM599FZ4oJGqN1SELX0Rp5FYMJ1zASd4GF5hSGYi4yz8x7BHMRoYWuOAN0JemgjSa3LYmFLZmYyjTH+GN3klcYJksCMJR3Bx3JF9CWsJ+4Ig6TrqI39gY6mNdWYqcl6ixxeBIj8ScxHHMEQ9FHMZLA/KdcJdY00JBqhJ5HTpioCMREufgciQ2LlS4GianhuPMYiz+PcZrtoXjikPsm2myPv4xO7k9nwilu6wQGY0+iP/qU5IpDZ9QVdKUQNzQwLXn3UJ58F4WBWkhzOYMEq72INRdX5rcjwlgOXlpyMDy2DsunvYtZ7If6OjdQ9rIUk/+bnlkVeZfmXmBESlhSjEmX+TbC+84YEut2EyddLNBsi7/Fd4UlHxUXz9lJzGo3wn28sWnpfHzNondGhgXvoiy8NHfwOCgi8eYuZN1VQYHdfhS5HEOpL/thrDGGyDMjuR7oTrJDc5Qe4wKP/XF0JZxgLk6jL1aNeLlB0cK+H6GL/sgrGIg7TS4iDpKPoCfpCDoSKIYSr2Mw1xooCSRuosk7ARhMpghjrkYjz2KC/DQeb4TecB20R1xGd+JZ9KWfJj6OoDH+EDF7Gj3krl7isJemtC9BE8NpppgscAWehFMshWAo2wZtKdfRnEwMJJ3h9s9jiBjpijqHzvAL3C919MVwXe7zQOJJdMRThCWyACZR5MWyWJInu5Pt0ZcRiPZkX8LbDDkeRxHvuBORNjIIstwGH5Pt8DNThIv2DpySmYkZFEqbFsxBkJu75AVLwkOJq0CdzEfHYBu6h9tfe8HS+Hc/s8plxJucB14TPd8VUqEkxgVeXj8RIi2EP5nVNzGrrd9uVodemdXuvmF094pj/MqsZtOs7t66Fp//4Wc4sFncpbAWDtfWwk1rJXz0lyDMYjmib29ELLk4ze
YonvvroTvFEQOZTmiK0UdpwAm8CFClgNyBlxTq1TSUjRHKaAzbJ3lxSb2/eLkI+Sz0LAX9STT4HUC1/15Uc3552CHiVQtjeW40qyEYL7BDT9wlNIUdRHOECHJ+yGHUhZ1CbfgZVIUeRkWIPEXrNtSEyKIxaBdaAmgcfA9R/B1Bk/tJNEVw//JdMPLUl9x+D0MZ+uyHp2l+9lFo7qHQ5LaDD6CcbZWFHkF5yCFUBO1DbaAq51NIBtAkeSuiwk0Bz11V8dzvHGoSjNFBA9yWbsHl1VDgtA8ptxURyXodpL0V/tqycLsui7vkodM7FmL6+7/AitlfSG4DbmyoxThzPDg2Kbmy2sM+1UdOGxpmTWVOXn0vnWaEdV3KqT8UUzlV2r8E775e36Uxta+9SUi3IcZFm9JpYvjKrDbgHo34olkfY84nv4banoWwvrgGHldXIfA6zZjOKsQarEWCJWu40yFkep5FSZw+mgqs0ZxriYooNTz32ocqbxrTwANoC9yPRprAusCjqPQ7ioqAY8THSVQFH+W0/ehgznqClGk45dFAU9IcfBh9NAkTJfcw/kJ8W/MmKiOuozr0AjF3CC2+KjStSugJVKLJVCLmdqOG7YgXalWF70dl6C5UhSmgIlQOLwPlUBVyBF2xZhjPCwYeR2M83w0d1Jv1wfvRJF7oFb4NDSGKaAo6RhydQ6PfGdR4HaHh5j6L2z5psutDVNmuCp7RSD/124+y4PPUf+It1Lc5NEOJ92Wksi5FmW5BqMl6+Buugav2KlhfXwtzta2QXf4FPnzrN1CSlUVCXCJ6B0YwzGPdNzpG3h1h/2U+/pb//8wQXCp0nuBWKYakOPgPxxBxM9CPnr4u/h09GBkl1vsH8fJRCTTPXMDXb7+FTTM+hN6h9bBT2wT362vgT76JMlyHFAsZpJorIOvmHjxzpsaPvYnJbAdqMTPUBl1Aqc8hPPPZg6c0kS/Z9xvCjklOUrT5H0Wb1wGawgPoJ6Z6g1XRFqBIPCihNlT092Ooot4SnxqcfBGAsWJvdKRYkFuo0cOOoj1SlR5kB9pDFdAVtodcxdyTV+q9j6LW57AEPzUh5A7muCJUGS+DVFDLet+fyf17SP4qcsNI9i20RV9FHfFZF6xCzOwmp6iiyf8AGgKPkMtOENMn2NZB4l0YVwWIl7TWesqh3F0eL3wPoiJGHQ1Z4nN0VngRa4hstzNIptaLN5NHpO4WBGluhNfVjXBS2wyDQ2uw4rO38M1f34G2+iXJ24BFnZHWThFiXNRTkRfBBVNz/yYheEC0IV1f4ENgRso1Yig1qaIm/2jM6vQvP8KSae/D/AJNl5kqom33I8njGDL8TyE37CLuR2viaZwxKlNs0VnIYvI8AngejonHPpgoEmdXrYBSms6XjBd3SUa2GHvhhqGnPuh76I0BxugjL4wWu3G6E0af23AejctTF4xXhAJN6YxsjJfHc7o/Bp66YaDECSPPXTFS4oHBhx4YKfLH5DOak2fBHHfCWBG3WULx+UyEHcfdOS8EKE9iW/eB9idAYwFGymPQ/9wHQ889uF1njJc4YqKY8ciV4cXwYwRivMiX7bpj4NE9DDx24j4zCu9h+IEnxp6GYLgkEh33A1CZ7IDiMFM8CtRGkc8V5LmcRKrDccQ5nIWr6REoyczDx1+8D9VTxxBb+AD1I+PoYOLahvvR0duK3r5Xt4YMs+h9G8heDynY/k4ojKnzBSilIcApDWnREutKhaIAqFhH2hGky/xQiE/XdHD5Nv4dLYy4+9nYdUgJf/rzr7Fp1ae4paMMfyv+vTwOme5n8ND/Mp4EXsOLiBuoJVl15Nlj6Ik3xp8FYux5MEafMofFQTyuQcwZzUOJNyYeOmKk0A4TXG6yhPMfBWDgvi+GHgcQBxw+c2UOXTD8wgfjZVFAfSZ35gHQnAdUx2C81IX5vc0iKK6OerCNQIw8CUQfMdpLYyuwNvmUWC26S5IiTp/YEzduGCz2Qu+zIIzUETdtOW
wzA+OVUdxX7scTZ2LbCXh6j+FC3Hjy7/BFX4kfBkuJ6TJnbtMaE09vcTnG49sYE1cFHtjxb/TE8Mtw9NAYNT4OxIsMJxSRwPOCNJHucRYpxE2cwyn4Wp6E8eW9WLpwOr6aNQuaBuZ4Xl7z6qw+8zQ11/9PQuRaYEFKTNLiJp0nxYz4LSW213H3nSER1F3ESSeGRtk2nVAv2xkg9v/NrPbSrPph0+L5+Obd3+C68nr46hxGjNlxZFufQdG983jhcQVV/loUEAYUHbcwnEEj+IhcU5xIronD6GOBGVdMljkAjEmKHhR7MEIw+TgKQ/nM430v5pXrlTLX5XaYLCcXPbfHWIkXx2OJl/xX3FDPYUkEJh8wx/dtuR228zgYwwX+GHzgTcwRrxVeGHzuiN5iaww/s8fEC27vhTu5z5vb8Oc2uG/VxGFjEVBXiImyOK7nhZFSctxLO2LRilxoQ/6yxdAD4ueZH4utF8OZ41YYLtbGUIk626bJLrJA/wMn4j2UWE1BT1Ei6rI88STOCHkR15ARrIZEn3OIcjmF2HunEXz7CDT3r8SyT9+SfGc1woe4bOsTd49TaAyji2Kjc6AdPcMdkmdWxUmEV7cBT065DZjxt9uAhzlf3AYsruQNTsn76xiaGlKukeJULC9wIzWo0sIopkuL409m9T9mVnv6RyRmdWR0kvN7kJkUjV1bV+PLd36GYzIzYKu+FT6GcgiykEOY1Q7EOu1CkutBpLieRY73DZTG2KCD2O4V34jOsWUd00FF8hVUJp1DdfIZNGapoTVbgwZCG80pemhONkJ7mjm6syzRnW2G1nRdNKZpST79UJ+pi7Zca4yWhIENkHsD0Fd4k8ZQG5252ujI1UFTpg4a0o1Qm26OGg6r0zVQlXYJ1akX0JByGc2p6mhPvoH2eD00xRqhJZOGl/V7iFw+VhlMnrXjdg3RmX6DoYm2jBtozNBDXbYRarJNUJNhiNo0XTRxnzrSxedJ2F7KVTTEXUZ19DVUJBqjPtcRXRSjffft0Jqkg7KA03jsdgjZNqpIvrUb8ZZ7EGa8B+7aKlDftxqLPvkd1s7/Ao53zVFfU4nR8QnJFVXxRuCufpED1lN2GlG/xS3Ag3097CtvfoeUtI+I8an9RFqbX19e2gffNKR9VIxP5XcxFDhuamqEg701Zs78DF989gecObQJd7V2wctoN8IsdiHujjKSbPYgzYWcHHgd+VGGeJ5li4bHnqQ4Z+bPFGVR11hur6A5iVhJ1kBD4nXUJGqjIkEPVcni26cWaMgwRku6HrqJgf4sTXSlXEFrghraUm+gr8gWEzXBmKiPQBu5uybnLurSzdCQrIXmhMtoS7iEjiRiMYm5TKF+SDeU5LomQ4c4uoraDGIo7Rzxex41qQJrrMEl8UBFKsaehfL3HTSkqRPPNKdZp9GYfhlNqQbEtCUak2+jLtEc1bH6qI27jsakK8T0ZS6vhtpENdSIaYlm6Mq+h74Cb3RmuKEy3AKFbpeR5nAEiXYHEGW9B/43leFitAd3bxyG/PrF+Ojd96AgR90cmwdxc0vPGEvMENAxOCm5w6h/4FXO/7NDml9piNxLx6UYkIb4/cMhTjKOoK9/jPvMOiEeX+ujrH9QC61T2vjmnQ8hO2c2bp5WhY/OQUSY7EOCuQqy7uzFA7tjeGR7BiUOV1Dna4zBZNbgfH8MZ95DeyxxEamBGprOyng11KURO1ms8eJ7pSmGaE8wQFeyAfrSGdm66MrifOa6OesGGjL10Jh7E70l9Bq18dRmsegu8kRrzm20ZxugO1cDnVkXyQ/EF3mglZhoSjJEfbwxasktNUla5InrqMu8hppM6ovUK8SoMfpZ7ydfsn5TSw4X+6BTfJedvNaapc64KmmrLVWHfGjIfTBDXQYxmmbI9rXQRXx1sp3WxEuoi7mIyjhNVGdYoumhM5rpeSpynFAYbogcH9Ztl7NIsD6CCMsD8DPZDxf9QzC8qIyVcz/FjC8/wPVrl1gPHk
tqi8ibNF/SfIpxwQ8iP9+Gge8KaY0W42J9oflECL6RLiPGxbQflVmd9vlHWDrjz7h9dRfCbh9FovMJGtVzyA+7RIGtjpIkXZSJjz9n2qD7vjBvgRT+FGsEEGhKUU4RV0fR10CA1lHMNdCAdKZisuc+xtvySUwpmKyJoUAkOFqCMdnsg8k6T0xW+3FaNHs2BV9bHiZruVwVBWQ9l6mnOa2nmakL53JRmGygoe2kOekqxGRTLKdz+/Xcfi1FZq0nIwgQ26jjgWotJFM85LZy2SaXrWY7bAuNDLFvDTTIzQlcJptBs9PE7VfHY7KSBrw6gMv7EsgEczENzhP+Pc8CaF5CCHBfNGU5ojrhJqpiDFEZoYUX/mokszNIsDsJd5OD2LdzIaZ98yGOXDyLpKInaKS46GbieiZGMDg2gLFxcRVCgOXNCEQKNmlBk4YUcFOXFeCU3kIgBbpUIEoBLxWXYv7Udb8v+oZG0DY6jmb+HU2MmMJ8KB7ajT/+9bfYsv4r2BgdRJjTeaR6XECB3yU853GpTjBEU7oFScBKIsIHH9EYsuiJM+cTL5iDMgqdqkjmjFHL8XLmuyKYucvgwSrCJHM3IXJSG0O8RPJ3KCbbwjDZSKNaw9w1cLkWmkuxfDNNSCPxIPBXz3zVMc9ivfokTLRkYqIzC5OdyVxOrEvMVdLQ1PhyOeKsljlviMNkBzHQTSx0ZHG5RM7jPtUGcMh9FdipC5FgdZLbm+gjBnu53VbiqJ74qyb+KxmiHzx3ogGnoSqlMamIQF9ZJFpoyqsLPVBGQSZO+twPVkeurxpS3NUQaH0BpppHsHz5PExbuBhaZnfxrKIO49TCb5ojKRZ+KKTEJ8alZCgN8VtMF/MFaYkXsYlxaeH7/mDb4hZSmtWBsR70CbMqCh/Nat/gKMZZvHvaeiSGasuieZj9/m+gvW8DQoyPIuXOSTx0OovnnudRHUARFE5xGm2IgcSbGMt2ookk1zwmJzwhTl4Iccw+3yA4hn1e5LKanNLEnHUUY6L5EXNOnmjgsk3MWyvnt4rlaS6r+Ls2jjxDzHSQRxo5rCD3VBA3Ag/VzC9xNVmeSK4iD3Vx/gD5ozMeE43cBwm+iJl6YqKWy1YL7FIkNXDbLeSbplz+Jo6quZ06LtfENpuJDW5biLPJhlQJd0nw2sDtNvoRe9bkMUvJcPyFPUafekgMwOjzBPQXx6K50Btl6bfxlCKwKN6AplUbqf5XEed8FkGWR6B9aA3WfP0+VDatQWxAEAY66T6JG3HcB8eZV3LN4BjF8BtcWRVGtZ/L9PWL51z+TUBP5ZupOZfiR2pUxXwp14ihWGcqxqTzpxbEn8zqG5jVvz2z2jc4ht7+UZrVcfR0dSItPhwKm1dKnv8+LT8bbvoKiLq7F6nOh1AQeArFMZfxgiaijOK8Ns2epdMPo+UxGK+JxWiFH4ZLHTBcZsW4hZEyS4xWWWGs3AFjL90k80crA8lfgRSH/hiv9cVYHbFZ48K4x/n3OI/4bSRPkjcnW2OIcQ+MVzmwfTuM1Tpw/XsYqfDGSFUohln3h5s4bPTFMHXCSA3nM8aqXWhMvV5tryoE443sa0I3dMZRM/hivNwJ42X2HDpyezQllawfNf4YIW+P1AZihFwwWs42uN/jFfYc2rLvWGHkCWuOeAzohR/XDcDEMxcMi+++JqijIeISyvzOoNjtJB64nkG6/SlE3joOs9PbsXHW+9i6bDqcrS3QWFsp+db1kHhelYa1myJePAs+KG77HerHsDCszI14hlXg/E1CyrOi/4j+IO1T0n4kavfUuxOm9rc3Cek2xLjof9JpYig1q/YO1vhm1pf46qs/Qu20PFzMTyDG8RyyPc6hyO8CigMv4lmkJkpTzFGeY4O2Zz4YIV+NNDCH5Z4YKrHD8HMeZ+ZEkuNyZwwzL0M1QRhuCOdy4cylP3PhjvFqV0ww3+OVzE2pNbHFPNWTkzup07oTMdYRh5HmCOaTOa0WuCMHltlijDkf5e
