Checks/check-ORCA118_2.ps1

using module "..\ORCA.psm1"

class ORCA118_2 : ORCACheck
{
    <#
     
        CONSTRUCTOR with Check Header Data
     
    #>


    ORCA118_2()
    {
        $this.Control="118-2"
        $this.Area="Transport Rules"
        $this.Name="Domain Allow Listing"
        $this.PassText="Domains are not being allow listed in an unsafe manner"
        $this.FailRecommendation="Remove allow listed domains"
        $this.Importance="Emails coming from allow listed domains bypass several layers of protection within Exchange Online Protection. If domains are allow listed, they are open to being spoofed from malicious actors."
        $this.ExpandResults=$True
        $this.CheckType=[CheckType]::ObjectPropertyValue
        $this.ObjectType="Transport Rule"
        $this.ItemName="Condition"
        $this.DataType="Allow Listed Address"
        $this.ChiValue=[ORCACHI]::High
        $this.Links= @{
            "Exchange admin center in Exchange Online"="https://outlook.office365.com/ecp/"
            "Using Exchange Transport Rules (ETRs) to allow specific senders"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#using-exchange-transport-rules-etrs-to-allow-specific-senders-recommended"
        }
    }

    <#
     
        RESULTS
     
    #>


    GetResults($Config)
    {
        $Check = "Transport Rule SCL"
    
        # Look through Transport Rule for an action SetSCL -1
    
        ForEach($TransportRule in $Config["TransportRules"]) 
        {
            If($TransportRule.SetSCL -eq "-1") 
            {
                #Rules that apply to the sender domain
                #From Address notmatch is to include if just domain name is value
                If($TransportRule.SenderDomainIs -ne $null -or ($TransportRule.FromAddressContainsWords -ne $null -and $TransportRule.FromAddressContainsWords -notmatch ".+@") -or ($TransportRule.FromAddressMatchesPatterns -ne $null -and $TransportRule.FromAddressMatchesPatterns -notmatch ".+@"))
                {
                    #Look for condition that checks auth results header and its value
                    If(($TransportRule.HeaderContainsMessageHeader -eq 'Authentication-Results' -and $TransportRule.HeaderContainsWords -ne $null) -or ($TransportRule.HeaderMatchesMessageHeader -like '*Authentication-Results*' -and $TransportRule.HeaderMatchesPatterns -ne $null)) 
                    {
                        # OK
                    }
                    #Look for exception that checks auth results header and its value
                    elseif(($TransportRule.ExceptIfHeaderContainsMessageHeader -eq 'Authentication-Results' -and $TransportRule.ExceptIfHeaderContainsWords -ne $null) -or ($TransportRule.ExceptIfHeaderMatchesMessageHeader -like '*Authentication-Results*' -and $TransportRule.ExceptIfHeaderMatchesPatterns -ne $null)) 
                    {
                        # OK
                    }
                    elseif($TransportRule.SenderIpRanges -ne $null) 
                    {
                        # OK
                    }
                    #Look for condition that checks for any other header and its value
                    else 
                    {

                        ForEach($RuleDomain in $($TransportRule.SenderDomainIs)) 
                        {

                            # Check objects
                            $ConfigObject = [ORCACheckConfig]::new()
                            $ConfigObject.Object=$($TransportRule.Name)
                            $ConfigObject.ConfigItem="From Domain"
                            $ConfigObject.ConfigData=$($RuleDomain)
                            $ConfigObject.ConfigDisabled=$($TransportRule.State -ne "Enabled")

                            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")

                            $this.AddConfig($ConfigObject)  

                        }
                        ForEach($FromAddressContains in $($TransportRule.FromAddressContainsWords)) 
                        {

                            # Check objects
                            $ConfigObject = [ORCACheckConfig]::new()
                            $ConfigObject.Object=$($TransportRule.Name)
                            $ConfigObject.ConfigItem="From Contains"
                            $ConfigObject."$($FromAddressContains)"
                            $ConfigObject.ConfigDisabled=$($TransportRule.State -ne "Enabled")

                            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")

                            $this.AddConfig($ConfigObject)  

                        }
                        ForEach($FromAddressMatch in $($TransportRule.FromAddressMatchesPatterns)) 
                        {

