Demo
1. Introduction
Windows loads the appropriate kernel driver by interpreting USB Descriptor when a USB device is connected. If the data sent by the device is not properly validated, this can lead to kernel-level vulnerabilities.
Local Privilege Escalation (LPE) via USB is possible in environments where physical access is available.
In Active Directory environments, attackers can steal machine account credentials with SYSTEM integrity on a workstation and leverage them for lateral movement within the domain. Additionally, they can bypass some restrictions imposed by limited user environments in kiosk or POS devices, and similar conditions apply to public PCs and conference room devices.
In this article, we discuss Windows USB driver vulnerabilities and demonstrate how an attacker can achieve SYSTEM integrity using a malformed USB device and a userland program. We share the full process, from vulnerability discovery to root cause analysis and exploit development.
We are security researchers at ENKI WhiteHat and Windows bug hunters, Dongjun Kim and Jongseong Kim. We previously shared our research on Windows vulnerabilities in a prior post [link].
2. Background
2.1 What does ACE mean?
If you are interested in Windows vulnerabilities, you may know that they are disclosed by the Microsoft Security Response Center via Patch Tuesday.
To the best of our knowledge, starting in 2024, the Microsoft Security Response Center has begun disclosing root cause information for vulnerabilities, including CWE classifications.
When reviewing CVE information, you may occasionally come across statements like the following.
According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
Then, what is Arbitrary Code Execution (ACE)? ACE refers to a vulnerability that can occur when an attacker's code is executed on a victim's local machine. By the way, what is the difference between this and general types of vulnerabilities?
In this case, the vulnerability can be triggered when a specially crafted device is connected to a victim's local machine.
The vulnerability we present is also an ACE vulnerability.
2.2 USB Stack in Windows
How does windows implement USB specification to support commonly used USB devices? Windows has a wide and sophisticated USB stack structure.
First, when we connect a USB device to a Windows PC, the PCI bus driver finds newly connected devices by checking PCI slots. At this time, the PCI bus driver finds the USB host controller and reports it to the Windows PnP manager to create a Physical Device Object (PDO).
The PnP manager recognizes that this device is a USB host controller and loads the appropriate driver. If the newly connected USB device uses the USB 3.0 specification, it creates a Functional Device Object (FDO) and loads usbxhci.sys from C:\Windows\System32\drivers.
After the USB host controller driver is loaded, it creates a root hub within the controller. This root hub plays a bus driver role and starts the USB enumeration stage. In the USB enumeration stage, it allocates a unique address to the USB device and gets device information by receiving descriptors from the USB device. The PnP manager reads this information and determines which additional drivers should be loaded.
For instance, if descriptors related to a keyboard are delivered to the PnP manager, it loads the kbdclass.sys driver for the USB device.
From this, we can see that the USB stack has a very sophisticated structure.
https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/driver-stacks
2.3 USB Enumeration
Wait a moment. What is the USB enumeration stage? The USB enumeration stage is an initialization process that identifies what the device is, allocates a unique address, and loads the appropriate driver to enable communication between the host and the USB device when the device is newly connected to a port, as briefly mentioned earlier.
To briefly explain the steps of USB enumeration,
When a USB device is newly connected, the USB hub detects a voltage change and alerts the host.
The host sends a reset signal to the bus, and the USB device starts communication using address 0.
The host checks the maximum packet size of the USB device by requesting the device descriptor at address 0.
The host allocates a unique address between 1 and 127 to the USB device, and the device starts responding using the assigned address.
The host requests descriptors again via the assigned address and checks the manufacturer ID, power consumption, number of interfaces, and endpoint types.
The PnP manager loads the appropriate drivers and changes the USB device’s state to Configured by sending commands to the device.
This USB enumeration stage is not only executed within one driver but also across multiple drivers.
From a security perspective, the USB enumeration stage is a very important process. If a vulnerability exists in this stage and is successfully exploited by an attacker, the PC can be fully controlled simply by connecting a specially crafted USB device.
2.4 Plug-and-Play
We briefly explain what Plug-and-Play (PnP) is before moving on from the Background part. PnP is a part of the Windows architecture that automatically detects changes in system hardware configuration. PnP is a useful technology that allows new devices to be used immediately without a system reboot by working with the user-mode/kernel PnP manager, I/O manager, bus drivers, function drivers, etc.
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/pnp-components
3. CVE-2026-32223
3.1. Vulnerbility Root Cause
Now that we have some background on USB devices, we will explain the vulnerability we discovered, CVE-2026-32223.
CVE-2026-32223 is a heap-based buffer overflow vulnerability that occurs in the Windows USB print driver (usbprint.sys). This vulnerability is caused by improper validation of device configuration, and it is triggered when usbprint.sys uses a malformed device configuration.
usbprint.sys processes IRP_MJ_DEVICE_CONTROL requests in the USBPRINT_ProcessIOCTL function. The vulnerability occurs in the Make1284IdStringFromUsbStrings function, which is invoked by IOCTL 0x220064. For this function to be executed, v8[1064] must be 0, and v8[1065] must not be 0.
v8 is the DeviceExtension field in the DeviceObject. A Windows device driver can define a DeviceExtension field that can optionally store additional data within the DeviceObject structure. The DeviceExtension is usually created near the DeviceObject creation routine.
Similarly, in usbprint.sys, the DeviceExtension (v8) is initialized in the USBPRINT_StartDevice function, which is the point where the device is actually started by a request from the PnP manager. In this function, the USBPRINT_ConfigureDevice function is called at [1].
In the USBPRINT_ConfigureDevice function, the USBPRINT_GETUSBConfigs function is invoked at [1], and it stores the Configuration Descriptor, which is one of the USB descriptors, in P. If the descriptor is successfully retrieved, it calls the USBPRINT_CheckConfigs function at [2], using P as the second argument.
The USBPRINT_CheckConfigs function calls the USBD_ParseConfigurationDescriptorEx function at [1] and [2] and finds descriptor arrays with matching InterfaceClass and InterfaceProtocol in the configuration descriptor. The results are stored in DeviceExtension[1064] and DeviceExtension[1065], respectively.
This means that we have to properly set the configuration descriptor to invoke IOCTL 0x220064.
Returning to the USBPRINT_ProcessIOCTL function, if we examine the arguments of the Make1284IdStringFromUsbStrings function, the first argument is the DeviceObject, the second argument is the user-provided output buffer, and the third argument is the length of the output buffer.
The vulnerability occurs in the Make1284IdStringFromUsbStrings function. First of all, it retrieves the device’s MFG and MDL by calling the USBPRINT_GetUsbStringDescriptor function at [1] and [2]. Then, it calculates the lengths of MFG and MDL at [3] and [4], respectively, and stores the sum of the two lengths plus 11 in v13.
If v13 is less than 0x20A, it allocates NonPaged Pool memory at [7] with the size of the output buffer. If the pool allocation succeeds, it copies a formatted string into the pool using RtlStringCbPrintfA at [8]. If the string copy succeeds, it copies the contents of the pool to the output buffer at [9].
In this process, if the size of the output buffer is smaller than the allocated pool, a heap-based buffer overflow may occur.
3.2. Triggering the Vulnerability
To trigger the vulnerability, a USB device with a malformed descriptor and a userland program that invokes IOCTL 0x220064 are required.
3.2.1 USB Device Emulation
To construct a malicious USB device, we used the Odroid C4 board and Armbian. The Odroid C4 supports a USB OTG port, allowing the board itself to operate as a USB device. By using Linux Raw Gadget on Armbian, we can freely construct USB descriptors at the byte level.
Raw Gadget is a low-level interface of the USB Gadget subsystem, and it allows user space to directly control USB enumeration responses through the /dev/raw-gadget device. Unlike traditional approaches based on GadgetFS or ConfigFS, it allows direct handling of each control transfer request from the host, enabling flexible construction of abnormal descriptor combinations.
3.2.2 Descriptor Structure
To satisfy the conditions of the previously analyzed USBPRINT_CheckConfigs function, we set bInterfaceClass of the interface descriptor to 0x07 (Printer) and bInterfaceProtocol to 0x04 (IPP over USB). In this case, an interface with bInterfaceProtocol = 0x02 (Bidirectional) must not be included.
With this configuration, DeviceExtension[1065] = 1 and DeviceExtension[1064] = 0 in USBPRINT_CheckConfigs, allowing us to reach the Make1284IdStringFromUsbStrings function.
3.2.3 Set Malformed String Descriptor
The overflow size is determined by the lengths of the MFG and MDL string descriptors. The string descriptors referenced by iManufacturer and iProduct in the device descriptor are directly handled in the Raw Gadget EP0 handler.
The ASCII string is converted to UTF-16LE to construct a USB string descriptor. In the Make1284IdStringFromUsbStrings function, the number of characters in this wide string is counted to compute v13 = len(MFG) + len(MDL) + 11, so increasing the length of the MFG string allows us to control the overflow size.
3.2.4 EP0 Control Transfer Handling
The point of Raw Gadget is that it directly processes every control transfer request from the host in the EP0 loop. When the host requests a string descriptor, it responds with the malformed MFG/MDL string configured above.
3.2.5 Vulnerability Trigger Scenario
4. Exploitation
4.1 Restriction Analysis
Before developing the exploitation, we first explain the restrictions of this vulnerability.
Pool Type: In the ExAllocatePool2 call at [7], the flag value is 0x40 (POOL_FLAG_NON_PAGED). The overflow occurs in the NonPagedPoolNx pool type.
Data Restriction: The null-terminated ASCII string created by RtlStringCbPrintfA at [8] is the copy target. We cannot insert NULL bytes (0x00) in the middle of the payload, and the null terminator exists only at the end. However, since the overflow data corresponds to the last part of the MDL string descriptor, the USB device can place arbitrary data. The actual values depend on the exploitation strategy.
Overflow Size: In this vulnerability, there are two variables that determine the overflow size:
v13 =
MFG_len + MDL_len + 11: This value is determined by the lengths of MFG and MDL in the USB string descriptor. Each can be up to 253 characters, so the maximum value of v13 is253 + 253 + 11 = 517 = 0x205, and it must satisfy the conditionv13 ≤ 0x209.OutputBufferLength: It is determined by the userland process when calling
DeviceIoControl. In theIopXxxControlFilefunction, the SystemBuffer is allocated usingExAllocatePool2(0x69, max(InputBufferLength, OutputBufferLength), 'IoSB'), so this value determines the allocation size. Since IOCTL 0x220064 does not use an input buffer, the size is equal to OutputBufferLength. In theUSBPRINT_ProcessIOCTLfunction, the length must be at least 1, because if the length is 0, it returns an error.