+RRuaZNXu4IQzDtdyPWmKnnrit4z5U2xFbbhgjtibbqeN6CljDaVjrAtiWPZe7i9H628QZ26ryxmgtt9OQwkjFcBXbLPcgfuw4zxqjLy2JGXOMFN3B6CNXaj2a6dJojD8JQ1+mOxpjbqI8TBvPQq7jPvVeCg1IhO15eFpcxkG5jZj+0afYt+sIkhMfoIcU3Md61zlMuqdhFc+aD4or8szDD4U0j28SYnkpt0pjahsCW4LDpTw+dd3vDvI46/XAEOuC+PgDzepwD8tuYS00T+hg1jufQHHBIthfPorom+eRZX8BTzwuoTpQHS3huugMN0FfJI95ijMmiqiNSqnBngVh/BF547EtRkruYuQFj3EFc0zcjL2klygXOolcQ/03Xi5qpScxwj5dS3zVOHFZEeSWRtbbLnJNRwbG66Il/DNW5UK+sSXv3CGPWBEz5Ahy1Wg9cVhDvFYRk9XMs8BNgyPxROzUi3Y9uR1qieYU6oF01mZxgsyHbZJnqsmD1Xf5m/tYyX2sIe7qQ9hGKPFOHix3I9eQl8pfYXqk+DZ1rQ36xAW2sgAMVIah9QnrdpoVSuNN8SxCBw/8riHL/RLiHS8iyEoNd3VPYuvaOVgw5ytoalylEXzC/vnqu/pSXhDjggdEXqS/p2Llh0LKJ2JcrC+t4eK3lGek80Rd/tGY1Rlf0Kx++Q4sTm1GsIES4u8qI915D3I89+J+wCEUh57Ai/BzqIq6hpZ4ffSID4UnG2IowxAjOXoYzNHAQIEm+UKL3k+PXoNEUUtB1lvEXkthXxHKju+ACYIVpRYU8oYYK9bF8AN9DD+0oEhj4Som6T2wZvD3E1MMPTLAYJExTY4lhgn0cYIZrUk0tomYqPKi6bmFgceGGHyozTa0MfKQ+1N4E0MFLMAPHTDyyBGDbK8/zwT9BbpsywADxcYsYmyb+zFRTQHbRpPTxoLLQjkirqZy/YH7bOcB28u/juH0yxhMuYy+VA10pYpvb2miKvwSXvqfRKn3Efr0fXjisAvZt3ciymgH7l3bhj00b9M/fQdHjx9Dcs59NPeMsdhRQFIUjvSJt+q+ernSIM2qAMqbxFTSkYZ03uuEI50mXU8AUQynglTME+CUTn+9jddD3FbYMTyBduqz9gkgMbcAKnuV8QFNx/bln8FWczfCbh1EovU+EtgePHI/hJcBJ1AbcRbN8ZfQnnSNoY42RmeqJvqydTCUx3zkG6GvwAg9hQwOBx7dJVHRfHSTlJpIIM9JMsW3MPrMAmMvzFlAKKqeMO/5t5jXu+gvvMP8M+dFJsSIHoYfaWLooRbzZ4TB+8SNuCLK4olOmlthdil4xh7fxOh9A4w9MMDoQyOMPDDjuncxyCI8WCKuANvwN7dZZIqJR0YkXWMWMRNuxxyDT+24fzQqA2k0Myx4ZQ7EoBlxpk/s6WIoXxf9mdroTdNBd7oRfclN1KRYoDTOCCVReigOv44i/7PIdzmEDPu9iL2zB56GqtA7twNL5n2OabO/wQ1jMzyvqJKYVSmZ/GeFyKUgPYEBQWZScpTiSUqQUmJ8HQffF+L2UfHc48AYDfEwCZCYEbcBvzKrk5IXLEX4umPrkjmY9d4vcG2XeN5FBjFmssi22Ykipx00rIo0rOKWv0NojRC3+l5EX5r4AL0hetN5nPNM2Ze10PvgMnruX0N33g305TOfpeSGdppLcs0EzeuwyGGxGYWrMUZfGPC3Hvu2PjnKnLzCAvPYgfmyYnuc/1APY0U65A9j8ga54z65qESYTWKmm8K5MUgigAceG6PvIXmEyw+LZQspbojDkUIbYoXC6QGXEfuXp89lGMXkxacM7sf4U2dyDNtry6fRjcdkiYcEcwPkmYGH17n8DfSKM8pphuhIvYn2tDtoSrqFymh9PA25iiIKyEK/c8h0P4FY2wMIvrkHrjpKuLJ7MZZ+8nvJldVwLx90N3fTOL26sto7TJ4YYd8f7WY+OiVm9dUzq+NTnlmd/Pszq5JbgAe57BuaVU
nOp8x/nWuEgRM1RmBJTJPyzU9m9T9gVkU/FaZJ1BBhVjvbkRIXip0bluPLd36OMwqz4WmkhDhiI8f9CB75H8OLsNOojr2Chnhd8q45ejKtyIsUasT+ePEdQLz5vNQEqDQHam4Rn+LOKLtXJ27aWLu7iNdGcXKIv8UJ6FZXcihxXG/PabYAjSRYh1FH81HD+ZU2jNsct+Q0tl/N3y+4DAUcmuPYN1ln2yk4G7ksxSAqLYAKLl/BbVL8ocyF08TJHfY9cTKq0pr7w7bKuIxom0YY1ZwuTha1R9GciBNP3D+x7XLOr7DictwuzTee3cQkOXyEInKUXDD24CYGM7TRGaeGlsiLFNen8cLzBB67n2a9Ookoy2MwO7kF62f8AVuWfAVXG3M01VVikrkfGnl1ZfWVWaURJLYlt/4Ko/rvNKsiXu9DYprgXKm4FMNvW+5NQqwn+psYF31SOk0MX71gqRGONKuzZ35KzfcHaJ6Wgf/NI8h0PYUnvqdREXwGNaFnUBd9GU1p+mjNMUfXQ1EbHciBPP7iLraSmxyK5wd5nMuYR5pLVAls0Jz0Mce9jGaOi1zRbIAmAfViGeaGhgI1/F3H5cVFBnHCUWCrmtMqmEORuxfMubhDT5x07iIOu6n5Wphvmg6Uc/sCOzVsR+BV/BYniAUOaSoky4j9KeP+VRPf1cR3Ofe3jPtRG0zcZBKHBeR2tlnJ9sVy5cbcniFQbAA85PL32fZDYrGI+5bnirFkK3RHGaA57BpqQ9XwIoD12/UEEm1PIsjiHE7Lrcb8D/+M40p7kR2fg+E+cTsnD8XABPEijKq4c+U/36xKQ1rbp9bxb4tvW/fbQpwYE+88GBwew8gwTWv3GJ4WlEL9mBpm/OE9KCyYAYerexB39zjynE+g2PM4qgJOoSXsIroiNdAfbYCRRAuMZ9tigrUUrIugpkcxj+1LM+aK+a0W/ZS5K3MjVqjPuoiZFua6Wlx8EtN4/FuEdhO4EXkW/V9ghnVeXEAQnESziyrOr/0b55SJ4O8G8lG70PXxxJA4qczlKtlGNefXEgu1xJjA2ku2JzmBzWXECfAygUEuJ1mGUcN2a8l1zWyvl231kA8biKEq7l8F/y4JXrk8uQbUlCOPyK9P7OkxnNBRcBe1ifqoi9VCbeRVYuYCHnqcRrrDCUTePQk77f2QWfkFFs78EFoaanj6lGZ1cuLvekyEGJf2Zenvb8PMd4WUU6TrSzEwlWfEb2nd/tGY1W++/AiLP/5nGKoshI/aakTqrkGi2Rqk3FqFbNu1uH9vE564bsdzV3lUeaii0Xs/Wn32ozfkEAYiDqArZBe6wpXJV6qoCTqI+kg19D8g4MTV0NokDNNA9sWex1DCEYym7MNoqjL6E5QIbhF70R97HINxZ9ATdRzd0QfQG6eKjmgltEXtRjt/d8afwXA+SaWcQBFn3CgWu5JPoyV2D9pjFNEXp4QBjvdGHkBP2CH0hx/FYNQx9IYfQHvoLtZIRbahTPxy32P2sHifpEglQVVxH0lwk0W30Jtwmf3mAFrCldAeIYue8O3oC9mGDv8taPSVQY2vPMq8duKp81Y8tFmPB3dW4775MmTrLUDijYWI0FiJe2dXQmXJn/D1e7/Ckb17kJ6ai65OAmMIGGGnH20fYPRipEecmf12svi2kIJtKuik8W1AlYZ0XUFiAuxCVAmQCoB2dnZKQCpd7vtigMajZ5BiaZwkzMjMysdBZWV88tavITvvA9ic34xArW2I1F6HBN0VyDRdicLbq1Fst56csJm1ZBt5aDuP4XY0BMqhNUz+b7nfhTZGQ8Ru1EXsQWvyhVdFsTEEEySPgawr5Ij9DFX0JaliIHEvcXQIXRFH0RF2BB3h+9EVpYzemF3EgCJxo4Ae4qE7UhkdxGV3ymVMiAJb501iscd4vhYG4o8TH6oYZJ77w7hOhCoxdwidMWwv+jA6iKHuyD3oZ7sj0bsxTAx2C2yH7yVuLpCMbmGyzR9j9S7ozr/BaW
eIwSMsaAe53kG0B+1Dk98+1PkeRLnvMTzxPIIC533Ic1JBnoMicqy3I92cx8lwFUK0VsLx0mpo7F+MhV/9HtO+/it0DXRRWv6SYvgVeX1bPl6P1/P+bTG1Lek0MS4wIL3yLpYRvCBCYEW6zJuEeNalTwjr0SGaI5olcYZWmFUK7PGxCZrVJkT4OWH7stn45p1/xJntH8L+4hz43ZiDWJM5SL85E3nWs/HIaQGeuy1FqecKVPitRx3xUh/E489+3UkuaImUQ3P0ZoYMGsSH4UPZ3zPZlyuCWJyiWTRs0R1/jnEIfeSawTTyQpIKcyswwXHmeJB80xd1CN3EXX+sPEMOPeSbLk7riDqLgTRyTYkQQME0mjboTb3AWroXzeSRrhjihlwzQJz0c58Gwg9jKOow+iP3oyN0N/UzuTBGhXyzG61x/B13BEPJ+pIrxKhM5tCbAsiA27pATbePnKPCPnCA40dQJ5758juGSoZ4C2Xxvb0osN2FXCtFZN6RR7zpVgTpbICPzjY4qG/HGbnZmPPHX2Lr4rmSZ1a7mjtZiMQzq0OS24A7BtrQOdQmubL6Rt9ZpWEdeO22xqk5luLm9ZAWUulyUq4ROBJtCK4RhVBgTGDtJ7M61aw2v5FZ7ad47CcPj45SBHd3IDU+DPIbV+KzP/wMx2SnwZH8G2KhgERreWTZyOChgyxeuO9Glfdh1PqdQkPAaTSHnGYtPMW+cRwDqazF2ccxls/aWnAJw9mXMZyqgTHxAjIhytqjMVHqitFcQ4wWaGHsiRZNribGH6hjPPcKxjIvYyzjKkYzr3KoxjiHsezTGM87hbHCsxjNU8NgqiZGsin6XlBk1kSwj/pj8okll7mIsayjGM86zjiHCa4/ms7ts63RvOtsXw3jGacwkXaC885iIpvzs69jOFcfw4UWGCuj0GynUSWvTzw0w0jGFYykcpvpZ7gfp6kvTqEv4RTaYs+iOeYsWqNOozHoCGvQflR4HUCJsyru2+6WPCMfa6oMX20laKksxcIPfol1cz+Dm605muurmOMJDIyMsfaN/u02YHHlSeCc/YL9RBJifEof+b74tj71eoj5op/80HLfFtK+KMa/y6w62VthzrSPMOPDX+H6QfEmdhkkW8qh0FoGJQ7bUeq0DeXuCtRxh1iXTzFtJ1EbfgKt0acxmHgG48nMS9JxTKScwjiP+TjzNp6ri8kXFPYt4s6oUNZuF4wVmGAsR4M19yomia+JXOY55zzGci8RE8y1+IxdzlXijrnLvIiJrPOYZK4nU89ggtiafGJO7UgTIU6YvPQiLowxkszlMi4AOWqSmMw8j4nUc9wPYi/tPMbTLnB/uE+Z3LccYivnGEYFHtI1MFFIg1TOtmrJwaVBxLQJhrjcSOYhLsNIZsQewUjEWQyHX8FQqDoG/K+gw/Ms6u4dRIXTLjx3UsBDWzmkWW5HpJEsfIib4+u/wbx3/xknZGWRF52A8W461aFJ8ix5tZ+8OCjy8WZ1VIqPN4mp64hcvx7SZaYu+yYhbnPvHWIbHI6M8G/oHcDTwke4dvwkpr31G8jM+QtuU+8FGcsi4fY2ZFpvwn2HLXjmIotKDxXUk29a/U6gO+g0+sJOYTD6OEao+8fTjxADJ4iL0xjJO4fhtIsYyTHApDjR0CnuzPDHyP1b1Pl6GH2kg3HyzcTDK+QK4iaTIXCWRu5hLsfTr7OfXyO+LrG988zlBQxlXCSmNDHJei2546qKnFNsh4l8tsX1x7NOSDAxIXBBjIylqrMNffKQIYc3iB9yWjbxmU/+YozmCg67yvp/k3ovWHJX3/gzB4zkGnDfr2Ik/RJxxW2nnEE//UlbzDlyDWt67GVq2XMo8z2ESu99kmPy1FEB+Xd20FPJIEhflsdvA9bPeAuzP30b2tcv4FmJeBvwpKSvSvMnxl///W35+q6Qri/FizSk88W40H6iLov40ZjVmV9+jMUf/gaGSnPgc3YJIq8vRpwwYcZzkWk5Dw9sFjHvy/
