Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1
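Import-Module -Name $PSScriptRoot/../../Utility/Utility.psm1 -Function Invoke-GraphDirectly, ConvertFrom-GraphHashtable

function Get-ResourcePermissions {
    <#
    .Description
    Returns the appRoles and oauth2PermissionScopes of the service principal whose appId equals
    $ResourceAppId. Results are stored in $ResourcePermissionCache, keyed by the appId, so each
    resource is only requested from Graph once per cache.
    .Parameter M365Environment
    Passed through to Invoke-GraphDirectly.
    .Parameter ResourcePermissionCache
    Hashtable used as the lookup cache. When $null, a local hashtable is used for this call only.
    .Parameter ResourceAppId
    The appId of the resource whose permissions are looked up.
    .Functionality
    Internal
    #>
    param(
        [ValidateNotNullOrEmpty()]
        [string]
        $M365Environment,

        [hashtable]
        $ResourcePermissionCache,

        [string]
        $ResourceAppId
    )
    try {
        if ($null -eq $ResourcePermissionCache) {
            $ResourcePermissionCache = @{}
        }

        if (-not $ResourcePermissionCache.ContainsKey($ResourceAppId)) {
            # The appId is interpolated into an OData string literal. It originates from tenant
            # data (application manifests / RiskyPermissions.json), so double any single quote to
            # keep the value inside the literal instead of letting it alter the filter expression.
            $EscapedResourceAppId = $ResourceAppId.Replace("'", "''")

            # v1.0 Graph endpoint is used here because it contains the oauth2PermissionScopes property
            $result = (
                Invoke-GraphDirectly `
                    -Commandlet "Get-MgServicePrincipal" `
                    -M365Environment $M365Environment `
                    -QueryParams @{
                        '$filter' = "appId eq '$EscapedResourceAppId'"
                        '$select' = "appRoles,oauth2PermissionScopes"
                    }
            ).Value
            # The cache key stays the caller's original (unescaped) appId.
            $ResourcePermissionCache[$ResourceAppId] = $result
        }
        return $ResourcePermissionCache[$ResourceAppId]
    }
    catch {
        Write-Warning "An error occurred in Get-ResourcePermissions: $($_.Exception.Message)"
        Write-Warning "Stack trace: $($_.ScriptStackTrace)"
        throw $_
    }
}

function Get-RiskyPermissionsJson {
    <#
    .Description
    Loads Permissions/RiskyPermissions.json, located two directory levels above this script's
    folder, and returns it parsed by ConvertFrom-Json.
    .Functionality
    Internal
    #>
    process {
        try {
            $PermissionsPath = Join-Path -Path ((Get-Item -Path $PSScriptRoot).Parent.Parent.FullName) -ChildPath "Permissions"
            $PermissionsJson = Get-Content -Path (
                Join-Path -Path (Get-Item -Path $PermissionsPath) -ChildPath "RiskyPermissions.json"
            ) | ConvertFrom-Json
        }
        catch {
            Write-Warning "An error occurred in Get-RiskyPermissionsJson: $($_.Exception.Message)"
            Write-Warning "Stack trace: $($_.ScriptStackTrace)"
            throw $_
        }
        return $PermissionsJson
    }
}

function Format-Permission {
    <#
    .Description
    Returns an API permission from either application/service principal
    which maps to the list of permissions declared in RiskyPermissions.json
    .Parameter Json
    The parsed RiskyPermissions.json object.
    .Parameter AppDisplayName
    Display name of the resource; used as the key under $Json.permissions.
    .Parameter Id
    The permission (role) id to look up.
    .Parameter RoleType
    Key under $Json.permissions.<AppDisplayName>; callers in this module pass "Application" or
    "Delegated", or $null when the role could not be resolved.
    .Parameter RoleDisplayName
    Human-readable permission name.
    .Parameter IsAdminConsented
    Copied onto the returned object unchanged.
    .Functionality
    Internal
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [PSCustomObject]
        $Json,

        [ValidateNotNullOrEmpty()]
        [string]
        $AppDisplayName,

        [ValidateNotNullOrEmpty()]
        [string]
        $Id,

        [string]
        $RoleType,

        [string]
        $RoleDisplayName,

        [ValidateNotNullOrEmpty()]
        [boolean]
        $IsAdminConsented
    )

    $Map = @()
    # NOTE(review): $RoleType is declared [string], so a $null argument is bound as '' and this
    # guard is always taken. An unresolved role therefore still yields an entry (RoleType '' and
    # IsRisky $false). Format-RiskyApplications matches on the RoleId of such entries, so they
    # are kept on purpose here; $null is placed on the left per PSScriptAnalyzer guidance.
    if ($null -ne $RoleType) {
        $RiskyPermissions = $Json.permissions.$AppDisplayName.$RoleType.PSObject.Properties.Name
        $IsRisky = $RiskyPermissions -contains $Id

        $Map += [PSCustomObject]@{
            RoleId                 = $Id
            RoleType               = if ($null -ne $RoleType) { $RoleType } else { $null }
            RoleDisplayName        = if ($null -ne $RoleDisplayName) { $RoleDisplayName } else { $null }
            ApplicationDisplayName = $AppDisplayName
            IsAdminConsented       = $IsAdminConsented
            IsRisky                = $IsRisky
        }
    }
    return $Map
}

function Format-Credentials {
    <#
    .Description
    Returns an array of valid/expired credentials
    .Parameter AccessKeys
    Credential objects to format. Entries lacking any of KeyId, DisplayName, StartDateTime or
    EndDateTime are skipped.
    .Parameter IsFromApplication
    Added to every returned credential as the IsFromApplication property.
    .Functionality
    Internal
    #>
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute(
        "PSReviewUnusedParameter", "IsFromApplication",
        Justification = "False positive due to variable scoping"
    )]
    param (
        [Object[]]
        $AccessKeys,

        [ValidateNotNullOrEmpty()]
        [boolean]
        $IsFromApplication
    )

    process {
        $ValidCredentials = @()
        $RequiredKeys = @("KeyId", "DisplayName", "StartDateTime", "EndDateTime")
        foreach ($Credential in $AccessKeys) {
            # Only format credentials with the correct keys.
            # @() keeps .Count well-defined whether zero, one or several keys are missing.
            $MissingKeys = @($RequiredKeys | Where-Object { -not ($Credential.PSObject.Properties.Name -contains $_) })
            if ($MissingKeys.Count -eq 0) {
                # Build a copy rather than modifying the input object. Only the four metadata
                # fields plus IsFromApplication are selected; any other property on the source
                # object is not carried into the output.
                $CredentialCopy = $Credential | Select-Object -Property `
                    KeyId, DisplayName, StartDateTime, EndDateTime, `
                    @{ Name = "IsFromApplication"; Expression = { $IsFromApplication } }
                $ValidCredentials += $CredentialCopy
            }
        }

        if ($null -eq $AccessKeys -or $AccessKeys.Count -eq 0 -or $ValidCredentials.Count -eq 0) {
            return $null
        }
        return $ValidCredentials
    }
}

function Merge-Credentials {
    <#
    .Description
    Merge credentials from multiple resources into a single resource
    .Parameter ApplicationAccessKeys
    Credentials taken from the application object, or $null.
    .Parameter ServicePrincipalAccessKeys
    Credentials taken from the service principal object, or $null.
    .Functionality
    Internal
    #>
    param (
        [Object[]]
        $ApplicationAccessKeys,

        [Object[]]
        $ServicePrincipalAccessKeys
    )

    # Both application/sp objects have key and federated credentials.
    # Conditionally merge the two together, select only application/service principal creds, or none.
    $MergedCredentials = @()
    if ($null -ne $ServicePrincipalAccessKeys -and $null -ne $ApplicationAccessKeys) {
        # Both objects valid; service principal credentials come first in the result
        $MergedCredentials = @($ServicePrincipalAccessKeys) + @($ApplicationAccessKeys)
    }
    elseif ($null -eq $ServicePrincipalAccessKeys -and $null -ne $ApplicationAccessKeys) {
        # Only application credentials valid
        $MergedCredentials = @($ApplicationAccessKeys)
    }
    elseif ($null -ne $ServicePrincipalAccessKeys -and $null -eq $ApplicationAccessKeys) {
        # Only service principal credentials valid
        $MergedCredentials = @($ServicePrincipalAccessKeys)
    }
    else {
        # Neither credentials are valid
        $MergedCredentials = $null
    }
    return $MergedCredentials
}

function Get-ApplicationsWithRiskyPermissions {
    <#
    .Description
    Returns an array of applications where each item contains its Object ID, App ID, Display Name,
    Key/Password/Federated Credentials, and risky API permissions.
    Only applications with at least one risky permission are returned; the Permissions property
    of a returned application holds every mapped permission, each flagged through IsRisky.
    .Parameter M365Environment
    Passed through to Invoke-GraphDirectly.
    .Parameter ResourcePermissionCache
    Cache handed to Get-ResourcePermissions.
    .Functionality
    Internal
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [string]
        $M365Environment,

        [hashtable]
        $ResourcePermissionCache
    )
    process {
        try {
            $RiskyPermissionsJson = Get-RiskyPermissionsJson
            # Get all applications in the tenant
            $Applications = (Invoke-GraphDirectly -commandlet "Get-MgBetaApplication" -M365Environment $M365Environment).Value
            $ApplicationResults = @()
            foreach ($App in $Applications) {
                # `AzureADMyOrg` = single tenant; `AzureADMultipleOrgs` = multi tenant
                # NOTE(review): other sign-in audiences that also admit accounts from outside the
                # tenant (e.g. `AzureADandPersonalMicrosoftAccount`) are reported as $false here;
                # confirm that this is intended.
                $IsMultiTenantEnabled = $false
                if ($App.SignInAudience -eq "AzureADMultipleOrgs") {
                    $IsMultiTenantEnabled = $true
                }

                # Map application permissions against RiskyPermissions.json
                $MappedPermissions = @()
                foreach ($Resource in $App.RequiredResourceAccess) {
                    # Returns both application and delegated permissions
                    $Roles = $Resource.ResourceAccess
                    $ResourceAppId = $Resource.ResourceAppId

                    $ResourceAppPermissions = Get-ResourcePermissions `
                        -M365Environment $M365Environment `
                        -ResourcePermissionCache $ResourcePermissionCache `
                        -ResourceAppId $ResourceAppId

                    if ($null -eq $ResourceAppPermissions) {
                        Write-Warning "No permissions found for resource app ID: $ResourceAppId"
                        continue
                    }

                    # Additional processing is required to determine if a permission is admin consented.
                    # Initially assume admin consent is false since we reference the application's manifest,
                    # then update the value later when its compared to service principal permissions.
                    $IsAdminConsented = $false

                    # Only map on resources stored in RiskyPermissions.json file
                    if ($RiskyPermissionsJson.resources.PSObject.Properties.Name -contains $ResourceAppId) {
                        foreach ($Role in $Roles) {
                            $ResourceDisplayName = $RiskyPermissionsJson.resources.$ResourceAppId
                            $RoleId = $Role.Id
                            if ($Role.Type -eq "Role") {
                                $ReadableRoleType = "Application"
                                $RoleDisplayName = ($ResourceAppPermissions.appRoles | Where-Object { $_.id -eq $RoleId }).value
                            }
                            else {
                                $ReadableRoleType = "Delegated"
                                $RoleDisplayName = ($ResourceAppPermissions.oauth2PermissionScopes | Where-Object { $_.id -eq $RoleId }).value
                            }

                            $MappedPermissions += Format-Permission `
                                -Json $RiskyPermissionsJson `
                                -AppDisplayName $ResourceDisplayName `
                                -Id $RoleId `
                                -RoleType $ReadableRoleType `
                                -RoleDisplayName $RoleDisplayName `
                                -IsAdminConsented $IsAdminConsented
                        }
                    }
                }

                # Get the application credentials via Invoke-GraphDirectly
                $FederatedCredentials = (Invoke-GraphDirectly -commandlet "Get-MgBetaApplicationFederatedIdentityCredential" -M365Environment $M365Environment -Id $App.Id).Value
                $FederatedCredentialsResults = @()

                if ($FederatedCredentials -is [System.Collections.IEnumerable] -and $FederatedCredentials.Count -gt 0) {
                    foreach ($FederatedCredential in $FederatedCredentials) {
                        $FederatedCredentialsResults += [PSCustomObject]@{
                            Id          = $FederatedCredential.Id
                            Name        = $FederatedCredential.Name
                            Description = $FederatedCredential.Description
                            Issuer      = $FederatedCredential.Issuer
                            Subject     = $FederatedCredential.Subject
                            Audiences   = $FederatedCredential.Audiences | Out-String
                        }
                    }
                }
                else {
                    $FederatedCredentialsResults = $null
                }

                $RiskyPermissions = @($MappedPermissions | Where-Object { $_.IsRisky -eq $true })

                # Exclude applications without risky permissions
                if ($RiskyPermissions.Count -gt 0) {
                    $ApplicationResults += [PSCustomObject]@{
                        ObjectId             = $App.Id
                        AppId                = $App.AppId
                        DisplayName          = $App.DisplayName
                        IsMultiTenantEnabled = $IsMultiTenantEnabled
                        # Credentials from application and service principal objects may get merged in other cmdlets.
                        # Differentiate between the two by setting IsFromApplication=$true
                        KeyCredentials       = Format-Credentials -AccessKeys $App.KeyCredentials -IsFromApplication $true
                        PasswordCredentials  = Format-Credentials -AccessKeys $App.PasswordCredentials -IsFromApplication $true
                        FederatedCredentials = $FederatedCredentialsResults
                        Permissions          = $MappedPermissions
                    }
                }
            }
        }
        catch {
            Write-Warning "An error occurred in Get-ApplicationsWithRiskyPermissions: $($_.Exception.Message)"
            Write-Warning "Stack trace: $($_.ScriptStackTrace)"
            throw $_
        }
        return $ApplicationResults
    }
}

function Get-ServicePrincipalsWithRiskyPermissions {
    <#
    .Description
    Returns an array of service principals where each item contains its Object ID, App ID, Display Name,
    Key/Password Credentials, and risky API permissions.
    App role assignments are fetched through the Graph $batch endpoint in groups of 20 service
    principals. Only service principals with at least one risky permission are returned.
    .Parameter M365Environment
    Passed through to Invoke-GraphDirectly and Get-ScubaGearPermissions.
    .Parameter ResourcePermissionCache
    Cache handed to Get-ResourcePermissions.
    .Functionality
    Internal
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [string]
        $M365Environment,

        [hashtable]
        $ResourcePermissionCache
    )
    process {
        try {
            $RiskyPermissionsJson = Get-RiskyPermissionsJson
            $ServicePrincipalResults = @()

            # Get all service principals
            $ServicePrincipals = (Invoke-GraphDirectly -commandlet "Get-MgBetaServicePrincipal" -M365Environment $M365Environment).Value

            # Prepare service principal IDs for batch processing.
            # Force an array: with exactly one service principal, `.Id` is a single string and
            # the range index below would slice its characters instead of selecting the ID.
            $ServicePrincipalIds = @($ServicePrincipals.Id | Where-Object { $null -ne $_ })

            # Split the service principal IDs into chunks of 20
            $Chunks = [System.Collections.Generic.List[System.Object]]::new()
            $ChunkSize = 20
            for ($i = 0; $i -lt $ServicePrincipalIds.Count; $i += $ChunkSize) {
                $Chunks.Add($ServicePrincipalIds[$i..([math]::Min($i + $ChunkSize - 1, $ServicePrincipalIds.Count - 1))])
            }

            # Get-ScubaGearPermissions is not among the functions imported at the top of this
            # file; it is presumably provided by another module loaded in the session.
            $endpoint = '/beta/$batch'
            $endpoint = (Get-ScubaGearPermissions -CmdletName Connect-MgGraph -Environment $M365Environment -OutAs endpoint) + $endpoint

            # Process each chunk
            foreach ($Chunk in $Chunks) {
                $BatchBody = @{
                    Requests = @()
                }

                foreach ($ServicePrincipalId in $Chunk) {
                    $BatchBody.Requests += @{
                        id     = $ServicePrincipalId
                        method = "GET"
                        url    = "/servicePrincipals/$ServicePrincipalId/appRoleAssignments"
                    }
                }

                # Send the batch request
                $Response = Invoke-MgGraphRequest -Method POST -Uri $endpoint -Body (
                    $BatchBody | ConvertTo-Json -Depth 5
                )

                # Check the response
                if ($Response.responses) {
                    foreach ($Result in $Response.responses) {
                        $ServicePrincipalId = $Result.id
                        $ServicePrincipal = $ServicePrincipals | Where-Object { $_.Id -eq $ServicePrincipalId }
                        $MappedPermissions = @()

                        if ($Result.status -eq 200) {
                            $AppRoleAssignments = $Result.body.value

                            # Only the first page of each sub-response is read. Surface the
                            # truncation so a permission on a later page is not silently missed.
                            if ($null -ne $Result.body.'@odata.nextLink') {
                                Write-Warning "App role assignments for service principal $($Result.id) span more than one page; only the first page was evaluated."
                            }

                            if ($AppRoleAssignments.Count -gt 0) {
                                foreach ($Role in $AppRoleAssignments) {
                                    $ResourceDisplayName = $Role.ResourceDisplayName
                                    $RoleId = $Role.AppRoleId

                                    # Default to true,
                                    # `Get-MgBetaServicePrincipalAppRoleAssignment` only returns admin consented permissions
                                    $IsAdminConsented = $true

                                    # Only map on resources stored in RiskyPermissions.json file
                                    if ($RiskyPermissionsJson.permissions.PSObject.Properties.Name -contains $ResourceDisplayName) {
                                        # Reverse lookup: resources maps appId -> display name
                                        $ResourceAppId = $RiskyPermissionsJson.resources.PSObject.Properties |
                                            Where-Object { $_.Value -eq $ResourceDisplayName } |
                                            Select-Object -ExpandProperty Name

                                        $ResourceAppPermissions = Get-ResourcePermissions `
                                            -M365Environment $M365Environment `
                                            -ResourcePermissionCache $ResourcePermissionCache `
                                            -ResourceAppId $ResourceAppId

                                        if ($null -eq $ResourceAppPermissions) {
                                            Write-Warning "No permissions found for resource app ID: $ResourceAppId"
                                            continue
                                        }

                                        $ReadableRoleType = $null
                                        $RoleDisplayName = $null

                                        $AppRole = $ResourceAppPermissions.appRoles | Where-Object { $_.id -eq $RoleId }
                                        if ($null -ne $AppRole) {
                                            $ReadableRoleType = "Application"
                                            $RoleDisplayName = $AppRole.value
                                        }
                                        else {
                                            $OauthScope = $ResourceAppPermissions.oauth2PermissionScopes | Where-Object { $_.id -eq $RoleId }
                                            if ($null -ne $OauthScope) {
                                                $ReadableRoleType = "Delegated"
                                                $RoleDisplayName = $OauthScope.value
                                            }
                                        }

                                        $MappedPermissions += Format-Permission `
                                            -Json $RiskyPermissionsJson `
                                            -AppDisplayName $ResourceDisplayName `
                                            -Id $RoleId `
                                            -RoleType $ReadableRoleType `
                                            -RoleDisplayName $RoleDisplayName `
                                            -IsAdminConsented $IsAdminConsented
                                    }
                                }
                            }
                        }
                        else {
                            # A failed sub-request leaves this service principal unevaluated;
                            # it is only reported through this warning.
                            Write-Warning "Error for service principal $($Result.id): $($Result.status)"
                        }

                        $RiskyPermissions = @($MappedPermissions | Where-Object { $_.IsRisky -eq $true })

                        # Exclude service principals without risky permissions
                        if ($RiskyPermissions.Count -gt 0) {
                            $ServicePrincipalResults += [PSCustomObject]@{
                                ObjectId               = $ServicePrincipal.Id
                                AppId                  = $ServicePrincipal.AppId
                                DisplayName            = $ServicePrincipal.DisplayName
                                SignInAudience         = $ServicePrincipal.SignInAudience
                                # Credentials from application and service principal objects may get merged in other cmdlets.
                                # Differentiate between the two by setting IsFromApplication=$false
                                KeyCredentials         = Format-Credentials -AccessKeys $ServicePrincipal.KeyCredentials -IsFromApplication $false
                                PasswordCredentials    = Format-Credentials -AccessKeys $ServicePrincipal.PasswordCredentials -IsFromApplication $false
                                FederatedCredentials   = $ServicePrincipal.FederatedIdentityCredentials
                                Permissions            = $MappedPermissions
                                AppOwnerOrganizationId = $ServicePrincipal.AppOwnerOrganizationId
                            }
                        }
                    }
                }
            }
        }
        catch {
            Write-Warning "An error occurred in Get-ServicePrincipalsWithRiskyPermissions: $($_.Exception.Message)"
            Write-Warning "Stack trace: $($_.ScriptStackTrace)"
            throw $_
        }
        return $ServicePrincipalResults
    }
}

function Format-RiskyApplications {
    <#
    .Description
    Returns an aggregated JSON dataset of application objects, combining data from both applications and
    service principal objects. Key/Password/Federated credentials are combined into a single array, and
    admin consent is reflected in each object's list of associated risky permissions.
    .Parameter RiskyApps
    Output of Get-ApplicationsWithRiskyPermissions.
    .Parameter RiskySPs
    Output of Get-ServicePrincipalsWithRiskyPermissions.
    .Functionality
    Internal
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [Object[]]
        $RiskyApps,

        [ValidateNotNullOrEmpty()]
        [Object[]]
        $RiskySPs
    )
    process {
        try {
            $Applications = @()
            foreach ($App in $RiskyApps) {
                $MatchedServicePrincipal = $RiskySPs | Where-Object { $_.AppId -eq $App.AppId }

                # Merge objects if an application and service principal exist with the same AppId
                $MergedObject = @{}
                if ($MatchedServicePrincipal) {
                    # Determine if each risky permission was admin consented or not.
                    # This updates the permission objects held by $App in place.
                    foreach ($Permission in $App.Permissions) {
                        $ServicePrincipalRoleIds = $MatchedServicePrincipal.Permissions | Select-Object -ExpandProperty RoleId
                        if ($ServicePrincipalRoleIds -contains $Permission.RoleId) {
                            $Permission.IsAdminConsented = $true
                        }
                    }

                    $ObjectIds = [PSCustomObject]@{
                        Application      = $App.ObjectId
                        ServicePrincipal = $MatchedServicePrincipal.ObjectId
                    }

                    $MergedKeyCredentials = Merge-Credentials `
                        -ApplicationAccessKeys $App.KeyCredentials `
                        -ServicePrincipalAccessKeys $MatchedServicePrincipal.KeyCredentials

                    $MergedPasswordCredentials = Merge-Credentials `
                        -ApplicationAccessKeys $App.PasswordCredentials `
                        -ServicePrincipalAccessKeys $MatchedServicePrincipal.PasswordCredentials

                    $MergedFederatedCredentials = Merge-Credentials `
                        -ApplicationAccessKeys $App.FederatedCredentials `
                        -ServicePrincipalAccessKeys $MatchedServicePrincipal.FederatedCredentials

                    $MergedObject = [PSCustomObject]@{
                        ObjectId             = $ObjectIds
                        AppId                = $App.AppId
                        DisplayName          = $App.DisplayName
                        IsMultiTenantEnabled = $App.IsMultiTenantEnabled
                        KeyCredentials       = $MergedKeyCredentials
                        PasswordCredentials  = $MergedPasswordCredentials
                        FederatedCredentials = $MergedFederatedCredentials
                        Permissions          = $App.Permissions
                    }
                }
                else {
                    # No service principal with this AppId: the application is passed through as is
                    $MergedObject = $App
                }

                $Applications += $MergedObject
            }
        }
        catch {
            Write-Warning "An error occurred in Format-RiskyApplications: $($_.Exception.Message)"
            Write-Warning "Stack trace: $($_.ScriptStackTrace)"
            throw $_
        }
        return $Applications
    }
}

function Format-RiskyThirdPartyServicePrincipals {
    <#
    .Description
    Returns a JSON dataset of service principal objects owned by external organizations.
    .Parameter RiskySPs
    Output of Get-ServicePrincipalsWithRiskyPermissions.
    .Parameter M365Environment
    Passed through to Invoke-GraphDirectly.
    .Functionality
    Internal
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [Object[]]
        $RiskySPs,

        [ValidateNotNullOrEmpty()]
        [string]
        $M365Environment
    )
    process {
        try {
            $ServicePrincipals = @()
            $OrgInfo = (Invoke-GraphDirectly -Commandlet "Get-MgBetaOrganization" -M365Environment $M365Environment).Value

            foreach ($ServicePrincipal in $RiskySPs) {
                if ($null -eq $ServicePrincipal) {
                    continue
                }

                # If the service principal's owner id is not the same as this tenant then it is a 3rd party principal.
                # NOTE(review): if the organization lookup yields no Id, every service principal
                # with an owner id compares as different and is reported as third party.
                if ($ServicePrincipal.AppOwnerOrganizationId -ne $OrgInfo.Id) {
                    $ServicePrincipals += $ServicePrincipal
                }
            }
        }
        catch {
            Write-Warning "An error occurred in Format-RiskyThirdPartyServicePrincipals: $($_.Exception.Message)"
            Write-Warning "Stack trace: $($_.ScriptStackTrace)"
            throw $_
        }
        return $ServicePrincipals
    }
}

Export-ModuleMember -Function @(
    "Get-RiskyPermissionsJson",
    "Format-Credentials",
    "Get-ApplicationsWithRiskyPermissions",
    "Get-ServicePrincipalsWithRiskyPermissions",
    "Format-RiskyApplications",
    "Format-RiskyThirdPartyServicePrincipals"
)

# NOTE: The published copy of this module ended with an Authenticode signature block
# ("# SIG # Begin signature block" ... "# SIG # End signature block"). A signature covers the
# exact bytes of the file that was signed, so it does not validate for this reformatted and
# edited text and is not reproduced here. Re-sign the module (Set-AuthenticodeSignature) before
# distributing it, and verify the result with Get-AuthenticodeSignature wherever an execution
# policy that requires signed scripts is enforced.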