The actual copy is performed by memmove(a2 + 2, v16, v13) at [9]. Since the bLength field of a USB string descriptor is a uint8, its maximum value is 0xFF (255). The WCHAR data length is (bLength - 2) / 2, but if bLength is odd (e.g., 0xFF), the remaining 1 byte can be combined with the next byte of the zero-initialized buffer and counted as a non-zero WCHAR. Therefore, up to 127 WCHARs are possible per string, and the maximum value of v13 is 127 + 127 + 11 = 265 = 0x109. As a result, memmove copies up to 0x109 bytes. The overflow size can be calculated as (v13 + 2) - OutputBufferLength, and since both v13 and OutputBufferLength are controllable by the attacker, the overflow size can be freely controlled.
CACHE_ALIGNED Allocation: There is one more point to consider. IOCTL 0x220064 uses METHOD_BUFFERED, and in the DeviceIoControl path, the I/O manager allocates the SystemBuffer with the CACHE_ALIGNED flag:
In CACHE_ALIGNED allocation, the returned pointer is aligned to a cache line (0x40) boundary. The allocator rounds the request up by 0x10 for the pool header and adds another 0x40 of slack so it can place the user data at a 0x40-aligned position within the block. The space between the POOL_HEADER and the aligned pointer is the alignment padding (meta). Although the rounding itself is deterministic, the resulting meta depends on where the selected block starts inside its LFH subsegment. Since LFH subsegments are page-aligned and each block is laid out at a fixed block_size stride, a bucket whose block_size is not a multiple of 0x40 produces block starts that cycle through {0x00, 0x10, 0x20, 0x30} mod 0x40, and meta ends up cycling through the same four values as the LFH picks different free slots. Therefore, the exact overflow size depends on meta:
In summary, since both v13 and OutputBufferLength are controllable by the attacker, the overflow size can be controlled within a desired range. The only catch is that for buckets whose block_size is not a 0x40 multiple, meta behaves as if it were randomized by the LFH slot lottery. A clean way to sidestep this entirely is to pick OutputBufferLength so that the allocation lands in a bucket whose block_size is a multiple of 0x40 — in such buckets every slot is already 0x40-aligned, and meta collapses to a compile-time constant. The next section walks through that choice.
4.2 Pool Feng Shui
To reliably exploit this overflow vulnerability, the chunk where the overflow occurs must be located next to an attacker-controlled object, so we use a Named Pipe pool spray to manipulate the heap layout.
4.2.1 Select Overflow Size
As summarized in Section 4.1, v13 (the size of the data to copy) and OutputBufferLength (the size of the destination buffer) can be chosen by the attacker. We used the following values:
MFG 110, MDL 75 →
v13 = 110 + 75 + 11 = 196 = 0xC4OutputBufferLength = 0xB0
Adding the pool header (0x10) and the CACHE_ALIGNED overhead (0x40) to OutputBufferLength brings the effective allocation size to exactly 0x100, which places it in the LFH 0x100 bucket. Because 0x100 mod 0x40 == 0, every block start in the selected subsegment is already 0x40-aligned, so meta is fixed at 0x30 for every single attempt. The overflow becomes (v13 + 2) - (0x100 - 0x10 - 0x30) = 0xC6 - 0xC0 = 6 bytes on every run, which is exactly enough to rewrite the adjacent POOL_HEADER and nothing more.
In typical Named Pipe exploits, primitives are obtained by directly corrupting adjacent DATA_QUEUE_ENTRY (DQE) fields via overflow. Since the overflow size can be increased arbitrarily by adjusting v13 and OutputBufferLength, reaching the DQE is feasible. The problem is the NULL-byte constraint mentioned in Section 4.1. Because the overflow data is generated as ASCII output by RtlStringCbPrintfA, NULL bytes (0x00) cannot be inserted in the middle. However, meaningful manipulation of pointer fields in the DQE (Flink, Irp) requires NULL bytes.
In contrast, the POOL_HEADER consists of 1-byte fields (PreviousSize, PoolIndex, BlockSize, PoolType), allowing precise control without NULL bytes. Therefore, we chose to corrupt the POOL_HEADER to manipulate the behavior of ExFreePool. The specific modifications are discussed in the next section.
4.2.2 LFH Bucket Alignment
The SystemBuffer (IoSB) of the IOCTL is allocated as follows:
When WriteFile is called on a Named Pipe, npfs allocates a DQE:
We can perform a named pipe spray as follows. When 0xC0 bytes are written via WriteFile, an NpFr allocation of size 0xF0 occurs in the kernel (since NpAddDataQueueEntry prepends a 0x30-byte DQE header), and it is placed in the same LFH 0x100 bucket as IoSB.
4.2.3 Stabilizing Spray via CPU Pinning
LFH uses a per-CPU affinity slot structure. By analyzing the RtlpHpLfhBucketActivate function, we can observe that when an LFH bucket is activated, owner slots are created for each CPU.
At [1], it checks bit 5 of RtlpHpLfhPerfFlags. If this bit is set, owners are created per CPU; otherwise, only a single owner is created. At [2], each owner is initialized. Since each owner manages an independent subsegment chain, allocations to the same bucket on different CPUs are placed in different subsegments.
To address this issue, we pin the spray thread to a single CPU using SetThreadAffinityMask. This ensures that all spray allocations are concentrated in the same owner’s subsegment chain, increasing the likelihood of adjacent placement.
4.2.4 Spray Layout
The ideal pool layout after a successful spray is as follows. The block immediately following IoSB should be an NpFr pipe.
When the overflow occurs, 6 bytes of the POOL_HEADER of the next block (NpFr) after IoSB are overwritten with the last bytes of the MDL string descriptor. The following shows the modified POOL_HEADER after the overflow.
The roles of each field are as follows:
PreviousSize = 0x0C: This value is used in the cache-aligned backward step of
ExFreePoolWithTag, causing a backward movement of0x0C × 0x10 = 0xC0.PoolType = 0x06: Bit 2 (CacheAligned) is set, which triggers the backward step. In this case, bit 3 (PoolQuota) must be cleared. This will be explained in detail in Section 4.3.1.
These two values are controlled by the tail of the MDL string descriptor from the USB device.
4.3 Ghost Chunk
In Section 4.2, we corrupted the POOL_HEADER of the adjacent block via overflow. Now, we explain how to create a "Ghost Chunk" using this corrupted POOL_HEADER. The Ghost Chunk technique is based on the Aligned Chunk Confusion attack introduced in Synacktiv’s "Scoop the Windows 10 pool!" paper.
4.3.1 CacheAligned Backward Step
In the Windows Segment Heap, chunks allocated with the CACHE_ALIGNED flag undergo special handling during free. By analyzing the ExFreePoolWithTag function, we can observe that when bit 2 (CacheAligned) of PoolType is set, the original allocation base is calculated using PreviousSize.
At [1], it checks bit 3 (PoolQuota) of PoolType. If this bit is set, the ProcessBilled pointer is decoded using ExpPoolQuotaCookie at [2], and validated as a valid EPROCESS at [3]. Since the ProcessBilled field in the corrupted POOL_HEADER does not contain a valid value, a BSOD will occur if bit 3 is set. Therefore, PoolType must be 0x06 (only bit 2 set), and 0x0E (bit 2 + bit 3) must not be used.
After passing [1], it checks bit 2 (CacheAligned) of PoolType at [4]. Since this bit is set in the corrupted PoolType (0x06), a backward step of PreviousSize × 0x10 is performed at [5]. With the corrupted PreviousSize = 0x0C, it moves backward by 0x0C × 0x10 = 0xC0 bytes. At [6], it reads the BlockSize from the POOL_HEADER at the new location and calculates the free size.
The landing position of this backward step is the key point of the exploit. Let’s revisit the block layout at the time of the overflow.
When the IOCTL returns, the kernel frees IoSB, leaving the Block N+1 slot empty. By placing a respray pipe in this slot, we can insert a fake POOL_HEADER at the first byte of the pipe data (data[0x00]). When Block N+2 is freed, the backward step lands at N+2_hdr (slot + 0x200) - 0xC0 = slot + 0x140 = N+1 block + 0x40, which corresponds to the fake POOL_HEADER of the respray pipe.
4.3.2 Ghost Free via Dynamic Lookaside
After the backward step, at [6], it reads the BlockSize (0x21) from the fake POOL_HEADER and calculates the free size as 0x21 × 0x10 = 0x210. This results in a 0x210-byte "ghost chunk" being freed.
It is important where this chunk is freed. In the later part of ExFreePoolWithTag, we can observe the Dynamic Lookaside branch.
At [1], it reads the UserContext field of _SEGMENT_HEAP, which points to the Dynamic Lookaside structure. At [2], it checks whether the free size falls within the range [0x201, 0xF80]. Since 0x210 - 0x201 = 0x0F ≤ 0xD7F, the condition is satisfied. At [3], if the Dynamic Lookaside exists and has available depth, it is pushed into the SList at [4].
Once pushed into the Lookaside SList, subsequent allocation requests of the same size (0x210) will pop and return the exact same address. If the chunk is freed into the VS FreeChunkTree instead, it may be merged with adjacent chunks, causing ghost reclaim to fail. Therefore, entering the Lookaside path is essential.
For Dynamic Lookaside to be activated, the Balance Set Manager (BSM) must recognize frequent allocations and frees for the corresponding bucket. This mechanism can be observed by analyzing the RtlpDynamicLookasideRebalance function.
At [1], it calculates the allocation/free frequency for each bucket, and at [2], it sorts them by frequency. At [3], only buckets with a frequency of at least 25 (0x19) are selected, and at [4], they are set in the EnabledBucketBitmap. The BSM performs this rebalance approximately once per second.
Therefore, at the start of the exploit, it is necessary to perform sufficient alloc/free operations of size 0x210 to pre-activate the corresponding bucket. We followed the EnableLookaside pattern used in vp777’s CVE-2020-17087 exploit, performing 0x1000 pipe alloc/free operations for two rounds, and then waiting for the BSM rebalance.
4.3.3 Ghost Reclaim and Overlap
After the ghost chunk (0x210) is pushed into the Lookaside SList, creating a Named Pipe of the same size results in it being popped at the exact same address. This behavior can be observed in the lookaside pop path of the ExAllocateHeapPool function.
At [1], it checks whether the SList is not empty, and at [2], it pops an entry. The WritePipe(0x1D0) call of the ghost pipe leads to NpAddDataQueueEntry → ExAllocatePool2(0x200) → allocation of a 0x210 block, and at [2], it returns the address of the previously pushed ghost chunk.