DcbjXK7TdI3v4rPm4v3rw5GCwvebNlHw1IT9QeisojaIq6goEHNJZ1mQRNIgazLNEVepTL7CJ45TAct51mcjt6QmTQE7yTgk8VwxT6A+H7aCR2YyBqp8QsdoTJ0ZDsRlf0UQKHgq+CbdaI51dN0Zl4ituhAY2Sw0DcToxQRA6J9oN2YTRYGRNhKhgNVcBAyHb0RzDi5NEZq0ACVkQTDc9IIdsTZ/fqaWQeWdLoEGghFI7cp45g8emK9RgIFq/iX48Gz02o8dqOMncZFDtuxAOrVbh/azkKTRchU2cOEjXn8ZitgPM5YVb/SLP6Sxw7sBd5OQ8k9/1L/lFEop9ip3sIY/2DGGVREYXlTUJ6luT7Qiwnzpi8Lq4EMAUQBTAFQKUAFr9FJ5CC9/uDBneQbdGoDjPyc3NxYs8ufPXWryA/5z3YnFqJgKurEX51EWKvz0K63iwUmMzFY8sFeGa9GC8dlqHSeTlq3Fai0Xst2gI2ojtkC/rCt9HgydIEyLMgUtzTrI6VOrPgRbGw0KxSfHQTC91RMjQXclxejrlUxlDE37ASRuMQIUMsbcVQ9DYOZWkaxHI70Rm6C92J5zApPm8jbgmtcsFE3g0MxtBYhBC3QVwvkOsQtwNss4fL94QooTtYAb3BOzAUIouxMFkMh8qik4apIUgRzSSlfvFsamcwJhrd0JOvgbbE42iP2osettFHU9sVuAutPkpo9NqNak9VGi8VPCRZFdhuQ4H1ZuTfXotMk8VI1F2AEPUFcDq/GDf2zcOSr3+HWdM/gJGxLvtl2SvIMJ+vY+H1ELkXy71JiOWlQkiKG4EBgQUxXeRaSpBSA/smJCne/ts3KF6qxLZHuI2hkdfM6iR625sRSbMqI8zq2/8Dp7b8CbbnpsHn+nRE6H2FRKPPkGHxBQqtZuCJw2wUO82jqFyEMrfV7Hvb0MZ+3UVz2hK8Dh2Ra9CTwH4avQtt4TSMLDqSKzg1kRil2O6isOqI3Ms+vRtDSYoYSlQgfhhhHGeexmk8x6I4L0KWfLSZ89YTh9vQSQx2hB3DYLIRCx2LnXj84ClxSJHUyty2hRGH0bIYiVbEaIQKhoNVMRKijLEIJQxH7EQ/sdITSoxyWz2xOwhjGbRGktsStIHHodw/8uFjH4zFaxOfp9AcoIoW4qU9RBWtQfvR6LcXtd7KqPZWkry44amDHB7clUGBpSxyLbYh2WA9QrVWw097E5zUt9GszsJsmtXtS+cj3NsHQ72DEtxMMIYmmIPRbvSMdEhuzRafFBphXka5yNgAscUY5vjwkLj6ycLG+UOjXGZEnH39fs6R4m6qeRP/BMakeJJyixRL0iurP5nV180qj0ND6/eaVfHOAHGngrgNdWxsAv193chIioTi5tX49K1/xP7Nn8Ly4io4a6xFgO4q1u2VKLi5Gk/JN+VO8qh02cVQRKXrTsl3C5sCZdk/ZNHNutkVq4g29onWkH1oCTiO3hRDoJLYbwqX3GnQFX0OXTEH0Zu0HwOMwTgG+W6A9bWffNkXJI/+oJ0YDJEnl+6QcPBAzA70xuxBdwQNTooJ+5Iva3c0TUIgzYsx+pMOoTtWDr3sIwMxu7mOKuu9KrrC2Sb71VC4PEaCt7GOb8c4a/hIGOeHHmIfPI2W6MvofUAD3BTEGuFCY6qOrqC9rNM70OMnw31hH+Tf1+IvhxofeZpTeUlfeu4kSw2zHU9oNgopstNNNiHeYAuCtTbD5fJmXN4xB7Pe/gXWzvoC3o6WaG+ukeR2eOoLlhhDwwL/NIUU85KYwsU/FFIBOXWahD/Jx6KfiBDjU7n13xPStsW4tP9J+fuVWW2gWb2LucKs/uWfcFllDu6prUCY5hIkac9Djv5sFBjOxEPzhXhqux4vXGRQ6rYDL93lyEvUecG7mQvyJjXfIOtkf8hu9IbtR1/sGYw+NKXeo/Go85O8NLMvTo05O4jhMPJtuCLGw6jRWJcHqL+6IsjbjHbmvZOasSeSXEq8jDFGIvZwnK
aigJxezfYawjDxzB19SVqszwfZxn6ANRw0lhPk8ZFI1vJw1v1wYi+SGjCW+iBeGYPxShiI5/5F7yG/n6TRMZA8zoUqmlXxXpR0LXTEUlvGbOf+iE8kbkKX71Z0ECstzrvR4KCCWhsVlN9RwLObW1BksQZ54ssYRosRdmMBvK8tgaPaOuxb8Qlm/v6XOCqzGbkx0ZjoI7Gyj44SJ+KK6tRc/1BI8fEmIZafysfS9aVYkGJKcK4UC28SA5KXI/ZI7soZm+A2WNdfPiqC1ukTmPb2r7Bl5tswOb4ErteXIkBnHmJN5iHr9hJq4hV4Zr8JFc47UOOqgHpGg/tOtPhSP1GDi7o5IE4Kkx862b9bApWpxy9gXNx90R6B0ZfuaE/WQSv5pjvhBAYSDtAniAsGChilRhsNVMSI3y4M+zO/gXvIN+Qg1uu+aCXWWhV0RAmOuoTJx+SGKmr6CmLn/k2MiAsMxNgAa/IgeWk4mtqOeBwg3w2FHGc7xyVfLOkLVpFgc4DzeyPpS4jVnghVDGVdw2SDFyYbAzGYb0HePIcWvz3oEC8CC1CQvPG/1VeBGkUJFZ67uVllvHBTwGO7rXhmtwkvxIUt8xVI01+KSK2l8Lm2HGZHF2LFp7/BNx+8AwMtNZrB5xKuEfVTmgdpbqf+lub5PxJS3EzFhajToi5L48dhVr/4CMs+/h3MlBcg6PxyxGosQSLNaorxbORazsYTm3l44bAIlY7LUeu4Gk331qLTbQMGfWlSfTehTXxEnOJ+KP4geuLPoSNRR/JyG8mLjqrTMZZji97wsyxwezEcpYiJeAVMsEiOhCthJFQZkxGHgKjjjKOM/ZiMU8VojDC2LF7RFKNx58HqSxCyzfoQTDyxQ494SDvuOAUrixtBPR6rSkJkBKkABB44DpoZUDyOUZSOiquvSfu4ziE0xZ3FyH1LEmEI0BJB8nLCUPINmqLjBDUBGklA0yj3sQi3epOoPVjwaT5KPZTxmMX/vs02FN7ZiAKL1cgyWoZYrSXwUVuC2ycWQ4Fm9Ys//xqHjxxAZsFDicH7+z8WPozQtY6OYXLs1RWsNwkhmKaGmCYE0ushAC01pdJ1BdAFCMUziCLvYp4UuNKO8IPBZSVvQpycwMjkGO4XpuH0AXnMePeXUJz/FuzPLETQtaWIVp+HZK1ZyKdRLb69CKVWi1FuuwTVjitQ70LceKxDm/dGCgsWBr8tFBVbJd+/7IjZJ3kbanuKFiZfUii1Z5BsfDCcoSYho8E4BYwxx2ORu5lLFquIY5iMPIJxFrkxiq7RKAobmtkRFqvhSJIZp4s3w3UlXcZkqTvbS3p1S0ihueTNvqM0u5MUWwjfxcLH9mIPs919bG8vxinEJkiCoAEBhRSixVXYPZLXnYs3vQ4+J7n2iBf1+NKsaqE14RjaxDdZhXFm9InPM/nJo81HfAZJGFZlPHPeiUd2m/HQmsR1awVyjHmcdGYj/Po8uF1aDIPDC7Fq5u8xb+ZHMDbRZ5+tlMBFKpC/L17HxneFaEs6PvWfwI0UD4IsxW+R86kG9odCnI0VV1V7h2hS6IJ66YJ6aYxePbM6JnlmtbetBZG+LpBZSlH4zj/i3PZP4HRxIQI0FiBGj8fDYBayTGfj4Z1FeG63Ai8c16LUaQNF9hY0eOxEO4uU+CxGvfdKtIeuZX8lP4g3P7PgSa7eVMbQDCZjvNAZXVFX0B52hEJlL42qCkZFRLPw0XBO0DyC0xFF3mFhGo+XwUjCdgwmKKKf3NAbfQFjqVbkhAS2l0uBE0Sho8fpxyi+KYai5TERo0LO2o+x4IMYZ9EEcQkW1bEIeYozcloUxVcihVKSPDrj9mA0SQ8oEc9VP+AwGPxjKaAuEKOHWRAp9sJfXZFvJF7qvXegTtyF4LEVpY5b8eTudjy6JYsHN2XINRsRdWM1PK+uxt3za3By23TM+dMvIbdiISJ9/DDcO/y3rDKvtKwsTYw+jHI4TuExQRE1KU6ajRBbjHGOi9yM8z
8hTMYmucwE15z4N1wJjE3lmKkhFdZSTIlpAjeCa6R3bkiLowjx+yez+h8zqz3i1u5+mtVx8bmhHmSlRENpyxp8+vt/xN4NH8P0zBLYkEs8rrA/6SxCnvEyPKZhLbXZinJHGcYWlDmup2FdQ3ytpWFdg8agtWgO3kyjqoj2kP1o8z+FvmRx+2Qo62IMRops0R0j3qS+j3VdiQZUEUPsN6OCdyn4hkNkKBw3YyRoK02lHE2JLM3GFvLvVtZRJeKbYjDRGHhMk1CWSOyHYjzLiAZ5D1ojN6AzciN6WZt7Ra2lmRmMpDCN3Mm2tmAyaD3r+CbWb/bRUIrS4P1oCT3J9S6jnyZaCFySK/vqdQpGGl1PCmKfzRgK2IIBRof/1ld3RImTzM5bUWKzgX1pAx7f3UzTsQ7J+qsRq7MOwRrr4X55I9Tl52D+e7/Exrlfwe/ebXS21klySwrDwOik5OqqOGEwxPotEYDipWQMqah8k5DyrPS3aEf0D6lwFOOCgwXmpgrXNw3RtmhTjEsNipgmhsKsNom3ATvcweJZH2Hep7+E+p65cFJbimDxHUiNb5B9YxoKdL5CkckslNxZjhf261Husg3VHjJo8JRBXyBNQ4g8Bvy2Sj7p1s3j2+mvRK49hKFcnVcn/xuDMPbIFn0xNKuB1Hush5PUhgjeQq7cQg6WQX/UTnQxzx00BK2c1ym+gS1yT7PQH6xILByQXK1FtbglPIpa0g3dscyz/z6MBKhgImQPJkNZp0OpIcM2YzB0NY0zI5zj5HQR/TRHfTGsxRG7WZsPY5xGCE+DWCfSgUcB6E28iqYIObRGrZec/OxiTekMpJal3mtyU0S9kxKq7XehzFYeJVZbWJdWI+f2UsQazYWv5gy4XJsL68uroLL6I0yjDjqssBXZSbEYGyEfgrprjOw7wnyP/q84+K6Q4uNNQuRUquVEzqVtSI2JmC9wNfVChZj2/TEgMat94kV7o32YYJEY599QUfwEOudOYfq7v8LmmW/B8PA84mYuvNWnIVJ/OtIs6BNuzmXfWo6XNKyVTttQRb6pvrcR9R7rX31mLmAlOoNXoSd0A0MGbQFK6Ig9j/EyZ5AQMFbhS32lj5bo8zSxR1lvVajndrJeEzthjAAZwEcGk747MCm+1xsiTpwooD9iJ5fdTX22H10Jl5jbO/QJ4rZeYjHPBEOxJ7k9Yip0O83tRprT9RgKliEWVYkh6r6ggxgmpoaClYi/nTTH22haN5OT6G2oD0doVtFCTdoajpHCW6/Mqq8yNexO9PnJoddPluPEjLcC6rwUUUGDXuKwBUV3VxM3q/Ds9nIUGC5A8o25CKc+9r26FDePL8SaL3+LuZ+8C2Odq6gsL5Vwjagv0vxJ8ynyIn4LPhAhnf5D8Xo70t8CEyIEP0jbFfMERkTN/lGY1eWf/gvM9y5GkBpJXGsFEvUXI8VoDkE4B8V2C/DSeRmqXVbRdLDQua5HmwcNh/dW1DisQIHxNORbzMED23XItZFDuu0BPA6xQG1mCKoTPfDCR5uGVxWP72zFU+u1eOmwhsVzPUop3l/c3oTyOzKotJJHhZUcyq23okyckbDbgBIK/Me2ciiyU0Gp92U0JFqhMd0epWF6KHA9gWx7JeTbbsET+40o5Tqltzm0YEG+uR71dzag3motqkQHuruMxLsWJW6yyHXYgSQrJRR6q6E61Q4NOc6ojjTCE5eTeGiryG1uYWFbheK7a/Dw1gZkm2zgcdiMJFMZyWdZIvS3IEhrLQLUlyPgykJ4n58D++PfwGT/DKirzMLaOe/ivT/8CnK7FeEdEYUCipKisgoUUqA8evxIcsn/+bMSlDwtwdOnT/8eIl/fFVOXE6B58uQJHj9+LAkh8IqKiiRDIYTy8/NRWloqMahSoApgSs+eSEEq4n8lq28PYUZ6hvspeVmk+f/9B3E4fUgG097/BXbO/x2sTs+Cv/p8RGnMQareHNy3WISnd5fihdVylNutQq3zRjSx2DV7ya