                            # Check objects
                            $ConfigObject = [ORCACheckConfig]::new()
                            $ConfigObject.Object=$($TransportRule.Name)
                            $ConfigObject.ConfigItem="From Matches"
                            $ConfigObject."$($FromAddressMatch)"
                            $ConfigObject.ConfigDisabled=$($TransportRule.State -ne "Enabled")

                            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
                            
                            $this.AddConfig($ConfigObject) 

                        }
    
                    }
                }
                #No sender domain restriction, so check for IP restriction
                elseif($null -ne $TransportRule.SenderIpRanges) 
                {
                    ForEach($SenderIpRange in $TransportRule.SenderIpRanges) 
                    {
                        # Check objects
                        $ConfigObject = [ORCACheckConfig]::new()
                        $ConfigObject.Object=$($TransportRule.Name)
                        $ConfigObject.ConfigItem="IP Range"
                        $ConfigObject.ConfigData=$SenderIpRange
                        $ConfigObject.ConfigDisabled=$($TransportRule.State -ne "Enabled")

                        $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
                        
                        $this.AddConfig($ConfigObject) 
                    }
                }
                #No sender restriction, so check for condition that checks auth results header and its value
                elseif(($TransportRule.HeaderContainsMessageHeader -eq 'Authentication-Results' -and $TransportRule.HeaderContainsWords -ne $null) -or ($TransportRule.HeaderMatchesMessageHeader -like '*Authentication-Results*' -and $TransportRule.HeaderMatchesPatterns -ne $null)) 
                {
                    # OK
                }
                #No sender restriction, so check for exception that checks auth results header and its value
                elseif(($TransportRule.ExceptIfHeaderContainsMessageHeader -eq 'Authentication-Results' -and $TransportRule.ExceptIfHeaderContainsWords -ne $null) -or ($TransportRule.ExceptIfHeaderMatchesMessageHeader -like '*Authentication-Results*' -and $TransportRule.ExceptIfHeaderMatchesPatterns -ne $null)) 
                {
                    # OK
                }
            }
        }    