At this point, the NpFr block of the ghost pipe physically overlaps with the data region of the respray pipe.
When PeekNamedPipe is called on the respray pipe, the kernel reads from the data region pointed to by the respray’s DQE (+0x40). Since this region overlaps with the NpFr block of the ghost pipe, the Flink value written by the kernel into the ghost pipe’s DQE can be read from user mode. This Flink value is the kernel address of the OutQueue list head in the ghost pipe’s CCB, and it serves as the starting point for arbitrary read/write.
4.4 Arbitrary Read
After leaking the kernel pointer, we construct an arbitrary read primitive by manipulating the ghost pipe’s DQE.
4.4.1 Ghost DQE Rewrite
When the respray pipe is freed via ReadFile, the corresponding LFH slot is released. By allocating a new pipe (rewrite pipe) in this slot, we overwrite the ghost DQE with desired values:
4.4.2 Arbitrary Address Read using Fake IRP
The fake IRP is constructed in a user-space page allocated with VirtualAlloc. The kernel address to read is set in AssociatedIrp.SystemBuffer (+0x18).
When PeekNamedPipe is called on the ghost pipe, npfs!NpReadDataQueue follows the EntryType=1 path and reads data from the IRP’s SystemBuffer, copying it to the user buffer:
Since PeekNamedPipe is non-destructive (it does not remove the DQE), repeated arbitrary reads are possible by updating only the SystemBuffer:
4.5 Kernel Structure Walk
Although we have obtained an arbitrary read primitive, kernel addresses such as the base address of ntoskrnl.exe and PsInitialSystemProcess are required for privilege escalation. The only known kernel address is g_queue_addr (the OutQueue list head of the ghost pipe’s CCB) leaked in Section 4.3, so we traverse kernel structures starting from this value.
4.5.1 CCB → npfs.sys DRIVER_OBJECT
g_queue_addr points to the OutQueue (+0xA8) list head within the NP_CCB structure of the ghost pipe. From this, we can derive the CCB address as follows: CCB_addr = g_queue_addr - 0xA8.
The Named Pipe’s CCB contains a pointer to the server FILE_OBJECT. The FILE_OBJECT points to its corresponding DEVICE_OBJECT, which in turn points to the managing DRIVER_OBJECT. Since the ghost pipe is a Named Pipe managed by npfs.sys, following this chain leads to the DRIVER_OBJECT of npfs.sys:
4.5.2 DRIVER_OBJECT → ntoskrnl.exe base address
All loaded kernel modules are managed through a linked list of KLDR_DATA_TABLE_ENTRY structures. The DriverSection (+0x28) field of the DRIVER_OBJECT points to the KLDR_DATA_TABLE_ENTRY of the driver, so starting from the entry of npfs.sys and traversing the InLoadOrderLinks list allows us to enumerate all loaded modules in the system:
4.6 Arbitrary Write
Since we can freely read kernel structures using the arbitrary read primitive, we now construct an arbitrary write primitive to achieve privilege escalation.
4.6.1 Mechanism
When ReadFile is called on a Named Pipe, the kernel completes the IRP associated with the DQE. If BUFFERED_IO is set in the IRP, IopProcessBufferedIoCompletion performs memmove(UserBuffer, SystemBuffer, Information). This can be abused to write data to an arbitrary kernel address.
4.6.2 Structure of FAKE IRP
4.6.3 Route of IRP Completion
When the IRP is completed, IopProcessBufferedIoCompletion checks the Flags and performs the memmove. This is the core of the arbitrary write. Immediately after that, IopCompleteRequest attempts to free the IRP. However, since the forged IRP resides in user space, calling IoFreeIrp would cause the kernel to return user memory to the pool, resulting in a crash. Therefore, we add 0x8000 to Flags and set AllocationSize to 0 to bypass the IoFreeIrp call:
4.6.4 Surviving IRP Completion
Since the fake IRP resides in user space, all fields accessed by the kernel during the IRP completion path must be valid. The following three aspects must be handled:
ETHREAD: The Tail.Overlay.Thread (+0x98) field of the IRP must contain a valid ETHREAD pointer. This is because IopCompleteRequest reads this field to manipulate the thread’s IRP list. Using the arbitrary read primitive obtained in Section 4.4, we traverse ActiveProcessLinks from PsInitialSystemProcess to locate the EPROCESS of the current PID, then traverse the ThreadListHead of that EPROCESS to find the ETHREAD of the current TID, and store it in this field.
ThreadListEntry self-link: IopDequeueIrpFromThread removes the IRP from the thread’s IRP list. This operation corresponds to RemoveEntryList on a doubly linked list. Since the forged IRP is not actually linked into the thread list, if Flink/Blink point to invalid locations, it will result in a crash. By setting both Flink and Blink of ThreadListEntry (+0x20) to point to itself (&IRP + 0x20), the validation of RemoveEntryList ( Flink->Blink == &entry && Blink->Flink == &entry) is satisfied, and the list structure remains intact:
NpRemoveDataQueueEntry: When ReadFile is called on the ghost pipe, NpReadDataQueue processes the DQE and then calls NpRemoveDataQueueEntry. This function clears the CancelRoutine (+0x68) of the IRP associated with the DQE to 0 using InterlockedExchange64, and frees the SecurityContext if it exists. It then frees the DQE itself using ExFreePoolWithTag, but does not free the IRP. IofCompleteRequest is called by the caller, NpReadDataQueue. Therefore, the CancelRoutine (+0x68) of the forged IRP must be set to a non-zero value so that InterlockedExchange64 operates correctly.
4.6.5 Privilege Escalation
Once the arbitrary read primitive is established, it can be used very reliably. Although there are several approaches, we adopt the method described in the DevCore blog, which involves modifying SeDebugPrivilege.
We escalate privileges by modifying the global kernel variable nt!SeDebugPrivilege using the arbitrary write primitive.
When OpenProcess(PROCESS_ALL_ACCESS) is called, the kernel’s PsOpenProcess checks whether the caller’s token contains SeDebugPrivilege. The LUID used for this check is stored in the global variable nt!SeDebugPrivilege:
At [1], it reads nt!SeDebugPrivilege (LUID, 8 bytes), and at [2], SepPrivilegeCheck compares this LUID with the privilege list in the caller’s token. If a match is found at [3], all requested access rights are granted.
The default LUID of SeDebugPrivilege is {LowPart=0x14, HighPart=0x0}. Since a medium-integrity process token does not contain this privilege, SepPrivilegeCheck returns FALSE.
However, the situation changes if the LowPart is replaced with the LUID of a privilege that is already present in a medium-integrity process token. For example, SeChangeNotifyPrivilege (LUID=0x17) is included in all standard process tokens. By modifying only 1 byte of nt!SeDebugPrivilege (changing LowPart from 0x14 to 0x17), SepPrivilegeCheck finds SeChangeNotifyPrivilege at [2] and returns TRUE. As a result, [3] grants PROCESS_ALL_ACCESS, allowing full access to SYSTEM processes (e.g., winlogon.exe).
Finally, calling OpenProcess(winlogon.exe, PROCESS_ALL_ACCESS) followed by CreateRemoteThread allows spawning a SYSTEM-level cmd.exe.
4.7 Putting It All Together
Based on the steps described so far, we summarize the overall exploit flow from USB device connection to SYSTEM privilege escalation.
1. USB Device Connection and Driver Loading
A specially crafted USB printer device is connected to the target system. The PnP manager loads usbprint.sys, and the configuration descriptor with InterfaceProtocol = 0x04 sets DeviceExtension[1065] = 1 and DeviceExtension[1064] = 0.
2. Dynamic Lookaside Pre-Activation
Perform 0x1000 iterations of Named Pipe alloc/free operations of size 0x210, repeated twice, and wait for the Balance Set Manager rebalance. This activates the 0x210 bucket in the kernel’s Dynamic Lookaside, allowing subsequent ghost chunks to be reliably reused via the SList.
3. LFH Spray
Create a large number of Named Pipes in the 0x100 LFH bucket. Place a fake POOL_HEADER (BlockSize = 0x21, PoolType = 0x0A) at the beginning of each pipe’s data region. Fix the CPU affinity so that all allocations are concentrated in the same LFH owner’s subsegment.
4. Hole Creation and IOCTL Trigger
Free pipes at the end of the spray array to create empty slots in the LFH, and immediately invoke IOCTL 0x220064. Make1284IdStringFromUsbStrings allocates IoSB and places it into the empty slot. When meta = 0x30, a 6-byte overflow occurs, overwriting the adjacent NpFr block’s POOL_HEADER with PreviousSize = 0x0D and PoolType = 0x06. When the IOCTL returns, the kernel frees IoSB.
5. Respray
Place a new Named Pipe (respray) into the freed IoSB slot. The fake POOL_HEADER (BlockSize = 0x21) is positioned at the first byte of the respray pipe’s data region, which becomes the landing point of the backward step.
6. Spray Free and Ghost Chunk Creation
Free all spray pipes. When a block with a corrupted POOL_HEADER is freed, the CacheAligned backward step in ExFreePoolWithTag is triggered and lands on the fake POOL_HEADER of the respray pipe. Due to the fake BlockSize = 0x21, a 0x210-byte ghost chunk is pushed into the Dynamic Lookaside SList.
7. Ghost Reclaim and Overlap Detection
Creating a Named Pipe with 0x1D0 bytes of data requires a 0x210 block, so the ghost chunk is popped from the Dynamic Lookaside and returned. The DQE of this ghost pipe physically overlaps with the data region of the respray pipe. When PeekNamedPipe is called on the respray pipe, the Flink value of the ghost DQE (a kernel address) is leaked to user mode.
8. Arbitrary Read Construction
Consume the respray pipe to free the corresponding LFH slot, and overwrite the ghost DQE with a rewrite pipe. Set EntryType = 1 and point Irp to a fake IRP in user space. Then, each call to PeekNamedPipe on the ghost pipe reads data from the kernel address specified in the fake IRP’s SystemBuffer.
9. ntoskrnl.exe Base Discovery
Traverse kernel structures starting from the leaked Flink value. From the DRIVER_OBJECT’s DriverSection, obtain the KLDR_DATA_TABLE_ENTRY and follow the InLoadOrderLinks list to enumerate modules, locating the DllBase of ntoskrnl.exe
10. Arbitrary Write and Privilege Escalation
Attach a forged IRP to the ghost DQE. Set the IRP Flags to BUFFERED_IO | INPUT_OPERATION | 0x8000, place the source kernel address in SystemBuffer, and the target address in UserBuffer. When ReadFile is called on the ghost pipe, IopProcessBufferedIoCompletion performs memmove(UserBuffer, SystemBuffer, size), resulting in an arbitrary kernel write. Using this, modify one byte of the LUID in nt!SeDebugPrivilege to match a privilege already held by a medium-integrity process (0x17, SeChangeNotifyPrivilege).