HBfTuqnDbiudVKPORyeeZLkEdBlW6rgAz7w3gZaYmWbD/Uxt7Eo3vKKLy7Ek8dVqPMifm14Xq3KbruECd3ZVFOAfLSZimeWy9Cyd0VeGa9Ac9tt9LsbEOR9XYUOh3E0whTeg4f1GQ44YXfFWJZFc+It/I7W4i3jahzlEONozyN9RYa662osiP+7rJIW61BNTFYaS+EjgzyreWR7XwUDyP0UUlDVJF9Cw8DjyHHSQY5d1ehkMX98Z0VeHJrOf+uZTwGK5BnsQaZZmuRZLgcMdoLEKU5B2FXvob/2Q/hcfKvcDj2GSwOT8clRZqOT36LLz79My5fvYTUtFRJ3xUC+NvwII2peBDDNwmx3vPnzyVtC/wIc1BYWCgR/83NzRJ8SHHzphh5ZVZpbsUZ2TEKrxFxdlY8ZzfVrLbRULlj+5K5NKs/xyVZFny1dQjSWItY3VVI1ltOM7YKRbfY99nnXzoqUVzvRpWzCs3qPjR7H0ClswxyzWYi23w6HtmvwkM7WeTd3o3HLuItoC5oSvRCmb8p7tseRd4dBdxnTosd2J7TZmKC2GBeyyhYK603SvJbakXs2C/BU6elKL63Fo8dZXGfPFXspIm6MC80J0egPtIRL1zPo8hGEQ/urkOxzWq8tN3IdrbjhaUMOWcLKonDKvs1KLNZg2ds/5n1JjxzXo8i1+XIsSXO7Q6iPtwBHTnh1F538fzeCTy02YX7woiS7x4zCi03IttsFWMxcizmIcuMBl53AWKvL0H0teWIuLIM/ufmw+HoTJgdmAntvfOwZ/Vn+OKtf8Lq2d/g3q07ePbwGSrKqvDw8VM8KC7C4xdFKC4twlMOS549lnDOs+IyPH9SwahESXEFp5USE+QWzn/67BEx9YRR/INcI4aCa8RyoqaIoidMm8CD4BlRY0QBFHgSQkmE+P2TWf0us/rqO6s9r5nVfumVVclbOoenmNUoiVn97G9XVi3OL4fjtRXw01iKeJ3FyDVcgkdmy4n5DSgnh1U4bkKFE+uh+2o0+FNAhmxAXeB6VPttQh2FY1PQUdT7nqOApFl9ESy5S2EgzwpN4efQGn0IzRSEjaEK6AhWRn/YPgyFK9NAyqKHxlBczZTc1RSmiG7x6EzoVrSHKqEx8Dg6Y2hWHwTSqCZh4n4ouhMN2RdU6Yc3ojF8C1rCxDcQ5WiW5dEbSbPC3wM0wAN+6zHsT3NDIz1Ac9IWeAh1QWdRH6EhebsvnQYmyzzRk6iFZn8aWU8FdPpSPPrLoctfBo0+21BJo/qS9eaZE/uZ1WbcJ7cU3tqMNKO1iNJahdDrayge10uurKorzMc8mtVV0z+B810jNNdXMMfjPPYj6OJxb+vuY/Siq/dvb9bs7pKEwPS3hVQUTg2BfWm/EL/FUHo1Q5zgEX1FYElgTvDv6zz7QyH4WghPMS7akk4Tw7+bVXua1Zk0q5/8AtdU58Dx0hKEXKeY1p6DAoNZeGQ0E89uzmNdXSk5uVHF41fjKYtqt608rjsxxHx0+2yn/tuGVq8dkhNstcxNXybNYIWn5IJCX74NmsLU0OR3AF0ByhikYR0I2M7cbEU3MdMZrkDtr4hmmo36IJF/cSfdLvSI7+tT9Nf77kNfGs1qhT8mqqPRkefMdGug3e8our33oMdbFT2+qugNEHdBbSbmVhGXq9AWvJG4k0Vb6A60hslJrt42h6pKsN0fz/17FAK8zMR4vr/kRVsvA2VQHbYJNWHrUBdMzRi4DbW+Cqjy2I0y1p3njioopsa8b7MdWeT+RMtlCDGeD3ceK3vNRbh1bR3kV3+CD//wS+yW24TkxEjJm/D7xwbR2teJ1t5OdPcRD6/hYCpOpoaUN6fG1GkS3P0thLEQmBHjglulZkQMpSHyLt3ev8usso4PjPRKTnCODQ+i/MljmtWTmPHur7F11lswOTYfbtcWIEBrJmINZyLNfBbr1kw8tFzI2k2OuUej6rwZNa4b0eC1ES0BIugb/FejJXAD2kJ2ot6PdT38wq
v3ijRFY/CZD2oTDFAbdRmNUSdRH6LCnBJvzOWYiIAdGBHf4WV+xoJUMRxMHBAvbSEKkkdpxGet6qPUaCitmGOa1RI3DKcboj3sOJrJb+3BO9AVshUd3Jcuf/JVMDks+Aj6/A+iy0eVON2FPuKxN0rczbkdLSHET/ge9GdpQTwnP1kfjm7xpunwS6jz3Y8mH2XiUQmt3vJo8NxJzCjQqCrihYs8HlFDFt5eg6I79BA3VyBNh9r42mwE0OB7XV2OmyeXYfXX/4Lpf30LGlfOsHaIZ1YnJTmQ5leKFcEPIvdTsTN1XBrSadIQbYj1pPPEUHrRSnoiWWxPqvPE7x+FWZU8s/rpP8Ngz0J4qZHEtVYiUn8pYgznI9ViAQrtluGJ81o8d6VhcNuGCq+dqPTeRXO6Bf5q02Ci9DtoK/wOmkrv4aLsn3B6+6fQOrQBt64cguWFvTA9vAGGu7+BgcJHMFL8E8yU/wgLlT/DVOkvMNnxAcx2foybCp/BXP5TxocwU/oAJrv+AuPdH8JA6TPoKE2D6f4VsDuvAIcru2F2chM09izAdeWvoa38CYz3fAQL1Y9wU/FD3Nz5Ae7KfwA7pb/CTpnju/4Iy13vwWIPt3PgC2gqf45zOz+H+t4luHVJCXbqe2F5eiv0+Lfr7vpSsk0jpfdhyP00UPgYmrKf4qrM57gqNw1Xdk7n3/clTm/+GKc2/gWn17+P46vexv7lf4DK8vchv+IjTPvoX/CLX/wMsxYtxMnLV6BpaoFr+sZQ09SC5g0t6OnrUtToQldXDPWgr68vGYrf3xY6Ojq4cePG30NLS0sSmpqaktDQ0JDg4OrVq7h27ZqkLUdHR6Snp6OhoeHvxU8AciphSUWk9Pf3hXh+oXuYZAphWLuR/yAaxw9tw2fv/QJb5/0LzE/NJnktpPGYjzi9hRTay5BPs/bg1io8ocEsddmJahaXSr99eOi4AxEUU/bHPmGO34G2/B9wnTi4KP8xYwbMj8lQPByC9entzPsX0NjxNgyZP3NVYkJR4OWvxMhnsFT8DLd2f4Cbyu/CbNfbxNL7MFcWOPgcN/d8AROVL6G7Zz70T2yH5bXDuH11L4wOrYKe0nQY76S4kydeFP4KK9UvYLXnS5grfEicfMw2P4aZ/J+5jT/iFvfLkr+Nd32OG0pfQl1lHm6c2AwLDVVYasjD4NQi3Nj7GbSU/gRdbt9o1/vsCxwqvE/scJriB7gh/1dcZ5+4svVtXN7yFtQ2/g5nV/8Cx5b/HAeX/4a4+QM2zf0D3vnN/4l/+d3vsHX7VlxTvwZDQ0NJLqfG69gQ0wQ+tLW1vxUb0t+vh8CMwMvFixdx9uxZXLp0CcbGxvDz85OYEEFaAjdvLpgGJC9X6h/qlpyR7RsWZlWcWZ5qVjtoVr2wbck8zHj7n3B++2w4XtgKv2tbEHFjM2K1NyBVfxsKbirRvO3DU7vDKLE/jhfOp1DldQ7FjgcRTiFuofwH6O74FQx2vQtNuQ9wcePH0JJfAptTe+B4/jBuHd0BPZXFuKE4jfj5BEYqH8Gc/GCm/FeYKnzAPBMzzIuF4h/5+23m9g8wVHkbRnvY31U+wQ2FadDbtRZWxw/C+eIZtqtCflnG/H5F7HxAfiAmVARWPoeFwufE4ce4y99Wez/ALRW2r8RtEUdm+z6A3r63cVXxLWiyTZuTSvDROAW7M/IwVJ4LHcUvoEN+0Vf8iBz3IfS4X9o7/8h4m9P/lf3iX3F9+x9wZeP7xMyfcWnDH3F61Vs4sORfobL0Xexa+RFWzXgfb//TP+DzP/4ZR1X3wszQFEaG5rimoYXr2hrQMbjB0IK2ngZ09bSgT7zo6xpDT8cEetqmDBPo6hgSSzqS+dq6WsSRJkMM/1e+kXKNurq6hGvENGEko6KiUF5eLsHCVKEt+EWE4BppwRS15yez+rpZFc+sNkvMand3C4/TK7PaR7Mq7lgQd7WIfiRuqR8Tt6VKbwPetFpiVg9u/hy3L62G+421CN
NbhWQa1RyDebhvvABPb69EucNGVDptQqXzBtR4byUXb0OJ6zrkWi9DvMli1vnVHMohSm8Xks1P4qmnAYW8KfIdziPORAGJFtsQb74O0UarkGC4HqmmW5BhvhFppiuRYrIU6aarkcnf6WYU9KbLEW+6BHGmXN5YHil3z6DI0wQl/ra472aG5LsnEWnBPm+xDLGWK5FguY5tr0UiI8ViLdtehTTDxUhjHckwWIpsk7VsfwvijWUQabILkTcPIcvtGp5FmOFhgDZSrA4h1kgGcfrrkWTINoxWI8FgBSJ1lyLwxhL4aS5jrIT3tZXwUFsBt4vLYXNiIcwPzIXxvvnQ3bsQGqpLsGfV1/j0n3+GGR+8B/ULxxAXHUpxRizm5iItKwdJaemMVKSkp7G2piA9TUQqMjIyvjVE/RUhhJt0XIi81NTUv/8W4wLnCQkJknFx0lBoNiEo/2d+fbP4IbMqbgO+Z3cXC776CDP/+DOoKX4Du3OLEXRtERJ15iHPeA4ems7CE8t5eG67HC8c16DUdTMNvyy133Y8d9qGxzYbkGu2EumGzD2Pd7zhJkSbyCL73gk8CzXA42BDpDmpIdJUFdGG25FsvBkZJuuRbrySuFyOJBPm3GwNYpnvWIsNiDFfz/yvR5rlJqSab0aM/gZEcr0Mh+N4EmaChxF3kOSiSawcQYqZIlIMtiJZfwuSDbYgxXgdjdIypN6k2aZOTTRbigTzVWxvDeIs1hBbGxFP7MaZKSDD+jhKfCxQHnwP912NEGWhikCTVQizWIpQ0wUIZV8JN+a4wRqE6KyHv+YG+FzfAM9ra+F8eRlsL86jTvwGZqdnsO7PhMbR2biwfwGWfvM+/vWffobVyxbC1uYmsrLTkZmXhYR05jUtCWkZzDXxIHAgxcK34UWEwIAI6XJiOHWadFyEwI0IwZWiZldVVUnqtsi3OHH4ut578+jDwCDxN9TBut2H0YEelBXdh9bpY5j+9q+wbdbvYXZiPrw0FiFMdy4SxfsmzOYgy3gm7jMHz+3WoMJ5CyrdaFi9ZFDtI0fsbEGhzWrmdxH76kLmaC0ijTYjwkQROR5XUBxhjmxvbYTdPobwW3sQdVMeYUYbaIRXETsrkUtOyDNejWz91cgxJG+ZbEEmOSHJdD35aS2izTYizEQGMbf2Is/9Cp4Sg0/8tJHlcJLbkucyG5FkQd6yWI0U0xXEzRqks4008kaywTYk6G1EovhWrBn5w5JcaL4CMeS0OIutSHc6jEdh+ngQZookp4vcN1XiUxaxxF+CwUbE6a5FhPYqBNMzBWquJuesI3ZWwVNtEb3UAnicnw27w19LNKmhylfUpDNxdsd0zPrLr/GX3/8Ge3bvgK+vFwoK70vqg5QbXsfEVJy8voz0txQ30nGxnhiKZcRQ4EXUITEU2xInmoVHkJ4IkZ44+y8xq2IjNTU1ElEgdkpcOZG6agHosrJySeGf8dXHmPvJb6G5bxHuXV0LP911CDFZxw69BknW65FN8OW7y6GQBrXI/yCehp7D/YALsLm2BruW/Rarvvo/sXLGP2HZN7/EzI//AV99QLP2+e+xbM5HWLPgM6z65s9Y8cW/YuWXYtlfYc3Xv5TE6i9/jVWf/4rxa6z54p+x5svfYe1X/4z103+LdTN+i7Uz+Hv677F62jtYM+P/Zu8toOw4kuzvHfKYx2xJtmUxM0OrxczMYDEzMzNTi1pqklrMzNxiZrRlMVOrRfb94pevS+7xaGzv7szuzv+bd06coqx89Spu3oibmVXvKxXKkECFMiVUvvTx5J/2C+VO+5klbB+pYFo7x6xw6g9UOOUHKpbyLyqeyszqKZbqPRVJ/a4dt/rSf2TnfKKcqT8zkvlC+TIlUoHMSZQ/Qzzlse28aT5131kwzXt2ne8qV5L3lDPRX5Q90YfKlvhjZU3yibIk+ViZbTuz7c9i9yxzgveUMf57Sh3vfaWI/5G+jPW+3nv/bcWJ+5XSZM6sLH65lCmHn7L5+ckvdy
Ml/+IdFcsWS4Nb5Nb0nvkV3jevlvTPrw3DimnH2DLaNamsdk0po4ig8toVXlMR8xorZFgl1SmZUjlTfaES+XOqQ9vW9lsmO6G6wOIpnVzr1m90nVt0LtB26ZBiejDPdX4eK7Zr23DBl1/GVcZMWZwfeYmXE4EmVjmXF1x9afkaZfFtPOOP5ClSueeJJ1hcZ4QVH4I1OsVy+vm/KgteqD99hkzqYQKSEdeH1u5P2Tl0evCm52SGwXjxjWviwDXxlThJMve88oaNm+w+PXfcdJUOMLse1j1jhP2aGVxHnYePHtOQocNcnf369Xe+5kMMwV/gg9yQHNHDDTGVfXACA1SMltLBwcCDl2OS58XsGCOm0ymCRoRTEKVwD7M42QdeyIWZLcWsU+r41xCryeMrR6I3Nah2as3ukNlER2Zt6JtZ2wZm0t6RWXQswE+np+XTqelFdDqknE6G1tCmMRXVt3pylU7zZ5XLGls9GpfV7In9tSo8QKvmT9O6ZcHasX6+9m1fraOH9ui4kTbic9GipeJ/qT744OPohO13TlT85S8fWjJS3JT/TBfwSPL27z+obt16KLWR1x//+MarBO/99z9wI6wdOvAigr3WyJ66ZDPQghojbR9//KmV+70rS91fWVCtXLmqVlkQpiwAX25gb9y4qRtFefPNt1/V/d57f1G2bDk1ZcpU50AaMMtfMu4pwMLZJFmMrCKAAAFg85IdAOkla/jAEx4QE8KT4XkSMaaKkNxRJ36DgAh8+BNAkkDiY6aCAEKARy8dCSMjq4wKMtrCqAl1/7fFqt2zJw+i9PLRc2PBKB3fYYlr7bLKHOstVc/6nia3TK753VJoRc8E2tT/axOr8Q03CUysptaZoNw6G1ZKJ2dVd4FvVp/yalgksYqmi606xfzVr31LhUyepEXzeGPpUhdg+A8zfM+o+cmTp90IK8k/Pv/jH/8UAwu/09cWbBo2bGxtYLlLPhAeW7ZscwkROPj9738Sn3/5y1+csPdEPL+NBJuEn+eFP/jgg1fi8/e//71hI7k7Rlvy/IQoYHTpww9/EikIYYQtogEhwD2GXPCzJ049nHjGNljgGjjONSFW6fWCGPiAAeoiYSEJATOUp+1SB4kQU4pIbphSShD06vdwQyIM4Xi9bQQ+2jzTieAQEmzOh2gIeggQfoPXmcL3ezj4RbNyUZG+RO7JE8TK68TqFJXwT680sf+kFuUTKKBzJs3snVmLB2XSyqHptXF0JkVM9tP+4Pw6FFpIR2aV0YHZtbU+sKEGNDcRkCOeCmSKp6a1SmnCqAEKnxmk2SZm5i5colXrNmnrjj3af5C3+vG85SFt2rBePbt2VpIE8Z2PPH/94Q9/VOp0GTRg8BAXmEhG6ewKCQlT/vwFXwnKP/zhT85ix/7CfFPbOHa1wxcJL/zBCxLA3+9//8dXdSNs/f3zmF+mu4T44cPH2mUJNv/HR2ccx72y4DihJUydOnVxHXTPn5sg+Stx+npjdAdM4FNeCEPCwog//M7HS3LhD3DmdWDAQWCNIOZ1UsBRBCd8SJwAM97oKvWDRYypykw5p1ODZJvp+AhIOmjADtvwkvfdnkj1lv8Wq/9Vser76xrE6h0nVn94JVarFDOx+plPrI5rm09BXfJoTvccWtUni3YMyaoDo/11NKCQjk0toWOBvpkKe6bW1+TWeVQtx0cqnOYvql/WT6MHdNbc0EAtXbRQS4yDVy5fpS2btuiA+eLEgX06vX+3Tu7ZqaF9e+kj40iw+/bb77p2QscwIqF1q7aWpGw1fN1zSSGdwRks+aPsW1b23Xff1++tLb1nsbtQoSIW78Ld9MwnJvrg+zp16umDDz/WH6xNfPDBh3rrzbfs3N8pmSWSjIIQsxGOJJsDBgxysYBr+L21ZWI9dX/40SeqWaOWG0X74YcfDYfwD29FpdMX3PlEKjNwMPaRZ/D9bdu2d7MquG4+L1/+6Mp45amH+rwP7qe9kbgRExAdCBDaABgH78QAb4