    }

}
# SIG # Begin signature block
# MIIl3gYJKoZIhvcNAQcCoIIlzzCCJcsCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDfkVd0ciS1h0Px
# fjV7u4SkPWquKb+Ihx9g7FaOVkuE1aCCC5YwggT7MIID46ADAgECAhMzAAAFqa00
# npLOQgZDAAEAAAWpMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBUZXN0aW5nIFBD
# QSAyMDEwMB4XDTIzMDMxNjE4NTkyN1oXDTI0MDMxNDE4NTkyN1owfDELMAkGA1UE
# BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
# BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdQ29kZSBTaWdu
# IFRlc3QgKERPIE5PVCBUUlVTVCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
# AoIBAQCbPZMZ96mQ6KefXZagBUXbFuKwTQWwCFtvZDWAC2UeQ4xDP5m1exO2kbDh
# zldjWMn4HO+r4TRYs5pGB4i4JM1BWQb3LWPKaEXOtN84b8fTtD9Utf/msNh0IDbX
# CPMb8wVv2Vb3FuEdpXBC7UztdptBhoBVnKzIKooNM4mcaf9qQYdz+GdIhTwzKP7j
# 68WxdNKDXPsvM8zbO6kKtLxLd3e+HrOn6Vs634SYjba8xCaQyWA+whs9R6M92dU2
# HLhMxz2Sd7KPIz6RasjVqzX7oyL/ogYIvlZOnZA/yZ+P8HeNAHlUGjeoIh7QVVIu
# Q9Y3BNXx2OFxKwX3RYnsn5r6+usTAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggr
# BgEFBQcDAzAdBgNVHQ4EFgQUFfx0k/csoohO22mMZZXD+qHMO7gwRQYDVR0RBD4w
# PKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMN
# MjMwMDcyKzUwMDUwNDAfBgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBc
# BgNVHR8EVTBTMFGgT6BNhktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz
# L2NybC9NaWNyb3NvZnQlMjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYI
# KwYBBQUHAQEEXTBbMFkGCCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEw
# KDEpLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAxZjLCOUiW
# BLK3zCqmJhsLMiFt3vignHOD909KV6a8D2aKWsbk45IC2djh8dfJG5sQzsZ6PMNu
# 0zQtRw8Wef2Ii0k+3vAf1VOwkkw369d54MuFs7+E2c+8puQYXGF4Hug/98j5UhX5
# QRBwmYONzurrF8pCoxt2dKW/Hx9VdXXa3Gqvk8XsQjpXkpqCYh/GH8eTHGtul3dt
# PIUgEzvL1t4FXwo2yv2hzCw4wEgiII4yYT59WekAnohy7bvA+J6a8csw9KGvf2/z
# 5AhNLxVJ07Ga6OJkMDsWZWq2wNlHXiSR8QC2x2aczoFpGRzgBJTkuBYR5rS/hJjp
# Q/4wZN/cj8e4MIIGkzCCBHugAwIBAgITMwAAAC01ekaIyQdx2AAAAAAALTANBgkq
# hkiG9w0BAQsFADCBkDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjE6MDgGA1UEAxMxTWljcm9zb2Z0IFRlc3RpbmcgUm9vdCBDZXJ0aWZpY2F0ZSBB
# dXRob3JpdHkgMjAxMDAeFw0yMDEyMTAyMDQzMjBaFw0zNTA2MTcyMTA0MTFaMHkx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1p
# Y3Jvc29mdCBUZXN0aW5nIFBDQSAyMDEwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
# MIIBCgKCAQEAvzxggau+7P/XF2PypkLRE2KcsBfOukYaeyIuVXOaVLnG1NHKmP53
# Rw2OnfBezPhU7/LPKtRi8ak0CgTXxQWG8hD1TdOWCGaF2wJ9GNzieiOnmildrnkY
# zwxj8Br/gampQz+pC7lR8bNIOvxELl8RxVY6/8oOzYgIwf3H1fU+7+pOG3KLI71F
# N54fcMGnybggc+3zbD2LIQXPdxL+odwH6Q1beAlsMlUQR9A3yMf3+nP+RjTkVhao
# N2RT1jX7w4C2jraGkaEQ1sFK9uN61BEKst4unhCX4IGuEl2IAV3MpMQoUpxg8Arm
# iK9L6VeK7KMPNx4p9l0h09faXQ7JTtuNbQIDAQABo4IB+jCCAfYwDgYDVR0PAQH/
# BAQDAgGGMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFOqfXzO2
# 0F+erestpsECu0A4y+e1MB0GA1UdDgQWBBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBU
# BgNVHSAETTBLMEkGBFUdIAAwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNy
# b3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBkGCSsGAQQBgjcU
# AgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUowEE
# fjCIM+u5MZzK64V2Z/xltNEwWQYDVR0fBFIwUDBOoEygSoZIaHR0cDovL2NybC5t
# aWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGVzUm9vQ2VyQXV0XzIw
# MTAtMDYtMTcuY3JsMIGNBggrBgEFBQcBAQSBgDB+ME0GCCsGAQUFBzAChkFodHRw
# Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Rlc1Jvb0NlckF1dF8y