11. SYSTEM Shell
After modifying SeDebugPrivilege, OpenProcess(winlogon.exe, PROCESS_ALL_ACCESS) succeeds. By injecting shellcode that calls WinExec("cmd.exe") via CreateRemoteThread, a SYSTEM-level cmd.exe is spawned.
5. Patch
This vulnerability was patched by adding a bounds check before the copy operation. The code now verifies that the output buffer is large enough before writing data, instead of copying data without validating the buffer size.
6. Result
We identified a heap-based buffer overflow in usbprint.sys and demonstrated a full exploitation chain from a crafted USB device to SYSTEM privilege escalation.
By combining controlled USB descriptors, IOCTL interaction, and advanced heap manipulation techniques, we achieved reliable exploitation despite modern mitigations.
Our results highlight that even well-established subsystems like USB enumeration can expose critical attack surfaces when input validation is insufficient.
The full source code for the USB device emulator and exploit is available on our GitHub repository.
Popular Articles
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 425 210" xmlns="http://www.w3.org/2000/svg"><path d="M 295.523 110.15 C 301.669 102.826 308.749 93.616 312.211 88.447 C 313.793 86.079 316.792 81.9 318.31 79.958 C 321.716 75.593 326.732 71.525 331.712 69.111 C 334.821 67.604 342.004 65.357 348.862 63.748 L 350.824 63.285 L 350.935 58.135 C 351.037 53.372 351.12 52.05 351.583 47.158 C 351.759 45.355 352.184 43.395 352.462 43.117 C 352.555 43.025 353.027 43.09 353.628 43.275 C 355.85 43.968 358.247 43.025 359.45 40.963 C 359.996 40.029 360.19 38.42 359.885 37.467 C 359.302 35.683 357.247 34.592 355.313 35.035 C 353.786 35.387 352.934 34.638 352.61 32.668 C 352.487 31.916 352.107 31.358 351.472 30.994 C 348.556 29.321 345.437 26.066 344.188 23.412 C 343.586 22.126 343.114 20.453 343.114 19.602 C 343.114 19.075 343.068 19.019 342.605 19.019 C 342.328 19.019 341.976 18.973 341.837 18.918 C 341.67 18.853 341.328 19.158 340.874 19.759 C 340.486 20.277 339.32 21.683 338.274 22.903 C 335.377 26.269 333.165 29.839 331.767 33.399 C 331.036 35.248 330.823 36.46 331.11 36.996 C 331.221 37.199 331.702 37.56 332.174 37.81 C 332.656 38.05 333.118 38.401 333.22 38.586 C 333.489 39.086 333.452 40.158 333.081 42.748 C 332.202 48.767 332.48 50.635 334.368 51.495 C 335.738 52.115 340.763 51.8 343.447 50.931 C 344.068 50.728 344.595 50.608 344.651 50.654 C 344.762 50.765 344.068 51.283 340.856 53.437 L 338.385 55.102 L 338.385 57.719 L 338.366 60.336 L 338.949 60.215 C 344.956 59.013 350.75 58.551 350.491 59.309 C 350.454 59.42 349.75 59.55 348.769 59.614 C 345.558 59.827 338.07 61.667 335.858 62.786 C 335.164 63.137 335.081 63.369 334.849 65.412 C 334.766 66.133 334.664 66.392 334.442 66.439 C 334.229 66.476 334.081 66.3 333.933 65.782 C 333.683 64.931 333.951 62.333 334.34 61.954 C 334.479 61.824 335.145 61.473 335.812 61.186 L 337.043 60.668 L 336.996 57.885 C 336.969 56.35 336.895 54.704 336.821 54.214 C 336.691 53.354 336.682 53.335 336.117 53.382 C 335.803 53.409 335.081 53.308 334.535 53.141 C 333.267 52.781 332.036 51.597 331.601 50.321 C 331.203 49.137 331.221 46.668 331.675 43.136 C 332.202 39.021 332.221 39.28 331.323 38.781 C 329.389 37.708 329.407 35.951 331.378 31.79 C 332.35 29.737 333.128 28.507 336.154 24.207 C 339.375 19.621 340.032 18.65 339.94 18.585 C 339.903 18.557 339.357 18.344 338.736 18.113 C 335.136 16.791 332.822 13.286 333.424 10.059 C 333.766 8.191 335.312 5.5 336.904 3.974 C 338.681 2.273 341.513 0.784 344.114 0.192 C 345.613 -0.15 348.094 -0.02 349.362 0.461 C 350.685 0.969 351.824 1.996 352.314 3.124 C 352.694 4.002 352.712 4.021 353.267 3.882 C 353.582 3.808 354.943 3.752 356.303 3.762 C 359.145 3.789 360.764 4.132 362.837 5.14 C 366.475 6.924 369.659 10.706 370.455 14.202 C 370.769 15.57 371.102 16.014 372.639 17.05 C 376.045 19.343 379.33 24.105 380.552 28.535 C 381.931 33.528 381.431 38.438 379.238 41.629 L 378.803 42.267 L 379.608 43.413 C 380.765 45.078 382.412 48.601 383.116 50.95 C 384.143 54.362 384.532 57.053 384.541 60.918 C 384.56 65.486 384.069 68.584 382.681 72.828 C 379.034 83.962 369.668 89.704 361.005 86.126 C 360.172 85.784 359.043 85.192 358.497 84.822 C 356.507 83.472 354.489 80.698 353.249 77.628 C 352.24 75.14 351.352 70.498 351.148 66.688 C 351.055 64.904 351.009 64.709 350.704 64.709 C 349.769 64.709 338.959 67.715 335.821 68.843 C 330.842 70.637 326.001 73.762 322.169 77.637 L 320.689 79.135 L 321.54 80.439 C 324.002 84.202 325.187 88.974 325.177 95.132 C 325.177 97.546 325.085 98.794 324.807 100.339 C 324.381 102.724 324.132 103.64 323.882 103.788 C 323.511 104.01 323.511 103.704 323.882 101.92 C 325.048 96.307 324.178 89.011 321.716 83.675 C 321.087 82.316 319.902 80.393 319.698 80.402 C 319.633 80.402 319.319 80.762 318.986 81.206 C 317.236 83.592 313.766 88.456 312.831 89.834 C 310.036 93.986 302.344 103.612 296.347 110.473 C 295.412 111.537 293.598 113.682 292.302 115.236 C 286.083 122.717 285.352 123.512 284.833 123.345 C 284.222 123.151 284.491 122.032 285.731 119.563 C 287.369 116.299 287.564 116.086 288.397 116.604 C 288.711 116.798 288.822 116.771 289.1 116.438 C 289.433 116.04 289.424 116.022 288.378 113.627 C 286.083 108.384 281.335 97 281.335 96.723 C 281.335 96.667 281.409 96.63 281.511 96.63 C 281.807 96.63 285.972 105.665 290.285 115.652 L 290.535 116.234 L 292.164 114.237 C 293.061 113.137 294.588 111.287 295.57 110.122 Z M 340.31 29.108 C 341.43 27.629 341.532 27.157 340.791 26.769 C 340.507 26.621 340.165 26.716 339.764 27.055 C 339.107 27.61 338.598 29.09 338.875 29.617 C 339.162 30.153 339.634 29.987 340.31 29.108 Z M 275.421 37.689 C 275.596 37.68 277.873 38.272 280.502 39.012 C 283.13 39.751 289.119 41.388 293.83 42.664 C 300.419 44.44 308.425 46.826 308.962 47.168 C 308.99 47.186 308.259 50.127 307.333 53.715 C 306.408 57.293 305.103 62.61 304.418 65.523 C 303.742 68.436 302.928 71.904 302.604 73.245 C 302.15 75.168 301.974 75.649 301.761 75.584 C 301.391 75.464 292.562 73.91 286.666 72.93 C 283.945 72.477 281.696 72.089 281.668 72.061 C 281.64 72.033 281.779 71.645 281.973 71.192 C 282.464 70.063 282.575 69.157 282.297 68.63 C 281.927 67.927 281.687 68.011 281.585 68.898 C 281.474 69.86 280.076 72.782 278.169 76.046 C 276.392 79.079 276.272 79.385 276.605 79.875 C 276.753 80.087 277.031 80.263 277.225 80.263 C 277.475 80.263 277.688 80.503 277.966 81.105 C 278.327 81.881 278.355 82.205 278.355 85.599 C 278.355 89.427 278.456 89.899 279.067 88.743 C 279.419 88.077 279.919 83.851 279.808 82.547 C 279.706 81.4 279.151 80.032 278.521 79.375 L 278.068 78.894 L 279.428 76.305 L 280.789 73.716 L 281.344 74.132 C 281.649 74.363 282.445 74.927 283.14 75.408 C 283.824 75.889 284.824 76.62 285.379 77.045 L 286.388 77.822 L 285.944 78.488 C 285.592 79.015 285.49 79.431 285.435 80.54 C 285.25 84.249 282.584 89.63 279.678 92.127 C 279.197 92.534 278.817 92.987 278.827 93.135 C 278.854 93.597 279.789 94.975 280.122 95.04 C 280.705 95.151 280.817 94.809 280.428 94.069 L 280.067 93.366 L 281.048 92.321 C 281.585 91.748 282.575 90.453 283.251 89.445 C 285.018 86.782 285.851 84.415 286.157 81.132 C 286.259 80.023 286.407 79.616 287.027 78.571 C 287.443 77.887 288.054 76.823 288.415 76.185 L 289.063 75.029 L 290.96 75.353 C 292.006 75.529 294.764 76.028 297.097 76.453 C 302.215 77.387 302.548 77.433 302.779 77.276 C 302.872 77.212 303.057 76.721 303.177 76.185 C 303.298 75.649 304.492 70.702 305.843 65.163 C 309.295 50.94 310.1 47.436 310.036 46.761 L 309.98 46.16 L 307.861 45.559 C 306.694 45.226 304.668 44.606 303.363 44.172 C 302.058 43.737 298.466 42.664 295.412 41.777 C 282.029 37.902 276.92 36.672 275.634 37.005 C 275.124 37.135 274.93 