SVtoTwIMHjJXrMzEGsMi0Yscp0YvaRWNKm/zli9bICJ41W9lTxlSnum+pYJaPGtcljuMmteT0NNwOyadOwLNo1NocOTcqng5OL6HBQJTc1eNPkeurXMKeKZfrECdYW35R1HDwzLNDu2WwtXb5MGyxu7NwV4f4GxL3YyGI3b3etZHHG47w//ekN4+LfG/f9wcRBRg0fMdK95IhOTl6Q1LdfPydKKAtnE7/xMwKzUaMmbjT15csfDGM33YgtfA2m4OA33viz41TwxoyXFStWmaPk/Mxo2jd16yueCZQ/GW7f+PNbbglu4sT+Sn36DNS1q7ftvlmcfURMfmB8yMj7Q4e728abN27d1J27d3zx9/49zTXfVatW1YRSHeP4nXaPn+nBo7t6HGmC7wGPYDx03MD9Bw/4Br8gJHgpjjeTDg6Gd4m1YAfMwL+UQ3jAizzOhFCFW8ALAyFwLjkHI2Ts53Ek6uHjYeA3x28syspGGdYjb9h5V/Q86q6eWQw5a7lYr5ZNlO7Ld1U666ca1jy7grv5aW73bFrSI5vWD8ijiFFFtH9iCR2YXEL7p5fSvpmVtGf2N5o5qLTqFUusPCk/V9n82dW1XRvLVaa56b+LjGucWF23wbVBRkvJ+Y4dO+FG3VOmTONwQAwm78PHX3xpeZa109mz57oZHLTNw4eP2X2o4fCCT8nh/2i89OZb7zgOGjxkmBu5p62fPn3WjWjSGYY2eO+99532+A9bJ19s2rSFteHjLo9htuaMGcHWLgvrXSvnyyHA5O+t7rfkl8vfcLVCz8zH1P0Y/z0wrrnjaQOedWd0nRl0/FvCE/Gm6WHDhrtZgviPcnzwE+vERuI27d6LPXzAD5yA3iN/I96j9RCrlPe4xovbYIc8jhjPjA10AvzkiVXwQkfzv6RYzZbwz+pXO4XCOqTT0h5ptaZvOm0akFa7RqbXkYBsOjnNXyen59epkBI6EVrJxGpZ9auRRGXS/VHls3+mnk1LaM6kXlo9d5zWLJyiDStmaNemudq/c5UO7d9uYvWoBfRTrhdktAUfAtbHH3/iAEMClz17Ttc7i/gk4AGWy5evuh5axC1JHYB904JYmjTpXE/snDnzHPgIJASVrVu3OyAyLe+dd95zQGfktFy5CtaQJ9oNP+7KOoAfOWoOn+pGV72R27fffscllN2797SEaYcjDho8y79nMe8nACMpAQCIVV60QILjfSAE/IGoQCSRpABI6iGBJAmj14xjBBmAwygbiRsC1uuhxa+UQawyssoD+gCG/1DimVVvCqsnVrkG6sMA5M8D2a9ZFMuHkXppiZOeRur4rtXqWKe0MplYrZr5HQW0SKg5XRJqcfc4Wtc3lrYNjmPJUmztH5NIx6dl1YmQwjoaVlF7g79RWO9Sqlcongqn/US1i+dQ/w7NFTolQAssKWXkiim8JPf0yuIv/ItgRRw0b95SadOmc3ghKCEiypev6DopKI/oADfffnvJjZIVKVLUAt9XPnJ58003XZdeKUZTaeT4i7ZBzybtKlGiRK+CJOsk5QQV7iFlIQQaKp0CvNjoj3/0iZTYscFYOZe04B8CFJjwxALngRO2PcPnlCGAUQZfeSOriFA+YAPf4S9IiKAFEVEe8iLJJ5lnlAziYJvv4RrgAXrewAnncIz9TDEmQDJ9iO/jtyDIvWnA4Ba84Xc+P8fC37XIx4YT38jqk0hG92JOAzaxetvus4nVYrkzKJWJ1WblEmp8h0wK6ZVJ8wdm1FITq+tGZ9b2yf7aE1xQ+0OK6ODMMtoXXkvrAhtrQItiKp0zvgplSaBmtUsrYMxAzQkP0dwF87VgyTKt2bBFO3bxv3hHLFGih9GElt2vWSFBql29quLF/cqC3u+MF952IzKNmjbXCsMaU3VIRhgthXto+4yMwh90YtHDzwjqlCnTnMhAfMIhjPgzC4Qpwp99FsvhgIQcoYowZZQJnqFuOtIWWHCGs5jGTtAlANNR1qBBI5cgk4zTkUZy9PcN3D
y074902EAg0cFFLKDTAt97H3AD7igDbgheXvJC0CGxAQcENM5jPzGDGIKo8riG8xCGnlgFJ2CEZ2SZzcHzM/8Wq//cZ1a9FyzdN9H69IUlLpYQbV27QtVK5FOqz99Q45LJNb5tfgV1zq253TJrbZ/U2j00pY6OTatTk7LpzLS8OjOjuM6EVNLhwOoKapdD9XK9r7IZ3lfz8jk1sX9HLQqZplXGISsX2rUuXaOdG7bpqLWn8weO6NLBw7q4f7+mjhyp1NZ2/mRx2Ju1gmBlSnufPv20d89+3b/HrJK7Wr1qrSpWqKxPPvkseqYTid7v9aXF2urVamrxoiW6YzH7kbWn/fsOqGuX7kqWNIUr4yv7H/qzCQq/nP4Kmh5s9+eOHt5/ZHnESUt2A91MB1+ntE8E0aYSmaDp0L6ju78vjXMiHzMrihjtazcsMdowsYJ9zLRi5k57O4+El3bKB/c+ffrM+Ra/I36JLbR9ElM+D8wPYBXeh0eJx/Ctx+20P68DCP7GaEcIU9oRohR8gBM6mxGrtKd/2jTgq1c0I2CMcqdOIL9476lXNT9NaVtE4V3yaWmvHNo4KLN2Dk+nA2PT6fikLDo2JYdOBBXWyZlVtGNSJQ1tkF5lM72rEpljqX3d0ppuYnVRWLBWzF+g9SvXaNvmbYrYaaJj314dO3pEp42Dd++OcLOT4liM9HyFffrJxypm7ZmRoiuWFHPdFy6c17hxY5U3dx795f33X5X985/fVIb0GdW9aw9t37bT4swz59eFCxarZo3aivV5nFdlweXnxscVylfSxg2bzXe+2SqIoZ49elk9mRz3+sr/zg18ZM2SQ4HTQsxnPO5kscvEKhi5exvBGekwii8xfPvCfPLwwX3j7XmqYbGlYaN6ltPtc5zw/IXd65dPzSzumT1/Dqf78kRiI2XABDk7nAmXwQ/wIDkk3wG3eTEbbiDfIz9gAIJcj45pBAa5O4+BkYuw/3ViNSYGft0i9fTJfT1/ckMvo67ox6e39OPDu/ruwF4NaNlImb94RxUyf6TRTTNpVpcsWtQtg1Z0z6gt/XLqwMgCOjaxiI5PLqpj00vo6MwKOjy7thYMLqnmJRKqaJrPVblgDvVo31aB1n4XLlyipRa3ly1bqfUmVmmDB41naN+nT51xsyALm0Yg3/f44A/WxondzU1Qkg9e/v6K7t25r5MnTqtzpy5KEC+Bi9seN/3l/Q9NqBVyef6l7y5bXoJYPadRI8fI3y+33jR+8XADfyRJnMzF/5Mnz7iy3337vRZZTtqoYSPF+/rrV2Wxzz79xPitosXPjXZ/n+i+YezOHd/LDPH3fcMHS7bv3vO9t+ap+eH4iWMaYXl6hfL8RdZA13nMhzgD12DeOjGZ8+AfeIC8EByAG3QC3EMeSxmWYAh9AW4QmuR6lCU+o0mYBoxghXfAC7hBxJL/ch1g4F9ArCZQ5gRvqkfNVJrePqPm98io5X0zac2ADNo2PKP2T8iuI1Ny60igATK4tI6EVtXG8RXVt1ZKlU73Z5XJFkvdmpTSrEl9tGLuRK1eHKgNq8K0a9ti7d+9Vvv3btWJ48fsZjK97FuXyNE7ikBFTNJL2rZtO9u/w24aPRKMHOCgF648zyuWLl1WsWLF8Y2SVqnqgsqlS5edSH1kyZsvOfM9i4qoSZEilUsicxvxIY5JLglQBBsCFNND6MUZNnyE64X79NPPlCp1Gkv+OrvroFckZpL1SwYpQLbcUxxJYsUIFc70EjKcDgl5PbEEN8BDMgiZUIZj+BCignQQVSRqjHxBRBAUCQ/CFSFCbxtilemcBDiST6boMULGlBGCJ4Dj3vAd2H9ZrHKPLXgbk+nIrjVqa2I1Xey3VCnLe5rQKrlmd0+hxb0Sau2A+NoxPJF2jkik/ePTGnHl1rHQkjoys5p2hzZQcJ+yql0wvgqYWK1ZIocGdGmpWdOnarEFbU+sRuzabUGfN+IdFa8Qp4cLrNJTypRJetvjxYtvjaOEE6Vnzp
xzSQjJQ5RdI/5F6PKcIM9Df/75527qLsk2yTmNESLht+FfGje+IIH45JNPnFBlhJqpNvgBcUk52g5+oo1xv1OnTu3KMrLNtAw6Ibi3HtFwf9n2CCwmZrw6wQz1QkJ8Jw0fEvJIg3ZLvVwfnREkNhynTXOcZ5dJhEn0ISwEBgIbfJE8I2LADXjhuuEJ9sMfPHsLmfHMKiOtjJIxK4COE66NwPpzLLzeIo3cfc+sPn/21AI+v9uWTyy5e/TMJY4PnFidpmL+GZUi1p/UuEwijWmXVUE9smle/2xaPDirVo/MqS0T82lnYFHtDiqpvaGVtGdWPa2f3kKDW5VUKROrjKw2qVlSE0f3d2J1nrWxxRa41m/erp27D2r33kM6fOS4+e17XTPsHz2wX0HTJqtUiWKKEyeWBbskqla9honcRbpsQvUBiatxAYkpI5Zr1653AjJxkqSuM4Rn6ocPH2n39YL50Jfoksjyu/FL//4DXQfXx5986jrROnfu6v74Hg4j0UGARkUx8+NbhYXNclPW6RyjZ7dWrdoO83TKURZuov5fMl85H8bgE7iBZ53pbacX3kuOwTRxgJ5UfAxuEILgjsBEIGNqL8k1HMGSxJH64BF67uEfMENZuIyEmqAEt9FBQmBiJCimWOW6/i1W/7Fi9ZGJ1ceI1Gc/uJfcuWdWTazygqXkn/xJDYsl1dg2eU2s5tH87llMrKZQxJDEOjwqmU6MT6+Tk3Lo1LSCOh1U1sRqFYW0z66G/u+rQqa/qGUFPwX066BFwVO12ny8etEKbVixQbs2RejE7kP67tBJXT92VlePntTmJcvVqXVbZbSEHwH6OxOWSZMkVxvbt27tBvsNt639v7BE/rFOHDulGYFBKlu6vD74i282wYcffKyKJiICp87QaUsII00UPH4Yqe8uXtKqFavVomlLEzVfurJ/NEGRJXNW9enVT4cO0Hn7zET6Y31vSWfEzt0aPWqsE7Jv/OkNZwmsPdWv11ArjAsQwT+auHxkdd+4zjQ5uJdOZ3jXlwPQjsgBeISI9sosLcQqneMInBjudb6+abkFz56vZ8qiCR9GTBCw8O28eXNdTMfPbINtkjswjMHRtE2OUYZ2RLJIxylcDU54QR4zdhCrdEDRDv7xYvWqZkwcK/9UCeUX9y/qXS2fAtuV1JxuhbS8V05tGphZEUPT6MDo1Do+MYMJ1sw6Pi2PjgeX0fbxZTT0m5Qql/5Nlc4US13qlVXo6MFabvyyZt4SbVy+Xts2bNHOrTt0mL82OnbECdajRw65lydWrVLZYrZvxPSdt95Ugfx5NXLEcLun+3Tfknk6Oq9fv6qtWzZr0IAByuWX08QEnSL/YVz5tdq2bqN1ltudMmGCQIl8ZMLDMDRt6nQVLVJc77/3F/3eRMonH3+m0iXLuP0Xzn3rOizumOi8/P1Vw+h6NW/W0mEFzHxgYgYM9enVX0cOHTcR+tJEx0PdM7wgVsBnpOHknuWCvITvoXHXo0cPTHRE2jXzKEi4atWsatzUyPLLw9FYMZH6A7OSfrRyjyy/Q7Dvdv6kswJ/wIFe/obwhBfIzeFCuA/xQJ4CJ5M3wi3MvPKmAZPz0+lBPkCHM9M5/5Fi9WXUTenpNcv1TEg9vKdL+0ysNmuoTJ+bWM3woUY3yqDwTpm1uGsGreqWUVt759T+ofl0dExBHR1fSEdNsB4JLqfD4TW1aHAptS6ZWCXSxla1Qn7qaWJ1+pRA40XE6nI3i2Pjhk3avWuvYeW4zp4+rwvnL2rnjl0aNni4CuQrqI8/+tT5Nk6sL1Stag3NDJ1lbemi/T6LhdbGEaLLrK4mjZopcSLfo2LwR84cuTSg3yDTHwcMB0/0/OkLxx+bNoAx0z0xHvmBx5o0bqaVxkP4/6nxzfUrN4x7DincBF6liuVN/L4nZgTEjv25ypQuqSmTJ1luetH4/7nh5q5xzTXD2i3jHcvtou3B/Xtmd+37Ldd7GmVC+LhGDB9mQrecBg7o73K2n3