# MDEwLTA2LTE3LmNydDAtBggrBgEFBQcwAYYhaHR0cDovL29uZW9jc3AubWljcm9z
# b2Z0LmNvbS9vY3NwMA0GCSqGSIb3DQEBCwUAA4ICAQAntNCFsp7MD6QqU3PVbdrX
# MQDI9v9jyPYBEbUYktrctPmvJuj8Snm9wWewiAN5Zc81NQVYjuKDBpb1un4SWVCb
# 4PDVPZ0J87tGzYe9dOJ30EYGeiIaaStkLLmLOYAM6oInIqIwVyIk2SE/q2lGt8Ov
# wcZevNmPkVYjk6nyJi5EdvS6ciPRmW9bRWRT4pWU8bZIQL938LE4lHOQAixrAQiW
# es5Szp2U85E0nLdaDr5w/I28J/Z1+4zW1Nao1prVCOqrosnoNUfVf1kvswfW3FY2
# l1PiAYp8sGyO57GaztXdBoEOBcDLedfcPra9+NLdEF36NkE0g+9dbokFY7KxhUJ8
# WpMiCmN4yj9LKFLvQbctGMJJY9EwHFifm2pgaiaafKF1Gyz+NruJzEEgpysMo/f9
# AVBQ/qCdPQQGEWp3QDIaef4ts9QTx+RmDKCBDMTFLgFmmhbtUY0JWjLkKn7soz/L
# IcDUle/p5TiFD4VhfZnAcvYQHXfuslnyp+yuhWzASnAQNnOIO6fc1JFIwkDkcM+k
# /TspfAajzHooSAwXkrOWrjRDV6wI0YzMVHrEyQ0hZ5NnIXbL3lrTkOPjf3NBu1na
# SNEaySduStDbFVjV3TXoENEnZiugJKYSwmhzoYHM1ngipN5rNdqJiK5ukp6E8LDz
# i3l5/7XctJQY3+ZgHDJosjGCGZ4wghmaAgEBMIGQMHkxCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBUZXN0aW5n
# IFBDQSAyMDEwAhMzAAAFqa00npLOQgZDAAEAAAWpMA0GCWCGSAFlAwQCAQUAoIGw
# MBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAMBgor
# BgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDXyjCfp0DsxdhPT17IdO3Synw3a1oP
# tXoGZwxePcxRzDBEBgorBgEEAYI3AgEMMTYwNKAUgBIATQBpAGMAcgBvAHMAbwBm
# AHShHIAaaHR0cHM6Ly93d3cubWljcm9zb2Z0LmNvbSAwDQYJKoZIhvcNAQEBBQAE
# ggEAiAt1N4l1zuC5KCFwcFrTdgTyDXYujymO3OOyFLuOn1mUkah7i4pQbBYL2OZQ
# scmbJgQChumZovkFjfoe2+TVJM8gSyakHCY0nC+F43YxBUdU1wh+1Qsbqvp5VrvC
# OK4ELBbhDY9Z4HNQ4a0mad0kf3IHk/KJqyziO3YavB1uzvP1a9WghHGhkaL8J7fI
# c8JQvIQy1GxMkAXSRlgWbEJ1K6ICu9x3HNr9T3zybKs8kntF4KJqKa1YY659MTCv
# dpNjbAbvYAGUiq/DUuS00QDwsT9yopfd3j+l4iLEG5zUHscgSb3sQNLhwOuZOlmE
# kqK2rI8QVnElbZbw2dyucDq/WaGCFyswghcnBgorBgEEAYI3AwMBMYIXFzCCFxMG
# CSqGSIb3DQEHAqCCFwQwghcAAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFYBgsqhkiG
# 9w0BCRABBKCCAUcEggFDMIIBPwIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQC
# AQUABCAHbUPDE3HszDf7D+yjBaZL1ubZHHGCkZxccuo1n40jQwIGZGzwSSfgGBIy
# MDIzMDYwODA3MjEzNC43OVowBIACAfSggdikgdUwgdIxCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5k
# IE9wZXJhdGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046MDg0
# Mi00QkU2LUMyOUExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZp
# Y2WgghF7MIIHJzCCBQ+gAwIBAgITMwAAAbJuQAN/bqmUkgABAAABsjANBgkqhkiG
# 9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
# A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw
# JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMjA5MjAy
# MDIyMDFaFw0yMzEyMTQyMDIyMDFaMIHSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRp
# b25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjA4NDItNEJFNi1D
# MjlBMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjAN
# BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyqJlMh17+VDisL4GaXl/9a6r/EpP
# Gt9sbbceh+ZD6pkA3gbI7vc8XfL04B+m3tB/aNyV1Y4ZQH4fMG7CWVjI/d/Hgxjz
# O+4C4HfsW+jK2c0LYMqdWtWUc5VwZQv0KeaEM0wDb+eySMh/YiiIb0nSotivx268
# d1An0uLY+r2C7JJv2a9QvrSiCyUI72CSHoWIQPAyvBSvxaNrqMWlROfLy2DQ3Ryc
# I3bDh8qSnmplxtRgViJwtJv/oDukcK1frGeOrCGYmiJve+QonJXFu4UtGFVfEf3l
# vQsd42GJ+feO+jaP7/hBXXSMSldVb6IL0GxO1Hr3G9ONTnVmA/sFHhgMRarsmzKV
# I6/kHlMdMNdF/XzhRHMWFPJvw5lApjuaoyHtzwnzDWwQzhcNQXZRk3Lzb01ULMba
# 190RdlofEXxGbGlBgHHKFnBjWui24hL6B83Z6r6GQBPeKkafz8qYPAO3MBud+5eM