37.717 275.402 37.689 Z M 276.068 72.218 L 277.281 72.588 L 276.004 74.243 C 272.848 78.34 272.385 78.996 271.756 80.328 C 270.284 83.453 269.923 85.377 269.951 89.852 C 269.978 94.282 270.376 97.731 270.811 97.296 C 270.858 97.25 270.895 95.465 270.886 93.311 C 270.867 88.724 271.182 85.839 271.95 83.555 C 272.792 81.031 273.486 79.81 275.661 77.064 C 277.013 75.353 280.77 68.898 280.77 68.297 C 280.77 68.066 280.705 67.89 280.631 67.89 C 280.557 67.89 279.984 68.63 279.373 69.527 L 278.253 71.164 L 276.143 70.757 C 274.986 70.535 272.505 70.147 270.654 69.897 C 268.803 69.647 267.248 69.416 267.22 69.388 C 267.193 69.361 267.415 68.51 267.72 67.502 C 269.516 61.482 274.958 40.14 274.958 39.113 C 274.958 38.633 274.625 38.707 274.421 39.234 C 274.143 39.946 272.949 44.051 272.052 47.334 C 271.598 48.98 270.802 51.763 270.284 53.511 C 269.756 55.259 268.97 58.079 268.516 59.771 C 268.072 61.464 267.267 64.173 266.739 65.782 C 266.212 67.391 265.777 68.88 265.777 69.093 C 265.777 69.601 265.795 69.61 270.719 70.822 C 272.996 71.386 275.411 72.005 276.078 72.209 Z M 336.858 43.376 C 336.062 42.738 335.691 42.84 335.691 43.681 C 335.691 44.162 335.83 44.431 336.312 44.884 C 337.95 46.428 340.032 45.781 341.263 43.367 C 341.707 42.507 341.828 41.943 341.578 41.971 C 341.504 41.98 341.143 42.063 340.773 42.146 C 340.347 42.248 339.838 42.59 339.338 43.099 C 338.403 44.07 337.811 44.135 336.858 43.376 Z M 374.712 88.197 C 374.712 88.438 375.517 89.908 377.146 92.682 C 388.549 111.999 399.72 133.046 405.616 146.315 C 406.421 148.128 406.893 148.978 407.106 149.025 C 407.374 149.08 407.402 149.015 407.3 148.608 C 407.022 147.527 405.745 144.549 402.423 137.225 C 395.601 122.217 394.713 120.479 385.855 104.934 C 381.913 98.018 376.73 89.714 375.517 88.382 C 375.128 87.957 374.693 87.855 374.693 88.188 Z M 381.043 144.336 C 391.742 161.111 400.229 174.889 400.044 175.175 C 399.988 175.268 399.877 175.333 399.766 175.333 C 399.452 175.333 389.863 160.583 380.672 145.955 C 377.803 141.386 375.091 137.087 374.638 136.384 L 373.814 135.108 L 373.074 135.579 C 372.213 136.125 366.345 139.056 365.744 139.241 C 365.475 139.324 365.336 139.5 365.336 139.759 C 365.336 140.129 365.799 142.921 367.169 150.855 C 367.521 152.862 367.808 154.804 367.808 155.146 C 367.808 156.062 367.373 156.959 366.762 157.31 L 366.253 157.597 L 367.169 158.651 C 370.871 162.914 374.268 169.22 376.48 175.906 C 377.776 179.827 378.266 182.444 378.331 185.782 L 378.386 188.556 L 379.303 190.637 C 379.802 191.783 380.996 194.428 381.94 196.508 C 383.523 200.004 386.522 207.448 386.799 208.557 C 386.864 208.826 386.985 209.075 387.077 209.131 C 387.401 209.334 387.234 209.889 386.827 209.945 C 386.614 209.972 380.349 209.982 372.907 209.954 L 359.385 209.908 L 358.747 207.485 C 358.395 206.144 357.867 203.878 357.562 202.417 C 357.266 200.966 356.655 198.154 356.229 196.194 C 355.526 193.004 355.442 192.384 355.442 190.359 C 355.442 187.113 354.702 181.639 353.85 178.504 C 352.832 174.778 350.185 169.239 349.602 169.609 C 349.343 169.766 349.547 170.515 350.343 172.383 C 352.638 177.737 353.36 182 353.304 189.795 C 353.286 192.791 353.341 193.79 353.665 195.621 C 354.221 198.811 354.915 201.372 356.423 205.857 C 357.155 208.03 357.728 209.824 357.71 209.834 C 357.682 209.852 349.491 209.889 339.477 209.926 L 321.29 210 L 320.466 206.292 C 318.421 197.137 317.866 191.543 317.856 180.002 C 317.856 173.844 318.051 170.099 318.504 167.916 C 318.902 165.975 318.902 165.938 318.328 165.78 C 317.06 165.438 316.588 164.301 317.051 162.692 C 317.218 162.128 317.551 161.305 317.792 160.889 L 318.227 160.13 L 317.847 157.273 C 317.366 153.62 316.44 147.397 316.366 147.323 C 316.339 147.295 315.626 147.425 314.774 147.619 C 313.923 147.813 312.97 147.97 312.627 147.97 C 312.063 147.97 312.016 147.924 311.989 147.397 C 311.97 147.083 311.914 142.82 311.859 137.928 L 311.757 129.032 L 310.443 130.604 C 309.721 131.474 307.898 133.406 306.389 134.923 C 299.957 141.377 295.69 143.754 290.007 144.031 C 286.934 144.179 285.018 143.67 282.445 142.006 C 279.215 139.916 276.541 136.698 274.273 132.167 C 272.283 128.182 270.432 121.986 269.034 114.607 C 268.34 110.936 267.526 104.712 267.526 103.048 L 267.526 101.55 L 268.266 100.736 C 269.349 99.553 270.913 98.498 273.209 97.398 C 275.68 96.214 277.623 95.687 279.28 95.761 C 280.039 95.798 280.493 95.891 280.539 96.029 C 280.594 96.177 280.437 96.251 280.085 96.251 C 279.789 96.251 278.938 96.372 278.179 96.51 C 276.041 96.917 272.079 98.933 269.969 100.69 C 268.498 101.911 268.451 102.058 268.896 103.945 C 269.099 104.805 269.553 107.228 269.904 109.308 C 272.514 124.779 275.522 132.888 280.585 138.141 C 284.685 142.394 288.147 143.439 293.515 142.061 C 297.717 140.98 301.317 138.548 306.741 133.138 C 310.434 129.448 312.424 126.989 315.7 122.051 C 317.653 119.101 320.031 114.783 320.744 112.896 C 321.012 112.193 321.29 111.611 321.373 111.611 C 321.605 111.611 321.549 113.127 321.272 114.755 C 320.291 120.405 317.153 127.248 313.941 130.752 L 312.97 131.806 L 313.275 137.013 C 313.442 139.87 313.59 143.079 313.59 144.124 C 313.59 145.853 313.627 146.019 313.904 145.936 C 314.071 145.881 315.006 145.677 315.978 145.483 C 321.392 144.383 334.34 140.249 349.445 134.803 C 358.821 131.418 367.835 128.339 370.584 127.59 C 373.268 126.85 375.591 126.434 377.017 126.434 C 377.581 126.434 378.062 126.378 378.062 126.314 C 378.062 126.249 377.757 125.87 377.387 125.481 C 376.285 124.335 374.064 121.403 372.491 119.027 C 367.835 111.962 364.429 103.871 362.995 96.51 C 362.523 94.06 362.069 89.917 362.227 89.492 C 362.319 89.251 362.384 89.26 362.884 89.51 C 363.263 89.704 363.569 90.074 363.846 90.694 C 364.327 91.757 365.614 95.937 365.901 97.398 C 366.086 98.332 366.077 98.452 365.753 98.767 C 365.29 99.22 364.763 98.979 364.457 98.175 C 364.281 97.712 364.216 97.657 364.161 97.907 C 364.078 98.258 364.642 100.2 365.651 103.057 C 368.539 111.213 373.796 120.044 378.969 125.463 C 380.049 126.591 380.614 127.507 380.663 128.209 C 380.728 129.106 380.682 129.374 380.284 130.04 C 379.719 131.011 378.636 131.964 376.535 133.369 C 375.489 134.063 374.925 134.553 374.971 134.71 C 375.017 134.839 377.738 139.167 381.024 144.318 Z M 363.504 136.439 C 363.245 134.59 362.995 132.833 362.939 132.518 C 362.884 132.204 362.754 131.945 362.643 131.954 C 362.532 131.954 361.486 132.324 360.32 132.759 C 351.315 136.134 336.117 141.312 327.741 143.846 C 325.27 144.595 322.762 145.4 322.179 145.622 C 321.596 145.853 320.439 146.204 319.606 146.417 C 318.773 146.63 317.995 146.861 317.875 146.925 C 317.708 147.027 317.773 148.017 318.19 151.299 C 318.486 153.63 318.847 156.293 318.995 157.199 C 319.402 159.723 319.347 160.509 318.699 161.749 C 318.384 162.35 318.106 163.182 318.06 163.672 C 317.986 164.467 318.023 164.56 318.477 164.865 C 318.893 165.133 319.291 165.188 320.892 165.161 C 321.947 165.142 322.901 165.059 322.993 164.957 C 323.141 164.809 322.114 164.319 320.753 163.912 C 320.476 163.829 320.207 163.653 320.161 163.524 C 320.096 163.339 320.244 163.311 320.772 163.385 C 321.151 163.441 322.577 163.653 323.937 163.866 C 326.695 164.292 329.25 164.338 333.914 164.051 C 342.337 163.533 350.63 161.934 356.081 159.788 C 357.895 159.067 362.106 156.875 363.67 155.821 C 364.161 155.488 364.614 155.229 364.698 155.229 C 365.012 155.229 364.772 155.775 364.115 156.57 L 363.393 157.43 L 363.939 157.486 C 364.698 157.569 366.179 157.042 366.493 156.579 C 367.002 155.849 366.836 154.406 365.614 148.784 C 365.022 146.075 364.059 140.425 363.504 136.43 Z M 421.109 180.012 C 420.831 179.531 420.572 178.819 420.535 178.421 C 420.369 176.646 417.888 172.882 415.287 170.459 L 