/ABz4HA+gBcEMcoiOD3Ay+8GZxsA9uoRw6kJhNbPSwRFwmPyVmE0s5jxjPC5rADYNbcNC/jFhNkzyRMif+WL3q51NQz5IGsDJaM7KsNo4ppZ0BpXRoRnmdmFlVp2bX1tmFzXR6UXttntZcfev5q0SGz1U8axK1b1RdQRNHadHcMC1bPF9rVi+3m7VJe/YypXOvu/nfX7qiq1f4/8Ir2rJluyXUQ9TYANKjey/Xk3L16g3Xa0bP7CMjCoIGBMK0gAkTJqlB/UaWSDa2RhmgU0ZUL1/8aA3xuSv74sVLsx9d/UuXrnB1MqTPs447tke43jLzt4kIyBxCseBvQOfZyOHDR7myPXua2DawMs2P7/aE3S+ZV4ZkjEDB/cd5gANQQSq8FRiywUgE6Q0DKN7rpAEEiRAgBbyABKAiiHg4mgSIHhBGwDif5I3g6D2vxigqL2uAvBCrjJD9I8UqL8x5bPft6TO7x8+ea+/OzWpau6JSxn5X5XN8oQkd8mv+gKJaNbSgthph7Z9UTIemltSJkIo6O6euzi1sodNLu+jAol4KHdZQNYumVe50cVW1VH71695J4aEhWr5suetlW7NmvZH3LkvqDrqpwEzJAC+3LeBcvPCdwsPnqnXrdmpmQYeEZf/+Q4blF0Yuzw3ftyzhu+cSDcSH603t2dOJQO4Pb1SjMXI/SNoRkZ4PaSsED9oXD6/zIDrJhZd4cx7thntGw8av1E1iQS8XHQj4j7qpj7LcO8qDDb6PfdSFeesxxSrEwXcjkmnLEAuYwdf0TkMG9L5TBtKiPfOdkAvG9UIgJPYkPeDGe+Mr2EBg8FyLJzrAIc+9kDRBXkwX4fdTN9cLQf4cC683xKrdmycPLFm132zbjy1J+GuxelNLZgepqF9Gw82balExvSZ3K6Y5A3iLaWmtM67ZElBeu2dU18Gwujoyu4mOL2qn40t7akd4D41oX0FlcyVUvoxx1aBaMY0b0UezTawuMFG1dOVqbdiyUxF7Dr0aWeXFBTeN925duazjh/Zr0sTxlqg0sXvXzkRZkE6cPqtIw8gD44A7lvyQDJN8uhctzV3gpgXWq9tAPXv0tra41WHs5Qv7HZYws05ZfLjNkrMhQ4arcaOmxsc9XAC+eeO2JcuWMFibgXd4FpVz4Cy+u1WrtmrfvpN75OHcuYt2z2ifjEYj8n/NfB0sCCS4Hb/CDQQlEmESHbAEbhCw8BCdEEzfxdcIbC+hhWvAECIRTqHTCwwwrRjuITYwgko9/DWO93w8+GLbE6vUjYAkoP1brP5zxCpPYDDCalCxpPmBNq1eqoqF8irJh39S/SJJ3DTgsO4FtKRvHq0bkFXbh2XQvlFZdWicvw4HWAIZWNb4uLYOBjXQ9I4FVDv3Zxa7P1XD8nk0qm8XzQ62PGLRUi1fvs6udZvFzH06vO+ozh47rSuG0Wtnz+vi8RPavG6DunTsrCyZsiiTidbmTZprzco1ukXMfG6+tzb1FNybOLxo500cN1F5cuVRvLjxVNxExXQTEWet7T2JFgKPTDwiChjFWmWJa7XKVZUoQSLlzJ5TvXv21m6Lz5FW17Oop3pgSeSDeyYmrL3u2bXHrqOLcmbLKb8cfmpoQnXxgkW6bdfxo8sbTORZvffv0IkJ/vjfScOitXfXLq0tsU7bi4jYEy1Wa5rwXGBJ5XPdthzkO0ts6SjlrbF0oo4cOUZt27RX9249zacrrO3ccDHkqIky+J9OZuIt+KXdgAHiDp1AxB4wwPQ92itcTvz2xCr8Dr5pf/9MsRo4cZyyJk+oDF/8RZ2rF9DkjuUV3quMlvQrpA1D8mj78BzaN8ZPRyfl1bEphXR8elkdC/lGWybU0sBvsqhUug9VIlM8daxXRUFjRmjJzHAtN7G6eukabVq7URHbd5igPGZC8piOHTlogvGMThw/YgIjWN/UrqnUKZMrV85sGti/rw7s22M+uGd+eqAnjx9YvHhsQuG2InZsVSfj6Qzp0lj5ZKpTq4bWr1
3rsHLbuPUGeaKJyRfmu/Nnzmv0yNEqVKCQ0qZOqxJFixvXT9Klb7834fVMd82Pd27dsbIvTGA+sNx0mb6pVUdZMmZRofyFHMb2ROwzfNm9Nr/fuHpTtyyPiDJ88B2Rj+yabt8xzN2xMk8sz3hs9dq+Ozc0JzxMNWtUVotmjQwD+11H7eVL54znD+vc2RMm2vdaLJ/reBQ+HTNm9Cthiqgk+cfP8B+xGyww6kXHBfwK98GDYAeeR3TALeQp7ANjdDgznfMfJVafPGEE8I6bAvzDc8PNg0id3XtYPRo3VapP3lXJdJ9oeKMcmtk1jxb3yq1VvfNok2Fn97DiOjC6pA6MN5tSTofCLI7Pa6QFw6qoeak0Kpw6rioV8Dex2t7E6jQtmL9Iyy1Wrl211o3I79u9T8ePHnec8f23l3TO+HGvCdgxo8aoVPGSzl9VKlZx/HH65GnzheUVxrtwDaOaV7+/au1/sapXqaaE8RMqW+Zs6turr/nWMGa4gZfw5wPDAJ1ZBy23bNemnVIkTaGM6TKqVfNWJpxXmkC97srCTfctl7x/564unj+nCePHqEihAsqeNbOqVamkaVMm6cyp44arKLuOZ8bJxteMoD64Z+c+eGXg+5HtizIup+xpE6ujRvjE6pDBA53YxD9eZwUzmhB7+BgeIFdD4yFIycnACS8FJdbCNSw5zmwNcjevo5kXdjHAQa6IhmAQgkcOPLFKpwd5AXrhX0SsnrUbNlipkydWlhTxNLBNLc0e0VqrJ3XQ9iAjzLAOOjK3o84t6arvV/XWtQ2DdWdngK7vnK7dc0ZoQPOqKp4trYrkyKFWjVpqyoRgzZ2zyhLITVq+JkKbth3Wzr3HdeAQb7A9ZY34nC5e/N4C811L6O7o9KnzOnjgqI4dPalL310xonpozrbAZQHmzm16Q3lO5EdFPn6mby9e1t49BxWxc4+R3xl3/Dk9zc8sabRz7t9nGiIJpQVzC0rnz31nZHHclb129ZYFqGcWwEysWl337zEKxJxwWTL51ETQ9zpy+IRdzzldv3bb6iK4+UTMbzWIgcDCtF38wlQ5kiqCE0kM0zu9twaS4PFCn3Tp0jkxQS8b/uBDEoSPECwkhnHjxnVvtAUMTEulXt7sxRQ8lpAUYtUbESEQ/lax+lvtsRHD/SdMRSNhkrZu36O6NWsqceyPVdY/jQK619PSUQbSCS21b1prnQzraCK1my4u7qvLq4br2qZJurYjTOe2zdaCqQNVu0Ih5cyUWhXKlDTBZwLWknZGTdesXq/16zZr+zb+J8rE6r7D5sNjunD+kuHlriV1N3Xm9Hm3f+eOPQ47N67fcZ0WkY+f6uqVm7bt693nQ086yTmNi6Dg3QsSUC9pJolmH/cf4qDd0ChpO5ADPvXKci+8pNUb8YQ4OIfEn7Ico06vnXEO99xL3D28sM3Sqx9f4TvIheTGe46JJB3S4hh4YeSXad4k8BAJHw8zXDfPToEvcMNzuJARiRC44VkpMMgSbCFWwSb7wBGJEngkqeLa/1Ni1YRqVNQ9u/e0LQQ5otUTq9IDSxqWhM80rsikNHHeVedaBRQ+uL5Wj2uinYEttT+4lY6Gd9CZRT313YrBurp2tG5vD9TtXWE6vipAAb3qqkqBFCqYOZ7vBUvDfWJ1kYmz5ZZIbjSxunP3Ae0/6PubA6YBf3vhvO5cv6r7t2/ou4vndPjwASNd3p53UTctCD14zDNCkZaY3jfueWRB2nDwlGe7bjs+2GVJzKGDR3Xl8nX3WzgOz9y989DhDf5g5PTSd1et3DFn3xq/UYZ6nkQ+d2Uf2HfAPSTG168ZxkwAHDc+/P7SNcdFcJLPnsZY/ztGAmW4weeIHHCAiMSHYAb/EzzADPghgDD6nzhxYidC4RWw7OGG5JZEG3xQhue0vf9SZeoQdYMJ+AYxS0LNdsyRVbBEQsY0JYQbxjWCdwysY/8Wq/+1FywhUh88/dE42DcN+KElXD6xmkfJPvqTe2Z1Spcirp
N5/ehy2j6urPYEWMI4rYqOB9fWqVmNdW5BB11Y3kcnFvfXjD41Va1AUuXL+LWqlSusAf17a0ZomOYtW60l67Zq9bY92rL7sHYZvx48flJnre18d+m8e+bxsiXDq1es1IghQzV6xEitZjret98p8sFDPbp339qaJT0WOxGMTyOfWLK4y5Xr0aWrJalTdfzIUT15aBxhbe82o56MxppI4NnCK99d0rzw2RrYt78mjh2vHVu26o6Jz2dWz71bt3Xz6nU3w0cvf7T1a1pr1zF+9BgFjBuv5YuX6pK1a2b/UPfDu5Y0InJNsNBGHz9CnEa5eE9bpm3SnmiXu3ftV4f2XVStai0tMTETZfd8z+79CgkO1+RJ0yxRnaxBA4epfr1GypO7gPz985l/25qAXeNw/Pixr6OaGAIuEREkiLxVnk5AxAcdm3QosY7ogGt/Lla9zkiEDXkEsQF7Pef+rRHff1GsXruqqQHjlSF5AqWK+6Ha1y2mSb1ra+6wulo5uqa2TaymPZMr6+j06jo3s57Oz26miwu76MKywdoV0kuDm5RRycyJVSRLGrWuX0dTzEdzw/m7uaVatny15Z8btXf3Lp0+cVTnLJE/f/qEbhlmHt2/47bnz5mlQf16a9yo4ebbjSYKr5hvjf/s+KN7ty2Zt/j6gwnGK5e0dOE89enZzQRHdy2cO0fXrlx2GHlsOLtlvqfDhu0Xhp2De/dr0oSJ6t+nr/2+STpy8JDV9dyOPXMYAzuU43P10vcOY0MGDDKMjdO2TZsNK1aXfXjU6Y7lD/dvmbigU8NwCq4f87zhwwd6YWIV+/G5iZN7t6yeMNWqbmK1aUMdPrBbd25e1qrlCzVt8lhNHD9SkwLGmc8HWK5eSSlTpnIz3uCImI9L4BswRIJPjsjUTOI7IpScDj7n5V3wMwMc4IoOZ3J+OJj4juhgZhSd5vCp+y2vwcCvmv22x1HWdhzvRCrKcuvIBz/q2N6z6tC4rRJ/+oGKGmcMa1VccwZW0qpRlbVpdFXtHFtLBybVNdzU1/HQhjo5r7nOrOyk0+v6aGlASzWt4K88aZKpbL786tmho2YYD/COklXLlmvTuvXatX2HDuzZq2OHLDafOev4BD/dvHZde3ZGaOqkyRo1bITmzArXUStz96bl88Yxzi8mRJ9arkG7P3fqjEKmz1CPrt00evgIbedlXOZ7jt+zc8DCE1uHuzl37cpVhoOBru61q1Y7/sHfDyw3uHPjpmHygX4wHEVZ7NobsUPTJk3QuNEjHI6PHznoMPuDYRb8kmM8f2pxns76R/ftOx84Y/2JCdbnTx4ZbqJ09uQxjRkxVJXKl9WokSNcPESjIfwYuMK35PGIVOKd91/odD4jVImrtHFiDjko4pPRdXI98AEe6PCgcwPO8aaJg5+YYpVYTuwmviNu/zXEqiUZqZMnMbGaQIPa1tO8UV20PrC3dof316F5/XRmyQB9v3a4bm2ZoAe7puvZ0QV6fHSFjq4K08jOLVU2b14Vy11ELZt01cSJdjPmbNacxbu0ePVhrdtyRtt2n9OBIxd09Bh/iH/KksbLlvzd0JXvrzuhcd3IgT/7dQkjiZsFEwIJApTthw8subck7pEFmzu3H7hzKPvIhOwzC+IIVo6TIPLMAdsI1khLkhHFJIecR08qySZlH7g6n7nzEbF3TSTfvnnPieUH930P1zN1yBMXXtL1OiMJw8kQDwAiIWG6KeAgySLZopcEEGIklYxEpEqVyr39DyJiuod3PkAEMEzRQ9gyfRWRgvjkXN7kChgBHMAAB4CZffgSsAJO9jM6+HOx6l0zv+uviOoXzInVqB/0wO7rA+P8Tdv3q1aNOkoQ6zOVzZ1VU3q11cpxfbRjaj8dDhmoc3OH67uFo3R5xUTd2hSih3uX6smJzbpzYrvWzZuhRrUrK2f2zCpdrqy69uitaTOCrcEss9+8UZs2bjUhutuEKNOIThlmTuv8Of4s+ZYTowgJHw5uW7J/1XVE0Gv+zL