# CmB5mrCBxgnykMn7L/FTqi7MnPUG97lNOKGSIDvBCxB7pHrRmT10903PDQwrmeJH
# O5BkC3gYj3oWGOGVRZxRk4KS/8lcz84a7+uBKmVjB2Y8vPN8O1fK7L8YJTkjiXTy
# DqKJ9fKkyChiSRx44ADPi/HXHQE6dlZ8jd9LCo1S+g3udxNP4wHhWm9/VAGmmMEB
# BS6+6Lp4IbQwJU0CAwEAAaOCAUkwggFFMB0GA1UdDgQWBBSZ8ieAXNkRmU+SMM5W
# W4FIMNpqcTAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8E
# WDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N
# aWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYB
# BQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20v
# cGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEw
# KDEpLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4G
# A1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEA3Ee27cXMhptoNtaqzB0o
# GUCEpdEI37kJIyK/ZNhriLZC5Yib732mLACEOEAN9uqivXPIuL3ljoZCe8hZSB14
# LugvVm1nJ73bNgr4Qh/BhmaFL4IfiKd8DNS+xwdkXfCWslR89QgMZU/SUJhWx72a
# C68bR2qRjhrJA8Qc68m5uBllo52D83x0id3p8Z45z7QOgbMH4uJ45snZDQC0S3dc
# 3eJfwKnr51lNfzHAT8u+FHA+lv/6cqyE7tNW696fB1PCoH8tPoI09oSXAV4rEqup
# FM8xsd6D6L4qcEt/CaERewyDazVBfskjF+9P3qZ3R6IyOIwQ7bYts7OYsw13csg2
# jACdEEAm1f7f97f3QH2wwYwen5rVX6GCzrYCikGXSn/TSWLfQM3nARDkh/flmTtv
# 9PqkTHqslQNgK2LvMJuKSMpNqcGc5z33MYyV6Plf58L+TkTFQKs6zf9XMZEJm3ku
# 9VBJ1aqr9AzNMSaKbixvMBIr2KYSSM21lnK8LUKxRwPW+gWS2V3iYoyMT64MRXch
# 10P4OtGT3idXM09K5ld7B9U6dcdJ6obvEzdXt+XZovi/U6Evb4nA7VPHcHSKs7U7
# 2ps10mTfnlue13VFJUqAzbYoUEeegvsmzulGEGJoqZVNAag5v6PVBrur5yLEajjx
# WH2TfkEOwlL8MuhcVI8OXiYwggdxMIIFWaADAgECAhMzAAAAFcXna54Cm0mZAAAA
# AAAVMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
# aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
# cnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBB
# dXRob3JpdHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMyMjVaMHwx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p
# Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOC
# Ag8AMIICCgKCAgEA5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1V/YB
# f2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY6GB9alKD
# RLemjkZrBxTzxXb1hlDcwUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus
# 9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130/o5Tz9bshVZN7928jaTj
# kY+yOSxRnOlwaQ3KNi1wjjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56
# KTesy+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74kpEeHT39
# IM9zfUGaRnXNxF803RKJ1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHo
# vwUDo9Fzpk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5TI4CvEJo
# LhDqhFFG4tG9ahhaYQFzymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZki1ugpoMh
# XV8wdJGUlNi5UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9QBXpsxREd
# cu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6HXtqPnhZyacaue7e3PmriLq0CAwEA
# AaOCAd0wggHZMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFCqn
# Uv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJlpxtTNRnp
# cjBcBgNVHSAEVTBTMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRw
# Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0w