413.927 169.193 L 414.454 169.008 C 414.751 168.906 415.028 168.712 415.093 168.554 C 415.241 168.175 414.51 166.048 412.566 161.212 C 410.364 155.729 408.624 151.863 408.364 151.863 C 408.216 151.863 408.253 152.178 408.494 152.955 C 408.864 154.129 410.512 158.632 412.057 162.71 C 413.177 165.66 413.779 167.602 413.603 167.759 C 413.538 167.815 412.844 168.083 412.067 168.36 C 406.948 170.136 401.96 173.169 401.034 175.074 C 400.673 175.813 400.673 176.22 401.034 176.22 C 401.118 176.22 401.192 176.119 401.192 175.989 C 401.192 175.86 401.488 175.481 401.858 175.111 L 402.515 174.463 L 402.515 177.145 C 402.524 179.66 403.061 184.025 403.866 188.168 C 404.033 189.028 404.366 189.36 404.635 188.926 C 404.736 188.769 404.135 181.833 403.922 180.613 C 403.857 180.271 403.765 178.597 403.7 176.868 L 403.589 173.733 L 405.181 172.864 C 409.086 170.728 412.492 170.265 414.982 171.523 C 416.75 172.42 419.702 176.821 419.841 178.745 C 419.878 179.364 420.35 180.317 422.136 183.452 C 424.478 187.548 424.774 187.992 424.996 187.77 C 425.117 187.65 422.257 181.926 421.109 179.993 Z M 410.493 182.943 L 409.327 180.751 L 409.623 179.762 C 410.067 178.273 410.03 175.582 409.54 173.973 C 409.16 172.725 408.864 172.272 408.725 172.725 C 408.688 172.854 408.522 173.622 408.355 174.454 C 407.966 176.433 407.578 177.256 406.55 178.356 L 405.708 179.253 L 405.606 184.043 C 405.523 188.103 405.468 188.917 405.208 189.397 C 404.81 190.137 405.144 190.359 405.745 189.749 C 406.476 189.018 406.68 187.77 406.791 183.627 C 406.865 180.77 406.948 179.734 407.143 179.429 C 407.393 179.041 407.439 179.096 408.513 181.195 C 410.78 185.606 413.501 189.962 415.695 192.717 C 416.528 193.762 416.833 194.049 416.879 193.808 C 416.916 193.623 416.13 192.255 415.01 190.544 C 412.881 187.298 412.205 186.17 410.484 182.943 Z M 417.86 178.726 C 418.61 177.903 417.962 177.996 416.741 178.893 C 416.204 179.29 414.908 180.039 413.825 180.566 C 411.78 181.584 410.919 182.185 411.826 181.972 C 412.289 181.861 412.335 181.935 413.622 184.478 C 414.343 185.911 415.389 187.881 415.935 188.833 C 417.074 190.831 419.795 194.955 420.184 195.269 C 420.443 195.482 420.804 195.399 420.804 195.112 C 420.804 195.029 420.072 193.855 419.184 192.514 C 418.295 191.173 417.157 189.388 416.657 188.574 C 415.454 186.596 412.789 181.695 412.872 181.621 C 412.909 181.584 413.39 181.352 413.936 181.112 L 414.936 180.668 L 415.51 181.926 C 415.824 182.619 417.055 185.208 418.258 187.696 C 419.462 190.183 420.6 192.736 420.822 193.383 C 421.229 194.622 421.507 194.77 421.507 193.753 C 421.507 192.8 420.526 190.489 417.907 185.245 C 416.574 182.582 415.51 180.391 415.537 180.363 C 415.565 180.335 415.954 180.076 416.389 179.78 L 417.194 179.244 L 417.666 180.603 C 417.925 181.352 418.721 183.313 419.443 184.95 C 420.165 186.586 421.137 188.917 421.618 190.1 C 422.118 191.349 422.581 192.264 422.71 192.264 C 423.303 192.264 422.322 189.194 420.193 184.413 C 419.647 183.174 419.702 183.23 421.155 185.264 C 422.794 187.557 424.126 189.129 424.256 188.917 C 424.395 188.695 418.675 180.002 418.027 179.448 C 417.583 179.068 417.583 179.041 417.87 178.717 Z M 67.546 37.319 C 67.434 37.135 67.888 36.265 68.351 35.766 C 68.86 35.23 70.591 34.351 71.386 34.231 C 71.757 34.175 72.099 34.101 72.136 34.065 C 72.173 34.028 72.044 33.51 71.849 32.89 C 71.174 30.717 71.47 28.267 72.701 25.918 C 73.95 23.532 76.912 21.109 79.79 20.111 C 80.836 19.75 83.02 19.63 84.325 19.861 L 85.066 19.99 L 85.279 18.733 C 85.871 15.256 89.148 11.613 93.664 9.412 C 95.571 8.478 96.978 8.015 98.523 7.803 C 100.217 7.572 102.207 7.877 103.54 8.552 C 104.447 9.014 106.011 10.512 106.548 11.428 C 108.149 14.165 108.177 17.864 106.612 20.934 L 106.261 21.618 L 107.047 22.432 C 108.038 23.449 108.954 24.817 110.463 27.508 C 113.378 32.733 114.905 34.379 118.82 36.533 C 120.727 37.588 121.662 38.438 121.662 39.141 C 121.662 39.714 121.439 40.094 120.32 41.416 L 119.561 42.313 L 120.875 45.827 C 123.189 52.022 123.485 53.021 123.503 54.824 C 123.513 56.091 123.448 56.572 123.142 57.229 C 122.596 58.412 121.643 59.383 119.912 60.52 C 119.079 61.066 118.357 61.538 118.32 61.565 C 118.024 61.778 120.56 66.827 121.143 67.188 C 121.227 67.243 122.208 66.956 123.3 66.559 C 127.807 64.913 131.417 64.312 133.397 64.876 C 134.915 65.31 135.813 65.893 137.516 67.521 C 139.265 69.204 140.829 71.192 144.272 76.111 C 149.372 83.398 150.742 85.71 154.768 93.829 C 157.943 100.218 159.035 102.706 163.088 112.711 C 164.579 116.401 165.911 119.637 166.032 119.915 L 166.263 120.414 L 166.883 119.776 C 167.605 119.036 168.16 118.962 168.549 119.563 C 168.929 120.146 169.021 125.278 168.66 125.722 C 168.234 126.23 167.327 126.092 166.735 125.426 C 165.56 124.085 164.403 121.635 160.414 111.981 C 155.99 101.291 153.824 96.464 150.936 90.916 C 148.113 85.488 147.253 84.091 142.616 77.332 C 138.256 70.997 136.729 69.111 134.675 67.558 C 134.054 67.086 133.971 67.067 133.545 67.289 C 132.49 67.844 130.787 70.702 129.816 73.54 C 127.122 81.41 126.123 92.747 127.465 100.144 C 127.687 101.393 127.724 101.855 127.576 101.855 C 127.465 101.855 127.243 101.254 127.076 100.496 C 125.345 92.469 126.021 80.522 128.668 72.569 C 129.381 70.415 130.482 67.992 131.121 67.151 L 131.565 66.568 L 131.037 66.568 C 130.26 66.568 127.946 67.04 126.16 67.558 C 124.438 68.066 116.802 70.803 114.942 71.589 C 112.434 72.643 106.344 75.445 103.956 76.638 C 98.255 79.496 87.121 85.996 86.343 86.93 C 86.065 87.263 85.797 87.291 85.797 86.986 C 85.797 86.274 89.222 83.795 96.126 79.486 C 97.292 78.756 98.273 78.145 98.301 78.118 C 98.375 78.053 96.903 73.291 95.774 69.925 C 95.339 68.621 94.997 67.548 95.025 67.539 C 95.052 67.53 95.404 67.299 95.811 67.049 L 96.552 66.577 L 96.922 67.844 C 97.422 69.536 99.791 77.064 99.847 77.138 C 99.865 77.165 101.226 76.453 102.873 75.556 C 106.02 73.836 110.009 71.876 112.369 70.896 C 113.147 70.572 114.378 70.036 115.109 69.694 C 115.84 69.351 117.126 68.815 117.978 68.501 C 118.829 68.186 119.514 67.844 119.514 67.733 C 119.514 67.622 119.042 66.707 118.468 65.69 L 117.432 63.84 L 115.858 63.738 C 113.656 63.591 112.795 63.415 112.665 63.082 C 112.601 62.925 112.647 62.768 112.767 62.731 C 112.878 62.694 113.082 62.555 113.211 62.435 C 113.341 62.305 114.433 61.713 115.627 61.112 C 120.523 58.671 121.967 57.265 121.976 54.935 C 121.976 53.733 121.708 52.781 119.773 47.353 C 118.931 44.967 118.2 42.785 118.145 42.489 C 118.07 42.017 118.2 41.795 119.218 40.658 C 119.857 39.955 120.384 39.298 120.384 39.206 C 120.384 38.993 119.468 38.346 117.561 37.218 C 113.72 34.952 112.129 33.205 109.361 28.211 C 107.334 24.558 106.159 22.811 105.715 22.811 C 105.65 22.811 105.354 23.181 105.057 23.643 C 104.012 25.271 100.967 27.989 99.291 28.803 L 98.551 29.164 L 98.967 29.996 C 99.754 31.549 99.467 33.63 98.292 34.897 L 97.579 35.673 L 98.477 36.977 C 98.977 37.699 99.782 38.688 100.291 39.187 C 100.93 39.816 101.17 40.177 101.087 40.38 C 101.004 40.584 100.874 40.63 100.661 40.537 C 100.485 40.464 99.828 40.371 99.18 40.325 C 98.033 40.251 97.986 40.26 97.264 40.917 C 96.302 41.795 96.033 42.359 96.033 43.487 C 96.033 45.818 97.459 47.02 100.476 47.26 C 103.04 47.464 103.04 47.889 100.458 49.184 C 96.728 51.051 92.655 53.631 89.758 55.962 C 87.759 57.561 87.37 57.7 84.464 57.867 C 81.586 58.024 79.577 57.395 78.097 55.878 C 77.069 54.824 76.616 53.798 76.283 51.819 L 76.005 50.164 L 75.033 50.164 C 73.728 50.164 71.97 49.738 70.914 49.165 C 68.628 47.917 67.296 44.384 67.944 41.296 C 68.24 39.899 69.378 37.726 70.461 36.515 C 71.266 35.618 71.303 35.526 70.933 35.526 C 70.294 35.526 68.675 36.339 68.119 36.94 C 67.842 37.236 67.564 37.412 67.509 37.329 Z