I4EpJ79+jwYGTTN+2LRnj7tu9lR/SCewLSuxdscy+4/7QJyIN2gnDlmFfGK8e5rFMXdVKONoWwxfAfdVMP26xTL+fGvOfUyxKfxxSrYAcCYJveVQ83iAWCWNKkSZ1vIR3aNOd7uKGtM6pGrxl/OA7RIUwJkEz19XDDPp5/4fvAE0ESwQF5/VfFaqQnVp9bIhplbcP95cNL84kJeMPMg1sPTKyGm1jNrDSx31PXWoU1b0hTbQhoq/0hXXQ8vLvOLeyrqytH6O6GyXq8PUwvDizRy6NrdGX7HM0c3lrflMxk5ydWw2rFNW5EX82dHaolcN/q9SZWd2l7BGKV/9mDa06acLyg61e/N675Vjcsabp585qu37imW4aJu/b7HljgYsZApHEAmLl755Ee3DN/s27ilRke9237sfEKfANngDHXmWX7XjxHxMjxCpi8Rq+88QjHnkZZQmzlEaP3rA44DYxyjLJ0tjnOMiHL9z1+yGhPtBl3/fW6L8n2rfvuOb5hehCj5gQrEl9e0gZu+N9GMMNIKh1ZKVOmFP+9TKJMjAC74MXDKoEIHiKZSpYsmRNclGXEHc6hbhJoZnGQaIMRAiqYJOlm3y+JVa/9YP9/F6v79u+zZPWoTp866zrh6KS9evWK4eaa4Y/HE6LF6iNPrD6NfmbV2tDTH/TCvvaJcRv/s1q1eF6lifWGWldIr9kDKmmzJYwHQ5vo5OwWujC/na4s76pba/vp/tZRerw3UJGHZ+vGnnAtGN9ZdcrkUN5sKVS5Qkn1HtBfU0JnK3zFei3eHKHVuw5q476j2rz/kHZYbDpy7pTOfX9eVxHUhp3vTBQeNUFwwn7HpYvf6p75M9Il9JY4WhJJIvnE/P7cRN99a2unT57UQRPpp44d110ra8rJidlIOjBMVCJAeDkb596yBPXMiZM6efSYrn5/2ZI9qyfK2qiVwRCibCNgb1tCefbkKVf2e0tw2acXFuOtHPVGPSJ55OV0JgqiR1Nd3Lf26tqntUlyhT0mVju276rq1Wq7TtOHdv6SRUsN8z3VulU7derUTR07dLUYXE2pUqZV/HhJzMdl3bR+sBzzA4bhU+J2woQJXfuAZ+FclogKOpMRGOCF3O3nYpXzaQcxBc1vMdoybZp1L76wjyVi9Zq1t6mTxitT2oRKn/wz9WhVQWGjW2rN9A7aObODjs3vqPOLOuj6yh56uGmoHm8dpyd7whS5f4nOrArR+E7NVc4vm3FwdrVs2EgBEwI0e+5CLTTRsXztGm3ettXwvUeHDuzViaOHdOn8Wd26ccXwcUPXL1/S2dPHzVeHdfr4UcsDz+rB3VsmIiPNbxZn7901DDy0/M144/5dXbl0UccPHzDhud8wdt7K3tUzw9PLZ4ymWQw2/yJYESmIym/PW4554KAJ5RO6awKF/ZSnLNi6ZwKEdcTHFRNCdJqcPo6Yvm4C1Lj5yTMTH4ZfwwnbUZZTPLxjXH4P4cE1EgfuG7bu68cXVtYEygITLfVq11D7Ni108thBE9QXNSMwQJ07tFKzJvUNM20snrc13iqizz+P5QYoyAtJ5vGT9wFDPKrDzCowQ+yGQ+gsxOg4BDf8ywNxGrxQ3hOrzKKiUwSx+t8bWbVz7J7ds3twz9qHNQ+Lj7K2/p06tuiiZHFiq1TOFBrXrbpWTGyqXSGtdGRmW52Z00nfL+mhG2v66Pbmgbq/e6RphCm6fzxEW+YNUtu6ZZQvU3qVKVREPTt10Yyp05xYXb18hTZv2OgE6f7de3Rg7z7HEd+eM66xuPDIfHzNOODQ/gPuZW9njfMRqohHfEl7d/61i8Sv8M5FO5d6jpuoRezquTVw4wT8iGClzEtybbv/t6/fcHg5fviI4w946IXdK+rDnhh/uPK276EJ0wtnLR89dMAt7xtXP31s5Z8aLgwLD+/c0g8mRn94YXHV9j81LD8zgYpgffL4vsO5kZH9huMmVoepUoVyFqfHuHjIYwLENDqXEam0fwai8PeXX37p8j
jiPDGGeOR9yPfwOR0Y8eLFU5o0aVzuxygq2gFdQMcz57ONuOSNwD8Xq/9nRlb5MpICjIsg2HgjRohVevtSJ0ukLIk/U/8GxTSzZzUtH1ZHm8c31K7JTXQkqIVOz26vi4t66OqaYXq0K0iPDy7UsZVBGt6+sUrlyq4i/vnUvEl7TQgI16z5GzVvWYSWrD6gtVtPavs+E6tHL1gCyf+EntHZM+ftOjdreuAMS6xnird6zZ+/wM0V5wUnVy5fFaOeBBheenLk8DHxHCrThHkom+WypSssoYnQxQvfusSREYtIC+qIXp5D3bRxs1atXGsCaInVvVCrV69zCQLTjAlaPNd448ZtHbBgzBs++duTuXPoIVxs17HGvagpZi+GJzReZx4heGKTUVIcRnAiecQHJFb4g0CGCKW3jBE0pm1QHt8gkHh+FSOBY0oRhESSCIkR2BgV4Xx8jc9J4iArQAkWADRl//Fi9akeWaL9hETJGsuOiAjVq1VDiWN9pDKW8ExoX1uLBjbXhuEtFDG2lQ5Nbqfj0zrqZLAJkHlDdG39dEUeWal7xzdqTfhENaxRWtmypFbJssXVrVd3TZ0eqPlGXiQKG9Zv0q6IPW70gVHxM4YXnmHgvzP5j97Z4XO1aOFS8Tc3TNdkyvchIyaeJ2TqJcn8d99e1tYt2w0ri9095EVXTJthnYaEb/ErDR+hyb3muRLKkFh695hGyTHuF/71ylIHdVGWXinWmTpLkk0bo17qj5k4eDiJafgD39Ae8RXJDETFFGOIyXvJDSO4Xo8YghMcgBO+i/ZNGUZ2uT7KIlQgLMQEwoWE2bsHfA/fAT7ADiKFOhlZhbwQBfwWSJRr+/k1v96sHZhYjTSxGmVilf9qexhpAdKS68jIH4zEo8Wq/YbiJlbTfv6W2lXMrqBulbRkUDVtGVNHewPq6WhgE50Na6dLc3ro5pKherp5un48sEjXt4crbGgrVS+aXoWyJVR9E6tjhvdz07D4n7YVq9Zr/aad2hZxUAcPWVszrqGT44zxza6IHZoZFqKQ4EDNtuQifF645i9bpM0RO3XW7h1/g+CeV73/0L1YYa1xDbiCa1asWOleFMM0YJ6hZpo503V5BpWpw7zanufveV6PaYELFy7ScuMxpq8znZgpwO4vNG7dMSyDm61umvBcq5//dAW7mzZuse89bRiI/tsfRk4tofaNoHrrCOWf1rnf+AYMwAuISMQj/MI+uAYDj2AB4YmYBNcEOLDCtCK4yROM8BBl6NEncUb0gkOMtkCcQaSSFBH4CK5s0+H2b7H6nxWrvHzmjPHadyZWv7f74InVm3Z/TKg+tBj96IGJ1UgTq8/10MQVI6sPzXhdX+SjhyZWV6haibxKF+fPalsxg2b1q6QN47/RgaDGOjOrmb6f10q3lnbSPUsgH5tYfXkoWDq9RI+OGF9N6qn6ZfxUIFtKVTOx2n9AP80Im615K9Zp2cbtWrtzn7bsPaLtB45qjwnBY+fO6vQFi9+2BF9nTp024XHGJYbfWRu6bL/hhuEd8YCQfIpIteSQZPDalau6bOLg++8uObt65YobTQUXbvTLynMebzhGgNy0c65fveaE6neWQHIOQoNpvT9Y4sm0TAQvoyTXrBzC+aJh+fvokZg7lpDesxznEe3a2spLS1R9nYXMcLG2E0knNW/HRwT6Hgfif7w7dqQzpobzFdjdvm27goJCFRoy073IcfKkqWrStLny5smnAvkLi38piIjY5X4H/A33wve0LxI4OgMRpSzp8GGkg/hM/kZSR7uho5DYwYgK+YAnVonlJIb/eLF6xcTqWGXPkEBZUnykXi2KK3xUA60LbK6IkOY6Pqel5XltdGNFF91fP1CRJlZfHponnVyvSxsXaHK3dqro76eiOXKYWG2oiRPGG6fO0eIVi7R640pt27lFe/bu0j6z4yZKv//2ouVkl3X+nCW7hw5awntI58+c1gXD0blzpwwzV3T/7h3Dym3z1309f2rX/fCe4e
U7XTVxe+uG5UXGEVe+v2QY+1a3DBtPLc/Dp/gWzDA1/O7tO7rOgAwYM8xcsuX1y1esLhMTYMaEx63okTU6OK4Ytq4Y77C8ZOW/szzy1jXjduq28j+8+ME3ZdTqZiT/KfeTZxDddOXHdtzapAnqBXNnq16dWmrXpqVOnThi++5Y/rJaoRZrpkyeqGnTJpugHBH9V0W+xyt4pIfBCcSBl4ORk8N74AFxwbReYjOdheCGzkLqABt0PoIXcPPPEavPdD/ype5bsmdNxK7xR504dE5dWnVQqi8/Uzm/pAroVlmrxtfX7hlNdCy0mS7Oaa1rSzvo9tpuureln54cGKMfzobq2YX52rl0uDo0KK38WVOrTJEC6tapowKnTdNii5XM0NhkOVbEjp3av2evDppuOXX8hM4Zt2B0QMA1R+1+0TF2/uw5w8UVN+oJZ/BoACPm/BPBA8cd1x3X0IF22TAAP8AHD6xtPjbecMKWe273hZfU3TC+oDydF+AA7LiODuNzPmDtjnENdTCr5FvjwAvGf1e+/854jfOs/O2brhPjiXHyjy+Nz57ZvTbc8f6OqEi7//zvLu/yiHoiesbOnT2t0SOGq0K5sua/kS4eEofJ7xg9Zeou75kg14MPEJrkheSZDIyAGeI3nEMMJacjNnodYMRmZnYQM+EU8MIxeAdRyiOJ4AleoiMNXP2feMESgYXedxICvpwfycVwgwiwZ835JKupE3+t7AneUv/qaRTcIpPmd8iqVT1ya2P/Ato5tJh2jyytfeMr60RwE91YM1j3dgTq4Pzh6tuonApkSKQC2TOqeePG1hCnae7ClVq8crOWrtmhddsOavehMzp8zIKdiQ6+D4Lv06evI2veCFyuXHl346pXr+mmhK5fT8//fRdgeClJSEioqf/6Kl68hCXUZVzPAec0b97CiUEetOZ5VV6OwouR+O8iXlxSo0ZNNwResWIlE3B1XcPet2//qwCwf/8BS7CGunK8Rrps2XKu94q/uGnduo0laStdIydZYflLhpMBEckMU+roIaFnBIB5CY4nYAAFyQrkhMjAF4CD6aQM0+NLfIefSOZIIgEFvgUw+JREDSHD70eccv8QIIyk/JpY9ZLImAT1axZpDS3yaZReWKr04oco7du9Uc3rVlTqWO+oTIbYGtkwn2a1L66lXYprbfei2tq3hHYOKquIYZW024TIiZlddGv7NF3dbUJhcg/VKptTGdN+rRKl8qpX3y4KCZ2hhQv46xrvbcC+FyzxkiQwg0Bctmy565WEsHkTJD1D4IG/DyEA0BmBiEBYIhb69x/gymA0WHzLG3AR/xA99xe/QO4QBT7z4bC6680ksPB9kAfthg8jmSQz1EE56qWnk4ZK7yejl7Q96sW471wPiQz33cOKZ+ABXJDEQ1AEHoQjfvbqwDiP62RqGGKU6+Fc9iFAEK88owCx0M7BF8kxxxDh1AdmIB22ERYENzBC+yfJ9nraIDuELQEUjoh5vX/PIqMi9SjqoR49va9HJlbvm5i6b0nhk+c/mliTBXfp/s37WjIzTCVzZlG6z/6sVqVTaWLLPArt4K+lPXNrQ/982jG4sHYPL6mDI8rr9MS6urOwt55tn6pL6ye7acCl/ZMqb8Z4qle1hEYP7atwq2/JkhVaZkn26vU7tGP3ER0+wtujL7hHDHjL6MTx41WubGkVLJRXpcuVVKnypVW6Ulk1a99asxbO0wVLgvDNVQtsdIZAtrxFukyZso4/KlWqbL6t4/iDv8N5Gj1KftSS+HHjxjtugrvgEWY/VK1azQJNTxO4m62dWZJoGEAY8qxqs2bNXX3c+1KlSquc8U7duvWM8KdbMuUboQHDniD+aZ22+9N6pAVBcAO340uwSKcE3OJhhuPgDgEJt9CGCHDgEe4AxwgpAhD8QyAEuwQuAiD7wYvHN8QXghLXTkccnZz/Fqu+D/t/s1i1+0r7PGX+4HeTWDPF0SdWb1niziyNh+5Z6gePTcg9MaH6xHwZ+Y
MeRPlGVkmKN65epMpFcyv152+oaclUCmhfRHN6l9a6oeVcvD42rozOTKqss9Pr6NvwVrqzdrCids/Q7Z0hmj+ijWoVSqf8GRKqZtliGtq/r2bNDNfS5au1Ys1Grdu809rSIR08ckonTp/XufO8HPCMNhqmeUSBTtZJAZMs6QxUmMWYJYuXaJfFdfjoEVMnLcF33LR6jSuDhQQHO56dZ/5cbe2MGEc5xMENEyFHjb8pTz4z07hw4fwFCp8Vrnlz5loSe9CSvyd6bm3vtiWTJPvLlixV0IwgTZ0yxSW/wUHB7rxNG30v0CM5RWiARbgSPPLXEUwJ9gk6uPip+VFuZIMXKxIf8Be+5aU6PJPKS1x4ERMv++NFj/BlgP12uNjDM5xM3gWW+R7aF7OpiBOUJ67je86B54kvJHaIEbBBwkdiCXaIbySqtMX/jFjle+EGfpuPI37a5rhPrF52/7OaK118ZUnwhjrXyqTAniW0YEgZrRxWQtvGltT+yeV0dFoVnZhRV+dnt9O9jeMVtXe+Ti8P0th2jVU2e2YVzZpZrerXVcC4URYfQ7RkebjWbVqiHREbtXvPDrt2/lf/uC4avs+fP6c1q1dp/NhxTrhNGDfOhNxky11CtdFymiPmy++Mg8HNi+fPdOb0KfdCm6lTJtu9CtVsw0BYqOHB/LLbMEY+88RExzP7XYgRcDfXMEKiPytspsMA9xgs8ZZhcIOYhWv27N7jMIXYC7byoZZbTp0y1eHokHH7Dy9/cPUifrh/CBr37LN93x2rg/uJ+EXM8OKc+fPmqHatGsbrJtpMnIObu3dvW1u+YRzH21kvOb/zfQgI8rj/j72zAPii2N6/93ev9147sFtQkW6kG1EQEZBSEClBRKXtRjEQFEGUUJAuO8CiW+yOe+2Wert4/ucz3/e8rF9fwvs3EHb1Yfe7Ozs7c+bMOeeZmd0XX4Cdxnajx9hM4grgH9RkcINVVQwU4ruJAbmf+IS4hNc9iJVIsyNk1XVg+8gwsmpEPHWzrPuYLIywpeTqvVff0tWX9lbpI/dViypH6p7LGmnOLWdr/h3NteTuZlp7Xwu9M+5cvT+pgz6c3lVfPneFNr5ynza8NUkvz7hRl3aqp7qVT1TzM2rqysH9jMSPCzYDO4CdZ2DoVYvNkcVH+BwD7Upb3md6Q3w37sGxoZ2Y1FhkduijDz+yNuBjV5lmN38KX6HGFtGXSDfVdIHY7QmT0xrzKficPOMJ+MAPzHcsWrgo2KSHrU/PmTVbM6bPMBs4LZSFPk1bssICH/iScZLJj0zSgw+Msbwf1swZ002PphrhfjToK68BoDc5ORYbmMzRG+SZar4W8LVgSPLm4LP/o+HWludY7HrHnXcEG0Ja2h9/De9Bx/HDxPMAP4h/5hr+GP+IXhCj0d7Ef8SNvPrDBzXRo2Aj82NVBkDw2aSDrGJ3iF0hq/AU0pEXOu++eacjq3xgidGc0icfp1rF/qU7OhbX9EtL6vEBpTT/6kpaeGN1Lbu1rlbc0VirRzTXOxO66Pt5txhZHaO1s4boph5nqnHF43RGrXLqd0l3jbXGnP3oY3r8mfl6Yt7Len7RSq169R298db7+ujjxJ9coawI6oAD9tfBBxfRUUcdJf6+5cEH8/cJ64R3PCknyoLRx3Cz9HHfffcN7+uB/fbbL7yHBcEguKEzfmz580VW/3uZpDv66KNVpEgR2x8TAknkQ740OrOuBOi820c6/tA5+e6///4qWbJkmKJHidi2dOZfwh0DhgGZQlaZ0WJ6HYUj2PGNoIZnR0di2ThmNou2IBDDOKHE5IuRRSHZo7C0IySX4BOyyhJACDxKyb0Yr9/6nVXISFpGqrJyM8x5btTalfPVt2srVTxyb51b6VCNvKimZg5sqKevbKAXr66rpTc00OrbztCaO5trzT1t9e4jl+uHRffp6+UPafboQerUorIqlz3SgtyaRlYHa+r0SaYXjwXd4D0gDDyB69tvvxPalY5H4MdSRv