# EwYDVR0lBAwwCgYIKwYBBQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEw
# CwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/o
# olxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNy
# b3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt
# MjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5t
# aWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5j
# cnQwDQYJKoZIhvcNAQELBQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/ypb+pcFLY+
# TkdkeLEGk5c9MTO1OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpTTd2Y
# urYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM9W0jVOR4
# U3UkV7ndn/OOPcbzaN9l9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJ
# w7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4FOmRsqlb
# 30mjdAy87JGA0j3mSj5mO0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ
# /gpY3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPXfx5bRAGO
# WhmRaw2fpCjcZxkoJLo4S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFE
# fnyhYWxz/gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGConsXHRWJ
# jXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rR
# nj7tfqAxM328y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEGahC0HVUz
# WLOhcGbyoYIC1zCCAkACAQEwggEAoYHYpIHVMIHSMQswCQYDVQQGEwJVUzETMBEG
# A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj
# cm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBP
# cGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjA4NDIt
# NEJFNi1DMjlBMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl
# oiMKAQEwBwYFKw4DAhoDFQCOEn4R7JJF+fYoI2yOf1wX0BRJOqCBgzCBgKR+MHwx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p
# Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA6Cvc
# IjAiGA8yMDIzMDYwODEyNDgzNFoYDzIwMjMwNjA5MTI0ODM0WjB3MD0GCisGAQQB
# hFkKBAExLzAtMAoCBQDoK9wiAgEAMAoCAQACAgJdAgH/MAcCAQACAhFkMAoCBQDo
# LS2iAgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMH
# oSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEANAs0HZeXLL9JLG4kztyQ
# zGIgHshSmD78qSxcnLv+8jn2yfwsxrT1BB5MYj3BF51odnrYacJ+L9+0lMeIRZwx
# HutZT5l3p5PwOCgUZxtNQPArRcDMaANNK3Dq4HuElVqremPWuPgd+WBCEqutwia2
# JZwCYsCED5v9xI14ePcSCg4xggQNMIIECQIBATCBkzB8MQswCQYDVQQGEwJVUzET
# MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
# TWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T
# dGFtcCBQQ0EgMjAxMAITMwAAAbJuQAN/bqmUkgABAAABsjANBglghkgBZQMEAgEF
# AKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEi
# BCAy0YCEoZI6T6FgXH4R6UHDJwp9xyZt4XrIwZHWrDgPVDCB+gYLKoZIhvcNAQkQ
# Ai8xgeowgecwgeQwgb0EIFN4zjzn4T63g8RWJ5SgUpfs9XIuj+fO76G0k8IbTj41
# MIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
# BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEm
# MCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAGybkAD
# f26plJIAAQAAAbIwIgQg8uOmsa32LY6Sy8lQP0nbVf8hF424GjehjggOBkv+OBIw
# DQYJKoZIhvcNAQELBQAEggIASuDEMwSwJzl5TObT3LyIIL/BO0zDe9qoXPCr/HNN
# ov3YF3AfkV/9Y4hzC7wONKsDnrazEA0EBU8Kg7bAx5+q2aOTqav4s7eJ60ZNrvXN
# P9q6GuhzEGjPI2dPBWi2WHIOBpGelXJWzi4eMfPXPgnFZ0WgEMARPtMJnCEiI3z4
# iiqPb5ErYx0BAZP93VCTRB8rFgBmkAmhSEerxj8lAw0AXLBssl5AdfkPC2dMUzvC
# UWFt9inBH/GDxIRqA90JqB39GUbbenNx5ayFyD0gIA/c0FaFCZPb53IWhZp8NQkU
# 6UHSe3+0BvDbTWgHvecWRNZprlMY8wZHRjm6g7wj6NPy6cwYS5jtrqHhGtkf5dsE
# B70Csp+F6iS4Zs6kRy4WlmP8XZ2D9y0jVRErlQucVBO8ewdn/U1NXKzwB0i82CSd
# UBNc7W70dh9d9HNxw+cdJpYGcCnjL89kX+EEjK2pNAuBVsI3nx+ytDbvpGMQq8/P
# YvD5jj5wuY4uld9XIX9oHknF4Jpy9WA9ZkJopGN7RuwelxK1VHxR/SXgPKcqK9Tb
# ltCxX1+vPmpbGzyFrvpQREdx1i2iM+1k+IjSHvrTjKDVI1ZY3BhkKqwKwXC3bhv+
# 7t042Ir+ErfbzSQjEri/7duESpEgF+15aR2lkrTpWr67gBocLaxAPX2b+Nwjzc+R
# RFM=
# SIG # End signature block