M 70.007 33.676 C 70.359 33.907 70.498 33.926 70.702 33.759 C 70.924 33.584 70.896 33.436 70.526 32.742 C 70.294 32.298 70.091 31.67 70.091 31.355 C 70.091 31.004 69.98 30.736 69.813 30.671 C 69.566 30.578 69.332 30.643 69.11 30.865 C 68.527 31.448 69.036 33.029 70.007 33.667 Z M 109.398 33.861 C 109.657 33.473 109.648 33.371 109.287 32.539 C 108.898 31.642 108.232 30.93 107.769 30.93 C 107.64 30.93 107.316 31.133 107.094 31.364 C 106.862 31.596 106.659 31.928 106.659 32.076 C 106.659 32.456 107.14 33.399 107.603 33.889 C 108.102 34.434 109.037 34.416 109.407 33.852 Z M 254.291 40.732 C 254.013 40.584 253.661 40.473 253.541 40.491 C 253.411 40.51 243.49 40.574 231.504 40.63 C 219.518 40.685 209.597 40.796 209.467 40.88 C 209.115 41.092 209.217 41.462 209.661 41.573 C 210.05 41.675 221.268 41.795 242.768 41.934 C 248.626 41.971 253.467 42.054 253.522 42.109 C 253.578 42.165 253.421 44.135 253.152 46.502 C 252.458 52.781 251.144 69.231 249.607 90.906 C 249.459 92.987 249.246 95.438 249.145 96.335 L 248.95 97.971 L 246.803 97.971 C 245.618 97.971 242.361 98.045 239.538 98.138 C 236.715 98.23 231.485 98.387 227.885 98.489 C 224.285 98.591 219.926 98.748 218.176 98.841 C 216.427 98.933 214.048 99.053 212.882 99.118 L 210.763 99.22 L 212.706 98.128 C 215.446 96.593 222.128 92.793 223.915 91.757 C 225.395 90.897 226.21 90.324 226.21 90.13 C 226.21 89.741 221.74 90.712 217.325 92.044 C 210.281 94.18 201.498 98.313 198.324 100.977 L 197.093 102.012 L 196.658 101.328 C 195.815 100.006 193.751 95.733 193.27 94.337 C 193.002 93.56 192.743 92.358 192.696 91.674 C 192.557 89.677 192.909 88.78 195.214 85.34 C 197.148 82.445 201.045 77.378 201.387 77.322 C 201.526 77.295 203.257 81.669 203.257 82.048 C 203.257 82.112 202.868 82.39 202.396 82.658 C 200.823 83.537 200.758 84.054 202.239 83.832 C 202.942 83.721 205.645 82.455 213.067 78.737 C 222.971 73.781 225.34 72.422 225.34 71.691 C 225.34 70.776 224.266 71.155 218.13 74.215 C 216.066 75.251 213.678 76.481 212.836 76.953 C 211.984 77.424 209.874 78.608 208.134 79.579 C 206.385 80.559 204.95 81.336 204.941 81.317 C 204.923 81.299 205.015 80.402 205.145 79.311 C 205.358 77.489 207.496 54.112 208.134 46.613 C 208.421 43.228 208.43 41.518 208.144 41.453 C 208.051 41.434 207.903 41.693 207.838 42.026 C 207.653 42.868 206.69 50.903 205.293 63.202 L 204.117 73.522 L 203.266 74.317 C 202.803 74.743 202.165 75.297 201.868 75.519 C 201.276 75.972 198.064 79.57 196.26 81.807 C 192.872 86.024 190.568 90.333 189.836 93.801 L 189.624 94.809 L 188.902 94.106 C 187.948 93.191 187.467 92.941 187.051 93.163 C 186.162 93.634 168.253 114.829 167.411 116.401 C 167.133 116.909 167.244 117.085 167.744 116.919 C 168.271 116.752 179.683 104.028 185.329 97.324 C 186.393 96.057 187.31 94.966 187.384 94.883 C 187.458 94.8 187.772 95.031 188.096 95.401 C 188.42 95.77 190.438 98.018 192.557 100.385 L 196.426 104.703 L 196.112 105.6 C 195.519 107.274 193.27 111.971 191.799 114.616 C 187.375 122.559 182.525 129.06 176.592 134.997 C 175.185 136.412 173.399 138.067 172.621 138.686 C 169.41 141.266 165.569 143.449 163.07 144.133 C 162.311 144.346 161.848 144.558 161.848 144.715 C 161.848 145.353 165.236 144.466 167.901 143.125 C 171.27 141.442 176.064 137.817 179.591 134.294 C 187.023 126.878 193.594 116.965 196.963 108.088 C 197.407 106.922 197.879 105.693 198.027 105.35 C 198.287 104.731 198.194 104.102 197.805 103.862 C 197.703 103.797 197.611 103.677 197.611 103.603 C 197.611 103.381 200.045 101.439 201.23 100.718 C 202.498 99.941 199.555 100.024 225.155 100.061 C 246.183 100.089 249.857 100.015 250.44 99.534 C 250.801 99.238 250.838 99.016 250.949 96.51 C 251.014 95.021 251.283 91.387 251.533 88.419 C 253.708 62.925 254.818 47.621 254.818 43.043 L 254.818 40.981 L 254.3 40.704 Z M 117.247 49.063 C 117.247 48.601 116.849 48.037 116.525 48.037 C 116.442 48.037 116.284 48.259 116.182 48.518 C 116.081 48.786 115.905 49.063 115.784 49.137 C 115.359 49.405 114.035 49.267 113.434 48.897 C 112.601 48.388 111.879 48.499 111.805 49.137 C 111.694 50.127 112.795 50.848 114.424 50.848 C 116.192 50.848 117.247 50.173 117.247 49.045 Z M 102.41 49.1 C 102.346 49.1 101.457 49.526 100.448 50.034 C 97.977 51.292 95.126 53.021 92.785 54.658 C 90.786 56.054 88.99 57.506 88.99 57.709 C 88.99 57.774 89.314 58.107 89.703 58.421 L 90.415 59.013 L 91.952 57.876 C 94.516 55.971 96.7 54.63 99.726 53.114 L 102.605 51.662 L 102.568 50.386 C 102.549 49.683 102.475 49.11 102.41 49.11 Z M 102.503 54.972 L 102.559 53.798 C 102.586 53.141 102.549 52.623 102.466 52.633 C 102.392 52.633 101.244 53.188 99.921 53.844 C 97.163 55.231 94.84 56.655 92.553 58.347 C 90.86 59.605 90.813 59.716 91.6 60.447 C 91.952 60.77 91.97 60.761 92.887 60.086 C 94.497 58.902 96.894 57.561 99.754 56.239 L 102.494 54.972 Z M 99.921 57.016 C 97.329 58.236 94.71 59.697 93.211 60.77 L 92.378 61.362 L 92.813 62.092 L 93.248 62.823 L 94.877 61.834 C 95.765 61.288 97.894 60.225 99.588 59.466 L 102.679 58.088 L 102.734 56.942 C 102.762 56.304 102.725 55.795 102.642 55.795 C 102.568 55.795 101.337 56.341 99.921 57.007 Z M 93.775 63.461 C 93.636 63.637 93.72 64.062 94.136 65.172 C 94.432 65.986 94.71 66.679 94.747 66.716 C 94.784 66.753 95.589 66.3 96.543 65.717 C 98.56 64.487 100.467 63.507 101.985 62.943 C 103.012 62.555 103.049 62.527 103.095 61.871 C 103.123 61.501 103.086 60.659 103.003 60.03 L 102.864 58.865 L 100.041 60.123 C 97.237 61.371 94.164 63.017 93.784 63.47 Z M 222.674 75.538 C 221.03 76.51 219.398 77.502 217.778 78.515 C 215.427 80.004 209.125 84.35 208.051 85.22 C 207.292 85.83 207.042 86.44 207.607 86.292 C 207.783 86.246 209.828 84.951 212.16 83.407 C 214.493 81.863 218.213 79.449 220.425 78.044 C 224.859 75.223 225.738 74.567 225.645 74.123 C 225.59 73.883 224.979 74.178 222.665 75.547 Z M 228.024 76.463 C 227.95 76.463 224.155 78.7 219.583 81.447 C 209.782 87.328 208.727 88.003 208.727 88.336 C 208.727 88.844 209.56 88.687 211.114 87.883 C 212.475 87.18 217.899 84.961 223.831 82.667 C 224.711 82.325 225.599 81.983 225.83 81.9 C 226.062 81.807 226.191 81.669 226.136 81.585 C 226.08 81.493 224.877 81.817 223.443 82.288 C 222.008 82.76 220.833 83.139 220.814 83.12 C 220.768 83.065 226.034 78.599 227.237 77.683 C 228.033 77.073 228.44 76.444 228.033 76.463 Z M 226.173 84.48 C 226.876 84.017 227.441 83.537 227.441 83.407 C 227.441 83.102 227.515 83.083 226.469 83.629 C 225.21 84.286 216.436 87.984 213.928 88.928 C 211.318 89.899 210.754 90.342 211.42 90.897 C 211.688 91.119 212.642 90.999 216.399 90.278 C 219.592 89.667 225.581 88.345 225.812 88.206 C 226.136 88.012 226.08 87.568 225.719 87.568 C 225.544 87.568 224.461 87.725 223.295 87.91 C 222.128 88.105 221.157 88.234 221.129 88.206 C 221.055 88.132 224.692 85.441 226.164 84.48 Z M 17.557 167.842 C 17.891 167.842 22.148 163.237 29.932 154.434 C 34.467 149.311 36.124 147.323 42.186 139.787 C 48.1 132.426 50.895 129.051 56.393 122.587 C 61.965 116.04 65.759 111.472 71.59 104.324 C 74.394 100.884 77.902 96.63 79.365 94.883 C 83.335 90.157 84.446 88.622 83.881 88.622 C 83.789 88.622 82.863 89.556 81.799 90.703 C 78.717 94.041 75.505 97.759 69.026 105.471 C 65.685 109.447 59.725 116.484 55.782 121.089 C 47.961 130.225 45.222 133.508 40.159 139.796 C 35.809 145.196 33.828 147.554 25.23 157.597 C 21.297 162.183 17.863 166.28 17.594 166.696 C 17.104 167.454 17.095 167.842 17.557 167.842 Z M 160.377 143.966 C 161.672 145.335 159.96 144.641 157.545 142.829 C 155.971 141.645 155.268 140.832 147.919 131.64 L 142.051 124.298 L 141.829 125.916 C 141.709 126.804 141.135 131.538 140.552 136.439 C 139.645 144.133 136.331 171.282 136.044 173.437 C 135.85 174.87 134.767 175.277 131.102 175.314 L 128.612 175.342 L 128.131 179.577 C 127.391 