TgsMMOM305KLRX0aJFw+gQBBS9pm50VgJ42h5dAH4fwTWzTciQQIDn0MH4O6nkd4TpAV8PPuCAAwr+ziqyRm8ILikHnZzlGegNeovOcEyHxcGgB+SNrJEfbR51GJwHnGejzLQlhJdBB/qubzyXjfzQE8iGbzg+/zur7DH25AXQFwwNfZ/RfuwAv7ENzMLh3NARAmzqSNnpfxB0yCqyRG+8zNsC+sEfE9+UuVGbstO0zozz+nQz3LxvbmSVpXY/I6uHQ1ZLaszlNTVlUDU9eV01vXRTdS0ZUksrhtbXK3c00Xv3tdNPc69U1uJR+u/8Ubrv2gt0dp1T1LBKsTAzP3LYEAtkpunxJ562INvI6gu8s/qOXn/jI3Mgn+nzT7/WyuWr1N9sBF8B3nvfvXT40YfqoMMP0r4H7adipYtrwLVX6M133gr1pJ8gQ5bC7r333uHPatGm6A56g81CLrQDn6jHUEPS+Hu7pOHPF6EL/I1IRkPJixlbNoz8ZZddHpZ3YZfIj3vQN3SU4HVLkGFBtPXTRDDtxyZn9vnHtC865mSVmVXIKvoR3dA5zuGIuM/PETQT/PBOC0EPNgXbgJNCDoCVHpynXPgR/AsBNTPw6AirQ7BzDHDE76z+ipnV8M7qm2ZT3rdgnhnBT/WtkdWfvvtGG378IczmbNzAF6ozjKxa4Ji22ciq+Yh0ZlbzwsxqykbI6qOBrJY8ZE91b1Jcd19STw8NbKzHr2usl24wnz2kjvWjxnpl+Nl684EL9Pmj12j9wtH6ZuF4zbi9jzo2KKOG5U7UhS3P1HAjqzMtuHv68Wf0zNPPm+wXmx9ba3b3PSMdH4WBn/ff5curE1SvXn2VLl1KVapUUfnyFYK/Pbf1uSFQfu/990yPWEnwQ2g7Bk4rVqwY+gPvb1aqWCnoiy9HD3ptRGDVypUhKENuLH0j+CYdg67t27UPQSc+k773oQWpBEj4vfpWFnwCr8mUKV0m9F3IIbpLW6F73IcuovcO7C76zvNpR8gqdrdDh/YhmCtsoy/SH3xlgudF36B8EHgGB6k7eRPr4MfRZeIY+hR9CT+FbtBnvP9BbJEJRJV6Q1YoE/UFQU7bAXXkuZTJ/bz/5nqCrH6hh8YMVz0jq6ed8HcN7lBKD15RX1PNX8++oYaeva2GFt5VT8uGn65V956j18d11ddPDdWGJZP15twxGnbphWpepbzOqFJZfY2sPjj6Hs2a/Yieema6Xlz4uFasfllrX11pZX8l+Gzqjc6zUqN0qdLh6/l1rE1rVK8RXmnBjhBAI1P6ELKjbfHRvCaF3tC+VapUDfK68447w8AA7QfhQ5b9+/UPMiM/9sxKNrT7Bw0cGHwderDRbA7HxFfkjS6SPqHD5YNdoQ1JS393vcFWIX/kyN/OxH4xeME57OpcK3uXLheGQTuC+eQN3SIdtgHbiN3jGZSdGAWfj31jABlbyPOwawT7xJH4a+4n/oDwEtMA+hr+B7JKH/vN3lk1HU8zsspsqv0Mr+9kp2Xpg9de0bWX9lCpw/dWswoH686LqmvKlfX16LW19ewN1bXo1lpaOcxivnub6JUHWumDWRfr24W367s14/T85GvV+7yaqlXxGCOr1XX1lf014aEJIf7GRmAX6SO0DzKi/sQ12Ez8K8uit+hBFTVpckboH8gIeTHg9a7FS8RAtClpAXaH350tpmLpK7qFjtFfkRP8qbrliY1BJ4iZm57Z1Pzi8CB39IA2IYa//PK+lqahleG0UAa+IYMOQfTQddqUAQz+XA16QpnQUfogx94H0QfyZuCbwXD8mMdzUX/Csykv/QK7QRrKzjEyI7ag/dEL9IM80SH6Gv2O2BY94Dd2FRJJjIFt8xV6cAb0xnkKOkkZ/xJktcZJ/9bQC0pqat+yemxwOT17bVW9eENNLbylrpYMbayV5vTentBN3z8/ROuMrK6acbNu7HGGmlQ+Xs3qVdBAU+bxD47W7Dmz9fhTFkA+O18vLFiqlWte15pXXt
M7774XFBHjjKD+9S/+9tqWv1vE37YkWMZwU14a7MMPPwiKCZGIpgWQTNZ3I0CUBcEy4oQi8Xc1o2kJCunMfGGXjbpTDgIvAsx//vOfP0uPoSTQQNlQop936F+CdOzJFwUhiEORUQIMGxv5cB0E5Ta4gmJUcHSQBtoDQ0aeKDnKSHsRcOKEUR6MH+3LCCIEB9LNyApLRiCrO/qna3YUiZkzuyfbDF/WRq1ZMV+Xd2utCkfvrTZVDtfIXrU1Y3AjPXVVfc2/urYW31hPa25vorV3N9fa+9ro3cmX6rsF9+jLpeM0a9RAdTqnsqqUO8qMUS1dd9NgTTGy+vTTT4YZHeSAk0eHqSf1pQNCMHEs0XYCEEuWLj7xxONBVpSX+6l/so5BWAmECCzoF8gFh8qIFOQzmhZAhGkPgmnaCuOBocMYknfij0RvyRuHSh8kX9qOvoahQZcxXkGW+fIHTlY5h+PCEfHOKkE7G7pDGu5nQ3f8mA2j7l+NQ1+dLLDxLAwe/R4ZkhZ7gFFDTyBfjNIS3BE0UXYMNiNwDJzgmHdE90FiMIOZ1Y1KyU7VeiOrG/iwST5ZpUjrjaw+nk9Wyx3xL11qZHV031qafGVNPW52Zv7NNfXyraY7QxtoxV1N9db95+m7R69W6uLR+ujZe3TPVecZWT1ZjU47WRdf0FKjht+mGdO3kNX5L67Q8tXvmK15R2+/9aG++uK7sMx/gNmIg4sc9LN2BccWL6r+1wzW2tctoMnJDQYaW0rbJqfdb799w6wLNjYzMyPIhkAJA73XXlv+Vhv4+9//HmwQDsXbgvaEbEFoo2kB5LVPn0siZBVbkgzknDhGVwA6hlPC4aE39A/0LbqhPyCqN/xGB1iSiJNh1ge7wnnsDEGa2xr0HUeFraG+6CZ2FB8E2cUxESDyDv7WyCr7mKz+D2R1o5PVPCOrm7UuzYLuDPMb9rzUlJ+08IVH1b5ZXZU6dE91O724hvWuq/H9G2r21Q31nAWRC2+uraVDG2rpnWdp9eiO+nD2Vfp2wWh9/vJ4TR16mc5rWF4NyhVT51ZNNfzWWzT9kcl6Yu6TevqJ5/Ti8xYsL1+jN19/W++99Z7effNdvff2e7r9ttu1V/i7h3sU/I1pgF7j89ArfAztS1DEe5vJaekfBIcEkAR3m1I2Bb/MKgYGCLGp/E3sPfJtKwM8w0cM1/f5wSb2mpkBzmOD99zT/2ZmAuSDz2Nz3aNM3hewy9jURACf8O9byGqHoG++Rdu4sA1dps4MFOF/8bf4FTb0Bn+ELAC2GF1nMNO/xo7d9Q8sMfCOXAggGXgmrvEyJ9vbwkBdqRP1cz/vv7nuZPXhfLJazcjqFe1La8ygupp0TV1Nu6aqnripql4YWlOL7mqo5fe20GvjuuiLp27VuiWT9Pqc0bqjT2c1M7J6etUq6tuzh8aOGWnx3hQ98cxMzXvxcS1duUCvvb4m+G6CW4JpAlfiLG+ffcxPogMcMxjMoNdnnyVsH/IhkGYgz9M7sJMQM2wD7YL9QG7YHwYXSYMuEPsRzxFLYrNoB2ya6xh5o49R300MSDncRiI72o770BWA7cIucg47gF7xmhHBPrrvZDVqa32jHdzXs2FbiT8hEjwX24B+sNFW+GzSQCA4T974ecrPwKSTVWzwb09Ws5RitiY1Iy+87plt93701hpdd7mR1SP21plGVof2qKqJg+po1lU19eS11fQiA82319OyYY214r5z9NbUi/XFi3fom5UPa96kG4ys1jWyepyaN7F476pBesgIDuXHLhLv0aYMQlBPfAhxCvbj+Py/bUq7us7Q1vQdBjl8EBZ9I57hOu0fjf/5XgOD8/hX+gJ2Gr/HJBnX8d8eJzLwfHHvi0O8STtiR1hJAqHFJnkZHJWNuLKijS0nXyfQD+TN/ZQNXfI+iN4Si0FWW7ZKkFX0yjeue59P3sgTv0GMkljdMSYMOpM/+kj+6Cwcz2fqWVHFM4jtiOsYkCHOdLLKwI4vMf7rkN
VTjlPVonvpuo5lNO6ySpo2qIrmXl1TT11XR8/dWF/PDzldi4ado1fHdddXzw3Rd4vv19KpN+marqeHmdWmdcqr/yXdNG7MfWFpBOV5mvcPX16klavWGli++HoIMCgfzgbi4UYGZeHlYBwGdaC8NA7BzOTJk4OxYwYCA4MiMuOBY4GsEbB5Y9E4CA6y6QqIMkLeqCfBEIqA4aChIYeM2DAzRlqMGPcyUoZxQxFIz35b4NnkiZEiIKHBUA46I2VjQxGTjRgb9/mIK0qMwaED0FbIAGXGYKE41BVnTYdmj/JhrCCr6AIB468hq/xmv10Y+UjhXt7/yMrQqhUvq0+3dip79D5qWflwDetZS5MGNtDswXX0+BU1NN+CpSW3NNLyO5pq5T2t9cbE3vryhbv0nwUPaPq9/dXxnKqqWsGMV/P6uu7GKzTxkYeswzwWdJggFbJJ+6DDBMzoMcaJNicwcj3AyTAajdGmI3lgQqfGEdC2DFTQtugaJIKggOcgU+RCv2DECcKLXpEWZ8fsFx2aYB6jSNuRlnLQwflyqgdK6A+jeCwDpqxsGCjuw4Ag72T5A3dgnHOyyig0hpuN8tFPPWhi7/B6svwJY0xbY2TJl/uQBXXEaKE3BA6AEVvIKvYD58dyTspNH8N4sQwY58n9PKdQffgFrB+kb1KqkdW0bDPY9ntjmgWE+cuAmVldZ2T1sWlTdFatqmHpYs9mp2p4n1oaP7i2Zl5fxwKl2nrmlrqaf2tjvXxHc60a1Un/nXOtfrAA+60n79awQe3UrGZRNahSVD075c+sTucDS0+FZcDPv7RcK1e/bXrzll57NfEFaT5iwzLBhg3ra78DTA/+Zs5sz7/ryKLHq123zpo8Z4be/+iDIDPaCSMLKWKQIuocGeAgICWoRS7YBGSJ3JEZtsn1BvtB8IJBp41oP2wwgRXGHJ0lLTrM6hB0GhtHWyFvtynbAvmij05WmWXCbuBwXE8K2ygLjoiysQqFQAlHRfloR+SAzmIzGNzAXuPcsTUE2dhWgiJ0BB3ymdWt/ekaQHmRGYjJ6o6R1U18eGtjupFVC5LTeX8sVz8ZcV2fni2GPyCri158VB3OqqvSh/1TPc6wvnRJfU0Y2EizrmmsJ29oYD67ofWjpnp5WCstvb+r3plzvb5Y+KA+WfCwHrm9n9o1qqQ65U5Wx1ZnaZiR1amTHtFjcx7XU0+YDX5+gVYZWX3byOoHb71reEcfvP1O+PJusROLBrvn/tV9JgQL/+vtjh8nSGIQz/08OPTQQ0NgiVzQV/QDeXA/BDQ6cMwxdpWACL1EzugKfpKZE3y7B6aUA5uNnmDzaB8CR3TRfT5gsMmDR55N+yaWAV8R+iL23Tf36b65HviGLmNPWaaITuJH6DeJ5/Ahx8QKKny5B37otJNV4g/6H7Nm2H2W6/2+ZNWC7zEjVMfIapXj/6GB7cpq1ID6euiqepp8VTU9dkM1zR9aWwvvPl3LR7XSaw9115fPDdW6ZY/o9bn3a+ilF+oMI6uNTquqS3tdZAHzKM3gGwBPzNaTzz2hlxa9aDZ4pd6w9iTApb7Eosyg7rPPPsHmOUlEJ2hbBtmIf5AzNhBZMsgRBizy9QBdY7Ubg2XIhbToDr4Z25c80AzpYFaOlTDUn3yJO/H92Fx00tOiQ/hynstG+6K/2Crk523pdow9adjTdsRb6Bw6zMY96Gl047frEvdi+4j3IB0MGnqsSTq3kdSPeAMZUmdsCUQVHfVlwPifrZFVykE9aHuOo7qydbAMOCP47o0ZOcq08mZmpuqDd1brmn49VPKofXRmpSK67aJqenhwfc242uK962rp+ZvraNEdjbTkrqZaNrKN3ph6mT57cYS+WjlVz026Vb3aN1KN8kV1VuM6uuaKQRpv+k7bUQfaKEpWifnwrdgHBhzQk+iAMPEfsRoTG/StzKzMkB5fxMQFbeu+m/vIwycnkAPyQecYlI6m/dv//S3oAZNj+DvaAr3BHiTs2H4Fus