186.068 124.67 208.631 124.568 209.075 C 124.494 209.417 124.364 209.482 123.763 209.482 L 123.05 209.482 L 123.152 208.733 C 123.207 208.317 123.846 203.305 124.568 197.572 L 125.873 187.16 L 125.364 186.096 C 123.17 181.547 114.396 174.167 103.29 167.537 C 100.448 165.845 99.726 165.475 95.765 163.709 L 92.729 162.359 L 90.804 162.359 C 87.805 162.359 74.607 161.601 73.395 161.36 C 73.127 161.305 72.923 161.342 72.923 161.443 C 72.923 161.73 67.518 173.973 59.558 191.737 C 55.384 201.049 51.858 208.974 51.728 209.334 L 51.487 210 L 49.424 210 L 49.942 209.075 C 50.229 208.567 51.46 205.922 52.672 203.213 C 53.885 200.503 56.208 195.288 57.827 191.654 C 59.447 188.02 61.807 182.758 63.057 179.975 C 64.306 177.191 65.333 174.842 65.333 174.759 C 65.333 174.676 64.713 174.426 63.973 174.214 C 60.817 173.289 58.947 171.809 57.652 169.193 C 56.624 167.13 56.356 165.706 56.633 163.811 C 57.068 160.815 58.077 158.882 60.734 155.923 C 63.695 152.64 66.398 148.581 69.924 142.163 C 76.875 129.495 81.854 115.273 83.604 103.085 C 84.261 98.489 84.14 98.693 82.15 105.554 C 80.373 111.675 77.819 120.285 77.328 121.838 C 77.153 122.402 76.829 122.744 76.829 122.365 C 76.829 121.746 83.733 96.834 84.094 96.15 C 84.946 94.522 85.177 100.052 84.492 105.341 C 83.872 110.094 81.836 118.787 80.087 124.094 C 76.708 134.377 70.1 147.323 65.019 153.611 C 64.232 154.582 63.612 155.396 63.64 155.424 C 63.668 155.451 64.158 155.322 64.741 155.137 C 67.24 154.36 71.72 154.249 75.533 154.869 C 80.003 155.599 86.426 157.597 91.887 159.973 C 100.633 163.774 102.466 164.578 107.131 166.65 C 115.257 170.274 122.615 172.586 127.77 173.141 C 129.658 173.344 133.573 173.233 134.008 172.965 C 134.203 172.845 134.758 168.823 137.22 149.922 C 137.905 144.678 138.775 138.15 139.154 135.404 C 139.774 130.956 139.83 130.336 139.617 129.754 C 139.487 129.393 138.062 126.434 136.461 123.188 C 131.565 113.257 128.742 107.329 128.742 106.959 C 128.742 106.266 129.408 106.627 130.63 107.986 C 132.583 110.168 144.541 124.39 153.481 135.191 C 155.86 138.067 158.405 141.294 159.192 142.422 C 159.562 142.949 160.108 143.652 160.404 143.957 Z M 89.333 160.889 C 89.092 160.648 84.77 159.113 81.577 158.133 C 79.689 157.56 77.449 156.931 76.625 156.755 L 75.116 156.431 L 74.302 158.346 L 73.487 160.26 L 75.116 160.26 C 76.93 160.26 86.537 160.722 88.287 160.889 C 88.925 160.953 89.388 160.953 89.333 160.889 Z M 65.074 146.704 C 64.88 146.398 64.778 146.445 63.742 147.332 C 60.456 150.143 46.684 162.581 38.345 170.265 L 34.05 174.223 L 30.922 172.642 C 25.748 170.016 22.037 168.721 19.705 168.721 C 18.048 168.721 17.622 169.313 18.326 170.644 L 18.65 171.245 L 17.585 172.318 C 15.91 174.01 13.753 177.598 14.161 178.005 C 14.346 178.19 14.586 177.894 15.382 176.535 C 17.289 173.289 20.278 170.635 22.296 170.395 C 23.046 170.302 23.342 170.367 24.24 170.82 C 26.859 172.124 30.154 175.906 31.626 179.29 C 32.116 180.419 32.199 180.825 32.172 181.87 C 32.135 183.507 31.228 187.89 30.219 191.312 C 29.284 194.483 29.136 195.269 29.488 195.158 C 30.034 194.983 31.829 189.462 32.819 184.913 C 33.458 181.981 33.773 179.3 33.662 177.626 C 33.588 176.498 33.625 176.322 33.884 176.322 C 34.282 176.322 35.069 175.638 40.242 170.774 C 56.93 155.072 65.241 147.009 65.065 146.713 Z M 90.008 174.001 C 89.092 175.092 86.325 181.214 84.936 185.227 C 83.927 188.158 83.511 190.331 83.511 192.782 L 83.511 194.807 L 82.299 196.989 C 81.632 198.182 79.938 201.197 78.532 203.666 C 76.391 207.432 75.391 209.387 75.533 209.528 C 75.625 209.621 76.69 209.732 77.893 209.769 L 80.077 209.834 L 81.021 207.069 C 81.54 205.543 82.808 202.362 83.835 199.976 L 85.705 195.658 L 85.751 193.633 C 85.779 192.523 85.964 190.729 86.167 189.666 C 86.602 187.409 88.24 182.379 90.018 177.811 C 91.323 174.473 91.415 174.084 91.063 173.733 C 90.739 173.409 90.462 173.483 89.999 174.029 Z M 76.875 175.037 L 76.986 174.547 L 75.792 174.574 C 75.126 174.593 74.052 174.667 73.367 174.75 C 72.682 174.833 71.424 174.935 70.544 174.981 C 68.989 175.055 68.943 175.074 68.554 175.638 C 68.332 175.952 68.156 176.396 68.156 176.618 L 68.156 177.025 L 71.22 177.025 C 72.895 177.025 74.783 176.969 75.376 176.914 C 76.56 176.794 76.468 176.905 76.875 175.046 Z M 105.853 175.092 C 105.169 175.166 103.456 175.231 102.031 175.24 L 99.439 175.259 L 99.143 175.887 C 98.977 176.239 98.838 176.71 98.819 176.969 L 98.782 177.432 L 103.197 177.404 C 108.621 177.376 108.852 177.339 109 176.636 C 109.37 174.861 109.148 174.759 105.844 175.101 Z M 29.654 184.589 C 29.552 184.395 29.404 184.247 29.33 184.247 C 29.016 184.247 27.794 183.119 27.072 182.166 C 26.045 180.798 25.249 178.245 25.249 176.294 C 25.249 175.342 24.989 175.296 24.48 176.174 C 24.008 176.988 23.657 178.541 23.657 179.845 C 23.657 181.87 24.814 184.728 26.091 185.856 L 26.674 186.374 L 25.933 187.465 C 23.944 190.396 20.14 195.51 18.418 197.572 C 17.363 198.839 15.373 201.03 13.985 202.454 C 11.727 204.785 11.116 205.598 11.643 205.598 C 11.93 205.598 17.28 200.198 19.408 197.766 C 22.861 193.818 25.832 189.925 27.664 186.965 C 28.331 185.893 28.405 185.819 28.294 186.364 C 28.081 187.456 28.136 194.53 28.358 194.604 C 28.627 194.696 28.719 194.234 28.941 191.663 C 29.043 190.461 29.293 188.436 29.478 187.197 C 29.728 185.551 29.774 184.848 29.636 184.589 Z M 9.774 180.548 C 12.439 179.485 13.069 179.179 13.355 178.8 C 13.855 178.144 13.355 178.088 11.717 178.606 C 10.236 179.078 4.6 181.898 2.98 182.989 C 1.546 183.951 0 185.477 0 185.921 C 0 186.3 0.231 186.253 0.639 185.8 C 1.925 184.349 5.72 182.166 9.783 180.548 Z M 16.437 196.777 C 14.327 199.357 8.756 204.979 8.487 204.812 C 8.376 204.738 8.302 204.572 8.33 204.452 C 8.358 204.322 9.431 203.037 10.708 201.594 C 13.189 198.792 14.772 196.915 16.16 195.14 L 17.011 194.049 L 15.373 195.602 C 13.448 197.424 9.552 200.771 8.024 201.927 C 6.914 202.769 5.026 204.017 4.859 204.017 C 4.581 204.017 4.804 203.49 5.127 203.388 C 5.322 203.324 5.729 203.028 6.044 202.713 C 6.358 202.399 7.312 201.567 8.2 200.827 C 11.912 197.748 18.085 191.367 20.639 187.964 C 21.26 187.132 21.954 186.263 22.185 186.004 L 22.611 185.541 L 21.583 184.691 C 18.955 182.508 15.901 179.179 16.16 178.763 C 16.243 178.634 16.623 178.939 17.178 179.595 C 18.39 181.02 19.677 182.24 22.009 184.191 C 23.101 185.107 24.036 185.93 24.11 186.031 C 24.295 186.327 24.027 186.466 23.675 186.244 C 23.398 186.068 23.314 186.152 22.944 186.965 C 21.88 189.305 18.992 193.67 16.437 196.777 Z M 17.252 193.707 C 17.465 193.531 17.65 193.346 17.65 193.318 C 17.65 193.17 17.502 193.281 17.187 193.651 L 16.854 194.039 Z M 12.208 184.173 C 14.559 182.767 15.632 181.917 15.447 181.621 C 15.234 181.278 14.568 181.463 11.902 182.61 C 9.727 183.544 5.618 185.135 1.435 186.66 C 0.713 186.928 0.407 187.437 0.972 187.437 C 1.324 187.437 5.562 186.059 8.052 185.135 C 9.079 184.755 9.968 184.441 10.014 184.441 C 10.061 184.441 8.922 185.245 7.469 186.226 C 3.286 189.065 1.703 190.387 1.129 191.497 C 0.62 192.486 1.027 192.366 2.24 191.164 C 3.526 189.897 8.561 186.364 12.199 184.182 Z M 6.553 200.115 C 8.395 198.016 12.365 193.096 13.809 191.136 C 16.734 187.15 19.103 183.618 19.131 183.211 C 19.177 182.555 18.705 182.555 18.094 183.211 C 15.993 185.43 10.949 188.63 4.804 191.626 C 3.128 192.449 1.721 193.189 1.657 193.281 C 1.416 193.679 1.87 193.623 3.313 193.078 C 6.266 191.968 11.541 189.222 14.531 187.243 C 15.077 186.882 15.54 186.623 15.54 186.679 C 15.54 186.984 9.589 195.029 6.432 198.977 C 4.452 201.465 3.943 202.195 4.109 202.362 C 4.285 202.538 4.961 201.918 6.553 200.106 Z" fill="rgb(255, 255, 255)" height="209.99999944452435px" id="s16LUEeu4" width="425.00001613409887px"/></svg>)
